FAN: a lightweight authenticated cryptographic algorithm. (English) Zbl 07449882

Paterson, Kenneth G. (ed.), Topics in cryptology – CT-RSA 2021. Cryptographers’ track at the RSA conference 2021, virtual event, May 17–20, 2021. Proceedings. Cham: Springer. Lect. Notes Comput. Sci. 12704, 299-325 (2021).
Summary: The wide application of the low-end embedded devices has largely stimulated the development of lightweight ciphers. In this paper, we propose a new lightweight authenticated encryption with additional data (AEAD) algorithm, named as Fan, which is based on a first non-Grain-like small-state stream cipher that adopts a novel block-wise structure, inspired by the 4-blade daily electric fan. It takes a 128-bit key, a 64-bit initial vector (IV), and a 192-bit state, promising 128-bit security and up to 72-bit authentication tag with the IV-respecting restriction. It consists of a nonlinear spindle, four linear blades and an accumulator, and updates by constant mutual feedbacks between the linear and nonlinear parts, which rapidly provides highly confused level by parallel diffusing the fastest-changing state of spindle. The key is used both in the initialization and generation phases as part of input and state respectively, making Fan suitable for resource-constrained scenarios with internal state diminishment but no security loss. A thorough security evaluation of the entire AEAD mode is provided, which shows that Fan can achieve enough security margin against known attacks. Furthermore, Fan can be implemented efficiently not only in hardware environments but also in software platforms, whose operations are carefully chosen for bit-slice technique, especially the S-box is newly designed efficiently implemented by logic circuit. The hardware implementation requires about 2327 GE on 90 nm technology with a throughput of 9.6 Gbps. The software implementation runs about 8.0 cycle/byte.
For the entire collection see [Zbl 1476.94005].


68P25 Data encryption (aspects in computer science)
94A62 Authentication, digital signatures and secret sharing
94A60 Cryptography


