Escolar Documentos
Profissional Documentos
Cultura Documentos
net/publication/291012336
CITATIONS READS
21 394
4 authors:
Some of the authors of this publication are also working on these related projects:
All content following this page was uploaded by Konstantinos Fysarakis on 26 September 2017.
REVIEW ARTICLE
ABSTRACT
Pervasive computing constitutes a growing trend, aiming to embed smart devices into everyday objects. The limited
resources of these devices and the ever-present need for lower production costs, lead to the research and development
of lightweight cryptographic mechanisms. Block ciphers, the main symmetric key cryptosystems, perform well in this
field. Nevertheless, stream ciphers are also relevant in ubiquitous computing applications, as they can be used to secure
the communication in applications where the plaintext length is either unknown or continuous, like network streams. This
paper provides the latest survey of stream ciphers for embedded systems. Lightweight implementations of stream ciphers
in embedded hardware and software are examined as well as relevant authenticated encryption schemes. Their speed and
simplicity enable compact and low-power implementations, allow them to excel in applications pertaining to resource-
constrained devices. The outcomes of the ISO/IEC 29192-3 standard and the cryptographic competitions eSTREAM and
CAESAR are summarized along with the latest results in the field. However, cryptanalysis has proved many of these
schemes are actually insecure. From the 31 designs that are examined, only 6 of them have been found to be secure by
independent cryptanalysis. A constrained benchmark analysis is performed on low-cost embedded hardware and software
platforms. The most appropriate and secure solutions are then mapped in different types of applications. Copyright
c
2010 John Wiley & Sons, Ltd.
KEYWORDS
authenticated encryption; embedded systems; lightweight cryptography; stream ciphers
∗
Correspondence
Dept. of Electronic and Computer Engineering, Technical University of Crete, Akrotiri Campus, 73100 Chania, Crete, Greece,
gchatzivasilis@isc.tuc.gr
Received . . .
Also, stream ciphers are typically fast, compact and application, with the concluding remarks following in
consume low power, making them an attractive choice for Section 7.
resource-constrained devices, like low-power RFID tags.
In recent years, stream ciphers have gained ground as
several research efforts have investigated secure stream 2. RELATED WORK
cipher designs. A milestone event in pertinent research
efforts was the eSTREAM competition [7], held by Stream ciphers have been applied in several real-time
ECRYPT from 2004 to 2008, which promoted the applications (e.g. mobile phone telephony) due to high
design of efficient and compact stream ciphers suitable performance in hardware. In 2004, a performance analysis
for wide adoption. In 2012, the ISO/IEC standardized of these mainstream ciphers was presented in [15]. The
stream ciphers for LWC in the ISO/IEC 29192-3:2012 main stream cipher designs and the basic hardware-
[8] standard. Since then, several new designs based on efficiency and security trade-offs were identified.
eSTREAM concepts and other novel structures have been In 2007, the development of the lightweight block
proposed. cipher PRESENT signified a milestone in LWC with
In addition to confidentiality and integrity, authenti- several lightweight designs being proposed afterwards. A
cation is another important security property that must first survey on LWC was held in the same year [16],
be considered. Thus, except from designing individual reviewing several symmetric and asymmetric ciphers for
ciphers, efforts have been made to implement symmet- embedded hardware and software.
ric cryptosystems that provide authenticated encryption The eStream project advanced the research efforts for
functionality. The interest in such schemes is expected compact stream cipher designs. A survey and software
to increase due to the ongoing Competition for Authenti- benchmark of stream ciphers for wireless sensor networks
cated Encryption: Security, Applicability, and Robustness was presented in 2007 [17], focusing on eStream
(CAESAR) [9]. CAESAR is organized by the international candidates. Several ciphers were deployed and evaluated
cryptographic research community and intends to select on the same micro-controller platform. Similarly, hardware
a portfolio of algorithms offering advantages over AES- results for selected eStream candidates in ASIC are
GCM [10] and being suitable for widespread adoption. The presented in [18].
final selection will be announced in 2017. The ISO/IEC standardization effort in 2012, enhanced
Hardware implementations of stream ciphers are mostly cryptanalysis results for secure stream cipher design.
suitable for ultra-constrained devices, as they typically Cryptanalysis techniques for stream ciphers and relevant
implement the exact cryptographic functionality without attacks are presented in [19] and [20] respectively.
redundant components (e.g. general purpose processing In 2013, a comparative analysis of newer stream cipher
units). The complexity of a design is defined by the Gate implementations for embedded systems was conducted
Equivalent (GE) metric, with the authors considering an in [13]. The most efficient implementations in embedded
upper limit of 3000 GEs for LWC [11, 12, 13]. However, hardware and software were evaluated based on a set of
reported characteristics of each cipher are closely related predefined metrics.
to a specific setting and cannot be directly transferred to Table I summarizes the main features of these related
other applications. In contrast, software implementation of studies. In this paper, we survey the main traditional and
ciphers retains portability across devices with the same lightweight stream ciphers along with the latest design and
microprocessor [14]. On the other hand, they are mostly cryptanalysis results in the field. We include authenticated
appropriate for more powerful devices, as they presuppose encryption schemes and relevant CAESAR candidates that
the existence of a microprocessor. are based on stream ciphers. We indicate the safe ciphers
In this work the authors present a survey of lightweight and perform a benchmark analysis on embedded hardware
stream ciphers and relevant authenticated encryption and software platforms.
schemes in hardware and software. The implementation
details of the typical cipher versions are presented, as
stated by their designers, and a benchmark analysis is 3. STREAM CIPHER DESIGN
performed on low-cost embedded devices. The remainder
of this paper is structured as follows: Section 2 presents 3.1. General features
related work and relevant surveys, Section 3 presents the
general design approaches for stream ciphers, Section 4 Stream ciphers are an alternative type of symmetric
presents the stream ciphers that are typically examined cryptosystem to block ciphers [21]. They are based on the
in the context of LWC and their main features, Section idea of the One-Time Pad (OTP) cipher, known as Vernam
5 features performance evaluation and benchmark of cipher [22]. OTP utilizes a completely random keystream
the presented algorithms and identifies the most suitable and each digit of the keystream is combined with one digit
and secure solutions for different types of applications, from plaintext to produce a digit of ciphertext. OTP was
Section 6 refers future work of stream cipher design and proved to be unbreakable [23], however, the keystream
digits have to be completely random and, moreover, the
keystream must have the same length as the plaintext.
Thus, OTPs introduce significant practical management weaknesses in key scheduling and extract the initial state
and maintenance problems, and are considered impractical from the memory.
for wide use. Side-channel attacks measure electromagnetic emission
Stream ciphers address these issues by sacrificing a or power consumption during the processing of the data
degree of security: they apply a secret key, which is used to from the cipher. The goal is to derive useful informaiton
generate a pseudorandom keystream. The secret key is the about the algorithm’s internal processes.
symmetric key and the pseudorandom keystream generated In distinguishing attacks, the attacker tries to distinguish
is used in the same way as the keystream in OTPs. the key stream from a purely random sequence. Such
However, the fact that the keystream is not completely attacks can turn into complete key recovery.
random introduces security concerns. The keystream must Correlation attacks analyse the linear functions of
be random enough to ensure that if an attacker knows the the cipher and determine the produced keystream by
keystream, he cannot recover the secret key or derive the observing the output bits. Linear attacks correlate the
cipher’s internal state. linear functions of selected keystream bits or linear
The keystream period is a significant security factor functions of selected keystream and state bits. Similarly,
for stream ciphers. It stands for the number of encrypted algebraic attacks resolve systems of algebraic equations
bits or blocks that are processed before the keystream is that are utilized for the production of the key or state
repeated. If this is exhausted and the keystream is repeated, bits. One popular stream cipher design approach utilizes
cryptanalysis could potentially decrypt the sequential non-linear components with masking of block ciphers.
ciphertext bits [21]. Thus, the keystream period should be Linear masking distinguishes a non-linear characteristic
larger than the size of the plaintext that will be encrypted. If that exhibits some bias. Missing linear combinations,
the keystream period elapses, a different key or nonce must derived from the linear functions of the cipher, are applied
be used to re-initialize the cipher; a longer period implies to the output and discover the traces of this distinguished
fewer instances that this will have to take place. characteristic.
