A stream cipher is a
symmetric key
Symmetric-key algorithms are algorithms for cryptography that use the same Key (cryptography), cryptographic keys for both the encryption of plaintext and the decryption of ciphertext. The keys may be identical, or there may be a simple transforma ...
cipher
In cryptography, a cipher (or cypher) is an algorithm for performing encryption or decryption—a series of well-defined steps that can be followed as a procedure. An alternative, less common term is ''encipherment''. To encipher or encode i ...
where plaintext digits are combined with a
pseudorandom
A pseudorandom sequence of numbers is one that appears to be statistically random, despite having been produced by a completely deterministic and repeatable process. Pseudorandom number generators are often used in computer programming, as tradi ...
cipher digit stream (
keystream
In cryptography, a keystream is a stream of random or pseudorandom characters that are combined with a plaintext message to produce an encrypted message (the ciphertext).
The "characters" in the keystream can be bit
The bit is the most basic ...
). In a stream cipher, each
plaintext
In cryptography, plaintext usually means unencrypted information pending input into cryptographic algorithms, usually encryption algorithms. This usually refers to data that is transmitted or stored unencrypted.
Overview
With the advent of comp ...
digit is encrypted one at a time with the corresponding digit of the keystream, to give a digit of the
ciphertext
In cryptography, ciphertext or cyphertext is the result of encryption performed on plaintext using an algorithm, called a cipher. Ciphertext is also known as encrypted or encoded information because it contains a form of the original plaintext ...
stream. Since encryption of each digit is dependent on the current state of the cipher, it is also known as ''state cipher''. In practice, a digit is typically a
bit
The bit is the most basic unit of information in computing and digital communication. The name is a portmanteau of binary digit. The bit represents a logical state with one of two possible values. These values are most commonly represented as ...
and the combining operation is an
exclusive-or
Exclusive or, exclusive disjunction, exclusive alternation, logical non-equivalence, or logical inequality is a logical operator whose negation is the logical biconditional. With two inputs, XOR is true if and only if the inputs differ (one ...
(XOR).
The pseudorandom keystream is typically generated serially from a random
seed value using digital
shift register
A shift register is a type of digital circuit using a cascade of flip-flop (electronics), flip-flops where the output of one flip-flop is connected to the input of the next. They share a single clock signal, which causes the data stored in the syst ...
s. The
seed value serves as the
cryptographic key
A key in cryptography is a piece of information, usually a string of numbers or letters that are stored in a file, which, when processed through a cryptographic algorithm
In mathematics and computer science, an algorithm () is a finite sequenc ...
for decrypting the ciphertext stream. Stream ciphers represent a different approach to symmetric encryption from
block cipher
In cryptography, a block cipher is a deterministic algorithm that operates on fixed-length groups of bits, called ''blocks''. Block ciphers are the elementary building blocks of many cryptographic protocols. They are ubiquitous in the storage a ...
s. Block ciphers operate on large blocks of digits with a fixed, unvarying transformation. This distinction is not always clear-cut: in some
modes of operation
In cryptography, a block cipher mode of operation is an algorithm that uses a block cipher to provide information security such as confidentiality or authenticity.
A block cipher by itself is only suitable for the secure cryptographic transform ...
, a block cipher primitive is used in such a way that it acts effectively as a stream cipher. Stream ciphers typically execute at a higher speed than block ciphers and have lower hardware complexity. However, stream ciphers can be susceptible to security breaches (see
stream cipher attack
Stream ciphers, where plaintext bits are combined with a cipher bit stream by an exclusive-or operation (xor), can be very secure if used properly. However, they are vulnerable to attacks if certain precautions are not followed:
*keys must never ...
s); for example, when the same starting state (seed) is used twice.
Loose inspiration from the one-time pad
Stream ciphers can be viewed as approximating the action of a proven unbreakable cipher, the
one-time pad
The one-time pad (OTP) is an encryption technique that cannot be Cryptanalysis, cracked in cryptography. It requires the use of a single-use pre-shared key that is larger than or equal to the size of the message being sent. In this technique, ...
