An Observation of Non-randomness in the Grain Family of Stream Ciphers with Reduced Initialization Round

The key scheduling algorithm (KSA) of the Grain family of stream ciphers expands the uniformly chosen key (K) and initialization vector (IV) to a larger uniform looking state. The existence of non-randomness in KSA results a non-randomness in final keystream. In this paper, we observe a non-randomness in the KSA of Grain-v1 and Grain-128a stream ciphers of reduced round R. However, we could not exploit the non-randomness into an attack. It can be claimed that if the KSA generates pseudorandom state, then the probability of generating a valid state T (i.e., in the range set of KSA function) of Grain-v1, Grain-128a must be \(2^{-\delta }\), where \(\delta \) is the length of padding bits. In case of Grain-v1 and Grain-128a, \(\delta =16, 32\) respectively. We show that a new valid state can be constructed by flipping 3 and 19 bits of a given state in Grain-v1 and Grain-128a respectively with a probability higher than \(2^{-\delta }\). We show that the non-randomness happens for \(R \le 129\) and \(R\le 208\) rounds of KSA of Grain-v1 and Grain-128a respectively. Further, in the case of Grain-v1, we also found non-randomness in some key, IV bits from the experiment.