Skip to main content

Design and analysis of small-state grain-like stream ciphers


Time-memory-data (TMD) tradeoff attacks limit the security level of many classical stream ciphers to the birthday bound. Very recently, a new field of research has emerged, which searches for so-called small-state stream ciphers that try to overcome this limitation. In this paper, existing designs and known analysis of small-state stream ciphers are revisited and new insights on distinguishers and key recovery are derived based on TMD tradeoff attacks. A particular result is the transfer of a generic distinguishing attack suggested in 2007 by Englund et al. to this new class of lightweight ciphers. Our analysis shows that the initial hope of achieving full security against TMD tradeoff attacks by continuously using the secret key has failed. In particular, we provide generic distinguishers for Plantlet and Fruit with complexity significantly smaller than that of exhaustive key search. However, by studying the assumptions underlying the applicability of these attacks, we are able to come up with a new design idea for small-state stream ciphers, which might allow to finally achieve full security against TMD tradeoff attacks. Another contribution of this paper is the first key recovery attack against the most recent version of Fruit. We show that there are at least 264 weak keys, each of which does not provide 80-bit security as promised by designers.

This is a preview of subscription content, access via your institution.

Fig. 1
Fig. 2
Fig. 3
Fig. 4


  1. Please note that when speaking of a more complicated key schedule, we are referring to the way in which the key bits are used in order to compute the round key bit (e.g., using more than on key bit as input to an elaborate round key function with potentially high algebraic degree).

  2. While, from a theoretical point of view, this looks very elegant, it’s not really clear whether the security of Plantlet does actually benefit from the fact that the LFSR feedback polynomial is also primitive during initialization. After all, due to the additional feedback of the output bit z t, the LFSR’s period between t = 0 and t = 319 is unclear anyhow.

  3. A small amount of IV collisions may be tolerable depending on the security claims; see, e.g., Lizard [27], which claims 80-bit security against key recovery and 60-bit security against distinguishing.

  4. Englund, Hell, and Johansson similarly concluded: “If the key size |K| > N/2, then the new distinguishing attack will always succeed with complexity below exhaustive key search”. However, they left out the logarithmic factor, which we chose to include as exhaustive key search has negligible data and memory complexity, whereas in the above distinguishing attack, these complexities are actually each at a factor of \(\tilde {n}\) higher than the time complexity and dominate the overall cost of the attack.

  5. As pointed out in Section 3.1.1, due to the focus on block ciphers in OFB mode, this security margin was not necessary for the attack of Englund, Hell, and Johansson. It would, however, be required in the well-known TMD tradeoff attacks by Babbage [3] and Biryukov and Shamir [10], where, like the additional factor n itself, it is usually not included in the description of the respective attack complexities.

  6. Note that the 112-bit input ((k32∗,…,k63∗), (l130∗,…,l172∗), (n130∗,…,n166∗)) contains all necessary information to compute this keystream prefix, because: the counter at t = 130 before it is overwritten is publicly known, and we suppose the last 16 key bits to be 0, and the first 32 key bits are never needed again for the state update (and the keystream generation) after t = 0.

  7. In fact, e.g., the data complexity would be increased by a factor below 23 (and possibly even decrease) as now, the keystream blocks can be derived via sliding a 118-bit window over the keystream, just like in the classical TMD tradeoff attack.

  8. A corresponding full paper by two of the authors of this work is currently under submission.

  9. Resulting in Fruit v1 (ePrint version 20170304:073404), for which we now also presented a key recovery attack in Section 3.2.

  10. Also do not forget that, unlike stream ciphers, block ciphers additionally need an appropriate mode of operation (if the problems of electronic codebook mode (ECB) are to be avoided), increasing hardware costs in terms of, e.g., area and power consumption.

  11. More precisely, in the context of cube attacks, the algebraic degree of the Boolean function that maps secret key and IV to the first keystream bit.

  12. In other words, under an arbitrarily fixed key, two IVs will never lead to shifted versions of the same keystream.

  13. Though stream cipher designers seem to hardly talk about this issue in their suggestions and instead leave the problem of IV uniqueness to user.


