 Good afternoon. Today I'll be talking about the stream cipher atom that employs a short internal state as well as a double key filter. Now the main question to consider over here is why or how stream cipher with the short internal state is any different from a stream cipher with longer internal state for example. In each of the 2001 Alex Pyrruchov and Adish Amir published their seminal paper on time memory data trade-off attacks. And one of the main conclusions of that paper was that for a stream cipher to be secured against TMG trade-off attacks, the size of its internal state must be at least one and a half to two times the size of its secret key in bits. It was considered to be the rule of thumb for many years until FSE of 2015, during which Omnik and Mikhailov proposed a stream cipher sprout, whose internal state had size equal to the size of its secret key. Now, in spite of this sprout did not succumb to generic TMG trade-off attacks, like the ones described by Pyrruchov and Shamir. At the same time, it occupied much less area and hardware when compared to other stream ciphers that offered the same security levels. Now, let us try and understand why it was considered a rule of thumb that for a stream cipher to be secure, its internal state had to be one and a half to two times the size of its secret key. Now, we all know that any stream cipher is a finite state machine. So we have these states SFI, which are updated at every clock cycle by this function G. And let F be the function that maps any state SI to a key stream vector of the same length. Now, crypt analysis in this case reduces to inverting this one-way function F at any of the points here. In other words, given Zi, we try to invert this one-way function at any one of the points to get the state SI. And if the update function G is invertible, we can invert SI, get all the way back to S1, and then we can invert the mixing function to get the key. Now, the idea suggested by Birkhoff and Shamir to do this was to construct offline tables, which the attacker could then use in the online stage to find the key. So the idea was as follows. So the attacker chose, let's say, M number of random states from the internal state space of the stream cipher, and then iterated this function F to T number of times. And then he stored the endpoints of this table, endpoints of this chain in the table. So after having done so, what the attacker did is that he covered a fraction of the state space in one table. Now, in the online stage, the attacker tries to look for a given key stream segment in the table. And what he does is he tries to apply the function F multiple number of times to see if the iterated function over the key stream vector appears in the table. Let's say he finds it after I iterations of application in the function F. And as this goes back to the beginning of the chain and then applies the function F to love T minus one minus itimes to find the preimage of the key stream vector in the function F. Now, the author showed that this leads to a trade off curve of the form TM square and D square equals N square, but the limitation that T had to be larger than D square. Now, the M and D denote time, the memory and data complexity of this algorithm. Capital N is of course the size of the state space and the offline complexity P is given as capital N over T. Now, a typical point on this trade off curve is one where capital T and capital P are both equal to N over to enter the part two over three, which are both less than N. And capital K capital K be the size of the key space. And then if we choose capital N equal to capital K, or in other words, if the size of the internal state of the site for is equal to the size of the key. Then this of course is a valid attack because both the online and the offline complexities are less than K, which is the complexity of exhaustive search. Therefore, the authors proposed that capital N should be at least case square. The internal state should be at least twice the size of the key. If this were to be so then it would be impossible to find the point on this trade off curve where what capital T and capital P and less than K, which is the complexity of exhaustive search. So the main idea behind Sprout was to make the state update function G such that any function if mapping the internal state to the key stream vector. This would provide the secret key as in as input. And so it would not be possible to construct a function F that maps state to key stream without the input of this extra information which was secret key. This made the effective state size of the cycle around 160 bits, which was of course twice the size of the key and therefore a generic TMD attack like the ones described by Peter Coventry Meir can be avoided. Now this is the structure for Sprout and those who are familiar with the structure for the crane family of cyphers will probably recognize this. So it consists of non linear register and linear register connected by an XOR gate. Sprout additionally employs around key generation function that continuously updates the state by exploring to the update of the NFSL function over here. And this is the reason why it is not possible to construct a function that maps the only this internal state to the key stream vector without without the input of the key. So there were many cryptanalytic attempts on Sprout. The most devastating of which was proposed by Sjin and Karat SSE of the same year I think. And the problem lies in the non in the non linear key generation from the round key generation function that is employed by Sprout, which as you can see is a product of the key bit and the sum of certain bits from the register. So this kind of dance the design on its head. So we've already seen that