Analysis and hardware implementation of synchronization methods for stream ciphers by Huang, Yaping



Analysis and Hardware Implementation of 
Synchronization Methods for Stream Ciphers 
ST. JOHN"S 
by 
©Yaping Huang 
Master of Engineering 
A thesis submitted to the 
School of Graduate Studies 
in partial fulfillment of the 
requirements forth degree of 
Master of Enginee1ing. 
Department of Electrical and Computer Enginee1ing 
Memmial Uni er ity of ewfoundland 
April 12, 2010 
NEWFOU DLA 0 
Contents 
List of Tables ........... ..................... .............................................................. ... ......... .. .. ..... IV 
List of Figures ................................................................................................................... V 
List of Abbreviations ................................................................ .. .................. ....... .. .. .... VII1 
List of Symbols .... ... ......... ........ .. .... ..... .. .. ..... ..... ............. ..... .. ...... ......... ..... .. ... ....... ........ ... IX 
Abstract ............ .......... .......................................................................... ............................. X 
Acknowledgen1ents .......... : ..................... ................................................................ ........ XII 
Chapter 1 .. .. ................ ........ ...... ........ ........... .... ....... .... ..... ... ...... ...... .. .... ..... ..... ..... ..... .. ......... I 
Introduction ...... ...... .... ...... .... .. ........ .. ..... ... ..... ... .... ... .......... ... ....... .... ............ ... .................. ... I 
1.1 Introduction to cryptography ......... ... .............. ... ... .. .... ............. .. ................ ........... .... I 
1.2 Objective of this Thesis ............................................................................................ 3 
1.3 Outline of thi Thesis ..... .... .. .................... ..... .... ..... .............. .. .. ............................... .. 5 
Chapter 2 ............................................................................... ............................... ....... .. ...... 7 
Background .. .............. ... .. ........ ....................... ..................... .. .............................................. 7 
2.1 Classification of Stream Ciphers ....... .. ........... .. ... ... ... .. .. ..... .... ...... ... ....... ... ..... .......... 7 
2.2 Stream Cipher Structures ........ ....... ...... ....... .. ................. .. ... .. ....... ... .... .... ... .... .... .... . 10 
2.2. 1 FSR (Feedback Shift Register) ... ...... .... ........ .... ..... ... .......... ............................. 10 
2.2.2 Grain-128 ............................. ......................... .......................... .. ....................... 14 
2.3 Block Cipher Modes of Operation ................................................................. ... ...... 17 
2.3.1 Output Feedback (OFB) Mode ......... ..... ..... ... .... .. .. ... ........ ... ... ... ..... .. ..... ..... .. ... 17 
2.3.2 Cipher Feedback (CFB) Mode .... ........ ....... ............................................. ......... 19 
2.3.3 Statistical Cipher Feedback (SCFB) Mode ......... ....... ... ................. ... ... ..... ..... .. 20 
2.3.4 Optimized Cipher Feedback (OCFB) Mode ...... .. .. .............. .......... ... ..... ... .... ... 23 
2.4 Marker-ba ed Mode ............................. ............ .... .......... .. ............ ........... ..... .. .... ... .. 23 
2.5 Characteristics of SCFB Mode ... ..... ..... ..... ................. .. .... ... ... ..... .................... ....... 24 
2.5.1 OFB Block Size ............ .. .................. .. ............................................................. 25 
2.5.2 Resynchronization ....................................... ..................................................... 26 
2.5.3 En·or Propagation ...................... ... .... ... ..... .... .. ........ .... ... ..... .... ... ...... .. ..... ..... .. ... 28 
2.5.4 Comparison with Other Modes .......... ..... .................. .... ............. .............. ........ 30 
2.6 Digital Hardware Implementation Tools ................................................................ 31 
2.6.1 FPGA Implementation ............................................................................. ........ 31 
2.6.2 Software Implementation ........... ... ... ..... ..... ......... .. ....... ..... .. ........ ...... ...... ... ..... . 34 
2.7 Conclusion ..................................................................... ...... .... ..... ......... .. ............. .. 35 
Chapter 3 ... ..... ........ ... ...................................... ... ..... .. ....... ... .............................................. 36 
Analysis of Characteristic of AES-ba ed SCFB mode .............. ...... ............................... 36 
3.1 SCFB Pseudocode ................... .... ................ ...... .... .... ..... ........ .. ... ............ .... .. ...... ... . 36 
3.2 Synchronization Recovery Delay ........................................ ................................ ... 38 
3.3 En-or Propagation Factor. ......... .. .................. ........ ................... ........ .... .................... 45 
3.4 Conclusion ......................................... .. ........... ... ..... .. .... .......................................... 51 
Chapter 4 ......... ...... ... ..................... ...... .............................................................................. 53 
Analysis and Design of SCFB Mode Implementation of Grain-128 .. .... ... ............... ..... .. . 53 
4.1 SCFB Mode Applied to a Synchronou Stream Cipher. ................................... .... .. 53 
4.2 Systen1 Design ................................................. ...... ...... ..... ..... .. ............................... 57 
4.2.1 Primary Keystream Generator- KSGl ....... ...... ....... ....... ... ..................... ..... .... 58 
4.2.2 Setup Keystream Generator - KSG2 ............................................ ...... ... ..... ...... 60 
4.2.3 Counters .... .......... ................. .. ........ ..... ... .. .. .... .................................. ................ 62 
II 
4.2.4 Datapath of Encryption System .................... ............................... ...... .............. 63 
4.2.5 Controller of Encryption System ..... .... .... ...... ..... .. ............................. ..... ......... 68 
4.2.6 Decryption System ......... ............ ........... ................. ..................................... .. .. . 70 
4.2.7 Systen1 Interface ....... ........ ....... ......... ............. ..... ........ ............. ........................ . 72 
4.2.8 System on FPGA Board .......................... ........ ...................... ........................ ... 74 
4.3 FPGA Implementation .......... .... ... ........... .... ........ ........ ......... ... .......... ...................... 75 
4.3.1 FPGA Board Configuration ....... .... ................................ ............ ........ ....... ..... .. 78 
4.4 Testing and Synthesis Results .. ................................................. .... .... ....... ......... ..... . 79 
4.5 Analysis of SRD and EPF .................. ............. ............................. ....... .. .................. 81 
4.5.1 Synclu·onization Recovery Delay .. .... ..... ....... ................................. .............. ... 82 
4.5.2 Error Propagation Factor ... ........ .... ......................... ... ...... ............ .............. ....... 84 
4.6 Comparison of Characteristics of SCFB mode based on AES and Grain-128 .. ..... 86 
4.6. 1 Synchronization Recovery Delay ............ .... ............ ................. .......... ............. 86 
4.6.2 EITor Propagation Factor. .................. ................... ...... ...................................... 87 
4. 7 Conclusion ... .................. .. .. ...... ......... .. ......... ................ .... ..... ....... .. ..... ... .. .. .. ......... .. 89 
Chapter 5 .................................. ............................................... .. ......... ....... ... .. ................... 91 
Analysis and Hardware Implementation of Marker-based Synchronous Stream Cipher. 91 
5.1 Description of Marker Concept ................... ..................... ....... ......... ..... .... ...... ...... . 91 
5.2 Description ofResynchronization ..... .. .. .. ... .... ........... .......................... .................... 93 
5.3 Description of Data Register at Decryption Side .. ............. ... .................................. 95 
5.4 Desc1iption of System Design ........ ...... ................................. ..... ..... .. ............... ...... 97 
5.4.1 Description of KeyStream Generator.. ........... ........................... ....................... 98 
5.4.2 Description ofEncryption Datapath .......... ........ ........ .... ............ ...................... 99 
5.4.3 Description of Encryption Controller ........... ............................................ ..... 1 0 I 
5.4.4 Description of Decryption Datapath ........................... ............... ................... . 103 
5.4.5 Description of Decryption Controller ................ .... ............................... ......... 106 
5.5 Description ofFPGA Implementation .... ... ... ....... ...... ... .... .. .... .... ... .. ..... ................ 110 
5.6 Synthesis Re ults ......................... ..... .. ............ ..... ... ... ..... .................. .................... 111 
5.7 Characteristics of Marker-based Synchronization Implementation .. ........ ... ......... 11 2 
5.8 Comparison ofSCFB Mode and Marker-based Mode ............ ........ ..... ... ..... ........ 116 
5.9 Comparison ofFPGA implementation of AES and SCFB Mode and Marker-based 
Mode ....... ...... .. ....... ... ...... ... .. ..... ... ...... ..... ..... .. ... ....... ..... .... ... .... .. .......... .. .. ..... ..... ......... 117 
5.10 Conclusion ...... ..... ... .. ... .. ........ .... .. ............... ............... ................... ........ ....... ... .... 118 
Chapter 6 ........ ................ .......................................... .......................... ........... ... ..... ... ... .... 120 
Conclusion and Future Work ................ ...... ....... .... .... ....... .... .... .. ......... ........ .. .. ..... .......... 120 
6.1 Su1nn1a.ry ........... ....... .................... ...... ........ ... .... .... ......... ........ ........ ... ... .......... .. ..... 120 
6.2 Conclusions .. .. ... .......... ... .. ............ .. ... .... ......... .. .. ................ .... ...... ......................... 122 
6.3 Future Work .................... ...................... ........ .. ....... ........ ............ ...... ..................... 124 
Appendix .. ...... ...... .......... .................. .. .... .................. .......... ... ... .. ... ... ... .... .. .............. ........ 129 
III 
List of Tables 
Table 2.1. Summadze of SRD and EPF for OFB, CFB, and SCFB mode ....................... 30 
Table 3.1. Best sync pattern forn1at list for SRD ..... ... ... .... ...... ............. ..................... ... .... 44 
Table 3.2. Best ync pattern fonnat list for EPF ............................................................... 50 
Table 4.1. Input and output signals of structure of KSG 1 .. ... ..... ... ....... ........ ... ..... ............ 60 
Table 4.2. Input and output signals of structure of KSG2 ................................................ 62 
Table 4.3. Input and output signals of block diagram of encryption sy tem ....... ........... .. 64 
Table 4.4 Control ignals of transfer cycles of SCFB ystem interface ........................... 74 
Table 4.5. Mapping table of SCFB mode configured for Grain-128 ................................ 77 
Table 4.6. Test vectors of Grain-128 ........ ...... .. ......................... ...... .................. .... ........... 80 
Table 4. 7. Device utilization of SCFB configured by Stream Cipher .................. .. ........ .. 81 
Table 5.1. MSNum in tenns of marker position ............................................................. I 09 
Table 5.2. Device utilization ofmarker-ba ed mode .. ....... ........ .................................. ... 11 2 
IV 
List of Figures 
Figure 2.1. General mode of a synchronous stream cipher. ............ ............ ........................ 9 
Figure 2.2. General mode of a self-synchronizing stream cipher ................. ........... ...... ... 1 0 
Figure 2.3. Feedback shift register of length L [16] .................. ...... ........................ ....... .. 11 
Figure 2.4. Linear feedback shift register of length L [ 16] ........ ................. .. ... ...... .. ... ... ... 12 
Figure 2.5. Nonnal mode of onlinear combination generator ........... .......... ................ ..... 13 
Figure 2.6. the Geffe Generator ............ ..... ...... .......... .................................. .. ................ ... 14 
Figure 2. 7. An overview of the Grain-128 ......... ................................ ....... ... ...... .... ........ ... 15 
Figure 2.8. Initialization mode of stream cipher Grain-128 .... ......... ... ............................. 16 
Figure 2.9. Structure ofOFB mode ...... ....... ............ ....... ............... .... ... ... .... .. ......... .......... 18 
Figure 2.1 0. Structure of CFB mode .... ..... ......... .. ............ ..... ....... ........... ........................ .. 19 
Figure 2.11. Sh-ucture of SCFB mode .. ............ ............ ...... ......... ....... .... ..... ..... .. ..... .... ..... 21 
Figure 2.12. Synchronization cycle of SCFB mode .............. ................. ........... ........... .... 22 
Figure 2.13. Picture ofDigilent Nexys II board ...................... ..... .. ........... .. .... ........ .. .. ..... 34 
Figure 3.1. SCFB pseudocode [1 0] ....... .......... ... .... ... ... ....... ............. .. .... .. ...... ...... .. .... ....... 37 
Figure 3.2. SRD versus sync pattern size .... ........................ ........... ................... ............... 39 
Figure 3.3. SRD versus sync pattern with sync pattern size n = 4 ......... ............ ............... 40 
Figure 3.4. SRD versus sync pattern with ync pattern size n = 6 .... ............ .... .. .. ............ 41 
Figure 3.5. SRD versus sync pattem with sync pattern size n = 8 ...... .............. .............. .. 41 
Figure 3.6. EPF versus sync pattem size ................................. .................................... ..... 46 
Figure 3.7. EPF versus sync pattern with sync pattern size n = 4 .... ......... .. ... .. ............ .. ... 48 
Figure 3.8. EPF versus sync pattern with sync pattem size n = 6 ... ... .. ........... ...... ....... ..... 48 
Figure 3.9. EPF versus sync pattern with ync pattern size n = 8 ... ............ ............... ....... 49 
Figure 4.1. Structure of SCFB mode configured for stream cipher. .. ........ .. ........ .... ......... 55 
Figure 4.2. Synchronization cycle ofSCFB mode configured for sh·eam cipher .......... ... 56 
Figure 4.3. Structure of KSG 1 ...... ................. .. ... .... ..... ..... .. ................ .......... .......... ...... .... 59 
Figure 4.4. Structure of KSG2 ... .......... ... ........ ..... .. ............. .. .... .. .. .... .. ..... ...... ... ...... .. .. .. .. .. 61 
Figure 4.5. Block Diagram of Encryption System ....................... ... ........................... ....... 65 
v 
Figure 4.6. Structure of data path of encryption system .................................................... 66 
Figure 4.7. Block diagram of datapath of encryption system ........................................... 67 
Figure 4.8. FSM of controller of encryption system ......................................................... 68 
Figure 4.9. Block diagram of controller of encryption system ......................................... 70 
Figure 4.1 0. Block diagram of decryption system ..................................... :: ..................... 71 
Figure 4 .1 1. Block diagram of SCFB system interface .................................................... 73 
Figure 4.12. Block diagram of the implementation ofSCFB mode ................................. 75 
Figure 4.1 3. Block diagram of encryption with decryption system .................................. 76 
Figure 4.14. Block diagram of SCFB system with interface ............................................ 77 
Figure 4.15. Digilent Export main window [ 4] ................................................................. 78 
Figure 4.16. Digilent TransP01t Register VO window [ 4] ................................................ 79 
Figure 4.17. SRD versu sync pattern size with format ·'1 00 ... 00'' .................................. 83 
Figure 4.18. EPF versus sync pattern size with format " 1 00 ... 00'' ................................... 85 
Figure 4.19. Comparison of SRD based on AES and Grain-128 ...................................... 87 
Figure 4.20. Comparison of EPF based on AES and Grain-128 ...................................... 88 
Figure 5.1. Structure of marker-based syncl1ronous stream cipher .................................. 92 
Figure 5.2. Synchronization cycle of marker-based synchronous stream cipher ............. 93 
Figure 5.3. Structure of data register of marker-based mode .............. ............................. 96 
Figure 5.4. Block diagram ofLFSR ........................................................................ .. .. ...... 99 
Figure 5.5. Structure of LFSR ........................................................................................... 99 
Figure 5.6. Structure of datapath of encryption system .................................................. 100 
Figure 5.7. Block diagram of controller of encryption system ....................................... 102 
Figure 5.8. Flow chart of controller of encryption system ............................................. 1 03 
Figure 5.9. Structure of marker detector component of decryption system .............. .. .... 104 
Figure 5.1 0. Structure of datapath of decryption system ................................................ 105 
Figure 5.11. Block diagram of controller of decryption system ..................................... 107 
Figure 5.12. Flow chart of conh·oller of decryption system ........................................... 108 
Figure 5.13. Block diagram ofhardware implementation structure ofmarker-based mode 
............................................................ ....... ....... ........... ..................... .... ... .... .................... 110 
Figure 5.14. SRD versus COUNT_MAX .......................................... ........ .................... . 115 
VI 
Figure A 1. Simulation result of marker-ba ed stream cipher ......... ...... ..... .... ..... .... .. ...... 129 
Figure A2. Simulation result ofGrain-128 with keyl and lVl ... ..... .... ... ... ........ ......... .-. 130 
Figure A3. Simulation result of Grain-128 with key2 and IV2 ......... ..... ...... .... .. ....... .... . 130 
Figure A4. Simulation result of Grain-128 based SCFB mode with key I and lVI .. ..... 131 
Figure AS. Simulation result of Grain-128 ba ed SCFB mode with key2 and IV2 ..... .. 131 
Vll 
List of Abbreviations 
SCFB Statistical Cipher Feedback 
OFB Output Feedback 
CFB Cipher Feedback 
OCFB Optimized Cipher Feedback 
FPGA Field Programmable Gate Array 
DES Data Encryption Standard 
AES Advanced Encryption Standard 
XOR Exclusive Or 
FSR Feedback Shift Register 
LFSR Linear Feedback Shift Register 
NLFSR Non Linear Feedback Shift Register 
SRD Synchronization Recovery Delay 
EPF Error Propagation Factor 
KSG Key Stream Generator 
IV Initialization Vector 
CTSNUM Ciphetext Shift umber 
MSNUM Marker Shift Number 
Vlll 
f 
g 
h 
C(D) 
L 
p(xJ>x2 ,xJ 
q(x) 
m(x) 
Ki 
n 
k 
P(k) 
E{k} 
B 
Ek() 
a 
List of Symbols 
the state of the stream cipher for bit i 
the i-th bit for keystream 
the i-th bit for plaintext 
the i-th bit for ciphertext 
the next state function 
the function to produce the keystream 
the function to produce ciphe1text 
the feedback polynomial of LFSR 
the feedback bit of LFSR 
the length of LFSR 
the combining function of Geffe Generator 
the feedback polynomial ofNLFSR ofGrain-128 
the boolean function of Grain-128 
the key of Grain-128 
the size of synchronization pattem 
the size of OFB block 
the probability of the OFB block size k 
the expectation of the OFB block size k 
the size ofblock cipher 
the AES operation 
the initial N 
the selected sync pattem 
then-bit window 
the size of the TV 
IX 
Abstract 
In this thesis, we investigate two synchronization methods for stream ciphers. The first 
is statistical cipher feedback (SCFB) mode, which is a recently proposed mode of 
operation for block ciphers. The other is the marker-based mode, which is the 
synchronous stream cipher using "marker'' to regain synchronization. SCFB mode is a 
hybrid of OFB mode and CFB mode; hence, it has a high throughput and the capability of 
self-synchronizing. The marker-based synchronous stream cipher is also able to obtain 
synchronization under limited circumstances. 
In this thesis, SCFB mode and the marker-based mode are both implemented in digital 
hardware targeting the FPGA technology. The device we have used is the Xilinx Spartan-
3E FPGA. Commonly, SCFB mode is implemented by using the block cipher, AES, as 
the keystream generator; however, in our research, we use the stream cipher Grain-128, 
. as the keystream generator for SCFB mode implementation. The de igned system 
structure and synthesis results of the two modes are given in this thesis. Throughout our 
research, VHDL code and Modelsim PE Student Edition 6.5d are used to design and 
simulate the functionality of our systems. The behavior level description i synthesized 
by using Xilinx ISE Webpack I 0.1 tool and the .bit stream which is used to configure 
FPGA board is generated. The designed system is run on the Digilent Nexys ll FPGA 
board and tested. To download the .bit stream on to the FPGA board and transfer data 
between the computer and FPGA, the Digilent Adept Suite tool is used. 
Through the FPGA hardware implementation, we obtain that SCFB mode configured 
for a stream cipher, Grain-128, can run at the speed of 89Mbps on a real FPGA and an 
efficiency of SCFB mode is 100%. The marker-based mode can reach the speed of 113 
X 
Mbps and has an efficiency of 94%. Although the system of marker-based mode is a little 
faster and has Jess hardware complexity than SCFB mode, it is limited in its 
synchronization recovery. In contrast, SCFB mode can regain synchronization for any 
number of bit slips. Hence, SCFB mode is more suitable for high speed physical layer 
secmity. 
The perfom1ance analysis of SCFB mode and marker-based mode is also provided 
with respect to characteristics of synchronization recovery delay (SRD) and enor 
propagation factor (EPF). In pa1iicular, through the simulation of SRD and EPF versus 
varying sync patterns, we have found the best sync pattern forn1at for SCFB mode. The 
best sync patterns are unconelated, that is, the shifted version of the sync pattern do not 
match the bits from the original sync pattern. ln our research, we have used the sequence 
" 1 0000000·' as the sync pattern for SCFB mode implementation and as the marker for 
marker-based synchronous stream cipher implementation. 
XI 
Acknowledgements 
I would like to give my sincere gratitude to my supervisor, Dr. Howard Heys. During 
the past two years tudy, he has given me constant guidance, feedback, and 
encouragement to my research. He also gave me consistent trust and support to help me 
with my work and life in a foreign country. His two year's supervision will be the great 
asset in my future work. 
I also want to take this opportunity to thank all the members of Computer Engineering 
Research Laboratory (CERL) in Memorial University of ewfoundland during the two 
years. 
Thank you for all my friends for the precious friendship and generou upp01i. 
Thank you for my parents and my younger brother for their love and continuous 
encouragement during two years of my Master's study. 
I also would like to thank my husband, Hao Chen, for his elfle upport, great help 
and continuous encouragement in the pur ing of my Master degree. 
XIJ 
Chapter 1 
Introduction 
1. 1 Introduction to cryptography 
Cryptography, in Greek, literally means hidden writing or the rut of changing the plain 
text message [20]. Generally, it consists of encryption and decryption, which are the two 
complementary processes. The encryption process is to trm1sfonn the infonnation into 
unreadable fom1at except for the intended recipient; while the decryption process is to 
restore the encrypted message [20]. Cryptography was first used by the Egyptians some 
4000 years ago. During World War I m1d World War II, cryptography played a vital role 
[ 6]. Nowadays, with the rapid development of infonnation technology and the increasing 
usage of the Internet, network security has become a big concern; therefore, the study of 
cryptography is getting more necessary. 
Based on the public availability of the key, cryptography algorithms can be classified 
into two types: asymmetric (or public key) ciphers and symmetric (or conventional or 
single-key) ciphers [20]. In the asymmetric key ciphers, there is a pair ofkeys, with one 
of them for encryption and the other for decryption. These two keys are related to each 
other; however, it is computationally infeasible to determine the decryption key given the 
only knowledge of encryption algorithm m1d encryption key. One of the most fmnous 
public key ciphers is RSA, which is widely used in digital signatures and message 
authentication [20]. In symmetric key cryptography, both the sender and recipient share 
the same secret key. This secret key is known to both ends before the transmission starts 
and it must be securely kept. Usually, the decryption algorithm of the symmetric key 
cipher is similar to the encryption alg01ithm. 
Symmehic key ciphers can be categorized as block ciphers and stream ciphers [6]. A 
block cipher performs transfonnation on blocks of input data and produces blocks of 
output data; while the stream cipher continuously deals with a single unit of data, 
typically one bit or one byte at a time. The typical block size for block ciphers is 64 or 
128 bits, and the examples of modern block ciphers are DES (Data Encryption Standard) 
and AES (Advanced Encryption Standard) [18]. One interesting characteristic of block 
ciphers is that some modes of operation can perform as stream cipher , such as output 
feedback (OFB) mode and cipher feedback (CFB) mode. Block ciphers are often applied 
to those applications which operate on blocks of data, such as file transfer, e-mail , and 
databases. On the other hand, stream ciphers are more approp1iate for data 
communication channels or a browser/Web link, which requires encryption and 
decryption of a stream of data [6]. 
The stream cipher is very similar to the one-time pad cipher, both using the bitwise 
exclusive-OR (XOR) ·operation to combine the plaintext su·eam and the key stJ·eam [16]. 
ln encryption, the plaintext and the keystream sequence are XORed to produce the 
COJTesponding ciphe11ext; while in decryption, the ciphe11ext stream and the ame 
keystream sequence will be XORed to restore the original plaintext stream. The 
difference between the two ciphers is that a one-time pad cipher uses a genuine random 
number sequence for the keystream, whereas the stream cipher uses a pseudorandom 
number sequence for the keystream. In particular, the one-time pad cipher requires a key 
2 
length as long as the plaintext length, thus resulting in a huge problem of key 
management. However, the stream cipher uses a pseudorandom generator to produce the 
keystream and will require a much smaller secret key compared with that of the one-time 
pad cipher. Stream ciphers can be categorized as synchronous stream ciphers and self-
synchronizing stream ciphers. Although the security of stream ciphers is not as well 
understood as block ciphers, stream ciphers are typically faster and more compact than 
block ciphers, particularly in hardware implementations. It is conjectured that with a 
properly designed pseudorandom generator a stream cipher can be as secure as block 
cipher of comparable key length [19]. 
1.2 Objective of this Thesis 
Many synchronous stream ciphers have recently been proposed in forums, such as the 
ESTREAM stream cipher project [7]. However, the number of self-synchronizing stream 
ciphers is small , and not many of them have been fully analyzed. Therefore, the self-
ynchronizing stream cipher still has great research potential. The main objective of this 
thesis is to analyze and implement two synchronization methods for stream ciphers. One 
of them is the self-synchronizing stream cipher mode refen·ed to as tati tical cipher 
feedback (SCFB) mode, which is a recently proposed mode of operation for block ~iphers. 
