Related-Key Chosen IV Attacks on Grain-v1 and Grain-128⋆ Yuseop Lee1 , Kitae Jeong1 , Jaechul Sung2 , and Seokhie Hong1 1 2 Center for Information Security Technologies(CIST), Korea University, Seoul, Korea {yusubi,kite,hsh}@cist.korea.ac.kr Department of Mathematics, University of Seoul, Seoul, Korea jcsung@uos.ac.kr Abstract. The slide resynchronization attack on Grain was proposed in [6]. This attack finds related keys and initialization vectors of Grain that generate the 1-bit shifted keystream sequence. In this paper, we extend the attack proposed in [6] and propose related-key chosen IV attacks on Grain-v1 and Grain-128. The attack on Grain-v1 recovers the secret key with 222.59 chosen IV s, 226.29 -bit keystream sequences and 222.90 computational complexity. To recover the secret key of Grain-128, our attack requires 226.59 chosen IV s, 231.39 -bit keystream sequences and 227.01 computational complexity. These works are the first known key recovery attacks on Grain-v1 and Grain-128. Keywords: Stream cipher, Grain-v1, Grain-128, Related-key chosen IV attack, Cryptanalysis. 1 Introduction A bit-oriented synchronous stream cipher Grain [2] was designed by M. Hell, T. Johansson and W. Meier. Their main goal was to design an algorithm which can be implemented efficiently in hardware. Grain consists of two 80-bit shift registers, a linear feedback shift register (LFSR) and a nonlinear feedback shift register (NFSR), and a 5-input filter function. The key size is specified with 80 bits and additionally an initialization vector of 64 bits is required. But because of weakness in the filter function, a key recovery attack [1] and a distinguishing attack [5] on Grain were proposed. In order to solve the security problem of Grain, the designers of Grain proposed the tweak versions of Grain, called Grain-v1 [3] and Grain-128 [4]. Similarly to Grain, Grain-v1 uses a 80-bit secret key and a 64-bit initialization vector to fill in an internal state of size 160 bits divided into LFSR and NFSR of length 80 bits each. The feedback function of NFSR used in Grain-v1 is not equal to ⋆ This research was supported by the MKE(Ministry of Knowledge Economy), Korea, under the ITRC(Information Technology Research Center) support program supervised by the IITA(Institute of Information Technology Advancement) (IITA2008-(C1090-0801-0025)). Y. Mu, W. Susilo, and J. Seberry (Eds.): ACISP 2008, LNCS 5107, pp. 321–335, 2008. c Springer-Verlag Berlin Heidelberg 2008  322 Y. Lee et al. that used in Grain. Grain-v1 generate a keystream bit by XORing 7-bit values from NFSR with the output value of the filter function, in contrast to XORing 1-bit value from NFSR with the output value of the filter function in Grain. The Grain-128 supports a 128-bit secret key and a 96-bit initialization vector. It consists of an 128-bit LFSR, an 128-bit NFSR and a 9-input filter function. On the other hand, Grain, Grain-v1 and Grain-128 use the same setup mode similar to the keystream generation mode. The slide resynchronization attack (SRA) on Grain was suggested with this property [6], finds related keys and initialization vectors of Grain that generate the 1-bit shifted keystream sequence with probability 2−2 . In this paper, we extend the attack in [6] and propose related-key chosen IV attacks on Grain-v1 and Grain-128. To attack Grain-v1 and Grain-128, our attack uses m + 1 keys and does m steps repeatedly, i.e., we run the fist step by using the secret key and the first related key and then the second step by using the first related key and the second related key and so on. In each step, we apply three methods, D-Test, ∗-Change and †-Change which will be explained in Section 3. At first, in order to construct α linear equations for the secret key, we find the initialization vector passing D-Test for the secret key and the α-bit left rotated key among chosen initialization vectors adequately. Then we apply †-Change to recover additional α-bit key. We repeat this step m times. In case of Grain-v1 we can find 2mα-bit information of the key, the remained key bits can be recovered by the exhaustive search with computational complexity 280−2mα . The attack on Grain-128 is similar to that of