Sage Journals: Discover world-class research

Abstract

Distributed sensor networks have been widely applied to healthcare, environmental monitoring and management, intelligent transportation, and other fields in which network sensors collect and transmit information about their surrounding environment. Radio frequency identification technology transmits an object’s identification as a unique serial number—using radio waves as the transmission carrier—and is becoming an important building block for distributed sensor networks. However, the security of radio frequency identification systems is a major industrial concern that can significantly hinder the market growth of distributed sensor networks. Trivium is a well-known lightweight synchronous stream cipher that was submitted to the European eSTREAM project in April 2005. In this article, we generalize Trivium to the Trivium-Model algorithm and highlight that security is mainly determined by the internal state bits and the number of nonlinear terms. We propose principles for choosing parameters and generating better parameters that are feasible for low-cost radio frequency identification tags in distributed sensor networks. The new algorithm, named Micro-Trivium, requires less power and a smaller chip area than the original Trivium, which is proven using experimental data and results. Mathematical analysis shows that using Micro-Trivium is as secure as using Trivium.

Keywords

Trivium radio frequency identification distributed sensor network security Micro-Trivium

Introduction

Background

The Internet of Things (IoT) involves technology that connects objects and people by means of electronic devices. IoT applications are deployed in a variety of objects that are attached to terminal devices, such as sensors, actuators, and radio frequency identification (RFID) tags. RFID technology is applied to a variety of areas for target perception, control, and recognition as part of distributed sensor networks, including environmental monitoring and management, healthcare, and transportation systems management.^1–3 Before RFID systems can be deployed in critical infrastructures, such as emergency rooms and power plants, the security properties of their sensors must be fully examined.^3,4 In fact, the security of RFID systems is a major industrial concern that could significantly hinder the market growth of distributed sensor networks.

However, sensor networks are not traditional computing devices, and existing security models and methods are therefore inadequate. Instead, the security components must suit the low resource and power consumption of the devices.⁴

Trivium is a well-known lightweight synchronous stream cipher designed by C De Canniere and B Preneel,⁵ which was submitted to the European ECRYPT Stream Cipher Project (eSTREAM) project in April 2005. Trivium was designed to be hardware-oriented, such that the algorithm emphasizes effectiveness—particularly the effectiveness of hardware implementation—without weakening security. Compared with other stream ciphers (such as A5/1⁶), Trivium’s performance was shown to be superior during the three phases of eSTREAM evaluation on the stream cipher proposals.⁷

Trivium is designed as a lightweight algorithm that requires much less resource consumption than traditional cryptography techniques, such as AES (Advanced Encryption Standard), ECC (Elliptic Curve Cryptography), and hash-based algorithms.^8–11 However, it remains too costly for low-cost RFID tags in distributed sensor networks due to their extreme resource limitations.³ Therefore, we attempt to design a more lightweight Trivium-like algorithm to fit the environment of distributed sensor networks.

Related works

There has been no successful attack demonstrated against Trivium to date. Raddum¹² has tried to solve the equations of Trivium with a special technique, but his method is too complex when applied to the full cipher of Trivium, and the attack is no faster than an exhaustive search. Numerical attacks, as proposed by J Borghoff et al.,¹³ convert the equations system to a mixed-integer programming problem. However, the attack is only useful on Bivium, which is an inferior version of Trivium. Maximov and Biryukov¹⁴ study two attacks on Trivium, that is, state recovering and statistical tests. A state recovering attack is regarded as the most powerful attack against Trivium, but the estimated time complexity of this attack remains approximately $2^{83.5}$ s. The binary decision diagrams (BDD) attack through the boolean satisfiability problem (SAT) solver, as proposed by Eibach et al.,¹⁵ reveals a faster speed against Bivium. However, the potential to attack Trivium remains an open question. Considering that our algorithm is designed for distributed sensor networks, other attacks such as cube attacks and fault analyses are not suitable for such an environment.^16–19

Enhanced-Bivium, as proposed by Zhang et al.,²⁰ is an improved version of Bivium that is also designed for RFID systems. However, although Enhanced-Bivium can theoretically provide more security than the original Trivium, it has been shown to be less secure than Trivium. There has been no successful attack against Trivium-like algorithms, but there have been some successful attacks implemented against Bivium due to its two-layer structure, which is smaller than the three-layer structure of Trivium-like algorithms. This additional layer substantially increases the complexity of attacks. Although there has been no successful attack against Enhanced-Bivium to date, it will face more potential attacks than Trivium-like algorithms.

