Bias in the LEVIATHAN Stream Cipher

We show two methods of distinguishing the LEVIATHAN stream cipher from a random stream using $2^{36}$ bytes of output and proportional effort; both arise from compression within the cipher. The first models the cipher as two random functions in sequence, and shows that the probability of a collision in 64-bit output blocks is doubled as a result; the second shows artifacts where the same inputs are presented to the key-dependent S-boxes in the final stage of the cipher for two successive outputs. Both distinguishers are demonstrated with experiments on a reduced variant of the cipher.

Bias in the LEVIATHAN Stream Cipher

Abstract:

Footnotes