Keywords

1 Introduction

Lightweight stream ciphers have become immensely popular in the cryptological research community, since the advent of the eStream project [1]. The three hardware finalists included in the final portfolio of eStream i.e. Grain v1 [11], Trivium [5] and MICKEY 2.0 [3], all use bitwise shift registers to generate keystream bits. After the design of Grain v1 was proposed, two other members Grain-128 [12] and Grain-128a were added to the Grain family mainly with an objective to provide a larger security margin and include the functionality of message authentication respectively. In FSE 2015, Armknecht and Mikhalev proposed the Grain-like stream cipher Sprout [2] with a startling trend: the size of its internal state of Sprout was equal to the size of its Key. After the publication of [4], it is widely accepted that to be secure against generic Time-Memory-Data tradeoff attacks, the internal state of a stream cipher must be atleast twice the size of the secret key. However the novelty of the Sprout design ensured that the cipher remained secure against generic TMD tradeoffs. The smaller internal state makes the cipher particularly attractive for compact lightweight implementations.

1.1 Previous Attacks on Sprout

To the best of our knowledge, four attacks have been reported against Sprout. We present a summary of these attacks:

  • In [9], a related Key-chosen IV distinguisher is reported against Sprout. Let KV denote a Key-IV pair and let \(K^\prime \) denote K with the first bit flipped and similarly let \(V^\prime \) denote V with the first bit flipped. Then it is easy to see that the probability that the first 80n keystream bits produced by KV and \(K^\prime ,V^\prime \) are equal is given by \(\frac{1}{8\cdot 2^n}\).

  • In [13], a fault attack against Sprout is presented. Another attack based on solving a system of non-linear equations by a SAT solver is also presented. The authors guess the values of 54 out of the 80 bits of the internal state. The remaining 106 unknowns, i.e. the remaining 26 internal state bits and the 80 Key bits are found as follows. The authors use the first 450 keystream bits produced by the cipher to populate a bank of non-linear equations in the unknown variables. The resulting system is solved via a SAT solver in around 77 s on average on a system running on a 1.83 GHz processor and 4 GB RAM. The SAT solver on an average returns 6.6 candidate Keys. Thus the authors argue that their findings amount to an attack on Sprout in \(2^{54}\) attempts, since 54 bits are initially guessed in this process. However, the authors do not discuss the computational complexity associated with one attempt at solution by a SAT solver. If one can perform around \(2^{e}\) Sprout encryptions in 77 s, then in terms of number of encryptions performed, the attack takes time equivalent to \(6.6 \times 2^{54} \times 2^{e}\) encryptions which is more than \(2^{80}\) if \(e>23\) (which may be achievable with a good implementation of the cipher), and so it is not certain that the work in [13] translates to a feasible attack on Sprout.

  • In [10], a list merging technique is employed to determine the internal state and secret key of Sprout that is faster than exhaustive search by \(2^{10}\). The attack has a memory complexity of \(2^{46}\) bits.

  • In [6], a TMD tradeoff attack is outlined using an online time complexity of \(2^{33}\) encryptions and 770 TB of memory. The paper first observes that it is easy to deduce the secret key from the knowledge of the internal state and the keystream. The paper then makes an observation on special states of Sprout that produce keystream without the involvement of the secret key. A method to generate and store such states in tables is first outlined. The online stage consists of inspecting keystream bits, retrieving the corresponding state from the table, assuming of course that the state in question is a special state, and then computing the secret key. The process, if repeated a certain number of times, guarantees that a special state is encountered, from where the correct secret key is found.

1.2 Contribution and Organization of the Paper

We summarize the contributions in this paper as follows:

  • 1. In Sect. 2, we present the mathematical description of the Sprout stream cipher.

  • 2. In Sect. 3, we show that by guessing 50 out of the 80 bits of the internal state, one can determine the remaining bits of the state and the secret key by using a SAT solver. This improves the results presented in [13], but due to reasons mentioned earlier, this does not necessarily amount to cryptanalysis of the cipher.

  • 3. In Sect. 4, we show that it is possible to find two IVs for every secret key that generate 80-bit shifted keystream sequences. Making use of this result we mount a distinguishing attack on Sprout using keystream bits from around \(2^{40}\) randomly chosen IVs, and a memory complexity of around \(2^{48}\) bits. We also show that the time complexity of this attack can be reduced at the cost of more memory.

  • 4. Finally in Sect. 5, we observe that for every secret key there exist around \(2^{30}\) IVs that result in the LFSR landing in the all zero state during the keystream generating phase. Based on this observation, we first show how it is possible to find Key-IV pairs that generate keystream sequences with period as small as 80. Thereafter, we mount a simple key recovery attack that requires time equivalent to \(2^{66.7}\) encryptions and negligible memory.

  • 5. In Sect. 6, we conclude the paper by making some wider observations about Sprout and some possible solutions towards making it resistant to the aforementioned cryptanalytic advances.

A summary of the results obtained in this paper with respect to the previous attacks on Sprout is presented in Table 1.

