**Some results on Sprout**

*Subhadeep Banik*

**Abstract: **Sprout is a lightweight stream cipher proposed by Armknecht and Mikhalev at FSE 2015. It has a Grain-like structure with two State Registers of size 40 bits each, which is exactly half the state size
of Grain v1. In spite of this, the cipher does not appear to lose in security against generic Time-Memory-Data Tradeoff attacks due to the novelty of its design. In this paper, we first present improved results on Key Recovery with partial knowledge of the internal state. We show that if 50 of the 80 bits of the internal state are guessed then the remaining bits along with the Secret Key can be found in a reasonable time using a SAT solver. Thereafter we show that it is possible to perform a distinguishing attack on the full Sprout stream cipher in the multiple IV setting using around $2^{40}$ randomly chosen IVs on an average. The attack requires around $2^{48}$ bits of memory. Thereafter we will show that for every Secret Key, there exist around $2^{30}$ IVs for which the LFSR used in Sprout enters the all zero state during the Keystream generating phase. Using this observation, we will first show that it is possible to enumerate Key-IV pairs that produce keystream bits with period as small as 80. We will then outline a simple Key recovery attack that takes time equivalent to $2^{66.7}$ encryptions with negligible memory requirement. This although is not the best attack reported against this cipher in terms of the Time complexity, it is the best in terms of the memory required to perform the attack.

**Category / Keywords: **

**Date: **received 11 Apr 2015

**Contact author: **subb at dtu dk

**Available format(s): **PDF | BibTeX Citation

**Version: **20150413:040612 (All versions of this report)

**Short URL: **ia.cr/2015/327

**Discussion forum: **Show discussion | Start new discussion

[ Cryptology ePrint archive ]