Near Collision Attack Against Grain V1

Abstract

A near collision attack against the Grain v1 stream cipher was proposed by Zhang et al. in Eurocrypt 18. The attack uses the fact that two internal states of the stream cipher with very low hamming distance between them, produce similar keystream sequences which can be identified by simple statistical tests. Such internal states once found in the stream cipher simplify the task of cryptanalysis for the attacker. However this attack has recently come under heavy criticism from Derbez et al. at ToSC 2020:4, who claim that some of the assumptions made in the above paper were not correct. As a result they concluded that the attack presented by Zhang et al. when implemented would take time more than required for a brute force search. In this paper, we take another look at the near collision attack against the Grain v1 stream cipher. We avoid the techniques of the above Eurocrypt paper that have come under criticism, and independently show that a near collision attack can still be applied to Grain v1.

Appendices

A Cost of Executing One Round of Grain V1

To do an exhaustive search, first an initialization phase has to be run for 160 rounds, after which 80-bits of keystream is generated to do a unique match. However, since each keystream bit generated matches the correct one with probability \(\frac{1}{2}\), \(2^{80}\) keys are tried for 1 clock and roughly half of them are eliminated, \(2^{79}\) for 2 clocks and half of the remaining keys are eliminated, and so on. This means that in the process of brute force search, the probability that for any random key, \((i+1)\) Grain v1 keystream phase rounds need to be run, is \(\frac{1}{2^i}\). Hence, the expected number of Grain v1 rounds per trial is

$$\begin{aligned} \sum _{i=0}^{79}\frac{(i+1)2^{80-i}}{2^{80}} = \sum _{i=0}^{79}(i+1)\frac{1}{2^i} \approx 4 \end{aligned}$$

Adding to this the 160 rounds in the initialization phase, the average number of Grain v1 rounds per trial is 164. As a result, we will assume that clocking the registers once will cost roughly \(\frac{1}{160+4} =2^{-7.36}\) encryptions.

B Difference Vectors

Table 2. Table of the functions \(p_{t_1+j}, ~q_{t_1+j}\) for various j.

C Reducing the Memory Footprint

The attack in the main body requires \(2^{80.5}\) hash table insertions. In general, the time to access a table could be considered to be more than a typical cryptographic operation, and unless we have the technology or means to perform disk access in short enough time, it is unclear whether the physical time needed to do table insertions is less than the that required of exhaustive search.

In this section we try to reduce the number of table accesses using the algebraic structure of the Grain v1. We use the fact that the sampling resistance of Grain v1 is very low. In general if it is efficient to enumerate all internal states of a stream cipher that generates keystream segments with some constant R-bit prefix, then the sampling resistance of a stream cipher is said to be \(2^{-R}\). The following result is well known:

Lemma 10

[Bjo08] The sampling resistance of Grain v1 is at most \(2^{-18}\).

Proof

Although it was proven in [Bjo08], for completeness, we give a brief proof sketch. From the output equation of Grain v1, we can see that

$$\begin{aligned} \begin{aligned} n_{t+10} =&~ z_t~~ ~~\oplus _{i\in \{1,2,4,31,43,56\}} n_{t+i} \oplus h(l_{t+3},l_{t+25},l_{t+46},l_{t+64},n_{t+63}) \\ \vdots \\ n_{t+25} =&~ z_{t+15} \oplus _{i\in \{16,17,19,46,58,71\}} n_{t+i} \oplus h(l_{t+18},l_{t+40},l_{t+61},l_{t+79},n_{t+78}) \\ \end{aligned} \end{aligned}$$

(1)

Now, fixing the keystream prefix \(z_{t},z_{t+1},\ldots z_{t+17}\) to some constant, say \(0^{18}\), we can determine 16 state bits \(n_{t+10}\) to \(n_{t+25}\) sequentially, by simply guessing all the other state bits that appear on the right side of the above equation list, whose values have not been already determined in any of the previous steps. This kind of enumeration is further made possible since at each step the computed NFSR bit (i.e. on the left side of each equation) does not occur in any of the previous equations. In [Bjo08], it was additionally shown that \(n_{t+26}, n_{t+27}\) can also be deduced using this technique by using \(z_{t+\{16,17\}}\) and some other state bits. Hence the result follows.

