A Key-Recovery Attack on 855-round Trivium

  • Ximing Fu
  • Xiaoyun Wang
  • Xiaoyang Dong
  • Willi Meier
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10992)


In this paper, we propose a key-recovery attack on Trivium reduced to 855 rounds. As the output is a complex Boolean polynomial over secret key and IV bits and it is hard to find the solution of the secret keys, we propose a novel nullification technique of the Boolean polynomial to reduce the output Boolean polynomial of 855-round Trivium. Then we determine the degree upper bound of the reduced nonlinear boolean polynomial and detect the right keys. These techniques can be applicable to most stream ciphers based on nonlinear feedback shift registers (NFSR). Our attack on 855-round Trivium costs time complexity \(2^{77}\). As far as we know, this is the best key-recovery attack on round-reduced Trivium. To verify our attack, we also give some experimental data on 721-round reduced Trivium.


Trivium Nullification technique Polynomial reduction IV representation Key-recovery attack 

1 Introduction

Most symmetric cryptographic primitives can be described by boolean functions over secret variables and public variables. The secret variables are often key bits, the public variables are often plaintext bits for block ciphers and IV bits for stream ciphers. The ANF (algebraic normal form) representation of the output is usually very complex by repeatedly executing a simple iterative function, where the iterative function is a round function for block ciphers or a feedback function for stream ciphers based on nonlinear feedback shift registers. For stream ciphers, obtaining the exact output boolean functions is usually impossible. But if its degree is low, the cipher can not resist on many known attacks, such as higher order differential attacks [13, 15], cube attacks [1, 4], and integral attacks [14]. Hence, it is important to reduce the degree of polynomials for cryptanalysis of stream ciphers.

Trivium, based on a nonlinear feedback shift register (NFSR), is one of the finalists by eSTREAM project and has been accepted as ISO standard [2, 10]. Trivium has a simple structure, with only bit operations, so that it can be applicable to source restricted applications such as RFID. By iteratively using NFSR, the degree increases rapidly and the output is a complex boolean function over key and IV bits.

There have been lots of cryptanalysis of Trivium since its submission. The early results include the chosen IV statistical attack [6, 7], which was applied to key-recovery attack on Trivium reduced to 672 rounds. Inspired by the message modification technique [20, 21], Knellwolf et al. invented the conditional differential tool [11], which was applicable to distinguishing stream ciphers based on NFSR. In [12], Knellwolf et al. proposed a distinguishing attack on 961-round Trivium with practical complexity for weak keys.

Cube attacks are the major methods for recent cryptanalysis results of reduced round Trivium. In [4], Dinur and Shamir proposed a practical full key recovery on Trivium reduced to 767 rounds, using cube attacks. Afterwards, Aumasson et al. [1] provided the distinguishers of 790-round Trivium with complexity \(2^{30}\). Then Fouque and Vannet [8] provided a practical full key recovery for 784/799 rounds Trivium. Todo et al. [19] proposed a key-recovery attack on 832-round Trivium, where one equivalent bit can be recovered with complexity of around \(2^{77}\), combined with division property [18]. All of these attacks exploited low degree properties of the ANF of the output bit over IV bits. As though the degree is not low, i.e., the degree is equal to the number of variables, there is a possibility to construct distinguishers if there are missing (IV) terms. In [3, 5], Dinur and Shamir exploited the density of IV terms, combined with nullification technique, and broke the full-round Grain128. Based on nullification technique [3, 5], degree evaluation and IV representation techniques were proposed and the missing IV terms can be obtained with probability 1 [9]. The degree upper bounds of Trivium-like ciphers were obtained [16] using the degree evaluation techniques. Then a key-recovery attack on 835-round Trivium was proposed in [17] using correlation cube attack with a complexity of \(2^{75}\). Though the cube attack and cube tester tools can be applied to obtain the low-degree information, it is restricted by the computing ability. It is hard to execute cube tester programs of dimension more than 50 on a small cluster of cores.

In this paper, we focus on the cryptanalysis on round-reduced Trivium. We first propose a novel observation of the Boolean polynomial and invent a new nullification technique for reducing the output Boolean polynomial. After nullification, we determine the degree upper bound of the reduced polynomial, which can serve as the distinguishers. In this process, large quantities of state terms arise to be processed. We present a series of techniques to help discard monomials, including degree evaluation and degree reduction techniques. Based on these reduction techniques for boolean polynomials, we propose the first key-recovery attack on 855-round Trivium with time complexity \(2^{77}\). We summarize the related results in Table 1.
Table 1.

Some related key-recovery results for reduced round Trivium.





















Sect. 4

The rest of the paper is organised as follows. In Sect. 2, some basic related preliminaries will be shown. The basic techniques used in this paper and the attack framework will be introduced in Sect. 3. Based on the Boolean polynomial reduction techniques and IV representation, a key recovery attack on 855-round Trivium is proposed in Sect. 4, combined with a new nullification technique. Finally, Sect. 5 summarizes the paper.

2 Preliminaries

In this section, some basic notations used in this paper are introduced in the following subsections.

2.1 Notations

2.2 Brief Description of Trivium

Trivium can be described by a 288-bit nonlinear feedback shift register \(s_{i}\) (\(1\le i\le 288\)). During the initialization stage, \(s_{1}\) to \(s_{80}\) are set to 80 key bits, \(s_{94}\) to \(s_{173}\) are set with 80 IV bits, \(s_{286}\), \(s_{287}\), \(s_{288}\) are set to 1s and the other state bits are set to zeros, i.e.,

\((s_1,s_2,\ldots ,s_{93})\leftarrow (K_0,\ldots ,K_{79},0,\ldots ,0)\)

\((s_{94},s_{95},\ldots ,s_{177})\leftarrow (IV_0,\ldots ,IV_{79},0,\ldots ,0)\)

\((s_{178},s_{179},\ldots ,s_{288})\leftarrow (0,\ldots ,0,1,1,1).\)

Then the NFSR is updated for 1152 rounds with the following updating function, i.e.,

\(\mathbf {for}\) \(i\leftarrow 1:4\cdot 288\) \(\mathbf {do}\)

   \(t_{1}\leftarrow s_{66}+s_{91}\cdot s_{92}+s_{93}+s_{171}\)

   \(t_{2}\leftarrow s_{162}+s_{175}\cdot s_{176}+s_{177}+s_{264}\)

   \(t_{3}\leftarrow s_{243}+s_{286}\cdot s_{287}+s_{288}+s_{69}\)

   \((s_{1},s_{2},\ldots ,s_{93})\leftarrow (t_3,s_{1},\ldots ,s_{92})\)

   \((s_{94},s_{95},\ldots ,s_{177})\leftarrow (t_1,s_{94},\ldots ,s_{176})\)

   \((s_{178},s_{179},\ldots ,s_{288})\leftarrow (t_2,s_{178},\ldots ,s_{287})\)

\(\mathbf {end~for}\)

After the initialization, the output bits \(o_{i}\) can be generated by the following functions.

\(\mathbf {for}\) \(i\leftarrow 1:N\) \(\mathbf {do}\)

   \(t_{1}\leftarrow s_{66}+s_{91}\cdot s_{92}+s_{93}+s_{171}\)

   \(t_{2}\leftarrow s_{162}+s_{175}\cdot s_{176}+s_{177}+s_{264}\)

   \(t_{3}\leftarrow s_{243}+s_{286}\cdot s_{287}+s_{288}+s_{69}\)

   \(o_{i}\leftarrow s_{66}+s_{93}+s_{162}+s_{177}+s_{243}+s_{288}\)

   \((s_{1},s_{2},\ldots ,s_{93})\leftarrow (t_3,s_{1},\ldots ,s_{92})\)

   \((s_{94},s_{95},\ldots ,s_{177})\leftarrow (t_1,s_{94},\ldots ,s_{176})\)

   \((s_{178},s_{179},\ldots ,s_{288})\leftarrow (t_2,s_{178},\ldots ,s_{287})\)

\(\mathbf {end~for}\)

Then the message can be encrypted by exclusive-or with \(o_{i}\). To outline our technique more conveniently, we describe Trivium using the following iterative expression. We use \(s_{w}^{r}\) (\(0\le w\le 2\)) shown in Eq. 1 to illustrate r-round (\(1\le r\le 1152\)) \(s_{1}\), \(s_{94}\) and \(s_{178}\) separately. Let \(z_{r}\) denote the output bit after r rounds of initialization. Then the initialization process can be illustrated by the following formula
$$\begin{aligned} \begin{array}{ll} s_{0}^{r}&{}=s_{2}^{r-66}+s_{2}^{r-109}s_{2}^{r-110}+s_{2}^{r-111}+s_{0}^{r-69},\\ s_{1}^{r}&{}=s_{0}^{r-66}+s_{0}^{r-91}s_{0}^{r-92}+s_{0}^{r-93}+s_{1}^{r-78},\\ s_{2}^{r}&{}=s_{1}^{r-69}+s_{1}^{r-82}s_{1}^{r-83}+s_{1}^{r-84}+s_{2}^{r-87}. \end{array} \end{aligned}$$
The \(s_{w}^{r}\) (\(0\le w\le 2\)) is denoted as internal state bit in this paper. The multiplication of state bits \(\displaystyle {\prod _{i\in I,j\in J}s_{i}^{j}}\) is denoted as a state term. The output can be described using the state terms as \(z_{r}=s_{0}^{r-65}+s_{0}^{r-92}+s_{1}^{r-68}+s_{1}^{r-83}+s_{2}^{r-65}+s_{2}^{r-110}\).