(OTP). A one-time pad uses a
keystream
In cryptography, a keystream is a stream of random or pseudorandom characters that are combined with a plaintext message to produce an encrypted message (the ciphertext).
The "characters" in the keystream can be bit
The bit is the most basic ...
of completely
random
In common usage, randomness is the apparent or actual lack of definite pattern or predictability in information. A random sequence of events, symbols or steps often has no order and does not follow an intelligible pattern or combination. ...
digits. The keystream is combined with the plaintext digits one at a time to form the ciphertext. This system was proven to be secure by
Claude E. Shannon
Claude Elwood Shannon (April 30, 1916 – February 24, 2001) was an American mathematician, electrical engineer, computer scientist, cryptographer and inventor known as the "father of information theory" and the man who laid the foundations of th ...
in 1949. However, the keystream must be generated completely at random with at least the same length as the plaintext and cannot be used more than once. This makes the system cumbersome to implement in many practical applications, and as a result the one-time pad has not been widely used, except for the most critical applications. Key generation, distribution and management are critical for those applications.
A stream cipher makes use of a much smaller and more convenient key such as 128 bits. Based on this key, it generates a pseudorandom keystream which can be combined with the plaintext digits in a similar fashion to the one-time pad. However, this comes at a cost. The keystream is now pseudorandom and so is not truly random. The proof of security associated with the one-time pad no longer holds. It is quite possible for a stream cipher to be completely insecure.
Types
A stream cipher generates successive elements of the keystream based on an internal state. This state is updated in essentially two ways: if the state changes independently of the plaintext or
ciphertext
In cryptography, ciphertext or cyphertext is the result of encryption performed on plaintext using an algorithm, called a cipher. Ciphertext is also known as encrypted or encoded information because it contains a form of the original plaintext ...
messages, the cipher is classified as a ''synchronous'' stream cipher. By contrast, ''self-synchronising'' stream ciphers update their state based on previous plaintext or ciphertext digits. A system that incorporates the plaintext into the key is also known as an
autokey cipher
An autokey cipher (also known as the autoclave cipher) is a cipher that incorporates the message (the plaintext) into the key. The key is generated from the message in some automated fashion, sometimes by selecting certain letters from the text o ...
or autoclave cipher.
Synchronous stream ciphers

In a synchronous stream cipher a stream of pseudorandom digits is generated independently of the plaintext and ciphertext messages, and then combined with the plaintext (to encrypt) or the ciphertext (to decrypt). In the most common form, binary digits are used (
bit
The bit is the most basic unit of information in computing and digital communication. The name is a portmanteau of binary digit. The bit represents a logical state with one of two possible values. These values are most commonly represented as ...
s), and the keystream is combined with the plaintext using the
exclusive or
Exclusive or, exclusive disjunction, exclusive alternation, logical non-equivalence, or logical inequality is a logical operator whose negation is the logical biconditional. With two inputs, XOR is true if and only if the inputs differ (on ...
operation (XOR). This is termed a binary additive stream cipher.
In a synchronous stream cipher, the sender and receiver must be exactly in step for decryption to be successful. If digits are added or removed from the message during transmission, synchronisation is lost. To restore synchronisation, various offsets can be tried systematically to obtain the correct decryption. Another approach is to tag the ciphertext with markers at regular points in the output.
If, however, a digit is corrupted in transmission, rather than added or lost, only a single digit in the plaintext is affected and the error does not propagate to other parts of the message. This property is useful when the transmission error rate is high; however, it makes it less likely the error would be detected without further mechanisms. Moreover, because of this property, synchronous stream ciphers are very susceptible to
active attacks: if an attacker can change a digit in the ciphertext, they might be able to make predictable changes to the corresponding plaintext bit; for example, flipping a bit in the ciphertext causes the same bit to be flipped in the plaintext.
