Fault analysis and weak key-IV attack on Sprout

Armknecht and Mikhalev proposed a new stream cipher `Sprout\u27 based on the design specification of the stream cipher, Grain-128a. Sprout has shorter state size than Grain family with a round key function. The output of the round key function is XOR\u27ed with the feedback bit of the NFSR of the cipher. In this paper, we propose a new fault attack on Sprout by injecting a single bit fault after the key initialization phase at any arbitrary position of the NFSR of the cipher. By injecting a single bit fault, we recover the bits of the secret key of the cipher by observing the normal and faulty keystream bits at certain clockings of the cipher. By implementing the attack, we verify our result for one particular case. We also show that the Sprout generates same states for several rounds in key initialization phase for two different key-IV pairs, which proves that the key initialization round is having very poor period

Necessary conditions for designing secure stream ciphers with the minimal internal states

After the introduction of some stream ciphers with the minimal internal state, the design idea of these ciphers (i.e. the design of stream ciphers by using a secret key, not only in the initialization but also permanently in the keystream generation) has been developed. The idea lets to design lighter stream ciphers that they are suitable for devices with limited resources such as RFID, WSN. We present necessary conditions for designing a secure stream cipher with the minimal internal state. Based on the conditions, we propose Fruit-128 stream cipher for 128-bit security against all types of attacks. Our implementations showed that the area size of Fruit-128 is about 25.2% smaller than that of Grain-128a. The discussions are presented that Fruit-128 is more resistant than Grain-128a to some attacks such as Related key chosen IV attack. Sprout, Fruit-v2 and Plantlet ciphers are vulnerable to time-memory-data trade-off (TMDTO) distinguishing attacks. For the first time, IV bits were permanently used to strengthen Fruit-128 against TMDTO attacks. We will show that if IV bits are not permanently available during the keystream production step, we can eliminate the IV mixing function from it. In this case, security level decreases to 69-bit against TMDTO distinguishing attacks (that based on the application might be tolerable). Dynamic initialization is another contribution of the paper (that it can strengthen initialization of all stream ciphers with low area cost)