A state bit recovery algorithm with TMDTO attack on Lizard and Grain-128a

We propose a deterministic algorithm to recover some state bits of any FSR-based stream cipher knowing some keystream bits by fixing some state bits. This algorithm searches for the number of fixing bits as minimum as possible. Applying the algorithm, we could recover 10 , 11 , … , 24 state bits by fixing 10, 12, 14, 16, 18, 20, 22, 24, 38, 40, 42, 44, 46, 48, 50 state bits respectively for Lizard and 35, 48 state bits by fixing 34, 54 state bits respectively for Grain-128a. The result on Lizard beats the previous result, which can recover 14 state bits by fixing 30 state bits and the result on Grain-128a is the first one in this direction. Further, we present the Time-Memory-Data Trade-Off (TMDTO) curve by using the number of recovering and fixing state bits. Then we use the obtained results on the number of recovering and fixing state bits of Lizard and Grain 128a to implement the TMDTO attack to recover other state bits of these two ciphers. Our results supersede the previous result by Maitra et al. (IEEE Trans Comput 67(5):733–739, 2018) (i.e., T = M = D = 2 54 ) on TMDTO attack on Lizard. The best results for Lizard are T = M = 2 54 , D = 2 48 which requires 64 times lesser data than in Maitra et al. (IEEE Trans Comput 67(5):733–739, 2018); T = 2 52 , M = D = 2 53 or, D = 2 52 , M = T = 2 53 which improves the minimization of max { T , M , D } ; T = 2 50 , M = D = 2 54 , which reduces the time complexity by 16 times than in Maitra et al. (IEEE Trans Comput 67(5):733–739, 2018); T = 2 42 , M = D = 2 60 which reduces the time complexity by 2 18 times with respect to overall complexity of Lizard claimed by Hamann et al. in FSE 2017.