Skip to main content

FAN: A Lightweight Authenticated Cryptographic Algorithm

  • 1288 Accesses

Part of the Lecture Notes in Computer Science book series (LNSC,volume 12704)


The wide application of the low-end embedded devices has largely stimulated the development of lightweight ciphers. In this paper, we propose a new lightweight authenticated encryption with additional data (AEAD) algorithm, named as Fan, which is based on a first non-Grain-like small-state stream cipher that adopts a novel block-wise structure, inspired by the 4-blade daily electric fan. It takes a 128-bit key, a 64-bit initial vector (IV), and a 192-bit state, promising 128-bit security and up to 72-bit authentication tag with the IV-respecting restriction. It consists of a nonlinear spindle, four linear blades and an accumulator, and updates by constant mutual feedbacks between the linear and nonlinear parts, which rapidly provides highly confused level by parallel diffusing the fastest-changing state of spindle. The key is used both in the initialization and generation phases as part of input and state respectively, making Fan suitable for resource-constrained scenarios with internal state diminishment but no security loss. A thorough security evaluation of the entire AEAD mode is provided, which shows that Fan can achieve enough security margin against known attacks. Furthermore, Fan can be implemented efficiently not only in hardware environments but also in software platforms, whose operations are carefully chosen for bit-slice technique, especially the S-box is newly designed efficiently implemented by logic circuit. The hardware implementation requires about 2327 GE on 90 nm technology with a throughput of 9.6 Gbps. The software implementation runs about 8.0 cycle/byte.


  • Lightweight design
  • Authenticated encryption
  • Stream cipher
  • Small-state
  • Implementation efficiency

Supported by the National Natural Science Foundation of China (No. 61902030, 62002024, 62022018).

This is a preview of subscription content, access via your institution.

Buying options

USD   29.95
Price excludes VAT (USA)
  • DOI: 10.1007/978-3-030-75539-3_13
  • Chapter length: 27 pages
  • Instant PDF download
  • Readable on all devices
  • Own it forever
  • Exclusive offer for individuals only
  • Tax calculation will be finalised during checkout
USD   109.00
Price excludes VAT (USA)
  • ISBN: 978-3-030-75539-3
  • Instant PDF download
  • Readable on all devices
  • Own it forever
  • Exclusive offer for individuals only
  • Tax calculation will be finalised during checkout
Softcover Book
USD   139.99
Price excludes VAT (USA)
Fig. 1.
Fig. 2.
Fig. 3.
Fig. 4.
Fig. 5.
Fig. 6.
Fig. 7.


  1. 1.

    Since the self-synchronizing stream cipher mode can be seen as part of the AEAD mode, we do not describe this work mode separately in the following text.

  2. 2.

    \(m^t\) can be \(ad^t,p^t\) or some padding constant given in the following description.

  3. 3.

    \(rc_7\) is used as an initialization/encryption indicator.

  4. 4.

    FAN’s structure is fundamentally different from Enocoro’s, rather than incremental push. FAN divides the buffer in Enocoro into four blades to confuse entire state rapidly by parallel constant mutual feedbacks between nonlinear and linear parts; FAN adds a new component-accumulator to concentrate and maintain the properties from entire state, further disseminate back and participate in keystream generation; FAN’s spindle updates by S-P-S network rather than the S-XOR mode in Enocoro; FAN is a CKU cipher. Above all, to provide same security level but much better performance, FAN’s state is 196-bit, much smaller than Enocoro128v2’s 272-bit.

  5. 5.

    S-box of AES is not used in Fan for its large area requirement of 195 GE on 90 nm CMOS technology to implement its core operation - the inverse function.

  6. 6.

    AES-NI implements full AES rounds in a single instruction. Here, we use only the linear layer of AES, but not the S-box layer, hence we cannot simply use an AES-NI instruction by itself. However, combining AESENC and AESDECLAST yields the MixColumns layer. This still provides a large performance boost: in our experiments, the cost of one AES-NI instruction is similar to three simple XORs.

  7. 7.