it's not possible to construct a function that maps only state to key stream. Not for Sprout at least, but the attackers observed that there is a class of states, a class of big states for which this sum is zero for 40 consecutive iterations. Now, when this happens, the contribution of the secret key to the state update function is essentially zero. And for all these class of big states now possible to device a function that maps only the internal state to the key stream. It turns out that all such states are easy to enumerate. The offline phase all the attack it has is to build a list of all such states and the corresponding key stream vectors that they produce and search on a table. In the online stage of the key stream segment exists on the table that hacker can form a set of polynomial equations in the secret key and the state variables. And turns out that this set of equations can be solid efficiently to give us the secret key. In the end the attack requires only two is what 33 steps and only 770 terabytes of memory, which is practical with respect to both time and space. So in every year of 2017, the same orders proposed the stream cipher plantlet, which pretty much fixed all the problems that sprouted. Now after the AC attack it was crystal clear that for any such design to survive the key, the run key function had to be linear. And so, in plantlet the authors changed around key function to key of team of team on it. And after this, there were, there was no longer a possibility that weak states would exist and so previous attack could be prevented. And there were other small design tweaks made, for example, in order to avoid LFS are falling into the old zero state. They changed the state update function during the key stream phase little. And furthermore they increase the size of the LFS are to 61 bits, which took the total in size of the internal state 201 bits. This was mainly done to prevent guessing the demon attacks of the type support by limo and now the sensor and crypto 2015. So they imposed another restriction total amount of key stream bits extractable reach key IP pair was limited to two to about 30 bits. Now, in every year of 2020 near collision attack was reported against plantlet. Okay, so the main idea was as follows. So the C1 and T2 B2 time intervals, both multiple ET. And the others observed that if LT one and LT two are internal states of pro of plantlet that deferred and only the 43rd LFS allocation. And these states produced the key stream vectors ZT one and ZT two, the difference of which had zero or one in 45 positions with probability one. So let us call this pattern B. And the reason why this happens is that the output function H that produces the key stream bit and plantlet is a Boolean function of 17 bits. The entire state is of size 101 bits. So, when a single LFS hard difference propagates one cycle to the left, so many times. It so happens that this difference sits on a registered location that does not provide any input to the output function. And so for all all such time intervals. The key stream bit produced by the two states have have to be equal with probability one. So this happens for 45 clock cycles. And therefore, the differential trail has zero or one with probability one in 45 positions. However, notice that the opposite is not true. If two key stream vectors ZT one and ZT two differ with the pattern B, then it is not necessary that they're produced by internal states that differ in the dimension. So, in the paper, the artist proved that given the key stream limitation imposed by the designers of plantlet. The probability that this situation occurs that we get to internal states that differ only by 43 probability that this occurs around to the bottom minus 55. So, the attacker repeats the process for two bar 55 different randomly generated IVs. After which you can expect to get key stream vectors generated by the state difference of E 43, the least once. And once this happens, the attacker can again formulate the system polynomial equations in the state and their secret key variables and solve them efficiently to get the key. We now come to the construction of our design, which we call Adam. The design philosophy has been to react previous attacks. And the reason within ourselves, how to provide best solutions that counteract these attacks. So this is what we came up with. So Adam is a stream cycle with the state size of 159 bits and 128 bits secret key. We have nonlinear register of 90 bits linear register of 60 bits and the decimal up counter of nine bits. So initially the IV and some constants are loaded on the registers and system, the finite state machine is allowed to execute for 511 cycles without using key stream bit. So, in this respect, you can see that the structure of Adam, at least during the initialization phase is quite similar to that. So what happens after initialization is quite interesting. Now the LFSR the 60 bit LFSR and the law and the nine bit decimal counter combined to get it to give us a bigger LFSR of size 69 bits, which is updated linearly. The last seven bits of the LFSR, let's call it deep determines which key bit is added to the NFS update function over here. And this is an additional key filter that is KT mod K of team 128. So it kind of uses two key filters to update the internal state at every clock cycle. So the remaining section of the remaining section presentation, we will try to prove. I will try to explain why both the key filters are necessary for the security of this frame cycle particular. So the KD filter, what he does is basically prevent a new collision attack like the one proposed. Yes, plantlet in plantlet for a single bit difference in the LFSR we have seen that there is the resultant key