基于状态位索引方法的小状态流密码算法Draco-F

张润莲; 范欣; 赵昊; 武小年; 韦永壮

doi:10.11999/JEIT240524

基于状态位索引方法的小状态流密码算法Draco-F

doi: 10.11999/JEIT240524

桂林电子科技大学计算机与信息安全学院桂林 541000

基金项目: 国家自然科学基金(62062026)，广西重点研发计划(桂科AB23026131)，广西研究生教育创新计划(YCSW2024347)

详细信息

作者简介:
张润莲：女，副教授，研究方向为信息安全与分布式计算

范欣：男，硕士生，研究方向为信息安全

赵昊：男，硕士生，研究方向为信息安全

武小年：男，教授，研究方向为信息安全与分布式计算

韦永壮：男，教授，研究方向为分组密码算法设计与分析

通讯作者:
张润莲　zhangrl@guet.edu.cn

中图分类号: TN918.1
计量
- 文章访问数: 93
- HTML全文浏览量: 27
- PDF下载量: 12
- 被引次数: 0
出版历程
- 收稿日期: 2024-06-25
- 修回日期: 2024-09-12
- 网络出版日期: 2024-09-19

The Small-state Stream Cipher Algorithm Draco-F Based on State-bit Indexing Method

School of Computer Science and Information Security, Guilin University of Electronic Technology, Guilin 541000, China

Funds: The National Natural Science Foundation of China (62062026), The Key Research and Development Program of Guangxi (guike AB23026131), The Innovation Project of Guangxi Graduate Education (YCSW2024347)

摘要

摘要: Draco算法是首次基于初始向量和密钥前缀组合(CIVK)方案构造的一个流密码设计实例，其声称对于时空数据折中(TMDTO)攻击具有完全可证明的安全性。但因Draco算法的选择函数存在周期小的结构缺陷，攻击者给出了突破其安全界限的分析结果。针对Draco算法存在的安全缺陷等问题，该文提出一种基于状态位索引和动态初始化的改进算法Draco-F算法。首先，Draco-F算法通过使用状态位索引的方法增加了选择函数的周期并降低硬件成本；其次，在保障非线性反馈移位寄存器(NFSR)状态位使用均匀性的前提下，Draco-F算法通过简化输出函数进一步降低算法的硬件成本；最后，Draco-F算法引入动态初始化技术以防止密钥回溯。对Draco-F算法的安全性分析和软硬件测试结果表明：相对于Draco算法，Draco-F算法避免了Draco算法的安全漏洞，可以以128 bit的实际内部状态提供128 bit的安全级别；同时，Draco-F算法具有更高的密钥流吞吐率和更小的电路面积。
- 流密码 /
- 初始向量和密钥前缀组合 /
- Draco /
- 状态位索引 /
- 动态初始化
Abstract: The Draco algorithm is an example of a stream cipher based on the Consisting of the Initial Value and Key-prefix (CIVK) scheme, claiming to have provable security against Time Memory Data TradeOff (TMDTO) attacks. However, its selection function has structural flaws, which have been exploited attackers to provide analyses that break its security boundaries. Addressing the security vulnerabilities and other issues in the Draco algorithm, an improved algorithm called Draco-F is proposed in this paper, which is based on state bit indexing and dynamic initialization. Firstly, the Draco-F algorithm extends the period of the selection function and reduces its hardware cost by employing the method of state bit indexing. Secondly, while ensuring the uniform usage of Nonlinear Feedback Shift Register (NFSR) state bits, the Draco-F algorithm further reduces the hardware cost of the algorithm by simplifying the output function. Finally, Draco-F introduces dynamic initialization techniques to prevent key backtracking. Security analysis and software-hardware testing results on the Draco-F algorithm show that, compared to the Draco algorithm, Draco-F avoids the security vulnerabilities in Draco, providing a 128 bit security level with an actual 128 bit internal state. Furthermore, the Draco-F algorithm has higher key stream throughput and a smaller circuit area.
- Stream cipher /
- Consisting of the Initial Value and Key-prefix (CIVK) /
- Draco /
- State bit indexing /
- Dynamic initialization

HTML全文

图 1 Draco算法结构图

下载: 全尺寸图片幻灯片

图 2 Draco-F算法结构图

下载: 全尺寸图片幻灯片

表 1 Draco-F算法随机性检验结果

编号	测试统计项	P-value值	通过率	检测结果
1	Frequency	0.048 716	0.99	Pass
2	BlockFrequency	0.851 383	0.99	Pass
3	CumulativeSums	0.488 509	0.99	Pass
4	Runs	0.383 827	0.98	Pass
5	LongestRun	0.798 139	1.00	Pass
6	Rank	0.955 835	1.00	Pass
7	FFT	0.275 709	1.00	Pass
8	NonOverlapingTemplate	0.543 258	0.989	Pass
9	OverlappinTemplate	0.122 325	1.00	Pass
10	Universal	0.419 021	0.99	Pass
11	ApproximteEntropy	0.514 124	1.00	Pass
12	RandomExcursions	0.531 523	0.996	Pass
13	RandomExcursionsVariant	0.454 231	0.996	Pass
14	Serial	0.498 609	0.995	Pass
15	LinearComplexity	0.236 810	1.00	Pass

