Algebraic Analysis of Trivium-Like Ciphers (Poster)

Proceedings of the Twelfth Australasian Information Security Conference (AISC 2014), Auckland, New Zealand

Algebraic analysis of Trivium-like ciphers (Poster)

Sui-Guan Teo1 Kenneth Koon-Ho Wong1 Harry Bartlett2 Leonie Simpson2 Ed Dawson1

1Institute for Future Environments 2Science and Engineering Faculty Queensland University of Technology 2 George Street, Brisbane QLD 4000, Australia {teosuiguan, kwong87}@gmail.com, {h.bartlett, lr.simpson, e.dawson}@qut.edu.au

Abstract extended to ciphers in which q > 1 bits of internal state are non-linearly updated at each step and q or Trivium is a bit-based stream cipher in the final port- more linear combinations of the state are output as folio of the eSTREAM project. In this paper, we ap- keystream. However, whether these techniques can ply the algebraic attack approach of Berbain et al. be extended to ciphers in which q > 1 bits of inter- to Trivium-like ciphers and perform new analyses on nal state are non-linearly updated, while only q0 < q them. We demonstrate a new algebraic attack on linear combinations of the state-bits are output, has Bivium-A. This attack requires less time and memory not been demonstrated and is posed as an open ques- than previous techniques to recover Bivium-A’s ini- tion (Berbain et. al., 2009). tial state. Though our attacks on Bivium-B, Trivium and Trivium-N are worse than exhaustive keysearch, 1.1 Contributions of paper the systems of equations which are constructed are smaller and less complex compared to previous al- Our algebraic analysis on Trivium-like ciphers, we gebraic analyses. We also answer an open question provide an answer to Berbain et al.’s open ques- posed by Berbain et al. on the feasibility of ap- tion. Specifically, we use Bivium-A/B, Trivium and plying their technique on Trivium-like ciphers. Fac- Trivium-N as case-studies, as q0 < q in all cases. We tors which can affect the complexity of our attack on apply Berbain et al.’s method of representing the feed- Trivium-like ciphers are discussed in detail. Analy- back bits as linear combinations of internal state bits sis of Bivium-B and Trivium-N are omitted from this and keystream bits. manuscript. The full version of this paper is available To assist us in our analysis, we introduce a new on the IACR ePrint Archive. variable j, which describes the number of registers the keystream generation function takes inputs from. 1 Introduction We show that the value of j has a significant impact on the success of our algebraic attack on these ci- 0 Trivium (Canniéreand Preneel, 2005) is a bit-based phers. The values of q , q and j for the Trivium- stream cipher selected in the final portfolio of the like ciphers are given in Table 1. Some improvements eSTREAM project (Robshaw, 2008). Trivium uses achieved with this new method compared to exist- an 80-bit key and an 80-bit IV to initialise a 288- ing one are presented. Additionally, we investigate bit nonlinear feedback shift register (NLFSR). Each the effect which varying the keystream function and 64 feedback bit positions have on the complexity of our key-IV pair can be used to generate up to 2 bits analysis on the Trivium family. of keystream. Trivium’s structural simplicity makes it a popular cipher to cryptanalyse, but to date, no attacks in the public literature are faster than exhaus- Bivium-A Bivium-B Trivium Trivium-N tive keysearch. q 2 2 3 3 Algebraic attacks (Courtois and Meier, 2003) are q0 1 1 1 1 commonly applied to stream ciphers based on shift j 1 2 3 3 registers. To attack Trivium, Raddum (2006) used an algebraic relabelling technique, where the state- Table 1: Parameters for Trivium-like stream ciphers update bits are represented using new variables, instead of nonlinear combinations of initial state bits (Courtois and Pieprzyk, 2002). This prevents equations of high degrees from being generated. For 2 Trivium and its variants keystream generators which use a linear output function (as Trivium-like ciphers do), Berbain et. al. Trivium is commonly represented in the literature as (2009) expressed new feedback bits of an NLFSR as being based on three non-autonomous binary NLF- linear combinations of keystream bits and internal SRs: A, B, and C, of sizes 93, 84 and 111 bits re- state bits. By doing so, the equations representing spectively (Bernstein, 2006). We omit the descrip- the feedback bits of an NLFSR will always be lin- tion of the initialisation process for the cipher, as it ear. Berbain et al. claim that their technique can be has no impact on our analysis. The reader is referred to the specifications of Trivium (Canniéreand Pre- Copyright c 2014, Australian Computer Society, Inc. This neel, 2005) for a full treatment of its initialisation paper appeared at the Australasian Information Security processes. Let A denote the stages for register A Conference(ACSW-AISC 2014), Auckland, New Zealand, Jan- i uary 2014. Conferences in Research and Practice in Informa- and Ai(t) represent the contents of Ai at time t, for tion Technology (CRPIT), Vol. 149, Udaya Parampalli and Ian 0 ≤ i ≤ 92. Similar notations are used for registers B Welch, Ed. Reproduction for academic, not-for-profit purposes and C. The state-update functions of Trivium are as permitted provided this text is included.

