Trivium. 2 Specifications

Similar documents
Chosen Ciphertext Attack on SSS

Breaking Grain-128 with Dynamic Cube Attacks

COZMO - A New Lightweight Stream Cipher

Some Thoughts on Time-Memory-Data Tradeoffs

Power Analysis Attacks against FPGA Implementations of the DES

Two Attacks on Reduced IDEA (Extended Abstract)

Stream Ciphers An Overview

Piret and Quisquater s DFA on AES Revisited

Vortex: A New Family of One-way Hash Functions Based on AES Rounds and Carry-less Multiplication

Cryptanalysis of the Alleged SecurID Hash Function

Analysis of Involutional Ciphers: Khazad and Anubis

DESIGNING OF STREAM CIPHER ARCHITECTURE USING THE CELLULAR AUTOMATA

Differential Fault Analysis of Trivium

Cryptography for Resource Constrained Devices: A Survey

CUBE-TYPE ALGEBRAIC ATTACKS ON WIRELESS ENCRYPTION PROTOCOLS

Secret Key Algorithms (DES)

AEGIS. A Fast Authenticated Encryption Algorithm. Nanyang Technological University KU Leuven and iminds DIAC 2014 AEGIS 1

An Introduction to new Stream Cipher Designs

Improved Attack on Full-round Grain-128

Differential Cryptanalysis of the Stream Ciphers Py, Py6 and Pypy

Secret Key Algorithms (DES) Foundations of Cryptography - Secret Key pp. 1 / 34

On the Applicability of Distinguishing Attacks Against Stream Ciphers

CRYPTOGRAPHIC ENGINEERING ASSIGNMENT II Theoretical: Design Weaknesses in MIFARE Classic

The MESH Block Ciphers

AEGIS. A Fast Authenticated Encryption Algorithm. Nanyang Technological University KU Leuven and iminds DIAC 2015 AEGIS 1

This document is downloaded from DR-NTU, Nanyang Technological University Library, Singapore.

Chosen-Ciphertext Attacks against MOSQUITO

CHAPTER 2. KEYED NON-SURJECTIVE FUNCTIONS IN STREAM CIPHERS54 All bytes in odd positions of the shift register are XORed and used as an index into a f

Treatment of the Initial Value in Time-Memory-Data Tradeoff Attacks on Stream Ciphers

Implementing AES : performance and security challenges

Improved Multi-Dimensional Meet-in-the-Middle Cryptanalysis of KATAN

Differential-Linear Cryptanalysis of Serpent

CPS2323. Symmetric Ciphers: Stream Ciphers

Vulnerability of Certain Stream Ciphers Based on k-normal Boolean Functions

Grain - A Stream Cipher for Constrained Environments

A Chosen-key Distinguishing Attack on Phelix

Related-key Attacks on Triple-DES and DESX Variants

Improved Algebraic Cryptanalysis of QUAD, Bivium and Trivium via Graph Partitioning on Equation Systems

Fault Analysis Study of IDEA

Security Overview of Bluetooth

Stream Cipher Criteria

Update on Tiger. Kasteelpark Arenberg 10, B 3001 Heverlee, Belgium

Cryptography BITS F463 S.K. Sahay

RECTANGLE: A Bit-slice Ultra-Lightweight Block Cipher Suitable for Multiple Platforms

On Using Machine Learning for Logic BIST

AEGIS. A Fast Authenticated Encryption Algorithm. Nanyang Technological University KU Leuven and iminds DIAC 2016 AEGIS 1

Power-Analysis Attack on an ASIC AES implementation

A Related-Key Attack on TREYFER

On the (In)security of Stream Ciphers Based on Arrays and Modular Addition

Symmetric Key Algorithms. Definition. A symmetric key algorithm is an encryption algorithm where the same key is used for encrypting and decrypting.

TWO GENERIC METHODS OF. Chinese Academy of Sciences

Multi-version Data recovery for Cluster Identifier Forensics Filesystem with Identifier Integrity

Design Of High Performance Rc4 Stream Cipher For Secured Communication

Primitive Specification for SOBER-128

Cube Attacks and Cube-attack-like Cryptanalysis on the Round-reduced Keccak Sponge Function

Comp527 status items. Crypto Protocols, part 2 Crypto primitives. Bart Preneel July Install the smart card software. Today

Advanced WG and MOWG Stream Cipher with Secured Initial vector

Stream ciphers. Lecturers: Mark D. Ryan and David Galindo. Cryptography Slide: 91

On the Design of Secure Block Ciphers

Integral Cryptanalysis of the BSPN Block Cipher

Submission to ECRYPT call for stream ciphers: the self-synchronizing stream cipher Mosquito

CPSC 467b: Cryptography and Computer Security

Enhancing Security of Improved RC4 Stream Cipher by Converting into Product Cipher

The CS 2 Block Cipher

Small-Footprint Block Cipher Design -How far can you go?

