Editing ISAAC (cipher) (section)

== Cryptanalysis ==

[[Cryptanalysis]] has been undertaken by Marina Pudovkina (2001).<ref>Marina Pudovkina, A known plaintext attack on the ISAAC keystream generator, 2001, Cryptology ePrint Archive: Report 2001/049, [http://eprint.iacr.org/2001/049/].</ref> Her attack can recover the initial state with a complexity that is approximated to be less than the time needed for searching through the square root of all possible initial states. In practice this means that the attack needs <math>4.67 \times 10^{1240}</math> instead of <math>10^{2466}</math>. This result has had no practical impact on the security of ISAAC.<ref name=":0">{{cite web|title=On the pseudo-random generator ISAAC|url=https://eprint.iacr.org/2006/438.pdf|publisher=Cryptology ePrint Archive|access-date=21 August 2016}}</ref>

In 2006 Jean-Philippe Aumasson discovered several sets of weak states.<ref>Jean-Philippe Aumasson, [http://eprint.iacr.org/2006/438 On the pseudo-random generator ISAAC]. Cryptology ePrint archive, report 2006/438, 2006.</ref> The fourth presented (and smallest) set of weak states leads to a highly biased output for the first round of ISAAC and allows the derivation of the internal state, similar to a [[Fluhrer, Mantin and Shamir attack|weakness in RC4]]. It is not clear if an attacker can tell from just the output whether the generator is in one of these weak states or not. He also shows that a previous attack<ref>Souradyuti Paul, Bart Preneel, On the (In)security of Stream Ciphers Based on Arrays and Modular Addition.Asiacrypt 2006.</ref> is flawed, since the [[Souradyuti Paul|Paul]]-[[Bart Preneel|Preneel]] attack is based on an erroneous algorithm rather than the real ISAAC.
An improved version of ISAAC is proposed, called ISAAC+.<ref name=":0" />