2.3 Representation of Boolean Functions for Stream Ciphers

Supposing that there are m IV bits, i.e., \(v_{0},v_{1},\ldots ,v_{m-1}\) and n key bits, i.e., \(k_{0},k_{1},\ldots ,k_{n-1}\), the Algebraic Normal Form (ANF) of the internal state bit or output bit s could be written as the following style:
$$\begin{aligned} s=\sum _{I,J}\prod _{i\in I}v_{i}\prod _{j\in J}k_{j}, \end{aligned}$$
where the sum operation is over field \(\mathbb {F}_2\). The \({\prod _{i\in I}v_{i}\prod _{j\in J}k_{j}}\) is also denoted as a state term of s and \(\prod _{i\in I}v_{i}\) is denoted as its corresponding IV term. Let IV term \(t_{I}=\prod _{i\in I}v_{i}\) be the multiplication of \(v_{i}\) whose indices are within I, the ANF of s can be rewritten as
$$\begin{aligned} s=\sum _{I}t_{I}g_{I}(k), \end{aligned}$$
where \(g_{I}(k)\) is the sum of the corresponding coefficient function of terms whose corresponding IV term is \(t_{I}\). The |I| is denoted as the degree of IV term \(t_{I}\), \(\deg (t_{I})\). The degree of s is \(\deg (s)=\texttt {max}_I\{\deg {(t_I)}\}\).

2.4 Cube Attack and Cube Tester

Cube attack [4] is introduced by Dinur and Shamir at EUROCRYPT 2009. This method is also known as high-order differential attack introduced by Lai [15] in 1994. It assumes the output bit of a cipher is a d-degree polynomial \(f(k_0...,k_{n-1},v_0...,v_{m-1})\) over GF(2). The polynomial can be written as a sum of two polynomials:
$$f(k_0...,k_{n-1},v_0...,v_{m-1})=t_I\cdot P+Q_{t_I}(k_0...,k_{n-1},v_0...,v_{m-1})$$
\(t_I\) is called maxterm and is a product of certain public variables, for example \((v_0,...,v_{s-1}),1\le s \le m\), which is called a cube \(C_{t_I}\); P is called superpoly; \(Q_{t_I}(k_0...,k_{n-1},v_0...,v_{m-1})\) is the remainder polynomial and none of its terms is divisible by \({t_I}\). The major idea of the cube attack is that the sum of f over all values of the cube \(C_{t_I}\) (cube sum) is:
$$\sum _{x'=(v_0,...,v_{s-1})\in C_{t_I}}f(k_0,...,k_{n-1},x',...v_{m-1}) = P$$
whose degree is at most d-s, where the cube \(C_{t_I}\) contains all binary vectors of length s and the other public variables are fixed to constants. In cube attack, P is a linear function over key bits. The key is recovered by solving a system of linear equations derived by different cubes \(C_{t_I}\).

Dynamic cube attack [5] is also introduced by Dinur and Shamir in FSE 2011. The basic idea is to find dynamic variables, which depend on some of the public cube variables and some private variables (the key bits), to nullify the complex function \(P = P_1 \cdot P_2 + P_3\), where the degree of \(P_{3}\) is relatively lower than the degree of P and \(P_{1} \cdot P_{2}\) is a complex function. Then guess the involved key bits and compute the dynamic cube variables to make \(P_1\) to be zero and the function is simplified greatly. The right guess of key bits will lead the cube sum to be zero otherwise the cube sums will be random generally.

Cube testers [1] are used to detect non-random properties. Suppose in Eq. 3, an IV term \({t_I}\) does not exist in the ANF of s, e.g. the coefficient \(g_{I}(k)=0\). Hence, the cube sum over cube \(C_{t_I}\) is definitely zero for different key guessing. However, if the IV term \({t_I}\) exists, the value of cube sum \(g_{I}(k)\) is dependent on the key guessing. This property was applied to break full-round Grain128 [5, 9].

3 Basic Ideas

3.1 New Observation of Boolean Polynomial Reduction

In this paper, we propose a new nullification technique based on a lemma as follows.

Lemma 1

Suppose z is the output polynomial of a cipher, and
$$\begin{aligned} z=P_{1}P_{2}+P_{3}. \end{aligned}$$
Then the polynomial can be reduced to a simpler one \((1+P_{1})z=(1+P_{1})P_{3}\) by multiplying \(1+P_{1}\) in both sides of Eq. (4) if \(\deg (P_{1}P_{2})>\deg ((1+P_{1})P_{3})\).

Lemma 1 can be verified by \((P_1+1)z=(P_1+1)P_{1}P_2+(P_1+1)P_3=(P_1+1)P_3\). In our cryptanalysis of Trivium, \(P_{1}\) is a simple polynomial over several IV bits and key bits, while \(P_{2}\) is much more complex than \(P_{3}\). In our nullification technique, we multiply \(P_{1}+1\) in both sides of Eq. (4) to nullify the most complex polynomial \(P_2\) without changing \(P_3\). The result \((1+P_{1})z=(1+P_{1})P_{3}\) could be analyzed by considering \(P_{3}\) and \(1+P_{1}\) independently, and then multiply them together to get \((1+P_{1})z\).

3.2 Outline of Our Attack

Based on the novel observation in Sect. 3.1, our attack includes two phases, which are the preprocessing phase and on-line attack phase.

In the preprocessing phase,
  1. 1.

    We apply the new nullification technique by determining \(P_{1}\), then multiply \(1+P_{1}\) in both sides of Eq. 4 and obtain the reduced polynomial \((1+P_{1})P_{3}\).

  2. 2.

    We study the polynomial \((1+P_{1})P_{3}\) and prove its upper bound degree to be d mathematically, then cubes of dimension d + 1 lead to distinguishers.

In the on-line phase, we guess the partial key bits in \(P_{1}\), and compute the cube sums of \((P_1+1)z\) over (\(d+1\))-degree IV terms:
  1. i

    For the right key guessing, \((P_1+1)z=(P_1+1)P_3\). Thus the cube sums must be zero.

  2. ii

    For the wrong key guessing, the equation becomes \( (P'_1+1)z=(P'_1+1)P_{1}P_2+(P'_1+1)P_3\), which is more complex and dominated by \(P_2\), thus the cube sums are not always zero.


We focus on constructing the distinguishers in the preprocessing phase and it costs most computing sources.

3.3 Constructing Distinguishers

After obtaining the reduced polynomial \((1+P_{1})P_{3}\), our major work is to study this polynomial and derive distinguishers. In our analysis, we demonstrate that the degree of the reduced polynomial is strictly lower than 70. As the degree is so high, such a result was hard to achieve in previous works. So we introduce various details of reducing polynomials in an iterative process.

We introduce several techniques to discard monomials in advance during the iterative computation of the ANF representation of the output bit \((1+P_{1})P_{3}\). Suppose we are proving the upper bound degree of \((1+P_{1})P_{3}\)’s ANF to be d, then the following techniques are used to reduce the Boolean polynomial of \((1+P_{1})P_{3}\) by discarding monomials in advance. The whole process could be divided into the following three steps shown in Fig. 1.

  • Step 1. We compute forward to express the ANF of some internal state bits over IV bits and key bits. In Trivium, the internal state bits \(s_{i}^{j}\) (\(0\le i\le 2\), \(0\le j\le 340\)) are computed in a PC.