Main contributions

In this article, we aim to design a lightweight Trivium-like algorithm suitable for distributed sensor networks. Our main contributions are as follows:

Study the mathematical structure of Trivium and generalize it to the Trivium-Model algorithm.

Propose a “Micro-Trivium” algorithm with better parameters that can provide increased security and better performance in chip size and power consumption.

Propose the principles of choosing good parameters.

The remainder of the article is organized as follows. Section “Trivium-Model algorithm and Micro-Trivium” generalizes Trivium to the “Trivium-Model” algorithm and proposes the “Micro-Trivium” algorithm. The resource consumption of Trivium and Micro-Trivium is compared through experimental data in section “Emulation results for resource consumption.” The security of Trivium and Micro-Trivium is discussed in section “Security analysis.” Section “Discussion” discusses the results and explains the principles of choosing the parameters. The final section, section “Conclusion,” concludes.

Trivium-Model algorithm and Micro-Trivium

Trivium⁵ is designed to generate up to $2^{64}$ bits of key stream from an 80-bit secret key (Key) and an 80-bit initial value (IV). The process consists of two phases: first, the internal state of the cipher is initialized using the Key and IV and then the state is repeatedly updated and used to generate key stream bits. Trivium has a 288-bit internal state, which can be denoted as $s = (s_{1}, s_{2}, \dots, s_{288})$ . The structure of Trivium is given in Figure 1.

Figure 1.

Structure of Trivium.

Trivium consists of three registers with similar structures. Maximov and Biryukov¹⁴ proposed nine parameters to study Trivium’s security under two trivial attacks. However, these parameters are used only to define the size of the registers and are thus only useful to study the properties of the attacks. In this article, we propose a set of new parameters to study Trivium’s internal state. In detail, we generalize Trivium to a “Trivium-Model” algorithm by extracting the sequence index. Algorithm 1 shows the pseudo code of the Trivium-Model algorithm, where N stands for the number of output stream bits, $z = (z_{1}, z_{2}, \dots, z_{N})$ denotes the output stream, and $u_{1} < u_{2} < n_{1} < u_{3} < u_{4} < n_{2} < u_{5} < u_{6} < n_{3}$ are the parameters.

Algorithm 1 Trivium-Model algorithm.
for $i = 1$ to Ndo
$z_{i} \leftarrow s_{3 u_{1}} + s_{3 n_{1}} + s_{3 u_{3}} + s_{3 n_{2}} + s_{3 u_{5}} + s_{3 n_{3}}$
$t_{1} \leftarrow s_{3 u_{1}} + s_{3 n_{1}} + s_{3 n_{1} - 2} \cdot s_{3 n_{1} - 1} + s_{3 u_{4}}$
$t_{2} \leftarrow s_{3 u_{3}} + s_{3 n_{2}} + s_{3 n_{2} - 2} \cdot s_{3 n_{2} - 1} + s_{3 u_{6}}$
$t_{3} \leftarrow s_{3 u_{5}} + s_{3 n_{3}} + s_{3 n_{3} - 2} \cdot s_{3 n_{3} - 1} + s_{3 u_{2}}$
$(s_{1}, s_{2}, \dots, s_{3 n_{1}}) \leftarrow (t_{3}, s_{1}, \dots, s_{3 n_{1} - 1})$
$\begin{matrix} (s_{3 n_{1} + 1}, s_{3 n_{1} + 2}, \dots, s_{3 n_{2}}) \leftarrow (t_{1}, s_{3 n_{1} + 1}, \dots, s_{3 n_{2} - 1}) \end{matrix}$
$\begin{matrix} (s_{3 n_{2} + 1}, s_{3 n_{2} + 2}, \dots, s_{3 n_{3}}) \leftarrow (t_{2}, s_{3 n_{2} + 1}, \dots, s_{3 n_{3} - 1}) \end{matrix}$
end for

