An exhaustive review of the stream ciphers and their performance analysis

ABSTRACT


INTRODUCTION
Widely used applications like big data, cloud computing, and e-commerce have resulted in a growing demand for efficiency and security in data processing.The cryptography core and information security create lots of opportunities with real-time challenges.Providing high-level security with high-speed architecture at a low-cost implementation while considering low-resource constraints became a prominent demand for most applications.Wireless networks, device authentication, and radio-frequency identification (RFID) systems have low-resource constraints with low-cost implementation requirements.The lightweight block and stream ciphers protect attackers' information and provide data integrity and confidentiality [1], [2].Block ciphers are the primary choice in lightweight cryptography (LWC) and are easily designed with functionality.However, block ciphers use further as communication protocols, and they can't be designed using stream ciphers.The necessity of the initialization phase before the communications happen has significant drawbacks for the stream ciphers.The stream ciphers are suited to most application requirements where the input text is continuous or unknown.Stream ciphers are compact, easy to design, fast, less-power utilization, and suitable for lowconstrained devices [3], [4].
Stream ciphers have received more attention in recent years due to various research initiatives to develop secure stream ciphers.Research activities and competitions have been conducted in past decades to find novel architectures.As an effort, ECRYPT stream cipher project (eSTREAM) completion is among them Int J Reconfigurable & Embedded Syst ISSN: 2089-4864  An exhaustive review of the stream ciphers and their performance analysis (Raghavendra Ananth) 361 and was held by the european network of excellence for cryptology (ENEC) from 2004 to 2008.This competition promotes to finds of compact and novel stream ciphers for a wide range of usage.Later, the international organization for standardization and the international electrotechnical commission (ISO/IEC) standardized stream ciphers formed for LWC in the ISO/IEC 29192-3:2012 standard.Many stream ciphers proposals and concepts have been proposed [5], [6].Authentication is one of the prime security features to be considered in most applications, apart from confidentiality, and data integrity.Competition for authenticated encryption (AE): security, applicability, and robustness (CAESAR) conducts the cryptographic research community competition to find suitable cipher algorithms and should be advantaged over advanced encryption standards (AES) [7].The hardware-based stream ciphers are well-suited to low-resource-constrained devices and use direct cryptographic functions and basic operations without additional components [8].The stream ciphers have constructed software and hardware acceleration using cryptographic functions, feedback shift registers, and basic operations [9], [10].The cryptographic functions are categorized into either Boolean or vectorial functions with different cryptographic properties.The shift registers like divided into the linear feedback shift register (LFSR) and non-linear feedback shift register (NFSR) based on feedback mechanisms.
In addition, XOR and rotation operations commonly used essential functions while constructing the stream ciphers.
The performance characteristics of various stream ciphers are examined in this paper, both from a hardware and software perspective.The approach of the stream cipher is described in section 2, as well as an overview of its design with tabulation.In section 3, we'll go over security attacks and countermeasures.In section 4, the performance realization and its application usage are listed.The future trends of current stream ciphers are highlighted in section 5. Finally, the overall work in section 6 concludes.

