ISO/IEC 29192-3: Lightweight Cryptography — Part 3: Stream Ciphers

Trivium, Enocoro, and lightweight keystream generation for constrained platforms

Stream ciphers hold a special place in lightweight cryptography because their internal state machines map naturally to small, fast digital circuits. Unlike block ciphers, which must process data in fixed-size chunks, stream ciphers generate a continuous keystream that can be XORed with plaintext of arbitrary length — a property that is particularly valuable in protocols with variable-length packets. ISO/IEC 29192-3 standardises lightweight stream ciphers that achieve extremely compact hardware footprints while providing at least 80-bit security.

The defining advantage of a lightweight stream cipher is that the encryption and decryption datapaths are identical (XOR with keystream). This halves the hardware validation burden compared to a block cipher, where encryption and decryption often use different circuit paths.

Trivium — A Hardware-Optimised Keystream Generator

Design and Structure

Trivium uses a 288-bit internal state organised as three non-linear feedback shift registers (NLFSRs) of lengths 93, 84, and 111 bits. At each clock tick, the state is updated by tapping specific bit positions, feeding them through AND and XOR gates, and cycling the registers. The design is remarkable for its simplicity: the entire cipher can be described in fewer than 20 lines of C code, and a hardware implementation fits in approximately 2 600 GE — including key and IV setup logic. Each clock cycle produces one keystream bit, giving a throughput of 1 bit per cycle.

Trivium’s key and IV setup requires 1 152 initial clock cycles before the keystream is ready. In applications where the device frequently rekeys (e.g., per-packet keys), this setup latency must be factored into throughput calculations. For 100-byte packets at 10 MHz, this represents a roughly 14 % throughput penalty.

Enocoro — An Alternative NLFSR Design

Comparison with Trivium

Enocoro is a family of lightweight stream ciphers also included in the standard. Enocoro-128v2 uses a 320-bit internal state and produces 64 bits of keystream per clock cycle, offering higher throughput than Trivium at the cost of a modest area increase (~3 500 GE). Enocoro was designed with a focus on resistance to time-memory-data trade-off attacks, which can be a concern for Trivium when the IV length is short.

| Parameter | Trivium | Enocoro-128v2 | Grain-128a |
|---|---|---|---|
| Internal state (bits) | 288 | 320 | 256 |
| Key size (bits) | 80 | 128 | 128 |
| Keystream per cycle | 1 bit | 64 bits | 1 bit |
| Gate count (GE) | ~2 600 | ~3 500 | ~2 900 |
| Setup cycles | 1 152 | 640 | 256 |
| Target security | 80-bit | 128-bit | 128-bit |

Engineering Design Insights

Mode of Operation Considerations

Stream ciphers operate in a synchronous mode by default — the keystream depends only on the key and IV, not on the plaintext or ciphertext. This makes them naturally parallelisable and suitable for pipelined hardware. However, it also means that bit errors in transmission propagate 1:1 (no error extension), which is beneficial in noisy wireless channels. The downside: there is no built-in authentication. Engineers must combine a stream cipher with a separate MAC (such as those in ISO/IEC 29192-6) to provide authenticated encryption.

Side-Channel and Fault Attack Countermeasures

The standard mandates that implementations document resistance to simple power analysis (SPA) and fault injection. For Trivium, the linear feedback structure makes certain fault-injection attacks feasible if the state can be frozen. Recommended countermeasures include dual-rail logic, temporal redundancy, and state-masking techniques that add approximately 15–30 % to the area cost.

For short-packet wireless protocols (e.g., Bluetooth Low Energy advertising channels or IEEE 802.15.4 beacon frames), Trivium’s low setup overhead per packet and tiny gate count make it one of the most efficient encryption primitives available today.

Never reuse a (key, IV) pair with a stream cipher. Because the keystream is deterministic, reusing the same key and IV produces identical keystream, and XORing two ciphertexts cancels the keystream, revealing the XOR of the plaintexts. This is the most common implementation mistake with stream ciphers.

Frequently Asked Questions

Q1: Can Trivium be implemented efficiently in software on an 8-bit MCU?
Although Trivium was designed for hardware, its small state (288 bits) fits comfortably in the register file of most 8-bit MCUs. A bit-serial software implementation can achieve around 4–8 cycles per byte, which is acceptable for many low-data-rate sensor applications.

Q2: What is the maximum data that can be safely encrypted with one key/IV pair?
The standard recommends a limit of 2⁴⁰ bits (approximately 128 GB) under a single key/IV combination for Trivium. Beyond this, the probability of internal state collision becomes non-negligible.

Q3: How does Trivium compare to AES-CTR mode for lightweight use?
AES-CTR is a stream cipher mode built on a block cipher. A compact AES-128 implementation requires ~3 400 GE, while Trivium needs only ~2 600 GE. For applications constrained below 3 000 GE, Trivium is the preferred choice.

Q4: Are there any patents or licensing restrictions on Trivium?
Trivium was submitted to the eSTREAM project and is explicitly placed in the public domain. No licensing restrictions apply. Enocoro is also published as an open specification.
