Journal of Cryptographic Engineering

, Volume 8, Issue 1, pp 29–48 | Cite as

TriviA and uTriviA: two fast and secure authenticated encryption schemes

  • Avik ChakrabortiEmail author
  • Anupam Chattopadhyay
  • Muhammad Hassan
  • Mridul Nandi
Regular Paper


In this paper, we propose two hardware optimized authenticated encryption schemes: TriviA-v2 and uTriviA. Both TriviA-v2, an efficient hardware optimization of TriviA-0-v1, and uTriviA are based on (i) a stream cipher for generating keys for the ciphertext and the tag, and (ii) a pairwise independent hash to compute the tag. We have adopted one of the ISO-standardized stream ciphers for lightweight cryptography, namely Trivium , to obtain our underlying stream cipher. The main structure of TriviA-v2 remains same as TriviA-0-v1, except some changes in the internal functions. The stream cipher used both in TriviA-v2 and uTriviA has a 384-bit state, slightly larger than Trivium, and can accommodate a 128-bit secret key and IV. TriviA-v2 uses a pairwise independent hash which is an adaptation of the EHC or “Encode-Hash-Combine” hash that requires the optimum number of field multiplications and hence requires small hardware footprint. uTriviA uses a pairwise independent hash which is an adaptation of the HC or “Hash-Combine” hash which is close to EHC but does not use any encode function. We prove that TriviA-v2 construction has at least 128-bit security for privacy and 124-bit security of authenticity under the assumption that the underlying stream cipher produces a pseudorandom bit stream. The uTriviA construction achieves at least 128-bit security for privacy and 93-bit security of authenticity under the same assumption. We have implemented the designs in synthesizable RTL. Pre-layout synthesis using 65 nm standard cell technology reveals that TriviA-v2 is able to achieve a high throughput of 65.9 Gbps for an area of 21.2 KGE, whereas TriviA-0-v1 achieved a much higher hardware area. The uTriviA design achieves a hardware area of only 16.74 KGE, which is lowest among all the TriviA variants but with a lower throughput of 36.76 Gbps. Finally, we provide a brief comparison between the three constructions TriviA-0-v1, TriviA-v2 and uTriviA and the other standard implementations in terms of hardware area-efficiency metric.


Trivium Stream cipher Authenticated encryption Pairwise independent EHC TriviA uTriviA 



We would like to thank the reviewers for their detailed comments and suggestions for the betterment of our paper. Their suggestion regarding the choice of the primitive polynomial \(p_{32}(x)\) helped us to increase the area–throughput ratio for TriviA-v1, TriviA-v2 and uTriviA. We are thankful to that.


