Abstract
A near collision attack against the Grain v1 stream cipher was proposed by Zhang et al. in Eurocrypt 18. The attack uses the fact that two internal states of the stream cipher with very low hamming distance between them, produce similar keystream sequences which can be identified by simple statistical tests. Such internal states once found in the stream cipher simplify the task of cryptanalysis for the attacker. However this attack has recently come under heavy criticism from Derbez et al. at ToSC 2020:4, who claim that some of the assumptions made in the above paper were not correct. As a result they concluded that the attack presented by Zhang et al. when implemented would take time more than required for a brute force search. In this paper, we take another look at the near collision attack against the Grain v1 stream cipher. We avoid the techniques of the above Eurocrypt paper that have come under criticism, and independently show that a near collision attack can still be applied to Grain v1.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Similar content being viewed by others
Notes
 1.
We exclude the degenerate case when \(i_2\equiv i_1 \bmod 2^{80}1 \), as then \(L_{i_1}\) must be equal to \(L_{i_2}\) and so their difference can not be \(e_{79}\). But this occurs with extremely small probability for the range of values of N we are interested in and so we ignore this event here.
References
Afzal, M., Masood, A.: Algebraic cryptanalysis of A NLFSR based stream cipher. In: 2008 3rd International Conference on Information and Communication Technologies: From Theory to Applications, pp. 1–6 (2008)
Banik, S.: Conditional differential cryptanalysis of 105 round Grain v1. Cryptogr. Commun. 8(1), 113–137 (2016)
Banik, S., Barooti, K., Isobe, T.: Cryptanalysis of plantlet. IACR Trans. Symmetric Cryptol. 2019(3), 103–120 (2019)
Banik, S., et al.: Atom: a stream cipher with double key filter. IACR Trans. Symmetric Cryptol. 2021(1), 5–36 (2021)
Bjorstad, T.E.: Cryptanalysis of Grain using Time/Memory/Date Tradeoffs. eSTREAM, ECRYPT Stream Cipher Project, Report 2008/012 (2008). https://www.ecrypt.eu.org/stream/papersdir/2008/012.pdf
Derbez, P., Fouque, P.A., Mollimard, V.: Fake near collisions attacks. IACR Trans. Symmetric Cryptol. 2020(4), 88–103 (2020)
Dinur, I., Güneysu, T., Paar, C., Shamir, A., Zimmermann, R.: An experimentally verified attack on full Grain128 using dedicated reconfigurable hardware. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 327–343. Springer, Heidelberg (2011). https://doi.org/10.1007/9783642253850_18
Dinur, I., Shamir, A.: Breaking Grain128 with dynamic cube attacks. In: Joux, A. (ed.) FSE 2011. LNCS, vol. 6733, pp. 167–187. Springer, Heidelberg (2011). https://doi.org/10.1007/9783642217029_10
Esgin, M.F., Kara, O.: Practical cryptanalysis of full sprout with TMD tradeoff attacks. In: Dunkelman, O., Keliher, L. (eds.) SAC 2015. LNCS, vol. 9566, pp. 67–85. Springer, Cham (2016). https://doi.org/10.1007/9783319313016_4
Hell, M., Johansson, T., Meier, W.: Grain  a stream cipher for constrained environments. eSTREAM, ECRYPT Stream Cipher Project Report (2005). http://www.ecrypt.eu.org/stream/p3ciphers/grain/Grain_p3.pdf
Hell, M., Johansson, T., Meier, W.: Grain: a stream cipher for constrained environments. Int. J. Wirel. Mob. Comput. 2(1), 86–93 (2007)
Hell, M., Johansson, T., Maximov, A., Meier, W., Sönnerup, J., Yoshida, H.: Grain128aeadv2  a lightweight AEAD stream cipher. NIST Lightweight Cryptography Project (2019)
Hell, M., Johansson, T., Maximov, A., Meier, W.: A stream cipher proposal: Grain128. In: Proceedings 2006 IEEE International Symposium on Information Theory, ISIT 2006, The Westin Seattle, Seattle, Washington, USA, 9–14 July 2006, pp. 1614–1618. IEEE (2006)