  • Step 2. During the iterative computation of the ANF representation of \((1+P_{1})P_{3}\) in the backward direction (decryption), we introduce the fast discarding monomial technique in Sect. 3.4, which includes the following two algorithms:
    • First, we propose the degree evaluation algorithm to obtain the degree bounds of internal state bits. As the monomials of \((1+P_{1})P_{3}\)’s ANF is a product of these internal state bits, the degree of a monomial is bounded by the sum of the degrees of the multiplied internal state bits, which is regarded as the degree estimation of the monomial. If the estimated degrees of monomials are lower than d, they are discarded directly.

    • Second, we exploit the iterative structure of Trivium, and find that the \((1+P_{1})P_{3}\)’s ANF contains many products of consecutive internal state bits. Thus, we pre-compute the degree reductions of those products, which is \(d_{t}=\sum _{i}\deg (x_{i})-\deg (\prod _{i}x_{i})\), where \(x_{i}\) is an internal state bit. Thus, the degree of a monomial is upper bounded by the difference value between the sum of the multiplied internal state bits and the corresponding degree reduction \(d_{t}\). If it is smaller than d, the monomial is discarded.

  • Step 3. For the left monomials of \((1+P_{1})P_{3}\)’s ANF, we introduce IV representation technique in Sect. 3.5 to determine the upper bound degree of \((1+P_{1})P_{3}\) or find the d-degree missing product of certain IV bits (missing IV term). In IV representation technique, the symbolic key bits in the internal state bits are removed and only IV bits are left. Combining with repeated IV term removing algorithm, we can simplify monomials of \((1+P_{1})P_{3}\)’s ANF without losing the missing IV term information. If we find an IV term is not in the IV representation of \((1+P_{1})P_{3}\), we can conclude that it is also not in \((1+P_{1})P_{3}\).

Fig. 1.

Framework of constructing distinguishers

3.4 Fast Discarding Monomial Techniques

In Step 2 of Fig. 1, during the iterative computation of the ANF representation of \((1+P_{1})P_{3}\) in the backward direction (decryption), there arise more and more state terms. We will give several techniques to simplify the polynomial by discarding monomials in advance. In this Step, repeated state terms arise according to the Trivium encryption scheme. The repeated state terms are removed using Algorithm 1. The complexity of Algorithm 1 is O(n), supposing there are n state terms.
Degree evaluation technique. As we are proving the degree of the Boolean polynomial \((1+P_{1})P_{3}\) to be d, thus many monomials with lower degree produced during the iterative computation backward (decryption) in Step 3 are deleted without consideration (we do not need to continue the iterative computation over those monomials). We estimate those monomials using degree information of the internal state bits in lower rounds. This section presents a degree evaluation algorithm for the internal state bits. For example, we are going to estimate the degree of \(b_{i}=b_{i-3}+b_{i-1}b_{i-2}\).
$$\begin{aligned} \begin{array}{ll} \deg (b_{i}) &{} =\deg (b_{i-3}+b_{i-1}b_{i-2})\\ &{}=\texttt {max}\{\deg (b_{i-3}), \deg (b_{i-1}b_{i-2})\}\\ &{}\le \texttt {max}\{\deg (b_{i-3}), \deg (b_{i-1})+\deg (b_{i-2})\} \end{array} \end{aligned}$$
If we continue to decompose \(b_{i}\), we find
$$\begin{aligned} \begin{array}{ll} b_{i-1}b_{i-2}&{}=(b_{i-4}+b_{i-2}b_{i-3})(b_{i-5}+b_{i-3}b_{i-4})\\ &{}=b_{i-4}b_{i-5}+b_{i-3}b_{i-4}+b_{i-2}b_{i-3}b_{i-5}+b_{i-2}b_{i-3}b_{i-4}, \end{array} \end{aligned}$$
If \(\deg (b_{i-1})=\deg (b_{i-2}b_{i-3})\) and \(\deg (b_{i-2})=\deg (b_{i-3}b_{i-4})\), then in Eq. (5), \(\deg (b_{i-1})+\deg (b_{i-2})\) may add \(\deg (b_{i-3})\) twice. So in order to obtain a more accurate degree estimation, we are willing to decompose \(b_i\) for several rounds backwards.
For Trivium, the ANFs of \(s_{i}^{j}\) (\(0\le i\le 2\), \(0\le j\le 340\)) are exactly obtained in a PC and their exact degrees can be obtained. For example, in the cryptanalysis of 855-round Trivium, we compute ANF of \(s_{i}^{j}\) (\(0\le i\le 2\), \(0\le j\le 340\)) over 75 free IV variables1, the degrees are shown in Table 2. To estimate the degree of \(s_{i}^{r}\) for \(r>340\), we decompose \(s_{i}^{r}\) until the state terms are the product of internal state bits \(s_{i}^{j}\) for \(j < end= \lfloor \frac{r}{32}\rfloor \times 32-128\) considering the efficiency tradeoff of the computation.
Table 2.

Degree \(\deg (s_i^j)\) of \(s_{i}^{j}\) for \(0\le i\le 2\), \(0\le j\le 340\)

For example, we estimate the degree upper bound of \(s_{1}^{341}\), where \( end=\lfloor \frac{r}{32}\rfloor \times 32-128=192\). We first express \(s_{1}^{341}\) using state bits in less rounds, and discard the state terms of degree lower than d.

  • Step 1. First, we express \(s_{2}^{341}=s_{1}^{272}+s_{1}^{259}s_{1}^{258}+s_{1}^{257}+s_{2}^{254}\) according to Eq. (1).

  • Step 2. According to Table 2 highlighted in red, let \(d=\texttt {max}\{\deg (s_{1}^{272}),\) \(\deg (s_{1}^{259})+\deg (s_{1}^{258}),\deg (s_{1}^{257}), \deg (s_{2}^{254}\} = \texttt {max}\{5,5+5,5,5\}=10\).

  • Step 3. Discarding the state terms of degree lower than 10, we get \(s_{2}^{341*}=s_{1}^{259}s_{1}^{258}\). Iteratively compute \(s_{2}^{341*}\) and discard state terms with degree lower than 10, there is no state term surviving. We reset \(d=d-1\) and repeat the above decomposition and discarding process. We can get the result \(s_{2}^{341**}=s_0^{166}s_0^{167}s_0^{193}+s_0^{167}s_0^{168}s_0^{192}+s_0^{166}s_0^{167}s_0^{168}+s_0^{165}s_0^{167}s_0^{168}+s_0^{167}s_0^{168}s_1^{180}+s_0^{166}s_0^{167}s_1^{181}\).