Table 1. Summary of attacks on Sprout
Full size table
Fig. 1.
figure 1

Block diagram of Sprout

Full size image

2 Description of Sprout

The exact structure of Sprout is explained in Fig. 1. It consists of a 40-bit LFSR and a 40-bit NFSR. Certain bits of both the shift registers are taken as inputs to a combining Boolean function, whence the keystream is produced. The keystream is produced after performing the following steps:

  • Initialization Phase: The cipher uses an 80 bit Key and a 70 bit IV. The first 40 most significant bits of the IV is loaded on to the NFSR and the remaining IV bits are loaded on to the first 30 most significant bits of the LFSR. The last 10 bits of the LFSR are initialized with the constant 0x3fe, i.e. the string of nine \(1^\prime \)s followed by a 0. Let \(L_t = [l_t,l_{t+1},\ldots ,l_{t+39}] \) and \(N_t = [n_t,n_{t+1},\ldots ,n_{t+39}]\) be the 40-bit vectors that denote respectively LFSR and NFSR states at the \(t^{th}\) clock interval. During the initialization phase, the registers are updated as follows.

    • (a) In the first 320 rounds (i.e. \(0\le t \le 319\)) of the initialization phase the cipher produces the keystream bit \(z_t\) which is not produced as output. This is computed as

      $$\begin{aligned} z_t = l_{t+30} + \sum _{i \in \mathcal {A}} n_{t+i} + h(N_t,L_t). \end{aligned}$$

      where \(\mathcal {A} =\{1,6,15,17,23,28,34\}\) and \(h(N_t,L_t)= n_{t+4} l_{t+6} + l_{t+8} l_{t+10} + l_{t+32} l_{t+17} + l_{t+19} l_{t+23} + n_{t+4} l_{t+32} n_{t+38}\).

    • (b) The LFSR updates as \(l_{t+40} = z_t+ f(L_t)\), where

      $$\begin{aligned} f(L_t)= l_t +l_{t+5} +l_{t+15}+l_{t+20}+l_{t+25}+l_{t+34}. \end{aligned}$$

    • (c) The NFSR updates as \(n_{t+40} = z_t+ g(N_t)+c_t^4 +k_t^* +l_0^t\), where \(c_t^4\) denotes the \(4^{th}\) LSB of the modulo 80 up-counter which starts at \(t=0\), \(k_t^*\) is the output of the Round Key function defined as:

      $$\begin{aligned} k_t^* = \left\{ \begin{array}{ll} K_{t \text { mod }80}, &{} \text{ if } t<80,\\ K_{t \text { mod }80}\cdot (l_{t+4}+l_{t+21}+l_{t+37}+n_{t+9}+n_{t+20}+n_{t+29}), &{} \text{ otherwise. } \end{array} \right. \end{aligned}$$

      Here \(K_i\) simply denotes the \(i^{th}\) bit of the secret key. The non-linear function \(g(N_t)\) is given as:

      $$\begin{aligned} \begin{aligned} g(N_t)=&~ n_{t+0}+n_{t+13}+n_{t+19}+n_{t+35}+n_{t+39}+ n_{t+2} n_{t+25} + n_{t+3} n_{t+5} + \\&~ n_{t+7} n_{t+8} + n_{t+14} n_{t+21} + n_{t+16} n_{t+18}+ n_{t+22} n_{t+24} + n_{t+26} n_{t+32} +\\ {}&~ n_{t+33} n_{t+36} n_{t+37} n_{t+38} +n_{t+10} n_{t+11} n_{t+12}+ n_{t+27} n_{t+30} n_{t+31}. \end{aligned} \end{aligned}$$

  • Keystream Phase: After the initialization phase is completed, the cipher discontinues the feedback of the keystream bit \(z_t\) to the update functions of the NFSR and LFSR and makes it available as the output bit. During this phase, the LFSR and NFSR update themselves as \(l_{t+40}= f(L_t)\) and \(n_{t+40} =g(N_t)+c_t^4 +k_t^* +l_0^t\) respectively.

3 Key Recovery from Partial Knowledge of State

In [13], results were presented pertaining to the recovery of the secret key with partial knowledge of the state. The authors claimed that if all the NFSR bits are known and 14 bits of the LFSR are also known then by using the algebraic equations resulting from the first 450 keystream bits, the keyspace can be reduced to a set of 6.6 candidates on average, by solving the equations through a SAT solver. It was also mentioned that the solver took around 77 s on average to solve the system. Although this does not necessarily lead to an attack, we show in this section that it is possible to propose a better algorithm. Before proceeding we present a brief outline of the algorithm used in [13]:

  1. 1.

    Assume that the entire NFSR state and around m bits of the LFSR are known just after the completion of the key initialization phase. Let us label the time index as \(t=0\) at this instant. The remaining \(40-m\) bits of the LFSR and the 80 bits of the secret key are unknown at this point. The vectors \(L_t=[l_t,l_{t+1},\ldots ,l_{t+39}]\) and \(N_t=[n_t,n_{t+1},\ldots ,n_{t+39}].\) So initially it is assumed that \(N_0\) is completely known and \(L_0\) is known partially.

  2. 2.

    For \(t=0\) to \(N_r-1\) do

    • \(\bullet \) Introduce two new unknowns \(l_{40+t}, n_{40+t}\) defined as \(l_{40+t}= f(L_t)\) and \(n_{40+t}= g(N_t) + c_t^4 +k_t^*+l_t\).

