Encryption Algorithm MLOL: Security and Efficiency Enhancement Based on the LOL Framework

Abstract

Authenticated encryption with associated data (AEAD) schemes based on stream ciphers, such as ASCON and MORUS, typically use nonlinear feedback shift registers (NFSRs) and linear feedback shift registers (LFSRs) to generate variable-length key streams. While these methods ensure message confidentiality and authenticity, they present challenges in security analysis, especially when automated evaluation is involved. In this paper, we present MLOL, a novel AEAD algorithm based on the LOL framework. MLOL combines authenticated encryption with optimizations to the LFSR structure to enhance both security and efficiency. The cost evaluation demonstrates that on specialized CPU platforms without SIMD instruction set support, MLOL achieves better performance in authenticated encryption speed compared to LOL-MINI with GHASH. Our security analysis confirms that MLOL provides 256-bit security against current cryptanalytic techniques. Experimental results demonstrate that MLOL not only inherits the excellent performance of LOL but also reduces the time complexity of the authenticated encryption process, providing more reliable security guarantees. It significantly simplifies security evaluation, making it suitable for automated analysis tools, and offers a feasible new approach for AEAD algorithm design.

1. Introduction

Stream ciphers play a critical role in modern communication systems, which provides efficient encryption mechanisms to ensure the confidentiality and integrity of information, particularly in real-time data transmission scenarios. They are essential in wireless communications and mobile networks, protecting against security threats like data theft and tampering. For example, SNOW3G [1] and ZUC-128 [2], which are widely used in 4G systems, enhance data encryption performance while meeting the real-time and efficiency requirements of mobile communication. With the advent of 5G, the paradigm of communication security has shifted [3], emphasizing software-defined virtual networks and higher computational efficiency on general-purpose CPUs. This evolution necessitates advanced cryptographic primitives optimized for speed and security in highly dynamic environments.

While 5G technology has significantly boosted mobile communication performance, it has also increased the security demands of these systems. The challenges are even greater for future 6G networks, where data transmission rates are expected to reach 100 Gbps to 1 Tbps [4]. With the rise of quantum computing, traditional symmetric-key cryptographic primitives are facing unprecedented security threats [5,6,7,8,9,10]. Quantum computing’s enhanced computational power can accelerate the decryption of existing cryptographic algorithms, posing a direct threat to cryptosystems based on finite mathematical structures. This has created an urgent need for more efficient and secure cryptanalysis algorithms and cryptosystems.

In 2023, Feng et al. introduced the LOL framework [11], a generalized design paradigm for stream cipher algorithms. This framework emphasizes flexibility and efficiency, addressing the dual requirements of high performance and robust security for beyond-5G systems. The LOL framework addresses challenges such as the high linear correlation often seen in direct connections between linear feedback shift registers (LFSRs) and finite state machines (FSMs) by incorporating nonlinear feedback shift registers (NFSRs) with high-capacity FSMs.

Motivations: The LOL framework adopts a “streaming password followed by MAC” strategy, rather than directly implementing an authenticated encryption scheme. This design provides greater flexibility and scalability by separating the encryption and message authentication modules, which strengthens the overall robustness of the scheme. However, this approach has some efficiency limitations. In particular, the additional MAC computation steps can lead to performance degradation, especially in high-throughput or resource-constrained scenarios. To address this, the algorithm needs to be improved by directly integrating the AEAD functionality [12], while maintaining the robustness of the existing design. This would reduce computational overhead, meeting both high-security and high-performance requirements while enhancing overall efficiency.

Contribution: In this paper, we present several key innovations and optimizations to improve both the performance and security of the original LOL framework. The new framework is named as MLOL. The main contributions are summarized below:

• Integration of encryption and authentication: We improve the LOL-MINI with GHASH algorithms [13] and propose the MLOL algorithm, which seamlessly integrates encryption and authentication processes. This integrated design enhances both the efficiency and security of the algorithm. By simplifying security evaluation and making the algorithm more compatible with automated analysis tools, MLOL offers a more efficient and practical solution for AEAD algorithm design;
• Enhanced LFSR design: We introduce a new LFSR [14] design that extends the LFSR construction in the LOL framework. By replacing the original two-branch generalized Feistel structure [15] with a four-branch generalized Feistel structure, the new design supports parallel computation. This significantly reduces computational complexity, while ensuring the generated sequence maintains maximum periodicity. Compared to the LFSR in the LOL framework, the LFSR in MLOL delivers higher computational efficiency, making it particularly suitable for resource-constrained environments [16];
• Performance evaluation: We performed a detailed comparison of the implementation costs between the core component LFSR and the full MLOL algorithm, benchmarking them against the original LOL framework. By analyzing the time complexity [17] of the LFSR implementation and the overall algorithm, we assessed the implementation efficiency of the MLOL algorithm;
• Comprehensive security analysis: A detailed security analysis of the MLOL algorithm confirms that it provides 256-bit security [18] against current cryptographic attack methods, ensuring robust protection.

The paper is structured as follows: In Section 2, we provide a detailed description of the MLOL algorithm process. In Section 3, we focus on the specific improvements and extensions made to the LFSR within the MLOL algorithm. In Section 4, we compare the implementation costs of the MLOL algorithm with LOL-MINI and GHASH, while also evaluating the performance of the enhanced LFSR against the original components. Section 5 concludes with a conclusion, and a thorough security analysis of the MLOL algorithm is presented in the Section 2.

2. MLOL Algorithm

2.1. Definitions

2.1.1. Variables and Symbols

Variables and Symbols	Definitions
$0^{\mathrm{n}}$	n bits of 0
$1^{\mathrm{n}}$	n bits of 1
AD	Linked data, <264 bits
M	Plaintext message string, <264 bits
C	Ciphertext message string, <264 bits
K	Working key, size 256 bits
N	Nonce value, size 128 bits
T	Label, size 128 bits
${\mathrm{T}}^{\mathrm{’}}$	Validation tag, size 128 bits
Roundload	Initialize the number of rounds to 12
t	The number of iteration rounds, i.e., state moments
┴	Authentication failure symbol

2.1.2. Conventions and Operations

Conventions and Operations	Definitions
$\mathrm{x}\in {\left\{\mathrm{0,1}\right\}}^{\mathrm{k}}$	0/1-bit string of length k bits x
$\left|\mathrm{x}\right|$	Bit length of x
$\mathrm{x}\oplus \mathrm{y}$	Bitwise addition modulo 2
$\mathrm{x}\left|\right|\mathrm{y}$	Bitstring x spliced with y
$\mathrm{L}\mathrm{e}\mathrm{n}\left(\mathrm{M}\right)$	Message M’s message block ${\mathrm{M}}_{\mathrm{i}}$ number
${\left(\mathrm{x}\right)}_2$	The binary representation of x
bin64(X)	Express the decimal number X as a 64-bit binary number, X < 264

2.2. Description of Algorithm Development

2.2.1. General Framework of the Algorithm

The overall framework of encryption and decryption of the MLOL algorithm is shown in Figure 1a and Figure 1b, respectively, where the relevant definitions are summarized in Section 2.1. The encryption and decryption processes are all composed of four parts: the initialization process, the associated data processing, the message processing, and the label generation.

2.2.2. Padding

Before detailing the steps of the algorithm, we first explain how the data are populated. The padding method used in this algorithm involves appending a message of length L to the original data, then representing the padded data in binary form. The padding process follows the 10* scheme: a “1” bit is added, followed by a series of “0” bits, ensuring that the total length of the associated data and plaintext message is a multiple of 128. If there are no associated data, the associated data processing step is skipped.

For $\mathrm{X}\in {\left\{\mathrm{0,1}\right\}}^{\le 128}$, and $\left|\mathrm{X}\right|\ne 0$, the padding function pad is defined by Equation (1).

$$\mathrm{pad}\left(\mathrm{X}\right)=\left\{\begin{array}{c}X\left|\right|1\left|\right|0^{127-\left|\mathrm{X}\right|},\left|\mathrm{X}\right|<128\\ X ,\left|\mathrm{X}\right|=128\end{array}\right\}$$

(1)

The specific fill forms of AD, M, and $\mathrm{len}\left(\mathrm{AD}\right)\left|\right|\mathrm{len}\left(\mathrm{M}\right)$ are shown as Equation (2).

$$\begin{gathered} \mathrm{pad}\left({\mathrm{A}\mathrm{D}}_{\mathrm{i}}\right)={\mathrm{A}\mathrm{D}}_{\mathrm{i}}\left|\right|1\left|\right|0^{127-\left|{\mathrm{A}\mathrm{D}}_{\mathrm{i}}\right|}; \\ \mathrm{pad}\left({\mathrm{M}}_{\mathrm{i}}\right)={\mathrm{M}}_{\mathrm{i}}\left|\right|1\left|\right|0^{127-\left|{\mathrm{M}}_{\mathrm{i}}\right|}; \\ \mathrm{pad}\left(\mathrm{len}\right(\mathrm{AD}\left)\right|\left|\mathrm{len}\right(\mathrm{M}\left)\right)=\mathrm{len}\left(\mathrm{AD}\right)\left|\right|\mathrm{len}\left(\mathrm{M}\right)\left|\right|1\left|\right|0^{127-\left|\mathrm{l}\mathrm{e}\mathrm{n}\left(\mathrm{A}\mathrm{D}\right)\left|\right|\mathrm{l}\mathrm{e}\mathrm{n}\left(\mathrm{M}\right)\right|}. \end{gathered}$$

(2)

2.2.3. Initialization Process

The initialization process is shown in Figure 2. During the initial step, the key K and nonce N will be loaded into states ${\mathrm{S}}_0,{\mathrm{S}}_1,{\mathrm{S}}_2$, and the ${\mathrm{L}}_0,{\mathrm{L}}_1,{\mathrm{L}}_2,{\mathrm{L}}_3$ and $\mathrm{N}$ states are set to 0, which are given by Equation (3).

$$\begin{gathered} {\mathrm{S}}_0^{\mathrm{t}}={\mathrm{K}}_{\mathrm{h}},{\mathrm{S}}_1^{\mathrm{t}}={\mathrm{K}}_{\mathrm{l}},{\mathrm{S}}_2^{\mathrm{t}}=\mathrm{N}\mathrm{o}\mathrm{n}\mathrm{c}\mathrm{e} \\ {\mathrm{L}}_0^{\mathrm{t}}={\mathrm{L}}_1^{\mathrm{t}}={\mathrm{L}}_2^{\mathrm{t}}={\mathrm{L}}_3^{\mathrm{t}}={\mathrm{N}}^{\mathrm{t}}=0 \end{gathered}$$

(3)

Set the number of initialization rounds to 12. Let Roundload = −11 and t represent the state moment. The initialization process is as follows:

For $\mathrm{Roundload}\le \mathrm{t}\le 0$, perform the following:

• Calculate ${\mathrm{G}}^{\mathrm{t}}=\mathcal{R}\left({\mathrm{S}}_2^{\mathrm{t}}\right)$, ${\mathrm{Z}}^{\mathrm{t}}={\mathrm{G}}^{\mathrm{t}}\oplus {\mathrm{N}}^{\mathrm{t}}$;
• Update the state of registers ${\mathrm{L}}_0,{\mathrm{L}}_1,{\mathrm{L}}_2,{\mathrm{L}}_3$, $\mathrm{N}$, whose steps are given by Equation (4);

  $$\begin{gathered} {\mathrm{F}}^{\mathrm{t}}=\mathrm{f}\left({\mathrm{L}}_0^{\mathrm{t}},{\mathrm{L}}_1^{\mathrm{t}}\right), \\ \left({\mathrm{L}}_0^{\mathrm{t}+1}\left|\right|{\mathrm{L}}_3^{\mathrm{t}+1}\right)=\left\{\begin{array}{c}{\mathrm{F}}^{\mathrm{t}}\oplus {\mathrm{Z}}^{\mathrm{t}},\mathrm{Roundload}\le \mathrm{t}<0\\ {\mathrm{F}}^{\mathrm{t}}\oplus {\mathrm{Z}}^{\mathrm{t}}\oplus {\mathrm{K}}_{\mathrm{h}},\mathrm{t}=0\end{array}\right., \\ {\mathrm{L}}_1^{\mathrm{t}+1}={\mathrm{L}}_2^{\mathrm{t}}, \\ {\mathrm{L}}_2^{\mathrm{t}+1}={\mathrm{L}}_3^{\mathrm{t}}, \\ {\mathrm{N}}^{\mathrm{t}+1}=\mathcal{R}\left({\mathrm{N}}^{\mathrm{t}}\right)\oplus \left({\mathrm{L}}_2^{\mathrm{t}}\right|\left|{\mathrm{L}}_3^{\mathrm{t}}\right)\oplus {\mathrm{Z}}^{\mathrm{t}}, \end{gathered}$$

