## Energy, Performance, Area Versus Security Trade-offs for Stream Ciphers (2004)

Venue: In The State of the Art of Stream Ciphers, Workshop Record (2004), ECRYPT

Citations: 10 - 0 self

### BibTeX

@INPROCEEDINGS{Batina04energy,

author = {Lejla Batina and Joseph Lano and Nele Mentens and Sıddıka Berna Örs and Bart Preneel and Ingrid Verbauwhede},

title = {Energy, Performance, Area Versus Security Trade-offs for Stream Ciphers},

booktitle = {In The State of the Art of Stream Ciphers, Workshop Record (2004), ECRYPT},

year = {2004},

pages = {302--310}

}

### Abstract

The goal of this submission is to provide a framework and platform to compare stream ciphers not only on their security level but also based on their energy consumption, performance and area cost. We describe the basic hardware assumptions, give the area, delay and power consumption values of some existing stream ciphers and give guidelines for the designs of future algorithms.

Keywords: E0, A5/1, RC4, hardware implementation, power consumption

### Citations

213 | Algebraic attacks on stream ciphers with linear feedback
- Courtois, Meier
- 2003

Citation Context: ...uce new approaches, based on concepts coming from various fields such as block cipher design, chaos theory and random shuffles. No unification has been made in this field. Recently, algebraic attacks [4] have emerged as a new powerful class of attacks against LFSR-based stream ciphers. Though it is not yet entirely clear what the impact is of these attacks, this has incited researchers to search new ...

32 | New cryptographic primitives based on multiword T-functions
- Kipnis, Shamir
- 2004

Citation Context: ...methodologies that can replace the LFSRs and that are immune to the many classes of attacks that can be applied on LFSRs. Two proposals are the counter-assisted number generators [14] and t-functions [10]. 3 Area evaluation One NAND gate is considered to have a unit area in CMOS standard cell based hardware. According to this calculation, the different operations used in E0, A5/1 and RC4, the area of ...

24 | New Approaches to Stream Ciphers
- Rueppel
- 1984

Citation Context: ...oolean function (sometimes complemented with some nonlinear memory bits) and the irregular clocking of LFSRs. An extensive overview of the design and the cryptanalysis of such designs can be found in [13]. Two widely used stream ciphers based on this research are A5 [1] used in GSM mobile phones and E0 used in the Bluetooth standard [15]. In the 90s, many stream ciphers were proposed that achieve a hi...

19 | Resynchronization weaknesses in synchronous stream ciphers
- Daemen, Govaerts, et al.
- 1994

Citation Context: ...oth values into the state of the stream cipher. However, it has been shown that this leads to cryptanalytic attacks and thus this resynchronization has to be done in a sufficiently nonlinear way, see [5, 2]. Resynchronizing thus induces some overhead: the algorithm has to perform several clocks before it can start outputting information. The shorter the packets, the more important this overhead becomes....

11 | Hardware Implementation of the RC4 stream Cipher
- Kitsos, Kostopoulos, et al.

Citation Context: ... 637 A5/1 61-bit LFSR, 5 XOR gates, 3 AND gates, 2 OR gates 752 RC4 4 256-byte RAM, 4 8-bit register, 3 8-bit adder, 2-bit MUX 12 951.5 • A hardware implementation of RC4 is given by Kitsos et al. in [7]. It consists of a control and a storage unit. The storage unit is responsible for the key setup and key stream generation. The storage unit contains memory elements for the S-Box and K-Box, along wit...

11 | Recent developments in the design of conventional cryptographic algorithms, This Volume
- Preneel, Rijmen, et al.

Citation Context: ...at achieve a high performance in software, such as LEVIATHAN (Cisco), MUGI (Hitachi-K.U. Leuven), RC4 (R. Rivest), SNOW (Lund University), SOBER (Qualcomm) and SEAL (IBM). An overview can be found in [12]. Because LFSRs have been very well-studied, some of these software-based stream ciphers use word-oriented versions of LFSRs. Other designs introduce new approaches, based on concepts coming from vari...

