Another Tradeoff Attack on SproutLike Stream Ciphers
Abstract
Sprout is a new lightweight stream cipher with shorter internal state proposed at FSE 2015, using keydependent state updating in the keystream generation phase. Some analyses have been available on eprint so far. In this paper, we extend the design paradigm in general and study the security of Sproutlike ciphers in a unified framework. Our new penetration is to investigate the knormality of the augmented function, a vectorial Boolean function derived from the primitive. Based on it, a dedicated time/memory/data tradeoff attack is developed for such designs. It is shown that Sprout can be broken in \(2^{79xy}\) time, given \({\left[ {c \cdot (2x + 2y  58) \cdot {2^{71  x  y}}} \right] }\)bit memory and \(2^{9+x+y}\)bit keystream, where x / y is the number of forward/backward steps and c is a small constant. Our attack is highly flexible and compares favorably to all the previous results. With carefully chosen parameters, the new attack is at least \(2^{20}\) times faster than Lallemand/NayaPlasencia attack at Crypto 2015, Maitra et al. attack and Banik attack, \(2^{10}\) times faster than Esgin/Kara attack with much less memory.
Keywords
Cryptanalysis Stream ciphers Sprout Tradeoff1 Introduction
Design of secure lightweight stream ciphers for constrained hardware environments is important both in theory and practice. The most area/power consuming component in a lightweight design is the number of memory gates, which corresponds to the internal state size of the primitive. On the other hand, a common rule of thumb for stream cipher design is that the internal state size should be at least twice as long as the key size to resist against time/memory/data (TMD) tradeoff attacks [4].
This design principal indeed works, and security analysis of the eSTREAM finalists, e.g., Grain v1, Mickey v2 and Trivium [7] evolves rather slowly. At FSE 2015, another design paradigm for stream ciphers is proposed and instantiated by a new design, called Sprout, aiming to reduce the internal state size, thus the hardware area size by using keydependent state updating in the keystream generation phase [2]. It is expected that the immunity against TMD tradeoff attacks will not be compromised.
Surprisingly, there have been some cryptanalysis of Sprout appearing on the IACR eprint monthly after ESC 2015 and FSE 2015. In the time order of the open literature, a related key chosen IV attack on Sprout is presented in [9], but the designers have already ruled out the related key model in [2]. Then the first attack in the single key model is found in [12] by using a list merging technique with a time complexity around \(2^{69}\) Sprout encryptions at Crypto 2015. In [13], another attack based on a SAT solver is given with a complexity of \(2^{54}\) attempts, where each attempt takes a time equivalent to \(6.6 \cdot 2^{54}\cdot 2^{e}\) encryptions which is more than \(2^{80}\) if \(e > 23\). Thus, it is questionable whether this work in [13] translates into a feasible attack on Sprout or not. To directly challenging the design rationale, Esgin and Kara presented a TMD tradeoff attack in [8] with an online time complexity of \(2^{33}\) Sprout encryptions and 770 TB of memory after a precomputation around \(2^{53}\) basic operations. Finally in [3], a key recovery attack is launched against Sprout with a complexity of \(2^{66.7}\) Sprout encryptions together with some other analysis results.
In this paper, we extend the design paradigm in general and study the security of Sproutlike ciphers in a unified framework. The model involves the secret key not only in the initialization process but also in the nonlinear state updating in a Sproutlike manner during the keystream generation phase. Then based on the notion of normality first introduced by Dobbertin in [6], we investigate the knormality of the augmented function [5], a vectorial Boolean function derived from the underlying primitive. This property is relevant for the design and analysis of cryptosystems. In [14] and [15], security implications of knormal Boolean functions are considered when they are employed in certain stream ciphers. We make a systematic security analysis based on this property for Sproutlike stream ciphers and develop a dedicated TMD tradeoff attack framework for such designs. In particular, it is shown that Sprout can be broken in \(2^{79xy}\) time, given \({\left[ {c \cdot (2x + 2y  58) \cdot {2^{71  x  y}}} \right] }\)bit memory and \(2^{9+x+y}\)bit keystream, where x is the number of forward steps, y is the number of backward steps and c is a small constant. Our attack is highly flexible and compares favorably to all the previous attacks on Sprout. With carefully chosen attack parameters, our method is at least \(2^{20}\) times faster than Lallemand/NayaPlasencia attack at Crypto 2015, Maitra et al. attack and Banik attack, \(2^{10}\) times faster than Esgin/Kara attack with much less memory. Practical simulations confirmed our analysis.
This paper is structured as follows. In Sect. 2, the stream cipher Sprout is described and generalized to a generic Sproutlike model. In Sect. 3, based on a natural extension of normality from Boolean functions to vectorial Boolean functions, a generic TMD cryptanalysis framework of such ciphers is formalized with complexity analysis. In Sect. 4, the framework is applied to Sprout with comparisons to other attacks. Section 5 provides the experimental results. Finally, some conclusions are given in Sect. 6.
2 SproutLike Stream Ciphers
In this section, a brief description of Sprout that is relevant to our work and a generic Sproutlike model that inherits the design spirit are presented. The following notations will be used throughout the paper.

\({L^t} = [{l_t},{l_{t + 1}},...,{l_{t + 39}}]\), the internal state of the LFSR at time t.

\({N^t} = [{n_t},{n_{t + 1}},...,{n_{t + 39}}]\), the internal state of the NFSR at time t.

\([a,b] \buildrel \varDelta \over = \{ a,a + 1,...,b\} \), for two positive integers a, b \((a< b)\).

\(N_{[a,b]}^t \buildrel \varDelta \over = \{ {n_{t + a}},{n_{t + a + 1}},...,{n_{t + b}}\} \) and \(L_{[a,b]}^t \buildrel \varDelta \over = \{ {l_{t + a}},{l_{t + a + 1}},...,{l_{t + b}}\} \), for two positive integers a, b \((a < b)\).

\(IV=(iv_0,iv_1,...,iv_{69})\), the 70bit initialization vector.

\(K=(k_0, k_1,...,k_{79})\), the 80bit secret key.

\(k_t^*\), the round key bit generated at time t.

\(z_t\), the keystream bit generated at time t.

\(c_t^4\), the round constant at time t, generated by a counter.
2.1 Description of Sprout
Denote the feedback functions of the NFSR, the LFSR and the nonlinear filter function by g, f and h respectively. There is a 9bit counter register in Sprout, of which the lower 7 bits are a modulo 80 counter, denoted by \((c_t^6,c_t^5,c_t^4,c_t^3,c_t^2,c_t^1,c_t^0)\) at time t. The 4th LSB \(c_t^4\) of the counter is employed in the keystream generation. It should be noted that, \(c_t^4\) has a cycle of length 80, i.e., in each cycle, this bit takes the values \(\underbrace{0,0,...,0}_{16}\underbrace{1,1,...,1}_{16}\underbrace{0,0,...,0}_{16}\underbrace{1,1,...,1}_{16}\underbrace{0,0,...,0}_{16}\).

the LFSR update function is changed to \({l_{t + 40}} = {z_t} \oplus f({L^t})\).

the NFSR update function is changed to \({n_{t + 40}} = {z_t} \oplus k_t^* \oplus {l_t} \oplus c_t^4 \oplus g({N_t})\).

no keystream bit is generated.
After the initialization phase, the keystream generation phase starts and there is no feedback keystream anymore.
2.2 A Model for SproutLike Stream Ciphers
There are three functions involved in the model: a nonlinear function G(x), a linear function F(x) and a nonlinear filter function \(h(\cdot )\).
The internal state of the model consists of the nonlinear state N and the linear state L. At each step, the function \(G(\cdot )\) is applied to N and \(F(\cdot )\) to L, respectively. Besides, there may also be some other mixing procedure that xoring some bits of N into L, and vice versa. Further, the secret key is involved in the nonlinear state updating selectively by a function \(u(\cdot )\). The output of the current state is also computed as the xoring of the bits from both N and L and a nonlinear filter function \(h(\cdot )\), which takes some input values from both N and L, respectively. Some notations that will be used in the description are listed here.