Figure 2 shows the structure of the Trivium-Model algorithm. The Key and IV are initialized in the following manner

$s (t) = {\begin{matrix} (s_{1}, s_{2}, …, s_{3 n_{1}}) \leftarrow (K_{1}, K_{2}, …, K_{80}, 0, …, 0) \\ (s_{3 n_{1} + 1}, s_{3 n_{1} + 2}, …, s_{3 n_{2}}) \leftarrow (I V_{1}, I V_{2}, …, I V_{80}, 0, …, 0) \\ (s_{3 n_{2} + 1}, s_{3 n_{2} + 2}, …, s_{3 n_{3}}) \leftarrow (0, …, 0, 1, 1, 1) \end{matrix}$ (1)

Figure 2.

Structure of the Trivium-Model algorithm.

Using this method, a Trivium-like algorithm can be presented by the parameters ${3 u_{1}, 3 u_{2}, 3 n_{1}}$ , ${3 u_{3}, 3 u_{4}, 3 n_{2}}$ , and ${3 u_{5}, 3 u_{6}, 3 n_{3}}$ . In fact, Trivium is a Trivium-Model algorithm, with the parameters shown in Table 1.

Table 1.

Parameters of Trivium.

$u_{1}$	$u_{2}$	$n_{1}$	$u_{3}$	$u_{4}$	$n_{2}$	$u_{5}$	$u_{6}$	$n_{3}$
22	23	31	54	57	59	81	88	96

In this article, we aim to select better parameters for the Trivium-Model algorithm, which will make it feasible to be used by distributed sensor networks while still guaranteeing security. For this purpose, we filter all possible parameters and simulate the results under state recovering attacks and statistical tests.¹⁴ Finally, we choose the best sets of parameters obtained, which is shown in Table 2, and the new algorithm is called “Micro-Trivium.”

Table 2.

Parameters of Micro-Trivium.

$u_{1}$	$u_{2}$	$n_{1}$	$u_{3}$	$u_{4}$	$n_{2}$	$u_{5}$	$u_{6}$	$n_{3}$
1	23	31	32	54	59	60	70	74

In the next section, we will compare the resource consumption of Micro-Trivium with Trivium and other algorithms.

Emulation results for resource consumption

All RFID tags in distributed sensor networks are labeled with a miniaturized integrated circuit (IC) equipped with antennae and some memory blocks.²¹ Reduced power consumption and chip size are our two major design objectives, as a low-cost RFID tag must be priced in the range from $ 0.50 to $1.00 to achieve a significant economic benefit.²² However, the silicon area of the chip determines the costs of the tag, and that area mainly depends on the number of logic gates.²³ Additionally, the available power budget is very small because the dissipated power directly influences the operational range of the tag.²³ The power consumption is largely based on the mean current consumption. Therefore, only 250–3000 gates and 15 µA can be used for security-related operations.^23–25 Trivium requires more than 3000 gates, which is not suitable for low-cost RFID tags in distributed sensor networks. Therefore, we aim to design a lightweight algorithm with fewer than 3000 gates and the smallest mean current consumption possible.

We simulate the Micro-Trivium algorithm in the form of Verilog code on Xilinx FPGA (field-programmable gate array) technology to determine whether it can be used for low-cost RFID tags. We use ISE Design Suite 9.1 to simulate the hardware property, which is based on 0.35 µm CMOS (complementary metal-oxide semiconductor) process technology. Implementing the Micro-Trivium data-path requires 2696 gates, and the mean current consumption is 0.52 µA. Table 3 lists the resource consumption of Trivium, Micro-Trivium, and other algorithms, where the comparison is based on power consumption and gate equivalent (GE) count.^23,26

Table 3.

Resource consumption of eight cipher algorithms.

Algorithm	Trivium	Micro-Trivium	Bivium	AES	MD5	SHA-1	SHA-256	ECC-192
µA@100 kHz	0.68	0.52	0.42	3.00	3.16	3.93	5.86	18.85
GE	3091	2696	2145	3400	8001	8120	10,868	23,600

GE: gate equivalent; AES: Advanced Encryption Standard.