After initialization, all stream ciphers require a few Cube attacks are a relatively new attack type and can
clock cycles to encrypt a bit. Yet, the initialization process be applied to almost any cryptosystem. The attack takes
is also essential in determining the applicability of a stream advantage of the existence of a low degree polynomial
cipher. Stream ciphers with fast initialization phase are representation of a single output bit as a function of the
suitable for applications where many short messages have key and plaintext bits. These bits are summed over all
to be processed. On the other hand, when few and large possible values of a subset of the plaintext bits to detect
messages must be encrypted, stream ciphers with fast linear equations in the key bits, which can be efficiently
encryption are appropriate. Thus, stream ciphers cannot be solved.
easily classified in terms of performance, as it depends on Time/Memory/Data tradeoffs explore the general struc-
both the initialization and en/decryption operations. ture of a cipher and summarize the analysis results in
large tables. At attack phase, these precomputed tables are
3.2. Cryptanalysis and attacks utilized in order to retrieve the key of the actual data that is
being processed.
Attackers aim to exploit stream cipher designs in order Guess-and-determine attacks guess a part of the state
to discover the key that is used for de/encryption. and try to reconstruct the whole state based on the
Then, they can recover part or the whole communication keystream that is actually observed.
processed by this key. Passive attacks exploit the output Slide attacks correlate two copies of the same
or the initialization/resynchronization phases. They mainly encryption process that are one round out of order. The
analyse design flaws. Active attacks insert, delete or replay two relevant plaintexts are lined up, trying to find a match.
ciphertext bits (e.g. fault attack) and try to misuse the The attack reveals the key in the state update of the cipher.
communication channel. They are countered by strong data In divide and conquer strategy, the cipher is disassem-
integrity and authentication mechanisms. bled into basic components. A few bits are determined
Exhaustive key search is a brute force attack where an in each state and the most vulnerable components are
attacker tries out all possible combinations until she finds attacked first. Designs that exhibit high correlation immu-
out the key. The computational complexity can’t exceed nity are less vulnerable to such attacks.
the key size in bits but can also be lower. All ciphers A survey of cryptanalysis techniques for stream
are vulnerable to these attack. The lower bound of the ciphers is presented in [19], where the exhaustive key
exhaustive key search complexity for a cipher denotes the search, related key, side channel analysis, distinguishing,
intuitive limit that all the other attack types try to improve correlation, algebraic, linear masking, time-memory
upon. tradeoff and guess-and-determine attacks are explained.
The re-initialization process of a cipher design is The fault, chosen-IV, cube and slide attacks are
another target of attacks. If the input is related to the additionally described in a later survey [20], along with
internal state without sufficient non-linearity when the the proposed mechanisms to mitigate them.
new keys are produced, an attacker can determine the
related keys and the initial one. Chosen-IV attacks exploit
LFSRs are a common choice for stream ciphers (e.g. optimum outcome is a pseudorandom keystream with good
[27, 28, 29]). They are easy and fast to implement in statistical properties. Their main advantage is the level of
hardware and their properties can be studied and analyzed confusion and diffusion that they achieve. Moreover, they
mathematically. However, their linear nature means they can be directly implemented in hardware.
are not secure unless they are used along with additional A Tree Party Machine (TPM) [42] is a multi-layer
components to introduce nonlinearity. There are two styles feed-forward neural network. Although it is not a common
of LFSR according to the shift operation. Fibonacci LFSR choice in cryptography, it has been applied to stream
is the typical style, where each bit is copied to its right cipher design [43] due to the level of randomness that
neighbor and the bits are right shifted. The rightmost bit it achieves. In the common topology, two TPMs update
is the output. The new leftmost bit that is inserted is the their weight vectors by mutual learning based on each
parity of some special bits, called taps. Galois LFSR is other’s output in order to achieve the weight space
the alternative style, where the bits are right shifted, except synchronization. The common inputs vary dynamically at
from the tap bits. The rightmost bit of the taps is XOR- each learning iteration, but kept identical throughout all
ed with the previous output bit before the copy is done. mutual learning time. The TPM properties guarantee that
The original rightmost bit from the taps is both the new given the mutually exchanged TPM output over an open
leftmost bit that is inserted and the output. Galois LFSRs channel, an eavesdropper cannot exactly determine which
are considered more efficient in hardware than Fibonacci internal weight vectors has been updated each time. Thus,
LFSRs as they introduce lower gate delay and thus lower the eavesdropper cannot derive the final synchronized
clock cycle time. weight vectors. These final weight vectors are mapped to a
FCSRs are arithmetic analogs of LFSRs [30]. They shared key.
are similar to LFSRs but with additional memory for
maintaining a carry from one stage to the next, forming
a finite device. They can be efficiently implemented in
a parallel architecture. However, FCSRs are periodic in 3.4.2. Non-linearity
nature and cannot be directly applied in cryptography [31]. Several schemes have been proposed to increase the
Except from the stream ciphers that are based on FSRs, security of the main LFSR design and introduce the needed
there are several alternative design types. nonlinearity. Examples include the non-linear combining
Ciphers that use modular add, rotate and XOR functions, the clock-controlled generators and the filter
operations (ARX) are popular due to their fast and cheap generators. With a non-linear combining function, the
implementation (e.g. [32, 33, 34]). These operations run outputs of several parallel LFSRs are passed to a non-
in constant time, reducing the feasibility of timing attacks. linear Boolean function. A clock-controlled generator
ARXs produce fast and compact implementations but their uses two LFSRs. In the ordinary setting, a LFSR is stepped
security properties are not well-studied. regularly. The generator implies that the LFSR must be
In contrast to ARX ciphers that use simple operation, clocked irregularly according to the output of the second
large table designs are proposed for high speed in software LFSR. When filter generators are used, the entire state
(e.g. [35, 36]). The state is maintained in large tables of a LFSR is fed into a non-linear filtering function.
and the content is updated at each round by non-linear Combinations of all these schemes are also examined in
functions. This approach exhibits among the fastest results the literature (e.g. [44, 45]).
at the cost of high memory consumption in both hardware Non-linear Feedback Shift Registers (NFSRs) are
and software. another core component, utilized by stream ciphers to
A Cellular Automata (CA) [37] is a regular grid of provide nonlinearity (e.g. [44, 45, 46]). Furthermore, they
cells, where each one has a finite number of states. The are more resistant to cryptanalytic attacks. Yet, only a few
cells update their state according to a fixed rule. The rule theoretical results exist for NFSRs. The security level of
determines the new state of each cell based on the current ciphers that make use of NFSRs depends on the difficulty
state of a cell and its neighbours. Given the rule, it is easy of analyzing the design itself. In hardware, they are
to determine the future states but very difficult to estimate typically slightly more complex than LFSRs and FCSRs.
the previous ones. In cryptography, CAs can act as an one- However, it is difficult to design a good NFSR, as there
way function whose inverse is hard to find (e.g. [38, 39]). are no simple and precise guidelines on building strong
Their hardware implementation is simple, while word-wise non-linear Boolean functions. These functions are used in
implementations can be efficient in software. Moreover, NFSRs to determine the balance between the zeroes and
parallel transformations are also possible, allowing to ones in the output, the nonlinearity, the algebraic degree
increase throughput. and the correlation immunity.
Chaotic maps [40] are maps that exhibit a chaotic The Welch-Gong (WG) functions are another family of
behaviour. They can be parameterized by a discrete- structures which, in contrast to NFSRs, can be analyzed
time parameter, like an iterated function. In cryptography, mathematically [47]. They are proven to guarantee
their ordinary setting is the mixture of the plaintext a variety of randomness properties, like ideal two-
with a keystream using bitwise operations [41]. The level autocorrelation, balance, long period, ideal tuple
distribution and high and exact linear complexity. These
properties satisfy security requirements for encryption and 4. STREAM CIPHER IN LWC
authentication [28].
The Substitution-boxes (S-box) are implemented in In this section, the authors survey stream ciphers that
the form of lookup tables which map m input bits to n have been applied in embedded systems. The widely
output bits. They are a common and well-studied choice in used ciphers and their vulnerabilities are highlighted, then
block ciphers, used to obscure the relationship between the focusing on recent research efforts and standards for LWC.
key and the ciphertext. S-boxes are also utilized by many
stream ciphers (e.g. [27, 31, 48, 49, 50, 51]) in order to 4.1. Traditional stream ciphers
enhance their nonlinearity features.