The technique we will use to reduce the hash table insertions is similar to collision search with privileged points, in the sense that the strategy will be to only store keystream vectors with some easily identifiable property: let’s say during the search for keystream collision we only insert in table the tuple \((t,Z_t,Y_t)\) iff \(Z_t\) begins with r consecutive 0s, for some \(r\le 15\) (it will be clear shortly why we choose 15 as a bound for r instead of 18). If this is the strategy, we have to work out how many key stream bits we have to generate before we detect two states \(S_{t_1},S_{t_2}\) such that \(S_{t_1}\oplus S_{t_2}=0^{80}||e_{79}\).

1.1 C.1 The Effect of Low Sampling Resistance

In general what low sampling resistance does is that it allows us to have a shorter description of all internal states that produce keystream with a constant r bit prefix, for any r less than R, where \(2^{-R}\) is the sampling resistance. For example, in Grain v1, we know that for all states generating keystream with the \(0^{18}\) prefix, the 18 state bits \(n_{t+10}\) to \(n_{t+27}\) can be uniquely determined from values of the other 142 state bits. Thus given any 142-bit input X we can define a bijective map \(B:\{0,1\}^{142}\rightarrow \{0,1\}^{160}\) such that B(X) represents the 160-bit internal state of Grain v1 that produces keystream starting with 18 zeros. Thus X is in a sense a shorter description of B(X) which is of only 142 bits. This exercise can be carried out for any r less than 18, i.e. we can define bijective maps \(B_r:\{0,1\}^{160-r}\rightarrow \{0,1\}^{160}\) similarly.

When we limit \(r\le 15\), we only use up to the first 15 equations in Eq. (1) to construct the bijective map, i.e. from \(n_{t+10}\) to \(n_{t+24}\). This ensures that \(l_{t+79}\) is not involved in any of the expressions. Thus, if we have two short states \(X_1,X_2\), then

$$B_r(X_1)\oplus B_r(X_2)=0^{80}||e_{79} \Leftrightarrow X_1\oplus X_2=0^{80-r}||e_{79}.$$

Now when we store only keystream vectors that begin with \(0^r\), we will get a collision \(B_r(X_1)\oplus B_r(X_2)=0^{80}||e_{79}\) if and only if we get a collision between the shorter states \(X_1,X_2\) such that \(X_1\oplus X_2=0^{80-r}||e_{79}.\) By standard Birthday assumptions, if the \(X_i\)’s are generated randomly we can see that this occurs when we generate \(\sqrt{2\cdot 2^{160-r}}= 2^{80.5-r/2}\) short states. This now becomes the number of times we have to insert keystream tuples in the table. By standard randomness assumptions, we get a \(0^r\) keystream prefix every \(2^r\) rounds of Grain v1 on average. Thus to generate \(\sqrt{2\cdot 2^{160-r}}\) short states, we have to run the cipher for \(2^r\cdot \sqrt{2\cdot 2^{160-r}} = 2^{80.5+r/2}\) iterations. Thus we see that it gives a clear tradeoff: we decrease the number of memory accesses by a factor of \(2^{r/2}\) at the cost of increasing the run time of the cipher by the same factor.

1.2 C.2 Modified Algorithm and Time Complexity

The modified algorithm is exactly the same as the original algorithm with the only difference that instead of all t, we only insert a tuple \((t,Z_t,Y_t)\) in the table if \(Z_t\) begins with r consecutive 0s for some \(r\le 15\). Note that \(z_t,z_{t+1},\ldots ,z_{t+14}\) are not involved in any of the filtering processes and so the rest of that algorithm can be exactly the same as the algorithm detailed in Sect. 4.6. Thus the only modifications in the complexity estimates are as follows:

1. 1.

   We have seen that \(T_{Gen}\) increases by a factor \(2^{r/2}\). Taking \(r=10\) gives us \(T_{Gen}\approx 2^{78.14}\). The total attack complexity is given by \(T_{total}=T_{Gen}+T_{LFSR}+T_{F_1}+T_{Eq}+T_{El}\approx 2^{78.14}\), since \(T_{Gen}\) is the dominant term.

2. 2.

   The number of table insertions decrease by a factor \(2^{r/2}\), Again taking \(r=10\), reduces the number of insertions to \(2^{75.5}\).

3. 3.