As the results show, Bivium requires the least resource consumption. However, Bivium can be broken in $2^{37}$ s under a state recovering attack, which means that it has severe security threats.¹⁴ Micro-Trivium saves more than 20% in power consumption and more than 10% in chip area compared to Trivium—the best balance between performance and security—because there are 222 internal state bits in Micro-Trivium (as opposed to 288 in Trivium) and the degree of the characteristic polynomial of Micro-Trivium is lower than the degree of original Trivium. However, the internal state bits cannot be too small for security reasons. The parameters of Micro-Trivium are chosen to strike a balance between security and power consumption.

In the next section, the security analysis and comparisons between Micro-Trivium, Trivium, and Bivium will be provided.

Security analysis

Mathematical structure

If we denote the internal state bits of the Trivium-Model algorithm at time t as $s (t) = (s_{1} (t), s_{2} (t), \dots, s_{3 n_{3}} (t))$ , then the internal bits from time t to time t+1 can be expressed as follows

$s (t + 1) = A \cdot s (t) + b (t)$ (2)

where $A = (a_{ij})_{3 n_{3} \times 3 n_{3}}$ is the state-transition matrix of the algorithm with size $3 n_{3} \times 3 n_{3}$

$a_{ij} = {\begin{matrix} 1, & i = 1, j = 3 u_{2}, 3 u_{5}, 3 n_{2} \\ 1, & i = 3 n_{1} + 1, j = 3 u_{1}, 3 u_{4} \\ 1, & i = 3 n_{2} + 1, j = 3 u_{3}, 3 u_{6} \\ 1, & 1 < i \leq 3 n_{3}, j = i - 1 \\ 0, & otherwise \end{matrix}$ (3)

$b (t) = (b_{i} (t))_{3 n_{3}}$ is the nonlinear segment of the algorithm, which is treated as the vectors of bits

$b_{i} (t) = {\begin{matrix} s_{3 n_{3} - 2} (t) \cdot s_{3 n_{3} - 1} (t), & i = 1 \\ s_{3 n_{1} - 2} (t) \cdot s_{3 n_{1} - 1} (t), & i = 3 n_{1} + 1 \\ s_{3 n_{2} - 2} (t) \cdot s_{3 n_{2} - 1} (t), & i = 3 n_{2} + 1 \\ 0, & otherwise \end{matrix}$ (4)

Hence, we can obtain the theorem as shown below.

Theorem 1. The characteristic polynomial of the Trivium-Model algorithm is in the following form

$f (x) = (x^{3} + 1)^{3} \cdot g (x^{3})$ (5)

where $g (\cdot)$ is a primitive polynomial.

The property of the characteristic polynomial $f (x)$ can be evaluated by “k-order primitive polynomial,” which is defined as follows:

Definition 1. Given $f (x) = \sum_{i = 0}^{n} a_{i} x^{i}, n > k$ , $a_{i} \in GF (2), i = 0, 1, \dots, n$ , $f (x)$ is called a k-order primitive polynomial if $f (x) = (x + 1)^{k} \cdot g (x)$ , where $g (x)$ is a primitive polynomial.

Proposition 1. The characteristic polynomial of “Micro-Trivium” is a third-order primitive polynomial.

Proof. By equation (6), the transformation matrix of the “Micro-Trivium” can be expressed as follows

$\begin{matrix} f (x) = x^{222} + x^{213} + x^{171} + x^{132} + x^{123} + x^{90} \\ + x^{84} + x^{51} + x^{42} + 1 \\ = (x^{3} + 1)^{3} \cdot g (x^{3}) \end{matrix}$ (6)

where

$\begin{matrix} g (y) = y^{71} + y^{70} + y^{68} + y^{66} + y^{64} + y^{62} + y^{60} \\ + y^{58} + y^{56} + y^{53} + y^{52} + y^{49} + y^{48} + y^{45} \\ + y^{44} + y^{38} + y^{37} + y^{34} + y^{33} + y^{30} + y^{29} \\ + y^{27} + y^{24} + y^{23} + y^{20} + y^{19} + y^{16} + y^{15} \\ + y^{14} + y^{13} + y^{12} + y^{9} + y^{8} + y^{5} + y^{4} + y + 1 \end{matrix}$ (7)

and it can be verified that $g (\cdot)$ is a primitive polynomial.