The other is a self-synchronizing method for synchronous stream cipher , refened to as 
the marker-based mode. These two modes will be implemented in FPGA based hardware. 
The purpose for hardware implementation is to study the implementation issues and 
detennine complexity and speed of the two modes for a real implementation. The reason 
for FPGA implementation is that FPGAs are common target technology and only a 
3 
simple FPGA will be required. Therefore, in this thesis, the two designed systems will 
finally be implemented on the targeted Xilinx Spatian-3E FPGA, utilizing the Digilent 
Nexys II development board. 
However, first of all , we will examine the characteristics of SCFB mode, such as 
synchronization recovery delay (SRD) and en·or propagation factor (EPF). We will 
simulate the SCFB mode, which is configured for block cipher AES, through C code and 
gain the simulation results of SRD and EPF in terms of different sync pattern fom1at in 
the san1e length as well as varying length. The purpose of these simulations is to find out 
the preferable sync patterns· for SCFB mode. 
The original proposal for SCFB mode uses the block cipher, AES, a the keystream 
generator. However, in this thesis, SCFB mode will be configured by the tream cipher, 
Grain-128, as the keystream generator. This will be the second pati of our research topic. 
We will simulate this new approach and analyze the same characteristics SRD and EPF. 
Moreover, we will implement this mode in digital hardware on a Xilinx Spartan-3E 
FPGA and test it, as well. 
The original proposed hardware implementation of SCFB mode requires two queues to 
balance the speed of the AES operation and the whole system operation [ 1 0]. One of 
these two queues is the plaintext queue and the other is the ciphertext queue. While bit 
are being collected in the plaintext queue, bits will be removed from the head of the 
ciphertext queue at exactly the same rate [l 0]. This queuing implementation has high 
hardware complexity. In this thesis, we will implement the SCFB mode by using the 
stream cipher, Grain-128 , as the keysh·eam generator. Since there is no need of queues in 
this implementation, the hardware complexity is greatly reduced . 
4 
In the third part, we will discuss a newly designed self-synchronizing approach for 
synchronous stream ciphers, which is refe1Ted to as marker-based mode. This mode 
works by inse1iing an 8-bit marker every 128 bits ciphe1iext into the data leaving the 
transmitter. At the receiver, the incoming data is checked to see whether the marker is in 
the expected position in the data stream. If this 8-bit marker appears at the right position 
in every 136-bit data sequence, then both ends have maintained synchronization; 
otherwise, the synchronization is lost. Once the synchronization is lost, the receiver will 
be responsible for looking for the marker around the expected position, and adjust it 
synchronization to the new marker position. We wi ll investigate the same characteristics, 
SRD and EPF of this marker-based synchronous stream cipher, and also implement this 
system on the Xilinx Spartan-3E FPGA. 
In conclusion, this thesis will analyze and implement the self-synchronizing stream 
cipher based on SCFB mode and the synchronous stream cipher using a marker for 
synchronization. The characte1istics, such as SRD and EPF, of these two modes will be 
simulated and analyzed; as well , these two systems will be implemented on the targeted 
Xilinx Spmian-3E FPGA and tested. 
1.3 Outline of this Thesis 
The aim of this thesis is to analyze and perfotm FPGA hardware implementation of a 
self-synchronizing stream cipher based on SCFB mode and the marker-based 
synchronizing mode. There will be 6 chapters in total. 
Chapter 2 wil1 give the background knowledge. The main subject of this chapter wil l 
be stream ciphers. The topics will include the classification of sh·eam ciphers, stream 
5 
cipher design components, the self-synchronizing modes of operation, and the 
characteristics of stream ciphers. As well, it will introduce FPGA implementation tools. 
Among these topics, the modes of operation will be mainly discussed. It will consist of 
OFB mode, CFB mode, SCFB mode, Optimized Cipher Feedback (OCFB) mode, and the 
marker-based mode. 
In Chapter 3, the characteristics of SCFB mode, which uses the block cipher, AES, as 
the keystream generator, will be discussed. This will include analyzing SRD and EPF 
versus different sync patterns with the same length and vruying lengths. The purpose of 
this chapter is to find out the best sync pattern for this implementation approach of SCFB 
mode. 
Chapter 4 will present the design structure of SCFB mode using the stream cipher, 
Grain-128, as the keystream generator. Moreover, this chapter will describe FPGA 
implementation details of this system, as well as the system testing proce s. As well, it 
will analyze SRD and EPF versus the sync pattern f01mat "10000000". 
Chapter 5 will be very similar to Chapter 4, except for the study object being the newly 
designed marker-based mode. It will also give the design details and FPGA 
implementation process of the marker-ba ed mode. In addition, the analysis of 
characte1istics of this mode, like SRD, will be covered. 
Chapter 6 will draw a final conclusion of this thesis and provide directions for future 
work. 
6 
Chapter 2 
Background 
In this chapter, the background material for this thesis will be provided. The main subject 
will be stream ciphers. The topics of stream cipher will include the classification of 
stream ciphers, stream cipher design components, block cipher modes of operation, and 
the characteristics of stream ciphers. As well , FPGA implementation tools will be 
introduced. Among these topics, the block cipher modes of operation will be mainly 
discussed. It will consist of OFB mode, CFB mode, SCFB mode, and Optimized Cipher 
Feedback (OCFB) mode. 
2.1 Classification of Stream Ciphers 
Stream ciphers have memory to store the cipher state. Therefore, designers mu t consider 
the following two aspects when designing a stream cipher: how to describe the next state 
in terms of current state and how to express the ciphertext in tem1s of the state and the 
plaintext. The second concern is easy to solve because commonly stream ciphers use the 
XOR operation on the keystream and the plaintext to produce the ciphertext [14]. 
However, for the first issue, it is hard to choose the next state expression. Based on the 
next state function, stream ciphers may be divided into the categories of synchronous 
stream ciphers and self-synchronizing stream ciphers. 
7 
In a synchronous stream cipher, the keystream depends only on the key and the current 
state, but is independent of both plaintext and ciphe1iext. Such a stream cipher has no 
enor propagation because one ciphettext bit modification does not affect the decryption 
of other ciphertext bits. However, the sender and the receiver must be synchronized in 
order to maintain the conect restoration of the plaintext. If one bit of ciphe1iext is lost, 
inserted, or deleted during the transmission, decryption will fail for the subsequent bit , 
and the system has to be resynchronized. Re-synchronization can be achieved by either 
pe1iodically sending initialization vectors from transmitter to receiver through extra 
channel or including ' ·marker positions·' in the transmission and correct decryption of 
ciphetiext will be reestablished after one of the marker positions is determined [ 17]. This 
is refened to as the marker-based stream cipher mode and will be fully discussed in 
Chapter 5. 
The encryption process of synchronous stream cipher can be defined as follows [ 16]: 
o-i+ l = f(o-;,key ), 
k; = g( o-P key), and 
C; = h(ki' pJ 
Here, O"; represents the state of the stream cipher for bit i with o-0 being the initial state of 
the stream cipher, and k; , p; , c; represents the i-th bit for keystream, plaintext, and 
ciphertext, respectively. Function/is the next ·state function , g is the function to produce 
the keystream, and the ciphertext is produced by the function h. The encryption and 
decryption process for a synchronous stream ciphers· is shown in Figure 2.1. 
8 
Encryption Decryption 
p, c, 
key _ _J__-+l 
... c, r--• p, 
Figure 2.1. General mode of a synchronous stream cipher 
On the other hand, the keystream of a self-synchronizing stream cipher depends on the 
key and a fixed amount of the previous ciphe11ext [17]. Therefore, the self-synchronizing 
stream cipher can resume COJTect decryption if the keystream generated by the decryption 
unit is not synchronized with the encryption keystream [17]. But unlike the synchronous 
stream cipher which has no en·or propagation, the self-synchronizing stream cipher has 
significant eJTor propagation. Suppose that the next state depends on t previou ciphertext 
bits. If a single ciphertext bit is lost, inse11ed, deleted, or niodified, the decryption of the 
following 1 ciphertext bits will be affected until the receiver side is resynchronized with 
the sender. 
The encryption function of the self-synchronizing stream cipher can be described by 
the following equations [ 16]: 
k; = g (a-;, key ), and 
C; = h(k;, P; ). 
Here, O"; represents the state of the stream cipher for bit i with a-0 = (c_1 ,C_1+ 1 , ••• ,c_1 ) 
being the initial state, g is the function to produce the keystream, and h is the output 
9 
------- --------------------
function which is used to produce the ciphertext. The encryption and decryption of self-
synchronizing stream ciphers can be shown in Figure 2.2. 
key -
Encryption 
p, 
k, A 
... \!}_) ... c, key 
Decryption 
Figure 2.2. General mode of a self-synchronizing stream cipher 
2.2 Stream Cipher Structures 
... p , 
ln this section, we will describe the feedback shift register (FSR), which is the common 
building block for stream ciphers. FSRs can be divided into LFSRs (linear feedback shift 
registers) and N LFSRs (nonlinear feedback shift registers). Moreover, we will introduce 
the stream cipher Grain.:J28, which wi ll be used to configure SCFB mode in Chapter 4. 
2.2.1 FSR (Feedback Shift Register) 
When designing stream ciphers, the main work is to design the keystream generator, 
which is used to generate the pseudorandom keystream. This requires that the period of 
the generated keystream to be large, and various sequence patterns of a given length must 
be unifonnly distributed over the keystream as well [17]. There are many approaches to 
construct the keystream generator; however, the feedback shift register (FSR), in 
10 
particular, the linear feedback shift register (LFSR) is a basic building block often u ed 
when designing stream ciphers. The structure of a FSR oflength Lis given in Figure 2.3. 
output 
Figure 2.3. Feedback shift register of length L ]16) 
An FSR con ists of L stages numbered from 0 to L -1 . Each stage can store one bit 
and has one input and one output. The FSR is controlled by a clock. At each clock cycle, 
the content of stage i will be updated by that of the stage i + I ( 0 ~ i < L - I ). The 
content of stage 0 , either "0" or " 1 ", will be output to form the pat1s of the output 
equence; the new content of the stage L - 1 is the feedback bit s 1 = .f(s J- P s 1_2, ... , s1_L) , 
where .f is the Boolean function, and s1_; is the previous content of stage L- i ( 1 ~ i ~ L) 
[ 1 6]. Based on the Boolean function .r. a FSR can be classified as linear feedback shift 
register (LFSR) or nonlinear feedback shift register (NLFSR). If .f is a linear function, 
then the register will be a LFSR; otherwise, if ( is a nonlinear function , it will be a 
NLFSR. 
An LFSR of length L is depicted in Figure 2.4. The feedback polynomial or 
connection polynomial of this LFSR is C(D) = 1 + c1D + c2D 2 + ... + c~.DL with degree L 
[16], and the feedback bit can be uniquely determined by the following recursion: Sj = 
(c1s1- 1 + c2s1- 2 + ... + CLSJ- tJ mod 2 for j ~ L [ 16]. In order to generate a keystream with 
large period, the LFSR must have a primitive feedback polynomial with degree L. The 
I I 
maximum possible petiod of the sequence produced by each non-zero state of such an 
LFSR will be 2L -1 . Such a sequence is called an m-sequence, and the cotTesponding 
LFSR is called a maximum-length LFSR [16]. 
CL-1 CL 
output 
Figure 2.4. Linear feedback shift register of length L 1161 
The LFSR is widely used when designing stream ciphers. The rea on is that the LFSR 
can generate sequences with large period and good statistical prope1iies; also, the LFSR 
is we11-suited to hardware implementation. ln this thesis, the marker-based synchronous 
stream cipher will use an LFSR as the keystream generator. This is just for the simplicity 
of hardware implementation. However, in a practical implementation, for security 
reasons, <m LFSR itself cannot be directly used as the keystream generator because the 
Berlekamp-Massey algorithm can efficiently compute the feedback polynomial with only 
2L successive sequences, and then recover the initial state[ 19]. Therefore, additional 
devices should be applied when u ing LFSR in keystream generators. 
Commonly, three techniques are used to break the linearity of LFSR. First, combine 
the output sequence of several LFSRs using a nonlinear combining function. Second, use 
a filter function on the contents of a single LFSR. The last one is to control tl1e clock of 
one or mo"re LFSR with the output sequence of another LFSR [ 16). Therefore, sh·eam 
12 
ciphers based on LFSRs can be classified as nonlinear combination generators, nonlinear 
filter generators, and clock controlled generators, respectively. 
Figure 2.5 shows the normal mode of nonlinear combination generator. The notation p 
the nonlinear combining function. 
LFSR 2 ..... 
p ..... keystream 
LFSR n 
.... l 
Figure 2.5. Normal mode of nonlinear combination generator 
One example of nonlinear combination generators is the Geffe Generator. It is depicted 
in Figure 2.6. The Geffe Generator is con tructed by three LFSRs with length L ~, L2, and 
L3, respectively. Any two of these lengths are relatively prime. The combining function is 
as follows: 
The peliod of the Geffe Generator i (2 L' -I x2L2 -1 x2LJ -1 ). Although having large 
period and high linear complexity, the Gcffc Generator is cryptographically weak 
because it can be broken by the correlation attack [ 16]. 
13 
_ .,.. keystream 
I LFSR 3 XJ 
'----------
Figure 2.6. the Geffe Generator 
2.2.2 Grain-128 
So far, we have di cus ed the basic building block for many stream cipher , FSR. In this 
section, we will present one stream cipher, Grain-128, which targets hardware realization 
with limited resources in gate count, power consumption, and chip area [12]. In this 
thesis, the stream cipher Grain-128 will b used a the keystream generator in the SCFB 
mode implementation i~ Chapter 4. Grain-128 is a binary additive tream cipher with key 
size 128 bits and initialization vector (IV) ize 96 bits. It consists of three components: an 
LFSR, an NLFSR, and an output function. The overview of Grain-128 is shown in 
Figure 2.7. 
The content of the LFSR is denoted by s;, S ;+J, ... , S;+127. The function .fi.x) is the 
feedback or connection polynomial of the LFSR, which is p1imitive with degree 128. It is 
defined asj{x)= 1 + x32 + x47 + x58 + x90 + x121 + x128 [1 3]. In Figure 2.7, the XOR gate ha 
2 or more inputs as indicated. Therefore, the corresponding update function or the 
feedback bit of this LFSR based on the plimitive polynomial .f{x) can be computed as 
S;+l28= S; + S i+7 + S;+38 + i+70 + S;+81 + Si+96 (13). 
14 
7 2 
'--------1~ m(x) ~ 
~ 
' 
Figure 2.7. An overview of the Crain-128 
Similarly, the content of the NLFSR is denoted by b; ,b;+ ~> ·· · , b;+ 1 27 .The feedback 
polynomial q(x) i the um of one linear and one bent function. The small rectangle with 
11 5 11 7 
X X . 
It is defined as the following expression [ 13]: 
q(x) = 1 + x-~2 + x37 + xn + x' o2 + x' 2s + x44x6o + x6'x'2s 
+x63x67 +x69x'o' +xsoxss +x"ox'" +x"5xll7 
Therefore, the update function or feedback bit of this NLFSR can be calculated a 
follow , where the notation s; is the output bit ofthe LFSR [13): 
bi+ l28 = S; + b ; + b i+26 + b i+56 + bi+9 1 + bi+96 + b i+3b i+67 + b i+ l lbi+l3 + b i+ l7bi+ l 8 + 
b i+27 b i+59 + b i+40b i+48 + b i+6 lbi+65 + bi+68bi+84 
The block m(x) i a Boolean function of 9 inputs, where 2 inputs are taken from the 
NLFSR, and 7 inputs are from the LFSR. This function is of degree 3 and defined a 
15 
---------------------------
[ 13]. The keystream out of Grain-128 is computed as 
k; = I>i+J +m(x)+s;+93 , where A= {2,15,36,45,64,73,89} [13]. 
}EA 
Like most stream ciphers, Grain-128 also needs to be initialized with the key and the 
JV before outputting any keystream. The initialization mode of Grain-128 is depicted in 
Figure 2.8. The difference between the initialization mode and the normal operating 
mode, which is shown in Figure 2.7, is that the output bit in the initialization mode is fed 
back to update the feedback bit of both NLFSR and LFSR, without outputting any 
keystream. 
f(x) 
NLFSR 
7 2 7 
Figure 2.8. Initialization mode of stream cipher Grain-128 
Let the key bit be denoted by K; ( 0 ::; i ::; 127 ), and the IV bit be denoted by 
IV; ( 0 ::; i ::; 95 ). In the initialization phase, at first, the 128 key bits will be loaded into the 
NLFSR, b; = K; ( 0 ::; i ::; 127 ), and then the IV bits will be loaded into the first 96 states of 
16 
.---~~-----------------------·----
the LFSR, s; = 11~ ( 0 ~ i ~ 95 ). The last 32 states of the LFSR will be filled with ones, 
s; = 1 ( 96 ~ i ~ 127 ). After the key and IV are loaded, the cipher will be clocked 256 
times to mix the key and IV bits into the states ofboth NLFSR and LFSR. 
2.3 Block Cipher Modes of Operation 
As mentioned before, one of the advantages of block ciphers is that they can perform as 
stream ciphers using various modes of operation. Block ciphers can be used to generate 
the keystream in these modes. There are several conventional modes of operation for 
block ciphers, but in this section, we are going to discuss four sh·eam-OJiented 
transmission application modes: OFB mode, CFB mode, SCFB mode, and OCFB mode. 
In the discussion, the notation B represents the block cipher size in bits: B = 64 for DES, 
and B = 128 for AES. 
2.3.1 Output Feedback (OFB) Mode 
ln OFB mode, the block cipher output is not only used as the keystream to XOR the 
plaintext to produce the ciphettext, but also fed back to an input shift register of the 
system to generate the next data block. The general implementation structure of OFB 
mode is illustrated in Figure 2.9. Here, m could be any number from 1 to B. But to 
achieve high efficiency requirement, m will be equal to B. In this case, the whole output 
data block in every block cipher operation will be XORed with the plaintext block, and 
also fed back to the input register at the same time. Since the keystream of OFB mode i 
independent of the ciphertext, it fa ll s into the category of synchronou stream cipher. 
17 
key 
plaintext 
Input register 
-'-
block l 
cipher J 
111 
ENCRYPT 
key 
111 
ciphertext 
CHANNEL 
block 
cipher 
111 
DECRYPT 
Figure 2.9. Structure of OFB mode 
m 
plaintext 
-~ 
The primary advantage of OFB mode is that there is no error propagation delay, which 
means that one bit en·or in the ciphertext only affects the corresponding plaintext bit on 
the receiver side. However, once bit slips occur (one or more bits are erased or inserted) 
in the communication cha1mel, the system will lose synchronization. Resynchronization 
can be achieved by periodically sending an initialization vector (IV) through the signaling 
channel from the transmitter to the receiver. This approach will result in extra messaging 
overhead and associated delays while synchronizing. Hence, the rate of sending IVs is 
critical. If they are sent frequently, the resulting overhead will greatly increase; but if they 
are sent too infrequently, the system will lose synclu·onization for a long period time [I 0]. 
In conclusion, OFB mode has high implementation efficiency and no error propagation 
delay, but does not have the ability of self-synchronizing. Typically, OFB mode is 
applied to the stream-miented transmission over noisy channel (e.g. satel lite 
communication) [6]. 
18 
2.3.2 Cipher Feedback (CFB) Mode 
The structure of CFB mode is very similar to that of OFB mode, except the bits that are 
fed back to the input register to produce the next data block come from the preceding 
ciphertext. The general structure of CFB mode is shown in Figure 2.1 0. From the figure, 
we can see that in each block cipher operation, 111 bits ( 1 :::; 111 :::; B) out of the B bits of 
block cipher output are selected to XOR with the plaintext to produce the conesponding 
ciphertext bits. Meanwhile, these m ciphertext bits are fed back to the input register to 
produce the next block cipher output. 
key 
plaintext 
block 
cipher 
ENCRYPT 
111 
111 
111 
ciphertext 
CHANNEL 
[!ilPut register r 
block 
cipher 
DECRYPT 
Figure 2.10. Structure of CFB mode 
key 
plaintext 
_ ..,... 
Since the keystream depends on the ciphe1iext bits, CFB mode is capable of self-
synchronizing. When a bit slip occurs, the system can regain synchronization once the 
affected bits are shifted out of the input register. In the typical application, 111 is equal to 1 
to ensure that a loss or inse1iion of any number of bits can lead to resynchronization. That 
is to say, the slip event will eventually be shifted out of the input register at the receiver 
19 
side after B clock cycles. At this moment, both input registers at the transmitter and 
receiver sides are holding the same B ciphertext bits which are the following bits after the 
slip event; therefore, the system will be resynchronized. 
The disadvantage of CFB mode is that a bit error in the ciphet1ext will not only affect 
the cotTesponding plaintext bit, but also results in conuption of the fol lowing B plaintext 
bits at the receiver side. Moreover, CFB mode is far less efficient than OFB mode. That 
is, one block of data from the block cipher only produces m bits of ciphertext, where m = 
1 is commonly used to ensure recover from any number oflost or inset1ed bits [1 OJ. 
In conclusion, CFB mode offers a huge benefit of self-synchronizing, but also has 
large en·or propagation and low efficiency. 
2.3.3 Statistical Cipher Feedback (SCFB) Mode 
In the last two sections, we have discussed two important block cipher modes of 
operation: OFB mode and CFB mode. Each mode has its own advantages and 
disadvantages. In this section, we are going to present another self-synchronizing mode 
of operation, which we refer to as statistical cipher feedback (SCFB). mode. SCFB mode 
is ·a hybrid of OFB mode and CFB mode; therefore, it has the advantage of self-
synchronizing and disadvantage of significant enor propagation [15] . However, SCFB 
mode has the major advantage of being highly efficient for hardware implementations. 
The concept of SCFB mode is that initially it will work in OFB mode and scan the 
ciphe11ext bits. Once a certain data sequence, refened to as the sync pattern, is recognized, 
the cipher will switch to CFB mode, and the scan function will be turned off. During CFB 
mode, the following B ciphet1ext bits wi ll be colleoted as the new IV, and then fed back 
20 
to the input register to re-initialize OFB mode. After this, the cipher will work in OFB 
mode again. 
The general implementation structure of SCFB mode is given in Figure 2.11. From the 
figure, we can see that both the transmitter and receiver work in OFB mode initially. In 
this mode, each ciphertext bit goes into the n-bit scan window ( 4 ~ n ~ 12 i proposed_ 
[1 0]). This window will regularly be compared to the previously elected n-bit sync 
pattern. If the content of the window matches the sync pattern, both the transmitter and 
the receiver will stop scanning and start to collect the following B ciphertext bits. Now 
the cipher is working in CFB mode. After the collection of the new IV i complete, it will 
be loaded into the input shift register and then the cipher will work in OFB mode. Since 
both sides have collected the same ciphertext bits as new IV, the following data out of the 
block cipher will be the same, thus the system has been resynchronized. This indicates 
that SCFB mode is capable of self-synchronizing. 
[Input register ....,. 
key 
block l 
cipher 
[-o~ 
plaintext ? 
ENCRYPT 
ciphertext ~ 9 
Input register ] 
block 
cipher 
SCAN ~ ::)--
CHANNEL DECRYPT 
Figure 2.11. Structure of SCFB mode 
2 1 
key 
plaintext 
--~ 
One of the important points of SCFB mode is that during the new IV collection, the 
ciphetiext scanning function is suspended. That is to say, an~ bit patterns in the new IV 
which matches the sync pattern will be ignored. 
Since SCFB mode works either in OFB mode or in CFB mode, the ciphetiext bits of . 
SCFB mode can be categorized into three regions: the n-bit sync pattern, the B-bit IV, 
and the k-bit OFB block. The structure of this categorization is shown in Figure 2. 12. 
n B k n B 
_.. 
.. . sync IV OFB block sync IV . .. 
·-'-
~-------------------. 
Synchronization cycle 
Figure 2.12. Synchronization cycle of SCFB mode 
From the figure, we can see that the IV starts from the first bit following the sync 
pattern and lasts for B bits; the OFB block statis from the first bit fo llowing the IV, and 
ends at the first bit of the next sync pattern. Hence, the variable k is a random variable 
dependent on the location of the sync pattern appearing in the ciphetiext. These three 
regions together fonn one synchronization cycle. That means one synchronization cycle 
consists of n + B + k bits. If an individual bit error occurs in the OFB block, then it will 
only affect the cotTesponding bit on the receiver side. However, if a bit en·or occurs in the 
sync pattern region, the conect sync pattern will be missed at the receiver side and if a bit 
enor occurs in the IV region, an incorrect IV will be used at the receiver. In those two 
cases, the synchronization of the system will be lost until the next conect sync pattern is 
recognized. Thus many bits at the receiver side would possibly be cotTupted because of 
22 
only one bit en·or in the communication channel. As a result, the error propagation 
characteristic ofSCFB mode is much worse than that ofOFB mode. 
In conclusion, SCFB mixes OFB mode and CFB mode. It not only benefits from the 
capability of self-synchronizing, but also has high efficiency for hardware 
implementations. 
