# New Family of Stream Ciphers as Physically Clone-Resistant VLSI-Structures


## Abstract

^{323} possible different KSGs. If one unknown cipher from the KSG-class is randomly picked and stored irreversibly within a VLSI device, the device becomes physically hard-to-clone. The selected cipher is only usable by the device itself, therefore cloning it requires an invasive attack on that particular device. Being an unknown selection out of 2^{323} possible KSGs, the resulting cipher is seen as a Secret Unknown Cipher (SUC). The SUC concept was presented a decade ago as a digital alternative to the inconsistent traditional analog Physically Unclonable Functions (PUFs). This work presents one possible practical self-creation technique for such PUFs as hard-to-clone unknown KSGs usable to re-identify VLSI devices. The proposed sample cipher-structure is based on non-linear merging of 16 randomly selected Nonlinear Feedback Shift Registers (NLFSRs). The created KSGs exhibit linear complexities exceeding 2^{81} and a period exceeding 2^{161}. The worst-case device cloning time complexity approaches 2^{162}. A simple lightweight identification protocol for physically identifying such SUC structures in FPGA-devices is presented. The required self-reconfiguring FPGAs for embedding such SUCs are not yet available, but are expected to emerge in the near future. The security analysis and hardware complexities of the resulting clone-resistant structures are evaluated and shown to offer scalable security levels to cope even with post-quantum cryptography.

## 1. Introduction

^{323} for a sample set of NLFSRs with a state size of 223 bits. Secondly, the resulting ciphers are optimized to be embedded at low-cost in future VLSI-devices to convert them into clone-resistant devices with long-term consistency. Finally, a simple generic-lightweight identification/authentication protocol is shown for VLSI-devices when using such SUC-based structures.

## 2. Proposed Digital Clone-Resistant Physical VLSI Structure

#### 2.1. The Concept of Secret Unknown Ciphers SUCs

**Definition 1.**

^{−1}, that is:

- The Trusted Authority (TA) uploads a software package as a smart cipher designer called “GENIE”. “The GENIE concept is taken from 1001-night miracles as a powerful, honest and obedient creature which can realize any wishes after getting out of Aladdin’s lamp”.
- The GENIE is then ordered to create a non-predictable cipher (SUC) with the help of the True Random Number Generator (TRNG) located within the SoC to assure randomized, unpredictable and unknown results. The GENIE stores the created SUC permanently at unknown location/s within the FPGA fabric and makes it usable for encrypting and decrypting data.
- The GENIE is then kicked-out (that is, deleted as a program and ordered to leave the device forever). The end result is a usable cipher which nobody knows. Notice that the created ciphers are basically different, even when having an unknown individual structure and unknown locations for each individual device.
- In this enrollment step, the TA (or any other TA’) challenges each SUC_{u} by a set of t-cleartext patterns $\{X\} = (X_{u,0} \dots X_{u,t-1})$ to generate the corresponding t-ciphertext set $\{Y\} = (Y_{u,0} \dots Y_{u,t-1})$ where $Y_{i} = SUC_{u}(X_{i})$. Then, the TA stores the X/Y pairs on the corresponding area in its Units Individual Records (UIR) labeled by the serial number of the device $SN_{u}$. The $X_{i}/Y_{i}$ pairs are to be used later by the TA/TA’ to identify and authenticate devices. Notice that multiple TA’s can operate completely independently for their own individual application by using the same SUC.

_{i} is deemed to be unpredictable.

#### 2.2. SUC Generic Use Protocol as Provable Physical Identity

_{u}) in a two-path protocol:

- Path-1: TA randomly selects one of the $X_{u,i}/Y_{u,i}$ pairs and challenges unit u with $Y_{u,i}$ by asking for $X_{u,i}$.
- Path-2: Unit u deploys its $SUC_{u}^{-1}$ to decrypt $Y_{u,i}$ as $X_{u,i}^{\prime} = SUC_{u}^{-1}(Y_{u,i})$ and sends $X_{u,i}^{\prime}$ to TA. The TA then checks if $X_{u,i} = X_{u,i}^{\prime}$; if true, then unit u is deemed as authentic. The used $X_{u,i}/Y_{u,i}$ pair is marked as consumed or deleted, and should never be used again.

#### 2.3. Kerckhoffs’s Principle (Shannon’s Maxim) and the SUC Concept

1. **The Case of Published GENIE:** In the worst case, the GENIE is assumed to be published. That is, the whole cipher design rules are known to the opponent. If the cipher class size |SUC| is huge, that is:

   $|SUC| = N$ and N is huge, that is $N \to \infty$

   $CE = \log_{2} N + k$

   as both the cipher and its key are unknown. Also, it is assumed that if the cipher designer is using state-of-the-art crypto knowledge, then the minimum value is $CE_{min} = k$, in the case that the attacker finds the cipher due to the design weakness of the GENIE. Assuming that the GENIE designer is a good, up-to-date cryptographer, the cloning entropy approaches:

   $CE_{max} = \log_{2} N + k$

2. **The Case of Unpublished GENIE:** For the SUC concept to work, the TA is not actually required to publish the GENIE. In that case, the minimum CE is:

   $CE_{min} = \log_{2} N_{0} + k$

   where $N_{0}$ is some unknown upper bound of the cipher class cardinality under consideration.

The security analysis of the proposed family of KSG/stream ciphers is carried out by considering that the cipher design is publicly known, i.e., the NLFSRs’ feedback functions are known.

- Revealing the secret cipher components: An adversary is forced to reveal the randomly selected functions that are used in constructing the SUC.
- Breaking the resulting stream cipher: After revealing the SUC’s secret parameters, this SUC could be considered as a publicly known cipher, and an adversary should apply known cryptanalytical attack to break this SUC.

#### 2.4. State of the Art in Designing SUC Creating GENIEs

## 3. Designing a GENIE for Creating Unknown Keystream Generators

#### 3.1. Selected State of the Art on Key Stream Generators

#### 3.2. Creating SUCs Based on Random Keystream Generators

_{t} proceeds as follows:

- The GENIE triggers the TRNG and gets random numbers.
- The GENIE selects randomly, for each NLFSR, a feedback function from a pre-defined set and loads it to the corresponding area in the FPGA fabric. Also, the GENIE generates a random initial state for each NLFSR.
- Furthermore, the combining function can also be selected randomly by fulfilling some conditions to ensure that the GENIE is going to generate SUCs with an acceptable minimum-security level.

#### 3.3. Description of the Created Random Keystream Generator

^{6} − 1, 2^{7} − 1, …, 2^{23} − 1) ≈ 2^{161}, which is considered adequate.

#### 3.3.1. Selected Sets of Non-Linear Feedback Shift Registers

^{N} − 1 for each one. This section describes in detail the NLFSR design methodology.

**Definition 2.**

**Definition 3.** ^{N}, in which each N-bit tuple occurs exactly once in one period of the sequence [xxx].

**Definition 4.**

- Reverse form: ${f}_{r}({x}_{0},{x}_{1},\dots ,{x}_{N-1})={x}_{0}\oplus g({x}_{N-1},\dots ,{x}_{1})$
- Complement form: ${f}_{c}({x}_{0},{x}_{1},\dots ,{x}_{N-1})={x}_{0}\oplus 1\oplus g({x}_{1},\dots ,{x}_{N-1})$
- Reverse complement form: ${f}_{rc}({x}_{0},{x}_{1},\dots ,{x}_{N-1})={x}_{0}\oplus 1\oplus g({x}_{N-1},\dots ,{x}_{1})$

- **Berlekamp-Massey (B-M) Algorithm attack:** To ensure that the time complexity of a B-M Algorithm attack is over 2^{80}, where the attack complexity is defined as L^{2} and L is the B-M linear complexity of the total key stream sequence, L should exceed 2^{40}.
- **Correlation immunity:** If an adversary succeeds in recovering the randomly selected feedback functions, a correlation attack may be launched. As the designed correlation immunity of the combining function is 8, the total size of the shortest 9 (8+1) NLFSRs should be larger than 80. In that case the correlation attack complexity would become 2^{80}, which is considered as sufficiently secure for contemporary non-post-quantum cryptography.
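The linear-complexity criterion above can be seen on a single small register. The following added example (not code from the paper) clocks the first A_1 entry of Appendix A, `1,2,(1,2)`, as a 6-bit NLFSR, checks its period and that of its reverse form, and then shows that Berlekamp-Massey rebuilds an equivalent LFSR from only 2L keystream bits. It assumes the entry denotes g = x1 ⊕ x2 ⊕ x1x2 in f = x0 ⊕ g with x0 the oldest bit; all function names are illustrative.

```python
import re

def parse_feedback(entry):
    """Parse an Appendix A entry such as '1,2,(1,2)' into monomials.
    Assumed reading: '1' is x1 and '(1,2)' is the product x1*x2."""
    return [tuple(int(i) for i in (group or single).split(","))
            for group, single in re.findall(r"\(([\d,]+)\)|(\d+)", entry)]

def g(x, monomials):
    """XOR of all monomials; x[i] is the register bit x_i."""
    out = 0
    for mono in monomials:
        out ^= int(all(x[i] for i in mono))
    return out

def step(s, monomials, reverse=False):
    """One clock of f = x0 XOR g(x1..x_{N-1}); s[0] is the oldest bit.
    reverse=True applies Definition 4's reverse form g(x_{N-1},...,x_1)."""
    x = [s[0]] + s[:0:-1] if reverse else s
    return s[1:] + [s[0] ^ g(x, monomials)]

def period(state, monomials, reverse=False):
    """Number of clocks until the register returns to `state`."""
    s, steps = step(list(state), monomials, reverse), 1
    while s != list(state):
        s, steps = step(s, monomials, reverse), steps + 1
    return steps

def keystream(state, monomials, count):
    s, out = list(state), []
    for _ in range(count):
        out.append(s[0])
        s = step(s, monomials)
    return out

def berlekamp_massey(bits):
    """Return (L, c): the linear complexity of `bits` over GF(2) and the
    connection polynomial c[0..L], with s[i] = XOR of c[j] & s[i-j], j=1..L."""
    n = len(bits)
    c, b = [1] + [0] * n, [1] + [0] * n
    L, m = 0, -1
    for i in range(n):
        d = bits[i]
        for j in range(1, L + 1):
            d ^= c[j] & bits[i - j]
        if d:                      # current LFSR mispredicts bit i
            t, shift = c[:], i - m
            for j in range(n + 1 - shift):
                c[j + shift] ^= b[j]
            if 2 * L <= i:
                L, m, b = i + 1 - L, i, t
    return L, c[:L + 1]

def lfsr_extend(bits, c, count):
    """Continue `bits` with the LFSR given by connection polynomial c."""
    s = list(bits)
    for _ in range(count):
        nxt = 0
        for j in range(1, len(c)):
            nxt ^= c[j] & s[-j]
        s.append(nxt)
    return s[len(bits):]

def demo():
    n, start = 6, [0, 0, 0, 0, 0, 1]
    mono = parse_feedback("1,2,(1,2)")           # first A_1 entry, Appendix A
    full = 2 ** n - 1
    stream = keystream(start, mono, 3 * full)
    L, _ = berlekamp_massey(stream[:2 * full])   # complexity of the sequence
    L2, c = berlekamp_massey(stream[:2 * L])     # only 2L disclosed bits
    predicted = lfsr_extend(stream[:2 * L], c, full)
    return {"period": period(start, mono),
            "period_reverse": period(start, mono, reverse=True),
            "linear_complexity": L,
            "lc_from_2L_bits": L2,
            "prediction_ok": predicted == stream[2 * L:2 * L + full]}

if __name__ == "__main__":
    print(demo())
```

A single short register is fully predictable this way, which is why the design criterion is stated for the linear complexity of the combined keystream rather than for any one NLFSR.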

#### 3.3.2. Cardinality of the Designed KSG Class

**Theorem 1.**

_{i}. The cardinality of all possible creatable KSGs is then:

#### 3.3.3. Keystream Boolean Combining Function F

- The linear part, which contains the monomials of degree one ${x}_{1}$ to ${x}_{8}$, which can be realized with two 4-LUTs,
- The non-linear part containing monomials of degree two and three, related to the terms ${x}_{9}$ to ${x}_{16}$ which can also be realized with another two 4-LUTs. The outputs of all four 4-LUTs are combined using one 4-LUT to generate the keystream ${Z}_{t}$.

**Definition 5.**

**Definition 6.**

_{n}):

## 4. Security Analysis

#### 4.1. Brute Force Attack

#### 4.1.1. Exhaustive Search Attack on the NLFSRs Initial States as Secret Key Seeds

^{100}, the resulting complexity is of the order of 2^{323}. We conclude that the complexity of a brute force attack to guess all possible internal states is beyond the possible state of the art computational power. Therefore, the cipher is secure against such attacks.

#### 4.1.2. Stream Ciphers Linear Complexity and Berlekamp-Massey Algorithm

_{1},…,L_{t}) provides only an upper bound for L(ζ). However, in the following corollary cases, it is still possible to derive a reasonable lower bound for the linear complexity of ζ.

**Lemma 1.** Let σ_{1},…,σ_{t} be nonzero output sequences of primitive binary NLFSRs of lengths N_{1},…,N_{t}, respectively, having the corresponding linear complexities L_{1},…,L_{t}. Let F(x_{1},…,x_{t}) be a Boolean function of algebraic degree d ≥ 1. A lower bound for the linear complexity of the sequence ζ = F(σ_{1},…,σ_{t}) is reached if the following two conditions are fulfilled:

1. The algebraic normal form (ANF) of F(x_{1},…,x_{t}) contains a monomial $x_{i_{1}}, \dots, x_{i_{d}}$ of degree d for which the corresponding shift register lengths $N_{i_{1}}, \dots, N_{i_{d}}$ are pairwise relatively prime.
2. For all monomials of degree d, which have the form $x_{i_{1}} \dots x_{i_{j-1}} x_{i_{k}} x_{i_{j+1}} \dots x_{i_{d}}$, the following holds: $\gcd(N_{i_{j}}, N_{k}) = 1$.

- The monomial $x_{13}x_{14}x_{15}x_{16}$ satisfies condition 1 in the previous lemma: the lengths of the corresponding shift registers contributing to a monomial having d = 4 are $N_{13}=19,\ N_{14}=21,\ N_{15}=22,\ N_{16}=23$, which are pairwise relatively prime.
- The other monomials in the ANF of the Boolean combining function are of degree less than the degree 4 of the monomial $x_{13}x_{14}x_{15}x_{16}$. Therefore, condition 2 holds.
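The figures this analysis relies on can be recomputed from the page's own N_i / |A_i| table. The script below is an added example, not the authors' code; it assumes the keystream period is the least common multiple of the register periods 2^{N_i} − 1 and that the class size is the number of feedback-function choices times the number of initial states.

```python
from functools import reduce
from itertools import combinations
from math import gcd, log2, prod

# Register lengths N_i and set sizes |A_i| copied from the page's table.
LENGTHS = [6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 19, 21, 22, 23]
SET_SIZES = [84, 160, 168, 160, 188, 200, 144, 144,
             100, 96, 60, 60, 36, 16, 20, 12]

def pairwise_coprime(values):
    """Condition 1 of Lemma 1 for the register lengths of one monomial."""
    return all(gcd(a, b) == 1 for a, b in combinations(values, 2))

def lcm_all(values):
    return reduce(lambda a, b: a * b // gcd(a, b), values, 1)

def audit(lengths, set_sizes, top_monomial, corr_immunity):
    """top_monomial: 1-based register indices of the highest-degree monomial.
    corr_immunity: designed correlation immunity of the combining function."""
    state_bits = sum(lengths)
    feedback_bits = log2(prod(set_sizes))
    # Assumption: period = lcm of the individual register periods 2^N_i - 1.
    period_bits = log2(lcm_all(2 ** n - 1 for n in lengths))
    # The correlation criterion looks at the (immunity + 1) shortest registers.
    shortest = sorted(lengths)[:corr_immunity + 1]
    return {
        "state_bits": state_bits,
        "feedback_bits": feedback_bits,
        # Assumption: class size = feedback choices x initial states.
        "class_bits": feedback_bits + state_bits,
        "period_bits": period_bits,
        "condition1": pairwise_coprime([lengths[i - 1] for i in top_monomial]),
        "shortest_registers_bits": sum(shortest),
    }

REPORT = audit(LENGTHS, SET_SIZES, top_monomial=(13, 14, 15, 16), corr_immunity=8)

if __name__ == "__main__":
    for name, value in REPORT.items():
        print(f"{name:24s} {value}")
```

Changing `top_monomial` to registers whose lengths share a factor, such as 14 and 16, makes `condition1` false, which is the case the lemma's first condition excludes.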

^{162} and 2^{82} = 2L disclosed KSG bits to break a created KSG.

#### 4.2. Correlation Attacks

^{100} possible combinations of feedback functions and about 2^{223} initial states, trying to reveal the feedback functions is not feasible.

^{90}. However, this attack cannot be practically realized, since for each SUC the random feedback functions are unpredictable and are securely located inside the chip’s hardwired structure.

#### 4.3. Algebraic Attacks

**Fact 1 [29].** For $2N_{j} \le 2^{N_{j}} - N_{j}$, the k^{th} entry in the monomial spectrum of the shift registers $A_{j}$, with $1 \le j \le 16$, contains $2^{N_{j}-1}$ different monomials having in general a degree of $N_{j}-1$.

#### 4.4. Parity Check Attack

_{i}.

^{14}. Since the output should be independent and identically distributed, the expected number of cases that satisfy this condition in Equation (29) is:

#### 4.5. Side Channel Attacks

- **Timing analysis:** It exploits dependencies between the execution time of an algorithm and the secret key bits. The proposed stream cipher design template does not include conditional branches, and hence any randomly generated stream cipher inside the FPGA will provide the same response time for any key. Therefore, timing attacks are not feasible.
- **Power analysis:** Two major categories are discussed: Simple Power Analysis (SPA) uses a single measurement to reveal a secret key by searching for key dependent patterns in the power trace, while Differential Power Analysis (DPA) uses many power measurements that are evaluated by statistical analysis to reveal the secret key. In [31], a power analysis of stream ciphers which require frequent resynchronization is investigated. Since, in the SUC case, the internal state is selected randomly and unpredictably just once during the personalization of the SoC FPGA, there is no initial vector or key to manipulate from outside to allow such attacks.

## 5. Generic Use-Case of the Created Random KSG Structures for Authentication

#### 5.1. Protocol’s Enrollment Phase

#### 5.2. Identification Protocol

- Unit A sends its serial number $SN_{A}$ to the TA, which checks for its existence in the TA unit’s identification records (UIR). If $SN_{A} \in UIR$, then TA accepts and continues; otherwise it rejects and aborts the communication.
- The TA selects the next unused $Y_{i}$ and generates a random nonce $R_{T}$. Then, it encrypts $R_{T}$ with a standard cipher by using $Y_{i}$ as a key and sends it concatenated to $R_{T}$ as $E_{Y_{i}}(R_{T}) \| R_{T}$. Unit A generates the next response $Y_{i}$ and decrypts the received message as $E_{Y_{i}}^{-1}(E_{Y_{i}}(R_{T})) = R_{T}^{\prime}$. If $R_{T}^{\prime} \ne R_{T}$, unit A rejects TA and keeps its state $S_{i-1}$. This retains system synchronization. Otherwise, $R_{T}^{\prime} = R_{T}$ and TA is authentic.
- Unit A generates a random nonce $R_{A}$, encrypts it by the same $Y_{i}$ and sends it concatenated to $R_{A}$ as a response back to TA. TA decrypts the received message as $E_{Y_{i}}^{-1}(E_{Y_{i}}(R_{A})) = R_{A}^{\prime}$. If $R_{A} = R_{A}^{\prime}$, then unit A is deemed as authentic. $Y_{i}$ should never be used again.
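The three steps above as a runnable simulation, added here as an example and not the authors' implementation. Assumptions: the unit's KSG and the "standard cipher" E are replaced by HMAC-SHA256-based stand-ins, enrollment hands the first t responses to the TA, the TA keeps a Y_i after a failed run, and the echo check in `verify` is an addition; the serial numbers are constructed.

```python
import hashlib, hmac, secrets

BLOCK = 16          # bytes per nonce and per response Y_i (assumed size)
HALF = BLOCK // 2

def _f(key, rnd, half):
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:HALF]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt(key, block):
    """Stand-in for the 'standard cipher' E: 4-round Feistel over 16 bytes."""
    left, right = block[:HALF], block[HALF:]
    for rnd in range(4):
        left, right = right, _xor(left, _f(key, rnd, right))
    return left + right

def decrypt(key, block):
    left, right = block[:HALF], block[HALF:]
    for rnd in reversed(range(4)):
        left, right = _xor(right, _f(key, rnd, left)), left
    return left + right

class Unit:
    def __init__(self, serial):
        self.serial = serial
        self._suc = secrets.token_bytes(32)   # stand-in for the unknown KSG
        self.index = 0                        # responses used so far (S_{i-1})

    def _response(self, i):                   # Y_i
        return hmac.new(self._suc, i.to_bytes(4, "big"),
                        hashlib.sha256).digest()[:BLOCK]

    def enroll(self, t):
        return [self._response(i) for i in range(t)]

    def answer(self, message):
        enc, r_t = message[:BLOCK], message[BLOCK:]
        y = self._response(self.index)
        if not hmac.compare_digest(decrypt(y, enc), r_t):
            return None                       # reject TA, keep state S_{i-1}
        self.index += 1
        r_a = secrets.token_bytes(BLOCK)
        return encrypt(y, r_a) + r_a

class Clone(Unit):
    """Copies the serial number but holds a different cipher; always answers."""
    def answer(self, message):
        r_a = secrets.token_bytes(BLOCK)
        return encrypt(self._response(self.index), r_a) + r_a

class TrustedAuthority:
    def __init__(self):
        self.uir = {}                         # SN -> enrolled responses, pointer

    def enroll(self, unit, t):
        self.uir[unit.serial] = {"y": unit.enroll(t), "next": 0, "r_t": None}

    def challenge(self, serial):
        rec = self.uir.get(serial)
        if rec is None or rec["next"] >= len(rec["y"]):
            return None                       # SN not in UIR, or no unused Y_i
        rec["r_t"] = secrets.token_bytes(BLOCK)
        return encrypt(rec["y"][rec["next"]], rec["r_t"]) + rec["r_t"]

    def verify(self, serial, message):
        rec = self.uir[serial]
        enc, r_a = message[:BLOCK], message[BLOCK:]
        # Added check (assumption, not on the page): an echo of R_T proves nothing.
        ok = r_a != rec["r_t"] and hmac.compare_digest(
            decrypt(rec["y"][rec["next"]], enc), r_a)
        if ok:
            rec["next"] += 1                  # Y_i is consumed, never reused
        return ok

def identify(ta, unit):
    message = ta.challenge(unit.serial)
    if message is None:
        return "refused"
    reply = unit.answer(message)
    if reply is None:
        return "ta-rejected"
    return "authentic" if ta.verify(unit.serial, reply) else "unit-rejected"

def demo():
    ta, unit = TrustedAuthority(), Unit("SN-0001")
    ta.enroll(unit, t=3)
    rogue_ta = TrustedAuthority()             # does not hold the real Y_i
    rogue_ta.enroll(Clone("SN-0001"), t=3)
    # genuine run, rogue TA, cloned unit, genuine run again, unknown serial
    runs = [(ta, unit), (rogue_ta, unit), (ta, Clone("SN-0001")),
            (ta, unit), (ta, Unit("SN-9999"))]
    return [identify(a, u) for a, u in runs], unit.index
```

The fourth run succeeds because neither failed run advanced the unit's state or the TA's pointer, which is the synchronization property step 2 describes.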

#### 5.3. UIR Update Protocol

- The TA and unit A authenticate each other by using the final response ${Y}_{t-1}$ as in the identification protocol above.
- Unit A generates a random nonce $R_{A}$ and a new set of t response vectors $Y_{0}^{*}$ to $Y_{t-1}^{*}$. Then, it sends the encrypted responses (ER) to TA. TA decrypts ER by using $Y_{t-1}$ as $E_{Y_{t-1}}^{-1}(E_{Y_{t-1}}(ER)) = Y_{0}^{*}, Y_{1}^{*}, \dots, Y_{t-1}^{*} \Vert R_{A}^{\prime}$. If $R_{A} = R_{A}^{\prime}$, the new response set is accepted.

## 6. Hardware Complexity

## 7. Conclusions

^{160}). The resulting randomized KSG-structures exhibit moderate implementation complexities. A sample prototype case showed that one SUC structure consumes a relatively minor percentage of the FPGA resources (0.61% of the LUTs, 3.71% of DFFs) for the smallest Microsemi SmartFusion®2 SoC FPGA M2S005 devices. A simple use-case generic lightweight identification/authentication protocol deploying such physical KSGs is also presented. Future work is in progress to fine-tune and optimize such KSGs as SUC structures for emerging VLSI technologies.


## Abbreviations

Abbreviation | Meaning |
---|---|
SoC | System on Chip |
SUC | Secret Unknown Cipher |
PUF | Physical(ly) Unclonable Function |
KSG | Key Stream Generator |
NLFSR | Nonlinear Feedback Shift Register |
ANF | Algebraic Normal Form |
RFF | Random Feedback Function |
RSC | Random Stream Cipher |
UIR | Users Individual Records |
TA | Trusted Authority |

## Appendix A

NLFSR | Length N_{i} | Set of Random Feedback Functions ${\mathit{S}}_{{\mathit{N}}_{\mathit{i}}}$ |
---|---|---|
A_{1} | 6 | 1,2,(1,2); 1,2,(2,4); 1,3,(1,5); 1,4,(1,4); 2,3,(1,3); 2,3,(1,5); 2,3,(2,3); 2,3,(2,4); 1,(1,2),(4,5); 1,(1,3),(3,5); 1,(2,3),(2,5); 2,(1,3),(2,4); 2,(1,3),(3,4); 2,(1,3),(3,5); 2,(1,5),(2,4); 2,(1,5),(4,5); 2,(2,3),(3,5); 2,(3,4),(3,5); 3,(1,4),(2,3); 3,(1,4),(2,4); 3,(1,4),(3,4); |
A_{2} | 7 | 1,2,(2,6); 1,4,(1,3); 1,5,(1,5); 1,5,(3,5); 1,5,(4,6); 2,4,(1,2); 2,4,(2,5); 1,(1,2),(5,6); 1,(1,5),(3,4); 1,(1,6),(4,5); 1,(2,3),(3,5); 1,(2,5),(3,5); 1,(2,5),(4,5); 1,(3,4),(4,5); 2,(1,2),(4,6); 2,(1,4),(3,4); 2,(1,5),(2,6); 2,(1,6),(2,4); 2,(1,6),(3,6); 2,(1,6),(5,6); 2,(2,4),(3,5); 2,(2,5),(4,6); 2,(2,6),(4,6); 2,(3,6),(5,6); 3,(1,2),(2,3); 3,(1,3),(1,6); 3,(1,4),(3,6); 3,(1,5),(3,5); 3,(1,6),(3,4); 3,(2,3),(4,5); 3,(2,5),(3,5); 1,2,3,4,(1,6); 1,2,3,4,(2,3); 1,2,3,4,(2,6); 1,2,3,6,(1,3); 1,2,3,6,(1,5); 1,2,3,6,(2,6); 1,2,4,5,(1,2); 1,2,4,5,(1,5); 1,2,4,5,(2,6) |
A_{3} | 8 | 1,5,(1,5); 1,6,(1,2); 1,6,(1,7); 1,6,(2,4); 1,6,(4,5); 1,6,(5,6); 2,5,(2,4); 2,5,(3,7); 2,5,(4,5); 3,4,(2,4); 3,4,(2,7); 3,4,(3,4); 3,4,(4,6); 3,4,(4,7); 3,4,(6,7); 1,(1,4),(2,4); 1,(1,6),(2,5); 1,(2,3),(2,4); 1,(2,4),(6,7); 1,(3,4),(4,7); 2,(1,3),(4,6); 2,(1,3),(5,7); 2,(1,5),(6,7); 2,(1,7),(2,3); 2,(3,7),(6,7); 3,(1,2),(2,4); 3,(1,4),(2,4); 3,(1,6),(3,6); 3,(1,6),(4,6); 3,(1,6),(4,7); 3,(2,3),(5,6); 3,(2,4),(6,7); 3,(2,6),(3,7); 1,2,3,5,(2,6); 1,2,3,6,(3,5); 1,2,3,6,(5,7); 1,2,4,5,(2,4); 1,2,4,7,(1,5); 1,2,5,7,(2,4); 1,3,4,7,(1,4); 1,3,4,7,(1,6); 1,3,4,7,(3,7) |
A_{4} | 9 | 1,6,(4,6); 1,6,(4,8); 2,4,(4,5); 3,4,(3,7); 1,(1,5),(2,5); 1,(1,6),(6,7); 1,(1,8),(2,7); 1,(1,8),(5,6); 1,(2,3),(3,8); 1,(2,8),(3,7); 1,(3,4),(3,5); 1,(3,7),(5,8); 2,(1,5),(4,6); 2,(1,6),(2,7); 2,(1,8),(3,4); 2,(2,7),(4,6); 2,(4,7),(5,6); 3,(1,2),(4,7); 3,(1,6),(1,7); 3,(1,7),(4,8); 3,(2,3),(4,7); 4,(1,3),(2,8); 4,(1,6),(3,6); 4,(2,3),(5,8); 4,(2,5),(2,8); 4,(2,7),(3,8); 4,(2,8),(6,7); 4,(3,5),(3,7); 1,2,3,4,(3,7); 1,2,3,7,(4,6); 1,2,4,7,(1,6); 1,2,5,6,(1,6); 1,2,5,6,(2,6); 1,2,5,8,(2,6); 1,2,6,7,(3,6); 1,3,4,5,(3,7); 1,3,5,7,(5,6); 1,3,5,8,(3,5); 1,4,6,7,(1,7); 2,3,4,7,(2,8) |
A_{5} | 10 | 1,2,(8,9); 1,4,(3,7); 1,8,(6,7); 2,5,(1,5); 4,5,(2,6); 4,5,(4,8); 4,5,(4,9); 1,(1,2),(3,4); 1,(2,4),(2,5); 1,(2,8),(7,9); 1,(3,8),(4,7); 1,(4,8),(6,7); 2,(1,3),(4,7); 2,(1,4),(3,7); 2,(1,5),(3,5); 2,(1,5),(4,9); 2,(1,6),(1,7); 2,(1,7),(4,6); 2,(1,9),(5,9); 2,(3,5),(3,7); 2,(3,9),(8,9); 3,(1,2),(2,8); 3,(1,3),(7,9); 3,(1,6),(3,8); 3,(1,6),(6,9); 3,(2,3),(2,6); 3,(2,7),(8,9); 3,(2,8),(7,9); 3,(6,7),(8,9); 4,(1,3),(1,7); 4,(1,3),(7,8); 4,(1,3),(7,9); 4,(1,5),(1,9); 4,(1,5),(7,9); 4,(7,8),(7,9); 1,2,4,8,(1,5); 1,2,4,8,(2,4); 1,2,5,8,(5,9); 1,3,4,7,(3,6); 1,3,6,7,(1,6); 1,4,5,9,(1,9); 1,4,5,9,(4,9); 1,4,5,9,(5,9); 1,5,6,7,(2,8); 2,3,4,6,(3,6); 2,4,5,8,(2,4); 2,4,6,7,(1,6) |
A_{6} | 11 | 1,9,(1,4); 2,5,(1,9); 2,8,(6,9); 1,(1,7),(2,8); 1,(1,9),(2,7); 1,(2,3),(4,5); 1,(2,5),(3,4); 1,(2,7),(3,10); 1,(3,7),(3,8); 1,(3,7),(7,8); 2,(4,5),(6,10); 2,(4,6),(9,10); 2,(7,9),(8,10); 3,(1,6),(8,9); 3,(1,9),(5,10); 3,(2,7),(5,7); 3,(3,5),(6,9); 3,(3,6),(5,8); 3,(3,7),(7,10); 4,(1,2),(9,10); 4,(2,3),(2,10); 4,(3,7),(4,8); 5,(1,4),(6,9); 5,(2,8),(6,8); 5,(4,7),(6,7); 1,2,3,5,(4,6); 1,2,4,5,(4,6); 1,2,4,7,(2,3); 1,2,4,7,(4,9); 1,2,4,7,(8,9); 1,2,4,10,(1,9); 1,2,4,10,(3,9); 1,2,7,8,(1,9); 1,2,7,8,(9,10); 1,3,4,10,(6,10); 1,3,6,8,(6,8); 1,3,6,10,(7,9); 1,3,7,9,(1,8); 1,4,5,8,(5,7); 1,4,7,10,(1,9); 1,5,6,8,(5,9); 1,5,7,9,(2,8); 1,6,8,9,(2,6); 2,3,7,8,(4,10); 2,3,7,8,(6,10); 2,3,7,8,(7,10); 2,4,5,9,(5,9); 3,4,5,6,(2,10); 3,4,6,7,(2,3); 3,5,6,7,(4,8) |
A_{7} | 12 | 3,8,(3,9); 4,7,(1,7); 4,7,(4,7); 1,(2,3),(3,4); 1,(2,5),(3,10); 1,(2,8),(6,10); 1,(7,8),(8,10); 1,(8,11),(9,10); 2,(1,3),(3,6); 2,(1,7),(2,8); 2,(1,10),(1,11); 2,(2,3),(7,9); 2,(3,9),(3,11); 2,(3,9),(5,9); 2,(5,11),(8,11); 2,(7,9),(7,11); 3,(1,8),(7,10); 3,(5,11),(6,10); 1,2,3,5,(5,9); 1,2,5,9,(7,11); 1,2,6,11,(2,6); 1,3,6,7,(4,10); 1,3,6,9,(1,9); 1,3,6,9,(4,10); 1,3,7,10,(4,5); 1,4,8,10,(2,5); 1,5,6,8,(4,6); 1,5,6,8,(6,10); 1,5,6,11,(7,8); 1,5,7,9,(1,11); 1,5,9,10,(6,7); 2,3,4,10,(3,8); 2,3,6,8,(3,6); 2,3,6,10,(2,6); 2,3,6,10,(4,10); 2,5,6,10,(2,10) |
A_{8} | 13 | 1,11,(5,9); 4,8,(9,10); 1,(1,7),(3,7); 1,(2,3),(6,11); 1,(2,5),(5,11); 1,(2,6),(6,8); 1,(2,9),(4,5); 2,(1,6),(9,12); 2,(7,10),(10,12); 3,(1,9),(2,11); 3,(4,6),(9,11); 3,(8,9),(9,10); 4,(1,3),(4,6); 4,(1,3),(10,12); 4,(2,9),(8,10); 5,(1,5),(4,9); 5,(1,12),(7,11); 5,(2,9),(4,5); 5,(3,6),(4,9); 5,(3,12),(9,11); 6,(1,5),(2,12); 1,2,4,5,(1,7); 1,2,10,11,(6,12); 1,3,4,6,(6,10); 1,4,5,10,(4,8); 1,5,6,7,(5,9); 1,5,7,9,(8,9); 1,5,7,11,(8,10); 1,7,10,11,(2,6); 1,8,9,10,(8,9); 2,3,8,11,(1,10); 2,5,6,11,(8,11); 2,6,7,10,(8,12); 3,4,5,12,(4,5); 3,5,6,10,(8,11); 3,5,7,10,(2,10) |
A_{9} | 14 | 1,2,(7,12); 1,(2,13),(4,12); 1,(5,12),(9,12); 2,(1,5),(3,11); 3,(1,6),(4,12); 3,(2,4),(6,12); 3,(2,12),(6,13); 3,(5,10),(7,12); 5,(2,4),(6,13); 6,(1,13),(5,9); 6,(5,9),(12,13); 1,2,3,5,(1,3); 1,2,4,7,(1,3); 1,4,5,8,(2,8); 1,4,5,13,(1,6); 1,4,7,11,(1,11); 1,6,10,12,(3,7); 1,6,10,12,(7,9); 1,7,9,12,(3,13); 2,3,5,7,(1,5); 2,3,10,12,(9,10); 2,5,6,12,(6,10); 2,7,9,11,(11,12); 4,5,6,8,(1,4); 4,6,7,10,(5,13) |
A_{10} | 15 | 5,9,(2,11); 2,(6,8),(12,14); 4,(2,11),(7,10); 4,(5,6),(5,14); 4,(6,10),(9,10); 4,(7,8),(12,14); 6,(8,11),(12,13); 7,(2,11),(10,13); 7,(3,12),(3,13); 1,3,7,11,(9,10); 1,4,5,12,(3,4); 1,4,6,11,(2,14); 1,4,9,10,(7,10); 1,5,11,13,(5,11); 2,3,9,10,(6,10); 2,3,9,13,(3,7); 2,4,10,14,(4,10); 3,4,5,10,(3,7); 3,5,7,8,(3,13); 4,5,7,10,(1,14); 4,8,12,14,(5,6); 4,9,11,14,(1,13); 5,6,11,14,(5,8); 5,6,12,13,(5,9) |
A_{11} | 16 | 2,13,(2,3); 3,(1,5),(5,7); 3,(2,13),(7,14); 5,(4,8),(6,12); 5,(4,12),(7,8); 7,(2,6),(10,13); 7,(8,14),(11,12); 1,2,3,9,(6,14); 1,5,13,14,(14,15); 1,11,12,13,(5,15); 2,5,10,14,(6,14); 2,6,11,12,(14,15); 2,7,8,10,(3,6); 2,7,8,13,(3,15); 4,8,9,10,(8,12) |
A_{12} | 17 | 1,(7,10),(9,15); 3,(6,9),(13,14); 5,(4,7),(6,13); 6,(2,9),(7,12); 7,(1,8),(9,14); 8,(10,12),(11,16); 1,3,9,12,(7,13); 1,3,12,14,(2,10); 1,5,9,11,(1,13); 1,7,11,13,(6,14); 2,4,9,12,(6,16); 3,6,7,10,(9,15); 3,8,11,12,(3,11); 4,6,10,16,(3,11); 5,6,9,14,(6,14) |
A_{13} | 19 | 7,10,(6,18); 9,12,(1,13); 2,(6,8),(8,10); 4,(5,16),(7,14); 6,(4,8),(17,18); 1,4,5,8,(5,15); 1,4,8,17,(1,13); 3,7,9,16,(3,17); 5,6,12,14,(2,18) |
A_{14} | 21 | 1,15,17,19,(13,15); 2,7,12,17,(4,10); 3,5,9,13,(15,17); 4,8,9,11,(3,11) |
A_{15} | 22 | 1,(4,10),(11,18); 5,(4,12),(7,14); 1,6,8,12,(10,17); 1,10,16,18,(3,21); 5,6,11,15,(9,21) |
A_{16} | 23 | 3,(13,19),(18,19); 2,6,10,14,(5,13); 3,11,16,18,(4,19) |

## References

1. Wael, A.; Ayoub, M. Physical and Mechatronic Security, Technologies and Future Trends for Vehicular Environment. In Proceedings of the VDI-Fachtagung Automotive Security, VDI Berichte, Nürtingen, Germany, 27 September 2017; Volume 2310, pp. 73–95.
2. Maes, R.; Verbauwhede, I. Physically Unclonable Functions: A Study on the State of the Art and Future Research Directions. In Towards Hardware-Intrinsic Security; Springer: Berlin, Germany, 2010; pp. 3–37. ISBN 978-3-642-14451-6, 978-3-642-14452-3.
3. Sadeghi, A.-R.; Visconti, I.; Wachsmann, C. Enhancing RFID Security and Privacy by Physically Unclonable Functions. In Towards Hardware-Intrinsic Security; Springer: Berlin/Heidelberg, Germany, 2010.
4. Tuyls, P.; Batina, L. RFID-tags for anti-counterfeiting. In Proceedings of the Cryptographers’ Track at the RSA Conference, San Jose, CA, USA, 13–17 February 2006; pp. 115–131.
5. Škoric, B.; Tuyls, P.; Ophey, W. Robust key extraction from physical uncloneable functions. In Proceedings of the Applied Cryptography and Network Security, New York, NY, USA, 7–10 June 2005; Volume 3531, pp. 407–422.
6. Guajardo, J.; Kumar, S.S.; Schrijen, G.-J.; Tuyls, P. FPGA Intrinsic PUFs and Their Use for IP Protection. In Proceedings of the Cryptographic Hardware and Embedded Systems—CHES 2007, Vienna, Austria, 10–13 September 2007; Volume 4727, pp. 63–80.
7. Bösch, C.; Guajardo, J.; Sadeghi, A.-R.; Shokrollahi, J.; Tuyls, P. Efficient Helper Data Key Extractor on FPGAs. Cryptogr. Hardw. Embed. Syst. **2008**, 5154, 181–197.
8. Dodis, Y.; Ostrovsky, R.; Reyzin, L.; Smith, A. Fuzzy Extractors: How to Generate Strong Keys from Biometrics and Other Noisy Data. In Proceedings of the International Conference on the Theory and Applications of Cryptographic Techniques, St. Petersburg, Russia, 28 May–1 June 2006.
9. Nedospasov, D.; Seifert, J.-P.; Helfmeier, C.; Boit, C. Invasive PUF Analysis. In Proceedings of the Fault Diagnosis and Tolerance in Cryptography (FDTC), Washington, DC, USA, 20 August 2013; pp. 30–38.
10. Rührmair, U.; Sölter, J.; Sehnke, F.; Xu, X.; Mahmoud, A.; Stoyanova, V.; Dror, G.; Schmidhuber, J.; Burleson, W.; Devadas, S. PUF modeling attacks on simulated and silicon data. IEEE Trans. Inf. Forensics Secur. **2013**, 8, 1876–1891.
11. Merli, D.; Schuster, D.; Stumpf, F.; Sigl, G. Side-Channel Analysis of PUFs and Fuzzy Extractors. In Proceedings of the International Conference on Trust and Trustworthy Computing, Pittsburgh, PA, USA, 22–24 June 2011; Springer: Berlin/Heidelberg, Germany, 2011; pp. 33–47.
12. Mahmoud, A.; Rührmair, U.; Majzoobi, M.; Koushanfar, F. Combined Modeling and Side Channel Attacks on Strong PUFs. IACR Cryptol. ePrint Arch. **2013**, 2013, 632.
13. Adi, W.; Mars, A.; Mulhem, S. Generic identification protocols by deploying Secret Unknown Ciphers (SUCs). In Proceedings of the 2017 IEEE International Conference on Consumer Electronics—Taiwan (ICCE-TW), Taipei, Taiwan, 12–14 June 2017; pp. 255–256.
14. Mars, A.; Adi, W. Converting NV-FPGAs into Physically Clone-Resistant Units by Digital Mutations. 2019; submitted for publication.
15. Mars, A.; Adi, W.; Mulhem, S.; Hamadaqa, E. Random stream cipher as a PUF-like identity in FPGA environment. In Proceedings of the Seventh International Conference on Emerging Security Technologies (EST), Canterbury, UK, 6–8 September 2017; pp. 209–214.
16. Mars, A.; Adi, W. Clone-Resistant Entities for Vehicular Security. In Proceedings of the IEEE 13th International Conference on Innovations in Information Technology (IIT), Al Ain, UAE, 18–19 November 2018.
17. Mars, A.; Adi, W. New Concept for Physically-Secured E-Coins Circulations. In Proceedings of the 2018 NASA/ESA Conference on Adaptive Hardware and Systems, Edinburgh, UK, 6–9 August 2018.
18. Kerckhoffs, A. LA CRYPTOGRAPHIE MILITAIRE. Available online: http://www.petitcolas.net/kerckhoffs/la_cryptographie_militaire_i.htm (accessed on 2 April 2019).
19. eSTREAM, the ECRYPT Stream Cipher Project. Available online: http://www.ecrypt.eu.org/stream/ (accessed on 2 April 2019).
20. Gammel, B.M.; Göttfert, R.; Kniffler, O. The Achterbahn stream cipher. eSTREAM **2005**. submitted.
21. Johansson, T.; Meier, W.; Müller, F. Cryptanalysis of Achterbahn. In Proceedings of the International Workshop on Fast Software Encryption, Graz, Austria, 15–17 March 2006; Springer: Berlin/Heidelberg, Germany; Volume 4047, pp. 1–14.
22. Chan, A.H.; Games, R.A.; Key, E.L. On the complexities of de Bruijn sequences. J. Comb. Theory Ser. A **1982**, 33, 233–246.
23. Dubrova, E. A List of Maximum Period NLFSRs. IACR Cryptol. ePrint Arch. **2012**, 2012, 166.
24. Courtois, N.T.; Meier, W. Algebraic Attacks on Stream Ciphers with Linear Feedback. In Proceedings of the International Conference on the Theory and Applications of Cryptographic Techniques, Warsaw, Poland, 4–8 May 2003.
25. Gammel, B.M.; Göttfert, R.; Kniffler, O. Status of Achterbahn and Tweaks. In Proceedings of the SASC 2006-Stream Ciphers Revisited, Leuven, Belgium, 2–3 February 2006.
26. Siegenthaler, T. Correlation-immunity of nonlinear combining functions for cryptographic applications (Corresp.). IEEE Trans. Inf. Theory **1984**, 30, 776–780.
27. Meier, W.; Staffelbach, O. Fast correlation attacks on certain stream ciphers. J. Cryptol. **1989**, 1, 159–176.
28. Courtois, N.T. Fast Algebraic Attacks on Stream Ciphers with Linear Feedback. In Proceedings of the CRYPTO 2003: Advances in Cryptology, Santa Barbara, CA, USA, 17–21 August 2003; Volume 2729, pp. 176–194.
29. Gammel, B.; Göttfert, R.; Kniffler, O. Achterbahn-128/80: Design and analysis. In Proceedings of the ECRYPT Workshop SASC 2007—The State of the Art of Stream Ciphers, Bochum, Germany, 31 January–1 February 2007.
30. Gierlichs, B.; Batina, L.; Clavier, C.; Eisenbarth, T.; Gouget, A.; Handschuh, H.; Kasper, T.; Lemke-Rust, K.; Mangard, S.; Moradi, A.; et al. Susceptibility of eSTREAM Candidates towards Side Channel Analysis. In Proceedings of the ECRYPT Workshop SASC 2008–The State of the Art of Stream Ciphers, Lausanne, Switzerland, 13 February 2008.
31. Lano, J.; Mentens, N.; Preneel, B.; Verbauwhede, I. Power analysis of synchronous stream ciphers with resynchronization mechanism. In Proceedings of the ECRYPT Workshop SASC 2004–The State of the Art of Stream Ciphers, Brugge, Belgium, 14–15 October 2004; pp. 327–333.
32. Hell, M.; Johansson, T.; Meier, W. Grain-A Stream Cipher for Constrained Environments. Int. J. Wirel. Mob. Comput. **2007**, 2, 86–93.
33. Babbage, S. The stream cipher MICKEY 2.0. In New Stream Cipher Designs; Springer: Berlin, Germany, 2006.
34. De Cannìere, C.; Preneel, B. TRIVIUM Specifications. eSTREAM: the ECRYPT Stream Cipher Project. 2006. Available online: http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.59.9030 (accessed on 6 April 2019).
35. Good, T.; Benaissa, M. Hardware performance of eStream phase-III stream cipher candidates. In Proceedings of the ECRYPT Workshop SASC 2008–The State of the Art of Stream Ciphers, Lausanne, Switzerland, 13 February 2008; pp. 163–173.

N_{i} | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 19 | 21 | 22 | 23 |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
$\left|{\mathrm{A}}_{\mathrm{i}}\right|$ | 84 | 160 | 168 | 160 | 188 | 200 | 144 | 144 | 100 | 96 | 60 | 60 | 36 | 16 | 20 | 12 |

| KSG Components | | Resources Usage: LUTs | Resources Usage: DFFs | % of Usage for M2S005: LUTs | % of Usage for M2S005: DFFs | % of Usage for M2S150: LUTs | % of Usage for M2S150: DFFs |
|---|---|---|---|---|---|---|---|
| NLFSRs | Shift registers | 0 | 223 | 0 | 3.71 | 0 | 0.15 |
| | Feedback Functions | 32 | 0 | 0.52 | 0 | 0.02 | 0 |
| | Feedback Functions | 5 | 0 | 0.09 | 0 | 0.005 | 0 |
| Total | | 37 | 223 | 0.61 | 3.71 | 0.025 | 0.15 |

Function | DFF | AND2 | XOR2 |
---|---|---|---|
Gate Count | 8 | 1.5 | 2.5 |

| Components | | Grain | Our KSGs (Best Case) | Our KSGs (Worst Case) | Trivium | MICKEY2 |
|---|---|---|---|---|---|---|
| Components | DFF (State Size) | 160 | 223 | 223 | 288 | 200 |
| | XOR2 | - | 63 | 95 | 11 | - |
| | AND2 | - | 29 | 29 | 3 | - |
| Gate count | | 1294 | 1985 | 2065 | 2580 | 3188 |
| Total Power | | 109.4 | 120 | 120 | 175.1 | 196.5 |

© 2019 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (http://creativecommons.org/licenses/by/4.0/).

## Share and Cite

**MDPI and ACS Style**

Mars, A.; Adi, W.
New Family of Stream Ciphers as Physically Clone-Resistant VLSI-Structures. *Cryptography* **2019**, *3*, 11.
https://doi.org/10.3390/cryptography3020011
