Paper 2015/289

Practical Cryptanalysis of Full Sprout with TMD Tradeoff Attacks

Muhammed F. Esgin and Orhun Kara

Abstract

The internal state size of a stream cipher is supposed to be at least twice the key length to provide resistance against the conventional Time-Memory-Data (TMD) tradeoff attacks. This well adopted security criterion seems to be one of the main obstacles in designing, particularly, ultra lightweight stream ciphers. At FSE 2015, Armknecht and Mikhalev proposed an elegant design philosophy for stream ciphers as fixing the key and dividing the internal states into equivalence classes where any two different keys always produce non-equivalent internal states. The main concern in the design philosophy is to decrease the internal state size without compromising the security against TMD tradeoff attacks. If the number of equivalence classes is more than the cardinality of the key space, then the cipher is expected to be resistant against TMD tradeoff attacks even though the internal state (except the fixed key) is of fairly small length. Moreover, Armknecht and Mikhalev presented a new design, which they call Sprout, to embody their philosophy. In this work, ironically, we mount a TMD tradeoff attack on Sprout within practical limits using $2^d$ output bits in $2^{71-d}$ encryptions of Sprout along with $2^{d}$ table lookups. The memory complexity is $2^{86-d}$ where $d\leq 40$. In one instance, it is possible to recover the key in $2^{31}$ encryptions and $2^{40}$ table lookups if we have $2^{40}$ bits of keystream output by using tables of 770 Terabytes in total. The offline phase of preparing the tables consists of solving roughly $2^{41.3}$ systems of linear equations with 20 unknowns and an effort of about $2^{35}$ encryptions. Furthermore, we mount a guess-and-determine attack having a complexity about $2^{68}$ encryptions with negligible data and memory. We have verified our attacks by conducting several experiments. Our results show that Sprout can be practically broken.

Metadata
Available format(s)
PDF
Publication info
Published elsewhere. Selected Areas in Cryptography (SAC) 2015
Keywords
Stream ciphersCryptanalysisTime-Memory-Data TradeoffSprout
Contact author(s)
muhammedgs @ gmail com
History
2015-09-28: revised
2015-04-01: received
See all versions
Short URL
https://ia.cr/2015/289
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2015/289,
      author = {Muhammed F.  Esgin and Orhun Kara},
      title = {Practical Cryptanalysis of Full Sprout with TMD Tradeoff Attacks},
      howpublished = {Cryptology ePrint Archive, Paper 2015/289},
      year = {2015},
      note = {\url{https://eprint.iacr.org/2015/289}},
      url = {https://eprint.iacr.org/2015/289}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.