Paper 2016/207

Fault analysis and weak key-IV attack on Sprout

Dibyendu Roy and Sourav Mukhopadhyay


Armknecht and Mikhalev proposed a new stream cipher, 'Sprout', based on the design specification of the stream cipher Grain-128a. Sprout has a shorter state size than the Grain family and uses a round key function. The output of the round key function is XORed with the feedback bit of the NFSR of the cipher. In this paper, we propose a new fault attack on Sprout by injecting a single-bit fault after the key initialization phase at an arbitrary position of the NFSR of the cipher. By injecting a single-bit fault, we recover the bits of the secret key of the cipher by observing the normal and faulty keystream bits at certain clockings of the cipher. By implementing the attack, we verify our result for one particular case. We also show that Sprout generates the same states for several rounds in the key initialization phase for two different key-IV pairs, which proves that the key initialization round has a very poor period.

Note: There are some minor changes.

Keywords: Boolean function, Sprout, Fault attack, Weak key-IV.
Contact author(s)
dibyendu roy1988 @ gmail com
2016-10-20: last of 2 revisions
2016-02-25: received
Creative Commons Attribution


      author = {Dibyendu Roy and Sourav Mukhopadhyay},
      title = {Fault analysis and weak key-{IV} attack on Sprout},
      howpublished = {Cryptology ePrint Archive, Paper 2016/207},
      year = {2016},
      note = {\url{}},
      url = {}