**Cryptanalysis of Plantlet**

*Subhadeep Banik and Khashayar Barooti and Takanori Isobe*

**Abstract:** Plantlet is a lightweight stream cipher designed by Mikhalev, Armknecht and Müller in IACR ToSC 2017. It has a Grain-like structure with two state registers of size 40 and 61 bits. In spite of this, the cipher does not seem to lose security against generic Time-Memory-Data Tradeoff attacks, due to the novelty of its design. The cipher uses an 80-bit secret key and a 90-bit IV. In this paper, we present a key recovery attack on Plantlet that requires around $2^{76.26}$ Plantlet encryptions. The attack leverages the fact that two internal states of Plantlet that differ only in the 43rd LFSR location are guaranteed to produce keystreams that are either equal or unequal in 45 fixed locations with probability 1. Thus an attacker can guess, with some probability, that when two segments of keystream possess the 45-bit difference just mentioned, they have been produced by two internal states that differ only in the 43rd LFSR location. Thereafter, by solving a system of polynomial equations representing the keystream bits, the attacker can find the secret key if his guess was indeed correct, or reach some kind of contradiction if his guess was incorrect. In the latter event, he would repeat the procedure for other keystream blocks with the given difference. We show that the process, when repeated a finite number of times, does indeed yield the value of the secret key.

**Category / Keywords:** secret-key cryptography / Grain v1, Plantlet, Stream Cipher

**Date:** received 13 Jun 2019

**Contact author:** subhadeep banik at epfl ch

**Available format(s):** PDF | BibTeX Citation

**Version:** 20190613:173950

**Short URL:** ia.cr/2019/702