Stream cipher

Stream cipher
The operation of the keystream generator in A5/1, a LFSR-based stream cipher used to encrypt mobile phone conversations.

In cryptography, a stream cipher is a symmetric key cipher where plaintext digits are combined with a pseudorandom cipher digit stream (keystream). In a stream cipher the plaintext digits are encrypted one at a time, and the transformation of successive digits varies during the encryption. An alternative name is a state cipher, as the encryption of each digit is dependent on the current state. In practice, a digit is typically a bit and the combining operation an exclusive-or (xor).

Stream ciphers represent a different approach to symmetric encryption from block ciphers. Block ciphers operate on large blocks of digits with a fixed, unvarying transformation. This distinction is not always clear-cut: in some modes of operation, a block cipher primitive is used in such a way that it acts effectively as a stream cipher. Stream ciphers typically execute at a higher speed than block ciphers and have lower hardware complexity. However, stream ciphers can be susceptible to serious security problems if used incorrectly: see stream cipher attacks — in particular, the same starting state must never be used twice.


Loose inspiration from the one-time pad

Stream ciphers can be viewed as approximating the action of a proven unbreakable cipher, the one-time pad (OTP), sometimes known as the Vernam cipher. A one-time pad uses a keystream of completely random digits. The keystream is combined with the plaintext digits one at a time to form the ciphertext. This system was proved to be secure by Claude Shannon in 1949. However, the keystream must be (at least) the same length as the plaintext, and generated completely at random. This makes the system very cumbersome to implement in practice, and as a result the one-time pad has not been widely used, except for the most critical applications.

A stream cipher makes use of a much smaller and more convenient key — 128 bits, for example. Based on this key, it generates a pseudorandom keystream which can be combined with the plaintext digits in a similar fashion to the one-time pad. However, this comes at a cost: because the keystream is now pseudorandom, and not truly random, the proof of security associated with the one-time pad no longer holds: it is quite possible for a stream cipher to be completely insecure.

Types of stream ciphers

A stream cipher generates successive elements of the keystream based on an internal state. This state is updated in essentially two ways: if the state changes independently of the plaintext or ciphertext messages, the cipher is classified as a synchronous stream cipher. By contrast, self-synchronising stream ciphers update their state based on previous ciphertext digits.

Synchronous stream ciphers

In a synchronous stream cipher a stream of pseudo-random digits is generated independently of the plaintext and ciphertext messages, and then combined with the plaintext (to encrypt) or the ciphertext (to decrypt). In the most common form, binary digits are used (bits), and the keystream is combined with the plaintext using the exclusive or operation (XOR). This is termed a binary additive stream cipher.

In a synchronous stream cipher, the sender and receiver must be exactly in step for decryption to be successful. If digits are added or removed from the message during transmission, synchronisation is lost. To restore synchronisation, various offsets can be tried systematically to obtain the correct decryption. Another approach is to tag the ciphertext with markers at regular points in the output.

If, however, a digit is corrupted in transmission, rather than added or lost, only a single digit in the plaintext is affected and the error does not propagate to other parts of the message. This property is useful when the transmission error rate is high; however, it makes it less likely the error would be detected without further mechanisms. Moreover, because of this property, synchronous stream ciphers are very susceptible to active attacks — if an attacker can change a digit in the ciphertext, he might be able to make predictable changes to the corresponding plaintext bit; for example, flipping a bit in the ciphertext causes the same bit to be flipped in the plaintext.

Self-synchronizing stream ciphers

Another approach uses several of the previous N ciphertext digits to compute the keystream. Such schemes are known as self-synchronizing stream ciphers, asynchronous stream ciphers or ciphertext autokey (CTAK). The idea of self-synchronization was patented in 1946, and has the advantage that the receiver will automatically synchronise with the keystream generator after receiving N ciphertext digits, making it easier to recover if digits are dropped or added to the message stream. Single-digit errors are limited in their effect, affecting only up to N plaintext digits.

An example of a self-synchronising stream cipher is a block cipher in cipher feedback (CFB) mode.

Linear feedback shift register-based stream ciphers

Binary stream ciphers are often constructed using linear feedback shift registers (LFSRs) because they can be easily implemented in hardware and can be readily analysed mathematically. The use of LFSRs on their own, however, is insufficient to provide good security. Various schemes have been proposed to increase the security of LFSRs.

Non-linear combining functions

One approach is to use n LFSRs in parallel, their outputs combined using an n-input binary Boolean function (F).

Because LFSRs are inherently linear, one technique for removing the linearity is to feed the outputs of several parallel LFSRs into a non-linear Boolean function to form a combination generator. Various properties of such a combining function are critical for ensuring the security of the resultant scheme, for example, in order to avoid correlation attacks.

Clock-controlled generators

Normally LFSRs are stepped regularly. One approach to introducing non-linearity is to have the LFSR clocked irregularly, controlled by the output of a second LFSR. Such generators include the stop-and-go generator, the alternating step generator and the shrinking generator.