    • \(\bullet \) Form the keystream equation \( z_t = l_{t+30} + n_{t+4} l_{t+6} + l_{t+8} l_{t+10} + l_{t+32} l_{t+17} + l_{t+19} l_{t+23} + n_{t+4} l_{t+32} n_{t+38}+\sum _{i \in \mathcal {A}} n_{t+i}.\)

  3. 3.

    After forming the above bank of \(3N_r\) equations, pass them to a SAT solver.

The authors of [13] claimed that for \(m=14, ~N_r=450\), the SAT solver was able to narrow down the set of candidate secret keys to 6.6 on average in around 77 s.

3.1 A Few Observations

The ease with which a SAT solver is able to solve a given bank of equations depends on the algebraic degree of the equations so formed [14]. It is clear that the algebraic degree of \(z_t\) with respect to the unknowns in \(L_0\) and the secret key increases for increasing t. It is also known that, if the key is known, then the state update during both the keystream phase and the initialization phase are one-to-one and invertible. Indeed, rewriting the functions f,  g as \(f(L_t)=l_t+f^\prime (L^\prime _t)\) and \(g(N_t)=n_t+g^\prime (N^\prime _t)\) (here \(L^\prime _t=[l_{t+1},l_{t+2},\ldots , l_{t+39}]\) and \(N^\prime _t=[n_{t+1},n_{t+2},\ldots ,n_{t+39}]\), then if \(L_t,~N_t\) denote the state at time t, then \(L_{t-1}\) is given as \([l_{t-1},l_{t},\ldots ,l_{t+38}]\) where \( l_{t-1}= l_{t+39} + f^\prime (L^\prime _{t-1}) \), and since \(L^\prime _{t-1}\) is a subset of \(L_t\), we can see that \(L_{t-1}\) is completely defined by \(L_t\). Similarly \(N_{t-1}=[n_{t-1},n_{t},\ldots ,n_{t+38}]\) where

$$\begin{aligned} n_{t-1}= n_{t+39}+ l_{t-1}+k_{t-1}^*+c_{t-1}^4+g^\prime (N^\prime _{t-1}). \end{aligned}$$

Here too since \(N^\prime _{t-1} \subset N_t\), the previous state \(N_{t-1}\) is completely defined by \(L_t,N_t\). Keeping this in mind, we formulate the following strategy for key recovery from the partial knowledge of state.

  1. 1.

    We assume that at \(t=320\), all the bits of \(N_{320}\) and the first m bits of \(L_{320}\) are known. Thereafter, we do the following:

  2. 2.

    For \(t=0\) to 319 do

    • \(\bullet \) Introduce two new unknowns \(l_{360+t}, n_{360+t}\) defined as \(l_{360+t}= f(L_{t+320})\) and \(n_{360+t}= g(N_{t+320}) + c_{t+320}^4 +k_{t+320}^*+l_{t+320}\).

    • \(\bullet \) Form the keystream equation

      $$\begin{aligned} z_{t+320} = l_{t+350} + \sum _{i \in \mathcal {A}} n_{t+320+i} +h(N_{t+320},L_{t+320}). \end{aligned}$$
  3. 3.

    We now take help of the keystream generated before \(t=320\)

  4. 4.

    For \(t=320\) to 1 do

    • \(\bullet \) Introduce two new unknowns \(l_{t-1}, n_{t-1}\) defined as \(l_{t-1}= l_{t+39} + f^\prime (L^\prime _{t-1})\) and \(n_{t-1}= n_{t+39}+ l_{t-1}+k_{t-1}^*+c_{t-1}^4+g^\prime (N^\prime _{t-1}).\)

    • \(\bullet \) Form the keystream equation

      $$\begin{aligned} z_{t-1} = l_{t+29} + \sum _{i \in \mathcal {A}} n_{t-1+i} +h(N_{t-1},L_{t-1}). \end{aligned}$$
  5. 5.

    After preparing this bank of \(320*3*2=1920\) equations, we forward it to a SAT Solver.

Since the algebraic degrees of \(z_{320+t}\) and \(z_{320-t}\) are expected to be the same with respect to the unknowns in \(L_{320}\) and the secret key, we achieve the dual purpose of populating our bank of equations with more entries and at the same time control the algebraic degree of the equations to some extent. We performed the experiments with Cryptominisat 2.9.5 [15] solver installed with the SAGE 5.7 [16] computer algebra system on a computer with a 2.1 GHz CPU and 16 GB memory. For \(m=10\), (after guessing 50 bits of the internal state), we were able to find the remaining bits of the state and the correct secret key in around 31 s on average.

4 A Distinguishing Attack

Before we get into details of the distinguisher, let us revisit a few facts about Sprout. We have already shown that if the secret key is known, then the state updates in both the keystream and initialization phases are one-to-one and efficiently invertible. Before proceeding, we give a formal algorithmic description of the state update inversion routines in the keystream and initialization phases, as per the observations in Sect. 3.1. We denote the algorithms by KS \(^{-1}\)and Init \(^{-1}\)respectively.

figure a

We will use the above subroutines to generate Key-IV pairs that generate 80-bit shifted keystream sequences. To do that we follow the following steps:

  1. 1.

    Fix the secret key K to some constant in \(\{0,1\}^{80}\)

  2. 2.

    Fix Success \(\leftarrow 0\)

  3. 3.