  1. Armknecht, F., Hamann, M., Mikhalev, V.: Lightweight authentication protocols on ultra-constrained RFIDs - myths and facts. In: Saxena, N., Sadeghi, A.R. (eds.) Radio Frequency Identification: Security and Privacy Issues: 10th International Workshop, RFIDSec 2014, Oxford, UK, July 21-23, 2014, Revised Selected Papers, pp. 1–18. Springer International Publishing, Cham (2014).

  2. Armknecht, F., Mikhalev, V.: On lightweight stream ciphers with shorter internal states. In: Leander, G. (ed.) Fast Software Encryption: 22nd International Workshop, FSE 2015, Istanbul, Turkey, March 8-11, 2015, Revised Selected Papers, pp. 451–470. Springer, Berlin (2015).

  3. Babbage, S.: Improved exhaustive search attacks on stream ciphers. In: 1995 European Convention on Security and Detection, pp. 161–166 (1995).

  4. Babbage, S., Dodd, M.: The stream cipher MICKEY 2.0 eSTREAM: The ECRYPT Stream Cipher Project. (2006)

  5. Banik, S.: Some results on sprout. In: Biryukov, A., Goyal, V. (eds.) Progress in Cryptology – INDOCRYPT 2015: 16th International Conference on Cryptology in India, Bangalore, India, December 6-9, 2015, Proceedings, pp. 124–139. Springer International Publishing, Cham (2015).

  6. Banik, S., Isobe, T.: Some cryptanalytic results on lizard. Cryptology ePrint Archive Report 2017/346. (2017)

  7. Barkan, E., Biham, E.: Conditional estimators: An effective attack on A5/1. In: Preneel, B., Tavares, S. (eds.) Selected Areas in Cryptography: 12th International Workshop, SAC 2005, Kingston, ON, Canada, August 11-12, 2005, Revised Selected Papers, pp. 1–19. Springer, Berlin (2006).

  8. Biryukov, A.: LEX. eSTREAM: The ECRYPT Stream Cipher Project. (2005)

  9. Biryukov, A., Perrin, L.: State of the Art in Lightweight Symmetric Cryptography. Cryptology ePrint Archive Report 2017/511. (2017)

  10. Biryukov, A., Shamir, A.: Cryptanalytic time/memory/data tradeoffs for stream ciphers. In: Okamoto, T. (ed.) Advances in Cryptology — ASIACRYPT 2000: 6th International Conference on the Theory and Application of Cryptology and Information Security Kyoto, Japan, December 3–7, 2000 Proceedings, pp. 1–13. Springer, Berlin (2000).

  11. Bjørstad, T.E.: Cryptanalysis of Grain using Time/Memory/Date Tradeoffs. eSTREAM, ECRYPT Stream Cipher Project Report 2008/012. (2008)

  12. Bogdanov, A., Knudsen, L.R., Leander, G., Paar, C., Poschmann, A., Robshaw, M.J.B., Seurin, Y., Vikkelsoe, C.: PRESENT: An ultra-lightweight block cipher. In: Paillier, P., Verbauwhede, I. (eds.) Cryptographic Hardware and Embedded Systems - CHES 2007: 9th International Workshop, Vienna, Austria, September 10-13, 2007. Proceedings, pp. 450–466. Springer, Berlin (2007).

  13. Briceno, M., Goldberg, I., Wagner, D.: A pedagogical implementation of a5/1. (1999)

  14. Cannière, C.D., Preneel, B.: Trivium – Specifications eSTREAM: The ECRYPT Stream Cipher Project. (2005)

  15. Cole, P.H., Ranasinghe, D.C.: Networked RFID Systems and Lightweight Cryptography: Raising Barriers to Product Counterfeiting, first edn. Springer, Berlin (2008)

    Book  Google Scholar 

  16. De Cannière, C., Dunkelman, O., Knežević, M.: KATAN and KTANTAN — A family of small and efficient hardware-oriented block ciphers. In: Clavier, C., Gaj, K. (eds.) Cryptographic Hardware and Embedded Systems - CHES 2009: 11th International Workshop Lausanne, Switzerland, September 6-9, 2009 Proceedings, pp. 272–288. Springer, Berlin (2009).

