Py (cipher)

What is a Stream cipher?

A stream cipher is a symmetric key cipher where plaintext digits are combined with a sequence of bits used as a key which is called keystream. In a stream cipher each character or number of the plain text is encrypted one at a time with the corresponding digit of the keystream, and the result will be a digit of the cyphertext stream. Encryption is accomplished by combining the keystream with the plaintext, usually with the bitwise XOR operation.

This keystream is typically generated serially from a random seed value using digital shift registers. The seed value serves as the cryptographic key for decrypting the ciphertext stream.

Stream ciphers can be designed to be exceptionally fast, much faster than any block cipher, that's because stream ciphers typically operate on smaller units of plaintext, usually bits.

Py cipher

Py (written in the Cyrillic alphabet, thus pronounced Roo). is a stream cipher submitted to eSTREAM (a project to "identify new stream ciphers suitable for widespread adoption") by Eli Biham and Jennifer Seberry. It is one of the fastest eSTREAM candidates at around 2.6 cycles per byte on some platforms.

Py is a stream cipher designed for very fast and secure encryption of extremely long streams. It is use with keys of up to 256 bits, and initial values ( up to 128 bits), but it also allows longer keys of up to 256 bytes, and intitial values sizes up to 64 bytes; keys and initial values should be in multiples of a byte, and at least one byte in length. Talking about speed, Py spends only about 2.85 cycles/byte on stream generation in its efficient implementation.

A second variant of Py, called Py6, is used for shorter streams. This variant has smaller rolling arrays, thus its key setup and IV setup are much faster than of Py

Here a comparison between Py, Py6 and RC4 ciphers in 4 different processors

The allowed stream size is 2⁶⁴ bytes in each stream (or 2⁴⁰ in the smaller version Py6). The most important thing of Py is called rolling arrays, these arrays are rotated and updated over time in a way that allows both the data to be updated very quickly and a very efficient implementation.

Py cipher uses rolling arrays which are vectors whose units are cyclically rotated every rotation step by one unit. A useful property of rolling arrays is that if you access the same entry in two consecutive steps, the contents of this entry are expected to be different. An example of a rolling array algorithm is: for some entry k, the swap exchanges entry 0 and entry k, and then the rotation is performed.

The cipher Py maintains two rolling arrays P and Y and one word variable s. P is an array of 256 bytes that contains a permutation of all the values 0, . . . , 255, and Y is an array of 260 32-bit words, indexed −3, . . . , 256. In each step of the cipher the two arrays are rotated, and two output words (a total of eight bytes) are computed. The word s is updated by mixing two words of Y into it, where the two words are indirectly selected by indices from P, and then a variable rotation is performed, which rotates s by a number of bits which is taken from another entry of P.

The update of the rolling array (i.e., entry Y [−3]), and the computation of the two output words are very similar: take a rotated value of s, XOR it with a value of Y (with a direct access to a fixed entry of Y ), and add a value from Y which is accessed indirectly through a fixed entry of P

This cipher uses a key schedule which initializes the array Y from the key. In order to have a fast non-linear mixing, it uses an 8x8-bit S box. The key setup starts by initializing a 32-bit word s to depend on the key size and the first and last bytes of the key, by setting one of its bytes to be the value of the internal permutation applied on the key size (minus one, to ensure it is in the range 0–255). The next byte applies the permutation in the same way on the IV, but this time it is XORed with the previous computed byte before the application of the permutation.

Here is in pseudocode an algorithm of Py cipher and more especific, how the rolling arrays can be implemented:

The above pseudocode I found it in Py (Roo, åø): A Fast and Secure Stream Cipher using Rolling Arrays text written by Eli Biham and Jennifer Seberry, below in references is the link to ecrypt site where I found this text.

Attacks and vulnerabilities

the best cryptanalytic attack on Py, which was made by Hongjun Wu and Bart Preneel, can under some circumstances recover the key given partial keystreams for 224 chosen initial values.

Given only known plaintext, there is a distinguishing attack on the keystream made by Paul Crowley, which requires around 272 bytes of output and comparable time.

Py's security bounds limit any attacker to a total of 264 bytes of output across all keystreams everywhere

References

• Stream_cipher
• eSTREAM
• rsa
• ecrypt
• wikipedia