Self-synchronizing stream ciphers
Another approach uses several of the previous ''N'' ciphertext digits to compute the keystream. Such schemes are known as self-synchronizing stream ciphers, asynchronous stream ciphers or ciphertext autokey (CTAK). The idea of self-synchronization was patented in 1946 and has the advantage that the receiver will automatically synchronise with the keystream generator after receiving ''N'' ciphertext digits, making it easier to recover if digits are dropped or added to the message stream. Single-digit errors are limited in their effect, affecting only up to ''N'' plaintext digits.
An example of a self-synchronising stream cipher is a block cipher in
cipher feedback
In cryptography, a block cipher mode of operation is an algorithm that uses a block cipher to provide information security such as confidentiality or authenticity.
A block cipher by itself is only suitable for the secure cryptographic transform ...
(CFB)
mode
Mode ( meaning "manner, tune, measure, due measure, rhythm, melody") may refer to:
Arts and entertainment
* MO''D''E (magazine), a defunct U.S. women's fashion magazine
* ''Mode'' magazine, a fictional fashion magazine which is the setting fo ...
.
Based on linear-feedback shift registers
Binary stream ciphers are often constructed using
linear-feedback shift register
In computing, a linear-feedback shift register (LFSR) is a shift register whose input bit is a Linear#Boolean functions, linear function of its previous state.
The most commonly used linear function of single bits is exclusive-or (XOR). Thus, ...
s (LFSRs) because they can be easily implemented in hardware and can be readily analysed mathematically. The use of LFSRs on their own, however, is insufficient to provide good security. Various schemes have been proposed to increase the security of LFSRs.
Non-linear combining functions
Because LFSRs are inherently linear, one technique for removing the linearity is to feed the outputs of several parallel LFSRs into a non-linear
Boolean function
In mathematics, a Boolean function is a function whose arguments and result assume values from a two-element set (usually , or ). Alternative names are switching function, used especially in older computer science literature, and truth functi ...
to form a ''combination generator''. Various properties of such a ''combining function'' are critical for ensuring the security of the resultant scheme, for example, in order to avoid
correlation attack
Correlation attacks are a class of cryptographic known-plaintext attacks for breaking stream ciphers whose keystreams are generated by combining the output of several linear-feedback shift registers (LFSRs) using a Boolean function. Correlation a ...
s.
Clock-controlled generators
Normally LFSRs are stepped regularly. One approach to introducing non-linearity is to have the LFSR clocked irregularly, controlled by the output of a second LFSR. Such generators include the
stop-and-go generator
A stop-and-go may refer to:
* Stop-and-go route, in American football
* Stop-go, a penalty in motorsport; see
* '' Stop & Go'', a 1973 album by American musician Hamilton Bohannon
* Traffic wave
See also
* Go-Stop
Go-Stop (), also called G ...
, the
alternating step generator
In cryptography, an alternating step generator (ASG) is a cryptographic pseudorandom number generator used in stream ciphers, based on three linear-feedback shift registers. Its output is a combination of two LFSRs which are stepped (clocked) in ...
and the
shrinking generator
In cryptography, the shrinking generator is a form of pseudorandom number generator intended to be used in a stream cipher. It was published in Crypto 1993 by Don Coppersmith, Hugo Krawczyk and Yishay Mansour.
The shrinking generator uses two li ...
.
An
alternating step generator
In cryptography, an alternating step generator (ASG) is a cryptographic pseudorandom number generator used in stream ciphers, based on three linear-feedback shift registers. Its output is a combination of two LFSRs which are stepped (clocked) in ...
comprises three LFSRs, which we will call LFSR0, LFSR1 and LFSR2 for convenience. The output of one of the registers decides which of the other two is to be used; for instance, if LFSR2 outputs a 0, LFSR0 is clocked, and if it outputs a 1, LFSR1 is clocked instead. The output is the exclusive OR of the last bit produced by LFSR0 and LFSR1. The initial state of the three LFSRs is the key.