Therefore, $f (x)$ is a third-order primitive polynomial.

In fact, the characteristic polynomial of Trivium is also a third-order primitive polynomial. Notably, the characteristic polynomial of the 3-round Trivium⁵ can be derived in a similar manner and expressed as follows

$\begin{matrix} f (x) = x^{288} + x^{219} + x^{210} + x^{201} + x^{141} + x^{132} \\ + x^{123} + x^{87} + x^{72} + x^{60} + x^{54} + x^{45} \\ + x^{42} + x^{27} + x^{15} + 1 \\ = (x^{3} + 1)^{3} \cdot g (x^{3}) \end{matrix}$ (8)

where $g (\cdot)$ is a primitive polynomial that can be expressed as

$\begin{matrix} g (y) = y^{93} + y^{92} + y^{89} + y^{88} + y^{85} + y^{84} + y^{81} + y^{80} \\ + y^{77} + y^{76} + y^{73} + y^{72} + y^{70} + y^{68} \\ + y^{67} + y^{44} + y^{43} + y^{41} + y^{39} + y^{38} + y^{35} + y^{34} \\ + y^{31} + y^{30} + y^{27} + y^{25} + y^{23} \\ + y^{20} + y^{19} + y^{17} + y^{14} + y^{13} + y^{12} + y^{9} + y^{8} \\ + y^{6} + y^{4} + y + 1 \end{matrix}$ (9)

Therefore, we have the following proposition.

Proposition 2. The characteristic polynomial of the Trivium algorithm is a third-order primitive polynomial.

Therefore, Trivium and Micro-Trivium have the similar mathematical structure.

Attack analysis

Now, we compare Trivium and Micro-Trivium under the state recovering attack and statistical tests. The state recovering attack is considered the most powerful attack against Trivium. Statistical tests, also known as linear distinguishing attacks, continue to be one of the most powerful tools for analyzing stream ciphers. The descriptions of the two attacks are presented in Algorithms 2 and 3.

Algorithm 2 State recovering attack on the Trivium-Model algorithm.
for $t = 0$ to $⌈ time ⌉$ do
Assume $s_{3 n_{1} - 2} (3 i + 1) \cdot s_{3 n_{1} - 1} (3 i + 1) = s_{3 n_{2} - 2} (3 i + 1) \cdot s_{3 n_{2} - 1} (3 i + 1) = s_{3 n_{3} - 2} (3 i + 1) \cdot s_{3 n_{3} - 1} (3 i + 1) = 0, 0 \leq i < g_{a}, 0 \leq k < g_{c}$
Collect d linear equations on $T_{0} (t)$ with probability $1$ and $\sum_{w = 1}^{4} l_{w}$ more linear equations with total probability $p_{l}$ .
for each guess of the remaining $n_{3} - d - \sum_{w = 1}^{4} l_{w}$ bits in $T_{0} (t)$ do
Derive the state of $T_{0} (t)$ using the linear equations collected in the last step.
Collect $2 n_{3}$ linear equations on $T_{1} (t)$ and $T_{2} (t)$ .
Recover the state of $T_{1} (t)$ and $T_{2} (t)$ by the linear equations collected in the previous step and verify the solution in time $O (1)$ .
end for
end for