Iso/iec 29167–13:2015 information technology  automatic identification and data capture techniques  part 13: Crypto suite grain128a security services for air interface communications
Knellwolf, S., Meier, W., NayaPlasencia, M.: Conditional differential cryptanalysis of NLFSRbased cryptosystems. In: Abe, M. (ed.) ASIACRYPT 2010. LNCS, vol. 6477, pp. 130–145. Springer, Heidelberg (2010). https://doi.org/10.1007/9783642173738_8
Lehmann, M., Meier, W.: Conditional differential cryptanalysis of Grain128a. In: Pieprzyk, J., Sadeghi, A.R., Manulis, M. (eds.) CANS 2012. LNCS, vol. 7712, pp. 1–11. Springer, Heidelberg (2012). https://doi.org/10.1007/9783642354045_1
Lallemand, V., NayaPlasencia, M.: Cryptanalysis of full sprout. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9215, pp. 663–682. Springer, Heidelberg (2015). https://doi.org/10.1007/9783662479896_32
Nist lightweight cryptography project. https://csrc.nist.gov/projects/lightweightcryptography
Mikhalev, V., Armknecht, F., Müller, C.: On ciphers that continuously access the nonvolatile key. IACR Trans. Symmetric Cryptol. 2016(2), 52–79 (2016)
Robshaw, M., Billet, O. (eds.): LNCS, vol. 4986. Springer, Heidelberg (2008). https://doi.org/10.1007/9783540683513
Todo, Y., Isobe, T., Meier, W., Aoki, K., Zhang, B.: Fast Correlation Attack Revisited. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018. LNCS, vol. 10992, pp. 129–159. Springer, Cham (2018). https://doi.org/10.1007/9783319968810_5
Zhang, B., Li, Z., Feng, D., Lin, D.: Near collision attack on the grain v1 stream cipher. In: Moriai, S. (ed.) FSE 2013. LNCS, vol. 8424, pp. 518–538. Springer, Heidelberg (2014). https://doi.org/10.1007/9783662439333_27
Zhang, B., Xu, C., Meier, W.: Fast near collision attack on the grain v1 stream cipher. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10821, pp. 771–802. Springer, Cham (2018). https://doi.org/10.1007/9783319783758_25
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Appendices
A Cost of Executing One Round of Grain V1
To do an exhaustive search, first an initialization phase has to be run for 160 rounds, after which 80bits of keystream is generated to do a unique match. However, since each keystream bit generated matches the correct one with probability \(\frac{1}{2}\), \(2^{80}\) keys are tried for 1 clock and roughly half of them are eliminated, \(2^{79}\) for 2 clocks and half of the remaining keys are eliminated, and so on. This means that in the process of brute force search, the probability that for any random key, \((i+1)\) Grain v1 keystream phase rounds need to be run, is \(\frac{1}{2^i}\). Hence, the expected number of Grain v1 rounds per trial is
Adding to this the 160 rounds in the initialization phase, the average number of Grain v1 rounds per trial is 164. As a result, we will assume that clocking the registers once will cost roughly \(\frac{1}{160+4} =2^{7.36}\) encryptions.
B Difference Vectors
C Reducing the Memory Footprint
The attack in the main body requires \(2^{80.5}\) hash table insertions. In general, the time to access a table could be considered to be more than a typical cryptographic operation, and unless we have the technology or means to perform disk access in short enough time, it is unclear whether the physical time needed to do table insertions is less than the that required of exhaustive search.
In this section we try to reduce the number of table accesses using the algebraic structure of the Grain v1. We use the fact that the sampling resistance of Grain v1 is very low. In general if it is efficient to enumerate all internal states of a stream cipher that generates keystream segments with some constant Rbit prefix, then the sampling resistance of a stream cipher is said to be \(2^{R}\). The following result is well known:
Lemma 10
[Bjo08] The sampling resistance of Grain v1 is at most \(2^{18}\).