    Do the following till Success =1

    • \(\bullet \) Select randomly.

    • \(\bullet \) Assign \(N_0 \longleftarrow [s_0,s_1,\ldots ,s_{39}]\), \(L_0 \longleftarrow [s_{40},s_{41},\ldots ,s_{79}]\)

    • \(\bullet \) Run Init \(^{-1}\)over \(N_0,L_0\) for 320 rounds and store the result as

      $$\begin{aligned} \mathbf {U}=[u_0,u_1,\ldots , u_{79}]. \end{aligned}$$

    • \(\bullet \) Assign \(N_{80} \longleftarrow [s_0,s_1,\ldots ,s_{39}]\), \(L_{80} \longleftarrow [s_{40},s_{41},\ldots ,s_{79}]\)

    • \(\bullet \) Run KS \(^{-1}\)over \(N_{80},L_{80}\) for 80 rounds, followed by Init \(^{-1}\)for 320 rounds.

    • \(\bullet \) Store the result as \(\mathbf {V}=[v_0,v_1,\ldots , v_{79}]\).

    • \(\bullet \) If \(u_{70}=u_{71}=\cdots =u_{78} = v_{70}=v_{71}=\cdots =v_{78}=1\) and \(u_{79}=v_{79}=0\) then Success =1.

The above algorithm fixes the secret key K, and randomly chooses a state \(\mathbf {S}\) and assumes that for two different IVs \(V_1,V_2\), the state in the \(0^{th}\) round of the keystream phase for \((K,V_1)\) and the \(80^{th}\) round of the keystream phase for \((K,V_2)\) are both equal to \(\mathbf {S}\). The algorithm then performs the state inversion routines in each case and tries to find \(V_1\) and \(V_2\). A Success occurs when the last 10 bits of both \(\mathbf {U,~V}\) are equal to the padding 0x3fe used in Sprout. In that case \(V_1=[u_0,u_1,\ldots ,u_{69}]\) and \(V_2=[v_0,v_1,\ldots ,v_{69}]\) produces exactly 80-bit shifted keystream sequences for the key K. Of course, a Success requires 20 bit conditions to be fulfilled and assuming that \(\mathbf {U,V}\) are i.i.d, each iteration of the above algorithm has a success probability of \(2^{-20}\) for any randomly selected \(\mathbf {S}\). So running the iteration \(2^{20}\) times guarantees one Success on average. By running the above algorithm we were able to obtain several Key-IV pairs that generates 80 bit shifted keystream sequences, which we tabulate in Table 2. Note that the above method can not be used to find Key-IV pairs that generate keystream bits of shift other than multiples of 80. This is because Sprout employs a counter whose 4th LSB is used to update the NFSR. The counter resets after every 80 rounds and so any analysis involving the self-similarity of the initialization phase must be done at intervals of multiples of 80.

Table 2. Key-IV pairs that produce 80 bit shifted keystream bits. (Note that the first hex character in \(V_1,V_2\) encodes the first 2 IV bits, the remaining 17 hex characters encode bits 3 to 70)
Full size table

Note that it is possible to generate such a Key-IV pair in \(2^{10}\) attempts instead of \(2^{20}\), if instead of choosing \(\mathbf {S}\), we first choose \(K,V_1\) randomly, run the forward initialization algorithm to generate \(\mathbf {S}\), and then assume that \(\mathbf {S}\) is the \(80^{th}\) keystream phase state for some \(K,V_2\) and thereafter run 80 rounds of KS \(^{-1}\)and 320 rounds of Init \(^{-1}\)to generate \(\mathbf {V}\). In such a case, Success would be dependent on only the last 10 bits of \(\mathbf {V}\) and hence expected once in \(2^{10}\) attempts. However we present the first algorithm in order to better explain the distinguishing attack.

4.1 The Distinguisher

In the above algorithm for finding Key-IV pairs that generate shifted keystream sequences, once the key is fixed, a Success is expected every \(2^{20}\) attempts and since there are \(2^{80}\) ways of choosing \(\mathbf {S}\), this implies that for every Key K, there exist \(2^{80-20}=2^{60}\) IV pairs \(V_1,V_2\) such that the key-IV pairs \((K,V_1)\) and \((K,V_2)\) produce exactly 80-bit shifted keystream sequences. So our distinguisher is as follows

  1. 1.

    Generate around 240 keystream bits for the unknown Key K and some randomly generated Initial Vector V.

  2. 2.

    Store the keystream bits in some appropriate data structure like a Binary Search Tree.

  3. 3.

    Continue the above steps with more randomly generated IVs V till we obtain two Initial Vectors for K that generate 80-bit shifted keystream.

