Abstract
Plantlet is a recent lightweight stream cipher designed by Mikhalev, Armknecht and Müller in IACR ToSC 2017. This design paradigm receives attention because it is secure against generic time–memory–data trade-off attacks despite its small internal state size. One major motivation for Plantlet is to shore up the weaknesses of Sprout, another lightweight stream cipher from the same designers in IACR FSE 2015. In this paper, we observe that a full key recovery attack is possible using a restricted version of the near collision attack. We have listed 38 internal state differences whose keystream differences have a fixed 0/1 pattern at certain positions and are efficient for our attack. In the online phase, the adversary looks for any one of those 38 patterns in the keystream difference. If a pattern is found, then with some probability the adversary guesses the internal state difference. Afterwards, on solving a system of polynomial equations (formed by keystream bits) using a SAT solver, the adversary recovers the secret key if the guess is correct; otherwise, a contradiction occurs. After probability computations, we find that, on repeating the experiment a fixed number of times, the adversary recovers the secret key with expectation one. The time complexity of the whole process is \(2^{64.693}\) Plantlet encryptions, which is 39 times faster than the previous best key recovery attack by Banik et al. in IACR ToSC 2019. We further suggest a countermeasure, together with its analysis, to avoid our attack. However, the complexity presented in this paper depends on the system architecture and the implementation of the cipher.
Data Availability
One can generate data using our source codes. The source codes of our results are publicly available at https://github.com/Satyam-Crypto/Restricted_Near-Collision-Attack_on_Plantlet.git.
References
Armknecht, F., Mikhalev, V.: On lightweight stream ciphers with shorter internal states. In: Fast Software Encryption - 22nd International Workshop, FSE 2015, Istanbul, Turkey, March 8–11, 2015, Revised Selected Papers, Lecture Notes in Computer Science, vol. 9054, pp. 451–470. Springer (2015). https://doi.org/10.1007/978-3-662-48116-5_22
Baksi, A., Bhasin, S., Breier, J., Jap, D., Saha, D.: Fault attacks in symmetric key cryptosystems. Cryptology ePrint Archive, Report 2020/1267 (2020). https://eprint.iacr.org/2020/1267
Banik, S.: Some results on Sprout. In: Progress in Cryptology - INDOCRYPT 2015 - 16th International Conference on Cryptology in India, Bangalore, India, December 6–9, 2015, Proceedings, Lecture Notes in Computer Science, vol. 9462, pp. 124–139. Springer (2015). https://doi.org/10.1007/978-3-319-26617-6_7
Banik, S., Barooti, K., Isobe, T.: Cryptanalysis of Plantlet. IACR Trans. Symmetric Cryptol. 2019(3), 103–120 (2019). https://doi.org/10.13154/tosc.v2019.i3.103-120
Banik, S., Mikhalev, V., Armknecht, F., Isobe, T., Meier, W., Bogdanov, A., Watanabe, Y., Regazzoni, F.: Towards low energy stream ciphers. IACR Trans. Symmetric Cryptol. 2018(2), 1–19 (2018). https://doi.org/10.13154/tosc.v2018.i2.1-19
Biham, E., Shamir, A.: Differential cryptanalysis of DES-like cryptosystems. In: Advances in Cryptology - CRYPTO '90, 10th Annual International Cryptology Conference, Santa Barbara, California, USA, August 11–15, 1990, Proceedings, pp. 2–21 (1990). https://doi.org/10.1007/3-540-38424-3_1