  (4)
• Update the state of registers ${\mathrm{S}}_0,{\mathrm{S}}_1,{\mathrm{S}}_2$ according to Equation (5).

  $$\begin{gathered} {\mathrm{S}}_1^{\mathrm{t}+1}=\mathcal{R}\left({\mathrm{S}}_0^{\mathrm{t}}\right)\oplus {\mathrm{S}}_1^{\mathrm{t}},{\mathrm{S}}_2^{\mathrm{t}+1}=\mathcal{R}\left({\mathrm{S}}_1^{\mathrm{t}}\right)\oplus {\mathrm{S}}_2^{\mathrm{t}}, \\ {\mathrm{S}}_0^{\mathrm{t}+1}=\left\{\begin{array}{c}{\mathrm{F}}^{\mathrm{t}}\oplus {\mathrm{G}}^{\mathrm{t}}\oplus {\mathrm{S}}_0^{\mathrm{t}},\mathrm{Roundload}\le \mathrm{t}<0\\ {\mathrm{F}}^{\mathrm{t}}\oplus {\mathrm{G}}^{\mathrm{t}}\oplus {\mathrm{S}}_0^{\mathrm{t}}\oplus {\mathrm{K}}_{\mathcal{l}},\mathrm{t}=0\end{array}\right. \end{gathered}$$

  (5)

2.2.4. Associated Data Processing

Let ${\mathrm{A}\mathrm{D}}_1,\cdots ,{\mathrm{A}\mathrm{D}}_{\mathsf{\alpha }}$ represent the 128-bit data blocks obtained sequentially after padding the associated data AD. The associated data processing process is shown in Figure 3, where ${\mathrm{A}\mathrm{D}}_{\mathrm{t}}$ (for 1 $\le$ t $\le \mathsf{\alpha }$) is input in 128-bit chunks at each step. The t is the state moment, and the associated data processing flow is as follows:

• Calculate ${\mathrm{G}}^{\mathrm{t}}=\mathcal{R}\left({\mathrm{S}}_2^{\mathrm{t}}\right)$, ${\mathrm{Z}}^{\mathrm{t}}={\mathrm{G}}^{\mathrm{t}}\oplus {\mathrm{N}}^{\mathrm{t}}\oplus {\mathrm{A}\mathrm{D}}_{\mathrm{t}}$;
• Update the state of registers ${\mathrm{L}}_0,{\mathrm{L}}_1,{\mathrm{L}}_2,{\mathrm{L}}_3$, $\mathrm{N}$, whose steps are given by Equation (6);

  $$\begin{gathered} {\mathrm{F}}^{\mathrm{t}}=\left({\mathrm{L}}_0^{\mathrm{t}+1}\left|\right|{\mathrm{L}}_3^{\mathrm{t}+1}\right)=\mathrm{f}\left({\mathrm{L}}_0^{\mathrm{t}},{\mathrm{L}}_1^{\mathrm{t}}\right), \\ {\mathrm{L}}_1^{\mathrm{t}+1}={\mathrm{L}}_2^{\mathrm{t}}, \\ {\mathrm{L}}_2^{\mathrm{t}+1}={\mathrm{L}}_3^{\mathrm{t}}, \\ {\mathrm{N}}^{\mathrm{t}+1}=\left\{\begin{array}{c}\mathrm{R}\left({\mathrm{N}}^{\mathrm{t}}\right)\oplus \left({\mathrm{L}}_2^{\mathrm{t}},{\mathrm{L}}_3^{\mathrm{t}}\right) ,\mathrm{if} \mathrm{t}\%2=0\\ \mathrm{R}\left({\mathrm{N}}^{\mathrm{t}}\right)\oplus \left({\mathrm{L}}_2^{\mathrm{t}},{\mathrm{L}}_3^{\mathrm{t}}\right)\oplus {\mathrm{Z}}^{\mathrm{t}} ,\mathrm{if} \mathrm{t}\%2=1\end{array}\right. \end{gathered}$$

  (6)
• Update the state of registers ${\mathrm{S}}_0,{\mathrm{S}}_1,{\mathrm{S}}_2$ according to Equation (7);

  $$\begin{gathered} {\mathrm{S}}_0^{\mathrm{t}+1}={\mathrm{F}}^{\mathrm{t}}\oplus {\mathrm{Z}}^{\mathrm{t}}\oplus {\mathrm{S}}_0^{\mathrm{t}}, \\ {\mathrm{S}}_1^{\mathrm{t}+1}=\mathcal{R}\left({\mathrm{S}}_0^{\mathrm{t}}\right)\oplus {\mathrm{S}}_1^{\mathrm{t}}, \\ {\mathrm{S}}_2^{\mathrm{t}+1}=\left\{\begin{array}{c}\mathcal{R}\left({\mathrm{S}}_1^{\mathrm{t}}\right)\oplus {\mathrm{S}}_2^{\mathrm{t}} ,\mathrm{if} \mathrm{t}\%2=0\\ \mathcal{R}\left({\mathrm{S}}_1^{\mathrm{t}}\right)\oplus {\mathrm{S}}_2^{\mathrm{t}}\oplus {\mathrm{Z}}^{\mathrm{t}} ,\mathrm{if} \mathrm{t}\%2=1\end{array}\right. \end{gathered}$$

  (7)
• At time $\mathsf{\alpha }$, ${\mathrm{S}}_2^{\mathrm{t}}={\mathrm{S}}_2^{\mathrm{t}}\oplus 0^{127}‖1$.

2.2.5. Message Processing

${\mathrm{M}}_1,\cdots ,{\mathrm{M}}_{\mathsf{\beta }}$ denote the 128-bit data block of $\mathsf{\beta }$ obtained sequentially after padding the plaintext message M, and ${\mathrm{C}}_1,\cdots ,{\mathrm{C}}_{\mathsf{\beta }}$ denote the corresponding 128-bit ciphertext message block of $\mathsf{\beta }$.

The encryption and decryption processes are shown in Figure 4a,b, where ${\mathrm{M}}_{\mathrm{t}}$ (for $1\le \mathrm{t}\le \mathsf{\beta }$) is input in 128-bit chunks for encryption, and ${\mathrm{C}}_{\mathrm{t}}$ (for $1\le \mathrm{t}\le \mathsf{\beta }$) for decryption.

We first describe the steps of encryption. The encrypted message processing flow is as follows:

• Calculate ${\mathrm{G}}^{\mathrm{t}}=\mathcal{R}\left({\mathrm{S}}_2^{\mathrm{t}}\right)$, ${\mathrm{Z}}^{\mathrm{t}}={\mathrm{G}}^{\mathrm{t}}\oplus {\mathrm{N}}^{\mathrm{t}}\oplus {\mathrm{M}}_{\mathrm{t}-\mathsf{\alpha }}$. Output the 128-bit ciphertext data block ${\mathrm{C}}_{\mathrm{t}}$ = ${\mathrm{Z}}^{\mathrm{t}}$ at time t;
• Update the state of registers ${\mathrm{L}}_0,{\mathrm{L}}_1,{\mathrm{L}}_2,{\mathrm{L}}_3$, $\mathrm{N}$, whose steps are given by Equation (8);

  $$\begin{gathered} {\mathrm{F}}^{\mathrm{t}}=\left({\mathrm{L}}_0^{\mathrm{t}+1}\left|\right|{\mathrm{L}}_3^{\mathrm{t}+1}\right)=\mathrm{f}\left({\mathrm{L}}_0^{\mathrm{t}},{\mathrm{L}}_1^{\mathrm{t}}\right), \\ {\mathrm{L}}_1^{\mathrm{t}+1}={\mathrm{L}}_2^{\mathrm{t}}, \\ {\mathrm{L}}_2^{\mathrm{t}+1}={\mathrm{L}}_3^{\mathrm{t}}, \\ {\mathrm{N}}^{\mathrm{t}+1}=\left\{\begin{array}{c}\mathrm{R}\left({\mathrm{N}}^{\mathrm{t}}\right)\oplus \left({\mathrm{L}}_2^{\mathrm{t}},{\mathrm{L}}_3^{\mathrm{t}}\right) ,\mathrm{if} \mathrm{t}\%2=0\\ \mathrm{R}\left({\mathrm{N}}^{\mathrm{t}}\right)\oplus \left({\mathrm{L}}_2^{\mathrm{t}},{\mathrm{L}}_3^{\mathrm{t}}\right)\oplus {\mathrm{Z}}^{\mathrm{t}} ,\mathrm{if} \mathrm{t}\%2=1\end{array}\right. \end{gathered}$$

  (8)
• Update the state of registers ${\mathrm{S}}_0,{\mathrm{S}}_1,{\mathrm{S}}_2$ according to Equation (9);

  $$\begin{gathered} {\mathrm{S}}_0^{\mathrm{t}+1}={\mathrm{F}}^{\mathrm{t}}\oplus {\mathrm{Z}}^{\mathrm{t}}\oplus {\mathrm{S}}_0^{\mathrm{t}}, \\ {\mathrm{S}}_1^{\mathrm{t}+1}=\mathcal{R}\left({\mathrm{S}}_0^{\mathrm{t}}\right)\oplus {\mathrm{S}}_1^{\mathrm{t}}, \\ {\mathrm{S}}_2^{\mathrm{t}+1}=\left\{\begin{array}{c}\mathcal{R}\left({\mathrm{S}}_1^{\mathrm{t}}\right)\oplus {\mathrm{S}}_2^{\mathrm{t}} ,\mathrm{if} \mathrm{t}\%2=0\\ \mathcal{R}\left({\mathrm{S}}_1^{\mathrm{t}}\right)\oplus {\mathrm{S}}_2^{\mathrm{t}}\oplus {\mathrm{Z}}^{\mathrm{t}} ,\mathrm{if} \mathrm{t}\%2=1\end{array}\right. \end{gathered}$$

  (9)
• At time $\mathsf{\alpha }+\mathsf{\beta }$, update the final states with ${\mathrm{S}}_1^{\mathrm{t}}={\mathrm{S}}_1^{\mathrm{t}}\oplus {\mathrm{K}}_{\mathrm{h}}$, ${\mathrm{S}}_2^{\mathrm{t}}={\mathrm{S}}_2^{\mathrm{t}}\oplus {\mathrm{K}}_{\mathrm{l}}$.

In addition, the decryption message processing flow is as follows:

• Calculate ${\mathrm{G}}^{\mathrm{t}}=\mathcal{R}\left({\mathrm{S}}_2^{\mathrm{t}}\right)$, ${\mathrm{Z}}^{\mathrm{t}}={\mathrm{C}}_{\mathrm{t}-\mathsf{\alpha }}$; output the 128-bit plaintext block of data ${\mathrm{M}}_{\mathrm{t}-\mathsf{\alpha }}$ = ${\mathrm{Z}}^{\mathrm{t}}\oplus {\mathrm{G}}^{\mathrm{t}}\oplus {\mathrm{N}}^{\mathrm{t}}$ at moment t;
• Update the state of registers ${\mathrm{L}}_0,{\mathrm{L}}_1,{\mathrm{L}}_2,{\mathrm{L}}_3,\mathrm{N}$, whose steps are given by Equation (8);
• Update the state of registers ${\mathrm{S}}_0,{\mathrm{S}}_1,{\mathrm{S}}_2$ according to Equation (9);
• At time $\mathsf{\alpha }+\mathsf{\beta }$, update the final states with ${\mathrm{S}}_1^{\mathrm{t}}={\mathrm{S}}_1^{\mathrm{t}}\oplus {\mathrm{K}}_{\mathrm{h}}$, ${\mathrm{S}}_2^{\mathrm{t}}={\mathrm{S}}_2^{\mathrm{t}}\oplus {\mathrm{K}}_{\mathrm{l}}$.

