SNOW-V is a stream cipher proposed by Ekdahl et al. at IACR ToSC 2019(3) with the objective of being deployed as the encryption primitive in 5G systems. The stream cipher offers 256-bit security and is ready for deployment in the post-quantum era, in which, as a rule of thumb (due to Grover's algorithm), the quantum security level is roughly the square root of the classical one. The authors further report good software performance figures on systems supporting the AES-NI instruction set. However, they only provide a theoretical analysis of the cipher's hardware efficiency. In this paper, we aim to fill this gap. We look at the three most important metrics of hardware efficiency: area, speed and power/energy, propose circuits that optimize each of these metrics, and validate our results using three different standard cell libraries. The smallest SNOW-V circuit we propose occupies only around 4776 gate equivalents of silicon area. Furthermore, we also report implementations which consume as little as 12.7 pJ per 128 bits of keystream and operate at a throughput rate of more than 1 Tbps.
At FSE 2018 (IACR ToSC), Kranz et al. presented their results on shortest linear programs for the linear layers of several well-known block ciphers. A shortest linear program is essentially the minimum number of 2-input xor gates required to completely describe a linear system of equations. The authors showed that the commonly used d-xor/s-xor count metrics, used to judge "lightweightedness", do not represent the minimum number of xor gates required to implement a given MDS matrix. In fact they used the heuristic algorithms of Boyar-Peralta and Paar to find implementations of MDS matrices with fewer xor gates than were previously known, and showed that the AES mixcolumn matrix can be implemented with as few as 97 xor gates. In this paper we show that the values reported in the above paper are not optimal. By suitably including random bits in the instances of these algorithms we can achieve implementations of almost all matrices with fewer gates than were reported there. As a result we report an implementation of the AES mixcolumn matrix that uses only 95 xor gates. At FSE 2019 (IACR ToSC), Li et al. tweaked the Boyar-Peralta algorithm to obtain low-depth implementations of many matrices. We show that by introducing randomness into the tweaked algorithm, it is again possible to obtain low-depth implementations with fewer gates than in that paper. As a result, we report a low-depth implementation of the AES mixcolumn matrix that uses only 103 xor gates, 2 gates fewer than the previous implementation. In the second part of the paper, we observe that most standard cell libraries contain both 2- and 3-input xor gates, with the silicon area of the 3-input xor gate being smaller than the sum of the areas of two 2-input xor gates. Hence when linear circuits are synthesized by logic compilers (with specific instructions to optimize for area), most of them return a solution circuit containing both 2- and 3-input xor gates. Thus from a practical point of view, reducing circuit size in the presence of these gates is no longer equivalent to solving the shortest linear program. In this paper we show that by adopting a graph-based heuristic it is possible to convert a circuit constructed with 2-input xor gates into a functionally equivalent circuit that uses both 2- and 3-input xor gates and occupies less hardware area. As a result we obtain more lightweight implementations of all the matrices listed in the ToSC paper.
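As an added example (not code from the paper, nor from Kranz et al.'s tooling), the script below makes the abstract's three ideas concrete on the AES mixcolumn matrix: it builds the 32x32 binary matrix over GF(2), runs Paar's greedy pair-elimination heuristic with and without random tie-breaking (a simple instance of the "random bits" idea, applied here to Paar rather than to the Boyar-Peralta algorithm the paper tweaks), verifies every resulting circuit symbolically rather than by sampling, and finally applies a greedy graph pass that folds single-use 2-input xor gates into their consumer as 3-input gates. The merge rule and the two gate areas (AREA_XOR2, AREA_XOR3) are assumptions for illustration, not the paper's heuristic or any library's figures, and the gate counts it prints will be well above the paper's 95/103 because Paar's heuristic is weaker than Boyar-Peralta:

```python
# Added example (not code from the paper): the shortest-linear-program problem on the AES
# MixColumns layer. Paar's greedy pair-elimination heuristic (with and without random
# tie-breaking), exact symbolic verification, and a greedy XOR2 -> XOR3 merge pass.
import random
from collections import Counter

N_IN = 32
MC = ((2, 3, 1, 1), (1, 2, 3, 1), (1, 1, 2, 3), (3, 1, 1, 2))  # AES MixColumns coefficients
AREA_XOR2, AREA_XOR3 = 2.0, 3.5  # assumed placeholder areas (GE): one XOR3 < two XOR2

def gf_mul(a, b):
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = ((a << 1) ^ 0x11B) if a & 0x80 else a << 1
        b >>= 1
    return r

def mixcolumns_rows():
    """32x32 binary matrix of MixColumns: row i is a bitmask of the input bits feeding output bit i."""
    rows = [0] * N_IN
    for r in range(4):
        for s in range(4):
            for j in range(8):
                v = gf_mul(MC[r][s], 1 << j)  # image of input bit j of byte s under the coefficient
                for i in range(8):
                    if v >> i & 1:
                        rows[8 * r + i] |= 1 << (8 * s + j)
    return rows

def dxor_count(rows):
    """Direct (d-xor) count: a row of weight w costs w - 1 two-input gates."""
    return sum(bin(r).count("1") - 1 for r in rows)

def paar(rows, rng=None):
    """Paar's heuristic: repeatedly replace the most frequent variable pair by a new gate.
    Returns (gates, outputs): gates[k] = inputs of variable N_IN + k, outputs[i] = variable
    computing row i. With rng, ties among the most frequent pairs are broken at random."""
    cur = list(rows)  # rows as bitmasks over the current variables (inputs first, then gates)
    gates = []
    while True:
        freq = Counter()
        for row in cur:
            bits = [b for b in range(row.bit_length()) if row >> b & 1]
            freq.update((bits[x], bits[y]) for x in range(len(bits)) for y in range(x + 1, len(bits)))
        if not freq:  # every row is now a single variable: done
            break
        top = max(freq.values())
        cands = [p for p, c in freq.items() if c == top]
        a, b = rng.choice(cands) if rng else cands[0]
        gates.append([a, b])
        mask, new = (1 << a) | (1 << b), N_IN + len(gates) - 1
        cur = [(row ^ mask) | (1 << new) if row & mask == mask else row for row in cur]
    return gates, [row.bit_length() - 1 for row in cur]

def verify(rows, gates, outputs):
    """Exact check: every variable as a GF(2) linear form over the inputs, compared with the matrix."""
    forms = [1 << i for i in range(N_IN)]
    for ins in gates:
        f = 0
        for v in ins:
            f ^= forms[v]
        forms.append(f)
    return all(forms[outputs[i]] == rows[i] for i in range(N_IN))

def merge_xor3(gates, outputs):
    """Greedy graph pass (an assumed rule): a 2-input gate that is not an output and feeds exactly
    one other 2-input gate is absorbed into that consumer, which becomes a 3-input XOR. Absorbed
    gates keep their inputs so verify() still works, but are no longer counted or charged area."""
    uses = Counter(v for ins in gates for v in ins)
    new_gates = [list(ins) for ins in gates]
    absorbed = set()
    for g, ins in enumerate(new_gates):
        if len(ins) != 2:
            continue
        for v in ins:
            k = v - N_IN
            if k >= 0 and v not in outputs and uses[v] == 1 and len(new_gates[k]) == 2:
                new_gates[g] = [w for w in ins if w != v] + new_gates[k]
                absorbed.add(v)
                break
    n3 = sum(1 for ins in new_gates if len(ins) == 3)
    n2 = len(new_gates) - n3 - len(absorbed)
    return new_gates, n2, n3, n2 * AREA_XOR2 + n3 * AREA_XOR3

def run(seeds=range(8)):
    """Direct count vs. Paar vs. randomized Paar (best of several seeds) vs. the XOR3-merged circuit."""
    rows = mixcolumns_rows()
    det, det_out = paar(rows)
    best, best_out = min((paar(rows, random.Random(s)) for s in seeds), key=lambda go: len(go[0]))
    g3, n2, n3, area = merge_xor3(best, best_out)
    ok = verify(rows, det, det_out) and verify(rows, best, best_out) and verify(rows, g3, best_out)
    return {"dxor": dxor_count(rows), "paar": len(det), "paar_rand": len(best),
            "xor2_only_area": len(best) * AREA_XOR2, "xor2_xor3": (n2, n3), "mixed_area": area, "verified": ok}

if __name__ == "__main__":
    print(run())
```

Running the file prints the direct count (152, the d-xor count of MixColumns), the Paar count, the best count over the random seeds, and the XOR2/XOR3 split with its assumed area. The symbolic `verify` step is the part worth keeping in any real experiment: a randomized heuristic that silently emits a wrong circuit is far worse than one that emits a larger correct one.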
On Design of Robust Lightweight Stream Cipher with Short Internal State
BANIK, Subhadeep; ISOBE, Takanori; MORII, Masakatu
IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences, Volume E101.A, Issue 1, 2018-01-01
Journal Article; Peer reviewed; Open access
The stream cipher Sprout with a short internal state was proposed at FSE 2015. Although the construction guaranteed resistance to generic Time Memory Data Tradeoff attacks, there were some weaknesses in the design and the cipher was completely broken. In this paper we propose a family of stream ciphers LILLE in which the size of the internal state is half the size of the secret key. Our main goal is to develop a robust lightweight stream cipher. To achieve it, our cipher is based on the two-key Even-Mansour construction, and thus its security against key/state recovery attacks reduces to a well-analyzed problem. We also prove that, like Sprout, the construction is resistant to generic Time Memory Data Tradeoff attacks. Unlike Sprout, the construction of the cipher guarantees that there are no weak key-IV pairs which produce a keystream sequence with short period or which make the algebraic structure of the cipher weaker and easier to cryptanalyze. Reference implementations of all members of the LILLE family with standard cell libraries based on the STM 90nm and 65nm processes were also found to be smaller than Grain v1, while the security of the LILLE family rests on a well-studied problem in symmetric cryptography.