Grain-v1. It decrease the computational complexity of the exhaustive search from 2128 to 2128−3mα . Table 1 summarizes our results. This paper is organized as follows: in Section 2, we briefly describe Grain-v1, Grain-128 and the attack proposed in [6]. We present key recovery attacks on Grain-v1 and Grain-128 in Section 3 and 4, respectively. Finally, we conclude in Section 5. Table 1. Results on Grain-v1 and Grain-128 Stream Cipher Grain-v1 Grain-128 2 Related Data Complexity Keys Chosen IV s Keystream Bits 3 3 222.59 226.59 226.29 231.39 Computational Complexity 222.90 240-clock cycles 227.01 384-clock cycles Preliminaries In this section, we briefly describe Grain-v1, Grain-128 and the attack proposed in [6]. The following notations are used throughout the paper. – – – – S t : the internal state of Grain-v1 and Grain-128 at time t. Lt : the internal state of LFSR at time t. N t : the internal state of NFSR at time t. nt : a feedback bit of the NFSR at time t. Related-Key Chosen IV Attacks on Grain-v1 and Grain-128 (a) 323 (b) NFSR lt LFSR nt NFSR h( x ) LFSR h( x ) 1 bit 7 bits ot Fig. 1. (a) the keystream generation mode (b) the setup mode of Grain-v1 – – – – 2.1 lt : a feedback bit of the LFSR at time t. ot : an output bit of Grain-v1 or Grain-128 at time t. Z = (z0 , z1 , · · · ): the keystream sequence of Grain-v1 or Grain-128. Z[α]: the α-bit shifted keystream sequence of Z, i.e., Z[α] = (zα , zα+1 , · · · ). Grain-v1 and Gain-128 Grain-v1 consists of an 80-bit LFSR, an 80-bit NFSR and a 5-input filter function h. It generates the keystream sequence from an 80-bit secret key K = (k0 , · · · , k79 ) and a 64-bit initialization vector IV = (iv0 , · · · , iv63 ). At time t, LFSR and NFSR are denoted by Lt = (Lt0 , · · · , Lt79 ) and N t = t t are the most significant bits. The ), respectively, where Lt79 , N79 (N0t , · · · , N79 t feedback bits of LFSR and NFSR, l and nt , are computed as follows: lt = Lt62 ⊕ Lt51 ⊕ Lt38 ⊕ Lt23 ⊕ Lt13 ⊕ Lt0 . t t t t t t t t t nt = Lt0 ⊕ N62 ⊕ N60 ⊕ N52 ⊕ N45 ⊕ N37 ⊕ N33 ⊕ N28 ⊕ N21 ⊕ N14 ⊕ N9t ⊕ N0t t t t t t t t t t t t t t t ⊕ N63 N60 ⊕ N37 N33 ⊕ N15 N9t ⊕ N60 N52 N45 ⊕ N33 N28 N21 ⊕ N63 N45 N28 N9t t t t t t t t t t t t t t ⊕ N60 N52 N37 N33 ⊕ N63 N60 N21 N15 ⊕ N63 N60 N52 N45 N37 t t t t t t t t t t ⊕ N33 N28 N21 N15 N9t ⊕ N52 N45 N37 N33 N28 N21 . The filter function h takes 5-bit input values from LFSR and NFSR as follows: t t t h(Lt3 , Lt25 , Lt46 , Lt64 , N63 ) = Lt25 ⊕ N63 ⊕ Lt3 Lt64 ⊕ Lt46 Lt64 ⊕ Lt64 N63 ⊕ Lt3 Lt25 Lt46 t t t ⊕ Lt3 Lt46 Lt64 ⊕ Lt3 Lt46 N63 ⊕ Lt25 Lt46 N63 ⊕ Lt46 Lt64 N63 . At time t, the output bit ot of Grain-v1 is generated as follows.  t ot = Nkt ⊕ h(Lt3 , Lt25 , Lt46 , Lt64 , N63 ), k∈A where A = {1, 2, 4, 10, 31, 43, 56}. Note that z0 is equal to o160 , since Grain-v1 is clocked for 160 clock cycles without producing the keystream sequence. 324 Y. Lee et al. (a) (b) NFSR lt LFSR nt NFSR LFSR h( x ) ot h( x ) 1 bit 7 bits Fig. 2. (a) the keystream generation mode (b) the setup mode of Grain-128 The setup process is carried out using (K, IV ) in three steps: 1. The internal state of NFSR is loaded with K as follows: Ni0 = ki (0 ≤ i ≤ 79). 2. The internal state of LFSR is loaded with IV as follows:  ivi , where 0 ≤ i ≤ 63 0 Li = . 1, where 64 ≤ i ≤ 80 3. The two registers are clocked for 160 clock cycles without producing the keystream sequence, where the output bit is fed back and XORed with the input, both to LFSR and to NFSR. See Fig. 1-(b). Grain-128 consists of a 128-bit LFSR, a 128-bit NFSR and a 9-input filter function h. It generates keystream sequence from a 128-bit secret key K = (k0 , · · · , k127 ) and a 96-bit initialization vector IV = (iv0 , · · · , iv95 ). At time t, the feedback bits of LFSR and NFSR are computed as follows. lt = Lt96 ⊕ Lt81 ⊕ Lt70 ⊕ Lt38 ⊕ Lt7 ⊕ Lt0 . t t t t t t t t t t nt = Lt0 ⊕ N96 ⊕ N91 ⊕ N56 ⊕ N26 ⊕ N0t ⊕ N84 N68 ⊕ N65 N61 ⊕ N48 N40 t t t t t t t ⊕ N59 N27 ⊕ N18 N17 ⊕ N13 N11 ⊕ N67 N3t . The filter function h takes an input values as 7-bit values from LFSR and 2-bit values from NFSR, respectively. It is defined as follows: t t t t h(Lt8 , Lt13 , Lt20 , Lt42 , Lt60 , Lt79 , Lt95 , N12 , N95 ) = N12 Lt8 ⊕ Lt13 Lt20 ⊕ N95 Lt42 t t ⊕ Lt60 Lt79 ⊕ N12 N95 Lt95 . The output bit ot of Grain-128 at time t is generated as follows.  