2.2.6. Label Generation Process

Let ${\mathrm{X}}_1$= bin64(|AD|), ${\mathrm{X}}_2$= bin64(|M|), and $\mathrm{X}=\left({\mathrm{X}}_1\left|\right|{\mathrm{X}}_2\right)$ denote one 128-bit data block. The label generation process is shown in Figure 5.

At the start of label generation, i.e., $\mathrm{t}=\mathsf{\alpha }+\mathsf{\beta },{\mathrm{N}}^{\mathrm{t}}={\mathrm{N}}^{\mathrm{t}}\oplus \mathrm{X}$, the label generation process is as follows:

For $\mathsf{\alpha }+\mathsf{\beta }+1\le \mathrm{t}\le \mathsf{\alpha }+\mathsf{\beta }+12$, the following is performed:

• Calculate ${\mathrm{G}}^{\mathrm{t}}=\mathcal{R}\left({\mathrm{S}}_2^{\mathrm{t}}\right)$, ${\mathrm{Z}}^{\mathrm{t}}={\mathrm{G}}^{\mathrm{t}}\oplus {\mathrm{N}}^{\mathrm{t}}$;
• Update the state of registers ${\mathrm{L}}_0,{\mathrm{L}}_1,{\mathrm{L}}_2,{\mathrm{L}}_3$, $\mathrm{N}$, whose steps are given by Equation (10);

  $$\begin{gathered} {\mathrm{F}}^{\mathrm{t}}=\mathrm{f}\left({\mathrm{L}}_0^{\mathrm{t}},{\mathrm{L}}_1^{\mathrm{t}}\right), \\ \left({\mathrm{L}}_0^{\mathrm{t}+1}\left|\right|{\mathrm{L}}_3^{\mathrm{t}+1}\right)={\mathrm{F}}^{\mathrm{t}}\oplus {\mathrm{Z}}^{\mathrm{t}}, \\ {\mathrm{L}}_1^{\mathrm{t}+1}={\mathrm{L}}_2^{\mathrm{t}}, \\ {\mathrm{L}}_2^{\mathrm{t}+1}={\mathrm{L}}_3^{\mathrm{t}}, \\ {\mathrm{N}}^{\mathrm{t}+1}=\mathcal{R}\left({\mathrm{N}}^{\mathrm{t}}\right)\oplus \left({\mathrm{L}}_2^{\mathrm{t}}\right|\left|{\mathrm{L}}_3^{\mathrm{t}}\right)\oplus {\mathrm{Z}}^{\mathrm{t}}, \end{gathered}$$

  (10)
• Update the state of registers ${\mathrm{S}}_0,{\mathrm{S}}_1,{\mathrm{S}}_2$ according to Equation (11);

  $$\begin{gathered} {\mathrm{S}}_0^{\mathrm{t}+1}={\mathrm{F}}^{\mathrm{t}}\oplus \mathrm{G}\oplus {\mathrm{S}}_0^{\mathrm{t}}, \\ {\mathrm{S}}_1^{\mathrm{t}+1}=\mathcal{R}\left({\mathrm{S}}_0^{\mathrm{t}}\right)\oplus {\mathrm{S}}_1^{\mathrm{t}}, \\ {\mathrm{S}}_2^{\mathrm{t}+1}=\mathcal{R}\left({\mathrm{S}}_1^{\mathrm{t}}\right)\oplus {\mathrm{S}}_2^{\mathrm{t}}, \end{gathered}$$

  (11)
• At the moment of $\mathsf{\alpha }+\mathsf{\beta }+12$, the output label $\mathrm{T}={\mathrm{Z}}^{\mathrm{t}}$.

3. Description of Parts in the MLOL Algorithm

Improved LFSR

In this paper, we propose an LFSR [14] construction method optimized for parallel hardware and software implementations. This method extends the two-branch generalized Feistel structure [15] in the LOL framework to a four-branch generalized Feistel structure. By utilizing the four-branch structure, we achieve a 50% reduction in operations while maintaining a large number of cycles in the sequence. The resulting LFSR offers key advantages, including support for parallel operations and high throughput. This method improves in both structural optimization and performance enhancement, especially on specialized CPU platforms without SIMD instruction set support. This makes it a highly efficient solution for LFSRs in high-performance cryptographic algorithms, communication systems, and other applications requiring fast state updates. LFSR Algorithm is as follow in Algorithm 1.

Algorithm 1 LFSR Algorithm

Input: Initial states ${\mathrm{a}}_{4\mathrm{l}-1},\dots ,{\mathrm{a}}_0\in \mathrm{F}$, $\mathrm{integer} \mathrm{l}>0$, matrix C, function σ. Output: LFSR internal states and sequence output. 1: Define internal state at step t:            ${\mathrm{X}}_0^{\mathrm{t}}=\left({\mathrm{a}}_{4\mathrm{l}-1}^{\mathrm{t}},\dots ,{\mathrm{a}}_7^{\mathrm{t}},{\mathrm{a}}_3^{\mathrm{t}}\right),{\mathrm{X}}_1^{\mathrm{t}}=\left({\mathrm{a}}_{4\mathrm{l}-2}^{\mathrm{t}},\dots ,{\mathrm{a}}_6^{\mathrm{t}},{\mathrm{a}}_2^{\mathrm{t}}\right),$            ${\mathrm{X}}_2^{\mathrm{t}}=\left({\mathrm{a}}_{4\mathrm{l}-3}^{\mathrm{t}},\dots ,{\mathrm{a}}_5^{\mathrm{t}},{\mathrm{a}}_1^{\mathrm{t}}\right),{\mathrm{X}}_1^{\mathrm{t}}=\left({\mathrm{a}}_{4\mathrm{l}-4}^{\mathrm{t}},\dots ,{\mathrm{a}}_4^{\mathrm{t}},{\mathrm{a}}_0^{\mathrm{t}}\right)$. 2: for each time step t = 0,1,2,… do 3: Compute feedback state ${\mathrm{F}}^{\mathrm{t}}$ by ${\mathrm{F}}^{\mathrm{t}}=\mathrm{f}\left({\mathrm{X}}_0^{\mathrm{t}},{\mathrm{X}}_1^{\mathrm{t}},{\mathrm{X}}_2^{\mathrm{t}},{\mathrm{X}}_3^{\mathrm{t}}\right)=\left(\left(\mathrm{C}\times {\mathrm{X}}_0^{\mathrm{t}}\right)\oplus \mathsf{\sigma }\left({\mathrm{X}}_1^{\mathrm{t}}\right),{\mathrm{X}}_0^{\mathrm{t}}\right)$ 4: Generate the output sequence at step t:                ${\mathrm{Z}}^{\mathrm{t}}=\left({\mathrm{X}}_2^{\mathrm{t}},{\mathrm{X}}_3^{\mathrm{t}}\right)$                    (12) 5: Update internal states:             $\left\{\begin{array}{c}\begin{array}{c}{\mathrm{X}}_0^{\mathrm{t}+1}=\left(\mathrm{C}\times {\mathrm{X}}_0^{\mathrm{t}}\right)\oplus \mathrm{\sigma }\left({\mathrm{X}}_1^{\mathrm{t}}\right)\\ {\mathrm{X}}_1^{\mathrm{t}+1}={\mathrm{X}}_2^{\mathrm{t}}\end{array}\\ {\mathrm{X}}_2^{\mathrm{t}+1}={\mathrm{X}}_3^{\mathrm{t}}\\ {\mathrm{X}}_3^{\mathrm{t}+1}={\mathrm{X}}_0^{\mathrm{t}}\end{array}\right.$                (13) 6: end for 7: return the sequence outputs ${\mathrm{Z}}^0,{\mathrm{Z}}^1,$….

The entire LFSR state transition from time t to t+1 can be represented as the structure shown in Figure 6. It can be seen that the state of ${\mathrm{X}}_1$ is updated and the states of ${\mathrm{X}}_0,{\mathrm{X}}_2,{\mathrm{X}}_3$ are output. By appropriately choosing C and $\mathsf{\sigma }$, the LFSR defined above can be an m-sequence with a maximum $2^{2\mathrm{l}\mathrm{m}-1}$ period.

Proposition 1.

Given a particular irreducible polynomial of C$\times$ and a vector substitution $\sigma$, how can we prove that the LFSR defined above can be an m-sequence with a maximum $2^{2lm-1}$period?

Proof of Proposition 1.

The generating matrix of the LFSR can be derived from Equation (14).

$$\left({\mathrm{H}}^{\mathrm{t}+1},{\mathrm{L}}^{\mathrm{t}+1}\right)=\left({\mathrm{H}}^{\mathrm{t}},{\mathrm{L}}^{\mathrm{t}}\right)\cdot \mathrm{G}$$

(14)

where the generation matrix G consists of the following four $\mathrm{lm}\times \mathrm{lm}$-sized blocks:

$$\mathrm{G}=\left(\begin{array}{cc}{\mathrm{M}}_{\mathrm{C}}& {\mathrm{I}}_{\mathrm{l}\mathrm{m}}\\ {\mathrm{M}}_{\mathsf{\sigma }}& 0\end{array}\right)$$

where ${\mathrm{I}}_{\mathrm{l}\mathrm{m}}$ denotes the $\mathrm{lm}$-dimensional unit matrix. ${\mathrm{M}}_{\mathsf{\sigma }}$ corresponds to the randomly selected $\mathrm{l}$-dimensional permutation $\mathsf{\sigma }$, ${\mathrm{M}}_{\mathsf{\sigma }}$ is a blocked matrix consisting of $\mathrm{l}\times \mathrm{lm}$-dimensional matrices that satisfy the following condition: when the block position is $\left(\right(\mathsf{\sigma }\left(\mathrm{i}\right),\mathrm{i}\left)\right(\mathrm{i}=0,\dots ,\mathrm{l}-1)$, the block is an $\mathrm{m}$-dimensional unit matrix ${\mathrm{I}}_{\mathrm{m}}$; otherwise, the block is an all-0 matrix. ${\mathrm{M}}_{\mathrm{C}}$ in contrast to C $\times$, ${\mathrm{M}}_{\mathrm{C}}$ is a diagonal matrix of the following form:

$${\mathrm{M}}_{\mathrm{C}}=\left(\begin{array}{ccc}{\mathrm{M}}_{{\mathsf{\alpha }}_0}& \cdots & 0\\ ⋮& \ddots & ⋮\\ 0& \cdots & {\mathrm{M}}_{{\mathsf{\alpha }}_{\mathrm{l}-1}}\end{array}\right)$$

where ${\mathsf{\alpha }}_{\mathrm{i}}$ is the root of the following irreducible polynomial:

$${\mathrm{g}}_{\mathrm{i}}\left(\mathrm{y}\right)={\mathrm{y}}^{\mathrm{m}}+{\mathrm{b}}_{\mathrm{i},\mathrm{m}-1}{\mathrm{y}}^{\mathrm{m}-1}+\dots +{\mathrm{b}}_{\mathrm{i},0}\in {\mathbb{F}}_2\left[\mathrm{y}\right],0\le \mathrm{i}\le \mathrm{l}-1$$

where ${\mathrm{g}}_{\mathrm{i}}\left(\mathrm{y}\right)$ defines the finite field ${\mathbb{F}}_{2^{\mathrm{m}}}={\mathbb{F}}_2\left[\mathrm{y}\right]/{\mathrm{g}}_{\mathrm{i}}\left(\mathrm{y}\right)$ with $\left({\mathsf{\alpha }}_{\mathrm{i}}^{\mathrm{m}-1},\cdots ,{\mathsf{\alpha }}_{\mathrm{i}},1\right)$, which allows us to represent arbitrary m-bit vectors with elements of ${\mathbb{F}}_{2^{\mathrm{m}}}$ as follows:

$$\begin{gathered} {\mathrm{a}}_{2\mathrm{i}+1}=\left({\mathrm{a}}_{\mathrm{i},\mathrm{m}-1},\cdots ,{\mathrm{a}}_{\mathrm{i},1},{\mathrm{a}}_{\mathrm{i},0}\right){({\mathsf{\alpha }}_{\mathrm{i}}^{\mathrm{m}-1},\cdots ,{\mathsf{\alpha }}_{\mathrm{i}},1)}^{\mathrm{T}} \\ {\mathsf{\alpha }}_{\mathrm{i}}{\mathrm{a}}_{2\mathrm{i}+1}\mathrm{mod} {\mathrm{g}}_{\mathrm{i}}\left({\mathsf{\alpha }}_{\mathrm{i}}\right)={\mathrm{a}}_{\mathrm{i},\mathrm{m}-1}{\mathsf{\alpha }}_{\mathrm{i}}^{\mathrm{m}}+\cdots +{\mathrm{a}}_{\mathrm{i},1}{\mathsf{\alpha }}_{\mathrm{i}}^2+{\mathrm{a}}_{\mathrm{i},0}{\mathsf{\alpha }}_{\mathrm{i}} \\ ={\mathrm{a}}_{\mathrm{m}-1,\mathrm{i}}\left({\mathrm{b}}_{\mathrm{i},\mathrm{m}-1}{\mathsf{\alpha }}_{\mathrm{i}}^{\mathrm{m}-1}+\cdots +{\mathrm{b}}_{\mathrm{i},1}{\mathsf{\alpha }}_{\mathrm{i}}+{\mathrm{b}}_{\mathrm{i},0}\right)+{\mathrm{a}}_{\mathrm{i},\mathrm{m}-2}{\mathsf{\alpha }}_{\mathrm{i}}^{\mathrm{m}-1}+\cdots +{\mathrm{a}}_{\mathrm{i},1}{\mathsf{\alpha }}_{\mathrm{i}}^2+{\mathrm{a}}_{\mathrm{i},0}{\mathsf{\alpha }}_{\mathrm{i}} \\ =\left({\mathrm{a}}_{\mathrm{m}-1,\mathrm{i}}{\mathrm{b}}_{\mathrm{i},\mathrm{m}-1}+{\mathrm{a}}_{\mathrm{i},\mathrm{m}-2}\right){\mathsf{\alpha }}_{\mathrm{i}}^{\mathrm{m}-1}+\cdots +\left({\mathrm{a}}_{\mathrm{m}-1,\mathrm{i}}{\mathrm{b}}_{\mathrm{i},1}+{\mathrm{a}}_{\mathrm{i},0}\right){\mathsf{\alpha }}_{\mathrm{i}}+{\mathrm{a}}_{\mathrm{m}-1,\mathrm{i}}{\mathrm{b}}_{\mathrm{i},0} \\ =\left({\mathrm{a}}_{\mathrm{i},\mathrm{m}-1},\cdots ,{\mathrm{a}}_{\mathrm{i},1},{\mathrm{a}}_{\mathrm{i},0}\right){\mathrm{M}}_{{\mathsf{\alpha }}_{\mathrm{i}}}{({\mathsf{\alpha }}_{\mathrm{i}}^{\mathrm{m}-1},\cdots ,{\mathsf{\alpha }}_{\mathrm{i}},1)}^{\mathrm{T}} \end{gathered}$$

where ${\mathrm{M}}_{{\mathsf{\alpha }}_{\mathrm{i}}}$ is defined as follows:

$${\mathrm{M}}_{{\mathsf{\alpha }}_{\mathrm{i}}}=\left[\begin{array}{ccccc}{\mathrm{b}}_{\mathrm{i},\mathrm{m}-1}& {\mathrm{b}}_{\mathrm{i},\mathrm{m}-2}& \cdots & {\mathrm{b}}_{\mathrm{i},1}& {\mathrm{b}}_{\mathrm{i},0}\\ 1& 0& \cdots & 0& 0\\ 0& 1& \ddots & ⋮& ⋮\\ ⋮& \ddots & \ddots & 0& 0\\ 0& \cdots & 0& 1& 0\end{array}\right]$$

Calculate the characteristic polynomial $\mathsf{\eta }\left(\mathrm{x}\right)=\det (\mathrm{x}{\mathrm{I}}_{2\mathrm{l}\mathrm{m}}-\mathrm{G})$ of $\mathrm{G}$; if $\mathsf{\eta }\left(\mathrm{x}\right)$ is the principal polynomial, the LFSR can reach the maximum period. For the specific $\mathrm{l} \mathrm{and} \mathrm{m}$ setting, many can randomly generate $\left(\mathrm{C},\mathsf{\sigma }\right)$ and filter the combinations that satisfy the maximum period using the above method. □

In this paper, we will introduce an example of an LFSR construction. $\mathrm{C}$ and $\mathsf{\sigma }$ are selected and the specific construction process of LFSR includes QS1 to QS4:

QS1: Let $\mathrm{l}=4$, and choose four irreducible polynomials of the following form:

$$\begin{gathered} {\mathrm{g}}_0\left(\mathrm{y}\right)={\mathrm{x}}^{16}+{\mathrm{x}}^{14}+{\mathrm{x}}^{13}+{\mathrm{x}}^{12}+{\mathrm{x}}^{11}+{\mathrm{x}}^8+1 \\ {\mathrm{g}}_1\left(\mathrm{y}\right)={\mathrm{x}}^{16}+{\mathrm{x}}^{15}+{\mathrm{x}}^{12}+{\mathrm{x}}^{10}+1 \\ {\mathrm{g}}_2\left(\mathrm{y}\right)={\mathrm{x}}^{16}+{\mathrm{x}}^{13}+{\mathrm{x}}^{12}+{\mathrm{x}}^{11}+1 \\ {\mathrm{g}}_3\left(\mathrm{y}\right)={\mathrm{x}}^{16}+{\mathrm{x}}^{14}+{\mathrm{x}}^{13}+{\mathrm{x}}^{11}+1 \end{gathered}$$

QS2: constructs the matrix ${\mathrm{M}}_{{\mathsf{\alpha }}_0},{\mathrm{M}}_{{\mathsf{\alpha }}_1},{\mathrm{M}}_{{\mathsf{\alpha }}_2},{\mathrm{M}}_{{\mathsf{\alpha }}_3}$ based on the roots ${\mathsf{\alpha }}_0,{\mathsf{\alpha }}_1,{\mathsf{\alpha }}_2,{\mathsf{\alpha }}_3$ of the irreducible polynomial ${\mathrm{g}}_0\left(\mathrm{y}\right),{\mathrm{g}}_1\left(\mathrm{y}\right),{\mathrm{g}}_2\left(\mathrm{y}\right),{\mathrm{g}}_3\left(\mathrm{y}\right)$ and the diagonal matrix ${\mathrm{M}}_{\mathrm{c}}=\left[\begin{array}{cccc}{\mathrm{M}}_{{\mathsf{\alpha }}_0}& 0& 0& 0\\ 0& {\mathrm{M}}_{{\mathsf{\alpha }}_1}& 0& 0\\ 0& 0& {\mathrm{M}}_{{\mathsf{\alpha }}_2}& 0\\ 0& 0& 0& {\mathrm{M}}_{{\mathsf{\alpha }}_3}\end{array}\right]$.

QS3: Selection substitution $\mathsf{\sigma }:{\mathbb{F}}_{2^{16}}^4\to {\mathbb{F}}_{2^{16}}^4$ satisfies $\left({\mathrm{x}}_0,{\mathrm{x}}_1,{\mathrm{x}}_2,{\mathrm{x}}_3\right)\stackrel{\mathsf{\sigma }}{\to }({\mathrm{x}}_1,{\mathrm{x}}_2,{\mathrm{x}}_3,{\mathrm{x}}_0)$ and constructs the matrix ${\mathrm{M}}_{\mathsf{\sigma }}=\left[\begin{array}{cccc}0& 0& 0& {\mathrm{I}}_{16}\\ {\mathrm{I}}_{16}& 0& 0& 0\\ 0& {\mathrm{I}}_{16}& 0& 0\\ 0& 0& {\mathrm{I}}_{16}& 0\end{array}\right]$.

QS4: With matrix $\mathrm{G}=\left[\begin{array}{cccc}{\mathrm{M}}_{\mathrm{c}}& 0& 0& {\mathrm{I}}_{64}\\ {\mathrm{M}}_{\mathsf{\sigma }}& 0& 0& 0\\ 0& {\mathrm{I}}_{64}& 0& 0\\ 0& 0& {\mathrm{I}}_{64}& 0\end{array}\right]$, calculate the characteristic polynomial $\mathsf{\eta }\left(\mathrm{x}\right)=\det (\mathrm{x}{\mathrm{I}}_{256}-\mathrm{G})$ of $\mathrm{G}$ to obtain the principal polynomial as shown in the following equation:

$$\begin{gathered} {\mathsf{\eta }}_{256}\left(\mathrm{x}\right)={\mathrm{x}}^{256}+{\mathrm{x}}^{255}+{\mathrm{x}}^{253}+{\mathrm{x}}^{252}+{\mathrm{x}}^{248}+{\mathrm{x}}^{246}+{\mathrm{x}}^{244}+{\mathrm{x}}^{242}+{\mathrm{x}}^{241} \\ +{\mathrm{x}}^{240}+{\mathrm{x}}^{239}+{\mathrm{x}}^{238}+{\mathrm{x}}^{236}+{\mathrm{x}}^{233}+{\mathrm{x}}^{229}+{\mathrm{x}}^{228}+{\mathrm{x}}^{225} \\ +{\mathrm{x}}^{223}+{\mathrm{x}}^{222}+{\mathrm{x}}^{220}+{\mathrm{x}}^{219}+{\mathrm{x}}^{215}+{\mathrm{x}}^{209}+{\mathrm{x}}^{206}+{\mathrm{x}}^{203} \\ +{\mathrm{x}}^{202}+{\mathrm{x}}^{201}+{\mathrm{x}}^{200}+{\mathrm{x}}^{199}+{\mathrm{x}}^{197}+{\mathrm{x}}^{194}+{\mathrm{x}}^{193}+{\mathrm{x}}^{192} \\ +{\mathrm{x}}^{190}+{\mathrm{x}}^{189}+{\mathrm{x}}^{187}+{\mathrm{x}}^{182}+{\mathrm{x}}^{180}+{\mathrm{x}}^{176}+{\mathrm{x}}^{172}+{\mathrm{x}}^{171} \\ +{\mathrm{x}}^{170}+{\mathrm{x}}^{169}+{\mathrm{x}}^{168}+{\mathrm{x}}^{161}+{\mathrm{x}}^{160}+{\mathrm{x}}^{157}+{\mathrm{x}}^{156}+{\mathrm{x}}^{155} \\ +{\mathrm{x}}^{152}+{\mathrm{x}}^{151}+{\mathrm{x}}^{149}+{\mathrm{x}}^{146}+{\mathrm{x}}^{145}+{\mathrm{x}}^{144}+{\mathrm{x}}^{143}+{\mathrm{x}}^{141} \\ +{\mathrm{x}}^{137}+{\mathrm{x}}^{136}+{\mathrm{x}}^{135}+{\mathrm{x}}^{133}+{\mathrm{x}}^{129}+{\mathrm{x}}^{128}+{\mathrm{x}}^{127}+{\mathrm{x}}^{123} \\ +{\mathrm{x}}^{118}+{\mathrm{x}}^{116}+{\mathrm{x}}^{114}+{\mathrm{x}}^{111}+{\mathrm{x}}^{110}+{\mathrm{x}}^{109}+{\mathrm{x}}^{108}+{\mathrm{x}}^{105} \\ +{\mathrm{x}}^{101}+{\mathrm{x}}^{100}+{\mathrm{x}}^{96}+{\mathrm{x}}^{95}+{\mathrm{x}}^{94}+{\mathrm{x}}^{93}+{\mathrm{x}}^{89}+{\mathrm{x}}^{85}+{\mathrm{x}}^{82} \\ +{\mathrm{x}}^{80}+{\mathrm{x}}^{79}+{\mathrm{x}}^{78}+{\mathrm{x}}^{76}+{\mathrm{x}}^{72}+{\mathrm{x}}^{66}+{\mathrm{x}}^{64}+{\mathrm{x}}^{63}+{\mathrm{x}}^{62}+{\mathrm{x}}^{61} \\ +{\mathrm{x}}^{56}+{\mathrm{x}}^{54}+{\mathrm{x}}^{52}+{\mathrm{x}}^{49}+{\mathrm{x}}^{47}+{\mathrm{x}}^{41}+{\mathrm{x}}^{31}+{\mathrm{x}}^{29}+{\mathrm{x}}^{28}+{\mathrm{x}}^{25} \\ +{\mathrm{x}}^{24}+{\mathrm{x}}^{15}+1 \end{gathered}$$

4. Experimental Analysis and Discussion

We have outlined the encryption and decryption processes of the MLOL algorithm, along with the enhancements to the LFSR. A detailed security analysis is provided in the Section 2. In this section, we evaluate the performance of the MLOL algorithm by calculating the time complexity of the LFSR implementation, assessing the overall algorithm performance. The LOL-MINI with GHASH algorithm is used as a reference for comparison.

