Isn’t it more or less exactly what my #1 point above says? ;-)

PS: Ilya, big thanks for the link to EnRUPT! :-)

Input difference - (0,0)

Key difference - (e_8,e_31,0.0) (e_8 - bit 8 (0 is the LSB), e_31 - most significant bit).

This means at least 64 rounds are needed to achieve security against a standard related-key differential attack.

Also note that using the results of “A Unified Approach to Related-Key Attacks” (to appear in FSE’08), it is possible to attack any multiple of 8 rounds with about 2^30 related keys.

It is arguable that either claim may be equiprobably true with a very high probability while it is also arguable that the notion that neither one may be correct is arguable with an even higher probability, although it is most certainly arguable that both claims cannot be true or false simultaneously without a conceptually new information theoretic or computational complexity paradigm. But on the other hand…

2. It is vulnerable to Mod N attacks for a large number of rounds, even within the same stream: the key schedule preserves Mod N properties of the keywords too.

3. Even with the above two problems fixed, it would need more than 40 rounds to resist statistical attacks: up to 10 rounds are trivially distinguishable from random with trivial key recovery [less than 2^16 p/c pairs and 2^16 operations].

http://defectoscopy.com/ - there is no need to design inherently weak ciphers