A Key-Based Multi-Mode Clock-Controlled Stream Cipher for Real-Time Secure Communications of IoT

Abstract

With the rapid development of the Internet and wireless communications, as well as the popularization of personal communication systems, the security of real-time communications is demanded. The efficient technology of stream ciphers can satisfy this requirement of security. In this paper, to enhance the security strength of stream ciphers, we design a key-based multi-mode clock-controlled stream cipher for real-time secure communications of the Internet of things (IoT). The proposed stream cipher is equipped with a multi-mode depending on the key. The different working modes are shipped with different encrypting circuits depending on the user’s key. We analyze the period, the linear complexity, and use known attacks to verify the security strength of the proposed cipher. Compared with existing dual mode clock-controlled stream ciphers, the merits of our proposed cipher are its long period, high linear complexity, low hardware complex, low initialization clock, and simplicity in mode switching. Furthermore, the proposed cipher passes the FIPS PUB 140-1 and SP800-22 tests, obtaining at least 97.00%.

1. Introduction

Today, with the popularization of personal communication systems, such as cellular phones, PDAs, notebook computers, etc., and with the rapid development of the Internet of things (IoT), people can share information or transmit sensitive data by using these communication systems. There are a lot of information and communication services in the surrounding areas of human lives at present. These services are combined with various applications, for example, voice over Internet protocols, electronic commerce, distance learning, video conferencing, etc. These real-time streaming technologies provide convenience in terms of people’s instant requirement for information and communication.

The IoT provides convenience in terms of information transmission, but it is unsafe when transmitting unencrypted data via the openness of wireless communications. It is easy to be overheard without protection on such systems. For this reason, the most effective method is to encrypt the transmitted content to prevent the information from being directly known by eavesdropping. Even if the transmitted content is overheard from the channel, they will be nonsensical data. In order to achieve secure communications, cryptography is applied to protect privacy and to avoid fraud in secure communications in the IoT.

The security of the IoT can be achieved by implementing Secure Shell (SSH) and Transport Layer Security (TLS) protocols. However, they have heavy overheads that are not suitable for the resource-constrained environment of the IoT [1]. There are three basic popular communication protocols at the IoT application level; they are the CoAP (Constrained Application Protocol), MQTT (Message Queuing Telemetry Transport), and the XMPP (Advanced Message Queuing Protocol). The MQTT protocol is the most widely used protocol for the communication of these devices in IoT systems due to its low resource requirements [2]. Some cryptosystems have been proposed in IoT systems that communicate using the MQTT protocol, but they have not been widely accepted because of their performances [3,4]. For confidentiality, the cipher of an asymmetric cryptosystem, e.g., RSA, ECC, etc., is not suitable for the IoT, due to the computational load. In symmetric cryptosystems, stream ciphers outperform block ciphers because of their simple encrypting operation.

The stream cipher is a class of symmetric encryption algorithms, and it is generally much faster than block ciphers, so stream ciphers are widely used in digital communications and real-time transmissions. For the security demands of real-time communications, stream ciphers are used to meet the necessary requirements [5,6,7,8]. For example, the stream cipher A5/1 supports the confidentiality of mobile communications [9]. Similarly, in real-time communications of the IoT, security efficiency can benefit from using stream ciphers.

At the core of stream ciphers is the keystream generator. One of the basic structures of keystream generators is the linear feedback shift register (LFSR) [10]. For the attack of the Berlekamp-Massey algorithm, the output of the sequences of LFSRs is straightforwardly predictable. To resist this attack and spoil the linearity properties of LFSRs, there are three basic schemes that can be achieved, which include: a nonlinear combining function on the outputs of several LFSRs, a nonlinear filtering function on the contents of a single LFSR, and using the output of one (or more) LFSRs to control the clock of one or more other LFSRs, which are the clock-controlled LFSRs. All of these schemes require a nonlinear function to combine the outputs of LFSRs or control the input clock for clock-controlled LFSRs [10,11,12,13,14]. The clock-controlled based stream cipher A5/1 uses the nonlinear majority function as the nonlinear function to promote its security. Erguler and et al. proposed a clock-controlled stream cipher with dual modes, and that has two different clocking mechanisms to provide security enhancements [15].

Regarding the hardware of stream ciphers, a cipher with a multiple working nonlinear circuit is a strategy by which to gain the security strength of the output keystream. To further the security strength of stream ciphers, in this paper, we design a key-based multi-mode clock-controlled stream cipher for real-time secure communications using the IoT. The cipher is equipped with a multi cipher mode, depending on the secret key. The different modes are shipped with different encryption circuits depending on the user’s session key. We analyze the period, linear complexity, evaluate the randomness, and use known attacks to verify the security strength of the cipher. From the experimental results, the proposed cipher passes the FIPS PUB 140-1 and SP800-22 tests, attaining at least 97.00%. The contributions of this study can be briefly stated as follows:

• The proposed scheme employs multiple working modes depending on the user’s session key.
• The multiple working modes of the different working circuits include different nonlinear selecting functions and different nonlinear output combining functions.
• All of the nonlinear selecting functions and output combining functions provide the balance correlation probability. It prevents weakness for attackers to break through the stream cipher.
• The proposed scheme is one of hardware security, and is easy to implement using hardware.

This paper is organized as follows. Section 2 introduces the related research regarding stream ciphers. Then, we present our proposed scheme, describe each component of the proposed stream cipher, and specify the details of the design in Section 3. In Section 4, we consider statistical properties and some attacks with respect to our design. In addition, we present the results regarding the period and linear complexity of our scheme. Section 5 describes the test criteria and the experimental results for our proposed stream cipher. We use the Federal Information Processing Standards Publication 140-1 (FIPS PUB 140-1) [16] and the Special Publication 800-22 (SP800-22) [17] to perform the statistical tests for our scheme. Finally, we provide the conclusions in Section 6.

2. Preliminaries

The basic design of a stream cipher requires a short key and expands it into a binary pseudorandom number sequence. This sequence is also called the keystream. The keystream is XORed to the plaintext and generates the ciphertext. Similarly, the same keystream is used to decrypt through XORing with the cipher to recover the original plaintext [18]. Therefore, the keystream generator plays an important role in the research of stream ciphers. Generally speaking, the keystream generator can be composed of the finite state machine (FSM) and the output function. Among the design of many stream ciphers, the LFSR is the most common class of FSM due to its simplicity, speed of implementation in hardware, and the fact that it provides sequences with good statistical properties.

2.1. Linear Feedback Shift Register

The Linear Feedback Shift Register (LFSR) can be implemented in two ways. One is the Fibonacci structure, and the other is the Galois structure. The Fibonacci structure of a LFSR consists of a simple shift register and additive operations. Figure 1 shows the Fibonacci structure of a LFSR. At the time t, the LFSR of length L consists of L stages S_0+t, …, S_L−1+t, where t ≥ 0. Each stage is a D-type flip-flop and stores one bit. The output position of each D-type flip-flop that affects the next state is called the tap. The taps are sequentially XORed and then fed back into the leftmost bit. The Fibonacci structure of a LFSR can use a feedback polynomial to record the structure. We call the polynomial the connection polynomial f(x). It is defined as follows:

$$f(x)=1+{\displaystyle \sum _{i=1}^L{C}_i{x}^i=1+C_{1}x+}{C}_2{x}^2+\dots +C_L{x}^L$$

(1)

where L is called the degree of the connection polynomial and the C_i is called the feedback coefficient. In general, the additive operations are included in module 2. The feedback coefficient C_i (1 ≤ i ≤ L) that is not zero is the tap of the connection polynomial. For any feedback coefficient, C_i is either 0, meaning “no connection”, or 1, meaning it is sequentially XORed with the other taps and then fed back into the leftmost bit. Furthermore, the connection polynomial is called a characteristic polynomial.