STREAM CIPHERS
The stream ciphers are an alternative branch of the symmetric cryptosystem, which provides better speed and scalability for hardware-based approaches.The stream ciphers are classified based on functionality, represented in Figure 1.The LFSR based Stream ciphers are bit-oriented types.The key generation units are designed using a more significant number of LFSR units.An example of a combiner generator with non-linear features in E0 is represented in Figure 2.
The E0 is Bluetooth encryption that supports point-to-point communications in wireless networks.The E0 mainly contains four LFSRs with 4-bit memory.The memory bits are updated using C functions.The E0 uses a 128-bit key with a 74-bit initialization vector (IV).The keystream receives the composite output with a feedback mechanism.The E0 is used mainly in Bluetooth combiner with alternative mapping correlation analysis [11], [12].With an irregular clock control mechanism, the clock controller generator introduces nonlinear properties.In Figure 3, the clock controller generator is depicted.Two LFSR sets and a feedback controller are the key components.An example of a clock-controlled generator is A5/1 based stream cipher.This encryption technique is used in most global systems for mobile communications (GSM) based phones for air transmission encryption.The A1/5 cipher uses a 54-bit or 64-bit secret key for keystream generation and avoids the reduction of output efficiency [11].Mutual irregular clocking keystream generator is also called MICKEY stream cipher, which provides low complexity and fewer resource constraints with high security on the hardware platform.The MICKEY cipher uses an irregular clocking mechanism of shift registers with an optimization mechanism against the attacks.The MICKEY cipher generally uses an 80-bit key, whereas the MICKEY 2.0 cipher uses a 128-bit secret key with an IV of 80/128-bit [13]- [15].The MICKEY cipher uses two registers (R and S) with a feedback control mechanism to generate the keystream bit.

