Algebraic Analysis of Trivium-Like Ciphers (Poster)


Proceedings of the Twelfth Australasian Information Security Conference (AISC 2014), Auckland, New Zealand

Sui-Guan Teo (1), Kenneth Koon-Ho Wong (1), Harry Bartlett (2), Leonie Simpson (2), Ed Dawson (1)
(1) Institute for Future Environments, (2) Science and Engineering Faculty
Queensland University of Technology, 2 George Street, Brisbane QLD 4000, Australia
{teosuiguan, [email protected]}, {h.bartlett, lr.simpson, [email protected]}

Abstract

Trivium is a bit-based stream cipher in the final portfolio of the eSTREAM project. In this paper, we apply the algebraic attack approach of Berbain et al. to Trivium-like ciphers and perform new analyses on them. We demonstrate a new algebraic attack on Bivium-A. This attack requires less time and memory than previous techniques to recover Bivium-A's initial state. Though our attacks on Bivium-B, Trivium and Trivium-N are worse than exhaustive keysearch, the systems of equations which are constructed are smaller and less complex compared to previous algebraic analyses. We also answer an open question posed by Berbain et al. on the feasibility of applying their technique to Trivium-like ciphers. Factors which can affect the complexity of our attack on Trivium-like ciphers are discussed in detail. Analysis of Bivium-B and Trivium-N is omitted from this manuscript. The full version of this paper is available on the IACR ePrint Archive.

Copyright © 2014, Australian Computer Society, Inc. This paper appeared at the Australasian Information Security Conference (ACSW-AISC 2014), Auckland, New Zealand, January 2014. Conferences in Research and Practice in Information Technology (CRPIT), Vol. 149, Udaya Parampalli and Ian Welch, Ed. Reproduction for academic, not-for-profit purposes permitted provided this text is included.

1 Introduction

Trivium (Cannière and Preneel, 2005) is a bit-based stream cipher selected in the final portfolio of the eSTREAM project (Robshaw, 2008). Trivium uses an 80-bit key and an 80-bit IV to initialise a 288-bit nonlinear feedback shift register (NLFSR). Each key-IV pair can be used to generate up to $2^{64}$ bits of keystream. Trivium's structural simplicity makes it a popular cipher to cryptanalyse, but to date, no attacks in the public literature are faster than exhaustive keysearch.

Algebraic attacks (Courtois and Meier, 2003) are commonly applied to stream ciphers based on shift registers. To attack Trivium, Raddum (2006) used an algebraic relabelling technique, where the state-update bits are represented using new variables, instead of nonlinear combinations of initial state bits (Courtois and Pieprzyk, 2002). This prevents equations of high degree from being generated. For keystream generators which use a linear output function (as Trivium-like ciphers do), Berbain et al. (2009) expressed new feedback bits of an NLFSR as linear combinations of keystream bits and internal state bits. By doing so, the equations representing the feedback bits of an NLFSR will always be linear. Berbain et al. claim that their technique can be extended to ciphers in which $q > 1$ bits of internal state are non-linearly updated at each step and $q$ or more linear combinations of the state are output as keystream. However, whether these techniques can be extended to ciphers in which $q > 1$ bits of internal state are non-linearly updated, while only $q' < q$ linear combinations of the state bits are output, has not been demonstrated and is posed as an open question (Berbain et al., 2009).

1.1 Contributions of paper

In our algebraic analysis of Trivium-like ciphers, we provide an answer to Berbain et al.'s open question. Specifically, we use Bivium-A/B, Trivium and Trivium-N as case studies, as $q' < q$ in all cases. We apply Berbain et al.'s method of representing the feedback bits as linear combinations of internal state bits and keystream bits.

