Cryptanalysis of the full Spritz stream cipher

Subhadeep Banik; Takanori Isobe

doi:10.1007/978-3-662-52993-5_4

Cryptanalysis of the full Spritz stream cipher

Subhadeep Banik, Takanori Isobe

Department of Applied Mathematics and Computer Science

Research output: Chapter in Book/Report/Conference proceeding › Article in proceedings › Research › peer-review

Abstract

Spritz is a stream cipher proposed by Rivest and Schuldt at the rump session of CRYPTO 2014. It is intended to be a replacement of the popular RC4 stream cipher. In this paper we propose distinguishing attacks on the full Spritz, based on a short-term bias in the first two bytes of a keystream and a long-term bias in the first two bytes of every cycle of N keystream bytes, where N is the size of the internal permutation. Our attacks are able to distinguish a keystream of the full Spritz from a random sequence with samples of first two bytes produced by 244.8 multiple key-IV pairs or 260.8 keystream bytes produced by a single key- IV pair. These biases are also useful in the event of plaintext recovery in a broadcast attack. In the second part of the paper, we look at a state recovery attack on Spritz, in a special situation when the cipher enters a class of weak states. We determine the probability of encountering such a state, and demonstrate a state recovery algorithm that betters the 21400 step algorithm of Ankele et al. at Latincrypt 2015.

Original language	English
Title of host publication	Revised Selected Papers of the 23rd International Conference on Fast Software Encryption (FSE 2016)
Publisher	Springer
Publication date	2016
Pages	63-77
ISBN (Print)	978-3-662-52992-8
ISBN (Electronic)	978-3-662-52993-5
DOIs	https://doi.org/10.1007/978-3-662-52993-5_4
Publication status	Published - 2016
Event	23rd International Conference on Fast Software Encryption (FSE 2016) - Bochum, Germany Duration: 20 Mar 2016 → 23 Mar 2016 Conference number: 23 https://fse.rub.de/

Conference

Conference	23rd International Conference on Fast Software Encryption (FSE 2016)
Number	23
Country/Territory	Germany
City	Bochum
Period	20/03/2016 → 23/03/2016
Internet address	https://fse.rub.de/

Series	Lecture Notes in Computer Science
Volume	9783
ISSN	0302-9743

Keywords

RC4
Spritz
Stream cipher
Short-term bias
Long-term bias
Distinguishing attack
Plaintext recovery attack
State recovery attack

Access to Document

10.1007/978-3-662-52993-5_4

OpenUrl availability

Full text

Cite this

@inproceedings{70354c8903c5425697b802e0d3e812cf,

title = "Cryptanalysis of the full Spritz stream cipher",

abstract = "Spritz is a stream cipher proposed by Rivest and Schuldt at the rump session of CRYPTO 2014. It is intended to be a replacement of the popular RC4 stream cipher. In this paper we propose distinguishing attacks on the full Spritz, based on a short-term bias in the first two bytes of a keystream and a long-term bias in the first two bytes of every cycle of N keystream bytes, where N is the size of the internal permutation. Our attacks are able to distinguish a keystream of the full Spritz from a random sequence with samples of first two bytes produced by 244.8 multiple key-IV pairs or 260.8 keystream bytes produced by a single key- IV pair. These biases are also useful in the event of plaintext recovery in a broadcast attack. In the second part of the paper, we look at a state recovery attack on Spritz, in a special situation when the cipher enters a class of weak states. We determine the probability of encountering such a state, and demonstrate a state recovery algorithm that betters the 21400 step algorithm of Ankele et al. at Latincrypt 2015.",

keywords = "RC4, Spritz, Stream cipher, Short-term bias, Long-term bias, Distinguishing attack, Plaintext recovery attack, State recovery attack",

author = "Subhadeep Banik and Takanori Isobe",

year = "2016",

doi = "10.1007/978-3-662-52993-5_4",

language = "English",

isbn = "978-3-662-52992-8",

series = "Lecture Notes in Computer Science",

publisher = "Springer",

pages = "63--77",

booktitle = "Revised Selected Papers of the 23rd International Conference on Fast Software Encryption (FSE 2016)",

