## Cryptology ePrint Archive: Report 2012/349

A Differential Fault Attack on Grain-128a using MACs

Subhadeep Banik and Subhamoy Maitra and Santanu Sarkar

Abstract: The $32$-bit MAC of Grain-128a is a linear combination of the first 64 and then the alternative keystream bits. In this paper we describe a successful differential fault attack on Grain-128a, in which we recover the secret key by observing the correct and faulty MACs of certain chosen messages. The attack works due to certain properties of the Boolean functions and corresponding choices of the taps from the LFSR. We present methods to identify the fault locations and then construct set of linear equations to obtain the contents of the LFSR and the NFSR. Our attack requires less than $2^{11}$ fault injections and invocations of less than $2^{12}$ MAC generation routines.

Category / Keywords: implementation / Grain v1, Grain-128, Grain-128a, LFSR, MAC, NFSR, Stream Cipher.