Table of Contents Author Guidelines Submit a Manuscript
Mathematical Problems in Engineering
Volume 2015 (2015), Article ID 616182, 6 pages
Research Article

Enhanced-Bivium Algorithm for RFID System

School of Information Security Engineering, Shanghai Jiaotong University, 800 Dongchuan Road, Shanghai 200240, China

Received 3 March 2015; Accepted 16 July 2015

Academic Editor: Anna Pandolfi

Copyright © 2015 Shiyong Zhang et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.


RFID (radio frequency identification) is an emerging technology for automatic identification of physical objects using radio frequency. The security and privacy of the system is increasingly concerned and some light-weight encryption schemes such as Trivium and Bivium have been proposed. In this paper, the internal structure of Bivium is exploited and generalized to an algorithm called Bivium-Model. It is shown that the original Bivium has its inherent imperfections due to the improper parameter selection. A set of better parameters are given out to fix the security vulnerability of original Bivium. Emulation results also show that the Enhanced-Bivium algorithm achieves lower power consumption and lower die size.

1. Introduction

RFID (radio frequency identification) systems are used for the automatic retrieval of data about any object which is equipped with a small circuit called RFID tag. The tag retrieved by a reader device could be used for tracking of goods in industrial systems. In this paper we focus on passive tags that receive their energy from the reader field. For this kind of RFID tags, the field’s intensity and the received power consumption are both limited. Therefore, power-aware designing of the tag circuitry is necessary for RFID application [1].

On the other hand, the security and privacy of the system is increasingly concerned because a reader can scan and obtain the data from any tags if they are accessed without any authorization. Some encryption schemes were developed based on classic cipher algorithms such as Advanced Encryption Standard (AES) or Elliptic Curve Cryptography (ECC) [24]; Others utilised the hash-based algorithm, pseudo random number generator, and Cyclic Redundancy Check (CRC) function with some XOR and rotation operations [58].

However, these schemes are all based on traditional cryptography techniques, which are too costly for the RFID tags. In order to embed the cipher engine into the low-price passive tags, light-weight cipher design is needed.

Trivium is a notable light-weight stream cipher designed by De Cannire and Preneel, submitted to the European eSTREAM project in April 2005 [9]. It contains 3 rounds in each iteration. In 2007, Raddum proposed a reduced version of Trivium, named as Bivium [10]. He tried to reduce the process of Trivium from 3 to 2 rounds so as to further lower the complexity. However, Bivium has severe security problems. Maximov and Biryukov study two attacks on Trivium [11], which are state recovering and statistical tests. The former is regarded as the best result for attacking Bivium so far and the time complexity to break Bivium is about . Raddum also presents a technique to solve systems of equations associated with Trivium and successfully breaks Bivium in one day [10]. But his attack is very complex when applied to the full cipher and is not faster than exhaustive search. Borghoff et al. presents a numerical attack on Biviums. However, the estimated time complexity of this attack is about [12].

Based on the above work, in this paper we aim to design a 2-round Bivium-like cipher algorithm without compromising the security and still keeping low resource consumption. Our method is to exploit the internal structure of Bivium and generalize it to an algorithm called “Bivium-Model,’’ which can be used to analyze the root cause of Bivium’s weakness. By adjusting the parameters of “Bivium-Model,’’ an “Enhanced-Bivium’’ with better security and power performance will be proposed.

The following part of the paper is organized as follows. The generalized “Bivium-Model’’ algorithm will be described in Section 2. Section 3 will analyze the security of the original Bivium and then present an “Enhanced-Bivium.’’ Section 4 will compare the resource consumption of Trivium, Bivium, and Enhanced-Bivium through emulation results. The conclusion and future work will be given in Section 5.

Notation 1. Bold symbols in capital letter and small letter denote matrices and vectors, respectively. is the determinant of a square matrix. stands for the identity matrix. denotes the Galois field of two elements. means is divisible by .

