Paper 2015/231

A Related-Key Chosen-IV Distinguishing Attack on Full Sprout Stream Cipher

Yonglin Hao

Abstract

Sprout is a new lightweight stream cipher proposed at FSE 2015. According to its designers, Sprout can resist time-memory-data trade-off (TMDTO) attacks with small internal state size. However, we find a weakness in the updating functions of Sprout and propose a related-key chosen-IV distinguishing attacks on full Sprout. Under the related-key setting, our attacks enable the adversary to detect non-randomness on full 320-round Sprout with a practical complexity of $\tilde{O}(2^4)$ and find collisions in 256 output bits of full Sprout with a complexity of $\tilde{O}(2^7)$. Furthermore, when considering possible remedies, we find that only by modifying the updating functions and output function seems unlikely to equip Sprout with better resistance against this kind of distinguisher. Therefore, it is necessary for designers to give structural modifications.

Metadata
Available format(s)
PDF
Category
Cryptographic protocols
Publication info
Preprint. MAJOR revision.
Keywords
stream cipherSproutdistinguishing attack
Contact author(s)
haoyl14 @ mails tsinghua edu cn
History
2015-03-18: last of 4 revisions
2015-03-12: received
See all versions
Short URL
https://ia.cr/2015/231
License
Creative Commons Attribution
CC BY

BibTeX 

@misc{cryptoeprint:2015/231,
      author = {Yonglin Hao},
      title = {A Related-Key Chosen-{IV} Distinguishing Attack on Full Sprout Stream Cipher},
      howpublished = {Cryptology {ePrint} Archive, Paper 2015/231},
      year = {2015},
      url = {https://eprint.iacr.org/2015/231}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.