Proof
Although it was proven in [Bjo08], for completeness, we give a brief proof sketch. From the output equation of Grain v1, we can see that
Now, fixing the keystream prefix \(z_{t},z_{t+1},\ldots z_{t+17}\) to some constant, say \(0^{18}\), we can determine 16 state bits \(n_{t+10}\) to \(n_{t+25}\) sequentially, by simply guessing all the other state bits that appear on the right side of the above equation list, whose values have not been already determined in any of the previous steps. This kind of enumeration is further made possible since at each step the computed NFSR bit (i.e. on the left side of each equation) does not occur in any of the previous equations. In [Bjo08], it was additionally shown that \(n_{t+26}, n_{t+27}\) can also be deduced using this technique by using \(z_{t+\{16,17\}}\) and some other state bits. Hence the result follows.
The technique we will use to reduce the hash table insertions is similar to collision search with privileged points, in the sense that the strategy will be to only store keystream vectors with some easily identifiable property: let’s say during the search for keystream collision we only insert in table the tuple \((t,Z_t,Y_t)\) iff \(Z_t\) begins with r consecutive 0s, for some \(r\le 15\) (it will be clear shortly why we choose 15 as a bound for r instead of 18). If this is the strategy, we have to work out how many key stream bits we have to generate before we detect two states \(S_{t_1},S_{t_2}\) such that \(S_{t_1}\oplus S_{t_2}=0^{80}e_{79}\).
1.1 C.1 The Effect of Low Sampling Resistance
In general what low sampling resistance does is that it allows us to have a shorter description of all internal states that produce keystream with a constant r bit prefix, for any r less than R, where \(2^{R}\) is the sampling resistance. For example, in Grain v1, we know that for all states generating keystream with the \(0^{18}\) prefix, the 18 state bits \(n_{t+10}\) to \(n_{t+27}\) can be uniquely determined from values of the other 142 state bits. Thus given any 142bit input X we can define a bijective map \(B:\{0,1\}^{142}\rightarrow \{0,1\}^{160}\) such that B(X) represents the 160bit internal state of Grain v1 that produces keystream starting with 18 zeros. Thus X is in a sense a shorter description of B(X) which is of only 142 bits. This exercise can be carried out for any r less than 18, i.e. we can define bijective maps \(B_r:\{0,1\}^{160r}\rightarrow \{0,1\}^{160}\) similarly.
When we limit \(r\le 15\), we only use up to the first 15 equations in Eq. (1) to construct the bijective map, i.e. from \(n_{t+10}\) to \(n_{t+24}\). This ensures that \(l_{t+79}\) is not involved in any of the expressions. Thus, if we have two short states \(X_1,X_2\), then
Now when we store only keystream vectors that begin with \(0^r\), we will get a collision \(B_r(X_1)\oplus B_r(X_2)=0^{80}e_{79}\) if and only if we get a collision between the shorter states \(X_1,X_2\) such that \(X_1\oplus X_2=0^{80r}e_{79}.\) By standard Birthday assumptions, if the \(X_i\)’s are generated randomly we can see that this occurs when we generate \(\sqrt{2\cdot 2^{160r}}= 2^{80.5r/2}\) short states. This now becomes the number of times we have to insert keystream tuples in the table. By standard randomness assumptions, we get a \(0^r\) keystream prefix every \(2^r\) rounds of Grain v1 on average. Thus to generate \(\sqrt{2\cdot 2^{160r}}\) short states, we have to run the cipher for \(2^r\cdot \sqrt{2\cdot 2^{160r}} = 2^{80.5+r/2}\) iterations. Thus we see that it gives a clear tradeoff: we decrease the number of memory accesses by a factor of \(2^{r/2}\) at the cost of increasing the run time of the cipher by the same factor.
1.2 C.2 Modified Algorithm and Time Complexity
The modified algorithm is exactly the same as the original algorithm with the only difference that instead of all t, we only insert a tuple \((t,Z_t,Y_t)\) in the table if \(Z_t\) begins with r consecutive 0s for some \(r\le 15\). Note that \(z_t,z_{t+1},\ldots ,z_{t+14}\) are not involved in any of the filtering processes and so the rest of that algorithm can be exactly the same as the algorithm detailed in Sect. 4.6. Thus the only modifications in the complexity estimates are as follows:

1.