The only question now remains how many random Initial Vectors do we need to try before we get a match. The answer will become clearer if (for a fixed K) we imagine the space of Initial Vectors as an undirected Graph \(G=(W,E)\), where \(W = \{0,1\}^{70}\) is the Vertex set which contains all the possible 70 bit Initial vector values as nodes. An edge \((V_1,V_2) \in E\) if and only if \((K,V_1)\) and \((K,V_2)\) produce 80-bit shifted keystream sequence. From the above discussion, it is clear that the cardinality of E is expected to be \(2^{60}\). When we run the Distinguisher algorithm for N different Initial Vectors, we effectively add \(\left( {\begin{array}{c}N\\ 2\end{array}}\right) \) edges to the coverage and a match occurs when one of these edges is actually a member of the Edge-set E. Since there are potentially \(\left( {\begin{array}{c}2^{70}\\ 2\end{array}}\right) \) edges in the IV space, by the Birthday bound, a match will occur when the product of \(\left( {\begin{array}{c}N\\ 2\end{array}}\right) \) and the cardinality of E which is around \(2^{60}\) is equal to \(\left( {\begin{array}{c}2^{70}\\ 2\end{array}}\right) \). From this equation solving for N, we get \(N \approx 2^{40}\). This gives a bound for the time and memory complexity of the Distinguisher. The time complexity is around \(2^{40}\) encryptions, and the memory required is of the order of \(2^{40}*240\approx 2^{48}\) bits.

In general for Sprout like structures that have an n bit LFSR and NFSR with a 2n-bit secret key and \(2n-\varDelta \) bit IV (for some \(\varDelta >0\)), the above equation boils down to

$$\begin{aligned}\left( {\begin{array}{c}N\\ 2\end{array}}\right) * 2^{2n-2\varDelta }= \left( {\begin{array}{c}2^{2n-\varDelta }\\ 2\end{array}}\right) .\end{aligned}$$

Solving this equation gives \(N \approx 2^n\). In order to verify our theoretical results, we performed experiments on smaller versions of Sprout with \(n=8,9,10,11\) to find the expected value of N in each case. The results have been tabulated in Table 3.

Table 3. Experimental values of N for smaller versions of Sprout
Full size table

Decreasing the Time Complexity: So far we have been restricting ourselves to 80-bit shifts of keystream sequences. We could easily consider shifts of the form \(80*P\) where P can be any positive integer. The algorithm to find two Initial Vectors \(V_1, V_2\) for any Key K that generates \(80 *P\)-bit shifted keystream sequence is not very different from the one which finds IVs that generate 80-bit shifted keystream. We present the explicit form of the algorithm for convenience.

  1. 1.

    Fix the secret key K to some constant in \(\{0,1\}^{80}\)

  2. 2.

    Fix Success \(\leftarrow 0\)

  3. 3.

    Do the following till Success =1

    • \(\bullet \) Select randomly.

    • \(\bullet \) Assign \(N_0 \longleftarrow [s_0,s_1,\ldots ,s_{39}]\), \(L_0 \longleftarrow [s_{40},s_{41},\ldots ,s_{79}]\)

    • \(\bullet \) Run Init \(^{-1}\)over \(N_0,L_0\) for 320 rounds and store the result as \(\mathbf {U}=[u_0,u_1,\ldots , u_{79}]\).

    • \(\bullet \) Assign \(N_{80* P} \longleftarrow [s_0,s_1,\ldots ,s_{39}]\), \(L_{80* P} \longleftarrow [s_{40},s_{41},\ldots ,s_{79}]\)

    • \(\bullet \) Run KS \(^{-1}\)over \(N_{80*P},L_{80*P}\) for \(80*P\) rounds, followed by Init \(^{-1}\)for 320 rounds.

    • \(\bullet \) Store the result as \(\mathbf {V}=[v_0,v_1,\ldots , v_{79}]\).

    • \(\bullet \) If \(u_{70}=u_{71}=\cdots =u_{78} = v_{70}=v_{71}=\cdots =v_{78}=1\) and \(u_{79}=v_{79}=0\) then Success =1.

The only change is that we assume that \(\mathbf {S}\) is the round 0 state for some \(K,V_1\) and the round \(80*P\) state for some \(K,V_2\). We perform the inversion operations accordingly and look for a Success. Arguing just as before, we can say that, for any fixed K and P, there exist \(2^{60}\) IV pairs that generate \(80*P\)-bit shifted keystream Sequences. So we redefine our Distinguishing attack as follows:

  1. 1.

    Generate around \(80*P\) keystream bits for the unknown Key K and some randomly generated Initial Vector V.

  2. 2.

    Store the keystream bits in some appropriate data structure like a Binary Search Tree.

  3. 3.

    Continue the above steps with more randomly generated IVs V till we obtain two Initial Vectors for K that generate \(80*i\)-bit shifted keystream for some \(1\le i \le P\).

We can calculate the expected number of attempts N before we get a match as follows. Redefine the undirected graph \(G=(W,E)\), where \(W = \{0,1\}^{70}\) is the Vertex set which contains all the possible 70 bit Initial vector values as nodes. An edge \((V_1,V_2) \in E\) if and only if \((K,V_1)\) and \((K,V_2)\) produce \(80*i\)-bit shifted keystream sequence for some \(0 \le i \le P\). The expected cardinality of E is approximately \(P * 2^{60}\). Again choosing N Initial Vectors adds \(\left( {\begin{array}{c}N\\ 2\end{array}}\right) \) edges to the coverage and so the required value of N is given by \(\left( {\begin{array}{c}N\\ 2\end{array}}\right) * P * 2^{60}=\left( {\begin{array}{c}2^{70}\\ 2\end{array}}\right) \Rightarrow N \approx \frac{2^{40}}{\sqrt{P}}\). This implies that the time complexity can be reduced to \(\frac{2^{40}}{\sqrt{P}}\) encryptions with the memory complexity at \(80*P*2^{40}\) bits. For \(P=2^{10}\) say, this results in a time complexity of \(2^{35}\) encryptions and memory of \(2^{57}\) bits.