The Galois configuration of the LFSR is illustrated in Figure 2. It also consists of a shift register of length L. The Galois structure of a LFSR of length L can also use a feedback polynomial to record the structure of the LFSR. It is defined by the characteristic polynomial p(x):

$$p(x)=1+{\displaystyle \sum _{i=1}^{L-1}{p}_i{x}^i+x^L=1+p_{1}x+p_2{x}^2+\cdots +p_{L-1}{x}^{L-1}+x^L}$$

(2)

The Galois LFSR does not concatenate every tap to produce the new input, but each tap is parallel to compute the new input bits. If the feedback polynomial of the LFSR is a primitive polynomial and the initial state of the LFSR is not all zero, the period of the output sequence of the LFSR is at most equal to 2^L − 1. Such a LFSR produces a sequence with the longest period, and we call the sequence a maximal sequence or m-sequence.

2.2. LFSR-Based Stream Cipher

In this subsection, we introduce some LFSR-based stream ciphers. The A5/1 is a clock-controlled, LFSR-based stream cipher which is used for encrypting air transmissions in the GSM standard. The diagram of an A5/1 stream cipher is illustrated in Figure 3. It is composed of three LFSRs with different lengths and primitive feedback polynomials. Each LFSR is shifted, using clock cycles that are determined by a majority function. The major issue with A5/1 security is the short period problem. The cipher operation is based on three LFSRs, R1, R2, and R3, of lengths 19, 22, and 23 bits, respectively. The experiment shows that the period of A5/1 is equal to (4/3)(2²³ − 1) [19]. Another basic issue is the collision problem. It means that A5/1 may result in the same keystream when the LFSR’s different seeds are used.

To reduce the weaknesses of A5/1, some solutions have been proposed in the literature. Erguler and Anarim, in 2005, proposed an A5/2 algorithm that consists of four registers and modified the clocking control mechanism to promote its security strength [20]. In 2006, Erguler and Erguler proposed a LFSR-based CCDM (Clock-Controlled with Dual Mode) stream cipher with a dual operating mode [15]. It is a novel clock-controlled stream cipher with Dual Mode, which is based on irregular clocking and operates with two different modes. The CCDM-Mode I merges eight 4 × 16 S-boxes of DES [21] for the keystream generation, and the CCDM-Mode II operates with a mutual clock-control mechanism. Zakaria and et al., in 2011, presented two modifications of A5/1 [22]. One is the changing of the original primitive polynomials of LFSR in A5/1. The second modification added two LFSRs and proposed five LFSRs in total. The scheme passed the randomness tests. Yohana, in 2015, improved A5/1 by means of a unit delay to increase the period of the keystream [23]. The keystream of the proposed methodology succeeded in randomness tests. In 2019, Sadkhan and Hamza added a fourth register and applied a new filtration function to A5/1 on each register to strengthen the original linear combination function and XOR operation [24]. The authors implemented hardware and made the generator more secure.

Sadkhan and Reza, in 2017, proposed a new method to investigate the best structure for the nonlinear combining function [10]. Based on LFSR, to build a nonlinear combination function consisting of n levels, the designers built it within the program and changed part of the chosen nonlinear combination function every time to observe the results. The scheme required the support of a powerful computer. In 2021, Prajapat and et al. proposed a security enhancement of the A5/1 stream cipher in GSM communications [14]. The scheme reduced the non-linear combinational generator (NLFSRs), reused the 32 bits of SRES generated by the A3 algorithm, and finally, combined the output stream with the remaining 32-bit of CGI (Cell Global Identity). From the results of the NIST Statistical Test, the scheme achieved enhanced security. In 2022, Kopparthi and et al. proposed a pseudorandom number generator based on a digital piecewise linear chaotic map with perturbation [25]. The basic algorithm for the pseudorandom number generator is based on chaos, rather than LFSR. The scheme increases the period of random sequence and succeeds in increasing security; its requirements in terms of hardware costs were also increased.

3. The Proposed Scheme

To promote the randomness and the chaos of the output keystream, we propose a multi-mode keystream generator. The different working modes are dependent on the input key. In this section, we introduce the proposed stream cipher. We apply a clock-controlled stream cipher and propose a key-based multi-mode clock-controlled stream cipher. The structure of the proposed cipher is based on multi-LFSR and is equipped with multiple cipher modes to enhance security. The mode selection is dependent on the secret key bits. For each cipher mode, the output sequences have a large period and a high linear complexity. In the following subsections, we present our proposed scheme and describe each component of the proposed stream cipher. Furthermore, we specify the details of the design.

3.1. Keystream Generator

To match the AES, the proposed key-based multi-mode clock-controlled stream cipher takes a 128-bit secret key denoted K_i, 0 ≤ i ≤ 127, and a 128-bit initialization vector denoted IV_i, 0 ≤ i ≤ 127, as its inputs. The cipher consists of four main building blocks, namely LFSRs, a clock controller, a mode controller, and an output generator. An overview of the blocks used in the stream cipher is illustrated in Figure 4.

The size of the internal state of the proposed keystream generator is 318 bits, which consists of six LFSRs: LFSR_α, LFSR_β, LFSR_γ, LFSR_a, LFSR_b, and LFSR_c, respectively. The main work of the LFSR_a, LFSR_b, LFSR_c, and output generator is to produce the keystream. The main work of the LFSR_α, LFSR_β, LFSR_γ, and the nonlinear functions is to control when LFSR_a, LFSR_b or LFSR_c, will be shifted. There are two clock operation modes in the clock controller and four output sequence generators in the output generator. They organize eight cipher operation modes. The responsibility of the mode controller is the selection of which cipher mode will operate; where the input of the mode controller is the part of secret key bits. The rightmost bits of LFSR_a, LFSR_b, and LFSR_c are inputted to the output generator to produce the keystream.

3.2. The LFSRs

The size of the internal state of the keystream generator is 318 bits, which consists of six LFSRs, namely LFSR_α, LFSR_β and LFSR_γ, LFSR_a, LFSR_b, and LFSR_c. The underlying LFSR_α, LFSR_β, LFSR_γ, LFSR_a, LFSR_b, and LFSR_c are six maximum-length LFSRs of lengths 31, 17, 13, 61, 89, and 107, respectively. The primitive feedback polynomials of the registers are defined as follows [26]:

LFSR_α: P_α(x) = x³¹ + x²⁵ + x²³ + x⁸ + 1

(3)

LFSR_β: P_β(x) = x¹⁷ + x¹⁶ + x¹² + x⁴ + 1

(4)

LFSR_γ: P_γ(x) = x¹³ + x⁸ + x⁵ + x³ + 1

(5)

LFSR_a: P_a(x) = x⁶¹ + x⁵⁹ + x⁵² + x⁴⁷ + x³⁸ + x³³ + 1

(6)

LFSR_b: P_b(x) = x⁸⁹ + x⁸¹ + x⁶⁸ + x³¹ + x²¹ + x¹⁸ + 1

(7)

LFSR_c: P_c(x) = x¹⁰⁷ + x⁸⁹ + x⁸⁴ + x⁴⁰ + x²⁹ + x²³ + 1

(8)

If the length of a LFSR is L and the LFSR is using the Fibonacci structure, it must be repeated L times to update each content of the register during initialization. In order to increase the efficiency of key initialization, we select different length LFSRs instead of a single LFSR. We use the Galois structure of a LFSR to speed up the operation of initialization.