We have seen that \(T_{Gen}\) increases by a factor \(2^{r/2}\). Taking \(r=10\) gives us \(T_{Gen}\approx 2^{78.14}\). The total attack complexity is given by \(T_{total}=T_{Gen}+T_{LFSR}+T_{F_1}+T_{Eq}+T_{El}\approx 2^{78.14}\), since \(T_{Gen}\) is the dominant term.

2.
The number of table insertions decrease by a factor \(2^{r/2}\), Again taking \(r=10\), reduces the number of insertions to \(2^{75.5}\).

3.
We can do away with storing the first r bits of \(Z_t\). Thus the total memory required is \((250r)\cdot 2^{75.5}\approx 2^{83}\) bits for \(r=10\).
1.3 C.3 Comparison with Generic Attacks on Stream Ciphers
We consider generic key recovery and state recovery attacks on Grain v1. The generic key recovery attack proceeds by the adversary testing every key in the keyspace and comparing the generated key stream with some key stream from an encryption oracle. It requires \(2^{80}\) encryptions in the worst case.
We also need to calculate the complexity of generic state recovery attacks on stream ciphers. The generic attack proceeds as follows:

Generate N bits of keystream.

Generate 160 bits of keystream from T random internal states.

Look for a collision.
The cost of this attack is N data, \(160T + N\) iterations of the stream cipher, and we must have \(NT \ge 2^{160}\). By minimizing \(160T + N\), one can see that there is an attack in \(2\sqrt{160} \cdot 2^{80}\) iterations. This is equivalent to around \(2^{77.3}\) Grain v1 encryptions using around \(2^{83.7}\) bits of memory with \(2^{76.3}\) hash table insertions. By contrast, our attack with sampling resistance \(r = 8\) requires \(2^{77.14}\) encryptions, \(2^{84.4}\) bits of memory and \(2^{76.5}\) insertions in the hash table.
D Extending the Attack to Grain128
In this appendix, we apply similar techniques to perform a state recovery attack on the 128bit cipher Grain128 [HJMM06a]. That is, we first generate a near collision on the keystream. Then, for each candidate LFSR state determined by algebraic relations induced by the near collision, we try to solve a set of equations to either recover the entire NFSR/LFSR state or reach a contradiction, then repeat if necessary.
We generalize the notation introduced in Sect. 2, e.g. letting \(L_t =[l_t,\) \(l_{t+1},\dots , l_{t + 127}]\) be the LFSR state at the tth clock interval. Grain128 consists of a 128bit LFSR and a 128bit NFSR, and uses an 128bit key K. Grain128’s LFSR is defined by the update function f given by
The NFSR state is updated as \(n_{t+128} = l_t + g(\cdot )\) for NFSR update function g, which is given by
The output function is of the form
where \(A = \{2, 15, 36, 45, 64, 73, 89\}\), \(h(s_0,\dots ,s_8) = s_0s_1 + s_2s_3 + s_4s_5 + s_6s_7 + s_0s_4s_8\), and \((s_0, \dots , s_8) = (n_{t+12}, l_{t+8},\) \(l_{t+13},l_{t+20},n_{t+95}, l_{t+42}, l_{t+60}, l_{t+79}, l_{t+95})\). 256 clocks of initialization are executed before entering the keystream phase.
We first note that an analogous result to Lemma 1 can be shown which allows us to efficiently compute the LFSR states \(L_{t_1}\) and \(L_{t_2}\) given \(t_1, t_2\) and \(\delta = L_{t_1} \oplus L_{t_2}\). By essentially the same analysis as in Sect. 3, one can solve for \(L_{t_1}\) and \(L_{t_2}\) in at most \(5 \cdot 128^3 \approx 2^{23.3}\) bitoperations. We can also state an analogous result on the probability of finding a suitable near collision.
Lemma 11
In the event that we generate N iterations of internal states of Grain128 sequentially: \(S_{i} \in \{0,1\}^{256}\), for \(i\in [0,N1]\), then the probability that there is at least one tuple \(i_1,i_2\in [0,N1]\) and \(i_2> i_1\), such that, \(S_{{i_1}}\oplus S_{{i_2}} = 0^{128}e_{127}\), is approximately \(p_{coll}=\frac{N^2}{2^{257}}\).
