Paper 2015/236

Key Recovery from State Information of Sprout: Application to Cryptanalysis and Fault Attack

Subhamoy Maitra, Santanu Sarkar, Anubhab Baksi, and Pramit Dey


Abstract. Design of secure light-weight stream ciphers is an important area in cryptographic hardware & embedded systems and a very recent design by Armknecht and Mikhalev (FSE 2015) has received serious attention that uses shorter internal state and still claims to resist the time-memory-data-tradeoff (TMDTO) attacks. An instantiation of this design paradigm is the stream cipher named Sprout with 80-bit secret key. In this paper we cryptanalyze the cipher and refute various claims. The designers claim that the secret key of Sprout can not be recovered efficiently from the complete state information using a guess and determine attack. However, in this paper, we show that it is possible with a few hundred bits in practical time. More importantly, from around 850 key-stream bits, complete knowledge of NFSR (40 bits) and a partial knowledge of LFSR (around one third, i.e., 14 bits); we can obtain all the secret key bits. This cryptanalyzes Sprout with 2^{54} attempts (considering constant time complexity required by the SAT solver in each attempt, which is around 1 minute in a laptop). This is less than the exhaustive key search. Further, we show how related ideas can be employed to mount a fault attack against Sprout that requires around 120 faults in random locations (20 faults, if the locations are known), whereas the designers claim that such a fault attack may not be possible. Our cryptanalytic results raise quite a few questions about this design paradigm in general that should be revisited with greater care.

Note: This draft is dated March 2, 2015, when it has been submitted to a workshop.

Available format(s)
Secret-key cryptography
Publication info
Preprint. MINOR revision.
CryptanalysisFault AttackKey-streamSproutStream Cipher.
Contact author(s)
subho @ isical ac in
2015-03-13: received
Short URL
Creative Commons Attribution


      author = {Subhamoy Maitra and Santanu Sarkar and Anubhab Baksi and Pramit Dey},
      title = {Key Recovery from State Information of Sprout: Application to Cryptanalysis and Fault Attack},
      howpublished = {Cryptology ePrint Archive, Paper 2015/236},
      year = {2015},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.