Finite state machines (FSMs) are mathematical Traditional ciphers for stream encryption and pertinent
models for computing sequential logic. At each time point, security issues are presented in [21]. As referred in said
the FSM is in one of a finite number of states. A transition work, ciphers RC4 [32], A5/1 [52] and E0 [52], although
to a new state is performed as a result of a triggering not completely compromised, suffer from serious security
event or condition. In stream cipher design, FSMs perform vulnerabilities and should not be used in new applications.
well in software and enhance protection against guess-and- RC4 is the most widely used software stream cipher
determine attacks [27]. and is included in popular protocols and standards, like
WEP, WPA and TLS. It has a simple design and is
remarkably fast. It relies solely on byte manipulations,
3.4.3. Design guidelines without an LFSR. RC4 is efficient in both hardware and
The maintenance of the internal state is the most space- software. However, security issues have been reported due
consuming part of a cipher. This burden is even heavier to its dated design, including criticism for its tenuous
in stream ciphers, as, comparatively, a larger percentage key scheduling process. Specifically, RC4 doesn’t take a
of the hardware implementation is used for storing the separate nonce with the input key, leaving it up to the
internal values. For example, a hardware implementation communication protocol to specify how to combine these
of the Grain stream cipher, presented in [44], requires 1294 two parameters and produce the keystream. One solution
gates, with the bulk of them being used for this task. In is a strong MAC that hashes the key with a nonce, but
more detail, the internal state must be at least twice the analysis revealed biased outputs of the keystream [53].
security level in bits [44]. The nonlinearity functionality, Thus, the keystream bytes can be correlated with the key
on the other hand, can be compact in hardware. ([54, 55]), a fact that was exploited, along with related
Thus, reducing the area factor of a stream cipher is effects, to break WEP ([56, 57]). The latest attack on
a difficult task. Stream cipher designers typically aim to RC4 requires 224 connections [58]. Although there are
reduce the size of the registers and the complexity of the no practical attacks on the cipher itself, the latest results
Boolean and filtering functions. speculate that well-equipped agencies (e.g. state-funded
In hardware, an LFSR uses flip-flops to maintain its entities) may have better attacks that render the cipher
state and XOR gates to compute the feedback. In order to insecure.
decrease the hardware area, designers can decrease the size A5/1 was designed to provide over-the-air communi-
of the internal state and the number of XORs. However, a cation privacy for the GSM cellular telephone standard
cipher with short registers and a simple feedback function has been widely used in GSM telephony in Europe and
can be vulnerable to cryptanalysis. the USA. In its design, three combined LFSRs with irreg-
An NFSR uses more complex Boolean operations or S- ular clocking are used to encrypt bursts of traffic, as is
boxes to form the feedback function. The area occupied required in GSM. A5/1 is nowadays considered insecure,
by these Boolean operations is larger than the one of the as attacks both in the cipher itself and its implementations
XORs of an LFSR, but the resulting number of required in GSM have been presented. Most of the cryptanalysis
flip-flops is smaller. was based on time-memory tradeoff and other known-
Word size is another important factor. In this regard, plaintext attacks, with many of them breaking the cipher in
bit- and binary-oriented stream ciphers are efficiently a few minutes or seconds ([59, 60, 61, 62]). In GSM, active
implemented in hardware, while word oriented ciphers are attacks and ciphertext-only analysis prove the protocol
preferable in software. to be insecure even when in the presence of a secure
In terms of hardware implementations, the most popular cipher [63]. The latest attacks utilize parallel computing
approach is to exploit LFSRs and NFSRs ([44, 45, 46]). platforms, like FPGAs and GPGPUs, to launch practical
For software implementations, using table-driven ciphers attacks on A5/1 and GSM at runtime ([64, 65]).
([41, 35]) or building blocks from block ciphers ([27, 31, E0 is used in Bluetooth. It uses 4 shift registers (SHR)
48, 49, 50, 51]) are suggested when aiming to achieve high to produce a sequence of pseudorandom numbers which
throughput rates. To increase the provided level of security, are XOR-ed with the data. It is also vulnerable and
larger internal states and mixing of algebraic domains practical attacks have been reported both for the cipher
([28, 29]) are often adopted. In general, it is proposed to and the Bluetooth protocol. Typically, E0 uses 128-bit
use simple operations that are implemented by the native key. However, analysis has decreased the security level
processor’s instruction set to increase speed. to 65 bits even when longer keys are used ([66, 67]).
hardware implementation requires 3800 GE, achieving 88 a type of NFSR and introduces nonlinearity to the cipher.
Kbps of throughput [77]. The output of the LFSR is masked with the input of this
Practical fault analysis attacks require around 128-256 NFSR to balance its state.
faults and precomputed table of size 241.6 bytes to recover Grain adopts a bit-oriented architecture, which is
the complete internal state in about 238 steps [78]. appropriate for constrained hardware implementations.
HC is a cipher that has two main variants HC-128 and The simplest implementation produces 1 bit/cycle.
HC-256 [36] for 128- and 256-bit keys respectively, with However, it also offers the option to increase its speed
128-bit IVs. It uses two large secret tables, each one with by increasing the length of the processing word; one
512 32-bit elements, and operates on 32-bit words. At each can increase the number of bits at the expense of more
step, an element is updated using a non-linear feedback hardware (the rate can be increased up to 16 bits/cycle).
function and a 32-bit output is generated by a non- It provides higher levels security compared to the well-
linear output filtering function. HC is suitable for parallel known A5/1 and E0 ciphers, while providing small
computing and modern superscalar microprocessors as hardware complexity.
three consecutive steps can be computed in parallel. Grain uses 80-bit keys and 64-bit IVs. It requires about
The feedback and output functions of each step can 1294 GE for 1bit/cycle and 3239 GE for 16bits/cycle [44].
be performed simultaneously. It is now included in the In [84] a software implementation is reported for the 1
CyaSSL crypto library. bit/cycle rate that occupies 778 bytes of code and requires
As a table-driven cipher, it can yield impressive 107366 cycles for initialization and 617 cycles to generate
performance in software when large streams of data are the output.
encrypted. However, due to the initialization overhead, Grain-128 [85] is a version of the Grain cipher that
when small streams are processed, the performance is low supports 128-bit keys and 96-bit IVs, being designed
(as frequent re-initialization is required). It is estimated for applications that require higher level of security. The
that, in hardware, 52400 GE would be occupied just to minimum word length is 1 bit and the maximum is
cover the memory requirements [18]. 32 bits (the latter being a popular choice for software
No significant cryptanalytic advances have been implementations). It requires 1857 GE for 1 bit/cycle and
reported on HC [79, 80], and the cipher is considered safe. 4617 GE for 32 bits/cycle. Furthermore, Grain-128 is used
Its authors estimate a keystream period larger than 2256 as a building block for the state of the art hash function
bits. SQUASH [86].
SOSEMANUK is a synchronous stream cipher. The Several cryptanalysis results have been reported since
key size varies between 128 and 256 bits and the IV size is its selection in eSTREAM. The latest study [87] presents
128 bits. However, the provided security level is the same, a differential fault attack on the Grain family of ciphers,
at 128 bits, for all key sizes. It adopts some of the design under reasonable assumptions, which exploits certain
principles of the stream cipher SNOW 2.0 [81] and the properties of the Boolean functions and corresponding
block cipher Serpent [82]. SOSEMANUK performs better choices of the taps from the LFSR. An attacker injects a
than SNOW 2.0 as it has a faster IV setup phase and needs small number of faults and recovers the secret key.
less amount of static data. It uses an LFSR and a finite Trivium is an eSTREAM Profile 2 finalist and a
state machine (FSM) and operates on 32-bit words. For the standardized stream cipher for LWC (ISO/IEC 29192-
setup phase, a 24 rounds Serpent is used to fill the LFSR 3:2012). Its designers intended to explore how far a stream
and the FSM. At the keystream generation phase, 4 output cipher can be simplified without sacrificing its security,
words of the FSM are fed to Serpent’s third S-Box and then speed or flexibility. It is a synchronous, bit-oriented,
XOR-ed to the LFSR’s output words. stream cipher, which uses 80-bit keys and 80-bit IVs. It
In software, its implementation takes about 2000-5000 applies three SHR and forms a nonlinear internal state to
bytes of code depending on the platform and the compiler avoid building nonlinearity mechanisms for the keystream
and it achieves a throughput of 360 Kbps [27], while its output.
hardware implementation occupies 18819 GE and achieves In hardware [88], its implementation in standard CMOS
3200 Kbps of throughput [18]. technology requires 2017 GE. An implementation in a
An improved differential fault analysis attack requires custom design with dynamic logic and C2MOS flip-flops
around 4608 faults, 235.16 SOSEMANUK iterations and only occupies 749 GE.