2.3.4 Optimized Cipher Feedback (OCFB) Mode 
Optimized cipher feedback (OCFB) mode is another self-synchronizing mode of 
operation. Since it works ve1y similar to SCFB mode, we will not give details in this 
thesis. The description of OCFB mode can be found in [1] and the hardware 
implementation of OCFB mode can be found in [21 ]. It is much more efficient than CFB 
mode since it almost uses the whole block cipher output as the keystream. 
2.4 Marker-based Mode 
In Section 2.3 , we have introduced four important block cipher modes of operation: OFB 
mode, CFB mode, SCFB mode, and OCFB mode. Except for OFB mode, these modes 
are all capable of self-synchronizing. For a synchronous stream cipher, another approach 
to regain synchronization is to include markers in the transmitted data; coiTect decryption 
of ciphe1text will be established by synchronizing decryption based on the marker 
observed in the received data. This is referred to as the marker-based mode. 
The concept of this mode is to add an n-bit marker preceding every B bits of ciphertext 
during the transmission. In the implementation, every 128 bits of ciphettext following an 
23 
8-bit marker will be sent out as the transmission ciphertext data block. At the receiver 
side, the incoming data sequence will be continuously scanned to detem1ine the marker 
position. Once the marker is successfully recognized, the receiver will decrypt the 
ciphertext as the following 128 bits because it assumes that the bits following the marker 
position would be the ciphertext. However, when synchronization is lost due to bit slips 
in the communication channel, the receiver will not detect the marker in the expected 
position. In this case, it will search the area which is around the expected position, trying 
to find out the marker. If we assume that a limited number of bits can be lost or insetted, 
the marker will eventually be detected near the expected position. Hence, the new marker 
position will be adjusted and the receiver will be 'synchronized with the transmitter again . 
The detailed explanation and the hardware implementation of marker-based synchronous 
stream cipher mode will be given in Chapter 5. 
2.5 Characteristics of SCFB Mode 
SCFB mode has been discussed in Section 2.3.3. As mentioned, it is a hybrid of OFB 
mode and CFB mode, thus benefiting from high efficiency and self-synchronization. 
However, due to this mixed working modes, the bit slip and bit eJTor effects of such mode 
are much more complex than that of OFB mode and CFB mode. In this section, we will 
review three characteristics of SCFB mode: OFB block size, synchronization recovery 
delay (SRD), and error propagation factor (EPF). 
24 
2.5.1 OFB Block Size 
From Figure 2.1 2, we can see that the OFB block is between the new IV and the next 
sync pattern. Its size k depends on the position where the next sync pattern will appear. 
The sync pattern is always scanned for in OFB operating mode. Basically each n-bit 
ciphetiext sequence is taken to compare with the selected sync pattern. Once it matches, 
the OFB block will end; however, it will not include the recognized sync pattern. 
Because the keystream generator, AES, can produce a highly random data sequence, 
we assume that each ciphettext bit is equally likely to be "0" or ··1 ", and each bit is 
independent. Assuming that the k-th n-bit sequence sample will match the sync pattern, 
the variable k will follow the geometric disttibution if each n-bit sample is independent. 
Therefore, the probability of variable k is P(k)=(l - 1/2''/ · 1/2'', the expected value of k is 
given byE{k} = 2"- l , and the second moment ofk is given byE{k} =22"+1 - 3· 2" +1 
[1 0]. 
However, the n-bit sample of ciphertext is essentially sliding along a window, and this 
window will be compared to the sync pattern. Because there is an n - I bit overlap of 
windows, the n-bit ciphertext sample windows are not independent of each other. 
Therefore, the OFB block size k does not exactly follow the geomett·ic distribution; in 
particular, it is found that the distribution of the variable k is actually dependent on the 
sync pattern itself. In [I 0], the OFB block size k for sync pattern " 1 00 ... 00 'and " 111 ... 11" 
is fully discussed. The probability of variable k for the sync pattern " 100 ... 00" is given a 
follows [10]: 
25 
{ [I-" '-" P. (i)]·_!_,k>O L.J ,_Q 2" Pa(k) = I 
k =O 211! 
O,k <O 
So the expected value of k based on this probability distribution can be computed as 
E{k} = 2" - n, which is slightly different from the geometric distribution. 
Also, for sync pattern " I 11 ... 11 ", the probability distribution of variable k can be shown 
to be [1 0]: 
{ 
[ 1- " ' "
1 
Ph(i )]·- 1 1 ,k>O L... ,,.,o ?n+ 
Pb(k) = I -
~" ,k =O 
O,k <0 
Therefore, the expected value of variable k is computed as Eb {k} = 2 · (2" - I)- n , which 
has a significant difference from the geometric distribution. 
2.5.2 Resynchronization 
SCFB mode is capable ·of self-synchronizing. Once the sync pattern is recognized, the 
next ciphe1iext bits will be collected as the new IV. Since both the transmitter and the 
receiver are scanning for the sync pattern, synchronization will be regained. This is the 
ideal case where there is no slip or error occuJTence in the cipheiiext. However, in reality, 
the communication channel may be either slip prone or en·or prone and the 
synchronization may be delayed in these cases. Therefore, synchronization recovery 
delay (SRD) is used to charactelize there-synchronization properties of st:ream ciphers. 
SRD is defined as the expected number of bits following a sync loss due to a slip 
before the synchronization is regained [ 1 0]. It is assumed that SRD starts from the 
tem1ination of the slip event, thus it will not include the lost or in erted bit themselves. 
26 
So it is unnecessary to know how many bits will be lost or inserted in the communication 
channel. In order to minimize the con·uption of data due to a sync lost condition, the 
synchronization of stream ciphers must be regained as quickly as possible [ l 0]. That is, 
the smaller the SRD is, the better the re-synchronization properties will be. 
In SCFB mode, SRD represents the number of bits following the slip until the next 
sync pattern is properly detected and the new IV is correctly collected. Because the 
occurrence of a single bit slip may possibly result in a false synchronization, the SRD has 
a lower bound and upper bound, which are fully explained in [1 0]. In [I OJ, it is assumed 
that a slip will randomly occur and there are no other slip occurring in the 
synchronization cycle in which the slip tenninates. Based on this assumption, the lower 
bound of SRD lies in the case that the receiver resynchronizes at the next sync pattern, 
i.e., at the end of the next IV. If the slip occurs at the average position within the 
synchronization cycle, the re-synchronization will take (n + B + k )/2 plus the n + B bits 
required at the beginning of the next cycle [ 1 0]. In [ 1 OJ , it is shown that for large n, the 
lower bound of the SRD is approximated by 211 • 
However, in reality, a false synchronization is possible to occur due to a slip, thus 
resulting in longer delays in the re-synchronization process. This can happen in the case 
that slip occurs in the OFB block that results in a false sync pattern. If this false sync 
pattern is detected, the actual sync pattern might be ignored and collected as pmi of the 
false IV. Moreover, if the slip occurs in the sync/IV region, the sync pattern will be 
missed, thus the actual IV is mistakenly scanned for sync pattern. If it does contain the 
sync pattern, the receiver will detect it and collect the incorrect IV [ 1 0]. In those ca es, 
the synchronization will be lost until the next sync pattern is properly detected. But if the 
27 
OFB block size k exceeds n + B, the synchronization must be regained since the OFB 
block will be at the end of the false IV. Then the next valid sync pattern will be properly 
detected. The upper bound of SRD is derived in [1 0] based on the probability that a 
synchronization cycle has k ?. n +B. 
In reality, for small n, the re-synchronization is achieved very quickly since it is 
possible that the end of a false IV lies close to the end of the actual IV. In this case, it is 
likely that there is no sync pattem being detected before the OFB block starts. Hence, for 
small n, the upper bound of SRD is very loose. But for large n, the upper limit gets very 
tight and can reach 2" [I 0]. 
2.5.3 Error Propagation 
Enor propagation is also a very important characteristic for stream ciphers. For example, 
OFB mode does not have error propagation because a single bit enor in the channel onl y 
affects the conesponding position of the decrypted plaintext at the receiver. However, in 
CFB mode, the effect of an individual bit enor in the ciphertext is magnified at the 
receiver. That is, CFB mode has significant error propagation since the ciphertext bits 
will not only be used to restore the plaintext, but also serve as the input to the block 
cipher. 
En·or propagation is characterized by the error propagation factor (EPF), which is 
defined as the bit en·or rate at the output of the decryption divided by the probability of a 
bit enor in the communication channel [1 0] . It is assumed that bit errors occur randomly 
and independently in the communication channel [I 0] . 
28 
In Section 2.3 .3, we have discussed the synchronization cycle of SCFB mode, which is 
shown in Figure 2.12. Based on the different regions of this cycle, where bit eiTor could 
occur, five en·or scenarios are discussed in [I 0]. In this section, we will brjefly introduce 
these five cases. In case 1, the eiTor occurs in the n + B bits of sync/IV block, and then 
the sync will be lost in the entire cycle; therefore, half of the bits of the OFB block and 
the next sync/IV bits will be expected to be wrong. In case 2, the en·or occurs in the OFB 
block, but without generating any false sync pattern and then a single bit error will only 
result in one bit en·or at the output of the receiver. In cases 3 and 4, an en-or occurs in the 
OFB block and generates a false sync pattem. If the false sync pattem appears in the fir t 
k - (n + B )bits, then i/ 2 bits will be expected to have enors, where i represents the bit 
from the end of the false IV to the end of the actual IV. This is the case 3. In case 4, the 
false sync pattern appears in the last n + B bits of the OFB block and then the next sync 
pattern will be missed since it will be collected as part ofthe false IV. ln this case, half of 
the bits will be in eiTor until the next sync pattern is properly detected. The case 5 
describes that en·ors occur while the sync has already been lost. It is assumed that the 
en-ors and slips occur infrequently enough that an en·or occurs in isolation, so the case 5 
is ignored. 
Moreover, it is given in [ 1 0] that the probability that a bit en-or results in a false sync 
pattern is less than n/(2"- l). So for small n, case 3 and case 4 becomes much more likely. 
But as n increases, this probability decreases dramatically; so case 1 and case 2 become 
more significant. For large n, most ciphertext bits will fall into the OFB block due to its 
larger size. Hence, case 2 is more likely than case 1. However, the number of the 
decrypted bit en·ors at the output in case 1 is much bigger than in case 2, thus resulting in 
29 
larger EPF. Therefore, for large n, case 1 is still the main scenario to determine the error 
propagation factor [ 1 OJ. 
From the analysis of those 5 cases, the lower bound and upper bound of EPF for SCFB 
mode is shown in [1 0]. The lower bound is given by EPF > (11+B)/2. Since the upper 
bound is complex, we are not going to discuss it in detail in this thesis, but all can be 
found in [1 OJ. Moreover, it is shown that as 11 gets larger, the upper bound of EPF 
approaches 11 + B/ 2 + 1 . 
2.5.4 Comparison with Other Modes 
In Table 2.1 , we summarize the resynchronization and error propagation characteristics 
of OFB mode, CFB mode, and SCFB mode. 
Resynchronization Delay (SRD) En·or Propagation (EPF) 
OFB SRD = oo EPF = 1 
CFB SRD = B EPF = 1 + B/2 
SCFB SRD :::::: 211 for large 11 [ 1 OJ (n + B)/2 < EPF < 11 + B/2 + I 
[ 1 OJ 
for larger 11 
Table 2.1. Summarize of SRD and EPF for OFB, CFB, and SCFB mode 
ln conclusion, the characteristics of SCFB mode have been discussed in this section. 
Those included the re-synchronization prope1iy SRD and the error propagation EPF. 
30 
Moreover, these two meti·ics can also be applied to other stream ciphers which are able to 
resynchronize. As well, the OFB block size of SCFB mode was discussed. 
2.6 Digital Hardware Implementation Tools 
In this thesis, the characteristics of SCFB mode and the marker-based mode will be 
analyzed. Moreover, as mentioned before, in order to study the implementation issues 
and detem1ine the complexity and speed of these two systems at a real implementation 
the two modes will also be implemented in digital hardware. Since commonly, FPGAs 
are target technology and Digilent board is available for the device, these two modes will 
be implemented using an FPGA. In this section, we will briefly introduce the 
implementation tools. 
2.6.1 FPGA Implementation 
In this thesis, SCFB mode with stream cipher as the keystream generator and the marker-
based synchronous stream cipher have both been realized through FPGA hardware 
implementation. Specifically, the target device is the Xilinx Spartan-3E, and the Digilent 
Nexys II board is used as a development platfom1. During this implementation process, 
three CAD tools were used. They are Modelsim PE Student Edition 6.5, Xilinx lSE 
Design Suite 1 0.1 , and Digilent Adept Suite. 
Modelsim was mainly used to functionally simulate the VHDL code of the designed 
system. Through analyzing the obtained simulation results, the system was verified to be 
functionally working. The behavior level VHDL code, which was simulated by 
31 
----- --·--------------- ------
Modelsim, was synthesized by Xilinx ISE Project Navigator. This process includes 
synthesis, implementation, and generation of the bitstream. The implementation process 
consists of translate, map and place&route. 
The synthesis process will conve1i VHDL or Verilog code into a gate-level netlist, i.e. 
a complete circuit with logical elements (gates, flip flops etc) for the design. The 
synthesis process will check code syntax and analyze the hierarchy of the design which 
ensures that the design is optimized for the design architecture. By default, the Xilinx ISE 
uses built-in synthesizer XST (Xilinx Synthesis Technology). Other synthesizers can also 
be used. XST output is stored in NGC (Native Generic Circuit) fom1at [9]. 
The translate process merges all of the input netlists and design constnints and outputs 
a Xilinx NGD (Native Generic Database) file, which describes the logical design. This 
can be done by using NGD Build program. The design constraints include the assignment 
ofthe ports in the design to the physical elements (pins, switches, buttons) of the targeted 
device and the specified timing requirements of the design. This infonnation is stored in a 
file named UCF (U er Constraints File). Tool used to create or modify the UCF are 
PACE, Constraint Editor, and so on [9]. 
The map process divides the whole circuit with logical elements into sub blocks such 
that they can be fitted into the FPGA logic blocks. That is, the map process fits the logic 
defined by the NGD file into the targeted FPGA elements (Configurable Logic Blocks 
(CLB), Input Output Blocks (lOB)) and generates an NCD (Native Circuit Description) 
file which physically represents the design mapped to the components of FPGA. This can 
be done by using the MAP program [9]. 
32 
The place&route process is done by using PAR program. This process places the sub 
blocks from the map process into logic blocks according to the constraints and connects 
the logic blocks. By taking all the constraints into account, the PAR tool takes the 
mapped NCD file as input and produces a completely routed NCD file as output, which 
consists of the routing infonnation of the design [9]. 
After the synthesis and implementation process, the design must be downloaded on the 
FPGA. Therefore, the routed NCD file is given to the BITGEN program to generate a bit 
stream (a .BIT file) which is the acceptable fom1at for the FPGA. Thi .BIT file will 
finally be used to configure the target FPGA device. 
The Digilent Adept Suite was used to configure the FPGA board. It consists of four 
tools: Exp01t, Transpott, Ethemet Administrator, and USB Administrator [3]. In this 
research, only the first two of them have been used. The Export tool is used to load the 
bitstream onto the FPGA board and the Transp011 sends the data to the system on the 
FPGA board [3]. However, in order to use the Transpot1 to send and collect data to and 
fi·om the FPGA board, the designed system requires an interface, which will be 
responsible for writing and reading registers. This interface can also be described by 
VHDL code, and should be loaded onto the board, as well. The detailed information 
about the design of this interface can be found in [4] [5] . 
The FPGA device used in this thesis is the Xilinx Spartan-3E kit. It contains sufficient 
resources to study the implementation of our systems. A picture of the Digilent Nexys II 
FPGA board is given in Figure 2.13. This board is powered by the USB2 interface which 
is also used to transfer data between the board and the computer. In order to test the 
33 
designed system, the LEDs are used to indicate the testing results; as well , buttons are 
used to reset the system. 
Figure 2.13. Picture of Digilent Nexys H board 
2.6.2 Software Implementation 
In this thesis, SCFB mode and the marker-ba ed mode ha e been implemented in 
software. The characteri tics of re-synchronization and error propagation are simulated 
by Microsoft Visual C++ 2008 Express Edition. As well , MATLAB 7.0.4 has been used 
to plot all the simulation data. 
34 
2. 7 Conclusion 
In this chapter, we have discussed the fundamentals of stream ciphers, including the 
classification, the cipher structure, and the block cipher modes giving stream cipher 
operation. Stream ciphers are categorized as synchronous stream ciphers and self-
synchronizing stream ciphers. Synchronous stream ciphers have no error propagation, but 
require an extra signaling channel when re-synchronizing. Self-synchronizing stream 
ciphers are capable of self-synchronizing, but with significant en-or propagation. The 
main design component of stream cipher studied in this thesis are the linear feedback 
shift register (LFSR) and nonlinear feedback shift register (NLFSR). As well, the stream 
cipher Grain-128 was described, since it will be used as the keystream generator in 
Chapter 4. The main subject of this chapter was to talk about the block cipher modes of 
operation relevant to stream processing, which included output feedback mode (OFB), 
cipher feedback mode (CFB), statistical cipher feedback mode (SCFB), and optimized 
cipher feedback (OCFB) mode. In particular, the characteristics of SCFB mode, 
synchronization recovery delay (SRD), en-or propagation factor (EPF), and OFB block 
size, were fu ]]y explained. Moreover, the marker-based synchronous stream cipher mode 
was also introduced. In the end, the FPGA implementation CAD tools and software 
implementation tools were briefly discussed. 
35 
Chapter 3 
Analysis of Characteristics of AES-based SCFB mode 
ln [1 0], the characteristics of SCFB mode, which uses block cipher, AES, as the 
keystream generator, are theoretically analyzed. ln particular, the characteristics under 
the sync ·pattern fonnats "1 00 ... 00" and " 111...11 " are explained in detail. It is clear that 
the characteristics of SCFB mode are affected by the sync pattern format. 
In order to detem1ine the best sync pattem, which can provide the best performance for 
SCFB mode, in terms of short re-synchronization delay, and limited error effect, the SRD 
and EPF of varying sync patterns were simulated using the C programming language. 
The simulation results will be presented and analyzed in this chapter. 
3. 1 SCFB Pseudocode 
In the simulation, SCFB mode uses the block cipher, AES, as the keystream generator 
and the block size of AES is 128 bits. Since the structure of SCFB mode was discussed in 
Chapter 2, we will only present the pseudocode of SCFB mode here. The pseudocode 
describes the encryption operation in the transmitter. It is given in Figure 3.1. 
In this pseudo code, EJ) represents the AES operation, and X0 •• • X 8 _1 contains the 
initial IV, which is known to both transmitter and receiver. The notation Q0 ••• Q11 _ 1 is used 
36 
to represent the selected sync pattern, and the notation W0 •• • W,,_1 is the n-bit window 
which is cmTently compared to the sync pattern. The notation Z0 •• .Z 8 _1 is used to collect 
the new IV. In addition, the two flags loading_ IV and new _IV indicate that the IV is 
cuiTently being collected and the collection of IV has just finished, respectively. The C 
code is based on this pseudocode, but with a slight difference. In the pseudocode, the n-
bit window is initialized to zero at the beginning of operation, in order to use the sync 
pattern " 1 00 ... 00"; in the simulation, since we need to use varying sync patterns, we start 
to compare the window with the sync pattern only after the window has collected n 
ciphertext bits of the OFB block. 
lon.dingJ\1 f-- fi\lRe 
Xo . .. XB-1 f-- initial value 
Wo ... Wn - 1 f-- 0 ... 0 
jf--0 
do 
Yo ... Yu- 1 f-- EK(Xo ... XB- 1) 
newJ V f-- false 
if--0 
do 
CJ+; f-- PJ+ ; e }'; 
if loodingJV then 
zk f-- c,+k 
kt--1>+1 
if k = B then 
else 
loadingJ\1 f-- false 
newJV f-- true 
Xo .. . Xn- 1 f-- Zo . .. Za- 1 
Wo . . . Wn- 1 f-- 0 . . . 0 
Vl1o .. . Wn- 2Wn - 1 t- W1 ... W, 1C1~, 
ifWo ... W,_l = Qo ... Q,_ I then 
loadingJV f-- true 
lf--j+ i+ l 
kf--0 
if--i+ l 
if i = B and not newJ\1 then 
Xo ... XB- 1 t- Yo ... Ys - 1 
while i < B and not newJV 
jt-j+i 
while true 
Figure 3.1. SCFB pseudocode 1101 
37 
In addition, the simulation was running under the following constraints: 
• Simulation length: I 0 10 plaintext I ciphertext bits. 
• Bit slips occur every 105 bits after the effect of the last slip event is over; that is ~o 
say, a new slip event is generated at I 05 -th bit after the synchronization is 
regained. 
• En-or events occur every 105 bits after the effect of the last en-or event is over. In 
order to make sure that the effect of an en·or is over, the decrypted plaintext at the 
receiver will be tracked after an etTor is generated. A counter i set up while 
tracking. The counter will be incremented when the decrypted plaintext is conect; 
otherwise, it will be cleared. When the output of the counter reaches the value 
"1 00", we can be confident that the effect is over as this indicates that 1 00 
consecutive ciphetiext bits have been received en-or free. Assuming the decrypted 
plaintext bit is equally likely to be "0'' or " I", the probability of a random 
sequence of 100 bits having no error is 1/2100 = 7.8886x J0-31• This means it is 
highly improbable that cmTupted ciphertext bits will result in 100 consecutive 
expected bits of plaintext. 
In the following graphs, the horizontal axis labeled the ·'sync pattern' ' is repres~nting 
the decimal equivalent of the binary representation of the sync pattern with mo t 
significant bit as the first bit transmitted in the sync pattern. 
3.2 Synchronization Recovery Delay 
38 
In this section, we are going to present the simulation results of SRD versus varying sync 
patterns. Figure 3.2 shows the SRD in terms of sync pattern size n (4 ~ 11 ~12) with sync 
pattern forn1ats " 1 00 ... 00" and " 111 ... 11 '' . The lower bound of SRD based on the 
geometric distribution of k can be obtained by the following expression [ 1 OJ: 
9000 
8000 
7000 
6000 
5000 
0 
0::: 
(j) 
4000 
3000 
2000 
1000 
0 
4 
SRD > 'i(n + B)+ - 1 ((11 + B)E{k}+ E{e }] , 
2 2p 
SRD with format "10000000" and "11111111" 
SRD with format "100 ... 00" 
' 
-B- SRD with format "111 ... 11" --------·--....-
- + Lower Bound 
' ' 
' 
' 
····--·-1·----·-----:rL __-__ -__ -___ -__ -.,.r----- · -- ,.---- . ------,------------,------ --. 
' ' 
' ' 
' ' ' 
' ' ' 
' ' 
' ' 
' ' ' 
- --------1· -----------:-------- . -~ -:- ------·-·t·----------; 
' ' ' ' 
' ' 
' ' 
' ' 
' ' ' ' 
' ' ' ' ' 
·r·--------;-------- r .... J...... - -- .1. - --- .... J ' ' ' ' ' ' 
' ' ' 
. -.J __________ [_ __________ L_ _____ _ 
l ... --
' ' ' . 
...... - ................ ---------·-- ----- -· 
' ' 
' ' 
' ' 
' ' . 
I I I I I 
............... --- .. ---------- ... ------------' ------------·------------·---- -
I I I I 
I I I I 
1 I I I 
' ' ' 
' ' ' 
' ' ' 
' ' ' 
- -------~---·-- ------~-- -------- - i -.-- -- ------~.. -:- -
j i . j l i 
' ' ' I I I I 1 --}--- --------;------------:-- -----
5 6 7 8 9 10 
sync pattern size 
Figure 3.2. SRD versus sync pattern size 
12 
From this figure, we can see that as the sync pattern size 11 gets larger, SRD is also 
getting larger. Moreover, for larger ize 11 (n ~ 8), SRD increase very quickly as 11 
increases. This is because for larger size n, the expected value of OFB block size k is very 
large, and it grows exponentially. Therefore, it will take much longer delay to regain 
39 
synchronization. Also, it is clear that the sync pattern format " 1 00 ... 00" results in smaller 
SRD than " 111 .. . 11 " for large sync pattern size n (n > 5), especially very large n (n 2: 9). 
This will be explained later in this section. ln addition, this figure confinns that the sync 
pattern fonnat "1 00 .. . 00" is a better candidate than "111...11" with moderate sync pattem 
size n (n = 8, for example) since it leads to smaller SRD. 
Figure 3.3, Figure 3.4, and Figure 3.5 show the SRD in tenns of varying sync pattems 
with sync pattern size n = 4, 6, 8, respectively. 
