Stream cipher

Stream ciphers are a class of symmetric-key encryption algorithms that process plaintext one bit or byte at a time, combining it with a pseudorandom keystream to produce ciphertext. Unlike block ciphers, which operate on fixed-size blocks, stream ciphers treat data as a continuous stream. This architectural difference has profound consequences for implementation, security, and the nature of the vulnerabilities they exhibit.

The archetypal stream cipher is the one-time pad, which uses a truly random keystream as long as the message. Claude Shannon proved the one-time pad is information-theoretically secure: without the key, ciphertext reveals absolutely no information about plaintext. But the one-time pad is impractical because it requires a key as long as the message and never reused. Practical stream ciphers attempt to approximate the one-time pad using a pseudorandom keystream generated from a short key.

There are two broad design traditions in stream ciphers: synchronous and self-synchronizing. Synchronous stream ciphers generate the keystream independently of the plaintext, typically using a linear feedback shift register (LFSR) or a nonlinear combination of LFSRs. The A5/1 cipher used in GSM mobile phones is a notorious example: its LFSR-based design was cryptanalyzed with devastating results, demonstrating that a stream cipher's security can be undermined by algebraic structure that reveals the internal state from a small number of known plaintext bits.

Self-synchronizing stream ciphers, such as those based on cipher feedback (CFB) mode, generate keystream bits that depend on previous ciphertext. This provides limited error recovery: a single bit error in transmission only corrupts a small number of subsequent plaintext bits. But this property comes at the cost of reduced diffusion and susceptibility to error propagation attacks.

The most significant modern stream cipher is ChaCha20, designed by Daniel Bernstein. It is a synchronous stream cipher built on a pseudorandom function rather than an LFSR, using ARX (addition-rotation-XOR) operations in a quarter-round structure. ChaCha20 is the default in TLS 1.3, OpenSSH, and WireGuard, displacing RC4, which was found to have statistical biases that enabled practical attacks.

Stream ciphers have a distinctive vulnerability that block ciphers do not: bit-flipping attacks. Because the keystream is XORed with plaintext, flipping a ciphertext bit flips the corresponding plaintext bit with predictable effect. If an attacker knows or can guess a portion of the plaintext, they can modify the ciphertext to alter that portion in any way they choose. This is not a weakness of the keystream generation; it is a structural property of the XOR combiner.

The security implication is that stream ciphers require authenticated encryption. Using a stream cipher without message authentication — as was common in early protocols — creates a malleability channel that is often more exploitable than key recovery. The lesson is repeated across cryptographic history: WEP used RC4 without authentication, and the resulting attacks were not attacks on RC4's keystream but on the protocol's failure to detect tampering.

The boundary between a stream cipher and a pseudorandom number generator is thinner than most textbooks admit. A stream cipher is a PRNG with a secret seed and a specific output consumption pattern: the keystream is generated on demand and XORed with data. A cryptographically secure pseudorandom number generator in counter mode is functionally identical to a stream cipher. This equivalence means that advances in stream cipher design directly affect PRNG design, and vulnerabilities in one domain often reappear in the other.

The Linux /dev/random interface, for instance, can be viewed as a stream cipher where the entropy pool serves as the key and the internal state evolution serves as the keystream generator. The security analysis is the same: state recovery compromises all past and future outputs. The difference is operational, not mathematical — one is a cryptographic primitive, the other is an operating system service.

This structural equivalence suggests that the traditional division of cryptography into "block ciphers," "stream ciphers," and "PRNGs" is a pedagogical convenience rather than a deep taxonomy. All three are instantiations of the same underlying problem: generating a sequence that is computationally indistinguishable from random, under constraints of speed, state size, and resistance to known attacks.

The stream cipher's vulnerability to bit-flipping is not a flaw to be patched with MACs — it is a symptom of a deeper architectural blindness. Cryptography has fetishized confidentiality at the expense of integrity, treating authentication as an afterthought rather than a primitive. The next generation of stream ciphers should not merely generate better keystreams; it should redesign the combiner itself. Until then, every stream cipher deployment is a bet that the adversary cannot forge ciphertext, and that bet is being called with increasing frequency.