Grain-128AEAD

Grain-128AEAD is a stream cipher supporting authenticated encryption with associated data. It is currently one of the ciphers in the NIST lightweight crypto standardization process.

Here, we collect material related to the cipher, including design documents and hardware/software implementations. If you are aware of documents or results that should be shown here, please let us know through hirotaka.yoshida@@aist.go.jp or martin.hell@eit.lth.se. We'd be happy to link to any third party material.

Grain-128AEAD is a member of the Grain family of stream ciphers. Many of the other variants in the family have undergone much analysis. Those results, while sometimes also valid for Grain-128AEAD, will not be featured on this website. However, the design document includes several references to these for anyone interested.

Design documents

  • Martin Hell, Thomas Johansson, Alexander Maximov, Willi Meier and Hirotaka Yoshida: Grain-128AEADv2: Strengthening the Initialization Against Key Reconstruction.
    This document discusses in detail the motivation behind the changes made to the version 2 of the algorithm compared to the first version. It is the same document as published on eprint (2021/751).
  • Martin Hell, Thomas Johansson, Alexander Maximov, Willi Meier, Jonathan Sönnerup and Hirotaka Yoshida: Grain-128AEADv2 - A lightweight AEAD stream cipher. NIST 2021.
    This is the official round 3 (finalist) specification of the design (on NISTs website). It presents an update to the version in the first two rounds and is denoted Grain-128AEADv2.
  • Martin Hell, Thomas Johansson, Willi Meier, Jonathan Sönnerup and Hirotaka Yoshida: Grain-128AEAD - A lightweight AEAD stream cipher. NIST 2019.
    This is the official round 2 specification of the design (on NISTs website). Note that it is identical to the round 1 specification.
  • Martin Hell, Thomas Johansson, Willi Meier, Jonathan Sönnerup and Hirotaka Yoshida: An AEAD variant of the Grain stream cipher. C2SI 2019.
    This paper presents the core design of Grain-128AEAD. Note that it does not follow the NIST API as it does not e.g., explicitly handle variable length associated data.

Hardware implementation

  • Jonathan Sönnerup, Martin Hell, Mattias Sönnerup and Ripudaman Khattar: Efficient Hardware Implementations of Grain-128AEAD. Indocrypt 2019.
    This paper presents a hardware implementation (VHDL) in 65nm technology. Synthesis and power simulations is done using the Synopsys Design Compiler 2013.12. The implementation can be found on the Grain-128AEAD repo on Github.

Software implementation

  • The software implementation for Grain-128AEADv2 can be found in the zip-file on NISTs webpage. Note that there are both a reference implementation and optimized implementations. Make sure to use the optimized implementations for benchmarking.
  • The reference software implementation for the original version (used in round 1 and round 2 of NIST LWC) can be found in the Grain-128AEAD repo on Github. The reference implementation is also available on NISTs round 2 website.
  • Alexander Maximov and Martin Hell: Software Evaluation of Grain-128AEAD for Embedded Platforms. ePrint 2020/659.
    This paper describes implementations optimized for embedded platforms. The two smallest processors in the FELICS-AEAD framework are used as target, the 8-bit AVR ATmega 128 and the 16-bit MSP430F1611.