SRD with sync pattern size n = 4 
290 .-------------~--------------.-------------~ 
250 ' ' ------------------------- ----- ~ - ----- - ----.------ - . -------- ..... ----------------- -------------
' 
' ' 
----------------------------- -- ~ - ----- -- -- ------------ ________ ,_ -------------------------------
' ' 
240 
' ' 
' ' 
230 L_ ____________ _i~------------~------------~ 
0 5 10 15 
sync pattern 
Figure 3.3. SRD versus sync pattern with sync pattern size n = 4 
40 
SRD with sync pattern size n = 6 
300 ~----~----~----~------~----~----~------
290 ............ : 1 " r ······ 
' ' ' I I I I 
I 0 I I I 
~ :: : : •. .. ..  ] l :: :: [ : ~ : : :: 
200 ............ : JWt;~~: I : 
i \ i i • V'h 
sync pattern 
Figure 3.4. SRD versus sync pattern with sync pattem size n = 6 
SRD with sync pattern size n=8 
--- - -----------~------------- -r---
~ 550 
(/) 
500 
50 100 150 200 250 300 
sync pattern size 
Figure 3.5. SRD versus sync pattern with sync pattern size n = 8 
41 
~-----------~-------
From the figures, we can note that the complementary sync patterns result in similar 
SRD, which is expected, since there is no conceptual difference between "O"s and " 1 "s. 
In order to detennine the best sync pattern for SCFB mode using AES as the keystream 
generator, we have selected 20% of the total 211 sync patterns which result in smallest 
SRD for each sync pattern size n. The selected sync patterns are listed in Table 3.1. It is 
necessary to note that we only list the sync patterns with fom1ats " I xx .. . xx", i.e. , most 
significant bit is "1 "; however, complementary ones will also be preferable sync patterns. 
For sync pattern size n = 4 in Figure 3.3, the sync pattems "0000'' and " 1 11 1 ''result in 
the smallest SRD; however, for sync pattern size n = 6 and 11 = 8 in Figure 3.4 and Figure 
3.5, the sync pattern format "000 ... 00" and " 111 ... 11 " result in largest SRD. This can be 
explained as follows: 
Recall the expression for the expected value of OFB block size k, E{k} = 2" - n [1 0] 
for sync pattern fom1at " 100 ... 00" , and Eb{k } = 2·(211 - l) - n [10] for sync pattern fonnat 
" 111...11 ". When n is very small (n ~ 4), the value of k is much smaller than the block 
cipher size B. Once the sync pattern is falsely detected in the IV region due to a bit slip, 
then· part or all of the OFB block will be collected as part of the false IV (refer to Figure 
2.12). In this case, the larger the OFB block size, the less likely that the next sync pattern 
is collected as pa1i of the false IV. That is, the next actual sync pattern will highly 
probably be detected, thus resulting in recover from the sync loss. Now consider 11 = 4 for 
example: E{k} = 12 for sync pattern format " 100 ... 00" and E{k} = 26 for " 1 1 1.. .11 ". If 
the sync pattern is falsely detected at the 13-th bit to the 20-th bit in the IV region, the 
following 108 bits actual IV and 20 bits OFB block would be collected as the false IV. 
Since for sync pattern fonnat "111 .. . 11 ", the average OFB block size of 26 is large 
42 
enough that the next sync pattern would not be missed. But for sync pattern forn1at 
- " 1 OO ... oo··, the next sync pattern also needs to be collected as part of the false IV since 
the OFB block size k is not large enough. Th.erefore, the sync loss will be delayed until 
the next sync pattern is properly detected. Hence the sync pattern " I 000" results in larger 
SRD in Figure 3.3 than sync pattern "1 1 1 I ,._ 
However, when 11 gets larger (11 > 4), especially 11 is very large (11 ~ 8), the expected 
value of OFB block size k for both sync pattern format "1 00 ... 00" and ' 111 ... 11 " 
becomes huge compared to the block cipher size B. For example, for sync pattern size 11 = 
12, the average OFB block size E{k} = 4084 for " 100 ... 00" and 8178 for "111...11 ... In 
this case, SRD is mainly affected by the OFB block size and not by the effect o~ false re-
synchronization. Since the OFB block size for sync pattern format " 111 ... 11 ,. is almost 
twice the value of "1 OO ... oo··, it will result in much larger SRD. Hence, for sync pattern 
sizes 11 = 6 and 11 = 8 in Figure 3.4 and Figure 3.5, the sync pattern forn1at ·'000 ... 00" and 
" 111 ... 11 " result in the largest SRD. 
Moreover, from Figure 3.2, it can be seen that for sync pattern size n = 12, SRD of 
sync pattern format " 111 ... 11 ,. and " 1 00 ... 00" can reach values larger than 8000 and 4000, 
respectively. Therefore, in order to maintain modest SRD, the very large sync pattern size 
n should not .be selected when implementing SCFB mode using AES as the keystream 
generator. 
43 
Sync pattern size Sync pattern forn1at 
(n) (binary& decimal representation) 
4 1010(10), 1011(11), 1101(13), 1111(15) 
6 100000(32), 101000(40), 101111(47),110000(48), 110010(50), 
110100(52), 110101(53), 111000(56), 111001(57), 111010(58), 
1111100(60), 111101(61), 111110(62) 
8 10000000(128), 10000011(131), 10001011(139), 10010000(144), 
10010011 (147), 10010111 (151 ), 10011000 (152), 101 00000(160), 
10100011(163), 10100100(164), 10101000(168), 10101100(172), 
10101111 (175), I 011 0000(176), 10110011 (179), 10110 I 00(180), 
10110111(183), 10111000(184), 10111100(188), 11000000(192), 
11000001 (193), 1100001 0(194), 11000 I 00( 196), 11001 000(200), 
11001010(202), 11010000(208), 11010010(210), 11010100(212), 
11011 000(216), 110110 I 0 (218), 110111 00(220), 111 00000(224), 
111 00010(226), 111 00100(228), 11100101 (229), 111 00110(230), 
11101000(232), 11101001(233), 11101010(234), 11101100(236), 
11101101(237), 11110000(240), 11110001(241) 11110010(242), 
11110100(244), 11110101 (245), 11110110(246), 11111000(248), 
11111010(250), 11111100(252), 11111101(253), 11111110 (254) 
Table 3.1. Best sync pattern format list for SRD 
From Table 3.1 , we can see that for small sync pattern size n (n = 4 ), the sync pattern 
"111 ... 11"' is one of the best sync patterns for SRD. Of course, the complementary 
fonnat results in similar SRD. HoJever, for sync pattern size 11 = 6 and n = 8, the best 
sync patterns are uncon-elated. That is, the shifted sync pattern does not match bits from 
the original sync pattern as long as the number of shifted bits is within the sync pattern 
size n. Now consider 11 = 8, and sync pattern " 1 0000000" for example. Since in the 
implementation, the sync pattern window contains the cun-ent sync pattern, that is, the 
window contains the sequence "I 0000000". If it shifts left once, the content of sync 
44 
pattern window changes to "OOOOOOOx", where "x" is either " ]" or "0". It is clear to see 
that the shifted sync pattern will never match bits from original one as long as the shifted 
number of bits is within 8. Similarly, if it shifts right once, then the window will contain 
sequence "x 1 000000", where "x" is either "0" or " 1 " . It also can be concluded that the 
shifted sync pattern will not match the original one if it shifts less than 8 bits. To compare, 
we also consider the case of sync pattern "1 1111111 ". If it shifts left, as long as the input 
bits are " 1 "s, the shifted sync pattern will match the original one. The right shift is just 
similar to the left shift. Therefore, we can conclude that the best sync patterns which lead 
to small SRD are uncoiTelated. In particular, the sync pattern fonnat "1 00 ... 00" is among 
the best sync patterns for SRD. Hence, for large sync pattern size n (n > 4), the format 
"100 ... 00" will be one ofthe best sync patterns for SRD. 
3.3 Error Propagation Factor 
ln this section, we will present the simulation results ofEPF versus varying sync patterns. 
Figure 3.6 illustrates the EPF in tenns of sync pattern size n ( 4 ~ n ~ 12) with sync 
pattern fonnats " 1 00 ... 00" and " 111... 1 1 ". The lower bound of EPF can be calculated by 
EPF > (n+B)/2 [ 1 0] , with B = 128. From this figure, it can be seen that the EPF for small 
sync pattern size n (n ~ 6) is larger than that for large size. This is because for small size 
n, the OFB block size is very small, so bit errors mainly occur in the sync/IV region of 
synchronization cycle, thus resulting in missed synchronization very often and the EPF 
will be large. In contrast, the OFB block size k is very large for large sync pattern size n. 
45 
So bit errors wil1 mainly fall into OFB block of ynchronization cycle, which only leads 
to a single bit error at the receiver side. This will cause EPF to be small for large size 11. 
l.L. 
0... 
w 
EPF with format "10000000" and "11111111" 
100 ~--~~--~----~--
95 ' ......... ., ___________ _ 
90 
85 
EPF with format "100 ... 00" 
D- EPF with format "111.. .11" 
Lower Bound 
: 
' ' ?O[~~j'[· ~-~---~- ~--4[~--~--~---~-~--+~-~-~---~-r·-~==~.F=~~~~~i~~-r 
! I : I : 
65 ----------:-----------r·--------r·---------;-----·------:------------:------------r --- --- -
I I I I I I I : ...... ·· .. ·.::: .. :····: . . . :·····c : : . : :.J .... :. 60 
55 
' . 
' ' 
' ' 50 L---~----~-----L-----L-----L---~----~----~ 
12 4 5 6 7 8 9 10 11 
sync pattern size 
Figure 3.6. EPF versus sync pattern size 
From Figure 3.6, we can also see that EPF for sync pattern format " ] 0000000" drops 
to minimum at n = 7, and then slowly increase as 11 gets larger in general. Similarly, EPF 
for formats '·J I I I II II " drops and then has a slow general increase as n becomes larger. 
However, it has the minimum EPF at size 11 = 12. Since for size 11 = 12 with the sync 
pattern format " 111...11 ", the OFB block size is larger than 8000. In this ca e, almost all 
bit errors in the communication channel will occur in OFB block of synchronization' 
cycle, thus resulting in the minimum EPF. But generally, EPF varie over a small range 
of 70 to 85 for both sync pattern formats " I OOo'OOOO" and " 11111111 , .. 
46 
It also can be seen that generally, the EPF for the two sync pattern format are close, 
with only a slight difference. The EPF for format "1 00 ... 00" is smaller than that of 
" 111 ... 11 " for moderate sync pattern size n (7 :S n :S 1 0). But for sync pattern size n (n :S 6) 
and sync pattern size n (n ~ 11 ), the sync pattern format " 111 ... 1 I,. re ults in smaller EPF 
than that of format " I OO ... oo·'. This can be explained similarly to the SRD. 
For small size n, the expected value of OFB block size k is very small. A bit enor will 
mainly occur in the sync/IV region of synchronization cycle, thus resulting in missed 
synchronization frequently. Because the value of k for fonnat ·'111 ... 1 I" is larger than 
" 100 ... 00", it is le s pos ible that the next ync pattern being collected a the false rv for 
fom1at "111. .. 11 ,. than ·' IOO .. . oo··. Therefore, the next actual sync pattern for ·· 1 II.. . 1 1 .. 
will highly probably not be missed and thus synchronization will be regained quickly, 
while the sync pattern is missed and sync loss will be delayed until the next sync pattern 
being properly detected for " 100 ... 00'". 
For large ize n, the expected value of the OFB block size k is very large. Hence, bit 
enors will mainly fall in the OFB block of synchronization cycle, thus only affecting a 
single bit at the receiver side. Since the value k of sync pattern format " 11 1 ... 11 " is 
almost twice the value of fom1at " 100 ... 00", the probability that the bit error occurs in the 
OFB block will be much higher for '·ttl... ll ,. than ''100 ... 00", thus re ulting in smaller 
EPF. 
Figure 3.7, Figure 3.8, and Figure 3.9 illustrate the EPF in terms of varying sync 
patterns with the sync pattern size n = 4, 6, and 8, respectively. 
47 
lL 
a.. 
w 
lL 
a.. 
w 
EPF with sync pattern size n=4 
100,--------, 
95 
90 -·-·-------·------------ ----t--- . ---- ------ - - - - ~----- --
85 ------ ---- ---------- ----- ., ---- -- -- ·r-··-
75 ---- -----------------····-------- ------------···········---··----·-
70 
0 5 10 
sync pattern 
Figure 3.7. EPF versus sync pattern with sync pattern size 'n = 4 
EPF with sync pattern size n=6 
80 ,---.---~---.---~--~--
. ' 
o I t I 
----- -·----- .... ------ ... ----- ~---· -- -·---- .... - ---- -.--- _,_ ------------- ~ ..... .. -
' ' ' 
79 
' ' ' 
' ' ' 
' ' ' 
' ' 
' ' 
' ' 
-- ...... -... - . .._.. ---- ...... -----------.-------------- ~------------
' ' 
78 
' ' 
' ' 
' ' ' 
' ' ' 
' ' ' 77 ............ , -------------.------·•·••• r· .. .. i ..................... :-·····-······-~··•••• -•-
' ' 
' ' 
' ' 
' ' j--:i\----·-·-:----------f ~ ·- -- + - --·-·fh··- . --+----- -----
T \ . ! .. -'w i 1 . -.h \; o 'yl; 
: - ~ ------( ---- -·r - -----~--------------:----------- --·-
:--- --- --- - ----:---- ----- ----- :----... -.. ----. :- --------- --- -:-- ---- --- .... - ~ 73 
. ' ' ' ' t t I I 
. ' ' ' 
o I I I 
72 I I t I t• t ----------"'--·- ------ ----'-- -----------.I..- .. ----------,., _____ ---------'-----···- .. -~ ........... . I I I I I I 
I I I I I 
I I I I 
I I I I 
I I I I 
I I I I 
I I I I I 
. ... ----- __ _,_---------- .. -.. - -.----... -- .. ----------- ___ ... ---------··-- ~ ... 
I I I I I 71 
I I I I I 
I I I I I 
I I I I I 
I I I I I 
I I I f I 
sync pattern 
Figure 3.8. EPF versus sync pattern with sync pattern ize n = 6 
48 
15 
EPF with sync pattern size n=8 
80 .------,,------,-------.-------,------.----
79 .. - --------- ~-- - ------------- ~ -----
' 
78 ------------+--------------- ~ --------- -----· ' ' ------------ --r- --------------- .,--------------
' ' 
' ' 
' ' 
' ' 
' ' 
' ' 77 --------- --...:-- ------------- ~ -- -
76 
it 75 
w 
71 
50 100 
' ' 
' ' 
-. .. ~ -- - ---- - --- ·"- ------- --- -
' ' 
' 
___ ~.. ___________ _ 
150 200 250 
sync pattern siz e 
Figure 3.9. EPF versus sync pattern with sync pattem size n = 8 
300 
From those figures, we can similarly find that complementary sync patterns result in 
similar EPF. As well , in order to detennine the best sync pattern for EPF of SCFB mode 
using AES a the keystream generator, we have selected 20% of the total 2" sync patterns 
which result in smallest EPF. The selected sync patterns are listed in Table 3.2. Similar to 
SRD, we only list the sync patterns with formats " I xx ... xx", where the most significant 
bit is " 1''; however, complementary one will also be preferable sync pattern . 
For sync pattern ize n = 4 in Figure 3.7, the sync patterns "0000" and " 1111 '" result in 
the smallest EPF. As well , the sync pattem " 1000'' results in small EPF. For sync pattem 
size 11 = 6 in Figure 3.8, we can draw the same conclusion. For sync pattern ize 11 = 8 in 
Figure 3.9, the sync pattern "00000001 " lead to the smallest EPF. Also, the ync pattern 
"1 0000000" results in small EPF. 
49 
From Table 3 .2, we find that, except for the sync pattern format " 111...11 ", the best 
sync pattern for EPF for sync pattern size n = 6 and n = 8 are also uncoiTelated. That is, 
the shifted sync patterns will not match bits from the original sync pattern as long as the 
number of shifted bits is within the sync pattern size n. 
Sync pattern size Sync pattem format 
(n) (binary & decimal representation) 
4 1000(8), 1010(10), 1110(14), I111(15) 
6 100000(32), 101010(42), 101111(47), 110000(48), 110101(53), 
1IOI10(54), 1101II(55), I11000(56), II1011(59), 11II00(60), 
111101(61), 1I1110(62), I11II1(63) 
8 10000000(I28), 10000010(I30), 1000I100(140), 10001101(141), 
10001111(143), 1001 0000(144), 1001001 0(146), 1001 OI1 0(150), 
10011001(153), 10011011(155), 10011I01(157), 10011110(158), 
101 00000(1 60), 10101 000(168), I 0101001 (169), 1010101 0(170), 
I0101111(175), 10110100(180), 10110110(182), 10110111(183), 
1 0 1I1 000(184), 1 0 1I111 0( 190), I 0111111 (191 ), 1 1 000001 ( 193 ), 
11000011 ( 195), 11 001 000(200), 110011 00(204 ), 11 01000 I (209), 
I10IOOI0(210), 11010111(215), 11011000(216), 11011010(218), 
1101111 0(222), 110 1111I (223), 11100001 (225), 1II 0001 0(226), 
111001 00(228), 11100 II 0(230), 11100111 (231 ), 11101 000(232), 
1110I010(234), 11101I00(236), I1110000(240), 11110100(244), 
I111 01 01 (245), 1111 011 0(246), 1 ] 110 1I1 (24 7), 11111 000(248), 
11111011(251), 1111I100(252), 1I111101(253), 11111110(254) 
Table 3.2. Best sync pattern format list for EPF 
Overall, by analyzing the figures for EPF, we find that the value of EPF does not 
change much between varying sync patterns compared with SRD. Therefore, when 
50 
considering the selection of the best sync patterns for SCFB mode using AES as the 
keysh·eam generator, we should mainly focus on SRD. So the sync pattern forn1at 
"111 ... 1 1·' can not be selected as best sync pattern for large sync pattern size n (11 > 4) 
because it results in the largest SRD. In addition, from Figure 3.6 and Figure 3.2, we find 
that the small sync pattern size will result in large EPF, and the large sync pattern sizes 
will lead to huge SRD. Hence, when implementing SCFB mode using AES as keystream 
generator, the best sync pattern size will be moderate n (7 ~ 11 ~ 9), and the best sync 
pattems will be those which are uncorrelated. In pruiicular, the sync pattern with size 11 = 
8 and format " 1 00 ... 00" has been selected in our hardware implementation of SCFB 
mode configured for stream cipher Grain-128 in Chapter 4. 
3.4 Conclusion 
In this chapter, we presented the simulation results of characteristics of SCFB mode 
which uses the block cipher AES as the keystream generator. These simulations included 
SRD and EPF in terms of varying sync pattern size 11 ( 4 :S 11 ~12) for sync pattern formats 
" I 00 ... 00" and " 111 ... 11 " and SRD and EPF in terms of varying sync patterns for sync 
pattem sizes of 11 = 4, 6, and 8. Through the simulation results, we found the sync 
pattems which will result in small SRD and EPF when implementing SCFB mode in 
digital hardware. Those best ones are with moderate size 11 (7 ~ 11 ~ 9), and with 
unconelated format, that is, the shifted sync patterns will not match bits from original 
sync pattern as long as the number of shifted bits is within n. In particular, the SY11C 
51 
r-----------------------------------
pattern with size n = 8 and fom1at " 1 00 ... 00" has been selected when we implemented the 
SCFB mode in digital hardware in Chapter 4. 
52 
Chapter 4 
Analysis and Design of SCFB Mode Implementation of 
Grain-128 · 
In [22] , SCFB mode is implemented by using block cipher, AES, as the keystream 
generator. In this chapter, SCFB mode will be applied to the ynchronous stream cipher 
Grain-128. In order to study the implementation issues and detennine complexity and 
speed of this system in a real implementation, we will investigate the hard war design of 
this implementation, and implement the design and test it by using the Xilinx Spa11an-3E 
FPGA since commonly, FPGAs are target technology and the Digilent board is available 
for the device. 
4.1 SCFB Mode Applied to a Synchronous Stream Cipher 
The original proposed SCFB mode uses a block cipher, such as AES, as the keystream 
generator. In the hardware implementation of such a mode, a queuing system will be 
required to ensure the efficiency of system operation. Implementation details of such a 
system can be found in [22]. However, the hardware complexity will be high due to the 
usage of complex queues. In this thesis, SCFB mode will use a stream cipher instead of 
block cipher a the keystream generator, thus removing the necessity of queues in the 
hardware implementation. Except for the keystream generator, SCFB mode in such an 
implementation works the same way as the conventional block cipher implementation. 
53 
The ciphetiext is scanned for the sync pattern at both transmitter and receiver sides. Once 
the sync pattern is recognized, the scanning function will be turned off and the following 
B ciphertext bits will be collected as the new IV. This new IV will then be loaded into the 
keystrean1 generator to resynchronize the system. 
However, there is a disadvantage of such implementation if AES is just replaced by 
one stream cipher. For a synchronous system, once it starts to work, it must take one 
plaintext bit in and give one ciphertext bit out at every clock cycle. That i to say, at each 
clock cycle, the keystream bit used to encrypt the plaintext must be ready. But for most 
stream ciphers, they will often require some time to initialize with the key and the new JV 
before producing any output data. If the new IV is simply loaded into the keystream 
generator, there will be no keystream bits avai lable until the initialization process 
completes, which could take many clock cycles. Dming this initializahon period, the 
plaintext bits will need to be stalled due to the lack of keystream bits. As a block cipher 
mode, this results in a complex system of queues to ensure that data flows in and out of 
the system at a fixed rate [22). To overcome this problem, for SCFB mode configured for 
a stream cipher, we have simply duplicated the stream cipher used in the mode. Due to 
the very simple hardware complexity of the sb·eam cipher, this is a practical solution. 
There are two keystream generators in this implementation. One of them is refeiTed to 
as the primary keystream generator and the other to be the setup keystream generator. 
The primary keystream generator will be used to produce keystream to encrypt the 
plaintext, while the setup keystream generator is only used to fini h the initialization 
process with the key and the new IV. It will activate once the sync pattern is recognized 
in the ciphertext and the new IV is completely collected. Following the initialization 
54 
phase of the setup keysh·eam generator, the content of the primary keystream generator 
registers will be updated by that of the setup keystream generator. Hence, the following 
keystream will be generated based on this new IV. However, during the initialization 
phase of the setup keystream generator, the keystream produced by the primary 
keystream generator will be based on the previous IV, and the sync pattern recognition 
will be turned off. 
The general structure of SCFB mode configured for a stream cipher is given in Figure 
4.1. From the figure, we can see that the encryption system on the transmitter side and the 
decryption system on the receiver side have the same implementation structure. For 
example, in the encryption ystem, the two stream cipher blocks represent the primary 
keystream generator (KSG 1) and setup keystream generator (KSG2), respectively. 
Moreover, both keystream generators use the same key, which is initially known to 
sender and receiver before transmission starts. 
KSG1 KSG2 
plaintext ciphertext 
ENCRYPT DECRYPT 
Figure 4.1. Structure of SCFB mode configured for stream cipher 
In order to accommodate the modified operation of SCFB mode, the synchronization 
cycle is modified as shown in Figure 4.2. Recall that in the synchronization cycle of 
55 
SCFB mode using AES as the keystream generator in Figure 2.12, some ciphertext bit 
belong to the sync/IV region, others will fall into the OFB block. Similarly, the ciphertext 
of SCFB mode configured for a stream cipher can be divided as follows: n-bit sync 
pattern, B-bit IV, m-bit setup phase, and k-bit synchronous phase. Thi is shown in Figure 
4.2. 
n B m k n B 
... 
. . . sync IV Setup phase Synchronous sync IV .. . phase 
Synchronization cycle 
Figure 4.2. Synchronization cycle of SCFB mode configured for stream cipher 
The setup phase refers to the phase when the setup keystream generator initializes the 
keystream state with the key and the new IV. The synchronous phase indicates the phase 
before the sync pattern appears after the synchronization is regained. During the 
synchronization phase, the ciphettext is scanned for the sync pattern. Since the 
synchronization cycle refers to the beginning of the sync pattern to the beginning of next 
sync pattem, the synchronization cycle length of SCFB mode which uses the stream 
cipher as the keystream generator consists of n + B + m + k bits. In the hardware 
implementation, the stream cipher Grain-128 will be used as the keystream generator. 
Since it will take 256 clock cycles for Grain-128 to initialize, the setup phase is of 
duration m = 256. Since the size of IV for Grain-128 is 96, B = 96 in our implementation. 
56 
4.2 System Design 
In this section, the system design of SCFB mode configured for a stream cipher will be 
discussed. First of all , the design components including two keystream generators and 
three counters will be described from Section 4.2.1 to Section 4.2 .3. The encryption 
system consisting of the datapath and controller on the transmitter side will be discussed 
in Section 4.2.4 and Section 4.2.5. The simple description of the decryption system on the 
receiver side wi ll be given in Section 4.2.6. In the end, the design of system interface 
which is used to communicate between the FPGA board and the Adept Suite applications 
running on the computer will be explained. 
Moreover, in order to simplify reading, the pnmary keystream generator will be 
referred to as KSG 1, and the setup keystream generator will be KSG2. The hardware 
components related to KSG I will be marked as " I", and those of KSG2 will be indicated 
by "2"". As long as the size of stream cipher i small , the duplication will be practical. In 
our implementation, the stream cipher Grain-128 has been cho en as the keystream 
generator. Since the concept of Grain-128 has been discussed in Chapter 2, onl y its 
hardware implementation will be given in this section. Due to the varying behaviors of 
KSG 1 and KSG2, there will be a slight difference of hardware implementation between 
these two. Hence, the implementation structure of KSG 1 and KSG2 will be separately 
explained. 
