Paper 2022/749

Cryptanalysis of Draco

Subhadeep Banik, Universita della Svizzera Italiana

Draco is a lightweight stream cipher designed by Hamann et al. in IACR ToSC 2022. It has a Grain-like structure with two state registers of size 95 and 33 bits. In addition, the cipher uses a 128-bit secret key and a 96-bit IV. The first 32 bits of the key and the IV forms a non-volatile internal state that does not change during the time that the cipher produces keystream bits. The authors claim that the cipher is provably secure against Time Memory Data (TMD) Tradeoff attacks. However in this paper, we first present two TMD tradeoff attacks against Draco. Both attacks leverage the fact that for certain judiciously chosen IVs, the state update function of the cipher depend on only a small fraction of the non-volatile internal state. This makes the state update function in Draco essentially a one way function over a much smaller domain and range. The first attack requires around $2^{114.2}$ Draco iterations and requires that the adversary has access to $2^{32}$ chosen IVs. The second attack is such that the attack parameters can be tuned as per the requirements of the attacker. If the attacker prioritizes that the number of different chosen IVs is limited to $2^{20}$ say, then the attack can be done in around time proportional to $2^{126}$ Draco rounds. However if the total attack complexity is to be optimized, then the attack can be performed in $2^{107}$ time using around $2^{40}$ chosen IVs.

Available format(s)
Secret-key cryptography
Publication info
Draco Cryptanalysis Stream Cipher
Contact author(s)
subhadeep banik @ protonmail com
2022-06-14: approved
2022-06-11: received
See all versions
Short URL
Creative Commons Attribution


      author = {Subhadeep Banik},
      title = {Cryptanalysis of Draco},
      howpublished = {Cryptology ePrint Archive, Paper 2022/749},
      year = {2022},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.