linearity of the cipher, as the one applicable to plain LFSRs shown in the previous
section.
Encryption with Trivium
Almost all modern stream ciphers have two input parameters: a key k and an initialization vector IV. The former is the regular key that is used in every symmetric crypto system. The IV serves as a randomizer and should take a new value for every encryption session. It is important to note that the IV does not have to be kept secret; it merely must change for every session. Such values are often referred to as nonces, which stands for "number used once". Its main purpose is that two key streams produced by the cipher should be different, even though the key has not changed. If this were not the case, the following attack would become possible: if an attacker has known plaintext from a first encryption, he can compute the corresponding key stream, and a second encryption using the same key stream can then immediately be deciphered. Without a changing IV, stream cipher encryption is highly deterministic. Methods for generating IVs are discussed in Sect. 5.1.2. Let's look at the details of running Trivium:
Initialization: Initially, an 80-bit IV is loaded into the 80 leftmost locations of register A, and an 80-bit key is loaded in the 80 leftmost locations of register B. All other register bits are set to zero with the exception of the three rightmost bits of register C, i.e., bits c109, c110 and c111, which are set to 1.
Warm-up Phase: In the first phase, the cipher is clocked 4 × 288 = 1152 times. No cipher output is generated.
Encryption Phase: The bits produced hereafter, i.e., starting with the output bit of cycle 1153, form the key stream.
The warm-up phase is needed for randomizing the cipher sufficiently. It makes
sure that the key stream depends on both the key k and the IV .
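As an added example (not code from the book), the three phases above in bit-level Python, together with the key-stream-reuse problem that motivates a fresh IV. The cell layout follows the eSTREAM Trivium specification, which places the key in the first 80 cells of register A (s1..s80) and the IV in the first 80 cells of register B (s94..s173); key and IV values are constructed samples.

```python
# Added example: bit-level Trivium following the eSTREAM specification, with the
# key-stream-reuse problem described above. Key and IV are constructed sample values.

def _bits(data: bytes, n: int) -> list:
    """Expand bytes into n bits, least-significant bit of each byte first."""
    return [(data[i // 8] >> (i % 8)) & 1 for i in range(n)]


class Trivium:
    def __init__(self, key: bytes, iv: bytes):
        assert len(key) == 10 and len(iv) == 10, "80-bit key and 80-bit IV"
        s = [0] * 289                 # s[1..288]; s[0] unused so indices match the spec
        s[1:81] = _bits(key, 80)      # register A (93 bits): key in the 80 leftmost cells
        s[94:174] = _bits(iv, 80)     # register B (84 bits): IV in the 80 leftmost cells
        s[286] = s[287] = s[288] = 1  # register C (111 bits): three rightmost cells set
        self.s = s
        for _ in range(4 * 288):      # warm-up: 1152 clocks, output discarded
            self._clock()

    def _clock(self) -> int:
        s = self.s
        t1, t2, t3 = s[66] ^ s[93], s[162] ^ s[177], s[243] ^ s[288]
        z = t1 ^ t2 ^ t3              # key-stream bit (linear taps only)
        t1 ^= (s[91] & s[92]) ^ s[171]   # AND terms make the feedback non-linear
        t2 ^= (s[175] & s[176]) ^ s[264]
        t3 ^= (s[286] & s[287]) ^ s[69]
        s[1:94] = [t3] + s[1:93]      # shift A, B, C by one cell each
        s[94:178] = [t1] + s[94:177]
        s[178:289] = [t2] + s[178:288]
        return z

    def keystream(self, nbytes: int) -> bytes:
        out = bytearray()
        for _ in range(nbytes):
            out.append(sum(self._clock() << i for i in range(8)))  # 8 bits per byte
        return bytes(out)


def encrypt(key: bytes, iv: bytes, msg: bytes) -> bytes:
    """XOR with the key stream; the same call decrypts."""
    ks = Trivium(key, iv).keystream(len(msg))
    return bytes(m ^ k for m, k in zip(msg, ks))


def keystream_reuse_recovery(known_pt: bytes, ct1: bytes, ct2: bytes) -> bytes:
    """Why the IV must change: known plaintext of message 1 exposes the key stream,
    which then strips message 2 if it was encrypted under the same key and IV."""
    ks = bytes(p ^ c for p, c in zip(known_pt, ct1))
    return bytes(c ^ k for c, k in zip(ct2, ks))
```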
An attractive feature of Trivium is its compactness, especially if implemented in hardware. It mainly consists of a 288-bit shift register and a few Boolean operations. It is estimated that a hardware implementation of the cipher occupies an area of between about 3500 and 5500 gate equivalences, depending on the degree of parallelization. (A gate equivalence is the chip area occupied by a 2-input NAND gate.) For instance, an implementation with 4000 gates computes the key stream at a rate of 16 bits/clock cycle. This is considerably smaller than most block ciphers such as AES and is very fast. If we assume that this hardware design is clocked at a moderate 125 MHz, the encryption rate would be 16 bit × 125 MHz = 2 Gbit/sec. In software, it is estimated that computing 8 output bits takes 12 cycles on a 1.5 GHz Intel CPU, resulting in a theoretical encryption rate of 1 Gbit/sec.
Even though there are no known attacks at the time of writing, one should keep
in mind that Trivium is a relatively new cipher and attacks in the future are certainly