Cryptology ePrint Archive: Report 2015/231

A Related-Key Chosen-IV Distinguishing Attack on Full Sprout Stream Cipher

Yonglin Hao

Abstract: Sprout is a new lightweight stream cipher proposed at FSE 2015. According to its designers, Sprout can resist time-memory-data trade-off (TMDTO) attacks with small internal state size. However, we find a weakness in the updating functions of Sprout and propose a related-key chosen-IV distinguishing attacks on full Sprout. Under the related-key setting, our attacks enable the adversary to detect non-randomness on full 320-round Sprout with a practical complexity of $\tilde{O}(2^4)$ and find collisions in 256 output bits of full Sprout with a complexity of $\tilde{O}(2^7)$.

Furthermore, when considering possible remedies, we find that only by modifying the updating functions and output function seems unlikely to equip Sprout with better resistance against this kind of distinguisher. Therefore, it is necessary for designers to give structural modifications.

Category / Keywords: cryptographic protocols / stream cipher, Sprout, distinguishing attack

Date: received 11 Mar 2015, last revised 17 Mar 2015

Contact author: haoyl14 at mails tsinghua edu cn

Available format(s): PDF | BibTeX Citation

Version: 20150318:020851 (All versions of this report)

Short URL:

Discussion forum: Show discussion | Start new discussion

[ Cryptology ePrint archive ]