Generic attacks on small-state stream cipher constructions in the multi-user setting
Cybersecurity Pub Date : 2023-10-08 , DOI: 10.1186/s42400-023-00188-3
Jianfu Huang , Ye Luo , Qinggan Fu , Yincen Chen , Chao Wang , Ling Song

Small-state stream ciphers (SSCs), which violate the principle that the state size should exceed the key size by a factor of two, still demonstrate robust security properties while maintaining a lightweight design. These ciphers can be classified into several constructions, and their basic security requirement is to resist generic attacks, i.e., the time–memory–data tradeoff (TMDTO) attack. In this paper, we investigate the security of small-state constructions in the multi-user setting. Based on this setting, the TMDTO distinguishing attack and the TMDTO key recovery attack are developed. It is shown that SSCs which continuously use the key cannot resist the TMDTO distinguishing attack. Moreover, SSCs based on the continuous-IV-key-use construction cannot withstand the TMDTO key recovery attack when the key length is shorter than the IV length, regardless of whether the keystream length is limited. Finally, we apply these two generic attacks to TinyJAMBU and DRACO in the multi-user setting. The TMDTO distinguishing attack on TinyJAMBU with a 128-bit key can be mounted with time, memory, and data complexities of \(2^{64}\), \(2^{48}\), and \(2^{32}\), respectively. This attack is comparable with a recent work at ToSC 2022, where partial key bits of TinyJAMBU are recovered with more than \(2^{50}\) users (or keys). As DRACO’s IV length is smaller than its key length, it is vulnerable to the TMDTO key recovery attack. The resulting attack has a time and memory complexity of \(2^{112}\) each, which means DRACO does not provide 128-bit security in the multi-user setting.


Updated: 2023-10-08