The Grain Family of Stream Ciphers: an Abstraction, Strengthening of Components and New Concrete Instantiations
Palash Sarkar
TL;DR
The paper defines a formal abstract Grain family for hardware-oriented stream ciphers and strengthens its components, including new nonlinear functions, a revised initialization, and a systematic tap-position method. It then presents seven practical Grain instantiations across 80/128/192/256-bit security levels, featuring equal-length and smaller-LFSR variants, with improved cryptographic properties and reduced gate counts compared to prior designs. A scalable design approach is proposed, enabling rapid adaptation to future attack models while maintaining implementational efficiency. The work analyzes known attacks (cube, correlation, TMTO, fault, related-key) and argues that the new constructions exhibit enhanced resistance, supported by theoretical bounds and practical considerations such as a keystream cap of $2^{64}$ bits to limit feasible attacks. Overall, the paper advances a cohesive, scalable framework for secure, hardware-friendly Grain-based stream ciphers and provides concrete proposals with substantial performance and security benefits.
Abstract
The first contribution of the paper is to put forward an abstract definition of the Grain family of stream ciphers which formalises the different components that are required to specify a particular member of the family. Our second contribution is to provide new and strengthened definitions of the components. These include defining new classes of nonlinear Boolean functions, an improved definition of the state update function during initialisation, the choice of the tap positions, and the possibility of the linear feedback shift register being smaller than the nonlinear feedback shift register. The third contribution of the paper is to put forward seven concrete proposals of stream ciphers by suitably instantiating the abstract family, one at the 80-bit security level, and two each at the 128-bit, 192-bit, and the 256-bit security levels. At the 80-bit security level, compared to the well known Grain v1, the new proposal uses Boolean functions with improved cryptographic properties and an overall lower gate count. At the 128-bit level, compared to the ISO/IEC standard Grain-128a, the new proposals use Boolean functions with improved cryptographic properties; one of the proposals requires a few extra gates, while the other has an overall lower gate count. At the 192-bit and the 256-bit security levels, there are no proposals in the literature with smaller gate counts.
