
1278 JOURNAL OF COMPUTERS, VOL. 7, NO. 5, MAY 2012

Quavium - A New Stream Cipher Inspired by Trivium

Yun Tian*, Shanghai Jiaotong University / School of Information Security Engineering, Shanghai, China

Gongliang Chen and Jianhua Li, Shanghai Jiaotong University / School of Information Security Engineering, Shanghai, China. Email: {chengl, lijh888}@sjtu.edu.cn

Abstract—This paper is concerned with an extended form of the stream cipher Trivium. Trivium is extended to a scalable form by the coupling connection of Trivium-like shift registers. The characteristic polynomial of k Trivium-like shift registers in coupling connection is proved to have a factor of $(1+x)^k$, so k-order primitive polynomials are defined in this paper. As the main contribution, a new stream cipher, Quavium, is proposed based on 4-round Trivium-like shift registers and k-order primitive polynomials. Quavium can also be used with 3 rounds. Experimental results show that Quavium is nearly as fast as Trivium and that 3-round Quavium has a better performance.

Index Terms—stream cipher, Trivium, k-order primitive polynomials, Quavium, Trivium-like shift registers

* Corresponding author.

I. INTRODUCTION

A stream cipher is a symmetric algorithm which takes a stream of plaintext, a secret key and an IV as input and then operates on the plaintext with a key stream generated from the key and IV, typically bit by bit. Although block ciphers seem to be perfectly adequate for use in nearly all areas, stream ciphers are still desirable in a few niche areas, as pointed out by Adi Shamir at the first ECRYPT State of the Art of Stream Ciphers workshop in October 2004 [1]. These niche areas were identified as:
1) Exceptional encryption performance in software, where the luxury of additional hardware is not available to speed up encryption;
2) Any reasonable kind of encryption performance in hardware environments where the available resources such as gate count or power might be heavily restricted.

Trivium [2] is one of the promising new stream ciphers proposed in the ECRYPT Stream Cipher Project (eSTREAM). It got high scores in the evaluation due to its good performance and high security. Its simplicity and clarity perfectly demonstrate a new way to design secure stream ciphers. The original Trivium is a stream cipher with three Trivium-like shift registers in series connection. We extend it to a scalable form and propose a new stream cipher, Quavium. Quavium is a stream cipher with four Trivium-like shift registers in coupling connection, but it can also be used with three or even two Trivium-like shift registers because the coupling connection keeps the primitiveness of the characteristic polynomials. The experimental results of a C++ software implementation show that the keystream generation speed of Quavium is nearly the same as that of Trivium, and that 3-round Quavium has a better performance.

The rest of this paper is organized as follows: in Section II, we briefly review Trivium. Then, Trivium-like shift registers and k-order primitive polynomials are proposed in Section III. In Section IV, the specification of Quavium is presented. The implementation performance and security analysis of Quavium and 3-round Quavium are shown in Section V. Finally, some conclusions are drawn in Section VI.

II. TRIVIUM

Trivium is a lightweight stream cipher designed to generate up to $2^{64}$ bits of key stream from an 80-bit secret key and an 80-bit initial value (IV). The process consists of two phases: first the internal state of the cipher is initialized using the key and the IV, then the state is repeatedly updated and used to generate key stream bits. There are 288 bits in the internal state.

A. Brief Description of Trivium [2]

Let s1, …, s288 be the 288 internal bits and let zi be the keystream bit generated at time i (i = 0, 1, …). A complete description of the keystream generation phase is given by the following simple pseudo-code:

for i = 1 to N do
  t1 ← s66 + s93
  t2 ← s162 + s177
  t3 ← s243 + s288

© 2012 ACADEMY PUBLISHER doi:10.4304/jcp.7.5.1278-1283


  zi ← t1 + t2 + t3
  t1 ← t1 + s91·s92 + s171
  t2 ← t2 + s175·s176 + s264
  t3 ← t3 + s286·s287 + s69
  (s1, s2, …, s93) ← (t3, s1, …, s92)
  (s94, s95, …, s177) ← (t1, s94, …, s176)
  (s178, s179, …, s288) ← (t2, s178, …, s287)

The initialization phase operates exactly as the keystream generation phase except that it does not generate keystream. The state is rotated over 4 full cycles after the loading of key and IV; 4 full cycles means 4 × 288 = 1152 clock cycles.

The design of Trivium is inspired by block cipher design principles [3]. The S-box of a block cipher is substituted by a non-linear one-bit-output function, and the diffusion matrix is replaced by linear feedforward taps. In order to generate keystream, the output feedback (OFB) mode of block ciphers is used, which constructs the feedback taps in Trivium.

B. Research on Trivium

Trivium is designed to be both efficient and secure. During the 3 phases of the eSTREAM evaluation of the stream cipher proposals, the performance of Trivium was outstanding compared with other stream ciphers such as A5/1 (e.g. [4]). Ref. [4] points out that Trivium outperforms the other eSTREAM candidates considered in that paper in terms of the two most important optimization criteria, minimum area and maximum throughput-to-area ratio, by a factor of at least two. Until now, no attack has been successfully applied to Trivium. Maximov [5] studies two attacks on Trivium: state recovering and statistical tests. Although the analysis applied to Bivium (a reduced version of Trivium from 3 to 2 rounds) is quite successful, the results on Trivium are not good since the attacks are no faster than exhaustive search. Raddum [6] presents a new technique to solve systems of equations associated with Trivium and successfully breaks a reduced version of Trivium, named Bivium-A, in a day. But his attack is very complex when applied to the full cipher and is no faster than exhaustive search. Borghoff et al. [7] present a numerical attack on the Biviums. The estimated time complexity of this attack on Bivium-B is about $2^{63.7}$ seconds. But the paper does not show the application of the attack to the full version of Trivium.

III. TRIVIUM-LIKE SHIFT REGISTERS AND K-ORDER PRIMITIVE POLYNOMIALS

Trivium has three rounds with a similar structure. This inspires us to extend the structure to a scalable form. We decompose the structure of Trivium and introduce Trivium-like shift registers. After observing the characteristic polynomials of Trivium-like shift registers, we define k-order primitive polynomials. Unlike the series connection of LFSRs, the series connection of Trivium-like shift registers ensures that the characteristic polynomial is a k-order primitive polynomial. Quavium is an instantiated stream cipher based on Trivium-like shift registers and k-order primitive polynomials.

Fig. 1 (a), (b), (c) illustrates the 1-, 2- and 3-round Trivium-like shift registers respectively. A 3-round Trivium-like shift register updates as follows:

Figure 1. 1, 2, 3-round Trivium-like shift registers.



\[
\begin{aligned}
s_{m_3+1} &\leftarrow s_{m_1} + s_{m_3} + s_{m_5} \\
s_{m_6+1} &\leftarrow s_{m_4} + s_{m_6} + s_{m_8} \\
s_1 &\leftarrow s_{m_2} + s_{m_7} + s_{m_9}
\end{aligned}
\]

We can get a 2-round Trivium-like shift register by removing one round from the 3-round Trivium-like shift register. It updates as follows:
\[
\begin{aligned}
s_{m_3+1} &\leftarrow s_{m_1} + s_{m_3} + s_{m_5} \\
s_1 &\leftarrow s_{m_2} + s_{m_4} + s_{m_6}
\end{aligned}
\]
Similarly, a 1-round Trivium-like shift register updates as follows:
\[
s_1 \leftarrow s_{m_1} + s_{m_2} + s_{m_3}.
\]
The Trivium-like shift registers can be extended to k rounds. A k-round Trivium-like shift register updates as follows:
\[
\begin{aligned}
s_1 &\leftarrow s_{m_2} + s_{m_{3(k-1)+1}} + s_{m_{3k}} \\
s_{m_3+1} &\leftarrow s_{m_1} + s_{m_3} + s_{m_5} \\
&\;\;\vdots \\
s_{m_{3(k-1)}+1} &\leftarrow s_{m_{3(k-1)-2}} + s_{m_{3(k-1)}} + s_{m_{3(k-1)+2}}
\end{aligned}
\]
In Trivium, the 3-round Trivium-like shift register updates as follows:
\[
\begin{aligned}
s_{94} &\leftarrow s_{66} + s_{93} + s_{171} \\
s_{178} &\leftarrow s_{162} + s_{177} + s_{264} \\
s_1 &\leftarrow s_{243} + s_{288} + s_{69}
\end{aligned}
\]
Denote the internal state bits at time t (t = 0, 1, …) as $(s_1(t), s_2(t), \ldots, s_{288}(t))$. Thus the update of the internal bits from time t to time t+1 is the linear transformation (1):
\[
(s_1(t+1), s_2(t+1), \ldots, s_{288}(t+1))^T = A \cdot (s_1(t), s_2(t), \ldots, s_{288}(t))^T, \tag{1}
\]
where T denotes transposition of the vector. $A = (a_{ij})_{288 \times 288}$ is the transformation matrix of this construction, where
\[
a_{ij} = \begin{cases}
1, & j = i-1,\ 1 \le i \le 288, \\
1, & i = 1,\ j = 69, 243, 288, \\
1, & i = 94,\ j = 66, 171, \\
1, & i = 178,\ j = 162, 264, \\
0, & \text{otherwise}.
\end{cases}
\]
The characteristic polynomial of this linear shift register is the characteristic polynomial of A, denoted $\mathrm{char}_A$. It is given as
\[
\mathrm{char}_A(x) = x^{288} + x^{219} + x^{210} + x^{201} + x^{141} + x^{132} + x^{123} + x^{87} + x^{72} + x^{60} + x^{54} + x^{45} + x^{42} + x^{27} + x^{15} + 1.
\]
Let $y = x^3$; then the characteristic polynomial becomes
\[
\begin{aligned}
\mathrm{char}_A(y) ={}& y^{96} + y^{73} + y^{70} + y^{67} + y^{47} + y^{44} + y^{41} + y^{29} + y^{24} + y^{20} + y^{18} + y^{15} + y^{14} + y^{9} + y^{5} + 1 \\
={}& (y+1)^3\,(y^{93} + y^{92} + y^{89} + y^{88} + y^{85} + y^{84} + y^{81} + y^{80} + y^{77} + y^{76} + y^{73} + y^{72} + y^{70} + y^{68} + y^{67} \\
&\quad + y^{44} + y^{43} + y^{41} + y^{39} + y^{38} + y^{35} + y^{34} + y^{31} + y^{30} + y^{27} + y^{25} + y^{23} + y^{20} + y^{19} + y^{17} \\
&\quad + y^{14} + y^{13} + y^{12} + y^{9} + y^{8} + y^{6} + y^{4} + y + 1) \\
={}& (y+1)^3\, g(y),
\end{aligned}
\tag{2}
\]
where g(y) is a primitive polynomial in $F_2[y]$.

Theorem 3.1. The characteristic polynomial $\mathrm{char}_k(x) \in F_2[x]$ of a k-round Trivium-like shift register has a factor $(x+1)^k$, i.e. $\mathrm{char}_k(x)$ can be written as
\[
\mathrm{char}_k(x) = (x+1)^k\, g(x),
\]
where $g(x) \in F_2[x]$.

Proof. We only prove the case k = 3; the proofs of the other cases are similar. The transformation matrix $A = (a_{ij})_{m_9 \times m_9}$ of a 3-round Trivium-like shift register satisfies
\[
a_{ij} = \begin{cases}
1, & j = i-1,\ 1 \le i \le m_9, \\
1, & i = 1,\ j = m_2, m_7, m_9, \\
1, & i = m_3+1,\ j = m_1, m_5, \\
1, & i = m_6+1,\ j = m_4, m_8, \\
0, & \text{otherwise}.
\end{cases}
\]
The characteristic polynomial is $\mathrm{char}_k(x) = |xI - A| = |B| = |b_{ij}|$, where
\[
b_{ij} = \begin{cases}
-1, & j = i-1,\ 1 \le i \le m_9, \\
1, & i = 1,\ j = m_2, m_7, m_9, \\
1, & i = m_3+1,\ j = m_1, m_5, \\
1, & i = m_6+1,\ j = m_4, m_8, \\
x, & i = j,\ 1 \le i \le m_9, \\
0, & \text{otherwise}.
\end{cases}
\]
After elementary column transformations and Laplace expansion, $\mathrm{char}_k(x)$ becomes
\[
\begin{aligned}
\mathrm{char}_k(x) ={}& x^{m_9} + x^{m_9-m_8+m_6} + x^{m_9-m_5+m_3} + x^{m_9-m_8+m_6-m_5+m_3} + x^{m_9-m_2} \\
&+ x^{m_9-m_8+m_6-m_2} + x^{m_9-m_5+m_3-m_2} + x^{m_9-m_8+m_6-m_5+m_3-m_2} \\
&+ x^{m_9-m_7+m_6-m_4+m_3-m_1} + x^{m_6-m_4+m_3-m_1} + x^{m_9-m_7+m_6-m_4} \\
&+ x^{m_6-m_4} + x^{m_9-m_7+m_3-m_1} + x^{m_3-m_1} + x^{m_9-m_7} + 1.
\end{aligned}
\]
Let $y = x + 1$; if $y^3 \mid \mathrm{char}_k(y+1)$, then $(x+1)^3 \mid \mathrm{char}_k(x)$. It is easy to prove that the coefficients of the monomials of degree 1 and 2 in $\mathrm{char}_k(y+1)$ are all 0 (the constant term vanishes as well, since $\mathrm{char}_k(x)$ has an even number of terms). So $y^3 \mid \mathrm{char}_k(y+1)$. □
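The following Python program, added here and not part of the paper, checks the algebra of this section mechanically: it builds the characteristic polynomial of the linear skeleton of a k-round Trivium-like shift register (the AND terms of the cipher are not part of the linear register), extracts the $(x+1)^k$ factor, rewrites the result in $y = x^3$, and confirms by Cayley-Hamilton that the polynomial really annihilates the register. The characteristic polynomial is obtained from the delay-operator recurrence of the register inputs, which is an added derivation rather than the Laplace expansion used in the proof; the register tables are transcribed from the paper's pseudo-code (Sections II, IV and V.A and the Appendix), and the (length, self tap, two previous-register taps) encoding of each register is this example's own. Running it also shows that the polynomials listed for the Quavium registers in Section IV are written in the variable $y = x^3$, which `in_y()` makes explicit.

```python
"""Characteristic polynomials of Trivium-like shift registers over F2 (added example).

Not code from the paper.  A polynomial over F2 is a Python int whose bit e is
the coefficient of x^e.  The linear skeleton of a k-round register (AND terms
dropped) is a list of (length, self_tap, prev_a, prev_b): the bit entering
register i is s[self_tap] of register i plus s[prev_a] + s[prev_b] of
register i-1, positions counted from 1 inside each register; register 1 is
fed by register k (coupling connection).
"""
import random

# Transcribed from the paper's pseudo-code (Sections II, IV, V.A and Appendix).
TRIVIUM_1 = [(93, 69, 66, 93)]
TRIVIUM_2 = [(93, 69, 69, 84), (84, 78, 66, 93)]
TRIVIUM_3 = [(93, 69, 66, 111), (84, 78, 66, 93), (111, 87, 69, 84)]
QUAVIUM_1 = [(51, 33, 3, 51)]
QUAVIUM_2 = [(51, 33, 6, 57), (57, 45, 3, 51)]
QUAVIUM_3 = [(51, 33, 18, 87), (57, 45, 3, 51), (87, 27, 6, 57)]
QUAVIUM_4 = [(51, 33, 9, 93), (57, 45, 3, 51), (87, 27, 6, 57), (93, 33, 18, 87)]


def poly_mul(a, b):
    """Carry-less product in F2[x]."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = a << 1, b >> 1
    return r


def poly_divmod(a, b):
    """(quotient, remainder) of a / b in F2[x]."""
    q, db = 0, b.bit_length() - 1
    while a and a.bit_length() - 1 >= db:
        shift = a.bit_length() - 1 - db
        q |= 1 << shift
        a ^= b << shift
    return q, a


def exponents(p):
    """Exponents with nonzero coefficient, highest first."""
    return [e for e in range(p.bit_length() - 1, -1, -1) if p >> e & 1]


def char_poly(spec):
    """det(xI - A) of the linear register via the delay-operator recurrence
    (added derivation, not the paper's Laplace expansion): with in_i(t) the bit
    entering register i, (1 + D^self_i) in_i = (D^a_i + D^b_i) in_{i-1}; multiplying
    around the cycle gives the annihilating polynomial
    P(D) = prod_i (1 + D^self_i) + prod_i (D^a_i + D^b_i), and x^N P(1/x) = det(xI - A)."""
    n = sum(length for length, _, _, _ in spec)
    own, cross = 1, 1
    for _, self_tap, a, b in spec:
        own = poly_mul(own, 1 | 1 << self_tap)
        cross = poly_mul(cross, 1 << a | 1 << b)
    p = own ^ cross
    assert p.bit_length() - 1 == n        # the larger cross tap is the register's last bit
    return sum(1 << (n - e) for e in exponents(p))


def one_factor_multiplicity(p):
    """Largest k with (x+1)^k | p, together with the cofactor g = p / (x+1)^k."""
    k = 0
    while True:
        q, r = poly_divmod(p, 0b11)       # 0b11 is x + 1
        if r:
            return k, p
        p, k = q, k + 1


def in_y(p):
    """Rewrite p(x) in the variable y = x^3 (every exponent must be a multiple of 3)."""
    exps = exponents(p)
    assert all(e % 3 == 0 for e in exps)
    return sum(1 << (e // 3) for e in exps)


def linear_step(state, spec):
    """One clock of the linear skeleton; state is one 0/1 list per register."""
    inputs = []
    for i, (_, self_tap, a, b) in enumerate(spec):
        prev = state[i - 1]                # register k feeds register 1
        inputs.append(state[i][self_tap - 1] ^ prev[a - 1] ^ prev[b - 1])
    return [[t] + reg[:-1] for t, reg in zip(inputs, state)]


def cayley_hamilton_holds(spec, poly, trials=5, seed=1):
    """Check poly(A) v = sum_e A^e v = 0 on random states v: an independent
    test that poly annihilates the register described by spec."""
    rng = random.Random(seed)
    for _ in range(trials):
        cur = [[rng.randrange(2) for _ in range(length)] for length, *_ in spec]
        acc = [[0] * length for length, *_ in spec]
        for e in range(poly.bit_length()):
            if poly >> e & 1:
                acc = [[x ^ y for x, y in zip(ra, rc)] for ra, rc in zip(acc, cur)]
            cur = linear_step(cur, spec)
        if any(any(reg) for reg in acc):
            return False
    return True


if __name__ == "__main__":
    for name, spec in [("Trivium", TRIVIUM_3), ("Quavium", QUAVIUM_4)]:
        k, g = one_factor_multiplicity(in_y(char_poly(spec)))
        print(name, "(y+1)^%d factor, cofactor degree %d, Cayley-Hamilton %s"
              % (k, g.bit_length() - 1, cayley_hamilton_holds(spec, char_poly(spec))))
```

For Trivium the program reproduces $\mathrm{char}_A(x)$ and the factorization (2) exactly, and it shows why the 1-round Trivium register of the Appendix cannot be 1-order primitive: its polynomial is divisible by $(y+1)^2$, so the cofactor still has the factor $y+1$ and is not even irreducible. Whether a cofactor is primitive is not tested here; that needs the factorization of $2^{\deg g} - 1$.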



Inspired by the primitive polynomials used in linear feedback shift registers (LFSRs), we introduce k-order primitive polynomials.

Definition 3.1. Given $f(x) = \sum_{i=0}^{n} a_i x^i$, $a_i \in GF(2)$, $i = 0, 1, \ldots, n$, f(x) is called a k-order primitive polynomial (k < n) if $f(x) = (x+1)^k \cdot g(x)$, where $g(x) \in F_2[x]$ is a primitive polynomial.

Remark 1. The k-order primitive polynomial extends the definition of the primitive polynomial, because a 0-order primitive polynomial is a primitive polynomial.

We find that the characteristic polynomials of the 1-round and 2-round Trivium-like shift registers in Trivium fail to be k-order primitive polynomials (see Appendix). But the taps of the 3-round Trivium-like shift register are properly selected according to (2).

IV. DESIGN SPECIFICATION OF QUAVIUM

The lengths of key, initial value and internal state required in Quavium are the same as in Trivium, i.e. an 80-bit secret key, an 80-bit initial value and 288 internal state bits. We use a 4-round Trivium-like shift register in Quavium. The key stream generation is described as follows:

for i = 1 to N do
  t1 ← s3 + s51
  t2 ← s57 + s108
  t3 ← s126 + s195
  t4 ← s204 + s288
  zi ← t1·t4 + t2 + t3
  t1 ← t1 + s49·s50 + s96
  t2 ← t2 + s106·s107 + s135
  t3 ← t3 + s193·s194 + s228
  t4 ← t4 + s286·s287 + s33
  (s1, s2, …, s51) ← (t4, s1, …, s50)
  (s52, s53, …, s108) ← (t1, s52, …, s107)
  (s109, s110, …, s195) ← (t2, s109, …, s194)
  (s196, s197, …, s288) ← (t3, s196, …, s287)

The characteristic polynomials of the 1-round, 2-round, 3-round and 4-round Trivium-like shift registers are all k-order primitive polynomials:
\[
\begin{aligned}
\mathrm{char}_1(x) ={}& (x+1)\,(x^{16} + x^{5} + x^{4} + x^{3} + x^{2} + x + 1), \\
\mathrm{char}_2(x) ={}& (x+1)^2\,(x^{34} + x^{32} + x^{31} + x^{30} + x^{29} + x^{28} + x^{27} + x^{26} + x^{25} + x^{24} + x^{22} + x^{20} + x^{19} + x^{18} + x^{17} + x^{16} \\
&\quad + x^{8} + x^{6} + x^{4} + x^{2} + 1), \\
\mathrm{char}_3(x) ={}& (x+1)^3\,(x^{62} + x^{61} + x^{58} + x^{57} + x^{54} + x^{53} + x^{51} + x^{49} + x^{46} + x^{45} + x^{38} + x^{36} + x^{34} + x^{32} + x^{29} + x^{28} + x^{27} \\
&\quad + x^{26} + x^{25} + x^{24} + x^{23} + x^{22} + x^{21} + x^{18} + x^{17} + x^{13} + x^{12} + x^{9} + x^{8} + x^{5} + x^{4} + x + 1), \\
\mathrm{char}_4(x) ={}& (x+1)^4\,(x^{92} + x^{88} + x^{84} + x^{83} + x^{79} + x^{77} + x^{75} + x^{73} + x^{71} + x^{70} + x^{69} + x^{68} + x^{67} + x^{66} + x^{65} + x^{62} + x^{58} \\
&\quad + x^{57} + x^{55} + x^{54} + x^{53} + x^{52} + x^{51} + x^{50} + x^{49} + x^{48} + x^{45} + x^{44} + x^{36} + x^{35} + x^{32} + x^{31} + x^{29} + x^{28} \\
&\quad + x^{27} + x^{25} + x^{23} + x^{21} + x^{17} + x^{12} + x^{8} + x^{4} + 1).
\end{aligned}
\]

The output function is $f(x_1, x_2, x_3, x_4) = x_1 x_4 + x_2 + x_3$. The output function of Trivium is simply the addition of 3 bits, but in Quavium the output should be a combination of 4 bits, so we choose a 4-variable Boolean function. This function is balanced and 1st-order correlation-immune. It also has optimal algebraic immunity. Fig. 2 is the overview of Quavium.

Figure 2. Quavium.

Denote the 80-bit secret key as (k1, k2, …, k80) and the 80-bit initial value as (iv1, iv2, …, iv80). The initialization of Quavium is the same as the keystream generation process except that it does not generate key stream. The state is rotated over 4 full cycles. The initialization phase is described as follows:

  (s1, s2, …, s51) ← (k1, k2, …, k51)
  (s52, s53, …, s108) ← (k52, …, k80, iv1, …, iv28)
  (s109, s110, …, s195) ← (iv28, …, iv80, 0, …, 0)
  (s196, s197, …, s288) ← (0, …, 0, 1, 1, 1)
  for i = 1 to 4×288 do



    t1 ← s3 + s51 + s49·s50 + s96
    t2 ← s57 + s108 + s106·s107 + s135
    t3 ← s126 + s195 + s193·s194 + s228
    t4 ← s204 + s288 + s286·s287 + s33
    (s1, s2, …, s51) ← (t4, s1, …, s50)
    (s52, s53, …, s108) ← (t1, s52, …, s107)
    (s109, s110, …, s195) ← (t2, s109, …, s194)
    (s196, s197, …, s288) ← (t3, s196, …, s287)

We also tested the performance of C++ code compiled with Microsoft Visual Studio 2008. The processor used in the measurement is an Intel Core 2 Duo at 2.00 GHz. The result can be found in Table II.

TABLE II. MEASURED PERFORMANCE ON AN INTEL CORE 2 DUO CPU 2.00 GHZ

                        Trivium            Quavium            3-round Quavium
  Keystream generation  16.8 cycles/byte   17.0 cycles/byte   12.0 cycles/byte
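A bit-level reference model of the ciphers specified above, written for this page as an added example; it is not the authors' C++ implementation. It follows the pseudo-code of Section II (Trivium) and Section IV (Quavium) line by line, and also covers the 3-round variant described in Section V.A. Three points are this example's assumptions and are labelled in the code: the byte-to-bit mapping of key and IV (MSB first); the third Quavium register is loaded with the contiguous bits iv29..iv80, since the paper's listing repeats iv28; and 3-round Quavium is loaded like the first three Quavium registers and clocked 4 × 195 times during initialization, which the paper does not specify.

```python
"""Bit-level reference model of Trivium-like stream ciphers (added example).

Not the paper's C++ implementation.  State bits are indexed 1..n exactly as in
the paper (index 0 unused), one bit per list element: slow, but it mirrors
the pseudo-code line by line.
"""


class TriviumLike:
    """k-round Trivium-like cipher.  Each round i is a tuple
    (first, last, lin_a, lin_b, and_a, and_b, extra) meaning
        t_i <- s[lin_a] + s[lin_b]                    (feeds the output function)
        t_i <- t_i + s[and_a]*s[and_b] + s[extra]     (feeds the next register)
    Register i occupies positions first..last; register 1 receives t_k and
    register i > 1 receives t_{i-1}: the paper's coupling connection."""

    def __init__(self, rounds, output, init_cycles):
        self.rounds = rounds
        self.output = output          # maps [t_1, ..., t_k] to one bit
        self.init_cycles = init_cycles
        self.n = rounds[-1][1]
        self.s = None

    def load(self, state_bits):
        """Load the initial state, then clock without output (initialization)."""
        assert len(state_bits) == self.n
        self.s = [0] + list(state_bits)
        for _ in range(self.init_cycles):
            self.clock()

    def clock(self):
        """One clock cycle; returns the keystream bit z_i."""
        s = self.s
        t = [s[a] ^ s[b] for (_, _, a, b, _, _, _) in self.rounds]
        z = self.output(t)
        t = [ti ^ (s[aa] & s[ab]) ^ s[ex]
             for ti, (_, _, _, _, aa, ab, ex) in zip(t, self.rounds)]
        k = len(self.rounds)
        for i, (first, last, *_) in enumerate(self.rounds):
            s[first + 1:last + 1] = s[first:last]   # shift register i by one place
            s[first] = t[(i - 1) % k]               # t_k -> register 1, t_{i-1} -> register i
        return z

    def keystream(self, nbits):
        return [self.clock() for _ in range(nbits)]


def trivium():                                    # Section II
    return TriviumLike([(1, 93, 66, 93, 91, 92, 171),
                        (94, 177, 162, 177, 175, 176, 264),
                        (178, 288, 243, 288, 286, 287, 69)],
                       lambda t: t[0] ^ t[1] ^ t[2], 4 * 288)


def quavium():                                    # Section IV
    return TriviumLike([(1, 51, 3, 51, 49, 50, 96),
                        (52, 108, 57, 108, 106, 107, 135),
                        (109, 195, 126, 195, 193, 194, 228),
                        (196, 288, 204, 288, 286, 287, 33)],
                       lambda t: (t[0] & t[3]) ^ t[1] ^ t[2], 4 * 288)


def quavium3():                                   # Section V.A
    # 4 x 195 initialization clocks is an assumption; the paper states
    # "4 full cycles" only for the 288-bit ciphers.
    return TriviumLike([(1, 51, 3, 51, 49, 50, 96),
                        (52, 108, 57, 108, 106, 107, 135),
                        (109, 195, 126, 195, 193, 194, 33)],
                       lambda t: t[0] ^ t[1] ^ t[2], 4 * 195)


def bits(data, n):
    """bytes -> exactly n bits, MSB first, zero padded.  This byte-to-bit mapping
    is this example's own convention; match it to a test vector before comparing."""
    out = [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]
    return (out + [0] * n)[:n]


def trivium_state(key, iv):
    k, v = bits(key, 80), bits(iv, 80)
    return k + [0] * 13 + v + [0] * 4 + [0] * 108 + [1, 1, 1]


def quavium_state(key, iv):
    k, v = bits(key, 80), bits(iv, 80)
    # Registers: (k1..k51) | (k52..k80, iv1..iv28) | (iv29..iv80, 0..0) | (0..0, 1, 1, 1).
    # The paper's listing starts register 3 at iv28 again; loading the IV
    # contiguously from iv29 is this example's assumption.
    return k[:51] + (k[51:] + v[:28]) + (v[28:] + [0] * 35) + ([0] * 90 + [1, 1, 1])


def quavium3_state(key, iv):
    """Assumption: the first three Quavium registers, loaded as above."""
    return quavium_state(key, iv)[:195]


def keystream_bytes(cipher, state, nbytes):
    cipher.load(state)
    ks = cipher.keystream(8 * nbytes)
    return bytes(int("".join(map(str, ks[i:i + 8])), 2) for i in range(0, 8 * nbytes, 8))


def encrypt(make_cipher, state, data):
    """XOR data with the keystream; the same call decrypts."""
    ks = keystream_bytes(make_cipher(), state, len(data))
    return bytes(a ^ b for a, b in zip(data, ks))


if __name__ == "__main__":
    key, iv = bytes(range(10)), bytes(10)        # constructed sample key and IV
    ct = encrypt(quavium, quavium_state(key, iv), b"sample plaintext")
    print(ct.hex(), encrypt(quavium, quavium_state(key, iv), ct))
```

The model keeps the per-round tuples in the paper's 1-based numbering so each line of the pseudo-code can be located in the table; the only structural difference between the three ciphers is the round table, the output function and the initialization length, which is the point of the scalable construction.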

V. PERFORMANCE AND SECURITY OF QUAVIUM

A. Performance

Because $\mathrm{char}_3(x)$ is also a 3-order primitive polynomial, we can use the 3-round version of Quavium as a stream cipher on its own. This version has an internal state of 195 bits. It generates keystream as follows:

for i = 1 to N do
  t1 ← s3 + s51
  t2 ← s57 + s108
  t3 ← s126 + s195
  zi ← t1 + t2 + t3
  t1 ← t1 + s49·s50 + s96
  t2 ← t2 + s106·s107 + s135
  t3 ← t3 + s193·s194 + s33
  (s1, s2, …, s51) ← (t3, s1, …, s50)
  (s52, s53, …, s108) ← (t1, s52, …, s107)
  (s109, s110, …, s195) ← (t2, s109, …, s194)

Based on the figures in Ref. [8] (i.e. 12 NAND gates per flip-flop, 2.5 gates per XOR and 1.5 gates per AND), the estimated gate counts for Trivium, Quavium and 3-round Quavium are listed in Table I.

TABLE I. ESTIMATION OF GATE COUNT FOR TRIVIUM, QUAVIUM AND 3-ROUND QUAVIUM

                    Trivium   Quavium   3-round Quavium
  Flip-flops        288       288       195
  AND gates         3         5         3
  XOR gates         11        13        11
  NAND gate count   3488      3496      2372

Table I shows that Quavium extends Trivium to 4 rounds at a cost of only 8 additional NAND gates. If the available resources in a hardware implementation environment are more heavily restricted, we can use 3-round Quavium because it costs only 68 per cent of the NAND gate count of Trivium. However, Trivium cannot simply be reduced to 2 rounds because the characteristic polynomial of 2-round Trivium is not 2-order primitive.

Table II shows that Quavium performs almost as fast as Trivium in C++ code, and 3-round Quavium is nearly 30 per cent faster than Trivium.

B. Security

As discussed in Ref. [2] Section 4.1, Quavium and 3-round Quavium will also be resistant to correlation attacks. The output function of Quavium is chosen to be 1st-order correlation immune and to have optimal algebraic immunity. Moreover, unlike the series or parallel connection of LFSRs, Quavium connects Trivium-like shift registers in a coupling mode, so it is quite difficult to apply algebraic attacks [9] to Quavium. The large number of initialization cycles in Quavium also decreases the success rate of conditional differential cryptanalysis [10].

VI. CONCLUSION

Trivium has been extended to a scalable form and Trivium-like shift registers have been introduced. The characteristic polynomials of k-round Trivium-like shift registers are of the form $(1+x)^k f(x)$, so k-order primitive polynomials have been defined. A new stream cipher, Quavium, has been introduced. It is designed based on Trivium-like shift registers and k-order primitive polynomials. Quavium can also be used with 3 rounds because the connection of Trivium-like shift registers keeps the primitiveness of the characteristic polynomials. But Trivium with a decreased number of rounds cannot be used because the characteristic polynomial of 2-round Trivium is not a 2-order primitive polynomial. The performance of Quavium both in hardware and in software is almost as good as Trivium, and 3-round Quavium has a better performance than Trivium.

APPENDIX. CHARACTERISTIC POLYNOMIALS OF 1-ROUND AND 2-ROUND TRIVIUM

The characteristic polynomial of 1-round Trivium is
\[
\mathrm{char}_1(x) = x^{31} + x^{9} + x^{8} + 1.
\]
This is not a 1-order primitive polynomial.

The characteristic polynomial of 2-round Trivium is
\[
\mathrm{char}_2(x) = x^{59} + x^{36} + x^{33} + x^{14} + x^{10} + x^{9} + x^{5} + 1.
\]
This is not a 2-order primitive polynomial.
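To make the claims about the output function checkable (Section IV and Section V.B: balanced, 1st-order correlation immune, optimal algebraic immunity), the following Python code, added here and not taken from the paper, computes these three properties from the truth table of a Boolean function and contrasts Quavium's $f = x_1 x_4 + x_2 + x_3$ with Trivium's 3-bit XOR output. Correlation immunity is read off the Walsh spectrum and algebraic immunity from the rank of the monomial evaluation matrix on the supports of f and f+1; both are standard definitions, and the function names are this example's own.

```python
"""Cryptographic profile of a small Boolean output function (added example).

Computes, from the truth table, whether f is balanced, its correlation
immunity order (from the Walsh spectrum) and its algebraic immunity (minimum
degree of a nonzero annihilator of f or of f+1).  Not code from the paper.
"""
from itertools import combinations, product


def quavium_f(x1, x2, x3, x4):
    """Quavium output: z = t1*t4 + t2 + t3 (Section IV)."""
    return (x1 & x4) ^ x2 ^ x3


def trivium_f(x1, x2, x3):
    """Trivium output: z = t1 + t2 + t3 (Section II)."""
    return x1 ^ x2 ^ x3


def truth_table(f, n):
    return {x: f(*x) & 1 for x in product((0, 1), repeat=n)}


def is_balanced(tt):
    return 2 * sum(tt.values()) == len(tt)


def walsh(tt, w):
    """W_f(w) = sum_x (-1)^(f(x) + <w,x>)."""
    return sum((-1) ** (fx ^ (sum(a & b for a, b in zip(w, x)) & 1)) for x, fx in tt.items())


def correlation_immunity_order(tt, n):
    """Largest m with W_f(w) = 0 for every w of weight 1..m (Xiao-Massey)."""
    order = 0
    for m in range(1, n + 1):
        for idx in combinations(range(n), m):
            w = tuple(int(i in idx) for i in range(n))
            if walsh(tt, w) != 0:
                return order
        order = m
    return order


def rank_f2(rows):
    """Rank over F2 of rows given as bitmask ints (incremental elimination)."""
    basis = {}
    for r in rows:
        while r:
            hb = r.bit_length() - 1
            if hb not in basis:
                basis[hb] = r
                break
            r ^= basis[hb]
    return len(basis)


def has_annihilator(tt, n, d):
    """Is there a nonzero g with deg g <= d and g(x) = 0 on the support of f?
    Columns = monomials of degree <= d evaluated on the support; a nontrivial
    kernel (rank < number of monomials) is exactly such a g."""
    monomials = [m for deg in range(d + 1) for m in combinations(range(n), deg)]
    support = [x for x, fx in tt.items() if fx]
    cols = [sum(int(all(x[i] for i in mono)) << j for j, x in enumerate(support))
            for mono in monomials]
    return rank_f2(cols) < len(monomials)


def algebraic_immunity(tt, n):
    comp = {x: fx ^ 1 for x, fx in tt.items()}
    for d in range(n + 1):
        if has_annihilator(tt, n, d) or has_annihilator(comp, n, d):
            return d
    return n


def profile(f, n):
    tt = truth_table(f, n)
    return {"balanced": is_balanced(tt),
            "correlation_immunity": correlation_immunity_order(tt, n),
            "algebraic_immunity": algebraic_immunity(tt, n)}


if __name__ == "__main__":
    print("Quavium f:", profile(quavium_f, 4))   # optimal AI for n = 4 is ceil(4/2) = 2
    print("Trivium f:", profile(trivium_f, 3))
```

The contrast is the point of the paper's choice: Trivium's XOR of three bits is 2nd-order correlation immune but, being affine, has algebraic immunity 1 (its own complement annihilates it), whereas Quavium's 4-variable function gives up one order of correlation immunity for the optimal algebraic immunity of 2.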



ACKNOWLEDGMENT

This work was supported by the National Natural Science Foundation of China (Grant No. 61071078) and the National Basic Research Program of China (Grant Nos. 2010CB731403, 2010CB731406).

REFERENCES

[1] ECRYPT Network of Excellence in Cryptology, in Workshop on The State of the Art of Stream Ciphers (SASC 2004), 2004.
[2] C. De Cannière and B. Preneel, “TRIVIUM specification”, http://www.ecrypt.eu.org/stream/p3ciphers/trivium/trivium_p3., 2007.
[3] C. De Cannière, “Trivium: a stream cipher construction inspired by block cipher design principles”, in LNCS, vol. 4176, S. K. Katsikas et al., Eds. Heidelberg: Springer, 2006, pp. 171–186, doi:10.1007/11836810_13.
[4] K. Gaj, G. Southern and R. Bachimanchi, “Comparison of hardware performance of selected phase II eSTREAM candidates”, http://www.ecrypt.eu.org/stream/papersdir/2007/026.pdf, 2007.
[5] A. Maximov and A. Biryukov, “Two trivial attacks on TRIVIUM”, in SASC 2007: The State of the Art of Stream Ciphers, pp. 1–16, 2007.
[6] H. Raddum, “Cryptanalytic results on Trivium”, http://www.ecrypt.eu.org/stream/papersdir/2006/039.ps, 2007.
[7] J. Borghoff, L. R. Knudsen and M. Stolpe, “Bivium as a mixed-integer linear programming problem”, in LNCS, vol. 5921, M. G. Parker, Ed. Heidelberg: Springer, 2009, pp. 133–152, doi:10.1007/978-3-642-10868-6_9.
[8] J. Lano, N. Mentens, B. Preneel and I. Verbauwhede, “Power analysis of synchronous stream ciphers with resynchronization mechanism”, in ECRYPT Workshop, SASC - The State of the Art of Stream Ciphers, pp. 327–333, 2004.
[9] N. T. Courtois and W. Meier, “Algebraic attacks on stream ciphers with linear feedback”, in LNCS, vol. 2656, pp. 345–359, E. Biham, Ed. Heidelberg: Springer, 2003, doi:10.1007/3-540-39200-9_21.
[10] S. Knellwolf, W. Meier and M. Naya-Plasencia, “Conditional differential cryptanalysis of NLFSR-based ”, in LNCS, vol. 6477, pp. 130–145, M. Abe, Ed. Heidelberg: Springer, 2010, doi:10.1007/978-3-642-17373-8_8.

Yun Tian was born in Shanghai, China, in 1985. She received the B.S. degree in information security from the School of Information Security Engineering, Shanghai Jiaotong University, Shanghai, China, in 2008. She is currently a PhD candidate in the School of Information Security, Shanghai Jiaotong University. Her current research interests include information security and stream ciphers.

Gongliang Chen was born in Zhejiang Province, China, in 1961. He received the B.S. degree from the Department of Mathematics, Peking University, in 1983. He received the M.S. degree and the PhD degree from the Beijing Institute of Applied Mathematics and Université Saint-Étienne in 1986 and 1993 respectively. He is currently a professor in the School of Information Security Engineering, Shanghai Jiaotong University, China. His current research interests include information security, theory of cryptography and computer networks.

Jianhua Li was born in Jiangxi Province, China, in 1965. He received the B.S., M.S. and PhD degrees from Shanghai Jiaotong University in 1986, 1991 and 1998 respectively. He is currently a professor in the Department of Electronic Engineering and the School of Information Security Engineering, Shanghai Jiaotong University, China. His current research interests include information security, information processing and computer networks.
