In recent years, the hardware implementation of stream ciphers has attracted the interest of many designers, mainly due to their low implementation area on a chip. To date, however, in comparison with block ciphers, side channel attacks have not been extensively analyzed for their applicability to stream cipher hardware implementations. It has been shown that simple power analysis (SPA) attacks are applicable to stream ciphers based on one linear feedback shift register. In this paper, we extend the SPA method to stream ciphers with multiple linear feedback shift registers and to multiple linear feedback shift registers with irregular clocking. We then apply the proposed method to the well-known stream ciphers E0 and LILI-128.
INTRODUCTION
The hardware realization of many stream ciphers is more efficient than that of many common block ciphers, often requiring less area on chip. Because of this advantage, stream ciphers are known as good candidates for devices in constrained environments, such as RFID tags, wireless communication devices and smart cards [1, 2].
A side channel attack is based on information gained from the physical implementation of a cryptosystem, such as timing information [3], power consumption [4] or electromagnetic leaks [5, 6]. Some side channel attacks have been used to attack stream ciphers. For example, the template attack [7] can be applied by acquiring a device similar to the one under attack and building a template of information based on power consumption for every possible key. Then, by capturing a trace of information (such as power consumption over time) and comparing it to the templates, the correct key can be determined as the most likely one given the outcome of the comparisons. In [8], the fault attack has been used to attack different stream ciphers. A fault attack exploits the information resulting from the injection of faults into the cipher hardware. In [9], a scan chain based attack has been proposed. Also, in [10, 11], the differential power analysis attack is reviewed for its applicability to stream ciphers.
Recently, the applicability of a simple power analysis, SPA, attack on stream ciphers has been identified in [12] . The proposed method is applicable to stream ciphers with just one linear feedback shift register (LFSR). Since a number of modern stream ciphers use more than one LFSR, the direct methodology in [12] has limited applicability. In this paper, we propose a method based on simple power analysis to attack stream ciphers with multiple LFSRs such as E0 [13] . Further, we consider the applicability of the attack to irregular clocking stream ciphers by examining LILI-128 [14] .
BACKGROUND
In this section, we introduce some of the basic background of stream cipher construction and power analysis.
Linear Feedback Shift Register
LFSRs are widely used as a component of the key stream generator in many proposed stream ciphers, due to their simple hardware structure and the good pseudo-random properties of the generated sequence. A right-shifting LFSR of length consists of bits and the output of each step (i.e., as the result of a clock) is the least significant bit (equal to the right-most bit). The bit values are shifted to the right at each step (i.e., on the rising edges of the clock, assuming positive edge-triggered register flip-flops), and the most significant bit is injected into the left-most bit of the register after being produced as a linear combination of the bits currently stored in the bit registers. It is well known that if the feedback is chosen as a primitive polynomial, the LFSR can produce a sequence of bits with a maximal period of 2 . Since the register bit values and resulting outputs are generated from the linear combination of the previous bit values, the output sequence of the LFSR is easily predictable from previous outputs after steps.
The general structure of an LFSR is shown in Fig. 1, where each square represents a register bit or D flip-flop.
Power Dissipation in Electronic Circuits
The total power dissipation of a CMOS integrated circuit is divided into two parts: static and dynamic power consumption [15]. The static power dissipation is the power which is consumed in transistors as leakage current. Dynamic power consumption is due to the current that flows only when the transistors of the device are switching from one logic state to another. This current flows to charge or discharge the peripheral capacitances, mostly gate, drain and wire capacitances. The frequency at which the device is switching (for example, the clock frequency in a synchronous sequential logic circuit), the rise and fall times of the input signal, and the length of a gate have a direct effect on the duration of the current spike and its amount. For circuits clocked at reasonably high frequencies, the leakage current of the gate is negligible compared to the switching current. In the majority of electronic devices, the dynamic supply current is dominant in CMOS circuits and most of the power is consumed in moving charges in the parasitic capacitance in the CMOS gates. Hence, for high speed devices dynamic power consumption is the most significant contributor in a hardware circuit realization in CMOS technology.
Simple Power Analysis (SPA) Attack
In a simple power analysis attack, the attacker has the ability to measure the power consumed by the cryptosystem. This can be approached by putting a small resistor in series between the power supply and power input pin (or alternatively, the ground and ground pin) of the device. Using a high speed oscilloscope, the attacker can measure over time the input (or output) current which is proportional to the overall power consumption of the device. Since the dynamic power dissipation is the major consumed power in high speed circuits, sampling the consumed power gives an idea of the number of switching transistors. This information then can be used to identify characteristics of the data within the device and in the appropriate circumstances reveal secret information (such as the key) of a cipher implemented within the device.
In the approach taken in this paper, as well as others such as [16] [17] [18], the measured power consumption at the rising edge of the clock is taken as proportional to the number of bit registers changed in the system at that point in time. This is referred to as the Hamming distance By taking samples of power data synchronous digital hardware, this about data stored in the registers dur of the cipher; this information is ex state values of the LFSRs used analyzed in this paper.
Review of SPA on LFSR-based Stream Ciphers
We first consider the attack pro applicable to stream ciphers base nonlinear combining function. The represented by the initial state bits o clock cycle each bit value is shifte the value of each bit in the registe consumption as mentioned above value of the register as the state current state is represented as a clock cycle is given as . T between and is given a calculated from: ∑ where represents the value o being the right most bit of the L exclusive-OR.
According to the Hamming distan the attack [12] , the dynamic pow cipher at clock cycle t is proportion successive clock cycles it can be s between the Hamming distances values:
1,0,1 . difference to be given by:
It can be seen that is proport dynamic power consumption at cycles or measured power differen . Substituting (1) we
. Hence, for a stream cipher constructed from one LFSR and a nonlinear combining function, using power difference values, it is straightforward to find the initial bit values of the LFSR and thereby determine the key stream sequence [1] . For this purpose, we can collect enough current samples to derive power difference values and write equations similar to equation (4), relating through the linear expressions of the LFSR to the bits of . Then we have a linear system of equations with unknown variables and equations, which is easily solved to determine the key, i.e. the initial state of the LFSR, .
EXTENSION OF SPA TO CIPHERS WITH MULTIPLE LFSRS
Consider now stream ciphers constructed from multiple LFSRs and a nonlinear combining function. We now consider the novel extension of the attack in [12] to such ciphers. A system with three LFSRs is illustrated in Fig. 2, where F represents a nonlinear combining function. For simplicity in the discussion, let us assume a stream cipher with two LFSRs, and , and bit values and where 0 and 0 where and are the sizes of the LFSRs. The overall power difference of the two LFSRs, , at each clock can now take a value from {-2, -1, 0, 1, 2}. Since each LFSR could have a power difference of -1, 0 or 1, if the power difference for both LFSRs is the same and equal to -1 or 1, then the overall is -2 or 2, respectively. Although values of -2 or 2 indicate that both LFSRs must have non-zero power differences, other values of the overall will not give us any useful information about the individual LFSRs. For example, if the overall is 0, we cannot conclude whether both LFSR power differences are equal to zero or the power difference for one LFSR is equal to -1 and for the other one is equal to +1. Also, if the overall is 1, we cannot distinguish for which LFSR the power difference is zero and for which LFSR the power difference is nonzero. However, for each clock cycle where the overall is ±2, based on equation (4), we can conclude:
where and represent the -th bits of LFSR states at clock cycle .
To break the stream cipher, we need to determine the bits of the LFSRs at a particular point in time. Hence, we require enough power difference values with overall ±2 to obtain linear equations using (5) to solve for the unknown variables. The minimum number of power difference values to set up the equations is (if ) or (if ). However, the minimum is unlikely to be achieved since usable power difference values must satisfy overall ±2. When we measure the consumed power of the circuit we should observe roughly five levels of power difference. The largest negative one should be assigned to -2 and the largest positive one should be assigned to 2. The probability of a particular overall ±2 is equal to 1/8, since this occurs when the individual shift registers both have power differences of -1 or 1, each of which occurs with a probability of 1/4. Hence, on average, we require 8
, power difference values to derive equations. Letting , , given power difference values, it can be shown that the probability that there are enough usable power differences to form equations is given by
Hence, for 80 and 800 power difference values, the probability that 80 equations can be derived is 800 98.77%. Assuming that all equations derived from the power differences are linearly independent, we can solve the system for the initial state bits of the two LFSRs by using two systems of equations. The systems of equations are linear and can be solved using appropriate mathematical tools such as Sage [19] . However, the equations derived from the power difference values and the feedbacks are not necessarily all linearly independent. In fact, for an -bit LFSR, given randomly generated linear equations of the LFSR initial state bit values, from [20] the probability that all equations are linearly independent is ∏ ! (7)
for . If , then gives the probability that randomly selected equations is enough to solve for the LFSR initial state bits. For example, for 80,
.289, implying that, with 80 equations, there is a 28.9% chance of being able to solve uniquely for the 80 state bits of the LFSR. Hence, in general, to ensure that we have a high probability of solving for bits when attacking the cipher based on two LFSRs, we should obtain somewhat more than , equations from the power differences.
In the Appendix, we develop a method to calculate a lower bound on the probability, given randomly generated linear equations with , of being able to fully solve the system. For example, if 80, it can be shown that obtaining 120 random equations will give a probability of over 99.99% of being able to solve for the 80 unknowns. Hence, for the cipher based on two LFSRs, if , 80 bits, then, from equation (6), 1200 power difference values will give a 98.99% probability of obtaining 120 equations, which according to the analysis of the Appendix will give a probability of 99.99% of being solvable for the LFSR initial state bit values. Hence, for ciphers based on two LFSRs of sizes 80 bits and less, 1200 power samples will give a very high probability of being able to successfully apply SPA.
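The two-LFSR attack of this section, together with its sampling and rank probabilities, as an added example in Python (this is not code from the paper): it simulates the Hamming-distance leakage of two constructed registers, keeps only the clocks whose overall difference is ±2, turns each such clock into linear equations over the unknown initial-state bits, and solves them over GF(2). Register sizes, feedback taps and initial states are constructed test values; the binomial tail in prob_enough_usable and the product in prob_full_rank are this example's reading of equations (6) and (7), stated as assumptions rather than the paper's printed formulas. In this formulation a usable sample fixes both XOR terms of a register's difference, so it contributes two equations per register.

```python
"""Added example (not the paper's code): simulation of the Hamming-distance SPA
model for two regularly clocked LFSRs. For an n-bit right-shifting LFSR with
output sequence a, the difference between consecutive power samples is
(a[t+n-1] ^ a[t+n]) - (a[t-1] ^ a[t]) in {-1, 0, +1}; for two registers the
observed value is the sum, and only +2 / -2 samples identify both registers.
Taps, sizes and initial states are constructed; eq. (6) is assumed to be a
binomial tail and eq. (7) the product of (1 - 2^-i)."""
from math import comb

def lfsr_outputs(taps, init, length):
    # a[0..n-1] is the initial state (a[0] = right-most, output bit);
    # a[t+n] = XOR of a[t+i] for i in taps (Fibonacci LFSR).
    n, seq = len(init), list(init)
    for t in range(length - n):
        seq.append(sum(seq[t + i] for i in taps) & 1)
    return seq

def symbolic_outputs(taps, n, length):
    # Same recurrence, but each bit is a GF(2) vector over the n unknown
    # initial-state bits, packed into an int (bit i <-> initial bit a[i]).
    sym = [1 << i for i in range(n)]
    for t in range(length - n):
        v = 0
        for i in taps:
            v ^= sym[t + i]
        sym.append(v)
    return sym

def power_differences(taps, init, clocks):
    # D[t] = number of flip-flops that toggle on clock edge t (the leakage);
    # returns D[t] - D[t-1] for t = 1 .. clocks-1 (entry j is clock j+1).
    n = len(init)
    a = lfsr_outputs(taps, init, clocks + n + 1)
    d = [sum(a[t + i] ^ a[t + i + 1] for i in range(n)) for t in range(clocks)]
    return [d[t] - d[t - 1] for t in range(1, clocks)]

def equations_from_sample(sym, n, t, delta):
    # Equations (mask, rhs) over the initial state implied by one register's
    # difference of +1 or -1 at clock t (the paper's eq. (4)/(5)).
    hi = sym[t + n - 1] ^ sym[t + n]   # a[t+n-1] ^ a[t+n]
    lo = sym[t - 1] ^ sym[t]           # a[t-1] ^ a[t]
    return [(hi, 1), (lo, 0)] if delta == 1 else [(hi, 0), (lo, 1)]

def solve_gf2(equations, n):
    # Incremental Gaussian elimination over GF(2); returns (rank, solution|None).
    pivots = {}                           # pivot bit -> (reduced mask, rhs)
    for mask, rhs in equations:
        for bit, (pm, pr) in pivots.items():
            if mask >> bit & 1:
                mask, rhs = mask ^ pm, rhs ^ pr
        if mask == 0:
            if rhs:
                raise ValueError("inconsistent equations")
            continue                      # dependent on earlier equations
        bit = mask.bit_length() - 1
        for b, (pm, pr) in list(pivots.items()):
            if pm >> bit & 1:
                pivots[b] = (pm ^ mask, pr ^ rhs)
        pivots[bit] = (mask, rhs)
    if len(pivots) < n:
        return len(pivots), None
    return n, [pivots[i][1] for i in range(n)]

def recover_two_lfsrs(taps_a, taps_b, init_a, init_b, clocks):
    # Simulate the summed leakage of two registers and recover both initial
    # states from the clocks where the overall difference is +2 or -2.
    na, nb = len(init_a), len(init_b)
    da = power_differences(taps_a, init_a, clocks)
    db = power_differences(taps_b, init_b, clocks)
    sym_a = symbolic_outputs(taps_a, na, clocks + na + 1)
    sym_b = symbolic_outputs(taps_b, nb, clocks + nb + 1)
    eq_a, eq_b, usable = [], [], 0
    for j, (x, y) in enumerate(zip(da, db)):
        if x + y in (2, -2):              # both registers toggled the same way
            usable += 1
            eq_a += equations_from_sample(sym_a, na, j + 1, x)
            eq_b += equations_from_sample(sym_b, nb, j + 1, y)
    rank_a, sol_a = solve_gf2(eq_a, na)
    rank_b, sol_b = solve_gf2(eq_b, nb)
    return {"usable": usable, "rank_a": rank_a, "rank_b": rank_b,
            "init_a": sol_a, "init_b": sol_b}

def prob_enough_usable(samples, needed, p=1 / 8):
    # Assumed model for eq. (6): P(>= needed usable differences in `samples`
    # independent observations, each usable with probability 1/8).
    return 1 - sum(comb(samples, i) * p ** i * (1 - p) ** (samples - i)
                   for i in range(needed))

def prob_full_rank(n):
    # Eq. (7) with as many random equations as unknowns: prod_{i=1..n} (1 - 2^-i).
    p = 1.0
    for i in range(1, n + 1):
        p *= 1 - 2.0 ** -i
    return p

# Constructed registers: x^16+x^14+x^13+x^11+1 and x^20+x^3+1, fixed nonzero states.
TAPS_A, TAPS_B = (0, 11, 13, 14), (0, 3)
INIT_A = [(0xB5E3 >> i) & 1 for i in range(16)]
INIT_B = [(0x5A3C7 >> i) & 1 for i in range(20)]

if __name__ == "__main__":
    r = recover_two_lfsrs(TAPS_A, TAPS_B, INIT_A, INIT_B, clocks=1000)
    print("usable:", r["usable"], "recovered:", r["init_a"] == INIT_A and r["init_b"] == INIT_B)
    print("P(80 usable from 800) =", round(prob_enough_usable(800, 80), 4))
```

Run as a script it reports how many of the 1000 clocks were usable (about one in eight, as the text predicts) and whether the 16-bit and 20-bit states were recovered exactly. The same leakage model is what a designer would run before tape-out to estimate how many traces a chosen register size tolerates, which is the quantity that decides whether hiding or masking countermeasures on the register update are needed.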
APPLICATION OF THE ATTACK TO THE E0 STREAM CIPHER
The E0 stream cipher [13] is a well-known stream cipher used in Bluetooth, which is used for short range, high speed communication between devices such as mobile phones, PCs and computer accessories. It is based on four LFSRs ( , , , ) with lengths of 25, 31, 33 and 39 bits [13]. In addition to the four LFSRs, four bit registers save the state of the cryptosystem as part of the nonlinear combining function. Hence, the equations used in the simple power analysis should be expanded to include these four register bits. The output bit is a combination derived from the current bit values of the LFSRs and the former state or register values.
Since at each clock, four LFSRs and four register bits could be changed, the overall can be from 8, 7, 6, 5, 4, 3, 2, 1,0 . The useful or valid power differences are where , , and represent LFSR state bits. In addition, four equations can be written for the four register bits of the combiner.
Noting that the largest LFSR size is 39 bits, based on the discussion in the former section and the Appendix, using 60 useful power difference values (i.e., 8), with probability of more than 99.2% we can find 39 linearly independent equations to solve . To find 60 useful power differences, equations (6) and (7) modified for E0 show that 160000 power difference values are enough with probability 98.0%. Hence, with very high probability, 160000 power samples are enough to attack E0. Once the LFSR bit values are known, the four combining function state bits can be determined by exhaustively testing each possible value.
APPLICABILITY TO LILI-128
So far we have described an SPA attack on stream ciphers with regular clocks. In this section, we use SPA to attack a non-regular clocking LFSR stream cipher, LILI-128 [14] .
In LILI-128, two LFSRs are employed ( , ) to generate a random sequence.
is 39 bits in length and controls the clock of , which is 89 bits in length. The bit values of 12 and 20 in are passed through a function with a two-bit output to determine whether should be clocked one, two, three or four times to produce the key stream bits [14]. Since it is not known how many times is clocked to produce each output bit, we cannot directly set up the equations for . Hence, we should first find the bit values of . Two different architectures have been proposed for LILI-128 [14]. In the first architecture, two clocks with different speeds are employed. The first clock is used for and the second one for , which is four times faster. If 12 1 and 20 1, then is clocked four times. To use SPA and set up the equations, we should wait until 2 for the first clock (i.e. the clock driving ). When 2, we can write:
No information can be obtained for , because is not known for . Hence, at this point we cannot find any equation for . More information could be obtained by considering power consumption correlated to the clock. If power consumption could be observed for between two consecutive clocks of indicating four shifts of we can conclude:
Using equations (9) and (10), we can set up a system of linear equations to find the bit values of . Having found the bit values of , we can use the former power difference values to find the equations for the bit values of . In the second proposed architecture for LILI-128 [14], just one clock is used for both LFSRs. is implemented using four copies of the feedback function and the irregular clocking is performed in one clock cycle. For this architecture, equation (10) cannot be used; hence just equation (9) can be employed to determine the bit values. Since the size of is 39 bits, 60 equations provide 39 linearly independent equations with probability of more than 99.2%. In the second architecture, 600 power samples provide 60 usable power difference values with probability 97.5%. Hence, the second architecture is susceptible to SPA with 600 power samples with high probability. In the first architecture, equation (9) can be obtained with probability 1/8 and equation (10) can be added to the system with probability (1/8)(1/2). After collecting 300 power samples, with probability of more than 98.2%, 60 equations can be obtained to solve for the state bits of . When the bit registers of are known, finding the bit registers of is similar to the SPA attack on one LFSR proposed in [12]. To break , if we collect 110 equations, with probability of more than 99% we will have 89 linearly independent equations.
CONCLUSION
In this paper we have extended the simple power analysis attack previously proposed for stream ciphers based on one LFSR to ciphers based on multiple LFSRs. We have also extended the proposed method to stream ciphers with irregularly clocked LFSRs.
To demonstrate the proposed methods, we applied them to the well-known stream ciphers E0, which includes four LFSRs and four bit registers, and LILI-128, which includes two LFSRs, one with irregular clocking. We have shown that E0 could be broken with probability 98% using 16000 power samples, and that LILI-128 is susceptible to SPA with probability 98% using 300 power samples.
