Achterbahn (stream cipher)

Last updated March 10, 2023

In cryptography, Achterbahn is the name of a synchronous stream cipher algorithm submitted to the eSTREAM Project of the eCRYPT network. In the final specification the cipher is called ACHTERBAHN-128/80, because it supports the key lengths of 80 bits and 128 bits, respectively.^[1] Achterbahn was developed by Berndt Gammel, Rainer Göttfert and Oliver Kniffler. Achterbahn means rollercoaster (in German), though a literal translation of the term would be eight-track, which indicates that the cipher can encrypt eight bit streams in parallel.

ACHTERBAHN-128 is downward compatible and can produce the same keystream as ACHTERBAHN-80 if so desired. The keystream generator of ACHTERBAHN-128/80 is based on the design principle of the nonlinear combination generator, however it deploys primitive nonlinear feedback shift registers (NLFSR) instead of linear ones (LFSR).

Security

There are no known cryptanalytic attacks against ACHTERBAHN-128/80 for the tabulated parameters that are faster than brute force attack. Recent analysis showed that attacks are possible if larger frame (packet) lengths are used in a communication protocol.^[2]^[3]^[4] The cipher's authors recommend a maximum frame length of 2⁴⁴ bits.^[5] This value does however not imply practical limitations.

Performance

The ACHTERBAHN-128/80 stream cipher is optimized for hardware applications with restricted resources, such as limited gate count and power consumption. An implementation of ACHTERBAHN-80 has a design size of only 2188 gate equivalents (Nand-GE) in a standard CMOS technology and delivers a throughput of up to 400 Megabit/s. This makes it suitable for RFID tags.^{[ citation needed ]} A high-speed implementation with a throughput of 8 Gigabit/s has a design size of 8651 Nand-GE.^[6]

Related Research Articles

In cryptography, a block cipher is a deterministic algorithm operating on fixed-length groups of bits, called blocks. Block ciphers are specified elementary components in the design of many cryptographic protocols and are widely used to encrypt large amounts of data, including in data exchange protocols. A block cipher uses blocks as an unvarying transformation.

In cryptography, RC4 is a stream cipher. While it is remarkable for its simplicity and speed in software, multiple vulnerabilities have been discovered in RC4, rendering it insecure. It is especially vulnerable when the beginning of the output keystream is not discarded, or when nonrandom or related keys are used. Particularly problematic uses of RC4 have led to very insecure protocols such as WEP.

A stream cipher is a symmetric key cipher where plaintext digits are combined with a pseudorandom cipher digit stream (keystream). In a stream cipher, each plaintext digit is encrypted one at a time with the corresponding digit of the keystream, to give a digit of the ciphertext stream. Since encryption of each digit is dependent on the current state of the cipher, it is also known as state cipher. In practice, a digit is typically a bit and the combining operation is an exclusive-or (XOR).

In cryptography, an S-box (substitution-box) is a basic component of symmetric key algorithms which performs substitution. In block ciphers, they are typically used to obscure the relationship between the key and the ciphertext, thus ensuring Shannon's property of confusion. Mathematically, an S-box is a vectorial Boolean function.

A5/1 is a stream cipher used to provide over-the-air communication privacy in the GSM cellular telephone standard. It is one of several implementations of the A5 security protocol. It was initially kept secret, but became public knowledge through leaks and reverse engineering. A number of serious weaknesses in the cipher have been identified.

<span class="mw-page-title-main">Serpent (cipher)</span>

Serpent is a symmetric key block cipher that was a finalist in the Advanced Encryption Standard (AES) contest, where it was ranked second to Rijndael. Serpent was designed by Ross Anderson, Eli Biham, and Lars Knudsen.

Phelix is a high-speed stream cipher with a built-in single-pass message authentication code (MAC) functionality, submitted in 2004 to the eSTREAM contest by Doug Whiting, Bruce Schneier, Stefan Lucks, and Frédéric Muller. The cipher uses only the operations of addition modulo 2³², exclusive or, and rotation by a fixed number of bits. Phelix uses a 256-bit key and a 128-bit nonce, claiming a design strength of 128 bits. Concerns have been raised over the ability to recover the secret key if the cipher is used incorrectly.

