A Key-Based Multi-Mode Clock-Controlled Stream Cipher for Real-Time Secure Communications of IoT

With the rapid development of the Internet and wireless communications, as well as the popularization of personal communication systems, the security of real-time communications is in demand. The efficient technology of stream ciphers can satisfy this security requirement. In this paper, to enhance the security strength of stream ciphers, we design a key-based multi-mode clock-controlled stream cipher for real-time secure communications of the Internet of things (IoT). The proposed stream cipher has multiple working modes that depend on the key. The different working modes use different encrypting circuits depending on the user's key. We analyze the period and the linear complexity, and use known attacks to verify the security strength of the proposed cipher. Compared with existing dual mode clock-controlled stream ciphers, the merits of our proposed cipher are its long period, high linear complexity, low hardware complexity, low initialization clock, and simplicity in mode switching. Furthermore, the proposed cipher passes the FIPS PUB 140-1 and SP800-22 tests, obtaining at least 97.00%.


Introduction
Today, with the popularization of personal communication systems, such as cellular phones, PDAs, notebook computers, etc., and with the rapid development of the Internet of things (IoT), people can share information or transmit sensitive data by using these communication systems. There are a lot of information and communication services in the surrounding areas of human lives at present. These services are combined with various applications, for example, voice over Internet protocols, electronic commerce, distance learning, video conferencing, etc. These real-time streaming technologies provide convenience in terms of people's instant requirement for information and communication.

The IoT provides convenience in terms of information transmission, but it is unsafe to transmit unencrypted data over open wireless channels. Without protection, such systems are easily overheard. For this reason, the most effective method is to encrypt the transmitted content to prevent the information from being directly known by eavesdropping. Even if the transmitted content is overheard from the channel, it will be nonsensical data. In order to achieve secure communications, cryptography is applied to protect privacy and to avoid fraud in secure communications in the IoT.

The security of the IoT can be achieved by implementing Secure Shell (SSH) and Transport Layer Security (TLS) protocols. However, they have heavy overheads that are not suitable for the resource-constrained environment of the IoT [1]. There are three basic popular communication protocols at the IoT application level; they are the CoAP (Constrained Application Protocol), MQTT (Message Queuing Telemetry Transport), and the XMPP (Advanced Message Queuing Protocol). The MQTT protocol is the most widely used protocol for the communication of these devices in IoT systems due to its low resource requirements [2]. Some cryptosystems have been proposed in IoT systems that communicate using the MQTT protocol, but they have not been widely accepted because of their performances [3,4]. For confidentiality, the cipher of an asymmetric cryptosystem, e.g., RSA, ECC, etc., is not suitable for the IoT, due to the computational load. In symmetric cryptosystems, stream ciphers outperform block ciphers because of their simple encrypting operation.

The stream cipher is a class of symmetric encryption algorithms, and it is generally much faster than block ciphers, so stream ciphers are widely used in digital communications and real-time transmissions. For the security demands of real-time communications, stream ciphers are used to meet the necessary requirements [5][6][7][8]. For example, the stream cipher A5/1 supports the confidentiality of mobile communications [9]. Similarly, in real-time communications of the IoT, security efficiency can benefit from using stream ciphers.

At the core of stream ciphers is the keystream generator. One of the basic structures of keystream generators is the linear feedback shift register (LFSR) [10]. Under the Berlekamp-Massey algorithm, the output sequence of an LFSR is straightforwardly predictable. To resist this attack and spoil the linearity properties of LFSRs, there are three basic schemes: a nonlinear combining function on the outputs of several LFSRs, a nonlinear filtering function on the contents of a single LFSR, and using the output of one (or more) LFSRs to control the clock of one or more other LFSRs, which are the clock-controlled LFSRs. All of these schemes require a nonlinear function to combine the outputs of LFSRs or control the input clock for clock-controlled LFSRs [10][11][12][13][14]. The clock-controlled stream cipher A5/1 uses the nonlinear majority function as the nonlinear function to promote its security. Erguler et al. proposed a clock-controlled stream cipher with dual modes, which has two different clocking mechanisms to provide security enhancements [15].

Regarding the hardware of stream ciphers, a cipher with multiple working nonlinear circuits is a strategy by which to gain security strength in the output keystream. To further the security strength of stream ciphers, in this paper, we design a key-based multi-mode clock-controlled stream cipher for real-time secure communications using the IoT. The cipher is equipped with multiple cipher modes, depending on the secret key. The different modes use different encryption circuits depending on the user's session key. We analyze the period and linear complexity, evaluate the randomness, and use known attacks to verify the security strength of the cipher. From the experimental results, the proposed cipher passes the FIPS PUB 140-1 and SP800-22 tests, attaining at least 97.00%. The contributions of this study can be briefly stated as follows:

• The proposed scheme employs multiple working modes depending on the user's session key.

• The multiple working modes of the different working circuits include different nonlinear selecting functions and different nonlinear output combining functions.

• All of the nonlinear selecting functions and output combining functions provide the balance correlation probability. This leaves no weakness for attackers to use in breaking the stream cipher.

• The proposed scheme is one of hardware security, and is easy to implement using hardware.

This paper is organized as follows. Section 2 introduces the related research regarding stream ciphers. Then, we present our proposed scheme, describe each component of the proposed stream cipher, and specify the details of the design in Section 3. In Section 4, we consider statistical properties and some attacks with respect to our design. In addition, we present the results regarding the period and linear complexity of our scheme. Section 5 describes the test criteria and the experimental results for our proposed stream cipher. We use the Federal Information Processing Standards Publication 140-1 (FIPS PUB 140-1) [16] and the Special Publication 800-22 (SP800-22) [17] to perform the statistical tests for our scheme. Finally, we provide the conclusions in Section 6.

Preliminaries
The basic design of a stream cipher takes a short key and expands it into a binary pseudorandom number sequence. This sequence is also called the keystream. The keystream is XORed with the plaintext to generate the ciphertext. Similarly, the same keystream is used to decrypt by XORing it with the ciphertext to recover the original plaintext [18]. Therefore, the keystream generator plays an important role in the research of stream ciphers. Generally speaking, the keystream generator can be composed of the finite state machine (FSM) and the output function. Among the design of many stream ciphers, the LFSR is the most common class of FSM due to its simplicity, speed of implementation in hardware, and the fact that it provides sequences with good statistical properties.

Linear Feedback Shift Register
The Linear Feedback Shift Register (LFSR) can be implemented in two ways. One is the Fibonacci structure, and the other is the Galois structure. The Fibonacci structure of a LFSR consists of a simple shift register and additive operations. Figure 1 shows the Fibonacci structure of a LFSR. At the time $t$, the LFSR of length $L$ consists of $L$ stages $S_{0+t}, \ldots, S_{L-1+t}$, where $t \ge 0$. Each stage is a D-type flip-flop and stores one bit. The output position of each D-type flip-flop that affects the next state is called the tap. The taps are sequentially XORed and then fed back into the leftmost bit. The Fibonacci structure of a LFSR can use a feedback polynomial to record the structure. We call the polynomial the connection polynomial $f(x)$. It is defined as follows: where $L$ is called the degree of the connection polynomial and $C_i$ is called the feedback coefficient. In general, the additive operations are performed modulo 2. A feedback coefficient $C_i$ ($1 \le i \le L$) that is not zero is a tap of the connection polynomial. Each feedback coefficient $C_i$ is either 0, meaning "no connection", or 1, meaning it is sequentially XORed with the other taps and then fed back into the leftmost bit. Furthermore, the connection polynomial is called a characteristic polynomial.

The Galois configuration of the LFSR is illustrated in Figure 2. It also consists of a shift register of length $L$. The Galois structure of a LFSR of length $L$ can also use a feedback polynomial to record the structure of the LFSR. It is defined by the characteristic polynomial $p(x)$:

The Galois LFSR does not chain every tap to produce the new input bit; instead, the taps compute the new input bits in parallel. If the feedback polynomial of the LFSR is a primitive polynomial and the initial state of the LFSR is not all zero, the period of the output sequence of the LFSR is at most equal to $2^L - 1$. Such a LFSR produces a sequence with the longest period, and we call the sequence a maximal sequence or m-sequence.
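The following added example (Python, not code from the paper) implements both structures for one small register, checks the m-sequence period, and runs the Berlekamp-Massey algorithm mentioned in the Introduction against the output to show how little of a bare LFSR's output is needed to predict the rest. The degree-7 polynomial $1 + x + x^7$, the seeds, the function names and the convention $f(x) = 1 + C_1 x + \dots + C_L x^L$ for the connection polynomial are assumptions chosen for the illustration.

```python
# Added illustration: Fibonacci and Galois LFSRs over GF(2) and the
# Berlekamp-Massey algorithm. Polynomial, seeds and names are constructed
# for this example; they are not the paper's registers.

TAPS = [7, 1]  # assumed connection polynomial f(x) = 1 + x + x^7 (primitive)


def fibonacci_lfsr(taps, state, n):
    """n output bits of a Fibonacci LFSR.

    state is [s_0, ..., s_{L-1}]; each new bit is the XOR of the tapped
    stages: s_{t+L} = XOR over i in taps of s_{t+L-i}.
    """
    L = max(taps)
    s = list(state)
    out = []
    for _ in range(n):
        out.append(s[0])
        fb = 0
        for i in taps:
            fb ^= s[L - i]
        s = s[1:] + [fb]
    return out


def galois_lfsr(taps, state, n):
    """n output bits of a Galois LFSR (integer state, right shift).

    The output bit is XORed into every tapped stage in the same step, so
    no chain of XOR gates sits in the feedback path.
    """
    mask = 0
    for i in taps:
        mask |= 1 << (i - 1)
    out = []
    for _ in range(n):
        bit = state & 1
        out.append(bit)
        state >>= 1
        if bit:
            state ^= mask
    return out


def sequence_period(bits):
    """Smallest p with bits[i] == bits[i + p] for every index available."""
    n = len(bits)
    for p in range(1, n // 2 + 1):
        if all(bits[i] == bits[i + p] for i in range(n - p)):
            return p
    return None


def berlekamp_massey(bits):
    """Return (L, C): the linear complexity of bits and the shortest
    connection polynomial C[0] + C[1]x + ... + C[L]x^L generating them."""
    n = len(bits)
    c = [1] + [0] * n
    b = [1] + [0] * n
    L, m = 0, -1
    for N in range(n):
        d = bits[N]                      # discrepancy at position N
        for i in range(1, L + 1):
            d ^= c[i] & bits[N - i]
        if d:
            t = c[:]
            shift = N - m
            for i in range(n + 1 - shift):
                c[i + shift] ^= b[i]
            if 2 * L <= N:
                L, m, b = N + 1 - L, N, t
    return L, c[:L + 1]


def predict(observed, n):
    """Extend observed by n bits using only the LFSR that Berlekamp-Massey
    recovers from it."""
    L, c = berlekamp_massey(observed)
    s = list(observed)
    for _ in range(n):
        nxt = 0
        for i in range(1, L + 1):
            nxt ^= c[i] & s[-i]
        s.append(nxt)
    return s[len(observed):]


if __name__ == "__main__":
    fib = fibonacci_lfsr(TAPS, [1, 0, 0, 0, 0, 0, 0], 254)
    gal = galois_lfsr(TAPS, 1, 254)
    print("periods:", sequence_period(fib), sequence_period(gal))
    print("recovered from 14 bits:", berlekamp_massey(fib[:14]))
    print("prediction correct:", predict(fib[:14], 240) == fib[14:])
```

Both structures satisfy the same recurrence here, so Berlekamp-Massey recovers the same polynomial from either output after $2L = 14$ bits; this is the linearity that the nonlinear combining and clock-control schemes are meant to remove.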

LFSR-Based Stream Cipher
In this subsection, we introduce some LFSR-based stream ciphers. The A5/1 is a clock-controlled, LFSR-based stream cipher which is used for encrypting air transmissions in the GSM standard. The diagram of an A5/1 stream cipher is illustrated in Figure 3. It is composed of three LFSRs with different lengths and primitive feedback polynomials. Each LFSR is shifted, using clock cycles that are determined by a majority function. The major issue with A5/1 security is the short period problem. The cipher operation is based on three LFSRs, R1, R2, and R3, of lengths 19, 22, and 23 bits, respectively. The experiment shows that the period of A5/1 is equal to $(4/3)(2^{23} - 1)$ [19]. Another basic issue is the collision problem. It means that A5/1 may result in the same keystream when the LFSR's different seeds are used.

To reduce the weaknesses of A5/1, some solutions have been proposed in the literature. Erguler and Anarim, in 2005, proposed an A5/2 algorithm that consists of four registers and modified the clocking control mechanism to promote its security strength [20]. In 2006, Erguler and Erguler proposed a LFSR-based CCDM (Clock-Controlled with Dual Mode) stream cipher with a dual operating mode [15]. It is a novel clock-controlled stream cipher with Dual Mode, which is based on irregular clocking and operates with two different modes. The CCDM-Mode I merges eight 4 × 16 S-boxes of DES [21] for the keystream generation, and the CCDM-Mode II operates with a mutual clock-control mechanism. Zakaria et al., in 2011, presented two modifications of A5/1 [22]. One is the changing of the original primitive polynomials of LFSR in A5/1. The second modification added two LFSRs and proposed five LFSRs in total. The scheme passed the randomness tests. Yohana, in 2015, improved A5/1 by means of a unit delay to increase the period of the keystream [23]. The keystream of the proposed methodology succeeded in randomness tests. In 2019, Sadkhan and Hamza added a fourth register and applied a new filtration function to A5/1 on each register to strengthen the original linear combination function and XOR operation [24]. The authors implemented hardware and made the generator more secure.
Sadkhan and Reza, in 2017, proposed a new method to investigate the best structure for the nonlinear combining function [10]. Based on LFSR, to build a nonlinear combination function consisting of n levels, the designers built it within the program and changed part of the chosen nonlinear combination function every time to observe the results. The scheme required the support of a powerful computer. In 2021, Prajapat et al. proposed a security enhancement of the A5/1 stream cipher in GSM communications [14]. The scheme reduced the non-linear combinational generator (NLFSRs), reused the 32 bits of SRES generated by the A3 algorithm, and finally, combined the output stream with the remaining 32-bit of CGI (Cell Global Identity). From the results of the NIST Statistical Test, the scheme achieved enhanced security. In 2022, Kopparthi et al. proposed a pseudorandom number generator based on a digital piecewise linear chaotic map with perturbation [25]. The basic algorithm for the pseudorandom number generator is based on chaos, rather than LFSR. The scheme increases the period of the random sequence and succeeds in increasing security; its requirements in terms of hardware costs were also increased.

The Proposed Scheme
To promote the randomness and the chaos of the output keystream, we propose a multi-mode keystream generator. The different working modes are dependent on the input key. In this section, we introduce the proposed stream cipher. We apply a clock-controlled stream cipher and propose a key-based multi-mode clock-controlled stream cipher. The structure of the proposed cipher is based on multi-LFSR and is equipped with multiple cipher modes to enhance security. The mode selection is dependent on the secret key bits. For each cipher mode, the output sequences have a large period and a high linear complexity. In the following subsections, we present our proposed scheme and describe each component of the proposed stream cipher. Furthermore, we specify the details of the design.

Keystream Generator
To match the AES, the proposed key-based multi-mode clock-controlled stream cipher takes a 128-bit secret key denoted $K_i$, $0 \le i \le 127$, and a 128-bit initialization vector denoted $IV_i$, $0 \le i \le 127$, as its inputs. The cipher consists of four main building blocks, namely LFSRs, a clock controller, a mode controller, and an output generator. An overview of the blocks used in the stream cipher is illustrated in Figure 4.

The size of the internal state of the proposed keystream generator is 318 bits, which consists of six LFSRs: LFSR$_\alpha$, LFSR$_\beta$, LFSR$_\gamma$, LFSR$_a$, LFSR$_b$, and LFSR$_c$, respectively. The main work of the LFSR$_a$, LFSR$_b$, LFSR$_c$, and output generator is to produce the keystream. The main work of the LFSR$_\alpha$, LFSR$_\beta$, LFSR$_\gamma$, and the nonlinear functions is to control when LFSR$_a$, LFSR$_b$, or LFSR$_c$ will be shifted. There are two clock operation modes in the clock controller and four output sequence generators in the output generator. Together they form eight cipher operation modes. The responsibility of the mode controller is the selection of which cipher mode will operate; the input of the mode controller is part of the secret key bits. The rightmost bits of LFSR$_a$, LFSR$_b$, and LFSR$_c$ are inputted to the output generator to produce the keystream.

The LFSRs
The size of the internal state of the keystream generator is 318 bits, which consists of six LFSRs, namely LFSR$_\alpha$, LFSR$_\beta$, LFSR$_\gamma$, LFSR$_a$, LFSR$_b$, and LFSR$_c$. The underlying LFSR$_\alpha$, LFSR$_\beta$, LFSR$_\gamma$, LFSR$_a$, LFSR$_b$, and LFSR$_c$ are six maximum-length LFSRs of lengths 31, 17, 13, 61, 89, and 107, respectively. The primitive feedback polynomials of the registers are defined as follows [26]:

(3)

LFSR$_a$: $P_a(x) = x^{61} + x^{59} + x^{52} + x^{47} + x^{38} + x^{33} + 1$ (6)

If the length of a LFSR is $L$ and the LFSR is using the Fibonacci structure, it must be repeated $L$ times to update each content of the register during initialization. In order to increase the efficiency of key initialization, we select different length LFSRs instead of a single LFSR. We use the Galois structure of a LFSR to speed up the operation of initialization.

Mode Controller
The responsibility of the mode controller is the selection of which cipher mode will operate in the system. We built a mode controller module, as shown in Figure 5. There are five input signals and three output signals in the mode controller, where the inputs of the mode controller are $K_0$, $K_1$, $K_2$, $K_3$, and $K_4$ of the secret key and the outputs are $m_0$, $m_1$, and $m_2$.
Electronics 2023, 12, x FOR PEER REVIEW 7 of 24

The signal $m_0$ is taken to control which clock operation mode will be operated, and it is generated by XORing $K_0$, $K_1$, $K_2$, $K_3$, and $K_4$. Here, ⊕ denotes logic XOR; the Boolean function of $m_0$ is given by:

Another two output signals, $m_1$ and $m_2$, of the mode controller are taken to control which output sequence generator will operate. We use one of four quasigroups of Edon80 for a part of the mode controller. Since the four quasigroups are suitable for implementation, no hidden weaknesses can be imposed [27]. The quasigroup is shown in Table 1. We let $X$ be $K_1K_0$ and let $Y$ be $K_3K_2$. The value $X$ defines the row $r$ of the quasigroup, and the value $Y$ defines the column $c$. For the data on the $(r, c)$ in Table 1, each $r$ and $c$ has a two-bit length, respectively. The result of $(r, c)$ is a two-bit length, too. Then, we take the result of $(r, c)$ to control which output sequence generator will operate.
In the hardware implementation, to reduce the gate numbers in order to store the quasigroup table, we use the Boolean functions and map the quasigroup table to logic [28].

Here, ⊕ denotes logic XOR and · denotes logic AND. The output signals $m_1$ and $m_2$ are computed by the Boolean functions as follows:

Finally, we obtain the logic circuit to implement the mode controller. The circuit of the mode controller is shown in Figure 6.

Clock Controller
The main work of the LFSR$_a$, LFSR$_b$, LFSR$_c$, and output generator is to produce the keystream. The respective rightmost bits of LFSR$_a$, LFSR$_b$, and LFSR$_c$ are inputted into the output generator to produce the keystream, but the respective clock pulses of these three LFSRs are dependent on the clock controller. There are two clock operation modes in the clock controller, which are mode 0 and mode 1. Which of the two modes drives the outputs is determined by the output signal $m_0$ of the mode controller. If $m_0 = 0$, then the outputs of mode 0 are outputted. On the other hand, if $m_0 = 1$, then the outputs of mode 1 are outputted.

The clock controller consists of three LFSRs and some nonlinear Boolean functions. The three LFSRs are LFSR$_\alpha$, LFSR$_\beta$, and LFSR$_\gamma$, and the respective rightmost bits of these LFSRs are inputted into nonlinear Boolean functions, and then the outputs of the nonlinear Boolean functions are used to control whether LFSR$_a$, LFSR$_b$, or LFSR$_c$ will be shifted. It means the clock controller controls the respective clock pulses of the LFSR$_a$, LFSR$_b$, and LFSR$_c$. We describe how the clock controller controls the respective clock pulses of the LFSR$_a$, LFSR$_b$, and LFSR$_c$.

First, the respective rightmost bits of the LFSR$_\alpha$, LFSR$_\beta$, and LFSR$_\gamma$ are denoted by $\alpha_{0t}$, $\beta_{0t}$, and $\gamma_{0t}$, respectively, at time $t$. They are inputted into the $f_{maj}$ function and the $f_{and}$ function, which are given by: where + denotes logic OR and · denotes logic AND. For the mode of $m_0 = 0$, the $f_{maj}$ function is selected. If $\alpha_{0t} = f_{maj}$, then LFSR$_a$ is shifted. Likewise, if $\beta_{0t} = f_{maj}$, then LFSR$_b$ is shifted, and if $\gamma_{0t} = f_{maj}$, then LFSR$_c$ is shifted. Similarly, for the other mode of $m_0 = 1$, the $f_{and}$ function is selected. If $\alpha_{0t} = f_{and}$, then LFSR$_a$ is shifted. Likewise, if $\beta_{0t} = f_{and}$, then LFSR$_b$ is shifted, and if $\gamma_{0t} = f_{and}$, then LFSR$_c$ is shifted.

According to the above, we define $clk_{ai}$, $clk_{bi}$, and $clk_{ci}$ as the clocking condition of LFSR$_a$, LFSR$_b$, and LFSR$_c$, respectively, where $i \in \{0, 1\}$. For the mode of $m_0 = 0$, $clk_{a0}$, $clk_{b0}$, and $clk_{c0}$ are selected. If $clk_{a0} = 1$, then LFSR$_a$ is shifted. Likewise, if $clk_{b0} = 1$, then LFSR$_b$ is shifted, and if $clk_{c0} = 1$, then LFSR$_c$ is shifted. On the other hand, for the mode of $m_0 = 1$, $clk_{a1}$, $clk_{b1}$, and $clk_{c1}$ are selected. If $clk_{a1} = 1$, then LFSR$_a$ is shifted. Likewise, if $clk_{b1} = 1$, then LFSR$_b$ is shifted, and if $clk_{c1} = 1$, then LFSR$_c$ is shifted.

Next, we build two truth tables for the clocking conditions of the three LFSRs, LFSR$_a$, LFSR$_b$, and LFSR$_c$, which are shown in Tables 2 and 3. Then, we can simplify $clk_{a0}$, $clk_{b0}$, and $clk_{c0}$ into Boolean functions for clock operation mode 0, as well as $clk_{a1}$, $clk_{b1}$, and $clk_{c1}$ for clock operation mode 1. The simplified Boolean functions of the two clock operation modes are shown as follows: Clock operation mode 0: Clock operation mode 1:

At each clock cycle, only one of the two clock operation modes will determine whether the LFSR$_a$, LFSR$_b$, or LFSR$_c$ are shifted or not, since the signal $m_0$ is taken to switch which outputs of clock operation mode will output. Furthermore, each rightmost bit of LFSR$_a$, LFSR$_b$, and LFSR$_c$ will input to the output generator to generate the keystream.
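Added example (Python, not the paper's code): the mode 0 clocking rule written out as a truth table, checked against a hand-simplified Boolean form, and then applied to a toy generator whose output is the XOR of the three data-register bits (the rule the page gives for output sequence generator 0). It assumes $f_{maj}$ is the usual three-input majority and that the control registers shift on every cycle, and it uses constructed 3- to 7-bit registers in place of the paper's; the simplified expressions are derived here and are not the equations missing from the text.

```python
# Added illustration of clock operation mode 0 (m0 = 0). Assumptions, not
# taken from the paper: f_maj is the 3-input majority, the control registers
# step on every cycle, and all register sizes, masks and seeds are toy values.
from itertools import product

CTRL_MASKS = (0x5, 0x9, 0x12)    # toy 3-, 4-, 5-bit Galois registers
DATA_MASKS = (0x12, 0x21, 0x41)  # toy 5-, 6-, 7-bit Galois registers


def f_maj(alpha, beta, gamma):
    """Majority of three bits (+ is OR, . is AND in the page's notation)."""
    return (alpha & beta) | (alpha & gamma) | (beta & gamma)


def clocking_mode0(alpha, beta, gamma):
    """(clk_a0, clk_b0, clk_c0): a data register is shifted when its
    control bit equals f_maj, as the text states for m0 = 0."""
    m = f_maj(alpha, beta, gamma)
    return int(alpha == m), int(beta == m), int(gamma == m)


def simplified_mode0(alpha, beta, gamma):
    """Simplification derived for this example: a register is held only
    when the other two control bits agree with each other and disagree
    with its own control bit."""
    clk_a = (beta ^ gamma) | (1 ^ alpha ^ beta)
    clk_b = (alpha ^ gamma) | (1 ^ beta ^ alpha)
    clk_c = (alpha ^ beta) | (1 ^ gamma ^ alpha)
    return clk_a, clk_b, clk_c


def truth_table():
    """Clocking condition for all eight control-bit combinations."""
    return {bits: clocking_mode0(*bits) for bits in product((0, 1), repeat=3)}


def galois_step(state, mask):
    """One right-shift Galois LFSR step; returns the new state."""
    bit = state & 1
    state >>= 1
    return state ^ mask if bit else state


def toy_keystream(n, ctrl_seeds=(1, 2, 3), data_seeds=(1, 1, 1)):
    """Run n cycles; return (keystream bits, steps taken per data register)."""
    ctrl, data = list(ctrl_seeds), list(data_seeds)
    steps = [0, 0, 0]
    out = []
    for _ in range(n):
        # Rightmost bits of the three control registers at this cycle.
        clk = clocking_mode0(*(s & 1 for s in ctrl))
        for k in range(3):
            if clk[k]:                       # irregular clocking
                data[k] = galois_step(data[k], DATA_MASKS[k])
                steps[k] += 1
            ctrl[k] = galois_step(ctrl[k], CTRL_MASKS[k])
        # XOR of the rightmost data bits, as in output sequence generator 0.
        out.append((data[0] ^ data[1] ^ data[2]) & 1)
    return out, steps


if __name__ == "__main__":
    for bits, clk in truth_table().items():
        print(bits, "->", clk)
    keystream, steps = toy_keystream(1000)
    print("steps per data register over 1000 cycles:", steps)
```

Under the majority rule at least two of the three data registers move on every cycle and each one moves for 6 of the 8 control-bit combinations, which the truth table makes visible.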

Output Generator
The output generator takes the sequences $a_{0t}$, $b_{0t}$, and $c_{0t}$ as its input, which are the respective rightmost bits of LFSR$_a$, LFSR$_b$, and LFSR$_c$ at time $t$. There are four output sequence generators in the output generator. The sequence outputs are denoted by $z_{0t}$, $z_{1t}$, $z_{2t}$, and $z_{3t}$. According to the selected mode, the output signals $m_1$ and $m_2$ of the mode controller are taken to control which output sequence generator will operate. For example, if $m_2 = 0$ and $m_1 = 0$, then output sequence generator 0 (OSG$_0$) will be operated, and so on. Table 4 lists the operating conditions under $m_2$ and $m_1$.

The output sequence generators are given as follows:

Output Sequence Generator 0 (OSG$_0$): In this generator, we use the exclusive-or operation with $a_{0t}$, $b_{0t}$, and $c_{0t}$ to produce keystream $z_{0t}$, which is given by: The output-inputs correlation probability of OSG$_0$ is demonstrated in Table 5. All correlations between the inputs and the output are 1/2.
Output Sequence Generator 1 (OSG$_1$): In this generator, we use two Dawson's summation generators to produce the keystream. The diagram of Dawson's summation generator (DSG) is shown in Figure 7 and the functions are defined as follows [29]: Here $a_j$, $b_j$, and $c_{j-1}$ denote the input sequences of DSG, and $c_{j-1}$ is $c_j$ delayed one clock. The initial state of the bit, $c_{j-1}$, is defined to be zero. In addition, the DSG has high resistance against correlation attacks [29], due to all its output-inputs correlation probabilities being 1/2, as demonstrated in Table 6.
In Figure 1, we use two DSGs to generate keystream $z_{1t}$. The diagram of OSG$_1$ is shown in Figure 8. The functions can be written as follows:
DSG$_1$:
DSG$_2$:
The initial states of the bits $f_{t-1}$ and $e_{t-1}$ are defined to be zero, and the output function of OSG$_1$ can be sorted as follows:
We also sort the respective correlation probabilities of the output-inputs, output-$d_t$ and output-$e_t$, of OSG$_1$. All of them are equal to 1/2, which is demonstrated in Table 7.
Output Sequence Generator 2 (OSG$_2$): The OSG$_2$ is shown in Figure 9. In this generator, we build a hybrid carry bit $g_t$ and merge it with DSG to generate keystream $z_{2t}$, which can be defined as follows:
The output sequence generator 2.
The initial state of the bit, $g_{t-1}$, is defined to be zero. All of the correlation probabilities of the output-inputs and the output-$g_t$ of OSG$_2$ are equal to 1/2, which are demonstrated in Table 8.
Output Sequence Generator 3 (OSG$_3$): The OSG$_3$ is shown in Figure 10. In this generator, we establish another hybrid carry bit $h_t$ and output functions, then merge them with DSG to generate keystream $z_{3t}$, which can be defined as follows:
The initial state of the bit, $h_{t-1}$, is defined to be 0. The correlation probabilities of the output-inputs and the output-$h_t$ of OSG$_3$ are both 1/2, which are demonstrated in Table 9.

Key/IV Setup
The inputs of the keystream generator are called seeds. The requirements of these seeds are that they must be random and unpredictable before generating the keystream. For this reason, we must use the key initialization procedure to meet this requirement. In this subsection, we describe the computation of the initial inner state before starting the keystream generation. First, part of the bits of the secret key are collaterally loaded into the 318-bit initial state of the cipher. Then, the remaining bits of the secret key and the 128-bit initialization vector are fed into the 318-bit initial state of the cipher using the key initialization procedure. We divide the Key/IV Setup into two phases, the initial filling phase and the key initialization procedure phase. It works as follows.

Security Properties
A long period, high linear complexity, and good statistical properties are three of the basic requirements for pseudorandom binary sequences in cryptographic applications. In this section, we consider the period, linear complexity, statistical properties, and some attacks with respect to our design. In the proposed scheme, the multi-clocking keystream generator and the periods of each LFSR affect each other through the current states. We provide the mathematical results regarding the period and linear complexity of our scheme.

Period
One of the important attributes to be considered for a stream cipher is the period of the keystream. The period of a keystream $s = s_0, s_1, s_2, \ldots$ is the smallest positive integer $N$ such that $s_i = s_{i+N}$ for all $i \ge 0$. If the period of the keystream is too short, different parts of the plaintext will be encrypted with identical bits of the keystream. A long period avoids the keystream being reused when encrypting long plaintexts.
In our scheme, the internal state of the proposed cipher consists of LFSR$_\alpha$, LFSR$_\beta$, LFSR$_\gamma$, LFSR$_a$, LFSR$_b$, and LFSR$_c$, which are six maximum-length LFSRs of lengths 31, 17, 13, 61, 89, and 107, respectively. The respective periods of LFSR$_\alpha$, LFSR$_\beta$, LFSR$_\gamma$, LFSR$_a$, LFSR$_b$, and LFSR$_c$ are denoted as $P_\alpha$, $P_\beta$, $P_\gamma$, $P_a$, $P_b$, and $P_c$, and they are equal to $2^{31} - 1$, $2^{17} - 1$, $2^{13} - 1$, $2^{61} - 1$, $2^{89} - 1$, and $2^{107} - 1$, respectively. Notice that all of these periods are prime numbers. The main work of LFSR$_a$, LFSR$_b$, and LFSR$_c$ is to produce the keystream, but their respective clock pulses are dependent on the clock controller. The clock controller consists of LFSR$_\alpha$, LFSR$_\beta$, LFSR$_\gamma$, and some nonlinear Boolean functions, and its output sequences $clk_{ai}$, $clk_{bi}$, and $clk_{ci}$, where $i \in \{0, 1\}$, are taken to control the respective clock pulses of LFSR$_a$, LFSR$_b$, and LFSR$_c$. This means the periods of LFSR$_a$, LFSR$_b$, and LFSR$_c$ will be affected by the periods of $clk_{ai}$, $clk_{bi}$, and $clk_{ci}$. Let us define the periods of $clk_{ai}$, $clk_{bi}$, and $clk_{ci}$ as $P_{clk_{ai}}$, $P_{clk_{bi}}$, and $P_{clk_{ci}}$, respectively. The periods $P_{clk_{ai}}$, $P_{clk_{bi}}$, and $P_{clk_{ci}}$ can be written as [30]:
where lcm(·) denotes the function of the least common multiple. Since all of the periods $P_\alpha$, $P_\beta$, and $P_\gamma$ are prime numbers, $P_{clk_{ai}}$, $P_{clk_{bi}}$, and $P_{clk_{ci}}$ can be simplified to:
Next, the sequences $clk_{ai}$, $clk_{bi}$, and $clk_{ci}$ are taken to control the respective clock pulses of LFSR$_a$, LFSR$_b$, and LFSR$_c$. If $clk_{ai} = 1$ and the clk edge trigger simultaneously occurs, then LFSR$_a$ is shifted, and likewise for LFSR$_b$ and LFSR$_c$. Let us define $S_a$, $S_b$, and $S_c$ as the number of 1's in the sequences $clk_{ai}$, $clk_{bi}$, and $clk_{ci}$, respectively, in every period. $T_a$, $T_b$, and $T_c$ represent the affected periods of LFSR$_a$, LFSR$_b$, and LFSR$_c$, respectively. Thus, the periods $T_a$, $T_b$, and $T_c$ can be written as [15]:
Since all of the periods $P_a$, $P_b$, and $P_c$ are prime numbers, and they are greater than $S_a$, $S_b$, and $S_c$, respectively, it means $\gcd(S_k, P_k) = 1$ for $k \in \{a, b, c\}$. Thus, $T_a$, $T_b$, and $T_c$ can be simplified to:
Finally, the output generator takes the respective rightmost bits of LFSR$_a$, LFSR$_b$, and LFSR$_c$ as its input to generate the keystream. The period $T_z$ of the keystream can be written as follows:
It can be seen that the period of the proposed cipher is long enough to meet the security requirements in each cipher mode.

Linear Complexity
Any periodic sequence can be generated by a Linear Feedback Shift Register (LFSR), since a linear recurrence (or a characteristic polynomial) can be implemented by using a LFSR. Given a periodic sequence, the Berlekamp-Massey algorithm [31] can be used to calculate this recurrence and linear complexity. The length of the shortest recurrence is defined as the linear complexity of a periodic sequence.
The linear complexity is also defined as the size of the shortest LFSR, which can reproduce the same sequence as the given sequence. If the keystream has a linear complexity LC = n, it can be reconstructed by a LFSR after examining only 2n bits of the keystream. Once the LFSR is generated by the attacker, they can break the stream cipher. Therefore, the high linear complexity of the keystream is a necessary condition and very important for the design of stream ciphers. The high linear complexity of a keystream means that it possesses higher non-predictability.
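The statement that a keystream of linear complexity n is reproduced from 2n observed bits can be checked when evaluating a generator. The following is an added example, not code from the paper: a GF(2) Berlekamp-Massey implementation run on a constructed 17-stage LFSR, where the polynomial 1 + x^3 + x^17, the seed, and all function names are assumptions chosen for the demonstration.

```python
"""Added example: linear complexity of a bit sequence via Berlekamp-Massey."""


def lfsr_bits(taps, state, n):
    """Generate n bits of the recurrence s[i] = XOR of s[i - t] for t in taps.

    `state` holds the first max(taps) output bits and must not be all zero.
    """
    s = list(state)
    while len(s) < n:
        bit = 0
        for t in taps:
            bit ^= s[-t]
        s.append(bit)
    return s[:n]


def berlekamp_massey(bits):
    """Return (L, c): the linear complexity of `bits` and the connection
    polynomial c[0..L] with c[0] = 1, such that for every i >= L
    bits[i] equals the XOR of c[j] & bits[i - j] for j = 1..L."""
    n = len(bits)
    c = [1] + [0] * n   # current connection polynomial
    b = [1] + [0] * n   # polynomial saved at the last length change
    L, m = 0, -1        # current complexity, index of the last length change
    for i in range(n):
        d = bits[i]     # discrepancy between the predicted and the real bit
        for j in range(1, L + 1):
            d ^= c[j] & bits[i - j]
        if d:
            prev = c[:]
            shift = i - m
            for j in range(n + 1 - shift):
                c[j + shift] ^= b[j]
            if 2 * L <= i:
                L, m, b = i + 1 - L, i, prev
    return L, c[:L + 1]


def predict(prefix, c, count):
    """Extend `prefix` by `count` bits using the recovered recurrence c."""
    L = len(c) - 1
    s = list(prefix)
    for _ in range(count):
        bit = 0
        for j in range(1, L + 1):
            bit ^= c[j] & s[-j]
        s.append(bit)
    return s[len(prefix):]


# Constructed sample (assumption, not the paper's LFSR): 17 stages, primitive
# connection polynomial 1 + x^3 + x^17, arbitrary non-zero seed.
N_STAGES = 17
SEED = [1, 0, 1, 1, 0, 0, 1, 0, 1, 0, 0, 0, 1, 1, 1, 0, 1]
KEYSTREAM = lfsr_bits((3, 17), SEED, 500)


def recover_and_predict(observed_bits):
    """Run Berlekamp-Massey on a keystream prefix, then predict the rest.

    Returns (L, c, all_remaining_bits_predicted_correctly).
    """
    prefix = KEYSTREAM[:observed_bits]
    L, c = berlekamp_massey(prefix)
    guess = predict(prefix, c, len(KEYSTREAM) - observed_bits)
    return L, c, guess == KEYSTREAM[observed_bits:]


if __name__ == "__main__":
    L, c, ok = recover_and_predict(2 * N_STAGES)
    taps = [j for j, v in enumerate(c) if v]
    print(f"observed {2 * N_STAGES} bits: LC = {L}, polynomial exponents {taps}")
    print("remaining keystream predicted correctly:", ok)
```

A bare LFSR is therefore fully determined by twice its length in output bits, which is why the design relies on irregular clocking and nonlinear output functions to raise LC.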
According to the Beth-Piper stop-and-go generator and the Gollmann cascade stop-and-go generator in [30], we can provide the lower bound of the linear complexity of our scheme. For our scheme, we use the clock controller to control the respective clock pulses of LFSR$_a$, LFSR$_b$, and LFSR$_c$. Their respective clock pulses are dependent on the output sequences $clk_{ai}$, $clk_{bi}$, and $clk_{ci}$ of the clock controller, where $i \in \{0, 1\}$. We use $P_{clk_{ai}}$, $P_{clk_{bi}}$, and $P_{clk_{ci}}$ to represent the respective periods of $clk_{ai}$, $clk_{bi}$, and $clk_{ci}$. The primitive feedback polynomials of LFSR$_1$, LFSR$_2$, and LFSR$_3$ have degrees of $L_a$, $L_b$, and $L_c$, respectively. The lower bound of the linear complexity LC of the proposed cipher can be written as follows:
The linear complexity LC and the characteristic polynomial of a keystream can be computed by the Berlekamp-Massey algorithm, which costs approximately $O(LC^2)$ [32].
The requirement of the linear complexity of the stream cipher is determined by different security levels. For example, when the computation cost of a stream cipher is required to equal the security strength of AES, it must be approximately equal to $O(2^{128})$. For our scheme, the linear complexity LC of the proposed stream cipher is approximately equal to $2^{69}$. According to the above, the computation cost of the proposed cipher can be written as follows:
It can be seen that the computation cost of our proposed cipher satisfies the security strength of AES, being even stronger than AES.

Statistical Properties
Good statistical properties for randomness are one of the basic important requirements for stream ciphers. The keystream of a good stream cipher not only has the feature of non-predictability, but also has good statistical properties for randomness. So, to implement a stream cipher, the capability to perform statistical tests for randomness must be incorporated. Randomness testing of random and pseudorandom number generators is used in many cryptographic, modeling, and simulation applications. The National Institute of Standards and Technology (NIST) has developed different criteria that may be employed to investigate the randomness of cryptographic applications.
In order to evaluate the randomness of the proposed keystream, we use the Federal Information Processing Standards Publication 140-1 (FIPS PUB 140-1) [16] and the Special Publication 800-22 (SP800-22) [17] to perform the statistical tests for our scheme. They are also issued by the NIST, where the FIPS PUB 140-1 standard is the security requirement for cryptographic modules and the SP800-22 is a statistical test suite for random and pseudorandom number generators for cryptographic applications.
For the FIPS PUB 140-1 standard, there are four test types in the random tests. The specifications of the recommended tests are based on a single bit stream of 20,000 consecutive output bits. To perform the FIPS PUB 140-1 tests, we sampled 100 different keystreams which were generated by 100 random keys and 100 random initialization vectors. Each keystream was a single bit stream of length 20,000 bits. The proposed cipher passed the FIPS PUB 140-1 tests by a proportion of at least 97.00%.
Furthermore, for the SP800-22 statistical test suite, there are fifteen test types in the statistical tests that were developed to test the randomness of binary sequences. These tests focus on a variety of different types of non-randomness that could exist in a sequence. For the SP800-22 statistical test suite, we sampled 100 different keystreams under the 100 secret keys, and initialization vectors were randomly chosen. Each sample was 10,000,000 bits in length. The proposed cipher passed the SP800-22 tests by a proportion of at least 98.00%, with a significance level of 0.01.

Time-Memory-Data Tradeoff Attack
In 1980, Hellman introduced a general technique for breaking arbitrary block ciphers called a time-memory tradeoff attack. It can also be generalized to the general problem of inverting one-way functions. Babbage and Golić, and later, Biryukov, Shamir, and Wagner, pointed out that a different tradeoff attack called a time-memory-data tradeoff attack is applicable to stream ciphers. Several stream ciphers have been broken by time-memory-data tradeoff attacks, including the famous GSM encryption scheme A5/1 [31].
The time-memory-data tradeoff attack consists of two phases; i.e., the pre-computation phase and the online phase. In the pre-computation phase, the attacker builds large tables relating to the behavior of the system in question. During the online phase, the attacker obtains actual data produced from an unknown key, and his goal is to use the pre-computed tables to find the key as quickly as possible. There are five parameters for any time-memory-data tradeoff attack [33,34]:
- N denotes the size of the search space
- P denotes the time required for the pre-computation phase
- M denotes the size of memory used to store the pre-computed tables
- T denotes the time required for the online phase
- D denotes the amount of output data available to the attacker
The requirement for the attack is that T and M should be smaller than N, since the complexity of the time-memory-data tradeoff attack is usually taken to be the sum or maximum of T and M.
For the Babbage-Golić tradeoff attack described in [34], it assumes that the size of the internal state of the stream cipher in N bits and D different keystreams of length $\log N$ are given. The goal of this attack is to recover one of the internal states from any one of the given keystreams. Once a state is found, the corresponding internal states are derived from the rest of the plaintext by running the generator forwards from this known state. For this time-memory-data tradeoff attack, the memory requirement is $M = N/D$. It suffices to search the entries in the table D times and the time complexity is $T = D$ with the pre-computation time $P = M$. By ignoring some of the available data, T can be reduced from T towards 1, and thus, generalize the tradeoff to $TM = N$ and $P = M$ for any $1 \le T \le D$. $T = M$ constitutes an attack of $T = M = D = N^{1/2}$.
Another enhanced tradeoff attack, as described in [34], was presented by Biryukov and Shamir. This attack combined the works of Hellman and Babbage-Golić to launch a new time-memory-data tradeoff attack on stream ciphers. It assumed that the internal state could take N different values. As with the work of Babbage-Golić, the aim of this attack is to recover any one of the many internal states of the stream cipher for D different keystreams that are given. In the tradeoff attack by Biryukov-Shamir, the parameters satisfy the relation $P = N/D$ and $TM^2D^2 = N^2$ for $1 \le T \le D$. $T = M = N^{1/2}$ with $D = N^{1/4}$ constitutes an attack.
In fact, Babbage suggested that a secret key length of k bits is required and a state size of at least 2k bits is required as a design principle of stream ciphers. Similarly, Golić stated that a simple way of increasing security is to make the internal memory size larger.
According to the above, we know the time-memory-data tradeoff attack can be applied when the state size of the stream cipher is too small. A necessary condition on the state size of a stream cipher is that it has to be at least two times the secret key length. For our scheme, the proposed stream cipher takes the 128-bit secret key. In order to avoid time-memory-data tradeoff attacks, the size of the internal state must be at least 256. However, the size of the internal state of the proposed cipher is 318 bits, which means that the size of the search space $N = 2^{318} > 2^{256}$. This gives $T = M = D = N^{1/2} = 2^{159}$ for the Babbage-Golić tradeoff and $T = M = N^{1/2} = 2^{159}$, $D = N^{1/4} = 2^{79.5}$ for the Biryukov-Shamir tradeoff attack, respectively. The results show that they are not better than an exhaustive key search, so the proposed stream cipher can resist these attacks.

Correlation Immunity Properties
Correlation immunity as a measure of resistance against ciphertext-only correlation attacks in stream ciphers was defined by Siegenthaler [35]. As shown in Figure 12, there is a nonlinear function $f$ with $n$ input sequences $x = \{x_0, x_1, \ldots, x_{n-1}\}$. If the output sequence $z$ is statistically independent of every subset of $m$ input sequences, then the function has correlation immunity of order $m$, where $m \le n$. Therefore, the mutual information between the output sequence $z$ and any subset of $m$ input sequences is zero.
The m-th order correlation immune function $f$ with $n$ input sequences is defined as follows:

where the $x_{i_1}, x_{i_2}, \ldots, x_{i_m}$ denote the input variables for $0 \le i_1 < i_2 < \ldots < i_m \le n - 1$, and ($s_1$, $s_2$, . . . , then $f$ is also called the $m$-resilient function.
For our scheme, we proposed four output sequence generators (OSGs) to produce the keystream, which was described in Section 3.5. The four OSGs consist of nonlinear Boolean functions, except OSG$_0$. All of these OSGs satisfy the properties of being balanced and correlation immune of order one. The four OSGs, namely OSG$_0$, OSG$_1$, OSG$_2$, and OSG$_3$, take sequence $a_{0t}$, $b_{0t}$, and $c_{0t}$ as their inputs, and their output sequences are denoted by $z_{0t}$, $z_{1t}$, $z_{2t}$, and $z_{3t}$, respectively. All of the output-inputs correlation probabilities of each OSG are listed as follows:
where $d_t$ and $e_t$ are carry bits of Dawson's method in OSG$_1$, and $g_t$ and $h_t$ are the respective hybrid carry bits of OSG$_2$ and OSG$_3$. After delaying one clock, they are fed back as extra inputs of OSG$_1$, OSG$_2$, and OSG$_3$, respectively. It is apparent that the output bit is uncorrelated to all the individual input bits for each OSG. The proposed stream cipher is deemed secure and it can resist some correlation attacks.
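The balance and correlation-immunity properties claimed above can be verified mechanically for any memoryless combining function. The following is an added example, not code from the paper: it computes the output-input correlation probabilities and the correlation-immunity order (through the Walsh spectrum, following the Xiao-Massey characterization) for OSG$_0$, the three-input exclusive-or described on this page, and for a majority function that is a constructed contrast and is not used in the cipher. The functions of OSG$_1$ to OSG$_3$ are not reproduced on this page, so they are not modelled; all function names are assumptions.

```python
"""Added example: correlation probabilities and correlation-immunity order."""
from fractions import Fraction
from itertools import product


def correlation_probabilities(f, n):
    """Return P(z = x_i) for each input i, with uniform independent inputs."""
    rows = list(product((0, 1), repeat=n))
    return [Fraction(sum(f(*x) == x[i] for x in rows), len(rows))
            for i in range(n)]


def walsh_spectrum(f, n):
    """Return {w: W(w)} with W(w) = sum over x of (-1)^(f(x) XOR w.x)."""
    rows = list(product((0, 1), repeat=n))
    spectrum = {}
    for w in rows:
        total = 0
        for x in rows:
            dot = sum(a & b for a, b in zip(w, x)) & 1
            total += -1 if (f(*x) ^ dot) else 1
        spectrum[w] = total
    return spectrum


def is_balanced(f, n):
    """A function is balanced when W(0) = 0 (as many zeros as ones)."""
    return walsh_spectrum(f, n)[(0,) * n] == 0


def correlation_immunity_order(f, n):
    """Largest m such that W(w) = 0 for every mask w of weight 1..m."""
    spectrum = walsh_spectrum(f, n)
    order = 0
    for m in range(1, n + 1):
        if any(value for w, value in spectrum.items() if sum(w) == m):
            break
        order = m
    return order


def osg0(a, b, c):
    """OSG0 as described on the page: exclusive-or of the three input bits."""
    return a ^ b ^ c


def majority(a, b, c):
    """Constructed contrast (not part of the cipher): leaks every input."""
    return (a & b) | (a & c) | (b & c)


if __name__ == "__main__":
    for name, f in (("OSG0", osg0), ("majority", majority)):
        probs = [str(p) for p in correlation_probabilities(f, 3)]
        print(name, "P(z = x_i) =", probs,
              "balanced =", is_balanced(f, 3),
              "CI order =", correlation_immunity_order(f, 3))
```

A probability other than 1/2 for any single input, as with the majority function, is the bias a correlation attack on that input's LFSR would exploit.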

Experimental Results
In this chapter, the criteria tests and experimental results are described. First, we use the Verilog hardware description language to describe the behavior of the proposed stream cipher. Next, the simulation results of the keystream are taken to evaluate the statistical properties for randomness according to the FIPS PUB 140-1 and SP800-22 packages. Using the 100 secret keys and with initialization vectors randomly chosen, we sampled 100 different keystreams to utilize the statistical test suite. Finally, we provide a performance comparison between the CCDM stream ciphers.

Statistical Random Number Tests
Good statistical properties for randomness are one of the basic important requirements for stream ciphers. Any cryptographic modules that implement a random or pseudorandom number generator shall incorporate this capability to perform statistical tests for randomness. The NIST has developed different criteria that may be employed to investigate the randomness of cryptographic applications. In order to evaluate the randomness of the proposed keystream, we use the Federal Information Processing Standards Publication 140-1 (FIPS PUB 140-1) and the Special Publication 800-22 (SP800-22) to perform the statistical tests for our scheme.

Random Test Results under FIPS PUB 140-1
As required by FIPS PUB 140-1, the proposed cipher must perform four different test types. These tests include a monobit test, a poker test, a runs test and a long runs test. According to the specifications of FIPS PUB 140-1, these tests were based on a stream of 20,000 consecutive bits. To determine the randomness properties of our scheme, we randomly chose 100 secret keys and initialization vectors, and used them to generate 100 different keystreams for our scheme. Then, we sampled 100 different keystreams to perform the FIPS PUB 140-1 tests, where each keystream was a single bit stream of 20,000 consecutive bits. The test results are shown in Table 10. The proposed cipher passes the FIPS PUB 140-1 tests by a proportion of at least 97.00%.
We sampled 100 different keystreams to perform the SP800-22 statistical test suite with 100 secret keys and initialization vectors that were randomly chosen. Each sample was 10,000,000 bits in length. Notice, in the cases of the Random Excursions test and the Random Excursions variant test, the requirement for the number J must be greater than 500. As mentioned above, the proposed cipher passed the SP800-22 test suite with a proportion of at least 98.00%. The test results are shown in Table 11.
Figure 13 is the comparison chart of p-values between A5/1, Prajapat's scheme [14], and the proposed scheme. The parameter p-value is calculated during testing, which is the strength of the randomness of the dataset. Each p-value corresponds to the probability that the bit sequence of the dataset under testing is random. If it is equal to 1, then the bit sequence has ideal randomness. From the figure, it can be seen that the proposed scheme made progress in the NIST statistical tests.
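The four FIPS PUB 140-1 tests named at the start of this subsection can be run on any 20,000-bit stream as follows. This is an added example, not the authors' test harness: the pass intervals are those of FIPS PUB 140-1 itself (they are not listed on this page), the function names are assumptions, and the sample streams are constructed, with Python's `random` module standing in for a keystream generator.

```python
"""Added example: the four FIPS PUB 140-1 statistical tests on 20,000 bits."""
import random
from itertools import groupby

STREAM_BITS = 20000

# Pass intervals taken from FIPS PUB 140-1 (not listed on the page).
MONOBIT = (9654, 10346)       # exclusive bounds on the number of ones
POKER = (1.03, 57.4)          # exclusive bounds on the poker statistic X
RUNS = {1: (2267, 2733), 2: (1079, 1421), 3: (502, 748),
        4: (223, 402), 5: (90, 223), 6: (90, 223)}   # key 6 = "6 or longer"
LONG_RUN = 34                 # a run of this length or more fails


def monobit(bits):
    return MONOBIT[0] < sum(bits) < MONOBIT[1]


def poker(bits):
    counts = [0] * 16         # occurrences of each 4-bit value
    for i in range(0, STREAM_BITS, 4):
        value = bits[i] << 3 | bits[i + 1] << 2 | bits[i + 2] << 1 | bits[i + 3]
        counts[value] += 1
    x = 16 / 5000 * sum(f * f for f in counts) - 5000
    return POKER[0] < x < POKER[1]


def run_lengths(bits):
    """List of (bit value, run length) for each maximal run in the stream."""
    return [(bit, len(list(group))) for bit, group in groupby(bits)]


def runs(bits):
    tally = {(bit, k): 0 for bit in (0, 1) for k in RUNS}
    for bit, length in run_lengths(bits):
        tally[(bit, min(length, 6))] += 1
    return all(RUNS[k][0] <= n <= RUNS[k][1] for (_, k), n in tally.items())


def long_run(bits):
    return max(length for _, length in run_lengths(bits)) < LONG_RUN


def fips_140_1(bits):
    """Return the pass/fail verdict of each test for one 20,000-bit stream."""
    if len(bits) != STREAM_BITS:
        raise ValueError("FIPS PUB 140-1 tests need exactly 20,000 bits")
    return {"monobit": monobit(bits), "poker": poker(bits),
            "runs": runs(bits), "long_run": long_run(bits)}


def pass_proportion(streams):
    """Fraction of streams passing each test, as reported per test in a table."""
    results = [fips_140_1(s) for s in streams]
    return {name: sum(r[name] for r in results) / len(results)
            for name in results[0]}


if __name__ == "__main__":
    # Constructed inputs: a periodic pattern that is balanced but not random,
    # and 100 pseudorandom streams standing in for cipher keystreams.
    print("0101... pattern:", fips_140_1([0, 1] * (STREAM_BITS // 2)))
    rng = random.Random(2023)
    samples = [[rng.getrandbits(1) for _ in range(STREAM_BITS)]
               for _ in range(100)]
    print("stand-in generator:", pass_proportion(samples))
```

The alternating pattern shows why the monobit test alone is insufficient: it has exactly 10,000 ones yet fails the poker and runs tests.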

Performance
We compare the performance of the proposed scheme against other stream ciphers in this subsection. The CCDM [15] stream cipher is based on irregular clocking and operating on two different modes, but it does not refer to the design of the key initialization and the operation of mode selection. On the other hand, the proposed scheme has low key initialization cycles and simplicity in terms of mode switching. We used the Verilog hardware description language as our design entry to describe the behavior of the key-based multi-mode clock-controlled stream cipher. The proposed design was synthesized using TSMC 0.18 µm CMOS technology. After synthesis, it showed that the gate level design contained about 5599 gates. Furthermore, our proposed scheme was allowed to run at a working frequency up to 284 MHz. Table 12 shows the comparison results of our design with some other stream ciphers in ASIC [14,15,36]. The results shown are under different CMOS processes. The power cannot be reliably scaled between different processes and libraries, but the gate count can be scaled to a 0.13 µm process for comparison. Furthermore, the initialization cycle of our design is somewhat smaller than other ciphers. In addition, the proposed cipher is able to run on low-end IoT devices, such as ESP32, ATmega328, Arduino, or Raspberry Pi IoT platforms.

Conclusions
In this paper, we proposed a key-based multi-mode clock-controlled stream cipher to enhance the security of stream ciphers. The proposed multi-mode depended on the secret key. The different modes were shipped with different encrypting circuits depending on the user's session key. We also analyzed the period, linear complexity, and used known attacks to verify the security strength of the cipher.
We presented the mathematical results regarding the period and linear complexity of the proposed cipher. The results showed that the period of the proposed stream cipher was enough to consider the security requirements for each cipher mode. On the other hand, the linear complexity of the proposed stream cipher satisfied the security strength of AES, and was even stronger than AES. For good statistical properties for randomness, the proposed cipher passed the FIPS PUB 140-1 tests by a proportion of at least 97.00% and passed the SP800-22 test suite by a proportion of at least 98.00%. The experimental results showed that the proposed stream cipher possessed a considerably good randomness property. Regarding security, the proposed cipher could resist time-memory-data tradeoff attacks and some correlation attacks. In terms of the confidentiality of the IoT, the stream cipher outperformed other symmetric ciphers and asymmetric ciphers. Our proposed stream cipher with a multiple-mode encryption scheme could be applied to the actual IoT environment and promotes the security strength of ciphers.
LFSRs have the advantage of high operation speeds in hardware security. The eight operation modes and the output of 1-bit per clock in the proposed scheme represent its limitations, but these could be ingeniously extended. To elasticize the stream cipher, the designs of an optimized structure for secure hardware circuits will be an interesting research direction. Furthermore, the application of these circuits when merged with cellular automata, chaos, and multi-mode operations represent potential future works.

Figure 1. The Fibonacci structure of a LFSR.

Figure 2. The Galois structure of a LFSR.

Figure 4. The block diagram of keystream generator.

Figure 5. The module of the mode controller.

Figure 6. The circuit of the mode controller.

Figure 12. A nonlinear function f with n input sequences.

Table 4. The operating condition under $m_2$ and $m_1$.

Table 6. Correlation probability of DSG.

Table 12. Performance comparison with some stream ciphers.