# TriviA and uTriviA: two fast and secure authenticated encryption schemes

## Abstract

In this paper, we propose two hardware-optimized authenticated encryption schemes: TriviA-v2 and uTriviA. Both TriviA-v2, an efficient hardware optimization of TriviA-0-v1, and uTriviA are based on (i) a stream cipher for generating keys for the ciphertext and the tag, and (ii) a pairwise independent hash to compute the tag. We have adopted one of the ISO-standardized stream ciphers for lightweight cryptography, namely Trivium, to obtain our underlying stream cipher. The main structure of TriviA-v2 remains the same as that of TriviA-0-v1, except for some changes in the internal functions. The stream cipher used in both TriviA-v2 and uTriviA has a 384-bit state, slightly larger than Trivium, and can accommodate a 128-bit secret key and IV. TriviA-v2 uses a pairwise independent hash which is an adaptation of the EHC or "Encode-Hash-Combine" hash; it requires the optimum number of field multiplications and hence a small hardware footprint. uTriviA uses a pairwise independent hash which is an adaptation of the HC or "Hash-Combine" hash, which is close to EHC but does not use any encode function. We prove that the TriviA-v2 construction has at least 128-bit security for privacy and 124-bit security for authenticity under the assumption that the underlying stream cipher produces a pseudorandom bit stream. The uTriviA construction achieves at least 128-bit security for privacy and 93-bit security for authenticity under the same assumption. We have implemented the designs in synthesizable RTL. Pre-layout synthesis using 65 nm standard cell technology reveals that TriviA-v2 achieves a high throughput of 65.9 Gbps for an area of 21.2 KGE, whereas TriviA-0-v1 required a much higher hardware area. The uTriviA design achieves a hardware area of only 16.74 KGE, the lowest among all the TriviA variants, but with a lower throughput of 36.76 Gbps. Finally, we provide a brief comparison between the three constructions TriviA-0-v1, TriviA-v2 and uTriviA and other standard implementations in terms of the hardware area-efficiency metric.
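The composition the abstract describes, a stream cipher supplying both the encryption pad and the keys for the tag, and a pairwise independent hash producing the tag, as an added example that is not the paper's code: it uses standard 80-bit eSTREAM Trivium rather than TriviA's 384-bit variant, a GF(2^32) polynomial hash as a stand-in for EHC, an assumed field modulus in place of the paper's p_32(x), and a toy 32-bit tag.

```python
import hmac
# Added example, not the paper's code: standard 80-bit eSTREAM Trivium feeding a
# Wegman-Carter tag over GF(2^32). Assumed stand-ins: plain Trivium for TriviA's
# 384-bit variant, a polynomial hash for EHC, modulus x^32+x^7+x^3+x^2+1 for
# p_32(x); the 32-bit tag is illustrative only and far too short for real use.
IRRED32 = (1 << 32) | (1 << 7) | (1 << 3) | (1 << 2) | 1
def trivium_bits(key: bytes, iv: bytes, n: int) -> list:  # n keystream bits, 10-byte key and iv
    bits = lambda b: [(x >> i) & 1 for x in b for i in range(8)]  # LSB-first
    s = [0] + bits(key) + [0] * 13 + bits(iv) + [0] * 112 + [1, 1, 1]  # s[1..288]
    out = []
    for step in range(4 * 288 + n):  # 1152 warm-up rounds produce no output
        t1, t2, t3 = s[66] ^ s[93], s[162] ^ s[177], s[243] ^ s[288]
        if step >= 4 * 288:
            out.append(t1 ^ t2 ^ t3)
        t1 ^= (s[91] & s[92]) ^ s[171]
        t2 ^= (s[175] & s[176]) ^ s[264]
        t3 ^= (s[286] & s[287]) ^ s[69]
        s[1:94], s[94:178], s[178:289] = [t3] + s[1:93], [t1] + s[94:177], [t2] + s[178:288]
    return out

def gf32_mul(a: int, b: int) -> int:  # carry-less multiply modulo IRRED32
    r = 0
    while b:
        r ^= a if b & 1 else 0
        b >>= 1
        a = (a << 1) ^ (IRRED32 if a >> 31 else 0)
    return r

def poly_hash(k: int, data: bytes) -> int:  # Horner over 32-bit LE blocks plus a length block
    blocks = [int.from_bytes(data[i:i + 4].ljust(4, b"\0"), "little") for i in range(0, len(data), 4)]
    h = 0
    for blk in blocks + [len(data)]:
        h = gf32_mul(h ^ blk, k)
    return h

def derive(key: bytes, iv: bytes, n: int):  # bytes 0..7: hash key k1, tag mask k2; rest: pad
    b = trivium_bits(key, iv, 8 * (8 + n))
    ks = bytes(sum(b[8 * i + j] << j for j in range(8)) for i in range(8 + n))
    return int.from_bytes(ks[:4], "little"), int.from_bytes(ks[4:8], "little"), ks[8:]

def ae_encrypt(key: bytes, iv: bytes, ad: bytes, msg: bytes):
    k1, k2, pad = derive(key, iv, len(msg))
    ct = bytes(m ^ z for m, z in zip(msg, pad))
    tag = poly_hash(k1, ad + ct + len(ad).to_bytes(4, "little")) ^ k2
    return ct, tag.to_bytes(4, "little")

def ae_decrypt(key: bytes, iv: bytes, ad: bytes, ct: bytes, tag: bytes):  # constant-time tag check
    k1, k2, pad = derive(key, iv, len(ct))
    want = (poly_hash(k1, ad + ct + len(ad).to_bytes(4, "little")) ^ k2).to_bytes(4, "little")
    return bytes(c ^ z for c, z in zip(ct, pad)) if hmac.compare_digest(want, tag) else None
```

Because k1 and k2 are drawn from the IV-dependent keystream, every (key, IV) pair gets fresh hash and mask keys, which is what the Wegman-Carter argument needs; plaintext is returned only after the tag matches.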

## Keywords

Trivium · Stream cipher · Authenticated encryption · Pairwise independent · EHC · TriviA · uTriviA

## Notes

### Acknowledgments

We would like to thank the reviewers for their detailed comments and suggestions for the betterment of our paper. Their suggestion regarding the choice of the primitive polynomial \(p_{32}(x)\) helped us to increase the area–throughput ratio for TriviA-v1, TriviA-v2 and uTriviA. We are thankful for that.