  17. Dey, S., Sarkar, S.: Cryptanalysis of full round Fruit. Cryptology ePrint Archive Report 2017/87. (2017)

  18. Dierks, T., Rescorla, E.: The Transport Layer Security (TLS) Protocol Version 1.2. RFC 5246 (Proposed Standard). Updated by RFCs 5746, 5878, 6176, 7465, 7507, 7568, 7627, 7685, 7905, 7919 (2008)

  19. Dinur, I., Shamir, A.: Cube attacks on tweakable black box polynomials. In: Joux, A. (ed.) Advances in Cryptology - EUROCRYPT 2009: 28th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Cologne, Germany, April 26-30, 2009. Proceedings, pp. 278–299. Springer, Berlin (2009).

  20. ECRYPT – European Network of Excellence for Cryptology: eSTREAM: the ECRYPT stream cipher project. (2008)

  21. Englund, H., Hell, M., Johansson, T.: A note on distinguishing attacks. In: 2007 IEEE Information Theory Workshop on Information Theory for Wireless Networks, pp. 1–4 (2007).

  22. Esgin, M.F., Kara, O.: Practical cryptanalysis of full sprout with TMD tradeoff attacks. In: Dunkelman, O., Keliher, L. (eds.) Selected Areas in Cryptography - SAC 2015: 22nd International Conference, Sackville, NB, Canada, August 12-14, 2015, Revised Selected Papers, pp. 67–85. Springer International Publishing, Cham (2016).

  23. Fluhrer, S., Mantin, I., Shamir, A.: Weaknesses in the Key Scheduling Algorithm of RC4. In: Vaudenay, S., Youssef, A.M. (eds.) Selected Areas in Cryptography: 8th Annual International Workshop, SAC 2001 Toronto, Ontario, Canada, August 16–17, 2001 Revised Papers, pp. 1–24. Springer, Berlin (2001).

  24. Ghafari, V.A., Hu, H., Xie, C.: Fruit: Ultra-lightweight Stream Cipher with Shorter Internal State. Cryptology ePrint Archive Report 2016/355. (2016)

  25. Ågren, M., Hell, M., Johansson, T., Meier, W.: Grain-128a: A new version of grain-128 with optional authentication. Int. J. Wireless Mobile Comput. 5(1), 48–59 (2011).

    Article  Google Scholar 

  26. Hamann, M., Krause, M.: On Stream Ciphers with Provable Beyond-the-Birthday-Bound Security against Time-Memory-Data Tradeoff Attacks. Cryptology ePrint Archive Report 2015/636. (2015)

  27. Hamann, M., Krause, M., Meier, W.: LIZARD – a lightweight stream cipher for power-constrained devices. IACR Trans. Symmetric Cryptology 2017(1), 45–79 (2017).

    Google Scholar 

  28. Hamann, M., Krause, M., Meier, W., Zhang, B.: On Stream Ciphers with Small State. Early Symmetric Crypto (ESC), January 2017, Canach, Luxembourg.

  29. Hao, Y.: A Related-key chosen-IV Distinguishing Attack on Full Sprout Stream Cipher. Cryptology ePrint Archive Report 2015/231. (2015)

  30. The grain family of stream ciphers. In: Hell, M., Johansson, T., Maximov, A., Meier, W., Robshaw, M., Billet, O. (eds.) New Stream Cipher Designs: The eSTREAM Finalists, pp. 179–190. Springer, Berlin (2008).

  31. Hell, M., Johansson, T., Meier, W.: Grain - A Stream Cipher for Constrained Environments eSTREAM: The ECRYPT Stream Cipher Project. (2006)

  32. Hong, J., Sarkar, P.: New Applications of Time Memory Data Tradeoffs, pp 353–372. Springer, Berlin (2005).

    MATH  Google Scholar 

  33. Institute of Electrical and Electronics Engineers: IEEE Standard for information technology – telecommunications and information exchange between systems – local and metropolitan area networks – specific requirements – part 11: Wireless LAN medium access control (MAC) and physical layer (PHY) specifications. IEEE Std 802.11-1997 pp. i–445.