t t ot = Nkt ⊕ h(Lt8 , Lt13 , Lt20 , Lt42 , Lt60 , Lt79 , Lt95 , N12 , N95 ) ⊕ Lt93 , k∈A where A = {2, 15, 36, 45, 64, 73, 89} and z0 = o256 . The setup process of Grain-128 is similar to that of Grain-v1 except that the number of clocking without producing the keystream sequence is 256. See Fig. 2-(b). Related-Key Chosen IV Attacks on Grain-v1 and Grain-128 325 Table 2. Conditions used in the attack on Grain K = (k0 , · · · , k79 ), IV = (iv0 , · · · , iv79 ) t t N79 Lt79 K ′ = (k1 , · · · , k79 , n0 ⊕ o0 ), IV ′ = (iv1 , · · · , iv63 , 1) ′t t N79 L′t 79 Condition 0 k79 1 1 n0 ⊕ o0 l0 ⊕ o0 0 n0 ⊕ o0 1 l0 ⊕ o0 = 1 1 1 1 1 ′0 ′0 ′0 ′0 2 n ⊕o l ⊕o 1 n ⊕o l ⊕o .. .. .. .. .. .. .. . . . . . . . 160 n159 ⊕ o159 l159 ⊕ o159 159 n′158 ⊕ o′158 l′158 ⊕ o′158 161 n160 l160 160 n′159 ⊕ o′159 l′159 ⊕ o′159 o′159 = 0 161 161 162 n l 161 n′160 ⊕ o′160 l′160 ⊕ o′160 .. .. .. .. .. .. .. . . . . . . . 2.2 Slide Resynchronization Attack on Grain In [6], Kücük showed that it is possible to find related keys and initialization vectors of Grain. For any pair (K, IV ), slide resynchronization attack (SRA) ′ ′ on Grain finds the related pair (K ′ , IV ′ ) = ((k0′ , · · · , k79 ), (iv0′ , · · · , iv63 )) that −2 generates the 1-bit shifted keystream sequence with probability 2 . It is based on two observations: 1. The number of updated bits for 1 clock is only 2. 2. The setup process and the keystream generation procedure are similar. SRA is done by assuming two conditions as shown in Table 2. The relation of (K, IV ) and (K ′ , IV ′ ) is as follows: K = (k0 , · · · , k79 ) ⇒ K ′ = (k1 , · · · , k79 , b), where b ∈ {0, 1}. IV = (iv0 , · · · , iv63 ) ⇒ IV ′ = (iv1 , · · · , iv63 , 1). Let S t and S ′t be internal states generated from (K, IV ) and (K ′ , IV ′ ) at time t, respectively. We assume that S 1 = S ′0 which is equal to l0 ⊕ o0 = 1 from Table 2. Then S t+1 = S ′t (0 ≤ t ≤ 159). S 161 is updated by the keystream generation mode but S ′160 is updated by the setup mode. If o′159 = 0, then S 161 is equal to S ′160 . Thus if l0 ⊕ o0 = 1 and o′159 = 0, then (K ′ , IV ′ ) generates the 1-bit shifted keystream sequence Z[1] of Z generated from (K, IV ). Assuming that l0 ⊕o0 and o′159 are uniformly distributed, we find the related pair (K ′ , IV ′ ) with probability 2−2 . 3 Related-Key Chosen IV Attack on Grain-v1 In this section, we introduce a key recovery attack on Grain-v1. Firstly, we introduce some properties of Grain-v1 and propose a key recovery attack on Grain-v1 326 Y. Lee et al. by using same properties. Let K be a secret key and IV be an initialization vector. Our attack uses m + 1 keys K, K1 , · · · , Km . Here, we only describe the case that ((K, IV ) , (K1 , IV ′ )) pair is used. Other cases can be done by repeating the case that ((Ki , IV ) and (Ki+1 , IV ′ )) is used, i.e., if we use three keys K, K1 and K2 , we run the first attack by using K, K1 and then second one by using K1 , K2 . The second attack procedure is almost similar to the first. 3.1 Constructing α Linear Equations for K The related key K ′ and initialization vector IV ′ are defined as follows. Here, α is a parameter such that 1 ≤ α ≤ 12. K = (k0 , · · · , k79 ) ⇒ K ′ = (kα , · · · , k79 , k0 , · · · , kα−1 ). IV = (iv0 , · · · , iv63 ) ⇒ IV ′ = (ivα , · · · , iv63 , 1, · · · , 1). (1) (2) Let Z and Z ′ be keystream sequences generated from (K, IV ) and (K ′ , IV ′ ). Kücük assumed that S 1 is equal to S ′0 which implies S t+1 is equal to S ′t (0 ≤ t ≤ 159). We can get Property 1 by using this property. Property 1. If S α is equal to S ′0 , then S i is equal to S ′i−α for α < i ≤ 160. It means that oi is equal to o′i−α . That is, S α = S ′0 ⇒ S i = S ′i−α . Proof. This property follows directly from the setup process of Grain-v1. Recall that the number of clocking without producing the keystream sequence is 160 in the setup process. ⊓ ⊔ If IV satisfies S α = S ′0 , we say that IV is valid. Otherwise we say that the IV is invalid. In Theorem 1, we prove that we can construct total 2α equations for secret key using a valid IV and calculate the probability that a valid IV exists. Theorem 1. For a valid IV , we can construct 2α equations of which unknown values are K. And the valid IV exists with probability 2−2α . That is,   P r S α = S ′0 = 2−2α . Proof. Since (K, IV ) is loaded to NFSR and LFSR directly, the following holds: S α = S ′0 ⇔ N α = K ′ , Lα = IV ′ (1 · · · 1). For 0 ≤ i < α, N α = K ′ and Lα = IV ′ (1 · · · 1) imply (3) and (4). ni ⊕ oi = ki . i i l ⊕ o = 1. (3) (4) So, we can construct 2α equations for K using the valid IV . If ni , oi , li and ki are assumed statically independent, (3) and (4) hold with probability 2−1 , respectively. Thus S α = S ′0 holds with probability 2−2α . ⊓ ⊔ Related-Key Chosen IV Attacks on Grain-v1 and Grain-128 327 We show that how to construct α linear equations for K in Property 2 and Theorem 2. Property 2. If h takes the input value of which some bits are fixed, then it is approximated to h′ with probability 1, as follows. Approx1 : If Lt46 = 0, Lt64 = 1 then h′ = Lt3 ⊕ Lt25 t Approx2 : If Lt3 = Lt25 , Lt46 = 1, Lt64 = 1 then h′ = N63 ⊕1 Using Theorem 1 and Property 2, we can induce the following theorem. This theorem shows that there exists a valid IV among 22α IV s whose some bit positions are fixed. Theorem 2. For a fixed K, we choose 22α IV s where (iv45+1 , · · · , iv45+α ) = (0, · · · , 0) , (iv12+1 , · · · , iv12+α , iv24+1 , · · · , iv24+α ) are all 2α-bit values and the remaining bits are fixed to b (∈ {0, 1}). Then there exists exactly one valid IV . Thus we can construct α linear equations for K using (6) and the IV . Proof. L064 , · · · , L079 are fixed to 1 in the setup mode. Thus (3) and (4) are equal to (5) and (6) respectively by Approx1 of Property 2, if iv45+1 , · · · , iv45+α are fixed 0.  ivi ⊕ (iv3+i ⊕ iv25+i ) = (ni ⊕ ivi ) ⊕ ki ⊕ ks+i , (5) s∈A (ivi ⊕iv13+i ⊕ iv23+i ⊕ iv38+i ⊕ iv51+i ⊕ iv62+i )⊕(iv3+i ⊕ iv25+i ) = 1⊕  ks+i , s∈A (6) where 0 ≤ i < α and A = {1, 2, 4, 10, 31, 43, 56}. Because the right hand side of (5) and (6) are determined by K, these values are fixed for all chosen IV s. Also the remaining bits of IV s except for (iv12+1 , · · · , iv12+α , iv24+1 , · · · , iv24+α ) are fixed for all chosen IV s by the assumption. Thus we can rewrite (5) as (7), where the right hand side of (7) is fixed for all chosen IV s.  iv25+i = iv3+i ⊕ ni ⊕ ki ⊕ ks+i . (7) s∈A Since iv25+i ∈ {iv24+1 , · · · , iv24+α }, there exist 2α IV s which satisfy (7) among all 22α chosen IV s and these IV s are fixed except for (iv12+1 , · · · , iv12+α ). Similarly to the case of (5), we can rewrite (6) as (8), where the right hand side of (8) is fixed for all 2α IV s.  iv13+i = ivi ⊕ iv23+i ⊕ iv38+i ⊕ iv51+i ⊕ iv62+i ⊕ iv3+i ⊕ iv25+i ⊕ 1 ⊕ ks+i . (8) s∈A So there exists exactly one IV satisfying (7) and (8) among all chosen 22α IV s. By the definition of “valid IV ”, the IV satisfying (7) and (8) is valid. Hence there exists exactly one valid IV . Moreover, we can construct α linear equations by applying the valid IV to (6), since (6) is a linear equation for K. ⊓ ⊔ 328 Y. Lee et al. Table 3. The changed bit positions of ∗-Change Event The changed bit positions ∗-Change1 iv15 , iv40 ∗-Change2 iv16 , iv41 ∗-Change3 iv17 , iv42 ∗-Change4 iv18 , iv43 Event The changed bit positions ∗-Change5 iv15 , iv40 , iv16 , iv41 ∗-Change6 iv15 , iv40 , iv17 , iv42 ∗-Change7 iv15 , iv40 , iv18 , iv43 ∗-Change8 iv16 , iv41 , iv17 , iv42 Let β be the maximum value such that zi = 0 (0 ≤ i < β) (Note that the expected value of β is about 2, since 2 ≈ 1 · 12 + 2 · 41 + 3 · 18 + · · · ). Because an updated bit affects to keystream bits after 16 clock cycles, we define ∼α as follows: Z ∼α Z ′ ⇔ zα+i = zi′ (0 ≤ i < 16 − α + β). In our attack, we find a valid IV by checking that Z and Z ′ satisfy Z ∼α Z ′ . The following theorem enable us to distinguish a valid IV and an invalid IV . Theorem 3. A valid IV always satisfies Z ∼α Z ′ but an invalid IV satisfies it with probability 2−(16−α+β) . Proof. By Theorem 1, a valid IV satisfies S 160 = S ′160−α . Then o160 (= z0 ) is equal to o′160−α . Since zi = 0 (0 ≤ i < b), o′160−α+i = zi = 0 (0 ≤ i < β) and S 160+β = S ′160−α+β . After (α − β) clock cycles, L160+α and N 160+α are always equal to L′160 and N ′160 except the (α − β) most significant bits, respectively. Since α used in