Practical Cryptanalysis of Full Sprout with TMD Tradeoff Attacks

The internal state size of a stream cipher is supposed to be at least twice the key length to provide resistance against the conventional Time-Memory-Data (TMD) tradeoff attacks. This well-adopted security criterion seems to be one of the main obstacles in designing, in particular, ultra-lightweight stream ciphers. At FSE 2015, Armknecht and Mikhalev proposed an elegant design philosophy for stream ciphers: fix the key and divide the internal states into equivalence classes such that any two different keys always produce non-equivalent internal states. The main concern in this design philosophy is to decrease the internal state size without compromising the security against TMD tradeoff attacks. If the number of equivalence classes is larger than the cardinality of the key space, then the cipher is expected to be resistant against TMD tradeoff attacks even though the internal state, apart from the fixed key, is of fairly small length. Moreover, Armknecht and Mikhalev presented a new design, which they call Sprout, to embody their philosophy. In this work, ironically, we mount a TMD tradeoff attack on Sprout within practical limits using $$2^d$$ output bits in $$2^{71-d}$$ encryptions of Sprout along with $$2^{d}$$ table lookups. The memory complexity is $$2^{86-d}$$, where $$d \le 40$$. In one instance, it is possible to recover the key in $$2^{31}$$ encryptions and $$2^{40}$$ table lookups if we have $$2^{40}$$ bits of keystream output, using tables of 770 Terabytes in total. The offline phase of preparing the tables consists of solving roughly $$2^{41.3}$$ systems of linear equations with 20 unknowns and an effort of about $$2^{35}$$ encryptions. Furthermore, we mount a guess-and-determine attack with a complexity of about $$2^{68}$$ encryptions and negligible data and memory. We have verified our attacks by conducting several experiments. Our results show that Sprout can be practically broken.