3.3. Mode Controller

The responsibility of the mode controller is the selection of which cipher mode will operate in the system. We built a mode controller module, as shown in Figure 5. There are five input signals and three output signals in the mode controller, where the inputs of the mode controller are K₀, K₁, K₂, K₃, and K₄ of the secret key and the outputs are m₀, m₁, and m₂.

The signal m₀ is taken to control which clock operation mode will be operated, and it is generated by XORing K₀, K₁, K₂, K₃, and K₄. Here, ⊕ denotes logic XOR, the Boolean function of m₀ is given by:

m₀ = K₀ ⊕ K₁ ⊕ K₂ ⊕ K₃ ⊕ K₄

(9)

Another two output signals, m₁ and m₂, of the mode controller are taken to control which output sequence generator will operate. We use one of four quasigroups of Edon80 for a part of the mode controller. Since the four quasigroups are suitable for implementation, no hidden weaknesses can be imposed [27]. The quasigroup is shown in

Table 1. The quasigroup table.

Nr. 61		X
		0	1	2	3
Y	0	0	2	1	3
	1	2	1	3	0
	2	1	3	0	2
	3	3	0	2	1

. We let X be K₁K₀ and let Y be K₃K₂. The value X defines the row r of the quasigroup, and the value Y defines the column c. For the data on the (r, c) in Table 1, each r and c has a two-bit length, respectively. The result of (r, c) is a two-bit length, too. Then, we take the result of (r, c) to control which output sequence generator will operate.

In the hardware implementation, to reduce the gate numbers in order to store the quasigroup table, we use the Boolean functions and map the quasigroup table to logic [28]. Here, ⊕ denotes logic XOR and…denotes logic AND. The output signals m₁ and m₂ are computed by the Boolean functions as follows:

m₁ = K₀ · K₂ ⊕ K₁ ⊕ K₃

(10)

m₂ = K₀ ⊕ K₂

(11)

Finally, we obtain the logic circuit to implement the mode controller. The circuit of the mode controller is shown in Figure 6.

3.4. Clock Controller

The main work of the LFSR_a, LFSR_b, LFSR_c, and output generator is to produce the keystream. The respective rightmost bits of LFSR_a, LFSR_b, and LFSR_c are inputted into the output generator to produce the keystream, but the respective clock pulses of these three LFSRs are dependent on the clock controller. There are two clock operation modes in the clock controller, which are mode 0 and mode 1. Which outputs of the two modes will be outputted is determined according to the output signal m₀ of the mode controller. If m₀ = 0, then the outputs of mode 0 are outputted. On the other hand, if m₀ = 1, then the outputs of mode 1 are outputted.

The clock controller consists of three LFSRs and some nonlinear Boolean functions. The three LFSRs are LFSR_α, LFSR_β, and LFSR_γ, and the respective rightmost bits of these LFSRs are inputted into nonlinear Boolean functions, and then the outputs of the nonlinear Boolean functions are used to control whether LFSR_a, LFSR_b, or LFSR_c will be shifted. It means the clock controller controls respective clock pulses of the LFSR_a, LFSR_b, and LFSR_c. We describe how the clock controller controls the respective clock pulses of the LFSR_a, LFSR_b, and LFSR_c.

First, the respective rightmost bits of the LFSR_α, LFSR_β, and LFSR_γ are denoted by α_0t, β_0t, and γ_0t, respectively, at time t. They are inputted into the f_maj function and the f_and function, which are given by:

f_maj = (α_0t⋯β_0t) + (α_0t⋯γ_0t) + (β_0t⋯γ_0t)

(12)

f_and = α_0t⋯β_0t⋯γ_0t

(13)

where, +denotes logic OR and⋯denotes logic AND. For the mode of m₀ = 0, then f_maj function is selected. If α_0t = f_maj, then LFSR_a is shifted. While β_0t = f_maj and γ_0t = f_maj, then LFSR_b and LFSR_c are shifted, respectively. Similarly, for another mode of m₀ = 1, the f_and function will be selected. If α_0t = f_and, then LFSR_a is shifted. While β_0t = f_and and γ_0t = f_and, then LFSR_b and LFSR_c are shifted, respectively. According to the above, we define clk_ai, clk_bi, and clk_ci as the clocking condition of LFSR_a, LFSR_b, and LFSR_c, respectively, where i ∊ {0, 1}. For the mode of m₀ = 0, then clk_a0, clk_b0, and clk_c0 are selected. If clk_a0 = 1, then LFSR_a is shifted. While clk_b0 = 1 and clk_c0 = 1, then LFSR_b and LFSR_c are shifted, respectively. On the other hand, for the mode of m₀ = 1, then clk_a1, clk_b1, and clk_c1 are selected. If clk_a1 = 1, then LFSR_a is shifted. While clk_b1 = 1 and clk_c1 = 1, then LFSR_b and LFSR_c are shifted, respectively.

Next, we build two truth tables for the clocking conditions of the three LFSRs, LFSR_a, LFSR_b, and LFSR_c, which are shown in

Table 2. Clocking condition under m₀ = 0.

LFSRα	LFSRβ	LFSRγ	fmaj	LFSRa	LFSRb	LFSRc
α0t	β0t	γ0t		clka0	clkb0	clkc0
0	0	0	0	1	1	1
0	0	1	0	1	1	0
0	1	0	0	1	0	1
0	1	1	1	0	1	1
1	0	0	0	0	1	1
1	0	1	1	1	0	1
1	1	0	1	1	1	0
1	1	1	1	1	1	1

and

Table 3. Clocking condition under m₀ = 1.

LFSRα	LFSRβ	LFSRγ	fand	LFSRa	LFSRb	LFSRc
α0t	β0t	γ0t		clka1	clkb1	clkc1
0	0	0	0	1	1	1
0	0	1	0	1	1	0
0	1	0	0	1	0	1
0	1	1	0	1	0	0
1	0	0	0	0	1	1
1	0	1	0	0	1	0
1	1	0	0	0	0	1
1	1	1	1	1	1	1

. Then, we can simplify clk_a0, clk_b0, and clk_c0 into Boolean functions for clock operation mode 0, as well as clk_a1, clk_b1, and clk_c1 for clock operation mode 1. The simplified Boolean functions of the two clock operation modes are shown as follows:

Clock operation mode 0:

$$cl{k}_{a_0}={\overline{\alpha }}_{0t}{\overline{\beta }}_{0t}+{\alpha }_{0t}{\gamma }_{0t}+{\beta }_{0t}{\overline{\gamma }}_{0t}$$

(14)

$$cl{k}_{b_0}={\overline{\beta }}_{0t}{\overline{\gamma }}_{0t}+{\overline{\alpha }}_{0t}{\gamma }_{0t}+{\alpha }_{0t}{\beta }_{0t}$$

(15)

$$cl{k}_{c_0}={\overline{\beta }}_{0t}{\overline{\gamma }}_{0t}+{\alpha }_{0t}{\gamma }_{0t}+{\overline{\alpha }}_{0t}{\beta }_{0t}$$

(16)

Clock operation mode 1:

$$cl{k}_{a_1}={\overline{\alpha }}_{0t}+{\beta }_{0t}{\gamma }_{0t}$$

(17)

$$cl{k}_{b_1}={\overline{\beta }}_{0t}+{\alpha }_{0t}{\gamma }_{0t}$$

(18)

$$cl{k}_{c_1}={\overline{\gamma }}_{0t}+{\alpha }_{0t}{\beta }_{0t}$$

(19)

At each clock cycle, only one of the two clock operation modes will determine whether the LFSR_a, LFSR_b, or LFSR_c are shifted or not, since the signal m₀ is taken to switch which outputs of clock operation mode will output. Furthermore, each rightmost bit of LFSR_a, LFSR_b, and LFSR_c will input to the output generator to generate the keystream.

