Cryptography and Communications

, Volume 10, Issue 5, pp 803–834 | Cite as

Design and analysis of small-state grain-like stream ciphers

  • Matthias Hamann
  • Matthias Krause
  • Willi Meier
  • Bin Zhang
Part of the following topical collections:
  1. Special Issue on Statistics in Design and Analysis of Symmetric Ciphers


Time-memory-data (TMD) tradeoff attacks limit the security level of many classical stream ciphers to the birthday bound. Very recently, a new field of research has emerged, which searches for so-called small-state stream ciphers that try to overcome this limitation. In this paper, existing designs and known analysis of small-state stream ciphers are revisited and new insights on distinguishers and key recovery are derived based on TMD tradeoff attacks. A particular result is the transfer of a generic distinguishing attack suggested in 2007 by Englund et al. to this new class of lightweight ciphers. Our analysis shows that the initial hope of achieving full security against TMD tradeoff attacks by continuously using the secret key has failed. In particular, we provide generic distinguishers for Plantlet and Fruit with complexity significantly smaller than that of exhaustive key search. However, by studying the assumptions underlying the applicability of these attacks, we are able to come up with a new design idea for small-state stream ciphers, which might allow to finally achieve full security against TMD tradeoff attacks. Another contribution of this paper is the first key recovery attack against the most recent version of Fruit. We show that there are at least 264 weak keys, each of which does not provide 80-bit security as promised by designers.


Stream ciphers Lightweight cryptography Time-memory-data tradeoff attacks Grain Fruit 

Mathematics Subject Classification (2010)




We are grateful to anonymous reviewers of Cryptography and Communications (CCDS), whose comments helped improve the presentation of this paper.