\({L^t} = [L_0^t,L_1^t,...,L_{{l_1}  1}^t]\), the internal state of the linear component.

\({N^t} = [N_0^t,N_1^t,...,N_{{l_2}  1}^t]\), the internal state of the nonlinear component.

\(r{L^t} = \mathrm{{\{ }}L_{{\gamma _1}}^t,L_{{\gamma _2}}^t,...,L_{{\gamma _{{a_1}}}}^t\mathrm{{\} }}\), a subset of \(L^t\) and the linear part of \(u(\cdot )\).

\(r{N^t} = \mathrm{{\{ }}N_{{\delta _1}}^t,N_{{\delta _2}}^t,...,N_{{\delta _{{a_2}}}}^t\mathrm{{\} }}\), a subset of \(N^t\) and the nonlinear part of \(u(\cdot )\).

\(p{L^t} = \mathrm{{\{ }}L_{{\alpha _1}}^t,L_{{\alpha _2}}^t,...,L_{{\alpha _{{n_1}}}}^t\mathrm{{\} }}\), a subset of \(L^t\) with the variables of the filter function \(h(\cdot )\) coming from the LFSR.

\(p{N^t} = \mathrm{{\{ }}N_{{\beta _1}}^t,N_{{\beta _2}}^t,...,N_{{\beta _{{n_2}}}}^t\mathrm{{\} }}\), a subset of \(N^t\) with the variables of the filter function \(h(\cdot )\) coming from the NFSR.

\(q{L^t} = \mathrm{{\{ }}L_{{\sigma _1}}^t,L_{{\sigma _2}}^t,...,L_{{\sigma _{{m_1}}}}^t\mathrm{{\} }}\), a subset of \(L^t\) and the linear masking in the keystream generation function.

\(q{N^t} = \mathrm{{\{ }}N_{{\tau _1}}^t,N_{{\tau _2}}^t,...,N_{{\tau _{{m_2}}}}^t\mathrm{{\} }}\), a subset of \(N^t\) and the nonlinear masking in the keystream generation function.

\(pq{N^t} = p{N^t} \cup q{N^t}\), the variables used in the keystream generation coming from the NFSR.
The general framework is specified by the following items (we only focus on the keystream generation phase).

The linear component is \({L^t} = [L_0^t,L_1^t,...,L_{{l_1}  1}^t] \in F_2^{{l_1}}\), whose initial state is denoted by \(L^0\). It is updated recursively as \(L^{t+1}=F(L^t)\). Without loss of generality, we assume this process is invertible, and the inverse process is \(L^{t1}=F'(L^t)\).
 The nonlinear component is \({N^t} = [N_0^t,N_1^t,...,N_{{l_2}  1}^t] \in F_2^{{l_2}}\), whose initial state is denoted by \(N^0\). It is updated recursively aswhere \(G(\cdot )\) is a \((l_2,l_2)\)vectorial Boolean function, \(C_t\) is a counter related vector of length \(l_2\). Note that whether the key is involved in the state updating is dependent on the value of \(u(\cdot )\). If \(u(r{L^t},r{N^t}) = 1\), the key will be involved. Similarly, we assume this nonlinear process is invertible, and the inverse process is computed as$$\begin{aligned} {N^{t + 1}} = G({N^t}\oplus {L_1}({L^t})) \oplus {L_2}({L^t}) \oplus u(r{L^t},r{N^t}) \cdot R(t,K)\oplus C_t, \end{aligned}$$$$\begin{aligned} {N^{t  1}} = G'({N^t}\oplus {L_1'}({L^{t  1}})) \oplus {L_2'}({L^{t  1}}) \oplus u(r{L^{t  1}},r{N^{t  1}}) \cdot R(t  1,K)\oplus C_{t1}. \end{aligned}$$

A filter function \(h(\cdot )\) from \(F_2^{n_1+n_2}\) into \(F_2\) is used as part of the output function in the form \(h(p{L^t},p{N^t})\), which takes \(n_1\) input values \(\mathrm{{\{ }}L_{{\alpha _1}}^t,L_{{\alpha _2}}^t,...,L_{{\alpha _{{n_1}}}}^t\mathrm{{\} }}\) from \(L^t\) and \(n_2\) input values \(\mathrm{{\{ }}N_{{\beta _1}}^t,N_{{\beta _2}}^t,...,N_{{\beta _{{n_2}}}}^t\mathrm{{\} }}\) from \(N^t\), respectively.

A linear Boolean function \(l(\cdot )\) from \(F_2^{m_1+m_2}\) into \(F_2\) is used as part of the output function in the form \(l(q{L^t},q{N^t})\), which takes \(m_1\) input values \(\mathrm{{\{ }}L_{{\sigma _1}}^t,L_{{\sigma _2}}^t,...,L_{{\sigma _{{m_1}}}}^t\mathrm{{\} }}\) from \(L^t\) and \(m_2\) input values \(\mathrm{{\{ }}N_{{\tau _1}}^t,N_{{\tau _2}}^t,...,N_{{\tau _{{m_2}}}}^t\mathrm{{\} }}\) from \(N^t\), respectively.

An output function \(\phi (\cdot ) = l( \cdot ) \oplus h( \cdot )\), which generates the keystream \({\{ {z_t}\} _{t \ge 0}}\) based on the inputs taken from both \(L^t\) and \(N^t\), \(t=0,1,...\)
Definition 1
An mvariable Boolean function f is knormal (resp. kweakly normal) if there exists a flat \(V \subseteq F_2^m\) of dimension k such that f is constant (resp. affine) on V.
For example, the 5variable Boolean function \(h(\cdot )\) in Grainv1 is 2normal and 3weakly normal, and the 9variable Boolean function \(h(\cdot )\) in Sprout and Grain128a is 5normal.
Next, we study a natural generalization of the above definition for vectorial Boolean functions [5].
Definition 2
An \((m,\;n)\)function F: \(F_2^m \rightarrow F_2^n\) is called knormal if there exists a flat \(V \subseteq F_2^m\) of dimension k such that F is constant on V.
In our analysis, we investigate the knormality of the augmented function defined as follows.
Definition 3

3.1: there exists two positive integers b, f such that \(\bigcup \nolimits _{i =  b}^f {pq{N^{t + i}}} \subseteq {N^t}\) for any \(t\ge b\). In this case, the output segment \({z_{t  b}},...,{z_t},...,{z_{t + f}}\) can be computed from the complete state \((L^t, N^t)\) at time t.

3.2: \({H^{(b,f)}}\), the \((b+f+1)\)th augmented function of the filter function h, is a knormal Boolean function such that \({H^{(b,f)}}({x_1},...,{x_n}) = 0^{b+f+1}\) when \(x_j\) is fixed for all \(j\in \varOmega \), where \(\varOmega \) is a subset of \([1,\;n]\) and \(\varOmega =nk\).

3.3: there exists two positive integers d, e such that \(\bigcup \nolimits _{i =  d}^e {r{N^{t + i}}} \subseteq {N^t}\) for any \(t\ge d\). In this case, \(u(r{L^{t + i}},r{N^{t + i}}),i =  d,...,  1,0,1,...,e\) can be computed from the complete state \((L^t, N^t)\) at time t.

3.4: assume \(pq{N^{t + f+1}} \not \subset {N^t}\) and \(pq{N^{t + f+1}}\subset {N^{t+1}}\) for any \(t\ge b\), meaning that we cannot get \(pq{N^{t + f + 1}}\) from the state \((L^t, N^t)\). Note that the secret key is incorporated in the nonlinear state updating selectively, if we assume a special state \((L^t, N^t)\) such that \(u(r{L^t},r{N^t}) = 0\), \(N^{t+1}\) can be computed from \((L^t, N^t)\), thus we further get the output bit \(z_{t+f+1}\). Repeat this process for x steps, i.e., we assume a special state \((L^t, N^t)\) such that \(u(r{L^{t + i}},r{N^{t + i}}) = 0\) for \(i=0,1,...,x1\), then we get the output bits \({z_{t + f + 1}},...,{z_{t + f + x}}\).