57 
4.2.1 Primary Keystream Generator- KSG1 
The hardware implementation structure of KSG 1 is given in Figure 4.3. Compared with 
the structure of Grain-128, four extra multiplexers are added in KSG I. Two of them are 
128-bit multiplexers and the other two are 1-bit multiplexers, actually, 2-input AND gates. 
128-bit multiplexers will be used to select input to Grain-128. In the Figure 4.3 , 
MUX 128 of NLFSRI is used to select the key or the output of NLFSR2 com ing from 
KSG2; MUX128 of LFSR1 is applied to decide the input between the IV and the output 
ofthe LFSR2 from KSG2. The notation IV&1s represents the 96-bit IV and 32-bit " l "s. 
Recall the concept of Grain-128 in Section 2.2.2: during the initialization process, the 
first 96 elements of LFSRl will be loaded by the initial IV and the last 32 elements will 
be fi lled with all " 1"s. 
58 
KEY 
SEL_MUX128_NFSR1 
SEL_NFSR1 
CLOCK CLEAR_KSG1 
NFSR2_0UT 
SEL_MUX128_LFSR1 
5 
I MUX \-
I 2 L_.~ :-,r a SEL_MUX1_NFR1 
T 
' 
IV&1s 
OUTPUT KEYSTREAM 
Figure 4.3. Structure of KSGI 
LFSR2_0UT 
J 
128 
SEL_LFSR1 
,---
7 
MUX \ 
0 
SEL_MUX1_LFSR1 
Moreover, recall there are two modes of the Grain-128: the ir1itialization mode and the 
operating mode. In the initialization mode, the cipher does not output any data bit; instead, 
the output bit is fed back to update both shift registers. But in the operating mode, the 
output bit is just output as the keystream, without feeding back. The 1-bit multiplexers 
are used for this purpose in KSG 1. Each multiplexer is connected to each shift register. It 
wil l simply input "0" to the update function when the cipher is in the operating mode. 
The initialization process of KSG 1 only occurs at the beginning of system operation; 
however, this could also be achieved by KSG2, thus getting rid of two 128-multiplexers 
in KSG I. This will be reflected in our future work. 
The input and output signals shown in Figure 4.3 are explained in Table 4.1. 
59 
SIGNAL LABEL DESCRIPTION COMMENT 
CLOCK clock signal to system comes from FPGA board 
CLEAR KSG1 clear signal to KSG 1 comes from the controller 
KEY 128-bit key input to comes from the outside of 
MUXI28 ofNLFSR1 system, the Adept tool, 
TransP01t, 1'Uru1ing on the 
computer, 111 our 
implementation 
NLFSR2 OUT 128-bit input signal to comes from the output of 
-
MUX128 ofNLFSR1 NLFSR2 in KSG2 
SEL MUX128 NLFSRl select signal of MUX128 of comes from the controller 
- -
NLFSRl 
SEL NLFSRl select signal ofNLFSRl comes from the controller 
IV&ls 96-bit IV and 32-bit "1 " s, comes from the outside of 
input signal to MUX128 of system, the Adept tool, 
LFSRI TransPort, running on the 
computer, 111 our 
implementation 
LFSR2 OUT 128-bit input signal to comes from the output of 
MUX 128 of LFSR I LFSR2 
SEL MUX128 LFSRl select signal of MUX128 of comes from the controller 
- -
LFSRI 
SEL LFSR1 select signal ofLFSRI comes from the controller 
SEL MUX1 NLFSR1 select signal of MUX1 of comes from the controller 
- -
NLFSRI 
SEL MUX1 LFSRI select signal of MUXI of comes from the controller 
- -
LFSRI 
OUTPUT KEYSTREAM output the key stream bit 
Table 4.1. Input and output signals of structure of KSGJ 
4.2.2 Setup Keystream Generator - KSG2 
The structure of KSG2 is shown in Figure 4.4, and it is much simpler than KSG I. From 
the figure, we can see that there are no 1-bit multiplexers for both shift registers. This is 
because the KSG2 only works in the initialization mode: the output bit is always feeding 
back to update functions . As well, KSG2 does not need 128-bit multiplexers because the 
input to the cipher is only the key and the new IV. Once the encryption system or 
decryption system sta1ts to work, the 128-bit key will be loaded into the NLFSR2, and 
60 
then the KSG2 will stop working until the collection of 96-bit new TV is complete. The 
new IV will be loaded into the first 96 elements of LFSR2, and the Ia t 32 bits of it will 
be filled with all " 1 "s. Then KSG2 will activate and sta11 to shift. After 256 clock cycles, 
the contents of NLFSR2 and LFSR2 will be loaded into the NLFSR I and LFSR I, 
respectively and KSG2 goes to idle again . It will be deactivated until the collection of the 
next new IV i complete in the next synchronization cycle of SCFB mode. 
After being updated with the new state, KSG 1 will produce the keystream based on the 
new IV. Since both the encryption and decryption systems work in the same way, 
synchronization will be regained. However, it is necessary to note that during the 
working period of KSG2 (i.e. , the setup phase), KSG I continuously generates keystream 
based on the previous IV . 
KEY 
NEWIV&1s 
SEL_NFSR2 
14 
' 126 SEL_LFSR2 
t 
NFSR2 
7 
CLOCK CLEAR_KSG2 NFSR2_0UT LFSR2_0UT 
Figure 4.4. Structure of KSG2 
The input and output signals shown in Figure 4.4 are explained in Table 4.2. 
61 
SIGNAL LABEL DESCRIPTION COMMENT 
CLOCK clock signal to KSG2 comes from the FPGA 
board 
CLEAR KSG2 clear signal to KSG2 comes from the controller 
KEY 128-bit key input to comes from outside of 
NLFSR2 system, the Adept tool , 
TransPort, running on the 
computer, In our 
implementation 
SEL NLFSR2 select signal ofNLFSR2 comes from the controller 
NEWIV&ls 96-bit new IV and 32-bit new IV is the collected 96 
" l "s bits of ciphe1iext following 
the recognized sync pattern 
SEL LFSR2 select signal to LFSR2 comes from the controller 
NLFSR2 OUT 128-bit output signal of used to update KSG I 
NLFSR2 
LFSR2 OUT 128-bit output signal of used to update KSG 1 
LFSR2 
Table 4.2. Input and output signals of structure of KSG2 
4.2.3 Counters 
In the implementation of SCFB mode using a stream cipher as the keystream generator in 
this thesis, there are three counters associated with the system controller, named 
SyncPattern_COUNTER, NewlY _COUNTER, and SETUP _COUNTER. ln this section, 
these three counters will be described. 
As discussed in Chapter 3, the sync pattern window will only stmi to compare with the 
actual sync pattern when it has collected 11 bits of ciphe1iext to avoid the problem 
between the format of the actual sync pattern and the initialization value of the sync 
pattern window. For this reason, the SyncPattern_ COUNTER is needed. Every cycle 
after sync being regained, the SyncPattern_COUNTER will start to increment until it 
reaches the value 11. Then it will hold this value until the sync pattern is recognized. 
62 
- ------ ----------
However, during the new IV collection and the initialization phase of KSG2, it will be 
cleared to zero. That is to say, the SyncPattem_ COUNTER is only enabled to count 
during the first few bits of sync pattern scanning phase (i.e. synchronous phase). 
The NewlY_ COUNTER works only in the new IV collection phase. Since the size of 
IV for Grain-128 is 96 bits, this counter will count to 96 and then be cleared to zero. It 
will be enabled again when the sync pattem i recognized in the next synchronization 
cycle and the new IV starts to be collected. 
The SETUP_ COUNTER is used when Grain-128 is in the initialization process. Since 
both KSG 1 and KSG2 are implemented by Grain-128, this counter will be needed when 
they initialize themselves. However, since KSG I only initializes at the beginning of the 
encryption or decryption system, the SETUP_ COUNTER will mainly work when KSG2 
is initializing with the key and the new IV. Since it will take 256 clock cycles for Grain-
128 to finish the initialization, this counter will count to the value of 256 every setup 
phase, and then be cleared to zero. 
4.2.4 Datapath of Encryption System 
The encryption system on the transmitter side consists of the data path and the controller. 
The datapath contains the functional component to perfom1 the data proces ing of SCFB 
mode configured for Grain-128; the controller will be implemented by a finite state 
machine to control the data processing operation of the datapath. The block diagram of 
the encryption system is given in Figure 4.5. It is impotiant to note that the 
LFSR _PlaintextGenerator is not included in the datapath of encryption systeni , since it is 
for the purpose of system testing. The meaning of these signals is also given in Table 4.3. 
63 
SIGNAL LABEL DESCRIPTION COMMENT 
IYKSGl tr initialization vector that is comes from the outside of 
-
used to initialize the LFSR the ~ystem, the Adept tool, 
ofthe KSGl TransPort, running on the 
computer, 111 our 
implementation 
IVPltGen tr initialization vector that is comes from the outside of 
used to initialize the LFSR the system, the TransP01i, 
of the plaintext generator in our implementation. For 
convenience in te ting, 111 
our system, the plaintext 
generator is just the LFSR 
which is the same one in 
Grain-128 
Keyln_tr initial key value which is comes from outside of the 
used to initialize the system, the TransPort, 111 
NLFSRs of both KSG 1 and our implementation 
KSG2 
Clk tr clock signal for the system comes from FPGA board 
reset tr control signal that makes connected to a button on the 
-
the state machine go into FPGA board. When the 
the INIT state whatever its button is pushed, the system 
current state is will be reset 
flag_tr output of the last register of hen it IS detected to be 
the interface, indicating ·' 11111111 ", it means that 
whether the TransP01i the TransPort has 
completes writing registers completed writing to the 
registers 
dout tr data bit transmitted out of when the controller is in the 
the encryption system IN IT, Load_PC, and 
Shift KSG1 state , the 
-
encryption sy tem end out 
all ·' 1 '·s; in others states, it 
sends out the ciphertext bits 
lediNIT tr control signal to the Led on It is lit when in these two 
the FPGA board, indicating states; otherwise, it 
whether the encryption becomes dark 
system in the INIT and the 
Shift KSG 1 state 
pltout_tr output · bit of the plaintext During the INIT, Load_PC, 
generator, which is used to and Shift_KSG1 states, this 
compare with the decrypted signal outputs '·]"' 
plaintext bit 
Table 4.3. Input and output signals of block diagram of encryption system 
64 
IVPitGen_tr 7 
/ 128 LFSR_PiaintextGenerator 
~ pltout_tr 
Keyln_tr 
Clk_tr 
reset_tr ~ dout_tr 
flag_tr 8 ENCRYPTION ~ lediNIT_tr 
128 SYSTEM IVKSG1_tr 
-------
Figure 4.5. Block Diagram of Encryption System 
In this section, the datapath of encryption system will be described. The description of 
controller of encryption system will be given in Section 4.2.5. The implementation 
structure of the datapath of the encryption system is shown in Figure 4.6. From the figure, 
we can see that there are two main components for this datapath: KSG 1 and KSG2. For 
the system testing purpose, we also give the component LFSR_PlaintextGenerator. As 
discussed before, KSGl is the p1imary keystream generator which is responsible for 
producing the key sequence; KSG2 is used to update the state of KSG 1 with the new IV 
when sync pattern is recognized in the ciphertext. Theoretically, the plaintext can be any 
data sequence as long as it is continuously sent into the encryption system at the rate of a 
single bit per clock. In our implementation, the plaintext is simply generated by an LFSR, 
which, for convenience, is the same structure as the one implemented in the Grain-1 28 
stream cipher. 
65 
~Tf-~ 
I ~"-'"'""~···~" R 
SEL_MUX1_Dout Lf 
- L~ 
PLT OUT 
ENCRYPTION 
SEL_MUX128_NFSR1 ---,/'-2--~ 
SEL_ MUX128_LFSR1 ---,1-1 2--
I 
128 
/ 
SEL MUX2 NFSR1 --SEL~MUX2~LFSR1 ~ 1 
r--~-L~~-~~-. 
2 
SEL_LFSR1 --j-.:.---. 
2 SEL_NFSR1 - 1F ..: KSG1 
CLEAR_KSG1 ---• 
... 1 
L----~----~ 
KEYSTREAM_OUT l 
PLAINTEXT 
OUT 
SEL_DEMUX1 -
CIPHERTEXT 
OUT 
cLR_NivR ---c__~ r + 
1 
-:-] New1V 
r----------2--.:-I Register 
SEL_NIVR -r-- o-1-c__~-----'
NewtV&1s 
CLEAR KSG2 ----o-1 
SEL_~FSR1~ KSG2 
128 
SyncPattem [--
Register r-
L 
KEY 
IV&1s 
• DATA_ OUT 
ENCRYPTION 
CLR_SPR 
SEL_SPR 
LFSR2_0UT 
I 128 
SEL_NFSR2 __j r t__--T-L=l__ ___ S_PR-_O_ U_T_ 
L----------~1-1~2~8 _, __ _____ 
I 
c___ CLOCK NFSR2_0 UT 
DATAPATH 
Figure 4.6. Sta·ucture of datapath of encryption system 
From Figure 4.6, we can also see that after the ciphetiext is produced by XORing the 
output of KSGl and the output of the plaintext generator, it is not only sent to the 
multiplexer, but also sent to the de-multiplexer. The multiplexer is used to output data of 
the encryption system selecting between " 1" and the ciphertext bit. The reason will be 
explained in Section 4.2.5. The 1-bit de-multiplexer is used to separate the ciphertext 
from the sync pattern and the new IV, which will be shifted into the sync pattern register 
and the new IV register, respectively. Corresponding with these two registers, the 
66 
SyncPattern_COUNTER and the NewlY _COUNTER will be invoked accordingly. 
Moreover, the block diagram of datapath of encryption system is shown in Figure 4.7. 
Again, this diagram also contains the plaintext generator. All signals shown on this 
diagram will either go to or come from the controller. 
128 
IVPitGen_dp ~ -
Clr_PitGen_dp -----.J 
2 Sei_LFSRPitGen_dp --f-~ 
Sel_mux2_LFSRPitGen_dp 
Clr_SPR_dp 
Sei_NIVR_dp 
Clr_NIVR_dp 
Clk_dp ----, 
Keyln_dp 
IVKSG1_dp 96 I 
En_sprCounter_dp ~ 
clr_sprCounter_dp __r-
8 
dout_sprCounter_dp ~  
En_nivrCounter_dp 
clr_nivrCounter_dp , 
96
...,
1 
dout_nivrCounter_dp 1+-=--J 
En_setupCounter_dp I 
clr_setupCounter_dp __ .,.. 
dout_setupCounter_dp .----f-2- 5---16 
LFSR_Piaintext 
Generator 
DATAPATH 
dataout_dp 
Sel_mux2_pltout_dp 
Sei_SPR_dp 
8 
winSP _dp 
.------- Sel_mux2_dout_dp 
.------- Sel_demux2_dp 
-- Sel_mux128_NFSR1_dp 
-- Sel_mux128_LFSR1_dp 
14-- - Clr_KSG1_dp 
~-- Sel_mux2_NFSR1_dp 
~ Sei_LFSR1_dp 
Sel_mux2_LFSR 1_ dp 
Sel_mux2_KSG2_dp 
Clr_KSG2_dp 
2 T- Sei_NFSR2_dp 
--;-3----- Sei_LFSR2_dp 
Figure 4.7. Block diagram of datapath of encryption system 
67 
4.2.5 Controller of Encryption System 
The controller of the encryption system is implemented by a finite state machine (FSM), 
as shown in Figure 4.8. There are eight states for this state machin : I IT, Load_PC, 
Shift_KSGl , CTGen, ewlYCollect, Load_NewiV, Shift_KSG2, and Load_KSG2. 
Flag= ·· 00000000 ·• 
F{,., •• " ' " ' " ---t'~ ~_others--:-~ 
Load_KSG2 \ 
.--' ( 
\\ 
Shift KSG1 Out_setupcounter<256 
- I ~ 
Out_setupcounter=256 
I 
_) 
Out_setupco\=256 
Out_setupcounter<256 
Shift_KSG2 ) 
----
Out NewiVCOUNTER=96 \ 
( CTGen 
!\ ncPallem=" 1111 111 1 ·· ~ ( 
/ NewlVCollect \ ('--
SyncPatteml=·· 11 1111 11 " ( ../ 
Out_NewiVCOUNTER<96 
Figure 4.8. FSM of controller of encryption system 
In the INIT state, all components are cleared to zero; meanwhile, the ystem is waiting 
for the input data, which will be obtained by letting the application tool running on the 
computer write to registers of the interface running on the FPGA board. Once the last 
68 
register, which is refeiTed to as ·'Flag", is written by ''11111111 ", KSG 1 will load the key 
and the initial TV. Since KSG1 and KSG2 share the same key value, KSG2 will also load 
the key. Otherwise, the Flag register will be empty, indicated by "00000000", thus 
keeping the controller remaining in INIT tate. 
After the key and the initial IV are loaded into the system, KSG 1 starts to initialize 
itself As discussed before, it will take 256 clock cycles to finish initialization, and all 
data bits will be fed back to update its state instead of being outputted as the keystream. 
In this state, the KSG2 remains idle. In fact KSG2 does not work until the collection of 
new IV is complete that is to say, it will start to work in the Load_New!V tate. 
In the Shift_KSG I tate, the SETUP_ COU TER will be enabled. When the output of 
this counter reaches the value "256", the controller will turn into the CTGen state. In this 
state, the ciphertext will be produced and the sync pattern scanning will be initiated. 
When the proper ync pattern is recognized in the ciphe1iext sequence, the state machine 
will go to the NewiVCollect state, where the NewlY_ COUNTER i going to be initiated. 
In this state, the sync pattern scanning will be su pended. 
After the NewlY _COUNTER increments to the value "96", KSG2 will load this new 
IV and start to shift. Again, the SETUP_ COUNTER is enabled to indicate whether the 
shifting phase of KSG2 is complete. Jt i worthwhile to mention that during the 
initializing state of KSG2, the KSG 1 will continuously generate keystream based on the 
previous IV. As well , the sync pattern scanning is still turned off. 
After shifting 256 clock cycles, the contents of KSG2 will be loaded in parallel into 
KSG 1. The state of KSG 1 will be updated. Then KSG 1 starts to produce keystream based 
on the new IV. As well , the sync pattern scanning will be turned on for the ciphe1iext 
69 
being produced by the new IV. For other unknown cases, the controller will directly 
return to the !NIT state. 
The block diagram of controller of encryption system is given in Figure 4.9. All signals 
shown on this figure will go to or come from either the datapath of encryption system or 
the plaintext generator. 
winSP _con ----r:_____, 
Sei_SPR_con .,. 
Clr_SPR_con .,. 
Sei_NIVR_con 
Clr_NIVR_con .,. 
Clk_con 
din_sprCounter_con 
~----.... Clr_PitGen_con 
Sei_LFSRPitGen_con 
2 ~--,.... Sel_mux2_LFSRPitGen_con 
Sel_mux2_pltout_con 
Sel_mux2_dout_con 
Sel_demux2_con 
Sel_mux128_NFSR1_con 
.... Sel_mux128_LFSR1_con 
Clr_KSG1_con 
Sei_NFSR 1_con 
_con 
' 
CONTROLLER 
En_nivrCounter_con - --i 
clr_nivrCounter_con .,. 
din_nivrCounter _con 
En_setupCounter_con 
clr_setupCounter_con ... 
dout_setupCounter _con 
f----... Sel_mux2_LFSR1_con 
Sel_mux2_KSG2_con 
Clr_KSG2_con 
__L__2_ -y-~ Sei_NFSR2_con 
2 
.,.. Sei_LFSR2_con 
IedlN lT _con 
Figure 4.9. Block diagram of controller of encryption system 
4.2.6 Decryption System 
As discussed before, for binary additive stream ciphers, the decryption process is just the 
same as encryption process, except that the plaintext in the XOR function is replaced by 
70 
the ciphertext. Therefore, the datapath and the controller of the decryption system of 
SCFB mode configured for Grain-128 will be very simi Jar to those of the encryption 
system. Since the implementation design of encryption system has been described in 
Section 4.2.4 and Section 4.2.5, only the block diagram of decryption system will given 
in this section. It is shown in Figure 4.1 0. 
128 IVKSG 1_re ---/------j~ 
Clk_re 
reset_re ~ 
flag_re ------,.'-----4~ 
datain_re 
DECRYPTION 
SYSTEM 
.... dout_re 
.... IedlN lT _re 
Figure 4.10. Block diagram of decryption system 
Compared to the block diagram of t~e encryption system, most signals shown on 
Figure 4.10 have the same meaning except one input signal and two output signals. The 
signal datain _re repr~sents the input data to the decryption system. Basically, it is the data 
bit out of the encryption system. The dout_re indicates the output data of the decryption 
system. It is " 1" when the controller is in the JNIT, Load_PC, and Shift_KSG 1 states; in 
other states, it will be the decrypted plaintext. Similarly, the IediN IT _ re signal will be 
connected to an LED on the FPGA board, indicating whether the decryption system is in 
the INIT, Load_PC, and Shift_KSGl states when it is lit; otherwise, the decryption 
system will be in the working mode. 
71 
4.2.7 System Interface 
In order to make the encryption system and decryption system run on a real piece of 
hardware, the initial value of Key and IV to KSG 1 and the initial value of IV to plaintext 
generator should be input into the system before it starts encryption and decryption. That 
is to say, the FPGA board needs to exchange data with the computer through the system 
interface. 
As discussed before, the FPGA board used in this thesis is the Digilent NEXYS II 
system board. From [4][5], it can be found that the Digilent Communication Interface 
DLL, dpcutil.dll , provides a set of API functions for application programs running on a 
Microsoft Windows based computer to exchange data with logic implemented in a 
Digilent system board. The logic implemented is set of registers in the gate anay. The 
application programs running on a host computer exchanges data with this logic by 
reading or writing these registers. Moreover, Digilent Communication interface modules 
will implement the interface which controls the reading and writing of registers. Since the 
data needed to be transfened to the designed system is 128 bits, the parallel pmi interface 
will be applied to our design . This interface is made up of an eight bit wide address 
register and a set of eight bit wide data registers. The address register holds the address of 
the data register cunently being accessed. Access to registers is accomplished via transfer 
cycles. There are four transfer cycles in total: address read, address write, data read, and 
data write [4]. Address read and address write cycles read or write address from or to the 
address register; while data read and data write cycles read or write data from or to the 
data register whose address is cunently held by the address register. 
72 
Since the key, the IV to the KSG I and the IV to the plaintext generator are 128 bits, 
96 bits, and 128 bits, respectively, 16, 12, and 16 registers will be assigned for each of 
these signals. As well , one address register and one flag register will also be implemented. 
Moreover, this interface will be implemented as a state machine to respond to the four 
transfer cycles. The block diagram of this interface is given in Figure 4.11. 
rgiVO 8 rgiV4 rgiV12 
rgiV1 rgiVS rgiV13 
rgiV6 rgiV14 
rgiV7 rgiV15 
mclk 
astb 
dstb 
pdb 
SCFB SYSTEM INTERFACE 
pwr 
pwait L 
rgFiag ~ 
rgpltO ~-:plt4 
rgplt1 
roolt2 rgplt6 
rgplt3 rgplt7 
rgplt12 
raolt13 
raolt14 
rgplt15 
rgKeyO rgKey1 rgKey2 
rgKey3 rgKe4 rgKeyS 
8 p.,, rgKey7 rgKey8 
7 8 
8 
~ l 
rgKey10 rgKey11 
Figure 4.11. Block diagram of CFB system intet·face 
In this figure, the notation rgiV (0-15) repre ent 128-bit value of the initial key to both 
KSGI and KSG2; the rgKey (0-ll) represent the 96-bit value ofthe initial IV to KSGI. 
The rgplt (0-15) represent the initialization vector to the plaintext generator, and the 
rgFlag is just the flag input to both encryption and decryption controller . The mclk 
indicates the master clock signal, which will be connected on the board. The rest of the 
73 
signals on this block diagram will be used to control the transfer cycles when reading and 
writing registers. The explanation of signals is given in Table 4.4. 
SIGNAL LABEL DESCRIPTION COMMENT 
pdb 8-bit data bus used for data transfer 
astb address strobe causing data to be read or 
written to the address 
register 
dstb data strobe causing data to be read or 
written to the data register 
pwr transfer direction control High=read, Low=write 
wait synchronization signal used to indicate whether the 
board IS ready to accept 
data or has data available 
Table 4.4 Control signals of t1·ansfer cycles of SCFB system interface 
4 .2:8 System on FPGA Board 
In this section, the system runnmg on the FPGA board will be desc1ibed. The block 
diagram of general implementation structure of SCFB mode configured for Grain-128 is 
shown in Figure 4.12. In this diagram, the testing components, Plaintext Generator and 
COMPARATOR, are included. Basically, the encryption system will send out the 
ciphertext as well as the corresponding plaintext at the rate of one bit per clock cycle. The 
ciphertext bit will then go into the decryption system to restore the plaintext. Eventually, 
the miginal plaintext bit which is out of the encryption system and the decrypted plaintext 
bit which is from the decryption system will be sent to the comparator. The output of the 
comparator will drive an LED on the FPGA board. If the LED is lit, it means the 
decrypted plaintext matches the original one. If this comparison LED is always lit while 
the system is running, it will verify that the encryption system and decryption system 
functions correctly. This is how the system is tested. 