The stop-and-go generator (Beth and Piper, 1984) consists of two LFSRs. One LFSR is clocked if the output of a second is a 1, otherwise it repeats its previous output. This output is then (in some versions) combined with the output of a third LFSR clocked at a regular rate.
The
shrinking generator
In cryptography, the shrinking generator is a form of pseudorandom number generator intended to be used in a stream cipher. It was published in Crypto 1993 by Don Coppersmith, Hugo Krawczyk and Yishay Mansour.
The shrinking generator uses two li ...
takes a different approach. Two LFSRs are used, both clocked regularly. If the output of the first LFSR is 1, the output of the second LFSR becomes the output of the generator. If the first LFSR outputs 0, however, the output of the second is discarded, and no bit is output by the generator. This mechanism suffers from timing attacks on the second generator, since the speed of the output is variable in a manner that depends on the second generator's state. This can be alleviated by buffering the output.
Filter generator
Another approach to improving the security of an LFSR is to pass the entire state of a single LFSR into a non-linear ''filtering function''.
Other designs
Instead of a linear driving device, one may use a nonlinear update function. For example, Klimov and Shamir proposed triangular functions (
T-functions) with a single cycle on n-bit words.
Security
For a stream cipher to be secure, its keystream must have a large
period
Period may refer to:
Common uses
* Period (punctuation)
* Era, a length or span of time
*Menstruation, commonly referred to as a "period"
Arts, entertainment, and media
* Period (music), a concept in musical composition
* Periodic sentence (o ...
, and it must be impossible to ''recover the cipher's key'' or internal state from the keystream. Cryptographers also demand that the keystream be free of even subtle biases that would let attackers ''distinguish'' a stream from random noise, and free of detectable relationships between keystreams that correspond to ''related keys'' or related
cryptographic nonce
In cryptography, a nonce is an arbitrary number that can be used just once in a cryptographic communication. It is often a random or pseudo-random number issued in an authentication protocol to ensure that each communication session is unique, ...
s. That should be true for all keys (there should be no ''
weak key In cryptography, a weak key is a key, which, used with a specific cipher, makes the cipher behave in some undesirable way. Weak keys usually represent a very small fraction of the overall keyspace, which usually means that, a cipher key made by ran ...
s''), even if the attacker can ''know'' or ''choose'' some ''plaintext'' or ''ciphertext''.
As with other attacks in cryptography, stream cipher attacks can be ''certificational'' so they are not necessarily practical ways to break the cipher but indicate that the cipher might have other weaknesses.
Securely using a secure synchronous stream cipher requires that one never reuse the same keystream twice. That generally means a different
nonce or key must be supplied to each invocation of the cipher. Application designers must also recognize that most stream ciphers provide not ''authenticity'' but ''privacy'': encrypted messages may still have been modified in transit.
Short periods for stream ciphers have been a practical concern. For example, 64-bit block ciphers like
DES can be used to generate a keystream in
output feedback (OFB) mode. However, when not using full feedback, the resulting stream has a period of around 2
32 blocks on average; for many applications, the period is far too low. For example, if encryption is being performed at a rate of 8
megabyte
The megabyte is a multiple of the unit byte for digital information. Its recommended unit symbol is MB. The unit prefix ''mega'' is a multiplier of (106) in the International System of Units (SI). Therefore, one megabyte is one million bytes ...
s per second, a stream of period 2
32 blocks will repeat after about an hour.
Some applications using the stream cipher
RC4
In cryptography, RC4 (Rivest Cipher 4, also known as ARC4 or ARCFOUR, meaning Alleged RC4, see below) is a stream cipher. While it is remarkable for its simplicity and speed in software, multiple vulnerabilities have been discovered in RC4, ren ...
are attackable because of weaknesses in RC4's key setup routine; new applications should either avoid RC4 or make sure all keys are unique and ideally
unrelated (such as generated by a well-seeded
CSPRNG
A cryptographically secure pseudorandom number generator (CSPRNG) or cryptographic pseudorandom number generator (CPRNG) is a pseudorandom number generator (PRNG) with properties that make it suitable for use in cryptography. It is also referred t ...
or a
cryptographic hash function
A cryptographic hash function (CHF) is a hash algorithm (a map (mathematics), map of an arbitrary binary string to a binary string with a fixed size of n bits) that has special properties desirable for a cryptography, cryptographic application: ...