5 A Key Recovery Attack

We make another observation to begin this section. During the keystream phase, the LFSR pretty much runs autonomously. Which means that if after the initialization phase, the LFSR lands on the all zero state then it remains in this state for the remainder of the keystream phase, i.e. if \(L_0=\mathbf {0}\), then \(L_t=\mathbf {0}\) for all \(t>0\). Assuming uniform distribution of \(L_0\), we can argue that for every Key K, this event occurs for \(2^{-40}\) fraction of IVs on average. So for each K, there exists on an average \(2^{70-40}=2^{30}\) IVs which lead to an all zero LFSR after the initialization phase. We shall see two implications of this event.

5.1 Keystream with Period 80

Now once the LFSR enters the all zero state the NFSR runs autonomously. Since the NFSR is a finite state machine of 40 bits only, we can always expect keystream of period less than \(80*2^{40}\), once the LFSR becomes all zero. Hence for every Key, we expect to find \(2^{30}\) Initial vectors that produce keystream sequences of less than \(80*2^{40}\). With some effort, we can even find Key-IV pairs that produce keystream with period 80. We will take help of SAT solvers for his. The procedure may be outlined as follows:

  1. 1.

    Select a Key randomly.

  2. 2.

    Assume \(L_0=[0,0,0,\ldots ,0].\)

  3. 3.

    Assign \(N_0\leftarrow [n_0, n_1,n_2,\ldots ,n_{39}]\), where all the \(n_i\) are unknowns.

  4. 4.

    For \(i = 0\) to 79 do

    • \(\bullet \)   Introduce the unknown \(n_{40+i}\), and add the equation \(n_{40+i}=g(N_i)+c_i^4+k_i^*\) to the equation bank.

  5. 5.

    Add the 40 Equations \(n_i=n_{80+i}\), \(\forall ~i \in [0,39]\) to the equation bank.

  6. 6.

    Pass the equations to the Solver. This effectively asks the solver to solve the vector equation \(N_0=N_{80}\) for the given Key K.

  7. 7.

    If the solver returns the solution \(N_0=[s_0,s_1,\ldots ,s_{39}]\) then run the Init \(^{-1}\)routine 320 times on \(N_0=[s_0,s_1,\ldots ,s_{39}],L_0=[0,0,\ldots ,0] \).

  8. 8.

    Store the result in \(\mathbf {B}=[b_0,b_1,\ldots ,b_{79}]\).

  9. 9.

    If \(b_{70}=b_{71}=\cdots =b_{78}=1\) and \(b_{79}=0\) then Exit else repeat the above steps with another random secret key.

The steps in the above the above algorithm can be summarized as follows. First select a random secret key K. Then assume that the LFSR is all zero after the initialization phase, and fill the corresponding NFSR state with unknowns. We then populate the equation bank accordingly for the first 80 rounds and ask the solver to solve the vector equation \(N_0=N_{80}\), in the unknowns \(n_0,n_1,\ldots ,n_{119}\). If the solver returns the solution \(N_0=[s_0,s_1,\ldots ,s_{39}]\) then \(N_0=[s_0,s_1,\ldots ,s_{39}],L_0=[0,0,\ldots ,0] \) is a valid initial state for the Sprout keystream phase if we can find an IV for the given Key K that results in this state. So we run the Init \(^{-1}\)routine 320 times and obtain the resultant vector \(\mathbf {B}\). Now if the last ten bits of \(\mathbf {B}\) are equal to the 0x3fe pattern used in Sprout, then we can be sure that for the key K and the Initial Vector \(V=[b_0, b_1,\ldots , b_{69}]\), the keystream sequence produced is of period exactly 80 since the same state \(N_0=[s_0,s_1,\ldots ,s_{39}],L_0=[0,0,\ldots ,0] \) will repeat in the keystream phase every 80 iterations. The above process is expected to produce one such Key-IV pair in \(2^{10}\) attempts. Since the above algorithm can be run for \(2^{80}\) values of the secret key, this implies that there exist around \(2^{80-10}=2^{70}\) Key-IV pairs that produce keystream bits period 80. Table 4 lists a few examples of such Key-IV pairs.

Table 4. Key-IV pairs that produce keystream sequence with period 80. (Note that the first hex character in V encodes the first 2 IV bits, the remaining 17 hex characters encode bits 3 to 70)
Full size table

5.2 Application to Key Recovery

It is clear, that for every Key, on average one out of every \(2^{40}\) Initial Vectors lands the LFSR in the all zero state after initialization. In such a situation the algebraic structure of the cipher becomes simpler to analyze. The NFSR update equation becomes

$$\begin{aligned} n_{t+40} = g(N_t) +c_t^4+k_t^*, \end{aligned}$$

where \(k_t^*= K_{t \text { mod }80}\cdot ( n_{t+9}+n_{t+20}+n_{t+29})\) and the output keystream bit is generated as

$$\begin{aligned} z_t =n_{t+1}+n_{t+6}+n_{t+15}+n_{t+17}+n_{t+23}+n_{t+28}+n_{t+34}. \end{aligned}$$