  34. Institute of Electrical and Electronics Engineers: IEEE Standard for information technology – telecommunications and information exchange between systems – local and metropolitan area networks – specific requirements – part 11: Wireless LAN medium access control (MAC) and physical layer (PHY) specifications: Amendment 6: Medium access control (MAC) security enhancements. IEEE Std 802.11i-2004 pp. 1–190. (2004)

  35. Krause, M.: On the Hardness of Trivium and Grain with respect to Generic Time-Memory-Data Tradeoff Attacks. Cryptology ePrint Archive Report 2017/289. (2017)

  36. Lallemand, V., Naya-Plasencia, M.: Cryptanalysis of full sprout. In: Gennaro, R., Robshaw, M. (eds.) Advances in Cryptology – CRYPTO 2015: 35th Annual Cryptology Conference, Santa Barbara, CA, USA, August 16-20, 2015, Proceedings, Part I, pp. 663–682. Springer, Berlin. (2015)

  37. Liu, M.: Degree Evaluation of NFSR-based Cryptosystems. To appear at Crypto 2017 (2017)

  38. Lu, Y., Meier, W., Vaudenay, S.: The conditional correlation attack: A practical attack on bluetooth encryption. In: Shoup, V. (ed.) Advances in Cryptology – CRYPTO 2005: 25th Annual International Cryptology Conference, Santa Barbara, California, USA, August 14-18, 2005. Proceedings, pp. 97–117. Springer, Berlin. (2005)

  39. Maitra, S., Sarkar, S., Baksi, A., Dey, P.: Key Recovery from State Information of Sprout. Cryptology ePrint Archive Report 2015/236. (2015)

  40. Méaux, P., Journault, A., Standaert, F.X., Carlet, C.: Towards stream ciphers for efficient FHE with low-noise ciphertexts. In: Fischlin, M., Coron, J.S. (eds.) Advances in Cryptology – EUROCRYPT 2016: 35th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Vienna, Austria, May 8-12, 2016, Proceedings, Part I, pp. 311–343. Springer, Berlin. (2016)

  41. Meier, W., Staffelbach, O.: Fast correlation attacks on stream ciphers. In: Barstow, D., Brauer, W., Brinch Hansen, P., Gries, D., Luckham, D., Moler, C., Pnueli, A., Seegmüller, G., Stoer, J., Wirth, N., Günther, C.G. (eds.) Advances in Cryptology — EUROCRYPT ’88: Workshop on the Theory and Application of Cryptographic Techniques Davos, Switzerland, May 25–27, 1988 Proceedings, pp. 301–314. Springer, Berlin. (1988)

  42. Mikhalev, V., Armknecht, F., Müller, C.: On ciphers that continuously access the non-volatile key. IACR Trans. Symmetric Cryptology 2016(2), 52–79 (2017).

    Google Scholar 

  43. Popov, A.: Prohibiting RC4 cipher suites RFC 7465 (proposed standard). (2015)

  44. Poschmann, A.: Lightweight Cryptography - Cryptographic Engineering for a Pervasive World. Cryptology ePrint Archive Report 2009/516. (2009)

  45. Schneier, B.: Applied Cryptography (2nd Ed.): Protocols, Algorithms, and Source Code in C. Wiley, New York (1995)

    MATH  Google Scholar 

  46. SIG, B.: Bluetooth Core Specification 4.2. (2014)

  47. Subhamoy Maitra, A.S.: A differential fault attack on plantlet. Cryptology ePrint Archive Report 2017/088. (2017)

  48. Todo, Y.: Structural evaluation by generalized integral property. In: Oswald, E., Fischlin, M. (eds.) Advances in Cryptology – EUROCRYPT 2015: 34th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Sofia, Bulgaria, April 26-30, 2015, Proceedings, Part I, pp. 287–314. Springer, Berlin. (2015)