74 
SCFB 
SYSTE 
M 
INTERF 
ACE 
SyncPatte 
rn_COUN 
TER 
DATAPATH 
ENCRYPTION SYSTEM 
CIPHER 
TEXT 
COMPARATOR 
DATAPATH 
DECRYPTION SYSTEM 
ENCRYPTION TO DECRYPTION SYSTEM 
XILINX Spartan 3E-500 FG320 Board 
Figure 4.12. Block diagram of the implementation of SCFB mode 
4.3 FPGA Implementation 
In Section 4.2, the system design of SCFB mode configured for Grain-1 28 including 
components for the artificial generation of plaintext to test the encryption and decryption 
operation was fully described. In this section, the FPGA implementation of the designed 
system will briefly be discussed. The detailed infonnation about the implementation 
process can be found in Section 2.6.1. The CAD tool ISE Webpack was used to complete 
the system synthesis, implementation, and generation of the bit stream to configure the 
FPGA board. 
In Figure 4.12, only the general connection between the system components was given. 
However, in order to clarify the FPGA board configuration, the block diagram of the full 
75 
encryption I decryption system and the sy tem with the interface are given in Figure 4.13 
and Figure 4.14, respectively. 
ln Figure 4.13, the input signals will be connected to the conesponding signals of both 
the encryption and decryption systems. The output signals, ledlDLE_tr and lediDLE_re, 
will come from the lediNIT_tr of the encryption system and the ledJNIT_re of the 
decryption system, respectively. The signal ledComp_ttr come fi·om the output of 
comparator, and will be connected to one of the LEDs on the FPGA board. 
Keyln_ttr 
Clk_ttr 
reset_ttr 
flag_ttr 
IVKSG1_ttr IVPitGen_ttr 
1281 
ENCRYPTION TO 
DECRYPTION 
SYSTEM 
L.,.. lediDLE_tr 
.,... lediDLE_re 
ledComp_ttr 
Figure 4.13. Block diagram of encryption with decryption ystem 
Figure 4.14 shows the block diagram of SCFB system with the interface. Eventually, 
only these ten signal need to be connected to pins on the FPGA board. The signal 
INITLed_re, LedComp, and INITLed_tr will separately drive three LEDs, and the 
BtnReset signal will be connected to one button. The remaining signal will be connected 
to coiTesponding pins to control the transfer cycles of register writing and reading. The 
mapping of these signals and pin numbers are given in Table 4.5. 
76 
BtnReset 
mclk 
astb 
dstb SCFB SYSTEM WITH 
INTERFACE 
pdb f~l 
pwait ~I 
INITLed_re LedComp INITLed_tr 
Figure 4.14. Block diagram of SCFB system with interface 
PORT NAME PIN 
mclk B8 
astb V14 
dstb U14 
pwr V16 
pwait N9 
pdb(O) R14 
pdb(l) R13 
pdb(2) P13 
pdb(3) Tl2 
pdb( 4) Nil 
pdb(5) Rll 
pdb(6) PlO 
pdb(7) RIO 
LedComp J 14 
INITLed tr R4 
INITLed re F4 . 
BtnReset Bl8 
Table 4.5. Mapping table ofSCFB.mode configured for Grain-128 
77 
4.3.1 FPGA Board Configuration 
As discussed in Section 2.6.1, the Digilent Adept Suite is the GUI application that will be 
used to configure the FPGA board in this thesis. It consists of four tools: ExPort, 
TransP01i, Ethernet Administrator, and USB Administrator. Only the first two of them 
will be used. The ExPort programs Xilinx FPGAs, CPLDs, and PROMs using a JT AG 
connection and the TransPort enables data transfer with the FPGA on a connected system 
board. 
The FPGA board in our implementation is connected to the PC through a USB port. 
Once the board is power on, the ExPort will detect this device and show its connection on 
the main window. After that, the .bit synthesis file will need to be added to program the 
system board. The Digilent ExPort main window is shown in Figure 4.15. 
Chain 
Toolbar 
::::trogram entire 
nitJalize Scan Chatn-
Box 
Connection 
Manager 
Ftle Select Ltst 
b,u\o-Detect U 
::onfigure OeVl 
SB check box 
ce Table 
on 
er 
rom ltst 
Configurati 
File Manag 
Conftg Ftle List 
Remove Ftle f 
Add File to list 
~"'"'"'"D<l'ort 
m< coo•ol ~ 
:: ~ 
t:omectian 
TOt 
_j I B1owce. •• J ~ jXBO<Wdlomojod 3 ---j;1 AWI.Oetect USB 1 I Cor'{~gt~a(mfJa TOO XBoau[)emo.jed 
I lnitNiize C.._., I I Progra. Chatn I 
lni ti;,Uzation conplete. 
Device 1 : XC3S2DO 
Oeuice 2: XCFI2S 
tniti;,11zing scan chain ... 
Found Deuice. JDCODE: 16d4<:193 
lnitiillization conplete. 
AddFJe I I I oeuice 1: XC2C256 
< 
Ready 
Figure 4.15. Digilent Export main window 141 
78 
~[g)~ 
,.. 
v 
) 
Scan Chain 
Window 
B"owse for Ftle 
Aistgned Ftle 
Device tJame 
Device Icon 
Bypass Select 
Scan Chain 
Control 
Buttons 
Message 
Window 
After the FPGA board is programmed by Export, the TransPort will need to input 
initial values to the designed system. The TransPort can either load files or store files or 
deal with single registers. Since only several registers need to be written in our 
implementation, the Register 1/0 window is given in Figure 4.16. Recall the state 
machine of the system interface, each register was assigned a specific address; therefore, 
writing to registers involves filling the address and corresponding data field. 
F 
Digilent TransPort 1.2 
Load File I Store File Register 1/0 I Properties I 
Register 1/0--------------------, 
ADDRESS DATA READ DATA WRITE 
~ ...:..:J 
~ ~ 
.....::J 2:J 
.....::J 2:J 
.....::J ~ 
.....::J ~ 
.....::J ~ 
~ 2:J 
[ Read Display Format 
r Decimal Ci" Hex Read All Write All 
Figure 4.16. Digilent TransPort Register 1/0 window [4) 
4.4 Testing and Synthesis Results 
In order to demonstrate the correctness of Grain-128, the functional simulation of this 
design is completed by Modelsim. The test vectors are given in Table 4.6. For simplicity 
79 
of reading, they are translated into hexadecimal strings; hence, the mo t significant bit of 
the first hex value represents index 0 (i.e. the key and IV bits are sent into system from 
left to right; the keystream bits are obtained from left to tight). The patiial simulation 
results can be found in Appendix. 
Keyl 00000000000000000000000000000000 
IVl 0000000000000000000000 
Keysh·eam Ofd9deefeb6fad43 7bf4 3 fce3 5 849cfe 
Key2 0123456789abcdefl23456789abcdef0 
IV2 0123456789abcdefl2345678 
Keystream db032afD788498b57cb894fffu6bb96 
Table 4.6. Test vectors of Grain-128 
As discussed before, the designed system of SCFB mode configured for stream cipher 
Grain-128 is synthesized by ISE Webpack free CAD tools from Xilinx. From the 
synthesis repmi, we have obtained the timing information for the designed system after 
synthesis. The minimum clock period is 6.472 ns, so the maximum frequency is 1/6.472 
ns or 155MHz. Since the designed sy tern produces ciphertext at the rate of 1 bit per 
clock cycle, the throughput of the system can reach 155Mbps. In addition, we also 
obtained the timing infom1ation from the place&route rep01i which shows the actual 
frequency of designed system running on an FPGA board. The minimum clock period is 
11.295 ns, so the maximum frequency is 89MHz. It means that our designed system can 
run at the speed of 89Mbps on a real FPGA. Besides timing, we have also obtained the 
device utilization of this design, which is an important metric when assessing the 
hardware implementation of a system. The selected device in our implementation IS 
Xilinx Spartan-3E, and the device utilization is given in Table 4.7. 
80 
Used Available Utilization 
#of Slices 1549 4656 33% 
# of Slices Flip Flops 1787 9312 19% 
# of 4 input LUTs 2826 9312 30% 
# ofiOs 17 
# ofbonded lOBs 17 232 7% 
# ofGCLKs 1 24 4% 
Table 4.7. Device utilization of SCFB configured by stream cipher 
In order to simplify understanding of these resources, we will briefly describe the 
FPGA architecture. The detailed architecture varies for different types of FPGA, but 
commonly, FPGA is made of configurable logic block (CLB), input output block (JOB), 
and wires for internal connections. The CLB consists of slices; each slice consists of 
logic cells. Each logic cell consists of look up tables (LUT), flip flop , and connection to 
adjacent cells, and other components, such as multiplexers. The JOB also includes LUTs 
and flip flops [8]. 
Compared to SCFB mode configured for AES, the advantage of SCFB mode 
configured by Grain-128 is to get rid of queues in the hardware implementation, thus 
greatly reducing the hardware compfexity. 
4.5 Analysis of SRD and EPF 
In Chapter 2, the characteristics of the SCFB mode based on AES were discussed; in 
pmiicular, the SRD and EPF were analyzed. In this section, the simulation results of SRD 
and EPF versus varying sync pattern sizes of SCFB mode configured for Grain-128 will 
be presented. The simulation was undertaken based on the following constraints: 
• Simulation length: I 010 plaintext I ciphertext bits. 
81 
• Bit slips occur at a rate of 105 after the effect of the last slip event is over; that is 
to say, a new slip event is generated at I 05 -th bit after the synchronization is 
regained. 
• Enor events occur at a rate of I 05 after the effect of the last error event is over. In 
order to make sure that the effect of an enor is over, the decrypted plaintext at the 
receiver will be tracked after an error is generated. A counter is set up when 
tracking. The counter will be incremented when the decrypted plaintext is conect; 
otherwise, it will be cleared. When the output of the counter reaches the value 
·'1 oo··, we can be confident that the effect is over as this indicates that 100 
consecutive ciphet1ext bits have been received en·or free. Assuming the decrypted 
plaintext bit is equally likely to be "0'' or "I ", the probability of a random 
sequence of 100 bits having no en·or is l l i 00 = 7.8886x J0-31 • This means it is 
highly improbable that conupted ciphertext bits will result in I 00 consecutive 
expected bits of plaintext. 
• Sync pattern size n ranges from 4 to 12, and sync pattern format is '·JOO ... OO'". 
4.5.1 Synchronization Recovery Delay 
For SCFB mode configured for AES, the sync pattern scanning is di abled only at the 
new IV collection phase; however, for SCFB mode which uses stream cipher, Grain-128, 
as the keystream generator, the sync pattem scanning is turned off at both the new IV 
collection and the setup phase of the stream cipher. This will result in a longer 
synchronization cycle than SCFB mode configured for AES. Hence, the re-
synchronization of SCFB mode configured for a stream cipher will take longer. 
82 
SRD in terms of varying sync pattern sizes under the format ' 1 00 ... 00' IS gJVen m 
Figure 4.17. The lower bound can be obtained by the expression [11]: 
SRD ~ }_ . [ 3(n + a Y + 4(n + a)· E {k} + E {e }] 
2 n +a +E{k} 
where k represents size of synchronous phase and E{k} = 2" - 1, E{e} = 22" +1 - 3. 2" + 1 
[ 1 OJ, a represents the size of the IV and setup phase and a = 96 + 256 = 352. The 
probability of the sync pattem occurrence is approximated as the geometric distribution. 
SRD with SyncPattern "100 ... 00" 
4500 ~--~----~----~----~----~----~----~----ffi 
~ 2500 
(f) 
. . . 
---------- .,------------ r ----------- -.---------
' ' ' 
' ' ' 
' ' ' 
Lower Bound 
' ' 
' ' 
' ' 
' ' I I I I 
t I I I I I 
r·- --- - -- -. ------- - - - --- , - -- --------,------------T·-----------.------ ----
' j I I I I 
I I I I I 
I I I I I 
I I I I I 
I I I I I 
I I I I I 
I I I I I 
1 I I I I I I 
I I • I I I I 
----------.,------------r----------- , -----------1·-----------,----------- , ... --------,--- -------
' I I I I I I 
I I I I I I I 
I I I I I I 
I I I I I 
I I I I I 
I I I I 
I I I I 
I I I I 
I I I I I I I 
- -- ------.------------r·--·- · ----- ., ------------,---- ----- --,----- -------T·----------- ----------
' I I I I I 
I I I I I I 
I I I I I I 
I I I I I I 
I I I I I I 
I I I I I I 
t I I I 1 t 
I I 1 I I I 
: : I I I : I:: : . r 
5 6 7 8 9 10 11 
sync pattem size 
Figure 4.17. SRD versus sync pattern size with format "100 ... 00" 
12 
In Figure 4.17, we can see that as the sync pattern size n increases, the SRD increases 
as well. The SRD is close to but a little higher than the lower bound for smaller size 11 
( 11 <8); however, for large size n, the SRD follows almost exactly the lower bound. This 
83 
is because for smaller size n, the length of the synchronous phase, which is 211 - I on 
average, has a smaller value. Once there is a false sync pattern detected in this block, the 
next actual sync pattern and part of the IV will be collected as the false IV, thus 
synchronizahon loss is delayed until the next sync pattern is properly recognized; 
however, a larger sync pattern length n can result in larger k, and a false synchronization 
is more likely to be conected at the recognition of the next sync pattern. 
4.5.2 Error Propagation Factor 
As discussed m Chapter 2, the enor propagation factor, EPF, shows the effect to the 
decrypted plaintext at the receiver by bit enors occuning in the communication channel. 
EPF is defined as the average number of enors in the decrypted plaintext as a result of a 
bit en·or in the channel [1 0]. When an en·or occurs in the sync pattern/ [V pha e, one bit 
eJTOr in the ciphertext will not only affect the conesponding decrypted plaintext at the 
receiver, but also affect other bits in the subsequent synchronization cycle due to a loss of 
synchronization. However, when a _hit en·or appears in the setup phase or the synchronou 
phase, it will only result in one bit enor in the decrypted plaintext. 
Figure 4.18 illu trate the EPF versus varying sync pattern sizes under the forn1at 
I 
" 100 ... 00". Similarly, the lower bound ofEPF is derived as the following expression [11]: 
l EPF~l+ - [n + B] 
2 
where B = 96, and it is assumed that the probability of occmTence of sync pattern follows 
the geometJic distribution. 
From this figure, we can see that EPF is very large for small size n (n ~ 4), but 
dramatically decreases as n gets larger. It drops to a minimum around n = 9, I 0, and II. 
84 
This is becau e for larger 11 , the size of the synchronous phase k is large, and the 
occurrence of an error in such period increases. Eventually, most errors will appear in the 
synchronous phase, and only leads to one bit en-or at the receiver side, thus resulting in 
small EPF. However, once bit eJTors occur in sync/IV region for large ync pattern size 
of 11 , the resulted e1Tors in the decrypted plaintext at the receiver ide will be very large 
since it will take longer to resynchronize for large 11. Generally, EPF is far away from 
lower bound for sync pattern n ~ 7, but getting close to lower bound as 11 2: 8. The 
minimum spot is a little lower than the lower bound; this is because the simulation 
running under limited length, and it is the statistical results. 
EPF with SyncPattern "100 ... 00" 
90 ~----~----~--~~----~--~~--~----~----~ 
l.L 
Cl.. 
w 
75 
-e-- Simulation ' ' 
' ' ' ... ., .......................... ., ........ .. 
' ' ' 
' ' ' 
' ' ' 
Lower Bound 
' ' ' 
' ' ' 
' ' ' 
' ' ' 
' ' ' 
' ' ' .,------------,------------., --- --- ....................... , ...... ---- ,------- ---
' ' ' ' ' 
' ' ' 
' ' ' 
' ' ' 
' ' ' 
' ' ' I I I I 
' ' ' I I • 0 I I 
--------,.-----------,--- ---------,------------... -----------,-----·------,-----------
' I I I I I 
I I I I I I 
I I I I I I 
I I I I I I 
I I I I I I 
I I I I I I 
0 I I I I I 
I I I I I I 
I I I I I I 
-·--r-·----- ---1-- -- --- ·:-- ---- ___ i ___________ r _______ ·r-- ---- -
-... , ----r---------r ------ -·1·----.. ·---:------------:--- ----- ·r 
' ' ' 
' ' 
' ' 
• • • • • • J • • • • -- - --L-- • - • • - • ~ • • • • ! • • • • .. • • •-- • -~- -- • - -•-- • • • f - • • - • - • • .. - ·:· • .. -
' ' 
' ' 
' ' 
•• .......... J ................... L •• 
' ' 
' ' 
' ' 
' ' 
---L----~-----L---~ --L----~- ___L_ 
11 5 6 7 8 9 10 
sync pattern size 
Figure 4.18. EPF versus sync pattern ize with format " 100 ... 00" 
85 
12 
4. 6 Comparison of Characteristics of SCFB mode based on AES 
and Grain-128 
ln Chapter 3, the characteristics of SCFB mode using block cipher AES as the keystream 
generator was simulated and analyzed and in [I 0], the AES-based SCFB mode was 
implemented in digital hardware. In our research, SCFB mode was implemented by using 
the stream cipher Grain-128 as the keystream generator. The characteristics of such an 
implementation was also simulated and analyzed. In this section, we will compare the 
characteristics of these two methods of SCFB mode implementation, focusing on SRD 
and EPF. 
4.6.1 Synchronization Recovery Delay 
Figure 4.19 shows the comparison of SRD of AES-based and Grain-] 28 ba ed SCFB 
mode implementation with the sync pattern format "1 00 ... 00". From this figure, it can be 
seen that the SRD of AES-based SCFB mode is smaller than that of Grain-128 based. 
This is because the synchronization cycle of Grain-128 based SCFB mode needs extra 
setup period, which is 256 bits in length, compared with the AES-ba ed SCFB mode. 
Hence, it will take longer time for Grain-128 based SCFB mode to resynchronize, and 
result in larger SRD. Moreover, we can also see that as the sync pattem size n gets larger, 
the difference of SRD between the two kinds of implementation becomes smaller because 
the synchronous phase begins to determine the synchronization cycle and the effect of 
setup phase becomes less significant. For very large size n (n = 11 , 12), the values of two 
SRD are very close. 
SRD with SyncPattern "100 ... 00" 
4500 ~--~----~----~----~----~----~----~--~ 
0 
0::: 
(/) 
' ' ' 
SCFB AES 
--------- -; ------------ ~----------- ... -------
' ' ' 
' ' 
' ' 
-e SCFB Grain-128 
' ' 
' ' I I I I I I 
I 1 I I I I 
I I I I I I 
---------T----------r··---------r··-----·-r··--------:·---------·r··-------
• I I I I I 
- --------:------------r ----------T ----------1------------:--------- ---:-----------
••••-••••!-•••••• : T ~•••••••••• :----- --:--•• -•• -.J ____ -- ---
0 
0 
' ' 0 
---------- -. ------------ .. ----------- .. -- - -- --- ·-- --------·----- ------ -- --------·----------
I I I I I I 
I I I I I I 
I I I I I I 
I I I 1 1 
I I I I 
I I I I 
I I I I 
1 I I I I 
.,. --- ·r- ------ ,. -- - ---r·-------.. -- ------ --- l ·-----------,---------- -
' I I I I 
I I I I 
I I I I 
' ' ' _______ l ____________ t ____________ l __________ _ 
' ' ' 
' ' ' 
' ' ' 
0 ' ' 
O L---~----~-----L-----L----~----~----L---~ 
4 5 6 7 8 9 10 11 12 
sync pattern size 
Figure 4.19. Comparison of SRD based on AES and Grain-128 
4.6.2 Error Propagation Factor 
Figure 4 .20 shows the comparison of EPF for AES-based an.d Grain-1 28 based SCFB 
mode implementation with the sync pattern format "1 00 ... 00". From this figure, we find 
that EPF of Grain-128 based SCFB mode changes dramatically, while there is only a 
slight change of EPF of AES-based SCFB mode. As well, the lower bound is smaller 
which is because the IV of Grain-128 based SCFB mode is 96 bits, but it is 128 bits for 
AES-based SCFB mode. 
87 
EPF with SynaPattern "100 .. . 00" 
00 ,---~----~----~--~----~--~----~--~ 
' ' 
SCFB AES 
' ' 
---- ----o------------.., -- -- -
' ' 
' ' 
' ' 
0 SCFB Grain-128 
' ' 
--------- r ------ ••••- --•-r•••••••••••T••••••••••• 
' ' 
' ' 
' ' 
75 
12 
sync pattern size 
Figure 4.20. Comparison of EPF based on AES and Grain-128 
It a! o can be seen that the value of EPF of Grain-128 based S FB is smaller than 
AES-based SCFB at most sync pattern izes. This can be explained a EPF for AES-
based SCFB mode approaches the lower bound at (n+B)/2 and EPF for Grain-128 based 
SCFB approaches the lower bound at l+(n+B)/2. Since B=96 for Grain- 128, but B=l28 
for AES, EPF for Grain-128 based SCFB mode is smaller than AES-ba ed SCFB mode. 
Overall, the difference of EPF between AES-ba ed and Grain-1 28 ba ed SCFB mode 
implementation i much le significant than SRD. Hence, the hardware implementation 
of SCFB mode which uses stream cipher Grain-128 as the keystream generator will take 
longer to resynchronize due to sync los than SCFB mode configured for the block cipher 
AES. However, the error propagation characteristics of the two implementations are 
similar. 
88 
4. 7 Conclusion 
In this chapter, SCFB mode configured for stream cipher Grain-128 was analyzed and 
implemented. The concept of such an implementation is to duplicate the keystream 
generator, thus getting rid of queues in the hardware implementation. The two keystream 
generators are refeJTed to as KSG 1 and KSG2. KSG 1 generates the keystream to produce 
the ciphertext; KSG2 is responsible for initializing itself with the new IV and then 
updating the state of KSG 1. 
Compared with SCFB mode configured for AES, the synchronization cycle length of 
such an implementation is longer since the sync pattern scanning wa turned off not only 
in the new IV collection phase but also in the setup phase of KSG2. Since it would take 
256 clock cycles for Grain-128 to initialize itself, the synchronization cycle of SCFB 
mode configured for Grain-128 would cover n + k + 352 ciphertext bits. 
Moreover, the system design of SCFB mode configured for Grain-128 was fully 
de cribed, which included the datapath and controller of the encryption system on the 
transmitter side, the decryption system on the receiver side, the system interface, and the 
system structure on FPGA board. The designed system was synthesized and implemented 
on the FPGA board by ISE Webpack CAD tool and Digilent Adept Suite tool. It could 
run at the speed of 89Mbps on the targeted Xilinx Spartan-3E FPGA. As well due to the 
elimination of queues, the hardware complexity of designed system is greatly reduced. 
The simulation results of SRD and EPF versus varying sync pattern sizes with the sync 
pattern fonnat " 1 00 ... 00" was presented and analyzed. Compared with SCFB mode 
configured for AES, it would take longer for our implementation to resynchronize due to 
the longer synchronization cycle; however, the error propagation characteristic is similar. 
89 
The partial simulation result ofRTL ofGrain-128 based SCFB mode can be found in 
Appendix. 
90 
Chapter 5 
Analysis and Hardware Implementation of Marker-based 
Synchronous Stream Cipher 
Stream ciphers can be categorized as self-synchronizing or synclu-onous. A self-
synchronizing stream cipher can be resynchronized by the cipher itself; however, a 
synchronous stream cipher needs extra infom1ation to regain synchronization once 
synchronization is lost between the encryption and decryption. Usually, there are two 
ways to achieve re-synchronization for synchronous stream ciphers. One of them is to 
send the initialization vector from the encryption side to the decryption side through the 
signaling channel; the other is to include a marker in the data stream indicating the 
position of the ciphertext bits. In this chapter, the latter approach which i refened to as 
the marker-based synchronous stream cipher will be analyzed and implemented. ln order 
to study the implementation issues and detem1ine complexity and speed of marker-based 
synchronous · stream cipher for a real implementation, it will be impl.emented in digital 
hardware using the Xi Jinx Spatian-3E FPGA since FPGAs are common targeted 
technology and the Digilent board is available for the device. 
5.1 Description of Marker Concept 
The basic idea of marker-based synchronous stream ciphers is to include extra bits at a 
particular position of ciphertext at a regular rate from the encryption side. The decryption 
side will detect the included bit sequence, which is refened to as the marker, in the 
91 
incoming data stream. When the marker is recognized at the expected position of one 
data cycle, it will indicate that synchronization is ma.intained between both sides; 
otherwise, synchronization is assumed to be lost. In this case, the receiver will check the 
positions which are around the expected marker position, either ahead of it or behind of it, 
trying to identify the marker. If it is assumed that only small number of bit slips or 
insetiions occur in the channel, the marker should be near the expected position. Once the 
marker is found, the new marker position will be set. Hence, synchronization is regained. 
The structure of marker-based synchronous stream cipher is shown in Figure 5.1 . 
. . . .------.. 
