**Cryptanalysis of Plantlet**

*Subhadeep Banik and Khashayar Barooti and Takanori Isobe*

**Abstract: **Plantlet is a lightweight stream cipher designed by Mikhalev, Armknecht and M\"{u}ller in \texttt{IACR ToSC} 2017. It has a Grain-like structure with two state registers of size $40$ and $61$ bits. In spite of this, the cipher does not seem to lose in security against generic Time-Memory-Data Tradeoff attacks due to the novelty of its design. The cipher uses a 80-bit secret key and a 90-bit IV.
In this paper, we first present a key recovery attack on Plantlet that requires around $2^{76.26}$ Plantlet encryptions. The attack leverages the fact that two internal states of Plantlet that differ in the 43rd LFSR location are guaranteed to produce keystream that are either equal or unequal in 45 locations with probability 1. Thus an attacker can with some probability guess that when 2 segments of keystream blocks possess the 45 bit difference just mentioned, they have been produced by two internal states that differ only in the 43rd LFSR location. Thereafter by solving a system of polynomial equations representing the keystream bits, the attacker can find the secret key if his guess was indeed correct, or reach some kind of contradiction if his guess was incorrect. In the latter event, he would repeat the procedure for other keystream blocks with the given difference. We show that the process when repeated a finite number of times, does indeed yield the value of the secret key.
In the second part of the paper, we observe that the previous attack was limited to internal state differences that occurred at time instances that were congruent to $0\bmod 80$. We further observe that by generalizing the attack to include internal state differences that are congruent to all equivalence classed modulo 80, we lower the total number of keystream bits required to perform the attack and in the process reduce the attack complexity to $2^{69.98}$ Plantlet encryptions.

**Category / Keywords: **secret-key cryptography / Grain v1, Plantlet, Stream Cipher

**Date: **received 13 Jun 2019, last revised 20 Jul 2019

**Contact author: **subhadeep banik at epfl ch

**Available format(s): **PDF | BibTeX Citation

**Version: **20190721:014817 (All versions of this report)

**Short URL: **ia.cr/2019/702

[ Cryptology ePrint archive ]