3.5. Output Generator

The output generator takes sequence a_0t, b_0t, and c_0t as its input, which are the respective rightmost bits of LFSR_a, LFSR_b, and LFSR_c at time t. There are four output sequence generators in the output generator. The sequence outputs are denoted by z_0t, z_1t, z_2t and z_3t. According to the selected mode, the output signals m₁ and m₂ of the mode controller are taken to control which output sequence generator will operate. For example, if m₂ = 0 and m₁ = 0, then output sequence generator 0 (OSG₀) will be operated, and so on.

Table 4. The operating condition under m₂ and m₁.

m2	m1	Operating OSGi
0	0	OSG0
0	1	OSG1
1	0	OSG2
1	1	OSG3

lists the operating conditions under m₂ and m₁.

The output sequence generators are given as follows:

Output Sequence Generator 0 (OSG₀): In this generator, we use exclusive-or operation with a_0t, b_0t, and c_0t to produce keystream z_0t, which is given by:

z_0t = a_0t ⊕ b_0t ⊕ c_0t

(20)

The output-inputs correlation probability of OSG₀ is demonstrated in

Table 5. Correlation probability of OSG₀.

a0t	b0t	c0t	z0t	Correlation Probability
0	0	0	0	Output-Inputs: prob(z0t = a0t) = ½ prob(z0t = b0t) = ½ prob(z0t = c0t) = ½
0	0	1	1
0	1	0	1
0	1	1	0
1	0	0	1
1	0	1	0
1	1	0	0
1	1	1	1

. All correlations between inputs and output are both 1/2.

Output Sequence Generator 1 (OSG₁): In this generator, we use two Dawson’s summation generators to produce the keystream. The diagram of Dawson’s summation generator (DSG) is shown in Figure 7 and the functions are defined as follows [29]:

z_j = a_j ⊕ b_j ⊕ c_j−1

(21)

c_j = b_j ⊕ (a_j ⊕ b_j) · c_j−1

(22)

Here a_j, b_j, and c_j−1 denote the input sequences of DSG, and c_j−1 is c_j delayed one clock. The initial state of the bit, c_j−1, is defined to be zero. In addition, the DSG has high resistance against correlation attacks [29], due to all its output-inputs correlation probabilities being ½, as demonstrated in

Table 6. Correlation probability of DSG.

aj	bj	cj−1	cj	zj	Correlation Probability
0	0	0	0	0	Output-Inputs: prob(zj = aj) = ½ prob(zj = bj) = ½ prob(zj = cj−1) = ½ Output-cj: prob(zj = cj) = ½
0	0	1	0	1
0	1	0	1	1
0	1	1	0	0
1	0	0	0	1
1	0	1	1	0
1	1	0	1	0
1	1	1	1	1

.

In Figure 1, we use two DSGs to generate keystream z_1t. The diagram of OSG₁ is shown in Figure 8. The functions can be written as follows:

DSG₁:

z_1t = f_t ⊕ c_0t ⊕ e_t−1

(23)

e_t = c_0t ⊕ (f_t ⊕ c_0t)⋯e_t−1

(24)

DSG₂:

f_t = a_0t ⊕ b_0t ⊕ d_t−1

(25)

d_t = b_0t ⊕ (a_0t ⊕ b_0t)⋯d_t−1

(26)

The initial state of the bits, f_t−1 and e_t−1, are defined to be zero and the output function of the OSG₁ can be sorted as follows:

z_1t = a_0t ⊕ b_0t ⊕ c_0t ⊕ d_t−1 ⊕ e_t−1

(27)

d_t = b_0t ⊕ (a_0t ⊕ b_0t) · d_t−1

(28)

e_t = c_0t ⊕ (a_0t ⊕ b_0t ⊕ c_0t ⊕ d_t−1)⋯e_t−1

(29)

We also sort the respective correlation probabilities of the output-inputs, output-d_t and output-e_t, of OSG₁. All of them are equal to 1/2, which is demonstrated in

Table 7. Correlation probabilities of OSG₁.

a0t	b0t	c0t	dt−1	et−1	dt	et	z1t	Correlation Probability
0	0	0	0	0	0	0	0	Output-Inputs: prob(z1t = a0t) = ½ prob(z1t = b0t) = ½ prob(z1t = c0t) = ½ prob(z1t = dt−1) = ½ prob(z1t = et−1) = ½ Output-dt: prob(z1t = dt) = ½ Output-et: prob(z1t = et) = ½
0	0	0	0	1	0	0	1
0	0	0	1	0	0	0	1
0	0	0	1	1	0	1	0
0	0	1	0	0	0	1	1
0	0	1	0	1	0	0	0
0	0	1	1	0	0	1	0
0	0	1	1	1	0	1	1
0	1	0	0	0	1	0	1
0	1	0	0	1	1	1	0
0	1	0	1	0	0	0	0
0	1	0	1	1	0	0	1
0	1	1	0	0	1	1	0
0	1	1	0	1	1	1	1
0	1	1	1	0	0	1	1
0	1	1	1	1	0	0	0
1	0	0	0	0	0	0	1
1	0	0	0	1	0	1	0
1	0	0	1	0	1	0	0
1	0	0	1	1	1	0	1
1	0	1	0	0	0	1	0
1	0	1	0	1	0	1	1
1	0	1	1	0	1	1	1
1	0	1	1	1	1	0	0
1	1	0	0	0	1	0	0
1	1	0	0	1	1	0	1
1	1	0	1	0	1	0	1
1	1	0	1	1	1	1	0
1	1	1	0	0	1	1	1
1	1	1	0	1	1	0	0
1	1	1	1	0	1	1	0
1	1	1	1	1	1	1	1

.

Output Sequence Generator 2 (OSG₂): The OSG₂ is shown in Figure 9. In this generator, we build a hybrid carry bit g_t and merge it with DSG to generate keystream z_2t, which can be defined as follows:

z_2t = a_0t ⊕ b_0t ⊕ c_0t ⊕ g_t−1

(30)

g_t = g_t−1 ⊕ (a_0t ⊕ g_t−1 ⊕ c_0t)⋯b_0t

(31)

The initial state of the bits, g_t−1, is defined to be zero. All of the correlation probabilities of the output-inputs and the output-g_t of OSG₂ are equal to 1/2, which are demonstrated in

Table 8. Correlation probability of OSG₂.

a0t	b0t	c0t	gt−1	gt	z2t	Correlation Probability
0	0	0	0	0	0	Output-Inputs: prob(z2t = a0t) = ½ prob(z2t = b0t) = ½ prob(z2t = c0t) = ½ prob(z2t = gt−1) = ½ Output-gt: prob(z2t = gt) = ½
0	0	0	1	1	1
0	0	1	0	0	1
0	0	1	1	1	0
0	1	0	0	0	1
0	1	0	1	0	0
0	1	1	0	1	0
0	1	1	1	1	1
1	0	0	0	0	1
1	0	0	1	1	0
1	0	1	0	0	0
1	0	1	1	1	1
1	1	0	0	1	0
1	1	0	1	1	1
1	1	1	0	0	1
1	1	1	1	0	0

.

