On the Data Limitation of Small-State Stream Ciphers: Correlation Attacks on Fruit-80 and Plantlet

Abstract

Many cryptographers have focused on lightweight cryptography, and a huge number of lightweight block ciphers have been proposed. On the other hand, designing lightweight stream ciphers is a challenging task due to the well-known security criteria, i.e., the state size of stream ciphers must be at least twice the key size. The designers of Sprout addressed this issue by involving the secret key not only in the initialization but also in the keystream generation, and the state size of such stream ciphers can be smaller than twice the key size. After the seminal work, some small-state stream ciphers have been proposed such as Fruit, Plantlet, and LIZARD. Unlike conventional stream ciphers, these small-state stream ciphers have the limitation of keystream bits that can be generated from the same key and IV pair. In this paper, our motivation is to show whether the data limitation claimed by the designers is proper or not. The correlation attack is one of the attack methods exploiting many keystream bits generated from the same key and IV pair, and we apply it to Fruit-80 and Plantlet. As a result, we can break the full Fruit-80, i.e., the designers’ data limitation is not sufficient. We can also recover the secret key of Plantlet if it allows about \(2^{53}\) keystream bits from the same key and IV pair.

Appendices

A Correlation of \(g'_t \oplus \langle L^{(t)}, \varLambda \rangle \) on Fruit-80

In this section, we show the detailed method to evaluate the correlation of \(g'_t \oplus \langle L^{(t)}, \varLambda \rangle \). As we already showed in Sect. 4, we first extract independent terms from \(g'_t \oplus \langle L^{(t)}, \varLambda \rangle \) as

where \(g''_t \oplus \langle L^{(t)}, \varLambda ' \rangle \) is the remaining term after extracting the first six lines. Then, there are \(2^{11}\) linear masks \(\varLambda [1,3,4,6,9,13,15,18,22,24,25,34]\) satisfying \(g'_t \oplus \langle \varLambda , L \rangle \approx g''_t \oplus \langle L^{(t)}, \varLambda ' \rangle \) with correlation \(\pm 2^{-6}\).

Our next goal is to evaluate the correlation of \(g''_t \oplus \langle L^{(t)}, \varLambda ' \rangle \), which is described as

where

Here, the indices 44, 45, and 49 exceeds the length of \(\varLambda \), i.e., 43. Therefore, \(\varLambda '[44,45,49]\) are computed by using the feedback function f as

We expand all terms in \(g''_t \oplus \langle L^{(t)}, \varLambda ' \rangle \) as

There are 35 bits in the NFSR and 9 bits in the LFSR in \(g''_t \oplus \langle L^{(t)}, \varLambda ' \rangle \), and the size of involved bits is too large to evaluate the correlation with brute force. Therefore, we decompose this Boolean function into six Boolean functions \(G_1\), \(G_2\), \(G_3\), \(G_4\), \(G_5\), and \(G_6\), i.e., \(g''_t \oplus \langle L^{(t)}, \varLambda ' \rangle = G_1 \oplus G_2 \oplus G_3 \oplus G_4 \oplus G_5 \oplus G_6\).

Six Boolean functions \(G_1\), \(G_2\), \(G_3\), \(G_4\), \(G_5\), and \(G_6\) involve 3, 5, 8, 7, 18, and 20 bits, respectively. These involved bits are independent except for \(n_{t+24}\), \(n_{t+31}\), \(n_{t+33}\), and \(n_{t+36}\), where these four bits are colored by red. Therefore, we compute the conditional correlations of \(G_1\), \(G_2\), \(G_3\), \(G_4\), \(G_5\), and \(G_6\).

Definition 2 (Conditional correlation)

Let G be a Boolean function from n bits to 1 bit, and let x be the input of G. We add a condition for bits \(x_i \in \mathbb {I}\), and these bits are fixed to \(v_i\). Then, the conditional correlation of G is defined as

$$\begin{aligned} \sum _{ x \in \{ \{0,1\}^n, x_i = v_i~\mathrm{for~all}~x_i \in \mathbb {I} \} } (-1)^{G(x)}. \end{aligned}$$

We add conditions for four bits \(n_{t+24}\), \(n_{t+31}\), \(n_{t+33}\), and \(n_{t+36}\). Then, we compute the conditional correlations of the six Boolean functions, and then, compute the conditional correlation of G by using the piling-up lemma. Finally, the correlation of G is computed by summing conditional correlations of G over all conditions.

Table 5. Case that \(\varLambda '[8,17,27,29,30,42,44,45,49] = 000100000\).

Table 5 shows the correlation of G when \(\varLambda '[8,17,27,29,30,42,44,45,49] = 000100000\). Here, note that each conditional correlation must be divided by \(2^{4}\) because we add 4-bit condition. Finally, Table 6 summarizes each correlation, where we picked the case whose absolute values of correlation are greater than \(2^{-18}\).

Table 6. Correlations of \(g''_t \oplus \langle L^{(t)}, \varLambda ' \rangle \).

B Correlation of \(g_t'' \oplus \langle L^{(t)}, \varLambda ' \rangle \) of Plantlet

Similarly to the case of Fruit-80, we compute the correlation of \(g_t'' \oplus \langle L^{(t)}, \varLambda ' \rangle \) of Plantlet. After extracting independent terms from \(g'_t \oplus \langle L^{(t)}, \varLambda \rangle \), \(g''_t \oplus \langle L^{(t)}, \varLambda ' \rangle \) is described as

where

Now, let us expand all terms in \(g''_t \oplus \langle L^{(t)}, \varLambda ' \rangle \) as

There are 46 bits in the NFSR and 6 bits in the LFSR in \(g''_t \oplus \langle L^{(t)}, \varLambda ' \rangle \), and the size of involved bits is too large to evaluate the correlation with brute force. We decompose this Boolean function into four Boolean functions \(G_1\), \(G_2\), \(G_3\), and \(G_4\), i.e., \(g''_t \oplus \langle L^{(t)}, \varLambda ' \rangle = G_1 \oplus G_2 \oplus G_3 \oplus G_4\).

Four Boolean functions \(G_1\), \(G_2\), \(G_3\), and \(G_4\) involve 14, 12, 24, and 24 bits, respectively. These involved bits are independent except for \(n_{t+39}\), \(n_{t+38}\), \(n_{t+34}\), \(n_{t+32}\), \(n_{t+31}\), \(n_{t+29}\), \(n_{t+21}\), \(n_{t+15}\), and \(n_{t+10}\), where these nine bits are colored by red. Therefore, we compute the conditional correlations of \(G_1\), \(G_2\), \(G_3\), and \(G_4\).

Table 7. Case that \(\varLambda '[8,17,27,29,30,42,44,45,49] = 000100000\).

Table 7 shows the correlation of G when \(\varLambda '[6,17,18,29,32,44] = 001100\). Here, note that each conditional correlation must be divided by \(2^{9}\) because we add 9-bit condition. Table 8 summarizes each correlation, where we picked the case whose correlation is non-zero.

Table 8. Correlations of \(g''_t \oplus \langle L^{(t)}, \varLambda ' \rangle \).