ciphergoth | Stream ciphers

I recently discovered Helger Lipmaa's excellent page on stream ciphers:

http://www.tcs.hut.fi/~helger/crypto/link/stream/index.html

and sent Helger an email correcting a small error (though I hadn't noticed the reference to "Paul McCrowley" until later!). His reply asked what stream cipher I had most confidence in. Here's what I said:

Interesting question!

If I was specifying a new application now, and encryption needed to be faster than any block cipher could manage, I would if I could use RC4 after discarding 1024 bytes of output. There are efficient distinguishers for RC4, but it has probably seen more cryptanalysis than all the other CPRNGs put together, and it's hard to think of circumstances where the RC4 distinguishers lead to a useful attack.

More modern designs are still faster and have clearer design principles. An attack on the PANAMA hash function was of course presented at FSE 2001, but I know of no attacks on the PANAMA stream cipher. If I felt that my requirements called either for strict non-distinguishability or greater speed, I think that PANAMA would be my next choice.

But overall there seems to be much more stream cipher cryptography than cryptanalysis, and we don't seem to have design principles to guide the design of stream ciphers as we do for block ciphers. One problem seems to be that stream ciphers have many fewer rounds (if they have the concept of rounds at all), so attacking reduced-round variants doesn't tell you very much. But it's this very property that makes them so fast... it would be very useful to have a stream cipher with more scalable security, so we can learn more about the limits of where cryptanalysis stops working.

I'm sort of hoping that the standardisation on AES reduces the "market" for new block ciphers, and so attention at FSE and suchlike turns to the design of other symmetric primitives, like stream ciphers and hash functions. Mainly because the stream cipher I really want doesn't exist yet.

Thanks for asking!