3.5: assume \(r{N^{t + e + 1}} \not \subset {N^t}\) and \(r{N^{t + e + 1}} \subset {N^{t+1}}\) for any \(t\ge d\). For the above special state \((L^t,N^t)\) such that \(u(r{L^{t + i}},r{N^{t + i}}) = 0\) for \(i=0,1,...,x1\), if \(x1 \le e\), we have only unknowns from \((L^t,N^t)\); if \(x1>e\), then the unknowns from \(N^{t+1}\), \(N^{t+2}\),... will appear with some nonlinear equations \({N^{t + j + 1}} = G({N^{t + j}} \oplus {L_1}({L^{t + j}})) \oplus {L_2}({L^{t + j}}) \oplus C_{t+j}\), \(j=0,1,...,xe2\).

3.6: assume \(pq{N^{t b1}} \not \subset {N^t}\) and \(pq{N^{tb1}} \subset {N^{t1}}\) for any \(t\ge b\), which means we cannot get \(pq{N^{tb1}}\) from the state \((L^t, N^t)\). If we assume a special state \((L^t, N^t)\) such that \(u(r{L^{t1}},r{N^{t1}}) = 0\), \(N^{t1}\) can be computed from \((L^t, N^t)\), thus we further get the output bit \(z_{tb1}\). Repeat this process for y steps, i.e., we assume a special state \((L^t, N^t)\) such that \(u(r{N^{tj}},r{L^{tj}}) = 0\) for \(j=1,...,y\), then we get the output bits \({z_{tb1}},...,{z_{tby}}\).

3.7: assume \(r{N^{td1}} \not \subset {N^t}\) and \(r{N^{td1}} \subset {N^{t1}}\) for any \(t\ge d\). For the above special state \((L^t,N^t)\) such that \(u(r{L^{tj}},r{N^{tj}}) = 0\) for \(j=1,...,y\), if \(y\le d\), we have only unknowns from \((L^t,N^t)\); if \(y>d\), then the unknowns from \(N^{t1}\), \(N^{t2}\),... will appear with some nonlinear equations \({N^{t  j  1}} = G'({N^{t  j}} \oplus {L_1'}({L^{t  j  1}})) \oplus {L_2'}({L^{t  j  1}})\oplus C_{tj1}\), \(j=0,1,...,yd1\).
It is easy to check that the proposed model includes a number of primitives, e.g., Sprout and the Grain family. For Grain family, the term \(u(r{L^t},r{N^t}) = 0\) for any time t. For Sprout, \({N^t} = [{n_t},{n_{t + 1}},...,{n_{t +39}}]\), \({L^t} = [{l_t},{l_{t + 1}},...,{l_{t + 39}}]\), and for any t, \(u(r{L^t},r{N^t}) = {l_{t + 4}} \oplus {l_{t + 21}} \oplus {l_{t + 37}} \oplus {n_{t + 9}} \oplus {n_{t + 20}} \oplus {n_{t + 29}}\). The positive integers b, f, d, e are \(b=1,\;f=1,\; d=9,\; e=10\) respectively.
3 A TMD Tradeoff Attack Framework
In this section, we provide a systematic security analysis for Sproutlike stream ciphers. A dedicated TMD tradeoff attack framework is developed for such designs based on the knormality of the augmented function.
The goal of cryptanalysis is to recover the internal state which has generated a sample segment, and if possible, given the internal state, to further restore the secret key. There are two phases in the framework: the preprocessing phase and the processing phase. The offline preprocessing phase is performed only once and is independent of the employed secret key and the keystream sample.
3.1 PreProcessing Phase
In the offline preprocessing phase, some tables are prepared which will be used later in the processing phase. Given the parameters \(l_1, l_2\) and b, f, d, e, x, y, define a twodimensional counter array \(\mathbf{{\bar{C}}} = [{C_{t  y}},...,{C_{t  1}},{C_t},{C_{t + 1}},...,{C_{t + (x  1)}}]\), we construct the StateKeystream pair tables as follows.
 1.
Under the assumptions in the model, construct a system of equations which implies a “special” state \((L^t,N^t)\) satisfying the following conditions.

(1.1) \({H^{(b,f)}}(P{L^t},P{N^t}) = 0^{b + f + 1}\) and \(l(q{L^{t + i}},q{N^{t + i}}) = 0\), for \(i= b,...,1,0,1,...,f\).

(1.2) \(u(r{L^{t + i}},r{N^{t + i}}) = 0\) for \(i=0,1,...,x1\), from which we can get the output bits \({z_{t + f + 1}}\),...,\({z_{t + f + x}}\).

(1.3) \(u(r{L^{tj}},r{N^{tj}}) = 0\) for \(j=1,...,y\), from which we can get the output bits \({z_{tb1}}\),...,\({z_{tby}}\).

 2.Suppose Assumptions 3.2, 3.5 and 3.7 hold,

if \(x1\le e\) and \(y\le d\), the above system of equations has only unknowns from the state \((L^t,N^t)\).
 if \(x1> e\) and \(y\le d\), the unknowns from \(N^{t+1}\), \(N^{t+2}\),... will appear with some nonlinear equations:Define another counter array \(\mathbf{{\bar{C}'}} = [{C_t},{C_{t + 1}},...,{C_{t + (xe2)}}]\), note that the round constant vectors in \(\mathbf{{\bar{C}'}}\) are involved in these equations.$${N^{t + j + 1}} = G({N^{t + j}} \oplus {L_1}({L^{t + j}})) \oplus {L_2}({L^{t + j}})\oplus C_{t+j},\;j=0,1,...,xe2.$$
 if \(x1\le e\) and \(y> d\), the unknowns from \(N^{t1}\), \(N^{t2}\),... will appear with some nonlinear equations:Define counter array \(\mathbf{{\bar{C}}}' = [{C_{t  (y  d)}},...,{C_{t  2}},{C_{t  1}}]\), the round constant vectors in \(\mathbf{{\bar{C}'}}\) are involved in these equations.$${N^{t  j  1}} = G'({N^{t  j}} \oplus {L_1'}({L^{t  j  1}})) \oplus {L_2'}({L^{t  j  1}})\oplus C_{tj1},\;j=0,1,...,yd1.$$
 if \(x1> e\) and \(y> d\), the unknowns from \(N^{t+1}\), \(N^{t+2}\),... and \(N^{t1}\), \(N^{t2}\),... will appear with some nonlinear equations:Define counter array \(\mathbf{{\bar{C}}}' = [{C_{t  (y  d)}},...,{C_{t  1}},{C_t},{C_{t + 1}},...,{C_{t + (x  e  2)}}]\), the round constant vectors in \(\mathbf{{\bar{C}'}}\) are involved in these equations.$$\begin{array}{l} {N^{t + j + 1}} = G({N^{t + j}} \oplus {L_1}({L^{t + j}})) \oplus {L_2}({L^{t + j}}) \oplus {C_{t + j}},j = 0,1,...,x  e  2,\\ {N^{t  j  1}} = G'({N^{t  j}} \oplus {L_{1'}}({L^{t  j  1}})) \oplus {L_{2'}}({L^{t  j  1}}) \oplus {C_{t  j  1}},j = 0,1,...,y  d  1. \end{array}$$

