Related-Key Attacks on the Py-Family of Ciphers and an Approach to Repair the Weaknesses

  • Gautham Sekar
  • Souradyuti Paul
  • Bart Preneel
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4859)


The stream cipher TPypy has been designed by Biham and Seberry in January 2007 as the strongest member of the Py-family ciphers, after weaknesses in the other members Py, Pypy, Py6 were discovered. One main contribution of the paper is the detection of related-key weaknesses in the Py-family of ciphers including the strongest member TPypy. Under related keys, we show a distinguishing attack on TPypy with data complexity 2192.3 which is lower than the previous best known attack on the cipher by a factor of 288. It is shown that the above attack also works on the other members TPy, Pypy and Py. A second contribution of the paper is design and analysis of two fast ciphers RCR-64 and RCR-32 which are derived from the TPy and the TPypy respectively. The performances of the RCR-64 and the RCR-32 are 2.7 cycles/byte and 4.45 cycles/byte on Pentium III (note that the speeds of the ciphers Py, Pypy and RC4 are 2.8, 4.58 and 7.3 cycles/byte). Based on our security analysis, we conjecture that no attacks lower than brute force are possible on the RCR ciphers.


Hash Function Block Cipher Stream Cipher Full Version Round Function 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Baignères, T., Junod, P., Vaudenay, S.: How Far Can We Go Beyond Linear Cryptanalysis? In: Lee, P.J. (ed.) ASIACRYPT 2004. LNCS, vol. 3329, pp. 432–450. Springer, Heidelberg (2004)Google Scholar
  2. 2.
    Biham, E.: New Types of Cryptanalytic Attacks Using Related Keys. J. Cryptology 7(4), 229–246 (1994)zbMATHGoogle Scholar
  3. 3.
    Biham, E., Seberry, J.: Tweaking the IV Setup of the Py Family of Ciphers – The Ciphers Tpy, TPypy, and TPy6 (January 25, 2007), Published on the author’s webpage at
  4. 4.
    Biham, E., Seberry, J.: Py (Roo): A Fast and Secure Stream Cipher using Rolling Arrays. ecrypt submission (2005)Google Scholar
  5. 5.
    Biham, E., Seberry, J.: Pypy (Roopy): Another Version of Py. ecrypt submission (2006)Google Scholar
  6. 6.
    Chang, D., Gupta, K., Nandi, M.: RC4-Hash: A New Hash Function based on RC4 (Extended Abstract). In: Barua, R., Lange, T. (eds.) INDOCRYPT 2006. LNCS, vol. 4329, Springer, Heidelberg (2006)CrossRefGoogle Scholar
  7. 7.
    Crowley, P.: Improved Cryptanalysis of Py. In: Workshop Record of SASC 2006 - Stream Ciphers Revisited, ECRYPT Network of Excellence in Cryptology, Leuven, Belgium, pp. 52–60 (February 2006)Google Scholar
  8. 8.
    Fluhrer, S., Mantin, I., Shamir, A.: Weaknesses in the Key Scheduling Algorithm of RC4. In: Vaudenay, S., Youssef, A.M. (eds.) SAC 2001. LNCS, vol. 2259, pp. 1–24. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  9. 9.
    Handschuh, H., Knudsen, L., Robshaw, M.: Analysis of SHA-1 in Encryption Mode. In: Naccache, D. (ed.) CT-RSA 2001. LNCS, vol. 2020, pp. 70–83. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  10. 10.
    Handschuh, H., Naccache, D.: SHACAL. In: First Nessie Workshop, Leuven (2000)Google Scholar
  11. 11.
    Isobe, T., Ohigashi, T., Kuwakado, H., Morii, M.: How to Break Py and Pypy by a Chosen-IV Attack. eSTREAM, ECRYPT Stream Cipher Project, Report 2006/060Google Scholar
  12. 12.
    Kelsey, J., Schneier, B., Wagner, D.: Related-key cryptanalysis of 3-WAY, Biham-DES, CAST, DES-X, NewDES, RC2, and TEA. In: Han, Y., Quing, S. (eds.) ICICS 1997. LNCS, vol. 1334, pp. 233–246. Springer, Heidelberg (1997)CrossRefGoogle Scholar
  13. 13.