77 CRPIT Volume 149 - Information Security 2014 follows: estimated that the complexity of recovering the initial 56  state of Bivium-B will take about 2 seconds. Eibach A24(t) ⊕ C45(t) et. al. (2010) achieved 239.12 for Bivium-B with some Ai(t + 1) = ⊕C0(t) ⊕ C1(t)C2(t) i = 92, optimisations. Other algebraic analysis on Bivium- Ai+1(t) 0 ≤ i ≤ 91. A/B use Boolean Satisfiability (SAT) solvers (Eibach  et. al., 2008; McDonald et. al., 2008) to recover the B6(t) ⊕ A27(t) initial state, which are also better than exhaustive Bi(t + 1) = ⊕A0(t) ⊕ A1(t)A2(t) i = 83, keysearch. Bi+1(t) 0 ≤ i ≤ 82.  3 New analysis of Trivium-like ciphers C24(t) ⊕ B15(t) C (t + 1) = ⊕B (t) ⊕ B (t)B (t) i = 110, i 0 1 2 In this section, we apply Berbain et al.’s approach  Ci+1(t) 0 ≤ i ≤ 109. to the analysis of Bivium-A and Trivium. Similar analyses have been applied to Bivium-B and Trivium- At time t, Trivium’s output function generates a N, which are available in the full version of our paper. keystream bit as follows: 3.1 New analysis of Bivium-A z(t) = A27(t) ⊕ A0(t) ⊕ B15(t) ⊕ B0(t) ⊕ C (t) ⊕ C (t), t ≥ 0 Bivium-A’s keystream bit zα−1 depends on two se- 45 0 quence bits produced by register B. The sequence We extend this representation of Trivium and con- bits of B after 83 iterations are unknown. Applying sider the keystream as a sequence related to the Berbain at al.’s technique to the equation we can de- three underlying register sequences. The initial termine the equation for calculating the sequence bit state sequences of A, B, C are (A0,A1,...,A92), Bα+83 for α ≥ 1: (B ,B ,...,B ) and (C ,C ,...,C ) respectively. 0 1 83 0 1 110 B = z ⊕ B New sequence bits Aα+92, Bα+83 and Cα+110 are pro- α+83 α+68 α+68 duced after α iterations of Trivium’s state-update function as follows: We present a a divide-and-conquer approach to recover the initial state of Bivium-A. This involves first A = A ⊕ C ⊕ C ⊕ C C (1) forming a system of equations to recover the contents α+92 α+23 α+44 α−1 α α+1 of register B. Another system of equations is then Bα+83 = Bα+5 ⊕ Aα+26 ⊕ Aα−1 ⊕ AαAα+1 (2) formed using the now known contents of register B Cα+110 = Cα+23 ⊕ Bα+14 ⊕ Bα−1 ⊕ BαBα+1 (3) to recover the contents of register A. The first system of equations consists of the following equations: The keystream bit can be expressed as a linear com- bination of sequence bits from A, B and C as follows: zα−1 ⊕ Bα−1 ⊕ Bα+14 = 0 (5) Bα+83 ⊕ zα+68 ⊕ Bα+68 = 0 (6) zα−1 = Aα+26 ⊕ Aα−1 where Equation 5 is a keystream equation for Bivium- ⊕ Bα+14 ⊕ Bα−1 ⊕ Cα+44 ⊕ Cα−1 (4) A and Equation 6 the new equation representing Note that the sequence-based approach is analogous Bivium-A’s sequence bit Bα+83 derived from our new to the relabelling approach of Raddum (2006). In analysis. For the first 69 iterations, we add two equa- this paper, we use these sequence equations in our tions and one variable into the system of equations: algebraic analysis. one equation representing the keystream, and one Bivium-A/B are reduced versions of Trivium util- equation and variable representing the sequence bit ising only two registers A, B with slightly modified for register B. For the last 39 iterations, we only add feedback functions. The reader is referred to Rad- the equations representing the sequence bits for B. dum (2006) for their specificiations. In Bivium-A, This gives us a final system of equations after 108 it- the keystream bit is generated using erations consisting of 192 variables in 177 equations. Solving this system of equations gives 215 possible so- zα−1 = Bα+14 ⊕ Bα−1 lutions. For each of these 215 possible solutions, we form which is composed with stages from only one register. the second system of equations to recover the initial The key and IV sizes remain the same as Trivium. state of A, substituting the sequence bits of B recovered in the first system of equations into the second system of equations. The second set of equations 2.1 Existing algebraic cryptanalysis equations consists of: Raddum (2006) constructed a system of equations for Trivium consisting of 954 equations in 954 variables. Aα+92 ⊕ Bα+14 ⊕ Bα−1 ⊕ BαBα+1 ⊕ Aα+23 = 0 Applying techniques from graph theory, it was esti- Bα+83 ⊕ Aα+26 ⊕ Aα−1 ⊕ AαAα+1 ⊕ Bα+5 = 0 mated that the initial state of Trivium can be recovered in about 2164 operations. Several attempts have After 108 iterations, we have a system of equations been made to solve Raddum’s system of equation, (Si- consisting of 201 variables in 216 equations. If the monetti et. al., 2008; Borghoff et. al., 2011; Schilling system can be solved, then the sequences of A and B and Raddum, 2012a,b). Other attacks on Trivium in- are recovered. An attacker can then use this initial clude SAT-solvers (McDonald et. al., 2008) and cube state to generate some keystream to check the validty attacks (Dinur and Shamir, 2009; Aumasson et. al., of the recovered initial state. 2009; Forque and Vannet, 2013). However, none were better than exhaustive keysearch for the original Triv- 3.1.1 Comparison of attacks ium proposal. Raddum (2006) used a relabelling approach to re- Details of the systems of equations formed for using cover the initial state of Bivium-A in about a day. He Raddum’s approach and our approach are shown in