Algorithm 3 Statistical tests attack on Micro-Trivium.
Given $z = (z_{1}, z_{2}, \dots)$ - the output stream of Micro-Trivium of length $2^{252}$
Init $P [2] = 0$ - a binary distribution, not normalized
for $t = 0$ to $2^{252} - 1$ do
$\begin{matrix} s = z_{t} + z_{t + 6} + z_{t + 12} + z_{t + 18} + z_{t + 24} + z_{t + 30} + z_{t + 36} + z_{t + 51} + z_{t + 57} + z_{t + 63} + z_{t + 69} + z_{t + 75} + z_{t + 84} + z_{t + 123} + \\ z_{t + 129} + z_{t + 132} + z_{t + 135} + z_{t + 138} + z_{t + 141} + z_{t + 144} + z_{t + 147} + z_{t + 150} + z_{t + 153} + z_{t + 156} + z_{t + 159} + z_{t + 162} + z_{t + 165} + \\ z_{t + 168} + z_{t + 174} + z_{t + 180} + z_{t + 189} + z_{t + 192} + z_{t + 195} + z_{t + 198} + z_{t + 201} + z_{t + 204} + z_{t + 207} + z_{t + 210} + z_{t + 216} \end{matrix}$
and assume the distributions as $P [s] + +$ .
end for
Calculate the distance $d = P [0] / 2^{252} - 0.5$
Make the final decision. ${\begin{matrix} z is from Micro - Trivium & , & d > 2^{- 126} / 2 \\ z is Random & , & d \leq 2^{- 126} / 2 \end{matrix}$

In Algorithm 2, $g_{a}, g_{b}, g_{c}$ are the chosen parameters; $d = \min {u_{1} + g_{a}, u_{3} - n_{1} + g_{b}, u_{5} - n_{2} + g_{c}}$ is the number of linear equations; $p_{g} = 0 . 75^{g_{a} + g_{b} + g_{c}}$ is the probability that $g_{a} + g_{b} + g_{c}$ terms produce zeroes; w is the number of small terms for the nonlinear segment of the remaining nonlinear equations from $T_{0} (t)$ ; $l_{w}$ is the number of nonlinear equations with the sum of w terms; $p_{w} = \sum_{i = 0}^{⌊ \frac{w}{2} ⌋} (\begin{matrix} w \\ 2 i \end{matrix}) 0 . 75^{w - 2 i} 0 . 25^{2 i}$ is the probability that the sum of w terms is zero; and $p_{l} = Π_{w = 1}^{4} p_{w}^{l_{w}}$ is the probability that the nonlinear segment of the l equation is zero. Then, the breaking complexity time of the state recovering attack can be expressed by¹⁴

$t i m e = 2^{n_{3} - d - \sum_{w = 1}^{4} l_{w}} \cdot p_{g}^{- 1} \cdot p_{l}^{- 1}$ (10)

The detailed parameters of Trivium, Bivium, and Micro-Trivium under the state recovering attack are shown in Table 4. The results of Trivium, Bivium, and Micro-Trivium under the two attacks are shown in Table 5.

Table 4.

Parameters of three algorithms under state recovering attack.

Parameter	Trivium	Bivium	Micro-Trivium
$g_{a} : g_{b} : g_{c}$ .	46 : 37 : 42	$0 : 0 : -$	57 : 58 : 56
d	59	22	57
$p_{g}$	$2^{- 51.9}$	$1$	$2^{- 71.0}$
$l_{1} : l_{2} : l_{3} : l_{4}$	5 : 5 : 4 : 1	0 : 0 : 0 : 0	1 : 0 : 1 : 0
$p_{l}$	$2^{- 9.7}$	$1$	$2^{- 1.2}$
Keystream	$2^{61.5}$	$1$	$2^{72.2}$
Breaking complexity	$2^{83.5}$	$2^{37}$	$2^{87.2}$

Table 5.

Comparison of three algorithms under two attacks.

Algorithm	Trivium	Bivium	Micro-Trivium
State recovering attack	$2^{83.5}$	$2^{37}$	$2^{87.2}$
Statistical tests	$2^{144}$	$2^{32}$	$2^{252}$