   We can do away with storing the first r bits of \(Z_t\). Thus the total memory required is \((250-r)\cdot 2^{75.5}\approx 2^{83}\) bits for \(r=10\).

1.3 C.3 Comparison with Generic Attacks on Stream Ciphers

We consider generic key recovery and state recovery attacks on Grain v1. The generic key recovery attack proceeds by the adversary testing every key in the keyspace and comparing the generated key stream with some key stream from an encryption oracle. It requires \(2^{80}\) encryptions in the worst case.

We also need to calculate the complexity of generic state recovery attacks on stream ciphers. The generic attack proceeds as follows:

• Generate N bits of keystream.

• Generate 160 bits of keystream from T random internal states.

• Look for a collision.

The cost of this attack is N data, \(160T + N\) iterations of the stream cipher, and we must have \(NT \ge 2^{160}\). By minimizing \(160T + N\), one can see that there is an attack in \(2\sqrt{160} \cdot 2^{80}\) iterations. This is equivalent to around \(2^{77.3}\) Grain v1 encryptions using around \(2^{83.7}\) bits of memory with \(2^{76.3}\) hash table insertions. By contrast, our attack with sampling resistance \(r = 8\) requires \(2^{77.14}\) encryptions, \(2^{84.4}\) bits of memory and \(2^{76.5}\) insertions in the hash table.

D Extending the Attack to Grain-128

In this appendix, we apply similar techniques to perform a state recovery attack on the 128-bit cipher Grain-128 [HJMM06a]. That is, we first generate a near collision on the keystream. Then, for each candidate LFSR state determined by algebraic relations induced by the near collision, we try to solve a set of equations to either recover the entire NFSR/LFSR state or reach a contradiction, then repeat if necessary.

We generalize the notation introduced in Sect. 2, e.g. letting \(L_t =[l_t,\) \(l_{t+1},\dots , l_{t + 127}]\) be the LFSR state at the t-th clock interval. Grain-128 consists of a 128-bit LFSR and a 128-bit NFSR, and uses an 128-bit key K. Grain-128’s LFSR is defined by the update function f given by

$$f(Y_t) = l_{t+96} + l_{t+81} + l_{t+70} + l_{t+38} + l_{t+7} + l_t$$

The NFSR state is updated as \(n_{t+128} = l_t + g(\cdot )\) for NFSR update function g, which is given by

$$ \begin{aligned}&g(X_t) = n_{t+96} + n_{t+91} + n_{t+56} + n_{t+26} + n_{t} + n_{t+3}n_{t+67} + n_{t+11}n_{t+13} + \\ {}&~ n_{t+17}n_{t+18} + n_{t+27}n_{t+59} + n_{t+40}n_{t+48} + n_{t+61}n_{t+65} + n_{t+68}n_{t+84} \end{aligned} $$

The output function is of the form

$$z_t = h'(X_t, Y_t) = \bigoplus _{a \in A}n_{t + a} + h(s_0, \dots , s_8) + l_{93}$$

where \(A = \{2, 15, 36, 45, 64, 73, 89\}\), \(h(s_0,\dots ,s_8) = s_0s_1 + s_2s_3 + s_4s_5 + s_6s_7 + s_0s_4s_8\), and \((s_0, \dots , s_8) = (n_{t+12}, l_{t+8},\) \(l_{t+13},l_{t+20},n_{t+95}, l_{t+42}, l_{t+60}, l_{t+79}, l_{t+95})\). 256 clocks of initialization are executed before entering the keystream phase.

We first note that an analogous result to Lemma 1 can be shown which allows us to efficiently compute the LFSR states \(L_{t_1}\) and \(L_{t_2}\) given \(t_1, t_2\) and \(\delta = L_{t_1} \oplus L_{t_2}\). By essentially the same analysis as in Sect. 3, one can solve for \(L_{t_1}\) and \(L_{t_2}\) in at most \(5 \cdot 128^3 \approx 2^{23.3}\) bit-operations. We can also state an analogous result on the probability of finding a suitable near collision.

Lemma 11

In the event that we generate N iterations of internal states of Grain-128 sequentially: \(S_{i} \in \{0,1\}^{256}\), for \(i\in [0,N-1]\), then the probability that there is at least one tuple \(i_1,i_2\in [0,N-1]\) and \(i_2> i_1\), such that, \(S_{{i_1}}\oplus S_{{i_2}} = 0^{128}||e_{127}\), is approximately \(p_{coll}=\frac{N^2}{2^{257}}\).