78 Proceedings of the Twelfth Australasian Information Security Conference (AISC 2014), Auckland, New Zealand Technique Lin Quad Total K.S. Vars Exp If we substitute Equation 7 into the equation repre- eqns eqns eqns (bits) sols senting the sequence bit B84, we get the trivial equa- Raddum 177 222 399 177 399 1 tion B84 = B84. This does not allow us to express B84 Our approach: in terms of the sequence bits and keystream. There- - Step 1 177 0 177 177 192 215 fore, our technique only allows us to express the se- - Step 2 108 108 216 0 201 1 quence bits for a single register in terms of internal state and keystream bits. Therefore, the divide-and- Column headings: Number of Linear and Quadratic Equations, conquer approach used in our analysis of Bivium-A Total Number of Equations, followed by Keystream bits required, cannot be applied here. Number of Variables, and Number of Expected Solutions In the following analysis, we express the sequence bits Aα+93, Bα+84, and Cα+111 for α ≥ 1 using the Table 2: Details for the system of equations in sequence update function described in Section 2. This Bivium-A for both approaches. new system of equations starts oﬀ with 288 variables representing the inital state bits. For each of the ﬁrst 66 iterations, we add three new variables and four Table 2. As we are solving two systems of equations new equations to the system of equations, consisting separately, the complexity of our attack is likely to be of: less than that using Raddum’s technique. We investigate this with experimental work. The results are A ⊕ z ⊕ A ⊕ B shown in Table 3. The F 4 implementation in Magma α+92 α+65 α+65 α+80 ⊕Bα+65 ⊕ Cα+110 ⊕ Cα+65 = 0

No Guessing: Time Memory Keystream Bα+83 ⊕ Bα+5 ⊕ Aα+26 ⊕ Aα−1 ⊕ AαAα+1 = 0 (MB) (bits) Cα+110 ⊕ Cα+23 ⊕ Bα+14 ⊕ Bα−1 ⊕ BαBα+1 = 0 (Raddum, 2006) DNF 87040 177 Our approach 13.9 hrs 135.56 177 zα−1 ⊕ Aα+26 ⊕ Aα−1 ⊕ Bα+14

Load 15 correct bits Time Memory Keystream ⊕Bα−1 ⊕ Cα+44 ⊕ Cα−1 = 0 into register B: (MB) (bits) After 66 iterations, similar to Bivium-A, the (Raddum, 2006) 8.95 s 13.34 177 Our approach 3.29 s 13.31 177 keystream equations become redundant, and we can stop adding variables and equations into the system. This gives us a final system of equations consisting Table 3: Time, memory, and data complexities for of 486 variables in 264 equations. The comparison of recovering initial state of Bivium-A both systems of equations is shown in Table 4. (Bosma et. al., 1997) was used. Note that this is equivalent to Gaussian elimination in Step 1 of our Technique Lin Quad Total K.S. Vars Exp approach. We attempt to solve the system of equa- eqn. eqn. eqn. (bits) sols tions in two ways: (1) without guessing any bits and Raddum 288 666 954 288 954 1 (2) load 15 correct initial state bits of Register B. Our approach 132 132 264 132 486 2222 Overall, our approach gave more favourable results under both scenarios. The full attack wth no guess- Column headings as per Table 2 ing did not finish (DNF) using Raddum’s attack after exhausting the assigned 85 GB of memory. Al- Table 4: Details for the system of equations in Triv- though McDonald et. al. (2008) solved the Bivium-A ium system in 16 seconds using SAT solvers, they reported 4660 hours to solve the same system using F4. It is Our system of equations has less quadratic equa- difficult to directly compare the effectiveness of our tions compared to Raddum’s technique. Raddum’s approach against others (Raddum, 2006; McDonald technique has 666 quadratic equations, compared to et. al., 2008) as different hardware platforms and soft- 132 quadratic equations in ours. The drawback of ware implementations can have significant effects on our system of equations however, is that our system the time and memory required to recover the initial of equations have a greater excess of variables over state of Bivium-A. equations to Raddum’s technique. In Raddum’s technique, solving a system consisting of 954 variables in 954 equations should yield a unique solution. In con- 3.2 New algebraic analysis on Trivium trast, solving our system of equations consisting of Using Berbain et al.’s approach, we can determine the 486 variables in 264 equations using the F4 algorithm equation describing the sequence bits for registers A, will yield 2222 possible solutions, which is worse than B and C: exhaustive keysearch. This will be discussed further in Section 4.2. Aα+92 = zα+65 ⊕ Aα+65 ⊕ Bα+80 ⊕ Bα+65 ⊕ Cα+110 ⊕ Cα+65 4 On Berbain et al.’s Open Question Bα+83 = zα+68 ⊕ Aα+95 ⊕ Aα+68 ⊕ B ⊕ C ⊕ C In this section, we answer the open question posed α+68 α+112 α+67 by Berbain et. al. (2009) by showing how it may be Cα+110 = zα+65 ⊕ Aα+92 ⊕ Aα+65 possible to recover the initial states of some Trivium- ⊕ Bα+80 ⊕ Bα+65 ⊕ Cα+65 like ciphers faster than exhaustive keysearch using our analysis. Two factors are considered: However, we can not use all three sets of equations simultaneously since they are actually equivalent. For • The relationship between j (the number of reg- example, calculating B84 requires knowledge of the isters the keystream generation function takes as sequence bit A96. The equation representing A96 is: input to generate keystream) and q (the number of registers whose internal state is updated A96 = z69 ⊕ A69 ⊕ B84 ⊕ B69 ⊕ C114 ⊕ C69 (7) at each iteration).

79 CRPIT Volume 149 - Information Security 2014 • The largest index among the stages in a register Our new attack on Bivium-A can be prevented used for the output function and the size of each by making changes to the keystream output function. register. For example, suppose the output function of Bivium- A was, instead: 4.1 Relationship between j and q zα−1 = Bα−1 ⊕ Bα+82 In the case of Bivium-A, where j < q, we recovered the initial state of the cipher with a complexity The sequence bit B84, rewritten in terms of linear less than Raddum’s relabelling technique, which is al- combinations of keystream and internal state bits, is ready less than exhaustive key search. The complex- now B84 = z1 ⊕ B1. In this example, Dl = 83 and SR D 0 83 83 ity Tf of our new approach on Trivium-like ciphers SR = 0, so NA = 2 × 2 l = 2 × 2 = 2 , which with j < q is is larger than the number of possible keys. Conversely, assume Dl is a small value. We use Tf = T1 + (NA × T2) (8) Trivium to illustrate how this change reduces the number of solutions obtained when the system of where T1 and T2 are the time required to solve the equations was solved. Assume that the output func- first and second system of equations respectively, and tion for Trivium is instead: NA is the number of solutions obtained in solving the first system of equations. zα−1 = Aα ⊕ Aα−1 ⊕ Bα+14 ⊕ Bα−1 ⊕ Cα+44 ⊕ Cα−1 For Bivium-B, Trivium and Trivium-N, we have j = q. In this case, it is not possible to use a divide- In this case, Dl = 1 and SR = 111 + 84 = 195, which SR D 195 1 196 and-conquer approach to recover the initial state of gives NA = 2 × 2 l = 2 × 2 = 2 , a decrease the keystream generators. A single system of equa- by a factor of 226 in the number of possible solutions tions is needed. However, using our approach to compared to 2222 obtained from our analysis of Triv- build this system of equations is problematic. Since ium in Section 3.2. a keystream equation is essentially being used to rep- The size of the registers used in the formation of resent a sequence bit, additional keystream equations the first system of equations can have also an effect on become unavailable after after a certain number of the number of solutions obtained for the first system iterations. Adding further equations does not allow of equations. For example, suppose that Trivium’s us to reduce the number of solutions obtained when three registers, A, B, and C had lengths 198, 45 and the system of equations is solved and also adds to the 45 bits, where the output function used is the same complexity of solving these equations. as the original Trivium proposal. For this particular The complexity of recovering the initial state of 90 27 case, Dl = 27,SR = 45 + 45, and NA = 2 × 2 = Trivium-like ciphers where j = q is Tf = Ts + NA, 117 105 where T is the time taken to solve the system of 2 , a 2 factor decrease in the number of possible s solutions compared to the original Trivium. equations and NA is the number of solutions obtained when the system of equations is solved. 5 Conclusion 4.2 Output functions, registers sizes, and NA This paper analysed Trivium-like ciphers using the The number of solutions NA obtained when solv- approach of Berbain et al. Our analysis answers their ing Trivium-like equation systems can be determined open question and shows that it is possible, in some from the cipher specifications. Let SR be the total size cases, to extend their technique to keystream genera- of the registers whose sequence bit(s) is not written in tors which update q > 1 bits of internal state at each terms of keystream and internal state bits and whose iteration but only output q0 < q linear combinations stages are used during the construction of a system of the state bits. of equations for the cipher. When j < q, this system In particular, we demonstrated a new algebraic at- of equations is the first system of equations. When tack on Bivium-A. Our approach requires less time j = q, this system of equation is the sole system of and memory than previous techniques We demon- equations obtained. For the register whose sequence strated that if j < q, it may be possible to mount bit is written in terms of keystream and internal state a divide-and-conquer algebraic attack which is more bits, let Dl denote the largest index among the stages efficient than exhaustive key search. used as input to the output function. The size of For Trivium-like ciphers, we showed that both the the set of solutions, NA obtained when the system of sizes of the registers used in the construction of the equations is solved has been found to be: first system of equations and the selection of stages used as input to the output function can affect the SR Dl NA = 2 × 2 (9) complexity of our attack. For Bivium-A, changing the value of Dl can increase the complexity of the A summary of the results of our analyses of certain attack. However, in the case of Bivium-B, Trivium Trivium-like ciphers with regards to the number of and Trivium-N, even if the value of Dl is small, the equations, variables, solutions obtained, and their re- complexity of our algebraic attack is still worse than lationship with SR and Dl, is given in Table 5. exhaustive keysearch as the value of SR is larger than the keysize. Cipher Step 1 Step 2

SR Dl Eqn Var NA Eqn Var Soln Acknowledgements Bivium-A 0 15 177 192 215 216 201 1 The authors would like to thank anonymous reviewers Bivium-B 84 27 198 309 2111 N.A N.A N.A 222 for their helpful comments. Computational resources Trivium 195 27 264 486 2 N.A N.A N.A and services used in this work were provided by the HPC and Research Support Unit at Queensland Uni- Table 5: Details on systems of equations in our ap- versity of Technology, Brisbane, Australia. proaches for certain Trivium-like ciphers

80 Proceedings of the Twelfth Australasian Information Security Conference (AISC 2014), Auckland, New Zealand References Fouque, P. A., Vannet, T. (2013), Improving Key Re- covery to 784 and 799 rounds of Trivium using Op- Akers, S. B. (1978), Binary Decision Diagrams. IEEE timized Cube Attacks, in S. Moriai, ed, ‘Fast Soft- Transactions on Computers 27(6), 509–516. ware Encryption (FSE 2013)’. To appear. Aumasson, J. P., Dinur, I., Meier, W. and Shamir, A. McDonald, C., Charnes, C., Pieprzyk, J. (2008), An (2009), Cube Testers and Key Recovery Attacks on Algebraic Analysis of Trivium Ciphers based on the Reduced-Round MD6 and Trivium. in O. Dunkel- Boolean Satisfiability Problem, in ‘Fourth Interna- man, ed, ‘Fast Software Encryption (FSE 2009)’. tional Workshop on Boolean Functions: Cryptog- Lecture Notes in Computer Science, Vol. 5665, raphy and Applications’, pp. 173-184. Springer, pp. 1–22. Raddum, H. (2006), Cryptanalytic Results on Triv- Berbain, C., Gilbert, H. and Joux, A. (2009), Al- ium. eSTREAM, ECRYPT Stream Cipher Project, gebraic and Correlation Attacks against Linearly Report 2006/039. http://www.ecrypt.eu.org/ Filtered Non Linear Feedback Shift Registers, in stream/papersdir/2006/039.ps R.M. Avanzi, L. Keliher and F. Sica, eds, ‘Selected Areas in Cryptography (SAC 2008)’. Lecture Notes Schilling, T. E. and Raddum, H. (2012), Analysis of in Computer Science, Vol. 5381, Springer. pp. 184– Trivium Using Compressed Right Hand Side Equa- 198. tions, in H. Kim, ed, ‘Information Security and Cryptology (ICISC 2011)’. Lecture Notes in Com- Bernstein, D. , A reformulation of TRIVIUM. Sub- puter Science, Vol. 7259, Springer, pp. 18–32. mission to Phorum: ecrypt forum. http://www. ecrypt.eu.org/stream/phorum/read.php?1,448 Schilling, T. E. and Raddum, H. (2012), Solving Com- pressed Right Hand Side Equation Systems with Borghoff, J., Knudsen, L.R. and Matusiewicz, K. Linear Absorption. in T. Helleseth, J. Jedwab, eds, (2010), Hill Climbing Algorithms and Trivium. in ‘Sequences and Their Applications (SETA 2012)’. A. Biryukov, G. Gong and D. R. Stinson, eds, ‘Se- Lecture Notes in Computer Science, Vol. 7280, lected Areas in Cryptography (SAC 2010)’. Lecture Springer. pp. 291–302. Notes in Computer Science, Vol. 6544, Springer, pp. 57–73. Simonetti, I., Perret, L., Faug`re, J. C. (2008), Al- gebraic Attack Against Trivium, in ‘First Interna- Bosma, W., Cannon, J. J. and Playoust, C. (1997), tional Conference on Symbolic Computation and The Magma algebra system. I. The user language. Cryptography, SCC 2008’. LMIB. pp. 95–102. Journal of Symbolic Computation 24(3-4), 235– 265. Canniére, C. D. and Preneel, B. , Trivium, in M.J.B. Robshaw, O. Billet, eds, ‘New Stream Ci- pher Designs: The eSTREAM Finalists’. Lecture Notes in Computer Science, Vol. 4986, Springer, pp. 244–266. Courtois, N. T. and Meier, W. (2003), Algebraic At- tacks on Stream Ciphers with Linear Feedback, in E. Biham, ed, ‘Advances in Cryptology — EURO- CRYPT 2003’. Lecture Notes in Computer Science, Vol. 2656, Springer, pp. 345–359. Courtois, N. T. and Pieprzyk, J. (2002), Cryptanal- ysis of Block Ciphers with Overdefined Systems of Equations, in Y. Zheng, ed, ‘Advances in Cryptol- ogy — ASIACRPYT 2002’. Lecture Notes in Com- puter Science, Vol. 2501, Springer, pp. 267-287. Dinur, I., Shamir, A. (2009), Cube Attacks on Tweakable Black Box Polynomials, in A. Joux, ed, ‘Advances in Cryptology — EUROCRYPT 2009’. Lecture Notes in Computer Science, Vol. 5479, Springer, pp. 278–299. Eibach, T., Pilz, E. and Völkel, G. (2008), Attack- ing Bivium Using SAT Solvers, in H.K. Büning, X. Zhao, eds, ‘Theory and Applications of Satis- fiability Testing — SAT 2008’. Lecture Notes in Computer Science, Vol. 4996, Springer, pp. 63–76. Eibach, T., Pilz, E. and Völkel, G. (2010), Optimising GröbnerBases on Bivium. Mathematics in Com- puter Science 3(2), 159–172. Robshaw, M. (2008), New Stream Cipher Designs. Lecture Notes in Computer Science, Vol. 4986, Springer. Faugère,J. C. (1999), A new efficient algorithm for computing Gröbnerbases (F4). Journal of Pure and Applied Algebra 139, 61–88.