In recent years, many symmetric encryption ciphers have been proposed for homomorphic encryption (HE) applications. Rasta and its variants Masta and Pasta have gradually become a self‐contained series of HE‐friendly stream ciphers. The feature of these ciphers is that a fresh affine layer is randomly generated for each encryption. Although Rasta explicitly stated that it does not consider related‐key attacks in its specification and it is difficult to find exploitable good differential characteristics even if considered, Masta and Pasta do not mention related‐key attacks. Therefore, in this paper, we aim to comprehensively study the impact of related‐key attacks on the security of these ciphers and determine whether the round requirement for satisfying the security bound is effective even in the multi‐client scenario. Based on the general key structure and specific key differential patterns, we propose two practical related‐key attacks based on linearization attacks and one based on SAT solving method. These attacks successfully break Pasta’s both instances (2/2), Masta and Rasta’s most instances (9/16 and 5/9). Furthermore, we theoretically discuss the validity conditions of the trivial linearization attack and experimentally verify it.
Hu et al. (Thu,) studied this question.