We have shown two forms of bias in the output of the LEVIATHAN keystream generator,
either of which distinguishes it from a random function with
known
bytes of output; we have not as yet found a way to recover key material using
these distinguishers. These distinguishers can both be applied to the same portion
of keystream for greater statistical significance. Both make use of compression
in the PairCom function.
Despite these attacks, LEVIATHAN demonstrates that a tree-based cipher could offer many advantages. It is to be hoped that similar designs, offering the same speed and flexibility but resistant to this and other attacks, will be forthcoming.