 3.
For each possible counter array \(\mathbf{{\bar{C}}}'\), solve the constructed system of equations and get the special states \((L^t,N^t)\) satisfying 1 and 2. Memorize the special state \((L^t,N^t)\) in the first column of a row in table \({\mathrm{T}_{\mathbf{{\bar{C}'}}}}\), further for this state and for each possible counter array \({{\mathbf{{\bar{C}}}}^*} = \mathbf{{\bar{C}}}\backslash \mathbf{{\bar{C}}}'\), get the corresponding \((x+y)\) output bits \(\underbrace{{z_{t  b  1}},...,{z_{t  b  y}}}_y,\underbrace{{z_{t + f + 1}},...,{z_{t + f + x}}}_x\) and store them in the second column as a subrow in table \({\mathrm{T}_{\mathbf{{\bar{C}'}}}}\).
3.2 Processing Phase
Now we discuss how to recover the internal state which has generated a sample segment, and if possible, given the internal state, to further restore the secret key. The following two propositions have provided us a direct way of key recovery from an internal state candidate and some keystream bits.
Proposition 1
For a special state \((L^t,N^t)\) satisfying the conditions (1.1) and (1.2), \(N^{t+1}\),...,\(N^{t+x}\) can be computed directly from the complete state \((L^t,N^t)\) and the nonlinear state updating function without involving the secret key. Besides, if \(u(r{L^{t + x}},r{N^{t + x}}) = 1\), we may get some secret key information \(R(t+x,K)\) when the keystream bit \(z_{t+f+x+1}\) is known. Further, more key information \(R(t+x+j,K)\), \(j=0,1,...\) will probably be obtained when more keystream bits \(z_{t+f+x+j+1}\), \(j=0,1,...\) are known.
Proof
The first half is clear from the condition (1.2).
For a special state \((L^t,N^t)\), if \(u(r{L^{t + x}},r{N^{t + x}}) = 1\), the secret key information \(R(t+x,K)\) is incorporated into the updating of the nonlinear part from \(N^{t+x}\) to \(N^{t+x+1}\). One can check that the keystream bit \(z_{t+f+x+1}\) is dependent on \(N^{t+x+1}\). In a word, \(R(t+x,K)\) is likely to affect (if \(u(r{L^{t + x}},r{N^{t + x}}) = 1\)) the keystream bit \(z_{t+f+x+1}\). Accordingly, we may obtain some key information \(R(t+x,K)\) from \(z_{t+f+x+1}\). This procedure can be repeated many times. \(\Box \)
Similar to the proof of Proposition 1, we have the following proposition.
Proposition 2
For a special state \((L^t,N^t)\) satisfying the conditions (1.1) and (1.3), \(N^{t1}\),...,\(N^{ty}\) can be computed directly from the complete state \((L^t,N^t)\) and the nonlinear state updating function without involving the secret key. Besides, if \(u(r{L^{t y1}},r{N^{ty1}}) = 1\), we may get some key information \(R(ty1,K)\) when the keystream bit \(z_{tby1}\) is known. Further, more key information \(R(tyj,K)\), \(j=1,2,...\) will probably be obtained when more keystream bits \(z_{tbyj}\), \(j=1,2,...\) are known.
By utilizing the precomputed tables and the given keystream sample, the processing phase is carried out as follows.
The Internal State Recovery Algorithm. Given the parameters b, f, x, y, the tables \(\mathrm{T}_{\mathbf{{\bar{C}'}}}\), and the keystream sample \({\{ {z_t}\} _{t \ge 0}}\), the processing steps are as follows.
 1.
Search the keystream sequence \({\{ {z_t}\} _t}\) for the next nonconsidered block of \((b+f+1)\) zeros. If there are no more blocks, output a flag that the algorithm has failed.
 2.For each detected block, compute the corresponding counter array \({\mathbf{{\bar{C}}}}\), \({\mathbf{{\bar{C}'}}}\) and \({\mathbf{{\bar{C}^*}}}\) from the time t, compare the xbit segment of the keystream subsequent to the block and ybit segment prior to the block with the memorized \((x+y)\)bit segments in the second column (subrow is indexed by \({\mathbf{{\bar{C}^*}}}\)) of the table \(\mathrm{T}_{\mathbf{{\bar{C}'}}}\), and do the following:

If the matching does not exist, go the processing Step 1.

If the \((x+y)\)bit output segment matches with a segment in table \(\mathrm{T}_{\mathbf{{\bar{C}'}}}\), go to Step 3.

 3.
Read the corresponding state, and if appropriate, recover (part of) the secret key according to Propositions 1 and 2 from this state and more keystream bits.
3.3 Complexity Analysis
Lemma 1
Proof
Theorem 1
Suppose \(V^{(b,f)}\) is a flat such that \(H^{(b,f)}=0^{b+f+1}\) over it, then the complexities of the proposed generic algorithm for cryptanalysis are as follows:
(1) The processing data complexity is \(D={2^{{l_1} + {l_2}  \dim ({V^{(b,f)}})}} \cdot {2^{b + f + 1}} \cdot p^{  (x + y)}\).
(2) The expected space complexity in the preprocessing phase is proportional to the sum of number of rows in each table \(\mathrm{T}_{\mathbf{{\bar{C}'}}}\).
(3) The processing (table lookups) time complexity is proportional to \({2^{{l_1} + {l_2}  \dim ({V^{(b,f)}})}} \cdot {p^{  (x + y)}}\).
(4) The preprocessing time complexity is equivalent to the workload for solving the system of equations constructed.
Proof
The data complexity is determined by the probability that an internal state is a special state satisfying conditions (1.1), (1.2) and (1.3) simultaneously in the preprocessing phase, which is given in the proof of Lemma 1 as \({2^{  ({l_1} + {l_2}  dim({V^{(b,f)}}))}} \cdot {2^{  (b + f + 1)}} \cdot p^{x + y}\). Thus we have \(D={2^{{l_1} + {l_2}  \dim ({V^{(b,f)}})}} \cdot {2^{b + f + 1}} \cdot p^{  (x + y)}.\)
For each possible counter array \({\mathbf{{\bar{C}'}}}\), we have constructed the corresponding table \(\mathrm{T}_{\mathbf{{\bar{C}'}}}\), thus the estimated space complexity is proportional to the sum of number of rows in each table \(\mathrm{T}_{\mathbf{{\bar{C}'}}}\).
In the processing phase, the expected number of table lookups depends on the probability that an internal state \((L^t,N^t)\) is a special state satisfying the conditions (1.1), (1.2) and (1.3) simultaneously when the keystream segment \(\mathrm{{Z}}_t^{(b + f + 1)} = 0^{b + f + 1}\), which is given in Lemma 1 as \({2^{  ({l_1} + {l_2}  dim({V^{(b,f)}}))}} \cdot p^{x + y}\). Thus the number of table lookups is \({2^{{l_1} + {l_2}  dim({V^{(b,f)}})}} \cdot p^{  (x + y)}.\)
The preprocessing time complexity is determined by the workload for solving the system of equations constructed. \(\Box \)
4 Cryptanalysis of Sprout
In this section, we apply the framework proposed in Sect. 3 to Sprout with the comparisons to the previous relevant attacks.
4.1 Fitting into the Model
As described in Sect. 2, whether the secret key is involved in the NFSR state updating is determined by the value \({u_t} = {l_{t + 4}} \oplus {l_{t + 21}} \oplus {l_{t + 37}} \oplus {n_{t + 9}} \oplus {n_{t + 20}} \oplus {n_{t + 29}}\), to fit in the model, we have \(r{L^t} = \{ {l_{t + 4}},{l_{t + 21}},{l_{t + 37}}\} \), \(r{N^t} = \{ {n_{t + 9}},{n_{t + 20}},{n_{t + 29}}\} \) and the two parameters \(d=9\), \(e=10\) such that \(\bigcup \nolimits _{i =  9}^{10} {r{N^{t + i}}} \subseteq {N^t}\).
4.2 Cryptanalysis
We first discuss how to construct tables that will be used in the processing phase.
 1.
Define a counter array as \(C = [c_{t  y}^4,...,c_{t  1}^4,c_t^4,c_{t + 1}^4,...,c_{t + (x  1)}^4]\) of size \(C=x+y\). For an internal state \((L^t,N^t)\) such that \(n_{t+3}=n_{t+4}=n_{t+5}=0\) (thus there are 77 unknowns), construct a system of equations which implies a state \((L^t,N^t)\) satisfying the following conditions.

(a). \(l(q{L^{t + i}},q{N^{t + i}}) = 0\), for \(i =1,0,1\).

(b). \(u_{t+i}=0\) for \(i=0,1,...,x1\), from which we can get the output bits \({z_{t+2}}\),...,\({z_{t+x+1}}\) (suppose the round constants \(c_t^4,c_{t + 1}^4,...,c_{t + (x  1)}^4\) are known).