) and that the first bytes of the keystream are discarded.
The elements of stream ciphers are often much simpler to understand than block ciphers and are thus less likely to hide any accidental or malicious weaknesses.
Usage
Stream ciphers are often used for their speed and simplicity of implementation in hardware, and in applications where plaintext comes in quantities of unknowable length like a secure
wireless
Wireless communication (or just wireless, when the context allows) is the transfer of information (''telecommunication'') between two or more points without the use of an electrical conductor, optical fiber or other continuous guided transm ...
connection. If a
block cipher
In cryptography, a block cipher is a deterministic algorithm that operates on fixed-length groups of bits, called ''blocks''. Block ciphers are the elementary building blocks of many cryptographic protocols. They are ubiquitous in the storage a ...
(not operating in a stream cipher mode) were to be used in this type of application, the designer would need to choose either transmission efficiency or implementation complexity, since block ciphers cannot directly work on blocks shorter than their block size. For example, if a 128-bit block cipher received separate 32-bit bursts of plaintext, three quarters of the data transmitted would be
padding
Padding is thin cushioned material sometimes added to clothes. Padding may also be referred to as batting or wadding when used as a layer in lining quilts or as a packaging or stuffing material. When padding is used in clothes, it is often done in ...
. Block ciphers must be used in
ciphertext stealing
In cryptography, ciphertext stealing (CTS) is a general method of using a block cipher mode of operation that allows for processing of messages that are not evenly divisible into blocks without resulting in any expansion of the ciphertext, at the c ...
or
residual block termination mode to avoid padding, while stream ciphers eliminate this issue by naturally operating on the smallest unit that can be transmitted (usually bytes).
Another advantage of stream ciphers in military cryptography is that the cipher stream can be generated in a separate box that is subject to strict security measures and fed to other devices such as a radio set, which will perform the XOR operation as part of their function. The latter device can then be designed and used in less stringent environments.
ChaCha
Cha-Cha, Cha Cha, ChaCha or Chacha may refer to:
Music
*Cha-cha-cha (dance), a dance of Cuban origin
*Cha-cha-cha (music), a genre of Cuban music
*Cha Cha (album), ''Cha Cha'' (album), a 1978 album by Herman Brood & His Wild Romance
*Cha Cha (sou ...
is becoming the most widely used stream cipher in software;
others include:
RC4
In cryptography, RC4 (Rivest Cipher 4, also known as ARC4 or ARCFOUR, meaning Alleged RC4, see below) is a stream cipher. While it is remarkable for its simplicity and speed in software, multiple vulnerabilities have been discovered in RC4, ren ...
,
A5/1
A5/1 is a stream cipher used to provide over-the-air communication privacy in the Global System for Mobile Communications, GSM Cell phone, cellular telephone standard. It is one of several implementations of the A5 security protocol. It was initial ...
,
A5/2
A5/2 is a stream cipher used to provide voice privacy in the GSM cellular telephone protocol. It was designed in 1992-1993 (finished March 1993) as a replacement for the relatively stronger (but still weak) A5/1, to allow the GSM standard to be e ...
,
Chameleon
Chameleons or chamaeleons (Family (biology), family Chamaeleonidae) are a distinctive and highly specialized clade of Old World lizards with 200 species described as of June 2015. The members of this Family (biology), family are best known for ...
,
FISH
A fish (: fish or fishes) is an aquatic animal, aquatic, Anamniotes, anamniotic, gill-bearing vertebrate animal with swimming fish fin, fins and craniate, a hard skull, but lacking limb (anatomy), limbs with digit (anatomy), digits. Fish can ...
