Introduction

LEVIATHAN [5] is a stream cipher proposed by David McGrew and Scott Fluhrer for the NESSIE project [6]. Like most stream ciphers, it maps a key onto a pseudorandom keystream that can be XORed with the plaintext to generate the ciphertext. But it is unusual in that the keystream need not be generated in strict order from byte 0 onwards; arbitrary ranges of the keystream may be generated efficiently without the cost of generating and discarding all prior values. In other words, the keystream is ``seekable''. This property allows data from any part of a large encrypted file to be retrieved efficiently, without decrypting the whole file prior to the desired point; it is also useful for applications such as IPsec [2]. Other stream ciphers with this property include block ciphers in CTR mode [3]. LEVIATHAN draws ideas from the stream ciphers WAKE [9] and SEAL [7], and the GGM pseudo-random function (PRF) construction [1].

The keystream is bounded at $2^{50}$ bytes. Though the security goals are stated in terms of key recovery, it is desirable that distinguishing this keystream from a random binary string should be as computationally expensive as an exhaustive search of the 128 or 256-bit keyspace. Keystream generation is best modelled as a key-dependent function $\textrm{Lev}:\{0,1\}^{48}\mapsto \{0,1\}^{32}$ , mapping a location in the stream to a 32-bit output word; catenating consecutive values of this function from 0 gives the entire keystream:

$\begin{displaymath} \textrm{Lev}(0)\vert\textrm{Lev}(1)\vert\textrm{Lev}(2)\vert\ldots \vert\textrm{Lev}(2^{48}-1)\end{displaymath}$

Finding $\textrm{Lev}(i)$ for arbitrary $i$ is not especially fast. However, once this is done, intermediate values can usually be reused to find $\textrm{Lev}(i+1),\textrm{Lev}(i+2)\ldots$ much more efficiently. This is because the internal structure of the cipher is based on a forest of $2^{32}$ binary trees, each of which generates $2^{16}$ words of output, as shown in Figure 1.

**Figure 1:** Computation of an entire output tree of 8 words with $h=3$ . In the full cipher, $h=16$ and the complete output is built from $2^{32}$ such trees.
$\resizebox*{1\columnwidth}{!}{\includegraphics{tree.epsi}}$

The notation we use to specify this function precisely is somewhat different from that given in [5], but is convenient for our purposes; we treat $z$ as a parameter, rather than as a word of state. The cipher is parameterised on $n$ and $h$ , where $n$ is divisible by 4 and $n\geq h$ ; LEVIATHAN sets $n=32$ and $h=16$ . $\mid$ denotes catenation of bit strings, $\overline{x}$ bitwise complementation of $x$ , $\oplus$ the XOR operation (addition in $Z_{2}^{n}$ or $Z_{2}^{n/4}$ as appropriate), and $+$ addition in the group $Z_{2^{n}}$ , treating the first bit of the bitstring as the most significant and padding bitstrings shorter than $n$ bits with zeroes on the left. We specify the forest structure illustrated in Figure 1 recursively:

$\begin{eqnarray*} \textrm{Lev}:\{0,1\}^{n+h} & \mapsto & \{0,1\}^{n}\\ \textrm{... ...z\vert) & = & A_{z}(V(t,z))\\ V(t,z\vert 1) & = & B_{z}(V(t,z)) \end{eqnarray*}$

The internal state that functions $A$ , $B$ , and $C$ operate on (and the functions $D$ , $F$ , $G$ used to define them) is a 2-tuple of bitstrings $(x,y)$ ; we treat this as distinct from the catenated bitstring $x\vert y$ . The functions $L$ , $R$ , and $S$ operate on bytes within a word: $L$ and $R$ are rotates, while $S$ provides nonlinearity with the key-dependent permutations $S_{0\ldots 3}$ which map $\{0,1\}^{n/4}$ onto itself. These permutations are generated by the key schedule, which we omit. Note that $F$ and $G$ operate on each word of the tuple independently; mixing is provided by $D$ .

$\begin{eqnarray*} C(x,y) & = & x\oplus y\\ A_{z} & = & F\circ D_{z}\\ B_{z} & ... ...lus S_{2}(x_{0})\vert x_{1}\oplus S_{1}(x_{0})\vert S_{0}(x_{0}) \end{eqnarray*}$

[5] gives a functionally different definition of $D$ ( $D_{z}(x,y)=(2x+y+z,x+y+z)$ ); the one given here is that intended by the authors [4] and used to generate the test vectors, though the difference is not relevant for our analysis.

We present two biases in the LEVIATHAN keystream that distinguish it from a random bit string. We know of no other attacks against LEVIATHAN more efficient than brute force.