Paper 2009/109

Cryptanalysis of Stream Cipher Grain Family

Haina Zhang and Xiaoyun Wang

Abstract

Grain v1 is one of the 7 final candidates of ECRYPT eStream project, which involves in the 80-bit secret key. Grain-128 is a variant version with 128-bit secret key, and Grain v0 is the original version in the first evaluation phase. Firstly, we describe a distinguishing attack against the Grain family with weak Key-IVs. Utilizing the second Walsh spectra of the nonlinear functions, we show that there are $2^{64}$/$2^{64}$/$2^{96}$ weak Key-IVs among total $2^{144}$/$2^{144}$/$2^{224}$ Key-IVs, and to distinguish a weak Key-IV needs about $2^{12.6}$/$2^{44.2}$/$2^{86}$ keystream bits and $2^{15.8}$/$2^{47.5}$/ $2^{104.2}$ operations for Grain v0, Grain v1 and Grain-128 respectively. Secondly, we apply algebraic attacks to the Grain family with a weak Key-IV, and can recover the secret key in about 2 seconds and 150 keystream bits for Grain v0 and Grain v1, and reveal the key of Grain-128 with about 100 keystream bits and $2^{93.8}$ operations. Furthermore, we discuss the period of the keystream with a weak Key-IV for any Grain-like structure which can lead in self-sliding attack.

Note: The text submitted is not the last.

Metadata
Available format(s)
PDF
Publication info
Published elsewhere. Unknown where it was published
Keywords
stream ciphercryptanalysisGrain
Contact author(s)
hnzhang cn @ gmail com
foxseazhn @ sina com
History
2009-03-11: received
Short URL
https://ia.cr/2009/109
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2009/109,
      author = {Haina Zhang and Xiaoyun Wang},
      title = {Cryptanalysis  of  Stream Cipher Grain  Family},
      howpublished = {Cryptology ePrint Archive, Paper 2009/109},
      year = {2009},
      note = {\url{https://eprint.iacr.org/2009/109}},
      url = {https://eprint.iacr.org/2009/109}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.