  • Step 4. Note that there is still a state bit \(s_{1}^{193}\) in \(s_{2}^{341**}\) that is bigger than end=192. So we continue to iteratively compute and discard state terms with degree lower than 9, and we get:
    $$\begin{aligned} \begin{array}{l} s_{2}^{341***}= s_2^{56}s_2^{57}s_2^{83}s_2^{84}s_2^{101}+s_2^{57}s_2^{58}s_2^{83}s_2^{84}s_2^{100}+s_2^{56}s_2^{57}s_2^{58}s_2^{83}s_2^{84}+\\ s_0^{97}s_2^{57}s_2^{58}s_2^{83}s_2^{84}+s_0^{98}s_2^{56}s_2^{57}s_2^{83}s_2^{84}+s_0^{124}s_2^{56}s_2^{57}s_2^{101}+s_0^{124}s_2^{57}s_2^{58}s_2^{100}+\\ s_0^{124}s_2^{56}s_2^{57}s_2^{58}+s_0^{124}s_2^{55}s_2^{57}s_2^{58}+s_2^{55}s_2^{57}s_2^{58}s_2^{83}s_2^{84}+s_0^{97}s_0^{124}s_2^{57}s_2^{58}\\ +s_0^{98}s_0^{124}s_2^{56}s_2^{57}+s_2^{57}s_2^{58}s_2^{82}s_2^{83}s_2^{102}+s_2^{58}s_2^{59}s_2^{82}s_2^{83}s_2^{101}+s_2^{57}s_2^{58}s_2^{59}s_2^{82}s_2^{83}+\\ s_2^{56}s_2^{58}s_2^{59}s_2^{82}s_2^{83}+s_0^{98}s_2^{58}s_2^{59}s_2^{82}s_2^{83}+s_0^{99}s_2^{57}s_2^{58}s_2^{82}s_2^{83}+s_0^{123}s_2^{57}s_2^{58}s_2^{102}+\\ s_0^{123}s_2^{58}s_2^{59}s_2^{101}+s_0^{123}s_2^{57}s_2^{58}s_2^{59}+s_0^{123}s_2^{56}s_2^{58}s_2^{59}+s_0^{98}s_0^{123}s_2^{58}s_2^{59}\\ +s_0^{99}s_0^{123}s_2^{57}s_2^{58}+s_2^{56}s_2^{57}s_2^{58}s_2^{59}s_2^{101}+s_0^{98}s_2^{56}s_2^{57}s_2^{58}s_2^{59}+s_2^{55}s_2^{56}s_2^{57}s_2^{58}s_2^{102}+\\ s_2^{55}s_2^{56}s_2^{58}s_2^{59}s_2^{101}+s_2^{55}s_2^{56}s_2^{57}s_2^{58}s_2^{59}+s_0^{98}s_2^{55}s_2^{56}s_2^{58}s_2^{59}+s_0^{99}s_2^{55}s_2^{56}s_2^{57}s_2^{58}+\\ s_0^{114}s_2^{57}s_2^{58}s_2^{102}+s_0^{114}s_2^{58}s_2^{59}s_2^{101}+s_0^{114}s_2^{57}s_2^{58}s_2^{59}+s_0^{114}s_2^{56}s_2^{58}s_2^{59}+s_0^{89}s_0^{90}s_2^{57}s_2^{58}s_2^{100}+\\ s_0^{98}s_0^{114}s_2^{58}s_2^{59}+s_0^{99}s_0^{114}s_2^{57}s_2^{58}+s_0^{115}s_2^{56}s_2^{57}s_2^{101}+s_0^{115}s_2^{57}s_2^{58}s_2^{100}+s_0^{115}s_2^{56}s_2^{57}s_2^{58}+\\ s_0^{115}s_2^{55}s_2^{57}s_2^{58}+s_0^{97}s_0^{115}s_2^{57}s_2^{58}+s_0^{98}s_0^{115}s_2^{56}s_2^{57}+s_0^{89}s_0^{90}s_2^{56}s_2^{57}s_2^{101}+\\ s_0^{89}s_0^{90}s_2^{56}s_2^{57}s_2^{58}+s_0^{89}s_0^{90}s_2^{55}s_2^{57}s_2^{58}+s_0^{89}s_0^{90}s_0^{97}s_2^{57}s_2^{58}+s_0^{89}s_0^{90}s_0^{98}s_2^{56}s_2^{57}. \end{array} \end{aligned}$$
  • Step 5. Here, there is no state bit in rounds more than \(end=192\), the expression ends and there are still state terms that survive. Then the current degree \(d=9\) is the estimated degree of \(s_{2}^{341}\).

  • Step 6. Note that, if there is no state item in \(s_{2}^{341***}\) surviving, which means the degree added twice or more shown in Eq. (6) happens to the iterative computation of \(s_{2}^{341}\). So the degree must be less than 9. We reset \(d=8\) and continue the above steps 3–5 to get a more accurate degree bound.

We summarise the above 6 steps as Algorithm 2. We only estimate degree of \(s_{i}^{r}\) for \(r\le 665\) and list the results in Table 3.
Table 3.

The estimated upper bound degree \(\mathcal {DEG}(s_i^j)\) of \(s_{i}^{r}\) for \(r\le 689\)

Degree reduction technique. In this part, we formally consider the property in Eq. (6), that \(\deg (b_{i-3})\) is added twice. We call it degree reduction. Define the degree reduction \(d_{t}\) as
$$\begin{aligned} d_{t}=\sum _{i\in I}\deg (x_{i})-\deg (\prod _{i\in I}x_{i}), \end{aligned}$$
where \(x_{i}\) is a state bit.

We pay attention to the degree reduction of the state term \({\prod _{j=l}^{l+t-1}s_{i}^{j}}\) for a specific \(i\in [0,2]\). This state term results from the iteration structure of Trivium scheme, whose high degree state terms come from the multiplication of \(s_{i}^{j}s_{i}^{j+1}\) shown in Eq. (1). After several rounds of iteration, the high degree state terms are in the form \({\prod _{j=l}^{l+t-1}s_{i}^{j}}\). Define the degree reduction \(d_{t}=\sum _{j=l}^{l+t-1}\deg (s_{i}^{j})-\deg (\prod _{j=l}^{l+t-1}s_{i}^{j})\).

The degree reduction can help discard state terms of lower degree dramatically, as it can help predict the change of degree before expression operation2. We take the state term \(s_{1}^{340}s_{1}^{341}\) as an example to illustrate the process to compute the degree reduction \(d_t\). Algorithm 2 is first used to obtain the degree of state bits as shown in Tables 2 and 3.

Let end be \(\lfloor \frac{r}{32}\rfloor \times 32-128=192\), too. The degree bound d is initialized as \(d=\mathcal {DEG}(s_{1}^{340})+\mathcal {DEG}(s_{1}^{341})\) and \(d_{t}=0\). Express the \(s_{1}^{340}s_{1}^{341}\) by one iteration using Eq. (1). Discard the state terms of degree lower than \(d-d_{t}=d\), there is no state term surviving. Increase the \(d_{t}\) by 1, such that \(d_{t}=1\). Express \(s_{1}^{340}s_{1}^{341}\) again and discard the state terms of degree lower than \(d-d_{t}=d-1\), the result is \(s_{0}^{249}s_{0}^{250}s_{1}^{262}+s_{0}^{248}s_{0}^{249}s_{1}^{263}\). Continue to compute iteratively, the remaining state terms are \(s_{0}^{170}s_{0}^{171}s_{0}^{180}s_{2}^{140}s_{2}^{141}+s_{0}^{170}s_{0}^{171}s_{0}^{181}s_{2}^{139}s_{2}^{140}+s_{0}^{171}s_{0}^{172}s_{0}^{179}s_{2}^{139}s_{2}^{140}+s_{0}^{171}s_{0}^{172}s_{0}^{180}s_{2}^{138}s_{2}^{139}\). There is no state bits \(s_{i}^{j}\) with j bigger than \(end=192\) in all the state terms, hence the expression ends. Degree reduction \(d_{t}=1\) is returned. Thus the \(\deg (s_{1}^{340}s_{1}^{341})\le \mathcal {DEG}(s_{1}^{340})+\mathcal {DEG}(s_{1}^{341}) - d_t= 7+7-1=13\). The degree reduction algorithm is shown in Algorithm 3

3.5 IV Representation Techniques

In the cryptanalysis of stream ciphers, the output is a boolean function over key and IV bits. But obtaining the exact expression is hard, thus we propose IV representation technique to reduce the computation complexity for obtaining the degree information.

Definition 1

(IV representation) Given a state bit \(s=\sum _{I,J}\prod _{i\in I}v_{i}\prod _{j\in J}k_{j}\), the IV representation of s is \(s_{IV}=\sum _{I}\prod _{i\in I}v_{i}\).

For example, if a boolean polynomial is \(s=v_{0}k_{1}+v_{0}k_{0}k_{2}+v_{1}k_{1}k_{2}+v_{0}v_{1}k_{2}\), then its corresponding IV representation is \(s_{IV}=v_{0}+v_{0}+v_{1}+v_{0}v_{1}\).

IV representation with repeated IV terms Removing Algorithm. Due to neglection of key bits, there are lots of repeated IV terms. Here we give an algorithm to remove the repeated IV terms of \(s_{IV}\). The details of the algorithm are shown in Algorithm 4. This algorithm is based on a Hash function. First, an empty hash set is initialized. For each IV term \(T_{i}\), compute the hash value as \(H(T_{i})\) (Line 3), then determine if \(T_{i}\) is already in H. If not, then insert \(T_{i}\) into H (Lines 4–5). Applying Algorithm 4 to the above example, the result is \(v_{0}+v_{1}+v_{0}v_{1}\). Note that this algorithm is slightly different from Algorithm 1. If we apply Algorithm 1 to \(s_{IV}\), the result is \(v_{1}+v_{0}v_{1}\).

In the iterative computation process of the output bit of Trivium, it should be noted that if an IV term exists in s, it must also exist in \(s_{IV}\), but not the opposite. For example, \(x_1 = v_0(k_1k_2+k_0k_2)+v_1 + v_0v_1k_2\), \(x_2 = v_2k_0k_1 + v_1v_2k_1\) and \(s=x_1x_2\). We use the IV representations of \(x_1\) and \(x_2\) to approximate the IV representation of s. Thus, \(x_{1IV}=v_0+v_1+v_0v_1\), \(x_{2IV}=v_2+v_1v_2\), and \(s_{IV}=x_{1IV}x_{2IV}=v_0v_2+v_1v_2+v_0v_1v_2\). However, \(s=x_1x_2=v_1v_2(k_0k_1+k_1)\). So if we find an IV term is not in \(s_{IV}\), we can conclude that it is not in s either. We use this to determine the degree upper bound of the output ANF of Trivium.

After using IV representation combined with Algorithm 4, all the existent IV terms are left by ignoring their repetition. With collision-resistent hash function H, the time complexity of Algorithm 4 is O(n) for processing n IV terms. It needs several minutes to apply Algorithm 4 on 1 billion IV terms on a single core.

4 Key Recovery Attack on 855-round Trivium

In the attack on 855-round Trivium, all the 80-bit IV are initiated with free variables: \(IV_{i}=v_{i}\), \(i\in [0,79]\).

The output of 855-round Trivium can be described using the internal state bits:
$$\begin{aligned} z_{855}=s_{0}^{790}+s_{0}^{763}+s_{1}^{787}+s_{1}^{772}+s_{2}^{790}+s_{2}^{745}. \end{aligned}$$
As a first step of the attack on 855-round Trivium, we need to determine \(P_{1}\).

4.1 Determining the Nullification Scheme for the Output Polynomial of 855-round Trivium

For 855-round Trivium, the degree of output bit z is very high, as shown in [19]. So it is not easy to find the missing IV terms in the complex \(z=P_{1}P_{2}+P_{3}\). However, based on the new observation of Boolean polynomial introduced in Sect. 3.1. we can choose \(P_{1}\) to reduce the Boolean polynomial \((1+P_{1})z=(1+P_{1})P_{3}\) such that the degree of \((1+P_{1})P_{3}\) is lower. The lower, the better. In fact, the lower the degree of a state term, the less high degree IV terms it can deduce.

Degrees of state bits are obtained first in order to determine the high degree state terms. The exact Boolean polynomial of \(s_{i}^{j}\) for \(i\in [0,2]\) and \(j\in [0,340]\) can be obtained. The other degree upper bounds can be obtained by executing Algorithm 2.

For a search of \(P_1\), we use the decomposition of Trivium and preserve the high degree state terms (bigger than a given bound dependent on our computing ability in a PC), where the degree of state terms means the sum of degrees of each state bit in the earlier rounds involved. We decompose until all the state bits are within the range of [0, 276]. The key points to determine \(P_1\) come from 3 criteria: (1) the frequency of \(P_1\) is high; (2) the degree of \(P_1\) is low; (3) the equivalent key guesses in \(P_1\) are minimized. We calculate the frequency of state bits and find that \(s_1^{210}\) occurs in about \(\frac{3}{4}\) of all the preserved high state terms. The degree of \(s_1^{210}\) is 5 and can be reduced to 2 after nullifying the 5 IV bits, and there are only 3 equivalent key bits to be guessed. So we choose \(P_1= s_1^{210}\).

The output polynomial can be rewritten as
$$\begin{aligned} z=s_{1}^{210}P_{2}+P_{3}, \end{aligned}$$
where \(P_{2}\) and \(P_{3}\) do not contain \(s_{1}^{210}\). Polynomial \(P_{2}\) is so complex that it is hard to compute its degree and density information while \(P_{3}\) is relatively simple. Here \(P_{1}=s_{1}^{210}=v_{59}v_{60}v_{61}+v_{59}v_{60}v_{76}\) \(+v_{17}v_{59}v_{60}+v_{30}v_{31}v_{59}v_{60}+v_{32}v_{59}v_{60}+v_{59}v_{60}v_{62}+v_{59}v_{60}v_{77}+v_{59}v_{60}k_{20}\) \(+v_{59}v_{61}v_{73}v_{74}+v_{59}v_{73}v_{74}v_{76}+v_{17}v_{59}v_{73}v_{74}+v_{30}v_{31}v_{59}v_{73}v_{74}+v_{32}v_{59}v_{73}v_{74}+\) \(v_{59}v_{62}v_{73}v_{74}+v_{59}v_{73}v_{74}v_{77}+v_{59}v_{73}v_{74}k_{20}+v_{59}v_{60}v_{74}v_{75}+v_{59}v_{60}v_{75}v_{76}+\) \(v_{59}v_{73}v_{74}v_{75}+v_{59}v_{73}v_{74}v_{75}v_{76}+v_{59}v_{61}v_{75}+v_{59}v_{74}v_{75} +v_{17}v_{59}v_{75}+v_{30}v_{31}v_{59}v_{75}+\) \(v_{32}v_{59}v_{75}+v_{59}v_{62}v_{75}+v_{59}v_{75}v_{77}+v_{59}v_{75}k_{20}+v_{60}v_{61}v_{72}v_{73}+v_{60}v_{72}v_{73}v_{76}+\) \(v_{17}v_{60}v_{72}v_{73}+v_{30}v_{31}v_{60}v_{72}v_{73}+v_{32}v_{60}v_{72}v_{73}+v_{60}v_{62}v_{72}v_{73}+v_{60}v_{72}v_{73}v_{77}+\) \(v_{60}v_{72}v_{73}k_{20}+v_{61}v_{72}v_{73}v_{74}+v_{72}v_{73}v_{74}v_{76}+v_{17}v_{72}v_{73} v_{74}+v_{30}v_{31}v_{72}v_{73}v_{74}+\) \(v_{32}v_{72}v_{73}v_{74}+v_{62}v_{72}v_{73}v_{74}+v_{72}v_{73}v_{74}v_{77}+v_{72}v_{73}v_{74}k_{20} +v_{60}v_{72}v_{73}v_{74}v_{75}+\) \(v_{60}v_{72}v_{73}v_{75}v_{76}+v_{72}v_{73}v_{74}v_{75}v_{76}+v_{61}v_{72}v_{73}v_{75}+v_{17}v_{72}v_{73}v_{75}+v_{30}v_{31}v_{72}v_{73}v_{75}+\) \(v_{32}v_{72}v_{73}v_{75}+v_{62}v_{72}v_{73}v_{75}+v_{72}v_{73}v_{75}v_{77}+v_{72}v_{73}v_{75}k_{20} +v_{60}v_{61}v_{74}+v_{60}v_{74}v_{76}+\) \(v_{17}v_{60}v_{74}+v_{30}v_{31}v_{60}v_{74}+v_{32}v_{60}v_{74}+v_{60}v_{62}v_{74}+v_{60}v_{74}v_{77}+v_{60}v_{74}k_{20}+\) \(v_{17}v_{73}v_{74}+v_{30}v_{31}v_{73}v_{74}+v_{32}v_{73}v_{74}+v_{62}v_{73}v_{74}+v_{73}v_{74}v_{77}+v_{73}v_{74}k_{20} +\) \(v_{16}v_{60}v_{61}+v_{16}v_{60}v_{74}v_{75}+v_{16}v_{60}v_{76}+v_{16}v_{61}v_{73}v_{74}+v_{16}v_{73}v_{74}v_{75}+v_{16}v_{73}v_{74}v_{76}+\) \(v_{16}v_{61}v_{75} +v_{16}v_{74}v_{75}+v_{16}v_{17}+v_{16}v_{30}v_{31}+v_{16}v_{32}+v_{16}v_{62}+v_{16}v_{77}+v_{16}k_{20}+\) \(v_{29}v_{30}v_{60}v_{61}+v_{29}v_{30}v_{60}v_{74}v_{75}+v_{29}v_{30}v_{60}v_{76}+v_{29}v_{30}v_{61}v_{73}v_{74}+v_{29}v_{30}v_{73}v_{74}v_{75}+\) \(v_{29}v_{30}v_{73}v_{74}v_{76}+v_{29}v_{30}v_{61}v_{75}+v_{29}v_{30}v_{74}v_{75}+v_{17}v_{29}v_{30}+v_{29}v_{30}v_{31}+v_{29}v_{30}v_{32}+\) \(v_{29}v_{30}v_{62}+v_{29}v_{30}v_{77}+v_{29}v_{30}k_{20}+v_{31}v_{60}v_{61}+v_{31}v_{60}v_{74}v_{75} +v_{31}v_{60}v_{76}+\) \(v_{31}v_{61}v_{73}v_{74}+v_{31}v_{73}v_{74}v_{75}+v_{31}v_{73}v_{74}v_{76}+v_{31}v_{61}v_{75}+v_{31}v_{74}v_{75}+v_{17}v_{31}+\) \(v_{30}v_{31}+v_{31}v_{62}+v_{31}v_{77}+v_{31}k_{20}+v_{60}v_{61}+v_{61}v_{75}+v_{61}v_{74}v_{75}+v_{17}v_{61}+v_{30}v_{31}v_{61}+\) \(v_{32}v_{61}+v_{61}k_{20}+v_{60}v_{74}v_{75}v_{76}+v_{60}v_{76}+v_{73}v_{74}v_{75}v_{76}+v_{17}v_{76}+v_{30}v_{31}v_{76}+\) \(v_{32}v_{76}+v_{76}v_{77}+v_{76}k_{20}+v_{60}v_{61}k_{19}+v_{60}v_{74}v_{75}k_{19}+v_{60}v_{76}k_{19}+v_{61}v_{73}v_{74}k_{19}+\) \(v_{73}v_{74}v_{75}k_{19}+v_{73}v_{74}v_{76}k_{19}+v_{61}v_{75}k_{19}+v_{74}v_{75}k_{19}+v_{17}k_{19}+v_{30}v_{31}k_{19}+v_{32}k_{19}+\) \(v_{62}k_{19}+v_{77}k_{19}+k_{19}k_{20}+v_{34}v_{35}+v_{34}v_{48}v_{49}+v_{34}v_{50}+v_{35}v_{47}v_{48}+v_{47}v_{48}v_{49}+\) \(v_{47}v_{48}v_{50}+v_{35}v_{49}+v_{48}v_{49}+k_{57}+v_{69}+v_{4}v_{5}+v_{6}+v_{36}+v_{51}+v_{60}+v_{73}v_{74}+\) \(v_{75}+k_{63}+v_{62}v_{74}v_{75}+v_{74}v_{75}v_{77}+v_{75}v_{76}+v_{18}+v_{33}+v_{63}+v_{78}+k_{21}+k_{28}k_{29}+\) \(k_{3}+k_{30}+k_{12}+k_{37}k_{38}+k_{39}+v_{24}\).
IV Nullification. The degree of \(s_{1}^{210}\) is 5 and the IV bits involved in \(s_{1}^{210}\) are shown in Table 4.
Table 4.

Count of IV bits in \(s_{1}^{210}\) before IV nullification.

In order to simplify \(s_{1}^{210}\) so that it is easier to obtain the degree bound of \((1+s_{1}^{210})P_{3}\), we nullify \(v_{74}\), \(v_{60}\), \(v_{75}\), \(v_{30}\) and \(v_{48}\).

After nullifying the 5 IV bits, we obtain the simplified boolean function:
$$\begin{aligned} \begin{array}{l} s_{1}^{210}=v_{16}v_{17}+v_{16}v_{32}+v_{16}v_{62}+v_{16}v_{77}+v_{16}k_{20}+v_{17}v_{31}+v_{31}v_{62}+\\ v_{31}v_{77}+v_{31}k_{20}+v_{17}v_{61}+v_{32}v_{61}+v_{61}k_{20}+v_{17}v_{76}+v_{32}v_{76}+v_{76}v_{77}+\\ v_{76}k_{20}+v_{17}k_{19}+v_{32}k_{19}+v_{62}k_{19}+v_{77}k_{19}+k_{19}k_{20}+v_{34}v_{35}+v_{34}v_{50}+\\ v_{35}v_{49}+k_{57}+v_{69}+v_{4}v_{5}+v_{6}+v_{36}+v_{51}+k_{63}+v_{18}+v_{33}+v_{63}+\\ v_{78}+k_{21}+ k_{28}k_{29}+k_{3}+k_{30}+k_{12}+k_{37}k_{38}+k_{39}+v_{24}. \end{array} \end{aligned}$$
Here, the degree of \(s_{1}^{210}\) is 2 and key information equivalent to 3 bits in \(s_{1}^{210}\) are \(k_{19}\), \(k_{20}\) and \(k_{57}+k_{63}+k_{21}+k_{28}k_{29}+k_{3}+k_{30}+k_{12}+k_{37}k_{38}+k_{39}\). The IV bits involved in \(s_{1}^{210}\) are shown in Table 5.
After determining \(P_{1}=s_{1}^{210}\), we multiply \(1+s_{1}^{210}\) in both sides of Eq. (10), then \((1+s_{1}^{210})z=(1+s_{1}^{210})P_{3}\). Finding the non-randomness in \((1+s_{1}^{210})P_{3}\) will help us to construct the cube tester of 855-round Trivium. More specifically, we will determine the nonexistent IV terms of degree 70 in \((1+s_{1}^{210})P_{3}\). First, we will reduce the polynomial, then IV presentation technique is applied to determine the nonexistent IV terms. The framework is presented in Fig. 2 and details are shown in the following Sect. 4.2.
Table 5.

Frequency of IV bits in \(s_{1}^{210}\) after IV nullification.

Fig. 2.

Framework of determining the missing IV terms

4.2 Determining the Degree Bound of Reduced Polynomial

We are going to iteratively compute \((1+s_{1}^{210})P_{3}\). In each iteration, many state terms of \((1+s_{1}^{210})P_{3}\) are produced. Based on our computing ability, we can compute the IV terms of degree around 70. In computing the 70-degree IV terms, we use a cluster of 600–2400 cores. Since we are finding the 70-degree missing IV terms, state terms with degree less than 70 are removed without consideration, because they do not contain those 70-degree IV terms certainly. The removing process could be divided into 2 steps:
  1. 1.

    Deleting state terms according to degree evaluation;

  2. 2.

    Deleting state terms according to degree reduction.

Degree evaluation phase. After nullifying the 5 IV bits in Sect. 4.1, the exact boolean functions and degrees of state bits \(s_{i}^{j}\) for \(0\le i\le 2\) and \(0\le j\le 340\) can be updated. Then we execute Algorithm 2 to obtain the degrees of the other state bits, partially in Tables 2 and 3. For example, given a state term \(b_1b_2\), we first find \(\mathcal {DEG}(b_1)\) and \(\mathcal {DEG}(b_2)\) in Tables 2 and 3, if \(\mathcal {DEG}(b_1)+\mathcal {DEG}(b_2)<70\), then \(\deg (b_1b_2)\le \mathcal {DEG}(b_1)+\mathcal {DEG}(b_2)<70\), delete \(b_1b_2\).
Degree reduction phase. In the structure of stream ciphers based on NFSR, degree reduction arises often due to the iterative structure. We use Algorithm 3 to obtain the degree reduction, which is shown in Tables 6, 7 and 8 for products of 2 consecutive state bits \(s_i^js_i^{j+1}\) (\(t=2\)), 3 consecutive state bits \(s_i^js_i^{j+1}s_i^{j+2}\) (\(t=3\)) and 4 consecutive state bits \(s_i^js_i^{j+1}s_i^{j+2}s_i^{j+3}\) (\(t=4\)), respectively. Note that we only list the degree reduction when \(j\ge 340\). The degree reduction for \(j<340\) is much easier to obtain in a PC.
Table 6.

Degree reductions \(d_t(s_i^js_i^{j+1})\) of \(s_i^js_i^{j+1}\) with \(t=2\)

In the cryptanalysis of Trivium, the degree reduction may be more complicated. Further degree reduction for \(t>4\) is hard to be obtained using PC for loop executing Algorithm 3. Some man-made work should be involved to obtain further degree reduction. The degree reduction can help discard state terms of lower degree dramatically. For example, if the state term \(b_{1}b_{2}\) goes through degree evaluation phase, that means \(\mathcal {DEG}(b_1)+\mathcal {DEG}(b_2)\ge 70\), then we check if \(\mathcal {DEG}(b_1)+\mathcal {DEG}(b_2)-d_t(b_1b_2)<70\). If yes, \(\deg (b_1b_2)<70\) and delete it.

For example, the Eq. (9) can be expressed furthermore using state bits: Open image in new window , can be discarded because their degree are lower than 68, shown in Table 3 highlighted in red, and the total degree of the multiplication of each one with \((1+s_{210})\) is lower than 70. In addition, the state terms highlighted in blue can be discarded by removing the repeated state terms. Furthermore, the output can be expressed using state bits in lower rounds and more state terms can be discarded.
Table 7.

Degree reductions \(d_t(s_i^js_i^{j+1}s_i^{j+2})\) of \(s_i^js_i^{j+1}s_i^{j+2}\) with \(t=3\)

Table 8.

Degree reductions \(d_t(s_i^js_i^{j+1}s_i^{j+2}s_i^{j+3})\) of \(s_i^js_i^{j+1}s_i^{j+2}s_i^{j+3}\) with \(t=4\)

After the above 2 steps to reduce \((1+s_{1}^{210})P_{3}\), the degrees of the left state terms are possibly higher or equal to 70. As the dimension is high, a cube tester over such a big dimension is far beyond our computing ability. For the left state terms, we use IV representation for each left state terms and remove the repeated IV terms using Algorithm 4 in order to determine the missing 70-degree IV terms. After the above steps, there is no 70-degree IV term in \((1+s_{1}^{210})P_{3}\). So the degree of \((1+s_{1}^{210})P_{3}\) is strictly lower than 70, which is summarized as the following Lemma 2.

Lemma 2

Set the \(v_{74}\), \(v_{60}\), \(v_{75}\), \(v_{30}\) and \(v_{48}\) to zeros, then the degree of \((1+s_{1}^{210})z_{855}\) is bounded by 70, where \(z_{855}\) is the output after 855-round initializations.

According to Lemma 2, we strictly prove that the degree of the reduced polynomial is lower than 70, so the sum over any selected cube of dimension 70 is zero, such that the distinguishers can be constructed.

4.3 Online Phase and Complexity Analysis

We first guess the 3 key bits in \(s^{210}_{1}\), i.e. \(k_{19}\), \(k_{20}\) and \(k_{57}+k_{63}+k_{21}+k_{28}k_{29}+k_{3}+k_{30}+k_{12}+k_{37}k_{38}+k_{39}\) as shown in Eq. (11), for the right guess the result is 0 while for wrong guesses, the result is 1 with probability \(\frac{1}{2}\). If the sum over cubes of dimension 70 is 1, then the key guess is wrong and dropped (Line 7). After the first cube sum, about half key bits remain, and sum over another cube again. The remaining guess is the key. The on-line phase is shown in Algorithm 5.

For each guess, we need to sum over a cube of dimension 70, so that the complexity is \(2^{3}\cdot 2^{70}+2^{2}\cdot 2^{70}+2^{1}\cdot 2^{70}\approx 2^{74}\).

After the above process, the bits \(k_{19}\), \(k_{20}\) and \(k_{57}+k_{63}+k_{21}+k_{28}k_{29}+k_{3}+k_{30}+k_{12}+k_{37}k_{38}+k_{39}\) can be determined. \(k_{19}\) and \(k_{20}\) are single master key bits. Let \(c=k_{57}+k_{63}+k_{21}+k_{28}k_{29}+k_{3}+k_{30}+k_{12}+k_{37}k_{38}+k_{39}\) (c is 0 or 1), then it can be rewritten as \(k_{57}=k_{63}+k_{21}+k_{28}k_{29}+k_{3}+k_{30}+k_{12}+k_{37}k_{38}+k_{39}+c\). We guess the other 77 key bits excluding \(k_{19}\), \(k_{20}\) and \(k_{57}\), the value \(k_{57}\) can be obtained directly. So the other 77 key bits excluding \(k_{19}\), \(k_{20}\) and \(k_{57}\) can be recovered by brute force. Thus the complexity to recover all the key bits is \(2^{77}\).

4.4 Experimental Verification

We apply a powerful nullification technique to reduce the output polynomial, and prove the degree bound of the reduced polynomial theoretically and recover key bits. To make the attack more clear, we give an attack instance. We give two attacks on 721-round Trivium: a distinguishing attack and a key-recovery attack.

Obtain the Degree Upper Bound of Output of 721-round Trivium. Initial \(IV_{i}=v_{i}\) with \(i\in [0,79]\). In the example attack on 721-round Trivium, we only use 40 freedom variables, i.e. set \(v_{2\cdot j+1}=0\) for \(j\in [0,39]\) and the other 40 IV bits are freedom variables.

The exact boolean functions of the first 340 state bits \(s_{i}^{j}\) for \(i\in [0,2]\) and \(j\in [0,340]\) can be obtained directly on PC. Hence, the degrees of them can be obtained directly. Degrees upper bounds of other state bits can be evaluated using Algorithm 2 and are shown in Table 9. Note that in Table 9, the estimated degrees of some state bits are larger than 40, e.g. \(\mathcal {DEG}(s_2^{665})=41\), which is because the accuracy of Algorithm 2 decreases for state bits with large rounds. Thus we only apply this algorithm to \(s_i^j\) for \(j\le 665\).
Table 9.

Degree upper bounds \(\mathcal {DEG}(s_i^j)\) of the state bits \(s_i^j\) for \(j\le 665\)

The output of 721-round Trivium is \(z_{721}=s_{0}^{656}+s_{0}^{629}+s_{1}^{653}+s_{1}^{638}+s_{2}^{656}+s_{2}^{611}\). According to Table 9, the 6 state terms (bits) highlighted in red are of degree lower than 40, so the degree of \(z_{721}\) is lower than 40, which can serve as distinguishers. This result can be obtained easily by rough computing.

Next, we give a more accurate bound of \(z_{721}\). In the following, we will determine whether \(z_{721}\)’s degree is bigger than 37. The 6 state bits are expressed using state bits in lower rounds again and substituted into \(z_{721}\), which is called the substitution or expression process in [9]. Then \(z_{721}=s_{2}^{590}+s_{2}^{546}s_{2}^{547}+\) \(s_{2}^{545}+s_{0}^{587}+s_{2}^{563}+s_{2}^{519}s_{2}^{520}+s_{2}^{518}+s_{0}^{560}+s_{0}^{587}+s_{0}^{561}s_{0}^{562}+s_{0}^{560}+s_{1}^{575}+s_{0}^{572}+\) \(s_{0}^{546}s_{0}^{547}+s_{0}^{545}+s_{1}^{560}+s_{1}^{587}+s_{1}^{573}s_{1}^{574}+s_{1}^{572}+s_{2}^{569}+s_{1}^{542}+s_{1}^{528}s_{1}^{529}+s_{1}^{527}+s_{2}^{524}\). According to degree upper bounds Table 9, \(\deg (s_{2}^{590})=27<37\) highlighted in blue, so \(s_{2}^{590}\) is removed. Then \(\deg (s_{2}^{546}s_{2}^{547})\le \mathcal {DEG}(s_{2}^{546})+\mathcal {DEG}(s_{2}^{547})=20+21=41\) and \(41\ge 37\), so the degree of \(s_{2}^{546}s_{2}^{547}\) is possibly bigger than 36 and left. After discarding all the state terms whose degrees are lower than 36, \(z_{721}|_{\deg >36}=s_{2}^{546}s_{2}^{547}+s_{1}^{573}s_{1}^{574}\). Continue substitution and expression process for \(z_{721}|_{\deg >36}\) and finally, there remain no state terms with degree bigger than 36, so that the degree bound of \(z_{721}\) is 36. The details of the above step are shown in Appendix A.

A Key-Recovery Attack on 721-round Trivium. Similar to the IV setting above for distinguishing 721-round Trivium, we set \(v_{2\cdot j+1}=0\) for \(j\in [0,39]\) and the other 40 IV bits are freedom variables.

According to our attack outline introduced in Sect. 3.2, we need to determine the nullification scheme first. We express the output of 721-round Trivium iteratively and calculate the frequency of state bits in the polynomial. Then we choose \(s_{1}^{290}\) as \(P_{1}\), the output can be rewritten as \(z_{721}=s_{1}^{290}P_{2}+P_{3}\). Multiply \(1+s_{1}^{290}\) with \(z_{721}\) such that the result is \((1+s_{1}^{290})z_{721}=(1+s_{1}^{290})P_{3}\). We study the reduced polynomial \((1+s_{1}^{290})P_{3}\). In order to decrease the number of key bits in \(s_{1}^{290}\), we choose to nullify \(v_{58}\), \(v_{64}\) and \(v_{72}\), so that there are 37 freedom variables. Set the degree bound to 32, we express \((1+s_{1}^{290})P_{3}\) using internal state bits furthermore and discard state terms whose degree are lower than \(32+d_{t}\), where \(d_{t}\) is the corresponding degree reduction. We use IV presentation, combined with Algorithm 4 in order to obtain the IV terms of degree higher than 32. Finally, there is no IV term. Hence, we prove that the degree of \((1+s_{1}^{290})z_{721}\) is lower than 32. Then the sum of \((1+s_{1}^{290})z_{721}\) over any selected cube of dimension 32 is zero. This process can be executed in an hour in a PC.

Guess the key bit involved in \(s_{1}^{290}\). For right guess, sum over a cube of dimension 32 is zero while for wrong guesses, the result is 1 with probability \(\frac{1}{2}\). The key bits involved in \(s_{1}^{290}\) are shown in Table 10. After 19 summations over cubes of dimension 32, the 19 key bits can be recovered. The complexity is about \(2\times 2^{19}\times 2^{32}=2^{52}\). The other key bits can be recovered using brute force with a complexity of \(2^{61}\). Hence, the total complexity of recovering all key bits of 721-round Trivium is \(2^{61}\).
Table 10.

The key bits involved in \(s_{1}^{290}\).

5 Conclusions

In this paper, we propose the Boolean polynomial reduction techniques and IV representation, which can be applicable to cryptanalysis of stream ciphers based on NFSRs. These techniques can help obtain more accurate degree bounds. We apply these techniques to the cryptanalysis of reduced round Trivium. For recovering the key bits of Trivium, we propose a new nullification technique. Combined with the distinguishers, we propose a key-recovery attack on 855 round Trivium, where 3 equivalent key bits can be recovered with complexity of \(2^{74}\). The other key bits can be recovered by brute force with a complexity of \(2^{77}\).

Furthermore, our flexible methods can be applied to attack more round of Trivium by adjustment of \(P_{1}\), which is our future work. In addition, the degree evaluation and degree reduction techniques can be applicable to other encryption primitives such as Grain family.


  1. 1.

    The other 5 IV bits are fixed as zero and their positions are given in Sect. 4.1.

  2. 2.

    The details are given in Sect. 4.2.



The authors would like to thank anonymous reviewers for their helpful comments. We also thank National Supercomputing Center in Wuxi for their support of Sunway TaihuLight, which is the most powerful supercomputer. This work was supported by the National Key Research and Development Program of China (Grant No. 2017YFA0303903), and National Cryptography Development Fund (No. MMJJ20170121), and Zhejiang Province Key R&D Project (No. 2017C01062).


  1. 1.
    Aumasson, J.-P., Dinur, I., Meier, W., Shamir, A.: Cube testers and key recovery attacks on reduced-round MD6 and Trivium. In: Dunkelman, O. (ed.) FSE 2009. LNCS, vol. 5665, pp. 1–22. Springer, Heidelberg (2009). Scholar
  2. 2.
    De Cannière, C., Preneel, B.: Trivium. In: Robshaw, M., Billet, O. (eds.) New Stream Cipher Designs. LNCS, vol. 4986, pp. 244–266. Springer, Heidelberg (2008). Scholar
  3. 3.
    Dinur, I., Güneysu, T., Paar, C., Shamir, A., Zimmermann, R.: An experimentally verified attack on full grain-128 using dedicated reconfigurable hardware. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 327–343. Springer, Heidelberg (2011). Scholar
  4. 4.
    Dinur, I., Shamir, A.: Cube attacks on tweakable black box polynomials. In: Joux, A. (ed.) EUROCRYPT 2009. LNCS, vol. 5479, pp. 278–299. Springer, Heidelberg (2009). Scholar
  5. 5.
    Dinur, I., Shamir, A.: Breaking grain-128 with dynamic cube attacks. In: Joux, A. (ed.) FSE 2011. LNCS, vol. 6733, pp. 167–187. Springer, Heidelberg (2011). Scholar
  6. 6.
    Englund, H., Johansson, T., Sönmez Turan, M.: A framework for chosen IV statistical analysis of stream ciphers. In: Srinathan, K., Rangan, C.P., Yung, M. (eds.) INDOCRYPT 2007. LNCS, vol. 4859, pp. 268–281. Springer, Heidelberg (2007). Scholar
  7. 7.
    Fischer, S., Khazaei, S., Meier, W.: Chosen IV statistical analysis for key recovery attacks on stream ciphers. In: Vaudenay, S. (ed.) AFRICACRYPT 2008. LNCS, vol. 5023, pp. 236–245. Springer, Heidelberg (2008). Scholar
  8. 8.
    Fouque, P.-A., Vannet, T.: Improving key recovery to 784 and 799 rounds of Trivium using optimized cube attacks. In: Moriai, S. (ed.) FSE 2013. LNCS, vol. 8424, pp. 502–517. Springer, Heidelberg (2014). Scholar
  9. 9.
    Fu, X., Wang, X., Chen, J.: Determining the nonexistent terms of non-linear multivariate polynomials: how to break grain-128 more efficiently. IACR Cryptology ePrint Archive 2017, 412 (2017).
  10. 10.
    International Organization for Standardization (ISO): ISO/IEC 29192–3:2012, Information technology - Security techniques - Lightweight cryptography - Part 3: Stream ciphers (2012)Google Scholar
  11. 11.
    Knellwolf, S., Meier, W., Naya-Plasencia, M.: Conditional differential cryptanalysis of NLFSR-based cryptosystems. In: Abe, M. (ed.) ASIACRYPT 2010. LNCS, vol. 6477, pp. 130–145. Springer, Heidelberg (2010). Scholar
  12. 12.
    Knellwolf, S., Meier, W., Naya-Plasencia, M.: Conditional differential cryptanalysis of Trivium and KATAN. In: Miri, A., Vaudenay, S. (eds.) SAC 2011. LNCS, vol. 7118, pp. 200–212. Springer, Heidelberg (2012). Scholar
  13. 13.
    Knudsen, L.R.: Truncated and higher order differentials. In: Preneel, B. (ed.) FSE 1994. LNCS, vol. 1008, pp. 196–211. Springer, Heidelberg (1995). Scholar
  14. 14.
    Knudsen, L., Wagner, D.: Integral cryptanalysis. In: Daemen, J., Rijmen, V. (eds.) FSE 2002. LNCS, vol. 2365, pp. 112–127. Springer, Heidelberg (2002). Scholar
  15. 15.
    Lai, X.: Higher order derivatives and differential cryptanalysis. In: Blahut, R.E., Costello, D.J., Maurer, U., Mittelholzer, T. (eds.) Communications and Cryptography, pp. 227–233. Springer, Boston (1994). Scholar
  16. 16.
    Liu, M.: Degree evaluation of NFSR-based cryptosystems. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10403, pp. 227–249. Springer, Cham (2017). Scholar
  17. 17.
    Liu, M., Yang, J., Wang, W., Lin, D.: Correlation cube attacks: from weak-key distinguisher to key recovery. Cryptology ePrint Archive, Report 2018/158 (2018). Scholar
  18. 18.
    Todo, Y.: Structural evaluation by generalized integral property. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 287–314. Springer, Heidelberg (2015). Scholar
  19. 19.
    Todo, Y., Isobe, T., Hao, Y., Meier, W.: Cube attacks on non-blackbox polynomials based on division property. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10403, pp. 250–279. Springer, Cham (2017). Scholar
  20. 20.
    Wang, X., Yin, Y.L., Yu, H.: Finding collisions in the full SHA-1. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 17–36. Springer, Heidelberg (2005). Scholar
  21. 21.
    Wang, X., Yu, H.: How to break MD5 and other hash functions. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 19–35. Springer, Heidelberg (2005). Scholar

Copyright information

© International Association for Cryptologic Research 2018

Authors and Affiliations

  • Ximing Fu
    • 1
  • Xiaoyun Wang
    • 2
    • 3
    • 4
  • Xiaoyang Dong
    • 2
  • Willi Meier
    • 5
  1. 1.Department of Computer Science and TechnologyTsinghua UniversityBeijingChina
  2. 2.Institute for Advanced StudyTsinghua UniversityBeijingChina
  3. 3.School of MathematicsShandong UniversityJinanChina
  4. 4.Key Laboratory of Cryptologic Technology and Information Security, Ministry of EducationShandong UniversityJinanChina
  5. 5.FHNWWindischSwitzerland

Personalised recommendations