Stream Ciphers Classification
The word-orient stream ciphers work on 8-bit to 32-bit with LFSR with finite state machine (FSM) or non-linear filter generation combinations.SNOW series (1.0, 2.0, and 3.0).The SNOW 1.0 cipher uses a 128bit secret key with a 32-bit word size.The SNOW-based stream cipher representation is shown in Figure 4.It contains two registers, finite field operation with a feedback mechanism, non-linear FSM with two memory units, and XOR operation as output to generate the running key [16], [17].SNOW 2.0 cipher uses a 128/512bit secret key with an IV of 128-bit.The ZUC is a stream cipher used as a 3 rd generation partnership project (3GPP) encryption standard and developed for Chinese studies for inclusion in the 4 th generation (4G) or long term evolution (LTE) project.The ZUC cipher uses a 128-bit secret key size with an IV of 128-bit, and it is built with LFSR-based architecture.The ZUC architecture mainly includes LFSR layers, a Bit recognition layer, and non-linear function and key loading.The ZUC cipher mainly focuses more on timing attacks [18].The SOSEMANUK is one of the software-based eSTREAM projects, which uses a 128/256-bit secret key with an IV of 128-bit for a 32-bit word length.The stream cipher uses most of the features and working principles of SNOW 2.0 with SERPENT-based transformations.The efficiency and security analysis is improved than the SNOW 2.0 stream cipher [19].
The LFSR and NFSR combination is constructed using the GRAIN family to enhance the cryptographic properties.The GRAIN family targets hardware-based constrained environments to improve the gate count, memory, and power consumption features.The GRAIN family has three stream ciphers: GRAIN-v1, GRAIN-128, and GRAIN-128a.The GRAIN-v1 considers 80-key with 80-bit IV using NFSR and LFSR [20].The GRAIN-128 considers a 128-bit key with 1V of 96-bit [21].The GRAIN stream cipher mainly has two shift registers, LFSR and NFSR, and output functions are represented in Figure 5.The key initialization mechanism is crucial for realizing the attack scenarios in the GRAIN cipher using IV and XOR operations.The small-state-based stream cipher is introduced with continuous key use to solve the hardware complexity, illustrated in Figure 6.The TRIVIUM series [22] stream ciphers are hardware featured with simple architecture and are interconnected with three NFSRs with low-degree feedback mechanisms, and quadratic filter functions are represented in Figure 7.The TriviA cipher [23] generates the keys for ciphertext and tags and provides independent hash pairs to calculate the tag.The "encode-hash combine" or ECH hash creates distinct hash pairs.The TriviA provides a 124-bit security key for authentication and a 128-bit key for privacy.The TRIVIUM is one of the eSTREAM finalist hardware stream ciphers and uses an 80-bit secret key size with an IV of 80-bit [24].The TRIVIUM cipher can generate up to 264 keystream bits with a 288-bit internal state.The cipher can solve bit-oriented issues with strong security and performance efficiency.The hardware based fast and secured AE is introduced as TriviA, which uses a 128-bit secret key size with an IV of 80-bit.Fruit-2.0 is a stream cipher that is ultra-lightweight and has a more straightforward internal state system [25].The Fruit 2.0 cipher has an 80-bit secret key and a 70-bit IV.Fruit 2.0 is used to strengthen against related-key attacks with a modified initialization process.
The Platelet stream cipher is well suited for lower-constraint devices and does not rely on non-volatile memory (NVM) [26].The Platelet cipher improves the security weakness by storing the key in non-rewritable NVM and rewritable NVM.Platelet cipher uses a 128-bit secret key size with an IV of 40-bit.The Platelet uses An exhaustive review of the stream ciphers and their performance analysis (Raghavendra Ananth) 363 double-layer LFSRs with NLFSR combination as an internal mechanism for key storing.The adaptation of the new stream from the TRIVIUM is the QUAVIUM cipher [27] to improve the performance.QUAVIUM cipher uses a 128-bit secret key size with an IV of 80-bit.The QUAVIUM uses shift registers and k-order primitive polynomials with three round structures for keystream generation.The Kreyvium is a low-depth stream cipher like TRIVIUM and is used for homomorphic compression evaluation [28].Kreyvium cipher uses a 128-bit secret key size with an IV of 80-bit.The Kreyvium cipher added a 288-bit internal state without increasing the multiplicative depth corresponding to key and IV than the original TRIVIUM cipher.The PANAMA is a combination of fast hashing and stream cipher cryptographic modules, and it achieves high performance with low operation with a high degree of parallelism [29].The module reaches 4.7 bits/cycle at stream cipher mode and 5.1 bits/cycle at hashing mode.The PANAMA performs high-end parallel tasks and is suitable for very long-instruction word (VLIW) based processors.PANAMA cipher uses a 256-bit secret key size without an IV process.The Enocoro and MUGI are two typical examples of PANAMA-like stream ciphers suitable for software and hardware implementations.The Enocoro uses an 80/128-bit secret key size with an IV of 64-bit.The MUGI uses a 128-bit secret key size with an IV of 128-bit.
The random-shuffled stream ciphers use random-shuffled tables to generate random permutations to achieve higher efficiency using software environments.The RC4 stream cipher [30] is byte-oriented and used against state recovery attacks.The RC4 uses a random table containing 0 to 255 with permutation mode to calculate the two-bytes index-pointer replacements.RC4 cipher uses 8 to 2048-bit secret key size without an IV process.The typical RC4-based keystream generation is illustrated in Figure 8.The numerical table initializes key mixing, followed by the keystream generation phase.The table will be modified in each iteration and generates the output keystream.However, RC4 is still weak against distinguishing attacks.The RC4 is adopted with the new version as an RC4 hardware acceleration suite (RC4-A) [31] to speed up the cipher process in ASIC environments.The RC4-A provides better flexibility, performance, and resource minimization in hardware environments.The performance of the RC4-A will be enhanced using multiported static random access memory (RAM), loop unrolling, state replication, and splitting.The HC-128 is a simple, secure, and software-efficient stream cipher and uses a 128-bit secret key size with an IV of 128-bit [32].It can generate up to 264 keystream bits from each IV/key pair.In contrast, HC-256 [33] uses a 128-bit secret key size with an IV of 256-bit.The HC-128/256 is suitable for modern superscalar microprocessors and supports a high level of parallelism.
The addition rotation XOR (ARX) based ciphers are one of the modern stream ciphers, and their round function contains hybrid operations like modulo addition, interworld rotation, and XOR operation.The ARX ciphers are simple, fast, easy software implementation, and run constantly.Salsa20 and Chacha ciphers use 32-bit module addition, rotation, and XOR operations with the help of the hash function.The Salsa20 is the first eSTREAM based software project, and the Chacha cipher is a modified version of Salsa20 with a new round function that creates more diffusion.Salsa20 cipher uses a 128/256-bit secret key with an IV of 64-bit.Chacha cipher uses a 256-bit secret key with an IV of 32-bit.The Salsa20 cipher is typically faster than the AES cipher.Chacha is a new variant of salsa20, designed to improve the diffusion per round and also used to improve the cryptoanalysis resistance [34], [35].The ARX-based round function for Chacha is illustrated in Figure 9.The Rabbit stream cipher was one of the fast encryption standards in 2003 and an eSTREAM-based software project finalist [36].It uses a 128-bit secret key size with an IV of 64-bit as an input to generate the 128-bit random output data in each iteration.The Rabbit examines the security for algebraic and correlation attacks by arranging the key/IV setup parameters.The MORUS is an authenticated stream cipher with 128/256 bits of secret keys and a 128-bit IV [37].MORUS v1 uses the status update function to avoid collisions during the initialization and encryption/decryption stages.
The sponge structural-based stream ciphers are designed based on sponge structure with LFSR or permutations, and one of its internal state outputs is directly considered a keystream sequence.The KECCAK and ASCON are examples of sponge structural-based stream ciphers.The KECCAK is a sponge construction type cipher that uses more random permutations, allows multiple inputs, and provides any amount of data outputs [38].The KECCAK cipher uses a 128-bit secret key without an IV process.The KECCAK cipher provides better authentication features without using any additional authentication module.The ASCON is one of the CAESAR finalists' ciphers and known AE modules [39].The ASCON cipher uses a 128-bit secret key with an IV of 128-bit.The ASCON uses a substitution permutation network (SPN) structure with a fixed permutation of an iterative process.It performs both software and hardware implementations with better performance and cost.The ASCON is best known for cube and key recovery attacks.The A2U2 is one of the AE ciphers commonly used in printed electronics-based RFID tags [40].The A2U2 uses two NFSRs followed by a key-bit mixing mechanism with a shrinking filter to generate the ciphertext.A2U2 cipher uses a 56-bit secret key without an IV process.The welch gong (WG)-7 is a lightweight stream cipher used for RFID authentication and encryption [41].WG-7 cipher uses an 80-bit secret key with an IV of 81-bit.The WG-7 consists of 23-stage LFSRs for keystream generation.The WG-7 is secure against time/data/memory trade-off attacks.The WG-8 is a lightweight stream cipher used for low resource constraints smart devices [42].To generate the ciphertext, the WG-8 uses 20-stage LFSRs with feedback polynomial and transformation modules.The WG-8 cipher uses an 80-bit secret key with an IV of 80-bit.The WG-8 is capable of resisting the most common security attacks.The hummingbird (HB) is an ultra-lightweight stream cipher commonly used in high-volume consumer devices like smart cards, RFID tags, and wireless devices [43].HB cipher uses a 16-bit block size, 64/256-bit secret key with an IV of 64-bit.The HB encryption mainly contains four 16-bit block ciphers, followed by an internal state register updation unit and a 16-bit LFSR module.The 16-bit block cipher is constructed using a typical substitution permutation (SP) network.The HB-2 is a lightweight authentication encryption module targeted at low-constrained devices [44].HB 2.0 cipher uses a 128-bit secret key with an IV of 64-bit.GRAIN-128a is a new version of GRAIN-128 with authentication features [45].GRAIN-128a cipher uses a 128-bit secret key with an IV of 96-bit.GRAIN-128a was used to strengthen all known attacks.The Rabbit-MAC is a lightweight AE module commonly used in wireless sensor networks (WSNs) [46].The Rabbit-MAC cipher uses a 128-bit secret key without an IV process and generates the 128-bit random data at the output side for each iteration.The pseudo-random data is XOR'ed with plaintext/ciphertext to generate the encryption/decryption process in Rabbit-MAC.ACRON is a lightweight authenticated cipher and uses a 128-bit secret key with an IV of 128-bit [47].The authentication tag length must be less than or equal to 128 bits.The six LFSRs are concatenated, followed by feedback bits in the ACRON structure.The ACRON is capable of resisting traditional and statistical attacks.The Sablier is one of the hardware-based stream ciphers built with authentication features [48].The Sablier v1 cipher uses an 80-bit secret key with an IV of 80-bit.The Sablier performs the authentication mechanism using shift registers and accumulators in keystream generation.
An exhaustive review of the stream ciphers and their performance analysis (Raghavendra Ananth) The BEAN is a lightweight stream cipher module designed based on the GRAIN cipher [49].The BEAN cipher uses two FCSRs followed by an S-Box and filtering.The BEAN cipher uses an 80-bit secret key with an IV of 64-bit.The BEAN cipher utilizes fewer hardware resources than the GRAIN cipher.The BEAN cipher can be resistant to most traditional attacks.The new scalable stream cipher with rule 30 is CAR30.The CAR30 cipher is constructed using the cellular automata (CA) rule 30 with maximum length CA followed by XOR operation to generate the ciphertext.The CAR30 is implemented both on software and hardware platform.In general, the CAR30 can scale up to any key size and IV.Most current works on CAR30 use a 128-bit secret key with an IV of 120-bit [50].The CAR30 provides better throughput than other GRAIN and TRIVIUM ciphers.TinyStream is a new lightweight stream cipher algorithm for WSNs.TinyStream cipher uses a 128bit secret key without an IV process [51].The TinyStream cipher is constructed using tree parity machine (TPM) with a loop system mechanism.The summary of the stream cipher types and their algorithms is tabulated in Table 1.The list of the stream ciphers with functionality is tabulated in Table 2.The stream cipher type, secret key size, and IV size are mentioned in the ciphers tabulation.