2. Bivium-Model Algorithm

Trivium [9] is designed to generate up to  bits of key stream from an 80-bit secret key (Key) and an 80-bit initial value (IV). The process consists of two phases: first the internal state of the cipher is initialized using Key and IV; then the state is repeatedly updated and used to generate key stream bits. There are 288 bits in the internal state. Figure 1 shows the structure of the algorithm. Each iteration consists of 3 rounds with similar structure.

Figure 1: Structure of Trivium.

Bivium proposed by Raddum [10] is a reduced version of Trivium. It breaks the cipher into smaller parts and reconstructs these parts as 2 rounds. The internal state of Bivium drops to 177 bits. Denote the intermediate variable as , and the output stream as , with standing for the number of output bits. The complete process of the generation key-stream phase is given by the pseudo-code shown in Algorithm 1.

Algorithm 1: Bivium algorithm.

By extracting the sequence index of Algorithm 1, the process of Bivium can be generalized to a “Bivium-Model’’ algorithm, shown as Algorithm 2. , , and are the parameters of Algorithm 2. We will show in later section that these indices actually correspond to the degree of the characteristic polynomials.

Algorithm 2: Generalized “Bivium-Model” algorithm.

The structure of the Bivium-Model algorithm is given by Figure 2. Key and IV are loaded as follows:

Figure 2: Structure of Bivium-Model.

By this way, any of the Bivium-like algorithm can then be represented by and tuples.

Proposition 1. Bivium algorithm is a Bivium-Model algorithm, with parameters shown in Table 1.

Table 1: Parameters of Bivium.

3. Security Analysis and “Enhanced-Bivium’’

The original Bivium algorithm has some security problems. In this section, we will analyze its security based on the generalized “Bivium-Model’’ algorithm and adjust the parameters to induce a better performance.

We begin by studing the property of Bivium-Model algorithm. Denote the internal state bits at time as ; then the internal bits from time to time can be expressed aswhere is the state-transition matrix of the algorithm with size : is the nonlinear part of the algorithm which is treated as vectors of bits: Hence we can get the theorem as follows:

Theorem 2. The characteristic polynomial of Bivium-Model algorithm is in the following form:where is a polynomial.

Proof. is the state transformation matrix of Bivium-Model algorithm defined in (3). The characteristic polynomial isLet ; we have .
Denote ; we only need to prove that . That is to say, we need to prove that the constant coefficient and the monomial coefficient of are both .
The constant coefficient of isThe monomial coefficient of isTherefore,

Here, we define the term “-order primitive polynomial’’ to evaluate the property of the characteristic polynomial, .

Definition 3. Given , , , , is called a -order primitive polynomial if , where is a primitive polynomial.

Proposition 4. Primitive polynomial is 0-order primitive polynomial.

Proposition 5. The characteristic polynomial of the Bivium is not a 2-order primitive polynomial.

Proof. By (6), the transformation matrix of the Bivium can be expressed asHere is not a primitive polynomial and can be decomposed asTherefore is not a 2-order primitive polynomial.

From Proposition 5, we can see that the characteristic polynomial of the Bivium algorithm is not a 2-order primitive polynomial. Therefore, it cannot guarantee large periods, and this is the root cause for the state recovering attack on Bivium [11].

In order to the solve the imperfection of the original Bivium, we try to choose sets of better parameters. Direct calculation of all the 2-order primitive polynomials is too complex. Therefore we determine the parameters under the following conditions:(1)The characteristic polynomial of the new parameters is a 2-order primitive polynomial.(2)To reduce the resource consumption while keeping the security, we specially fix the value and the range of .(3)To improve the security, we suppose .

However, except for condition 1, the other 2 conditions do not necessarily result in the best parameter set. We just guarantee that the parameters that meet these conditions are more likely to be better. We use Maple to search the parameters [13]. The code is shown in Algorithm 3.

Algorithm 3: Maple code for parameter selection.