Thus for \(N \approx 2^{128.5}\) we expect to find the desired near collision once. We first state the core result analogous to Lemma 2.
Lemma 12
Consider two internal states in Grain128, \(S_{t_1} = (N_{t_1},L_{t_1} )\) and \(S_{t_2} = (N_{t_2},L_{t_2})\) during the keystream phase such that \(S_{t_1}\oplus S_{t_2}=0^{128}e_{127}\), i.e. \(N_{t_1}=N_{t_2}\) and \(L_{t_1}\oplus L_{t_2} = e_{127}\). Then consider
for \(i=1,2\). Then in the 267 bit difference vector \(\varDelta = Z_{t_1}Y_{t_1} \oplus Z_{t_2}Y_{t_2}\), there are 150 bits that take the value 1 or 0 with probability 1.
Proof
Considering the forward difference vector, we have \(z_{t_1 + j} \oplus z_{t_2 + j} = 0\) for \(j \in [0, 31] \cup \{33\} \cup [35, 47] \cup [49, 62] \cup \{65\} \cup [68, 78] \cup [82, 84] \cup [86, 89] \cup \{91, 93, 94, 97\} \cup [100, 105] \cup [108, 111] \cup \{113, 115, 116, 118, 120, 121, 123, 127,129\} \cup [133, 137] \cup \{140, 141, 147, 152, 162,\) \(167, 168, 176, 182, 185, 187, 190, 198, 199, 205,\) \(231\}\), and \(z_{t_1 + j} + z_{t_2 + j} = 1\) for \(j \in \{34, 66, 81,\) 92, 98, 124, 130, 145, 150, 155, 156, \(191, 194, 214\}\). In the backwards direction, we have \(z_{t_1  j} \oplus z_{t_2  j} = 0\) for \(j \in \{1, 2, 4, 5, 7, 8, 11\}\) and \(z_{t_1  j} + z_{t_2  j} = 1\) for \(j \in \{3, 10\}\). \(\square \)
We now state some lemmas containing additional relations induced by the near collision. These properties can be argued to hold analogously as done for Grain v1 in Sect. 3 and 4. Similarly to with Grain v1, we use Lemmas 12 to 17 for filtering and Lemmas 17 to 19 to assist with equation solving in the attack.
Lemma 13
Consider again the conditions in the previous lemma. We have \(z_{t_1+99}\oplus z_{t_2+99} \oplus z_{t_1+165} \oplus z_{t_2+165}=0\), \(z_{t_1+106}\oplus z_{t_2+106} \oplus z_{t_1+146} \oplus z_{t_2+146}=0\) and \(z_{t_1+125}\oplus z_{t_2+125} \oplus z_{t_1+144} \oplus z_{t_2+144}=0\) with probability 1.
Lemma 14
Consider again the conditions in the previous lemma. For the 29 pairs \((i, j) \in \{(48, 108), (67, 146), (80, 140), (95, 155), (99, 178), (106, 166),\) (107, 120), (112, 172), (125, 204), (131, 210), (138, 198), (139, 152), (142, 202), (144, 204), (146, 166), (157, 236), (159, 219), (163, 242), (164, 224), (165, 178), (169, 229), (170, 230), (171, 184), (172, 192), (174, 324), (193, 272), (200, 260), \((202, 262), (225, 245)\}\), we have \(z_{t_1+i}\oplus z_{t_2+i} = l_{t_1 + j}\). For the 5 pairs \((i, j) \in \{ (188, 267), (203, 216), (219, 298), (222, 282), (253, 332)\}\), we have \(z_{t_1+i}\oplus z_{t_2+i} = l_{t_1 + j} \oplus 1\).
Lemma 15
Consider again the conditions in the previous lemma. We have the following 7 identities with probability 1.
Lemma 16
Consider again the conditions in the previous lemma. For the 10 pairs \((i, j) \in \{(85, 180), (117, 212), (119, 131), (132, 227), (149, 244), (151, 163),\) \((177, 189), (179, 274), (181, 276), (237, 332)\}\), we have \(z_{t_1+i}\oplus z_{t_2+i} = n_{t_1 + j}\). For the 3 pairs \((i, j) \in \{(166, 178),(175, 270), (209, 221)\}\), we have \(z_{t_1+i}\oplus z_{t_2+i} = n_{t_1 + j} \oplus 1\).
