Provable security against generic attacks on stream ciphers

Abstract

Abstract Recent lightweight hardware-based stream cipher designs keep an external non-volatile internal state that is not part of the cipher’s hardware module. The purpose of these so-called small-state ciphers is to keep the size of the hardware and the power consumption low. We propose a random oracle model for stream ciphers. This will allow us to analyse the recent small-state stream cipher designs’ resistance against generic attacks and, in particular, time-memory-data tradeoff attacks. We analyse the conventional construction underlying stream ciphers like Grain and Trivium, constructions continuously using the external non-volatile secret key during keystream generation like Sprout, Plantlet, Fruit, and Atom, constructions continuously using the external non-volatile IV, and constructions using a combination of the IV and the key like DRACO. We show the tightness of all bounds by first presenting the time-memory-data tradeoff attacks on the respective constructions, establishing the upper bound on security, and then presenting the proof of security to establish the lower bound on security. In this work, we extend the theoretical work done by Hamann et al. who introduced the DRACO stream cipher at FSE 2023. We use the same random oracle model as the aforementioned work and apply it to the earlier work by Hamann et al. presented at SAC 2019, which showed security for two of the four constructions we consider in this work. Our model is equivalent but allows for a much simpler proof of security. Furthermore, we provide a proof of security for stream ciphers continuously using the secret key during keystream generation, giving upper and lower bounds for all four generic stream cipher constructions proposed so far.