Distinguishing attacks on stream ciphers based on arrays of pseudo-random words

In numerous modern stream ciphers, the internal state consists of a large array of pseudo-random words, while the output key-stream is a relatively simple function of the state. It has been heuristically shown in several situations [3], [8], [9], [10], [11] and [14] that this structure may lead to distinguishing attacks on the cipher. In this note we present a more rigorous treatment of this structural attack. First, we present a rigorous proof of the main probabilistic claim behind it in the basic cases. We then apply it concretely to the cipher sn3 [12], and demonstrate that the heuristic assumptions of the attack are remarkably precise in more complicated cases.