note = "23rd International Conference on Fast Software Encryption (FSE 2016), FSE 2016 ; Conference date: 20-03-2016 Through 23-03-2016",

url = "https://fse.rub.de/",

}

Banik, S & Isobe, T 2016, Cryptanalysis of the full Spritz stream cipher. in Revised Selected Papers of the 23rd International Conference on Fast Software Encryption (FSE 2016). Springer, Lecture Notes in Computer Science, vol. 9783, pp. 63-77, 23rd International Conference on Fast Software Encryption (FSE 2016), Bochum, Germany, 20/03/2016. https://doi.org/10.1007/978-3-662-52993-5_4

Cryptanalysis of the full Spritz stream cipher. / Banik, Subhadeep; Isobe, Takanori.
Revised Selected Papers of the 23rd International Conference on Fast Software Encryption (FSE 2016). Springer, 2016. p. 63-77 (Lecture Notes in Computer Science, Vol. 9783).

Research output: Chapter in Book/Report/Conference proceeding › Article in proceedings › Research › peer-review

TY - GEN

T1 - Cryptanalysis of the full Spritz stream cipher

AU - Banik, Subhadeep

AU - Isobe, Takanori

N1 - Conference code: 23

PY - 2016

Y1 - 2016

N2 - Spritz is a stream cipher proposed by Rivest and Schuldt at the rump session of CRYPTO 2014. It is intended to be a replacement of the popular RC4 stream cipher. In this paper we propose distinguishing attacks on the full Spritz, based on a short-term bias in the first two bytes of a keystream and a long-term bias in the first two bytes of every cycle of N keystream bytes, where N is the size of the internal permutation. Our attacks are able to distinguish a keystream of the full Spritz from a random sequence with samples of first two bytes produced by 244.8 multiple key-IV pairs or 260.8 keystream bytes produced by a single key- IV pair. These biases are also useful in the event of plaintext recovery in a broadcast attack. In the second part of the paper, we look at a state recovery attack on Spritz, in a special situation when the cipher enters a class of weak states. We determine the probability of encountering such a state, and demonstrate a state recovery algorithm that betters the 21400 step algorithm of Ankele et al. at Latincrypt 2015.

AB - Spritz is a stream cipher proposed by Rivest and Schuldt at the rump session of CRYPTO 2014. It is intended to be a replacement of the popular RC4 stream cipher. In this paper we propose distinguishing attacks on the full Spritz, based on a short-term bias in the first two bytes of a keystream and a long-term bias in the first two bytes of every cycle of N keystream bytes, where N is the size of the internal permutation. Our attacks are able to distinguish a keystream of the full Spritz from a random sequence with samples of first two bytes produced by 244.8 multiple key-IV pairs or 260.8 keystream bytes produced by a single key- IV pair. These biases are also useful in the event of plaintext recovery in a broadcast attack. In the second part of the paper, we look at a state recovery attack on Spritz, in a special situation when the cipher enters a class of weak states. We determine the probability of encountering such a state, and demonstrate a state recovery algorithm that betters the 21400 step algorithm of Ankele et al. at Latincrypt 2015.

KW - RC4

KW - Spritz

KW - Stream cipher

KW - Short-term bias

KW - Long-term bias

KW - Distinguishing attack

KW - Plaintext recovery attack

KW - State recovery attack

U2 - 10.1007/978-3-662-52993-5_4

DO - 10.1007/978-3-662-52993-5_4

M3 - Article in proceedings

SN - 978-3-662-52992-8

T3 - Lecture Notes in Computer Science

SP - 63

EP - 77

BT - Revised Selected Papers of the 23rd International Conference on Fast Software Encryption (FSE 2016)

PB - Springer

T2 - 23rd International Conference on Fast Software Encryption (FSE 2016)

Y2 - 20 March 2016 through 23 March 2016

ER -

Cryptanalysis of the full Spritz stream cipher

Abstract

Conference

Keywords

Access to Document

OpenUrl availability

Fingerprint

Cite this