Lemma 17
We have the following 6 identities with probability 1.
Lemma 18
Consider again the conditions in the previous lemma. For the 19 values \(i \in \{32, 64, 79, 90, 96, 122, 126, 148, 153, 158, 173, 180, 184, 192, 195, 212,\) \(216, 217, 238\}\), we have \(z_{t_1+i}\oplus z_{t_2+i} = n_{t_1 + 12+ i} \cdot n_{t_1 + 95 + i}\). For the 3 values \(i \in \{128, 186, 250\}\), we have \(z_{t_1+i}\oplus z_{t_2+i} = n_{t_1 + 12+ i} \cdot n_{t_1 + 95 + i} \oplus 1\). For the 2 values \(i \in \{143, 206\}\), we have: \(z_{t_1+i}\oplus z_{t_2+i} = (1 \oplus n_{t_1 + 12+ i}) \cdot n_{t_1 + 95 + i}\).
Lemma 19
Consider again the conditions in the previous lemma. We have the following 11 identities with probability 1.
The Base Attack. We now calculate the complexity of a state recovery attack. We first consider the probability \(\rho \) that a keystream collision as in Lemma 12 that also satisfies the relations in Lemmas 13 to 15 was induced by two states that do not differ only in bit 127 of the LFSR. By application of the aforementioned lemmas and a similar counting exercise to that of Sect. 4.3, making comparable independence assumptions along the way, we have \(\rho = (\frac{1}{2})^{150 + 3 + 29 + 5 + 7} \cdot (\frac{3}{4})^{6} \approx 2^{196.49}\). Then the expected number of pairs that proceed to the equation solving stage of the attack is \(P_s = \left( {\begin{array}{c}N\\ 2\end{array}}\right) \cdot \rho \approx 2^{59.51}\) where \(N \approx 2^{128.5}\) as described above.
To calculate the cost of equation solving, we take the alternate approach described but not followed in Sect. 4.4. Recall that, after the filtering stages of the attack, we are required to essentially determine which of the approximately \(P_s\) remaining candidate states is correct. Following [BBI19], we compare the realtime cost of performing an encryption of Grain128 with the cost of accepting/rejecting one such candidate state. Letting \(C_u\) be the cost of rejecting a candidate state and \(C_s\) the cost of accepting a candidate state in the number of Grain128 encryptions, the cost of equation solving is therefore around \([(P_s  1) \cdot C_u + C_s]\) Grain128 encryptions.
To this end, we formulated the problem as a SAT problem and ran experiments using Cryptominisat and computer algebra software SAGE 9.6. More precisely, we generated a series of equations in 256 + 11 keystream bits additionally subject to the constraints from Lemmas 17 to 19. Note that in particular that using relations above with \(n_{t_1 + 12 + i} \cdot n_{t_1 + 95 + i}\) terms allows us to linearize equations with degree 2 terms and thus speed up solving. We used a laptop running an Intel i78565U processor with 16GB of RAM to perform the experiments. Firstly, we estimated the time for the solver to return SAT when the attacker correctly assumes that a given differential keystream which satisfies filters derived from relations from Lemmas 12 to 17 is from the desired near collision state. We then estimated the time for the solver to return UNSAT when the attacker incorrectly assumes the above (by enforcing the constraints from Lemmas 12 to 17 on an otherwise random internal state). Finally, we estimated the amount of time required for one Grain128 encryption, i.e. to perform 256 initialization rounds and 4 keystream clocks (one can argue that 4 keystream clocks is appropriate as in Appendix A). Our results are as follows:

Encryption time: Encryption took an average of 1.448ms to perform, taking the average over 10000 runs.

SAT time: To speed up the SAT solver, we guessed 55 of the NFSR state bits in each experiment (thus the cost of this portion attack increases by a factor of \(2^{55}\)). 600 experiments yielded an average time of 16.70 s.

UNSAT time: We guessed less bits of the NFSR state for UNSAT instances, namely 35 bits (inducing an increase in running time of \(2^{35}\) per iteration); an average of 12.57 s was used over 600 experiments.
