Indian Statistical Institute

ISI Digital Commons
Journal Articles

Scholarly Publications

11-1-2019

Distinguisher and non-randomness of Grainv1 for 112, 114 and
116 initialisation rounds with multiple-bit difference in IVs
Deepak Kumar Dalai
National Institute of Science Education and Research

Subhamoy Maitra
Indian Statistical Institute, Kolkata

Santu Pal
National Institute of Science Education and Research

Dibyendu Roy
National Institute of Science Education and Research


Recommended Citation
Dalai, Deepak Kumar; Maitra, Subhamoy; Pal, Santu; and Roy, Dibyendu, "Distinguisher and nonrandomness of Grainv1 for 112, 114 and 116 initialisation rounds with multiple-bit difference in IVs"
(2019). Journal Articles. 631.
https://digitalcommons.isical.ac.in/journal-articles/631


IET Information Security
Research Article

Distinguisher and non-randomness of Grainv1 for 112, 114 and 116 initialisation rounds
with multiple-bit difference in IVs

ISSN 1751-8709
Received on 4th June 2018
Revised 13th June 2019
Accepted on 24th July 2019
E-First on 10th September 2019
doi: 10.1049/iet-ifs.2018.5276
www.ietdl.org

Deepak Kumar Dalai¹, Subhamoy Maitra², Santu Pal¹, Dibyendu Roy¹
¹School of Mathematical Sciences, National Institute of Science Education and Research, HBNI, Bhubaneswar, Odisha 752050, India
²Applied Statistics Unit, Indian Statistical Institute, Kolkata 700108, India
E-mail: deepak@niser.ac.in

Abstract: In this study, the authors construct two different distinguishers on Grain-v1 with 112 and 114 initialisation rounds. Their first distinguisher can distinguish Grain-v1 with 112 initialisation rounds from a uniform random source for 99% of the randomly chosen keys from the full key space. The second one can distinguish Grain-v1 from a random source for 73% of the randomly chosen keys for one-fourth of the total key space ($2^{78}$ keys out of $2^{80}$ keys). Our results improve upon the earlier distinguishers. The technique used for the distinguishers is conditional differential cryptanalysis. The existing works in this direction considered only a one bit difference in the initialisation vector. However, for the first time, they could handle complicated conditions for the 2-bit difference to obtain better cryptanalytic results. Extending their technique by allowing a 1-bit difference in the pair of keys (i.e. related keys) and a 4-bit difference in IVs, they could observe the non-randomness till 116 initialisation rounds with success in 62% of cases.

1 Introduction
Stream ciphers play an important role in symmetric key cryptography, as they are valued for their speed, key size, and simplicity in hardware circuitry. In 2008, Grain-v1 [1] was placed in the list of seven stream ciphers for the final candidates by eSTREAM [2]. This is one of the three ciphers selected in the hardware portfolio. Hence, Grain-v1 [1] has received a lot of attention among the cryptanalysts. This cipher is a bit-oriented non-linear feedback shift register (NFSR)-based stream cipher, which uses an 80-bit NFSR, an 80-bit linear feedback shift register (LFSR) and a non-linear filter function of five variables. Grain-v1 consists of two phases: the first one is the key scheduling phase (i.e. the key-IV initialisation phase) and the second one is the keystream generation phase (i.e. the pseudorandom bit generation phase). An 80-bit secret key (K) and a 64-bit initialisation vector (IV) are used to initialise the state of the cipher in the key scheduling phase. During this phase, the process runs for 160 rounds to update the state to a random looking (or pseudorandom) state. In the pseudorandom bit generation phase, the cipher generates a keystream bit as output in each step and subsequently, the state gets updated.
Several works have been published to demonstrate weaknesses in Grain-v1 with a reduced number of initialisation rounds. Since the conditional differential attack [3] suits well for NFSR-based stream ciphers, the distinguishing attack using conditional differential cryptanalysis has received a lot of attention. In this technique, the analysts propose an algorithm to distinguish the first keystream bit of the stream cipher from a random bit by imposing some conditions on the input bits in the difference function of the output function (see Section 2). All the existing conditional differential cryptanalyses on Grain-v1 are based on a difference vector of weight one, which is also known as a dynamic cube attack of dimension one.
• The first result in terms of distinguisher was obtained by
Aumasson et al. [4] in 2009. They observed bias in the first
keystream bit of Grain-v1 with 81 initialisation rounds.
• In 2010, Knellwolf et al. [3] could distinguish the first
keystream bits of Grain-v1 with 97 and 104 initialisation rounds.
• In 2014, Banik [5] provided a formal way for finding a
distinguisher of Grain-v1 till 105 rounds.

• Recently, in 2016, Sarkar [6] designed a distinguisher for Grainv1 with 106 rounds, which can distinguish Grain-v1 from a
random source with the success rate ∼63%.
• In 2016, Ma et al. [7] improved the distinguisher till 107
initialisation rounds with significant probability and till 110
initialisation rounds where the probability figure was not
properly provided.
• Again in 2016, Watanabe et al. [8] presented a non-randomness on Grain-v1 with 114 initialisation rounds on a small subset of the key space, i.e. in a weak key setting. This can distinguish Grain-v1 till 114 initialisation rounds from a random source if the secret key belongs to a particular set of $2^{40}$ keys. This attack does not hold much significance as exhaustive search is possible in a set of $2^{40}$ keys. This is a very minor fraction $2^{40}/2^{80} = 2^{-40}$ of the key space.
• In 2018, Ma et al. [9] proposed a distinguisher for Grain-v1 with
111 initialisation rounds. Their distinguisher can distinguish
Grain-v1 with 111 initialisation rounds from a random source
with a success rate of ∼83%.
In the literature, there are some theoretical cryptanalytic results on full (or reduced) initialisation round of Grain-v1; here we mention a few of them. In 2008, Cannière et al. [10] analysed the Grain initialisation algorithm by its sliding property. This attack is completely based on the related key setup. In the same paper, they proposed two instances of differential attacks on Grain-v1. The first instance is under related key setup on Grain-v1 with full initialisation round with $2^{71}$ weak keys, $2^{57}$ weak IVs and $2^{55}$ chosen IV pairs. The second instance is on Grain-v1 with 112 initialisation rounds with $2^{63}$ weak IVs and $2^{72}$ chosen IV pairs, although the size of the complete IV space is $2^{64}$. In 2017, Mihaljević et al. [11] presented a conditional time-memory-data trade-off attack to recover the state bits of Grain-v1 with full initialisation round. The complexity of the online phase of the attack is quite a bit less than the complexity of the exhaustive key search, but the complexity of the preprocessing phase is very high ($\ge 2^{84}$), which needs to be performed before the online phase of the
attack. In Eurocrypt 2018, Zhang et al. [12] proposed a near collision attack on Grain-v1 with full initialisation round. The authors claimed that their attack has time complexity $2^{75.7}$ and data complexity $2^{19}$. Later in Crypto 2018, Todo et al. [13] proposed a fast correlation attack on Grain-v1 with full initialisation round. Their proposed attack has time complexity $2^{76.7}$ and data complexity $2^{75.1}$. The complexities of these two attacks are significantly less than the complexity of the exhaustive key search. However, the complexity of the near collision attack of [12] is debatable, as in [13] the authors reported that the actual time complexity of the near collision attack of [12] would be $2^{86.1}$, which is even larger than the time complexity of the exhaustive key search. All these attacks have large time and data complexities, hence they cannot be used to attack Grain-v1 in practical time.
Several other cryptanalytic results on Grain-v1 and other variants of the Grain family are available in the literature [14–20]. More results based on related key setup are available in [21, 22]. The related keys of these works differ at multiple positions.
Our contributions: In [3, 5–7, 9], the authors considered a single bit difference in IV. This is because handling the situations for a higher number of bit differences is assumed to be quite complicated in terms of handling several conditions. For the first time, we present certain distinguishers for the higher rounds of Grain-v1 with a two bit difference in the IV.
• The first distinguisher can distinguish Grain-v1 with 112 initialisation rounds from a random source almost certainly (with success rate ∼99%).
• The second distinguisher can distinguish Grain-v1 with 114 initialisation rounds from a random source with success rate ∼73% for $2^{78}$ weak keys (i.e. one-fourth of the key space).
• Furthermore, this distinguisher has been extended to 116 initialisation rounds with a 1 bit difference in the key and a 4 bit difference in the IV. Here we obtain a successful result in 62% of cases for $2^{75}$ related keys.
The second and third distinguishers are designed by extending the idea of the first technique, going in the backward direction from the initial state. As a result, the last two distinguishers fall in the weak and related key setup, respectively.
The organisation of the paper: The paper is organised as follows. The design specification of Grain-v1 and notations are presented in Sections 1.1 and 1.2. The broad framework of the conditional differential cryptanalysis on NFSR-based stream ciphers is presented in Section 2. Necessary statistical studies to relate a random Boolean function (coming out of the complex evolution of a finite-state machine) and the normal distribution are provided in Section 2.1. To compare our work with the recent attacks, we briefly discuss existing results in Section 2.2. The distinguisher for 112 initialisation rounds of Grain-v1 is described in Section 3. In Section 4, the second distinguisher for 114 initialisation rounds is provided. The non-randomness result until 116 initialisation rounds is presented in Section 4.1. Finally, we conclude this paper with future scopes in Section 5.

1.1 Design specification of Grain-v1
Grain-v1 [1] is based on an 80-bit NFSR, an 80-bit LFSR, and a non-linear filter function on five variables. The state bits of the NFSR are denoted by $n_i$ and the state bits of the LFSR are denoted by $l_i$, where $0 \le i \le 79$. In each round, the state bits of the NFSR and LFSR are shifted by one position towards the left. The feedback bits of the LFSR and NFSR are computed using the following feedback functions:

$$l_{t+80} = l_{t+62} + l_{t+51} + l_{t+38} + l_{t+23} + l_{t+13} + l_t, \quad t \ge 0. \qquad (1)$$

$$\begin{aligned}
n_{t+80} = {} & l_t + n_{t+62} + n_{t+60} + n_{t+52} + n_{t+45} + n_{t+37} \\
& + n_{t+33} + n_{t+28} + n_{t+21} + n_{t+14} + n_{t+9} + n_t \\
& + n_{t+63}n_{t+60} + n_{t+37}n_{t+33} + n_{t+15}n_{t+9} \\
& + n_{t+60}n_{t+52}n_{t+45} + n_{t+33}n_{t+28}n_{t+21} \\
& + n_{t+63}n_{t+45}n_{t+28}n_{t+9} \\
& + n_{t+60}n_{t+52}n_{t+37}n_{t+33} \\
& + n_{t+63}n_{t+60}n_{t+21}n_{t+15} \\
& + n_{t+63}n_{t+60}n_{t+52}n_{t+45}n_{t+37} \\
& + n_{t+33}n_{t+28}n_{t+21}n_{t+15}n_{t+9} \\
& + n_{t+52}n_{t+45}n_{t+37}n_{t+33}n_{t+28}n_{t+21}, \quad t \ge 0. \qquad (2)
\end{aligned}$$

Fig. 1 Algorithm 1: KSA of Grain-v1
The algebraic normal form of the non-linear filter generator (a Boolean function) $h$ is

$$\begin{aligned}
h(x_0, x_1, x_2, x_3, x_4) = {} & x_1 + x_4 + x_0 x_3 + x_2 x_3 + x_3 x_4 \\
& + x_0 x_1 x_2 + x_0 x_2 x_3 + x_0 x_2 x_4 + x_1 x_2 x_4 + x_2 x_3 x_4. \qquad (3)
\end{aligned}$$

The variables $x_0, x_1, x_2, x_3$, and $x_4$ correspond to the state bits $l_{t+3}$, $l_{t+25}$, $l_{t+46}$, $l_{t+64}$, and $n_{t+63}$, respectively, at the $t$th clock. In each round, the cipher computes one keystream bit $z_t$ using some state bits from the NFSR and the output of the non-linear filter function. The algebraic expression of the keystream bit at the $t$th round is

$$z_t = \sum_{k \in A} n_{t+k} + h(l_{t+3}, l_{t+25}, l_{t+46}, l_{t+64}, n_{t+63}), \quad t \ge 0, \qquad (4)$$

where $A = \{1, 2, 4, 10, 31, 43, 56\}$.
Grain-v1 passes through two phases: the key scheduling phase and the pseudorandom bit generation phase. The algorithms for these phases are known as the key scheduling algorithm (KSA) and the pseudorandom (bit) generation algorithm (PRGA), respectively. The KSA initialises the cipher by using one secret key ($K$) of 80 bits and one IV of 64 bits. The secret key bits and IV bits are denoted by $k_i$, $0 \le i \le 79$ and $iv_i$, $0 \le i \le 63$, respectively. The cipher loads the 80-bit secret key into the NFSR and the 64-bit IV into the LFSR as below. One may note that the remaining 16 bits are padded with the all-one pattern:

$$n_i = k_i, \quad 0 \le i \le 79,$$
$$l_i = iv_i, \quad 0 \le i \le 63,$$
$$l_i = 1, \quad 64 \le i \le 79.$$

Then the cipher runs the KSA for 160 rounds, without generating any keystream bit as output. Instead, these keystream bits are added to the feedback bits of the NFSR and LFSR. The KSA algorithm of Grain-v1 for $r$ rounds is described in Algorithm 1 (Fig. 1). The value of $r$ for the full round of Grain-v1 is 160.
After the completion of the key scheduling phase, the cipher starts the pseudorandom bit generation phase, where the cipher produces keystream bits as output. These keystream bits are used for encryption/decryption of plaintext/ciphertext. The graphical view of these two phases is provided in Fig. 2.


1.2 Notations
In this subsection, we present a few notations related to Grain-v1,
which will be used later.
• $F_2^m$: The $m$-dimensional vector space over the binary field $F_2$.
• $+$: The addition operation in $F_2$ or in the usual number system, as per the requirement.
• $K$, $IV$: The secret key and public IV, respectively.
• $S_t$, $t \ge 0$: The state of the cipher at the $t$th round; $S_0$ being the initial state of the cipher.
• $m$, $n$, $l$: The length of the state, secret key, and IV, respectively, where $m > n + l$.
• $z$: The output of the first bit of Grain-v1 after (reduced round) KSA.
• $\Delta z$: Difference (XOR) in the pair of first output bits after a certain number of KSA rounds for two different instantiations.
• $z_t$: The keystream bit after $t$ KSA rounds as defined in (4).
• $\Delta z_t$: Difference (XOR) of the pair of keystream bits from two different instantiations after $t$ KSA rounds.

2 Conditional differential attack on NFSR-based
stream cipher
The technique of the conditional differential cryptanalysis works
by placing certain conditions on the IV as well as the key (K) bits
after introducing a differential in the IV. In distinguishing attack, a
distinguisher is designed to distinguish the first keystream bit of
the cipher from a uniform random source. For Grain family,
distinguishing attack by using conditional differential attack was
initiated by Knellwolf et al. [3].
The general framework of NFSR-based stream ciphers contains a state of $m$ bits such that $m > n + l$, where $n$, $l$ are the lengths of the key and IV, respectively. Let us denote the initial state as $S_0 = (s_0, s_1, \ldots, s_{m-1}) \in F_2^m$. In every round, the state $S_i = (s_i, s_{i+1}, \ldots, s_{i+m-1}) \in F_2^m$, $i \ge 0$, is updated by a non-linear feedback shift register following a recursive formula $S_{i+1} = (s_{i+1}, s_{i+2}, \ldots, s_{i+m-1}, s_{i+m})$, where $s_{i+m} = g(S_i)$ is a non-linear function on the state bits. After performing the non-linear evaluation for a certain number of rounds, the cipher generates its first keystream bit $z$. Therefore, the first output bit $z$ of the cipher can be represented as the output of a keyed Boolean function $f : F_2^n \times F_2^l \to F_2$, where the first $n$ bits correspond to the secret key $K$ and the following $l$ bits relate to the IV, i.e. $z = f(K, IV)$.
For a fixed secret key $K$, we define the Boolean function $f_K : F_2^l \to F_2$ as $f_K(x) = f(K, x)$. Furthermore, for a difference vector $a \in F_2^l$ on the public parameter IV, we define the difference function $\Delta_a f_K(x) = f_K(x) + f_K(x + a)$. If one runs two instances of the cipher with the same key $K$ and IVs with difference $a \in F_2^l$, then the non-linear differences get added in the feedback bits in every round, i.e. in every round, the difference starts affecting the state bits non-linearly by adding the non-linear differences in the feedback bits. It might be possible for the attacker to control the
spread of differences by putting some conditions on the state bits
involved in the non-linear function in a particular round. Then
going back recursively, the conditions can be represented on the
initial state bits. As per the involvement of the type of initial state
bit, the conditions are classified as follows.
• Type I: Conditions involving only the bits of IV.
• Type II: Conditions involving the bits of both K and IV (but
may be exploited without any information on the key bits).
• Type III: Conditions involving only the bits of K.
The Type I conditions put a restriction on the choice of the IVs,
which can easily be achieved by the attacker. On the other hand,
the attacker cannot do anything in the case of Type III conditions
as the involved bits remain secret for the attacker. However, fixing
certain secret key bits, the cryptanalyst can point out a subset of
weak keys for which the attack can be implemented. In the case of
Type II conditions, since some secret key bits are expressed as
some bits of the IV bits, these conditions might be exploited
without the knowledge of the secret key bits and consequently, that
may help to expose some secret bits.
If the function $f$ is truly random, then the Boolean function $\Delta_a f_K$ should behave like a random function in every sub-domain (i.e. a subset) of the domain $F_2^l$. To control the spreading of the difference by imposing the conditions on IV and $K$, the domain of the IV and secret key $K$ is shrunk. Therefore, the spreading of difference is controlled in this sub-domain and some bias is expected in the output of the difference function $\Delta_a f_K$ in this sub-domain. Since the statistical test needs to be performed to find the bias in $\Delta_a f_K$, the number of imposed conditions needs to be optimised such that the number of sample inputs should support the theoretical bound for the statistical test. Therefore, the cryptanalyst attempts to optimise the following parameters while presenting an improvement on such an attack:
i. Maximisation of the number of initialisation rounds.
ii. Maximisation of the success rate.
iii. Maximisation of the space of IVs (i.e. minimisation of Type I
and Type II conditions).
iv. Maximisation of the effective key space (i.e. minimisation of
the Type III conditions).
v. Minimisation of the number of queries to the oracle (stream cipher) (i.e. minimisation of the Type II conditions); for $\alpha$ many IV bits related to the Type II conditions, we need to query with $2^\alpha$ many IVs, and one may like to minimise this.
Fig. 2 Design specification of Grain-v1: (a) KSA of Grain-v1, (b) PRGA of Grain-v1

2.1 Randomness test of the difference function $\Delta_a f_K$
In this section, we use a statistical method of testing the randomness of the difference function $\Delta_a f_K$. This concept was also followed in [3, 6]. If the Boolean function $\Delta_a f_K : F_2^l \to F_2$ is a random Boolean function then the output of $\Delta_a f_K$ is randomly distributed in every non-empty subset $S$ of $F_2^l$. Hence, it follows from the central limit theorem that for sufficiently large input $x_i \in S = \{x_1, x_2, \ldots, x_N\}$, the probability density function of the random variable

$$X = \sum_{x_i \in S} \Delta_a f_K(x_i)$$

approximately follows the normal distribution $N(\mu, \sigma)$, i.e.

$$\phi(x \mid \mu, \sigma) = \frac{1}{\sqrt{2\pi}\,\sigma}\, e^{-(x-\mu)^2/2\sigma^2},$$

where $\mu$ and $\sigma$ are the mean and standard deviation of the distribution of $X$. Let $b \in F_2$ be a fixed value. Then, for a random Boolean function $\Delta_a f_K$ with given $\Pr[\Delta_a f_K(x) = b] \ge \frac{1}{2}$, the expectation of $(\Pr[\Delta_a f_K(x) = b] - \frac{1}{2})$ is

$$\frac{1}{\sqrt{2\pi}\,\sigma} \int_{\mu}^{N} e^{-(x-\mu)^2/2\sigma^2} \left(\frac{x}{N} - \frac{1}{2}\right) dx.$$

In our case, the mean $\mu = N/2$ and standard deviation $\sigma = \sqrt{N}/2$. Hence, solving the integration, we have the required expectation

$$\mathcal{E} = \frac{1}{\sqrt{8\pi N}}. \qquad (5)$$

If this experiment is done $m$ number of times, then the sum

$$M = \sum_{\Pr[\Delta_a f_K(x) = b] \ge 1/2} \left(\Pr[\Delta_a f_K(x) = b] - \frac{1}{2}\right)$$

is expected to be around $m\mathcal{E}$. For a specific stream cipher, if the value of the above sum ($M$) is greater than $m\mathcal{E}$ for a large percentage (i.e. significantly more than 50%) of keys $K$, or less than $m\mathcal{E}$ for a large percentage (i.e. significantly more than 50%) of keys $K$, then it allows one to distinguish the stream cipher from a uniform random source. In the case of our first distinguisher on 112 rounds, the sum is greater than $m\mathcal{E}$ for 99% of random keys (see towards the end of Section 3). For the other two distinguishers on 114 and 116 rounds, the sum is less than $m\mathcal{E}$ for 73% and 62% of random keys, respectively (see towards the end of Section 4 and Section 4.1, respectively). We performed a similar experiment for a random source for a large number of samples. In our experiment, we considered higher rounds of Grain-v1 to verify our distinguishers. It is found that the sum $M$ being greater (or less) than the expected value $m\mathcal{E}$ happens for close to 50% of samples for higher rounds (see towards the end of Section 3, Section 4 and Section 4.1). Therefore, from this experimental fact, we can distinguish Grain-v1 with the above-mentioned reduced rounds from a random source. Now we present the distinguishing technique on Grain-v1.
In the case of Grain-v1, the length of the key is $n = 80$ and the length of IV is $l = 64$. Consider there are $t_1$, $t_2$, and $t_3$ many Type I, Type II, and Type III conditions, respectively. As per the involvement of state bits in Type I and Type III conditions, $t_1$ and $t_3$ many bits in the IV and the key $K$ need to be fixed, respectively. In the case of the Type II conditions, $t_2$ many IV bits are dependent on some key bits and IV bits. Each assignment of the $t_2$ many IV bits provides a group where we need to check the bias. Let us denote the assignments for the $t_2$ many IV bits as $A_i$, $0 \le i \le 2^{t_2} - 1$, in some order. One of the $2^{t_2}$ many assignments for the $t_2$ many IV bits must satisfy the Type II conditions. As the key bits are secret, the correct assignment is not known to the observer.
For each assignment $A_i$, Grain-v1 has a domain of IVs of size $2^{64 - t_1 - t_2}$. For all the assignments corresponding to Type II conditions, it is expected that the keystream bit $z$ will be produced with some bias, i.e. for certain $b \in F_2$, we expect a deviation in $\Pr[\Delta z = b] - \frac{1}{2}$. Hence, for a random key and $b \in F_2$, we calculate the probability $p_i = \Pr[\Delta z = b]$ for each assignment $A_i$, $0 \le i \le 2^{t_2} - 1$. As each $p_i$, $0 \le i \le 2^{t_2} - 1$, might be very close to 0.5, we calculate

$$W = \sum_{0 \le i \le 2^{t_2}-1,\; p_i \ge 1/2} \left(p_i - \frac{1}{2}\right).$$

If it is found that $W$ is either greater than $2^{t_2}\mathcal{E}$ for a large percentage (i.e. significantly more than 50%) of the randomly chosen keys, or less than $2^{t_2}\mathcal{E}$ for a large percentage (i.e. significantly more than 50%) of the randomly chosen keys, then we claim that the cipher output is not pseudorandom. In that event, it is possible to distinguish Grain-v1 from a random source. This technique has earlier been exploited in [6]. We too follow this method to design the distinguishers on Grain-v1 in Sections 3 and 4. Algorithm 2 describes the distinguisher for Grain-v1 with $r$ number of KSA rounds. The success rate of the distinguisher (described in Algorithm 2) will vary with the input of the algorithm (Fig. 3).

Fig. 3 Algorithm 2: distinguisher for the first keystream bit of Grain-v1 with r KSA rounds

2.2 Existing conditional differential attacks on Grain-v1
In this subsection, we briefly present the existing works on the conditional differential attack on Grain-v1. All these works are based on a single bit difference (i.e. $\mathrm{wt}(a) = 1$) in the IV, which is also known as a one-dimensional cube attack. In the case of Grain-v1, the key length $n = 80$ and the IV length $l = 64$. Let us denote by $e_i \in F_2^{64}$, $0 \le i \le 63$, the unit binary vector where the $i$th position from the left in $e_i$ is 1 and the other positions are 0.
In 2010, Knellwolf et al. [3] proposed the conditional differential attack with a one bit difference in the IV of Grain-v1 with 97 initialisation rounds. The difference vector $a$ was chosen as $e_{37}$, i.e. they selected two IVs as $IV = (iv_0, \ldots, iv_{37}, \ldots, iv_{63})$ and $IV' = (iv_0, \ldots, 1 + iv_{37}, \ldots, iv_{63})$ for the difference. Let $z_i$ and $z'_i$ be the $i$th keystream bits with IVs $IV$ and $IV'$, respectively, and $\Delta z_i = z_i + z'_i$ be the difference between them. To control the initial spread of the differences in the state, they imposed certain conditions on the bits of IV to make $\Delta z_{12} = 0$, $\Delta z_{34} = 0$, $\Delta z_{40} = 0$, and $\Delta z_{46} = 0$. With such conditions, non-randomness has been observed at the 97th round. In the same paper, they extended the result to 104 initialisation rounds with a single bit difference in the IV.
In 2014, Banik [5] chose the difference vector a = e61 and
improved the result till 105 initialisation rounds. The author
imposed some conditions on the bits of IV to make
Δz15 = Δz36 = Δz39 = Δz42 = 0. Having the IV's with the imposed
conditions, non-randomness in the first keystream bit of Grain-v1
with 105 initialisation rounds could be observed.
In 2015, Sarkar [6] improved the number of rounds to 106 by
taking the difference vector a = e62. This could be achieved by
finding the conditions on the IV bits by making
Δz16 = Δz34 = Δz37 = Δz40 = 0. The distinguisher could distinguish
Grain-v1 with 106 initialisation rounds from a random source with
a success rate of ∼63%.
In 2016, Ma et al. [7] proposed a conditional differential attack
on Grain-v1 with 107 initialisation rounds. For 107 rounds, they
chose three different difference vectors e34, e60, and e63. For the
difference vector, a = e63, they imposed conditions on the IV bits to
make Δz17 = Δz35 = Δz38 = Δz41 = Δz46 = 0. With these conditions,
they observed bias at the first keystream bit of Grain-v1 with 107
initialisation rounds. Similarly, for e34, e60 they imposed several
conditions and observed the presence of bias in the first keystream
bit of Grain-v1 with 107 initialisation rounds. In the same paper,
they extended the conditional differential attack on Grain-v1 with
110 initialisation rounds by choosing the difference vector a = e37.
They imposed conditions on the IV bits to make
Δz12 = Δz34 = Δz40 = Δz46 = Δz48 = 0. With these conditions, the
authors have observed bias in the first keystream bit of Grain-v1
with 110 initialisation rounds. As these are experimental biases, the
exact number of samples needs to be described. While this is clear
in the case for 107 rounds [7, Table 4], the number of the secret
key used in the case of 110 rounds [7, Table 5] is not provided.
In the same year, Watanabe et al. [8] proposed a conditional differential attack on Grain-v1 with 114 initialisation rounds. In this work, the authors imposed some conditions on IV bits as well as on secret key bits. Since conditions are applied on 40 secret key bits, the attack is restricted to a subset of the key space of size $2^{40}$, whereas the size of the key space is $2^{80}$. If the unknown secret key $K$ is from the set of $2^{80} - 2^{40}$ many keys then their adversary will not be able to distinguish Grain-v1 from a random source. Furthermore, the domain of the weak key space (i.e. of size $2^{40}$) is immediately prone to exhaustive key search attack and thus this result does not look significant.
In 2018, Ma et al. [9] used the difference vector $e_{37}$ to design a distinguisher on Grain-v1 with 111 initialisation rounds. The success rate of their distinguisher is ∼83%. They have imposed some conditions on the state bits to prevent the first five difference propagations. From these conditions on state bits, they obtained a total of 14 Type I and 15 Type II conditions. These Type I and Type II conditions provide a bias in the first keystream bit after 111 initialisation rounds.
Our distinguisher is practical and is experimentally verified.
The comparison between the existing practical attacks and our
present work is presented in Tables 1 and 2.
However, one may immediately note that all the works [3, 5–9] in this direction are based on a difference vector of weight 1, i.e. a one bit difference in the IV. The comparison covers the improvement in distinguishing success chance, the dimension of the IV space, the key space and the query space. The dimension of the IV space is equal to (64 − the number of Type I and Type II conditions) and the dimension of the key space is equal to (80 − the number of Type III conditions). Furthermore, the dimension of the query space is proportional to (the number of Type II conditions + 1), as in each case we need to run the cipher with the same key and two different IVs. Some theoretical cryptanalytic results (see towards the end of Section 1) are available on Grain-v1 with full initialisation round, which are not practical at the current time.

Table 1 Comparison table (in the single key model)

| Reference | R | #Key | #Type I, II, III conditions | #Queries | $\lvert K \rvert$ | Success rate |
|---|---|---|---|---|---|---|
| Knellwolf et al. [3] | 97 | 1024 | 33, 5, 0 | $2^{31}$ | $2^{80}$ | 83% |
| Knellwolf et al. [3] | 104 | 1024 | 25, 5, 0 | $2^{39}$ | $2^{80}$ | 58% |
| Banik [5] | 105 | 1000 | 25, 6, 0 | $2^{39 - n_1}$ (a) | $2^{80}$ | 92% |
| Sarkar [6] | 106 | 1000 | 34, 6, 0 | $2^{30}$ | $2^{80}$ | 63% |
| Ma et al. [7] | 104 | 1024 | 14, 15, 0 | $2^{40}$ | $2^{80}$ | 97% |
| Ma et al. [7] | 107 | 64 | 12, 12, 0 | $2^{42}$ (b) | $2^{80}$ | 99% |
| Ma et al. [7] | 110 | NA | 17, 15, 0 | $2^{47}$ | $2^{80}$ | NA |
| Ma et al. [9] | 111 | 64 | 14, 15, 0 | $2^{35}$ | $2^{80}$ | 83% |
| our work | 112 | 2048 | 29, 7, 0 | $2^{35}$ | $2^{80}$ | 99% |

R: number of KSA rounds.
#Key: number of random keys used in the experiment. The higher number of keys confirms the success probability better.
#Queries: number of queries used for each random key.
$\lvert K \rvert$: size of the key space where the distinguisher gets success.
(a) $n_1 \le 5$ is the number of extra Type I conditions for faster implementation.
(b) Only for the difference $e_{63}$.

Table 2 Comparison table (in the weak/related key model)

| Reference | R | #Key | #Type I, II, III conditions | #Queries | $\lvert K \rvert$ | Key model | Success rate |
|---|---|---|---|---|---|---|---|
| Watanabe et al. [8] | 114 | 128 | 23, 1, 39 | $2^{32}$ | $2^{40}$ | weak | NA |
| our work | 114 | 2048 | 30, 7, 2 | $2^{34}$ | $2^{78}$ | weak | 73% |
| our work | 116 | 4096 | 36, 7, 5 | $2^{28}$ | $2^{75}$ | related (a) | 62% |

R: number of KSA rounds.
#Key: number of random keys used in the experiment. The higher number of keys confirms the success probability better.
#Queries: number of queries used for each random key.
$\lvert K \rvert$: size of the key space where the distinguisher gets success.
(a) Two related keys differ only in one place. Existing works are based on a larger number of key bit differences under different attack models.

3 Distinguisher on Grain-v1 with 112 KSA rounds
The non-randomness in the first keystream bit of Grain-v1 with 97, 104, 105, 106, 110, and 111 initialisation rounds has been observed in [3, 5–7, 9]. Furthermore, the same is done for 114 initialisation rounds in the weak key set-up of key space size $2^{40}$ in [8]. These works exploited the transmission of bias from a single bit difference in the IV. At present, the single bit difference approach appears to be exhausted; hence, working on a single bit difference in a similar direction seems difficult for higher rounds, as it needs a powerful computer to study the equations generated at higher rounds.
Working with multiple-bit difference vectors, in general, spreads more differences into the state, as there are multiple non-zero positions in a multiple-bit difference vector. Hence, it creates more situations where $\Delta z_t \ne 0$ and generates complicated equations at lower rounds. As a result, it becomes more difficult to analyse for a higher round. In contrast, there could be some difference vectors of multiple weight where the differences generated by the different non-zero positions cancel each other to give $\Delta z_t = 0$. Hence, if such a difference vector is chosen then the attacker can make $\Delta z_t = 0$ for higher rounds and attack a larger number of rounds.
In our work, we have improved the number of initialisation
rounds by imposing a two bit difference in the IV, i.e. by using a
difference vector of weight two. Let us denote the vector
e_{i,j} ∈ F_2^64, 0 ≤ i < j ≤ 63, such that e_{i,j} = e_i + e_j. For our
work, we choose the difference vector e_{20,45} of weight two from the
C(64, 2) = 2016 possibilities. The reason for choosing the specific
difference vector e_{20,45} is described in Remark 1.
Remark 1: For each of the 2016 possible difference vectors e_{i,j} of
weight two, we experimentally checked the probability of the
difference Δz_t = z_t + z'_t at the output of every round t, 0 ≤ t ≤ 41,
for a large number of random (key, IV) pairs. Hence, for each e_{i,j},
there is a partition of the set {0, 1, …, 41} into disjoint subsets
S1, S2 and S3 such that Δz_t = 0 for t ∈ S1, Δz_t = 1 for t ∈ S2 and
Δz_t is a non-constant function of K, IV for t ∈ S3. For a chosen
e_{i,j}, we act on these three situations as follows.
• When t ∈ S1: since Δz_t = 0, no difference is added to the state
from z_t. We need not do anything in this situation.
• When t ∈ S2: since Δz_t = 1 (a constant function), it is not possible
to put any condition on the state bits to stop the propagation of
the difference into the state. Hence, we prefer to choose e_{i,j}
with S2 = ∅.
• When t ∈ S3: since Δz_t is a non-constant function of IV and K, it
is possible to put conditions on the bits of IV and/or K such that
Δz_t = 0. According to the bits of IV and K involved, the
conditions are classified as Type I, Type II and Type III.
Hence we need to choose e_{i,j} such that the size of the set S3 is
minimised, which possibly gives a minimal set of conditions.
From the initial rounds (i.e. 0 ≤ t ≤ 41), we need to find a set
S2 ∪ S3 containing few elements. Refining further, our aim is to
choose e_{i,j} such that S2 = ∅ and S3 is as small as possible.
We experimentally checked each possible e_{i,j} for a large set of
random (K, IV) pairs. The experimental results show that the vectors
e_{20,45}, e_{23,61} and e_{38,62} have the smallest sets S2 ∪ S3.
Furthermore, our distinguisher gives the best success rate for the
difference vector e_{20,45}. Hence, we choose e_{20,45} as the difference
vector for the distinguisher.
For the difference vector e_{20,45}, the difference probabilities
Pr[Δz_t ≠ 0] are non-zero for t = 17, 20, 36, 37 and 38. Therefore,
our aim is to find a set of conditions on IV and key bits such that
the restriction Δz17 = Δz20 = Δz36 = Δz37 = Δz38 = 0 is satisfied.
The reason for choosing the restrictions on Δz17, Δz20, Δz36, Δz37
and Δz38 is as follows.
Let two instances of the cipher be initialised with IV and
IV' = IV + e_{20,45}. The states at the tth round are S_t and S'_t,
respectively. Denote ΔS_t = S_t + S'_t, t ≥ 0. The states S_0 and S'_0 at
the zeroth round differ in exactly two positions with probability 1.
As the number of KSA rounds increases, the number of difference
positions increases with a complicated probability distribution. Our
goal is to minimise the differences for the maximum possible number
of initialisation rounds by imposing specific conditions on the bit
values of IV.
In the KSA, the keystream bit z_t is XORed into the feedback bits of
both the LFSR and the NFSR. The main reason for the transmission of
the difference into the state bits is the injection of the difference
in z_t via these feedback bits. We denote the tth keystream bits of
the cipher with initial states S_0 and S'_0 by z_t and z'_t,
respectively. Since the two initial states differ in two bits, the
keystream bits z_t and z'_t start to differ after a certain number of
rounds t. The difference of the keystream bits Δz_t = z_t + z'_t is a
function of the bits of the key K and IV. The algebraic expression of
this function becomes more complicated as the number of rounds
increases. We use SAGE [23] to compute the algebraic expressions of
the function Δz_t for 0 ≤ t ≤ 41. The conditions on IV bits are
generated by imposing the condition Δz_t = 0 as follows:
[C0.] Case (0 ≤ t ≤ 41 and t ≠ 17, 20, 36, 37, 38): It is observed
that Δz_t = 0 for 0 ≤ t ≤ 16, 18 ≤ t ≤ 19, 21 ≤ t ≤ 35 and 39 ≤ t ≤ 41.
Hence, we have nothing to impose for these rounds.
[C1.] Case t = 17: In the 17th round, Δz17 = P1(K, IV), where
P1(K, IV) is a polynomial involving the bits of K and IV. The
algebraic normal form of P1 is provided in [24]. For a fixed key K, we
need to find the set of IVs such that P1(K, IV) = 0. Since finding
this set is quite difficult, we choose a subset of IVs by imposing
some conditions on the IV bits such that P1(K, IV) = Δz17 = 0. We
follow the method explained in Section 3.1 to make Δz17 = 0. We
set iv47 = iv63 = 0 and iv1 = iv4 + iv14 + iv24 + iv26 + iv39. With these
conditions, the equation becomes Δz17 = iv52 + F1(K), where F1 is a
function involving only the secret key bits. Further fixing
iv52 = F1(K), we get Δz17 = 0. Therefore, with the three Type I
conditions iv47 = 0; iv63 = 0; iv1 + iv4 + iv14 + iv24 + iv26 + iv39 = 0
and the one Type II condition iv52 = F1(K), we have a smaller set of
IVs where Δz17 = 0.
[C2.] Case t = 20: At this round, Δz20 = P2(K, IV), where P2 is a
polynomial involving the bits of K and IV. The algebraic normal
form of P2 is provided in [24]. Similarly to [C1], we set some
conditions on the IV bits so that Δz20 = 0. Setting iv49 = 0 and
iv3 = iv6 + iv23, we have the equation Δz20 = iv28 + F2(K), where F2
is a function involving only the secret key bits. Furthermore,
imposing the extra condition iv28 = F2(K), we have Δz20 = 0.
Therefore, we set two Type I conditions iv49 = 0;
iv3 + iv6 + iv23 = 0 and one Type II condition iv28 = F2(K).
[C3.] Case t = 36: In this case, we have Δz36 = P3(K, IV), where
P3 is a polynomial involving the bits of K and IV. As the algebraic
expression of P3 is very large, the algebraic normal form of P3 is
placed at [24]. The same technique (as in Section 3.1) has been
followed to make Δz36 = P3 = 0. To set Δz36 = 0, we fix the conditions
iv5 = iv14 = iv48 = 0; iv2 = iv22 = iv44 = 1; iv15 = iv25; iv40 = iv53;
iv16 = iv19 + iv23 + iv24 + iv26 + iv41.
After setting these conditions, we have
Δz36 = iv54 + iv27·iv54 + iv54·F3(K) + iv27·f1(K) + f2(K)
     = iv54(1 + iv27 + F3(K)) + iv27·f1(K) + f2(K).
Here, F3, f1 and f2 are functions of the key bits. Furthermore, setting
iv27 = F3(K) and iv54 = F3(K)·f1(K) + f2(K) = F4(K), we get
Δz36 = 0. Therefore, setting the nine Type I conditions
iv5 = iv14 = iv48 = iv15 + iv25 = iv40 + iv53 = 0;
iv16 + iv19 + iv23 + iv24 + iv26 + iv41 = 0; iv2 = iv22 = iv44 = 1 and the
two Type II conditions iv27 = F3(K); iv54 = F4(K), we get Δz36 = 0.
[C4.] Case t = 37: In the 37th round, we have Δz37 = P4(K, IV),
where P4 is a polynomial involving the bits of K and IV. The
algebraic normal form of P4 is available in [24]. To make Δz37 = 0,
we impose the conditions
iv24 = iv46 = iv50 = iv51 = iv62 = 0; iv19 = 1; iv34 = iv43 + iv53 + iv56;
iv7 = iv4 + iv8 + iv18 + iv21 + iv29 + iv30 + iv59. After fixing these
conditions, we have Δz37 = iv53 + F5(K). Now considering
iv53 = F5(K), we have Δz37 = 0. Therefore, at the 37th round, we set
the following eight Type I and one Type II conditions.

Type I: iv24 = iv46 = iv50 = iv51 = iv62 = 0;
iv19 = 1; iv34 + iv43 + iv53 + iv56 = 0;
iv4 + iv7 + iv8 + iv18 + iv21 + iv29 + iv30 + iv59 = 0
Type II: iv53 = F5(K).

[C5.] Case t = 38: In this round, we have Δz38 = P5(K, IV),
where P5 is a polynomial involving the bits of K and IV. The
algebraic normal form of P5 is available in [24].
To have Δz38 = 0, we impose iv17 = iv39 = iv42 = iv55 = 0,
iv8 = iv18, iv21 = iv30, iv56 = iv41 + iv43. So, we have the equation
Δz38 = iv59 + iv23·iv59 + iv59·F6(K) + iv23·f3(K) + f4(K)
     = iv59(1 + iv23 + F6(K)) + iv23·f3(K) + f4(K).
Furthermore, imposing the conditions iv23 = F6(K) and
iv59 = F6(K)·f3(K) + f4(K) = F7(K), we have Δz38 = 0.
Finally, for the 38th round, we set the following seven Type I
conditions and two Type II conditions to have Δz38 = 0.

Type I: iv17 = iv39 = iv42 = iv55 = iv8 + iv18 =
iv21 + iv30 = iv41 + iv43 + iv56 = 0
Type II: iv23 = F6(K); iv59 = F7(K).

Therefore, for a fixed key K, setting the conditions proposed in C1,
C2, C3, C4 and C5 on the bits of IV, we will have Δz_t = 0 for
0 ≤ t ≤ 41. We summarise the difference propagation and the required
Type I and Type II conditions in Table 3. It can be observed that,
unlike the results in [3, 5–7], in our case there is no t,
0 ≤ t ≤ 41, for which Δz_t = 1. This provides an advantage in
obtaining an improved distinguisher by choosing the difference
vector e_{20,45}.
For the 42nd round, the algebraic expression of Δz42 is very
large and complicated in the bits of K and IV. However, the items
[C1, C2, C3, C4, C5] contain 29 Type I conditions and 7 Type II
conditions, which are listed below in (6). Hence, with these
conditions, we have Δz_t = 0 for 0 ≤ t ≤ 41.

Type I:
iv5 = iv14 = iv17 = iv24 = iv39 = iv42 = iv46 = iv47
= iv48 = iv49 = iv50 = iv51 = iv55 = iv62 = iv63 = 0;
iv2 = iv19 = iv22 = iv44 = 1; iv8 = iv18; iv15 = iv25;
iv21 = iv30; iv40 = iv53; iv3 = iv6 + iv23;
iv41 = iv43 + iv56; iv34 = iv43 + iv53 + iv56;
iv1 = iv4 + iv14 + iv24 + iv26 + iv39;
iv16 = iv19 + iv23 + iv24 + iv26 + iv41;
iv4 = iv7 + iv8 + iv18 + iv21 + iv29 + iv30 + iv59;
Type II:
iv52 = F1(K); iv28 = F2(K); iv27 = F3(K);
iv54 = F4(K); iv53 = F5(K); iv23 = F6(K);
iv59 = F7(K).                                              (6)

This set of conditions can further be simplified as
Type I:
iv5 = iv14 = iv17 = iv24 = iv39 = iv42 = iv46
= iv47 = iv48 = iv49 = iv50 = iv51 = iv55
= iv62 = iv63 = 0;
iv2 = iv19 = iv22 = iv44 = 1;
iv1 = iv4 + iv26; iv3 = iv6 + iv23;
iv4 = iv7 + iv29 + iv59; iv8 = iv18;
iv15 = iv25; iv16 = 1 + iv23 + iv26 + iv41;
iv21 = iv30; iv34 = iv41 + iv53;
iv40 = iv53; iv41 = iv43 + iv56;
Type II:
iv52 = F1(K); iv28 = F2(K); iv27 = F3(K);
iv54 = F4(K); iv53 = F5(K); iv23 = F6(K);
iv59 = F7(K).

Table 3 Differential status of Grain-v1 from round 0 to round 41
Round (i) | Δz_i | Type-I conditions | Type-II conditions
0–16 | 0 | no conditions | no conditions
17 | P1(K, IV) | iv47 = iv63 = 0; iv1 + iv4 + iv14 + iv24 + iv26 + iv39 = 0 | iv52 = F1(K)
18 and 19 | 0 | no conditions | no conditions
20 | P2(K, IV) | iv49 = 0; iv3 + iv6 + iv23 = 0 | iv28 = F2(K)
21–35 | 0 | no conditions | no conditions
36 | P3(K, IV) | iv5 = iv14 = iv48 = iv15 + iv25 = iv40 + iv53 = 0; iv16 + iv19 + iv23 + iv24 + iv26 + iv41 = 0; iv2 = iv22 = iv44 = 1 | iv27 = F3(K); iv54 = F4(K)
37 | P4(K, IV) | iv24 = iv46 = iv50 = iv51 = iv62 = 0; iv19 = 1; iv34 + iv43 + iv53 + iv56 = 0; iv4 + iv7 + iv8 + iv18 + iv21 + iv29 + iv30 + iv59 = 0 | iv53 = F5(K)
38 | P5(K, IV) | iv17 = iv39 = iv42 = iv55 = iv8 + iv18 = iv21 + iv30 = iv41 + iv43 + iv56 = 0 | iv23 = F6(K); iv59 = F7(K)
39–41 | 0 | no conditions | no conditions

Fig. 4 Distinguisher for Grain-v1 with 112 KSA rounds

The Type II conditions are imposed on the seven known IV bits iv23,
iv27, iv28, iv52, iv53, iv54 and iv59 and a set of unknown key bits. For an
unknown fixed key K and a chosen IV, if the values of Fi(K),
i = 1, 2, …, 7, match the values of the above-mentioned IV bits,
respectively, then all Type II conditions are satisfied and hence
Δz_t = 0 for 0 ≤ t ≤ 41. Consider an unknown random key K and an IV
satisfying all Type I conditions. Then there is one assignment out of
the 2^7 possible assignments of the seven bits iv23, iv27, iv28, iv52,
iv53, iv54 and iv59 that satisfies the Type II conditions. Since the
secret key K is unknown, we have to try all 2^7 possible assignments
of the bits iv23, iv27, iv28, iv52, iv53, iv54 and iv59, and there is a
case for which Δz_t = 0 for 0 ≤ t ≤ 41, i.e. there must be a case for
which Pr[Δz_t = 0] = 1, while for the other 127 cases Pr[Δz_t = 0] ≤ 1
for 0 ≤ t ≤ 41. Note that among these 127 non-satisfying assignments
there might be many for which Pr[Δz_t = 0] = 1 for 0 ≤ t ≤ 41 − l, for
some small integer l.
For high values of t, the probability Pr[Δz_t = 0] is expected to be
1/2. However, the existence of a case where Pr[Δz_t = 0] = 1 for
0 ≤ t ≤ 41 (or 0 ≤ t ≤ 41 − l for some integer l) motivates us to
search for non-randomness at higher rounds and to construct a
distinguisher. For a random key K, the probability p_i = Pr[Δz_r = 1]
is calculated for each assignment A_i, 0 ≤ i ≤ 127, of the IV bits
iv23, iv27, iv28, iv52, iv53, iv54 and iv59 for a higher value of r. We
have observed a small non-randomness in some assignments for r = 112.
As each assignment corresponds to a very small bias, we use this fact
to present a distinguisher as discussed in Section 2.1.
Consider W = Σ_{0 ≤ i ≤ 127, p_i > 1/2} (p_i − 1/2). If Grain-v1 with 112
initialisation rounds generates pseudorandom bits, then the expected
value of W would be W_φ = 2^7·ℰ, where ℰ = 1/√(8πN) and N is the size
of the sample space. The number of IV bits fixed by the Type I and
Type II conditions is 29 + 7 = 36. As we take a pair IV, IV' to create
the differences, there are 64 − 36 − 1 = 27 free IV bits that can be
used to generate 2^27 samples. Putting the sample size N = 2^27 in (5),
we have W_φ ≃ 0.0022.
We performed experiments on 2048 random keys and observed that for
∼99% of the keys W > 0.0022. This took around 5 days on a machine
having 120 processors with a 2.8 GHz clock in a multi-user
environment. With this experiment, we can distinguish Grain-v1 with
112 initialisation rounds from a random source with a success rate
of ∼99%. For cross-checking, we also performed the same experiment
for round 113 and achieved a success rate of 45%, which is close to
50%. To claim the success rate of 45%, we would need to run the same
experiment for a larger number of random keys, which is not possible
at this point with our present computational power.

Hence, the proposed distinguisher, designed by selecting the IV
differential set of dimension 2, can distinguish the stream cipher
Grain-v1 with 112 initialisation rounds from a uniform random
source with a significantly high success rate (∼99%).
The proposed distinguisher for Grain-v1 with 112 KSA rounds
is presented as follows. The pictorial view of our distinguisher is
provided in Fig. 4.
• A distinguisher for the first keystream bit of Grain-v1 with 112
KSA rounds:
i. A random key K of 80 bits is generated.
ii. An adversary A is given oracle access to the pseudorandom bit
generator, which generates keystream bits using K.
iii. A selects a 64-bit IV which satisfies the Type I and Type II
conditions in (6).
iv. A constructs another IV, IV' = IV + e_{20,45}.
v. A considers all possible 0/1 values of the seven IV bits involved
in the Type II conditions.
vi. For every possible 0/1 assignment of the seven IV bits (involved
in Type II), A queries 2^27 pairs (IV, IV') to the oracle.
vii. For the 2^7 · 2^27 = 2^34 IVs, the oracle returns z and z'
corresponding to IV and IV'.
viii. For every possible 0/1 assignment of those seven IV bits
(involved in Type II), A segregates the keystream bits into 2^7
buckets ℬ_i, i = 0, …, 127. Here, each bucket contains 2^27 pairs z
and z'.
ix. A computes the probability p_i = Pr[z ≠ z'] for each bucket ℬ_i,
i = 0, …, 127.
x. A computes W = Σ_{0 ≤ i ≤ 127, p_i > 1/2} (p_i − 1/2).
xi. If W > 0.0022, then A claims that the oracle is Grain-v1 with
112 KSA rounds generating the keystream bits. Otherwise, A claims
that the oracle is generating random bits.
It has been experimentally observed that the success rate of the
adversary A is ∼99%.
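The decision part of the procedure above (steps viii–xi), as an added example that is not code from the paper: it computes W and the random-source expectation W_φ = 2^7/√(8πN) from Section 2.1, and runs them over a constructed stand-in oracle whose per-bucket biases are chosen for illustration only; the function names and the bias values are assumptions.

```python
"""Bucket statistic W and its random-source expectation W_phi for the
Grain-v1 distinguisher (added example; the oracle below is constructed)."""
import math
import random

BUCKETS = 128  # 2^7 assignments of the seven IV bits in the Type II conditions


def w_expected(n_samples, buckets=BUCKETS):
    """W_phi = 2^7 * E with E = 1/sqrt(8*pi*N): expected W for a uniform source."""
    return buckets / math.sqrt(8 * math.pi * n_samples)


def w_statistic(p):
    """W = sum over buckets with p_i > 1/2 of (p_i - 1/2)."""
    return sum(pi - 0.5 for pi in p if pi > 0.5)


def bucket_probabilities(oracle, n_samples, buckets=BUCKETS):
    """p_i = Pr[z != z'] per bucket, estimated from n_samples (z, z') pairs each.
    oracle(i, j) returns the pair (z, z') for assignment i and free-IV sample j."""
    p = []
    for i in range(buckets):
        differing = sum(z != z2 for z, z2 in (oracle(i, j) for j in range(n_samples)))
        p.append(differing / n_samples)
    return p


def distinguish(oracle, n_samples):
    """Step xi: claim 'Grain-v1' when W exceeds W_phi; returns (verdict, W)."""
    w = w_statistic(bucket_probabilities(oracle, n_samples))
    return w > w_expected(n_samples), w


def make_constructed_oracle(biased_buckets, bias, seed=0):
    """Constructed stand-in for the keystream oracle (not real Grain-v1):
    Pr[z != z'] is 1/2 + bias in the given buckets and exactly 1/2 elsewhere."""
    rng = random.Random(seed)

    def oracle(i, j):
        z = rng.getrandbits(1)
        p_diff = 0.5 + (bias if i in biased_buckets else 0.0)
        return z, z ^ (1 if rng.random() < p_diff else 0)

    return oracle


if __name__ == "__main__":
    for n in (2**27, 2**26, 2**20):   # the three sample sizes used in the paper
        print(f"N = 2^{n.bit_length() - 1}: W_phi = {w_expected(n):.5f}")
    print("biased oracle:", distinguish(make_constructed_oracle(set(range(16)), 0.25), 256))
    print("unbiased oracle:", distinguish(make_constructed_oracle(set(), 0.0, seed=2), 256))
```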
3.1 Function reduction method
It can be observed from [24] that the algebraic normal forms of the
functions Pi(K, IV), 1 ≤ i ≤ 5, are quite complicated. In Section 3,
we have imposed some Type I and Type II conditions to get
Pi(K, IV) = 0 for 1 ≤ i ≤ 5. These Type I and Type II conditions are
obtained by carefully analysing the functions. We follow the steps
below to get these Type I and Type II conditions.
i. Firstly, we save the complete algebraic expression of the
function into a file.
ii. We assign 0 or 1 values to some IV bits to simplify the
function.
iii. Then we replace some IV bits by linear combinations of some
other IV bits to get a more simplified form of the function.
iv. Finally, some IV bits are substituted in terms of the secret key
bits to get Pi(K, IV) = 0.
Most of this work is done manually. Let us discuss the scenario
for P2(K, IV), as the other functions can be tackled with the same
technique. From the algebraic normal form of the function
P2(K, IV) (which can be found in [24]), one can observe that the bit
iv49 is involved in many monomials. Hence, the algebraic normal form
is made simpler by substituting iv49 = 0. Furthermore, substituting
iv3 + iv6 + iv23 = 0, the algebraic normal form of the function
P2(K, IV) becomes as simple as iv28 + F2(K). Finally, the Type II
condition iv28 = F2(K) helps us to achieve P2(K, IV) = 0. We have
followed a similar method for the other complicated functions, and
naturally for the functions P3, P4 and P5 it took quite a bit of
effort. Software to handle these issues may provide even better
results, which may be explored in the future.
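To check the observations [C0]–[C2] of Section 3 and the Section 3.1 reductions of P1 and P2 in software, here is an added example (not code from the paper) implementing the Grain-v1 key-scheduling algorithm from its public specification; the function names and the constructed sample keys are assumptions. It confirms that with no conditions Δz_t = 0 for t ≤ 16 and t = 18, 19, and that under the Type I conditions of [C1] and [C2] the residuals Δz17 + iv52 and Δz20 + iv28 depend on the key alone, i.e. they are the F1(K) and F2(K) of the text.

```python
"""Grain-v1 initialisation with the IV difference e_{20,45}: checks [C0]-[C2] and
the Section 3.1 reductions (added example, not the paper's code)."""
import random

KEY_BITS, IV_BITS, STATE_BITS = 80, 64, 80
OUTPUT_TAPS = (1, 2, 4, 10, 31, 43, 56)  # NFSR bits added linearly to the pre-output


def h(x0, x1, x2, x3, x4):
    """Grain-v1 filter function; x0..x3 are LFSR bits, x4 is an NFSR bit."""
    return (x1 ^ x4 ^ (x0 & x3) ^ (x2 & x3) ^ (x3 & x4) ^ (x0 & x1 & x2)
            ^ (x0 & x2 & x3) ^ (x0 & x2 & x4) ^ (x1 & x2 & x4) ^ (x2 & x3 & x4))


def lfsr_feedback(s):
    """Linear feedback s_{i+80} of the 80-bit LFSR (s[j] holds s_{i+j})."""
    return s[62] ^ s[51] ^ s[38] ^ s[23] ^ s[13] ^ s[0]


def nfsr_feedback(s, b):
    """Non-linear feedback b_{i+80} of the NFSR; s_i is mixed in linearly."""
    return (s[0] ^ b[62] ^ b[60] ^ b[52] ^ b[45] ^ b[37] ^ b[33] ^ b[28] ^ b[21]
            ^ b[14] ^ b[9] ^ b[0]
            ^ (b[63] & b[60]) ^ (b[37] & b[33]) ^ (b[15] & b[9])
            ^ (b[60] & b[52] & b[45]) ^ (b[33] & b[28] & b[21])
            ^ (b[63] & b[45] & b[28] & b[9]) ^ (b[60] & b[52] & b[37] & b[33])
            ^ (b[63] & b[60] & b[21] & b[15])
            ^ (b[63] & b[60] & b[52] & b[45] & b[37])
            ^ (b[33] & b[28] & b[21] & b[15] & b[9])
            ^ (b[52] & b[45] & b[37] & b[33] & b[28] & b[21]))


def pre_output(s, b):
    """z_i = tapped NFSR bits + h(s_{i+3}, s_{i+25}, s_{i+46}, s_{i+64}, b_{i+63})."""
    z = h(s[3], s[25], s[46], s[64], b[63])
    for k in OUTPUT_TAPS:
        z ^= b[k]
    return z


def ksa_outputs(key, iv, rounds):
    """Clock the KSA `rounds` times; key[i] = k_i loads n_i, iv[i] loads l_i, l_64..l_79 = 1."""
    b = list(key)
    s = list(iv) + [1] * (STATE_BITS - IV_BITS)
    zs = []
    for _ in range(rounds):
        z = pre_output(s, b)
        zs.append(z)
        # During initialisation the pre-output bit is fed back into both registers.
        s, b = s[1:] + [lfsr_feedback(s) ^ z], b[1:] + [nfsr_feedback(s, b) ^ z]
    return zs


def delta_z(key, iv, rounds, diff=(20, 45)):
    """Δz_t = z_t + z'_t for the IV pair (IV, IV + e_diff), 0 <= t < rounds."""
    iv2 = list(iv)
    for i in diff:
        iv2[i] ^= 1
    return [a ^ c for a, c in zip(ksa_outputs(key, iv, rounds), ksa_outputs(key, iv2, rounds))]


def random_bits(rng, n):
    return [rng.getrandbits(1) for _ in range(n)]


def rounds_with_difference(samples=32, rounds=42, seed=1):
    """Rounds t < rounds where Δz_t != 0 for some random (K, IV) pair, no conditions
    imposed; [C0] predicts that no t < 17 and neither 18 nor 19 can appear."""
    rng = random.Random(seed)
    hit = set()
    for _ in range(samples):
        d = delta_z(random_bits(rng, KEY_BITS), random_bits(rng, IV_BITS), rounds)
        hit.update(t for t, v in enumerate(d) if v)
    return sorted(hit)


def c1_type1(iv):
    """Type I conditions of [C1]: iv47 = iv63 = 0 and iv1 = iv4 + iv14 + iv24 + iv26 + iv39."""
    iv[47] = iv[63] = 0
    iv[1] = iv[4] ^ iv[14] ^ iv[24] ^ iv[26] ^ iv[39]
    return iv


def c2_type1(iv):
    """Type I conditions of [C2]: iv49 = 0 and iv3 = iv6 + iv23."""
    iv[49] = 0
    iv[3] = iv[6] ^ iv[23]
    return iv


def residuals(key, t, type1, free_bit, samples=64, seed=2):
    """Set of values Δz_t + iv_free over random IVs meeting the Type I conditions, for one
    key. If the reduction Δz_t = iv_free + F(K) holds, the set has exactly one element."""
    rng = random.Random(seed)
    seen = set()
    for _ in range(samples):
        iv = type1(random_bits(rng, IV_BITS))
        seen.add(delta_z(key, iv, t + 1)[t] ^ iv[free_bit])
    return seen


if __name__ == "__main__":
    key = random_bits(random.Random(3), KEY_BITS)   # constructed sample key
    print("rounds t < 42 with a difference (no conditions):", rounds_with_difference())
    print("[C1] Δz17 + iv52 over conditioned IVs:", residuals(key, 17, c1_type1, 52))
    print("[C2] Δz20 + iv28 over conditioned IVs:", residuals(key, 20, c2_type1, 28))
```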

4 Distinguisher on Grain-v1 with 114 KSA rounds
In this section, we design a distinguisher on Grain-v1 with 114
initialisation rounds. The idea is to increase the number of rounds
in two steps.
• In the first step, we put the conditions iv63 = iv62 = ⋯ = iv63−j = 1
for some j ≥ 0 and generate conditions as discussed in Section 3 to
obtain a distinguisher at the rth round.
• Since we are able to run the inverse of the KSA for j + 1 rounds as
iv63 = ⋯ = iv63−j = 1, with some more conditions on key bits,
i.e. Type III conditions, we can design a distinguisher for
(r + j + 1) KSA rounds with some more conditions on the key
space.
For our work, we first put the three Type I conditions
iv63 = iv62 = iv61 = 1 on the last three IV bits. Then, following a
similar technique as in Section 3, we choose the same difference
vector a = e_{20,45} and generate the conditions as follows. We have
followed the same technique as in Section 3.1 to construct the
following Type I and Type II conditions.
[C0.] Case (0 ≤ t ≤ 41 and t ≠ 17, 20, 36, 37, 38): It is observed
that Δzt = 0 for 0 ≤ t ≤ 16, 18 ≤ t ≤ 19, 21 ≤ t ≤ 35, 39 ≤ t ≤ 41.
We need not require any additional condition for these rounds.
[C1.] Case t = 17: In this round, Δz17 = Q1(K, IV), where Q1 is a
polynomial involving the bits of K and IV. From now on we will
use the term Qi in general for this. Imposing the conditions on the
IV bits as
Type I: iv46 = iv0 + iv3 + iv25 = 0;
Type II: iv42 = G1(K),
we have Δz17 = Q1(K, IV) = 0.

[C2.] Case t = 20: In this round, Δz20 = Q2(K, IV). Similarly,
imposing the following conditions on the IV bits
Type I: iv49 = iv3 + iv6 + iv23 = 0;
Type II: iv28 = G2(K),
we get Δz20 = Q2(K, IV) = 0.

[C3.] Case t = 36: Here, Δz36 = Q3(K, IV). We set the following
conditions on the IV bits to make Δz36 = Q3(K, IV) = 0.
Type I: iv5 = iv48 = iv47 = 0, iv2 = 1,
iv25 = iv15, iv40 = iv53, iv22 = iv44, iv4 = iv26,
iv1 = iv16 + iv19 + iv23 + iv26 + iv39 + iv41;
Type II: iv27 = G3(K), iv54 = G4(K).

[C4.] Case t = 37: Here, Δz37 = Q4(K, IV). We set the following
conditions on the IV bits to make Δz37 = Q4(K, IV) = 0.
Type I: iv24 = iv50 = iv51 = 0,
iv16 = iv23 + iv26 + iv41,
iv7 = iv8 + iv16 + iv18 + iv21 + iv23 + iv29 + iv30 + iv34
+ iv41 + iv43 + iv44 + iv53 + iv56 + iv59;
Type II: iv53 = G5(K).

[C5.] Case t = 38: In this round, Δz38 = Q5(K, IV). We set the
following conditions to make Δz38 = Q5(K, IV) = 0.
Type I: iv34 = 0,
iv8 = iv17 + iv18 + iv21 + iv30 + iv34 + iv43 + iv44 + iv55,
iv17 = iv55, iv19 = iv39, iv23 = iv41 + iv44;
Type II: iv56 = G6(K), iv59 = G7(K).

Hence, for a fixed key K, if the IV bits satisfy the conditions [C1,
C2, C3, C4, C5] and the initial conditions iv63 = iv62 = iv61 = 1, then
Δz_t = 0 for 0 ≤ t ≤ 41. The complete set of Type I and Type II
conditions on the IV bits is given in (7).

Type I:
iv1 = iv5 = iv24 = iv34 = iv46 = iv47 = iv48
= iv49 = iv50 = iv51 = 0;
iv2 = iv61 = iv62 = iv63 = 1;
iv0 = iv3 + iv25; iv3 = iv6 + iv23; iv4 = iv26;
iv7 = iv26 + iv29 + iv53 + iv56 + iv59;
iv8 = iv18 + iv21 + iv30 + iv43 + iv44;
iv15 = iv25; iv16 = iv26 + iv44;
iv17 = iv55; iv19 = iv39; iv22 = iv44;
iv23 = iv41 + iv44; iv40 = iv53;
Type II:
iv42 = G1(K); iv28 = G2(K); iv27 = G3(K);
iv54 = G4(K); iv53 = G5(K); iv56 = G6(K);
iv59 = G7(K).                                              (7)

Since the last 3 bits of the IV are 1 (i.e. iv63 = iv62 = iv61 = 1),
there is a possibility of going t (t ≤ 3) inverse KSA rounds back to
obtain another valid initial state, keeping the last 16 bits of the
initial state S_0 (i.e. the padding bits) as 1. In this manner, one can
increase the round number to (112 + t) rounds with a few more
conditions on IV and K bits. We discuss the possibility of such an
improvement of the round number for t = 1, 2, 3 as follows.
For the first step of inversion in the KSA (i.e. t = 1), we need to
make z + l0 = 1, where z is the output bit and l0 is the feedback bit
of the LFSR for the inverse KSA. For this, we need to set the
following conditions on key and IV bits to have z = 1 and l0 = 0:
k0 = k1 + k3 + k9 + k30 + k42 + k55,                      (8)
iv12 = iv37 + iv44 + 1.                                     (9)
Following the same process for the second inverse round of the
KSA, we set the conditions as
iv44 = 0; iv11 = iv21 + iv36 + iv41 + iv60; iv41 = 0,      (10)
k79 = k1 + k2 + k3 + k9 + k13 + k20 + k27 + k29 + k30
+ k32 + k36 + k41 + k42 + k44 + k51 + k54 + k55
+ k59 + k61 + k8k14 + k32k36 + k59k62
+ k20k27k32 + k44k51k59 + k8k27k44k62
+ k14k20k59k62 + k32k36k51k59
+ k8k14k20k27k32 + k36k44k51k59k62
+ k20k27k32k36k44k51.                                       (11)
Now if we run one more inverse KSA round, then a difference vector
for the secret key K is formed. Since a difference is not allowed in
the secret key K, we cannot proceed to the third KSA inverse (i.e.
t = 3). This scenario is discussed in Section 4.1.
The inclusion of the two Type III conditions ((8) and (11)) reduces
the key space by a dimension of two (i.e. to one-fourth of the
original key space). Including these four Type I and two Type III
conditions with the constraints in (7) on the key and IV bits and
further imposing two inverse KSA rounds on the state, we have the
initial state S_0 for Grain-v1. Then, starting from the initial state
S_0, we have a non-randomness in the first keystream bit of Grain-v1
with 114 initialisation rounds.
In this case, the total number of free IV variables is 26 and the
number of Type II conditions is 7. Hence, the value of
W_φ = 2^7 × 1/√(8πN) ≃ 0.00312, where N = 2^26 is the size of the
sample space (see Section 2.1 for the calculation of W_φ).
Furthermore, to show a non-randomness in the 114th round of the
KSA, as in Section 3, we compute the sum
W = Σ_{0 ≤ i ≤ 127, p_i > 0.5} (p_i − 0.5), where p_i = Pr[Δz114 = 1]
corresponds to the ith assignment A_i, 0 ≤ i ≤ 127. Each
assignment A_i is an assignment of binary values to the seven IV
bits involved in the Type II conditions.
From the experiment with 2048 random keys, it is observed that
for ∼73% of the cases W < W_φ = 0.00312. Therefore, like the 112 KSA
rounds case, we can design a distinguisher for the first keystream
bit of Grain-v1 with 114 KSA rounds with a success rate of ∼73% in
the weak key setup given by the key relations in the Type III
conditions. For further cross-checking, we performed the same
experiment for 115 rounds and note that the experimental success
rate of distinguishing became ∼56%, which is closer to 50%. That is,
for 2^78 keys, the first keystream bit of Grain-v1 with 114
initialisation rounds can be distinguished from a random bit with a
success rate of ∼73%.
The success rate for the case of Grain-v1 with 115 initialisation
rounds is ∼56%. To use this small success rate for designing a
distinguisher, we would need to run the same experiment for a large
number of random keys, which is quite impossible for us with our
present computational power.

4.1 Non-randomness of Grain-v1 with 116 KSA rounds with
one bit difference in keys
This section extends the distinguisher from 114 initialisation
rounds to 116 rounds. We first introduce one extra Type I
condition iv60 = 1, then start the inverse KSA of Grain-v1 with the
same setup presented in Section 4. As we have already performed
two inverse KSA rounds, the IV difference bits have moved to the
22nd and 47th positions of the LFSR. After one more round of
inverse KSA, these difference bits will move to the 23rd and 48th
positions of the LFSR. During the inverse KSA, the bit at the 23rd
position of the LFSR is involved in the computation of the linear
feedback bit of the LFSR. Hence, it will flip the feedback bit of the
LFSR in this inverse KSA round. Furthermore, this feedback bit of
the LFSR is involved linearly in the feedback bit computation of
the NFSR. So it will also flip the feedback bit of the NFSR. After
this inverse round, the state bits l0, l23, l48 and {n0} of the
present state of the cipher are flipped. As we have set iv61 = 1 (in
Section 4), the last 16 bits of the LFSR remain valid (i.e. all 1).
For this one round of inverse KSA, we set some conditions on IV
bits and secret key bits to make z + l0 = 1 with z = 1 and l0 = 0
(as in Section 4). The following conditions are introduced here:
iv43 = 0; iv6 = iv15 + 1; iv10 = iv20 + iv35 + iv59;        (12)
k78 = k2 + k3 + k8 + k9 + k12 + k19 + k26 + k28 + k29
+ k30 + k31 + k35 + k40 + k41 + k42 + k43 + k50
+ k53 + k54 + k55 + k58 + k60 + k7k13 + k31k35
+ k58k61 + k19k26k31 + k43k50k58 + k7k26k43k61
+ k13k19k58k61 + k31k35k50k58 + k7k13k19k26k31
+ k35k43k50k58k61 + k19k26k31k35k43k50.                    (13)
Furthermore, we run the inverse KSA for one more round. It can be
observed that iv60 was free for the distinguisher on the 114th round
(presented in Section 4), but here we have set iv60 = 1. For the
second inverse KSA round the flipped bit at NFSR will move to
{n1} of the present state of NFSR. As the NFSR bit {n1} is involved
in the computation of keystream bit, the keystream bit z will be
flipped (i.e. Δz = 1) in this round. As a result, the linear feedback
bit of the LFSR of this inverse KSA round will also be flipped.
Owing to the linear involvement of both the keystream bit and the
linear feedback bit in the computation of non-linear feedback bit of
the NFSR, the non-linear feedback bit remains unaffected in this
inverse KSA round. After this inverse KSA round, state bits
{l0, l1, l24, l49} of the current state of LFSR and state bit {n1} of
current state of NFSR are flipped. The last 16 bits of LFSR remain
valid (i.e. all 1) as we have set iv60 = 1. In this inverse KSA round,
we also set following conditions on IV bits and secret key bits to
make z + l0 = 1, where z = 1 and l0 = 0 (as in Section 4)
iv21 = iv42 + 1; iv9 = iv39 + iv58;                        (14)
k59 = 0;                                                    (15)
k77 = k1 + k2 + k7 + k8 + k11 + k18 + k25 + k27 + k28
+ k29 + k30 + k34 + k39 + k40 + k41 + k42 + k49
+ k52 + k53 + k54 + k57 + k6k12 + k30k34
+ k57k60 + k18k25k30 + k42k49k57 + k6k25k42k60
+ k12k18k57k60 + k30k34k49k57 + k6k12k18k25k30
+ k34k42k49k57k60 + k18k25k30k34k42k49.                    (16)
To go back further, we would need to set iv59 = 1, which is not
possible as this bit is involved in the Type II conditions (see (7)).
Here we have allowed a 1 bit difference in the state of the NFSR,
i.e. we have allowed a 1 bit difference in the secret key bits for
116 rounds. For the two extra inverse KSA rounds, three extra
Type III and six extra Type I conditions (including iv60 = 1) are
introduced. Here, we consider two states which differ only at
{n1, l0, l1, l24, l49} as the initial states of the two ciphers. After
that, we perform 116 KSA rounds on both ciphers. Under the Type I,
Type II and Type III conditions, we have observed the following
non-randomness in Δz116 after 116 initialisation rounds.
It can be noticed that the sample size is reduced to 2^20. With
this, we calculate W_φ, which is ∼0.02493. Now we compute
W = Σ_{0 ≤ i ≤ 127, p_i > 0.5} (p_i − 0.5), where p_i = Pr[Δz116 = 1]
corresponds to the ith assignment A_i, 0 ≤ i ≤ 127.
For each key, we compute W and compare it with W_φ ≃ 0.02493. We
performed this experiment for 4096 random keys and observed that
for 62% of the cases W < W_φ (≃ 0.02493). Hence, Grain-v1 with 116
KSA rounds can be distinguished in a weak key setup with a 1 bit
difference in the secret key and a 4 bit difference in the IV. To
further cross-check our distinguisher, we performed the same
experiment for 117 rounds, but the success rate is 52% (which is
very close to 50%). To claim this success chance of ≃ 52%, we would
need to repeat this experiment for a large number of random keys,
which is an impossible task with our present computational power.
Existing works under the related key setup require more key bit
differences than ours, but their round numbers are higher than 116.
Our main contribution is the distinguisher, and we show how the
technique could be evolved when very few key bits differ.

5 Conclusion
In this study, we have introduced distinguishers for Grain-v1 with
112 and 114 initialisation rounds. The first one can distinguish
Grain-v1 with 112 initialisation rounds from a random source with
a 99% success rate. The second one can distinguish Grain-v1 with
114 initialisation rounds from a random source with a 73% success
rate in a weak key setup for one-fourth of all the keys. Here, for the
first time, we have used the difference vector of weight 2 to
improve the number of rounds. The analysis in certain cases is
indeed complicated and required manual intervention rather than
writing computer programmes. Finally, the distinguisher for 114
rounds could be extended to 116 rounds with 1 bit and 4 bit
differences in key and IV, respectively. The success rate of this
distinguisher is 62%. We are presently working on similar
techniques for Grain-128a. Furthermore, conditional differential
attack on stream ciphers (designed like Grain) with more IV bit
differences can possibly be thought of as future work. Automated
handling of such scenarios will be of considerable interest.

6 Acknowledgments
The authors would like to thank the anonymous reviewers for their
valuable suggestions and comments, which considerably improved
the quality of the paper.

7 References
[1] Hell, M., Johansson, T., Meier, W.: ‘Grain: a stream cipher for constrained environments’, Int. J. Wirel. Mob. Comput., 2007, 2, (1), pp. 86–93
[2] eSTREAM: Stream cipher project for ECrypt. Available at http://www.ecrypt.eu.org/stream/, 2005
[3] Knellwolf, S., Meier, W., Naya-Plasencia, M.: ‘Conditional differential cryptanalysis of NLFSR-based cryptosystems’. Advances in Cryptology - ASIACRYPT 2010, Toronto, Canada, 2010, pp. 130–145
[4] Aumasson, J.-P., Dinur, I., Henzen, L., et al.: ‘Efficient FPGA implementations of high-dimensional cube testers on the stream cipher grain-128’. Special-purpose Hardware for Attacking Cryptographic Systems, SHARCS'09, Lausanne, Switzerland, 2009, p. 147
[5] Banik, S.: ‘Conditional differential cryptanalysis of 105 round grain v1’, Cryptogr. Commun., 2016, 8, pp. 113–137
[6] Sarkar, S.: ‘A new distinguisher on Grain v1 for 106 rounds’. Int. Conf. on Information Systems Security, Kolkata, India, 2015, pp. 334–344
[7] Ma, Z., Tian, T., Qi, W.-F.: ‘Improved conditional differential attacks on Grain v1’, IET Inf. Sec., 2017, 11, (1), pp. 46–53
[8] Watanabe, Y., Todo, Y., Morii, M.: ‘New conditional differential cryptanalysis for NLFSR-based stream ciphers and application to Grain v1’. 2016 11th Asia Joint Conf. on Information Security (AsiaJCIS), Fukuoka, Japan, 2016, pp. 115–123
[9] Ma, Z., Tian, T., Qi, W.-F.: ‘A new distinguishing attack on Grain-v1 with 111 initialization rounds’, J. Syst. Sci. Complex., 2018, 32, pp. 1–14
[10] Cannière, C.D., Küçük, Ö., Preneel, B.: ‘Analysis of grain's initialization algorithm’. AFRICACRYPT, Casablanca, Morocco, 2008, pp. 276–289
[11] Mihaljević, M.J., Sinha, N., Gangopadhyay, S., et al.: ‘An improved cryptanalysis of lightweight stream cipher Grain-v1’. Cryptacus: Workshop and MC meeting, Nijmegen, Netherlands, 16–18 November 2017
[12] Zhang, B., Xu, C., Meier, W.: ‘Fast near collision attack on the grain v1 stream cipher’. EUROCRYPT, Tel Aviv, Israel, 2018, pp. 771–802
[13] Todo, Y., Isobe, T., Meier, W., et al.: ‘Fast correlation attack revisited – cryptanalysis on full Grain-128a, Grain-128, and Grain-v1’. Advances in Cryptology - CRYPTO 2018, Santa Barbara, CA, USA, 2018, pp. 129–159
[14] Banik, S.: ‘Some insights into differential cryptanalysis of Grain v1’. Australasian Conf. on Information Security and Privacy, Wollongong, Australia, 2014, pp. 34–49
[15] Banik, S., Maitra, S., Sarkar, S.: ‘A differential fault attack on the grain family of stream ciphers’. Cryptographic Hardware and Embedded Systems, Leuven, Belgium, 2012, pp. 122–139
[16] Banik, S., Maitra, S., Sarkar, S.: ‘A differential fault attack on the grain family under reasonable assumptions’. Indocrypt, Kolkata, India, 2012, pp. 191–208
[17] Ding, L., Jin, C., Guan, J., et al.: ‘New state recovery attacks on the Grain v1 stream cipher’, China Commun., 2016, 13, (11), pp. 180–188
[18] Dinur, I., Shamir, A.: ‘Breaking Grain-128 with dynamic cube attacks’. Fast Software Encryption, Lyngby, Denmark, 2011, pp. 167–187
[19] Fischer, S., Khazaei, S., Meier, W.: ‘Chosen IV statistical analysis for key recovery attacks on stream ciphers’. AFRICACRYPT, Casablanca, Morocco,
2008, pp. 236–245
Ma, Z., Tian, T., Qi, W.-F.: ‘Conditional differential attacks on Grain-128a
stream cipher’, IET Inf. Sec., 2017, 11, (3), pp. 139–145
Knellwolf, S.: ‘Cryptanalysis of hardware-oriented ciphers the Knapsack
generator, and SHA-1’, PhD dissertation, Zurich, 2012
Lee, Y., Jeong, K., Sung, J., et al.: ‘Related-key chosen IV attacks on Grainv1 and Grain-128’. Australasian Conf. on Information Security and Privacy
2008, Wollongong, Australia, 2008, pp. 321–335
SAGE: Open source mathematical software, http://www.sagemath.org/
Supporting Materials: Available at https://drive.google.com/drive/folders/
1FukMCaCeCRVidgQVMLpf_L5yFoVC60-9?usp=sharing

613

