LIZARD - A Lightweight Stream Cipher for Power-constrained Devices

Time-memory-data (TMD) tradeoff attacks limit the security level of many classical stream ciphers (such as E0, A5/1, Trivium and Grain) to n/2, where n denotes the inner state length of the underlying keystream generator. In this paper, we present Lizard, a lightweight stream cipher for power-constrained devices like passive RFID tags. Its hardware efficiency results from combining a Grain-like design with the FP(1)-mode, a recently suggested construction principle for the state initialization of stream ciphers, which offers provable 2n/3-security against TMD tradeoff attacks aiming at key recovery. Lizard uses 120-bit keys, 64-bit IVs and has an inner state length of 121 bits. It is supposed to provide 80-bit security against key recovery attacks. Lizard allows generating up to 2^18 keystream bits per key/IV pair, which would be sufficient for many existing communication scenarios like Bluetooth, WLAN or HTTPS.
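The two bounds quoted in the abstract, worked through with the paper's own parameters (an added illustration, not text from the paper; the generic tradeoff written out below is the Babbage-Golic form, which is my assumption about which tradeoff the abstract has in mind):

$$
\begin{aligned}
&\text{Generic TMD tradeoff: precompute } M \text{ inner states with their keystream prefixes,}\\
&\text{observe } D \text{ keystream windows online; a match is expected once } M \cdot D \approx 2^{n},\\
&\text{with online time } T = D, \text{ hence } T \cdot M = 2^{n}.\\
&\text{Balanced point: } T = M = D = 2^{n/2}.\\
&\text{Lizard, } n = 121:\quad 2^{n/2} = 2^{60.5}, \text{ below the 80-bit target.}\\
&\text{FP(1)-mode bound: } 2^{2n/3} = 2^{80.67} \geq 2^{80}, \text{ matching the claimed 80-bit level.}\\
&\text{Data available to an attacker per key/IV pair: at most } 2^{18} \text{ keystream bits.}
\end{aligned}
$$

The arithmetic makes the design choice visible: with the classical n/2 bound, a 121-bit state would give only about 60 bits of security, so the 80-bit target depends on the initialization mode raising the bound to 2n/3, not on the state size alone. A practitioner checking a deployment should therefore treat the 2^18-bit keystream limit per key/IV pair as part of the security assumption and re-key before it is exhausted.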
