BSF 128 A New Synchronous Stream Cipher
Abstract:- The main aim of this paper is to introduce a new synchronous stream cipher
based on a 128-bit key length. The proposed design is named “BSF-128” and is primarily
based on a Non-Linear Feedback Shift Register (NFSR), a Feedback with Carry Shift
Register (FCSR) and an S-Box.
I. INTRODUCTION
Secret key cryptography has been used since the early days of cryptography and is still in use, even after the
invention of public key cryptography, due to its efficiency in terms of speed, error propagation and low
implementation costs. After the standardization of block ciphers, the focus has shifted significantly towards
stream cipher standardization due to its usefulness in applications where limited hardware resources are
available and very fast encryption is required. One major initiative of this kind was started by the European
Union in the form of “eSTREAM” [1], and Grain [2] was one of the selected candidates in the hardware profile.
Grain uses two shift registers, one LFSR and one NFSR. Many cryptanalytic attacks [3, 4, 5, 6] were
reported against Grain, mainly due to the inherent weaknesses of LFSRs. Although LFSRs are widely
used due to their good statistical properties, LFSR-based designs are susceptible to algebraic
and correlation attacks due to the inherent weakness of linearity [7, 8, 9, 10]. A new primitive, the FCSR
(Feedback with Carry Shift Register), was proposed by Klapper and Goresky in [11]. As a substitute for
LFSRs, FCSRs not only have good statistical and pseudorandom properties like LFSRs but are also
resistant to linear, algebraic and correlation attacks due to inherent non-linearity. A stream cipher, BEAN [12],
inspired by Grain, which uses two FCSRs in place of the NFSR and LFSR, was also proposed to overcome the
weaknesses of LFSR-based designs. But cryptanalytic attacks were reported against the BEAN cipher [13,
14] and inherent weaknesses in its design were shown. The proposed stream cipher “BSF-128” is designed for
128-bit secret key applications and is based on Grain. In the next section the detailed design specification of
the proposed design BSF-128 is given. Finally, the analysis of the proposed design is
explained.
DOI: 03.AETS.2013.3.289
© Association of Computer Electronics and Electrical Engineers, 2013
In this proposed design a primitive polynomial f(x) of degree 128 has been used as feedback polynomial of
FCSR. The function f(x) is defined as:
$f(x) = 1 + x^{2} + x^{27} + x^{29} + x^{128}$ ……. (1)
[Figure: BSF-128 block diagram. Labels: g(x), f(x); NFSR, FCSR; 3 inputs || 5 inputs; S-Box (8x16); Vt; Vt1 (8 LSB), Vt2 (8 MSB); Vt3; 16-bit keystream Zt.]
A. S-Box
BSF-128 makes use of an S-Box of 8x16 configuration, which takes an 8-bit input and gives an output of 16 bits.
The S-Box used is a combination of the Skipjack S-Box and an S-box designed by ISRC at QUT, which has
also been used in the SOBER-t16 cipher [15] as well as in a recently proposed design called the Bokhari stream cipher
[16]. The 16-bit output from the S-box is then divided into two parts: the 8 LSBs (Least Significant Bits, Vt1)
and the 8 MSBs (Most Significant Bits, Vt2). The eight LSBs are passed through unchanged and the remaining eight MSBs
(Vt2) are XORed (⊕) with X to give Vt3 of eight bits. Vt1 and Vt3 are then concatenated, which finally
gives the 16-bit output keystream Zt.
B. Key Initialization
For key initialization, the 128-bit key is loaded into the NFSR and the 128-bit IV (Initialization Vector) is loaded into the FCSR.
Padding with ones is used if the key size is less than 128 bits. After loading the registers, the cipher is
clocked. The leftmost bit of the LSBs is fed back to the NFSR and the rightmost bit of the MSBs is fed back to
the FCSR in the next clocking.
The cipher is clocked 256 times without producing any keystream, to randomize the contents
of the two shift registers and flush any previously stored values out of them. Once randomization is
done, keystream is generated. The initialization phase is shown in Figure 2.
[Figure 2: initialization phase. Labels: g(x); NFSR, FCSR; 3 inputs || 5 inputs; S-Box (8x16); Vt; Vt1 (8 LSB), Vt2 (8 MSB); Vt3; 16-bit keystream Zt.]
Table 1. Test vectors
1. Input Keystream:  00000000000000000000000000000000
   IV:               00000000000000000000000000000000
   Output keystream: cdba15cdad02d48b7a52ad351b87a759
2. Input Keystream:  80000000000000000000000000000000
   IV:               80000000000000000000000000000000
   Output keystream: 2cd802bc3bc30948ff3a50ad105527a0
3. Input Keystream:  0123456789abcdef123456789abcdef0
   IV:               0123456789abcdef123456789abcdef0
   Output keystream: 3538af8c7a0b1656f05f8702ba0b936c
4. Input Keystream:  ffffffffffffffffffffffffffffffff
   IV:               ffffffffffffffffffffffffffffffff
   Output keystream: 161001f90052f3b164e864008c2cf787
A. Statistical Tests
Keystreams generated by the BSF-128 stream cipher have been analysed using the NIST statistical test suite [17].
The 15 tests included in the NIST test suite analyse the output keystream sequences for different statistical
properties desirable in cryptographic applications, such as randomness, linear complexity, etc.
No bias was found in any of the 15 tests conducted by the NIST test suite for keystreams generated by BSF-128,
and the keystream generated by the BSF-128 stream cipher was found to be cryptographically secure and random
for such applications and to possess sufficient properties to be secure against cryptanalytic attacks.
The algorithm has also been tested for extreme values of the input key and IV, and the output keystream
generated is still totally random. Some test vectors are given in Table 1.
B. Security Claims
Any attack on the BSF-128 stream cipher is believed to have a complexity greater than an exhaustive key search,
though we do not claim any mathematical proof of security. A brief analysis of several attacks on the BSF-128
stream cipher is given below.
Correlation Attack:- The use of an NFSR in conjunction with an FCSR provides a high level of non-linearity. The
tap sets and feedback functions have been chosen appropriately to disguise any short-distance correlations.
The effect can be enhanced for long-term correlation by regular modification of the state.
Guess and determine attacks:- The existence of a Guess and Determine attack relies on the tap sets rather than
individual NFSR operations [18]. The taps selected for BSF-128 were such that they could resist Guess and
Determine attacks. The tap sets used in the NFSR state update function {31, 59, and 75} and the FCSR update
function {21, 39, 51, 73 and 120} form a full positive difference set (FPDS) that prevents Guess and
Determine attacks.
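The full-positive-difference-set claim for the two tap sets can be checked directly. The following is an added example, not code from the paper; it assumes the usual definition that every pairwise positive difference between taps is distinct, and its helper names and counterexample tap set are constructed for illustration.

```python
from itertools import combinations

# Tap sets as quoted in the paper's guess-and-determine paragraph.
NFSR_TAPS = (31, 59, 75)
FCSR_TAPS = (21, 39, 51, 73, 120)


def positive_differences(taps):
    """All pairwise positive differences b - a (a < b), sorted ascending."""
    return sorted(b - a for a, b in combinations(sorted(taps), 2))


def repeated_differences(taps):
    """Map each difference produced by more than one tap pair to those pairs."""
    pairs_by_diff = {}
    for a, b in combinations(sorted(taps), 2):
        pairs_by_diff.setdefault(b - a, []).append((a, b))
    return {d: p for d, p in pairs_by_diff.items() if len(p) > 1}


def is_fpds(taps):
    """True if the taps are distinct and no pairwise difference repeats."""
    return len(set(taps)) == len(taps) and not repeated_differences(taps)


def audit(name, taps):
    """Summarise one tap set; a non-empty 'repeated' entry names the offending pairs."""
    return {
        "name": name,
        "differences": positive_differences(taps),
        "repeated": repeated_differences(taps),
        "fpds": is_fpds(taps),
    }


# Constructed counterexample (not from the paper): 4 - 0 == 8 - 4.
WEAK_TAPS = (0, 4, 8, 21)

if __name__ == "__main__":
    for label, taps in (("NFSR", NFSR_TAPS), ("FCSR", FCSR_TAPS),
                        ("constructed", WEAK_TAPS)):
        report = audit(label, taps)
        print(label, "FPDS" if report["fpds"] else "not FPDS",
              report["differences"], report["repeated"])
```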
Distinguishing Attacks:- A cipher cannot be considered strong enough for cryptographic applications if the
output sequence can be distinguished from a random sequence statistically.
BSF-128 is designed with a complex initialization and update function and no linear masking, to make it
immune to distinguishing attacks [19].
IV. CONCLUSION
In this paper, the design of a new synchronous stream cipher named BSF-128 has been proposed, which uses a 128-bit
secret key and an IV size of 128 bits. The design is based on an NFSR, an FCSR and an S-Box. A complete
description of the algorithm as well as some analysis of the cipher’s cryptographic strengths has been
discussed in the paper. The statistical analysis of the cipher’s output has been done and no bias has been
found in the generated keystreams. On the basis of the analysis of this stream cipher, we assume this cipher
to be secure against any cryptanalytic attack with complexity less than the exhaustive key search attack.
REFERENCES
[1] Robshaw, M. (2008). The eSTREAM project. In New Stream Cipher Designs (pp. 1-6). Springer Berlin Heidelberg.
[2] Hell, M., Johansson, T., Maximov, A., & Meier, W. (2006, July). A stream cipher proposal: Grain-128.
In Information Theory, 2006 IEEE International Symposium on (pp. 1614-1618). IEEE.
[3] Maximov, A. (2006, March). Cryptanalysis of the Grain family of stream ciphers. In Proceedings of the 2006 ACM
Symposium on Information, computer and communications security (pp. 283-288). ACM.
[4] Dinur, I., & Shamir, A. (2011, January). Breaking Grain-128 with dynamic cube attacks. In Fast Software
Encryption (pp. 167-187). Springer Berlin Heidelberg.
[5] Bjøstad, T. E. (2013). Cryptanalysis of Grain using Time/Memory/Data Tradeoffs.
[6] Banik, S., Maitra, S., & Sarkar, S. (2012). A differential fault attack on the grain family of stream ciphers.
In Cryptographic Hardware and Embedded Systems–CHES 2012 (pp. 122-139). Springer Berlin Heidelberg.
[7] Meier, W., & Staffelbach, O. (1989). Fast correlation attacks on certain stream ciphers. Journal of Cryptology, 1(3),
159-176.
[8] Menezes, A. J., Van Oorschot, P. C., & Vanstone, S. A. (2010). Handbook of applied cryptography. CRC press.
[9] Mihaljevic, M. J., & Golic, J. D. (1990, January). A fast iterative algorithm for a shift register initial state
reconstruction given the noisy output sequence. In Advances in Cryptology—AUSCRYPT'90 (pp. 165-175). Springer
Berlin Heidelberg.
[10] Siegenthaler, T. (1985). Decrypting a class of stream ciphers using ciphertext only. Computers, IEEE Transactions
on, 100(1), 81-85.
[11] Klapper, A., & Goresky, M. (1994, January). 2-adic shift registers. In Fast Software Encryption (pp. 174-178).
Springer Berlin Heidelberg.
[12] Kumar, N., Ojha, S., Jain, K., & Lal, S. (2009, October). BEAN: a lightweight stream cipher. In Proceedings of the
2nd international conference on Security of information and networks (pp. 168-171). ACM.
[13] Ågren, M., & Hell, M. (2011, November). Cryptanalysis of the stream cipher BEAN. In Proceedings of the 4th
international conference on Security of information and networks (pp. 21-28). ACM.
[14] WANG, H., HELL, M., JOHANSSON, T., & ÅGREN, M. (2013). Improved Key Recovery Attack on the BEAN
Stream Cipher [IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences E96.
A (2013), No. 6 pp. 1437-1444]. IEICE Transactions on Fundamentals of Electronics, Communications and
Computer Sciences, 96(7), 1683_e1-1683_e1.
[15] Hawkes, P., & Rose, P. (2000). Primitive specification and supporting documentation for SOBER-t16 submission to
NESSIE. In Proceedings of First NESSIE Workshop, 13-14 November 2000, Heverlee, Belgium
https://www.cosic.esat.kuleuven.be/nessie/workshop/
[16] Bokhari, M. U., & Masoodi, F. (2012, October). BOKHARI: A new software oriented stream cipher: A proposal.
In Information and Communication Technologies (WICT), 2012 World Congress on (pp. 128-131). IEEE.
[17] Rukhin, A., & Soto, J. (2001). A Statistical Test Suite for Random and Pseudo-random Number Generators for
Cryptographic Applications, NIST.
http://csrc.nist.gov/groups/ST/toolkit/rng/index.html
[18] Hawkes, P., & Rose, G. G. (2003). Primitive Specification for SOBER-128. IACR Cryptology ePrint Archive, 2003,
81.
[19] Coppersmith, D., Halevi, S., & Jutla, C. (2002). Cryptanalysis of stream ciphers with linear masking. In Advances in
Cryptology—CRYPTO 2002 (pp. 515-532). Springer Berlin Heidelberg.