Thus for \(N \approx 2^{128.5}\) we expect to find the desired near collision once. We first state the core result analogous to Lemma 2.

Lemma 12

Consider two internal states in Grain-128, \(S_{t_1} = (N_{t_1},L_{t_1} )\) and \(S_{t_2} = (N_{t_2},L_{t_2})\) during the keystream phase such that \(S_{t_1}\oplus S_{t_2}=0^{128}||e_{127}\), i.e. \(N_{t_1}=N_{t_2}\) and \(L_{t_1}\oplus L_{t_2} = e_{127}\). Then consider

$$\begin{aligned} Z_{t_i} = [z_{t_i+0}, z_{t_i+1}, z_{t_i+2},\ldots ,z_{t_i+255}] ,~ Y_{t_i} = [z_{t_i-1}, z_{t_i-2}, z_{t_i-3},\ldots ,z_{t_i-11}]. \\ \end{aligned} $$

for \(i=1,2\). Then in the 267 bit difference vector \(\varDelta = Z_{t_1}||Y_{t_1} \oplus Z_{t_2}||Y_{t_2}\), there are 150 bits that take the value 1 or 0 with probability 1.

Proof

Considering the forward difference vector, we have \(z_{t_1 + j} \oplus z_{t_2 + j} = 0\) for \(j \in [0, 31] \cup \{33\} \cup [35, 47] \cup [49, 62] \cup \{65\} \cup [68, 78] \cup [82, 84] \cup [86, 89] \cup \{91, 93, 94, 97\} \cup [100, 105] \cup [108, 111] \cup \{113, 115, 116, 118, 120, 121, 123, 127,129\} \cup [133, 137] \cup \{140, 141, 147, 152, 162,\) \(167, 168, 176, 182, 185, 187, 190, 198, 199, 205,\) \(231\}\), and \(z_{t_1 + j} + z_{t_2 + j} = 1\) for \(j \in \{34, 66, 81,\) 92, 98, 124, 130, 145, 150, 155, 156,  \(191, 194, 214\}\). In the backwards direction, we have \(z_{t_1 - j} \oplus z_{t_2 - j} = 0\) for \(j \in \{1, 2, 4, 5, 7, 8, 11\}\) and \(z_{t_1 - j} + z_{t_2 - j} = 1\) for \(j \in \{3, 10\}\).    \(\square \)

We now state some lemmas containing additional relations induced by the near collision. These properties can be argued to hold analogously as done for Grain v1 in Sect. 3 and 4. Similarly to with Grain v1, we use Lemmas 12 to 17 for filtering and Lemmas 17 to 19 to assist with equation solving in the attack.

Lemma 13

Consider again the conditions in the previous lemma. We have \(z_{t_1+99}\oplus z_{t_2+99} \oplus z_{t_1+165} \oplus z_{t_2+165}=0\), \(z_{t_1+106}\oplus z_{t_2+106} \oplus z_{t_1+146} \oplus z_{t_2+146}=0\) and \(z_{t_1+125}\oplus z_{t_2+125} \oplus z_{t_1+144} \oplus z_{t_2+144}=0\) with probability 1.

Lemma 14

Consider again the conditions in the previous lemma. For the 29 pairs \((i, j) \in \{(48, 108), (67, 146), (80, 140), (95, 155), (99, 178), (106, 166),\) (107, 120), (112, 172), (125, 204),  (131, 210), (138, 198), (139, 152), (142, 202),  (144, 204), (146, 166), (157, 236), (159, 219),  (163, 242), (164, 224), (165, 178),  (169, 229), (170, 230), (171, 184), (172, 192), (174, 324),  (193, 272), (200, 260),  \((202, 262), (225, 245)\}\), we have \(z_{t_1+i}\oplus z_{t_2+i} = l_{t_1 + j}\). For the 5 pairs \((i, j) \in \{ (188, 267), (203, 216), (219, 298), (222, 282), (253, 332)\}\), we have \(z_{t_1+i}\oplus z_{t_2+i} = l_{t_1 + j} \oplus 1\).