eBACS; Enocoro; Fruit; eSTREAM; FAN
Full Text: DOI


[1] ebacs: Ecrypt benchmarking of cryptographic systems. https://bench.cr.yp.to/results-stream.html
[2] Ahmadi, H.; Eghlidos, T., Heuristic guess-and-determine attacks on stream ciphers, IET Inf. Secur., 3, 2, 66-73 (2009)
[3] Aminghafari, V., Hu, H.: Fruit: ultra-lightweight stream cipher with shorter internal state. IACR Cryptology ePrint Archive 2016, 355 (2016). http://eprint.iacr.org/2016/355
[4] Armknecht, F., Mikhalev, V.: On lightweight stream ciphers with shorter internal states. In: Fast Software Encryption - 22nd International Workshop, FSE 2015, Istanbul, Turkey, 8-11 March 2015, Revised Selected Papers, pp. 451-470 (2015). doi:10.1007/978-3-662-48116-5_22 · Zbl 1382.94050
[5] Biryukov, A.; Shamir, A.; Okamoto, T., Cryptanalytic time/memory/data tradeoffs for stream ciphers, Advances in Cryptology — ASIACRYPT 2000, 1-13 (2000), Heidelberg: Springer, Heidelberg · Zbl 0980.94013
[6] Canniere, C.D., Preneel, B.: Trivium specifications. eSTREAM, ECRYPT Stream Cipher Project, Citeseer (2005)
[7] Canteaut, A.; Duval, S.; Leurent, G.; Dunkelman, O.; Keliher, L., Construction of lightweight s-boxes using Feistel and MISTY structures, Selected Areas in Cryptography - SAC 2015, 373-393 (2016), Cham: Springer, Cham · Zbl 1396.94064
[8] Dinur, I.; Shamir, A.; Joux, A., Cube attacks on Tweakable black box polynomials, Advances in Cryptology - EUROCRYPT 2009, 278-299 (2009), Heidelberg: Springer, Heidelberg · Zbl 1239.94045
[9] Esgin, MF; Kara, O.; Dunkelman, O.; Keliher, L., Practical cryptanalysis of full sprout with TMD tradeoff attacks, Selected Areas in Cryptography - SAC 2015, 67-85 (2016), Cham: Springer, Cham · Zbl 1396.94074
[10] Faugère, J., Horan, K., Kahrobaei, D., Kaplan, M., Kashefi, E., Perret, L.: Fast quantum algorithm for solving multivariate quadratic equations. CoRR abs/1712.07211 (2017). http://arxiv.org/abs/1712.07211
[11] Hamann, M.; Krause, M., On stream ciphers with provable beyond-the-birthday-bound security against time-memory-data tradeoff attacks, Cryptogr. Commun., 10, 5, 959-1012 (2018) · Zbl 1390.94839
[12] Hell, M., Johansson, T., Maximov, A., Meier, W.: The grain family of stream ciphers. In: New Stream Cipher Designs - The eSTREAM Finalists, pp. 179-190 (2008). doi:10.1007/978-3-540-68351-3_14
[13] Hell, M.; Johansson, T.; Meier, W.; Sönnerup, J.; Yoshida, H.; Carlet, C.; Guilley, S.; Nitaj, A.; Souidi, EM, An AEAD variant of the grain stream cipher, Codes, Cryptology and Information Security, 55-71 (2019), Cham: Springer, Cham · Zbl 1432.94136
[14] Hitachi, L.: Stream cipher Enocoro specification ver. 2.0 and evaluation report. CRYPTREC submission package (2010). http://www.hitachi.com/rd/yrl/crypto/enocoro/
[15] Kumar, S., Haj-Yihia, J., Khairallah, M., Chattopadhyay, A.: A comprehensive performance analysis of hardware implementations of CAESAR candidates. IACR Cryptol. ePrint Arch. 2017, 1261 (2017). http://eprint.iacr.org/2017/1261
[16] Robshaw, M.; Billet, O., New Stream Cipher Designs. The eSTREAM Finalists (2008), Heidelberg: Springer, Heidelberg · Zbl 1259.94006
[17] Maximov, A.: AES mixcolumn with 92 XOR gates. Cryptology ePrint Archive, Report 2019/833 (2019). https://eprint.iacr.org/2019/833
[18] Mikhalev, V., Armknecht, F., Müller, C.: On ciphers that continuously access the non-volatile key. IACR Transactions on Symmetric Cryptology 2016(2), 52-79 (2016). doi:10.13154/tosc.v2016.i2.52-79
[19] National Institute of Standards and Technology: Advanced encryption standard. NIST FIPS PUB 197 (2001)
[20] Todo, Y.; Isobe, T.; Hao, Y.; Meier, W.; Katz, J.; Shacham, H., Cube attacks on non-blackbox polynomials based on division property, Advances in Cryptology - CRYPTO 2017, 250-279 (2017), Cham: Springer, Cham · Zbl 1406.94081
[21] Todo, Y.; Isobe, T.; Meier, W.; Aoki, K.; Zhang, B.; Shacham, H.; Boldyreva, A., Fast correlation attack revisited: cryptanalysis on full grain-128a, grain-128, and grain-v1, Advances in Cryptology - CRYPTO 2018, 129-159 (2018), Cham: Springer, Cham · Zbl 1436.94096
[22] TSMC: TSMC 90nm cln90g process sage-xtm v3.0 standard cell library databook (March 2005 Release 11)
[23] Wang, Q.; Shacham, H.; Boldyreva, A., Improved division property based cube attacks exploiting algebraic properties of superpoly, Advances in Cryptology - CRYPTO 2018, 275-305 (2018), Cham: Springer, Cham · Zbl 1444.94103
[24] Zhang, B.; Gong, X.; Iwata, T.; Cheon, JH, Another tradeoff attack on sprout-like stream ciphers, Advances in Cryptology - ASIACRYPT 2015, 561-585 (2015), Heidelberg: Springer, Heidelberg · Zbl 1382.94171
This reference list is based on information provided by the publisher or from digital mathematics libraries. Its items are heuristically matched to zbMATH identifiers and may contain data conversion errors. It attempts to reflect the references listed in the original paper as accurately as possible without claiming the completeness or perfect precision of the matching.