Output Sequence Generator 3 (OSG₃): The OSG₃ is shown in Figure 10. In this generator, we establish another hybrid carry bit h_t, and output functions then merge them with DSG to generate keystream z_3t; which can be defined as follows:

z_3t = a_0t ⊕ b_0t ⊕ c_0t ⊕ h_t−1

(32)

h_t = a_0t · (b_0t ⊕ c_0t ⊕ h_t−1) ⊕ b_0t ⊕ c_0t

(33)

The initial state of the bits, h_t−1, is defined to be 0. The correlation probabilities of the output-inputs and the output-h_t of OSG₃ are both 1/2, which are demonstrated in

Table 9. Correlation probability of OSG₃.

a0t	b0t	c0t	ht−1	ht	z3t	Correlation Probability
0	0	0	0	0	0	Output-Inputs: prob(z3t = a0t) = ½ prob(z3t = b0t) = ½ prob(z3t = c0t) = ½ prob(z3t = ht−1) = ½ Output-ht: prob(z3t = ht) = ½
0	0	0	1	0	1
0	0	1	0	1	1
0	0	1	1	1	0
0	1	0	0	1	1
0	1	0	1	1	0
0	1	1	0	0	0
0	1	1	1	0	1
1	0	0	0	0	1
1	0	0	1	1	0
1	0	1	0	0	0
1	0	1	1	1	1
1	1	0	0	0	0
1	1	0	1	1	1
1	1	1	0	0	1
1	1	1	1	1	0

.

3.6. Key/IV Setup

The inputs of the keystream generator are called seeds. The requirements of these seeds are that they must be random and unpredictable before generating the keystream. For this reason, we must use the key initialization procedure to perform the requirement. In this subsection, we describe the computation of the initial inner state before starting the keystream generation. First, part bits of the secret key are collaterally loaded into the 318-bit initial state of the cipher. Then, the remaining bits of the secret key and the 128-bit initialization vector are fed into the 318-bit initial state of the cipher using the key initialization procedure. We generalize the Key/IV Setup into two phases, the initial filling phase and the key initialization procedure phase. It works as follows.

3.6.1. Initial Filling Phase

The 128-bit secret key K is denoted by K = K₀, …, K₁₂₇ and the 128-bit initialization vector IV is denoted by IV = IV₀, …, IV₁₂₇. The internal states of LFSR_α, LFSR_β, and LFSR_γ are denoted by α_i, β_I, and γ_I, respectively, where:

α_i, 0 ≤ i ≤ 30

(34)

β_i, 0 ≤ i ≤ 16

(35)

γ_i, 0 ≤ i ≤ 12

(36)

The internal states of LFSR_a, LFSR_b, and LFSR_c are denoted by a_i, b_i, and c_i, respectively, where:

a_i, 0 ≤ i ≤ 60

(37)

b_i, 0 ≤ i ≤ 88

(38)

c_i, 0 ≤ i ≤ 106

(39)

The initial filling of each LFSR is carried out as follows:

(a₆₀, a₅₉, …, a₁, a₀) ← (K₅₉, K₅₈, …, K₀, 1)

(40)

(α₃₀, α₂₉, …, α₁, α₀) ← (K₈₉, K₈₈, …, K₆₀, 1)

(41)

(b₈₈, b₈₇, …, b₁, b₀) ← (K₈₇, K₈₆, …, K₀, 1)

(42)

(β₁₆, β₁₅, …, β₁, β₀) ← (K₁₀₅, K₁₀₄, …, K₈₈, 1)

(43)

(c₁₀₆, c₁₀₅, …, c₁, c₀) ← (K₁₀₅, K₁₀₄, …, K₀, 1)

(44)

(γ₁₂, γ₁₁, …, γ₁, γ₀) ← (K₁₁₇, K₁₁₆, …, K₁₀₆, 1)

(45)

Notice that only part bits of the secret key are collaterally loaded into the 318-bit initial state of the cipher. The 38-bit secret key and 128-bit initialization vector have not been used yet.

3.6.2. Key Initialization Procedure Phase

After part bits of the 128-bit secret key are collaterally loaded into the 318-bit initial state of the cipher, the remaining 38-bit secret key and the 128-bit initialization vector are fed into the cipher using the key initialization procedure, which is described in Figure 11. We must use 166 cycles to perform this procedure. Here, we use the parameters seed_αt, seed_βt, and seed_γt to denote the remaining bits of the secret key and the initialization vector, for 0 ≤ t ≤ 165. The parameters seed_αt, seed_βt, and seed_γt are given as follows:

(seed_α165, ..., seed_α0) ← (IV₁₂₇, ..., IV₀, K₁₂₇, …, K₉₀)

(46)

(seed_β165, ..., seed_β0) ← (0, ..., 0, IV₁₂₇, ..., IV₀, K₁₂₇, …, K₁₀₆)

(47)

(seed_γ165, ..., seed_γ0) ← (0, ..., 0, IV₁₂₇, ..., IV₀, K₁₂₇, …, K₁₁₈)

(48)

During the key initialization procedure, the respective rightmost bits of LFSR_a, LFSR_b, and LFSR_c are still inputted to OSG₁, OSG₂, and OSG₃. The output sequences z_1t, z_2t, and z_3t of OSG₁, OSG₂, and OSG₃, respectively, are fed back and XORed with seed_αt, seed_βt, and seed_γt, respectively, into the leftmost bit of LFSR_α, LFSR_β, and LFSR_γ in parallel, where 0 ≤ t ≤ 165. Note that there is no bit of the keystream output during this initialization procedure, and each LFSR is clocked 166 times using the clk clock. It means that each LFSR is clocked in the normal way by ignoring the clocking controller.

4. Security Properties

The long period, high linear complexity, and good statistical properties are three of the basic requirements for pseudorandom binary sequences in cryptographic applications. In this section, we consider the period, linear complexity, statistical properties, and some attacks with respect to our design. Due to the proposed scheme, the multi-clocking keystream generator and the periods of each LFSR affect each other by current states. We provide the mathematical results regarding the period and linear complexity of our scheme.

4.1. Period

One of the important attributes to be considered for a stream cipher is the period of the keystream. The period of a keystream s = s₀, s₁, s₂, … is the smallest positive integer N if s_i = s_i+N for all i ≥ 0. If the period of the keystream is too short, it will result in different parts of the plaintext being encrypted in the identical bits of the keystream. The long period can avoid the keystream being reused when encrypting long plaintexts.