Lemma 15

Consider again the conditions in the previous lemma. We have the following 7 identities with probability 1.

$$ \begin{aligned} z_{t_1+114}\oplus z_{t_2+114} =&~ l_{t_1 + 134} \oplus l_{t_1 + 193}, \ \ z_{t_1+161}\oplus z_{t_2+161} = l_{t_1 + 181} \oplus l_{t_1 + 240} \\ z_{t_1+178}\oplus z_{t_2+178} =&~ l_{t_1 + 198} \oplus l_{t_1 + 257}, \ \ z_{t_1+189}\oplus z_{t_2+189} = l_{t_1 + 249} \oplus l_{t_1 + 268} \oplus 1 \\ z_{t_1+208}\oplus z_{t_2+208} =&~ l_{t_1 + 228} \oplus l_{t_1 + 268} \oplus l_{t_1 + 287} \\ z_{t_1+228}\oplus z_{t_2+228} =&~ l_{t_1 + 241} \oplus l_{t_1 + 288} \oplus 1, \ z_{t_1+236}\oplus z_{t_2+236} = l_{t_1 + 256} \oplus l_{t_1 + 296} \end{aligned} $$

Lemma 16

Consider again the conditions in the previous lemma. For the 10 pairs \((i, j) \in \{(85, 180), (117, 212), (119, 131), (132, 227), (149, 244), (151, 163),\) \((177, 189), (179, 274), (181, 276), (237, 332)\}\), we have \(z_{t_1+i}\oplus z_{t_2+i} = n_{t_1 + j}\). For the 3 pairs \((i, j) \in \{(166, 178),(175, 270), (209, 221)\}\), we have \(z_{t_1+i}\oplus z_{t_2+i} = n_{t_1 + j} \oplus 1\).

Lemma 17

We have the following 6 identities with probability 1.

$$ \begin{aligned} z_{t_1+160} \oplus z_{t_2+160} \oplus l_{t_1 + 202} \oplus n_{t_1 + 172} \cdot l_{t_1 + 255} =&~ 1 \\ z_{t_1+197} \oplus z_{t_2+197} \oplus l_{t_1 + 210} \oplus l_{t_1 + 239} \oplus n_{t_1 + 209} \cdot l_{t_1 + 292} =&~ 1 \\ z_{t_1+224} \oplus z_{t_2+224} \oplus l_{t_1 + 266} \oplus n_{t_1 + 236} \cdot l_{t_1 + 319} =&~ 1 \\ z_{t_1+232} \oplus z_{t_2+232} \oplus l_{t_1 + 274} \oplus l_{t_1 + 292} \oplus n_{t_1 + 244} \cdot l_{327} =&~ 0 \\ z_{t_1+234} \oplus z_{t_2+234} \oplus l_{t_1 + 276} \oplus l_{t_1 + 294} \oplus n_{t_1 + 246} \cdot l_{329} =&~ 0 \\ z_{t_1+255} \oplus z_{t_2+255} \oplus l_{t_1 + 268} \oplus l_{t_1 + 275} \oplus l_{t_1 + 297} \oplus l_{t_1 + 334} \oplus n_{t_1 + 267} \cdot l_{t_1 + 350} =&~ 0 \end{aligned} $$

Lemma 18

Consider again the conditions in the previous lemma. For the 19 values \(i \in \{32, 64, 79, 90, 96, 122, 126, 148, 153, 158, 173, 180, 184, 192, 195, 212,\) \(216, 217, 238\}\), we have \(z_{t_1+i}\oplus z_{t_2+i} = n_{t_1 + 12+ i} \cdot n_{t_1 + 95 + i}\). For the 3 values \(i \in \{128, 186, 250\}\), we have \(z_{t_1+i}\oplus z_{t_2+i} = n_{t_1 + 12+ i} \cdot n_{t_1 + 95 + i} \oplus 1\). For the 2 values \(i \in \{143, 206\}\), we have: \(z_{t_1+i}\oplus z_{t_2+i} = (1 \oplus n_{t_1 + 12+ i}) \cdot n_{t_1 + 95 + i}\).