  1. 1.
    Armknecht, F., Hamann, M., Mikhalev, V.: Lightweight authentication protocols on ultra-constrained RFIDs - myths and facts. In: Saxena, N., Sadeghi, A.R. (eds.) Radio Frequency Identification: Security and Privacy Issues: 10th International Workshop, RFIDSec 2014, Oxford, UK, July 21-23, 2014, Revised Selected Papers, pp. 1–18. Springer International Publishing, Cham (2014).
  2. 2.
    Armknecht, F., Mikhalev, V.: On lightweight stream ciphers with shorter internal states. In: Leander, G. (ed.) Fast Software Encryption: 22nd International Workshop, FSE 2015, Istanbul, Turkey, March 8-11, 2015, Revised Selected Papers, pp. 451–470. Springer, Berlin (2015).
  3. 3.
    Babbage, S.: Improved exhaustive search attacks on stream ciphers. In: 1995 European Convention on Security and Detection, pp. 161–166 (1995).
  4. 4.
    Babbage, S., Dodd, M.: The stream cipher MICKEY 2.0 eSTREAM: The ECRYPT Stream Cipher Project. (2006)
  5. 5.
    Banik, S.: Some results on sprout. In: Biryukov, A., Goyal, V. (eds.) Progress in Cryptology – INDOCRYPT 2015: 16th International Conference on Cryptology in India, Bangalore, India, December 6-9, 2015, Proceedings, pp. 124–139. Springer International Publishing, Cham (2015).
  6. 6.
    Banik, S., Isobe, T.: Some cryptanalytic results on lizard. Cryptology ePrint Archive Report 2017/346. (2017)
  7. 7.
    Barkan, E., Biham, E.: Conditional estimators: An effective attack on A5/1. In: Preneel, B., Tavares, S. (eds.) Selected Areas in Cryptography: 12th International Workshop, SAC 2005, Kingston, ON, Canada, August 11-12, 2005, Revised Selected Papers, pp. 1–19. Springer, Berlin (2006).
  8. 8.
    Biryukov, A.: LEX. eSTREAM: The ECRYPT Stream Cipher Project. (2005)
  9. 9.
    Biryukov, A., Perrin, L.: State of the Art in Lightweight Symmetric Cryptography. Cryptology ePrint Archive Report 2017/511. (2017)
  10. 10.
    Biryukov, A., Shamir, A.: Cryptanalytic time/memory/data tradeoffs for stream ciphers. In: Okamoto, T. (ed.) Advances in Cryptology — ASIACRYPT 2000: 6th International Conference on the Theory and Application of Cryptology and Information Security Kyoto, Japan, December 3–7, 2000 Proceedings, pp. 1–13. Springer, Berlin (2000).
  11. 11.
    Bjørstad, T.E.: Cryptanalysis of Grain using Time/Memory/Date Tradeoffs. eSTREAM, ECRYPT Stream Cipher Project Report 2008/012. (2008)
  12. 12.
    Bogdanov, A., Knudsen, L.R., Leander, G., Paar, C., Poschmann, A., Robshaw, M.J.B., Seurin, Y., Vikkelsoe, C.: PRESENT: An ultra-lightweight block cipher. In: Paillier, P., Verbauwhede, I. (eds.) Cryptographic Hardware and Embedded Systems - CHES 2007: 9th International Workshop, Vienna, Austria, September 10-13, 2007. Proceedings, pp. 450–466. Springer, Berlin (2007).
  13. 13.
    Briceno, M., Goldberg, I., Wagner, D.: A pedagogical implementation of a5/1. (1999)
  14. 14.
    Cannière, C.D., Preneel, B.: Trivium – Specifications eSTREAM: The ECRYPT Stream Cipher Project. (2005)
  15. 15.
    Cole, P.H., Ranasinghe, D.C.: Networked RFID Systems and Lightweight Cryptography: Raising Barriers to Product Counterfeiting, first edn. Springer, Berlin (2008)CrossRefGoogle Scholar
  16. 16.
    De Cannière, C., Dunkelman, O., Knežević, M.: KATAN and KTANTAN — A family of small and efficient hardware-oriented block ciphers. In: Clavier, C., Gaj, K. (eds.) Cryptographic Hardware and Embedded Systems - CHES 2009: 11th International Workshop Lausanne, Switzerland, September 6-9, 2009 Proceedings, pp. 272–288. Springer, Berlin (2009).
  17. 17.
    Dey, S., Sarkar, S.: Cryptanalysis of full round Fruit. Cryptology ePrint Archive Report 2017/87. (2017)
  18. 18.
    Dierks, T., Rescorla, E.: The Transport Layer Security (TLS) Protocol Version 1.2. RFC 5246 (Proposed Standard). Updated by RFCs 5746, 5878, 6176, 7465, 7507, 7568, 7627, 7685, 7905, 7919 (2008)