Discussion

Compared with the original Trivium and Bivium, Micro-Trivium has the best performance in terms of security under both the state recovering attack and statistical tests. In fact, from (10), the breaking complexity of the state recovering attack is mainly determined by the internal state bits and the parameters $g_{a}, g_{b}, g_{c}$ . Here, the number of internal state bits is $3 n_{2}$ for Bivium and $3 n_{3}$ for Trivium and Micro-Trivium. $g_{a}, g_{b}, g_{c}$ must be large enough to derive enough linear equations, and the number of internal state bits should be as large as possible through (10). However, hardware restrictions limit the size of this number. The number of Bivium’s internal state bits is too small, leading to security vulnerabilities. Although the number of Micro-Trivium’s internal state bits is smaller than Trivium’s, $g_{a}, g_{b}, g_{c}$ of Micro-Trivium are much larger because the number of nonlinear terms in Micro-Trivium increases much faster than that of Trivium in terms of the choice of parameters. A comparison of the nonlinear terms of the three algorithms is shown in Figure 3, where the Y-value is the number of nonlinear terms and the X-value is the normalization value of the internal rounds.

Figure 3.

Comparison of nonlinear terms among the three algorithms.

Therefore, Micro-Trivium performs best under the state recovering attack. In the statistical tests, we should assume that all the AND terms are zero to make the linear features more prominent. With this reasoning, Micro-Trivium is difficult to distinguish as a result of its additional terms. Therefore, Micro-Trivium performs best with a balance between security and resource consumption.

Finally, we present the principles of determining the parameters of the Trivium-Model algorithm:

The characteristic polynomial of the parameters should be a third-order primitive polynomial.

The number of nonlinear term parameters should increase as rapidly as possible with the same $n_{3}$ .

The best value of $n_{3}$ from above principle 1 and principle 2 should be chosen to balance resource consumption and the ability to defend against attacks.

In fact, the parameters of Micro-Trivium are chosen based on these principles.

Conclusion

In this article, we study the internal structure of Trivium and generalize Trivium to the “Trivium-Model” algorithm. A set of better parameters is given to the Trivium-Model algorithm to make it feasible for low-cost RFID tags in distributed sensor networks while guaranteeing security. Emulation results also show that Micro-Trivium not only consumes less power and has a smaller chip size but also performs better under the state recovering attack and statistical tests. Therefore, this new algorithm is promising in its ability to meet the needs of RFID tags in distributed sensor networks.

Footnotes

Academic Editor: Daniel Menasche

Declaration of conflicting interests

The author(s) declared no potential conflicts of interest with respect to the research,authorship,and/or publication of this article.

Funding

The author(s) disclosed receipt of the following financial support for the research,authorship,and/or publication of this article: This work was supported in part by the International Researcher Exchange Project of the National Science Foundation of China and Centre National de la Recherche Scientifique de France (NSFC-CNRS) under Grant No. 61211130104 and the National Science Foundation of China under Grant No. 61271220.

References

Tseng

Chen

Huang

CH.

Integrating transducer capability to GS1 EPCglobal identify layer for IoT applications. IEEE Sens J 2015; 15(10): 5404–5415.

Tseng

Chen

Huang

CH.

A design of GS1 EPCglobal application level events extension for IoT applications. IEICE T Inf Syst 2016; E99-D: 30–39.

Peris-Lopez

Hernandez-Castro

Estevez-Tapiador

. RFID systems: a survey on security threats and proposed solutions. Lect Note Comput Sci 2006; 4217: 159–170.

Anand

Cronin

Sherr

. Sensor network security: more interesting than you think. In: Proceedings of the HotSec 06: 1st USENIX workshop on hot topics in security, Vancouver, BC, Canada, 31 July 2006.

De Canniere

Preneel

. TRIVIUM specifications. eSTREAM, ECRYPT stream cipher project. Report no. 2005/030, April 2005, http://www.ecrypt.eu.org/stream

Biham

Dunkelman

Cryptanalysis of the A5/1 GSM stream cipher. In: Roy

Okamoto

(eds) Progress in cryptology INDOCRYPT 2000. Berlin: Springer, 2000, pp.43–51.

Gaj

Southern

Bachimanchi

Comparison of hardware performance of selected phase II eSTREAM candidates, 2007, http://www.ecrypt.eu.org/stream/papersdir/2007/026.pdf

Chou

Chen

. An efficient RFID mutual authentication scheme based on ECC. IACR Cryptol ePrint Arch 2011; 2011: 418.