In our scheme, the internal state of the proposed cipher consists of LFSR_α, LFSR_β, LFSR_γ, LFSR_a, LFSR_b, and LFSR_c, and all of these LFSRs are six maximum-length LFSRs of lengths 31, 17, 13, 61, 89, and 107, respectively. The respective periods of LFSR_α, LFSR_β, LFSR_γ, LFSR_a, LFSR_b, and LFSR_c are denoted as P_α, P_β, P_γ, P_a, P_b, and P_c, respectively, and they are equal to 2³¹ − 1, 2¹⁷ − 1, 2¹³ − 1, 2⁶¹ − 1, 2⁸⁹ − 1, and 2¹⁰⁷ − 1, respectively. Notice that all of these periods are prime numbers. The main work of LFSR_a, LFSR_b, and LFSR_c is to produce the keystream, but their respective clock pulses are dependent on the clock controller. The clock controller consists of LFSR_α, LFSR_β, LFSR_γ, and some nonlinear Boolean functions, and its output sequences clk_ai, clk_bi, and clk_ci, where i ∊ {0, 1}, are taken to control the respective clock pulses of LFSR_a, LFSR_b, and LFSR_c. It means the periods of LFSR_a, LFSR_b, and LFSR_c will be affected by the periods of clk_ai, clk_bi, and clk_ci. Let us define the periods of clk_ai, clk_bi, and clk_ci as P_clkai, P_clkbi, and P_clkci, respectively. The periods P_clkai, P_clkbi, and P_clkci can be written as [30]:

$$P_{cl{k}_{ai}}=lcm(P_{\alpha }, P_{\beta }, P_{\gamma })=lcm(2^{31}-1, 2^{17}-1, 2^{13}-1)$$

(49)

$$P_{cl{k}_{bi}}=lcm(P_{\alpha }, P_{\beta }, P_{\gamma })=lcm(2^{31}-1, 2^{17}-1, 2^{13}-1)$$

(50)

$$P_{cl{k}_{ci}}=lcm(P_{\alpha }, P_{\beta }, P_{\gamma })=lcm(2^{31}-1, 2^{17}-1, 2^{13}-1)$$

(51)

where lcm(·) denotes the function of the least common multiple. Since all of the periods P_α, P_β, and P_γ are prime numbers, P_clkai, P_clkbi, and P_clkci can be simplified to:

P_clkai = P_clkbi = P_clkci = P_αP_βP_γ = (2³¹ − 1)(2¹⁷ − 1)(2¹³ − 1) ≅ 2⁶¹

(52)

Next, the sequences clk_ai, clk_bi, and clk_ci are taken to control the respective clock pulses of the LFSR_a, LFSR_b, and LFSR_c. If clk_ai = 1 and the clk edge trigger simultaneously occurs, then LFSR_a is shifted, and for LFSR_b and LFSR_c. Let us define S_a, S_b, and S_c as the number of 1’s in the sequences clk_ai, clk_bi, and clk_ci, respectively, in every period. The T_a, T_b, and T_c represent affected periods of LFSR_a, LFSR_b, and LFSR_c, respectively. Thus, the periods T_a, T_b, and T_c can be written as [15]:

$$T_a=\frac{P_{cl{k}_{ai}}\times P_a}{\gcd (S_a, P_a)}$$

(53)

$$T_b=\frac{P_{cl{k}_{bi}}\times P_b}{\gcd (S_b, P_b)}$$

(54)

$$T_c=\frac{P_{cl{k}_{ci}}\times P_c}{\gcd (S_c, P_c)}$$

(55)

Since all of the periods P_a, P_b, and P_c are prime numbers, and they are greater than S_a, S_b, and S_c, respectively, it means gcd(S_k; P_k) = 1 for k ∊ {a; b; c}. Thus, T_a, T_b, and T_c can be simplified to:

$$T_a=\frac{P_{cl{k}_{ai}}\times P_a}{\gcd (S_a, P_a)}\cong 2^{61}\times (2^{61}-1)$$

(56)

$$T_b=\frac{P_{cl{k}_{bi}}\times P_b}{\gcd (S_b, P_b)}\cong 2^{61}\times (2^{89}-1)$$

(57)

$$T_c=\frac{P_{cl{k}_{ci}}\times P_c}{\gcd (S_c, P_c)}\cong 2^{61}\times (2^{107}-1)$$

(58)

Finally, the output generator takes the respective rightmost bits of LFSR_a, LFSR_b, and LFSR_c as its input to generate the keystream. The period T_z of the keystream can be written as follows:

$$T_z=lcm(T_a, T_b, T_c)\cong 2^{(61+61+89+107)}\cong 2^{318}$$

(59)

It can be seen that, for the period of our proposed method, each cipher is high by considering the security requirements for each cipher mode.

4.2. Linear Complexity

Any periodic sequence can be generated by a Linear Feedback Shift Register (LFSR), since a linear recurrence (or a characteristic polynomial) can be implemented by using a LFSR. Given a periodic sequence, the Berlekamp-Massey algorithm [31] can be used to calculate this recurrence and linear complexity. The length of the shortest recurrence is defined as the linear complexity of a periodic sequence.

The linear complexity is also defined as the size of the shortest LFSR, which can reproduce the same sequence as the given sequence. If the keystream has a linear complexity LC = n, it can be reconstructed by a LFSR after examining only 2n bits of the keystream. Once the LFSR is generated by the attacker, they can break the stream cipher. Therefore, the high linear complexity of the keystream is a necessary condition and very important for the design of stream ciphers. The high linear complexity of a keystream means that it possesses higher non-predictability.

According to the Beth-Piper stop-and-go generator and the Gollmann cascade stop-and-go generator in [30], we can provide the lower bound of the linear complexity of our scheme. For our scheme, we use the clock controller to control the respective clock pulses of the LFSR_a, LFSR_b, and LFSR_c. Their respective clock pulses are dependent on the output sequences clk_ai, clk_bi, and clk_ci of the clock controller, where i ∊ {0, 1}. We use P_clkai, P_clkbi, and P_clkci to represent the respective periods of clk_ai, clk_bi, and clk_ci. The primitive feedback polynomials of LFSR₁, LFSR₂, and LFSR₃ have degrees of L_a, L_b, and L_c, respectively. The lower bound of the linear complexity LC of the proposed cipher can be written as follows:

$$\begin{array}{ll}LC& =P_{cl{k}_{ai}}{L}_a+P_{clk}{}_{{}_{bi}}{L}_b+P_{cl{k}_{ci}}{L}_c\\ & \cong 2^{61}\times 61+2^{61}\times 89+2^{61}\times 107\\ & \cong 2^{61}\times 257\\ & \cong 2^{69}\end{array}$$

(60)

The linear complexity LC and characteristic polynomial of a keystream can be computed by the Berlekamp-Massey algorithm to obtain the linear complexity LC and characteristic polynomial of the keystream which costs approximately O(LC²) [32].

The requirement of the linear complexity of the stream cipher is determined by different security levels. For example, when the computation cost of a stream cipher is required equal to the security strength of AES, it must to be approximately equal to O(2¹²⁸). For our scheme, the linear complexity LC of the proposed stream cipher is approximately equal to 2⁶⁹. According to the above, the computation cost of the proposed cipher can be written as follows:

$$O(L{C}^2)=O({(2^{69})}^2)=O(2^{138})>O(2^{128})$$

(61)

It can be seen that the computation cost of our proposed cipher satisfies the security strength of AES, being even stronger than AES.

4.3. Statistical Properties

Good statistical properties for randomness are one of the basic important requirements for stream ciphers. The keystream of a good stream cipher not only has the feature of non-predictability, but also has good statistical properties for randomness. So, to implement a stream cipher, the capability to perform statistical tests for randomness must be incorporated. Randomness testing of random and pseudorandom number generators is used in many cryptographic, modeling, and simulation applications. The National Institute of Standards and Technology (NIST) has developed different criteria that may be employed to investigate the randomness of cryptographic applications.