our attack is less than or equal to 12, h takes the same input values for additional (16 − α + β) clock cycles in two cases. Thus (K, IV ) and (K ′ , IV ′ ) always generate the same keystream bits for additional (16 − α + β) clock cycles. For an invalid IV, Z and Z ′ are uniformly generated. Thus the IV satisfies Z ∼α Z ′ with 2−(16−α+β) . ⊓ ⊔ If α = 12 and β = 2, then the probability that an invalid IV satisfies Z ∼α Z ′ is 2−6 (we call it D-Test) which is not small. To decrease the probability that an invalid IV passes D-Test, we use another method, ∗-Change. For any IV , we generate the corresponding IV ∗ by modifying the values of even positions in the IV . We change the bits of IV that do not affect the results of (5) and (6) as shown in Table 3. Since these bits are not used as input values of h for 1 ≤ α ≤ 12 and the left hand side of (6) is linear, the results of these equations do not change. Thus an IV is valid if and only if the corresponding IV ∗ is valid. Corollary 1 show that we can distinguish valid IV s and invalid IV s with very high probability using ∗-changes. In our attack, we generate (γ − 1) IV ∗ s for an IV where γ is the integer satisfying 22α−γ(16−α+β) << 1. Hence, we can find a valid IV by Corollary 1 and construct α linear equations for K using Theorem 2 and the valid IV . Corollary 1. If an IV is invalid, the probability that the IV and the corresponding IV ∗ pass D-Test is 2−2(16−α+β) . Further, the IV and the corresponding (γ − 1) IV ∗ s pass D-Test with probability 2−γ(16−α+β). Related-Key Chosen IV Attacks on Grain-v1 and Grain-128 329 Proof. This property follows directly from the fact that each invalid IV ∗ passes D-Test independently. ⊓ ⊔ 3.2 Recovering Another α-Bit Key Up to now, we introduced the method to find a valid IV and construct α linear equations for K by using the valid IV . From this, we can get the α-bit key information. Now, we present the method, †-Change, to recover another α-bit key. For a valid IV , we will generate the corresponding IV † by modifying the values of some positions in the valid IV . In case of α = 12, Appendix A.1 presents the bit positions where †-Change modifies. The conditionally changed bit positions in †-Changei are modified only if iv3+i is not equal to iv25+i . Here, we focus only †-Change0 . Other events †-Changei (1 ≤ i ≤ 11) can be done similar to †-Change0 . †-Change0 is done as follows: 1. Using Approx2 of Property 2, do the followings; (a) Modify iv46 which is the third input value of h at time 0. (b) If iv3 is not equal to iv25 , then modify iv25 . Here, iv3 and iv25 are the first and second input values of h at time 0, respectively. 2. Modify bit positions of the IV such that the results of (5) and (6) that time is not 0 do not change. (a) Since iv46 changes the result of (6) at time 8, modify iv59 which is in the linear part of (6) at time 8. Note that we can change other bits which are in the linear part of (6) at time 8. But we found that the number of the additional changed bits for iv59 are less than for other bits. (b) If iv25 in Step 1-(b) is changed, it changes the result of (6) at time 2. Thus modify iv15 which is in the linear part of (6) at time 2. Applying †-Change0 , the results of (5) and (6) for (K, IV ) are equal to them for (K, IV † ) except time 0. The equations for (K, IV † ) at time 0 are (9) and (10). Here, A = {1, 2, 4, 10, 31, 43, 56}. iv0 ⊕ (k63 ⊕ 1) = (n0 ⊕ iv0 ) ⊕ k0 ⊕  (9) ks . s∈A (iv0 ⊕ iv13 ⊕ iv23 ⊕ iv38 ⊕ iv51 ⊕ iv62 ) ⊕ (k63 ⊕ 1) = 1 ⊕  ks . (10) s∈A If the IV † is valid, (5) and (6) are equal to (9) and (10) at time 0, respectively. Thus we get (11). Otherwise we get (12). Applying other events similarly, we can recover k63 , · · · , k74 . iv3 ⊕ iv25 = k63 ⊕ 1. (11) iv3 ⊕ iv25 = k63 . (12) 330 3.3 Y. Lee et al. Description of Our Attack on Grain-v1 We are ready to present our attack on Grain-v1. This attack uses m + 1 keys K, K1 , · · · , Km and consists of m steps. For 0 ≤ i < m, the i-th step use Ki and Ki+1 satisfying the following relation: Ki = (k0 , · · · , k79 ) ⇒ Ki+1 = (kα , · · · , k79 , k0 , · · · , kα−1 ). Note that K0 = K. In each step, we construct α linear equations for K and recover the α-bit key. Finally we find the remaining bits by the exhaustive search. Each step runs three algorithms, the FilterIV algorithm, the CheckValid algorithm and the RecoverKey algorithm. Firstly, the FilterIV algorithm finds a valid IV among 22α IV s that satisfies Corollary 1 as follows: 1. Generate 22α (16 + βi )-bit keystream sequences Zi by using K and IVi (1 ≤ i < 22α ) from Corollary 1. Here, βi is the value such that the first βi bits of Zi are zeros. 