Feldhofer

Dominikus

Wolkerstorfer

Strong authentication for RFID systems using the AES algorithm. In: Proceedings of the workshop on cryptographic hardware and embedded systems (CHES), Cambridge, MA, 11–13 August 2004.

10.

Pham

Hasan

A RFID mutual authentication protocol based on AES algorithm. In: Proceedings of the UKACC international conference on control, Cardiff, 3–5 September 2012.

11.

Yin

Wang

. A novel hash-based RFID mutual authentication protocol. In: Proceedings of the seventh international conference on computational intelligence and security (CIS), Sanya, China, 3–4 December 2011, pp.774–778. IEEE.

12.

Raddum

Cryptanalytic results on Trivium, 2007, http://www.ecrypt.eu.org/stream/papersdir/2006/039.ps

13.

Borghoff

Knudsen

Stolpe

Bivium as a mixed-integer linear programming problem. In: Parker

(ed.) Lecture notes in computer science (vol. 5921). Heidelberg: Springer, 2009, pp.133–152.

14.

Maximov

Biryukov

Two trivial attacks on TRIVIUM. In: Adams

Miri

Wiener

(eds) Selected areas in cryptography (SAC 2007). Lecture notes in computer science (vol. 4876). Berlin, Heidelberg: Springer, 31 January–1 February 2007, pp.1–16.

15.

Eibach

Pilz

Steck

Comparing and optimising two generic attacks on bivium. In: Proceedings of workshop on the state of the art of stream ciphers (SASC2008), Lausanne, 13–14 February 2008, pp.57–68. http://www.uni-ulm.de/fileadmin/website_uni_ulm/iui.inst.190/Mitarbeiter/eibach/comparing-and-optimising.pdf

16.

Dinur

Shamir

. Cube attacks on tweakable black box polynomials. In: Joux

(ed.) EUROCRYPT 2009 (vol. 5479). Heidelberg: Springer, 2009, pp.278–299.

17.

Zhang

Chen

. Cube attack on reduced-round quavium. Adv Comput Sci Res 2015.

18.

Fouque

Vannet

. Improving key recovery to 784 and 799 rounds of Trivium using optimized cube attacks. In: Moriai

(ed.) FSE 2013 (vol. 8424). Heidelberg: Springer, 2014, pp.502–517.

19.

Hoch

Shamir

Fault analysis of stream ciphers. In: Joye

Quisquater

(eds) CHES 2004 (vol. 3156). Heidelberg: Springer, 2004, pp.240–253.

20.

Zhang

Gongliang

Zhou

. Enhanced-Bivium algorithm for RFID system. Math Probl Eng 2015; 2015: 616182.

21.

Nawaz

Ahmed

Mujahid

RFID system: design parameters and security issues. World Appl Sci J 2013; 23(2): 236–244.

22.

Sarma

Weis

Engels

DW.

RFID systems and security and privacy implications. Cryptogr Hardw Embed Syst 2002; 2523: 454–470.

23.

Feldhofer

Comparison of low-power implementations of Trivium and grain. In: Proceedings of the workshop on the state of the art of stream ciphers (SASC 2007), Bochum, 31 January–1 February 2007, pp.236–246. http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.182.864&rep=rep1&type=pdf

24.

GS1 EPCglobal tag data standards version 1.4, http://www.epcglobalinc.org/standards/

25.

Chien

HY.

SASI: a new ultralightweight RFID authentication protocol providing strong authentication and strong integrity. IEEE T Depend Secure 2007: 4(4): 337–340.

26.

Feldhofer

Wolkerstorfer

. Hardware implementation of symmetric algorithms for RFID security. In: Kitsos

Zhang

(eds) RFID security: techniques, protocols and system-on-chip design. Berlin: Springer, 2008, pp.373–415.

Micro-Trivium: A lightweight algorithm designed for radio frequency identification systems

Abstract

Keywords

Introduction

Background

Related works

Main contributions

Trivium-Model algorithm and Micro-Trivium

Emulation results for resource consumption

Security analysis

Mathematical structure

Attack analysis

Discussion

Conclusion

Footnotes

Declaration of conflicting interests

Funding

References