(c). \(u_{tj}=0\) for \(j=1,...,y\), from which we can get the output bits \({z_{t2}}\),...,\({z_{ty1}}\) (suppose the round constants \(c_{t  1}^4,c_{t  2}^4,...,c_{t  y}^4\) are known).

 2.We discuss it in the following situations:
 Case 1: If \(x \le 11\) and \(y\le 9\), we have the corresponding system of \((3+x+y)\) linear equations with only 77 unknowns from the state \((L^t,N^t)\): 40 unknowns from \(L^t\) and 37 unknowns from \(N^t\).$$\begin{aligned} \left\{ \begin{array}{l} {l_{t + 30 + k}} \oplus \left( {\mathop {\bigoplus }\nolimits _{i \in A} {n_{t + i+k}}} \right) =0,k =  1,0,1\\ {l_{t + 4 + i}} \oplus {l_{t + 21 + i}} \oplus {l_{t + 37 + i}} \oplus {n_{t + 9 + i}} \oplus {n_{t + 20 + i}} \oplus {n_{t + 29 + i}} = 0,i = 0,1,...,x  1\\ {l_{t + 4  j}} \oplus {l_{t + 21  j}} \oplus {l_{t + 37  j}} \oplus {n_{t + 9  j}} \oplus {n_{t + 20  j}} \oplus {n_{t + 29  j}} = 0,j = 1,...,y \end{array} \right. \end{aligned}$$
 Case 2: If \(x\ge 12\) and \(y\le 9\), in addition to the 77 unknowns from the state \((L^t,N^t)\), the unknowns \(n_{t+40}\), \(n_{t+41}\),...,\(n_{t+40+(x12)}\) will appear with some nonlinear equations. Thus we obtain a system of equations with \((66+x)\) unknowns, and \((2x+y8)\) equations (\((3+x+y)\) linear equations and \((x11)\) nonlinear equations). Define another counter array \({C'} = [c_t^4,c_{t + 1}^4,...,c_{t + (x  12)}^4]\) of size \(C' = x  11\), note that the round constants in \(C'\) are involved in this system.$$\begin{aligned} \left\{ \begin{array}{l} {l_{t + 30 + k}} \oplus \left( {\mathop {\bigoplus }\nolimits _{i \in A} {n_{t + i+k}}} \right) = 0,k =  1,0,1\\ {l_{t + 4 + i}} \oplus {l_{t + 21 + i}} \oplus {l_{t + 37 + i}} \oplus {n_{t + 9 + i}} \oplus {n_{t + 20 + i}} \oplus {n_{t + 29 + i}} = 0,i = 0,1,...,x  1\\ {l_{t + 4  j}} \oplus {l_{t + 21  j}} \oplus {l_{t + 37  j}} \oplus {n_{t + 9  j}} \oplus {n_{t + 20  j}} \oplus {n_{t + 29  j}} = 0,j = 1,...,y\\ {n_{t + 40 + m}} \oplus {l_{t + m}} \oplus c_{t + m}^4 \oplus g({N^{t + m}}) = 0,m = 0,1,...,x  12\;(nonlinear) \end{array} \right. \end{aligned}$$
 Case 3: If \(x\le 11\) and \(y\ge 10\), in addition to the 77 unknowns from the state \((L^t,N^t)\), the unknowns \(n_{t1}\), \(n_{t2}\),...,\(n_{t(y9)}\) will appear with some nonlinear equations. Thus we obtain a system of equations with \((68+y)\) unknowns, and \((x+2y6)\) equations (\((3+x+y)\) linear equations and \((y9)\) nonlinear equations). Define \({C'} = [c_{t(y9)}^4,...,c_{t1}^4]\) of size \(C' = y9\), the round constants in \(C'\) are involved in this system.$$\begin{aligned} \left\{ \begin{array}{l} {l_{t + 30 + k}} \oplus \left( {\mathop {\bigoplus }\nolimits _{i \in A} {n_{t + i+k}}} \right) = 0,k =  1,0,1\\ {l_{t + 4 + i}} \oplus {l_{t + 21 + i}} \oplus {l_{t + 37 + i}} \oplus {n_{t + 9 + i}} \oplus {n_{t + 20 + i}} \oplus {n_{t + 29 + i}} = 0,i = 0,1,...,x  1\\ {l_{t + 4  j}} \oplus {l_{t + 21  j}} \oplus {l_{t + 37  j}} \oplus {n_{t + 9  j}} \oplus {n_{t + 20  j}} \oplus {n_{t + 29  j}} = 0,j = 1,...,y\\ {n_{t  n}} \oplus {l_{t  n}} \oplus c_{t  n}^4 \oplus g'({N^{t  n + 1}}) = 0,n = 1,...,y 9\;(nonlinear) \end{array} \right. \end{aligned}$$
 Case 4: If \(x\ge 12\) and \(y\ge 10\), in addition to the 77 unknowns from the state \((L^t,N^t)\), the unknowns \(n_{t+40}\), \(n_{t+41}\),...,\(n_{t+40+(x12)}\) and \(n_{t1}\), \(n_{t2}\),...,\(n_{t(y9)}\) will appear with some nonlinear equations. Thus we obtain a system of equations with \((57+x+y)\) unknowns, and \((2x+2y~17)\) equations (\((3+x+y)\) linear equations and \((x+y20)\) nonlinear equations). Define \({C'} = [c_{t  (y9)}^4,...,c_{t  1}^4,c_t^4,c_{t + 1}^4,...,c_{t + (x  12)}^4]\) of size \(C' = x+y20\), the round constants in \(C'\) are involved in the system.$$\begin{aligned} \left\{ \begin{array}{l} {l_{t + 30 + k}} \left( {\mathop {\bigoplus }\nolimits _{i \in A} {n_{t + i+k}}} \right) = 0,k =  1,0,1\\ {l_{t + 4 + i}} \oplus {l_{t + 21 + i}} \oplus {l_{t + 37 + i}} \oplus {n_{t + 9 + i}} \oplus {n_{t + 20 + i}} \oplus {n_{t + 29 + i}} = 0,i = 0,1,...,x  1\\ {l_{t + 4  j}} \oplus {l_{t + 21  j}} \oplus {l_{t + 37  j}} \oplus {n_{t + 9  j}} \oplus {n_{t + 20  j}} \oplus {n_{t + 29  j}} = 0,j = 1,...,y\\ {n_{t + 40 + m}} \oplus {l_{t + m}} \oplus c_{t + m}^4 \oplus g({N^{t + m}}) = 0,m = 0,1,...,x  12\;(non  linear)\\ {n_{t  n}} \oplus {l_{t  n}} \oplus c_{t  n}^4 \oplus g'({N^{t  n + 1}}) = 0,n = 1,...,y  9\;(non  linear) \end{array} \right. \end{aligned}$$

 3.
For each possible counter array \(C'\), solve the constructed system of equations. Observe that all the round constants in \(C'\) are added to the system linearly, by guessing at most \(2^{74(x+y)}\) appropriate unknowns we can solve the system and get \(2^{74(x+y)}\) solutions \((L^t,N^t)\) for each possible counter array \(C'\).
 4.
For each possible counter array \(C'\), check each of the \(2^{74(x+y)}\) solutions \((L^t,N^t)\). If \((L^t,N^t) \in V_i\), i.e., \({P^t} = {a_i}\) for any \(i=1,2,...,2^{13}\), store the 61bit \(({L^{*t}},{N^{*t}})\) in the first column of a row in table \(\mathrm{T}_{C',i}\), where \({L^{*t}} = {L^t}\backslash {P^t}\) and \({N^{*t}} = {N^t}\backslash \{ {n_{t + 3}},{n_{t + 4}},{n_{t + 5}}\} \). Further for this state and for each possible round constants of \({C^*} = C\backslash C'\), get the corresponding \((x+y)\) output bits \(\left( {{z_{t  y  1}},...,{z_{t  2}},{z_{t + 2}},...,{z_{t + x + 1}}} \right) \) and put them in the second column as a subrow in table \(\mathrm{T}_{C',i}\). Thus there are expected \(2^{58xy}\) rows in the first column and \(2^{58xy}\times \frac{{Count(C)}}{{Count(C')}}\) rows in the second column, where Count(n) represents the number of all the possible counter arrays of size n.
The size of the counter array n and the number Count(n) for all the possible counter arrays
n  6  7  8  9  10  11  12  13  14  15  16  17 