4.1. Cost Analysis of Improved LFSR Realization

The LOL framework proposes a large-bit-width-oriented LFSR [14] design approach. In this scheme, the × and $\mathsf{\sigma }$ operations are supported to be executed synchronously. The data stream is divided into high and low bits, which are stored in the H and L registers in byte units. Each byte can perform simultaneous left-shift followed by iso-orthogonal operations during execution. In the LFSR [14] design method proposed in this paper, the input data stream is stored in the four registers ${\mathrm{X}}_0$, ${\mathrm{X}}_1$, ${\mathrm{X}}_2$, and ${\mathrm{X}}_3$ in units of bytes. The design supports synchronized operation of × and $\mathsf{\sigma }$. Furthermore, half of the number of bytes in the improved LFSR [14] are subjected to simultaneous left-shifting, followed by XOR operations when executing the operation $\mathrm{C}\times$.

The degree of the LFSR is denoted as l, and the number of branches in the Feistel structure is denoted as m. Each branch is divided into n blocks, each of size d bits, where “ $n=l/(m\times d)$”. When m = 2, the constructed LFSR is used in the LOL framework, and when m = 4, in the MLOL algorithm.

When the total data length l and the bit length d remain unchanged, the LFSR operation in the MLOL algorithm reduces by half, as shown in

Table 1. Computational complexity comparison.

	The Number of Multiplications	The Number of XOR Operations
m = 2	$\mathrm{l}/(2 \times \mathrm{d})$	$\mathrm{l}/2$
m = 4	$\mathrm{l}/(4 \times \mathrm{d})$	$\mathrm{l}/4$

. This makes it more suitable for special domestic CPU platforms that do not support SIMD instruction sets, providing a diverse range of choices for the design of entropy sources in stream cipher algorithms.

In practical application scenarios, a 16-bit-length data stream with a byte length of 16 is often chosen as the input to a 256-level LFSR, and a 16-bit-length data stream with a byte length of 32 is chosen as the input to a 512-level LFSR. By choosing the appropriate matrix ${\mathrm{M}}_{\mathrm{c}}$ and matrix ${\mathrm{M}}_{\mathsf{\sigma }}$, we can construct LFSRs with maximum periods of up to $2^{256}-1$ and $2^{512}-1$, respectively.

4.2. Cost Analysis of MLOL and LOL Then GHASH Algorithm Implementation

The LOL framework designer provides LOL then GHASH and LOL then NHM-MAC authenticated encryption schemes based on LOL-MINI and LOL-DOUBLE constructs; the software performance of the two schemes is shown in the

Table 2. Comparison of GHASH and NMH-MAC encryption performance (Gbps).

Bytes	GHASH		NMH-MAC
	LOL-MINI	LOL-DOUBLE	LOL-MINI	LOL-DOUBLE
32	5.08	3.71	5.59	4.44
64	9.70	7.26	9.63	7.75
96	11.97	9.11	12.81	10.50
128	15.88	12.03	15.27	12.68
160	16.69	12.94	17.33	14.48
192	20.05	15.55	18.96	15.95
224	20.25	15.90	20.36	17.24
256	23.05	18.18	21.56	18.24
1024	36.05	29.77	30.83	27.45
2048	39.71	33.19	33.49	30.01
4096	41.71	35.25	34.52	31.44
8192	42.90	36.39	35.55	32.22
16,384	43.42	36.96	35.48	33.16

, and the performance of each scheme is in the following relationship when using the AVX2 instruction set:

LOL-MINI then GHASH > LOL-DOUBLE then GHASH > LOL-MINI then NMH-MAC > LOL-DOUBLE then NMH-MAC.

Since the authentication encryption scheme in this paper is based on LOL-MINI design, and the performance of the LOL-MINI then GHASH scheme implementation is better than LOL-MINI then NMH-MAC, we will compare the MLOL scheme with the LOL-MINI with GHASH scheme implementation cost to illustrate the advantages of the MLOL authentication encryption scheme. The two authentication encryption structures are shown in Figure 7 and Figure 8.

Let the length of authenticated encrypted linked data AD be $\mathsf{\alpha }$ and the length of encrypted message be $\mathsf{\beta }$, so that the initialization iteration function of LOL-MINI then GHASH is ${\mathrm{P}}_{\mathrm{a}}^{\mathrm{G}}$, the keystream output iteration function is ${\mathrm{P}}_{\mathrm{b}}^{\mathrm{G}}$, the initialization iteration and label generation iteration function of MLOL is ${\mathrm{P}}_{\mathrm{a}}^{\mathrm{Z}}$, and the iteration function of the linked data processing phase and encryption phase is ${\mathrm{P}}_{\mathrm{b}}^{\mathrm{Z}}$. ${\mathrm{M}\mathrm{U}\mathrm{L}}_{\mathrm{H}}$ is the multiplication on the domain, denoted by multiplying H on ${\mathbb{F}}_{2^{128}}$. $\mathrm{O}\left(\mathrm{F}\right)$ is the computational complexity of the function $\mathrm{F}$. Then, two schemes to complete data encryption contain the following operations:

• LOL-MINI then GHASH: 12 rounds of initialization iterations, $\mathsf{\beta }+2$ rounds of keystream output iterations, $\mathsf{\alpha }+\mathsf{\beta }{\mathrm{M}\mathrm{U}\mathrm{L}}_{\mathrm{H}}$ operations, $\mathsf{\alpha }+2\mathsf{\beta }$ 128-bit specific XOR;

  $$12\cdot \mathrm{O}\left({\mathrm{P}}_{\mathrm{a}}^{\mathrm{G}}\right)+\left(\mathsf{\beta }+2\right)\cdot \mathrm{O}\left({\mathrm{P}}_{\mathrm{b}}^{\mathrm{G}}\right)+\left(\mathsf{\alpha }+\mathsf{\beta }\right)\cdot \mathrm{O}\left({\mathrm{M}\mathrm{U}\mathrm{L}}_{\mathrm{H}}\right)+(\mathsf{\alpha }+2\mathsf{\beta })\cdot \mathrm{O}\left(⨁\right)$$
• MLOL: 12 rounds of initialization iterations, 12 rounds of label generation iterations, $\mathsf{\alpha }+\mathsf{\beta }$ rounds of keystream output iterations, $\mathsf{\alpha }+\mathsf{\beta }+3$ number of 128-bit specific XOR.

  $$24\cdot \mathrm{O}\left({\mathrm{P}}_{\mathrm{a}}^{\mathrm{Z}}\right)+\left(\mathsf{\alpha }+\mathsf{\beta }\right)\cdot \mathrm{O}\left({\mathrm{P}}_{\mathrm{b}}^{\mathrm{Z}}\right)+(\mathsf{\alpha }+\mathsf{\beta }+3)\cdot \mathrm{O}\left(⨁\right)$$

  where ${\mathrm{P}}_{\mathrm{a}}^{\mathrm{G}}$, ${\mathrm{P}}_{\mathrm{b}}^{\mathrm{G}}$, ${\mathrm{P}}_{\mathrm{a}}^{\mathrm{Z}}$, ${\mathrm{P}}_{\mathrm{b}}^{\mathrm{Z}}$ iterations contain the basic operations at a time as shown in Table 3.

  Table 3. Comparison of basic operations included in ${\mathrm{P}}_{\mathrm{a}}^{\mathrm{G}}$, ${\mathrm{P}}_{\mathrm{b}}^{\mathrm{G}}$, ${\mathrm{P}}_{\mathrm{a}}^{\mathrm{Z}}$, ${\mathrm{P}}_{\mathrm{b}}^{\mathrm{Z}}$ (units: number of iterations).

  Basic Operation	${\mathbf{P}}_{\mathbf{a}}^{\mathbf{G}}$	${\mathbf{P}}_{\mathbf{b}}^{\mathbf{G}}$	${\mathbf{P}}_{\mathbf{a}}^{\mathbf{Z}}$	${\mathbf{P}}_{\mathbf{b}}^{\mathbf{Z}}$
  $\mathrm{C}\times$	8	8	4	4
  R function (math.)	4	4	4	4
  128-bit specific XOR	9	7	8.5	7.5

  Table 3. Comparison of basic operations included in ${\mathrm{P}}_{\mathrm{a}}^{\mathrm{G}}$, ${\mathrm{P}}_{\mathrm{b}}^{\mathrm{G}}$, ${\mathrm{P}}_{\mathrm{a}}^{\mathrm{Z}}$, ${\mathrm{P}}_{\mathrm{b}}^{\mathrm{Z}}$ (units: number of iterations).

  Basic Operation	${\mathbf{P}}_{\mathbf{a}}^{\mathbf{G}}$	${\mathbf{P}}_{\mathbf{b}}^{\mathbf{G}}$	${\mathbf{P}}_{\mathbf{a}}^{\mathbf{Z}}$	${\mathbf{P}}_{\mathbf{b}}^{\mathbf{Z}}$
  $\mathrm{C}\times$	8	8	4	4
  R function (math.)	4	4	4	4
  128-bit specific XOR	9	7	8.5	7.5

Below, we give a comparison of the computational complexity of LOL-MINI with GHASH and MLOL after conversion to basic operations, as shown in

Table 4. Comparison of LOL-MINI with GHASH and MLOL base operations (units: number of iterations).

Basic Operation	LOL-MINI then GHASH	MLOL
$\mathrm{C}\times$	$112+8\mathsf{\beta }$	$96+4\cdot (\mathsf{\alpha }+\mathsf{\beta })$
R function (math.)	$56+4\mathsf{\beta }$	$96+4\cdot (\mathsf{\alpha }+\mathsf{\beta })$
128-bit specific XOR	$122+9\mathsf{\beta }+\mathsf{\alpha }$	$207+8.5\cdot (\mathsf{\alpha }+\mathsf{\beta })$
${\mathrm{M}\mathrm{U}\mathrm{L}}_{\mathrm{H}}$	$\mathsf{\alpha }+\mathsf{\beta }$	0

.

Thus, the difference in computational complexity between LOL-MINI with GHASH and MLOL is as follows:

$$\left(16+4\mathsf{\beta }-4\mathsf{\alpha }\right)\cdot \mathrm{O}\left(\mathrm{C}\times \right)+\left(4\mathsf{\alpha }-30\right)\cdot \mathrm{O}\left(\mathrm{R}\right)+(0.5\mathsf{\beta }-7.5\mathsf{\alpha }-85)\cdot \mathrm{O}\left(⨁\right)+(\mathsf{\alpha }+\mathsf{\beta })\cdot \mathrm{O}\left({\mathrm{M}\mathrm{U}\mathrm{L}}_{\mathrm{H}}\right)$$

In the actual encryption process operation, the length of the associated data is much smaller than the length of the encrypted data, so we simplify the above equation to obtain the following:

$$\left(16+4\mathsf{\beta }\right)\cdot \mathrm{O}\left(\mathrm{C}\times \right)+\left(-30\right)\cdot \mathrm{O}\left(\mathrm{R}\right)+(0.5\mathsf{\beta }-85)\cdot \mathrm{O}\left(⨁\right)+\left(\mathsf{\beta }\right)\cdot \mathrm{O}\left({\mathrm{M}\mathrm{U}\mathrm{L}}_{\mathrm{H}}\right)$$

Below, we give a comparison of the difference in computational complexity between LOL-MINI then GHASH and MLOL for different lengths of encrypted data, as shown in

Table 5. Difference in computational complexity between LOL-MINI then GHASH and MLOL.

