Key Recovery from State Information of Sprout: Application to Cryptanalysis and Fault Attack

Design of secure light-weight stream ciphers is an important area in cryptographic hardware & embedded systems and a very recent design by Armknecht and Mikhalev (FSE 2015) has received serious attention that uses shorter internal state and still claims to resist the time-memory-data-tradeoff (TMDTO) attacks. An instantiation of this design paradigm is the stream cipher named Sprout with 80-bit secret key. In this paper we cryptanalyze the cipher and refute various claims. The designers claim that the secret key of Sprout can not be recovered efficiently from the complete state information using a guess and determine attack. However, in this paper, we show that it is possible with a few hundred bits in practical time. More importantly, from around 850 key-stream bits, complete knowledge of NFSR (40 bits) and a partial knowledge of LFSR (around one third, i.e., 14 bits); we can obtain all the secret key bits. This cryptanalyzes Sprout with 2 attempts (considering constant time complexity required by the SAT solver in each attempt, which is around 1 minute in a laptop). This is less than the exhaustive key search. Further, we show how related ideas can be employed to mount a fault attack against Sprout that requires around 120 faults in random locations (20 faults, if the locations are known), whereas the designers claim that such a fault attack may not be possible. Our cryptanalytic results raise quite a few questions about this design paradigm in general that should be revisited with greater care.

[1]  Sergei P. Skorobogatov Optically Enhanced Position-Locked Power Analysis , 2006, CHES.

[2]  Michal Hojsík,et al.  Floating Fault Analysis of Trivium , 2008, INDOCRYPT.

[3]  Martin Hell,et al.  A New Version of Grain-128 with Authentication , 2011 .

[4]  Martin Hell,et al.  Grain-128a: a new version of Grain-128 with optional authentication , 2011, Int. J. Wirel. Mob. Comput..

[5]  Eli Biham,et al.  Differential Fault Analysis of Secret Key Cryptosystems , 1997, CRYPTO.

[6]  Michal Hojsík,et al.  Differential Fault Analysis of Trivium , 2008, FSE.

[7]  Martin Hell,et al.  A Stream Cipher Proposal: Grain-128 , 2006, 2006 IEEE International Symposium on Information Theory.

[8]  Santanu Sarkar,et al.  Differential Fault Attack against Grain Family with Very Few Faults and Minimal Assumptions , 2015, IEEE Transactions on Computers.

[9]  Eli Biham,et al.  Differential Cryptanalysis in Stream Ciphers , 2007, IACR Cryptol. ePrint Arch..

[10]  Ross J. Anderson,et al.  Optical Fault Induction Attacks , 2002, CHES.

[11]  Santanu Sarkar,et al.  Improved differential fault attack on MICKEY 2.0 , 2015, Journal of Cryptographic Engineering.

[12]  Frederik Armknecht,et al.  On Lightweight Stream Ciphers with Shorter Internal States , 2015, FSE.

[13]  Martin Hell,et al.  Grain: a stream cipher for constrained environments , 2007, Int. J. Wirel. Mob. Comput..

[14]  Santanu Sarkar,et al.  A Differential Fault Attack on the Grain Family of Stream Ciphers , 2012, CHES.

[15]  Richard J. Lipton,et al.  On the Importance of Checking Cryptographic Protocols for Faults (Extended Abstract) , 1997, EUROCRYPT.

[16]  Subhamoy Maitra,et al.  A Differential Fault Attack on MICKEY 2.0 , 2013, CHES.

[17]  Qing Liu,et al.  Fault analysis of Trivium , 2012, Des. Codes Cryptogr..

[18]  Alessandro Barenghi,et al.  Fault Injection Attacks on Cryptographic Devices: Theory, Practice, and Countermeasures , 2012, Proceedings of the IEEE.

[19]  Adi Shamir,et al.  Fault Analysis of Stream Ciphers , 2004, CHES.