A Practical Attack on KeeLoq

Security Analysis of Extended Sponge Functions. Thomas Peyrin

Recurrent Neural Network Models for improved (Pseudo) Random Number Generation in computer security applications

Improved Multi-Dimensional Meet-in-the-Middle Cryptanalysis of KATAN

Secret Key Cryptography (Spring 2004)

Linear Cryptanalysis of Reduced Round Serpent

Cache Timing Attacks on estream Finalists

CHAPTER 1 INTRODUCTION

Matrices. Chapter Matrix A Mathematical Definition Matrix Dimensions and Notation

Cryptography and Network Security

Fast Block Cipher Proposal

Unit 9 : Fundamentals of Parallel Processing

NON LINEAR FEEDBACK STREAM CIPHER

HPCC Random Access Benchmark Excels on Data Vortex

Key Separation in Twofish

Towards measuring anonymity

This chapter continues our overview of public-key cryptography systems (PKCSs), and begins with a description of one of the earliest and simplest

Micro-Architectural Attacks and Countermeasures

Cache Timing Analysis of LFSR-based Stream Ciphers

3 Symmetric Cryptography

An Improved Cryptanalysis of Lightweight Stream Cipher Grain-v1

page 1 Introduction to Cryptography Benny Pinkas Lecture 3 November 18, 2008 Introduction to Cryptography, Benny Pinkas

PRACTICAL DPA ATTACKS ON MDPL. Elke De Mulder, Benedikt Gierlichs, Bart Preneel, Ingrid Verbauwhede

D eepa.g.m 3 G.S.Raghavendra 4

Journal of Global Research in Computer Science A UNIFIED BLOCK AND STREAM CIPHER BASED FILE ENCRYPTION

Traffic Analysis Attacks on a Continuously-Observable Steganographic File System

Dierential-Linear Cryptanalysis of Serpent? Haifa 32000, Israel. Haifa 32000, Israel

Cryptanalysis of ORYX

A Weight Based Attack on the CIKS-1 Block Cipher

Susceptibility of estream Candidates towards Side Channel Analysis

H must be collision (2n/2 function calls), 2nd-preimage (2n function calls) and preimage resistant (2n function calls)

The road from Panama to Keccak via RadioGatĂșn

Cryptography. Summer Term 2010

Confusion/Diffusion Capabilities of Some Robust Hash Functions

A New Architecture of High Performance WG Stream Cipher

Transcription:

Trivium Specifications Christophe De Cannière and Bart Preneel Katholieke Universiteit Leuven, Dept. ESAT/SCD-COSIC, Kasteelpark Arenberg 10, B 3001 Heverlee, Belgium {cdecanni, preneel}@esat.kuleuven.be Abstract. This document specifies Trivium, a hardware oriented synchronous stream cipher which aims to provide a flexible trade-off between speed and area. The description of the cipher is followed by some performance figures and a summary of the cryptographic properties of the algorithm. For a more theoretical discussion of the rationale behind the design, the reader is referred to the accompanying paper [1]. 1 Introduction Trivium is a hardware oriented synchronous stream cipher. It was designed as an exercise in exploring how far a stream cipher can be simplified without sacrificing its security, speed or flexibility. While simple designs are more likely to be vulnerable to simple, and possibly devastating, attacks (which is why we strongly discourage the use of Trivium at this stage), they certainly inspire more confidence than complex schemes, if they survive a long period of public scrutiny despite their simplicity. The next section provides a complete description of the stream cipher proposal. Sect. 3 discusses the performance of the cipher, and Sect. 4 briefly touches some security aspects of the algorithm. A more theoretical discussion of the rationale behind the design can be found in a separate paper [1]. 2 Specifications Trivium is a synchronous stream cipher designed to generate up to 2 64 bits of key stream from an 80-bit secret key and an 80-bit initial value (IV). As for most stream ciphers, this process consists of two phases: first the internal state of the cipher is initialized using the key and the IV, then the state is repeatedly updated and used to generate key stream bits. We first describe this second phase. The work described in this paper has been partly supported by the European Commission under contract IST-2002-507932 (ECRYPT). F.W.O. Research Assistant, Fund for Scientific Research Flanders (Belgium).