An alternating step generator comprises three linear feedback shift registers, which we will call LFSR0, LFSR1 and LFSR2 for convenience. The output of one of the registers decides which of the other two is to be used; for instance if LFSR2 outputs a 0, LFSR0 is clocked, and if it outputs a 1, LFSR1 is clocked instead. The output is the exclusive OR of the last bit produced by LFSR0 and LFSR1. The initial state of the three LFSRs is the key.

The stop-and-go generator (Beth and Piper, 1984) consists of two LFSRs. One LFSR is clocked if the output of a second is a "1", otherwise it repeats its previous output. This output is then (in some versions) combined with the output of a third LFSR clocked at a regular rate.

The shrinking generator takes a different approach. Two LFSRs are used, both clocked regularly. If the output of the first LFSR is "1", the output of the second LFSR becomes the output of the generator. If the first LFSR outputs "0", however, the output of the second is discarded, and no bit is output by the generator. This mechanism suffers from timing attacks on the second generator, since the speed of the output is variable in a manner that depends on the second generator's state. This can be alleviated by buffering the output.

Filter generator

Another approach to improving the security of an LFSR is to pass the entire state of a single LFSR into a non-linear filtering function.

Other designs

RC4 is one of the most widely used stream cipher designs.

Instead of a linear driving device, one may use a nonlinear update function. For example, Klimov and Shamir proposed triangular functions (T-Functions) with a single cycle on n bit words.


Main article: Stream cipher attack

For a stream cipher to be secure, its keystream must have a large period and it must be impossible to recover the cipher's key or internal state from the keystream. Cryptographers also demand that the keystream be free of even subtle biases that would let attackers distinguish a stream from random noise, and free of detectable relationships between keystreams that correspond to related keys or related cryptographic nonces. This should be true for all keys (there should be no weak keys), and true even if the attacker can know or choose some plaintext or ciphertext.

As with other attacks in cryptography, stream cipher attacks can be certificational, meaning they aren't necessarily practical ways to break the cipher but indicate that the cipher might have other weaknesses.

Securely using a secure synchronous stream cipher requires that one never reuse the same keystream twice; that generally means a different nonce or key must be supplied to each invocation of the cipher. Application designers must also recognize that most stream ciphers don't provide authenticity, only privacy: encrypted messages may still have been modified in transit.

Short periods for stream ciphers have been a practical concern. For example, 64-bit block ciphers like DES can be used to generate a keystream in output feedback (OFB) mode. However, when not using full feedback, the resulting stream has a period of around 232 blocks on average; for many applications, this period is far too low. For example, if encryption is being performed at a rate of 8 megabytes per second, a stream of period 232 blocks will repeat after about a half an hour.

Some applications using the stream cipher RC4 are attackable because of weaknesses in RC4's key setup routine; new applications should either avoid RC4 or make sure all keys are unique and ideally unrelated (e.g., generated by a cryptographic hash function) and that the first bytes of the keystream are discarded.


Stream ciphers are often used for their speed and simplicity of implementation in hardware, and in applications where plaintext comes in quantities of unknowable length—for example, a secure wireless connection. If a block cipher (not operating in a stream cipher mode) were to be used in this type of application, the designer would need to choose either transmission efficiency or implementation complexity, since block ciphers cannot directly work on blocks shorter than their block size. For example, if a 128-bit block cipher received separate 32-bit bursts of plaintext, three quarters of the data transmitted would be padding. Block ciphers must be used in ciphertext stealing or residual block termination mode to avoid padding, while stream ciphers eliminate this issue by naturally operating on the smallest unit that can be transmitted (usually bytes).

Another advantage of stream ciphers in military cryptography is that the cipher stream can be generated in a separate box that is subject to strict security measures and fed to other devices, e.g. a radio set, which will perform the xor operation as part of their function. The latter device can then be designed and used in less stringent environments.

RC4 is the most widely used stream cipher in software; others include: A5/1, A5/2, Chameleon, FISH, Helix, ISAAC, MUGI, Panama, Phelix, Pike, SEAL, SOBER, SOBER-128 and WAKE.