Data Length (Bytes)	Computational Complexity Difference
32	$1040\cdot \mathrm{O}\left(\mathrm{C}\times \right)+43\cdot \mathrm{O}\left(⨁\right)+256\cdot \mathrm{O}\left({\mathrm{M}\mathrm{U}\mathrm{L}}_{\mathrm{H}}\right)-30\cdot \mathrm{O}\left(\mathrm{R}\right)$
64	$2064\cdot \mathrm{O}\left(\mathrm{C}\times \right)+171\cdot \mathrm{O}\left(⨁\right)+512\cdot \mathrm{O}\left({\mathrm{M}\mathrm{U}\mathrm{L}}_{\mathrm{H}}\right)-30\cdot \mathrm{O}\left(\mathrm{R}\right)$
96	$3088\cdot \mathrm{O}\left(\mathrm{C}\times \right)+299\cdot \mathrm{O}\left(⨁\right)+760\cdot \mathrm{O}\left({\mathrm{M}\mathrm{U}\mathrm{L}}_{\mathrm{H}}\right)-30\cdot \mathrm{O}\left(\mathrm{R}\right)$
128	$4112\cdot \mathrm{O}\left(\mathrm{C}\times \right)+427\cdot \mathrm{O}\left(⨁\right)+1024\cdot \mathrm{O}\left({\mathrm{M}\mathrm{U}\mathrm{L}}_{\mathrm{H}}\right)-30\cdot \mathrm{O}\left(\mathrm{R}\right)$
160	$5136\cdot \mathrm{O}\left(\mathrm{C}\times \right)+555\cdot \mathrm{O}\left(⨁\right)+1280\cdot \mathrm{O}\left({\mathrm{M}\mathrm{U}\mathrm{L}}_{\mathrm{H}}\right)-30\cdot \mathrm{O}\left(\mathrm{R}\right)$
192	$6160\cdot \mathrm{O}\left(\mathrm{C}\times \right)+683\cdot \mathrm{O}\left(⨁\right)+1536\cdot \mathrm{O}\left({\mathrm{M}\mathrm{U}\mathrm{L}}_{\mathrm{H}}\right)-30\cdot \mathrm{O}\left(\mathrm{R}\right)$
224	$7184\cdot \mathrm{O}\left(\mathrm{C}\times \right)+811\cdot \mathrm{O}\left(⨁\right)+1792\cdot \mathrm{O}\left({\mathrm{M}\mathrm{U}\mathrm{L}}_{\mathrm{H}}\right)-30\cdot \mathrm{O}\left(\mathrm{R}\right)$
256	$8208\cdot \mathrm{O}\left(\mathrm{C}\times \right)+939\cdot \mathrm{O}\left(⨁\right)+2048\cdot \mathrm{O}\left({\mathrm{M}\mathrm{U}\mathrm{L}}_{\mathrm{H}}\right)-30\cdot \mathrm{O}\left(\mathrm{R}\right)$
1024	$32784\cdot \mathrm{O}\left(\mathrm{C}\times \right)+4011\cdot \mathrm{O}\left(⨁\right)+8192\cdot \mathrm{O}\left({\mathrm{M}\mathrm{U}\mathrm{L}}_{\mathrm{H}}\right)-30\cdot \mathrm{O}\left(\mathrm{R}\right)$
2048	$65552\cdot \mathrm{O}\left(\mathrm{C}\times \right)+8107\cdot \mathrm{O}\left(⨁\right)+16384\cdot \mathrm{O}\left({\mathrm{M}\mathrm{U}\mathrm{L}}_{\mathrm{H}}\right)-30\cdot \mathrm{O}\left(\mathrm{R}\right)$
4096	$131088\cdot \mathrm{O}\left(\mathrm{C}\times \right)+16299\cdot \mathrm{O}\left(⨁\right)+32768\cdot \mathrm{O}\left({\mathrm{M}\mathrm{U}\mathrm{L}}_{\mathrm{H}}\right)-30\cdot \mathrm{O}\left(\mathrm{R}\right)$
8192	$262160\cdot \mathrm{O}\left(\mathrm{C}\times \right)+32683\cdot \mathrm{O}\left(⨁\right)+65536\cdot \mathrm{O}\left({\mathrm{M}\mathrm{U}\mathrm{L}}_{\mathrm{H}}\right)-30\cdot \mathrm{O}\left(\mathrm{R}\right)$
16384	$524304\cdot \mathrm{O}\left(\mathrm{C}\times \right)+65451\cdot \mathrm{O}\left(⨁\right)+131072\cdot \mathrm{O}\left({\mathrm{M}\mathrm{U}\mathrm{L}}_{\mathrm{H}}\right)-30\cdot \mathrm{O}\left(\mathrm{R}\right)$

.

As can be seen from Table 5, with the growth of encrypted data, the computational complexity of LOL-MINI then GHASH will significantly exceed that of MLOL, mainly due to the fact that the additional $\mathrm{C}\times$ operations as well as the ${\mathrm{M}\mathrm{U}\mathrm{L}}_{\mathrm{H}}$ operations in LOL-MINI then GHASH increase significantly with the increase in encrypted data, so in practical application scenarios, the performance of MLOL outperforms that of LOL-MINI then GHASH.

The software performance of the MLOL, LOL-MINI, and GHASH schemes without using the AVX2 instruction set is shown in

Table 6. Comparison of MLOL and LOL-MINI then GHASH encryption performance.

Bytes	MLOL (Gbps)	LOL-MINI then GHASH (Mbps)
32	2.618	2035.708
64	3.091	4049.903
96	4.171	6740.899
128	4.076	8821.297
160	4.984	9043.705
192	6.500	9643.268
224	6.950	9806.630
256	7.186	10,706.156
1024	10.539	15,750.597

. The performance of the two schemes follows the following relationship:

MLOL > LOL-MINI then GHASH

5. Security Analysis of MLOL

Different update functions are employed in the key generation process, thereby ensuring resistance to sliding attacks, similar to the LOL framework. A thorough analysis of other potential attacks is provided in the following sections.

5.1. Full Diffusion Round Analysis

The number of rounds in the full-diffusion [19] loop in stream cipher initialization is an evaluation of the minimum number of initialization iterations that each state bit of the input has gone through to affect all state bits. For this algorithm, the number of full-diffusion rounds is related to the specific parameter and component choices as well as the loading states of the working and message keys. Here, we load the loading states of the working and message keys into the fast-diffusion FSM instead of the traditional LFSR, making it possible to achieve a smaller number of full-diffusion rounds.

Table 7. Diffusion table.

Rounds	${\mathbf{L}}_0$	${\mathbf{L}}_1$	${\mathbf{L}}_2$	${\mathbf{L}}_3$	N	${\mathbf{S}}_0$	${\mathbf{S}}_1$	${\mathbf{S}}_2$
1	3	3	33	33	33	33	33	33
2	39	69	162	161	161	161	161	417
3	235	329	353	289	289	289	289	673
4	495	647	736	417	417	417	417	801
5	808	992	896	545	545	545	801	929
6	1152	1152	1024	673	673	929	1057	1057
7	1280	1280	1152	801	1057	1185	1185	1185
8	1408	1408	1280	1184	1312	1312	1312	1312
9	1408	1408	1408	1408	1408	1408	1408	1408

shows the total number of output state bits affected by any bit of the input state after rounds 1 to 9, where 1408 = 128 × 11 indicates that full diffusion is reached.

5.2. Guess-And-Determine Attack

Guess-and-determine attacks [20,21,22,23] are commonly used tools to achieve state recovery in the keystream generation phase. We first perform the guess-and-determine attack following a clockwise strategy. In each step, the keystream block of MLOL involves two state units. Since the internal state consists of six units, the adversary needs to consider at least three consecutive steps to obtain information about the whole internal state. For MLOL, the guessing should be based on ${\mathrm{Z}}^{\mathrm{t}}$, ${\mathrm{Z}}^{\mathrm{t}+1}$, ${\mathrm{Z}}^{\mathrm{t}+2}$, ${\mathrm{N}}^{\mathrm{t}}$, ${\mathrm{N}}^{\mathrm{t}+1}$, ${\mathrm{N}}^{\mathrm{t}+2}$ with time complexity $2^{384}$ and irreducible to ${\mathrm{L}}_1^{\mathrm{t}}$; the guessing path is shown in

Table 8. MLOL guessing paths.

Time	Operation	Variables	Relations	Complexity
t	Guess Determine	$$\begin{gathered} {\mathrm{N}}^{\mathrm{t}} \\ {\mathrm{S}}_2^{\mathrm{t}} \end{gathered}$$	$\mathcal{R}\left({\mathrm{S}}_2^{\mathrm{t}}\right)$$={\mathrm{Z}}^{\mathrm{t}}⨁{\mathrm{N}}^{\mathrm{t}}$	$2^{128}$
t + 1	Guess Determine Determine Determine Determine	$$\begin{gathered} \begin{array}{c}{\mathrm{N}}^{\mathrm{t}+1}\\ \left({\mathrm{L}}_2^{\mathrm{t}},{\mathrm{L}}_3^{\mathrm{t}}\right)\\ \left({\mathrm{L}}_1^{\mathrm{t}+1},{\mathrm{L}}_2^{\mathrm{t}+1}\right)\\ {\mathrm{S}}_2^{\mathrm{t}+1} \\ {\mathrm{S}}_1^{\mathrm{t}}\end{array} \end{gathered}$$	$\begin{array}{c}\left({\mathrm{L}}_2^{\mathrm{t}},{\mathrm{L}}_3^{\mathrm{t}}\right)=\mathrm{R}\left({\mathrm{N}}^{\mathrm{t}}\right)⨁{\mathrm{N}}^{\mathrm{t}+1}\\ {\mathrm{L}}_1^{\mathrm{t}+1}={\mathrm{L}}_2^{\mathrm{t}}{\mathrm{L}}_2^{\mathrm{t}+1}={\mathrm{L}}_3^{\mathrm{t}}\\ \mathcal{R}\left({\mathrm{S}}_2^{\mathrm{t}+1}\right)={\mathrm{Z}}^{\mathrm{t}+1}⨁{\mathrm{N}}^{\mathrm{t}+1}\\ \mathcal{R}\left({\mathrm{S}}_1^{\mathrm{t}}\right)={\mathrm{S}}_2^{\mathrm{t}+1}⨁{\mathrm{S}}_2^{\mathrm{t}}\end{array}$	$2^{256}$
t + 2	Guess Determine Determine Determine Determine	$$\begin{gathered} {\mathrm{N}}^{\mathrm{t}+2} \\ {\mathrm{L}}_0^{\mathrm{t}} \\ {\mathrm{S}}_2^{\mathrm{t}+2} \\ {\mathrm{S}}_1^{\mathrm{t}+1} \\ {\mathrm{S}}_0^{\mathrm{t}} \end{gathered}$$	$\begin{array}{c}\left({\mathrm{L}}_2^{\mathrm{t}+1},{\mathrm{L}}_3^{\mathrm{t}+1}\right)=\mathrm{R}\left({\mathrm{N}}^{\mathrm{t}+1}\right)⨁{\mathrm{N}}^{\mathrm{t}+2}\\ {\mathrm{L}}_2^{\mathrm{t}+1}={\mathrm{L}}_3^{\mathrm{t}},{\mathrm{L}}_3^{\mathrm{t}+1}={\mathrm{L}}_0^{\mathrm{t}}\\ \mathcal{R}\left({\mathrm{S}}_2^{\mathrm{t}+2}\right)={\mathrm{Z}}^{\mathrm{t}+2}⨁{\mathrm{N}}^{\mathrm{t}+2}\\ \mathcal{R}\left({\mathrm{S}}_1^{\mathrm{t}+1}\right)={\mathrm{S}}_2^{\mathrm{t}+2}⨁{\mathrm{S}}_2^{\mathrm{t}+1}\\ \mathcal{R}\left({\mathrm{S}}_0^{\mathrm{t}}\right)={\mathrm{S}}_1^{\mathrm{t}}⨁{\mathrm{S}}_1^{\mathrm{t}+1}\end{array}$	$2^{384}$

, and three additional keystream blocks are needed for filtering. In addition to the above, which only considers the round-by-round strategy, two consecutive keystream blocks involve at least two AES round functions, and each of them requires guessing a 128-bit block. Therefore, the “guess-and-determine” attack on MLOL is well above the bounds of $2^{256}$.