In order to evaluate the randomness of the proposed keystream, we use the Federal Information Processing Standards Publication 140-1 (FIPS PUB 140-1) [16] and the Special Publication 800-22 (SP800-22) [17] to perform the statistical tests for our scheme. They are also issued by the NIST, where the FIPS PUB 140-1 standard is the security requirement for cryptographic modules and the SP800-22 is a statistical test suite for random and pseudorandom number generators for cryptographic applications.

For the FIPS PUB 140-1 standard, there are four test types in the random tests. The specifications of the recommended tests are based on a single bit stream of 20,000 consecutive output bits. To perform the FIPS PUB 140-1 tests, we sampled 100 different keystreams which were generated by 100 random keys and 100 random initialization vectors. Each keystream was a single bit stream of length 20,000 bits. The proposed cipher passed the FIPS PUB 140-1 tests by a proportion of at least 97.00%.

Furthermore, for the SP800-22 statistical test suite, there are fifteen test types in the statistical tests that were developed to test the randomness of binary sequences. These tests focus on a variety of different types of non-randomness that could exist in a sequence. For the SP800-22 statistical test suite, we sampled 100 different keystreams under the 100 secret keys, and initialization vectors were randomly chosen. Each sample was 10,000,000 bits in length. The proposed cipher passed the SP800-22 tests by a proportion of at least 98.00%, with a significance level of 0.01.

4.4. Time-Memory-Data Tradeoff Attack

In 1980, Hellman introduced a general technique for breaking arbitrary block ciphers called a time-memory tradeoff attack. It can also be generalized to the general problem of inverting one-way functions. Babbage and Golić, and later, Biryukov, Shamir, and Wagner, pointed out that a different tradeoff attack called a time-memory-data tradeoff attack is applicable to stream ciphers. Several stream ciphers have been broken by time-memory-data tradeoff attacks, including the famous GSM encryption scheme A5/1 [31].

The time-memory-data tradeoff attack consists of two phases; i.e., the pre-computation phase and the online phase. In the pre-computation phase, the attacker builds large tables relating to the behavior of the system in question. During the online phase, the attacker obtains actual data produced from an unknown key, and his goal is to use the pre-computed tables to find the key as quickly as possible. There are five parameters for any time-memory-data tradeoff attack [33,34]:

-

N denotes the size of the search space

-

P denotes the time required for the pre-computation phase

-

M denotes the size of memory used to store the pre-computed tables

-

T denotes the time required for the online phase

-

D denotes the amount of output data available to the attacker

The requirement for the attack is that T and M should be smaller than N, since the sum or maximum of T and M is usually signified by the complexity of the time-memory-data tradeoff attack.

For the Babbage-Golić tradeoff attack described in [34], it assumes that the size of the internal state of the stream cipher in N bits and D different keystreams of length logN are given. The goal of this attack is to recover one of the internal states from any one of the given keystreams. Once a state is found, the corresponding internal states are derived from the rest of the plaintext by running the generator forwards from this known state. For this time-memory-data tradeoff attack, the memory requirement is M = N/D. It suffices to search the entries in the table D times and the time complexity is T = D with the pre-computation time P = M. By ignoring some of the available data, the T can be reduced from T towards 1, and thus, generalize the tradeoff to TM = N and P = M for any 1 ≤ T ≤ D. T = M constitutes an attack of T = M = D = N^1/2.

Another enhanced tradeoff attack, as described in [34], was presented by Biryukov and Shamir. This attack combined the works of Hellman and Babbage-Golić to launch a new time-memory-data tradeoff attack on steam ciphers. It assumed that the internal state could take N different values. As with the work of Babbage-Golić, the aim of this attack is to recover any one of the many internal states of the stream cipher for D different keystreams that are given. In the tradeoff attack by Biryukov-Shamir, the parameters of which satisfy the relation P = N/D and TM²D² = N² for 1 ≤ T ≤ D. T = M = N^1/2 with D = N^1/4 constitutes an attack.

In fact, Babbage suggested that a secret key length of k bits is required and a state size of at least 2k bits is required as a design principle of stream ciphers. Similarly, Golić stated that a simple way of increasing security is to make the internal memory size larger.

According to the above, we know the time-memory-data tradeoff attack can be applied when the state size of the stream cipher is too small. A necessary condition on the state size of a stream cipher is that it has to be at least two times the secret key length. For our scheme, the proposed stream cipher takes the 128-bit secret key. In order to avoid time-memory-data tradeoff attacks, the size of the internal state must to be at least 256. However, the size of the internal state of the proposed cipher is 318 bits, which means that the size of the search space N = 2³¹⁸ > 2²⁵⁶. This gives T = M = D = N^1/2 = 2¹⁵⁹ for the Babbage-Golić tradeoff and T = M = N^1/2 = 2¹⁵⁹, D = N^1/4 = 2^79.5 for the Biryukov-Shamir tradeoff attack, respectively. The results show that they are not better than an exhaustive key search, so the proposed stream cipher can resist against these attacks.

4.5. Correlation Immunity Properties

Correlation immunity as a measure of resistance against ciphertext-only correlation attacks in stream ciphers was defined by Siegenthaler [35]. As shown in Figure 12, there is a nonlinear function f with n input sequences x = {x₀, x₁, …, x_n−1}. If the correlation between output sequence z and m input sequences is statistically independent, then the function has correlation immunity of order m, where m ≤ n. Therefore, the mutual information between the output sequence z and any subset of m input sequences is zero.

The m-th order correlation immune function f with n input sequences is defined as follows:

prob[f(x) = 1|x_i1 = s₁, x_i2 = s₂, …, x_im = s_m] = prob[f(x) = 1]

(62)

prob[f(x) = 0|x_i1 = s₁, x_i2 = s₂, …, x_im = s_m] = prob[f(x) = 0]

(63)

where the x_i1, x_i2, …, x_im denote the input variables for 0 ≤ i₁ < i₂ < … < i_m ≤ n − 1, and (s₁, s₂, …, s_m) ∊ {0, 1}^m. If f is balanced, prob[ f(x) = 1] = prob[ f(x) = 0] = 1/2, then f is also called the m-resilient function.

For our scheme, we proposed four output sequence generators (OSGs) to produce the keystream, which was described in Section 3.5. The four OSGs consist of nonlinear Boolean functions, except OSG₀. All of these OSGs satisfy the properties of being balanced and correlation immune of order one. The four OSGs, namely OSG₀, OSG₁, OSG₂, and OSG₃, take sequence a_0t, b_0t, and c_0t as their inputs, and their output sequences are denoted by z_0t, z_1t, z_2t, and z_3t, respectively. All of the output-inputs correlation probabilities of each OSG are listed as follows:

prob[z_0t = a_0t] = prob[z_0t = b_0t] = prob[z_0t = c_0t] = 1/2

(64)

prob[z_1t = a_0t] = prob[z_1t = b_0t] = prob[z_1t = c_0t] = prob[z_1t = d_t] = prob[z_1t = e_t] = 1/2

(65)

prob[z_2t = a_0t] = prob[z_2t = b_0t] = prob[z_2t = c_0t] = prob[z_2t = g_t] = 1/2

(66)

prob[z_3t = a_0t] = prob[z_3t = b_0t] = prob[z_3t = c_0t] = prob[z_3t = h_t] = 1/2

(67)

where d_t and e_t are carry bits of Dawson’s method in OSG₁, g_t and h_t are respective hybrid carry bits of OSG₂ and OSG₃. After delaying one clock, they are fed back as extra inputs of OSG₁, OSG₂, and OSG₃, respectively.