Count(n)  12  14  16  18  20  22  24  26  28  30  32  33 
n  18  19  20  21  22  23  24  25  26  27  28  29 
Count(n)  35  37  39  41  43  45  47  49  51  53  55  57 
n  30  31  32  33  34  35  36  37  38  39  40  41 
Count(n)  59  61  63  64  65  66  67  68  69  70  71  72 
n  42  43  44  45  46  47  48  49  50  51  52  53 
Count(n)  73  74  75  76  77  78  79  80  80  80  80  80 
Remarks. First, it can be seen that, the necessary and sufficient condition for a state \((L^t,N^t)\) to be a “special” state is that \((L^t,N^t)\in V\) and the conditions (a), (b) and (c) hold. Second, for each possible counter array C, \(n_{t+40}\),...,\(n_{t+40+(x1)}\) and \(n_{t1}\),...,\(n_{ty}\) can be computed directly from a special state \((L^t,N^t)\) according to the state updating of NFSR without involving the key information. Third, denote the number of rows (in the first column) of table \(\mathrm{T}_{C',i}\) as \(2^{r_i}\), if \(r_i<x+y\), we only need to store \((x+yr_i)\) output bits in the second column, indexed by \(r_i\)bit of the output. Finally, in the preprocessing phase, we have obtained \(Count(C')\times {2^{13}}\) tables \(\mathrm{T}_{C',i}\), each having \(2^{58xy}\) rows in the first column to store “special" states and \({2^{58  x  y}} \times \frac{{Count(C)}}{{Count(C')}}\) rows in the second column to store the corresponding output bits.
Lemma 2
Proof
Next, we will present a State Checking and Key Recovery Mechanism specified for Sprout, by which we have the opportunity to check whether a state candidate is correct, and if so, further recover the key for a correct guess.
 1.
Compute the value of \(n_{t1}\) given by the keystream bit \(z_{t2}\) as \({n_{t  1}} = z_{t2}\oplus h({n_{t + 2}},{l_{t + 4}},{l_{t + 6}},{l_{t + 8}},{l_{t + 30}},{l_{t + 15}},{l_{t + 17}},{l_{t + 21}},{n_{t + 36}}) \oplus {l_{t + 28}} \oplus \left( {\mathop {\bigoplus }\nolimits _{i \in A'} {n_{t + i  2}}} \right) \) where \(A' = \{6,15,17,23,28,34\} \). And compute \(l_{t1}\) by the LFSR updating equation as \({l_{t  1}} = {l_{t + 39}} \oplus {l_{t + 33}} \oplus {l_{t + 24}} \oplus {l_{t + 19}} \oplus {l_{t + 14}} \oplus {l_{t+4}}\), and deduce from \(n_{t1}\), \(l_{t1}\) the value \(k_{t1}^*\) by the NFSR updating equation as \(k_{t1}^*=n_{t+39}\oplus c_{t1}^4 \oplus {l_{t1}}\oplus g(N^{t1}).\)
 2.Compute the value of \({u_{t1}} = {l_{t+3}} \oplus {l_{t + 20}} \oplus {l_{t + 36}} \oplus {n_{t+8}} \oplus {n_{t + 19}} \oplus {n_{t + 28}}\) and combine it with the value of \(k_{t1}^*\) obtained in Step 1:

if \(u_{t1}=0\) and \(k_{t1}^*=0\), set \(t \rightarrow t  1\) and go back to Step 1.

if \(u_{t1}=0\) and \(k_{t1}^*=1\), there is a contradiction, conclude that this guess for state is not correct and stop.

if \(u_{t1}=1\) and \(k_{t1}^*=0\), check if \(k_{(t1)\mod 80}\) has already been set in K. If no, set it to 0. Set \(t \rightarrow t  1\) and go back to Step 1. Else, if there is a contradiction, conclude that this guess for state is not correct and stop.

if \(u_{t1}=1\) and \(k_{t1}^*=1\), check if \(k_{(t1)\mod 80}\) has already been set in K. If no, set it to 1. Set \(t \rightarrow t  1\) and go back to Step 1. Else, if there is a contradiction, conclude that this guess for state is not correct and stop.

Next we illustrate the algorithm for the internal state and key recovery in the processing phase.
 1.
Search the keystream sequence \({\{ {z_t}\} _t}\) for the next nonconsidered block of 3 zeros. If there are no more blocks, output a flag that the algorithm has failed to recover the key.
 2.For each detected block, compute the corresponding counter array C, \(C'\) and \(C^*\) from the time t. For \(i=1,...,2^{13}\), compare the xbit segment of the keystream subsequent to the block and ybit segment prior to the block with the memorized \((x+y)\)bit segments in the second column (subrow is indexed by \(C^*\)) of the table \(\mathrm{T}_{C',i}\), and do the following:

If the matching does not exist, go to the processing Step 1.

If the \((x+y)\)bit sample segments match with a segment in table \(\mathrm{T}_{C',i}\), go to Step 3.

 3.
Read the corresponding state, check whether it is a correct state or not and recover the secret key by the State Checking and Key Recovery Mechanism stated above. If this state survives, recover and output the key, else go to Step 1.
Theorem 2
Proof
The data complexity is determined by the probability that an internal state \((L^t,N^t)\) is a special state (such that \((L^t,N^t)\in V\) and the conditions (a), (b) and (c) hold), which is given in the proof of Lemma 2 as \(2^{(9+x+y)}\). Thus we have \(D=2^{9+x+y}\).
The preprocessing time complexity is equivalent to solving the constructed system of equations. We see that by guessing at most \(2^{74(x+y)}\) appropriate unknowns we can solve the system for each possible counter array \(C'\). As the counter values are added to the systems linearly, we can do the Gauss elimination only once to store separate tables for each of the \(Count(C')\) counter arrays. \(\Box \)
4.3 Detailed Workload for \(x=16\), \(y=15\)

If \(n_{t+9}=0\), we come up with \(2^{32}\) systems with 6 linear equations and 16 unknowns; For each of these systems, we do the Gauss elimination once by choosing an invertible coefficient matrix of \(6 \times 6\). The systems can be solved with \({2^{32}} \times ({6^{3}} + {2^{10}}) = {2^{42.27}}\) basic operations.

If \(n_{t+9}=1\), we further guess \(n_{t+8}\), thus we get \(2^{33}\) systems with 6 linear equations and 15 unknowns. Similarly, the systems can be solved with \({2^{33}} \times ({6^{3}} + {2^9}) = {2^{42.51}}\) basic operations.
In total, the precomputation is approximately \({2^{43.39}}\) basic operations.
The complexity issues of the attack on Sprout
x, y  \(Count(x+y)\)  Data  Memory(bit),(TB)  Time  Precomputation 

16,14  59  \(2^{39}\)  \(2^{51.39}\)bit, 336 TB  \(2^{40.66}\)  \(2^{44.03}\) 
16,15  61  \(2^{40}\)  \(2^{50.63}\)bit, 198 TB  \(2^{39.66}\)  \(2^{43.39}\) 
17,15  63  \(2^{41}\)  \(2^{49.85}\)bit, 115 TB  \(2^{38.66}\)  \(2^{43.81}\) 
17,16  64  \(2^{42}\)  \(2^{49.03}\)bit, 65 TB  \(2^{37.66}\)  \(2^{45.36}\) 
18,16  65  \(2^{43}\)  \(2^{48.20}\)bit, 36 TB  \(2^{36.66}\)  \(2^{47.09}\) 
Comparison of our time/memory/data Tradeoff attacks with the previous ones
Attack  Data  Memory(bit),(TB)  Time  Precomputation 

