Abstract

Plantlet is a lightweight stream cipher designed by Mikhalev, Armknecht and Müller in IACR ToSC 2017. It has a Grain-like structure with two state registers of size 40 and 61 bits. In spite of this, the cipher does not seem to lose in security against generic Time-Memory-Data Tradeoff attacks due to the novelty of its design. The cipher uses an 80-bit secret key and a 90-bit IV. In this paper, we first present a key recovery attack on Plantlet that requires around 2^76.26 Plantlet encryptions. The attack leverages the fact that two internal states of Plantlet that differ in the 43rd LFSR location are guaranteed to produce keystreams that are either equal or unequal in 45 locations with probability 1. Thus an attacker can with some probability guess that when 2 segments of keystream blocks possess the 45-bit difference just mentioned, they have been produced by two internal states that differ only in the 43rd LFSR location. Thereafter, by solving a system of polynomial equations representing the keystream bits, the attacker can find the secret key if his guess was indeed correct, or reach some kind of contradiction if his guess was incorrect. In the latter event, he would repeat the procedure for other keystream blocks with the given difference. We show that the process, when repeated a finite number of times, does indeed yield the value of the secret key.
In the second part of the paper, we observe that the previous attack was limited to internal state differences that occurred at time instances that were congruent to 0 mod 80. We further observe that by generalizing the attack to include internal state differences that are congruent to all equivalence classes modulo 80, we lower the total number of keystream bits required to perform the attack and in the process reduce the attack complexity to 2^69.98 Plantlet encryptions.

Highlights

  • Lightweight stream ciphers have become immensely popular in the cryptological research community, since the advent of the eStream project [est08]

  • As mentioned in the abstract, it is first observed that two internal states of Plantlet that differ in the 43rd LFSR location are guaranteed to produce keystreams that are either deterministically equal or unequal in 45 locations

  • It can, with some probability, be guessed that when 2 segments of keystream blocks that possess the above 45-bit difference are encountered, they have been generated by two internal states that differ in the 43rd LFSR location


Summary

Introduction

Lightweight stream ciphers have become immensely popular in the cryptological research community, since the advent of the eStream project [est08]. After the publication of [BS00], it was widely accepted that to be secure against generic Time-Memory-Data tradeoff attacks, the internal state of a stream cipher needed to be at least twice the size of the secret key. The authors were further able to use this fact to mount a guess and determine attack that required around 2^66.7 Sprout encryptions. To counter this attack, the designers of Plantlet kept the 61st LFSR bit fixed to 1 during the entire Key-IV mixing phase. This ensured that after the Key-IV phase terminated, the LFSR would never enter the all-zero state, and both the above weaknesses were patched. In [MSS17], a differential fault attack was reported against Plantlet that recovered the secret key using 4 fault injections.

Contribution and Organization of the Paper
Initialization Phase
Description of Plantlet
Observations on the differential structure of Plantlet
Key recovery attack on Plantlet
Precomputation Stage
Online Stage I
Online Stage II
Online Stage III
Experimental Results
Total Complexity of attack
Improving Attack Complexity
Precomputation Step
Online stage
Conclusion