Tight Security Bounds For Generic Stream Cipher Constructions

SELECTED AREAS IN CRYPTOGRAPHY - SAC 2019(2019)

Cited by 6

Abstract
The design of modern stream ciphers is strongly influenced by the fact that Time-Memory-Data tradeoff (TMD-TO) attacks reduce their effective key length to half of the inner state length. The classical solution is to design the cipher in accordance with the Large-State-Small-Key principle, which implies that the state length is at least twice as large as the session key length. In lightweight cryptography, where heavily resource-constrained devices are considered, a large number of inner state cells is a big drawback for this type of construction. Recent stream cipher proposals like Lizard, Sprout, Plantlet and Fruit employ new techniques to avoid a large inner state size. However, when considering indistinguishability, none of the ciphers mentioned above provides security above the birthday barrier with regard to the state length. In this paper, we present a formal indistinguishability framework for proving lower bounds on the resistance of generic stream cipher constructions against TMD-TO attacks. In particular, we first present a tight lower bound for constructions following the Large-State-Small-Key principle. Further, we show a close to optimal lower bound for stream cipher constructions that continuously use the initial value during keystream generation. These constructions would allow the inner state size, and hence the resource requirements of the cipher, to be shortened significantly. We thus believe that Continuous-IV-Use constructions are a promising direction for future research.
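The birthday-barrier claim in the abstract follows from the classical generic TMD-TO argument (the Babbage/Golić tradeoff); the derivation below is an added illustration, not part of the paper, and assumes the inner state behaves like a uniformly random $n$-bit value.

Let the cipher have an $n$-bit inner state, so there are $N = 2^n$ possible states. An adversary precomputes $M$ random states together with the keystream prefix each of them produces, and then observes $D$ keystream windows during the online phase. Each (stored state, observed window) pair matches with probability $1/N$, so the expected number of matches is
$$
\frac{M \cdot D}{N} = \frac{M \cdot D}{2^{n}} ,
$$
and a state is recovered once $M \cdot D \approx 2^{n}$. Balancing the two resources, $M = D = 2^{n/2}$, gives online time $T = D = 2^{n/2}$, which is the birthday bound on the state length. A key of length $k$ therefore cannot offer more than $\min(k, n/2)$ bits of security against this generic attack, and requiring $k \le n/2$, i.e. $n \ge 2k$, is exactly the Large-State-Small-Key condition stated above.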
Keywords
Symmetric-key cryptography, Indistinguishability, Random oracle model, Provable security, Stream cipher, Lightweight cryptography