When designing symmetric ciphers, security and performance are of utmost importance. When selecting a symmetric encryption algorithm, the first choice is whether to choose a block cipher or a stream cipher. Most modern block ciphers offer a sufficient security and a reasonably good performance. But a block cipher must usually be used in a stream cipher mode of operation, which suggests that using a pure stream cipher primitive might be beneficial.

Modern stream ciphers will indeed offer an improved performance compared with block ciphers (typically at least a factor 4-5 if measured in speed). However, the security of modern stream ciphers is not as well understood as for block ciphers. Most stream ciphers that have been widely spread, like RC4, A5/1, have security weaknesses.

It is clear that modern stream cipher designs, represented by proposals like Panama, Mugi, Sober, Snow, Seal, Scream, Turing, Rabbit, Helix, and many more, are very far from classical designs like nonlinear filter generators, nonlinear combination generators, etc. One major difference is that classical designs are bit-oriented, whereas modern designs tend to operate on (e.g. 32 bit) words to provide efficient software implementations. This leads to usage of different operations. Modern stream ciphers use building blocks very similar to those used in block ciphers. Essentially all modern stream cipher designs use S-boxes in one way or the other and combine this with various linear operations, essentially following the old confuse and diffuse paradigm from Shannon.

In this invited talk, we will overview various methods for cryptanalysis of modern stream ciphers. This will include time-memory tradeoff attacks, correlation attacks, distinguishing attacks of different kinds, guess-and-determine type of attacks, and the recent and very interesting algebraic attacks. This will give us lots of useful feedback when considering the design of secure and fast stream ciphers.