Espresso: A stream cipher for 5G wireless communication systems

Abstract

The demand for more efficient ciphers is likely to sharpen with the new generation of products and applications. Previous cipher designs typically focused on optimizing only one of the two parameters, hardware size or speed, for a given security level. In this paper, we present a methodology for designing a class of stream ciphers which takes both parameters into account simultaneously. We combine the advantage of the Galois configuration of NLFSRs, short propagation delay, with the advantage of the Fibonacci configuration of NLFSRs, which can be analyzed formally. According to our analysis, the presented stream cipher Espresso is the fastest among the ciphers below 1500 GE, including Grain-128 and Trivium.


Notes

  1. A set is called a full positive difference set if the positive pairwise differences between its elements are distinct [21].

References

  1. Olsson, M., Cavdar, C., Frenger, P., Tombaz, S., Sabella, D., Jantti, R.: 5GrEEn: Towards green 5G mobile networks. In: Int. Conf. on Wireless and Mobile Computing, Networking and Communications, pp. 212–216 (2013)

  2. Ericsson White Paper: 5G radio access, June 2013. http://www.ericsson.com/res/docs/whitepapers/wp-5g.pdf

  3. Hell, M., Johansson, T., Maximov, A., Meier, W.: The Grain family of stream ciphers. In: New Stream Cipher Designs: The eSTREAM Finalists, LNCS 4986, pp. 179–190 (2008)

  4. De Cannière, C., Preneel, B.: Trivium. In: New Stream Cipher Designs: The eSTREAM Finalists, LNCS 4986, pp. 244–266 (2008)

  5. Lidl, R., Niederreiter, H.: Introduction to Finite Fields and their Applications. Cambridge Univ. Press (1994)

  6. Dubrova, E.: A transformation from the Fibonacci to the Galois NLFSRs. IEEE Trans. Inf. Theory 55, 5263–5271 (2009)

  7. Schneier, B.: Applied Cryptography (2nd ed.): Protocols, Algorithms, and Source Code in C. John Wiley & Sons, Inc., NY (1995)

  8. Daemen, J., Rijmen, V.: AES proposal: Rijndael. National Institute of Standards and Technology (2003)

  9. Robshaw, M.: Stream ciphers. Tech. Rep. TR-701 (1994)

  10. De Cannière, C., Dunkelman, O., Knežević, M.: KATAN and KTANTAN—a family of small and efficient hardware-oriented block ciphers. In: Cryptographic Hardware and Embedded Systems—CHES 2009, vol. 5747 of Lecture Notes in Computer Science, pp. 272–288, Springer (2009)

  11. Guo, J., Peyrin, T., Poschmann, A., Robshaw, M.: The LED block cipher. In: Preneel, B., Takagi, T. (eds.) Cryptographic Hardware and Embedded Systems—CHES 2011. vol. 6917 of Lecture Notes in Computer Science, pp. 326–341, Springer Berlin / Heidelberg (2011)

  12. Gong, Z., Nikova, S., Law, Y.: KLEIN: A new family of lightweight block ciphers. In: Juels, A., Paar, C. (eds.) RFID. Security and Privacy. vol. 7055 of Lecture Notes in Computer Science, pp. 1–18, Springer Berlin Heidelberg (2012)

  13. Bogdanov, A., Knudsen, L.R., Leander, G., Paar, C., Poschmann, A., Robshaw, M.J.B., Seurin, Y., Vikkelsoe, C.: PRESENT: An Ultra-Lightweight Block Cipher. In: Cryptographic Hardware and Embedded Systems—CHES 2007, vol. 4727 of Lecture Notes in Computer Science, pp. 450–466, Springer Berlin Heidelberg (2007)

  14. Shibutani, K., Isobe, T., Hiwatari, H., Mitsuda, A., Akishita, T., Shirai, T.: Piccolo: An ultra-lightweight blockcipher. In: Preneel, B., Takagi, T. (eds.) Cryptographic Hardware and Embedded Systems—CHES 2011. vol. 6917 of Lecture Notes in Computer Science, pp. 342–357, Springer (2011)

  15. Suzaki, T., Minematsu, K., Morioka, S., Kobayashi, E.: TWINE: A lightweight block cipher for multiple platforms. In: Knudsen, L., Wu, H. (eds.) Selected Areas in Cryptography—SAC 2012. vol. 7707 of Lecture Notes in Computer Science, pp. 339–354, Springer Berlin Heidelberg (2013)

  16. Juels, A.: RFID security and privacy: a research survey. IEEE J. Sel. Areas Commun. 24, 381–394 (2006)

  17. Borghoff, J., Canteaut, A., Güneysu, T., Kavun, E., Knežević, M., Knudsen, L., Leander, G., Nikov, V., Paar, C., Rechberger, C., Rombouts, P., Thomsen, S., Yalçın, T.: PRINCE—a low-latency block cipher for pervasive computing applications. In: Wang, X., Sako, K. (eds.) Advances in Cryptology—ASIACRYPT 2012. vol. 7658 of Lecture Notes in Computer Science, pp. 208–225, Springer Berlin Heidelberg (2012)

  18. Biham, E., Dunkelman, O.: Cryptanalysis of the A5/1 GSM stream cipher. In: INDOCRYPT ’00: Proceedings of the First International Conference on Progress in Cryptology, (London, UK), pp. 43–51. Springer-Verlag (2000)

  19. Tews, E., Weinmann, R.-P., Pyshkin, A.: Breaking 104-bit WEP in under a minute. Cryptology ePrint Archive, Report 2007/120 (2007). http://eprint.iacr.org/

  20. Golomb, S.: Shift Register Sequences. Aegean Park Press (1982)

  21. Golić, J.: On the security of nonlinear filter generators. In: Gollmann, D. (ed.) Fast Software Encryption. vol. 1039 of Lecture Notes in Computer Science, pp. 173–188, Springer Berlin / Heidelberg (1996)

  22. Braeken, A., Lano, J.: On the (im)possibility of practical and secure nonlinear filters and combiners. In: Proceedings of the 12th International Conference on Selected Areas in Cryptography, SAC’05, (Berlin, Heidelberg), pp. 159–174. Springer-Verlag (2006)

  23. Cusick, T.W., Stănică, P.: Cryptographic Boolean Functions and Applications. Academic Press, San Diego, CA, USA (2009)

  24. Dubrova, E.: A scalable method for constructing Galois NLFSRs with period 2^n − 1 using cross-join pairs. IEEE Trans. Inf. Theory 59(1), 703–709 (2013)

  25. Dubrova, E.: A method for generating full cycles by a composition of NLFSRs. Designs, Codes and Cryptography (2012)

  26. Berbain, C., Gilbert, H., Maximov, A.: Cryptanalysis of Grain. In: Robshaw, M. (ed.) Fast Software Encryption 2006. vol. 4047 of Lecture Notes in Computer Science, pp. 15–29, Springer (2006)

  27. Wagner, D.: A generalized birthday problem. In: Yung, M. (ed.) Advances in Cryptology—CRYPTO 2002. vol. 2442 of Lecture Notes in Computer Science, pp. 288–303, Springer (2002)

  28. Golić, J.D.: Computation of low-weight parity check polynomials. Electron. Lett. 32(21), 1981–1982 (1996)

  29. Courtois, N., Meier, W.: Algebraic attacks on stream ciphers with linear feedback. In: Biham, E. (ed.) Advances in Cryptology—EUROCRYPT 2003. vol. 2656 of Lecture Notes in Computer Science, pp. 345–359, Springer (2003)

  30. Armknecht, F., Krause, M.: Algebraic attacks on combiners with memory. In: Boneh, D. (ed.) Advances in Cryptology—CRYPTO 2003. vol. 2729 of Lecture Notes in Computer Science, pp. 162–176, Springer (2003)

  31. Courtois, N., Klimov, A., Patarin, J., Shamir, A.: Efficient algorithms for solving overdefined systems of multivariate polynomial equations. In: Preneel, B. (ed.) Advances in Cryptology—EUROCRYPT 2000. vol. 1807 of Lecture Notes in Computer Science, pp. 392–407, Springer (2000)

  32. Courtois, N., Pieprzyk, J.: Cryptanalysis of block ciphers with overdefined systems of equations. In: Zheng, Y. (ed.) Advances in Cryptology—ASIACRYPT 2002. vol. 2501 of Lecture Notes in Computer Science, pp. 267–287, Springer (2002)

  33. Faugère, J.-C., Joux, A.: Algebraic cryptanalysis of Hidden Field Equation (HFE) cryptosystems using Gröbner bases. In: Boneh, D. (ed.) Advances in Cryptology—CRYPTO 2003. vol. 2729 of Lecture Notes in Computer Science, pp. 44–60, Springer (2003)

  34. Meier, W., Pasalic, E., Carlet, C.: Algebraic attacks and decomposition of Boolean functions. In: Advances in Cryptology—EUROCRYPT 2004. vol. 3027 of Lecture Notes in Computer Science, pp. 474–491, Springer (2004)

  35. Golić, J.: Cryptanalysis of alleged A5 stream cipher. In: Fumy, W. (ed.) Advances in Cryptology—EUROCRYPT 1997. vol. 1233 of Lecture Notes in Computer Science, pp. 239–255, Springer (1997)

  36. Babbage, S.: A space/time tradeoff in exhaustive search attacks on stream ciphers. In: European Convention on Security and Detection, no. 408 in IEE Conference Publication (1995)

  37. Biryukov, A., Shamir, A.: Cryptanalytic time/memory/data tradeoffs for stream ciphers. In: Okamoto, T. (ed.) Advances in Cryptology—ASIACRYPT 2000. vol. 1976 of Lecture Notes in Computer Science, pp. 1–13, Springer (2000)

  38. Hong, J., Sarkar, P.: New applications of time memory data tradeoffs. In: Roy, B. (ed.) Advances in Cryptology—ASIACRYPT 2005. vol. 3788 of Lecture Notes in Computer Science, pp. 353–372, Springer (2005)

  39. Hellman, M.: A cryptanalytic time-memory trade-off. IEEE Trans. Inf. Theory IT-26, 401–406 (1980)

  40. Mihaljevic, M.J., Gangopadhyay, S., Paul, G., Imai, H.: Internal state recovery of Grain-v1 employing normality order of the filter function. IET Inf. Secur. 6(2), 55–64 (2012)

  41. Mihaljevic, M.J., Gangopadhyay, S., Paul, G., Imai, H.: Generic cryptographic weakness of k-normal Boolean functions in certain stream ciphers and cryptanalysis of Grain-128. Period. Math. Hung. 65(2), 205–227 (2012)

  42. Bernstein, D.J.: Understanding brute force. eSTREAM, ECRYPT Stream Cipher Project, Report 2005/036 (2005). http://www.ecrypt.eu.org/stream

  43. Dinur, I., Shamir, A.: Cube Attacks on Tweakable Black Box Polynomials. In: Joux, A. (ed.) Advances in Cryptology—EUROCRYPT 2009. vol. 5479 of Lecture Notes in Computer Science, pp. 278–299, Springer (2009)

  44. Vielhaber, M.: Breaking ONE.FIVIUM by AIDA, an Algebraic IV Differential Attack. Cryptology ePrint Archive, Report 2007/413 (2007). http://eprint.iacr.org/2007/413/

  45. Saarinen, M.-J.O.: Chosen-IV statistical attacks on eSTREAM stream ciphers. In: Proc. Stream Ciphers Revisited (SASC 2006) (2006)

  46. Stankovski, P.: Greedy distinguishers and nonrandomness detectors. In: Gong, G., Gupta, K.C. (eds.) Progress in Cryptology—INDOCRYPT 2010. vol. 6498 of Lecture Notes in Computer Science, pp. 210–226, Springer (2010)

  47. Biham, E., Dunkelman, O.: Differential cryptanalysis in stream ciphers. Cryptology ePrint Archive, Report 2007/218 (2007). http://eprint.iacr.org/

Acknowledgments

This work was carried out during the research visits of the authors to the security group at Ericsson Research in 2013–2014 and was supported by the grants SM12-0005 and SM12-0025 from the Swedish Foundation for Strategic Research. The authors would like to thank Mats Näslund and Ben Smeets from Ericsson Research for their help with this work, for sharing their expertise and for providing many valuable comments and suggestions on the design.

Author information

Corresponding author

Correspondence to Elena Dubrova.

Appendix: Test vectors

In producing the test vectors, the byte order is treated as taking the Least Significant Bit (LSB) first. Thus the LSB of the first byte of the key is index 0 of the state, the LSB of the second byte is index 8, etc. Similarly, for the IV the LSB of the first byte is index 128 of the state, etc. The keystream bytes KS are also filled LSB first.

Test vector 1:

$$\begin{array}{@{}rcl@{}} \text{key}[0], \text{key}[1],\ldots, \text{key}[15] &=& \text{00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F}\\ \text{IV}[0], \text{IV}[1],\ldots, \text{IV}[11] &=& \text{00 01 02 03 04 05 06 07 08 09 0A 0B}\\ \text{KS}[0], \text{KS}[1],\ldots, \text{KS}[19] &=& \text{E6 AF DE 2F AC B5 C8 9A AB E9 36 1B F8 13} \\ &&\text{9C 96 A6 3D E3 9F} \end{array} $$

Test vector 2:

$$\begin{array}{@{}rcl@{}} \text{key}[0], \text{key}[1],\ldots, \text{key}[15] &=& \text{0F 0E 0D 0C 0B 0A 09 08 07 06 05 04 03 02 01 00}\\ \text{IV}[0], \text{IV}[1],\ldots, \text{IV}[11] &=& \text{0F 0E 0D 0C 0B 0A 09 08 07 06 05 04}\\ \text{KS}[0], \text{KS}[1],\ldots, \text{KS}[19] &=& \text{FF 54 4B 4C 38 4F C3 11 F3 43 FC 97 B4 B5 46}\\ &&\text{31 E3 2D 22 F2} \end{array} $$

The treatment of bits presented above is made for the purpose of interpreting the Appendix test vectors only. The stream cipher is bit-oriented, and if a certain application finds it more appropriate or efficient to treat the order of bits differently when assigning bytes, it will still be a valid use of the cipher. In such a case, the application has to define how it treats the bit order.
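The byte-to-state-index convention above is where most test-vector mismatches in a new implementation come from, so here it is spelled out in code. This is an added example written for this page, not the paper's or any project's implementation; it takes the key, IV and keystream bytes of test vector 1 from the Appendix and shows only the loading and packing conventions, since the cipher's update function is not given on this page.

```python
# Added example: the LSB-first byte-to-state-index convention of the Appendix.
# Only the key/IV loading and keystream packing are shown; no keystream is
# generated here because the feedback functions are not part of this page.

KEY_BYTES = 16   # 128-bit key occupies state indices 0..127
IV_BYTES = 12    # 96-bit IV occupies state indices 128..223
IV_OFFSET = 128  # index of the LSB of IV[0], as stated in the Appendix


def bytes_to_bits_lsb_first(data: bytes) -> list:
    """Expand bytes into a bit list, least significant bit of each byte first."""
    return [(b >> i) & 1 for b in data for i in range(8)]


def bits_to_bytes_lsb_first(bits: list) -> bytes:
    """Inverse of bytes_to_bits_lsb_first; len(bits) must be a multiple of 8."""
    if len(bits) % 8:
        raise ValueError("bit count must be a multiple of 8")
    out = bytearray()
    for k in range(0, len(bits), 8):
        out.append(sum(bit << i for i, bit in enumerate(bits[k:k + 8])))
    return bytes(out)


def load_key_iv(key: bytes, iv: bytes) -> dict:
    """Map key and IV bytes to state bit indices as the Appendix specifies:
    LSB of key[j] -> index 8*j, LSB of IV[j] -> index 128 + 8*j."""
    if len(key) != KEY_BYTES or len(iv) != IV_BYTES:
        raise ValueError("key must be 16 bytes and IV 12 bytes")
    state = {}
    for idx, bit in enumerate(bytes_to_bits_lsb_first(key)):
        state[idx] = bit
    for idx, bit in enumerate(bytes_to_bits_lsb_first(iv)):
        state[IV_OFFSET + idx] = bit
    return state


# Test vector 1 from the Appendix (key, IV and the 20 keystream bytes).
TV1_KEY = bytes(range(16))
TV1_IV = bytes(range(12))
TV1_KS = bytes.fromhex("E6AFDE2FACB5C89AABE9361BF8139C96A63DE39F")

if __name__ == "__main__":
    state = load_key_iv(TV1_KEY, TV1_IV)
    print("state[8] (LSB of key[1] = 0x01):", state[8])
    print("state[128..135] (IV[0] = 0x00):", [state[128 + i] for i in range(8)])
    ks_bits = bytes_to_bits_lsb_first(TV1_KS)
    print("keystream bits 0..7 (KS[0] = 0xE6, LSB first):", ks_bits[:8])
    assert bits_to_bytes_lsb_first(ks_bits) == TV1_KS  # round trip
```

Comparing an implementation's first keystream bits against `bytes_to_bits_lsb_first(TV1_KS)` bit by bit, rather than against the hex string, makes a bit-order error show up at the first byte instead of as a wholesale mismatch.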


Cite this article

Dubrova, E., Hell, M. Espresso: A stream cipher for 5G wireless communication systems. Cryptogr. Commun. 9, 273–289 (2017). https://doi.org/10.1007/s12095-015-0173-2


  • DOI: https://doi.org/10.1007/s12095-015-0173-2

Keywords

  • Stream cipher
  • Encryption
  • FSR
  • Wireless
  • 5G

Mathematics Subject Classification (2010)

  • 94A60
  • 68P25
  • 11T71