Some Conditional Cube Testers for Grain-128a of Reduced Rounds.

In this article, a new strategy, maximum last $\alpha$ α round, is proposed to select cubes for cube attacks. This strategy considers the cubes in a particular round where the probability of its superpoly to be 1 is at most $\alpha$ α , where $\alpha$ α is a very small number. A heuristic method to find a number of suitable cubes using this strategy and the previously used strategies (i.e., maximum initial zero, maximum last zero) are proposed. To get a bias at the higher rounds, the heuristic, too, imposes conditions on some state bits of the cipher to make the non-constant superpoly of a cube as zero for the first few rounds. Some cube testers are formed by using those suitable cubes to implement a distinguishing attack on Grain-128a of reduced KSA (or initialization) rounds. We present a distinguisher for Grain-128a of 191 (out of 256) KSA round in the single key setup and 201 (out of 256) KSA round in the weak key setup by using the cubes of dimension 5. The number of rounds is the highest till today, and the cube dimension is smaller than the previous results. Further, we tested our algorithm on Grain-128 and achieved good results by using small cubes. [ABSTRACT FROM AUTHOR]