    We normalize the measurement of software implementation rate by cycles/byte to reduce the impact of the CPUs. Here we only consider the performance of confidentiality without integrity for uniform comparison with other stream ciphers.


  1. ebacs: Ecrypt benchmarking of cryptographic systems.

  2. Ahmadi, H., Eghlidos, T.: Heuristic guess-and-determine attacks on stream ciphers. IET Inf. Secur. 3(2), 66–73 (2009).

    CrossRef  Google Scholar 

  3. Aminghafari, V., Hu, H.: Fruit: ultra-lightweight stream cipher with shorter internal state. IACR Cryptology ePrint Archive 2016, 355 (2016).

  4. Armknecht, F., Mikhalev, V.: On lightweight stream ciphers with shorter internal states. In: Fast Software Encryption - 22nd International Workshop, FSE 2015, Istanbul, Turkey, 8–11 March 2015, Revised Selected Papers, pp. 451–470 (2015).

  5. Biryukov, A., Shamir, A.: Cryptanalytic time/memory/data tradeoffs for stream ciphers. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, pp. 1–13. Springer, Heidelberg (2000).

    CrossRef  Google Scholar 

  6. Canniere, C.D., Preneel, B.: Trivium specifications. eSTREAM, ECRYPT Stream Cipher Project, Citeseer (2005)

    Google Scholar 

  7. Canteaut, A., Duval, S., Leurent, G.: Construction of lightweight s-boxes using Feistel and MISTY structures. In: Dunkelman, O., Keliher, L. (eds.) SAC 2015. LNCS, vol. 9566, pp. 373–393. Springer, Cham (2016).

    CrossRef  Google Scholar 

  8. Dinur, I., Shamir, A.: Cube attacks on Tweakable black box polynomials. In: Joux, A. (ed.) EUROCRYPT 2009. LNCS, vol. 5479, pp. 278–299. Springer, Heidelberg (2009).

    CrossRef  Google Scholar 

  9. Esgin, M.F., Kara, O.: Practical cryptanalysis of full sprout with TMD tradeoff attacks. In: Dunkelman, O., Keliher, L. (eds.) SAC 2015. LNCS, vol. 9566, pp. 67–85. Springer, Cham (2016).

    CrossRef  Google Scholar 

  10. Faugère, J., Horan, K., Kahrobaei, D., Kaplan, M., Kashefi, E., Perret, L.: Fast quantum algorithm for solving multivariate quadratic equations. CoRR abs/1712.07211 (2017).

  11. Hamann, M., Krause, M.: On stream ciphers with provable beyond-the-birthday-bound security against time-memory-data tradeoff attacks. Cryptogr. Commun. 10(5), 959–1012 (2018).

    MathSciNet  CrossRef  MATH  Google Scholar 

  12. Hell, M., Johansson, T., Maximov, A., Meier, W.: The grain family of stream ciphers. In: New Stream Cipher Designs - The eSTREAM Finalists, pp. 179–190 (2008).

  13. Hell, M., Johansson, T., Meier, W., Sönnerup, J., Yoshida, H.: An AEAD variant of the grain stream cipher. In: Carlet, C., Guilley, S., Nitaj, A., Souidi, E.M. (eds.) C2SI 2019. LNCS, vol. 11445, pp. 55–71. Springer, Cham (2019).

    CrossRef  Google Scholar 

  14. Hitachi, L.: Stream cipher Enocoro specification ver. 2.0 and evaluation report. CRYPTREC submission package (2010).

  15. Kumar, S., Haj-Yihia, J., Khairallah, M., Chattopadhyay, A.: A comprehensive performance analysis of hardware implementations of CAESAR candidates. IACR Cryptol. ePrint Arch. 2017, 1261 (2017).

  16. Robshaw, M., Billet, O. (eds.): New Stream Cipher Designs. The eSTREAM Finalists. LNCS, vol. 4986. Springer, Heidelberg (2008).

    CrossRef  MATH  Google Scholar 

  17. Maximov, A.: AES mixcolumn with 92 XOR gates. Cryptology ePrint Archive, Report 2019/833 (2019).

  18. Mikhalev, V., Armknecht, F., Müller, C.: On ciphers that continuously access the non-volatile key. IACR Transactions on Symmetric Cryptology 2016(2), 52–79 (2016).

