Advanced conditional differential attack on Grain-like stream cipher and application on Grain v1

Conditional differential attacks against non-linear feedback shift register based cryptosystems were proposed by Knellwolf et al. at Asiacrypt 2010. In this study, the authors propose an advanced conditional differential attack on Grain-like stream cipher. They trace propagations of a single bit difference of internal states both inversely and forward. Methods of both searching for the longest inverse difference characteristic with probability one and deriving initial value (IV) conditions with the max inverse round are introduced. When tracing forward, conditions are imposed to limit the propagation of difference to obtain a high bias. Conditions of the proposed method are only imposed on IV bits and the proposed attack works in the single-key setting. Moreover, a method of recovering key expressions as well as bias-complexity-success probability target is presented in this study. Using the proposed method, the authors conduct a key recovery attack on 114-round Grain v1, recovering 6 key expressions with the time complexity of 2 ³² , which is also verified by experiments. With more conditions imposed, this attack can be improved to Grain v1 of 120 rounds, recovering 12 key expressions with the time complexity of 2 ^42.75 and theoretical success probability of about 93%, which is ten rounds longer than the longest previous result of Grain v1 in the single-key setting.