Attack Complexity. We consider the attack cost \(T_{Total}\), which is dominated by the two terms \(T_{Gen}\) to generate the near collision and \(T_{Eq}\) to perform equation solving and ultimately recover the internal state. During equation solving we also need to solve for each candidate LFSR state. Here, for around \(2^{59.51}\) candidate states we need to perform around \(2^{23.3}\) bitoperations, i.e. perform around \(2^{82.81}\) bitoperations, a number that is dwarfed by the other two terms below.
For finding the near collision, we require around \(2^{128.5}\) keystream bits, which costs around \(2^{128.5} / (256 + 4) \approx 2^{120.48}\) Grain128 encryptions. We insert elements of the form \((t, Z_i, Y_i)\) in a hash table as before where t denotes number of elapsed clocks of the Grain keystream (\(t = 128\)), \(Z_i\) comprises 256 bits of keystream from position t and \(Y_i\) comprises 11 bits of keystream backwards from t. We require around \(2^{128.5}\) hash table insertions, and thus \(2^{128.5} \cdot (128 + 256 + 11) \approx 2^{137.13}\) bits of memory. We note that since keystream bits overlap in the table and thus there is redundancy, we can simply store keystream bits in a separate ordered table and thus use \(2^{128.5} \cdot (128 + 1) + (256+11) \approx 2^{135.51}\) bits of memory, but optimizing via sampling resistance allows for even less memory consumption.
We now consider the cost of equation solving. By properties of the LFSR and NFSR feedback polynomials, one can easily design a hardware circuit which performs 32 clocks of Grain128 per cycle with less than 32 times overhead versus running the circuit serially [HJMM06a]. We thus divide the time that we have measured by 32 when estimating the attack complexity to conservatively estimate the amount of time required to perform the encryption. The cost is around \(T_{Solve} = (P_s  1) \cdot C_u + C_s\) Grain128 encryptions. We deduce that \(C_u \approx 2^{35} \cdot \frac{12.70}{0.001448} \cdot 32 \approx 2^{53.08}\) and \(C_s = 2^{55} \cdot \frac{17.36}{0.001448} \cdot 32 \approx 2^{73.46}\). Correspondingly, equation solving costs around \(T_{Solve} \approx 2^{112.59}\) Grain128 encryptions and relatively negligible memory. Thus the overall attack cost of around \(2^{120.48}\) Grain128 encryptions is dominated by the cost of generating the collision.
Sampling Resistance. To reduce memory consumption we consider sampling resistance as in Sect. C. It is argued in [Bjo08] that the sampling resistance of Grain128 is at most \(2^{22}\) by considering the spacing between taps \(n_{15}\) and \(n_{36}\) in the output function. As before, we make use of this property and insert tuples \((t, Z_t, Y_t)\) into our hash table if and only if \(Z_t\) is prefixed by r zero bits, where we can safely consider \(r \le 22\) for our purposes. By similar analysis to Sect. C.1, we require \(2^{128.5 + r/2}\) keystream bits, i.e. \(2^{120.48 + r/2}\) Grain128 encryptions, and \(2^{128.5  r/2}\) hash table insertions to find the near collision (consuming around \(2^{137.1  r/2}\) bits of memory). By comparison, by the same logic as used for Grain v1, the state recovery attack that minimises the number of Grain128 encryptions requires around \(2^{124.98}\) Grain128 encryptions, \(2^{123.98}\) hash table insertions and \(2^{132}\) bits of data and memory.
Rights and permissions
Copyright information
© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this paper
Cite this paper
Banik, S., Collins, D., Meier, W. (2023). Near Collision Attack Against Grain V1. In: Tibouchi, M., Wang, X. (eds) Applied Cryptography and Network Security. ACNS 2023. Lecture Notes in Computer Science, vol 13905. Springer, Cham. https://doi.org/10.1007/9783031334887_7
Download citation
DOI: https://doi.org/10.1007/9783031334887_7
Published:
Publisher Name: Springer, Cham
Print ISBN: 9783031334870
Online ISBN: 9783031334887
eBook Packages: Computer ScienceComputer Science (R0)