223.46 bytes storage to recover the inner state [83]. It takes Even though it was not designed for software
about 11.35 hours on a PC to perform the attack. applications, it performs reasonably well in software as
well [68]. The initialization process requires 2050 cycles,
the key setup 55 cycles and the stream generation 12
4.2.2. Profile 2 hardware-oriented ciphers cycles/byte.
Grain was designed with an easy and compact hardware Due to its simplicity, several attacks have been reported.
implementation in mind. It is a synchronous stream cipher An improved differential fault analysis attack can recover
and utilizes both LFSR and a non-linear filtering function. the inner state of the cipher by just injecting 2 faults and
The LFSR ensures a minimum keystream period and using 420 keystream bits [89].
balances the output. The filtering function is considered as
CAvium [38] is another new proposal based on Trivium. WG-8 [29] is an updated version of WG-7 that counters
It utilizes CA with both nonlinear and linear rules, the abovementioned attack and improves its performance.
producing a secure design that can reach the desired It uses 80-bit keys and IVs, while the characteristic
setup state of a cipher much faster than the equivalent polynomial of the LFSR consists of 8 tap positions
LFSR and NFSR structures. Thus, CAvium significantly (F28). WG-8 inherits the good randomness properties of
reduces the long key setup phase of Trivium (from 1152 the WG cipher family and is resistant to most common
to 144 rounds) and counters the cryptanalysis attacks on attacks against stream ciphers. The cipher performs well in
the reduced round versions, while retaining comparable embedded software and exhibits low energy consumption.
complexity in hardware. No independent cryptanalysis In comparison to other lightweight stream ciphers, WG-
results are presented. 8 is 2-15 times faster while consuming 2-220 times less
energy. A key recovery attack requires 253 chosen IVs to
recover the key with 253.32 complexity, for specifically
4.4.2. Other proposals selected key-IV pairs [100]. The provided security level is
A2U2 [46] is a domain specific stream cipher. It was still adequate for WSN and RFID tags when these key-IV
designed for the extremely resource limited environment of pairs are avoided.
printed electronic RFID tags. In this application field, the CAR30 [39] is a novel stream cipher that, like CAvium,
area occupied for security has to be, at most, around 500 makes use of CA. It utilizes the classical Rule 30 of CA
GE, while the power consumption is limited to a few tens along with a maximum length linear hybrid CA. This
of Ws. Throughput should also be reasonable to permit real combination of a linear and a non-linear CA, and their
time interactions with a large numbers of tags. operation over a number of rounds, reduces the linearity
A2U2 is a synchronous stream cipher that uses 56-bit with the adjacent sequence at the production of the
keys. Principles from both stream and block ciphers were keystream, alleviating the relevant security issues of CA-
taken into account during its design phase. In order to based ciphers. Moreover, the proposed solution can use
achieve a small hardware area, A2U2 uses short-length different key and IV sizes without changing the design and
registers supported by compact functional blocks and reuse the structure of the cipher. CAR30 provides configurable
of hardware components. Its implementation is strongly security and extensibility to any key and IV length. The
based on efficient hardware design principles introduced proposed setting uses 128-bit keys and 120-bit IVs for
by the KATAN [97] block cipher. More specifically, it producing 128-bit blocks of keystream in each iteration.
adopts an LFSR-based counter and a combination of two Its statistical randomness properties were successfully
NSFRs, as proposed by KATAN. The LFSR operates as a evaluated against the NIST statistical test suite for random
counter during the initialization process and then continues and pseudorandom number generators for cryptographic
to operate as an LFSR. The feedback function of each applications [101]. No independent cryptanalysis results
NFSR provides the feedback to the other NFSR. Moreover, are presented.
A2U2 uses irregular changes in the feedback and filter The design can be implemented efficiently in both
functions. hardware and software. In hardware, CAR30 achieves
A2U2 is the most compact stream cipher of the ones higher throughput than Grain and Trivium. In software, it
examined in this study. It was estimated that the smaller is faster than Rabbit. Moreover, the initialization process
version would require 284 GE and achieve 50 Kbps is fast (160 cycles), which makes CAR30 suitable for
throughput. encrypting small messages.
However, an ultra-efficient chosen plaintext attack is TinyStream [43] is a novel 128-bit stream cipher for
presented in [98], which fully recovers the secret key of wireless sensor networks (WSN), based on TinySec [102].
A2U2. It queries the encryption function on the victim tag It employs a TPM to achieve keystream randomness,
twice and solves 32 spare systems of linear equations; it which is the main feature of the cipher. The 128-bit
only takes 0.16 seconds to break the cipher on a laptop keystream is generated for each state rotation and this
computer. approach passes the full ENT randomness test [103]. In
WG-7 [28] is an updated version of the WG cipher software, it requires 65024 bytes of ROM and 1659184
which was a candidate in eSTREAM Profile 2 and bytes of RAM. TinyStream is more efficient than TinySec
which was faster than the other candidates and consumed in terms of computation and power consumption. No
less memory. WG-7 uses 80-bit keys, 81-bit IVs and is independent cryptanalysis results are presented.
parameterized for RFID tags. It is a synchronous stream
cipher and utilizes an LFSR of 23 stages over finite fields
4.5. Lightweight authenticated encryption
F27. The LFSR feeds a nonlinear filtering function which
is based on a WG transformation. Authenticated encryption (AE) is a cryptographic opera-
However, a distinguishing attack is presented in [99]. tion that simultaneously provides confidentiality, integrity
The polynomial of the LFSR allows an attacker to and authenticity over processed data. The encryption pro-
distinguish the keystream that is generated by the cipher duces the ciphertext along with an authentication tag. The
from a truly random keystream due to the small number of decryption is combined in a single step with integrity
tap positions in the LFSR. validation. It retrieves the plaintext and produces an error
and the tag are not given as output when the verification to attacks or not recommended for use in new applications
fails. and, thus, should be avoided. ASC-1 security is bounded
ACORN is bit-wise and is efficient in both hardware as it requires a mechanism to ensure that round keys are
and software. The hardware cost is slightly higher uniformly random. Concerning the newer cipher proposals,
than Trivium. The software implementation is fast and, i.e. Quavium, CAvium, CAR30 and TinyStream, further
moreover, 32 steps can be computed simultaneously and independent cryptanalysis must be conducted to verify
the cipher can be parallelized. In comparison to AES- their security properties before they can be endorsed.
GCM, ACORN is more hardware efficient. In software, it AES-CTR is the typical and widely-accepted choice
produces smaller code size and is more efficient in general for stream encryption. It is efficient on many embedded
computing devices without AES-NI [112] capability. devices, and, where applicable, it should be preferred.
Automated analysis on CAESAR candidates indicates It is used as a benchmark for stream encryption and its
that ACORN represents significantly elevated adaptive performance is the aim of new proposals.
chosen plaintext attack risks [113], but no attack is However, AES-CTR is not always an option, especially
presented so far. in constrained devices (e.g. low-power embedded systems
Sablier [34] is another CAESAR candidate. It and RFIDs) and in applications where high throughput
is a hardware-oriented stream cipher with built-in is required. Enocoro can be applied in such cases. The
authentication. The latter does not decelerate encryption cipher is designed and supported by a large industrial
due to a carefully designed leak extraction strategy that is entity in embedded electronics and is a standardized
applied on the internal state. The cipher uses 80-bit keys cipher for LWC. It is efficient in hardware and performs
and IVs. It takes 64 rounds to initialize and produced tag is reasonably well in software. Enocoro is optimized for low
32 bits. A new internal structure is proposed to produce power consumption and can be used in compact control
the keystream, consisting of only bitwise XOR, bitwise equipment and low cost sensors. The encryption process
logical AND, and bitwise intra-word rotations. Sablier’s consumes 1/10th the amount of power of AES and is faster
constrained device hardware implementation is 16 times than AES-CTR. For RFID tags, WG-8 is another attractive
faster than Trivium and requires 1925 GE. A practical state solution, as it is fast and consumes low energy.
recovery attack for Sablier v1 is presented in [114]. Cryptographic libraries suitable for embedded systems,
ASC-1 [115] is an authenticated encryption stream like Crypto++ and CyaSSL, adopt the eSTREAM Profile
cipher that utilizes AES with 128-bit key as a building 1 finalists Salsa20 and HC. Both of them were designed to
block. In more detail, it uses 128-bit keys to encrypt three outclass the AES-CTR in software. The main advantage
128-bit blocks of plaintext, using a 56-bit IV for each of these ciphers is the fast encryption stage. Salsa20 is
block. Thus, the plaintext is processed in a CFB-like mode. fast and has a short initialization phase, which makes it
However, this encryption strategy is also its main drawback suitable for Internet protocols and applications where a
as it only encrypts messages that consist of three 128- large number of packets are processed. On the other hand,
bit blocks. Also, its designers consider that the cipher is HC can be parallelized, and is thus appropriate for parallel
safe when the security problem is bounded to the case of computing applications and superscalar microprocessors
distinguishing if the round keys are uniformly random or [120]. The cipher excels in domains where large streams
are generated by a key scheduling algorithm. must be processed.
