An Efficient State Recovery Attack on the X-FCSR Family of Stream Ciphers

We describe a state recovery attack on the X-FCSR family of stream ciphers. In this attack we analyse each block of output keystream and try to solve for the state. The solver will succeed when a number of state conditions are satisfied. For X-FCSR-256, our best attack has a computational complexity of only 2 4.7 table lookups per block of keystream, with an expected 2 44.3 such blocks before the attack is successful. The precomputational storage requirement is 2 33 . For X-FCSR-128, the computational complexity of our best attack is 2 16.3 table lookups per block of keystream, where we expect 2 55.2 output blocks before the attack comes through. The precomputational storage requirement for X-FCSR-128 is 2 67 .