Related Key Chosen IV Attack on Grain-128a Stream Cipher

The well-known stream cipher Grain-128 is a variant version of Grain v1 with 128-bit secret key. Grain v1 is a stream cipher which has successfully been chosen as one of seven finalists by European eSTREAM project. Yet Grain-128 is vulnerable against some recently introduced attacks. A new version of Grain-128 with authentication, named Grain-128a, is proposed by Agren, Hell, Johansson, and Meier. The designers claimed that Grain-128a is strengthened against all known attacks and observations on the original Grain-128. So far there exists no attack on Grain-128a except a differential fault attack by Banik, Maitra, and Sarkar. In this paper, we give some observations on Grain-128a, and then propose a related key chosen IV attack on Grain-128a based on these observations. Our attack can recover the 128-bit secret key of Grain-128a with a computational complexity of 2(96.322), requiring 2(96) chosen IVs and 2(103.613) keystream bits. The success probability of our attack is 0.632. This related key attack is "minimal" in the sense that it only requires two related keys. The result shows that our attack is much better than an exhaustive key search in the related key setting.