Algorithm 3 outputs more than 200 results, and we choose one of these parameter sets, shown in Table 2: and the resulting algorithm is referred to as “Enhanced-Bivium.’’

Table 2: Parameters of Enhanced-Bivium.

Proposition 6. The characteristic polynomial of “Enhanced-Bivium’’ is a 2-order primitive polynomial.

Proof. By (6), the transformation matrix of the “Enhanced-Bivium’’ can be expressed aswhereand it can be verified that is a primitive polynomial.
Therefore is a 2-order primitive polynomial.

According to Proposition 6, the new set of parameters ensure to be a 2-order primitive polynomial, thus making the resulting algorithm more resistant to the state recovering attack.

Note that the characteristic polynomial of the 3-round Trivium [9] can be derived in a similar way, expressed bywhere is a primitive polynomial which can be expressed asTherefore, we will have the following proposition.

Proposition 7. The characteristic polynomial of the Trivium algorithm is a 3-order primitive polynomial.

Finally, we compare the Trivium, Bivium, and Enhanced-Bivium under the state recovering attack. The result is shown in Table 3.

Table 3: Comparison of three algorithms under state recovering attack.

It is observed that the Trivium algorithm is most robust to state recovering attack. Bivium algorithm can be broken in time around , which is a relatively low level. “Enhanced-Bivium’’ performs much better than original Bivium due to its 2-order primitive structure.

4. Emulation Results for Resource Consumption

For hardware emulation, we use protocols for symmetric challenge-response techniques based on encryption which are defined in the ISO/IEC 9798-2 standard [14]. Unilateral authentication works as follows: there are two partners and . Both possess the same private key . sends a random number to . then encrypts the random number with the shared key and sends it back to . proofs the result and can verify the identity of .

In order to achieve a significant economic benefit from using RFID systems, tags will need to be priced under US$ 0.10 [15]. The available power consumption for the digital part of the RFID tag is amounting to 20 μA. Estimating the current consumption of the digital controller to be 5 μA, 15 μA remains for the Bivium-Model module which should not exceed a chip area of 5,000 gates [3]. In a word, the less gates, the better.

We use Verilog to simulate the “Enhanced-Bivium’’ algorithm as well as other algorithms and use Lattice Diamond which can offer tools optimized for FPGA architectures to simulate the hardware property and action on LFXP3C-5T100C. The implementation of the data-path of Enhanced-Bivium algorithm has a current consumption of 0.41 . The required hardware complexity is estimated to be 2109 gates. The resource consumption of Trivium, Bivium, Enhanced-Bivium, and AES algorithm are shown in Table 4 and the comparison is based on energy consumption and gate equivalent (GE) count.

Table 4: Resource consumption of 4 cipher algorithm.

From the result, it can be seen that, compared to the 3-round Trivium, Bivium and Enhanced-Bivium have better performance due to less internal rounds. Furthermore, Enhanced-Bivium consumes even lower resources than the original Bivium; this is because the internal state bits of Enhanced-Bivium drops from 177 to 174 bits and the degree of the characteristic polynomial of the Enhanced-Bivium is lower than the degree of original Bivium.

5. Conclusion and Future Work

In this paper, an “Enhanced-Bivium’’ encryption scheme is proposed to meet the need of the RFID system in terms of high security and low resource consumption. The internal structure of Bivium is studied and generalized to “Bivium-Model’’ algorithm. A set of better parameters are given out to fix the security vulnerability of the original Bivium under state-recover attack. Emulation results show that it also achieves lower power consumption and die size.

We will continue to study the property of “Bivium-Model’’ algorithm. Future work will focus on the search of new parameters with better consideration of the balance of security and effectiveness.

Conflict of Interests

The authors declare that there is no conflict of interests regarding the publication of this paper.


This work was supported in part by International Researcher Exchange Project of National Science Foundation of China and Centre national de la recherche scientifique de France (NSFC-CNRS) under Grant no. 61211130104 and National Science Foundation of China under Grant no. 61271220.