Akelarre is a block cipher proposed in 1996, combining the basic design of IDEA with ideas from RC5. It was shown to be susceptible to a ciphertext-only attack in 1997.

In cryptography, MUGI is a pseudorandom number generator (PRNG) designed for use as a stream cipher. It was among the cryptographic techniques recommended for Japanese government use by CRYPTREC in 2003, however, has been dropped to "candidate" by CRYPTREC revision in 2013.

Bart Preneel is a Flemish cryptographer and cryptanalyst. He is a professor at Katholieke Universiteit Leuven, in the COSIC group.

E0 is a stream cipher used in the Bluetooth protocol. It generates a sequence of pseudorandom numbers and combines it with the data using the XOR operator. The key length may vary, but is generally 128 bits.

eSTREAM is a project to "identify new stream ciphers suitable for widespread adoption", organised by the EU ECRYPT network. It was set up as a result of the failure of all six stream ciphers submitted to the NESSIE project. The call for primitives was first issued in November 2004. The project was completed in April 2008. The project was divided into separate phases and the project goal was to find algorithms suitable for different application profiles.

VEST (Very Efficient Substitution Transposition) ciphers are a set of families of general-purpose hardware-dedicated ciphers that support single pass authenticated encryption and can operate as collision-resistant hash functions designed by Sean O'Neil, Benjamin Gittins and Howard Landman. VEST cannot be implemented efficiently in software.

Grain is a stream cipher submitted to eSTREAM in 2004 by Martin Hell, Thomas Johansson and Willi Meier. It has been selected for the final eSTREAM portfolio for Profile 2 by the eSTREAM project. Grain is designed primarily for restricted hardware environments. It accepts an 80-bit key and a 64-bit IV. The specifications do not recommend a maximum length of output per pair. A number of potential weaknesses in the cipher have been identified and corrected in Grain 128a which is now the recommended cipher to use for hardware environments providing both 128bit security and authentication.

In cryptography, Mir-1 is a software-oriented stream cypher algorithm developed by Alexander Maximov. The algorithm was submitted to the eSTREAM project of the eCRYPT network in 2005. Mir-1 is named after the Russian space station Mir.

<span class="mw-page-title-main">Crypto-1</span> Stream cipher

Crypto1 is a proprietary encryption algorithm and authentication protocol created by NXP Semiconductors for its MIFARE Classic RFID contactless smart cards launched in 1994. Such cards have been used in many notable systems, including Oyster card, CharlieCard and OV-chipkaart.

This article summarizes publicly known attacks against block ciphers and stream ciphers. Note that there are perhaps attacks that are not publicly known, and not all entries may be up to date.

In cryptography, Mutual Irregular Clocking KEYstream generator (MICKEY) is a stream cipher algorithm developed by Steve Babbage and Matthew Dodd. The cipher is designed to be used in hardware platforms with limited resources, and was one of the three ciphers accepted into Profile 2 of the eSTREAM portfolio. The algorithm is not patented and is free for any use.

PRESENT is a lightweight block cipher, developed by the Orange Labs (France), Ruhr University Bochum (Germany) and the Technical University of Denmark in 2007. PRESENT was designed by Andrey Bogdanov, Lars R. Knudsen, Gregor Leander, Christof Paar, Axel Poschmann, Matthew J. B. Robshaw, Yannick Seurin, and C. Vikkelsoe. The algorithm is notable for its compact size.

Prince is a block cipher targeting low latency, unrolled hardware implementations. It is based on the so-called FX construction. Its most notable feature is the alpha reflection: the decryption is the encryption with a related key which is very cheap to compute. Unlike most other "lightweight" ciphers, it has a small number of rounds and the layers constituting a round have low logic depth. As a result, fully unrolled implementation are able to reach much higher frequencies than AES or PRESENT. According to the authors, for the same time constraints and technologies, PRINCE uses 6–7 times less area than PRESENT-80 and 14–15 times less area than AES-128.