stream difference had zero or one in 45 positions with probably one. In atom this figure is only 18. So the attacker will have to spend more computational resources to identify or to assert in whether given key stream difference as emanated from a particular single bit LFSR difference or not. And this kind of pushes the total complexity of the near collision attack to the one required to solve two to the power 141 equation systems, which is of course much larger than exhaustive search. Now, so one may wonder why this figure for atom is only 18, given the fact that atom has much larger internal state. Now for plantlet of any other stream cycle with the green structure. Any difference at the end of the LFSR is shifted left towards by at most one bit in the next cycle. However, in atom it is different. Because the last seven bits also can also control which key bit is added on to the update function. So, potentially one may have the case, when for which a single bit LFSR difference also introduces a difference in the NFS are in the next cycle. So as a result any difference in the last seven bits of the LFSR gets diffused in terms of it very quickly. Even if there is a difference in not in the last seven bits of the LFSR consider a difference in the in any internal bit of the LFSR. This difference is fed back to the last LFSR bit in less than 13 cycles through the LFSR update function. So this being the case. Any difference in the internal state in the internal state of the LFSR gets diffused into the entire internal state very very quickly. And this prevents a differential field of good enough property being formed. So, one may not really ask why the second key filter this key of team 128 by this is necessary. So in order to show why this is necessary we will consider a variant of atom, which is not employed the second filter. And they will show that this variant of atom which does not employ a second filter be sure a very simple TND trade off attack. Now, the first observe that there exists weak LFSR states for which Dean that is the last seven bits of the LFSR takes value from this set. One, two, four, one, two, four, eight up to 128 for trouble to successfully iterations. Now, when this happens is that the set of key and the set of key update and the set of key bits that updates the internal state has got nothing to only seven. It only consists of the key bits K1 K2 up to 128. Now, when this happens, just like in the time the attack against proud, we can think of constructing a function that maps the state, the internal state to the key stream vector that requires only seven bits of key as input. Now the idea is we store all these states and key stream bits in a table and in the online stage, we look for the key stream and try to solve for the state and the key. Note for this deed to have to take values only from the set for capital T successfully iterations. We need that the LFSR into the initial LFSR state satisfy this system of linear equations. This is a linear equation with the rank T plus six, which means that there are total of two is about 63 minus T LFSR initial states satisfies these conditions. Since the system is linear, all these states can easily integrate it. And the idea is to store in a table all these states and the key stream vectors that produces. So we store in a table. So in the offline state we store in the table. So all the two to the bar 90 LFSR states all the two to the bar seven keys and all the two to the bar 63 minus TV LFSR states and the corresponding key stream bits that it produces the offline complexity is around to the bar 160 minus T and memory complexity in bits is around 160 times that and in the online stage, the attacker will simply look for this key stream bits in the table and then extract the corresponding internal state and try to solve for the key. So it was shown in the paper that those online complexity in this exercise result a result to around to the bar 173 minus T. And given the offline complexity stood by 60 minus T. For a value of T around 60 both of these complexities are less than 128. So this is just the complexity of the search. This is why there's this additional Katie more than 28 filters necessary. When we have the Katie modern 28 filter this ensures that any function that maps keys and the state to the key stream bits to the state to any key stream bits. We cannot formally dysfunction with less than capital T secret key bits. And so this attack is automatically prevent. And so there are some other security arguments. For example, the number of initialization run this set to 511, which ensures that the LFSR enters the second stage with the value 511 or one ff in the last nine bits. And this kind of ensures that the LFSR never gets stuck in the old state. Are you extensively with respect to security against linear different from getting determined attacks. We request the readers to refer to the paper for more details. So we implemented the circuit of our construction hardware. In the course of three centers and libraries were used of different feature sizes. And we compared our construction to other stream ciphers that provide down 28 bits of security like rain hundred 28. Craveium and is encounter mode. And in this slide, we present only results for the open source library now get free five. And this is the cypher that for 128 bit security are in blue, blue background. And we can see that with respect to hardware area, energy and power consumption. Atom, compared favorably to all the other cypher stat. Offer a great bit of security. So this thing brings me to the end of our presentation. I hope you found it both informative and interesting. If you have any other questions, please feel free to contact any of those by email. Thank you.