2. Calculate the corresponding IVi′ to IVi from (2) and generate the (16 − α + βi )-bit keystream sequence Zi′ by using K ′ and IVi′ . 3. Check D-test for each (Zi , Zi′ ) and store all IVi which the corresponding Zi and Zi′ pass D-test. 4. Until only one IV remains, repeat the followings; (a) Set j=1; (b) Calculate IV ∗ s by applying ∗-Changej to the remaining IV s. (c) Calculate the IV ∗′ s corresponding IV ∗ s. (d) Generate keystream sequences using (K, IV ∗ ) and (K ′ , IV ∗′ ). (e) Check D-Test for the generated keystream sequences and discard IV s that the corresponding keystream sequences do not pass D-test. (f) Add 1 to j. 5. Return the remaining IV . On average, the number of IV s used in this algorithm is 2 γ−1  i=0  22α−i(16−α+β) , where α is parameter which is chosen by the attacker, β is maximum value such that zi = 0 (0 ≤ i < β) and γ is the number satisfying 22α−γ(16−α+β) << 1. From an IV , this algorithm generates the (16 + β)-bit keystream sequence for K and the (16 − α + β)-bit keystream sequence for K ′ . Thus it requires the (16 + β) γ−1  i=0 γ−1    22α−i(16−α+β) + (16 − α + β) 22α−i(16−α+β) -bit keystream sequence on average. i=0 Related-Key Chosen IV Attacks on Grain-v1 and Grain-128 331 The CheckValid algorithm takes an IV and checks the validity of it as follows: 1. Generate Z and Z ′ using (K, IV ) and (K ′ , IV ′ ), respectively. Check Dtest for (Z, Z ′ ). If it does not pass D-test, then return “invalid”. 2. Set i = 1 and if i < γ, then repeat the followings; (a) Calculate the IV ∗ by applying ∗-Changei to the IV . (b) Generate keystream sequences by using (K, IV ∗ ), (K ′ , IV ∗′ ) and check D-Test for the generated keystream sequences. If they do not pass, then return “invalid”. (c) Add 1 to i. 3. Return “valid”. This algorithm uses 2γ IV s and ((16 + β)γ + (16 − α + β)γ)-bit keystream sequence. Finally, the RecoverKey algorithm takes a valid IV and recover the α-bit key   k(62+mα+1) mod 80 , · · · , k(62+mα+α) mod 80 in the m-th step. Since this algorithm calls the CheckValid algorithm α times, it requires 2αγ IV s and the α((16 + β)γ + (16 − α + β)γ)-bit keystream sequence. It is done as follows: Input : a valid IV = (iv0 , · · · iv63 ) 1. Set i = 0 and if i < α, then repeat the followings; (a) Calculate the corresponding IVi† by applying †-Changei to the IV . (b) Check that IVi† is valid by using the CheckValid algorithm. (c) If IVi† is valid, k(63+mα+i) mod 80 = iv3+i ⊕ iv25+i ⊕ 1. Otherwise k(63+mα+i) mod 80 = iv3+i ⊕ iv25+i . (d) Add 1 to i. We find the right secret key by the exhaustive search by using the 2mα-bit key information obtained in previous steps. We generate the 80-bit keystream sequence from each candidate key and check that it is equal to the original keystream sequence. Thus, this test requires 240-clock cycles of Grain-v1. Our attack procedure on Grain-v1 is done as follows: 1. Generate 22α IV s from Theorem 2. 2. Set i = 0 and if i < m, repeat the followings; (a) For Ki and Ki+1 , find an valid IV by using the FilterIV algorithm. (b) Construct α linear equations by using (6) and the valid IV . (c) Recover the α-bit key by using the RecoverKey algorithm. 