References

↑ Gammel, Berndt M.; Göttfert, Rainer; Kniffler, Oliver (30 June 2006). "ACHTERBAHN-128/80" (PDF). ECRYPT Stream Cipher Project Report.
↑ Naya-Plasencia, María (March 26–28, 2007). Cryptanalysis of Achterbahn-128/80 (PDF). Fast Software Encryption, 14th International Workshop. Revised Selected Papers, Lecture Notes in Computer Science. Vol. 4593. Luxembourg: Springer. pp. 73–86. ISBN 978-3-540-74617-1.
↑ Naya-Plasencia, María (July 4–6, 2007). Cryptanalysis of Achterbahn-128/80 with a New Keystream Limitation (PDF). Research in Cryptology: Second Western European Workshop, WEWoRC. Revised Selected Papers, Lecture Notes in Computer Science. Vol. 4945. Bochum, Germany: Springer. pp. 142–152. ISBN 978-3-540-88352-4.
↑ Gammel, Berndt M.; Göttfert, Rainer; Kniffler, Oliver (Jan 31 – Feb 1, 2007). Achterbahn-128/80: Design and Analysis. Workshop Record of The State of the Art of Stream Ciphers - SASC. Ruhr University Bochum, Germany. pp. 152–165. Archived from the original on July 24, 2007.
↑ Göttfert, Rainer; Gammel, Berndt M. (July 1–6, 2007). Helleseth, T.; Kumar, V.; Ytrehus, Ø. (eds.). On the frame length of Achterbahn-128/80 (PDF). Proceedings of the 2007 IEEE Information Theory Workshop on Information Theory for Wireless Networks. Solstrand, Norway. pp. 91–95. ISBN 978-1-4244-1199-3.
↑ Gammel, Berndt M.; Göttfert, Rainer; Kniffler, Oliver (30 June 2006). "ACHTERBAHN-128/80" (PDF). Achterbahn home page.{{cite journal}}: Cite journal requires |journal= (help)

External links

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[1] Gammel, Berndt M.; Göttfert, Rainer; Kniffler, Oliver (30 June 2006). "ACHTERBAHN-128/80" (PDF). ECRYPT Stream Cipher Project Report.

[2] Naya-Plasencia, María (March 26–28, 2007). Cryptanalysis of Achterbahn-128/80 (PDF). Fast Software Encryption, 14th International Workshop. Revised Selected Papers, Lecture Notes in Computer Science. Vol. 4593. Luxembourg: Springer. pp. 73–86. ISBN 978-3-540-74617-1.

[3] Naya-Plasencia, María (July 4–6, 2007). Cryptanalysis of Achterbahn-128/80 with a New Keystream Limitation (PDF). Research in Cryptology: Second Western European Workshop, WEWoRC. Revised Selected Papers, Lecture Notes in Computer Science. Vol. 4945. Bochum, Germany: Springer. pp. 142–152. ISBN 978-3-540-88352-4.

[4] Gammel, Berndt M.; Göttfert, Rainer; Kniffler, Oliver (Jan 31 – Feb 1, 2007). Achterbahn-128/80: Design and Analysis. Workshop Record of The State of the Art of Stream Ciphers - SASC. Ruhr University Bochum, Germany. pp. 152–165. Archived from the original on July 24, 2007.

[5] Göttfert, Rainer; Gammel, Berndt M. (July 1–6, 2007). Helleseth, T.; Kumar, V.; Ytrehus, Ø. (eds.). On the frame length of Achterbahn-128/80 (PDF). Proceedings of the 2007 IEEE Information Theory Workshop on Information Theory for Wireless Networks. Solstrand, Norway. pp. 91–95. ISBN 978-1-4244-1199-3.

[6] Gammel, Berndt M.; Göttfert, Rainer; Kniffler, Oliver (30 June 2006). "ACHTERBAHN-128/80" (PDF). Achterbahn home page.{{cite journal}}: Cite journal requires |journal= (help)

[1]

[2]

[3]

[4]

[5]

[6]

	ACHTERBAHN-80	ACHTERBAHN-128
Max. key length	80 bit	128 bit
Max. IV length	80 bit	128 bit
Max. frame length	2⁴⁴	2⁴⁴
Internal state	297 bit	351 bit