Lemma 19

Consider again the conditions in the previous lemma. We have the following 11 identities with probability 1.

$$ \begin{aligned} z_{t_1+154} \oplus z_{t_2+154} =&~ l_{t_1 + 167} \oplus n_{t_1 + 166} \cdot n_{t_1 + 249} \\ z_{t_1+183} \oplus z_{t_2+183} =&~ l_{t_1 + 262} \oplus n_{t_1 + 195}, \ \ z_{t_1+196} \oplus z_{t_2+196} = l_{t_1 + 256} \oplus n_{t_1 + 291} \\ z_{t_1+207} \oplus z_{t_2+207} =&~ 1 \oplus n_{t_1 + 302} \oplus l_{t_1 + 249}\\ {}&\oplus n_{t_1 + 219} \cdot n_{t_1 + 302} \oplus l_{t_1 + 302} \cdot n_{t_1 + 219} \oplus n_{t_1 + 219} \\ z_{t_1+201} \oplus z_{t_2+201} =&~ l_{t_1 + 214} \oplus n_{t_1 + 296}, \ z_{t_1+211} \oplus z_{t_2+211} = l_{t_1 + 271} \oplus n_{t_1 + 306} \\ z_{t_1+218} \oplus z_{t_2+218} =&~ 1\oplus l_{t_1 + 231} \oplus l_{t_1 + 260} \oplus n_{t_1 + 230} \cdot n_{t_1 + 313}\\ {}&\oplus n_{t_1 + 230} \cdot l_{t_1 + 313} \oplus n_{t_1 + 230} \\ z_{t_1+230} \oplus z_{t_2+230} =&~ 1\oplus n_{t_1 + 242} \oplus l_{t_1 + 250} \oplus l_{t_1 + 309} \\ z_{t_1+239} \oplus z_{t_2+239} =&~ 1\oplus n_{t_1 + 334} \oplus l_{t_1 + 281} \oplus n_{t_1 + 251} \cdot l_{t_1 + 334} \\ z_{t_1+244} \oplus z_{t_2+244} =&~ l_{t_1 + 286} \oplus n_{t_1 + 256} \cdot n_{t_1 + 339} \oplus n_{t_1 + 256} \cdot l_{t_1 + 339} \oplus n_{t_1 + 256} \end{aligned} $$

The Base Attack. We now calculate the complexity of a state recovery attack. We first consider the probability \(\rho \) that a keystream collision as in Lemma 12 that also satisfies the relations in Lemmas 13 to 15 was induced by two states that do not differ only in bit 127 of the LFSR. By application of the aforementioned lemmas and a similar counting exercise to that of Sect. 4.3, making comparable independence assumptions along the way, we have \(\rho = (\frac{1}{2})^{150 + 3 + 29 + 5 + 7} \cdot (\frac{3}{4})^{6} \approx 2^{-196.49}\). Then the expected number of pairs that proceed to the equation solving stage of the attack is \(P_s = \left( {\begin{array}{c}N\\ 2\end{array}}\right) \cdot \rho \approx 2^{59.51}\) where \(N \approx 2^{128.5}\) as described above.

To calculate the cost of equation solving, we take the alternate approach described but not followed in Sect. 4.4. Recall that, after the filtering stages of the attack, we are required to essentially determine which of the approximately \(P_s\) remaining candidate states is correct. Following [BBI19], we compare the real-time cost of performing an encryption of Grain-128 with the cost of accepting/rejecting one such candidate state. Letting \(C_u\) be the cost of rejecting a candidate state and \(C_s\) the cost of accepting a candidate state in the number of Grain-128 encryptions, the cost of equation solving is therefore around \([(P_s - 1) \cdot C_u + C_s]\) Grain-128 encryptions.

To this end, we formulated the problem as a SAT problem and ran experiments using Cryptominisat and computer algebra software SAGE 9.6. More precisely, we generated a series of equations in 256 + 11 keystream bits additionally subject to the constraints from Lemmas 17 to 19. Note that in particular that using relations above with \(n_{t_1 + 12 + i} \cdot n_{t_1 + 95 + i}\) terms allows us to linearize equations with degree 2 terms and thus speed up solving. We used a laptop running an Intel i7-8565U processor with 16GB of RAM to perform the experiments. Firstly, we estimated the time for the solver to return SAT when the attacker correctly assumes that a given differential keystream which satisfies filters derived from relations from Lemmas 12 to 17 is from the desired near collision state. We then estimated the time for the solver to return UNSAT when the attacker incorrectly assumes the above (by enforcing the constraints from Lemmas 12 to 17 on an otherwise random internal state). Finally, we estimated the amount of time required for one Grain-128 encryption, i.e. to perform 256 initialization rounds and 4 keystream clocks (one can argue that 4 keystream clocks is appropriate as in Appendix A). Our results are as follows:

• Encryption time: Encryption took an average of 1.448ms to perform, taking the average over 10000 runs.