  19. 19.
    Dinur, I., Shamir, A.: Cube attacks on tweakable black box polynomials. In: Joux, A. (ed.) Advances in Cryptology - EUROCRYPT 2009: 28th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Cologne, Germany, April 26-30, 2009. Proceedings, pp. 278–299. Springer, Berlin (2009).
  20. 20.
    ECRYPT – European Network of Excellence for Cryptology: eSTREAM: the ECRYPT stream cipher project. (2008)
  21. 21.
    Englund, H., Hell, M., Johansson, T.: A note on distinguishing attacks. In: 2007 IEEE Information Theory Workshop on Information Theory for Wireless Networks, pp. 1–4 (2007).
  22. 22.
    Esgin, M.F., Kara, O.: Practical cryptanalysis of full sprout with TMD tradeoff attacks. In: Dunkelman, O., Keliher, L. (eds.) Selected Areas in Cryptography - SAC 2015: 22nd International Conference, Sackville, NB, Canada, August 12-14, 2015, Revised Selected Papers, pp. 67–85. Springer International Publishing, Cham (2016).
  23. 23.
    Fluhrer, S., Mantin, I., Shamir, A.: Weaknesses in the Key Scheduling Algorithm of RC4. In: Vaudenay, S., Youssef, A.M. (eds.) Selected Areas in Cryptography: 8th Annual International Workshop, SAC 2001 Toronto, Ontario, Canada, August 16–17, 2001 Revised Papers, pp. 1–24. Springer, Berlin (2001).
  24. 24.
    Ghafari, V.A., Hu, H., Xie, C.: Fruit: Ultra-lightweight Stream Cipher with Shorter Internal State. Cryptology ePrint Archive Report 2016/355. (2016)
  25. 25.
    Ågren, M., Hell, M., Johansson, T., Meier, W.: Grain-128a: A new version of grain-128 with optional authentication. Int. J. Wireless Mobile Comput. 5(1), 48–59 (2011). CrossRefGoogle Scholar
  26. 26.
    Hamann, M., Krause, M.: On Stream Ciphers with Provable Beyond-the-Birthday-Bound Security against Time-Memory-Data Tradeoff Attacks. Cryptology ePrint Archive Report 2015/636. (2015)
  27. 27.
    Hamann, M., Krause, M., Meier, W.: LIZARD – a lightweight stream cipher for power-constrained devices. IACR Trans. Symmetric Cryptology 2017(1), 45–79 (2017). Google Scholar
  28. 28.
    Hamann, M., Krause, M., Meier, W., Zhang, B.: On Stream Ciphers with Small State. Early Symmetric Crypto (ESC), January 2017, Canach, Luxembourg.
  29. 29.
    Hao, Y.: A Related-key chosen-IV Distinguishing Attack on Full Sprout Stream Cipher. Cryptology ePrint Archive Report 2015/231. (2015)
  30. 30.
    The grain family of stream ciphers. In: Hell, M., Johansson, T., Maximov, A., Meier, W., Robshaw, M., Billet, O. (eds.) New Stream Cipher Designs: The eSTREAM Finalists, pp. 179–190. Springer, Berlin (2008).
  31. 31.
    Hell, M., Johansson, T., Meier, W.: Grain - A Stream Cipher for Constrained Environments eSTREAM: The ECRYPT Stream Cipher Project. (2006)
  32. 32.
    Hong, J., Sarkar, P.: New Applications of Time Memory Data Tradeoffs, pp 353–372. Springer, Berlin (2005). zbMATHGoogle Scholar
  33. 33.
    Institute of Electrical and Electronics Engineers: IEEE Standard for information technology – telecommunications and information exchange between systems – local and metropolitan area networks – specific requirements – part 11: Wireless LAN medium access control (MAC) and physical layer (PHY) specifications. IEEE Std 802.11-1997 pp. i–445.
  34. 34.
    Institute of Electrical and Electronics Engineers: IEEE Standard for information technology – telecommunications and information exchange between systems – local and metropolitan area networks – specific requirements – part 11: Wireless LAN medium access control (MAC) and physical layer (PHY) specifications: Amendment 6: Medium access control (MAC) security enhancements. IEEE Std 802.11i-2004 pp. 1–190. (2004)
  35. 35.
    Krause, M.: On the Hardness of Trivium and Grain with respect to Generic Time-Memory-Data Tradeoff Attacks. Cryptology ePrint Archive Report 2017/289. (2017)
