[go: up one dir, main page]
More Web Proxy on the site http://driver.im/
Skip to main content

Some Results on Sprout

  • Conference paper
  • First Online:
Progress in Cryptology -- INDOCRYPT 2015 (INDOCRYPT 2015)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 9462))

Included in the following conference series:

Abstract

Sprout is a lightweight stream cipher proposed by Armknecht and Mikhalev at FSE 2015. It has a Grain-like structure with two state Registers of size 40 bits each, which is exactly half the state size of Grain v1. In spite of this, the cipher does not appear to lose in security against generic Time-Memory-Data Tradeoff attacks due to the novelty of its design. In this paper, we first present improved results on Key Recovery with partial knowledge of the internal state. We show that if 50 of the 80 bits of the internal state are guessed then the remaining bits along with the secret key can be found in a reasonable time using a SAT solver. Thereafter, we show that it is possible to perform a distinguishing attack on the full Sprout stream cipher in the multiple IV setting using around \(2^{40}\) randomly chosen IVs on an average. The attack requires around \(2^{48}\) bits of memory. Thereafter, we will show that for every secret key, there exist around \(2^{30}\) IVs for which the LFSR used in Sprout enters the all zero state during the keystream generating phase. Using this observation, we will first show that it is possible to enumerate Key-IV pairs that produce keystream bits with period as small as 80. We will then outline a simple key recovery attack that takes time equivalent to \(2^{66.7}\) encryptions with negligible memory requirement. This although is not the best attack reported against this cipher in terms of the time complexity, it is the best in terms of the memory required to perform the attack.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Subscribe and save

Springer+ Basic
£29.99 /Month
  • Get 10 units per month
  • Download Article/Chapter or eBook
  • 1 Unit = 1 Article or 1 Chapter
  • Cancel anytime
Subscribe now

Buy Now

Chapter
GBP 19.95
Price includes VAT (United Kingdom)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
GBP 35.99
Price includes VAT (United Kingdom)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
GBP 44.99
Price includes VAT (United Kingdom)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Similar content being viewed by others

References

  1. The ECRYPT Stream Cipher Project. eSTREAM Portfolio of Stream Ciphers. Accessed on 8 September 2008

    Google Scholar 

  2. Armknecht, F., Mikhalev, V.: On lightweight stream ciphers with shorter internal states. In: Leander, G. (ed.) FSE 2015. LNCS, vol. 9054, pp. 451–470. Springer, Heidelberg (2015)

    Chapter  Google Scholar 

  3. Babbage, S., Dodd, M.: The stream cipher MICKEY 2.0. ECRYPT Stream Cipher Project Report. http://www.ecrypt.eu.org/stream/p3ciphers/mickey/mickey_p3.pdf

  4. Biryukov, A., Shamir, A.: Cryptanalytic time/memory/data tradeoffs for stream ciphers. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, pp. 1–13. Springer, Heidelberg (2000)

    Chapter  Google Scholar 

  5. De Cannière, C., Preneel, B.: TRIVIUM -Specifications. ECRYPT Stream Cipher Project Report. http://www.ecrypt.eu.org/stream/p3ciphers/trivium/trivium_p3.pdf

  6. Esgin, M.F., Kara, O.: Practical Cryptanalysis of Full Sprout with TMD Tradeoff Attacks. To appear in Selected Areas in Cryptography (2015)

    Google Scholar 

  7. Fredricksen, H.: A survey of full length nonlinear shift register cycle algorithms. SIAM Rev. 24(1982), 195–221 (1982)

    Article  MATH  MathSciNet  Google Scholar 

  8. Golomb, S.W.: Shift Register Sequences. Holden-Day Inc., Laguna Hills (1967)

    MATH  Google Scholar 

  9. Hao, Y.: A Related-Key Chosen-IV Distinguishing Attack on Full Sprout Stream Cipher. http://eprint.iacr.org/2015/231.pdf

  10. Lallemand, V., Naya-Plasencia, M.: Cryptanalysis of full Sprout. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9215, pp. 663–682. Springer, Heidelberg (2015)

    Chapter  Google Scholar 

  11. Hell, M., Johansson, T., Meier, W.: Grain - A Stream Cipher for Constrained Environments. ECRYPT Stream Cipher Project Report 2005/001 (2005). http://www.ecrypt.eu.org/stream

  12. Hell, M., Johansson, T., Meier, W.: A stream cipher proposal: Grain-128. In: IEEE International Symposium on Information Theory (ISIT 2006) (2006)

    Google Scholar 

  13. Maitra, S., Sarkar, S., Baksi, A., Dey, P.: Key Recovery from State Information of Sprout: Application to Cryptanalysis and Fault Attack. http://eprint.iacr.org/2015/236.pdf

  14. Sarkar, S., Banik, S., Maitra, S.: Differential Fault Attack against Grain family with very few faults and minimal assumptions. http://eprint.iacr.org/2013/494.pdf

  15. Soos, M.: CryptoMiniSat-2.9.5. http://www.msoos.org/cryptominisat2/

  16. Stein, W.: Sage Mathematics Software. Free Software Foundation Inc. (2009). http://www.sagemath.org. (Open source project initiated by W. Stein and contributed by many)

Download references

Author information

Authors and Affiliations

Authors

Corresponding author

Correspondence to Subhadeep Banik .

Editor information

Editors and Affiliations

Appendix A: Cost of Executing One Round of Sprout [6]

Appendix A: Cost of Executing One Round of Sprout [6]

To do an exhaustive search, first an initialization phase has to be run for 320 rounds, and then generate 80-bits of keystream to do a unique match. However, since each keystream bit generated matches the correct one with probability \(\frac{1}{2}\), \(2^{80}\) keys are tried for 1 clock and roughly half of them are eliminated, \(2^{79}\) for 2 clocks and half of the remaining keys are eliminated, and so on. This means that in the process of brute force search, the probability that for any random key, \((i+1)\) Sprout keystream phase rounds need to be run, is \(\frac{1}{2^i}\). Hence, the expected number of Sprout rounds per trial is

$$\begin{aligned} \sum _{i=0}^{79}\frac{(i+1)2^{80-i}}{2^{80}} = \sum _{i=0}^{79}(i+1)\frac{1}{2^i} \approx 4 \end{aligned}$$

Add to this the 320 rounds in the initialization phase, the average number of Sprout rounds per trial is 324. As a result, we will assume that clocking the registers once will cost roughly \(\frac{1}{320+4} =2^{-8.34}\) encryptions.

Rights and permissions

Reprints and permissions

Copyright information

© 2015 Springer International Publishing Switzerland

About this paper

Cite this paper

Banik, S. (2015). Some Results on Sprout . In: Biryukov, A., Goyal, V. (eds) Progress in Cryptology -- INDOCRYPT 2015. INDOCRYPT 2015. Lecture Notes in Computer Science(), vol 9462. Springer, Cham. https://doi.org/10.1007/978-3-319-26617-6_7

Download citation

  • DOI: https://doi.org/10.1007/978-3-319-26617-6_7

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-26616-9

  • Online ISBN: 978-3-319-26617-6

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics