A New Stream Cipher Inspired by Trivium

JOURNAL OF COMPUTERS, VOL. 7, NO. 5, MAY 2012, p. 1278. © 2012 ACADEMY PUBLISHER. doi:10.4304/jcp.7.5.1278-1283

Quavium - A New Stream Cipher Inspired by Trivium

Yun Tian* (Shanghai Jiaotong University / School of Information Security Engineering, Shanghai, China; Email: [email protected])
Gongliang Chen and Jianhua Li (Shanghai Jiaotong University / School of Information Security Engineering, Shanghai, China; Email: {chengl, lijh888}@sjtu.edu.cn)
* Corresponding author.

Abstract—This paper is concerned with an extended form of the stream cipher Trivium. Trivium is extended to a scalable form by the coupling connection of Trivium-like shift registers. The characteristic polynomial of k Trivium-like shift registers in coupling connection is proved to have a factor of $(1+x)^k$, so k-order primitive polynomials are defined in this paper. As the main contribution, a new stream cipher, Quavium, is proposed based on 4-round Trivium-like shift registers and k-order primitive polynomials. Quavium can also be used with 3 rounds. Experimental results show that Quavium is nearly as fast as Trivium and that 3-round Quavium has better performance.

Index Terms—stream cipher, Trivium, k-order primitive polynomials, Quavium, Trivium-like shift registers

I. INTRODUCTION

A stream cipher is a symmetric encryption algorithm which takes a stream of plaintext, a secret key and an IV as input and then operates on the plaintext with the key stream generated by the key and IV, typically bit by bit. Although block ciphers seem to be perfectly adequate for use in nearly all areas, stream ciphers are still desirable in a few niche areas, as pointed out by Adi Shamir at the first ECRYPT State of the Art of Stream Ciphers workshop in October 2004 [1]. These niche areas were identified as:
1) Exceptional encryption performance in software, where the luxury of additional hardware is not available to speed up encryption;
2) Any reasonable kind of encryption performance in hardware environments where the available resources such as gate count or power might be heavily restricted.

Trivium [2] is one of the promising new stream ciphers proposed in the ECRYPT Stream Cipher Project (eSTREAM). It has got high scores in evaluation due to its good performance and high security. Its simplicity and clarity perfectly demonstrate a new way to design secure stream ciphers.

The original Trivium is a stream cipher with three Trivium-like shift registers in series connection. We extend it to a scalable form and propose a new stream cipher, Quavium. Quavium is a stream cipher with four Trivium-like shift registers in coupling connection, but it can also be used with three or even two Trivium-like shift registers because the coupling connection keeps the primitiveness of the characteristic polynomials. The experimental results on software using C++ code show that the speed of keystream generation of Quavium is nearly the same as that of Trivium and that 3-round Quavium has better performance.

The rest of this paper is organized as follows: in Section II, we briefly review Trivium. Then, Trivium-like shift registers and k-order primitive polynomials are proposed in Section III. In Section IV, the specification of Quavium is presented. The implementation performance and security analysis of Quavium and 3-round Quavium are shown in Section V. Finally, some conclusions are drawn in Section VI.

II. TRIVIUM

Trivium is a lightweight stream cipher designed to generate up to $2^{64}$ bits of key stream from an 80-bit secret key and an 80-bit initial value (IV). The process consists of two phases: first the internal state of the cipher is initialized using the key and the IV, then the state is repeatedly updated and used to generate key stream bits. There are 288 bits in the internal state.

A. Brief Description of Trivium [2]

Let $s_1, \dots, s_{288}$ be the 288 internal bits. $z_i$ is the keystream bit generated at time i (i = 0, 1, …). A complete description of the keystream generation phase is given by the following simple pseudo-code:
    for i = 1 to N do
        $t_1 \leftarrow s_{66} + s_{93}$
        $t_2 \leftarrow s_{162} + s_{177}$
        $t_3 \leftarrow s_{243} + s_{288}$
        $z_i \leftarrow t_1 + t_2 + t_3$
        $t_1 \leftarrow t_1 + s_{91} \cdot s_{92} + s_{171}$
        $t_2 \leftarrow t_2 + s_{175} \cdot s_{176} + s_{264}$
        $t_3 \leftarrow t_3 + s_{286} \cdot s_{287} + s_{69}$
        $(s_1, s_2, \dots, s_{93}) \leftarrow (t_3, s_1, \dots, s_{92})$
        $(s_{94}, s_{95}, \dots, s_{177}) \leftarrow (t_1, s_{94}, \dots, s_{176})$
        $(s_{178}, s_{179}, \dots, s_{288}) \leftarrow (t_2, s_{178}, \dots, s_{287})$
    end for

The initialization phase operates exactly the same as the keystream generation phase except that it doesn't generate keystream. The state is rotated over 4 full cycles after the loading of key and IV. 4 full cycles means 4 × 288 = 1152 clock cycles.

The design of Trivium is inspired by block cipher design principles [3]. The S-box of a block cipher is substituted by a non-linear one-bit-output function. The diffusion matrix is changed to linear feedforward taps. In order to generate keystream, the output feedback (OFB) mode of block ciphers is used, and it constructs the feedback taps in Trivium.

B. Research on Trivium

Trivium is designed to be both efficient and secure. During the 3 phases of the eSTREAM evaluation of the stream cipher proposals, the performance of Trivium was outstanding compared with other stream ciphers such as A5/1 (e.g. [4]). Ref. [4] points out that Trivium outperforms the other eSTREAM candidates considered in that paper in terms of the two most important optimization criteria, minimum area and maximum throughput-to-area ratio, by a factor of at least two.

Until now, no attack has been successfully applied to Trivium. Maximov [5] studies two attacks on Trivium: state recovering and statistical tests. Although the analysis applied to Bivium (a reduced version of Trivium from 3 to 2 rounds) is quite successful, the results on Trivium are not good since the attacks are no faster than exhaustive search. Raddum [6] presents a new technique to solve systems of equations associated with Trivium and successfully breaks a reduced version of Trivium, named Bivium-A, in a day. But his attack is very complex when applied to the full cipher and is no faster than exhaustive search. Borghoff et al. [7] present a numerical attack on Biviums. The estimated time complexity of this attack on Bivium-B is about $2^{63.7}$ seconds. But the paper doesn't show the application of the attack on the full version of Trivium.
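The keystream generation and initialization just described, as an added bit-level implementation that is not the paper's or the Trivium designers' code: key and IV are lists of 80 bits, the state loading (key into s_1..s_80, IV into s_94..s_173, ones in s_286..s_288) is taken from the Trivium specification rather than from this page, and the `linear` switch drops the two AND terms to obtain the linear model that Section III builds on.

```python
# Added example (not the paper's code): a bit-level Trivium that follows the
# pseudo-code of Section II. Python index i holds s_{i+1}; key and iv are lists of
# 80 bits (K_1..K_80, IV_1..IV_80). The loading (key into s_1..s_80, IV into
# s_94..s_173, s_286..s_288 = 1) is taken from the Trivium specification, not this page.

def trivium_clock(s, linear=False):
    """One clock of the 288-bit state in place; returns z_i. linear=True drops the
    AND terms, giving the linear model of Section III (3-round Trivium-like register)."""
    t1 = s[65] ^ s[92]                          # t1 <- s66 + s93
    t2 = s[161] ^ s[176]                        # t2 <- s162 + s177
    t3 = s[242] ^ s[287]                        # t3 <- s243 + s288
    z = t1 ^ t2 ^ t3                            # z_i <- t1 + t2 + t3
    n1, n2, n3 = (0, 0, 0) if linear else (s[90] & s[91], s[174] & s[175], s[285] & s[286])
    t1 ^= n1 ^ s[170]                           # t1 <- t1 + s91*s92 + s171
    t2 ^= n2 ^ s[263]                           # t2 <- t2 + s175*s176 + s264
    t3 ^= n3 ^ s[68]                            # t3 <- t3 + s286*s287 + s69
    s[1:93] = s[0:92]; s[0] = t3                # (s1..s93)    <- (t3, s1..s92)
    s[94:177] = s[93:176]; s[93] = t1           # (s94..s177)  <- (t1, s94..s176)
    s[178:288] = s[177:287]; s[177] = t2        # (s178..s288) <- (t2, s178..s287)
    return z

def trivium_init(key, iv):
    """Load key and IV, then rotate 4 full cycles (4 * 288 = 1152 clocks) without output."""
    assert len(key) == 80 and len(iv) == 80
    s = list(key) + [0] * 13 + list(iv) + [0] * 4 + [0] * 108 + [1, 1, 1]
    for _ in range(4 * 288):
        trivium_clock(s)
    return s

def trivium_keystream(key, iv, nbits):
    """First nbits keystream bits for the given key and IV."""
    s = trivium_init(key, iv)
    return [trivium_clock(s) for _ in range(nbits)]

# Constructed sample states (not test vectors) for checking the linear model.
STATE_A = [int((i * 7 + 3) % 5 < 2) for i in range(288)]
STATE_B = [int((i * i + 1) % 3 == 0) for i in range(288)]

def linear_clock_is_additive(a, b):
    """Without the AND terms one clock is F_2-linear: clock(a+b) == clock(a)+clock(b)."""
    a, b, ab = list(a), list(b), [x ^ y for x, y in zip(a, b)]
    za, zb, zab = (trivium_clock(v, linear=True) for v in (a, b, ab))
    return zab == za ^ zb and ab == [x ^ y for x, y in zip(a, b)]
```

The eSTREAM test vectors can be reproduced with this code once a byte-to-bit convention for key, IV and output is fixed; the page gives none, so the checks below are structural only.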
III. TRIVIUM-LIKE SHIFT REGISTERS AND K-ORDER PRIMITIVE POLYNOMIALS

Trivium has three rounds with similar structure. This inspires us to extend the structure to a scalable form. We decompose the structure of Trivium and introduce Trivium-like shift registers. After observing the characteristic polynomials of Trivium-like shift registers, we define k-order primitive polynomials. Unlike the series connection of LFSRs, the series connection of Trivium-like shift registers ensures that the characteristic polynomial is a k-order primitive polynomial. Quavium is an instantiated stream cipher based on Trivium-like shift registers and k-order primitive polynomials.

Fig. 1 (a), (b), (c) illustrates the processes of 1-, 2- and 3-round Trivium-like shift registers respectively.

[Figure 1. 1, 2, 3-round Trivium-like shift registers.]

A 3-round Trivium-like shift register updates as follows:

$s_{m_3+1} \leftarrow s_{m_1} + s_{m_3} + s_{m_5}$
$s_{m_6+1} \leftarrow s_{m_4} + s_{m_6} + s_{m_8}$
$s_1 \leftarrow s_{m_2} + s_{m_7} + s_{m_9}$

We can get a 2-round Trivium-like shift register by reducing one round of the 3-round Trivium-like shift register. It updates as follows:

$s_{m_3+1} \leftarrow s_{m_1} + s_{m_3} + s_{m_5}$
$s_1 \leftarrow s_{m_2} + s_{m_4} + s_{m_6}$

Similarly, a 1-round Trivium-like shift register updates as follows:

$s_1 \leftarrow s_{m_1} + s_{m_2} + s_{m_3}$

The Trivium-like shift registers can be extended to k rounds. A k-round Trivium-like shift register updates as follows:

$s_1 \leftarrow s_{m_2} + s_{m_{3(k-1)+1}} + s_{m_{3k}}$
$s_{m_3+1} \leftarrow s_{m_1} + s_{m_3} + s_{m_5}$
$\dots$
$s_{m_{3(k-1)}+1} \leftarrow s_{m_{3(k-1)-2}} + s_{m_{3(k-1)}} + s_{m_{3(k-1)+2}}$

In Trivium, the 3-round Trivium-like shift register updates as follows:

$s_{94} \leftarrow s_{66} + s_{93} + s_{171}$
$s_{178} \leftarrow s_{162} + s_{177} + s_{264}$
$s_1 \leftarrow s_{243} + s_{288} + s_{69}$
Denote the internal state bits at time t (t = 0, 1, …) as $(s_1(t), s_2(t), \dots, s_{288}(t))$. Thus, the internal bits from time t to time t+1 are related by the linear transformation (1):

$(s_1(t+1), s_2(t+1), \dots, s_{288}(t+1))^T = A \cdot (s_1(t), s_2(t), \dots, s_{288}(t))^T, \quad (1)$

where $T$ means transposition of the vector. $A = (a_{ij})_{288 \times 288}$ is the transformation matrix of this 3-round Trivium-like shift register.

$\mathrm{char}_A(y) = y^{96} + y^{73} + y^{70} + y^{67} + y^{47} + y^{44} + y^{41} + y^{29} + y^{24} + y^{20} + y^{18} + y^{15} + y^{14} + y^{9} + y^{5} + 1$
$= (y+1)^3 \, (y^{93} + y^{92} + y^{89} + y^{88} + y^{85} + y^{84} + y^{81} + y^{80} + y^{77} + y^{76} + y^{73} + y^{72} + y^{70} + y^{68} + y^{67} + y^{44} + y^{43} + y^{41} + y^{39} + y^{38} + y^{35} + y^{34} + y^{31} + y^{30} + y^{27} + y^{25} + y^{23} + y^{20} + y^{19} + y^{17} + y^{14} + y^{13} + y^{12} + y^{9} + y^{8} + y^{6} + y^{4} + y + 1)$
$= (y+1)^3 \, g(y), \quad (2)$

where $g(y)$ is a primitive polynomial in $F_2[y]$.

Theorem 3.1 The characteristic polynomial $\mathrm{char}_k(x) \in F_2[x]$ of a k-round Trivium-like shift register has a factor $(x+1)^k$, i.e. $\mathrm{char}_k(x)$ can be written as

$\mathrm{char}_k(x) = (x+1)^k \, g(x),$

where $g(x) \in F_2[x]$.

Proof. We just prove the case k = 3; the proofs of the other cases are similar. The transformation matrix $A = (a_{ij})_{m \times m}$ of a 3-round Trivium-like shift register satisfies

$a_{ij} = \begin{cases} 1, & j = i-1,\ 1 \le i \le m_9, \\ 1, & i = 1,\ j = m_2, m_7, m_9, \\ 1, & i = m_3+1,\ j = m_1, m_3, m_5, \\ 1, & i = m_6+1,\ j = m_4, m_6, m_8, \\ 0, & \text{otherwise.} \end{cases}$

The characteristic polynomial $\mathrm{char}_k(x)$ is

$\mathrm{char}_k(x) = |xI - A| = |B| = |b_{ij}|,$

where

$b_{ij} = \begin{cases} -1, & j = i-1,\ 1 \le i \le m_9, \\ 1, & i = 1,\ j = m_2, m_7, m_9, \\ 1, & i = m_3+1,\ j = m_1, m_3, m_5, \\ \dots \end{cases}$
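Theorem 3.1 can be checked numerically for concrete taps. This added example (not the paper's code; function names are mine) builds the matrix $A = (a_{ij})$ from the rule in the proof for any k-round Trivium-like shift register with taps $m_1, \dots, m_{3k}$, and reads off the multiplicity of the factor $(x+1)$ in $\mathrm{char}_A(x)$ as $n - \mathrm{rank}((A+I)^e)$ over $F_2$ with $e \ge n$, which is the algebraic multiplicity of the eigenvalue 1.

```python
# Added example (not the paper's code): numerical check of Theorem 3.1 for a
# k-round Trivium-like shift register with taps m_1 < ... < m_{3k} (n = m_{3k} bits).
# A is the matrix (a_ij) of the proof; row i-1 is an int whose bit j-1 is a_ij.
TRIVIUM_TAPS = [66, 69, 93, 162, 171, 177, 243, 264, 288]   # m_1..m_9 of Trivium

def transition_matrix(m):
    k, n = len(m) // 3, m[-1]
    rows = [0] * n
    for i in range(2, n + 1):                    # shift part: a_{i,i-1} = 1
        rows[i - 1] |= 1 << (i - 2)
    def feed(i, js):                             # a_{i,m_j} = 1 for each j in js
        for j in js:
            rows[i - 1] |= 1 << (m[j - 1] - 1)
    feed(1, (2, 3 * (k - 1) + 1, 3 * k))         # s_1 <- s_{m_2}+s_{m_{3(k-1)+1}}+s_{m_{3k}}
    for r in range(1, k):                        # s_{m_{3r}+1} <- s_{m_{3r-2}}+s_{m_{3r}}+s_{m_{3r+2}}
        feed(m[3 * r - 1] + 1, (3 * r - 2, 3 * r, 3 * r + 2))
    return rows

def matmul_gf2(X, Y):
    """Row i of X*Y is the XOR of the rows of Y picked by the set bits of X[i]."""
    out = []
    for xr in X:
        acc = 0
        while xr:
            acc ^= Y[(xr & -xr).bit_length() - 1]  # lowest set bit = column index
            xr &= xr - 1
        out.append(acc)
    return out

def rank_gf2(rows):
    """Gaussian elimination over F_2, basis keyed by leading bit."""
    basis = {}
    for r in rows:
        while r:
            lead = r.bit_length() - 1
            if lead not in basis:
                basis[lead] = r
                break
            r ^= basis[lead]
    return len(basis)

def x_plus_1_multiplicity(m):
    """Multiplicity of (x+1) in char_A(x): dim ker (A+I)^e = n - rank((A+I)^e), e >= n."""
    A, n = transition_matrix(m), m[-1]
    M = [A[i] ^ (1 << i) for i in range(n)]      # A + I over F_2
    e = 1
    while e < n:                                 # square until the exponent reaches n
        M, e = matmul_gf2(M, M), 2 * e
    return n - rank_gf2(M)
```

For Trivium's taps the multiplicity comes out as exactly 3 = k, while the single-round register with m = (66, 69, 93) gives 2, so the theorem states a lower bound that a particular choice of taps may exceed.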