  1. 1.
    Bellare, M., Namprempre, C.: Authenticated encryption: relations among notions and analysis of the generic composition paradigm. In: ASIACRYPT. Lecture Notes in Computer Science, vol. 2501, pp. 531–545 (2000)Google Scholar
  2. 2.
    Jutla, C.: Encryption modes with almost free message integrity. J. Cryptol. 21, 547–578 (2008)MathSciNetCrossRefzbMATHGoogle Scholar
  3. 3.
    CAESAR competition for authenticated encryption. Secur. Appl. Robust. (2014).
  4. 4.
    Cannière, C. D., Preneel, B.: “Trivium,” new stream cipher designs. In: The eSTREAM Finalists. Lecture Notes in Computer Science, vol. 4986, pp. 244–266 (2005)Google Scholar
  5. 5.
    Hell, M., Johansson, T., Meier, W.: Grain: a stream cipher for constrained environments. Int. J. Wirel. Mob. Comput. 2(4), 86–93 (2007)CrossRefGoogle Scholar
  6. 6.
    Babbage, S., Dodd, M.: The eSTREAM Finalists. pp. 191–209. Springer (2008)Google Scholar
  7. 7.
    eSTREAM The ECRYPT Stream Cipher Project.
  8. 8.
    International organization for standardization. In: ISO/IEC 29192-3:2012, Information technology—Security techniques—Lightweight cryptography—Part 3: Stream ciphers (2102).
  9. 9.
    Bernstein, D.J.: Cycle counts for authenticated encryption. In: Workshop Record of SASC 2007: The State of the Art of Stream Ciphers (2007)Google Scholar
  10. 10.
    Ferguson, N., Whiting, D., Schneier, B., Kelsey, J., Lucks, S., Kohno, T.: Fast encryption and authentication in a single cryptographic primitive. In: FSE. Lecture Notes in Computer Science, vol. 2887, pp. 330–346 (2003)Google Scholar
  11. 11.
    Whiting, D., Schneier, B., Lucks, S., Muller Phelix, F.: Fast Encryption and Authentication in a Single Cryptographic Primitive. (2004)
  12. 12.
    Muller, F.: Differential attacks against the Helix stream cipher. In: FSE. Lecture Notes in Computer Science, vol. 3017, pp. 94–108 (2004)Google Scholar
  13. 13.
    Wu, H., Preneel, B.: Differential-linear attacks against the stream cipher Phelix. In: FSE. Lecture Notes in Computer Science, vol. 4593, pp. 87–100 (2007)Google Scholar
  14. 14.
    Hell, M., Johansson, T., Maximov, A., Meier, W.: A Stream Cipher Proposal: Grain-128. In: International Symposium on Information Theory-ISIT. IEEE (2006)Google Scholar
  15. 15.
    ETSI/SAGE specification. In: Specification of the 3GPP Confidentiality and Integrity ALgorithms UEA2 and UIA2. Document 5: Design and Evaluation Report, Version 1.1. European Telecommunications (2006)Google Scholar
  16. 16.
    ETSI/SAGE specification. In: Specification of the 3GPP Confidentiality and Integrity ALgorithms UEA2 and UIA2. Document 2: SNOW 3G Specification. European Telecommunications (2006)Google Scholar
  17. 17.
    Sarkar, P.: Modes of operations for encryption and authentication using stream ciphers supporting an initialisation vector. Cryptogr. Commun. 6(3), 189–231 (2014)MathSciNetCrossRefzbMATHGoogle Scholar
  18. 18.
    Bernstein, D.J: The Poly1305-AES message-authentication code. In: FSE Lecture Notes in Computer Science, vol. 3557, pp. 32–49 (2005)Google Scholar
  19. 19.
    Chakraborti, A., Chattopadhyay, A., Hassan, M., Nandi M.: TriviA: a fast and secure authenticated encryption scheme. In: CHES. Lecture Notes in Computer Science, vol. 9293, pp. 330–353 (2015)Google Scholar
  20. 20.
    Chakraborti, A., Nandi, M.: TriviA-ck-v1. (2014)
  21. 21.
    Nandi, M.: On the minimum number of multiplications necessary for universal hash constructions. In: FSE. Lecture Notes in Computer Science, vol. 8540, pp. 489–508 (2014)Google Scholar
  22. 22.
    Helion technology. In: AES-CCM core.
  23. 23.
    Fan, X., Gong, G.: Specification of the stream cipher WG-16 based confidentiality and integrity algorithms. (2013)
  24. 24.
    Moon, T.K.: Error Control Coding: Mathematical Methods and Algorithms. Wiley, New York (2005)CrossRefzbMATHGoogle Scholar
  25. 25.
    Mansour, Y., Nissan, N., Tiwari, P.: The computational complexity of universal hashing. In: Twenty Second Annual ACM Symposium on Theory of Computing, pp. 235–243 (1990)Google Scholar
  26. 26.
    Bierbrauer, J., Johansson, T., Kabatianskii, G., Smeet, B.: On families of hash functions via geometric codes and concatenation. In: CRYPTO. Lecture Notes in Computer Science, vol. 773, pp. 331–342 (1993)Google Scholar
  27. 27.
    den Boer, B.: A simple and key-economical unconditional authentication scheme. J. Comput. Secur. 2, 65–72 (1993)Google Scholar
  28. 28.
    Taylor, R.: Near optimal unconditionally secure authentication. EUROCRYPT 950, 244–253 (1995)zbMATHGoogle Scholar
  29. 29.
    Dinur, I., Shamir, A.: Cube attacks on tweakable black box polynomials. In: EUROCRYPT. Lecture Notes in Computer Science, vol. 5479, pp. 278–299 (2009)Google Scholar
  30. 30.
    Fouque, P.A., Vannet, T.: Improving key recovery to 784 and 799 rounds of Trivium using optimized cube attacks. In: FSE. Lecture Notes in Computer Science, vol. 8424 (2013)Google Scholar
  31. 31.
    National Institute of Standards and Technology. In: A Statistical Test Suite for Random and Pseudorandom Number Generators for Cryptographic Applications. NIST Special Publication 800-22rev1a (2010).
  32. 32.
    Maximov, A., Biryukov, A.: Two trivial attacks on Trivium. In: Selected Areas in Cryptography. Lecture Notes in Computer Science, vol. 4876, pp. 36–55 (2007)Google Scholar
  33. 33.
    Moore, G.E.: Cramming more components onto integrated circuits. In: Electronics Magazine, p. 4. (1965)
  34. 34.
    Grosso, V., Leurent, G., Standaert, F., Varici, K., Durvaux, F., Gaspar, L., Kerckhof, S.: SCREAM and iSCREAM Side-Channel Resistant Authenticated Encryption with Masking. (2014)
  35. 35.
    Good, T., Benaissa, M.: Hardware results for selected stream cipher candidates. In: State of the art of stream ciphers 2007 (SASC 2007), Workshop record (2007)Google Scholar
  36. 36.
    Mansouri, S.S., Dubrova, E.: An improved hardware implementation of the Grain-128a stream cipher. In: International Conference on Information Security and Cryptology (2012)Google Scholar
  37. 37.
    Aumasson, J.P., Jovanovic, P., Neves, S.: NORX: parallel and scalable AEAD. In: Computer Security-ESORICS, 19–36. Springer (2014).
  38. 38.
    Gro\(\beta \), H., Wenger, E., Dobraunig, C., Ehrenhofer, C.: Suit up! Made-to-Measure Hardware Implementations of ASCON. (2014)
  39. 39.
    Bhattacharjee, D., Chattopadhyay, A.: Efficient hardware accelerator for AEGIS-128 authenticated encryption. In: Inscrypt. Lecture Notes in Computer Science, vol. 8957, pp. 385–402 (2014)Google Scholar
  40. 40.
    Wu, H., Preneel, B.: AEGIS: a fast authenticated encryption algorithm. In: SAC. Lecture Notes in Computer Science, vol. 8282, pp. 185–201 (2013)Google Scholar
  41. 41.
    Agren, M., Hell, M., Johansson, T., Meier, W.: Grain-128a: a new version of Grain-128 with optional authentication. Int. J. Wirel. Mob. Comput. 5, 48–59 (2011)CrossRefGoogle Scholar
  42. 42.
    Gaj, K.: CERG: Cryptographic Engineering Research Group. (2016)
  43. 43.
    McGrew, D.A., Viega, J.: The Galois/Counter Mode of Operation (GCM). (2005)

Copyright information

© Springer-Verlag Berlin Heidelberg 2016

Authors and Affiliations

  1. 1.Indian Statistical InstituteKolkataIndia
  2. 2.School of Computer Science and EngineeringNTUSingaporeSingapore
  3. 3.Institute of Computer ScienceUniversity of BremenBremenGermany

Personalised recommendations