Given such a situation, this greatly simplifies the guess and determine approach of [10] both in terms of time and memory (although only in the multiple IV mode). To explain the attack better let us define \(x_i=n_{i+1}\), for all \(i\ge 0\) and so we have \(N_1=[x_0,x_1,x_2,\ldots ,x_{39}]\). So for \(i=0\) to 6 we have

$$\begin{aligned} z_i = x_{i}+x_{i+5}+x_{i+14}+x_{i+16}+x_{i+22}+x_{i+27}+x_{i+33}. \end{aligned}$$

This means that if the attacker knows that \(L_0=\mathbf {0}\), then the first 7 keystream bits \(z_0,z_1,z_2,\ldots ,z_6\) is dependent on only \(N_1\) and the secret key is not involved directly in the computation. This implies that if the attacker intends to guess \(N_1\) then by observing the first seven keystream bits he can narrow down \(N_1\) to a set of \(2^{33}\) possible candidates in the following way:

  1. 1.

    Guess \(x_0,x_1,x_2,\ldots ,x_{32}\) first. There are \(2^{33}\) possible candidates.

  2. 2.

    Calculate \(x_{i+33} = z_i + x_{i}+x_{i+5}+x_{i+14}+x_{i+16}+x_{i+22}+x_{i+27}\) for \(i=0\) to 6.

For each of these \(2^{33}\) candidates, the attacker proceeds as follows: he calculates \(x_{40}\) from the equation for \(z_7\) as \(x_{40} = z_7 + x_{7}+x_{12}+x_{21}+x_{23}+x_{24}+x_{31}\) and from \(x_{40}\) he calculates \(k_0^*\) as \(k_0^*= x_{40}+ c_0^4+ g(N_1)\). Now we know that \(k_0^*=K_0\cdot (x_{8}+x_{19}+x_{28})\). So if \(k_0^*=0\) and \(x_{8}+x_{19}+x_{28}=0\) then nothing can be deduced. If \(k_0^*=0\) and \(x_{8}+x_{19}+x_{28}=1\) then it can be deduced that \(K_0=0\). If \(k_0^*=1\) and \(x_{8}+x_{19}+x_{28}=1\) then it can be deduced that \(K_0=1\). If \(k_0^*=1\) and \(x_{8}+x_{19}+x_{28}=0\), then a contradiction is reached and it is concluded that the guess for \(N_1\) was incorrect. Thereafter the same procedure with \(x_{41},x_{42} \ldots \) is followed sequentially. We outline the above procedure formally as follows:

  1. 1.

    For Each of the \(2^{33}\) choices of \(N_1\) do the following till a contradiction is arrived at

    • A. Assign \(i\leftarrow 0\)

    • B. Do the following:

      • Calculate \(x_{i+40} = z_{i+7} + x_{i+7}+x_{i+12}+x_{i+21}+x_{i+23}+x_{i+24}+x_{i+31}\)

      • Calculate \(k_{i}^* = x_{i+40} +c_i^4+g(N_{i+1})\)

      • Case 1: \(k_i^*=0\) and \(x_{i+8}+x_{i+19}+x_{i+28}=0\) \(\Rightarrow \) No Deduction

      • Case 2: \(k_i^*=0\) and \(x_{i+8}+x_{i+19}+x_{i+28}=1\) \(\Rightarrow \) If \(K_{i\text { mod }80}\) is not already assigned then assign \(K_{i\text { mod }80} =0\), otherwise if this bit has already been assigned to 0, then we have a contradiction.

      • Case 3: \(k_i^*=1\) and \(x_{i+8}+x_{i+19}+x_{i+28}=1\) \(\Rightarrow \) If \(K_{i\text { mod }80}\) is not already assigned then assign \(K_{i\text { mod }80} =1\), otherwise if this bit has already been assigned to 1, then we have a contradiction.

      • Case 4: \(k_i^*=1\) and \(x_{i+8}+x_{i+19}+x_{i+28}=0\) \(\Rightarrow \) we have a contradiction.

      • If there is a contradiction, then we restart the process with a new guess of \(N_1\).

      • If there is no contradiction then assign \(i\leftarrow i+1\) and repeat the process if the entire secret key has not already been found.

Analysis of Time Complexity: The attacker obtains keystream bits for \(2^{40}\) randomly generated IVs and repeats the above routine for every keystream sequence, till the correct Key is found. For the first 80 rounds, the only way we have a contradiction is when Case 4 occurs, i.e. \(k_i^*=1\) and \(x_{i+8}+x_{i+19}+x_{i+28}=0\). So the probability that any guess for \(N_1\) is eliminated in 1 round itself is \(\frac{1}{4}\), i.e. assuming that the events \(k_i^*=1\) and \(x_{i+8}+x_{i+19}+x_{i+28}=0\) are independently and uniformly distributed. The probability therefore that it takes 2 rounds to eliminate is \(\left( 1-\frac{1}{4}\right) *\frac{1}{4}\). In general, the probability that it takes i steps is roughly \(\left( 1-\frac{1}{4}\right) ^{i-1}*\frac{1}{4}\). Therefore the average number of rounds \(\theta \) that a guess takes to eliminate is given by

$$\begin{aligned} \theta = \sum _{i=1}^\infty \frac{i}{4} * \left( 1-\frac{1}{4}\right) ^{i-1} = 4. \end{aligned}$$