SECURITY ATTACKS AND COUNTERMEASURE METHODS
This section analyzes different types of security attacks and their countermeasure methods.The attacker's main aim is to use cipher designs to find the secret key used in the encryption or decryption process.Two attacks happen: passive attacks and active attacks.Passive attacks occur in the initialization or output phases.The attacker retrieves the information, copies them, and uses it for harmful or malicious purposes.Whereas active attacks, the attackers are trying to recreate the original data in the form of an insert, replay or delete.These two attacks will modify the key information, or system resources will be damaged.
Furthermore, these attacks are extensively classified based on cryptography usage.Exhaustive key search is an attack (brute force) where attackers try to find all the possible core combinations to find the primary secret key.This type of attack's computational complexity remains lower and possesses more on plaintext and ciphertexts.The exhaustive key search is analyzed in detail using the TRIVIUM cipher [22], [24] with key recovery.Correlation attacks realize the cipher's linear function and calculate the keystream based on output observation.Algebraic attacks use the algebraic equations of the main cipher and are used further to generate the key bits.Similarly, linear attacks are also correlated with the linear functions of the defined keystream bits and initialization bits.
Distinguishing attacks are a type of attack in which attackers try to differentiate the keystream information from a random sequence feature.These attacks may recover the complete key details in the future.The side-channel attack is a type in which the attacker retrieves the data information from the cipher while calculating the power consumption or electromagnetic emission process.In this attack, the attacker hacks the complete information from the internal operations of the cipher technique.The related-key attack is a type of target attack happening during the re-initialization process of the cipher design operation.The attacker will generate the related keys only if the cipher technique does not use the non-linearity feature and is directly related to plain text and new-key generation.Similarly, the chosen-plain text or IV attacks use the key scheduling weakness and retrieve the useful initial state information from the main memory.The basic structure of the cipher realizes the time, memory-data trade-off attacks, and summarization of the related results in a larger table.

