Abstract
The wide deployment of low-end embedded devices has strongly stimulated the development of lightweight ciphers. In this paper, we propose a new lightweight authenticated encryption with additional data (AEAD) algorithm, named Fan, which is based on the first non-Grain-like small-state stream cipher that adopts a novel block-wise structure, inspired by the four-blade household electric fan. It takes a 128-bit key, a 64-bit initial vector (IV) and a 192-bit state, promising 128-bit security and an authentication tag of up to 72 bits under the IV-respecting restriction. It consists of a nonlinear spindle, four linear blades and an accumulator, and is updated by constant mutual feedback between the linear and nonlinear parts, which rapidly reaches a high level of confusion by diffusing the fastest-changing spindle state in parallel. The key is used both in the initialization phase, as part of the input, and in the generation phase, as part of the state, making Fan suitable for resource-constrained scenarios with a reduced internal state but no loss of security. A thorough security evaluation of the entire AEAD mode is provided, showing that Fan achieves a sufficient security margin against known attacks. Furthermore, Fan can be implemented efficiently not only in hardware but also on software platforms: its operations are carefully chosen for the bit-slice technique, and in particular the S-box is newly designed to be implemented efficiently as a logic circuit. The hardware implementation requires about 2327 GE on 90 nm technology with a throughput of 9.6 Gbps. The software implementation runs at about 8.0 cycles/byte.
Supported by the National Natural Science Foundation of China (No. 61902030, 62002024, 62022018).
Notes
1. Since the self-synchronizing stream cipher mode can be seen as part of the AEAD mode, we do not describe this mode of operation separately in the following text.
2. \(m^t\) can be \(ad^t\), \(p^t\) or some padding constant given in the following description.
3. \(rc_7\) is used as an initialization/encryption indicator.
4. FAN's structure is fundamentally different from Enocoro's, rather than an incremental extension of it. FAN divides the buffer of Enocoro into four blades in order to confuse the entire state rapidly by constant parallel mutual feedback between the nonlinear and linear parts; FAN adds a new component, the accumulator, to concentrate and maintain the properties of the entire state, disseminate them back and take part in keystream generation; FAN's spindle is updated by an S-P-S network rather than the S-XOR mode of Enocoro; and FAN is a CKU cipher. Above all, to provide the same security level with much better performance, FAN's state is 196-bit, much smaller than the 272-bit state of Enocoro128v2.
5. The AES S-box is not used in Fan because of its large area requirement: implementing its core operation, the inverse function, costs 195 GE on 90 nm CMOS technology.
6. AES-NI implements full AES rounds in a single instruction. Here we use only the linear layer of AES, not the S-box layer, so we cannot simply use an AES-NI instruction by itself. However, combining AESENC and AESDECLAST yields the MixColumns layer. This still provides a large performance boost: in our experiments, the cost of one AES-NI instruction is similar to that of three simple XORs.
7. We normalize the measurement of the software implementation rate to cycles/byte to reduce the impact of the CPU. Here we only consider the performance of confidentiality without integrity, for uniform comparison with other stream ciphers.
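Note 6 relies on the fact that the AES-NI round instructions can be combined to isolate MixColumns. The following added example (not code from the paper) emulates the AESENC and AESDECLAST round semantics in pure Python to show why this works: applying AESDECLAST with a zero round key and then AESENC with a zero round key cancels the byte-wise and row-permutation layers and leaves exactly MixColumns. The software emulation, the helper names and the all-zero round keys are assumptions of this example, not part of the paper.

```python
# Added example (not the paper's code): software emulation of the AESENC and
# AESDECLAST round semantics; byte order is FIPS 197 column-major, round keys zero.

def gf_mul(a, b):  # multiply in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1
    r = 0
    for _ in range(8):
        if b & 1:
            r ^= a
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return r

def _make_sbox():  # derive the AES S-box from its definition: GF(2^8) inverse, then affine map
    sbox = []
    for x in range(256):
        inv = next((y for y in range(256) if gf_mul(x, y) == 1), 0)
        s = 0x63
        for i in range(5):  # s = inv ^ rotl(inv,1) ^ ... ^ rotl(inv,4) ^ 0x63
            s ^= ((inv << i) | (inv >> (8 - i))) & 0xFF
        sbox.append(s)
    return sbox

SBOX = _make_sbox()
INV_SBOX = [SBOX.index(i) for i in range(256)]
ZERO_KEY = bytes(16)

def sub_bytes(s, table=SBOX):
    return bytes(table[b] for b in s)
def shift_rows(s, inverse=False):
    """Row r rotates by r positions; byte (row r, column c) lives at index 4*c + r."""
    d = -1 if inverse else 1
    return bytes(s[4 * ((c + d * r) % 4) + r] for c in range(4) for r in range(4))

def mix_columns(s):
    out = bytearray(16)
    for c in range(4):
        a = s[4 * c:4 * c + 4]
        for r in range(4):
            out[4 * c + r] = (gf_mul(a[r], 2) ^ gf_mul(a[(r + 1) % 4], 3)
                              ^ a[(r + 2) % 4] ^ a[(r + 3) % 4])
    return bytes(out)

def aesenc(s, rk):      # one full encryption round, as the AESENC instruction computes it
    return bytes(x ^ k for x, k in zip(mix_columns(sub_bytes(shift_rows(s))), rk))
def aesdeclast(s, rk):  # final decryption round (no InvMixColumns), as AESDECLAST computes it
    return bytes(x ^ k for x, k in zip(sub_bytes(shift_rows(s, True), INV_SBOX), rk))
def mix_columns_via_aesni(s):
    """AESDECLAST undoes the byte layers that AESENC then re-applies, leaving MixColumns."""
    return aesenc(aesdeclast(s, ZERO_KEY), ZERO_KEY)
```

Reversing the order (AESENC first, then AESDECLAST) does not cancel, since MixColumns would then sit between the two byte layers instead of after them.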
References
eBACS: ECRYPT Benchmarking of Cryptographic Systems. https://bench.cr.yp.to/results-stream.html
Ahmadi, H., Eghlidos, T.: Heuristic guess-and-determine attacks on stream ciphers. IET Inf. Secur. 3(2), 66–73 (2009). https://doi.org/10.1049/iet-ifs.2008.0013
Aminghafari, V., Hu, H.: Fruit: ultra-lightweight stream cipher with shorter internal state. IACR Cryptology ePrint Archive 2016, 355 (2016). http://eprint.iacr.org/2016/355
Armknecht, F., Mikhalev, V.: On lightweight stream ciphers with shorter internal states. In: Fast Software Encryption - 22nd International Workshop, FSE 2015, Istanbul, Turkey, 8–11 March 2015, Revised Selected Papers, pp. 451–470 (2015). https://doi.org/10.1007/978-3-662-48116-5_22
Biryukov, A., Shamir, A.: Cryptanalytic time/memory/data tradeoffs for stream ciphers. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, pp. 1–13. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-44448-3_1
De Cannière, C., Preneel, B.: Trivium specifications. eSTREAM, ECRYPT Stream Cipher Project (2005)
Canteaut, A., Duval, S., Leurent, G.: Construction of lightweight S-boxes using Feistel and MISTY structures. In: Dunkelman, O., Keliher, L. (eds.) SAC 2015. LNCS, vol. 9566, pp. 373–393. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-31301-6_22
Dinur, I., Shamir, A.: Cube attacks on tweakable black box polynomials. In: Joux, A. (ed.) EUROCRYPT 2009. LNCS, vol. 5479, pp. 278–299. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-01001-9_16
Esgin, M.F., Kara, O.: Practical cryptanalysis of full Sprout with TMD tradeoff attacks. In: Dunkelman, O., Keliher, L. (eds.) SAC 2015. LNCS, vol. 9566, pp. 67–85. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-31301-6_4
Faugère, J., Horan, K., Kahrobaei, D., Kaplan, M., Kashefi, E., Perret, L.: Fast quantum algorithm for solving multivariate quadratic equations. CoRR abs/1712.07211 (2017). http://arxiv.org/abs/1712.07211
Hamann, M., Krause, M.: On stream ciphers with provable beyond-the-birthday-bound security against time-memory-data tradeoff attacks. Cryptogr. Commun. 10(5), 959–1012 (2018). https://doi.org/10.1007/s12095-018-0294-5
Hell, M., Johansson, T., Maximov, A., Meier, W.: The Grain family of stream ciphers. In: New Stream Cipher Designs - The eSTREAM Finalists, pp. 179–190 (2008). https://doi.org/10.1007/978-3-540-68351-3_14
Hell, M., Johansson, T., Meier, W., Sönnerup, J., Yoshida, H.: An AEAD variant of the Grain stream cipher. In: Carlet, C., Guilley, S., Nitaj, A., Souidi, E.M. (eds.) C2SI 2019. LNCS, vol. 11445, pp. 55–71. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-16458-4_5
Hitachi, Ltd.: Stream cipher Enocoro specification ver. 2.0 and evaluation report. CRYPTREC submission package (2010). http://www.hitachi.com/rd/yrl/crypto/enocoro/
Kumar, S., Haj-Yihia, J., Khairallah, M., Chattopadhyay, A.: A comprehensive performance analysis of hardware implementations of CAESAR candidates. IACR Cryptol. ePrint Arch. 2017, 1261 (2017). http://eprint.iacr.org/2017/1261
Robshaw, M., Billet, O. (eds.): New Stream Cipher Designs. The eSTREAM Finalists. LNCS, vol. 4986. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-68351-3
Maximov, A.: AES MixColumn with 92 XOR gates. Cryptology ePrint Archive, Report 2019/833 (2019). https://eprint.iacr.org/2019/833
Mikhalev, V., Armknecht, F., Müller, C.: On ciphers that continuously access the non-volatile key. IACR Transactions on Symmetric Cryptology 2016(2), 52–79 (2016). https://doi.org/10.13154/tosc.v2016.i2.52-79
National Institute of Standards and Technology: Advanced encryption standard. NIST FIPS PUB 197 (2001)
Todo, Y., Isobe, T., Hao, Y., Meier, W.: Cube attacks on non-blackbox polynomials based on division property. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10403, pp. 250–279. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63697-9_9
Todo, Y., Isobe, T., Meier, W., Aoki, K., Zhang, B.: Fast correlation attack revisited: cryptanalysis on full Grain-128a, Grain-128, and Grain-v1. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018. LNCS, vol. 10992, pp. 129–159. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96881-0_5
TSMC: TSMC 90nm cln90g process sage-xtm v3.0 standard cell library databook (March 2005 Release 11)
Wang, Q., et al.: Improved division property based cube attacks exploiting algebraic properties of superpoly. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018. LNCS, vol. 10991, pp. 275–305. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96884-1_10
Zhang, B., Gong, X.: Another tradeoff attack on Sprout-like stream ciphers. In: Iwata, T., Cheon, J.H. (eds.) ASIACRYPT 2015. LNCS, vol. 9453, pp. 561–585. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48800-3_23
Appendices
7 Appendix 1: Test Vector
Test vectors for Fan are shown in hexadecimal notation as follows:
1. For \(K_i =\,\)0x00 for \(i=\,0,1,\ldots ,15\), \(IV_i =\,\)0x00 for \(i=\,0,1,\ldots ,7\), \(AD =\,\)0x00,...,0x00 with a length of 1000 bits, and \(P =\,\)0x00,...,0x00 with a length of 1000 bits, the 43 ciphertext blocks are
e29535,b2b2ea,50e2ef,1b5efa,c60360,cb0f96,8befa5,a0320e,7aebab,487cb6,
3c1b7f,c59257,9dfb14,b11fec,6a5d00,0d9e2d,e90c43,d764f5,aeeeb8,16d92b,
dbef72,b18a89,5f3c53,63458e,c5598a,05192d,60a802,eaf8af,23cd9d,dfd45e,
d5861c,351acc,2c65ce,42ceed,4c6bf9,a1d5a7,9bca1a,76eeaf,f57e22,dc6a35,
982ede,9be801,4f4359, and the 72-bit tag is 3a4003,dfd872,051da1.
2. For \(K_i =\,\)0xff for \(i=\,0,1,\ldots ,15\), \(IV_i =\,\)0xff for \(i=\,0,1,\ldots ,7\), \(AD =\,\)0xff,...,0xff with a length of 1000 bits, and \(P =\,\)0xff,...,0xff with a length of 1000 bits, the 43 ciphertext blocks are
2ee752,8fc727,71e76c,8ef6f2,35ba5d,766f7b,950166,f57fa4,aecc81,e8ec28,
1c5146,a5a477,9ad473,835004,169666,1fd55d,3e2df9,866f6a,744317,99f6c8,
083573,9cbb54,6a3003,e16638,f67cb5,3ec873,ea2220,dab472,f8fdeb,9dba39,
88f6d6,784c90,9f1875,34b40d,8547b1,9cc976,12d5b5,a43ed9,f62af8,160427,
b0cdd1,b71eff,c3761e, and the 72-bit tag is a8255a,f41333,05928c.
8 Appendix 2: AES MixColumn with 92 XOR Gates
The compact implementation of AES MixColumn with 92 XOR gates and depth 6 [17] is shown as follows.
9 Appendix 3: Comparison Outline Diagram for Different Phases
To show the differences between the phases, we focus on the spindle shown in Fig. 8, since the blade and accumulator update parts differ little from one phase to another.
10 Appendix 4: Gate Count for Fan
For the hardware implementation of Fan, the area breakdown is shown in Table 7, based on the 90 nm digital standard cell library given in Table 6, which is taken from [22].
Copyright information
© 2021 Springer Nature Switzerland AG
Cite this paper
Jiao, L., Feng, D., Hao, Y., Gong, X., Du, S. (2021). FAN: A Lightweight Authenticated Cryptographic Algorithm. In: Paterson, K.G. (eds) Topics in Cryptology – CT-RSA 2021. CT-RSA 2021. Lecture Notes in Computer Science(), vol 12704. Springer, Cham. https://doi.org/10.1007/978-3-030-75539-3_13
DOI: https://doi.org/10.1007/978-3-030-75539-3_13
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-75538-6
Online ISBN: 978-3-030-75539-3