    Towards low energy stream ciphers

    Energy optimization is an important design aspect of lightweight cryptography. Since low energy ciphers drain less battery, they are invaluable components of devices that operate on a tight energy budget, such as handheld devices or RFID tags. At Asiacrypt 2015, Banik et al. presented the block cipher family Midori, which was designed to optimize the energy consumed per encryption and reduces energy consumption by more than 30% compared to previous block ciphers. However, if one has to encrypt/decrypt longer streams of data, i.e. for bulk data encryption/decryption, a stream cipher is expected to perform even better than a block cipher in terms of the energy required to encrypt. In this paper, we address the question of designing low energy stream ciphers. To this end, we analyze the impact of common stream cipher design components on energy consumption. Based on this, we give arguments why stream ciphers indeed allow for encrypting long data streams with less energy than block ciphers, and validate our findings by implementations. Afterwards, we use the analysis results to identify energy-minimizing design principles for stream ciphers.

    Transformation and Security Analysis of NLFSR-based Stream Ciphers

    © 2020 Ge Yao

    The Nonlinear Feedback Shift Register (NLFSR) based stream cipher is becoming the mainstream design of modern stream ciphers. High operation speed, a small hardware footprint and low power consumption make such ciphers preferable in resource-constrained applications requiring secure communications. In the last decade, many NLFSR-based stream ciphers have been proposed, among which the Grain family ciphers are the most mature and well studied. However, security concerns hinder the development and application of such ciphers. Cryptanalytic attacks like the Time-Memory-Data Trade-Off (TMDTO) attack require the internal state to be at least twice the security level in size, which conflicts with the requirement of high efficiency. To optimise the trade-off between performance and security, researchers have focused on new ideas for designing stream ciphers that inherit the efficiency of the Grain family while remaining resistant to the known attacks, especially the TMDTO attack. To this end, new design ideas such as using shorter Feedback Shift Registers (FSRs) or deploying a single Galois NLFSR have sparked interest in this field. In this thesis, we aim to analyse the security of the newly designed stream ciphers and explore the theory of NLFSRs to make progress in the study of NLFSR-based stream ciphers. This research addresses four research questions; the questions and the corresponding contributions are as follows.

    The first research question is about the security of small-state stream ciphers. Sprout, the initial small-state design, has been shown to be insecure, and its successors Plantlet, Fruit and Lizard are also not as secure as expected. In this research, we aim to improve the Sprout cipher against the divide-and-conquer key recovery attack and to analyse the security of all the small-state stream ciphers. By analysing the four types of sieving and merging techniques used in the key recovery attack, we identify the design weakness in Sprout. We then propose countermeasures to resist each type of sieving and merging technique. Five experiments are conducted to verify our theoretical improvements: the first four show that our countermeasures are effective, and the last shows that the improved cipher resists the key recovery attack. Moreover, we analyse the attack results on Plantlet and Fruit and find that the countermeasures we propose are consistent with the improvements made in these ciphers. Finally, we summarise the design principles for small-state Sprout-like stream ciphers.

    The second research question is how to determine whether a Galois NLFSR is equivalent to a Fibonacci NLFSR; we refer to such Galois NLFSRs as transformable. The transformation between Fibonacci and Galois NLFSRs has been studied extensively, but the equivalence is still not fully established. To address this, we adopt the notion of a nonlinear recurrence and derive the necessary and sufficient condition for a Galois NLFSR to be equivalent to a Fibonacci NLFSR. We prove that the three types of transformable Galois NLFSRs discovered in the literature satisfy this condition. Besides, we study several properties of the nonlinear recurrence and discover a special case where a Galois NLFSR is equivalent to two different Fibonacci NLFSRs.

    The third research question is how to transform an NLFSR between the Fibonacci and Galois configurations. For the three types of transformable Galois NLFSRs, either no transformation algorithm has been proposed or the known algorithm has very high complexity; existing algorithms also share several limitations and a common issue. In this research, we aim to address all of these issues. First, we give a formal description of a transformation algorithm. Second, we develop a compensation method. The basic idea is to build relations between the internal states of the NLFSR before and after transformation; from these relations, the output function can be constructed and the initial state of the transformed NLFSR computed. Based on this unified method, we propose transformation algorithms for all three types of Galois NLFSRs. Moreover, we discover a new type of transformable Galois NLFSR, the Type-IV Galois NLFSR, and show that it also satisfies the necessary and sufficient condition established for the second research question in Chapter 5. Using the same compensation method, we propose transformation algorithms for Type-IV Galois NLFSRs. All the proposed algorithms are easy to program and have polynomial time complexity, and we provide pseudocode for each.

    The fourth research question is about the security of maximum-period Galois NLFSR-based stream ciphers. We reinterpret the design method and identify a conditional equivalence problem, which can be addressed by the Type-II-to-Fibonacci transformation algorithm proposed in Chapter 6. We then apply this algorithm to the Espresso cipher: the Galois NLFSR used in the cipher is transformed into a Linear Feedback Shift Register (LFSR) with a nonlinear output function, often referred to as an LFSR filter generator. We mount the fast algebraic attack and the Rønjom-Helleseth attack on the transformed cipher and break it with computational complexity of 2^{68.50} and 2^{48.59} logical operations respectively, far below the claimed security level of 2^{128}. We then show that not only the Galois NLFSR in Espresso, but the entire class of maximum-period Galois NLFSRs, can be transformed back to LFSRs with precise output functions; therefore this kind of cipher is always equivalent to an LFSR filter generator. We discuss other related attacks and give suggestions for future designs.
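    The second and third research questions above concern when a Galois NLFSR is equivalent to a Fibonacci one and how the transformed register's initial state is obtained from relations between the two internal states. The Python example below is added here for illustration and is not code from the thesis; it covers only the simplest, long-known case, the "uniform" Galois form of Dubrova (2009), in which monomials of the Fibonacci feedback are shifted down to lower stages and every nonlinear term reads only stages 0..tau. It shifts one monomial, maps the Galois register back to Fibonacci form, derives the compensated Galois initial state from the state relations, and checks by exhaustive simulation over all 2^8 initial states that both registers emit the same stream. The 8-stage feedback function, the monomial shifted and the states used are constructed for this example; the thesis's Type-II to Type-IV transformations and the Espresso result go beyond this uniform case.

```python
# Fibonacci vs. Galois NLFSR: shift one monomial, then compensate the initial
# state so both registers produce the same output stream.
#
# Conventions (constructed for this illustration):
#   - n stages x_0 .. x_{n-1}; the output bit is x_0; on each clock every stage
#     is updated simultaneously as x_i <- f_i(x).
#   - A feedback function f_i is a list of monomials in algebraic normal form;
#     a monomial is a tuple of stage indices whose AND is XORed into the result.
#   - Fibonacci form: f_i = x_{i+1} for i < n-1 and only f_{n-1} = g is nonlinear.
#   - Uniform Galois form (Dubrova's term): stages below tau are a plain shift
#     register, and every nonlinear term in stages tau..n-1 reads only x_0..x_tau.
from itertools import product


def eval_anf(monomials, state):
    """XOR over monomials of the AND of the referenced state bits."""
    acc = 0
    for mono in monomials:
        bit = 1
        for i in mono:
            bit &= state[i]
        acc ^= bit
    return acc


def run(feedbacks, state, length):
    """Clock the register `length` times and return the output bits (stage 0)."""
    out, s = [], list(state)
    for _ in range(length):
        out.append(s[0])
        s = [eval_anf(fb, s) for fb in feedbacks]
    return out


def fibonacci(n, g):
    """Fibonacci register with f_{n-1} = g and plain shifts elsewhere."""
    return [[(i + 1,)] for i in range(n - 1)] + [list(g)]


def shift_monomial(feedbacks, mono, k):
    """Move `mono` from f_{n-1} to f_{n-1-k}, lowering every index in it by k."""
    n = len(feedbacks)
    if min(mono) < k:
        raise ValueError("monomial cannot be shifted below stage 0")
    new = [list(fb) for fb in feedbacks]
    new[n - 1].remove(mono)
    new[n - 1 - k].append(tuple(i - k for i in mono))
    return new


def nonlinear_part(feedbacks, j):
    """Monomials of f_j other than the shift term x_{j+1}."""
    n = len(feedbacks)
    return [m for m in feedbacks[j] if not (j < n - 1 and m == (j + 1,))]


def is_uniform(feedbacks, tau):
    """Check the uniformity condition the equivalence argument relies on."""
    n = len(feedbacks)
    for j, fb in enumerate(feedbacks):
        if j < tau and fb != [(j + 1,)]:
            return False
        if tau <= j < n - 1 and fb.count((j + 1,)) != 1:
            return False
        if j >= tau and any(max(m) > tau for m in nonlinear_part(feedbacks, j)):
            return False
    return True


def to_fibonacci(feedbacks, tau):
    """Galois -> Fibonacci: a term injected at stage j reaches the output n-1-j
    clocks later than one injected at stage n-1, so raise its indices by that."""
    n = len(feedbacks)
    g = []
    for j in range(tau, n):
        g += [tuple(i + (n - 1 - j) for i in m) for m in nonlinear_part(feedbacks, j)]
    return fibonacci(n, g)


def compensate_state(galois, tau, y):
    """Fibonacci state y -> Galois state z with the same output stream.
    Stages 0..tau hold the next outputs y_0..y_tau unchanged; stage i > tau must
    already contain the nonlinear contributions the Fibonacci register adds later:
    z_i = y_i XOR g_j(y, indices raised by i-1-j) for each stage j in [tau, i)."""
    n = len(galois)
    z = list(y[: tau + 1])
    for i in range(tau + 1, n):
        bit = y[i]
        for j in range(tau, i):
            shifted = [tuple(v + (i - 1 - j) for v in m) for m in nonlinear_part(galois, j)]
            bit ^= eval_anf(shifted, y)
        z.append(bit)
    return z


def equivalent_on_all_states(fib, gal, tau, length=64):
    """Exhaustively compare output streams over every initial state."""
    n = len(fib)
    return all(run(fib, y, length) == run(gal, compensate_state(gal, tau, y), length)
               for y in map(list, product((0, 1), repeat=n)))


# Constructed 8-stage example: g = x0 + x2 + x1*x3 + x4*x6*x7.  Shifting x4*x6*x7
# down by k=3 puts x1*x3*x4 into stage 4, so tau = 4 and the register is uniform.
N = 8
G = [(0,), (2,), (1, 3), (4, 6, 7)]
FIB = fibonacci(N, G)
GAL = shift_monomial(FIB, (4, 6, 7), 3)
TAU = 4

if __name__ == "__main__":
    print("uniform:", is_uniform(GAL, TAU))
    print("round trip recovers g:", sorted(to_fibonacci(GAL, TAU)[-1]) == sorted(G))
    print("same stream for all 256 states:", equivalent_on_all_states(FIB, GAL, TAU))
    ones = [1] * N
    # Without compensation the all-ones state is NOT the same state in both forms.
    print("Fibonacci from all-ones:", run(FIB, ones, 12))
    print("Galois    from all-ones:", run(GAL, ones, 12))
```

    The last two lines of the demo are the caveat a practitioner should take from the abstract: loading the Fibonacci state bits straight into the Galois register gives a different stream (all-ones in Galois form corresponds to the Fibonacci state 1,1,1,1,1,0,1,1 here), which is exactly why a transformation algorithm has to output an initial-state mapping and not just the new feedback functions. The same state relations also show why a Galois register whose nonlinear terms can all be moved into the output side ends up, as for Espresso in the fourth research question, as a linear register with a nonlinear filter.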