### Question 92. What Other Stream Ciphers Are There?

There are a vast number of alternative stream ciphers that have
been proposed in cryptographic literature as well as an equally
vast number that appear in implementations and products world-wide.
Many are based on the use of LFSRs (see Question 89) since such
ciphers tend to be more amenable to analysis and it is easier
to assess the security that they offer.

Rueppel suggests that there are essentially four distinct approaches
to stream cipher design [Rue92]. The first is termed the
*information-theoretic* approach, as exemplified by Shannon's analysis
of the one-time pad (see Question 93). The second approach is that of
*system-theoretic* design. In essence, the cryptographer designs the cipher along
established guidelines which ensure that the cipher is resistant
to all known attacks. While there is, of course, no substantial
guarantee that future cryptanalysis will be unsuccessful, it is
this design approach that is perhaps the most common in cipher
design. The third approach is to attempt to relate the difficulty
of breaking the stream cipher (where "breaking" means
being able to predict the unseen keystream with a success rate
better than can be achieved by guessing) to solving some difficult
problem (see [BM84][BBS86]). This *complexity-theoretic* approach
is very appealing, but in practice the ciphers that have
been developed tend to be rather slow and impractical. The final
approach highlighted by Rueppel is that of designing a *randomized
cipher*. Here the aim is to ensure that the cipher is resistant
to any practical amount of cryptanalytic work rather than being
secure against an unlimited amount of work, as was the aim with
Shannon's information-theoretic approach.
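
As an added example that is not part of the original FAQ, here is a toy version of the Blum-Blum-Shub generator (the [BBS86] citation) used as a stream cipher, to show the complexity-theoretic approach and its cost of one modular squaring per keystream bit. The primes, seed and function names are constructed for illustration, and the modulus is far too small to offer any security.

```python
# Added illustration (not from the FAQ): Blum-Blum-Shub keystream generator.
from math import gcd

# Constructed toy parameters: two primes congruent to 3 mod 4.
# A real modulus would be the product of two large secret primes.
P, Q = 499, 547
N = P * Q

def bbs_state(seed, n, i):
    """State x_i reached by i sequential squarings of x_0 = seed^2 mod n."""
    if gcd(seed, n) != 1:
        raise ValueError("seed must be coprime to n")
    x = seed * seed % n
    for _ in range(i):
        x = x * x % n
    return x

def bbs_jump(seed, p, q, i):
    """The same x_i computed directly; this shortcut needs the factors of n."""
    n = p * q
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)  # Carmichael lambda(n)
    return pow(seed * seed % n, pow(2, i, lam), n)

def keystream(seed, n, nbytes):
    """Produce nbytes of keystream, one modular squaring per output bit."""
    x = bbs_state(seed, n, 0)  # validates the seed and yields x_0
    out = bytearray()
    for _ in range(nbytes):
        byte = 0
        for _ in range(8):
            x = x * x % n
            byte = (byte << 1) | (x & 1)  # emit the least significant bit
        out.append(byte)
    return bytes(out)

def xor_stream(data, seed, n=N):
    """Encrypt or decrypt: XOR the data with the keystream."""
    return bytes(d ^ k for d, k in zip(data, keystream(seed, n, len(data))))

if __name__ == "__main__":
    msg = b"stream cipher FAQ"  # constructed sample plaintext
    ct = xor_stream(msg, 12345)
    print(ct.hex(), xor_stream(ct, 12345))
```

The direct jump to any state is available only to someone who knows the factors of the modulus, which is the sense in which the generator's unpredictability is tied to the presumed hardness of factoring.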

See Rueppel's article [Rue92] or any book on contemporary cryptography
for examples of ciphers in each of these categories. More details
are also provided in RSA Laboratories Technical Report [Rob95b].