10 | VLSI Digital Signal Processing Systems: Design and Implementation
- Parhi
- 1999

Citation Context: ... gate count is 932. 4 Performance evaluation 4.1 Performance for bulk encryption Stream ciphers are sequential in nature, which means they cannot be pipelined. LFSRs are examples of bit serial design [11]. To get performance you need to clock very high. In general the throughput can be defined as given by Eq. (1). Throughput = N × clock frequency, (1) where N is the number of bits produced in every cl...

10 | Guaranteeing the diversity of number generators
- Shamir, Tsaban

Citation Context: ...rchers to search new methodologies that can replace the LFSRs and that are immune to the many classes of attacks that can be applied on LFSRs. Two proposals are the counter-assisted number generators [14] and t-functions [10]. 3 Area evaluation One NAND gate is considered to have a unit area in CMOS standard cell based hardware. According to this calculation, the different operations used in E0, A5/1 ...

8 | Hardware Implementation of Bluetooth Security
- Kitsos, Sklavos, et al.
- 2003

Citation Context: ...ful to compare different designs. We now discuss the stream ciphers E0, RC4 and A5/1 in more detail. • The only published hardware implementation of the E0 stream cipher was given by Kitsos et al. in [8]. It is synthesized, placed and routed using the XILINX field-programmable gate array (FPGA) (Virtex-E V2600E-FG1156). The system clock frequency is 15 MHz. It uses 895 configurable logic blocks (CLBs)...

5 | Power characterization of LFSRs
- Brazzarola, Fummi
- 1999

Citation Context: ...h one output capacitance as load, respectively. Brazzarola and Fummi analyze the problem of selecting the set of primitive polynomial LFSRs that minimize their switching activity working in isolation [3]. All latches of a LFSR make the same number of switches in one period. The behavior of all latches is characterized by the behavior of the first latch translated in the time. They give the following ...

5 | A note to low-power linear feedback shift registers
- Hamid, Chen
- 1998

Citation Context: ...it not for cryptographic applications. Hamid and Chen proposed to use polynomials with two coefficients having the following format; P(x) = 1 + x^(1/n) + x^n, where n is the order of the polynomial in [6]. Equations for power dissipation in case of the conventional serial and their LFSRs are shown below. Here the power dissipated by each clock is included in the power dissipation of the D flip-flop, t...

3 | Specification of the Bluetooth System, Version 1.2, available from www.bluetooth.org/spec
- Bluetooth
- 2003

Citation Context: ...the design and the cryptanalysis of such designs can be found in [13]. Two widely used stream ciphers based on this research are A5 [1] used in GSM mobile phones and E0 used in the Bluetooth standard [15]. In the 90s, many stream ciphers were proposed that achieve a high performance in software, such as LEVIATHAN (Cisco), MUGI (Hitachi-K.U. Leuven), RC4 (R. Rivest), SNOW (Lund University), SOBER (Qual...

2 | A5 (Was: Hacking Digital Phones), sci.crypt post
- Anderson
- 1994

Citation Context: ...bits) and the irregular clocking of LFSRs. An extensive overview of the design and the cryptanalysis of such designs can be found in [13]. Two widely used stream ciphers based on this research are A5 [1] used in GSM mobile phones and E0 used in the Bluetooth standard [15]. In the 90s, many stream ciphers were proposed that achieve a high performance in software, such as LEVIATHAN (Cisco), MUGI (Hitac...

2 | Extending the Resynchronization Attack (extended version). Cryptology ePrint Archive, Report 2004/232. http://eprint.iacr.org
- Armknecht, Lano, et al.
- 2004

Citation Context: ...oth values into the state of the stream cipher. However, it has been shown that this leads to cryptanalytic attacks and thus this resynchronization has to be done in a sufficiently nonlinear way, see [5, 2]. Resynchronizing thus induces some overhead: the algorithm has to perform several clocks before it can start outputting information. The shorter the packets, the more important this overhead becomes....

1 | A reconfigurable linear feedback shift register (LFSR) for the Bluetooth system
- Kitsos, Sklavos, et al.

Citation Context: ...en LFSRs do not depend on the switching activity of the latches since it is the same, but only on the XOR gates. Kitsos et al. proposed a reconfigurable LFSR design consisting of two basic components [9]. The first is the LFSR Data Component, which contains a collection of 16 linear feedback polynomials. The polynomial degree varies from 8 to 128 according to the Bluetooth system. The second is the LFS...