Paper 2016/092

Cryptanalysis of the Full Spritz Stream Cipher

Subhadeep Banik and Takanori Isobe

Abstract

Spritz is a stream cipher proposed by Rivest and Schuldt at the rump session of CRYPTO 2014. It is intended as a replacement for the popular RC4 stream cipher. In this paper we propose distinguishing attacks on the full Spritz, based on a short-term bias in the first two bytes of a keystream and a long-term bias in the first two bytes of every cycle of $N$ keystream bytes, where $N$ is the size of the internal permutation. Our attacks are able to distinguish a keystream of the full Spritz from a random sequence with samples of the first two bytes produced by $2^{44.8}$ multiple key-IV pairs, or with $2^{60.8}$ keystream bytes produced by a single key-IV pair. These biases are also useful for plaintext recovery in a broadcast attack. In the second part of the paper, we look at a state recovery attack on Spritz in the special situation in which the cipher enters a class of weak states. We determine the probability of encountering such a state, and demonstrate a state recovery algorithm that betters the $2^{1400}$ step algorithm of Ankele et al. at Latincrypt 2015.

Metadata
Available format(s)
PDF
Category
Secret-key cryptography
Publication info
A minor revision of an IACR publication in FSE 2016
Keywords
RC4, Spritz, stream cipher, short-term bias, long-term bias, distinguishing attack, plaintext recovery attack, state recovery attack
Contact author(s)
subb @ dtu dk
History
2016-02-03: last of 2 revisions
2016-02-02: received
Short URL
https://ia.cr/2016/092
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2016/092,
      author = {Subhadeep Banik and Takanori Isobe},
      title = {Cryptanalysis of the Full Spritz Stream Cipher},
      howpublished = {Cryptology ePrint Archive, Paper 2016/092},
      year = {2016},
      note = {\url{https://eprint.iacr.org/2016/092}},
      url = {https://eprint.iacr.org/2016/092}
}