Practical Cryptanalysis of Full Sprout with TMD Tradeoff Attacks

The internal state size of a stream cipher is supposed to be at least twice the key length to provide resistance against the conventional Time-Memory-Data (TMD) tradeoff attacks. This well adopted security criterion seems to be one of the main obstacles in designing, particularly, ultra lightweight stream ciphers. At FSE 2015, Armknecht and Mikhalev proposed an elegant design philosophy for stream ciphers as fixing the key and dividing the internal states into equivalence classes where any two different keys always produce non-equivalent internal states. The main concern in the design philosophy is to decrease the internal state size without compromising the security against TMD tradeoff attacks. If the number of equivalence classes is more than the cardinality of the key space, then the cipher is expected to be resistant against TMD tradeoff attacks even though the internal state (except the fixed key) is of fairly small length. Moreover, Armknecht and Mikhalev presented a new design, which they call Sprout, to embody their philosophy. In this work, ironically, we mount a TMD tradeoff attack on Sprout within practical limits using 2 output bits in 271−d encryptions of Sprout along with 2 table lookups. The memory complexity is 286−d where d ≤ 40. In one instance, it is possible to recover the key in 2 encryptions and 2 table lookups if we have 2 bits of keystream output by using tables of 770 Terabytes in total. The offline phase of preparing the tables consists of solving roughly 2 systems of linear equations with 20 unknowns and an effort of about 2 encryptions. Furthermore, we mount a guess-and-determine attack having a complexity about 2 encryptions with negligible data and memory. We have verified our attacks by conducting several experiments. Our results show that Sprout can be practically broken.