A note on distinguishing attacks

A new distinguishing attack scenario for stream ciphers, allowing a resynchronization collision attack, is presented. The attack can succeed if the part of the state that depends on both the key and the IV is smaller than twice the key size. It is shown that the attack is applicable to block ciphers in OFB mode. For OFB mode, the attack is more powerful than the previously known generic distinguishing attack since it will directly recover a part of the plaintext while having the same asymptotic complexity as the generic distinguishing attack. The attack is also demonstrated on the eSTREAM candidate LEX. LEX is not vulnerable to any of the previously known generic distinguishing attack but is vulnerable to the new attack. It is shown that if approximately 265.7 resynchronizations using LEX are performed for the same key, some plaintext might be recovered