  36. 36.
    Lallemand, V., Naya-Plasencia, M.: Cryptanalysis of full sprout. In: Gennaro, R., Robshaw, M. (eds.) Advances in Cryptology – CRYPTO 2015: 35th Annual Cryptology Conference, Santa Barbara, CA, USA, August 16-20, 2015, Proceedings, Part I, pp. 663–682. Springer, Berlin. (2015)
  37. 37.
    Liu, M.: Degree Evaluation of NFSR-based Cryptosystems. To appear at Crypto 2017 (2017)Google Scholar
  38. 38.
    Lu, Y., Meier, W., Vaudenay, S.: The conditional correlation attack: A practical attack on bluetooth encryption. In: Shoup, V. (ed.) Advances in Cryptology – CRYPTO 2005: 25th Annual International Cryptology Conference, Santa Barbara, California, USA, August 14-18, 2005. Proceedings, pp. 97–117. Springer, Berlin. (2005)
  39. 39.
    Maitra, S., Sarkar, S., Baksi, A., Dey, P.: Key Recovery from State Information of Sprout. Cryptology ePrint Archive Report 2015/236. (2015)
  40. 40.
    Méaux, P., Journault, A., Standaert, F.X., Carlet, C.: Towards stream ciphers for efficient FHE with low-noise ciphertexts. In: Fischlin, M., Coron, J.S. (eds.) Advances in Cryptology – EUROCRYPT 2016: 35th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Vienna, Austria, May 8-12, 2016, Proceedings, Part I, pp. 311–343. Springer, Berlin. (2016)
  41. 41.
    Meier, W., Staffelbach, O.: Fast correlation attacks on stream ciphers. In: Barstow, D., Brauer, W., Brinch Hansen, P., Gries, D., Luckham, D., Moler, C., Pnueli, A., Seegmüller, G., Stoer, J., Wirth, N., Günther, C.G. (eds.) Advances in Cryptology — EUROCRYPT ’88: Workshop on the Theory and Application of Cryptographic Techniques Davos, Switzerland, May 25–27, 1988 Proceedings, pp. 301–314. Springer, Berlin. (1988)
  42. 42.
    Mikhalev, V., Armknecht, F., Müller, C.: On ciphers that continuously access the non-volatile key. IACR Trans. Symmetric Cryptology 2016(2), 52–79 (2017). Google Scholar
  43. 43.
    Popov, A.: Prohibiting RC4 cipher suites RFC 7465 (proposed standard). (2015)
  44. 44.
    Poschmann, A.: Lightweight Cryptography - Cryptographic Engineering for a Pervasive World. Cryptology ePrint Archive Report 2009/516. (2009)
  45. 45.
    Schneier, B.: Applied Cryptography (2nd Ed.): Protocols, Algorithms, and Source Code in C. Wiley, New York (1995)zbMATHGoogle Scholar
  46. 46.
    SIG, B.: Bluetooth Core Specification 4.2. (2014)
  47. 47.
    Subhamoy Maitra, A.S.: A differential fault attack on plantlet. Cryptology ePrint Archive Report 2017/088. (2017)
  48. 48.
    Todo, Y.: Structural evaluation by generalized integral property. In: Oswald, E., Fischlin, M. (eds.) Advances in Cryptology – EUROCRYPT 2015: 34th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Sofia, Bulgaria, April 26-30, 2015, Proceedings, Part I, pp. 287–314. Springer, Berlin. (2015)
  49. 49.
    Todo, Y., Isobe, T., Hao, Y., Meier, W.: Cube Attacks on Non-Blackbox Polynomials Based on Division Property. Cryptology ePrint Archive, Report 2017/306 (to appear at Crypto 2017). (2017)
  50. 50.
    Wu, H.: Acorn v3 Submission to CAESAR competition (2016)Google Scholar
  51. 51.
    Zhang, B., Gong, X.: Another tradeoff attack on sprout-like stream ciphers. In: Iwata, T., Cheon, H.J. (eds.) Advances in Cryptology – ASIACRYPT 2015: 21st International Conference on the Theory and Application of Cryptology and Information Security, Auckland, New Zealand, November 29 – December 3, 2015, Proceedings, Part II, pp. 561–585. Springer, Berlin. (2015)

Copyright information

© Springer Science+Business Media, LLC 2017

Authors and Affiliations

  1. 1.Lehrstuhl für Theoretische InformatikUniversität MannheimMannheimGermany
  2. 2.FHNWWindischSwitzerland
  3. 3.TCA, SKLCS, Institute of SoftwareChinese Academy of SciencesBeijingChina

Personalised recommendations