Talk:Grain (cipher)

Untitled
I'm sorry if I'm stepping on someone's toes here, but I thought the description "serious weaknesses" seemed a bit biased. The fact of the matter is that Kucuk's paper only documents a finding that shows that for some (K, IV)-pairs there exist related (K', IV')-pairs that generate a shifted version of the same bitstream. Although this is a potential weakness, there are no known cryptanalytic attacks that can exploit it. I feel that "potential, but not as yet exploitable, weaknesses" is more nuanced.

I have no connection to the eStream initiative or either of the creators of Grain. Neither am I an expert cryptanalyst. I have however designed a hardware implementation of Grain (v1) for a low-security application, and have since tried to follow whether the cipher has been broken, since there was some controversy with the first version. I think this Wikipedia article should reflect the consensus that Grain has a weakness in its initialization phase that could potentially be exploited, but this does not amount to a "serious weakness".

Robinhoel 00:07, 15 November 2007 (UTC)
 * I can't see any consensus on whether this weakness is considered to be serious or not. So far, Grain has been included in Phase 3 of eStream. There is no need for Wikipedia to make any advance judgement on whether this weakness will be considered serious or not by the eStream committee. All Wikipedia should do is report that there is a potential weakness and leave the judgement to eStream. Standardisation committees usually don't wait until a weakness becomes exploitable before they drop a candidate. 85.2.52.164 11:56, 15 November 2007 (UTC)

I'm happy with the change to "potential weaknesses".

Robinhoel (talk) 18:56, 21 November 2007 (UTC)

Grain-128a
In my opinion we should include Grain-128a — Preceding unsigned comment added by 80.152.173.165 (talk) 12:10, 20 July 2011 (UTC)