PERFORMANCE ANALYSIS AND APPLICATIONS
This section discusses the hardware realization of the stream ciphers and their performance analysis.Most of the authors implemented the stream ciphers using the field programmable gate array (FPGA) platform.The stream ciphers are constructed with macroblocks using hardware description language (HDL) and later implemented on FPGA.The performance metrics include area in terms of slices, maximum operating frequency (Fmax) in terms of MHz, latency in terms of clock cycles (CC), throughput (Mbps), and efficiency Int J Reconfigurable & Embedded Syst ISSN: 2089-4864  (Mbps/Slice).The design module uses program logic blocks, and programmable interconnects on FPGA.The FPGA contains configurable logic blocks (CLBs), input-output blocks (IOBs), dedicated multipliers, a digital clock manager (DCM), and block RAMs.The CLBs are constructed using slices and lookup tables (LUTs).The slice definition is varied based on FPGA device selection.For example, one slice contains a minimum of two 4-input LUT, Flip-flops, adder tree, and multiplexors on Spartan-3 FPGA.The LUT holds the design information in the Boolean equations and Truth table.The maximum operating frequency is obtained after synthesis operation based on design architecture using the Xilinx tool.The latency is analyzed based on the execution of the design to generate the first output in the simulation process.The latency is calculated regarding CC in hardware realization.The throughput is measured based on input data width, frequency, and latency parameters.So, throughput = (input width * Fmax)/latency.The hardware efficiency is measured in terms of throughput per slice.The summary of the performance analysis of the other stream ciphers is listed in Table 4.

