Key recovery attacks on Grain family using BSW sampling and certain weaknesses of the filtering function

A novel internal state recovery attack on the whole Grain family of ciphers is proposed in this work. It basically uses the ideas of BSW sampling along with employing a weak placement of the tap positions of the driving LFSRs. The currently best known complexity trade-offs are obtained, and due to the structure of Grain family these attacks are also key recovery attacks. It is shown that the internal state of Grain-v1 can be recovered with the time complexity of about 2 operations using a memory of about 2 bits, assuming availability of 2 keystream sequences each of length 2 bits generated for different initial values. Moreover, for Grain-128 or Grain-128a, the attack requires about 2 operations using a memory of about 2 bits, assuming availability of 2 keystream sequences each of length 2 bits generated for different initial values. These results further show that the whole Grain family, due to the choice of tap positions mainly, does not provide enough security margins against internal state recovery attacks. A simple modification of the selection of the tap positions, as a countermeasure against the attacks described here, is given.