5.3. Algebraic Attack

Algebraic attacks [24] are a class of cryptanalytic techniques that target cryptographic algorithms by solving a system of algebraic equations. In an algebraic attack, the adversary constructs multiple nonlinear equations based on unknown key bits or state bits and solves the resulting system of equations. It is well known that the S-box of AES can be represented by a set of 23 linearly independent bi-affine quadratic equations, involving 80 terms in total: 64 quadratic terms and 16 linear terms [25]. Based on these observations, a system of equations was developed for MLOL, and the total number of terms was calculated. It is evident that the number of terms and equations increases exponentially as the number of rounds in the cipher increases.

We can see that the number of variables is always greater than the number of equations in

Table 9. System of equations for MLOL linearized algebraic attack.

Linear equations	128 × (5T − 2)
Quadratic equations	368 × 4T
Equation	2112T − 256
Linear term	128 × (8T + 3)
Quadratic	(64 × 16) × 4T
Item	5120T + 384

, so MLOL is resistant to linearized algebraic attacks. Moreover, the complexity of the equation solving process is higher than $2^{256}$ for both recovering the internal state and the secret key. Therefore, MLOL is resistant to algebraic attack.

5.4. Forgery Attack

Information security has two primary objectives: confidentiality and integrity. While encryption ensures the confidentiality of a message, it does not provide integrity protection, leaving the message vulnerable to tampering. An adversary could modify the ciphertext to alter the plaintext. In open network communications, both message authentication and data confidentiality are required, with authentication sometimes taking precedence over confidentiality. A forgery attack [26] targets authenticated encryption algorithms specifically.

A forgery attack usually involves an attacker encrypting two different plaintexts $\mathrm{P}$ and ${\mathrm{P}}^{\prime }$ starting from the same internal state of the cryptographic algorithm, and after multiple state updates, the resulting internal states are correlated or identical with high probability. If the final internal states are correlated with high probability, the attacker is able to guess the label ${\mathrm{P}}^{\prime }$ with high probability from the label $\mathrm{T}$. If the final internal states are identical, the attacker can obtain the triple $({\mathrm{P}}^{\prime },{\mathrm{C}}^{\prime },\mathrm{T})$. In general, the attacker constructs ${\mathrm{P}}^{\prime }$ by introducing a difference to the plaintext $\mathrm{P}$.

We have analyzed the forgery attack on MLOL, and the specific attack steps include QS1 to QS4:

QS1 asks once for the authenticated encryption result of a message $(\mathrm{N},\mathrm{K},\mathrm{AD},{\mathrm{M}}_0,{\mathrm{M}}_1,\dots ,{\mathrm{M}}_{\mathrm{i}},{\mathrm{M}}_{\mathrm{i}+1},\dots ,{\mathrm{M}}_{\mathrm{m}},{\mathrm{C}}_0,{\mathrm{C}}_1,\dots {\mathrm{C}}_{\mathrm{i}},{\mathrm{C}}_{\mathrm{i}+1},\dots ,{\mathrm{C}}_{\mathrm{m}},\mathrm{T})$.

QS2 constructs an authenticated encryption result for a message $\left(\mathrm{N},\mathrm{K},\mathrm{A}\mathrm{D},{\mathrm{M}}_0^{\prime },{\mathrm{M}}_1^{\prime },\dots ,{\mathrm{M}}_{\mathrm{i}}^{\prime },{\mathrm{M}}_{\mathrm{i}+1}\dots ,{\mathrm{M}}_{\mathrm{m}},{\mathrm{C}}_0^{\prime },{\mathrm{C}}_1^{\prime },\dots ,{\mathrm{C}}_{\mathrm{i}}^{\prime },{\mathrm{C}}_{\mathrm{i}+1}\dots ,{\mathrm{C}}_{\mathrm{m}},\mathrm{T}\right)$.

QS3: If there exists a differential path that satisfies $(\mathrm{0,0},0,{\mathrm{M}}_0\oplus ∆{\mathrm{M}}_0,{\mathrm{M}}_1\oplus ∆{\mathrm{M}}_1,\dots ,{\mathrm{M}}_{\mathrm{i}}\oplus ∆{\mathrm{M}}_{\mathrm{i}},{\mathrm{M}}_{\mathrm{i}+1},\dots {\mathrm{M}}_{\mathrm{m}},{\mathrm{C}}_0\oplus ∆{\mathrm{C}}_0,{\mathrm{C}}_1\oplus ∆{\mathrm{C}}_1,\dots ,{\mathrm{C}}_{\mathrm{i}}\oplus ∆{\mathrm{C}}_{\mathrm{i}},0,\dots ,\mathrm{0,0})$, then the attack is successful.

QS4: Let the initial difference of the internal state be $\left(∆{\mathrm{M}}_0,{∆\mathrm{S}}_0,{∆\mathrm{S}}_1,∆{\mathrm{S}}_2,∆\mathrm{N},∆\mathrm{Z}\right)$, the difference after $\mathrm{i}$ rounds of iteration $\left(∆{\mathrm{M}}_0^{\mathrm{i}},{∆\mathrm{S}}_0^{\mathrm{i}},{∆\mathrm{S}}_1^{\mathrm{i}},∆{\mathrm{S}}_2^{\mathrm{i}},∆{\mathrm{N}}^{\mathrm{i}},∆{\mathrm{Z}}^{\mathrm{i}}\right)$; then, if there is a differential feature $\left(∆{\mathrm{M}}_0^0>0,{∆\mathrm{S}}_0^0=0,{∆\mathrm{S}}_1^0=0,∆{\mathrm{S}}_2^0=0,∆{\mathrm{N}}^0=0,∆{\mathrm{Z}}^0=0\right)\stackrel{\mathrm{p}\mathrm{r}}{\to }\left(∆{\mathrm{M}}_0^{\mathrm{t}},{∆\mathrm{S}}_0^{\mathrm{t}}=0,{∆\mathrm{S}}_1^{\mathrm{t}}=0,∆{\mathrm{S}}_2^{\mathrm{t}}=0,∆{\mathrm{N}}^{\mathrm{t}}=0,∆{\mathrm{Z}}^{\mathrm{t}}=0\right)$, $\mathrm{pr}>2^{-128}$, then it is equivalent to the introduction of the difference in the M/AD inhalation phase; after i rounds of operation, the difference within the algorithm is 0, and you can construct a message with a different input message and the same output label, which is regarded as a successful attack.

We have performed a distinguisher search for the correlated data processing phase as well as the message encryption phase of MLOL, and the minimum number of active S-boxes that satisfy the above differential characteristics is 43. Since the differential probability of S-boxes for AES is $2^{-6}$, then $\mathrm{pr}=2^{-258}$, and the scheme is resistant to forgery attacks.

5.5. Integral Analysis

Integral analysis [27] is a chosen-plaintext attack method, where the attacker selects a set of plaintexts, encrypts them, and if the attacker can predict the integral value of the resulting output multiset after r rounds, an integral distinguisher for the algorithm has been found.

For the MLOL algorithm, we assess the number of rounds required to resist integral analysis during the initialization phase by determining how many iterations of the SP function are necessary. We can demonstrate that the MLOL algorithm is resistant to integral analysis after n iterations of the SP function during the initial keystream output. Since the LOL framework is block-based, the keystream can be expressed as a simplified function of the initialization vector (IV). We rely on the number of iterations of the round function R to assess the algorithm’s resistance to integral attacks. Since MLOL follows the LOL framework and uses the round function R from AES, and AES does not have effective integral distinguishers for five rounds or more, the initialization phase of MLOL must involve more than six rounds of R iterations. The output expression of the keystream after seven rounds of the MLOL algorithm can be simplified as follows:

$$\begin{gathered} Z^{-7}=\mathrm{R}\left(\mathrm{R}\right(\mathrm{R}\left(\mathrm{R}\right(\mathrm{R}\left(\mathrm{R}\right(\mathrm{I}\mathrm{V}\left)\right))\oplus \mathrm{I}\mathrm{V})\oplus \mathrm{R}\left(\mathrm{I}\mathrm{V}\right)\oplus \mathrm{R}\left(\mathrm{I}\mathrm{V}\right)\oplus \mathrm{R}\left(\mathrm{I}\mathrm{V}\right)\left)\right) \\ \oplus \mathrm{R}\left(\mathrm{R}\left(\left.\mathrm{I}\mathrm{V}\right)\right.\right.\oplus \mathrm{R}\left(\left.\mathrm{I}\mathrm{V}\right)\right.\oplus \mathrm{R}\left(\left.\mathrm{I}\mathrm{V}\right)\oplus \mathrm{R}\left(\mathrm{R}\left(\left.\mathrm{I}\mathrm{V}\right)\right.\right.\right.\oplus \mathrm{R}\left(\left.\mathrm{I}\mathrm{V}\right)\right.\oplus \mathrm{R}\left(\mathrm{R}\left(\left.\mathrm{I}\mathrm{V}\right)\right.\right.\left)\right) \\ \oplus \mathrm{R}\left(\mathrm{R}\left(\mathrm{R}\left(\left.\mathrm{I}\mathrm{V}\right)\right.\right.\right.\oplus \mathrm{R}\left(\left.\mathrm{I}\mathrm{V}\right)\right.\oplus \mathrm{R}\left(\left.\mathrm{I}\mathrm{V}\right)\right.\oplus \mathrm{R}\left(\mathrm{R}\left(\left.\mathrm{I}\mathrm{V}\right)\right.\right.\oplus \mathrm{R}\left(\left.\mathrm{I}\mathrm{V}\right)\oplus \mathrm{R}\left(\mathrm{R}\left(\left.\mathrm{I}\mathrm{V}\right)\right.\right.\right.\left)\right) \\ \oplus \mathrm{R}\left(\mathrm{R}\left(\mathrm{R}\left(\mathrm{R}\left(\left.\mathrm{I}\mathrm{V}\right)\right.\right.\right.\right.\left)\right))\oplus \mathrm{R}\left(\mathrm{R}\left(\mathrm{R}\left(\left.\mathrm{I}\mathrm{V}\right)\right.\right.\right.\oplus \mathrm{R}\left(\left.\mathrm{I}\mathrm{V}\right))\right.\oplus \mathrm{R}\left(\mathrm{R}\left(\left.\mathrm{I}\mathrm{V}\right)\right.\right.))\oplus \mathrm{R}\left(\mathrm{R}\left(\mathrm{R}\left(\left.\mathrm{I}\mathrm{V}\right)\left)\right)\right.\right.\right. \\ \oplus \mathrm{R}\left(\mathrm{R}\left(\mathrm{R}\left(\mathrm{R}\left(\mathrm{R}\left(\left.\mathrm{I}\mathrm{V}\right)\right.\right.\right.\right.\right.\left)\right))\oplus \mathrm{R}\left(\mathrm{R}\left(\mathrm{R}\left(\left.\mathrm{I}\mathrm{V}\right)\right.\right.\right.\oplus \mathrm{R}\left(\left.\mathrm{I}\mathrm{V}\right))\right.\oplus \mathrm{R}\left(\mathrm{R}\left(\left.\mathrm{I}\mathrm{V}\right)\right.\right.))\oplus \mathrm{R}\left(\mathrm{R}\left(\mathrm{R}\left(\left.\mathrm{I}\mathrm{V}\right)\left)\right)\right.\right.\right.) \\ \oplus \mathrm{R}\left(\mathrm{R}\left(\mathrm{R}\left(\left.\mathrm{I}\mathrm{V}\right)\left)\right)\right.\right.\right. \end{gathered}$$

It follows that a keystream of seven rounds of initialization of MLOL can go through six rounds of AES round function, so MLOL with a total of 12 rounds of initialization can resist integral analysis.

