
Proc. of Int. Conf. on Emerging Trends in Engineering and Technology

BSF-128: A New Synchronous Stream Cipher Design


Dr. M. U. Bokhari¹, Shadab Alam²
¹ Aligarh Muslim University / Department of Computer Science, Aligarh, India
Email1: [email protected] , Email2: [email protected]

Abstract:- The main aim of this paper is to introduce a new synchronous stream cipher
based on a 128-bit key length. The proposed design is named “BSF-128” and is primarily
based on a Non Linear Feedback Shift Register (NFSR), a Feedback with Carry Shift
Register (FCSR) and an S-Box.

Keywords:- LFSR, NFSR, FCSR, S-Box, Grain, Synchronous, Stream Cipher

I. INTRODUCTION
Secret key cryptography has been used since the early days of cryptography and is still in use, even after the
invention of public key cryptography, due to its efficiency in terms of speed, error propagation and low
implementation cost. After the standardization of block ciphers, the focus has shifted significantly towards
stream cipher standardization, because stream ciphers are useful in applications where hardware resources are
limited and very fast encryption is required. One major initiative of this kind was started by the European
Union in the form of “eSTREAM” [1], and Grain [2] was one of the selected candidates in the hardware profile.
Grain uses two shift registers, one LFSR and one NFSR. Many cryptanalytic attacks [3, 4, 5, 6] were
reported against Grain, mainly due to the inherent weaknesses of LFSRs. Although LFSRs are widely used
because of their good statistical properties, LFSR-based designs are susceptible to algebraic
and correlation attacks due to the inherent weakness of linearity [7, 8, 9, 10]. A new primitive, the FCSR
(Feedback with Carry Shift Register), was proposed by Klapper and Goresky in [11]. As a substitute for
LFSRs, FCSRs not only have good statistical and pseudorandom properties like LFSRs but are also
resistant to linear, algebraic and correlation attacks due to their inherent non-linearity. A stream cipher, BEAN [12],
inspired by Grain and using two FCSRs in place of the NFSR and LFSR, was also proposed to overcome the
weaknesses of LFSR-based designs. However, cryptanalytic attacks were reported against the BEAN cipher [13,
14] and inherent weaknesses in its design were shown. The proposed stream cipher “BSF-128” is designed for
128-bit secret key applications and is based on Grain. The next section gives the detailed design specification of
BSF-128, and the final section explains the analysis of the proposed design.

II. DESIGN SPECIFICATION OF BSF-128


The proposed design BSF-128 uses two shift registers, one NFSR and one FCSR, each 128 bits long.
The Fibonacci architecture has been used for the FCSR for ease of implementation, but the Ring or Galois
architecture can also be used for the FCSR implementation. BSF-128 uses an 8x16 S-Box. The S-Box used in
this design is one tailored by ISRC, QUT; it is a combination of the Skipjack S-Box and an S-Box designed by
ISRC, QUT [15]. The outline of the design structure of BSF-128 is shown in Figure 1.

DOI: 03.AETS.2013.3.289
© Association of Computer Electronics and Electrical Engineers, 2013
In this proposed design a primitive polynomial f(x) of degree 128 has been used as feedback polynomial of
FCSR. The function f(x) is defined as:
$$f(x) = 1 + x^{2} + x^{27} + x^{29} + x^{128} \qquad (1)$$

The update function of FCSR is computed as:


$$
\begin{aligned}
S_b &= F_i + F_{i+99} + F_{i+101} + F_{i+126} + m_b^{i},\\
F_{i+128} &= S_b \bmod 2,\\
m_b^{i+1} &= \lfloor S_b / 2 \rfloor \qquad (2)
\end{aligned}
$$

The feedback polynomial of NFSR is defined as g(x):

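$$
\begin{aligned}
g(x) = {} & 1 + x^{32} + x^{37} + x^{72} + x^{102} + x^{128} + x^{44}x^{60} + x^{61}x^{125} + x^{63}x^{67} \\
& + x^{69}x^{101} + x^{80}x^{88} + x^{110}x^{111} + x^{115}x^{117} \qquad (3)
\end{aligned}
$$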
The update function of the NFSR then produces the new bit $N_{t+128}$, which also uses $F_t$ derived from the FCSR. $N_{t+128}$ is
defined as:
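$$
\begin{aligned}
N_{t+128} = {} & F_t \oplus N_t \oplus N_{t+26} \oplus N_{t+56} \oplus N_{t+91} \oplus N_{t+96} \\
& \oplus N_{t+3}N_{t+67} \oplus N_{t+11}N_{t+13} \oplus N_{t+17}N_{t+18} \oplus N_{t+27}N_{t+59} \\
& \oplus N_{t+40}N_{t+48} \oplus N_{t+61}N_{t+65} \oplus N_{t+68}N_{t+84} \qquad (4)
\end{aligned}
$$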
These two shift registers store the state of the cipher. From them we take 8 bits, of which 5 are from the
FCSR and the remaining 3 are from the NFSR. The output bits are denoted by X, where X is the concatenation of
X1 = 5 bits from the FCSR and X2 = 3 bits from the NFSR, written X = X1 || X2. The 3 inputs from the NFSR are
$N_{t+31}$, $N_{t+59}$ and $N_{t+75}$, and the 5 inputs from the FCSR are $F_{t+21}$, $F_{t+39}$, $F_{t+51}$,
$F_{t+73}$ and $F_{t+120}$. The selection of input bits is based entirely on the fact that they form a full
positive difference set (FPDS). This set of inputs is then passed on to the S-Box.
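The register updates of equations (2) and (4) can be written out directly. The following is an added example, not code from the paper; it assumes each register is a list of 128 bits in which index k holds $F_{t+k}$ or $N_{t+k}$, and it leaves out the S-Box feedback used during key initialization. The function names are hypothetical.

```python
# Added example, not the authors' code. Assumption: each register is a Python
# list of 128 bits in which index k holds F_{t+k} (FCSR) or N_{t+k} (NFSR).

FCSR_TAPS = (0, 99, 101, 126)        # F_i, F_{i+99}, F_{i+101}, F_{i+126}
NFSR_LINEAR = (0, 26, 56, 91, 96)    # single-bit terms of equation (4)
NFSR_PAIRS = ((3, 67), (11, 13), (17, 18), (27, 59),
              (40, 48), (61, 65), (68, 84))   # AND terms of equation (4)


def clock_fcsr(F, carry):
    """Equation (2): integer addition with a carry memory, not XOR."""
    s = sum(F[k] for k in FCSR_TAPS) + carry   # S_b
    return F[1:] + [s % 2], s // 2             # F_{i+128}, m_b^{i+1}


def clock_nfsr(N, f_t):
    """Equation (4): XOR of F_t, five single taps and seven AND pairs."""
    bit = f_t
    for k in NFSR_LINEAR:
        bit ^= N[k]
    for a, b in NFSR_PAIRS:
        bit ^= N[a] & N[b]
    return N[1:] + [bit]


def clock_both(N, F, carry):
    """Advance both registers once; F_t is read before the FCSR shifts."""
    new_N = clock_nfsr(N, F[0])
    new_F, new_carry = clock_fcsr(F, carry)
    return new_N, new_F, new_carry


def carry_trace(F, carry, steps):
    """Return the carry value after each of `steps` FCSR clocks."""
    trace = []
    for _ in range(steps):
        F, carry = clock_fcsr(F, carry)
        trace.append(carry)
    return trace


if __name__ == "__main__":
    # Constructed input: an all-ones FCSR with zero carry.
    print(carry_trace([1] * 128, 0, 4))
```

The carry is part of the FCSR state alongside the 128 register bits, so an implementation has to save and restore it together with the register.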

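[Figure 1: Design Specification of BSF-128. Block diagram: the NFSR (feedback g(x)) and the FCSR (feedback f(x)) supply 3 inputs || 5 inputs to the S-Box (8x16); the S-Box output Vt is split into Vt1 (8 LSB) and Vt2 (8 MSB); Vt3 and Vt1 form the 16-bit keystream Zt.]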

A. S-Box
BSF-128 uses an S-Box of 8x16 configuration, which takes an 8-bit input and gives a 16-bit output.
The S-Box is a combination of the Skipjack S-Box and an S-Box designed by ISRC at QUT, which has also
been used in the SOBER-t16 cipher [15] as well as in a recently proposed design called the Bokhari stream cipher
[16]. The 16-bit output of the S-Box is divided into two parts: the 8 LSBs (Least Significant Bits, Vt1)
and the 8 MSBs (Most Significant Bits, Vt2). The eight LSBs are passed on unchanged, and the eight MSBs
(Vt2) are XORed (⊕) with X to give Vt3 of eight bits. Vt1 and Vt3 are then concatenated, which finally
gives the 16-bit output keystream Zt.
B. Key Initialization
For key initialization, the 128-bit key is loaded into the NFSR and the 128-bit IV (Initialization Vector) is loaded into the FCSR.
Padding with ones is used if the key size is less than 128 bits. After the registers are loaded, the cipher is
clocked. The leftmost bit of the LSBs is fed back to the NFSR and the rightmost bit of the MSBs is fed back to
the FCSR in the next clocking.
The cipher is clocked 256 times without producing any keystream, in order to randomize the contents
of the two shift registers and flush any previously stored values out of them. Once randomization is
done, keystream is generated. The initialization phase is shown in Figure 2.

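[Figure 2: Overview of Key initialization of BSF-128. Block diagram: the NFSR (feedback g(x)) and the FCSR supply 3 inputs || 5 inputs to the S-Box (8x16); the S-Box output Vt is split into Vt1 (8 LSB) and Vt2 (8 MSB); Vt3 and Vt1 form the 16-bit keystream Zt.]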

C. Algorithm of Key generation


(a) Load the registers with the initial key and IV values: the NFSR with the key and the FCSR with the IV.
(b) Pass 3 bits X1 ($N_{t+31}$, $N_{t+59}$ and $N_{t+75}$) from the NFSR and 5 bits X2 ($F_{t+21}$, $F_{t+39}$, $F_{t+51}$, $F_{t+73}$ and $F_{t+120}$) from
the FCSR to the S-Box to generate Vt.
(c) Divide Vt into two parts, Vt1 and Vt2, of 8 bits each, and feed back the first LS bit of Vt1 to the NFSR, where it is
XORed with Ft and used in conjunction with g(x) to update the NFSR.
(d) Vt2 is XORed with X to give Vt3. The last MS bit of Vt3 is passed to the FCSR in conjunction with f(x)
to update the FCSR.
(e) Clock both registers 256 times.
(f) Generate the 16-bit output keystream Zt.
Thus, in a single iteration of keystream generation, BSF-128 produces 16 bits, which makes this cipher
very fast.
III. ANALYSIS OF CIPHER
In this section we have described the statistical analysis as well as other security claims of the proposed
cipher design.

TABLE 1: TEST VECTORS FOR BSF-128

S.No.  Parameters        Values

1.     Input Keystream   00000000000000000000000000000000
       IV                00000000000000000000000000000000
       Output keystream  cdba15cdad02d48b7a52ad351b87a759

2.     Input Keystream   80000000000000000000000000000000
       IV                80000000000000000000000000000000
       Output keystream  2cd802bc3bc30948ff3a50ad105527a0

3.     Input Keystream   0123456789abcdef123456789abcdef0
       IV                0123456789abcdef123456789abcdef0
       Output keystream  3538af8c7a0b1656f05f8702ba0b936c

4.     Input Keystream   ffffffffffffffffffffffffffffffff
       IV                ffffffffffffffffffffffffffffffff
       Output keystream  161001f90052f3b164e864008c2cf787

A. Statistical Tests
Keystreams generated by the BSF-128 stream cipher have been analysed using the NIST statistical test suite [17].
The 15 tests included in the NIST test suite analyse keystream output sequences for different statistical
properties desirable in cryptographic applications, such as randomness, linear complexity, etc.
No bias was found in any of the 15 tests conducted with the NIST test suite on keystreams generated by BSF-128.
The keystream generated by the BSF-128 stream cipher was found to be cryptographically secure and random
for such applications, and it possesses sufficient properties to be secure against cryptanalytic attacks.
The algorithm has also been tested for extreme values of the input key and IV, and the output keystream
generated is still totally random. Some test vectors are given in Table 1.
B. Security Claims
Any attack on the BSF-128 stream cipher is believed to have a complexity greater than an exhaustive key search,
though we do not claim any mathematical proof of security. A brief analysis of several attacks on the BSF-128
stream cipher is given below.
Correlation Attack:- The use of an NFSR in conjunction with an FCSR provides a high level of non-linearity. The
tap sets and feedback functions have been chosen appropriately to disguise any short-distance correlations.
The effect can be enhanced for long-term correlation by regular modification of the state.
Guess and Determine Attacks:- The existence of a Guess and Determine attack relies on the tap sets rather than
on individual NFSR operations [18]. The taps selected for BSF-128 are such that they resist Guess and
Determine attacks. The tap sets used in the NFSR state update function {31, 59 and 75} and the FCSR update
function {21, 39, 51, 73 and 120} form a full positive difference set (FPDS) that prevents Guess and
Determine attacks.
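The FPDS property can be checked mechanically. This added example (not from the paper) takes a tap set to be a full positive difference set when all of its pairwise positive differences are distinct, tests each of the two tap sets listed above on its own, and contrasts them with a constructed set that fails. The function names are hypothetical.

```python
from collections import Counter
from itertools import combinations

# Tap positions as listed in the paper.
NFSR_TAPS = (31, 59, 75)
FCSR_TAPS = (21, 39, 51, 73, 120)

# Constructed counter-example (not from the paper): 39-21 and 57-39 are both 18.
BAD_TAPS = (21, 39, 57, 73, 120)


def positive_differences(taps):
    """All differences b - a with a < b, one per unordered pair of taps."""
    return [b - a for a, b in combinations(sorted(taps), 2)]


def repeated_differences(taps):
    """Map each difference that occurs more than once to its count."""
    counts = Counter(positive_differences(taps))
    return {d: n for d, n in counts.items() if n > 1}


def is_fpds(taps):
    """True when the taps are distinct and no pairwise difference repeats."""
    return len(set(taps)) == len(taps) and not repeated_differences(taps)


if __name__ == "__main__":
    for name, taps in (("NFSR", NFSR_TAPS), ("FCSR", FCSR_TAPS),
                       ("constructed", BAD_TAPS)):
        print(name, sorted(positive_differences(taps)), is_fpds(taps))
```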
Distinguishing Attacks:- A cipher cannot be considered strong enough for cryptographic applications if its
output sequence can be distinguished statistically from a random sequence.
BSF-128 is designed with a complex initialization and update function and no linear masking, to make it
immune to distinguishing attacks [19].

IV. CONCLUSION
In this paper, the design of a new synchronous stream cipher named BSF-128 has been proposed, which uses a 128-bit
secret key and an IV size of 128 bits. The design is based on an NFSR, an FCSR and an S-Box. A complete
description of the algorithm as well as some analysis of the cipher’s cryptographic strengths has been
given in the paper. A statistical analysis of the cipher’s output has been carried out and no bias has been
found in the generated keystreams. On the basis of the analysis of this stream cipher, we assume it
to be secure against any cryptanalytic attack with complexity less than that of an exhaustive key search attack.

REFERENCES
[1] Robshaw, M. (2008). The eSTREAM project. In New Stream Cipher Designs (pp. 1-6). Springer Berlin Heidelberg.
[2] Hell, M., Johansson, T., Maximov, A., & Meier, W. (2006, July). A stream cipher proposal: Grain-128. In Information Theory, 2006 IEEE International Symposium on (pp. 1614-1618). IEEE.
[3] Maximov, A. (2006, March). Cryptanalysis of the Grain family of stream ciphers. In Proceedings of the 2006 ACM Symposium on Information, computer and communications security (pp. 283-288). ACM.
[4] Dinur, I., & Shamir, A. (2011, January). Breaking Grain-128 with dynamic cube attacks. In Fast Software Encryption (pp. 167-187). Springer Berlin Heidelberg.
[5] Bjøstad, T. E. (2013). Cryptanalysis of Grain using Time/Memory/Data Tradeoffs.
[6] Banik, S., Maitra, S., & Sarkar, S. (2012). A differential fault attack on the grain family of stream ciphers. In Cryptographic Hardware and Embedded Systems–CHES 2012 (pp. 122-139). Springer Berlin Heidelberg.
[7] Meier, W., & Staffelbach, O. (1989). Fast correlation attacks on certain stream ciphers. Journal of Cryptology, 1(3), 159-176.
[8] Menezes, A. J., Van Oorschot, P. C., & Vanstone, S. A. (2010). Handbook of applied cryptography. CRC press.
[9] Mihaljevic, M. J., & Golic, J. D. (1990, January). A fast iterative algorithm for a shift register initial state reconstruction given the noisy output sequence. In Advances in Cryptology—AUSCRYPT'90 (pp. 165-175). Springer Berlin Heidelberg.
[10] Siegenthaler, T. (1985). Decrypting a class of stream ciphers using ciphertext only. Computers, IEEE Transactions on, 100(1), 81-85.
[11] Klapper, A., & Goresky, M. (1994, January). 2-adic shift registers. In Fast Software Encryption (pp. 174-178). Springer Berlin Heidelberg.
[12] Kumar, N., Ojha, S., Jain, K., & Lal, S. (2009, October). BEAN: a lightweight stream cipher. In Proceedings of the 2nd international conference on Security of information and networks (pp. 168-171). ACM.
[13] Ågren, M., & Hell, M. (2011, November). Cryptanalysis of the stream cipher BEAN. In Proceedings of the 4th international conference on Security of information and networks (pp. 21-28). ACM.
[14] Wang, H., Hell, M., Johansson, T., & Ågren, M. (2013). Improved Key Recovery Attack on the BEAN Stream Cipher [IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences E96.A (2013), No. 6 pp. 1437-1444]. IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences, 96(7), 1683_e1-1683_e1.
[15] Hawkes, P., & Rose, P. (2000). Primitive specification and supporting documentation for SOBER-t16 submission to NESSIE. In Proceedings of First NESSIE Workshop, 13-14 November 2000, Heverlee, Belgium. https://www.cosic.esat.kuleuven.be/nessie/workshop/
[16] Bokhari, M. U., & Masoodi, F. (2012, October). BOKHARI: A new software oriented stream cipher: A proposal. In Information and Communication Technologies (WICT), 2012 World Congress on (pp. 128-131). IEEE.
[17] Rukhin, A., & Soto, J. (2001). A Statistical Test Suite for Random and Pseudo-random Number Generators for Cryptographic Applications, NIST. http://csrc.nist.gov/groups/ST/toolkit/rng/index.html
[18] Hawkes, P., & Rose, G. G. (2003). Primitive Specification for SOBER-128. IACR Cryptology ePrint Archive, 2003, 81.
[19] Coppersmith, D., Halevi, S., & Jutla, C. (2002). Cryptanalysis of stream ciphers with linear masking. In Advances in Cryptology—CRYPTO 2002 (pp. 515-532). Springer Berlin Heidelberg.
