A New Distinguishing Attack on Grain-V1 with 111 Initialization Rounds

The Grain-v1 stream cipher has been selected in the eSTREAM hardware finalists. In this paper, the authors derive a new distinguishing attack on Grain-v1 with 111 initialization rounds in a single-key setting. To achieve this goal, the authors present two delicate strategies targeting an obvious distinguishing probability of the output difference of reduced Grain-v1. The authors show that conditional differential cryptanalysis of reduced Grain-v1 with 111 initialization rounds could mount a distinguishing attack with success probability about 0.8281 for all secret keys. It is also shown that when the attacking round further increases to 112 and 113, the distributions of the output differences are nearly random. Thus far, to the best of the authors’ knowledge, the attack on Grain-v1 with 111 initialization rounds is the best single-key cryptanalytic result for reduced versions of Grain-v1 in terms of the number of attacking rounds.