    Kelsey, J., Schneier, B., Wagner, D.: Key-Schedule Cryptoanalysis of IDEA, G-DES, GOST, SAFER, and Triple-DES. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 237–251. Springer, Heidelberg (1996)Google Scholar
  14. 14.
    Knudsen, L.R.: Cryptanalysis of LOKI. In: Matsumoto, T., Imai, H., Rivest, R.L. (eds.) ASIACRYPT 1991. LNCS, vol. 739, pp. 22–35. Springer, Heidelberg (1993)Google Scholar
  15. 15.
    Knudsen, L.R.: Cryptanalysis of LOKI91. In: Zheng, Y., Seberry, J. (eds.) AUSCRYPT 1992. LNCS, vol. 718, pp. 196–208. Springer, Heidelberg (1993)Google Scholar
  16. 16.
    Knudsen, L.: A key-schedule weakness in SAFER K-64. In: Coppersmith, D. (ed.) CRYPTO 1995. LNCS, vol. 963, pp. 274–286. Springer, Heidelberg (1995)Google Scholar
  17. 17.
    Dunkelman, O., Biham, E., Kellar, N.: A Simple Related-Key Attack on the Full SHACAL-1. In: Abe, M. (ed.) CT-RSA 2007. LNCS, vol. 4377, Springer, Heidelberg (2006)Google Scholar
  18. 18.
    Paul, S., Preneel, B., Sekar, G.: Distinguishing Attacks on the Stream Cipher Py. In: Robshaw, M. (ed.) FSE 2006. LNCS, vol. 4047, pp. 405–421. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  19. 19.
    Paul, S., Preneel, B.: On the (In)security of Stream Ciphers Based on Arrays and Modular Addition. In: Robshaw, M. (ed.) FSE 2006. LNCS, vol. 4047, pp. 69–83. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  20. 20.
    Research and Development in Advanced Communication Technologies in Europe, RIPE Integrity Primitives: Final Report of RACE Integrity Primitives Evaluation (R1040), RACE (June 1992)Google Scholar
  21. 21.
    Sekar, G., Paul, S., Preneel, B.: New Weaknesses in the Keystream Generation Algorithms of the Stream Ciphers TPy and Py. In: Garay, J.A., Lenstra, A.K., Mambo, M., Peralta, R. (eds.) Information Security Conference 2007. LNCS, vol. 4779, pp. 249–262. Springer, Heidelberg (2007)Google Scholar
  22. 22.
    Sekar, G., Paul, S., Preneel, B.: Attacks on the Stream Ciphers TPy6 and Py6 and Design of New Ciphers TPy6-A and TPy6-B. In: WEWoRC-Western European Workshop on Research in Cryptology (2007)Google Scholar
  23. 23.
    Sekar, G., Paul, S., Preneel, B.: Weaknesses in the Pseudorandom Bit Generation Algorithms of the Stream Ciphers TPypy and TPy, available at
  24. 24.
    Sekar, G., Paul, S., Preneel, B.: Related-key Attacks on the Py-family of Ciphers and an Approach to Repair the Weaknesses, available at
  25. 25.
    Tsunoo, Y., Saito, T., Kawabata, T., Nakashima, H.: Distinguishing Attack against TPypy. Selected Areas in Cryptography (to appear, 2007)Google Scholar
  26. 26.
    Wang, X., Yao, A., Yao, F.: Cryptanalysis on SHA-1. Cryptographic Hash Workshop, NIST, Gaithersburg (2005)Google Scholar
  27. 27.
    Wang, X., Yin, Y.L., Yu, H.: Finding Collisions in the Full SHA-1. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 17–36. Springer, Heidelberg (2005)Google Scholar
  28. 28.
    Wang, X., Yu, H.: How to Break MD5 and Other Hash Functions. In: Cramer, R.J.F. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 19–35. Springer, Heidelberg (2005)Google Scholar
  29. 29.
    Wu, H., Preneel, B.: Differential Cryptanalysis of the Stream Ciphers Py, Py6 and Pypy. In: Naor, M. (ed.) Eurocrypt 2007. LNCS, vol. 4515, pp. 276–290. Springer, Heidelberg (2007)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2007

Authors and Affiliations

  • Gautham Sekar
    • 1
  • Souradyuti Paul
    • 1
  • Bart Preneel
    • 1
  1. 1.Katholieke Universiteit Leuven, Dept. ESAT/COSIC, Kasteelpark Arenberg 10, B–3001, Leuven-HeverleeBelgium

Personalised recommendations