The Grain Family of Stream Ciphers: an Abstraction, Strengthening of Components and New Concrete Instantiations

TL;DR

This paper formalizes the Grain family of stream ciphers, introduces strengthened component definitions, and proposes seven new cipher instantiations with improved security and efficiency at various security levels.

Contribution

It provides an abstract formalization of the Grain cipher family, enhances component definitions, and presents seven new cipher proposals with better cryptographic properties and efficiency.

Findings

New cipher proposals at multiple security levels with improved cryptographic properties.

Enhanced definitions of components including nonlinear Boolean functions and state update functions.

Some proposals achieve lower gate counts compared to existing standards.

Abstract

The first contribution of the paper is to put forward an abstract definition of the Grain family of stream ciphers which formalises the different components that are required to specify a particular member of the family. Our second contribution is to provide new and strengthened definitions of the components. These include definining new classes of nonlinear Boolean functions, improved definition of the state update function during initialisation, choice of the tap positions, and the possibility of the linear feedback shift register being smaller than the nonlinear feedback shift register. The third contribution of the paper is to put forward seven concrete proposals of stream ciphers by suitably instantiating the abstract family, one at the 80-bit security level, and two each at the 128-bit, 192-bit, and the 256-bit security levels. At the 80-bit security level, compared to the well known Grain~v1, the new proposal uses Boolean functions with improved cryptographic properties \textit{and} an overall lower gate count. At the 128-bit level, compared to ISO/IEC standard Grain-128a, the new proposals use Boolean functions with improved cryptographic properties; one of the proposals require a few extra gates, while the other has an overall lower gate count. At the 192-bit, and the 256-bit security levels, there are no proposals in the literature with smaller gate counts.