[12]  112  \(\ge 2^{52.32}\)bit, \(\ge 639\) TB  \(2^{66.80}\)  \(2^{68.87}\) 
[8]  \(2^{40}\)  \(2^{52.58}\)bit, 770 TB  \(2^{30.66}\)  \(2^{54.29}\) 
[8]  \(2^{41}\)  \(2^{52.64}\)bit, 399 TB  \(2^{29.66}\)  \( \approx {2^{56.70}}\) 
[8]  \(2^{42}\)  \(2^{50.69}\)bit, 207 TB  \(2^{28.66}\)  \( \approx {2^{59.07}}\) 
[8]  \(2^{43}\)  \(2^{49.74}\)bit, 108 TB  \(2^{27.66}\)  \( \approx {2^{61.42}}\) 
\(\mathbf ours \)  \(2^{39}\)  \(2^{51.39}\)bit, 336 TB  \(2^{40.66}\)  \(2^{44.03}\) 
\(\mathbf ours \)  \(2^{40}\)  \(2^{50.63}\)bit, 198 TB  \(2^{39.66}\)  \(2^{43.39}\) 
\(\mathbf ours \)  \(2^{41}\)  \(2^{49.85}\)bit, 115 TB  \(2^{38.66}\)  \(2^{43.81}\) 
\(\mathbf ours \)  \(2^{42}\)  \(2^{49.03}\)bit, 65 TB  \(2^{37.66}\)  \(2^{45.36}\) 
\(\mathbf ours \)  \(2^{43}\)  \(2^{48.20}\)bit, 36 TB  \(2^{36.66}\)  \(2^{47.09}\) 
5 Practical Implementation
To verify the validity of our attack, we experimentally test it on a reduced cipher with similar structure and properties as Sprout. In general, the simulation results match well with the theoretical estimates.
5.1 The Reduced Version of Sprout
Similarly, there is an 8bit counter register, of which the lower 6 bits are a modulo 40 counter, denoted by \((c_t^5,c_t^4,c_t^3,c_t^2,c_t^1,c_t^0)\) at a given round t. The 3th LSB \(c_t^3\) of the counter is employed in the keystream generation. It should be noted that, \(c_t^3\) has a cycle of length 40, i.e., in each cycle, this bit takes the values \(\underbrace{0,0,...,0}_{8}\underbrace{1,1,...,1}_{8}\underbrace{0,0,...,0}_{8}\underbrace{1,1,...,1}_{8}\underbrace{0,0,...,0}_{8}\).

the LFSR update function is changed to \({l_{t + 20}} = {z_t} \oplus f({L^t})\).

the NFSR update function is changed to \({n_{t + 20}} = {z_t} \oplus k_t^* \oplus {l_t} \oplus c_t^3 \oplus g({N_t})\).

no keystream bit is generated.
After the initialization phase, the keystream generation phase starts and there is no feedback keystream anymore.
5.2 Attack Process

\({L^{*t}} = {L^t}\backslash (\{ {l_{t + 4}}\} \cup {P^t})\) of 6bit.

\({N^{*t}} = {N^t}\backslash \{ {n_{t + 3}},{n_{t + 4}},{n_{t + 5}}\} \) of 17bit.
 Define \(C = [c_{t  5}^3,...,c_{t  1}^3,c_{t}^3, c_{t + 1}^3,...,c_{t +5}^3]\) of length 11, the employed counter array. There are 21 different counter arrays, denoted by hexadecimal numbers, they are$$\begin{array}{l} \mathtt{0x007},\mathtt{0x00f},\mathtt{0x01f},\mathtt{0x03f},\mathtt{0x07f},\mathtt{0x0ff},\mathtt{0x1fe},\\ \mathtt{0x3fc},\mathtt{0x7f8},\mathtt{0x7f0},\mathtt{0x7e0},\mathtt{0x7c0},\mathtt{0x780},\mathtt{0x700},\\ \mathtt{0x601},\mathtt{0x403},\mathtt{0x600},\mathtt{0x400},\mathtt{0x000},\mathtt{0x001},\mathtt{0x003}, \end{array}$$

Define \(C' = [c_{t  1}^3]\) of length 1, and \(C^* = [c_{t  5}^3,...,c_{t  2}^3,c_{t}^3, c_{t + 1}^3,...,c_{t +5}^3]\) of length 10. There are 2 different values for \(C'\), denoted as \(c'_1=\mathtt{0x0}\), \(c'_2=\mathtt{0x1}\). If \(c_{t1}^3=\mathtt{0x0}\), there are 13 different values for \(C^*\), they are \(\mathtt{0x007}\), \(\mathtt{0x00f}\), \(\mathtt{0x01f}\),\(\mathtt{0x03f}\),\(\mathtt{0x3c0}\),\(\mathtt{0x380}\),\(\mathtt{0x301}\),\(\mathtt{0x203}\),\(\mathtt{0x300}\),\(\mathtt{0x200}\),\(\mathtt{0x000}\),\(\mathtt{0x001}\),\(\mathtt{0x003}\); If \(c_{t1}^3=\mathtt{0x1}\), there are 8 different values for \(C^*\), they are \(\mathtt{0x03f}\),\(\mathtt{0x07f}\),\(\mathtt{0x0fe}\), \(\mathtt{0x1fc}\),\(\mathtt{0x3f8}\),\(\mathtt{0x3f0}\),\(\mathtt{0x3e0}\),\(\mathtt{0x3c0}\).
Next, we present the State Checking and Key Recovery Mechanism specified for the reduced version of Sprout, which is similar to the one stated for Sprout.
 1.
Compute the value of \(n_{t1}\) given by the keystream bit \(z_{t2}\) as \({n_{t  1}} = z_{t2}\oplus h({n_{t + 2}},{l_{t + 4}},{l_{t + 6}},{l_{t + 8}},{l_{t + 10}},{l_{t + 15}},{l_{t + 17}},{l_{t + 1}},{n_{t + 16}}) \oplus {l_{t + 8}} \oplus \left( {\mathop {\bigoplus }\nolimits _{i \in A'} {n_{t + i  2}}} \right) \) where \(A' = \{3,6,15,17\} \). And compute \(l_{t1}\) by the LFSR updating equation as \({l_{t  1}} = {l_{t + 19}} \oplus {l_{t + 18}} \oplus {l_{t + 15}} \oplus {l_{t + 14}} \oplus {l_{t + 13}} \oplus {l_t}\), and deduce from \(n_{t1}\), \(l_{t1}\) the value \(k_{t1}^*\) by the NFSR updating equation as \(k_{t1}^*=n_{t+19}\oplus c_{t1}^3 \oplus {l_{t1}}\oplus g(N^{t1})\).
 2.Compute the value of \({u_{t1}} = {l_{t}} \oplus {l_{t + 3}} \oplus {l_{t + 16}} \oplus {n_{t+3}} \oplus {n_{t + 9}} \oplus {n_{t + 13}}\) and combine it with the value of \(k_{t1}^*\) obtained in Step 1:

if \(u_{t1}=0\) and \(k_{t1}^*=0\), set \(t \rightarrow t  1\) and go back to Step 1.

if \(u_{t1}=0\) and \(k_{t1}^*=1\), there is a contradiction, conclude that this guess for state is not correct and stop.

if \(u_{t1}=1\) and \(k_{t1}^*=0\), check if \(k_{(t1)\mod 40}\) has already been set in K. If no, set it to 0. Set \(t \rightarrow t  1\) and go back to Step 1. Else, if there is a contradiction, conclude that this guess for state is not correct and stop.

if \(u_{t1}=1\) and \(k_{t1}^*=1\), check if \(k_{(t1)\mod 40}\) has already been set in K. If no, set it to 1. Set \(t \rightarrow t  1\) and go back to Step 1. Else, if there is a contradiction, conclude that this guess for state is not correct and stop.

