Some observations on HC-128 (Q2430696)

HC-128 is a streamcipher from the eSTREAM portfolio (\url{http://www.ecrypt.org/stream}). Using linear approximations for the addition of three \(n\)-bit integers mod \( 2^n \), the authors obtain linear approximations for the feedback functions \( g_1 \) and \( g_2 \) of HC-128. These approximations are then used to extend a known distinguisher (using only the least significant bit of 32 bit keystreamwords), to one acting on all of the bits (except for one). Furthermore, a new distinguisher is obtained. Finally, the authors study the functions \(h_1\) and \(h_2\) showing that the keystream leaks information on the secret intial state. The authors' results do not lead to a practical attack since the required amount of keystream words is of astronomic proportions (\(2^{156}\), being a lot more than the size of the complete keyspace, i.e., \(2^{128}\)). Nevertheless, the observed weaknesses may be the basis for further cryptanalysis of the HC-128 cipher.