3. Find the right secret key K by the exhaustive search using the 2mα-bit key information obtained in Step 2. γ−1 The number of chosen IV s used in our attack is 2m( i=0 (22α−i(16−α+β) ) + 2α−i(16−α+β) γα) and our attack requires m((32 − α + 2β)( γ−1 ) + γα))-bit i=0 (2 keystream sequence. The computational complexity of Step 2 is m( (352−α+2β) 240 332 Y. Lee et al. Table 4. Our results on Grain-v1 m α γ Data Complexity Computational Complexity Chosen IV s Keystream Bits 1 12 6 2 12 6 3 10 4 3 12 6 Computation 225.02 228.61 256 26.02 29.61 32.02 2 2 2 22.59 26.29 2 2 222.90 26.61 30.19 2 2 226.70 complexity unit: 240-clock cycles of Grain-v1 γ−1 ( i=0 (22α−i(16−α+β) )+γα)) 240-clock cycles of Grain-v1. Since we get the 2mαbit key information, the computational complexity of Step 3 is 280−2mα 240-clock cycles of Grain-v1. Table 4 shows the complexities of our attack for parameters m, α and γ. For m = 3, α = 10 and γ = 4, we recover the secret key of Grain-v1 with 226.29 bits keystream sequence and 222.90 computational complexity. If we use more related keys, we need less complexities to attack Grain-v1, i.e., if we use 40 related keys, then the computational complexity decrease to 28.21 240-clock cycles of Grain-v1 and the data complexity is as follows: 28.64 chosen IV s and 212.77 -bit keystream sequence. The usage of 3 related keys and the computational complexity of 222.90 is reasonable. For m = 3, α = 10 and γ = 4, we practically recovered the secret key within 3 minutes on average. 4 Related-Key Chosen IV Attack on Grain-128 Since the attack on Grain-128 is similar to that on Grain-v1, we briefly present our attack on Grain-128 using one related key K ′ . K ′ , IV ′ and ∼α are defined as follows: K = (k0 , · · · , k127 ) ⇒ K ′ = (kα , · · · , k127 , k0 , · · · , kα−1 ). IV = (iv0 , · · · , iv95 ) ⇒ IV ′ = (ivα , · · · , iv95 , 1, · · · , 1). Z ∼α Z ′ ⇔ zα+i = zi′ (0 ≤ i < 32 − α + β). In case of Grain-128, a valid IV always satisfy Z ∼α Z ′ but an invalid IV passes D-test with probability 2−(32−α+β) . Similarly to the attack on Grain-v1, we apply ∗-Change to decreases the probability that an invalid IV passes D-test. The changed bit positions are shown in Table 5. In the attack on Grain-v1, we change the values of even positions in IV but the positions of Table 5 do not affect all equations for α ≤ 15. Thus we choose just one position in IV . Table 5. The changed bit positions of ∗-Change on Grain-128 Event The changed bit positions Event The changed bit positions ∗-change1 iv38 ∗-change3 iv40 ∗-change2 iv39 ∗-change4 iv41 Related-Key Chosen IV Attacks on Grain-v1 and Grain-128 333 Table 6. The modification of h Event Fixed value Approximated function h′ t t Approx1 Lt8 = 0, Lt13 = 0, Lt42 = 0, Lt60 = 0, Lt95 = 1 N12 N95 t t t Approx2 Lt8 = 1, Lt13 = 0, Lt42 = 0, Lt60 = 0, Lt95 = 1 N12 ⊕ N12 N95 t t t t t t t t Approx3 L8 = 0, L13 = 0, L42 = 1, L60 = 0, L95 = 1 N95 ⊕ N12 N95 Table 7. Our results on Grain-128 m α γ Data Complexity Computational Complexity Chosen IV s Keystream Bits 1 15 2 231 235.73 283 32 36.73 38.03 2 15 2 2 2 2 3 12 2 226.59 231.39 227 32.59 37.31 32.98 3 15 2 2 2 2 Computation complexity unit: 384-clock cycles of Grain-128 As shown in Table 6, h is approximated to h′ with probability 1. Since h takes two input value from NFSR, we can recover the 2α-bit key by applying †-Change as shown in Appendix A.2. For 0 ≤ i < α, the events †-Change1i and †Change2i can be used to recover k12+i and k95+i , respectively. The conditionally changed bit positions in †-Changei are modified only if iv20+i = 0. Note that iv87 , · · · , iv95 are fixed to 1 in order to apply †-Change. Our attack on Grain-128 uses 22α IV s that satisfy conditions of Approx1 in Table 6. Then there exists a valid IV among these IV s. But ui ⊕ oi = 1 (0 ≤ i < α) is quadratic equation for K. So we construct α quadratic equations for K as follows: li ⊕ k12+i k95+i ⊕ (k2+i ⊕ k15+i ⊕ k36+i ⊕ k45+i ⊕ k64+i ⊕ k73+i ⊕ k89+i ) = 1. Since we can recover k12+i and k95+i by using the RecoverKey algorithm, we can construct α linear equations as follows: li ⊕(k2+i ⊕k15+i ⊕k36+i ⊕k45+i ⊕k64+i ⊕k73+i ⊕k89+i ) = 1⊕vi (vi = k12+i k95+i ). Because the RecoverKey algorithm recovers the key bits that are quadratic part of these equations, we can construct α linear equations for K. The bit positions that are modified in †-changei is presented in Appendix A.2. As shown in Table 7, we need 226.59 chosen IV s, the 231.39 -bit keystream sequence and 227 384-clock cycles of Grain-128 to recover the secret key of Grain128. If we use more related keys, we need less complexities to attack Grain-128. 