Abstract

In Sprout, a new design principle is proposed to resist the Time-Memory-Data Tradeoff (TMDTO) attack. The general idea is to involve the secret key bits in the keystream generation phase. A round key function is introduced to determine the involvement of the secret key bit at each clock. However, this function turns out to be the main weakness in this design. A key recovery attack can be easily mounted on Sprout. The attacker is able to recover the whole 80-bit secret key with time complexity equivalent to 2^69 encryptions. In this paper, we investigate the fundamental mechanism of the divide-and-conquer based key recovery attack. After analyzing the process of every sieving and merging step, we identify the key factor in the design that makes the cipher vulnerable. Based on our findings, we improve the round key function and the output function for Sprout. The attacker can only perform one round of sieving on the improved version, which means this attack is no better than exhaustive search. To support the validity of our theoretical method, we implement the attack on an improved toy Sprout cipher. The experimental results show that the improvement for each type of sieving helps resist the attack as predicted.
