The Grain-v1 stream cipher has been selected in the eSTREAM hardware finalists. In this paper, the authors derive a new distinguishing attack on Grain-v1 with 111 initialization rounds in a single-key setting. To achi...The Grain-v1 stream cipher has been selected in the eSTREAM hardware finalists. In this paper, the authors derive a new distinguishing attack on Grain-v1 with 111 initialization rounds in a single-key setting. To achieve this goal, the authors present two delicate strategies targeting an obvious distinguishing probability of the output difference of reduced Grain-v1. The authors show that conditional differential cryptanalysis of reduced Grain-v1 with 111 initialization rounds could mount a distinguishing attack with success probability about 0.8281 for all secret keys. It is also shown that when the attacking round further increases to 112 and 113, the distributions of the output differences are nearly random. Thus far, to the best of the authors' knowledge, the attack on Grain-v1 with 111 initialization rounds is the best single-key cryptanalytic result for reduced versions of Grain-vl in terms of the number of attacking rounds.展开更多
基金supported by the National Natural Science Foundation of China under Grant Nos.61521003and 61672533the National Cryptography Development Fund of China under Grant No.MMJJ20170103
文摘The Grain-v1 stream cipher has been selected in the eSTREAM hardware finalists. In this paper, the authors derive a new distinguishing attack on Grain-v1 with 111 initialization rounds in a single-key setting. To achieve this goal, the authors present two delicate strategies targeting an obvious distinguishing probability of the output difference of reduced Grain-v1. The authors show that conditional differential cryptanalysis of reduced Grain-v1 with 111 initialization rounds could mount a distinguishing attack with success probability about 0.8281 for all secret keys. It is also shown that when the attacking round further increases to 112 and 113, the distributions of the output differences are nearly random. Thus far, to the best of the authors' knowledge, the attack on Grain-v1 with 111 initialization rounds is the best single-key cryptanalytic result for reduced versions of Grain-vl in terms of the number of attacking rounds.