Analysis and Improvements of the Full Spritz Stream Cipher

Spritz is a stream cipher proposed by Rivest and Schuldt at the rump session of CRYPTO 2014. It is intended to be a replacement of the popular RC4 stream cipher. In this paper we propose distinguishing attacks on the full Spritz, based on a short-term bias in the first two bytes of a keystream and a...

Bibliographic Details
Main Authors: Banik, Subhadeep, Isobe, Takanori, Morii, Masakatu
Other Authors: Temasek Laboratories
Format: Article
Language: English
Published: 2017
Subjects:
RC4
Online Access: https://hdl.handle.net/10356/81487
http://hdl.handle.net/10220/43486
Institution: Nanyang Technological University
id sg-ntu-dr.10356-81487
record_format dspace
spelling sg-ntu-dr.10356-814872020-09-26T22:19:27Z Analysis and Improvements of the Full Spritz Stream Cipher Banik, Subhadeep Isobe, Takanori Morii, Masakatu Temasek Laboratories RC4 Spritz Spritz is a stream cipher proposed by Rivest and Schuldt at the rump session of CRYPTO 2014. It is intended to be a replacement of the popular RC4 stream cipher. In this paper we propose distinguishing attacks on the full Spritz, based on a short-term bias in the first two bytes of a keystream and a long-term bias in the first two bytes of every cycle of N keystream bytes, where N is the size of the internal permutation. Our attacks are able to distinguish a keystream of the full Spritz from a random sequence with samples of first two bytes produced by 2^44.8 multiple key-IV pairs or 2^60.8 keystream bytes produced by a single key-IV pair. These biases are also useful in the event of plaintext recovery in a broadcast attack. In the second part of the paper, we look at a state recovery attack on Spritz, in a special situation when the cipher enters a class of weak states. We determine the probability of encountering such a state, and demonstrate a state recovery algorithm that betters the 2^1400 step algorithm of Ankele et al. at Latincrypt 2015. Finally we propose a simple fix that removes the bias in the first two keystream bytes. The countermeasure requires only one additional memory access and hence does not diminish software performance substantially, and in fact the loss in software speed is only around 1.5%. Published version 2017-07-28T02:51:16Z 2019-12-06T14:32:04Z 2017-07-28T02:51:16Z 2019-12-06T14:32:04Z 2017 Journal Article Banik, S., Isobe, T., & Morii, M. (2017). Analysis and Improvements of the Full Spritz Stream Cipher. IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences, E100.A(6), 1296-1305.
0916-8508 https://hdl.handle.net/10356/81487 http://hdl.handle.net/10220/43486 10.1587/transfun.E100.A.1296 en IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences © 2017 Institute of Electronics, Information and Communication Engineers (IEICE). This paper was published in IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences and is made available as an electronic reprint (preprint) with permission of Institute of Electronics, Information and Communication Engineers (IEICE). The published version is available at: [http://dx.doi.org/10.1587/transfun.E100.A.1296]. One print or electronic copy may be made for personal use only. Systematic or multiple reproduction, distribution to multiple locations via electronic or other means, duplication of any material in this paper for a fee or for commercial purposes, or modification of the content of the paper is prohibited and is subject to penalties under law. 10 p. application/pdf
institution Nanyang Technological University
building NTU Library
country Singapore
collection DR-NTU
language English
topic RC4
Spritz
spellingShingle RC4
Spritz
Banik, Subhadeep
Isobe, Takanori
Morii, Masakatu
Analysis and Improvements of the Full Spritz Stream Cipher
description Spritz is a stream cipher proposed by Rivest and Schuldt at the rump session of CRYPTO 2014. It is intended to be a replacement of the popular RC4 stream cipher. In this paper we propose distinguishing attacks on the full Spritz, based on a short-term bias in the first two bytes of a keystream and a long-term bias in the first two bytes of every cycle of N keystream bytes, where N is the size of the internal permutation. Our attacks are able to distinguish a keystream of the full Spritz from a random sequence with samples of first two bytes produced by 2^44.8 multiple key-IV pairs or 2^60.8 keystream bytes produced by a single key-IV pair. These biases are also useful in the event of plaintext recovery in a broadcast attack. In the second part of the paper, we look at a state recovery attack on Spritz, in a special situation when the cipher enters a class of weak states. We determine the probability of encountering such a state, and demonstrate a state recovery algorithm that betters the 2^1400 step algorithm of Ankele et al. at Latincrypt 2015. Finally we propose a simple fix that removes the bias in the first two keystream bytes. The countermeasure requires only one additional memory access and hence does not diminish software performance substantially, and in fact the loss in software speed is only around 1.5%.
author2 Temasek Laboratories
author_facet Temasek Laboratories
Banik, Subhadeep
Isobe, Takanori
Morii, Masakatu
format Article
author Banik, Subhadeep
Isobe, Takanori
Morii, Masakatu
author_sort Banik, Subhadeep
title Analysis and Improvements of the Full Spritz Stream Cipher
title_short Analysis and Improvements of the Full Spritz Stream Cipher
title_full Analysis and Improvements of the Full Spritz Stream Cipher
title_fullStr Analysis and Improvements of the Full Spritz Stream Cipher
title_full_unstemmed Analysis and Improvements of the Full Spritz Stream Cipher
title_sort analysis and improvements of the full spritz stream cipher
publishDate 2017
url https://hdl.handle.net/10356/81487
http://hdl.handle.net/10220/43486
_version_ 1681059188841644032