A Small-State Stream Cipher Algorithm, Draco-F, Based on the State-Bit Indexing Method

The Small-state Stream Cipher Algorithm Draco-F Based on State-bit Indexing Method

Authors: ZHANG Runlian; FAN Xin; ZHAO Hao; WU Xiaonian; WEI Yongzhuang (School of Computer Science and Information Security, Guilin University of Electronic Technology, Guilin 541000, China)

Affiliation: [1] School of Computer Science and Information Security, Guilin University of Electronic Technology, Guilin 541000

Source: Journal of Electronics & Information Technology, 2025, No. 1, pp. 271-278 (8 pages)

Funding: National Natural Science Foundation of China (62062026); Guangxi Key Research and Development Program (Guike AB23026131); Guangxi Graduate Education Innovation Program (YCSW2024347).

Abstract: The Draco algorithm is the first stream cipher design instance constructed on the Consisting of the Initial Value and Key-prefix (CIVK) scheme, and it claims fully provable security against Time-Memory-Data Trade-Off (TMDTO) attacks. However, because Draco's selection function has a structural flaw, namely a short period, attackers have published analyses that break its claimed security bound. To address the security flaws of Draco and related issues, this paper proposes an improved algorithm, Draco-F, based on state-bit indexing and dynamic initialization. First, Draco-F increases the period of the selection function and reduces hardware cost by using the state-bit indexing method; second, while preserving uniform usage of the nonlinear feedback shift register (NFSR) state bits, Draco-F further reduces hardware cost by simplifying the output function; finally, Draco-F introduces a dynamic initialization technique to prevent key backtracking. Security analysis and software/hardware test results show that, compared with Draco, Draco-F avoids Draco's security vulnerabilities and provides a 128-bit security level with an actual internal state of 128 bits; at the same time, Draco-F achieves higher keystream throughput and a smaller circuit area.

Objective: The Draco algorithm is a stream cipher based on the Consisting of the Initial Value and Key-prefix (CIVK) scheme. It claims to provide security against Time-Memory-Data Trade-Off (TMDTO) attacks. However, its selection function has structural flaws that attackers can exploit, and these weaknesses can compromise its security. To address these vulnerabilities and lower the hardware costs associated with the Draco algorithm, this paper proposes an improved version called Draco-F. This new algorithm utilizes state-bit indexing and dynamic initialization.

Methods: Firstly, to address the short-period problem of the selection function and the high hardware cost of the Draco algorithm, the Draco-F algorithm introduces a new selection function. This function employs state-bit indexing to extend the selection function's period and reduce hardware cost. Specifically, the algorithm generates three index values from 17 state bits of two Nonlinear Feedback Shift Registers (NFSRs). These index values serve as subscripts to select three bits of data stored in non-volatile memory. The output bit of the selection function is produced by specified nonlinear operations on these three bits. Secondly, while ensuring uniform usage of NFSR state bits, the Draco-F algorithm further minimizes hardware cost by simplifying the output function. Finally, Draco-F incorporates dynamic initialization to prevent key backtracking.

Results and Discussions: Security analysis of the Draco-F algorithm, including evaluations against universal TMDTO attacks, zero-stream attacks, selective IV attacks, guess-and-determine attacks, key recovery attacks, and randomness testing, demonstrates that Draco-F effectively avoids the security vulnerabilities of the original Draco algorithm, thereby offering enhanced security. Software testing results indicate that the Draco-F algorithm achieves a 128-bit security level with an actual 128-bit internal state and higher keystream throughput compared to the Draco algorithm. Additionally, hardware tes

Keywords: stream cipher; Consisting of the Initial Value and Key-prefix (CIVK); Draco; state-bit indexing; dynamic initialization

Classification code: TN918.1 [Electronics and Telecommunications: Communication and Information Systems]

 
