Restricted near collision attack on Plantlet

Plantlet is a recent lightweight stream cipher designed by Mikhalev, Armknecht and Muller in IACR ToSC 2017. This design paradigm receives attention as it is secure against generic time-memory-data trade-off attacks despite its small internal state size. One major motivation for Plantlet is to shore up the weaknesses of Sprout, which is another lightweight stream cipher from the same designers in IACR FSE 2015. In this paper, we observe that a full key recovery attack is possible using a restricted version of near collision attack. We have listed 38 internal state differences whose keystream differences have some fixed 0/1 pattern at certain positions and are efficient for our attack. An adversary in the online phase looks for any one of those 38 patterns in keystream difference. If found then with some probability, the adversary guesses the internal state difference. Afterwards, on solving a system of polynomial equations (formed by keystream bits) using a SAT solver, the adversary can recover the secret key if the guess is correct; otherwise, some contradiction occurs. After probability computations, we find that on repeating the experiment for a fixed number of times, the adversary can recover the secret key with expectation one. The time complexity of the whole process is 264.693 Plantlet encryptions which is 39 times faster than the previous best key recovery attack by Banik et al. in IACR ToSC 2019. We further suggest a countermeasure and its analysis to avoid our attacks. However, the complexity presented in this paper is dependent on the system architecture and implementation of the cipher.