By utilizing the precomputed tables and the given keystream sample, the processing phase is carried out as follows.
 1.
Search the keystream sequence \({\{ {z_t}\} _{t \ge 6}}\) for the next nonconsidered block of 3 zeros, i.e., \({z_{t  1}}{z_t}{z_{t + 1}} = 000\). If there are no more blocks, output a flag that the algorithm has failed.
 2.For each detected block, compute the corresponding \(C' = [c_{t  1}^3] \buildrel \varDelta \over = c'\) and \({C^*} = [c_{t  5}^3,...,c_{t  2}^3,c_t^3,c_{t + 1}^3,...,c_{t + 5}^3] \buildrel \varDelta \over = {c^*}\) from the time t. For \(a_1=\mathtt{0x0000}\), \(a_2=\mathtt{0x0001}\),...,\(a_{1024}=\mathtt{0x1ba1}\), compare \(({z_{t + 2}}{z_{t + 3}}...{z_{t + 7}})\) after the zerosegment and \(({z_{t  6}}{z_{t  5}}...{z_{t  2}})\) before the zerosegment with the memorized 11bit segments in the second column of a subrow indexed by \(c^*\) from the tables \(\mathrm{T}_{c',a_i}\), and do the following:

If the matching does not exist, go to the processing Step 1.

If the 11bit sample segments match with a segment in table \(\mathrm{T}_{c',a_i}\), go to Step 3.

 3.
Read the corresponding state, check whether it is a correct state or not and recover the secret key by the State Checking and Key Recovery Mechanism stated before. If this state survives, recover and output the key, else go to Step 1.
5.3 Simulation Results
Our attacks have been fully implemented on one core of a single PC, running with Windows 7, Intel Core i32120 CPU @ 3.30 GHz and 4.00 GB RAM. In general, the experimental results match the theoretical analysis quite well. We present the details as follows.
In our experiment, first of all, we constructed \(2\times 2^{10}\) tables indexed by \((c'_j,a_i)\) pairs for \(c'_1=\mathtt{0x0}\), \(c'_2=\mathtt{0x1}\) and \(a_1=\mathtt{0x0000}\), \(a_2=\mathtt{0x0001}\),...,\(a_{1024}=\mathtt{0x1ba1}\), storing the special internal states. We used \(2\times 2^{10}\) text files to store the \((State,Keystream_1,keystream_2,...,keystream_{count(C^*)})\) tuples named with the corresponding \(c'_j\) and \(a_i\). Note that \(count(C^*)=13\) for \(c'_1=\mathtt{0x0}\) and \(count(C^*)=8\) for \(c'_2=\mathtt{0x1}\). Experimental results show that there are 496 or 504 or 520 or 528 rows in each table, and totally 524448(\( \approx {2^{19}}\)) rows for \(c'_1=\mathtt{0x0}\) , 524128(\( \approx {2^{19}}\)) rows for \(c'_2=\mathtt{0x1}\). Thus the memory needed in the simulation is \(524448\times (23 + 11\times 13)+524128 \times (23 + 11\times 8) \approx {2^{27.11}}\)bit, i.e., 17.3 MB, which matches the theoretical estimate quite well.
For the key recovery algorithm illustrated above, the data complexity is estimated by the probability that an internal state \((L^t,N^t)\) is a special state satisfying:
(1) \(l_{t+4}=0\), \(n_{t+3}=n_{t+4}=n_{t+5}=0\),
(2) \(P^t=a_1\) or \(P^t=a_2\) or ... \(P^t=a_{1024}\),
(3) \({l_{t + 10 + d}} \oplus \left( {\mathop {\bigoplus }\nolimits _{i \in A} {n_{t + i + d}}} \right) = 0\) for \(d=1,0,1\),
(4) \(u_{t+j}=0\), for \(j=0,1,...,5\),
(5) \(u_{tk}=0\), for \(k=1,2,...,5\),
6 Conclusion
In this paper, we have studied the security of Sproutlike stream ciphers in a unified framework from the viewpoint of knormality of the augmented function. We made a systematic security analysis based on this property and developed a dedicated TMD tradeoff attack framework for such designs. In particular, it is shown that Sprout can be broken by various TMD tradeoffs. Our attack is highly flexible and compares favorably to all the previous attacks on Sprout, which demonstrates the superiority of the new method. We believe that stream ciphers with shorter internal state may suffer from the time/memory/data tradeoff attacks and the knormality of the augmented function should be taken into account for new stream cipher designs.
Footnotes
 1.
Since each table is expected to have \(2^9\) rows, we can only store 2 output bits in the second column of each row, indexed by 9 bits of the output. Thus, the memory can be reduced to \({2^{10}} \times {2^9} \times (23 + 2\times 13)+{2^{10}} \times {2^9} \times (23 + 2\times 8) \approx {2^{25.46}}\)bit, i.e., 5.5 MB.
References
 1.\(\mathring{A}\)gren, M., Hell, M., Johansson, T., Meier, W.: A New Version of Grain128 with Authentication, Symmetric Key Encryption Workshop 2011, DTU, DenmarkGoogle Scholar
 2.Armknecht, F., Mikhalev, V.: On lightweight stream ciphers with shorter internal states. In: Leander, G. (ed.) FSE 2015. LNCS, vol. 9054, pp. 451–470. Springer, Heidelberg (2015) CrossRefGoogle Scholar
 3.Banik Subhadeep., Some Results on Sprout. http://eprint.iacr.org/2015/327.pdf
 4.Biryukov, A., Shamir, A.: Cryptanalytic time/memory/data tradeoffs for stream ciphers. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, pp. 1–13. Springer, Heidelberg (2000) CrossRefGoogle Scholar
 5.Braeken, A., Wolf, C., Preneel, B.: Normality of vectorial functions. In: Smart, N.P. (ed.) Cryptography and Coding 2005. LNCS, vol. 3796, pp. 186–200. Springer, Heidelberg (2005) CrossRefGoogle Scholar
 6.Dobbertin, H.: Construction of bent functions and balanced Boolean functions with high nonlinearity. In: Preneel, B. (ed.) Fast Software Encryption. LNCS, vol. 1008, pp. 61–74. Springer, Heidelberg (1995) CrossRefGoogle Scholar
 7.
 8.Esgin, M.F., Kara, O.: Practical Cryptanalysis of Full Sprout with TMD Tradeoff Attacks. http://eprint.iacr.org/2015/289.pdf
 9.Hao, Y.: A RelatedKey ChosenIV Distinguishing Attack on Full Sprout Stream Cipher. http://eprint.iacr.org/2015/231.pdf
 10.Hell, M., Johansson, T., Meier, W.: Grain  a Stream Cipher for Constrained Environments. Int. J. Wirel. Mobile Comput. 2(1), 86–93 (2007)CrossRefGoogle Scholar
 11.Hell, M., Johansson, T., Maximov, A., Meier, W.: A stream cipher proposal: grain128. In: IEEE International Symposium on Information Theory  ISIT 2006 (2006)Google Scholar
 12.Lallemand, V., NayaPlasencia, M.: Cryptanalysis of full sprout. In: Gennaro, R., Robshaw, M. (eds.) Advances in Cryptology – CRYPTO 2015. LNCS, vol. 9215, pp. 663–682. Springer, Heidelberg (2015) CrossRefGoogle Scholar
 13.Maitra, S., Sarkar, S., Baksi, A., Dey, P.: Key Recovery from State Information of Sprout: Application to Cryptanalysis and Fault Attack. http://eprint.iacr.org/2015/236.pdf
 14.Mihaljevic, M.J., Gangopadhyay, S., Paul, G., Imai, H.: Internal state recovery of grainv1 employing normality order of the filter function. Inf. Secur. IET 6(2), 55–64 (2012)MathSciNetCrossRefGoogle Scholar
 15.Mihaljevic, M.J., Gangopadhyay, S., Paul, G., Imai, H.: Generic cryptographic weakness of \(k\)normal boolean functions in certain stream ciphers and cryptanalysis of Grain128. Periodica Math. Hung. 65(2), 205–227 (2012)zbMATHMathSciNetCrossRefGoogle Scholar