In the analysis we have assumed that the only source of contradiction arises out of Case 4. The actual value of \(\theta \) is hence slightly smaller than 4. The attacker obtains the keystream for some random IV and then tries all the possible \(2^{33}\) guesses. This takes \(\theta \cdot 2^{33}=2^{35}\) steps for any IV that does not lead to \(L_0=\mathbf {0}\). It has already been pointed out in [6], clocking each Sprout step is equivalent to \(2^{-8.34}\) encryptions (a proof is presented in Appendix A). And so for every any IV that does not yield \(L_0=\mathbf {0}\) the total work done is equivalent to \(2^{35-8.34}=2^{26.66}\) encryptions. Now the attacker has to try out around \(2^{40}\) IVs to succeed in getting \(L_0=\mathbf {0}\), and so the total time complexity in this process equals \(2^{40+26.66}=2^{66.66}\) encryptions.

Analysis of Memory Complexity: The memory complexity of the algorithm is surprisingly negligible. Testing each guess of \(N_1\) can be done on the fly and hence the memory complexity is limited to that required to run the loop and store the computed values of the key and the values of the \(x_i\) bits. This is in stark contrast to the \(2^{46}\) bits (8 TB) required in [10] or the 770 TB required in [6]. Thus although, the algorithm that we provide is not the best in terms of time complexity, it is certainly best in terms of memory.

6 Discussion and Conclusion

In this paper we outline a Distinguishing attack and a Key Recovery attack on the Sprout stream cipher. We also present some results on Key Recovery from partial knowledge of the state, shifted keystream sequence producing Key-IV pairs and Key-IV pairs producing keystream sequences with period 80. The key recovery attack that we propose is not the best in terms of time complexity but certainly best in terms of the total memory required. It can be pointed out that the attack in [6] was possible due to the non-linear mixing of the secret key during the keystream phase, i.e. \(k_t^* =K_{t \text { mod }80}\cdot (l_{t+4}+l_{t+21}+l_{t+37}+n_{t+9}+n_{t+20}+n_{t+29})\). This enabled the attacker to identify and generate special internal states that for 40 rounds or so do not involve the secret key bit in the computation of the keystream bit, i.e. those for which \(l_{t+4}+l_{t+21}+l_{t+37}+n_{t+9}+n_{t+20}+n_{t+29}=0\), for 40 consecutive rounds. The attack in [6] would not be directly applicable if the key mixing was linear, for example if \(k_t^*=K_{t\text { mod }80}\). However even if the key mixing were done linearly, all the attacks presented in this paper would still hold. This reiterates the point that when it comes to designing stream ciphers with shorter internal states, the Sprout architecture needs further tweaks. We briefly summarize what could be the possible solutions to the problems in the Sprout architecture:

  • State Size: In order to prevent the key recovery attacks of [10] and this paper, one possible solution could be increasing the state size to 100 bits. The cipher could employ two registers of 50 bits each, which would make the attacks of [10] and this paper worse than a brute force search for the secret key.

  • Use of LFSR: One of the reasons that the 40-bit LFSR (generated by a primitive polynomial) is used in the design, is to guarantee that the resulting keystream has a period which is a multiple \(2^{40}-1\). This is true only when the LFSR is non zero after the initialization phase. However on the rare occasion that the LFSR lands on the all zero state after initialization, it remains in this state for ever, and in the process weakens the algebraic structure of the cipher. One possible solution to this problem is to replace the LFSR with a register that generates a maximal length DeBruijn Sequence [7]. Such an n-bit maximal length producing register cycles through all possible \(2^n\) values, and so will not get stuck at the all zero state. However update functions that produce maximal length sequences are hardware intensive: if \((x_0,x_1,\ldots ,x_{n-1})\) represents the n-bit register, then the update function must contain the term \(x_1\cdot x_2\cdot \cdots x_{n-1}\) [8], and so some extra gate area needs to be used.

  • Reading the IV: Loading the IV on to the register directly is used in ciphers like Grain v1 and Trivium, but for ciphers with shorter internal states this is not a good idea. This helps in (a) Finding Key-IV pairs which produce 80 bit shifted keystream bits, (b) Mounting the Distinguishing attack in Sect. 4, and (c) Finding Key-IV pairs that produce keystream bits with small period. So a different method of reading the IV information into the registers must be found. One possible method could be reading the IV the same way the key is read i.e. bit by bit. For example in rounds \(t=80\) to 149, the IV bit could be included in the update function of the NFSR as

    $$\begin{aligned} n_{t+50} = z_t+ g(N_t)+c_t^4 +\nu _t^* +l_0^t, \end{aligned}$$

    where \(\nu _t^* = IV_{t-80}\).

  • Key Mixing: After the attack of [6] that specifically exploits the non-linear Key mixing used in Sprout, it is quite obvious that the key mixing must be linear to prevent such attacks. Therefore, if the round key bit \(k_t^*=K_{t\text { mod }80}\), then the attack of [6] can be prevented.

Although, the cipher Sprout may have been cryptanalyzed, the idea of designing a stream cipher with shorter internal states is indeed quite fascinating. This does open up a new research discipline in which the scope to experiment could be boundless.