Parameters Key size: IV size: Internal state: 80 bit 80 bit 288 bit Table 1. Parameters of Trivium 2.1 Key stream generation The proposed design contains a 288-bit internal state denoted by (s 1,..., s 288 ). The key stream generation consists of an iterative process which extracts the values of 15 specific state bits and uses them both to update 3 bits of the state and to compute 1 bit of key stream z i. The state bits are then rotated and the process repeats itself until the requested N 2 64 bits of key stream have been generated. A complete description is given by the following simple pseudo-code: for i = 1 to N do t 1 s 66 + s 93 t 2 s 162 + s 177 t 3 s 243 + s 288 z i t 1 + t 2 + t 3 t 1 t 1 + s 91 s 92 + s 171 t 2 t 2 + s 175 s 176 + s 264 t 3 t 3 + s 286 s 287 + s 69 (s 1, s 2,..., s 93 ) (t 3, s 1,..., s 92 ) (s 94, s 95,..., s 177 ) (t 1, s 94,..., s 176 ) (s 178, s 279,..., s 288 ) (t 2, s 178,..., s 287 ) end for Note that here, and in the rest of this document, the + and operations stand for addition and multiplication over GF(2) (i.e., XOR and AND), respectively. A graphical representation of the key stream generation process can be found in Fig. 1. 2.2 Key and IV setup The algorithm is initialized by loading an 80-bit key and an 80-bit IV into the 288-bit initial state, and setting all remaining bits to 0, except for s 286, s 287, and s 288. Then, the state is rotated over 4 full cycles, in the same way as explained above, but without generating key stream bits. This is summarized in the pseudo-code below: (s 1, s 2,..., s 93 ) (K 1,..., K 80, 0,..., 0) (s 94, s 95,..., s 177 ) (IV 1,..., IV 80, 0,..., 0) (s 178, s 279,..., s 288 ) (0,..., 0, 1, 1, 1) for i = 1 to 4 288 do

s 288 s 1 s 243 s 66 z i s 178 s 94 s 162 Fig. 1. Trivium

t 1 s 66 + s 91 s 92 + s 93 + s 171 t 2 s 162 + s 175 s 176 + s 177 + s 264 t 3 s 243 + s 286 s 287 + s 288 + s 69 (s 1, s 2,..., s 93 ) (t 3, s 1,..., s 92 ) (s 94, s 95,..., s 177 ) (t 1, s 94,..., s 176 ) (s 178, s 279,..., s 288 ) (t 2, s 178,..., s 287 ) end for 3 Implementation 3.1 Hardware Trivium is a hardware oriented design focussed on flexibility. It aims to be compact in environments with restrictions on the gate count, power-efficient on platforms with limited power resources, and fast in applications that require high-speed encryption. The requirement for a compact implementation suggests a bit-oriented approach. It also favors the use of a nonlinear internal state, in order not to waste all painfully built up nonlinearity at the output of the key stream generator. In order to allow power-efficient and fast implementations, the design must also provide a way to parallelize its operations. In the case Trivium, this is done by ensuring that any state bit is not used for at least 64 iterations after it has been modified. This way, up to 64 iterations can be computed at once, provided that the 3 AND gates and 11 XOR gates in the original scheme are duplicated a corresponding number of times. This allows the clock frequency to be divided by a factor 64 without affecting the throughput. Based on the figures stated in [2] (i.e., 12 NAND gates per Flip-flop, 2.5 gates per XOR, and 1.5 gates per AND), we can compute an estimation of the gate count for different degrees of parallelization. The results are listed in Table. 2. Components 1-bit 8-bit 16-bit 32-bit 64-bit Flip-flops: 288 288 288 288 288 AND gates: 3 24 48 96 192 XOR gates: 11 88 176 352 704 NAND gate count: 3488 3712 3968 4480 5504 Table 2. Estimated gate counts of 1-bit to 64-bit hardware implementations 3.2 Software Despite the fact that Trivium does not target software applications, the cipher is still reasonably efficient on a standard PC. The measured performance of the reference C-code on an 1.5 GHz Xeon processor can be found in Table 3.