ALE [116] is another AES-based lightweight authen- For authenticated encryption, ACORN is an attractive
ticated encryption scheme. It is also inspired by ASC-1 choice, as it surpasses AES-GCM in embedded hardware
and the stream cipher LEX [117] (an eStream candidate and software. It can be parallelized, complying with
based on AES). ALE uses 128-bit keys and IVs and the latest norm of parallel computing, and, as AES,
encrypts plaintext of up to 245 bytes. It utilizes AES in supports the AES-NI for higher efficiency. As a candidate
order to benefit from the high security of the cipher and in the CEASAR competition, it has undergone detailed
the performance of the AES-NI assembly instruction set. cryptanalysis, enhancing its acceptability status. For
However, its security has already been compromised by WSNs and RFID tags, WG-8 is the best choice as
cryptanalysts [118, 119]. it fortifies security and improves energy efficiency. It
is specifically designed with wireless sensor and RFID
applications in mind. It has short initialization phase
5. MAIN RESULTS and fast de/encryption process making it suitable for
encrypting many short messages, as is usually the case in
5.1. Discussion these domains.
Self-synchronizing ciphers seems to be of no interest
Table II summarizes the features of each cipher and the to the industry and there is limited effort in designing
best cryptanalysis results. The ciphers are referred in such ciphers. Secure synchronous ciphers constitute the
chronological order. main candidates for embedded systems. The designing
RC4, A5/1, E0, Trivium, Rabbit, SOSEMANUK, of the non-linearity part is an important factor along
MICKEY 2.0, BEAN, WG-7, A2U2, ALE, Sablier, and with efficient sophisticated functions for computing the
the Grain and Hummingbird cipher families are vulnerable
algebraic immunity of the cipher for a large number of the throughput/slices metric (the higher the value, the
inputs. better).
In authenticated encryption schemes the production of Table III, summarizes the best FPGA implementations.
a robust authentication tag is also a core target. Other than The implementations were based on the latest embedded
the discrete attacks on the cipher or the tag themselves, hardware designs for each cipher (AES [121], Enocoro-
attention must also be paid in types of attacks that exploit 128 [49], WG-8 [29], Salsa20 [18], HC-256 [18]). The
vulnerabilities in both primitives to disclose data (e.g. authors implement the most efficient variants of each
[108]). Several schemes that encrypt the message and cipher, based on the throughput/slice metric.
produce the MAC simultaneously are vulnerable to attacks The relevant features in ASIC are also summarized,
(e.g. [50, 107, 116]). To this end, the encrypt-then-MAC based on the original implementation details. The metrics
approach (where the message is encrypted first and then of throughput, gate equivalent (GE) and figure of merit
the authentication tag is produced) is widely adopted (e.g. (FOM) are used to characterize each cipher in ASIC.
[109, 111]). The throughput metric is the same as in FPGA. GE
Nevertheless, it should be pointed out that choosing corresponds to the number of logic gates that are required
a secure cipher does not guarantee the security of the to implement the cipher and represents the complexity
underlying application. As practice has shown, the design and occupied area (similar to the slices metric in FPGAs).
of the protocol itself is equally important. Potential FOM is calculated as throughtput/GE 2 . It is aggregate
oversights in protocol design can compromise the security metric for estimating the size and performance tradeoff
of the implementation, a characteristic case of this being (as the throughput/slices in FPGAs. The most efficient
the WEP protocol. implementations in ASIC are presented by the FOM metric
(the higher the value, the better). Table IV, summarizes the
best ASIC implementations.
5.2. Performance evaluation WG-8, Enocoro and AES achieve lightweight imple-
Providing a fair comparative analysis of the presented mentations that are suitable for embedded systems (less
ciphers is not a trivial task, as they are implemented than 3000 GE). WG-8 is the most compact and more
in different platforms and the measured parameters efficient. Enocoro also performs well and is the only secure
aren’t correlated in a straightforward manner. However, standardized stream cipher for LWC. AES has moderate
the authors held a constrained benchmark analysis in performance but high power consumption. The secure
hardware and software, focusing on the secure ciphers eStream ciphers, Salsa20 and HC, produce large imple-
identified above (AES, Enocoro, WG-8, Salsa20, HC). mentations and aren’t appropriate for embedded hardware.
The comparison contributes to the classification and the The internal memory of HC128 alone requires around
conclusions mentioned above. 524KB, resulting in about 262000 slices in FPGA or
In general, the new ciphers are designed with AES-CTR 524000 GE in ASIC.
performance in mind and are more efficient. However, the
confidence on AES and its tested robustness is an obstacle
5.2.2. Software
new proposals have to overcome in order to be widely
Similarly, in software, the ciphers are implemented in C
adopted.
and evaluated on a low-cost credit-card-sized BeagleBone
embedded device (AM3359 ARM Cortex A8 single
5.2.1. Hardware core CPU, 720 MHz, 256MB RAM, Ubuntu OS). All
The potential hardware solutions are limited, as implementations are assessed over a common benchmark
presented in the previous sections. The authors implement suite.
the five ciphers in Verilog. The cipher designs are evaluated The metrics of throughput, ROM, RAM and combine
on a low-cost Xilinx Spartan3 XC3S1000 FPGA (7680 metric (CM) were used. Throughput is the same as
slices, 630 MHz, 55KB RAM). in hardware. ROM and RAM measures the code and
The metrics of throughput, latency, maximum fre- runtime memory requirements in KB. CM is calculated as
quency, power, and occupied flip-flops (FF) and slices (ROM × encryption cyles)/block size.
are used to characterize each cipher. Throughput counts The software implementations are based on the
the Mbps that the cipher’s encryption operation achieves. latest embedded software designs for each cipher (AES
Latency is the number of clock cycles that are required [122]/AES-CTR [49], Enocoro-128 [49] WG-8 [29],
to process a single block. Maximum frequency in MHz Salsa20 [16], HC-128 [122]). The best reported variants
is the frequency limit that is accomplished by an imple- of each cipher are implemented, based on the CM
mentation. The Xilinx Power Estimator is utilized for the metric. Table V, aggregates the most attractive software
power consumption estimation in Watts. FF constitute the implementations.
amount of memory elements that are used. Slices represent Salsa20 achieves the best performance, being fast and
the hardware area of the implementation, consisting of all with a short initialization phase. Enocoro and WG-8 also
the memory and computational components. The overall perform well with low code and memory requirements. HC
efficiency and performance/size tradeoff is estimated by is the fastest cipher, while AES is the slowest cipher.
12. S. Weis, Security and privacy in radio-frequency 28. Y. Luo, Q. Chai, G. Gong, X. Lai, A Lightweight
identification devices, Faculty of the Massachusetts Stream Cipher WG-7 for RFID Encryption and
Institute of Technology (M.I.T.), (2003). Authentication, IEEE Global Telecommunications
13. C. Manifavas, G. Hatzivasilis, K. Fysarakis, K. Rantos, Conference (GLOBECOM 2010), (2010), pp. 1-6.
Lightweight cryptography for embedded systems – 29. X. Fan, K. Mandal, G. Gong, WG-8 A Lightweight
a comparative analysis, SETOP 2013, Egham, UK, Stream Cipher for Resource-Constrained Smart
Springer, LNCS, vol. 8247, (2013), pp. 333-349. Devices, 9th International Conference QShine 2013,
14. G. Hatzivasilis, E. Gasparis, A. Theodoridis, C. Man- Greader Noida, India, January 11-12, Springer, LNCS,
ifavas, ULCL: an Ultra-Lightweight Cryptographic vol. 115, (2013), pp. 617-632.
Library for embedded systems, MeSeCCS 2014, Lis- 30. A. Klapper, A survey of feedback with carry shift
bon, Portugal, (2014). registers, SETA 2004, Springer, LNCS, vol. 3486,
15. L. Batina, J. Lano, N. Mentens, S. B. Ors, B. Preneel, (2005), pp. 56-71.
I. Verbauwhede, Energy, performance, area versus 31. N. Kumar, S. Ojha, K. Jain, S. Lal, BEAN:
security trade-offs for stream ciphers, The State of the a Lightweight Stream Cipher, 2nd international
Art of Stream Ciphers: Workshop Record, (2004), pp. conference on Security of Information and Networks
302-310. (SIN ’09), (2009), pp. 168-171.
16. T. Eisenbarth, C. Paar, A. Poschmann, S. Kumar, L. 32. G. Paul, S. Maitra, RC4 stream cipher and its variants,
Uhsadel, A Survey of Lightweight Cryptography – Discrete Mathematics and Its Applications, CRC
Implementations, IEEE Design and Test of Computers, press, (2011).
IEEE, vol. 24, issue 6, (2007), pp. 522-533. 33. D. J. Bernstein. The Salsa20 family of stream
17. N. Fournel, M. Minier, S. Ubeda, Survey and ciphers, CR.YP.TO, (2007), available online:
benchmark of stream ciphers for wireless sensor http://cr.yp.to/snuffle/salsafamily-20071225.pdf,
networks, IFIP WISTP 2007, Springer, LNCS, vol last visit: 01.07.2015.
4462, (2007), pp. 202-214. 34. B. Zhang, Z. Shi, C. Xu, Y. Yao, Z. Li, Sablier
18. T. Good, M. Benaissa, Hardware Results for Selected v1, CAESAR competition, (2014), available online:
Stream Cipher Candidates, SASC 2007, Bochum, http://competitions.cr.yp.to/round1/sablierv1.pdf, last
Germany, (2007), pp. 191-204. visit: 01.07.2015.
19. M. U. Bokhari, S. Alam, F. S. Massodi, Cryptanalysis 35. H. Wu, The Stream Cipher HC-128, New Stream
Techniques for Stream Cipher: A Survey, International Cipher Designs The eSTREAM Finalists, Springer,
Journal of Computer Applications, vol. 60, no. 9, LNCS, vol. 4986, (2008), pp. 39-47.
(2012), pp. 29-33. 36. H. Wu, A New Stream Cipher HC-256, FSE 2004,
20. G. Banegas, Attacks in stream ciphers: a survey, Springer, LNCS, vol. 3017, (2004), pp. 226-244.
IACR, eprint, article 677, (2014). 37. S. Wolfram, Cryptography with cellular automata,
21. A. Klein, Introduction to stream ciphers, Stream Crypto-85, Springer, LNCS, vol. 218, (1986), pp. 429-
Ciphers, Springer, (2013), pp. 1-13. 432.
22. S. M. Bellovin, Frank Miller: Inventor of the One- 38. K. Sandip, M. Debdeep, C. D. Roy, CAvium
Time Pad, Cryptologia, vol. 35, issue 3, (2011), pp. Strengthening Trivium Stream Cipher Using Cellular
203-222. Automata, Journal of Cellular Automata, vol. 7, issue
23. C. E. Shannon, Communication theory of secrecy 2, (2012), pp. 179-197.
systems, Bell system technical journal, vol. 28, issue 39. S. Das, D. Roy Chowdhury, CAR30: A New Scalable
4, (1949), pp. 656-715. Stream Cipher with rule 30, Cryptography and
24. J. Daemen, J. Lano, and B. Preneel, Chosen Ciphertext Communications, vol. 5, issue 2, (2013), pp. 137-162.
Attack on SSS, eStream Report, article 2005/044, 40. A. N. Pisarchik, M. Zanin, Chaotic maps cryptography
(2005). and security, Encryption: Methods, Software and
25. E. KAasper, V. Rijmen, T. E. Bjorstad, C. Rechberger, Security, Nova Science Publishers, (2010), pp. 1-28.
M. Robshaw, G. Sekar, Correlated Keystreams in 41. M. Boesgaard, M. Vesterager, T. Pedersen, J.
Moustique, AFRICACRYPT 2008, Springer, LNCS, Christiansen, O. Scavenius, Rabbit: A New High-
vol. 5023, (2008), pp. 246-257. Performance Stream Cipher, FSE 2003, Springer,
26. A. Canteaut et. al, Ongoing research areas in sym- LNCS, vol. 2887, (2003), pp. 307-329.
metric cryptography, ECRYPT Information Society 42. M. Rosen-Zvi, E. K. Ido Kanter, W. Kinzel, Mutual
Technologies, Technical report D.STVL.4, (2006). learning in a tree parity machine and its application
27. C. Berbain, O. Billet, A. Canteaut, N. Courtois, to cryptography, Physical Review E, vol. 66, issue 6,
H. Gilbert, L. Goubin, A. Gouget, L. Granboulan, (2002), pp. 066135-066148.
C. Lauradoux, M. Minier, T. Pornin, H. Sibert, 43. T. Chen, L. Ge, X. Wang, C. Jiamei, TinyStream:
SOSEMANUK, a Fast Software-Oriented Stream A Lightweight and Novel Stream Cipher Scheme for
Cipher, New Stream Cipher Designs, Springer, LNCS, Wireless Sensor Networks, CIS 2010, (2010), pp. 528-
vol. 4986, (2008), pp. 98-118. 532.
44. M. Hell, T. Johansson, W. Meier, Grain a Stream Applications, Springer, LNCS, vol. 4867, (2007), pp.
Cipher for Constrained Environments, International 188-202.
Journal of Wireless and Mobile Computing, vol. 2, No 58. N. J. AlFardan, D. J. Bernstein, K. G. Paterson, B.
1/2007, 2007, pp. 86-93. Poettering, J. C. Schuldt, On the Security of RC4 in
45. S. Babbage, M. Dodd, The Stream Cipher MICKEY TLS, USENIX Security, (2013), pp. 305-320.
2.0, eStream Project, (2006), available online: 59. A. Biryukov, A. Shamir, D. Wagner, Real Time
http://www.ecrypt.eu.org/stream/p3ciphers/mickey/ Cryptanalysis of A5/1 on a PC, Fast Software
mickey p3.pdf, last visit: 01.07.2015. Encryption (FSE), Springer, LNCS, vol. 1978, (2001),
46. M. David, D. C. Ranasinghe, T. Larsen, A2U2: A pp. 1-18.
Stream Cipher for Printed Electronics RFID Tags, 60. P. Ekdahl and T. Johansson, Another attack on A5/1,
IEEE International Conference on RFID, (2011), pp. IEEE Transactions on Information Theory, vol. 49,
176-183. issue 1, (2003), pp. 284-289.
47. G. Gong, A. Youssef, Cryptographic properties of 61. E. Barkan and E. Biham, Conditional estimators:
the Welch-Gong transformation sequence generators, An effective attack on A5/1, Selected Areas in
IEEE Transactions on Information Theory, vol. 48, no. Cryptography, Springer, LNCS, vol. 3897, (2006), pp.
11, (2002), pp. 2837-2846. 1-19.
48. D. Watanabe, K. Ideguchi, J. Kitahara, K. Muto, H. 62. J. Shah and A. Mahalanobis, A new guess-
Furuichi, Enocoro-80: A Hardware Oriented Stream and-determine attack on the A5/1 stream cipher,
Cipher, Third International Conference on Availability, Cryptology ePrint Archive, IACR, report 2012/208,
Reliability and Security (ARES 08), vol. 1294, no. (2012).
1300, (2008), pp. 4-7. 63. E. Barkan, E. Biham, N. Keller, Instant ciphertext-
49. Systems Development Laboratory, Hitachi. only cryptanalysis of GSM encrypted communication,
Enocoro-128v2: A Hardware Oriented Stream Advances in Cryptology - CRYPTO 2003, Springer,
Cipher, Hitachi Ltd., (2009), available online: LNCS, vol. 2729, (2003), pp. 600-616.
http://www.hitachi.com/rd/yrl/crypto/enocoro/ 64. T. Guneysu, T. Kasper, M. Novotny, C. Paar, A.
enocoro spec 20100222.zip, last visit: 01.07.2015. Rupp, Cryptanalysis with COPACOBANA, IEEE
50. D. Engels, X. Fan, G. Gong, H. Hu, E.M. Smith, Transactions on Computers, vol. 57, issue 11, (2008),
Hummingbird: Ultra-Lightweight Cryptography for pp. 1498-1513.
Resource-Constrained Devices, Financial Cryptogra- 65. K. Nohl and C. Paget, GSM: SRSLY, 26th Chaos
phy and Data Security - FC 2010, Springer, LNCS, vol. Communication Congress (26C3), (2009), pp. 21-49.
6054, (2010), pp.318. 66. M. Hermelin and K. Nyberg, Correlation properties
51. D. Engels, M.-J. O. Saarinen, P. Schweitzer, E. M. of the Bluetooth combiner, Information Security and
Smith, The Hummingbird-2 Lightweight Authenti- Cryptology ICISC’99, Springer, LNCS, vol. 1787,
cated Encryption Algorithm, RFIDSec 2011, Amherst, (2000), pp. 17-29.