ENCRYPTION CHANNEL DECRYPTION 
Figure 5.1. Structure of marker-based synchronous stream cipher 
In order to simplify the implementation of the marker-based synchronous stream 
cipher, we assume that the marker and the ciphetiext unit will be n bit and B bits, 
respectively. Under this assumption, the keystream generator could be implemented by 
counter mode of block cipher, like AES, where B = 128. The marker pattern we have 
selected in our implementation is " 10000000", thus n = 8. Section 5.7 will give the 
explanation about the selection ofthe marker. 
Figure 5.2 gives the synchronization cycle structure of marker-based synchronous 
stream cipher. It is clear to see from this figure that every B bits of ciphertext will be 
followed by an n-bit marker, thus the syn~hronization cycle length of the marker-based 
92 
synchronous stream cipher is 17 + B bits. Variable k will be used in there-synchronization 
at the receiver side, and it will be explained in Section 5.2 and Section 5.3. 
8 n 8 n 8 n 
. . . . Ciphertext Marker Ciphertext E-k--' Marker E--k-7 Ciphertext Marker . .. 
Synchronization cycle 
Figure 5.2. Synchronization cycle of marker-based synchronous stream cipher 
5.2 Description of Resynchronization 
In this section, we are going to describe how the decryption side regains synchronization, 
and we wi ll use Figure 5.2 as an illustration. Assume that in the implementation, then-bit 
marker is sent first and then followed by the B-bit ciphertext. When the 17 + B bits of data 
sequence arrive at the decryption side, the marker detector will start to scan for the 
marker. If there is no slip occunence in the channel, the marker will appear in the 
expected positiol1. Therefore, the system will collect the following B bits as ciphertext to 
be XORed with the keystream to retrieve the plaintext. However, when the marker is not 
detected at the expected position, the marker detector will scan f01ward and backward of 
this position, looking for the marker. 
As Figure 5.2 shows, the marker detector will span over k bits ahead and k bits behind 
of the expected position looking for the marker. Assume the data is received from right to 
left in Figure 5.2, and the marker is scanned for along a sliding 17-bit window, then it will 
93 
range from the (B - k)-th bit of the cmTent cycle, over the n bits, to the k-th bit of the 
previous cycle. If the marker appears at the right of the expected position (i.e. part of 
marker bits was included in the B bits of previous ciphertext), it will indicate that a slip 
occuned in the communication channel, and thus part of the marker was collected as 
ciphertext in the previous cycle. Accordingly, the same number of next marker bits has 
also been collected as the current ciphertext. Therefore, when the system starts to collect 
the next marker, it will only need to collect the remaining number of marker bits since the 
other bits have already been collected. In this way, the following B bits will still be the 
actual ciphertext bits, thus regaining the system synchronization. Otherwise, if the marker 
is found at the left of the expected position (i.e. part of the marker was included in the B 
bits of cun·ent ciphe1iext), it means that there were inse1iions in the communication 
channel. Those inse1ied bits were collected as pmi of the previous cipheiiext, thus the 
same number of actual previous ciphe1iext bits was pushed to the current marker region. 
Accordingly, this number of cunent ciphertext bits was also pushed to the next marker 
region. Therefore, in order to collect the actual B bits of ciphe1iext in the next 
synchronization cycle, the system needs to collect not only the n bits of next marker, but 
also the extra bits of delayed ciphe1iext from cunent cycle. The re-synchronization will 
be achieved by this way. 
The above tw~ cases are based on the assumptions that slips do not occur in the marker 
itself, and also there is no enor occurring to result in a misinterpreted marker (e.g. the 
actual marker is missed due to a bit enor and a false marker is identified in an incOITect 
position). In order to avoid problems resulting from these scenarios in the actual 
implementation, the marker detector will not make any decision until the marker is 
94 
detected COUNT MAX times at the same position. The simple way i to set up a 
counter for each position; increment this counter when the marker appears, but hold it 
when the marker does not appear in every synchronization cycle. When the output of the 
counter reaches COUNT_MAX, the cone ponding position will be detem1ined as the 
expected marker position. Then all counter are cleared to zero, and start to increment as 
appropriate in the following cycles. 
However, it is possible that more than one counter reaches COUNT_MAX at the same 
time. In this case, one good approach is to increment this number until there is only one 
counter output that reaches it at one time. But in order to reduce hardware complexity, we 
applied the fixed COUNT _MAX method in our implementation. In order to find out the 
reasonable value for COUNT _MAX, we simulated the characteri tics of SRD under the 
varying COUNT_ MAX values of I , 2, 5, 10, and 20, respectively. The simulation results 
and explanation will be given in Section 5.7. Through the analysi of simulation results, 
we have selected COUNT MAX to be 2 in our implementation. 
5.3 Description of Data Register at Decryption Side 
In this section, the data register, which plays an imp01iant role in th implementation, 
will be discussed. As mentioned in Section 5.2, the marker detector will pan it scanning 
backward and forward of the expected marker position when the marker is not found. 
However, for stream ciphers, data is processed at the rate of one bit per clock cycle; thus 
the data bits of previous synchronization cycle will be gone in the current cycle. Hence, 
95 
this data register is required at the decryption side. While the incoming data sequence 
goes to the separated marker or ciphertext register, it is also shifted into the data register. 
This register is used to hold the k bits of data from the previous cycle and n + B bits 
data of the current cycle, which represent the marker and the ciphetiext, respective! y. The 
structure of the data register is given in Figure 5.3. 
Basically, during one synchronization cycle, the incoming data is shifted into the data 
register at the fixed amount of n + B bits. Therefore, when the data in the cutTent cycle 
has completed shifting, there are still k bits of data, which come from the previous cycle, 
not shifted out of the register. In the usual circumstance, those previous k bits and the first 
k bits of the cmTent ciphertext, as well as the n bits of marker 'Will form the scanning 
window for the expected marker position. 
Ciphertext k bits 
. k+1l~l W(2k~ 
W(2k-1 
Marker k bits 
-~ 
~'-W2 
~w1 
Figure 5.3. Structure of data register of marker-based mode 
The marker is essentially scanned for along a sliding window of length n; hence, there 
are 2k + 1 windows in total , which are denoted as w~, w2, ... , w2k+J shown in Figure 5.3. If 
there is no slip or en·or occurrence, the marker should appear at position Wk+ J· However, 
96 
if there are bit slips, the marker will appear at position w 1 to wk since part of the marker 
was inconectly collected as the previous ciphetiext; on the other hand if there are 
insertions, the marker will appear at position wk+2 to w2k+I since pa1i of the previous 
ciphertext was pu hed to the cunent marker region. 
In response to detected slips or insetiion , the marker detector will decide how many 
bits are to be collected as the marker during the next synchronization cycle to achieve re-
synchronization. Because the total cycle size is fixed at n + B, if k bits are slipped in the 
previous cycle, then just n- k bits need to be collected dUJing the next cycle because the 
next k bits of marker have already been collected as the cutTent ciphetiext; otherwise, if k 
bits are inserted in the previous cycle, then n + k bits have to be coli cted in the next 
cycle because k bits of current ciphertext have not been shifted into the data register yet. 
In our implementation, it is assumed that the marker-based synchronous stream cipher 
could resynchronize for up to 4-bit slip occutTence or insetiion occurrence; therefore, k = 
4 in our implementation, and the total number of windows that will be canned for the 
marker is 9. 
5.4 Description of System Design 
Like SCFB mode in Chapter 4, the marker-based synchronous stream cipher has also 
been implemented on Xilinx Spatian-3E FPGA board to study the implementation issues 
and detennine complexity and speed of this sy tem for a real implementation; as well , the 
CAD tool ISE Webpack and Digilent Adept Suite have been u ed to synthesize and 
97 
h·ansfer the initialization vector from the computer to the FPGA board. Before synthesi 
functional simulation has been done through ModelSim PE Student Edition 6.5. 
The encryption system at the transmitter side and the decryption system at receiver 
ide have been designed. The ·plaintext to the encryption system will be compared with 
the decrypted plaintext from the decryption system. The compatison result will drive an 
LED on the board, which will illuminate when the two are the same and darken when 
different. As mentioned before, the keystream generator can be implemented by counter 
mode of block cipher, like AES, but for simplicity, an LFSR has been chosen as the 
keystream generator in our implementation. 
5.4.1 Description of KeyStream Generator 
The chosen LFSR ha the ame primitive polynomial as the LFSR in Grain-128 , and the 
primitive polynomial is .f(x) = l + x 32 + x 47 + x 58 + x90 + x 12 1 + x 128 . The I ngth of this 
LFSR is 128 bit , with each element denoted as s127 ,s126 , •• • ,s0 from left to right. Since thi 
LFSR is designed as a right shift regi ter, its updated function can be written as 
The block diagram of this LFSR is given in Figure 5.4. From thi figure, we can ee 
that this LFSR has 128-bit parallel load in port and 128-bit parallel out pmi. Only the 
least significant bit of the out pOii will be used to output the keystream in our 
implementation. The CLR_LFSR signal wil l be connected to an asynchronous clear 
signal and the SEL _ LFSR represents the control signal for its working mode. In our 
design, the two-bit select signal ' ·OO" means to load and "01 ,. means to shift right, and 
other combinations will clear the 128-bit register. 
98 
Regln_LFSR 
128 
CLK_LFSR ---~ ... ~' 
..1 CLR_LFSR LFSR 
SEL_LFSR 4 
-f 128 
RegOut_LFSR 
Figure 5.4. Block diagram of LFSR 
The hardware design structure of this LFSR is shown in Figure 5.5. From left to right, 
this register is denoted as most significant bit 127 to least significant bit 0. The simp) 
exclusive or operation will produce the updated bit, and the key tream will be generated 
at the rate of one bit per clock cycle. 
127 ................................................................................................................................ ...................... ............... ... o 1 
I 0 f--Ker b1t out-+ 
Figure 5.5. Structure of LFSR 
5.4.2 Description of Encryption Datapath 
The datapath of the encryption system is hown in Figure 5.6. From this figure, we can 
see that there are mainly three component for the encryption system: the marker register, 
99 
the encryption keystream generator, and the multiplexer. Similar to implementation of 
SCFB mode in Chapter 4, we added a plaintext generator (labeled PlaintextRegister) for 
testing purposes. It does not belong to the datapath of encryption system. 
sei_MR_MTR_DTP marl<er_MTR_DTP IV_MTR_DTP '1' sei_MUX_MTR_DTP 
J 2 ~ 8 ' 128 I 2 
clk_MT 
I ~~I ,----1 ' R_DTP 
DTP 
-
' - .~ TR_DTP Encrypt1on ~~ 1 KerStream Generator 01 
TP 128 r~ • r \ I PlaintextRegister I \_~ 
clr_MTR 
sei_CLFSR_M 
plt_MTR_D 
t + I 
: CiphertextCounter 
MTR_DTP 
+ ~ Marl<erCounter ~ 
-
DTP ~ - DATAPATH 
,--
sei_PTR_ 
clr_CTC 
I 3 7 
EN_MC_DTP ~ EN_CTC_DTP 
Dout_TX 
pltou_MTR_DTP clr_MC_DTP Mcou_MTR_DTP CTCout_MTR_DTP 
Figure 5.6. Structure of datapath of enCI'yption system 
The keystream generator, which is the LFSR, has been discussed in Section 5.4.1. The 
marker register is used to hold the n-bit marker, n = 8, in our implementation. In order 
for the selected marker to be downloaded once at the beginning of the working system, 
the marker register was designed to be a right circular shift register, that is, the least 
significant bit is not only shifted out but also fed back to the most significant bit of the 
100 
register. When the 8 bits of marker complete shifting, the register still contains the same 
8 bit marker, which can be sent out in the next synchronization cycle. 
In order to produce the pseudorandom plai ntext sequence, the plaintext register is 
designed. Basically, it is just the same LFSR that is used as the keystream generator 
except that the least significant bit is also used to compare with the decrypted plaintext 
bit. The 128-bit initialization vector will be loaded into this register before the system 
sta1is to work, and then plaintext bits will be continuously produced. The multiplexer is 
mainly used to switch between the marker bits and the ciphe1iext bits, under the control 
of marker counter and ciphertext counter, respectively. 1t will output ·'] ., while the 
system is jdle. 
5.4.3 Description of Encryption Controller 
Figure 5.7 shows the block diagram of the controller of the encryption system of marker-
based mode. This controller will provide the control signals for the different components 
in the datapath; meanwhile, it will take in the output of marker counter and cipheiiext 
counter to make con·esponding decisions. The reset_ MTR _CON signal and the 
start_MTR_CON signal will eventually come from two buttons of the FPGA board, and 
they wi ll either reset or start to transmit data of the encryption system. 
101 
clk_MTR_CON 
reset_MTR_ CON 
start_MTR_CON 
flag_MTR_CON 
sei_MUX_MTR_CON 
CTCout_MTR_CON MCout_MTR_CON 
7 
clr_MC_CON 
clr_CTC_CON 
clr_MTR_CON Controller 
Encryption I EN_ CTC_CON 
EN_MC_CON 
/ 2 
sei_PTR_MTR_CON 
sei_MR_MTR_CON sei_CLFSR_MTR_CON 
Figure 5.7. Block diagram of controller of encryption system 
Figure 5.8 gives the flow chart of the controller of encryption system of marker-based 
mode. There are five states for this controller: INIT, Load, IDLE, MarkerShifting, and 
CiphertextShifting. In the INJT state, all components are cleared to zero and waiting for 
the computer to write to the registers of the FPGA board, similar to that of SCFB mode in 
Chapter 4. When the last register, which is referred to as the flag_MTR_CO , is w1itten 
to with " 1111111 I ", the ystem will go into the Load state, where the marker register, the 
keystream generator, and the plaintext register loading the 8-bit marker pattern, the 128-
bit keystream generator IV, and the 128-bit plaintext IV, respectively. Once the start 
button is pu hed, the encryption sy tem star1s to send the marker; otherwise, it will 
remain idle, and keep ending " 1 "s. When the 8-bit marker has been ent out, the system 
will stm1 to send ciphe11ext bits. In this state, the plaintext register and the keystrem11 
generator start to shift right. After sending out B bits of cipher1ext (B = 128 in our 
implementation), the system begins to send a marker again. It will always send th 
102 
alternating marker and ciphertext until being reset, at which point it return to the INJT 
state. 
NO 
I 
NO 
L__ 
flag_MTR_CON = "11111111"? 
YES 
NO start_MTR_CON = '1 ' ? 
YES 
MCout_MTR_CON < "111 "? 
~ertext) 
\ Shifting 
~ CTCout_MTR_CON < "1111111 "? 
Figm·e 5.8. F low chart of controller of encryption system 
5.4.4 Description of Decryption Datapath 
As discussed in Section 5.1, the marker detector at the decryption side will keep scanning 
for the marker and adjust to the new marker po ition in each synchronization cycle to 
maintain sync with the encryption ide. As mentioned in Section 5.3, in our 
implementation, the marker detector is designed to span over 9 window that is, k = 4, 
103 
which will cover 16 data bits in total: the 8 bits of original marker and e~ch 4 bits of 
ciphertext from the cunent and the previous synchroniza6on cycle, respectively. Since 
the marker detector is critical in the decryption system, it will be firstly described in thi s 
section. Basically, the marker detector consists of 9 detector components, with each 
component having the same structure and targeted to each of the 9 windows. The 
structure of each detector component is given in Figure 5.9. 
I Window 1-
7 
-
EN_WC 
Clk_WC 
MarkerDetectorComponent 
Marker 
comparator 
Window Counter 
Output_WC j COMPARATOR [ 
COUNT_MAX ~c_l -----
__ .,. Out_check 
Out_wiricounter 
Figure 5.9. Structure of marker detector component of decryption system 
From this figure, we can see that the detector component includes the marker 
comparator, the window counter, and the counter comparator. Since the data sequence 
" I 0000000" is used as the marker, the marker comparator is designed as a NOT gate 
combined with an OR gate, with its input coming from the 8-bit window. If the window 
contains the actual marker, the marker comparator will output "0"; otherwise, it will 
104 
output " I" . This output signal will be sent to the controller to control the counter of each 
window. The window counter will be incremented by "1" if the window matches the 
marker, and its output will be compared with the COUNT_ MAX, which is the value of 2 
as mentioned before. The comparator will then output ''1" when the window counter 
outputs 2; otherwise, it will output "0'·. As well , this output will be sent to the controller 
to adjust to the new marker position. The datapath of the decryption system of marker-
based mode is shown in Figure 5.10. 
·o· 
set_decooer 
output_ReMC_ROP 
EN_ReCTC_ROP 
Clr_ReCTC_ROP 
Outpui_ReCTC_RDP 
IDLEout_MRE_OTP ,_ __ _, 
Oout_MRE_OTP - ----' 
EN_'NCJ_RDP 
dr_~Mncounter3_ROP 
Datapath of Decryption System 
oul_ W!neounler3 _ ROP 
out_check3 ,_ __ _, 
,----j- EN_V><:2_RDP 
r-----+-- do_.,ncounw:!_ROP 
out_WincounteQ_ROP 
I.--+---+ out_chect::2 
EN_V\oC4_ROP 
dr_wmcountero4_ROP 
out_check4 
EN_WC6_ROP 
dr_WII'ICOI.mtef6_RDP 
EN_~8_RDP 
dr_Wincounter8_RDP 
out_Wincounter8_RDP 
out_ checkS 
EN_V><:9_RDP 
dr_WII"'CCYnter9_RDP 
out_WII'lCOI.J"'ter9_ROP 
out_check9 
Figure 5. 10. Structure of datapath of decryption system 
From this figure, we can see that the main component of this datapath is the 140-bit 
data register and the 9 marker detector components. The content of the data register is 
105 ' 
denoted as 139 to 0, and the incoming data bit is shifting from left to right. The 8 most 
significant bits of this data register, from bit 139 to bit 132, is referred to as the 
FirstMarker which indicates whether the data transmission starts. It will be detected by 
the controller. The last 16 bits, from bit 15 to bit 0, is divided as 9 windows, with each 
window containing 8 bits data and being inputted to the conesponding marker detector 
component. The first bit of the data register is used to XOR the keyst~eam bit. 
The incoming data includes the alternating marker and ciphe1text bits, but the 
keystream generated by the keystream generator can only be used to restore the plaintext 
when the incoming data is the ciphertext. Hence, the multiplexor is required to select 
from "0" and the actual keystream. It will output "0" when the incoming data i the idle 
bits and the marker; otherwise, it will output the actual keystream from the keystream 
generator. As well, the marker counter and the ciphe1text counter are required. The output 
of the XOR operation will be sent to a decoder to separate the marker and idle bits from 
the restored plaintext bits. 
5.4.5 Description of Decryption Controller 
In this section, the controller of the decryption system of marker-based mode will be 
described. The block diagram of this controller is given in Figure 5.11. All signals of the 
controller will be connected to the conesponding signals of the datapath, thus comprising 
the decryption system. 
] 06 
in_check1_MRE_CON in_check1_MRE_CON 
clr_winc1_MRE_CON clr_winc1_MRE_CON 
EN_WC1_CON EN_WC1_CON 
FirstMarker _M R E_ CON in_check1_MRE_CON 
clr_MRE_CON 
clr_winc1_MRE_CON 
clk_MRE_CON EN_WC1_CON 
reset_MRE_CON 
in_check1_MRE_CON 
regflag_MRE_CON 
clr_winc1_MRE_CON 
EN_CTC_CON 
EN_WC1_CON 
clr_CTC_MRE_CON in_check1_MRE_CON 
in_CTC_MRE_CON Controller clr_winc1_MRE_CON 
in_MC_MRE_CON Decryption 
clr_MC_MRE_CON 
EN_WC1_CON 
in_check1_MRE_CON 
EN_MC_CON clr_winc1_MRE_CON 
sei_DeLFSR_MRE_CON EN_WC1_CON 
sel_mux_MRE_ CON in_check1_MRE_CON 
sel_decoder_MRE_CON clr_winc1_MRE_CON 
sei_DR_MRE_CON EN_WC1_CON 
in_winout 
in check1 MRE CON in check1 MRE CON 
clr~winc1_MRE_CON clr_winc1_MRE_CON 
EN_WC1_CON EN_WC1_CON 
Figure 5.11. Block diagram of controller of decryption system 
The flow chart of the controller of the decryption system is shown in Figure 5.12. 
Similar to that of the encryption system, there are also five states in the decryption system: 
INJT, Load, IDLE, Ciphe1iextReceiving, and MarkerReceiving. In the INIT state, all 
components are cleared to zero, and waiting fo r the computer to w1ite to the registers in 
the interface, which includes 16 IV registers, containing the 128-bit initialization vector 
for the keystream generator, one 8-bit marker register, and one 8-bit register used as the 
flag. Usually, the flag register will be the last register to be written by the computer. It 
will indicate that all registers have been completely written and are ready to be loaded 
into the decryption system. 
107 
Once all data required has been loaded, the controller will go to the IDLE state. Since 
the encryption system will keep sending "1 "s before it starts to transmit the marker and 
ciphertext, the decryption system will just be detecting the FirstMarker and keep 
receiving " 1 "s in the IDLE state. When the first marker is recognized, the controller will 
turn into the CiphertextReceiving state because it is assumed that the following data will 
be the ciphertext. Wl1en the ciphertext counter outputs 128, the controller will go to the 
MarkerReceiving state, and the marker counter starts to work immediately. 
regFiag_MRE_CON = "11111111 "? 
NO FirstMarker MRE CON = "00000001 "? 
I I YES - -
NO 
Marker ) 
Receiving 
in_CTC_MRE_CON < CTSNum? 
in_MC_MRE_CON < MSNum ? 
Figure 5.12. Flow chart of controller of decryption system 
In this controller, there are two important parameters: 'CTSNum" and ·'MSNum·'. 
CTSNum is short for ciphertext shift number, and MSNum is short for marker shift 
108 
number. These two parameters are used to resynchronize the system when sync is lost. 
Theoretically, in every synchronization cycle, the total amount of data which is shifted 
into the data register is 136, including 8 bits of marker and 128 bits of ciphertext. 
However, if there is slip occmTence in the communication channel, the number of 
cunent ciphetiext and marker will be less than 136, thus part of data bits from next cycle 
will be mistakenly collected. Since it is assumed that the maximum amount of slipping is 
4 bits, pati of the first 4 bits of next marker will be falsely collected as the ciphertext in 
the cun·ent cycle. Similarly, if there is an insertion occunence in the communication 
channel, the number of actual ciphertext and marker will be larger than 136, thus part of 
the data of current cycle will be delayed to the next cycle. Since we also assume that the 
maximum number of inserted bits is 4, part ofthe last 4 bits of the cun·ent ciphertext will 
be delayed to the next cycle. Therefore, MSNum for the next synchronization cycle will 
change according to the decision made by the marker detector. Hence, synchronization 
can be regained between the transmitter and the receiver. 
Slip or Insertion Marker Position MSNum for next cycle 
4 bit slips Window 1 4 
3 bit slips Window 2 5 
2 bit slips Window 3 6 
1 bit slip Window 4 7 
No slips or insertions Window 5 8 
1 bit insetiion Window 6 9 
2 bit insertions Window 7 10 
3 bit insertions Window 8 11 
4 bit insertions Window 9 12 
Table 5.1. MSNum in terms of marker position 
Table 5.1 g1ves the corresponding MSNum based on which window is the marker 
position. ln the FPGA implementation, since we do not simulate the slips and insetiions, 
109 
MSNum is fixed to be 8. However, we tested the designed system in tenns of slips and 
insertions by using Modelsim, and the synchronization is regained as shown in Table 5.1 . 
5.5 Description of FPGA Implementation 
So far, the design details of the encryption system and decryption system have been 
separately discussed. In this section, the FPGA implementation of marker-based mode 
wi ll be described. The general structure is shown in Figure 5.13. 
H13 B18 V14 U14 N9 BB V16 R1 O,P10,R11 ,N11 ,T12,P13,R13,R14 
1 ~L,~ ~~~ ~ Pdb(7), ... ,Pdb(O) 
start Bin resetBtn astb dstb pwait mclk pwrite 
I r r t I I 8 / 
f f r r-' r t 
astb 
,-
dstb pwait mclk pwr Pdb(7), ... ,Pdb(O) 
INTERFACE 
rgplt0,rgplt1 , .. ,rgplt14,rgplt15 rgMK rgiVO,rgiV1 , ... ,rgiV14,rgiV1 5 rgFiag 
I 
1?R I L 128 I 128 8 I 8 
u reset_MT clock_MT +- .. 
IV_MR ~ regFiag_MR clk_MR +-
start_MT ftag_MT IV_MT DECRYPTION reset_MR 
SYSTEM 
plaintext_MT ENCRYPTION marker_MT .-
Plaintext SYSTEM Dout_MT din_MR depltout_MR IDLEout_MR 
Generator JL 
pltout_MT Compare 
Encryption System to Decryption System component 
J 
t 
LedComp LediDLE 
XILINX Sparton 3E-500 FPGA Board J14j L R4 
Figure 5.13. Block diagram of hardware implementation structure of marker-based mode 
110 
As discussed before, the implementation process and the testing are the same as that of 
SCFB mode configured for a stream cipher in Chapter 4. Basically, the data out of the 
encryption system is sent to the decryption ·system, and each plaintext bit is compared to 
the COITesponding decrypted plaintext. The comparison result will drive an LED on the 
FPGA board. As well , there are two buttons on the board to start and reset the system. 