Comparison Of Stream Ciphers

(cycles per byte)
(bits) Attack
Initialization vector Internal
Best Known Computational
A5/1 1989 Voice (Wphone) 54 114 64 Active KPA OR
KPA Time-Memory Tradeoff
~2 seconds OR
A5/2 1989 Voice (Wphone) 54 114 64? Active 4.6 milliseconds
Achterbahn-128/80 2006 1 (hardware) 80/128 80/128 297/351 Brute force for frame lengths L ≤ 244. Correlation attack for L ≥ 248. 280 resp. 2128 for L ≤ 244.
FISH 1993 Quite Fast (Wsoft) Variable ? ? Known-plaintext attack 211
Grain Pre-2004 Fast 80 64 160 Key-Derivation 243
HC-256 Pre-2004 4 (WP4) 256 256 65536 ? ?
ISAAC 1996 2.375 (W64-bit) -
4.6875 (W32-bit)
usually 40-256
N/A 8288 (2006) First-round
4.67×101240 (2001)
MUGI 1998–2002 ? 128 128 1216 N/A (2002) ~282
PANAMA 1998 2 256 128? 1216? Hash Collisions (2001) 282
Phelix Pre-2004 up to 8 (Wx86) 256 + a 128-bit Nonce 128? ? Differential (2006) 237
Pike 1994 0.9 x FISH (Wsoft) Variable ? ? N/A (2004) N/A (2004)
Py Pre-2004 2.6 8-2048?
usually 40-256?
64 8320 Cryptanalytic Theory (2006) 275
Rabbit 2003-Feb 3.7(WP3)-9.7(WARM7) 128 64 512 N/A (2006) N/A (2006)
RC4 1987 Impressive 8-2048
usually 40-256
8 2064 Shamir Initial-Bytes Key-Derivation OR KPA 213 OR 233
Salsa20 Pre-2004 4.24 (WG4) -
11.84 (WP4)
256 a 64-bit Nonce + a 64-bit stream position 512 Probabilistic neutral bits method 2251 for 8 rounds (2007)
Scream 2002 4 - 5 (Wsoft) 128 + a 128-bit Nonce 32? 64-bit round function ? ?
SEAL 1997 Very Fast (W32-bit) ? 32? ? ? ?
SNOW Pre-2003 Very Good (W32-bit) 128 OR 256 32 ? ? ?
SOBER-128 2003 ? up to 128 ? ? Message Forge 2−6
SOSEMANUK Pre-2004 Very Good (W32-bit) 128 128 ? ? ?
Trivium Pre-2004 4 (Wx86) - 8 (WLG) 80 80 288 Brute force attack (2006) 2135
Turing 2000–2003 5.5 (Wx86) ? 160 ? ? ?
VEST 2005 42 (WASIC) -
64 (WFPGA)
usually 80-256
usually 80-256
256 - 800 N/A (2006) N/A (2006)
WAKE 1993 Fast ? ? 8192 CPA & CCA Vulnerable
(cycles per byte)
(bits) Attack
Initialization vector Internal
Best Known Computational


See also


  • Matt J. B. Robshaw, Stream Ciphers Technical Report TR-701, version 2.0, RSA Laboratories, 1995 (PDF).
  • Thomas Beth and Fred Piper, The Stop-and-Go Generator. EUROCRYPT 1984, pp88–92.
  • Christof Paar, Jan Pelzl, "Stream Ciphers", Chapter 2 of "Understanding Cryptography, A Textbook for Students and Practitioners". (companion web site contains online cryptography course that covers stream ciphers and LFSR), Springer, 2009.

External links

Wikimedia Foundation. 2010.

Look at other dictionaries:

  • Stream-cipher — Stromverschlüsselung (engl. stream cipher) ist ein kryptographischer Algorithmus, bei dem Zeichen des Klartextes mit den Zeichen eines Schlüsselstroms einzeln (XOR bei nur zwei verschiedenen Zeichen) verknüpft werden. Der Schlüsselstrom ist eine… …   Deutsch Wikipedia

  • Stream cipher attack — Stream ciphers, where plaintext bits are combined with a cipher bit stream by an exclusive or operation (xor), can be very secure if used properly. However they are vulnerable to attack if certain precautions are not followed:*keys must never be… …   Wikipedia

  • Quick Stream Cipher — (QUISCI) ist ein für Software optimierter symmetrischer Stromchiffrierer, welcher zur Verschlüsselung von Daten geeignet ist. Er wurde 2001 von Stefan Müller (FGAN FHR) entwickelt. Inhaltsverzeichnis 1 Merkmale 2 Kern des Algorithmus 3 Sicherheit …   Deutsch Wikipedia

  • ABC (stream cipher) — In cryptography, ABC is a stream cypher algorithm developed by Vladimir Anashin, Andrey Bogdanov, Ilya Kizhvatov, and Sandeep Kumar. It has been submitted to the eSTREAM Project of the eCRYPT network …   Wikipedia

  • Cipher — For other uses, see Cipher (disambiguation). Edward Larsson s rune cipher resembling that found on the Kensington Runestone. Also includes runically unrelated blackletter writing style and pigpen cipher. In cryptography, a cipher (or cypher) is… …   Wikipedia

  • Cipher disk — The Union Cipher Disk from the American Civil War was 3.75 inches (95 mm) in diameter and made of light yellow heavy card stock. It consisted of two concentric disks of unequal size revolving on a central pivot. The disks were divided along their …   Wikipedia

  • Cipher security summary — This article summarizes publicly known attacks against ciphers. Note that not all entries may be up to date. Table color key No known successful attacks Theoretical break Attack demonstrated in practice The Best attack column lists the complexity …   Wikipedia

  • Cipher suite — A cipher suite is a named combination of authentication, encryption, and message authentication code (MAC) algorithms used to negotiate the security settings for a network connection using the Transport Layer Security (TLS) or Secure Sockets… …   Wikipedia

  • Cipher (newuniversal) — Not to be confused with Cipher (comics) or Cypher (comics). Cipher Cover to newuniversal: shockfront #2, Marvel Publishing, circa 2008. Publication information …   Wikipedia

  • Block cipher modes of operation — This article is about cryptography. For method of operating , see modus operandi. In cryptography, modes of operation is the procedure of enabling the repeated and secure use of a block cipher under a single key.[1][2] A block cipher by itself… …   Wikipedia