Massachusetts, USA, (2011), pp. 19-31. 67. S. R. Fluhrer, Improved key recovery of level 1
52. M. D. Galanis, P. Kitsos, G. Kostopoulos, N. Sklavos, of the Bluetooth encryption system, Foundations of
O. Koufopavlou, C. E. Goutis, Comparison of the Cryptography Basic Tools, Cambridge University
hardware architecture and FPGA implementations of Press, (2002).
stream ciphers, 11th IEEE International Conference on 68. Y. Lu and S. Vaudenay, Faster correlation attack
Electronis, Circuitsand Systems (ICECS 2004), IEEE, on Bluetooth keystream generator E0, Advances in
(2004), pp. 571-574. Cryptology CRYPTO 2004, Springer, LNCS, vol.
53. G. Paul, S. Rathi, S. Maitra, On Non-negligible Bias 3152, (2004), pp. 407-425.
of the First Output Byte of RC4 towards the First 69. Y. Lu, W. Meier, S. Vaudenay, The conditional
Three Bytes of the Secret Key, Designs, Codes and correlation attack: A practical attack on bluetooth
Cryptography, vol. 49, No 1-3, (2008), pp. 123-134. encryption, Advances in Cryptology CRYPTO 2005,
54. G. Paul and S. Maitra, Permutation after RC4 Key Springer, LNCS, vol. 3621, (2005), pp. 97117.
Scheduling Reveals the Secret Key, Selected Areas 70. NIST Special Publication 800-38A, Recommendation
in Cryptography (SAC), Springer, LNCS, vol. 4876, for block cipher modes of operation methods
(2007), pp. 360-377. and techniques, NIST, (2001), available online:
55. M. Akgun, P. Kavak, H. Demirci, New Results on http://csrc.nist.gov/publications/nistpubs/800-
the Key Scheduling Algorithm of RC4, INDOCRYPT, 38a/sp800-38a.pdf, last visit: 01.07.2015.
Springer, LNCS, vol. 5365, (2008), pp. 40-52. 71. A. Bogdanov, D. Khovratovich, and C. Rechbergerm,
56. A. Klein, Attacks on the RC4 stream cipher, Designs, Biclique Cryptanalysis of the full AES, ASIACRYPT
Codes and Cryptography, vol. 48, No 3, (2008), pp. 2011, Springer, LNCS, vol. 7073, (2011), pp. 344-371.
269-286. 72. C. De Canniere, B. Prenel, Trivium Specifica-
57. T. Erik, R.-P. Weinmann, A. Pyshkin, Breaking 104 tions, eStream Project, (2008), available online:
bit WEP in less than 60 seconds, Information Security http://www.ecrypt.eu.org/stream/p3ciphers/trivium/
trivium p3.pdf, last visit: 01.07.2015. and minimal assumptions, Cryptology ePrint Archive,
73. W. Dai, Crypto++ Library 5.6.2, Crypto++, (2013), IACR, report 2013/494, (2013).
available online: http://www.cryptopp.com/, last visit: 88. N. Mentens, J. Genoe, B. Preneel, I. Verbauwhede,
01.07.2015. A Low-Cost Implementation of Trivium, SASC 2008,
74. M. Subhamoy, P. Goutam, M. Willi, Salsa20 Lausanne, Switzerland, (2008), pp. 197204.
cryptanalysis: new moves and revisiting old styles, 9th 89. M. S. E. Mohamed, S. Bulygin, J. Buchmann,
International Workshop on Coding and Cryptography Improved Differential Fault Analysis of Trivium,
(WCC 2015), Paris, France, (2015). COSADE 2011, Darmstadt, Germany, (2011), pp. 147-
75. wolfSSL, CyaSSL Embedded SSL Library, 158.
wolfSSL Inc., (2014), available online: 90. T. Good, M. Benaissa, Hardware Performance of
http://www.yassl.com/yaSSL/Products-cyassl.html, eStream Phase-III Stream Cipher Candidates, SASC
last visit: 01.07.2015. 2008, Lausanne, Switzerland, (2008), pp. 163-174.
76. ISO/IEC 18033-4:2011, International 91. S. Banik, S. Maitra, S. Sarkar, Improved Differential
standard for IT Security techniques, Fault Attack on MICKEY 2.0, Cryptology ePrint
ISO/IEC, (2011), available online: Archive, IACR, report 2013/029, (2013).
http://webstore.iec.ch/preview/info isoiec18033- 92. L. Ding, J. Guan, Cryptanalysis of MICKEY family
4%7Bed2.0%7Den.pdf, last visit: 01.07.2015. of stream ciphers, Security and Communication
77. M. Boesgaard, M. Vesterager, J. Christiansen, Networks, Wiley, vol. 6, issue 8, (2013), pp. 936-941.
E. Zenner, The Stream Cipher Rabbit 1, 93. S. Babbage, M. Dodd, The Stream Cipher MICKEY-
eStream Project, (2007), available online: 128 2.0, eStream Project, (2006), available online:
http://www.ecrypt.eu.org/stream/p3ciphers/rabbit/ http://www.ecrypt.eu.org/stream/p2ciphers/
rabbit p3.pdf, last visit: 01.07.2015. mickey128/mickey128 p2.pdf, last visit: 01.07.2015.
78. A. Kircanski and A. M. Youssef, Differential fault 94. M Hell and T. Johansson, Security evaluation of
analysis of Rabbit, Selected Areas in Cryptography, stream cipher Enocoro-128v2, CRYPTEC Technical
Springer, LNCS, vol. 5867, (2009), pp. 197-214. Report, No. 2008, (2010).
79. A. Kircanski and A. M. Youssef, Differential fault 95. M. Agren, On Some Symmetric Lightweight Cryp-
analysis of HC-128, AFRICACRYPT 2010, Springer, tographic Designs, Doctoral Thesis, Department of
LNCS, vol. 6055, (2010), pp. 261-278. Electrical and Information Technology, Faculty of
80. P. Stankovski, S. Ruj, M. Hell, T. Johansson, Engineering, LTH, Lund University, (2012).
Improved distinguishers for HC-128, Design, Codes 96. Y. Tian, G. Chen, J. Li, Quavium - A New Stream
and Cryptography, Springer, vol. 63, issue 2, (2012), Cipher Inspired by Trivium, Journal of Computers, vol
pp. 225-240. 7, No 5, (2012), pp. 1278-1283.
81. P. Ekdahl, T. Johansson, A New Version of the Stream 97. C. De Canniere, O. Dunkelman, M. Knezevic,
Cipher SNOW, SAC 2002, Springer, LNCS, vol. 2595, KATAN & KTANTAN a Family of Small and
(2003), pp. 47-61. Efficient Hardware-Oriented Block Ciphers, CHES
82. R. Anderson, E. Biham, L. Knudsen, Serpent: 2009, Springer, LNCS, vol. 5747, (2009), pp. 272-288.
A Proposal for the Advanced Encryption 98. Q. Chai, X. Fan, G. Gong, An Ultra-Efficient Key
Standard, AES contest, (1998), available online: Recovery Attack on the Lightweight Stream Cipher
http://www.cl.cam.ac.uk/ rja14/Papers/serpent.pdf, A2U2, Cryptology ePrint Archive, IACR, 2011/247,
last visit: 01.07.2015. (2011).
83. Z. Ma and D. GU, Improved differential fault analysis 99. M. A. Orumiehchiha, J. Pieprzyk, R. Steinfeld,
of SOSEMANUK, 8th International Conference on Cryptanalysis of WG-7: A Lightweight Stream Cipher,
Computational Intelligence and Security (CIS), IEEE, Cryptography and Communications, vol. 4, issue 3-4,
(2012), pp. 487-491. (2012), pp. 277-285.
84. D. Otte, AVR-Crypto-Lib, AVR-Crypto-Lib, (2009), 100. L. Ding, C. Jin, J. Guan, Q. Wang, Cryptanalysis of
available online: http://www.das-labor.org/wiki/AVR- lightweight WG-8 stream cipher, IEEE Transactions
Crypto-Lib/en, last visit: 01.07.2015. on Information Forensics and Security, IEEE, vol. 9,
85. M. Hell, T. Johansson, A. Maximov, A Stream Cipher issue 4, (2014), pp. 645-652.
Proposal: Grain-128, IEEE International Symposium 101. NIST Special Publication 800-22 A, Statistical test
on Information Theory, Seattle, WA, (2006), pp. 1614- suit for random and pseudorandom number generators
1618. for cryptographic applications, NIST, (2010), available
86. A. Shamir, SQUASH A New MAC with Provable online: http://csrc.nist.gov/publications/nistpubs/800-
Security Properties for Highly Constrained Devices 22-rev1a/SP800-22rev1a.pdf, last visit: 01.07.2015.