  19. National Institute of Standards and Technology: Advanced encryption standard. NIST FIPS PUB 197 (2001)

    Google Scholar 

  20. Todo, Y., Isobe, T., Hao, Y., Meier, W.: Cube attacks on non-blackbox polynomials based on division property. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10403, pp. 250–279. Springer, Cham (2017).

    CrossRef  Google Scholar 

  21. Todo, Y., Isobe, T., Meier, W., Aoki, K., Zhang, B.: Fast correlation attack revisited: cryptanalysis on full grain-128a, grain-128, and grain-v1. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018. LNCS, vol. 10992, pp. 129–159. Springer, Cham (2018).

    CrossRef  Google Scholar 

  22. TSMC: TSMC 90nm cln90g process sage-xtm v3.0 standard cell library databook (March 2005 Release 11)

    Google Scholar 

  23. Wang, Q., et al.: Improved division property based cube attacks exploiting algebraic properties of superpoly. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018. LNCS, vol. 10991, pp. 275–305. Springer, Cham (2018).

    CrossRef  Google Scholar 

  24. Zhang, B., Gong, X.: Another tradeoff attack on sprout-like stream ciphers. In: Iwata, T., Cheon, J.H. (eds.) ASIACRYPT 2015. LNCS, vol. 9453, pp. 561–585. Springer, Heidelberg (2015).

    CrossRef  Google Scholar 

Download references

Author information

Authors and Affiliations


Editor information

Editors and Affiliations


7 Appendix 1: Test Vector

Test vectors for Fan are shown in hexadecimal notation as follows:

  1. 1.

    For \(K_i =\,\)0x00 for \(i=\,0,1,\ldots ,15\), \(IV_i =\,\)0x00 for \(i=\,0,1,\ldots ,7\), \(AD =\,\)0x00,...,0x00 with the length of 1000 bits, and \(P =\,\)0x00,...,0x00 with the length of 1000 bits, the 43 ciphertext blocks are





    982ede,9be801,4f4359, and the 72-bit tag is 3a4003,dfd872,051da1.

  2. 2.

    For \(K_i =\,\)0xff for \(i=\,0,1,\ldots ,15\), \(IV_i =\,\)0xff for \(i=\,0,1,\ldots ,7\), \(AD =\,\)0xff,...,0xff with the length of 1000 bits, and \(P =\,\)0xff,...,0xff with the length of 1000 bits, the 43 ciphertext blocks are





    b0cdd1,b71eff,c3761e, and the 72-bit tag is a8255a,f41333,05928c.

8 Appendix 2: AES MixColumn with 92 XOR Gates

The compact implementation of AES MixColumn with 92 XOR gates and depth 6 [17] is shown as follows.

figure e

9 Appendix 3: Comparison Outline Diagram for Different Phases

To show the differences for all phases, we focus on the spindle shown in Fig. 8, since the blades and accumulator update part are not differing much from each other.

10 Appendix 4: Gate Count for Fan

For the hardware implementation of Fan, the area requirement is occupied as shown in Table 7, according to the 90 nm Digital Standard Cell Library given in Table 6 referred to [22].

Fig. 8.
figure 8

The main difference: state update function of the spindle in different phases.

Table 6. Reference of 90 nm digital standard cell library
Table 7. Gate count for Fan

Rights and permissions

Reprints and Permissions

Copyright information

© 2021 Springer Nature Switzerland AG

About this paper

Verify currency and authenticity via CrossMark

Cite this paper

Jiao, L., Feng, D., Hao, Y., Gong, X., Du, S. (2021). FAN: A Lightweight Authenticated Cryptographic Algorithm. In: Paterson, K.G. (eds) Topics in Cryptology – CT-RSA 2021. CT-RSA 2021. Lecture Notes in Computer Science(), vol 12704. Springer, Cham.

Download citation

  • DOI:

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-75538-6

  • Online ISBN: 978-3-030-75539-3

  • eBook Packages: Computer ScienceComputer Science (R0)