Library
Back to reading

What Is a Keystream?

What Is a Cryptographic Keystream?

Preview: Learn more about keystreams and how they are used to encrypt data in stream ciphers.

A keystream is a sequence of binary digits used by a stream cipher to encrypt and decrypt digital information. Rather than encrypting data in fixed-size blocks, a stream cipher combines the plaintext with a continuously generated keystream, usually one bit or one byte at a time. The security of the encryption depends largely on the unpredictability of the keystream and the secrecy of the cryptographic key used to generate it.

The basic principle is straightforward. Before transmission, the sender uses a cryptographic algorithm and a secret key to generate a pseudorandom sequence of bits known as the keystream. Each bit of the plaintext is then combined with the corresponding keystream bit using the exclusive-OR (XOR) operation. The result is the ciphertext. At the receiving end, the same keystream is generated from the same secret key, and another XOR operation recovers the original plaintext.

A useful analogy is writing a message using a sheet of transparent paper covered with a seemingly random pattern of black and white squares. If both the sender and receiver possess identical copies of the pattern, they can overlay it on the message to hide or reveal the original text. Anyone without the correct pattern sees only meaningless symbols. The keystream performs a similar function mathematically, masking the original data with a sequence known only to the communicating parties.

The quality of the keystream is critical to the security of the cipher. Ideally, it should appear completely random and should never repeat. In practice, most stream ciphers generate the keystream using a pseudorandom number generator (PRNG) or cryptographically secure pseudorandom number generator (CSPRNG) initialised with a secret key and, in many systems, an initialization vector (IV) or nonce. Although the sequence is generated deterministically, it should be computationally indistinguishable from a truly random sequence.

The most famous example of a keystream is the one-time pad. In a one-time pad, the keystream consists of a genuinely random sequence that is exactly the same length as the message and is never reused. When these conditions are satisfied, the system provides perfect secrecy, meaning that the ciphertext reveals no information whatsoever about the plaintext. In practical communication systems, however, truly random keystreams of unlimited length are difficult to distribute, so most stream ciphers generate pseudorandom keystreams instead.

Keystream reuse presents a serious security risk. If the same keystream is used to encrypt two different messages, an attacker may combine the two ciphertexts to reveal information about both plaintexts. For this reason, modern stream ciphers employ unique initialization vectors or nonces to ensure that a different keystream is generated for every encryption session, even when the same secret key is reused.

Examples of stream ciphers that generate keystreams include RC4 (now considered insecure for most applications), Salsa20, and ChaCha20, the latter being widely used in modern Internet security protocols because of its excellent performance and strong security. Cellular communication systems, wireless networks, and satellite communication systems have also employed keystream generators in various proprietary and standardised encryption algorithms.

It is important to distinguish a keystream from a cryptographic key. The key is the secret value shared between the communicating parties, while the keystream is the long sequence of pseudorandom bits generated from that key. The key may consist of only 128 or 256 bits, whereas the resulting keystream may be millions or even billions of bits long.

Today, keystream generation remains a fundamental concept in modern cryptography. By providing a secure pseudorandom sequence that masks the original information, keystreams enable efficient, high-speed encryption of continuous data streams ranging from Internet traffic and wireless communications to satellite links and encrypted voice communications. Their quality largely determines the strength of the stream cipher and therefore the overall security of the communication system.

Back to reading