It is apparent that the output bit is uncorrelated to all the individual input bits for each OSG. The proposed stream cipher is deemed secure and it can resist against some correlation attacks.

5. Experimental Results

In this chapter, the criteria tests and experimental results are described. First, we use the Verilog hardware description language to describe the behavior of the proposed stream cipher. Next, the simulation results of the keystream are taken to evaluate the statistical properties for randomness according to the FIPS PUB 140-1 and SP800-22 packages. Using the 100 secret keys and with initialization vectors randomly chosen, we sampled 100 different keystreams to utilize the statistical test suite. Finally, we provide a performance comparison between the CCDM stream ciphers.

5.1. Statistical Random Number Tests

Good statistical properties for randomness are one of the basic important requirements for stream ciphers. Any cryptographic modules that implement a random or pseudorandom number generator shall incorporate this capability to perform statistical tests for randomness. The NIST has developed different criteria that may be employed to investigate the randomness of cryptographic applications. In order to evaluate the randomness of the proposed keystream, we use the Federal Information Processing Standards Publication 140-1 (FIPS PUB 140-1) and the Special Publication 800-22 (SP800-22) to perform the statistical tests for our scheme.

5.1.1. Random Test Results under FIPS PUB 140-1

As required by FIPS PUB 140-1, the proposed cipher must perform four different test types. These tests include a monbit test, a prker test, a runs test and a long runs test. According to the specifications of FIPS PUB 140-1, these tests were based on a stream of 20,000 consecutive bits. To determine the randomness properties of our scheme, we randomly chose 100 secret keys and initialization vectors, and used them to generate 100 different keystreams for our scheme. Then, we sampled 100 different keystreams to perform the FIPS PUB 140-1 tests, where each keystream was a single bit stream of 20,000 consecutive bits. The test results are shown in

Table 10. Random Test Results under FIPS PUB 140-1.

FIPS PUB 140-1 Tests	Pass Rate under 20,000 bits/Sample
Monobit Test	100.00%
Poker Test	97.00%
Runs Test	100.00%
Long Run Test	100.00%

. The proposed cipher passes the FIPS PUB 140-1 tests by a proportion of at least 97.00%.

5.1.2. Statistical Test Results under NIST SP800-22

We sampled 100 different keystreams to perform the SP800-22 statistical test suite with 100 secret keys and initialization vectors that were randomly chosen. Each sample was 10,000,000 bits in length. Notice, in the cases of the Random Excursions test and the Random Excursions variant test, the requirement for the number J must be greater than 500. As mentioned above, the proposed cipher passed the SP800-22 test suite with a proportion of at least 98.00%. The test results are shown in

Table 11. Statistical Test under NIST SP800-22.

No.	Statistical Tests	p-Value	Pass Rate Under 107 bits/Sample
1	Frequency	0.874153	100.00%
2	Block Frequency	0.934875	98.00%
3	Runs	0.938110	100.00%
4	Longest Runs of Ones	0.987412	98.00%
5	Rank	0.841558	99.00%
6	Discrete Fourier Transform	0.994201	100.00%
7	Non-Overlapping Templates Matching	0.835479	98.98%
8	Overlapping Templates Matching	0.885029	99.00%
9	Universal Statistical	0.847512	98.00%
10	Linear Complexity	0.928920	99.00%
11	Serial	0.974116	99.00%
12	Approximate Entropy	0.844743	99.00%
13	Cumulative Sums	0.841321	99.00%
14	Random Excursions	0.954667	98.63%
15	Random Excursions Variant	0.985103	99.11%

. Figure 13 is the comparison chart of p-values between A5/1, Prajapat’s scheme [14], and the proposed scheme. The parameter p-value is calculated during testing, which is the strength of the randomness of the dataset. Each p-value corresponds to the probability that the bit sequence of the dataset under testing is random. If it is equal to 1, then the bit sequence has ideal randomness. From the figure, it can be seen that the proposed scheme made progress in the NIST statistical tests.

5.2. Performance

We compare the performance of the proposed scheme against other stream ciphers in this subsection. The CCDM [15] stream cipher is based on irregular clocking and operating on two different modes, but it does not refer to the design of the key initialization and the operation of mode selection. On the other hand, the proposed scheme has low key initialization cycles and simplicity in terms of mode switching. We used the Verilog hardware description language as our design entry to describe the behavior of the key-based multi-mode clock-controlled stream cipher. The proposed design was synthesized using TSMC 0.18 μm CMOS technology. After synthesis, it showed that the gate level design contained about 5599 gates. Furthermore, our proposed scheme was allowed to run at a working frequency up to 284 MHz.

Table 12. Performance comparison with some stream ciphers.

Stream Ciphers	Key (bits)	Initialization Cycle	Bits/Cycle	Max. Clock Freq. (MHz)	Gate Count	Process (mm)
Trivium	80	1152	1	327.9	2580	0.13
Grain128	128	256	1	925.5	1857	0.13
F-FCSR-16	128	258	16	317.5	8072	0.13
Mickey128	128	IVlength + 128 + 160	1	413.2	5039	0.13
Decim128	128	1152	0.25	309.6	3819	0.13
Edon80	80	160	1	243.3	13,010	0.13
CCDM [15]	128	-	1	237.4	7486	0.19
Prajapat’s [14]	64	-	1	297.6	4871	0.16
Proposed scheme	128	166	1	284.2	5599	0.18

shows the comparison results of our design with some other stream ciphers in ASIC [14,15,36]. The results shown are under different CMOS processes. The power cannot be reliably scaled between different processes and libraries, but the gate count can be scaled to a 0.13 μm process for comparison. Furthermore, the initialization cycle of our design is somewhat smaller than other ciphers. In addition, the proposed cipher is able to run on low-end IoT devices, such as ESP32, ATmaga328, Arduino, or Raspberry Pi IoT platforms.

6. Conclusions

In this paper, we proposed a key-based multi-mode clock-controlled stream cipher to enhance the security of stream ciphers. The proposed multi-mode depended on the secret key. The different modes were shipped with different encrypting circuits depending on the user’s session key. We also analyzed the period, linear complexity, and used known attacks to verify the security strength of the cipher.

We presented the mathematical results regarding the period and linear complexity of the proposed cipher. The results showed that the period of the proposed stream cipher was enough to consider the security requirements for each cipher mode. On the other hand, the linear complexity of the proposed stream cipher satisfied the security strength of AES, and was even stronger than AES. For good statistical properties for randomness, the proposed cipher passed the FIPS PUB 140-1 tests by a proportion of at least 97.00% and passed the SP800-22 test suite by a proportion of at least 98.00%. The experimental results showed that the proposed stream cipher possessed a considerably good randomness property. Regarding security, the proposed cipher could resist against time-memory-data tradeoff attacks and some correlation attacks. In terms of the confidentiality of the IoT, the stream cipher outperformed other symmetric ciphers and asymmetric ciphers. Our proposed stream cipher with a multiple-mode encryption scheme could be applied to the actual IoT environment and promotes the security strength of ciphers.

LFSRs have the advantage of high operation speeds in hardware security. The eight operation modes and the output of 1-bit per clock in the proposed scheme represent its limitations, but these could be ingeniously extended. To elasticize the stream cipher, the designs of an optimized structure for secure hardware circuits will be an interesting research direction. Furthermore, the application of these circuits when merged with cellular automata, chaos, and multi-mode operations represent potential future works.