Grain is best described as a family of hardware-efficient (profile 2), synchronous stream ciphers. The cipher's initial version (article) used an 80-bit key and a 64-bit initialization vector, but analysis in the early stages of the eSTREAM effort compromised its security (see article). The revised specification, Grain v1, described two stream ciphers: one for 80-bit keys (with a 64-bit initialization vector) and another for 128-bit keys (with an 80-bit initialization vector). Elegant and simple, Grain v1 has been an attractive choice for cryptanalysts and implementors alike. The essential feature of the algorithm family is its two shift registers, one with linear feedback and the second with non-linear feedback. These registers, and the bits that are output, are coupled by means of very lightweight but judiciously chosen Boolean functions.

For the version that takes 80-bit keys, the specification given by Grain v1 is the currently recommended one. However, cryptanalysis of the 128-bit version of Grain v1 has led to the proposal of a new version called Grain 128a (article). This variant also specifies some additional registers to enable the calculation of a message authentication code in addition to generating a keystream. While Grain 128a retains the elegance of earlier versions of the cipher, in its fastest implementation it now occupies more space (2700 GE) and runs at half the speed of Grain v1. However, the design of the Grain family allows for an ingenious multiplication of throughput speed, though at the cost of a minor increase in the space consumed. Hardware performance of all profile-2 eSTREAM candidates (phase 3) was described in Good and Benaissa's paper at SASC 2008 (article). Prototype quantities of an ASIC containing all phase-3 hardware candidates were designed and fabricated on 0.18 μm CMOS, as part of the eSCARGOT project.
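The register coupling and the throughput multiplication can be seen in a bit-level model of the 80-bit Grain v1. This is an added example, not code from this page or from the designers' reference implementation: the tap positions follow the published Grain v1 specification, the byte-to-bit ordering in `bits` is an assumption of this sketch, and the output has not been checked here against the official test vectors.

```python
# Bit-level model of Grain v1 (80-bit key, 64-bit IV). Illustrative only.
LFSR_TAPS = (62, 51, 38, 23, 13, 0)
NFSR_LIN = (62, 60, 52, 45, 37, 33, 28, 21, 14, 9, 0)
NFSR_MONO = ((63, 60), (37, 33), (15, 9), (60, 52, 45), (33, 28, 21),
             (63, 45, 28, 9), (60, 52, 37, 33), (63, 60, 21, 15),
             (63, 60, 52, 45, 37), (33, 28, 21, 15, 9),
             (52, 45, 37, 33, 28, 21))
OUT_TAPS = (1, 2, 4, 10, 31, 43, 56)

def bits(data):
    # Assumption of this sketch: least significant bit of each byte first.
    return [(byte >> k) & 1 for byte in data for k in range(8)]

def step(s, b, j=0):
    """Return (LFSR feedback, NFSR feedback, output bit) at offset j.
    Only reads s and b, so several offsets can be evaluated side by side."""
    f = sum(s[t + j] for t in LFSR_TAPS) & 1
    g = (s[j] + sum(b[t + j] for t in NFSR_LIN)            # s[j] couples LFSR into NFSR
         + sum(all(b[t + j] for t in m) for m in NFSR_MONO)) & 1
    x0, x1, x2, x3, x4 = s[3 + j], s[25 + j], s[46 + j], s[64 + j], b[63 + j]
    h = (x1 ^ x4 ^ (x0 & x3) ^ (x2 & x3) ^ (x3 & x4) ^ (x0 & x1 & x2)
         ^ (x0 & x2 & x3) ^ (x0 & x2 & x4) ^ (x1 & x2 & x4) ^ (x2 & x3 & x4))
    z = (h + sum(b[t + j] for t in OUT_TAPS)) & 1
    return f, g, z

def init(key, iv):
    """Load key into the NFSR, IV plus sixteen 1-bits into the LFSR, then
    clock 160 times with the output fed back into both registers."""
    b, s = bits(key), bits(iv) + [1] * 16
    for _ in range(160):
        f, g, z = step(s, b)
        s, b = s[1:] + [f ^ z], b[1:] + [g ^ z]
    return s, b

def keystream(s, b, n, width=1):
    """Produce n keystream bits, `width` bits per clock (width <= 16).
    No tap index exceeds 64, so offsets 0..15 all stay inside the 80-bit
    state: width copies of f, g and h run in parallel on the old state."""
    out = []
    while len(out) < n:
        r = [step(s, b, j) for j in range(width)]
        s = s[width:] + [f for f, _, _ in r]
        b = b[width:] + [g for _, g, _ in r]
        out += [z for _, _, z in r]
    return out[:n]
```

Each extra unit of `width` corresponds in hardware to one more copy of the feedback and output functions, which is the modest area cost paid for the higher throughput.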

As with many stream ciphers, some cost is incurred during initialisation; its impact will depend on the intended application and the likely size of the messages being encrypted.


The initial cryptanalysis of Grain was proposed by Berbain, Gilbert and Maximov at FSE 2006 (article). This led to the design of Grain v1, which was included in the final eSTREAM portfolio. Recent cryptanalysis, primarily by Dinur and Shamir (article), has led to the 128-bit version of Grain v1 being replaced by a new variant of the cipher, Grain 128a (article), that also provides a mechanism for authentication.


There is some evidence that versions of the Grain family are currently being considered for deployment in niche, lightweight applications. The designers of Grain state that the algorithm is patent-free (see statement).


