A New Stream Cipher: Dicing


📝 Original Info

  • Title: A New Stream Cipher: Dicing
  • ArXiv ID: 0805.1278
  • Date: 2009-03-21
  • Authors: Researchers mentioned in the ArXiv original paper

📝 Abstract

In this paper, we propose a new synchronous stream cipher named DICING, which can be viewed as a clock-controlled one but with a new mechanism of altering steps. It has satisfactory performance, and no weaknesses against the known attacks have been found; the key sizes can be 128 bits and 256 bits respectively.

💡 Deep Analysis

This research explores the key findings and methodology presented in the paper: A New Stream Cipher: Dicing.


📄 Full Content

In a synchronous stream cipher, the ciphertext is generally made by bitwise adding (XOR) the plaintext with a binary sequence called the keystream. If the cipher is misused, or the plaintext of some ciphertext becomes known to someone, then the keystream becomes visible to them; the analysis of this case is called known-plaintext analysis. A secure keystream should satisfy two basic conditions: first, the original key cannot be recovered from the keystream; second, the bits of the keystream should be unpredictable to an adversary, in other words, to the adversary the keystream should look like a random one, i.e. it should be pseudo-random. Clearly, if the keystream sequence is periodic and the period is short, then it will be predictable, so the keystream should have a sufficiently large period. It is known that linear feedback shift registers (LFSRs) are able to generate sequences with large periods, so LFSRs are often used as component parts of stream ciphers. However, an LFSR also has an obvious weakness: each bit in an LFSR's sequence is linearly related to the initial state, which implies that the initial state is easily deduced from some of the later bits in the sequence; the famous Berlekamp-Massey algorithm is one example of such an algorithm. Almost all of the known attacks, such as correlation attacks, algebraic attacks and distinguishing attacks, exploit this weakness of the LFSR. Therefore, LFSR-based stream ciphers should disrupt the linear relations among the bits of the LFSRs; the clock-controlled methods come from this consideration.
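As an added illustration of the LFSR weakness described above (example code, not from the paper): a 7-stage LFSR generates keystream bits, the Berlekamp-Massey algorithm recovers its feedback polynomial from only 2L = 14 consecutive output bits, and the recovered recurrence then predicts the rest of the keystream exactly. The taps and seed are constructed for the example.

```python
# Added example, not from the paper: a bare LFSR keystream is predictable.
# A Fibonacci LFSR over GF(2) produces keystream bits; Berlekamp-Massey then
# recovers a shortest feedback polynomial from only 2L consecutive bits, and
# the recurrence predicts every later bit. Taps and seed are constructed here.

def lfsr_bits(taps, state, n):
    """Emit n bits; new bit = XOR of state[t] for t in taps (index 0 = oldest)."""
    s, out = list(state), []
    for _ in range(n):
        out.append(s[0])
        s = s[1:] + [sum(s[t] for t in taps) & 1]
    return out

def berlekamp_massey(bits):
    """Return (L, C): C = [c_0..c_L], c_0 = 1, with
    XOR_{i=0..L} c_i * s_{k-i} = 0 for every k >= L (linear complexity L)."""
    n = len(bits)
    C, B = [1] + [0] * n, [1] + [0] * n
    L, m = 0, 1
    for k in range(n):
        d = bits[k]                       # discrepancy of the current recurrence
        for i in range(1, L + 1):
            d ^= C[i] & bits[k - i]
        if d == 0:
            m += 1
            continue
        T = C[:]
        for i in range(n - m + 1):        # C(x) <- C(x) + x^m * B(x)
            C[i + m] ^= B[i]
        if 2 * L <= k:
            L, B, m = k + 1 - L, T, 1
        else:
            m += 1
    return L, C[:L + 1]

def predict_next(C, L, bits):
    """s_k = XOR_{i=1..L} c_i * s_{k-i}: the next bit from the last L bits."""
    return sum(C[i] & bits[-i] for i in range(1, L + 1)) & 1

def demo(total=60, known=14):
    """Recover x^7 + x^6 + 1 from 14 observed bits and predict the remaining 46."""
    stream = lfsr_bits([0, 1], [1, 0, 0, 0, 0, 0, 0], total)   # constructed
    L, C = berlekamp_massey(stream[:known])
    guess = stream[:known]
    while len(guess) < total:
        guess.append(predict_next(C, L, guess))
    return L, C, guess == stream
```

The same recovery applies to any plain LFSR of length L once 2L keystream bits are known, which is why DICING interposes the projectors and clock control between the registers and the output.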

The proposed cipher DICING may be taken as a clock-controlled one, but with a new mechanism of altering steps. It consists of a controller and a combiner. In the proposed cipher, we substitute the LFSR with an LFSR-like component called a projector (Pr. measured in bytes and 32-bit words respectively, and if the meaning is explicit from the context, the low-index bit, byte and word will be omitted.

As with general stream ciphers, the proposed cipher also encrypts the plaintext and decrypts the ciphertext by bitwise adding a binary string called the keystream, namely,

The keystream generator contains two main parts, a controller H and a combiner C. The controller , , 0 , 1 ,2 , . . .

The initial values $u_0$, $\omega_0$, $\tau_0$ and $v_0$ will be specified later. The startup includes two subprocesses, keysetup and ivsetup, in which the basic materials such as the secret key and key size are input and the internal states are initialized. Besides, in the keysetup we construct a key-defined S-box $S(x)$ from $S_0(x)$ and a diffusion transformation $L$. The process is as follows.

For a string ρ of 8 bytes, we define an 8-bit vector $V_\rho$ and an 8×8

bit bit

and J is a key-defined permutation matrix; for simplicity, here take 1.

, and [0, 7] , [8,15] byte byte

, and then define a new S-box $S(x)$ and a transformation $L$ on $K_4$. In the ivsetup, the second step of the startup, the internal states are initialized with the secret key and the initial value. In generating the keystream we employ one mask of 16 bytes, denoted by η.

For a 32-byte string ζ we define a byte permutation φ:

( )

The internal states are initialized respectively as follows. Note: for a secret key, there is at most one IV such that 3 0.

After initializing, the process enters the recurrent part of generating the keystream; each cycle includes two sub-processes, updating and combining. In the updating, all the states are updated from time $t-1$ to time $t$ as stated in (2.2) ~ (2.4). Suppose that u and v are two 16-byte strings, which are also viewed as 4×4 matrices of bytes in the ordinary way. Denote by $M^T$ the transpose of a matrix $M$; the combining function is defined as ( , ) (( ( ) ) ) .

Denote by $z_t$ the keystream at time $t$ ($t > 0$); then ( , )

We have summarized the whole process in a sketch as Fig. 1.

In this section, we first show some results about the periods of the keystream of the stream cipher Dicing, and then give an investigation with respect to standard cryptanalytic attacks. Next, we discuss the resistance of Dicing to the main known attacks.

We know that correlation attacks, distinguishing attacks and algebraic attacks require the correlation equations of the components in the combining or filter functions to be known. In the proposed cipher, the updating of the components $\omega_t$ and $\tau_t$ is controlled by the projectors $\Gamma_1$ and $\Gamma_2$, and their correlations are not known to the adversary, so these attacks will not be feasible.

As Dicing has a large internal state, its updating operations are multiplications in the finite field $GF(2^{128})$, and there is no correspondence between small isolated parts of the state and the keystream, there will be no flaws exploitable by time/memory/data trade-off attacks or guess-and-determine attacks.

The initialization and combining functions also protect DICING against chosen-IV attacks, collision attacks and inversion attacks.

With our reference code, no notable timing variations usable for a timing attack were found.

On a 32-bit Windows platform with an AMD Athlon(tm) 64 X2 Dual Core 3600+ processor at 2.00 GHz, compiled with Borland C++ 5.0, the performance of DICING is as follows

The algorithm DICING presented above is a very conservative one; users who wish to strive for a faster rate may adopt the reduced versions and variants. Some such ones follow, and we think the reduced ones will also have sufficient security.

  1. Simply take the combining function

and omit the Pr. $\Gamma_2$.

  2. In the case there are no attacks on conditional branching, the combining function may be taken as ( )

[0] 0, ( , ) ( ) [0] 1. (5.4)

The presented algorithm DICING was one of the candidates for eSTREAM [1], [2], but with a small difference from [2] in (2.8) and (2.9): here the vector $V_1$ has been moved into the S-box $S(x)$ from the transformation $A(x)$.

are the primitive polynomials of degree 127 and 126 respectively, whose expressions are given in List 1. They satisfy the simple recurrence equations

.2) The dice $D'_t$ and $D''_t$ are two integers recording the last eight bits of $\alpha_t$ and $\beta_t$ respectively. The combiner C also contains two projectors 3



This content is AI-processed based on open access ArXiv data.
