Analysis of Xorrotation with Application to an HC-128 Variant

  • Paul Stankovski
  • Martin Hell
  • Thomas Johansson
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7372)


Many cryptographic primitives rely on word rotations (R) and xor (X) to provide proper mixing. We give RX-system mixing a very general treatment and deduce some theoretical results on related probability distributions. Pure RX-systems are easy to break, so we show how to apply our theory to a more complex system that uses RX operations in combination with S-boxes. We construct an impractical (keystream complexity 2^90.9), but new and non-trivial distinguisher for a variant of HC-128 for which modular addition is replaced with xor.


Keywords: RX, probability distribution, stream cipher, HC-128, cryptanalysis, distinguisher





Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

  • Paul Stankovski (1)
  • Martin Hell (1)
  • Thomas Johansson (1)
  1. Dept. of Electrical and Information Technology, Lund University, Lund, Sweden
