ISO/IEC 29167-13 — Grain-128A Stream Cipher for RFID Security

Information technology — Automatic identification and data capture techniques — Part 13: Crypto suite Grain-128A for security services

1. Grain-128A: A Stream Cipher for RFID

ISO/IEC 29167-13 specifies the Grain-128A stream cipher as a cryptographic suite for RFID security services. Grain-128A is an evolution of the eSTREAM finalist Grain v1, designed by Hell, Johansson, and Meier. It is a lightweight stream cipher that uses a 128-bit key and a 96-bit initialization vector (IV) to generate a keystream for encrypting data. Unlike block ciphers such as AES-128 and PRESENT-80, which operate on fixed-size blocks, Grain-128A generates a continuous keystream that can be XORed with data of arbitrary length — a natural fit for RFID applications where message sizes vary from a few bytes (authentication tokens) to hundreds of bytes (user data reads).

Grain-128A’s hardware footprint is approximately 2,130 gate equivalents in a 0.18 µm process — smaller than AES-128 (3,400 GE) but larger than PRESENT-80 (1,570 GE). However, its stream cipher nature means zero padding overhead: a 3-byte Read command requires only 3 bytes of keystream, with no block padding waste.

The cipher is built around two shift registers: a 128-bit Linear Feedback Shift Register (LFSR) and a 128-bit Nonlinear Feedback Shift Register (NFSR). The LFSR ensures a long period and good statistical properties, while the NFSR introduces nonlinearity that resists algebraic and correlation attacks. The output function combines bits from both registers through a nonlinear Boolean function to produce the keystream bit. During the initialization phase, the key and IV are loaded into the registers, and the cipher is clocked 256 times without producing output, allowing the state to mix thoroughly.

2. Operational Modes and Protocol Integration

The standard defines Grain-128A’s operation within the SMP framework for two primary functions: (1) encrypted data transfer using the generated keystream, and (2) message authentication using a ciphertext feedback mode. For encryption, the reader and tag first synchronize their cipher states by exchanging an IV through the Authenticate command. Once synchronized, both parties generate identical keystreams and use them to encrypt and decrypt subsequent messages.

| Phase | Operation | Data Flow | Clock Cycles Required |
|---|---|---|---|
| 1. IV Exchange | Reader sends 96-bit IV | Reader → Tag | — (over-the-air) |
| 2. Initialization | Load key + IV, 256 clocks | Internal (tag) | 256 @ 100 kHz = 2.56 ms |
| 3. Keystream Generation | Generate N bits | Internal (both) | N @ 1 bit/clock |
| 4. Data XOR | Encrypt/decrypt payload | Bidirectional | — (combinatorial) |

A key engineering advantage of Grain-128A is that keystream generation can begin before all data is received. As soon as the initialization phase completes, the tag can pre-compute keystream bytes and store them in a small FIFO buffer. This look-ahead generation enables zero-latency encryption: the encrypted data is available one clock cycle after the last plaintext bit arrives, compared to the 240+ clock cycles needed for AES-128 block encryption.

The message authentication mode uses a ciphertext feedback approach. After encrypting the message, the tag computes an authentication tag by feeding the ciphertext back into the cipher state for an additional 64 clock cycles. The resulting 64-bit MAC is appended to the encrypted message. The reader performs the same computation to verify the MAC. This integrated authenticated encryption (AE) scheme eliminates the need for a separate MAC engine, reducing the overall gate count by approximately 15% compared to implementing encryption and authentication separately.

3. Security Considerations and Hardware Implementation

Grain-128A provides 128-bit security against brute-force key search. The cipher has been extensively analyzed since its introduction, and as of 2026, the best known attacks are against reduced-round variants only. The full 256-clock initialization provides strong resistance against related-key attacks and time-memory-data tradeoff attacks. The 128-bit internal state size limits the keystream length to 2^64 bits before the LFSR state repeats, which is far beyond any practical RFID usage scenario.

Grain-128A, like all stream ciphers, has a critical security requirement: the same (Key, IV) pair must never be used to encrypt two different messages. If a keystream is reused, an attacker can XOR the two ciphertexts to cancel the keystream and obtain the XOR of the plaintexts. The standard mandates that the reader manage IV uniqueness across all transactions, typically by using a monotonically increasing counter as part of the IV. Tags should reject repeated IV values.
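
The keystream-reuse failure and a tag-side IV freshness check, as an added example that is not taken from the standard or from any vendor code. The keystream generator is a SHAKE-128 stand-in rather than Grain-128A, and the IV layout (4-byte reader id followed by an 8-byte counter), the `TagIvGuard` class and all sample values are assumptions made for illustration.

```python
import hashlib

IV_LEN = 12  # 96-bit IV, as stated on the page

def keystream(key: bytes, iv: bytes, n: int) -> bytes:
    """Stand-in keystream generator (SHAKE-128 over key||iv). NOT Grain-128A."""
    return hashlib.shake_128(key + iv).digest(n)

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Stream encryption: payload XOR keystream (decryption is the same call)."""
    return xor_bytes(data, keystream(key, iv, len(data)))

def make_iv(reader_id: bytes, counter: int) -> bytes:
    """Assumed IV layout: 4-byte reader id || 8-byte big-endian counter."""
    if len(reader_id) != 4:
        raise ValueError("reader id must be 4 bytes")
    return reader_id + counter.to_bytes(8, "big")

class TagIvGuard:
    """Tag-side freshness check: a counter must exceed the last one accepted."""
    def __init__(self) -> None:
        self.last = {}  # reader id -> highest counter accepted (non-volatile on a tag)

    def accept(self, iv: bytes) -> bool:
        if len(iv) != IV_LEN:
            return False
        reader_id, counter = iv[:4], int.from_bytes(iv[4:], "big")
        if counter <= self.last.get(reader_id, -1):
            return False  # repeated or rolled-back IV: refuse to initialise
        self.last[reader_id] = counter
        return True

def demo():
    key = bytes(range(16))                      # constructed 128-bit key
    p1, p2 = b"UNLOCK 0042", b"READ   0007"     # constructed payloads
    iv = make_iv(b"RDR1", 1)
    c1, c2 = encrypt(key, iv, p1), encrypt(key, iv, p2)   # same (Key, IV) twice
    keystream_cancelled = xor_bytes(c1, c2) == xor_bytes(p1, p2)
    guard = TagIvGuard()
    decisions = [guard.accept(make_iv(b"RDR1", n)) for n in (1, 2, 2, 1, 3)]
    return keystream_cancelled, decisions

if __name__ == "__main__":
    print(demo())
```

The first result shows that the XOR of the two ciphertexts equals the XOR of the two plaintexts regardless of the key; the second shows the guard accepting only strictly increasing counters.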

Hardware implementation of Grain-128A on an RFID tag is relatively straightforward. The two 128-bit shift registers require 256 flip-flops, and the nonlinear feedback and output functions require approximately 800 gates of combinatorial logic. The total area of 2,130 GE makes it an attractive middle ground between the ultra-compact PRESENT-80 and the more capable AES-128. Power consumption at 100 kHz is approximately 2.5 µW in a 0.18 µm process, well within the tag’s power budget. For initialization, the tag needs to draw power continuously for 2.56 ms — a duration that the reader can support by maintaining a continuous carrier wave during the computation period.

A specific vulnerability in Grain-128A implementations arises from the re-synchronization mechanism. If the tag and reader lose synchronization (e.g., due to a power dropout on the tag), the cipher states will diverge, and all subsequent decryption will fail. The standard defines a re-synchronization procedure requiring a new IV exchange. However, during the re-sync window, the tag may reveal its state through fault messages. Implementations should limit the number of re-synchronization attempts and enforce an exponential backoff to prevent brute-force state recovery attacks.
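
One way to implement the attempt limit and exponential backoff recommended above, as an added sketch that is not part of the standard. The class and parameter names, the 10 ms base delay, the limit of four failures and the single generic refusal reply are assumptions; the sketch also assumes the caller supplies a tick count and that the failure counter survives power loss.

```python
from enum import Enum

class Reply(Enum):
    ACCEPT = "accept"
    REFUSE = "refuse"  # one generic refusal on the air, whatever the internal reason

class ResyncLimiter:
    """Caps failed re-synchronisations and doubles the wait after each failure."""
    def __init__(self, base_ms: int = 10, max_failures: int = 4) -> None:
        self.base_ms = base_ms
        self.max_failures = max_failures
        self.failures = 0
        self.not_before_ms = 0

    def request(self, now_ms: int):
        """Return (reply sent to the reader, reason kept internal for logging)."""
        if self.failures >= self.max_failures:
            return Reply.REFUSE, "locked"
        if now_ms < self.not_before_ms:
            return Reply.REFUSE, "backoff"
        return Reply.ACCEPT, "ok"

    def report(self, now_ms: int, synced: bool) -> None:
        """Record the outcome of an accepted re-sync attempt."""
        if synced:
            self.failures, self.not_before_ms = 0, 0
            return
        self.failures += 1
        self.not_before_ms = now_ms + self.base_ms * 2 ** (self.failures - 1)

def simulate(events, **kwargs):
    """events: (time_ms, outcome); outcome is True/False for sync success."""
    limiter, trace = ResyncLimiter(**kwargs), []
    for now_ms, synced in events:
        reply, reason = limiter.request(now_ms)
        if reply is Reply.ACCEPT:
            limiter.report(now_ms, synced)
        trace.append((now_ms, reply.value, reason))
    return trace

# Constructed timeline: repeated failing re-sync attempts against one tag.
SAMPLE = [(0, False), (5, False), (10, False), (25, False),
          (30, False), (70, False), (1000, False)]

if __name__ == "__main__":
    for row in simulate(SAMPLE):
        print(row)
```

The reader sees the same refusal for both the backoff and the locked state, so the reply itself does not reveal how far the tag's failure counter has advanced.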

4. Frequently Asked Questions

Q: When should I choose Grain-128A over AES-128 for an RFID design?
Grain-128A is preferable when (1) message sizes are small and variable (avoiding block padding waste), (2) the tag has moderate area constraints (2,130 GE vs. 3,400 GE), and (3) zero-latency encryption is desired. It is less suitable when a well-established, FIPS-approved cipher is a compliance requirement.

Q: How does Grain-128A handle message integrity?
Through the ciphertext feedback mode defined in the standard. The MAC is computed over the encrypted message, ensuring both confidentiality and integrity with a single cipher core. This combined AE mode is specified in Annex B of the standard.

Q: Can Grain-128A be used for random number generation?
Yes. When loaded with a random key and a known IV, the output keystream can serve as a deterministic random bit generator (DRBG) conforming to NIST SP 800-90A. This dual use allows the same hardware to serve both encryption and random number generation functions.

Q: What happens if the tag loses power during keystream generation?
The cipher state is lost, and synchronization with the reader is broken. The tag must re-initialize using a new IV exchange. This is a common occurrence in passive RFID, which is why Grain-128A’s fast re-initialization (2.56 ms) is a practical advantage over block ciphers that may require re-transmission of entire data blocks.