Such as RFID Tags, FSE 2008, Springer, LNCS, vol. 102. C. Karlof, N. Sastry, D. Wagner, TinySec: a link layer
5086, (2008), pp. 144-157. security architecture for wireless sensor networks,
87. S. Sarkar, S. Banik, S. Maitra, Differential Fault SenSys ’04, (2004), pp. 162-175.
Attack against Grain family with very few faults
103. J. Walker, ENT - A Pseudorandom Number 116. A.Bogdanov, F. Mendel, F. Regazzoni, V. Rijmen, E.
Sequence Test Program, ENT, (2008), available Tischhauser, ALE: AES-Based Lightweight Authenti-
online: http://www.fourmilab.ch/random/, last visit: cated Encryption, FSE’13, Springer, LNCS, (2013).
01.07.2015. 117. A. Birykov, A New 128-bit Key Stream Cipher
104. M.-J.O. Saarinen, Cryptanalysis of Hummingbird-1, LEX, eStream Project, (2005), available online:
FSE 2011, Springer, LNCS, vol. 6733, (2011), pp. http://www.ecrypt.eu.org/stream/ciphers/lex/lex.pdf,
328341. last visit: 01.07.2015.
105. ISO/IEC 18000-6, International standard for param- 118. D. Khovratovich, C. Rechberger, The LOCAL
eters for air interface communications at 860 MHz attack: Cryptanalysis of the authenticated encryption
to 960 MHz, ISO/IEC, (2013), available online: scheme ALE, Cryptology ePrint Archive, IACR, report
http://www.iso.org/iso/home/store/catalogue ics/ 2013/357, (2013).
catalogue detail ics.htm?csnumber=59644, last visit: 119. S. Wu, H. Wu, T. Huang, M. Wang, W. Wu,
01.07.2015. Leaked-State-Forgery Attack against the Authenti-
106. M.-J.O. Saarinen, Related-key attacks against full cated Encryption Algorithm ALE, ASIACRYPT 2013,
Hummingbird-2, Cryptology ePrint Archive, IACR, Springer, LNCS, vol. 8269, (2013), pp. 377-404.
2013/070, (2013). 120. K. Ayesha, B. Deblin, P. Goutam, C. Anupam,
107. M. Agren, M. Hell, T. Johanson, W. Meier, A New Optimized GPU implementation and performance
Version of Grain-128 with Optional Authentication, analysis of HC series of stream ciphers, Information
International Journal of Wireless and Mobile Comput- Security and Cryptology (ICISC 2012), Springer,
ing, vol. 5, issue 1, (2011), pp. 48-59. LNCS, vol. 7839, (2013), pp. 293-308.
108. S. Banik, S. Maitra, S. Sarkar, A Differential Fault 121. A. Moradi, A. Poschmann, S. Ling, C. Paar, H. Wang,
Attack on Grain-128a using MACs, 2nd International Pushing the limits: a very compact and a threshold
Conference SPACE 2012, Chennai, India, Springer, implementation of AES, Advances in Cryptology
LNCS, (2012), pp. 111-125. - EUROCRYPT 2011, Spinger, LNCS, vol. 6632,
109. R. Tahir, Y. Javed, A. R. Cheema, Rabbit-MAC: (2011), pp. 69-88.
Lightweight Authenticated Encryption in Wireless 122. G. Meiser, T. Eisenbarth, K. Lemke-Rust, C. Paar,
Sensor Networks, IEEE International Conference Software implementation of eSTREAM profile I
on Information and Automation, Zhangjiajie, China, ciphers on embedded 8-bit AVR microcontrollers,
(2008), pp. 573-577. Workshop Record State of the Art of Stream Ciphers
110. M. Bellare, C. Namprempre, Authenticated Encryp- (SASC 07), (2007).
tion: Relations among notions and analysis of the 123. K. Fysarakis, G. Hatzivasilis, I. Papaefstathiou,
generic composition paradigm, ASIACRYPT 2000, C. Manifavas, RtVMF – A secure Real-time Vehi-
Springer, LNCS, vol. 1976, (2000), pp. 531-545. cle Management Framework with critical inci-
111. H. Wu, ACORN: A Lightweight dent response, IEEE Pervasive Computing Magazine
Authenticated Cipher, CAESAR com- (PVC) – Special Issue on Smart Vehicle Spaces, IEEE,
petition, (2014), available online: January-March, (2016).
http://competitions.cr.yp.to/round1/acornv1.pdf, 124. K. Fysarakis, G. Hatzivasilis, I. G. Askoxylakis,
last visit: 01.07.2015. C. Manifavas, RT-SPDM: Real-time Security, HCI
112. Intel Software Network Rev 3.01, AES International 2015, Los Angeles, CA, USA, Springer,
Instructions Set, Intel, (2008), available online: LNCS, vol. 9190, (2015), pp. 1-12.
https://software.intel.com/sites/default/files/article/
165683/aes-wp-2012-09-22-v01.pdf, last visit:
01.07.2015.
113. M.-J. O. Saarinen, BRUTUS: identifying cryptana-
lytic weaknesses in CAESAR first round candidates,
Cryptology ePrint Archive, IACR, report 2014/850,
(2014).
114. X. Feng and F. Zhang, A practical state recovery
attack on the stream cipher Sablier, 8th International
Conference on Network and System Security (NSS
2014), Springer, LNCS, (2014), pp. 198-208.
115. G. Jakimoski, S. Khajuria, ASC-1: An Authenticated
Encryption Stream Cipher, Selected Areas in Cryptog-
raphy 2012, Springer, LNCS, vol. 7118, (2012), pp.
356-372.
Cipher Key size Block size IV Latency Throughput Max frequency Power FFs Slices Throughput
(bits) (bits) (bits) (cycles / block) (MBps) (MHz) (W) / Slices
Better is Lower Higher Lower Lower Lower Higher
WG-8 80 1 80 1 2112 192 0.016 207 398 0.66
Enocoro-128 128 1 64 1 900 118 0.008 239 292 0.38
Enocoro-128 128 1 64 1 1200 149 0.008 362 442 0.33
AES 128 128 - 226 8754 77 0.078 781 5948 0.18
WG-8 80 11 80 1 190 190 0.005 85 137 0.17
Salsa20 256 32 64 2 990 19.4 0.012 1286 2036 0.06
HC-128 128 512 128 - - - - - >> 262000 -
Table III. Hardware implementations of stream ciphers on FPGA ordered by the slices/throughput metric (the higher the value, the
better)
Cipher Key size Block size IV Latency Throughput at 100 KHz Tech Area (GE) FOM
(bits) (bits) (bits) (cycles / block) (MBps) (µm)
Better is Lower Higher Lower Higher
WG-8 [29] 80 11 80 1 1100 0.65 3942 0.00884
Enocoro-128 [49] 128 1 64 1 800 0.09 4100 0.00594
WG-8 [29] 80 1 80 1 100 0.65 1786 0.00391
Enocoro-80 [49] 80 1 80 1 - 0.09 2700 -
AES [121] 128 128 - 226 56.64 0.35 2400 0.00122
Salsa20 [18] 256 32 64 2 99 0.13 12126 0.00008
HC-256 [18] 256 - 256 - - 0.13 >> 524000 -
Table IV. Hardware implementations of stream ciphers on ASIC ordered by the FOM metric (the higher the value, the better)
Cipher Key size Block size IV Initialization Encryption ROM RAM Throughput at 720 MHz CM
(bits) (bits) (bits) (cycles) (cycles) (KB) (KB) (MBps)
Better is Lower Lower Lower Lower Higher Lower
Salsa20 128 512 64 460 29491 4.8 8.27 12.5 276
Salsa20 256 512 64 460 29729 4.8 8.35 12.4 278
Enocoro-128 128 1 64 4870 138 3.8 7.56 5.2 526
WG-8 80 1 80 1379 69 6.6 0.59 10.4 456
HC-128 128 512 128 2082876 17388 77.2 16.58 21.2 2621
AES 128 128 - 6953 20480 22.2 88 4.5 3552
AES-CTR 128 128 128 469.6 21942 22.3 88.5 4.2 3822
Table V. Software implementations of stream ciphers on BeagleBone ordered by the CM metric (the lower, the better)