Grain 128a explained

The Grain 128a stream cipher was first purposed at Symmetric Key Encryption Workshop (SKEW) in 2011^[1] as an improvement of the predecessor Grain 128, which added security enhancements and optional message authentication using the Encrypt & MAC approach. One of the important features of the Grain family is that the throughput can be increased at the expense of additional hardware. Grain 128a is designed by Martin Ågren,^[1] Martin Hell, Thomas Johansson and Willi Meier.

Description of the cipher

Grain 128a consists of two large parts: Pre-output function and MAC. The pre-output function has an internal state size of 256 bits, consisting of two registers of size 128 bit: NLFSR and LFSR. The MAC supports variable tag lengths w such that

0<w\leq32

. The cipher uses a 128 bit key.

The cipher supports two modes of operation: with or without authentication, which is configured via the supplied

IV₀

such that if

IV₀₌₁

then authentication of the message is enabled, and if

IV₀₌₀

authentication of the message is disabled.

Pre-output function

The pre-output function consists of two registers of size 128 bit: NLFSR (

) and LFSR (

) along with 2 feedback polynomials

and

and a boolean function

f(x)=1+x³²+x⁴⁷+x⁵⁸+x⁹⁰+x¹²¹+x¹²⁸

g(x)=1+x³²+x³⁷+x⁷²+x¹⁰²+x¹²⁸+x⁴⁴x⁶⁰+x⁶¹x¹²⁵+x⁶³x⁶⁷x⁶⁹x¹⁰¹+x⁸⁰x⁸⁸+x¹¹⁰x¹¹¹+x¹¹⁵x¹¹⁷+x⁴⁶x⁵⁰x⁵⁸+x¹⁰³x¹⁰⁴x¹⁰⁶+x³³x³⁵x³⁶x⁴⁰

h(x)=b_i+12s_i+8+s_i+13s_i+20+b_i+95s_i+42+s_i+60s_i+79+b_i+12b_i+95s_i+94

In addition to the feedback polynomials, the update functions for the NLFSR and the LFSR are:

b_i+128=s_i+b_i+b_i+26+b_i+56+b_i+91+b_i+96+b_i+3b_i+67+b_i+11b_i+13+b_i+17b_i+18+b_i+27b_i+59+b_i+40b_i+48+b_i+61b_i+65+b_i+68b_i+84+b_i+88b_i+92b_i+93b_i+95+b_i+22b_i+24b_i+25+b_i+70b_i+78b_i+82

s_i+128=s_i+s_i+7+s_i+38+s_i+70+s_i+81+s_i+96

The pre-output stream (

) is defined as:

y_i=h(x)+s_i+93+b_i+2+b_i+15+b_i+36+b_i+45+b_i+64+b_i+73+b_i+89

Initialisation

Upon initialisation we define an

of 96 bit, where the

IV₀

dictates the mode of operation.

The LFSR is initialised as:

s_i=IV_i

for

0\leqi\leq95

s_i=1

for

96\leqi\leq126

s₁₂₇=0

The last 0 bit ensures that similar key-IV pairs do not produce shifted versions of each other.

The NLFSR is initialised by copying the entire 128 bit key (

) into the NLFSR:

b_i=k_i

for

0\leqi\leq127

Start up clocking

Before the pre-output function can begin to output its pre-output stream it has to be clocked 256 times to warm up, during this stage the pre-output stream is fed into the feedback polynomials

and

Key stream

The key stream (

) and MAC functionality in Grain 128a both share the same pre-output stream (

). As authentication is optional our key stream definition depends upon the

IV₀

When authentication is enabled, the MAC functionality uses the first

bits (where

is the tag size) after the start up clocking to initialise. The key stream is then assigned every other bit due to the shared pre-output stream.

If authentication is enabled:

z_i=y_2w+2i

If authentication is disabled:

z_i=y_i

MAC

Grain 128a supports tags of size

up to 32 bit, to do this 2 registers of size

is used, a shift register(

) and an accumulator(

). To create a tag of a message

where

is the length of

m+1

as we have to set

m_L=1

to ensure that i.e.

m1=1

and

m2=10

has different tags, and also making it impossible to generate a tag that completely ignores the input from the shift register after initialisation.

For each bit

0\leqj\leq31

in the accumulator we at time

0\leqi\leqL

we denounce a bit in the accumulator as

	j
a
	i

Initialisation

When authentication is enabled Grain 128a uses the first

bits of the pre-output stream(

) to initialise the shift register and the accumulator. This is done by:

Shift register:

r_i=y_i+31

for

0\leqi\leq31

Accumulator:

	j
a
	0

=y_j

for

0\leqj\leq31

Tag generation

Shift register:

The shift register is fed all the odd bits of the pre-output stream(

r_i+31=y_64+2i+1

Accumulator:

	j
a
	i+1

	j
a
	i

+m_ir_i+j

for

0\leqi\leqL

Final tag

When the cipher has completed the L iterations the final tag(

) is the content of the accumulator:

t_i=

	i
a
	L+1

for

0\leqi\leq31

External links

A New Version of Grain-128 with Authentication

Notes and References

Web site: Publications by Martin Ågren . Martin Ågren . 9 May 2013 . dead . https://web.archive.org/web/20140312023217/http://www.eit.lth.se/index.php?uhpuid=dhs.mta&hpuid=666&L=1 . 12 March 2014 .