Research On Differential Fault Attack Of Grain

Grain is one of the final winner algorithms in the project of E-STREAM whichwas designed by M. Hell , T. Johansson and W. Meier. Grain is designed for hardwareimplementation of binary synchronous stream cipher. As the algorithm is designed tobe simple and the adjustable key quantity, Grain has widely concerned in cryptography.Grain has three versions:Grain v0, Grain v1 and Grain-128.These constructionsare basically similar to each other. In Grain v0 and Grain v1,both shift registers are 80bits in sizes, and the internal state variable are 160 bits. In Grain-128, both shiftregisters are 128 bits in sizes, and the internal state variable are 256 bits respectively.After Grain v0 was submitted, many scholars have conducted the deep research to it.By the approach of linear sequence circuit, S.Khazaei, M. Hassanzadeh and M. Kiaeifind a linear function whose correlation is about 2^-63.7 . Then they make a distinguishattack. A.Maximov presented a key recovery attack of Grain v0. The attack needs only2⁴³ computation and 2⁴² bits memory and 2³⁸ bits keystream. A.Maximov made greatadvice to the design of Grain, and then he joined the design of Grain-128.On the basis of existing research result, this paper is discussed on the followingaspects.By analyzing the weakness in design of the stream cipher Grain-v1, adifferential fault attack is presented. The attack makes use of the weakness that the keystream equations in the first 17 times have comparatively low orders. The attackerneeds to inject faults to the specified positions of LFSR at the stage of generating keystream. By differentiating, the attacker is able to acquire 17 linear equations which arelinear independent and 80 initial states of the stream cipher directly. The attacker justneeds to guess 62bits internal states, and then all the internal state can be achieved. Theproposed attack algorithm can reduce the complexity to O(2^74.26).The result shows that the algorithm which has been analyzed exists securityvulnerabilities, and the computational complexity of attacks is lower than that thedesigners claimed O(2⁸⁰).