,
Helix
A helix (; ) is a shape like a cylindrical coil spring or the thread of a machine screw. It is a type of smooth space curve with tangent lines at a constant angle to a fixed axis. Helices are important in biology, as the DNA molecule is for ...
,
ISAAC
Isaac ( ; ; ; ; ; ) is one of the three patriarchs (Bible), patriarchs of the Israelites and an important figure in the Abrahamic religions, including Judaism, Christianity, Islam, and the Baháʼí Faith. Isaac first appears in the Torah, in wh ...
,
MUGI
In cryptography, MUGI is a pseudorandom number generator (PRNG) designed for use as a stream cipher. It was among the cryptographic techniques recommended for Japanese government use by CRYPTREC in 2003, however, has been dropped to "candidate" ...
,
Panama
Panama, officially the Republic of Panama, is a country in Latin America at the southern end of Central America, bordering South America. It is bordered by Costa Rica to the west, Colombia to the southeast, the Caribbean Sea to the north, and ...
,
Phelix
Phelix is a high-speed stream cipher with a built-in single-pass message authentication code (MAC) functionality, submitted in 2004 to the eSTREAM contest by Doug Whiting, Bruce Schneier, Stefan Lucks, and Frédéric Muller. The cipher uses onl ...
,
Pike
Pike, Pikes or The Pike may refer to:
Fish
* Blue pike or blue walleye, an extinct color morph of the yellow walleye ''Sander vitreus''
* Ctenoluciidae, the "pike characins", some species of which are commonly known as pikes
* ''Esox'', genus of ...
,
Salsa20
Salsa20 and the closely related ChaCha are stream ciphers developed by Daniel J. Bernstein. Salsa20, the original cipher, was designed in 2005, then later submitted to the eSTREAM European Union cryptographic validation process by Bernstein. Ch ...
,
SEAL
Seal may refer to any of the following:
Common uses
* Pinniped, a diverse group of semi-aquatic marine mammals, many of which are commonly called seals, particularly:
** Earless seal, also called "true seal"
** Fur seal
** Eared seal
* Seal ( ...
,
SOBER,
SOBER-128,
and
WAKE.
Comparison
Trivia
* United States
National Security Agency
The National Security Agency (NSA) is an intelligence agency of the United States Department of Defense, under the authority of the director of national intelligence (DNI). The NSA is responsible for global monitoring, collection, and proces ...
documents sometimes use the term combiner-type algorithms, referring to algorithms that use some function to combine a
pseudorandom number generator
A pseudorandom number generator (PRNG), also known as a deterministic random bit generator (DRBG), is an algorithm for generating a sequence of numbers whose properties approximate the properties of sequences of random number generation, random n ...
(PRNG) with a
plaintext
In cryptography, plaintext usually means unencrypted information pending input into cryptographic algorithms, usually encryption algorithms. This usually refers to data that is transmitted or stored unencrypted.
Overview
With the advent of comp ...
stream.
See also
*
eSTREAM
*
Linear-feedback shift register
In computing, a linear-feedback shift register (LFSR) is a shift register whose input bit is a Linear#Boolean functions, linear function of its previous state.
The most commonly used linear function of single bits is exclusive-or (XOR). Thus, ...
(LFSR)
*
Nonlinear-feedback shift register (NLFSR)
Notes
References
* Matt J. B. Robshaw, Stream Ciphers Technical Report TR-701, version 2.0, RSA Laboratories, 199
(PDF)
*
* Christof Paar, Jan Pelzl
"Stream Ciphers" Chapter 2 of "Understanding Cryptography, A Textbook for Students and Practitioners". (companion web site contains online cryptography course that covers stream ciphers and LFSR), Springer, 2009.
External links
*
tp://ftp.rsasecurity.com/pub/pdfs/tr701.pdf RSA technical report on stream cipher operation.Cryptanalysis and Design of Stream Ciphers (thesis by Hongjun Wu).Analysis of Lightweight Stream Ciphers (thesis by S. Fischer).
{{DEFAULTSORT:Stream Cipher
Cryptographic primitives