Improved distinguishing attacks on HC-256

Abstract

The software-efficient stream cipher HC-256 was proposed by Wu at FSE 2004. Due to its impressive performance, the cipher was also a well-received entrant to the ECRYPT eSTREAM competition. The closely related stream cipher HC-128, also designed by Wu, went on to find a place in the final portfolio of the eSTREAM contest. The cipher HC-256 is word-oriented, with 32 bits in each word, and uses a 256-bit key and a 256-bit IV. Since HC-256 was published in 2004, barring a cache-timing analysis of unprotected implementations, there has not been any attack on the cipher. This paper makes two contributions. First, we build a class of distinguishers on HC-256, each of which requires testing the validity of about 2276.8 linear equations involving binary keystream variables. Thereby, our attacks improve the data complexity of the hitherto best-known distinguisher (presented by the designer along with the specifications of the cipher) by a factor of about 12. We also present another observation that, we believe, can be further exploited to build more efficient distinguishing attacks on the cipher. It is hoped that the results of this paper would also find use in future security evaluations of the closely-related ciphers HC-128 and HC-256'. © 2009 Springer-Verlag Berlin Heidelberg.