Quantum security of Grain-128/Grain-128a stream cipher against HHL algorithm

HHL algorithm is a quantum algorithm for solving linear equation system. It can achieve an exponential improvement over the best classical algorithm. In this paper, we analyze the quantum security of Grain-128/Grain-128a stream cipher by using the HHL algorithm. Our algorithm is based on Chen and Gao’s research on solving nonlinear equation system in Chen et al. (Quantum algorithm for optimization and polynomial system solving over finite field and application to cryptanalysis, 2018. arXiv:​1802.​03856) and Chen et al. (Quantum algorithms for Boolean equation solving and quantum algebraic attack on cryptosystems, 2017. arXiv:​1712.​06239). Firstly, we build a nonlinear Boolean equation system by choosing any keystream. Then, the nonlinear equation system is transformed into a special linear equation system that can be solved with the HHL algorithm. Finally, we solve the system by the HHL quantum algorithm. Our attack requires \( N > {2^8} \)-bit keystream, and the complexity is \(O(2^{21} N^{3.5} \kappa ^2 e^\epsilon /\epsilon ^{0.5})\) for Grain-128, and \(O(2^{21.5} N^{3.5} \kappa ^2 e^\epsilon /\epsilon ^{0.5})\) for Grain-128a where \(\kappa \) is the condition number of the matrix of the corresponding linear systems and \(\epsilon \) is a given error bound. Then we give a toy example of Grain family to estimate \(\kappa \) and briefly analyze the security of Grain-128/Grain-128a against HHL algorithm.