Operation Stream generation: 12 cycles/byte Key setup: 55 cycles IV setup: 2050 cycles Table 3. Measured performance on an Intel r Xeon TM CPU 1.5 GHz 4 Security In this section we briefly discuss some of the cryptographic properties of Trivium. For a more detailed analysis of the cipher, we refer to the paper [1]. The security requirement we impose on Trivium is that any type of cryptographic attack should not be significantly easier to apply to trivium than to any other imaginable stream cipher with the same external parameters (i.e., any cipher capable of generating up to 2 64 bits of key stream from an 80-bit secret key and an 80-bit IV). Unfortunately, this requirement is not easy to verify, and the best we can do is to provide arguments why we believe that certain common types of attacks are not likely to affect the security of the cipher. 4.1 Correlations When analyzing the security of a synchronous stream cipher, a cryptanalyst will typically consider two different types of correlations The first type are correlations between linear combinations of key stream bits and internal state bits, which can potentially lead to a complete recovery of the state. The second type, exploited by distinguishing attacks, are correlations between the key stream bits themselves. Obviously, linear correlations between key stream bits and internal state bits are easy to find, since z i is simply defined to be equal to s 66 + s 93 + s 162 + s 177 + s 243 +s 288. However, as opposed to LFSR based ciphers, Trivium s state evolves in a nonlinear way, and it is not clear how the attacker should combine these equations in order to efficiently recover the state. An easy way to find correlations of the second type is to follow linear trails through the cipher and to approximate the outputs of all encountered AND gates by 0. However, the positions of the taps in Trivium have been chosen in such a way that any trail of this specific type is forced to approximate at least 72 AND gate outputs. An example of a correlated linear combination of key stream bits obtained this way is z 1 + z 16 + z 28 + z 43 + z 46 + z 55 + z 61 + z 73 + z 88 + z 124 + z 133 + z 142 + z 202 + z 211 + z 220 + z 289. If we assume that the correlation of this linear combination is completely explained by the specific trail we considered, then it would have a correlation

coefficient of 2 72. Detecting such a correlation would require at least 2 144 bits of key stream, which is well above the security requirement. Other more complicated types of linear trails with larger correlations might exist, but at this stage it seems unlikely that these correlations will exceed 2 40. This issue is discussed in more details in the paper [1]. 4.2 Period Because of the fact that the internal state of Trivium evolves in a nonlinear way, its period is hard to determine. Still, a number of observations can be made. First, if the AND gates are omitted (resulting in a completely linear scheme), one can show that any key/iv pair would generate a stream with a period of at least 2 96 3 1. This has no immediate implications for Trivium itself, but it might be seen as an indication that the taps have been chosen properly. Secondly, Trivium s state is updated in a reversible way, and the initialization of (s 178,..., s 288 ) prevents the state from cycling in less than 111 iterations. If we believe that Trivium behaves as a random permutation after a sufficient number of iterations, then all cycle lengths up to 2 288 would be equiprobable, and hence the probability for a given key/iv pair to cause a cycle smaller than 2 80 would be 2 208. 4.3 Guess and Determine attacks In each iteration of Trivium, only a few bits of the state are used, despite the general rule-of-thumb that sparse update functions should be avoided. As a result, guess and determine attacks are certainly a concern. A straightforward attack would guess (s 25,..., s 93 ), (s 97,..., s 177 ), and (s 244,..., s 288 ), 195 bits in total, after which the rest of the bits can immediately be determined from the key stream. Further research should be conducted to examine to which extent more sophisticated attacks can reduce this number. 4.4 Algebraic attacks Trivium seems to be a particularly attractive target for algebraic attacks. The complete scheme can easily be described with extremely sparse equations of low degree. However, its state does not evolve in a linear way, and hence the efficient linearization techniques used to solve the systems of equations generated by LFSR based schemes will be hard to apply. However, other techniques might be applicable and their efficiency in solving this particular system of equations needs to be investigated. 4.5 Resynchronization attacks Another type of attacks are resynchronization attacks, where the adversary is allowed to manipulate the value of the IV, and tries to extract information about

the key by examining the corresponding key stream. Trivium tries to preclude this type of attacks by cycling the state a sufficient number of times before producing any output. It can be shown that each state bit depends on each key and IV bit in a nonlinear way after two full cycles (i.e., 2 288 iterations). We expect that two more cycles will suffice to protect the cipher against resynchronization attacks. 5 Conclusion Trivium is a simple synchronous stream cipher which seems to be particularly well suited for application which require a flexible hardware implementation. It is clearly in an experimental stage though, and further research will reveal whether it meets its security requirements or not. Remarks concerning the name. The word trivium is Latin for the three-fold way, and refers to the three-fold symmetry of Trivium. The adjective trivial, which was derived from it, has a connotation of simplicity, which is also one of the characteristics of Trivium. Moreover, with some imagination, one might recognize the shape of a Trivial Pursuit board in Fig. 1 (while we admit that in this respect Merecedes would have been a more appropriate name). Finally, the name provides a nice title for a subsequent cryptanalysis paper: Three Trivial Attacks on Trivium. References 1. C. De Cannière and B. Preneel, Trivium A Stream Cipher Construction Inspired by Block Cipher Design Principles, to be uploaded to http://www.ecrypt. eu.org/stream soon. 2. J. Lano, N. Mentens, B. Preneel, and I. Verbauwhede, Power Analysis of Synchronous Stream Ciphers with Resynchronization Mechanism, in ECRYPT Workshop, SASC The State of the Art of Stream Ciphers, pp. 327 333, 2004.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback