A KeyRecovery Attack on 855round Trivium
Abstract
In this paper, we propose a keyrecovery attack on Trivium reduced to 855 rounds. As the output is a complex Boolean polynomial over secret key and IV bits and it is hard to find the solution of the secret keys, we propose a novel nullification technique of the Boolean polynomial to reduce the output Boolean polynomial of 855round Trivium. Then we determine the degree upper bound of the reduced nonlinear boolean polynomial and detect the right keys. These techniques can be applicable to most stream ciphers based on nonlinear feedback shift registers (NFSR). Our attack on 855round Trivium costs time complexity \(2^{77}\). As far as we know, this is the best keyrecovery attack on roundreduced Trivium. To verify our attack, we also give some experimental data on 721round reduced Trivium.
Keywords
Trivium Nullification technique Polynomial reduction IV representation Keyrecovery attack1 Introduction
Most symmetric cryptographic primitives can be described by boolean functions over secret variables and public variables. The secret variables are often key bits, the public variables are often plaintext bits for block ciphers and IV bits for stream ciphers. The ANF (algebraic normal form) representation of the output is usually very complex by repeatedly executing a simple iterative function, where the iterative function is a round function for block ciphers or a feedback function for stream ciphers based on nonlinear feedback shift registers. For stream ciphers, obtaining the exact output boolean functions is usually impossible. But if its degree is low, the cipher can not resist on many known attacks, such as higher order differential attacks [13, 15], cube attacks [1, 4], and integral attacks [14]. Hence, it is important to reduce the degree of polynomials for cryptanalysis of stream ciphers.
Trivium, based on a nonlinear feedback shift register (NFSR), is one of the finalists by eSTREAM project and has been accepted as ISO standard [2, 10]. Trivium has a simple structure, with only bit operations, so that it can be applicable to source restricted applications such as RFID. By iteratively using NFSR, the degree increases rapidly and the output is a complex boolean function over key and IV bits.
There have been lots of cryptanalysis of Trivium since its submission. The early results include the chosen IV statistical attack [6, 7], which was applied to keyrecovery attack on Trivium reduced to 672 rounds. Inspired by the message modification technique [20, 21], Knellwolf et al. invented the conditional differential tool [11], which was applicable to distinguishing stream ciphers based on NFSR. In [12], Knellwolf et al. proposed a distinguishing attack on 961round Trivium with practical complexity for weak keys.
Cube attacks are the major methods for recent cryptanalysis results of reduced round Trivium. In [4], Dinur and Shamir proposed a practical full key recovery on Trivium reduced to 767 rounds, using cube attacks. Afterwards, Aumasson et al. [1] provided the distinguishers of 790round Trivium with complexity \(2^{30}\). Then Fouque and Vannet [8] provided a practical full key recovery for 784/799 rounds Trivium. Todo et al. [19] proposed a keyrecovery attack on 832round Trivium, where one equivalent bit can be recovered with complexity of around \(2^{77}\), combined with division property [18]. All of these attacks exploited low degree properties of the ANF of the output bit over IV bits. As though the degree is not low, i.e., the degree is equal to the number of variables, there is a possibility to construct distinguishers if there are missing (IV) terms. In [3, 5], Dinur and Shamir exploited the density of IV terms, combined with nullification technique, and broke the fullround Grain128. Based on nullification technique [3, 5], degree evaluation and IV representation techniques were proposed and the missing IV terms can be obtained with probability 1 [9]. The degree upper bounds of Triviumlike ciphers were obtained [16] using the degree evaluation techniques. Then a keyrecovery attack on 835round Trivium was proposed in [17] using correlation cube attack with a complexity of \(2^{75}\). Though the cube attack and cube tester tools can be applied to obtain the lowdegree information, it is restricted by the computing ability. It is hard to execute cube tester programs of dimension more than 50 on a small cluster of cores.
The rest of the paper is organised as follows. In Sect. 2, some basic related preliminaries will be shown. The basic techniques used in this paper and the attack framework will be introduced in Sect. 3. Based on the Boolean polynomial reduction techniques and IV representation, a key recovery attack on 855round Trivium is proposed in Sect. 4, combined with a new nullification technique. Finally, Sect. 5 summarizes the paper.
2 Preliminaries
In this section, some basic notations used in this paper are introduced in the following subsections.
2.1 Notations
2.2 Brief Description of Trivium
Trivium can be described by a 288bit nonlinear feedback shift register \(s_{i}\) (\(1\le i\le 288\)). During the initialization stage, \(s_{1}\) to \(s_{80}\) are set to 80 key bits, \(s_{94}\) to \(s_{173}\) are set with 80 IV bits, \(s_{286}\), \(s_{287}\), \(s_{288}\) are set to 1s and the other state bits are set to zeros, i.e.,
\((s_1,s_2,\ldots ,s_{93})\leftarrow (K_0,\ldots ,K_{79},0,\ldots ,0)\)
\((s_{94},s_{95},\ldots ,s_{177})\leftarrow (IV_0,\ldots ,IV_{79},0,\ldots ,0)\)
\((s_{178},s_{179},\ldots ,s_{288})\leftarrow (0,\ldots ,0,1,1,1).\)
Then the NFSR is updated for 1152 rounds with the following updating function, i.e.,
\(\mathbf {for}\) \(i\leftarrow 1:4\cdot 288\) \(\mathbf {do}\)
\(t_{1}\leftarrow s_{66}+s_{91}\cdot s_{92}+s_{93}+s_{171}\)
\(t_{2}\leftarrow s_{162}+s_{175}\cdot s_{176}+s_{177}+s_{264}\)
\(t_{3}\leftarrow s_{243}+s_{286}\cdot s_{287}+s_{288}+s_{69}\)
\((s_{1},s_{2},\ldots ,s_{93})\leftarrow (t_3,s_{1},\ldots ,s_{92})\)
\((s_{94},s_{95},\ldots ,s_{177})\leftarrow (t_1,s_{94},\ldots ,s_{176})\)
\((s_{178},s_{179},\ldots ,s_{288})\leftarrow (t_2,s_{178},\ldots ,s_{287})\)
\(\mathbf {end~for}\)
After the initialization, the output bits \(o_{i}\) can be generated by the following functions.
\(\mathbf {for}\) \(i\leftarrow 1:N\) \(\mathbf {do}\)
\(t_{1}\leftarrow s_{66}+s_{91}\cdot s_{92}+s_{93}+s_{171}\)
\(t_{2}\leftarrow s_{162}+s_{175}\cdot s_{176}+s_{177}+s_{264}\)
\(t_{3}\leftarrow s_{243}+s_{286}\cdot s_{287}+s_{288}+s_{69}\)
\(o_{i}\leftarrow s_{66}+s_{93}+s_{162}+s_{177}+s_{243}+s_{288}\)
\((s_{1},s_{2},\ldots ,s_{93})\leftarrow (t_3,s_{1},\ldots ,s_{92})\)
\((s_{94},s_{95},\ldots ,s_{177})\leftarrow (t_1,s_{94},\ldots ,s_{176})\)
\((s_{178},s_{179},\ldots ,s_{288})\leftarrow (t_2,s_{178},\ldots ,s_{287})\)
\(\mathbf {end~for}\)
2.3 Representation of Boolean Functions for Stream Ciphers
2.4 Cube Attack and Cube Tester
Dynamic cube attack [5] is also introduced by Dinur and Shamir in FSE 2011. The basic idea is to find dynamic variables, which depend on some of the public cube variables and some private variables (the key bits), to nullify the complex function \(P = P_1 \cdot P_2 + P_3\), where the degree of \(P_{3}\) is relatively lower than the degree of P and \(P_{1} \cdot P_{2}\) is a complex function. Then guess the involved key bits and compute the dynamic cube variables to make \(P_1\) to be zero and the function is simplified greatly. The right guess of key bits will lead the cube sum to be zero otherwise the cube sums will be random generally.
Cube testers [1] are used to detect nonrandom properties. Suppose in Eq. 3, an IV term \({t_I}\) does not exist in the ANF of s, e.g. the coefficient \(g_{I}(k)=0\). Hence, the cube sum over cube \(C_{t_I}\) is definitely zero for different key guessing. However, if the IV term \({t_I}\) exists, the value of cube sum \(g_{I}(k)\) is dependent on the key guessing. This property was applied to break fullround Grain128 [5, 9].
3 Basic Ideas
3.1 New Observation of Boolean Polynomial Reduction
In this paper, we propose a new nullification technique based on a lemma as follows.
Lemma 1
Lemma 1 can be verified by \((P_1+1)z=(P_1+1)P_{1}P_2+(P_1+1)P_3=(P_1+1)P_3\). In our cryptanalysis of Trivium, \(P_{1}\) is a simple polynomial over several IV bits and key bits, while \(P_{2}\) is much more complex than \(P_{3}\). In our nullification technique, we multiply \(P_{1}+1\) in both sides of Eq. (4) to nullify the most complex polynomial \(P_2\) without changing \(P_3\). The result \((1+P_{1})z=(1+P_{1})P_{3}\) could be analyzed by considering \(P_{3}\) and \(1+P_{1}\) independently, and then multiply them together to get \((1+P_{1})z\).
3.2 Outline of Our Attack
Based on the novel observation in Sect. 3.1, our attack includes two phases, which are the preprocessing phase and online attack phase.
 1.
We apply the new nullification technique by determining \(P_{1}\), then multiply \(1+P_{1}\) in both sides of Eq. 4 and obtain the reduced polynomial \((1+P_{1})P_{3}\).
 2.
We study the polynomial \((1+P_{1})P_{3}\) and prove its upper bound degree to be d mathematically, then cubes of dimension d + 1 lead to distinguishers.
 i
For the right key guessing, \((P_1+1)z=(P_1+1)P_3\). Thus the cube sums must be zero.
 ii
For the wrong key guessing, the equation becomes \( (P'_1+1)z=(P'_1+1)P_{1}P_2+(P'_1+1)P_3\), which is more complex and dominated by \(P_2\), thus the cube sums are not always zero.
We focus on constructing the distinguishers in the preprocessing phase and it costs most computing sources.
3.3 Constructing Distinguishers
After obtaining the reduced polynomial \((1+P_{1})P_{3}\), our major work is to study this polynomial and derive distinguishers. In our analysis, we demonstrate that the degree of the reduced polynomial is strictly lower than 70. As the degree is so high, such a result was hard to achieve in previous works. So we introduce various details of reducing polynomials in an iterative process.
We introduce several techniques to discard monomials in advance during the iterative computation of the ANF representation of the output bit \((1+P_{1})P_{3}\). Suppose we are proving the upper bound degree of \((1+P_{1})P_{3}\)’s ANF to be d, then the following techniques are used to reduce the Boolean polynomial of \((1+P_{1})P_{3}\) by discarding monomials in advance. The whole process could be divided into the following three steps shown in Fig. 1.

Step 1. We compute forward to express the ANF of some internal state bits over IV bits and key bits. In Trivium, the internal state bits \(s_{i}^{j}\) (\(0\le i\le 2\), \(0\le j\le 340\)) are computed in a PC.
 Step 2. During the iterative computation of the ANF representation of \((1+P_{1})P_{3}\) in the backward direction (decryption), we introduce the fast discarding monomial technique in Sect. 3.4, which includes the following two algorithms:

First, we propose the degree evaluation algorithm to obtain the degree bounds of internal state bits. As the monomials of \((1+P_{1})P_{3}\)’s ANF is a product of these internal state bits, the degree of a monomial is bounded by the sum of the degrees of the multiplied internal state bits, which is regarded as the degree estimation of the monomial. If the estimated degrees of monomials are lower than d, they are discarded directly.

Second, we exploit the iterative structure of Trivium, and find that the \((1+P_{1})P_{3}\)’s ANF contains many products of consecutive internal state bits. Thus, we precompute the degree reductions of those products, which is \(d_{t}=\sum _{i}\deg (x_{i})\deg (\prod _{i}x_{i})\), where \(x_{i}\) is an internal state bit. Thus, the degree of a monomial is upper bounded by the difference value between the sum of the multiplied internal state bits and the corresponding degree reduction \(d_{t}\). If it is smaller than d, the monomial is discarded.


Step 3. For the left monomials of \((1+P_{1})P_{3}\)’s ANF, we introduce IV representation technique in Sect. 3.5 to determine the upper bound degree of \((1+P_{1})P_{3}\) or find the ddegree missing product of certain IV bits (missing IV term). In IV representation technique, the symbolic key bits in the internal state bits are removed and only IV bits are left. Combining with repeated IV term removing algorithm, we can simplify monomials of \((1+P_{1})P_{3}\)’s ANF without losing the missing IV term information. If we find an IV term is not in the IV representation of \((1+P_{1})P_{3}\), we can conclude that it is also not in \((1+P_{1})P_{3}\).
3.4 Fast Discarding Monomial Techniques
Degree \(\deg (s_i^j)\) of \(s_{i}^{j}\) for \(0\le i\le 2\), \(0\le j\le 340\)
For example, we estimate the degree upper bound of \(s_{1}^{341}\), where \( end=\lfloor \frac{r}{32}\rfloor \times 32128=192\). We first express \(s_{1}^{341}\) using state bits in less rounds, and discard the state terms of degree lower than d.

Step 1. First, we express \(s_{2}^{341}=s_{1}^{272}+s_{1}^{259}s_{1}^{258}+s_{1}^{257}+s_{2}^{254}\) according to Eq. (1).

Step 2. According to Table 2 highlighted in red, let \(d=\texttt {max}\{\deg (s_{1}^{272}),\) \(\deg (s_{1}^{259})+\deg (s_{1}^{258}),\deg (s_{1}^{257}), \deg (s_{2}^{254}\} = \texttt {max}\{5,5+5,5,5\}=10\).

Step 3. Discarding the state terms of degree lower than 10, we get \(s_{2}^{341*}=s_{1}^{259}s_{1}^{258}\). Iteratively compute \(s_{2}^{341*}\) and discard state terms with degree lower than 10, there is no state term surviving. We reset \(d=d1\) and repeat the above decomposition and discarding process. We can get the result \(s_{2}^{341**}=s_0^{166}s_0^{167}s_0^{193}+s_0^{167}s_0^{168}s_0^{192}+s_0^{166}s_0^{167}s_0^{168}+s_0^{165}s_0^{167}s_0^{168}+s_0^{167}s_0^{168}s_1^{180}+s_0^{166}s_0^{167}s_1^{181}\).
 Step 4. Note that there is still a state bit \(s_{1}^{193}\) in \(s_{2}^{341**}\) that is bigger than end=192. So we continue to iteratively compute and discard state terms with degree lower than 9, and we get:$$\begin{aligned} \begin{array}{l} s_{2}^{341***}= s_2^{56}s_2^{57}s_2^{83}s_2^{84}s_2^{101}+s_2^{57}s_2^{58}s_2^{83}s_2^{84}s_2^{100}+s_2^{56}s_2^{57}s_2^{58}s_2^{83}s_2^{84}+\\ s_0^{97}s_2^{57}s_2^{58}s_2^{83}s_2^{84}+s_0^{98}s_2^{56}s_2^{57}s_2^{83}s_2^{84}+s_0^{124}s_2^{56}s_2^{57}s_2^{101}+s_0^{124}s_2^{57}s_2^{58}s_2^{100}+\\ s_0^{124}s_2^{56}s_2^{57}s_2^{58}+s_0^{124}s_2^{55}s_2^{57}s_2^{58}+s_2^{55}s_2^{57}s_2^{58}s_2^{83}s_2^{84}+s_0^{97}s_0^{124}s_2^{57}s_2^{58}\\ +s_0^{98}s_0^{124}s_2^{56}s_2^{57}+s_2^{57}s_2^{58}s_2^{82}s_2^{83}s_2^{102}+s_2^{58}s_2^{59}s_2^{82}s_2^{83}s_2^{101}+s_2^{57}s_2^{58}s_2^{59}s_2^{82}s_2^{83}+\\ s_2^{56}s_2^{58}s_2^{59}s_2^{82}s_2^{83}+s_0^{98}s_2^{58}s_2^{59}s_2^{82}s_2^{83}+s_0^{99}s_2^{57}s_2^{58}s_2^{82}s_2^{83}+s_0^{123}s_2^{57}s_2^{58}s_2^{102}+\\ s_0^{123}s_2^{58}s_2^{59}s_2^{101}+s_0^{123}s_2^{57}s_2^{58}s_2^{59}+s_0^{123}s_2^{56}s_2^{58}s_2^{59}+s_0^{98}s_0^{123}s_2^{58}s_2^{59}\\ +s_0^{99}s_0^{123}s_2^{57}s_2^{58}+s_2^{56}s_2^{57}s_2^{58}s_2^{59}s_2^{101}+s_0^{98}s_2^{56}s_2^{57}s_2^{58}s_2^{59}+s_2^{55}s_2^{56}s_2^{57}s_2^{58}s_2^{102}+\\ s_2^{55}s_2^{56}s_2^{58}s_2^{59}s_2^{101}+s_2^{55}s_2^{56}s_2^{57}s_2^{58}s_2^{59}+s_0^{98}s_2^{55}s_2^{56}s_2^{58}s_2^{59}+s_0^{99}s_2^{55}s_2^{56}s_2^{57}s_2^{58}+\\ s_0^{114}s_2^{57}s_2^{58}s_2^{102}+s_0^{114}s_2^{58}s_2^{59}s_2^{101}+s_0^{114}s_2^{57}s_2^{58}s_2^{59}+s_0^{114}s_2^{56}s_2^{58}s_2^{59}+s_0^{89}s_0^{90}s_2^{57}s_2^{58}s_2^{100}+\\ s_0^{98}s_0^{114}s_2^{58}s_2^{59}+s_0^{99}s_0^{114}s_2^{57}s_2^{58}+s_0^{115}s_2^{56}s_2^{57}s_2^{101}+s_0^{115}s_2^{57}s_2^{58}s_2^{100}+s_0^{115}s_2^{56}s_2^{57}s_2^{58}+\\ s_0^{115}s_2^{55}s_2^{57}s_2^{58}+s_0^{97}s_0^{115}s_2^{57}s_2^{58}+s_0^{98}s_0^{115}s_2^{56}s_2^{57}+s_0^{89}s_0^{90}s_2^{56}s_2^{57}s_2^{101}+\\ s_0^{89}s_0^{90}s_2^{56}s_2^{57}s_2^{58}+s_0^{89}s_0^{90}s_2^{55}s_2^{57}s_2^{58}+s_0^{89}s_0^{90}s_0^{97}s_2^{57}s_2^{58}+s_0^{89}s_0^{90}s_0^{98}s_2^{56}s_2^{57}. \end{array} \end{aligned}$$(7)

Step 5. Here, there is no state bit in rounds more than \(end=192\), the expression ends and there are still state terms that survive. Then the current degree \(d=9\) is the estimated degree of \(s_{2}^{341}\).

Step 6. Note that, if there is no state item in \(s_{2}^{341***}\) surviving, which means the degree added twice or more shown in Eq. (6) happens to the iterative computation of \(s_{2}^{341}\). So the degree must be less than 9. We reset \(d=8\) and continue the above steps 3–5 to get a more accurate degree bound.
The estimated upper bound degree \(\mathcal {DEG}(s_i^j)\) of \(s_{i}^{r}\) for \(r\le 689\)
We pay attention to the degree reduction of the state term \({\prod _{j=l}^{l+t1}s_{i}^{j}}\) for a specific \(i\in [0,2]\). This state term results from the iteration structure of Trivium scheme, whose high degree state terms come from the multiplication of \(s_{i}^{j}s_{i}^{j+1}\) shown in Eq. (1). After several rounds of iteration, the high degree state terms are in the form \({\prod _{j=l}^{l+t1}s_{i}^{j}}\). Define the degree reduction \(d_{t}=\sum _{j=l}^{l+t1}\deg (s_{i}^{j})\deg (\prod _{j=l}^{l+t1}s_{i}^{j})\).
The degree reduction can help discard state terms of lower degree dramatically, as it can help predict the change of degree before expression operation^{2}. We take the state term \(s_{1}^{340}s_{1}^{341}\) as an example to illustrate the process to compute the degree reduction \(d_t\). Algorithm 2 is first used to obtain the degree of state bits as shown in Tables 2 and 3.
3.5 IV Representation Techniques
In the cryptanalysis of stream ciphers, the output is a boolean function over key and IV bits. But obtaining the exact expression is hard, thus we propose IV representation technique to reduce the computation complexity for obtaining the degree information.
Definition 1
(IV representation) Given a state bit \(s=\sum _{I,J}\prod _{i\in I}v_{i}\prod _{j\in J}k_{j}\), the IV representation of s is \(s_{IV}=\sum _{I}\prod _{i\in I}v_{i}\).
For example, if a boolean polynomial is \(s=v_{0}k_{1}+v_{0}k_{0}k_{2}+v_{1}k_{1}k_{2}+v_{0}v_{1}k_{2}\), then its corresponding IV representation is \(s_{IV}=v_{0}+v_{0}+v_{1}+v_{0}v_{1}\).
IV representation with repeated IV terms Removing Algorithm. Due to neglection of key bits, there are lots of repeated IV terms. Here we give an algorithm to remove the repeated IV terms of \(s_{IV}\). The details of the algorithm are shown in Algorithm 4. This algorithm is based on a Hash function. First, an empty hash set is initialized. For each IV term \(T_{i}\), compute the hash value as \(H(T_{i})\) (Line 3), then determine if \(T_{i}\) is already in H. If not, then insert \(T_{i}\) into H (Lines 4–5). Applying Algorithm 4 to the above example, the result is \(v_{0}+v_{1}+v_{0}v_{1}\). Note that this algorithm is slightly different from Algorithm 1. If we apply Algorithm 1 to \(s_{IV}\), the result is \(v_{1}+v_{0}v_{1}\).
After using IV representation combined with Algorithm 4, all the existent IV terms are left by ignoring their repetition. With collisionresistent hash function H, the time complexity of Algorithm 4 is O(n) for processing n IV terms. It needs several minutes to apply Algorithm 4 on 1 billion IV terms on a single core.
4 Key Recovery Attack on 855round Trivium
In the attack on 855round Trivium, all the 80bit IV are initiated with free variables: \(IV_{i}=v_{i}\), \(i\in [0,79]\).
4.1 Determining the Nullification Scheme for the Output Polynomial of 855round Trivium
For 855round Trivium, the degree of output bit z is very high, as shown in [19]. So it is not easy to find the missing IV terms in the complex \(z=P_{1}P_{2}+P_{3}\). However, based on the new observation of Boolean polynomial introduced in Sect. 3.1. we can choose \(P_{1}\) to reduce the Boolean polynomial \((1+P_{1})z=(1+P_{1})P_{3}\) such that the degree of \((1+P_{1})P_{3}\) is lower. The lower, the better. In fact, the lower the degree of a state term, the less high degree IV terms it can deduce.
Degrees of state bits are obtained first in order to determine the high degree state terms. The exact Boolean polynomial of \(s_{i}^{j}\) for \(i\in [0,2]\) and \(j\in [0,340]\) can be obtained. The other degree upper bounds can be obtained by executing Algorithm 2.
For a search of \(P_1\), we use the decomposition of Trivium and preserve the high degree state terms (bigger than a given bound dependent on our computing ability in a PC), where the degree of state terms means the sum of degrees of each state bit in the earlier rounds involved. We decompose until all the state bits are within the range of [0, 276]. The key points to determine \(P_1\) come from 3 criteria: (1) the frequency of \(P_1\) is high; (2) the degree of \(P_1\) is low; (3) the equivalent key guesses in \(P_1\) are minimized. We calculate the frequency of state bits and find that \(s_1^{210}\) occurs in about \(\frac{3}{4}\) of all the preserved high state terms. The degree of \(s_1^{210}\) is 5 and can be reduced to 2 after nullifying the 5 IV bits, and there are only 3 equivalent key bits to be guessed. So we choose \(P_1= s_1^{210}\).
Count of IV bits in \(s_{1}^{210}\) before IV nullification.
In order to simplify \(s_{1}^{210}\) so that it is easier to obtain the degree bound of \((1+s_{1}^{210})P_{3}\), we nullify \(v_{74}\), \(v_{60}\), \(v_{75}\), \(v_{30}\) and \(v_{48}\).
Frequency of IV bits in \(s_{1}^{210}\) after IV nullification.
4.2 Determining the Degree Bound of Reduced Polynomial
 1.
Deleting state terms according to degree evaluation;
 2.
Deleting state terms according to degree reduction.
Degree reductions \(d_t(s_i^js_i^{j+1})\) of \(s_i^js_i^{j+1}\) with \(t=2\)
In the cryptanalysis of Trivium, the degree reduction may be more complicated. Further degree reduction for \(t>4\) is hard to be obtained using PC for loop executing Algorithm 3. Some manmade work should be involved to obtain further degree reduction. The degree reduction can help discard state terms of lower degree dramatically. For example, if the state term \(b_{1}b_{2}\) goes through degree evaluation phase, that means \(\mathcal {DEG}(b_1)+\mathcal {DEG}(b_2)\ge 70\), then we check if \(\mathcal {DEG}(b_1)+\mathcal {DEG}(b_2)d_t(b_1b_2)<70\). If yes, \(\deg (b_1b_2)<70\) and delete it.
Degree reductions \(d_t(s_i^js_i^{j+1}s_i^{j+2})\) of \(s_i^js_i^{j+1}s_i^{j+2}\) with \(t=3\)
Degree reductions \(d_t(s_i^js_i^{j+1}s_i^{j+2}s_i^{j+3})\) of \(s_i^js_i^{j+1}s_i^{j+2}s_i^{j+3}\) with \(t=4\)
After the above 2 steps to reduce \((1+s_{1}^{210})P_{3}\), the degrees of the left state terms are possibly higher or equal to 70. As the dimension is high, a cube tester over such a big dimension is far beyond our computing ability. For the left state terms, we use IV representation for each left state terms and remove the repeated IV terms using Algorithm 4 in order to determine the missing 70degree IV terms. After the above steps, there is no 70degree IV term in \((1+s_{1}^{210})P_{3}\). So the degree of \((1+s_{1}^{210})P_{3}\) is strictly lower than 70, which is summarized as the following Lemma 2.
Lemma 2
Set the \(v_{74}\), \(v_{60}\), \(v_{75}\), \(v_{30}\) and \(v_{48}\) to zeros, then the degree of \((1+s_{1}^{210})z_{855}\) is bounded by 70, where \(z_{855}\) is the output after 855round initializations.
According to Lemma 2, we strictly prove that the degree of the reduced polynomial is lower than 70, so the sum over any selected cube of dimension 70 is zero, such that the distinguishers can be constructed.
4.3 Online Phase and Complexity Analysis
For each guess, we need to sum over a cube of dimension 70, so that the complexity is \(2^{3}\cdot 2^{70}+2^{2}\cdot 2^{70}+2^{1}\cdot 2^{70}\approx 2^{74}\).
After the above process, the bits \(k_{19}\), \(k_{20}\) and \(k_{57}+k_{63}+k_{21}+k_{28}k_{29}+k_{3}+k_{30}+k_{12}+k_{37}k_{38}+k_{39}\) can be determined. \(k_{19}\) and \(k_{20}\) are single master key bits. Let \(c=k_{57}+k_{63}+k_{21}+k_{28}k_{29}+k_{3}+k_{30}+k_{12}+k_{37}k_{38}+k_{39}\) (c is 0 or 1), then it can be rewritten as \(k_{57}=k_{63}+k_{21}+k_{28}k_{29}+k_{3}+k_{30}+k_{12}+k_{37}k_{38}+k_{39}+c\). We guess the other 77 key bits excluding \(k_{19}\), \(k_{20}\) and \(k_{57}\), the value \(k_{57}\) can be obtained directly. So the other 77 key bits excluding \(k_{19}\), \(k_{20}\) and \(k_{57}\) can be recovered by brute force. Thus the complexity to recover all the key bits is \(2^{77}\).
4.4 Experimental Verification
We apply a powerful nullification technique to reduce the output polynomial, and prove the degree bound of the reduced polynomial theoretically and recover key bits. To make the attack more clear, we give an attack instance. We give two attacks on 721round Trivium: a distinguishing attack and a keyrecovery attack.
Obtain the Degree Upper Bound of Output of 721round Trivium. Initial \(IV_{i}=v_{i}\) with \(i\in [0,79]\). In the example attack on 721round Trivium, we only use 40 freedom variables, i.e. set \(v_{2\cdot j+1}=0\) for \(j\in [0,39]\) and the other 40 IV bits are freedom variables.
Degree upper bounds \(\mathcal {DEG}(s_i^j)\) of the state bits \(s_i^j\) for \(j\le 665\)
The output of 721round Trivium is \(z_{721}=s_{0}^{656}+s_{0}^{629}+s_{1}^{653}+s_{1}^{638}+s_{2}^{656}+s_{2}^{611}\). According to Table 9, the 6 state terms (bits) highlighted in red are of degree lower than 40, so the degree of \(z_{721}\) is lower than 40, which can serve as distinguishers. This result can be obtained easily by rough computing.
Next, we give a more accurate bound of \(z_{721}\). In the following, we will determine whether \(z_{721}\)’s degree is bigger than 37. The 6 state bits are expressed using state bits in lower rounds again and substituted into \(z_{721}\), which is called the substitution or expression process in [9]. Then \(z_{721}=s_{2}^{590}+s_{2}^{546}s_{2}^{547}+\) \(s_{2}^{545}+s_{0}^{587}+s_{2}^{563}+s_{2}^{519}s_{2}^{520}+s_{2}^{518}+s_{0}^{560}+s_{0}^{587}+s_{0}^{561}s_{0}^{562}+s_{0}^{560}+s_{1}^{575}+s_{0}^{572}+\) \(s_{0}^{546}s_{0}^{547}+s_{0}^{545}+s_{1}^{560}+s_{1}^{587}+s_{1}^{573}s_{1}^{574}+s_{1}^{572}+s_{2}^{569}+s_{1}^{542}+s_{1}^{528}s_{1}^{529}+s_{1}^{527}+s_{2}^{524}\). According to degree upper bounds Table 9, \(\deg (s_{2}^{590})=27<37\) highlighted in blue, so \(s_{2}^{590}\) is removed. Then \(\deg (s_{2}^{546}s_{2}^{547})\le \mathcal {DEG}(s_{2}^{546})+\mathcal {DEG}(s_{2}^{547})=20+21=41\) and \(41\ge 37\), so the degree of \(s_{2}^{546}s_{2}^{547}\) is possibly bigger than 36 and left. After discarding all the state terms whose degrees are lower than 36, \(z_{721}_{\deg >36}=s_{2}^{546}s_{2}^{547}+s_{1}^{573}s_{1}^{574}\). Continue substitution and expression process for \(z_{721}_{\deg >36}\) and finally, there remain no state terms with degree bigger than 36, so that the degree bound of \(z_{721}\) is 36. The details of the above step are shown in Appendix A.
A KeyRecovery Attack on 721round Trivium. Similar to the IV setting above for distinguishing 721round Trivium, we set \(v_{2\cdot j+1}=0\) for \(j\in [0,39]\) and the other 40 IV bits are freedom variables.
According to our attack outline introduced in Sect. 3.2, we need to determine the nullification scheme first. We express the output of 721round Trivium iteratively and calculate the frequency of state bits in the polynomial. Then we choose \(s_{1}^{290}\) as \(P_{1}\), the output can be rewritten as \(z_{721}=s_{1}^{290}P_{2}+P_{3}\). Multiply \(1+s_{1}^{290}\) with \(z_{721}\) such that the result is \((1+s_{1}^{290})z_{721}=(1+s_{1}^{290})P_{3}\). We study the reduced polynomial \((1+s_{1}^{290})P_{3}\). In order to decrease the number of key bits in \(s_{1}^{290}\), we choose to nullify \(v_{58}\), \(v_{64}\) and \(v_{72}\), so that there are 37 freedom variables. Set the degree bound to 32, we express \((1+s_{1}^{290})P_{3}\) using internal state bits furthermore and discard state terms whose degree are lower than \(32+d_{t}\), where \(d_{t}\) is the corresponding degree reduction. We use IV presentation, combined with Algorithm 4 in order to obtain the IV terms of degree higher than 32. Finally, there is no IV term. Hence, we prove that the degree of \((1+s_{1}^{290})z_{721}\) is lower than 32. Then the sum of \((1+s_{1}^{290})z_{721}\) over any selected cube of dimension 32 is zero. This process can be executed in an hour in a PC.
The key bits involved in \(s_{1}^{290}\).
5 Conclusions
In this paper, we propose the Boolean polynomial reduction techniques and IV representation, which can be applicable to cryptanalysis of stream ciphers based on NFSRs. These techniques can help obtain more accurate degree bounds. We apply these techniques to the cryptanalysis of reduced round Trivium. For recovering the key bits of Trivium, we propose a new nullification technique. Combined with the distinguishers, we propose a keyrecovery attack on 855 round Trivium, where 3 equivalent key bits can be recovered with complexity of \(2^{74}\). The other key bits can be recovered by brute force with a complexity of \(2^{77}\).
Furthermore, our flexible methods can be applied to attack more round of Trivium by adjustment of \(P_{1}\), which is our future work. In addition, the degree evaluation and degree reduction techniques can be applicable to other encryption primitives such as Grain family.
Footnotes
Notes
Acknowledgement
The authors would like to thank anonymous reviewers for their helpful comments. We also thank National Supercomputing Center in Wuxi for their support of Sunway TaihuLight, which is the most powerful supercomputer. This work was supported by the National Key Research and Development Program of China (Grant No. 2017YFA0303903), and National Cryptography Development Fund (No. MMJJ20170121), and Zhejiang Province Key R&D Project (No. 2017C01062).
References
 1.Aumasson, J.P., Dinur, I., Meier, W., Shamir, A.: Cube testers and key recovery attacks on reducedround MD6 and Trivium. In: Dunkelman, O. (ed.) FSE 2009. LNCS, vol. 5665, pp. 1–22. Springer, Heidelberg (2009). https://doi.org/10.1007/9783642033179_1CrossRefGoogle Scholar
 2.De Cannière, C., Preneel, B.: Trivium. In: Robshaw, M., Billet, O. (eds.) New Stream Cipher Designs. LNCS, vol. 4986, pp. 244–266. Springer, Heidelberg (2008). https://doi.org/10.1007/9783540683513_18CrossRefGoogle Scholar
 3.Dinur, I., Güneysu, T., Paar, C., Shamir, A., Zimmermann, R.: An experimentally verified attack on full grain128 using dedicated reconfigurable hardware. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 327–343. Springer, Heidelberg (2011). https://doi.org/10.1007/9783642253850_18CrossRefGoogle Scholar
 4.Dinur, I., Shamir, A.: Cube attacks on tweakable black box polynomials. In: Joux, A. (ed.) EUROCRYPT 2009. LNCS, vol. 5479, pp. 278–299. Springer, Heidelberg (2009). https://doi.org/10.1007/9783642010019_16CrossRefGoogle Scholar
 5.Dinur, I., Shamir, A.: Breaking grain128 with dynamic cube attacks. In: Joux, A. (ed.) FSE 2011. LNCS, vol. 6733, pp. 167–187. Springer, Heidelberg (2011). https://doi.org/10.1007/9783642217029_10CrossRefGoogle Scholar
 6.Englund, H., Johansson, T., Sönmez Turan, M.: A framework for chosen IV statistical analysis of stream ciphers. In: Srinathan, K., Rangan, C.P., Yung, M. (eds.) INDOCRYPT 2007. LNCS, vol. 4859, pp. 268–281. Springer, Heidelberg (2007). https://doi.org/10.1007/9783540770268_20CrossRefGoogle Scholar
 7.Fischer, S., Khazaei, S., Meier, W.: Chosen IV statistical analysis for key recovery attacks on stream ciphers. In: Vaudenay, S. (ed.) AFRICACRYPT 2008. LNCS, vol. 5023, pp. 236–245. Springer, Heidelberg (2008). https://doi.org/10.1007/9783540681649_16CrossRefGoogle Scholar
 8.Fouque, P.A., Vannet, T.: Improving key recovery to 784 and 799 rounds of Trivium using optimized cube attacks. In: Moriai, S. (ed.) FSE 2013. LNCS, vol. 8424, pp. 502–517. Springer, Heidelberg (2014). https://doi.org/10.1007/9783662439333_26CrossRefGoogle Scholar
 9.Fu, X., Wang, X., Chen, J.: Determining the nonexistent terms of nonlinear multivariate polynomials: how to break grain128 more efficiently. IACR Cryptology ePrint Archive 2017, 412 (2017). http://eprint.iacr.org/2017/412
 10.International Organization for Standardization (ISO): ISO/IEC 29192–3:2012, Information technology  Security techniques  Lightweight cryptography  Part 3: Stream ciphers (2012)Google Scholar
 11.Knellwolf, S., Meier, W., NayaPlasencia, M.: Conditional differential cryptanalysis of NLFSRbased cryptosystems. In: Abe, M. (ed.) ASIACRYPT 2010. LNCS, vol. 6477, pp. 130–145. Springer, Heidelberg (2010). https://doi.org/10.1007/9783642173738_8CrossRefGoogle Scholar
 12.Knellwolf, S., Meier, W., NayaPlasencia, M.: Conditional differential cryptanalysis of Trivium and KATAN. In: Miri, A., Vaudenay, S. (eds.) SAC 2011. LNCS, vol. 7118, pp. 200–212. Springer, Heidelberg (2012). https://doi.org/10.1007/9783642284960_12CrossRefGoogle Scholar
 13.Knudsen, L.R.: Truncated and higher order differentials. In: Preneel, B. (ed.) FSE 1994. LNCS, vol. 1008, pp. 196–211. Springer, Heidelberg (1995). https://doi.org/10.1007/3540605908_16CrossRefGoogle Scholar
 14.Knudsen, L., Wagner, D.: Integral cryptanalysis. In: Daemen, J., Rijmen, V. (eds.) FSE 2002. LNCS, vol. 2365, pp. 112–127. Springer, Heidelberg (2002). https://doi.org/10.1007/3540456619_9CrossRefGoogle Scholar
 15.Lai, X.: Higher order derivatives and differential cryptanalysis. In: Blahut, R.E., Costello, D.J., Maurer, U., Mittelholzer, T. (eds.) Communications and Cryptography, pp. 227–233. Springer, Boston (1994). https://doi.org/10.1007/9781461526940_23CrossRefGoogle Scholar
 16.Liu, M.: Degree evaluation of NFSRbased cryptosystems. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10403, pp. 227–249. Springer, Cham (2017). https://doi.org/10.1007/9783319636979_8CrossRefGoogle Scholar
 17.Liu, M., Yang, J., Wang, W., Lin, D.: Correlation cube attacks: from weakkey distinguisher to key recovery. Cryptology ePrint Archive, Report 2018/158 (2018). https://eprint.iacr.org/2018/158CrossRefGoogle Scholar
 18.Todo, Y.: Structural evaluation by generalized integral property. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 287–314. Springer, Heidelberg (2015). https://doi.org/10.1007/9783662468005_12CrossRefGoogle Scholar
 19.Todo, Y., Isobe, T., Hao, Y., Meier, W.: Cube attacks on nonblackbox polynomials based on division property. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10403, pp. 250–279. Springer, Cham (2017). https://doi.org/10.1007/9783319636979_9CrossRefGoogle Scholar
 20.Wang, X., Yin, Y.L., Yu, H.: Finding collisions in the full SHA1. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 17–36. Springer, Heidelberg (2005). https://doi.org/10.1007/11535218_2CrossRefGoogle Scholar
 21.Wang, X., Yu, H.: How to break MD5 and other hash functions. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 19–35. Springer, Heidelberg (2005). https://doi.org/10.1007/11426639_2CrossRefGoogle Scholar