Biryukov, A., Shamir, A.: Cryptanalytic time/memory/data tradeoffs for stream ciphers. In: Advances in Cryptology - ASIACRYPT 2000, 6th International Conference on the Theory and Application of Cryptology and Information Security, Kyoto, Japan, December 3–7, 2000, Proceedings, Lecture Notes in Computer Science, vol. 1976, pp. 1–13. Springer (2000). https://doi.org/10.1007/3-540-44448-3_1
Coppersmith, D., Winograd, S.: Matrix multiplication via arithmetic progressions. In: Proceedings of the Nineteenth Annual ACM Symposium On Theory Of Computing, pp. 1–6 (1987)
Esgin, M.F., Kara, O.: Practical cryptanalysis of full Sprout with TMD tradeoff attacks. In: Selected Areas in Cryptography - SAC 2015 - 22nd International Conference, Sackville, NB, Canada, August 12–14, 2015, Revised Selected Papers, Lecture Notes in Computer Science, vol. 9566, pp. 67–85. Springer (2015). https://doi.org/10.1007/978-3-319-31301-6_4
Hamann, M., Krause, M., Meier, W.: LIZARD - A lightweight stream cipher for power-constrained devices. IACR Trans. Symmetric Cryptol. 2017(1), 45–79 (2017). https://doi.org/10.13154/tosc.v2017.i1.45-79
Hamann, M., Krause, M., Meier, W., Zhang, B.: Design and analysis of small-state Grain-like stream ciphers. Cryptogr. Commun. 10(5), 803–834 (2018). https://doi.org/10.1007/s12095-017-0261-6
Lallemand, V., Naya-Plasencia, M.: Cryptanalysis of full Sprout. In: Advances in Cryptology - CRYPTO 2015 - 35th Annual Cryptology Conference, Santa Barbara, CA, USA, August 16–20, 2015, Proceedings, Part I, Lecture Notes in Computer Science, vol. 9215, pp. 663–682. Springer (2015). https://doi.org/10.1007/978-3-662-47989-6_32
Maitra, S., Sarkar, S., Baksi, A., Dey, P.: Key recovery from state information of Sprout: Application to cryptanalysis and fault attack. Cryptology ePrint Archive, Report 2015/236 (2015). https://eprint.iacr.org/2015/236
Maitra, S., Siddhanti, A., Sarkar, S.: A differential fault attack on Plantlet. IEEE Trans. Comput. 66(10), 1804–1808 (2017). https://doi.org/10.1109/TC.2017.2700469
Mikhalev, V., Armknecht, F., Müller, C.: On ciphers that continuously access the non-volatile key. IACR Trans. Symmetric Cryptol. 2016(2), 52–79 (2016). https://doi.org/10.13154/tosc.v2016.i2.52-79
Todo, Y., Meier, W., Aoki, K.: On the data limitation of small-state stream ciphers: Correlation attacks on Fruit-80 and Plantlet. In: Selected Areas in Cryptography - SAC 2019 - 26th International Conference, Waterloo, ON, Canada, August 12–16, 2019, Revised Selected Papers, Lecture Notes in Computer Science, vol. 11959, pp. 365–392. Springer (2019). https://doi.org/10.1007/978-3-030-38471-5_15
Zhang, B., Li, Z., Feng, D., Lin, D.: Near collision attack on the Grain v1 stream cipher. In: Fast Software Encryption - 20th International Workshop, FSE 2013, Singapore, March 11–13, 2013, Revised Selected Papers, Lecture Notes in Computer Science, vol. 8424, pp. 518–538. Springer (2013). https://doi.org/10.1007/978-3-662-43933-3_27
Acknowledgements
The author Satyam Kumar acknowledges the generous support of NBHM-DAE (Government of India) for providing a research fellowship. Sandip Kumar Mondal is thankful to the University Grants Commission (UGC). The research of Dr. Avishek Adhikari is partially supported by the DST-SERB project MATRICS, vide sanction order MTR/2019/001573, and the DST-FIST project, Govt. of India, vide sanction order SR/FST/MS-I/2019/41.
Cite this article
Kumar, S., Mondal, S.K., Sarkar, S. et al. Restricted near collision attack on Plantlet. J Cryptogr Eng 14, 19–34 (2024). https://doi.org/10.1007/s13389-023-00336-y