  49. Todo, Y., Isobe, T., Hao, Y., Meier, W.: Cube Attacks on Non-Blackbox Polynomials Based on Division Property. Cryptology ePrint Archive, Report 2017/306 (to appear at Crypto 2017). (2017)

  50. Wu, H.: Acorn v3 Submission to CAESAR competition (2016)

  51. Zhang, B., Gong, X.: Another tradeoff attack on sprout-like stream ciphers. In: Iwata, T., Cheon, H.J. (eds.) Advances in Cryptology – ASIACRYPT 2015: 21st International Conference on the Theory and Application of Cryptology and Information Security, Auckland, New Zealand, November 29 – December 3, 2015, Proceedings, Part II, pp. 561–585. Springer, Berlin. (2015)

Download references


We are grateful to anonymous reviewers of Cryptography and Communications (CCDS), whose comments helped improve the presentation of this paper.

Author information

Authors and Affiliations


Corresponding author

Correspondence to Willi Meier.

Additional information

This article is part of the Topical Collection on Special Issue on Statistics in Design and Analysis of Symmetric Ciphers

Appendix: Shrunk Fruit v1

Appendix: Shrunk Fruit v1

In the following, we present an overview over Shrunk Fruit v1, our ‘halved’ variant of Fruit v1 that we used for the experiments described in Section 3.1.3. As compared to Fruit v1, which has a key size of 80 bits and an IV size of 70 bits, Shrunk Fruit v1 uses 40-bit keys and 35-bit IVs. The sizes of the NFSR and the LFSR were also shrunk from 37 to 19 bits and from 43 to 21 bits, respectively. For the specifications of the new FSRs as well as for the key schedule and the output function, we did our very best to retain the properties of the original cipher and, in particular, not to introduce new weaknesses. To that extent, we actually even kept the number and degree of terms in the key schedule, output and feedback functions of the original Fruit v1. Instead, we just squeezed the corresponding tap indices to fit the new FSRs. In consequence, Shrunk Fruit v1 is probably even stronger (against non-generic attacks) than one would expect from a truly halved variant. Other important properties such as the use of a maximum-period LFSR were also transferred from Fruit v1 to Shrunk Fruit v1. The size of the counter C r was only reduced by one bit, because in Fruit v1, seven bits are required to index 80 key bits and, consequently, in Shrunk Fruit v1, six bits are now required to index the 40 key bits.

Please find below a full specification of Shrunk Fruit v1 in bullet point form:

  • Input: 40-bit key K := (k 0k 39), 35-bit initialization vector I V := (v 0v 34)

  • Keystream Limit per IV: 221 bit (due to the 21-bit maximum-period LFSR; corresponds to the limit of 243 bit and the 43-bit maximum-period LFSR in Fruit v1)

  • 6-bit Counter:

    $$C_{r} = \left( {c_{t}^{1}}, {c_{t}^{2}}, {c_{t}^{3}}, {c_{t}^{4}}, {c_{t}^{5}}, {c_{t}^{6}}\right)$$
  • Key Schedule:

    $$\begin{array}{@{}rcl@{}} k^{\prime}_{t} &=& k_{s} \cdot k_{y + 32} \oplus k_{u + 36} \cdot k_{p} \oplus k_{q + 16} \oplus k_{r + 32}\\ s &=& \left( {c_{t}^{1}}, {c_{t}^{2}}, {c_{t}^{3}}, {c_{t}^{4}}, {c_{t}^{5}}\right)\\ y &=& \left( {c_{t}^{4}}, {c_{t}^{5}}\right)\\ u &=& \left( {c_{t}^{5}}, {c_{t}^{6}}\right)\\ p &=& \left( {c_{t}^{1}}, {c_{t}^{2}}, {c_{t}^{3}}, {c_{t}^{4}}\right)\\ q &=& \left( {c_{t}^{2}}, {c_{t}^{3}}, {c_{t}^{4}}, {c_{t}^{5}}\right)\\ r &=& \left( {c_{t}^{4}}, {c_{t}^{5}}, {c_{t}^{6}}\right) \end{array} $$
  • 19-bit NFSR:

    $$\begin{array}{@{}rcl@{}} n_{t + 19} &=&k^{\prime}_{t} \oplus l_{t} \oplus {c_{t}^{4}} \oplus n_{t} \oplus n_{t + 5} \oplus n_{t + 10} \oplus n_{t + 6} \cdot n_{t + 2}\\ &\oplus& n_{t + 8} \cdot n_{t + 13} \oplus n_{t + 3} \cdot n_{t + 11} \cdot n_{t + 15}\\ &\oplus& n_{t + 4} \cdot n_{t + 9} \oplus n_{t + 14} \cdot n_{t + 15} \cdot n_{t + 16} \cdot n_{t + 17} \end{array} $$
  • 21-bit LFSR (a maximum-period LFSR like in Fruit v1):

    $$l_{t + 21} = l_{t} \oplus l_{t + 4} \oplus l_{t + 9} \oplus l_{t + 12} \oplus l_{t + 14} \oplus l_{t + 17} $$
  • Keybit z t :

    $$\begin{array}{@{}rcl@{}} h_{t} &=&l_{t + 3} \cdot l_{t + 7} \oplus l_{t + 1} \cdot l_{t + 11} \oplus n_{t + 18} \cdot l_{t + 13}\\ &\oplus& l_{t + 5} \cdot l_{t + 16} \oplus n_{t + 1} \cdot n_{t + 17} \cdot l_{t + 20} \end{array} $$
    $$\begin{array}{@{}rcl@{}} z_{t} &=& h_{t} \oplus n_{t} \oplus n_{t + 3} \oplus n_{t + 7} \oplus n_{t + 9} \oplus n_{t + 12}\\ &&n_{t + 14} \oplus n_{t + 18} \oplus l_{t + 19} \end{array} $$
  • I V (extension of 35-bit IV to 65 bits; corresponds to the extension of the 70-bit IV to 130 bits in Fruit v1):

    $$IV^{\prime} := 10000 v_{0} v_{1} {\ldots} v_{33} v_{34} 000 {\ldots} 000$$
  • Key Loading:

    $$\begin{array}{@{}rcl@{}} \left( n_{0},\ldots,n_{18}\right) &:=& \left( k_{0},\ldots,k_{18}\right)\\ \left( l_{0},\ldots,l_{20}\right) &:=& \left( k_{19},\ldots,k_{39}\right) \end{array} $$
  • Key Schedule Counter Initialization:

    $$\left( {c_{0}^{1}}, {c_{0}^{2}}, {c_{0}^{3}}, {c_{0}^{4}}, {c_{0}^{5}}, {c_{0}^{6}}\right) := \left( 0,\ldots,0\right)$$
  • Initialization Procedure:

    • 65 IV loading and mixing steps as described in the Fruit v1 paper [24] (there: 130 steps)

    • Set

      $$\left( c_{65}^{1}, c_{65}^{2}, c_{65}^{3}, c_{65}^{4}, c_{65}^{5}, c_{65}^{6}\right) := \left( n_{65},n_{66},n_{67},n_{68},n_{69},l_{65}\right) $$

      and then l 65 := 1.

    • Clock 40 times as described in the Fruit v1 paper paper (there: 80 times).

  • Output: The first keystream bit that is output is z 105 .

Rights and permissions

Reprints and Permissions

About this article

Verify currency and authenticity via CrossMark

Cite this article

Hamann, M., Krause, M., Meier, W. et al. Design and analysis of small-state grain-like stream ciphers. Cryptogr. Commun. 10, 803–834 (2018).

Download citation

  • Received:

  • Accepted:

  • Published:

  • Issue Date:

  • DOI:


  • Stream ciphers
  • Lightweight cryptography
  • Time-memory-data tradeoff attacks
  • Grain
  • Fruit

Mathematics Subject Classification (2010)

  • 94A60