A New Stream Cipher: Dicing

Notice: This research summary and analysis were automatically generated using AI technology. For absolute accuracy, please refer to the [Original Paper Viewer] below or the Original ArXiv Source.

In this paper, we propose a new synchronous stream cipher named DICING, which can be viewed as a clock-controlled one but with a new mechanism of altering steps. It has satisfactory performance and no weaknesses have been found against the known attacks; the key sizes can be 128 bits and 256 bits respectively.


💡 Research Summary

The paper proposes a new synchronous stream cipher called DICING. Its main novelty lies in replacing the traditional linear-feedback shift register (LFSR) with a "projector": a state element that evolves by multiplication in a binary extension field GF(2^m) (m = 126, 127, 128, etc.) rather than by bit-wise shifting. Two projectors (Γ₁ and Γ₂) together with two 8-bit counters (called "dices", D′ and D″) form the controller. The dice values are simply the low-order 8 bits of the states of Γ₁ and Γ₂ and are used to dynamically control the update steps of two further projectors (Γ₃ and Γ₄) that generate the keystream components ω and τ. This yields a variable-step clock-controlled mechanism that differs from the classic shrinking or stop-and-go generators.

Key and IV handling is deliberately complex. The secret key K (128 or 256 bits) is split into 8-byte words, subjected to two linear transformations A and B, XORed, and then used to derive a key-dependent S-box Sₓ. A further linear diffusion L is applied to four 32-bit words, producing a set of non-linear mappings that are later used in the initialization. The IV, 32 bytes long, is mixed with a constant derived from the integer part of 57·e and with four fixed 32-byte strings (ξ₀…ξ₃). The result of this mixing initializes the four projector states (α, β, ω, τ) and two 16-byte buffers u and v. A special rule resets ω and τ if a dice value becomes zero during initialization.

Keystream generation proceeds in two phases per cycle: an "updating" phase, in which all four projectors and both dice are advanced according to the recurrence relations (2.2)–(2.4), and a "combining" phase, in which the buffers u and v are XORed, combined with the current dice values, and finally output as a 128-bit block zₜ. The authors claim a throughput of 10 cycles per byte (≈160 cycles per 128-bit block) on a 32-bit Windows platform with an AMD Athlon 64×2 3600+ CPU, compiled with Borland C++ 5.0. Reported initialization costs are 5 200 cycles for the key setup and 2 280 cycles for the IV setup.

The security analysis focuses on period length and resistance to known attacks. Because the projectors are driven by primitive polynomials, their individual periods are 2¹²⁶‑1, 2¹²⁷‑1, and 2¹²⁸‑1. By combining them, the authors derive an overall keystream period on the order of 2³⁸⁰ (equations 3.1–3.6). They argue that the dynamic, key‑dependent dice control makes correlation, algebraic, and distinguishing attacks infeasible, as the attacker cannot obtain the necessary correlation equations. They also claim immunity to time‑memory‑data trade‑off, guess‑and‑determine, chosen‑IV, collision, and inversion attacks, and report no observable timing variations in their reference implementation.
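The projector and dice mechanism described above, and the period argument behind it, as an added toy illustration that is not the paper's code or parameters: the field is shrunk to GF(2^8) with a constructed primitive polynomial (0x11D) so the full-period claim for a generator can be checked exhaustively, the dice are a constructed 3-bit analogue of the 8-bit counters, and the "never stall" rule is a toy simplification of the paper's reset rule.

```python
# Toy model of DICING's building blocks (added example, not the paper's design):
# a "projector" is a GF(2^m) element advanced by field multiplication, and the
# low-order bits of a controller projector act as "dice" that decide how many
# steps a keystream projector takes per cycle. Real DICING uses m = 126..128.
M = 8
POLY = 0x11D          # constructed choice: x^8+x^4+x^3+x^2+1, primitive over GF(2)
MASK = (1 << M) - 1
DICE_BITS = 3         # constructed analogue of the paper's 8-bit dice


def gf_mul(a: int, b: int) -> int:
    """Multiply two GF(2^M) elements modulo POLY (shift-and-add, no tables)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> M:            # degree reached M: reduce by the field polynomial
            a ^= POLY
    return r & MASK


def period_under_mul(g: int) -> int:
    """Length of the cycle g, g^2, ..., 1 in GF(2^M)*; it is 2^M - 1 iff g generates
    the multiplicative group, which is the paper's full-period condition."""
    s, n = g, 1
    while s != 1:
        s = gf_mul(s, g)
        n += 1
    return n


def dicing_toy(a: int, w: int, g_ctrl: int, g_key: int, n_out: int) -> list:
    """Controller projector `a` advances by one multiplication per cycle; its low
    DICE_BITS bits (the dice) choose how many multiplications the keystream
    projector `w` performs before being output. Returns the output states."""
    dice_mask = (1 << DICE_BITS) - 1
    out = []
    for _ in range(n_out):
        a = gf_mul(a, g_ctrl)              # updating phase: controller step
        steps = (a & dice_mask) or 1       # toy rule: a zero dice still steps once
        for _ in range(steps):             # variable-step clock control
            w = gf_mul(w, g_key)
        out.append(w)                      # combining phase (toy: emit w directly)
    return out


if __name__ == "__main__":
    print("period of x:", period_under_mul(0x02))          # 255 = 2^8 - 1
    print("toy keystream:", dicing_toy(0x01, 0x01, 0x02, 0x02, 8))
```

Because every projector state is a nonzero field element multiplied by a nonzero constant, the toy never reaches the all-zero state; the paper's reset rule for a zero dice value addresses the separate question of a stalled step count.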

Despite these claims, the paper lacks rigorous proofs. The period analysis assumes independence of the component periods without addressing possible common factors introduced by the combining function. No formal security model (e.g., PRF, IND-CPA) is presented, and the resistance to modern algebraic attacks (e.g., Gröbner-basis methods) is not quantified. The key-dependent S-box construction is described only at a high level, leaving open the possibility of weak S-boxes for certain keys. Side-channel resistance (timing, power, electromagnetic) is merely mentioned as "no remarkable gaps," without systematic measurement.

Implementation details are sparse. The performance numbers are based on an outdated compiler and CPU; no comparison with contemporary hardware (e.g., ARM Cortex-A78, Intel AVX-512) is provided. The code is not released, making reproducibility difficult. Moreover, the algorithm's complexity (multiple field multiplications, S-box look-ups, matrix transpositions) may lead to higher constant factors on modern architectures than the claimed 2× speed-up over AES suggests.

The paper also discusses reduced versions and variants, such as omitting one or both dice, simplifying the combining function, or replacing the four projectors with a single 256‑bit projector. While these variants may improve speed, the authors provide no security analysis for them, leaving open the question of whether the reductions introduce exploitable linearities.

In summary, DICING introduces an interesting concept—field‑multiplication‑based projectors controlled by dynamic dice—to break the linearity inherent in LFSR‑based stream ciphers. However, the design is intricate, the security arguments are largely heuristic, and the implementation claims are not substantiated on modern platforms. For DICING to be considered for standardization or practical deployment, a thorough cryptanalytic evaluation (including algebraic, differential, and side‑channel analyses) and a reference implementation with open‑source code and benchmarked performance on current hardware would be essential.