Eventually, the control signals of data transmission between the computer and the board 
will be connected to the pins on the FPGA board, which is also shown in Figure 5.13. 
5. 6 Synthesis Results 
Similar to SCFB mode in Chapter 4, the designed system is synthesized by using the ISE 
Webpack CAD tools. Because this tool has been described in detail in Chapter 4, only the 
synthesis results of marker-based mode will be given in this section. 
From the synthesis report, we obtained the timing infom1ation as follows: the 
minimum clock period is 5.507 ns, and therefore the maximum fi·equency is I /5.507 ns = 
181.594 MHz. Even though this system produces data at the rate of one bit per clock 
cycle, the efficiency can not reach 100% because there are only 128 bits of ciphertext for 
every 136 bits transmitted. The efficiency of this system is ·128/136 = 0.941176, and the 
throughput of this system is 1/5.507 ns x 0.941176 = 171 Mbps. Moreover, we have also 
obtained the timing information after place & route. The minimum clock period is 8.305 
ns, and thus the maximum frequency is 120.409 MHz. According to efficiency of this 
system, the actual throughput of the designed system running on a FPGA board i 
120.409 MHz x 0.941176 = 113 Mbps. Besides timing, we also obtained the device 
111 
utilization of the targeted Xilinx Spartan-3E FPGA after synthesis, which is given in 
Table 5.2. 
Used Available Utilization 
#of Slices 556 4656 11% 
#of Slice Flip Flops 723 9312 7% 
# of 4 input LUTs 1035 93 12 11% 
# oflOs 17 
# ofbonded lOBs 17 232 7% 
# ofGCLKs 1 24 4% 
Table 5.2. Device utilization of marker-based mode 
5. 7 Characteristics of Marker-based Synchronization 
Implementation 
As discussed in Section 5.2, the marker detector wi ll decide one window position as the 
new marker position only after the marker has been detected at this position 
COUNT_ MAX times. This is main ly to avoid the cases that more than one marker is 
detected at one time due to slip or eJTor occurrence in the communication channel. In 
order to find the reasonable value for COUNT_MAX, we have simulated SRD of marker-
based synchronou stream cipher under varying COUNT_ MAX of values I, 2, 5, 1 0, and 
20. In addition, for marker selection, we have taken conclusions of best sync pattern for 
SCFB mode obtained in Chapter 3 into consideration because the marker and the sync 
pattern are both scanned for in the similar way, which is to slide along an n-bit window. 
As with SCFB mode, we consider a marker size of 8. We have simulate<;! three marker 
fom1ats: " 10000000", ·'01111111 ", and "1111111 1", for comparison. 
The simulation was taken under the following constraints: 
112 
• Simulation length: 10 10. 
• Slip event generation rate: I 05. 
• Number of slips generated at each slip event is random: 1, 2, 3, or 4. 
Since the case for in ertions will be the same as slips, we will only present the 
simulation results for slips. 
Figure 5.14 shows the simulation results of SRD in tem1s of varying COUNT_ MAX 
with the marker being " I 0000000", "01111111 ", and "11111 L 11 ", respectively. From 
this figure, it can be seen that no matter what marker pattern being used COUNT_MAX 
= 1 results in very large SRD, but COUNT_ MAX = 2 leads to the smallest. As well, as 
COUNT _MAX increases, SRD increases when COUNT MAX ~ 2. This can be 
explained as follows: 
In every synchronizahon cycle, 16 data bits which form 9 window positions will be 
scanned for the marker at the receiver side. It is possible that more than one position 
contains the marker when being scanned. For example, if the detected 16 bits are all ·1 ' s, 
then 9 windows all contain marker for marker pattern " 1111 1 1 L 1 ' . If the detected 16 bits 
are the sequence " 1 00000001 0000000'. with rightmost bit being received first, two 
windows, window I and window 9, contain the marker for marker pattern ' ·1 0000000" . 
But for the designed system, it will only decide to adjust to the new marker position when 
there is only one window containing the marker. So, if COUNT_ MAX = 1, and marker 
appears at more than one window position, the system will do nothing to resynchronize 
until the marker has been properly detected in the following cycles, thus resulting in very 
large SRD. Moreover, there is also possibility that bit erTor in the communication channel 
results in a false marker that is detected at the receiver. If the marker only needs to be 
113 
detected once, COUNT_ MAX = 1, before the corresponding window position being 
adjusted to a new marker position, it will lead to a false synchronization. Therefore, 
COUNT_MAX = 1 leads to high SRD. 
However, COUNT _MAX = 2 results in the smallest SRD, as shown in Figure 5.14. 
This is because the possibility that the same multiple windows contain the marker during 
two successive synchronization cycles is small. For example, if the marker used is 
" 1 0000000", it is only possible that two windows, which are window 1 and window 9, 
contain the marker at one cycle. The possibility for marker appearing at these two 
windows during COUNT_MAX successive cycles IS 1/216xco NT_M AX. When 
COUNT_MAX = 2, this possibility is 2.3283 x 10-10, which is very sniall. That means it is 
highly possible that the system will only detect one window position containing marker 
when COUNT_MAX = 2, thus it will adjust to the new marker position and regain 
synchronization, resulting in small SRD. In addition, it is easy to see that a 
COUNT_ MAX increases, the value for this possibility'will greatly decrease. That is, the 
extra delay due to multiple window positions containing the marker when 
resynchronizing will get far smaller. However, as COUNT_MAX gets larger, it will take 
more cycles to resynchronize. Since the ynchronization cycle length is 136 bits, large 
COUNT MAX will lead to very large synchronization delay. Therefore SRD becomes 
larger when COUNT_ MAX gets larger. 
114 
SRD \€rsus COUNT MAX X 104 
2 . 5 [---:--:-:-:-:--;r::===:r:::===c::::=::::r==::.~ 
marker "11111111" 
marker "10000000" 
--e- marker "01111111" 
2 ...... r· .. r .. r . f .. ···r : 
~ 1.5 .... T • ; • r ; , r . 
(/) 
I I I I I 
: J: :: :·: J: J:: .1:: . . r ·;·i········; ... 
0.5 -···'-· -1·:.::··,-
i : : : i ---f --t- -r- . 
0 
0 
: i : --t +-!!--[ 
2 4 6 8 10 12 14 16 18 
COUNT MAX 
Figure 5.14. SRD versus COUNT_MAX 
20 
Moreover, from this figure, it can al o be seen that comple!11entary marker pattern 
results in the same SRD. Also, marker pattern "1 0000000" results in smaller SRD than 
' 11111 f 11 " . This is because the possibility for multiple window positions containing the 
marker at one cycle will be much higher. Similarly, we can conclude that the best marker 
for marker-based synchronous stream cipher is uncorrelated. That is, the shifted markers 
will never match bits fonn the original marker. The SRD for marker " 1 0000000'. with 
COUNT _MAX = 2 is around 200. That means the system can resynchronize very quickly. 
Hence, in our implementation, the COUNT MAX has been chosen to be 2, and the 
marker pattern is " 1 0000000". 
The error propagation for marker-based synchronous stream cipher is very limited 
because bit errors in the communication channel will only affect the corresponding bit at 
115 
the receiver side. Moreover, the possibility of a fa lse synchronization due to hit error i 
also limited by COUNT_MAX = 2. 
5.8 Comparison of SCFB Mode and Marker-based Mode 
In the previOus chapters, we have discussed the characteristics and ·hardware 
implementation of SCFB mode and marker-based mode. In this section, we will give a 
short compruison of these two modes. 
SCFB mode is the self-synchronizing stream cipher, so it .is capable of self-
synchronizing from bit slips; marker-based mode is a synchronous stream cipher, but it 
also has the ability of resynchronizing for a limited range of slips or insertions. 
Specifically, the marker-based mode can recover from multiple bits of slips or insertions 
of 1, 2, 3, or 4 bits in our implementation. 
Both modes were implemented on the same Xi linx Spartan-3E FPGA. SCFB mode 
configured for .a stream cipher, Grain-128, can run at the speed of 89Mbps. But the 
marker-based mode can reach the speed of 113 Mbps. The device utilization of marker-
based mode is also smaller than SCFB mode. Although this is mainly because we have 
used a simple LFSR as the keystream generator for marker-based mode instead of a more 
complex block cipher such as AES, it is clear that the hardware complexity generally for 
the marker-based system is very small. In addition, SCFB mode can reach the efficiency 
of I 00%, but marker-based mode can only reach 94% because of the overhead of extra 
marker bits in the communication channel. 
116 
Under the same parameters for implementing SCFB mode and marker-based mode (B 
= 128, n = 8, and sync pattern I marker of "1 0000000"), SRD of SCFB mode configured 
for Grain-128 is around 700, but it is around 200 for marker-based mode. Hence, 1narker-
based mode synchronizes more quickly. Moreover, SCFB mode has significant en-or 
propagation, but marker-based mode almost has no error propagation. 
However, the marker-based mode is limited in its synchronization recovery, that is, it 
cannot regain synchronization when the number of bit slips or insertions is larger than k, 
where k=4 for our implementation. But SCFB mode can resynchronize no matter how 
many bit slips or inse1iions occur in the communication channel. Therefore, SCFB mode 
should still be the fir t choice in a real implementation. 
5.9 Comparison of FPGA implementation of AES and SCFB 
Mode and Marker-based Mode 
In this section, we will give a brief comparison of AES implementation and SCFB mode 
and marker-based mode implementation targeting the same device, Xilinx Spruian-3E 
FPGA board. Specifically, we will compare the implementation outcomes ofHelion AES 
cores with our design. 
The Helion AES cores offer separate encryption and decryption cores for optimum 
flexibility. The encryptor core accepts a 128-bit plaintext input block, and generates a 
con·esponding 128-bit cipheJiext output block using a supplied 128-, 192-, or 256-bit 
AES key [2]. The decryptor core provides the reverse function, generating plaintext from 
supplied ciphertext, using a similar AES key as was used for encryption. Targeting the 
117 
Xilinx Spartan-3E FPGA device, the maximum frequency of Helion AES core is 116.0 
Mhz, and the total number of Slices and LUTs is 384 and 767 [2], respectively. 
ln our implementation, the maximum frequency of SCFB mode which uses stream 
cipher Grain-128 a the keystream generator is 89MHz. The total number of Slices and 
LUTs is 1549 and 2826, respectively. For marker-based ynchronization mode, the 
maximum is 120.409 MHz and the total number of Slices and LUTs is 556 and 1035, 
respectively. 
From the outcomes, we can see that the Helion AES core ha less hardware complexity 
than SCFB mode configured for Grain-128 and marker-based synchronization mode and 
it is faster than SCFB mode of our implementation. Therefore, the marker-ba ed mode 
can use AES as the keystream generator. It will be secure and have moderate hardware 
complexity. 
5. 10 Conclusion 
In this chapter, the marker-based synchronous stream cipher was analyzed and 
implemented. The concept of the marker-based mode is to include an n-bit marker every 
B bits of ciphertext at the transmitter side. At the receiver, the marker detector is used to 
detect the marker at the expected position. When it is not found, the marker detector will 
span its scanning around the expected position, trying to recognize the marker and adjust 
to the new marker position. This new marker position is then used to regain 
synchronization with the transmitter. 
The marker-based mode was designed and implemented on the FPGA board. It 
included the encryption system, the decryption system, and the sy tem interface. The 
118 . 
plaintext at the tran mitter was compar d with the decrypted plaintext at the rycei er to 
test the designed system. The compari on result was used to drive an LED on the board. 
ln the hardware implementation, Modelsim was used to simulate the behavior of 
designed system, and ISE Webpack wa u ed to ynthesize it. The Adept Suite was used 
to configure the FPGA board with the generated bit stream and transmit the required 
initialization vector to the system. The designed system can run at the peed of 113 
Mbps. As well, the simulation results of SRD versus varying COUNT _MAX were 
presented. The e results explained why COU T _MAX was chosen to be 2, and marker 
was chosen to be ·'I 0000000'" in our implementation. The pat1ia1 simulation results of 
RTL ofmarker-ba ed stream cipher can be found in Appendix. 
119 
Chapter 6 
Conclusion and Future Work 
6.1 Summary 
Ciphers can be either symmetric key (private key) or asymmetric key (public key). In a 
symmetric key system, the sender and the receiver share certain infonnation, the secret 
key, for both encryption and decryption, and the secret key must be secretly kept. 
Commonly, symmetric key ciphers can be subdivided into block ciphers and stream 
ciphers. Block ciphers encrypt large block sizes (e.g. 64 bits, 128 bits) with a fixed 
transformation, but stream ciphers operate on data units as small as a single bit with a 
time-varying transfonnation [ 19] . 
There are two classifications of stream ciphers: synchronous stream ciphers and self-
synchronizing stream ciphers. For synchronous stream ciphers, the keystream generation 
is independent ofboth plaintext and ciphe1iext and, hence, a single error in the ciphe1iext 
only affects the conesponding plaintext bit at the decryption side. However, once the 
synchronization between the encryption and decryption sides is lost due to a slip 
occun·ence in the communication channel, it is difficult to resynchronize. Usually, it will 
need a signaling channel to send an initialization vector, which will result in extra 
overhead. 
Alternatively, self-synchronizing stream ciphers are capable of self-synchronizing in 
case the synchronization is lost due to bit sl ips in the communication channel. This is 
120 
because the keystream generation is dependent on the previous ciphettext, and eventually, 
the effect of slips will be over, thus regaining the synchronization. Even though this kind 
of cipher structure could cause large error propagation, it avoids usage of an extra 
signaling chatmel, which is a significant advantage. 
However, most streatn ciphers nowadays belong to the synchronous stream cipher 
category; therefore, self-synchronizing stream ciphers have great research potential. In 
this thesis, we mainly focused on a recently proposed self-synchronizing stream cipher 
based on a block cipher mode, which was refened to as Statistical Cipher Feedback 
(SCFB) mode. In the traditional SCFB mode, the keystream generator was configured by 
a block cipher, such as AES; but in our implementation, the keystream was generated by 
the stream cipher, Grain-128. Moreover, we also studied a synchronous stream cipher 
mode, which was refen·ed to as the marker-based mode. Using a marker-based technique, 
it is possible to regain synchronization in limited circumstances. 
There were five main chapters in this the is. Chapter 1 introduced the objective and 
outline of this thesis. Chapter 2 gave the general background knowledge, which included 
the stream cipher design components, the self-synchronizing mode of stream ciphers, the 
characteristics of SCFB mode, and the FPGA hardware implementation tools. 
In Chapter 3, the simulation results of characteristics of SCFB mode configured for 
AES were presented. Those characteristics included synchronization recovery delay 
(SRD) and enor propagation factor (EPF). Through analyzing the simulation results, the 
best sync pattern which will result in small SRD and EPF were considered to be sync 
patterns with moderate size (7-s n 'S9) and being uncorrelated. In patiicular, the sync 
121 
pattern "I 0000000", which wa selected in our implementation, is among those best sync 
patterns. 
The content of Chapter 4 and Chapter 5 were very similar. In Chapter 4, the concept of 
SCFB mode which u ed stream cipher Grain-128 as the keystream generator was 
described along with the hardware design of this mode. The designed system was finally 
implemented on a FPGA board. It can run at the speed of 89Mbps. Besides, the FPGA 
synthesis tools were described, including the JSE Webpack and Adept Suite. 
In Chapter 5, it gave the concept of marker-ba ed synchronous stream cipher as well as 
the hardware design details. The designed system was also implemented on a FPGA 
board, and it can reach the speed of I 13 Mbps. 
6.2 Conclusions 
Jn this thesis, we mainly focused on the analysis and implementation of two 
synchronization methods for stream ciphers. One of them is SCFB mode and the other is 
marker-based mode. In order to study implementation issues and determine complexity 
and speed for a real implementation, the two modes were implemented and tested on 
targeted Xilinx Spartan-3E FPGA since FPGAs are common technology and Digilent 
Nexys II board i available for the device. 
Through analyzing the simulation re ults in Chapter 3, we found the best sync pattern 
which will result in small SRD and EPF when implementing SCFB mode in digital 
hardware. Those best ones are with moderate size n (7 :::::: n :S 9), and with uncorrelated 
format, that is, the shifted sync patterns will not match bits from original sync pattern a 
122 
long as the number of shifted bits is within size n. In particular, the ync pattern with size 
n = 8 and format " 100 ... 00" has been selected when we implemented the SCFB mode 
using the stream cipher, Grain-128, as the keystream generator in digital hardware in 
Chapter 4. 
Compared with the implementation of SCFB mode configured for AES, the 
synchronization cycle length of Grain-128 based SCFB mode implementation is longer 
since the sync pattern scanning was turned off not only in the new IV collection phase but 
also in the setup phase of KSG2. Hence, it would take longer for our implementation to 
resynchronize, that is, SRD is larger than AES-based SCFB mode implementation; 
however, the en·or propagation characteristics of the two implementations are similar. 
Comparing the SCFB mode and marker-based mode, we can conclude that SCFB 
mode is a self-synchronizing stream cipher, so it is capable of self-synchronizing from bit 
slips; marker-based mode is synchronous tJ·eam cipher, but it also has the ability of 
resynchronizing for a limited range of slips or insertions. Specifically, the marker-based 
mode can recover from multiple bits of slips or inser1ions of 1, 2, 3, or 4 bits in our 
implementation. Under the similar parameters for implementing SCFB mode and marker-
based mode (B = 128, n = 8, and sync pattern I marker of" 1 0000000"), SRD of SCFB 
mode configured for Grain-128 is around 700, but it is around 200 for marker-based 
mode. Hence, marker-based mode synchronizes more quickly. Moreover, it is clear that 
the hardware complexity generally for the marker-based is very small. However, the 
marker-based mode is limited in its synchronization recovery, that is, it cannot regain 
synchronization when the number ofbit slips or insertions is larger. But SCFB mode can 
resynchronize no matter how many bit slips or insertions occur in the communication 
123 
channel. Moreover, SCFB mode can reach the efficiency of I 00%, but marker-ba ed 
mode can only reach 94% because of the overhead of extra marker bits in the 
communication channel. Therefore, SCFB mode should still be the first choice in a real 
implementation. 
Both modes were implemented on the same Xilinx Spattan-3E FPGA. SCFB mode 
configured for a stream cipher, Grain-128, can run at the speed of 89Mbps. But the 
marker-based mode can reach the speed of 113 Mbps. The device utilization of marker-
based mode is also smaller than SCFB mode. This is mainly because we have used a 
simple LFSR as the keystream generator for marker-based mode instead of a more 
complex block cipher such as AES. 
6.3 Future Work 
Although the hardware implementation and simulation of SCFB mode configured by 
Grain-128 and marker-based synchronous stream cipher were presented in this thesis, 
there are still future work left to be considered. This is listed below: 
• Change the design of KSG I and KSG2 in Chapter 4, making sure the 
initialization of KSG 1 at the strut of system is accomplished by KSG2. Hence, 
KSG 1 is only used to generate the keystream, and KSG2 is responsible for all 
initializations. 
• Use counter mode of a block cipher, like AES, or a stream cipher, like Grain-128, 
as the keystream generator for implementation of marker-based mode, then 
124 
compare the speed and device utilization of SCFB mode and marker-based mode 
to obtain more persuasive results. 
• Improve the designed system of SCFB mode configured for Grain- 128 to increase 
its FPGA implementation speed. 
• Implement the marker-based mode on FPGA board with changeable MS um 
ba ed on slip and insertion generations. 
• Implement SCFB mode and the marker-based mode targeting other hardware 
technologies, e.g .. 13 Jll11 CMOS technology, ASIC. 
125 
References 
[1] A. Alkas ar A. Geraldy, B. Pfitzmann and A-R. Sadeghi, .. Optimized self-
synchronizing mode of operation,'· Fast Software Encryption Work hop - FSE 2001, 
Yokohama, Japan , Apr 2001. 
[2] AES Fast Encryptor and Decryptor (Helion). [Online]. Available: http:// 
www .xilinx.com/products/ipcenter/Fast_ AES _ Encryptor_ Decryptor.htm 
[3] Digilent Nexys2 Board Reference Manual. [Online]. Available: Digilent Website, 
http://www.digilentinc.com/Products 
[4) Digilent Parallel Interface Mode Reference Manual. [Onhne]. Available: Digilent 
Website, http://www.digilentinc.com/Product 
[5) Digilent Port Communications Programmers Reference Manual. [Online]. Available: 
Digilent Website, http://www.digilentinc.com/Products 
[6] W. Diffie and M. Hellman , "P1ivacy and authentication: An inh·oduction to 
cryptography," Proceedings of the IEEE, vol. 67, pp. 397 - 427, March 1979. 
[7] The eSTREAM Project. [Online]. Available: http://www.ecrypt.eu.org/ tream 
126 
[8] FPGA lnfonnation. [Online]. Available: http://www.sc1ibd.com/doc/FPGA-
lnfonnation 
[9] FPGA Design Flow. [Online]. A vaiable: http://www.scribd.com/doc/FPGA-Design-
Flow 
[1 0] Howard M. Heys, "Analysis of the statistical cipher feedback mode of block 
ciphers;' IEEE Transactions on Computers, vol. 52, Issue 1, pp. 77-92, Jan 2003. 
[I 1] Howard M. Heys and L. Zhang, "Pipelined Statistical Cipher Feedback: A New 
Mode for High Speed Self-Synchronizing Stream Encryption," Submission to IEEE 
Transactions on Computers, 2009. 
[ 12] M. Hell, T. Johansson, and W. Meier, "Grain - A Stream Cipher for Constrained 
Environments," [Online]. Available: http://www.ecrypt.eu.org/stream/ciphers/grain 
(13] M. Hell, T. Johansson, and W. Meier, '·A Stream Cipher Proposal: Grain- 128," IEEE 
International Symposium, pp.l614 - 1618, July 2006. 
[14] Y. Huang, "Modern Stream Ciphers,'' Project Rep011, Memmial University of 
Newfoundland, 2008. 
[ 15] 0. Jung and C. Ruland, "Encryption with statistical self-synchronization in 
synchronous broadband networks," Cryptographic Hardware and Embedded Systems -
CHES '99s, Lecture Notes in Computer Science, vol. 1717, pp. 340-352, 1999. 
127 
[16] A. Menezes, P. van Oor chot and S. Vanstone, Handbook of Applied 
Cryptography, 1st ed. CRC Press, 1997. 
[ 17] U.M. Maurer, "New approaches to the design of self-synchronization stream 
ciphers; · Advance in Cly ptology - EUROCRYPT '91, pp. 458 - 471 , 1991. 
[18] National ln titute of Standards and Technology. [Online] . Available: http:// 
www.csrc.nist.gov/encryptionlaes 
[19] M.J.B. Robshaw ''Stream Ciphers," RSA Laboratories Technical Report, TR-701 
Version 2.0, July 1995. 
[20] William Stallings, Clyptography and Network Security, Principles and Practice, 
3rd ed. Prentice Hall 2003. 
[21] F. Yang, "Analysis and implementation of statistical cipher feedback mode and 
optimized cipher feedback mode," Master's Thesis, Memorial University of 
Newfoundland, 2004. 
[22] L. Zhang, "New Methods for the Implementation of Statistical Cipher Feedback 
Mode," Master' s Thesis, Memorial University of Newfoundland, 2008. 
128 
Appendix 
Figure Al shows the partial simulation results ofRTL implementation or code of marker-
based stream cipher. The two signals "sig_ depltout_mr" and "sig_pltout_mt" represent 
the decrypted plaintext from the decryption system and the plaintext :fi·om the encryption 
system, respectively. The signal "comled" represents the comparison result which will 
drive an LED on the FPGA board. Since the two signals match, that is, the decrypted 
plaintext and the plaintext are the same, the signal "com led" is "1 " . The compari son LED 
will always illuminate when the system is working. 
Figure Al. Simulation result of marker-based stream cipher 
As shown in Table 4.6, in order to test the conect functionality of stream cipher Grain-
128, we used two pairs of key and N vectors. The partial simulation results in shown in 
Figure A2 and Figure A3, respectively. The two signals "key" and " iv" represent the key 
and IV, and the following signal "keystreamout" represents the keystream. The 
. keystream is matching the result of Table 4.6. 
129 
Figure A2. Simulation result of Grain-128 with keyl and IVI 
Figure A3. Simulation result of Grain-128 with key2 and IV2 
Figure A4 and Figure AS show the partial simulation results of R TL of Grain-128 
based SCFB mode with key] and IVl and key2 and IV2, respectively. The three signals 
"keyin _ttr", "ivksgl _ttr" and " ivplgen _ttr" represent the initial key and IV for the 
keystream generator, Grain-128, and IV for the plaintext generator. The signal 
" ledcomp_ttr" represents the comparison result of plaintext from the encryption system 
represented by the signal "sig_pltout_ tr" and decrypted plaintext from the decryption 
130 
system represented by the following signal "sig_dout_re" . The "ledcomp_ttr" signal will 
eventually drive an LED on the FPGA board. Since the two signals "sig__pltout_t:r" and 
"sig_ dout_re" match, that is, the plaintext and the decrypted plaintext are the same, the 
" ledcomp_ttr" is " 1 " . The comparison LED will always illuminate when the system is 
working. 
Figure A4. Simulation result of Grain-128 based SCFB mode with keyl and lVI 
Figure AS. Simulation result of Grain-128 based SCFB mode with key2 and IV2 
131 