5.6. Differential Analysis

The core principle of differential cryptanalysis [28] involves analyzing the relationship between the input differences of cipher components and the resulting output differences. While initially developed for block ciphers, differential cryptanalysis can also be applied to stream ciphers.

• Truncated differential analysis

For truncated differential analysis of the MLOL algorithm, we focus on its resistance to such attacks during the initialization and label generation phases.

Initialization phase: We evaluate the algorithm’s ability to withstand truncated differential analysis under the correlated key-selective IV model, where the injected differential involves both the key and IV components. A byte-based MILP (Mixed Integer Linear Programming) [29] technique is employed to identify high-probability differential characteristics and to estimate an upper bound on the probability of differential propagation. This upper bound is determined by the minimum number of active S-boxes in the distinguisher. The results for the minimum number of differentially active S-boxes at various stages (i.e., after several rounds) following the introduction of the differential in the initialization phase are as shown in

Table 10. Number of differential active S-boxes.

1	2	3	4	5	6	7	8	9	10	11	12
0	6	17	34	39	47	51	59	63	67	72	77

.

Label generation phase: We evaluate the resistance of the algorithm to truncated differential analysis under the chosen plaintext model, where differential locations are injected as either plaintext or correlated data. A byte-based MILP (Mixed Integer Linear Programming) technique is employed to identify high-probability differential characteristics and determine an upper bound on the probability of differential propagation, which is constrained by the minimum number of active S-boxes required by the distinguisher. The results for the minimum number of differentially active S-boxes at various numbers of taps, following the introduction of the differential in the label generation phase, are as shown in

Table 11. Number of differential active S-boxes.

1	2	3	4	5	6	7	8	9	10	11	12
0	6	17	34	39	47	51	59	63	67	72	77

.

2.

Impossible differential analysis

For the impossible differential analysis of MLOL, we mainly consider the ability to resist impossible differential analysis in the initialization phase and label generation phase of the MLOL algorithm.

Initialization phase: We evaluate the ability of the MLOL algorithm to resist impossible differential analysis under the correlated key-selective IV model, where the injected differential involves both key and IV components. A byte-based MILP (Mixed Integer Linear Programming) technique is employed to identify high-probability impossible differential distinguishers, as well as to determine the security bound of the MLOL algorithm by calculating the minimum number of rounds required for the existence of an impossible differential distinguisher. The results for the impossible differential distinguishers at various stages (i.e., after several rounds) following the introduction of the differential in the initialization phase are as shown in

Table 12. Impossible differential analysis results for the initialization phase.

Round	Impossible Differential Differentiator
1	$\left(\mathrm{1,0},\mathrm{0,0},\mathrm{0,0},\mathrm{0,0},\mathrm{0,0},\mathrm{0,0},\mathrm{0,0},\mathrm{0,0},\mathrm{1,0},\mathrm{0,0},\mathrm{0,0},\mathrm{0,0},\mathrm{0,0},\mathrm{0,0},\mathrm{0,0},\mathrm{0,0}\right)\to \left(\mathrm{1,0},\mathrm{0,0},\mathrm{0,0},\mathrm{0,0},\mathrm{0,0},\mathrm{0,0},0\right)$
2	$\left(\mathrm{1,0},\mathrm{0,0},\mathrm{0,0},\mathrm{0,0},\mathrm{0,0},\mathrm{0,0},\mathrm{0,0},\mathrm{0,0},\mathrm{1,0},\mathrm{0,0},\mathrm{0,0},\mathrm{0,0},\mathrm{0,0},\mathrm{0,0},\mathrm{0,0},\mathrm{0,0}\right)\to \left(\mathrm{1,0},\mathrm{0,0},\mathrm{0,0},\mathrm{0,0},\mathrm{0,0},\mathrm{0,0},0\right)$
3	$\left(\mathrm{1,0},\mathrm{0,0},\mathrm{0,0},\mathrm{0,0},\mathrm{0,0},\mathrm{0,0},\mathrm{0,0},\mathrm{0,0},\mathrm{1,0},\mathrm{0,0},\mathrm{0,0},\mathrm{0,0},\mathrm{0,0},\mathrm{0,0},\mathrm{0,0},\mathrm{0,0}\right)\to \left(\mathrm{1,0},\mathrm{0,0},\mathrm{0,0},\mathrm{0,0},\mathrm{0,0},\mathrm{0,0},0\right)$
4	$\left(\mathrm{1,0},\mathrm{0,0},\mathrm{0,0},\mathrm{0,0},\mathrm{0,0},\mathrm{0,0},\mathrm{0,0},\mathrm{0,0},\mathrm{1,0},\mathrm{0,0},\mathrm{0,0},\mathrm{0,0},\mathrm{0,0},\mathrm{0,0},\mathrm{0,0},\mathrm{0,0}\right)\to \left(\mathrm{1,0},\mathrm{0,0},\mathrm{0,0},\mathrm{0,0},\mathrm{0,0},\mathrm{0,0},0\right)$
5	$\left(\mathrm{1,0},\mathrm{0,0},\mathrm{0,0},\mathrm{0,0},\mathrm{0,0},\mathrm{0,0},\mathrm{0,0},\mathrm{0,0},\mathrm{1,0},\mathrm{0,0},\mathrm{0,0},\mathrm{0,0},\mathrm{0,0},\mathrm{0,0},\mathrm{0,0},\mathrm{0,0}\right)\to \left(\mathrm{1,0},\mathrm{0,0},\mathrm{0,0},\mathrm{0,0},\mathrm{0,0},\mathrm{0,0},0\right)$
6	$\left(\mathrm{1,0},\mathrm{0,0},\mathrm{0,0},\mathrm{0,0},\mathrm{0,0},\mathrm{0,0},\mathrm{0,0},\mathrm{0,0},\mathrm{1,0},\mathrm{0,0},\mathrm{0,0},\mathrm{0,0},\mathrm{0,0},\mathrm{0,0},\mathrm{0,0},\mathrm{0,0}\right)\to \left(\mathrm{1,0},\mathrm{0,0},\mathrm{0,0},\mathrm{0,0},\mathrm{0,0},\mathrm{0,0},0\right)$
7	$\left(\mathrm{1,0},\mathrm{0,0},\mathrm{0,0},\mathrm{0,0},\mathrm{0,0},\mathrm{0,0},\mathrm{0,0},\mathrm{0,0},\mathrm{1,0},\mathrm{0,0},\mathrm{0,0},\mathrm{0,0},\mathrm{0,0},\mathrm{0,0},\mathrm{0,0},\mathrm{0,0}\right)\to \left(\mathrm{1,0},\mathrm{0,0},\mathrm{0,0},\mathrm{0,0},\mathrm{0,0},\mathrm{0,0},0\right)$

.

Label generation phase: We evaluate the resistance of the MLOL algorithm to impossible differential analysis under the chosen plaintext model, where differential locations are injected as plaintext or correlated data. A byte-based MILP (Mixed Integer Linear Programming) technique is employed to identify impossible differential distinguishers and to determine the security bound of the MLOL algorithm by calculating the minimum number of rounds required for the existence of an impossible differential distinguisher. The results for the impossible differential distinguishers at various stages, following the introduction of differentials in the label generation phase, are as shown in

Table 13. Results of impossible difference analysis in the label generation phase.

Round	Impossible Differential Differentiator
1	$\left(\mathrm{1,0},\mathrm{0,0},\mathrm{0,0},\mathrm{0,0},\mathrm{0,0},\mathrm{0,0},\mathrm{0,0},\mathrm{0,0}\right)\to \left(\mathrm{1,0},\mathrm{0,0},\mathrm{0,0},\mathrm{0,0},\mathrm{0,0},\mathrm{0,0},0\right)$
2	$\left(\mathrm{1,0},\mathrm{0,0},\mathrm{0,0},\mathrm{0,0},\mathrm{0,0},\mathrm{0,0},\mathrm{0,0},\mathrm{0,0}\right)\to \left(\mathrm{1,0},\mathrm{0,0},\mathrm{0,0},\mathrm{0,0},\mathrm{0,0},\mathrm{0,0},0\right)$
3	$\left(\mathrm{1,0},\mathrm{0,0},\mathrm{0,0},\mathrm{0,0},\mathrm{0,0},\mathrm{0,0},\mathrm{0,0},\mathrm{0,0}\right)\to \left(\mathrm{1,0},\mathrm{0,0},\mathrm{0,0},\mathrm{0,0},\mathrm{0,0},\mathrm{0,0},0\right)$
4	$\left(\mathrm{1,0},\mathrm{0,0},\mathrm{0,0},\mathrm{0,0},\mathrm{0,0},\mathrm{0,0},\mathrm{0,0},\mathrm{0,0}\right)\to \left(\mathrm{1,0},\mathrm{0,0},\mathrm{0,0},\mathrm{0,0},\mathrm{0,0},\mathrm{0,0},0\right)$
5	$\left(\mathrm{1,0},\mathrm{0,0},\mathrm{0,0},\mathrm{0,0},\mathrm{0,0},\mathrm{0,0},\mathrm{0,0},\mathrm{0,0}\right)\to \left(\mathrm{1,0},\mathrm{0,0},\mathrm{0,0},\mathrm{0,0},\mathrm{0,0},\mathrm{0,0},0\right)$
6	$\left(\mathrm{1,0},\mathrm{0,0},\mathrm{0,0},\mathrm{0,0},\mathrm{0,0},\mathrm{0,0},\mathrm{0,0},\mathrm{0,0}\right)\to \left(\mathrm{1,0},\mathrm{0,0},\mathrm{0,0},\mathrm{0,0},\mathrm{0,0},\mathrm{0,0},0\right)$
7	$\left(\mathrm{1,0},\mathrm{0,0},\mathrm{0,0},\mathrm{0,0},\mathrm{0,0},\mathrm{0,0},\mathrm{0,0},\mathrm{0,0}\right)\to \left(\mathrm{1,0},\mathrm{0,0},\mathrm{0,0},\mathrm{0,0},\mathrm{0,0},\mathrm{0,0},0\right)$

.

6. Summary

In this paper, we propose a novel AEAD algorithm design based on the LOL framework [11], which we refer to as MLOL. This new design significantly simplifies security evaluation while being better suited for automated analysis tools, providing an efficient and practical approach to AEAD algorithm [12] design.

Specifically, we enhance the core component of the LOL framework, the LFSR, by introducing a new construction method. This involves extending the original two-branch Feistel structure into a four-branch generalized Feistel structure [15]. This design maximizes the periodicity of the generated sequence while enabling parallel computation. The four-branch structure reduces computational complexity by 50%. As the volume of encrypted data increases, the computational complexity of the LFSR [14] in the LOL framework becomes significantly higher than that of the LFSR with the generalized Feistel structure.

For the above improvements, we have conducted an exhaustive performance evaluation and a comprehensive security analysis study. By comparing the time complexity of the MLOL algorithm with that of the LOL-MINI then GHASH algorithm, we can see that the computational complexity [17] of the LOL-MINI then GHASH algorithm will greatly increase with the increase in encrypted data due to the additional C× operation and ${\mathrm{MUL}}_{\mathrm{H}}$ operation in LOL-MINI then GHASH. It will significantly exceed the computational complexity of MLOL, and the performance of MLOL outperforms that of LOL-MINI then GHASH. In addition, we have conducted a comprehensive security analysis of the MLOL algorithm, and the results demonstrate that the algorithm offers a security strength of 256 bits against current cryptographic analysis techniques.

In summary, the MLOL algorithm, as an important improvement of the LOL framework, provides higher efficiency and security and is able to meet the demands of high-performance and high-security application scenarios. These innovations and optimizations provide a new direction for the design and development of the AEAD algorithm [12].