• SAT time: To speed up the SAT solver, we guessed 55 of the NFSR state bits in each experiment (thus the cost of this portion attack increases by a factor of \(2^{55}\)). 600 experiments yielded an average time of 16.70 s.

• UNSAT time: We guessed less bits of the NFSR state for UNSAT instances, namely 35 bits (inducing an increase in running time of \(2^{35}\) per iteration); an average of 12.57 s was used over 600 experiments.

Attack Complexity. We consider the attack cost \(T_{Total}\), which is dominated by the two terms \(T_{Gen}\) to generate the near collision and \(T_{Eq}\) to perform equation solving and ultimately recover the internal state. During equation solving we also need to solve for each candidate LFSR state. Here, for around \(2^{59.51}\) candidate states we need to perform around \(2^{23.3}\) bit-operations, i.e. perform around \(2^{82.81}\) bit-operations, a number that is dwarfed by the other two terms below.

For finding the near collision, we require around \(2^{128.5}\) keystream bits, which costs around \(2^{128.5} / (256 + 4) \approx 2^{120.48}\) Grain-128 encryptions. We insert elements of the form \((t, Z_i, Y_i)\) in a hash table as before where t denotes number of elapsed clocks of the Grain keystream (\(|t| = 128\)), \(Z_i\) comprises 256 bits of keystream from position t and \(Y_i\) comprises 11 bits of keystream backwards from t. We require around \(2^{128.5}\) hash table insertions, and thus \(2^{128.5} \cdot (128 + 256 + 11) \approx 2^{137.13}\) bits of memory. We note that since keystream bits overlap in the table and thus there is redundancy, we can simply store keystream bits in a separate ordered table and thus use \(2^{128.5} \cdot (128 + 1) + (256+11) \approx 2^{135.51}\) bits of memory, but optimizing via sampling resistance allows for even less memory consumption.

We now consider the cost of equation solving. By properties of the LFSR and NFSR feedback polynomials, one can easily design a hardware circuit which performs 32 clocks of Grain-128 per cycle with less than 32 times overhead versus running the circuit serially [HJMM06a]. We thus divide the time that we have measured by 32 when estimating the attack complexity to conservatively estimate the amount of time required to perform the encryption. The cost is around \(T_{Solve} = (P_s - 1) \cdot C_u + C_s\) Grain-128 encryptions. We deduce that \(C_u \approx 2^{35} \cdot \frac{12.70}{0.001448} \cdot 32 \approx 2^{53.08}\) and \(C_s = 2^{55} \cdot \frac{17.36}{0.001448} \cdot 32 \approx 2^{73.46}\). Correspondingly, equation solving costs around \(T_{Solve} \approx 2^{112.59}\) Grain-128 encryptions and relatively negligible memory. Thus the overall attack cost of around \(2^{120.48}\) Grain-128 encryptions is dominated by the cost of generating the collision.

Sampling Resistance. To reduce memory consumption we consider sampling resistance as in Sect. C. It is argued in [Bjo08] that the sampling resistance of Grain-128 is at most \(2^{-22}\) by considering the spacing between taps \(n_{15}\) and \(n_{36}\) in the output function. As before, we make use of this property and insert tuples \((t, Z_t, Y_t)\) into our hash table if and only if \(Z_t\) is prefixed by r zero bits, where we can safely consider \(r \le 22\) for our purposes. By similar analysis to Sect. C.1, we require \(2^{128.5 + r/2}\) keystream bits, i.e. \(2^{120.48 + r/2}\) Grain-128 encryptions, and \(2^{128.5 - r/2}\) hash table insertions to find the near collision (consuming around \(2^{137.1 - r/2}\) bits of memory). By comparison, by the same logic as used for Grain v1, the state recovery attack that minimises the number of Grain-128 encryptions requires around \(2^{124.98}\) Grain-128 encryptions, \(2^{123.98}\) hash table insertions and \(2^{132}\) bits of data and memory.