FUTURE TRENDS
The keystream generation is an essential part of the stream ciphers and the main functional requirement for most application domains.The stream ciphers' preamble remains the same, with their high performance and efficiency as the block ciphers.The recent trends towards IoT indicate that the millions of embedded devices are interconnected with resource constraints capabilities and interaction mechanisms with corresponding users.Social mobility and smart city applications need to include a distributed framework to transmit high amounts of cipher data securely.Most of the present industries, like 5 th generation wireless networks, vehicular adhoc-networks, smart camera-based Urban-surveillance, and green networking, will focus more on security to secure their data from attackers.
Stream ciphers are the best option rather than block ciphers for streaming applications.However, research is still improving cipher usage in a well-organized manner.Currently, parallel computing systems are widely used in most embedded system applications.So, incorporating a lightweight stream cipher with highdegree parallelism is challenging in maintaining desired performance.Most current stream ciphers focus more on basic operations with cipher structures and can resist most of the existing attacks.However, these ciphers must incorporate most cryptographic properties for further security evaluation and performance analysis.Focus on internal state architecture resource utilization and power consumption while implementing the lightweight Int J Reconfigurable & Embedded Syst ISSN: 2089-4864  An exhaustive review of the stream ciphers and their performance analysis (Raghavendra Ananth) 369 ciphers.Implementing the AE methods using stream ciphers is still in demand because of the current trends in IoT usage.Security feature improvements using stream ciphers on cloud computing applications remain an open research spot.

CONCLUSION
As embedded or IoT gadgets increase in our daily lives, pervasive computing becomes a reality.Networked computers have undergone a significant change in their architecture, usage, and number to protect the security of those sources and the data kept on or transmitted to them.This manuscript presents an exhaustive review of the stream ciphers for low-constrained devices.The traditional and benchmarked stream cipher's design and authenticated ciphers are analyzed.The resistive streams ciphers for corresponding attacks are highlighted.The implemented results of these stream ciphers are examined in detail using the FPGA platform.From this, GRAIN-128.GRAIN-128A, TRIVIUM, and MICKEY stream ciphers provide better security and performance results than other ciphers.The most appropriate stream ciphers for corresponding application requirements are highlighted based on cryptographic functionalities.The requirements and systematic plans for future designs are highlighted.

Figure 2 .
Figure 1.Classification of the stream ciphers

Table 4 .
Performance analysis of stream ciphers

Table 6 .
Applications of the stream ciphers