Grain-128AEAD is a stream cipher supporting authenticated encryption with associated data. It is currently one of the ciphers in the NIST lightweight crypto standardization process.

Here, we collect material related to the cipher, including design documents and hardware/software implementations. If you are aware of documents or results that should be shown here, please let us know. We'd be happy to link to any third-party material.

Grain-128AEAD is a member of the Grain family of stream ciphers. Many of the other variants in the family have undergone much analysis. Those results, while sometimes also valid for Grain-128AEAD, will not be featured on this website. However, the design document includes several references to these for anyone interested.

Design documents

  • Martin Hell, Thomas Johansson, Willi Meier, Jonathan Sönnerup and Hirotaka Yoshida: An AEAD variant of the Grain stream cipher. C2SI 2019.
    This paper presents the core design of Grain-128AEAD. Note that it does not follow the NIST API, as it does not, e.g., explicitly handle variable-length associated data.
  • Martin Hell, Thomas Johansson, Willi Meier, Jonathan Sönnerup and Hirotaka Yoshida: Grain-128AEAD - A lightweight AEAD stream cipher. NIST 2019.
    This is the official round 2 specification of the design (on NIST's website). Note that it is identical to the round 1 specification.

Hardware implementation

  • Jonathan Sönnerup, Martin Hell, Mattias Sönnerup and Ripudaman Khattar: Efficient Hardware Implementations of Grain-128AEAD. Indocrypt 2019.
    This paper presents a hardware implementation (VHDL) in 65 nm technology. Synthesis and power simulations are done using the Synopsys Design Compiler 2013.12. The implementation can be found in the Grain-128AEAD repo on GitHub.

Software implementation