  1. K. Finkenzeller, RFID-Handbook, Springer, Berlin, Germany; Carl Hanser, Munchen, Germany, 2nd edition, 2003.
  2. J.-S. Chou, Y. Chen, C.-L. Wu, and C.-F. Lin, “An efficient RFID mutual authentication scheme based on ECC,” Cryptology ePrint Archive Report 2011/418, IACR, 2011. View at Google Scholar
  3. M. Feldhofer, S. Dominikus, and J. Wolkerstorfer, “Strong authentication for RFID systems using the AES algorithm,” in Proceedings of the Workshop on Cryptographic Hardware and Embedded Systems (CHES '04), Cambridge, Mass, USA, August 2004.
  4. T. A. Pham, M. S. Hasan, and H. Yu, “A RFID mutual authentication protocol based on AES algorithm,” in Proceedings of the UKACC International Conference on Control (CONTROL '12), pp. 997–1002, Cardiff, UK, September 2012. View at Publisher · View at Google Scholar · View at Scopus
  5. E.-J. Yoon, “Improvement of the securing RFID systems conforming to EPC Class 1 Generation 2 standard,” Expert Systems with Applications, vol. 39, no. 1, pp. 1589–1594, 2012. View at Publisher · View at Google Scholar · View at Scopus
  6. H. Li, Y. Ping, W. Xuan, and L. Pang, “A novel hash-based RFID mutual authentication protocol,” in Proceedings of the 7th International Conference on Computational Intelligence and Security (CIS '11), pp. 774–778, December 2011. View at Publisher · View at Google Scholar · View at Scopus
  7. T.-C. Yeh, Y.-J. Wang, T.-C. Kuo, and S.-S. Wang, “Securing RFID systems conforming to EPC class 1 generation 2 standard,” Expert Systems with Applications, vol. 37, no. 12, pp. 7678–7683, 2010. View at Publisher · View at Google Scholar · View at Scopus
  8. Y. Liu, “An efficient RFID authentication protocol for low-cost tags,” in Proceedings of the IEEE/IFIP International Conference on Embedded and Ubiquitous Computing (EUC '08), pp. 180–185, December 2008. View at Publisher · View at Google Scholar · View at Scopus
  9. C. De Cannire and B. Preneel, “TRIVIUM specifications,” eSTREAM , ECRYPT stream Cipher Project 2005/030, April 2005, View at Google Scholar
  10. H. Raddum, Cryptanalytic Results on Trivium, 2007,
  11. A. Maximov and A. Biryukov, “Two trivial attacks on TRIVIUM,” in SASC 2007: The State of the Art of Stream Ciphers, pp. 1–16, 2007. View at Google Scholar
  12. J. Borghoff, L. R. Knudsen, and M. Stolpe, “Bivium as a mixed-integer linear programming problem,” in Cryptography and Coding: 12th IMA International Conference, Cryptography and Coding 2009, Cirencester, UK, December 15–17, 2009. Proceedings, M. G. Parker, Ed., vol. 5921 of Lecture Notes in Computer Science, pp. 133–152, Springer, Heidelberg, Germany, 2009. View at Publisher · View at Google Scholar
  13. Maplesoft, division of Waterloo Maple, Incorporation,
  14. International Organization for Standardization, “Information technology—security techniques entity authentication mechanisms part 2: entity authentication using symmetric techniques,” ISO/IEC 9798-2, ISO/IEC, 1993. View at Google Scholar
  15. S. E. Sarma, S. A. Weis, and D. W. Engels, “RFID systems and security and privacy implications,” in Cryptographic Hardware and Embedded Systems—CHES 2002: 4th International Workshop Redwood Shores, CA, USA, August 13–15, 2002 Revised Papers, vol. 2523 of Lecture Notes in Computer Science, pp. 454–470, Springer, Berlin, Germany, 2002. View at Publisher · View at Google Scholar