5 Conclusion In this paper, we have presented related-key chosen IV attacks on Grain-v1 and Grain-128 with the weakness that the setup mode is similar to the keystream 334 Y. Lee et al. Table 8. Simulation results of our attack Stream Cipher m α Grain-v1 Grain-128 3 3 γ Attack Time Success Rate (success trials/total trials) 10 4 12 2 145 sec 95 min 1 (100/100) 1 (100/100) generation mode. As summarized in Table 1, these results imply that Grain-v1 and Grain-128 have still the weakness, though they are designed to advance Grain which has been cryptanalyzed by a key recovery attack and a distinguishing attack by the weakness in the filter function. Our attack on Grain-v1 recovers the secret key with 222.59 chosen IV s, 226.29 -bit keystream sequences and 222.90 computational complexity. In case of Grain-128, our attack needs 226.59 chosen IV s, 231.39 -bit keystream sequences and 227.01 computational complexity. Table 8 presents simulation results that our attacks. The simulation was implemented on Pentium-4, CPU 2.4GHz, 2.0 Gb RAM, OS Windows XP Pro SP2. We could always recover the secret key of Grain-v1 and Grain-128 within 3 minutes and 100 minutes on average, respectively. References 1. Berbain, C., Gilbert, H., Maximov, A.: Cryptanalysis of Grain. In: Robshaw, M.J.B. (ed.) FSE 2006. LNCS, vol. 4047, pp. 15–29. Springer, Heidelberg (2006) 2. Hell, M., Johansson, T., Meier, W.: Grain - A Stream Cipher for Constrained Environments, eSTREAM - ECRYPT Stream Cipher Project, Report 2005/010 (2005), http://www.ecrypt.eu.org/stream/ciphers/grain/grain.pdf 3. Hell, M., Johansson, T., Meier, W.: Grain - A Stream Cipher for Constrained Environments, eSTREAM - ECRYPT Stream Cipher Project (2007), http://www.ecrypt.eu.org/stream/p3ciphers/grain/Grain p3.pdf 4. Hell, M., Johansson, T., Meier, W.: A Stream Cipher Proposal: Grain-128, eSTREAM - ECRYPT Stream Cipher Project (2007), http://www.ecrypt.eu.org/stream/p3ciphers/grain/Grain128 p3.pdf 5. Khazaei, S., Hassanzadeh, M., Kiaei, M.: Distinguishing Attack on Grain, eSTREAM - ECRYPT Stream Cipher Project, Report 2005/071 (2005), http://www.ecrypt.eu.org/stream/papersdir/071.pdf 6. Kücük, O.: Slide Resynchronization Attack on the Initialization of Grain 1.0, eSTREAM - ECRYPT Stream Cipher Project, Report 2006/044 (2006), http://www.ecrypt.eu.org/stream/papersdir/2006/044.ps 7. Vielhaber, M.: Breaking ONE.FIVIUM by AIDA an Algebraic IV Differential Attack, Cryptology ePrint Archive: Report 2007/413 (2007), http://eprint.iacr.org/2007/413.pdf Related-Key Chosen IV Attacks on Grain-v1 and Grain-128 335 †-Change on Grain-v1 and Grain-128 A A.1 The Changed Bit Positions of †-Change on Grain-v1 (α = 12) Event Recovered key bit The changed bit positions c c †-Change0 k63 iv46 , iv59 , iv25 , iv15 c c , iv16 †-Change1 k64 iv47 , iv60 , iv26 c c †-Change2 k65 iv48 , iv61 , iv27 , iv17 c c †-Change3 k66 iv49 , iv62 , iv38 , iv28 , iv18 c c †-Change4 k67 iv50 , iv29 , iv19 c c †-Change5 k68 iv51 , iv38 , iv30 , iv20 c c †-Change6 k69 iv52 , iv39 , iv31 , iv21 c c †-Change7 k70 iv53 , iv40 , iv32 , iv22 c c c †-Change8 k71 iv54 , iv41 , iv33 , iv37 , iv61 c c c †-Change9 k72 iv55 , iv42 , iv34 , iv38 , iv62 c †-Change10 k73 iv56 , iv43 , iv35 c †-Change11 k74 iv57 , iv44 , iv36 c ivi : the changed bit position conditionally. A.2 The Changed Bit Positions of †-Change on Grain-128 (α = 15) Recovered The changed Key bit bit positions 1 †-change0 k12 iv8 , iv68 , iv39 †-change11 k13 iv9 , iv69 , iv40 †-change12 k14 iv10 , iv70 , iv41 , iv38 †-change13 k15 iv11 , iv71 , iv85 , iv39 †-change14 k16 iv12 , iv72 , iv86 , iv40 †-change15 k17 iv13 , iv73 , iv87 , iv41 †-change16 k18 iv14 , iv74 , iv77 , iv85 †-change17 k19 iv15 , iv78 †-change18 k20 iv16 , iv79 †-change19 k21 iv17 , iv80 †-change110 k22 iv18 , iv92 †-change111 k23 iv19 , iv82 , iv39 †-change112 k24 iv20 , iv83 , iv40 , iv0c 1 †-change13 k25 iv21 , iv84 , iv41 , iv1c 1 †-change14 k26 iv22 , iv2c c ivi : the conditional changed bit position. Event Event †-change20 †-change21 †-change22 †-change23 †-change24 †-change25 †-change26 †-change27 †-change28 †-change29 †-change210 †-change211 †-change212 †-change213 †-change214 Recovered The changed Key bit bit positions k95 iv42 , iv85 k96 iv43 , iv86 k97 iv44 , iv87 k98 iv45 , iv88 k99 iv46 , iv89 k100 iv47 , iv90 k101 iv48 , iv91 k102 iv49 , iv92 k103 iv50 , iv39 k104 iv51 , iv40 k105 iv52 , iv41 k106 iv53 k107 iv54 k108 iv55 k109 iv56