A New Lightweight Stream Cipher Based on Chaos

A chaotic system and two Nonlinear Feedback Shift Registers (NFSRs) are used to generate a new stream cipher in this paper. This design can be used for efficient encryption in resource-constrained devices or environments. The chaotic system is quantified and integrated with two NFSRs based on Field Programmable Gate Array (FPGA) technology. Many analyses are made from the angle of entropy in order to verify the cryptographic characteristics of the stream cipher, and the National Institute of Standards and Technology (NIST) statistical tests are run to analyze the cipher. The test results show that the stream cipher here has good cryptographic characteristics.


Introduction
In recent years, resource-constrained equipment has been widely used. A device with limited computing power, storage space, and energy sources is called a resource-constrained device; examples are smart cards, Radio Frequency Identification (RFID) tags, wireless sensors, and personal digital power terminals. How to use secure and effective ciphers on these devices is a challenging problem. Many traditional ciphers are difficult to implement in this resource-constrained environment because of their own characteristics. Therefore, lightweight ciphers have attracted increasing attention. In 2013, the National Institute of Standards and Technology (NIST) launched the lightweight stream ciphers project to study the performance of existing lightweight ciphers and to establish standards. In March 2017, NIST released the Lightweight Cryptography Report, which introduced the implementation of the project and the related achievements, and planned to develop the corresponding standards for lightweight cryptographic algorithms. As early as November 2004, the European Network of Excellence for Cryptology (ECRYPT) initiated the eSTREAM research project [1], and called for stream cipher algorithms for both hardware and software. Finally, four hardware-oriented winners were identified in 2008. Sprout [2], Fruit [3], LIZARD [4], Plantlet [5], Trivium [6], MICKEY [7], and the Grain series ciphers [8][9][10] are some lightweight stream ciphers. However, as time goes on, a lot of progress has been made in cryptanalysis, and some of the lightweight stream ciphers have been proved to be unsafe [11][12][13][14][15][16][17]. As a new cryptographic theory, chaotic cryptography has been paid more and more attention by many cryptographers. Chaotic cryptography is widely used in image encryption [18][19][20][21][22], secure communication [23][24][25][26][27], neural networks, and economics. However, only a few scholars have tried to introduce chaotic systems into the field of lightweight encryption [28,29], and no one has tried to apply chaotic systems to lightweight stream ciphers.
This paper combines a chaotic system with a Nonlinear Feedback Shift Register (NFSR) for the first time, on the basis of studying a large number of lightweight stream ciphers, and produces a new lightweight stream cipher system that is based on chaos. Entropy analyses [30][31][32][33] and the NIST statistical tests are used to verify the performance and the characteristics of the cipher. The results show that the lightweight cipher here is of better performance.
Symmetry 2019, 11, 853
The structure is arranged as follows: Section 2 describes the digitization process of the Logistic chaotic sequence; Section 3 puts forward a lightweight stream cipher based on the Logistic chaotic sequence; Section 4 elaborates the design principle of the lightweight stream cipher Logic; Section 5 carries out the entropy analyses of the system; Section 6 carries out the NIST statistical tests of the system; and Section 7 analyzes the hardware resources of the lightweight stream cipher. Section 8 analyzes the security of the Logic system and Section 9 summarizes the whole paper.

Chaotic Sequence and Quantization
Chaos theory in non-linear science has been widely studied and applied in cryptography. Chaotic systems have a series of good cryptographic properties, such as extreme sensitivity to initial conditions, pseudo-random behavior, and long-period instability, which are similar to the principles of diffusion and confusion in modern cryptography. A method of chaotic digitization is introduced in order to overcome the effect of finite precision. The expression of Logistic chaotic map is shown as: It can be expressed in floating-point or integer form. Single precision floating point cannot meet the requirements of chaos. Double precision floating point occupies too many resources. Here, the integer expression is used, and decimal x(n) is written into binary expression.
The top L positions are taken because of the accuracy requirement, then Here Each of x(n) corresponds to a L-bit of binary X.In fact, X is the decimal representation of x(n), which takes L-bit and shifts to the right, so the Logistic chaotic map sequence can be expressed as: Here L = 32, µ = 4, which can satisfy the requirements of chaos and map to the whole interval (0, 1].
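The integer form of the map, as an added example that is not the paper's code: it assumes the standard Logistic map x(n+1) = µ·x(n)·(1 − x(n)) scaled by 2^L, with overflow truncated to the L-bit register. It shows the states that collapse to the all-zero fixed point and measures tail and cycle length at reduced widths, which is the finite-precision effect mentioned above; all function names are hypothetical.

```python
L = 32  # register width given in the text; mu = 4 is folded into the shift below


def logistic_step(x, bits=L):
    """One iteration of X' = 4*X*(2^bits - X) / 2^bits in a bits-wide register."""
    mod = 1 << bits
    # Multiplying by 4 and dividing by 2^bits is a right shift by (bits - 2).
    # The final mask models register truncation (an assumption about the hardware).
    return ((x * (mod - x)) >> (bits - 2)) & (mod - 1)


def tail_and_cycle(seed, bits):
    """Brent's cycle detection.

    Returns (tail, cycle, entry): steps before the orbit first repeats,
    the cycle length, and the first state that lies on the cycle.
    """
    f = lambda v: logistic_step(v, bits)
    power = lam = 1
    tortoise, hare = seed, f(seed)
    while tortoise != hare:              # phase 1: find the cycle length
        if power == lam:
            tortoise, power, lam = hare, power * 2, 0
        hare = f(hare)
        lam += 1
    tortoise = hare = seed
    for _ in range(lam):                 # phase 2: find where the cycle starts
        hare = f(hare)
    tail = 0
    while tortoise != hare:
        tortoise, hare = f(tortoise), f(hare)
        tail += 1
    return tail, lam, tortoise


if __name__ == "__main__":
    # 0 is a fixed point, and 2^(L-1) (x = 0.5) overflows to 2^L, i.e. 0 after masking.
    print("0 ->", logistic_step(0), " 2^31 ->", logistic_step(1 << 31))
    for bits in (8, 12, 16, 20):
        seed = int(0.3 * (1 << bits))    # constructed seed, not from the paper
        tail, cycle, entry = tail_and_cycle(seed, bits)
        note = "collapses to zero" if entry == 0 else "periodic"
        print(f"bits={bits:2d} tail={tail:6d} cycle={cycle:6d} {note}")
```

An orbit whose `entry` state is 0 has degenerated to a constant output, so a seed check of this kind belongs in any test bench for the digitized map.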

Logic Lightweight Stream Cipher
This paper presents a lightweight stream cipher, named Logic, based on a chaotic system and NFSRs. The algorithm is a hardware-oriented lightweight stream cipher algorithm, which can be applied in situations where hardware resources (gate number, energy consumption, and storage) are very limited. The algorithm uses an 80-bit secret key. The main part of the algorithm is composed of a Logistic chaotic system, two 40-level NFSRs, and three multiplexers. The structure diagram of Logic is shown in Figure 1.
As you can see from Figure 1, this is an efficient fusion of the classical Grain series ciphers [4,8,9,10] with Logistic chaotic ciphers. Different from the Grain lightweight ciphers, the Logic cipher here adopts two NFSRs and uses the Logistic chaotic sequence to affect the following three functions: the feedback polynomial g(x) of NFSR-1, the feedback polynomial f(x) of NFSR-2, and the filtering function h(x), so as to disturb the whole NFSR system.
The states of NFSR-1 and NFSR-2 at time i are The feedback polynomial g(x) of NFSR-1 is defined as: x 24 ⊕ x 20 x 29 ⊕ x 31 x 37 ⊕ x 13 x 18 x 26 ⊕ x 22 x 28 x 35 ⊕ x 14 x 24 x 30 x 37 ⊕ x 18 x 27 x 31 x 36.
The feedback polynomial f(x) of NFSR-2 is defined as: The filtering function h(x) of the Logic system is a balanced Boolean function with five variables and four orders, and its nonlinearity reaches a maximum of 12. It is defined as: The variables $x_0$, $x_1$, $x_2$, $x_3$ and $x_4$ correspond to the state bits $s_{i+2}$, $s_{i+17}$, $s_{i+29}$, $c_{i+2}$ and $b_{i+32}$, respectively.
The output function is defined as: where A = {3, 7, 4, 15, 23, 28, 34, 37}. Before it outputs, Logic initializes the key stream. Let the secret key bits be $k_i$ with $0 \le i \le 79$. The initial loading of registers is shown as In the initialization phase, Logic feeds back the output to both NFSR-1 and NFSR-2 for updating, and it starts to output the key stream after 80 runs.

Design Principles
The Logic stream cipher consists of four components: two NFSR combinations, a chaotic module, a filter function, and three multiplexers.

Two NFSRs
There are two NFSRs in this part, in which NFSR-2 feeds back data to the LSB of NFSR-1. Both of the NFSRs are initialized with the same clock. The initial secret key is generated by the chaotic sequence. The initial value of the chaotic sequence is set in order to avoid the zero state. After initialization, NFSR-1 and NFSR-2 update and flip state driven by the clock.

Digital Chaotic Module
The Logistic chaotic sequence is relatively simple and it consumes fewer hardware resources. Therefore, the chaotic sequence is chosen as the disturbance and obfuscation module of the whole system in the Logic stream cipher. The system is decomposed into a 32-bit digital chaotic system after initialization and digitization, then the bits $l_{i+4}$, $l_{i+8}$, $l_{i+10}$, $l_{i+16}$, $l_{i+20}$, $l_{i+24}$, and $l_{i+28}$ are separately extracted for the multiplexer unit to select and extract. Subsequently, the data of NFSR-1, NFSR-2, the filter function, and the output function are disturbed and confused.

Filter Function
Five bits are used to construct the filter function module: $b_{i+32}$ of NFSR-1; $s_{i+2}$, $s_{i+17}$, and $s_{i+29}$ of NFSR-2; and $c_{i+2}$ of the Logistic digital chaotic module. The filter function with five variables and algebraic degree 4 is a balanced Boolean function, which has a maximum non-linearity of 12.

Multiplexer Unit
The multiplexer unit is composed of three multiplexers, namely C1 (MUX2-1), C2 (MUX2-1), and C3 (MUX2-1). The selection bit of C1 is from $s_{i+19}$ of NFSR-1, and the input bits are from $l_{i+4}$ and $l_{i+8}$ of the Logistic digital chaotic module. The selection bit of C2 is from $s_{i+27}$ of NFSR-1, and the input bits are from $l_{i+10}$ and $l_{i+16}$ of the Logistic digital chaotic module. The selection bit of C3 is from $b_{i+11}$ of NFSR-2, and the input bits are from $l_{i+20}$ and $l_{i+24}$ of the Logistic digital chaotic module. MUX2-1($l_1$, $l_2$, $s$) is defined as a two-choice multiplexer with input signals $l_1$ and $l_2$, where $s$ represents the selection signal.

Entropy Analyses
In this part, entropy analyses are completed by comparing the lightweight cipher based on the chaotic Logistic function with our own Logic cipher system.

Permutation Entropy
Permutation entropy [34] is used to measure the complexity of a time series. It introduces the idea of permutation when calculating the complexity of reconstructed subsequences.

1. There is a discrete time series x(1), x(2), ..., x(N) with length N, then an embedding dimension m and a time delay τ are specified.
In other words, each subsequence X(i) of dimension m is mapped to one of m! permutations.
4. Through the above steps, the continuous m dimensional subspace is represented by a sequence of such symbols, in which the number of these symbols is m!. The probabilities of all symbols are expressed by $p_1, p_2, \ldots, p_k$, where $k \le m!$.
5. The permutation entropy of the time series x(1), x(2), ..., x(N) is:

When $p_k = 1/m!$, each symbol has the same probability, and the complexity of the time series is the highest, so the permutation entropy is the highest. In addition, for the convenience of presentation, H(m) is usually normalized by dividing by ln(m!). The analysis results are shown in Table 1.

Approximate Entropy
Approximate Entropy (ApEn) [35] is a non-linear dynamic parameter that is used to quantify the regularity and unpredictability of time series fluctuations. It uses a non-negative number to represent the complexity of a time series and it reflects the possibility of new information occurring in the time series. The more complex the time series is, the greater the approximate entropy becomes. The algorithm is described as follows:

1. Let U(1), U(2), ..., U(N) be a time series of dimension N, which is obtained by sampling at equal intervals.
2. The relevant parameters m and r of the algorithm are defined, in which m is an integer that represents the length of the comparison vectors and r is a real number used as the measure of similarity.

Here, $d(i, j) = \max_a |U(a) - U^*(a)|$, where U(a) is the element of a vector. d(i, j) represents the distance between the vectors Y(i) and Y(j), which is determined by the maximum difference between the corresponding elements, and the range of j is [1, N − m + 1], where j and i can be equal.
The approximate entropy (ApEn) is defined as In the aspect of parameter selection, the parameter m is defined as m = 2, and the selection of r depends on the practical application scenarios, usually r = 0.2 * std, in which std represents the standard deviation of the original time series. According to the relevant literature [31,32], it can be selected in practical application that d(i, j) ≤ r. If a time series is of significant regularity, its ApEn is relatively small. Correspondingly, a more complex time series corresponds to a larger entropy value. The analysis results are shown in Table 2.

Information Entropy
Information Entropy [36] is used to measure the uncertainty of random variables, which is directly related to the changing characteristics of the research. log(1/p) can be used to measure uncertainty. Here, p is the probability of something happening. The greater the probability is, the smaller the uncertainty becomes. The formula of information entropy, in fact, is the expectation of log(1/p), namely, the expectation of uncertainty. It represents the uncertainty of a system. The random variables under distribution X are independent of each other. The default base of log is 2, which is because the stream cipher system is binary. The expected coding length for coding samples according to the true distribution is illustrated as [33] as there are only two values for binary stream ciphers. The information entropy should be non-negative and have the maximum entropy value of 1. The analysis results are shown in Table 3.
From the above entropy analyses, it can be concluded that the entropy of the cryptographic system in this paper is significantly better than that of the lightweight stream cipher that is based on the chaotic Logistic function alone, which also proves that the combination of NFSR and chaotic cryptography can improve the entropy characteristics of the overall cryptography.
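The three measures of this section, as an added example rather than the paper's code: permutation entropy normalized by ln(m!), ApEn with m = 2 and r = 0.2 * std, and base-2 information entropy. It goes slightly beyond the text by running them on two constructed inputs, which shows that a strictly periodic bit stream still reaches information entropy 1; the function names, the use of the population standard deviation, and the sample series are assumptions.

```python
import math
from collections import Counter
from statistics import pstdev


def permutation_entropy(series, m=3, tau=1):
    """Normalized permutation entropy: -sum(p_k ln p_k) / ln(m!)."""
    n = len(series) - (m - 1) * tau            # number of embedded vectors
    patterns = Counter(
        # ordinal pattern = index order that sorts the window (ties keep time order)
        tuple(sorted(range(m), key=lambda k: series[i + k * tau]))
        for i in range(n)
    )
    h = -sum(c / n * math.log(c / n) for c in patterns.values())
    return h / math.log(math.factorial(m))


def approximate_entropy(series, m=2, r=None):
    """ApEn = phi(m) - phi(m+1); j may equal i, so every log argument is > 0."""
    if r is None:
        r = 0.2 * pstdev(series)               # assumption: population std

    def phi(dim):
        vecs = [series[i:i + dim] for i in range(len(series) - dim + 1)]
        logs = 0.0
        for a in vecs:
            # d(i, j): largest element-wise difference between two windows
            close = sum(max(abs(p - q) for p, q in zip(a, b)) <= r for b in vecs)
            logs += math.log(close / len(vecs))
        return logs / len(vecs)

    return phi(m) - phi(m + 1)


def information_entropy(symbols):
    """Shannon entropy in bits per symbol; at most 1 for a binary stream."""
    n = len(symbols)
    return -sum(c / n * math.log2(c / n) for c in Counter(symbols).values())


# Constructed sample inputs (not data from the paper).
PERIODIC = [0, 1] * 100


def logistic_orbit(n, x=0.3):
    """Floating-point orbit of x -> 4x(1-x), standing in for 'Logistic alone'."""
    out = []
    for _ in range(n):
        x = 4.0 * x * (1.0 - x)
        out.append(x)
    return out


if __name__ == "__main__":
    for name, s in (("periodic", PERIODIC), ("logistic", logistic_orbit(300))):
        bits = [int(v >= 0.5) for v in s]      # threshold to a binary stream
        print(name, round(permutation_entropy(s), 3),
              round(approximate_entropy(s), 3), round(information_entropy(bits), 3))
```

With m = 3 the Logistic orbit can never produce the strictly decreasing pattern, so its normalized permutation entropy stays below ln 5 / ln 6 no matter how long the series is.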

Throughput Analysis
The Logic stream cipher uses two NFSRs and a chaotic sequence. After initialization, all of the components work under the drive of the same clock. After compiling, the throughput of the system can reach 78.98 Kbps at 100 kHz.

Algebraic Attack
A deterministic cipher cryptanalysis method was proposed at the EUROCRYPT 2003 conference [38], which is called algebraic attack. The main idea of this method is to define the security of a cryptographic algorithm as solving a set of overdetermined multivariable nonlinear equations. The complexity of algebraic attack is mainly determined by the complexity of establishing large-scale multivariable nonlinear equations and solving the equations. The problem of solving large-scale multivariable nonlinear equations is an important problem in computational algebra. With the development of algebraic attack, a new cryptographic criterion of Boolean functions, namely algebraic immunity, was proposed. See [39,40] for research progress on algebraic immunity. Since the cipher in this paper uses two NFSRs, the system can continuously improve the nonlinear degree of the cryptographic algorithm through self-feedback iterative update, which greatly increases the difficulty for attackers to establish and solve nonlinear equations, and makes it difficult for algebraic attacks to obtain better analysis results for this system.

TMDTO Attack
In 2000, Biryukov, Shamir and Wagner [41] proposed a new time/memory/data trade-off (TMDTO) attack against stream ciphers. TMDTO has become an important method for restoring the internal state of stream ciphers. Set as the mapping of the bit internal state to the output continuous bit key stream, the problem of restoring the internal state can be transformed into the problem of inverting a one-way function using the TMDTO method. The internal state restoration attack is a ciphertext-only attack method. The target of the attack is to restore the internal state of the stream cipher at a certain moment in the key stream generation stage. The internal state at subsequent moments can be calculated by the state update function according to the internal state at this moment, thus predicting the key stream. If the state update function is reversible, the internal state of the previous moment can be obtained, or even the key can be restored. In fact, Grain v1 [42] and MICKEY 1.0 [43] both suffered from internal state restoration attacks that were based on TMDTO. Among them, the analysis results of MICKEY 1.0 directly led the designers to improve the algorithm to get MICKEY 2.0. The secret key space of each NFSR is $2^{40}$ since the system is composed of two independent NFSRs, so the secret key space of the whole system is $2^{80}$. Assuming that each key generates a $2^{16}$ key stream, in the first step of the attack, if an attacker can obtain a $2^{15}$ key stream, then the attacker will look for conflicts in the table.
Here is the probability that the attacker cannot find the conflict.The calculation process is as follows.
The attacker can repeat the first two steps to obtain a different key, then he can find the probability of the conflict calculation process, as follows.
The amount of data of this attack is $2^{16} \times 2^{50} \times 80 = 2^{72.3}$, and the computational complexity is $2^{16} \times 2^{50} = 2^{66}$. If the cryptographic system can generate a $2^{16}$ key stream under each secret key, it can resist certain TMDTO attacks.

Fault Attack
Fault attack refers to the introduction of a fault into the cryptographic algorithm in a cryptographic chip device, which causes the device to produce wrong results, and the analysis of the wrong results to obtain the key. It is known that such attacks have been successfully applied to Grain ciphers [44]. It requires that the attacker insert a single bit error in the NFSR during the initialization phase, so that the attacker can reset the password and obtain the correct key stream. This kind of error attack can be prevented if mirror image or mask is used in the hardware, since the two-stage NFSR is adopted in the hardware design of this system [45].

Linear Approximation Attack
As mentioned in reference [46], the Grain cipher will resist the linear approximation attack if the NFSR used and the output function of the cryptography system have high nonlinearity and good elasticity. The NFSRs and system output function that were selected in this paper have high nonlinearity and good elasticity. Therefore, the system can resist certain linear approximation attacks.

Correlation Attack
Complexity theory can be used to analyze the computational complexity of cryptography and algorithms. The linear complexity of a periodic random time series is similar to its periodic length. Logic stream ciphers use two NFSRs, a chaotic system, and three multiplexers. According to empirical tests, the approximate period length should be above $O(2^{80})$. Therefore, it can be estimated that its linear complexity is also above $O(2^{80})$, and it can be considered as a lifetime secret key. In terms of related attacks, since NFSR-2 performs XOR calculations with NFSR-1 through feedback function g(x), it is inferred that all the bits in NFSR-1 are balanced, and it can be assumed that NFSR-2 is independent of each bit that is generated in NFSR-1. In the aspect of algebraic attack, the filter function h(x) here is a five-variable four-order balanced Boolean function. Due to the use of two sets of NFSRs, and the input of the filter being exclusive or obtained from NFSR-1, NFSR-2, and the chaotic sequence, the system is greatly improved and the system can resist correlation attack.

Conclusions
In this paper, the chaotic system is added to the lightweight stream cipher cryptosystem for the first time. Digitizing the Logistic chaotic sequence and combining it with NFSRs and multiplexers generates a new lightweight stream cipher cryptosystem. The tests of permutation entropy, approximate entropy, and information entropy of the cipher show that the system has good complexity. The NIST statistical test shows that the stream cipher that is generated by the system has good statistical characteristics. The analysis of hardware resource and throughput proves that the design can be effectively applied in resource-constrained devices or environments for encryption.


Table 5. Comparison with other lightweight ciphers.