下载: 导出CSV

表 2 两种算法的软件实现性能

算法	初始化轮数	非易失性内部状态长度(bit)	密钥流吞吐率 (kbit/s)
Draco	512	129	308
Draco-F	动态变化	128	320

下载: 导出CSV

表 3 不同算法的硬件指标结果

算法	面积		功耗
算法	(μm²)	(GE)	(mW)
Grain-128a^[1]	13214.51	2911.33	0.479
Atom^[10]	14070.26	3099.86	0.383
Draco^[11]	10127.22	2231.15	0.309
Draco-F	10083.37	2221.49	0.315

下载: 导出CSV

参考文献(17)

[1]	ÅGREN M, HELL M, JOHANSSON T, et al. Grain-128a: A new version of Grain-128 with optional authentication[J]. International Journal of Wireless and Mobile Computing, 2011, 5(1): 48–59. doi: 10.1504/IJWMC.2011.044106.
[2]	EKDAHL P, JOHANSSON T, MAXIMOV A, et al. A new SNOW stream cipher called SNOW-V[J]. IACR Transactions on Symmetric Cryptology, 2019, 2019(3): 1–42. doi: 10.13154/tosc.v2019.i3.1-42.
[3]	AMIN GHAFARI V and HU Honggang. Fruit-80: A secure ultra-lightweight stream cipher for constrained environments[J]. Entropy, 2018, 20(3): 180. doi: 10.3390/e20030180.
[4]	ZIDARIČ N, MANDAL K, GONG G, et al. The welch-gong stream cipher-evolutionary path[J]. Cryptography and Communications, 2024, 16(1): 129–165. doi: 10.1007/s12095-023-00656-0.
[5]	冯秀涛. 3GPP LTE国际加密标准ZUC算法[J]. 信息安全与通信保密, 2011, 9(12): 45–46. doi: 10.3969/j.issn.1009-8054.2011.12.033. FENG Xiutao. ZUC algorithm: 3GPP LTE international encryption standard[J]. Information Security and Communications Privacy, 2011, 9(12): 45–46. doi: 10.3969/j.issn.1009-8054.2011.12.033.
[6]	KUMAR S and SARKAR S. Conditional TMDTO as a MILP instance[J]. IEEE Transactions on Information Theory, 2023, 69(5): 3330–3346. doi: 10.1109/TIT.2022.3230910.
[7]	ARMKNECHT F and MIKHALEV V. On lightweight stream ciphers with shorter internal states[C]. The 22nd International Workshop on Fast Software Encryption, Istanbul, Turkey, 2015: 451–470. doi: 10.1007/978-3-662-48116-5_22.
[8]	HAMANN M, KRAUSE M, and MEIER W. LIZARD-A lightweight stream cipher for power-constrained devices[J]. IACR Transactions on Symmetric Cryptology, 2017, 2017(1): 45–79. doi: 10.13154/tosc.v2017.i1.45-79.
[9]	MIKHALEV V, ARMKNECHT F, and MÜLLER C. On ciphers that continuously access the non-volatile key[J]. IACR Transactions on Symmetric Cryptology, 2017, 2017(2): 52–79. doi: 10.13154/tosc.v2016.i2.52-79.
[10]	BANIK S, CAFORIO A, ISOBE T, et al. Atom: A stream cipher with double key filter[J]. IACR Transactions on Symmetric Cryptology, 2021, 2021(1): 5–36. doi: 10.46586/tosc.v2021.i1.5-36.
[11]	HAMANN M, MOCH A, KRAUSE M, et al. The DRACO stream cipher: A power-efficient small-state stream cipher with full provable security against TMDTO attacks[J]. IACR Transactions on Symmetric Cryptology, 2022, 2022(2): 1–42. doi: 10.46586/tosc.v2022.i2.1-42.
[12]	HAMANN M and KRAUSE M. On stream ciphers with provable beyond-the-birthday-bound security against time-memory-data tradeoff attacks[J]. Cryptography and Communications, 2018, 10(5): 959–1012. doi: 10.1007/s12095-018-0294-5.
[13]	HAMANN M, KRAUSE M, MEIER W, et al. Design and analysis of small-state grain-like stream ciphers[J]. Cryptography and Communications, 2018, 10(5): 803–834. doi: 10.1007/s12095-017-0261-6.
[14]	HAMANN M, KRAUSE M, and MOCH A. Tight security bounds for generic stream cipher constructions[C]. The Selected Areas in Cryptography–SAC 2019: 26th International Conference, Waterloo, Canada, 2020: 335–364. doi: 10.1007/978-3-030-38471-5_14.
[15]	GÜL Ç and KARA O. A new construction method for keystream generators[J]. IEEE Transactions on Information Forensics and Security, 2023, 18: 3735–3744. doi: 10.1109/TIFS.2023.3287412.
[16]	BANIK S. Cryptanalysis of Draco[J]. IACR Transactions on Symmetric Cryptology, 2022, 2022(4): 92–104. doi: 10.46586/tosc.v2022.i4.92-104.
[17]	GAMMEL B, GÖTTFERT R, and KNIFFLER O. Achterbahn-128/80: Design and analysis[C]. ECRYPT Network of Excellence-SASC Workshop Record, Bochum, Germany, 2007: 152–165.