To assist us in our analysis, we introduce a new variable $j$, which describes the number of registers the keystream generation function takes inputs from. We show that the value of $j$ has a significant impact on the success of our algebraic attack on these ciphers. The values of $q'$, $q$ and $j$ for the Trivium-like ciphers are given in Table 1. Some improvements achieved with this new method compared to the existing one are presented. Additionally, we investigate the effect which varying the keystream function and feedback bit positions has on the complexity of our analysis of the Trivium family.

Table 1: Parameters for Trivium-like stream ciphers

        Bivium-A   Bivium-B   Trivium   Trivium-N
  q        2          2          3          3
  q'       1          1          1          1
  j        1          2          3          3

2 Trivium and its variants

Trivium is commonly represented in the literature as being based on three non-autonomous binary NLFSRs: A, B, and C, of sizes 93, 84 and 111 bits respectively (Bernstein, 2006). We omit the description of the initialisation process for the cipher, as it has no impact on our analysis. The reader is referred to the specifications of Trivium (Cannière and Preneel, 2005) for a full treatment of its initialisation processes. Let $A_i$ denote the stages of register A and $A_i(t)$ represent the contents of $A_i$ at time $t$, for $0 \le i \le 92$. Similar notations are used for registers B and C. The state-update functions of Trivium are as follows:

$$A_i(t+1) = \begin{cases} A_{24}(t) \oplus C_{45}(t) \oplus C_0(t) \oplus C_1(t)C_2(t) & i = 92, \\ A_{i+1}(t) & 0 \le i \le 91. \end{cases}$$

$$B_i(t+1) = \begin{cases} B_{6}(t) \oplus A_{27}(t) \oplus A_0(t) \oplus A_1(t)A_2(t) & i = 83, \\ B_{i+1}(t) & 0 \le i \le 82. \end{cases}$$

$$C_i(t+1) = \begin{cases} C_{24}(t) \oplus B_{15}(t) \oplus B_0(t) \oplus B_1(t)B_2(t) & i = 110, \\ C_{i+1}(t) & 0 \le i \le 109. \end{cases}$$

At time $t$, Trivium's output function generates a keystream bit as follows:

$$z(t) = A_{27}(t) \oplus A_0(t) \oplus B_{15}(t) \oplus B_0(t) \oplus C_{45}(t) \oplus C_0(t), \quad t \ge 0.$$

We extend this representation of Trivium and consider the keystream as a sequence related to the three underlying register sequences. The initial state sequences of A, B, C are $(A_0, A_1, \ldots, A_{92})$, $(B_0, B_1, \ldots, B_{83})$ and $(C_0, C_1, \ldots, C_{110})$ respectively. New sequence bits $A_{\alpha+92}$, $B_{\alpha+83}$ and $C_{\alpha+110}$ are produced after $\alpha$ iterations of Trivium's state-update function as follows:

$$A_{\alpha+92} = A_{\alpha+23} \oplus C_{\alpha+44} \oplus C_{\alpha-1} \oplus C_{\alpha}C_{\alpha+1} \quad (1)$$

$$B_{\alpha+83} = B_{\alpha+5} \oplus A_{\alpha+26} \oplus A_{\alpha-1} \oplus A_{\alpha}A_{\alpha+1} \quad (2)$$

$$C_{\alpha+110} = C_{\alpha+23} \oplus B_{\alpha+14} \oplus B_{\alpha-1} \oplus B_{\alpha}B_{\alpha+1} \quad (3)$$

The keystream bit can be expressed as a linear combination of sequence bits from A, B and C as follows:

$$z_{\alpha-1} = A_{\alpha+26} \oplus A_{\alpha-1} \oplus B_{\alpha+14} \oplus B_{\alpha-1} \oplus C_{\alpha+44} \oplus C_{\alpha-1} \quad (4)$$

Note that the sequence-based approach is analogous to the relabelling approach of Raddum (2006). In this paper, we use these sequence equations in our algebraic analysis.

Bivium-A/B are reduced versions of Trivium utilising only two registers A, B with slightly modified feedback functions. The reader is referred to Raddum (2006) for their specifications. In Bivium-A, the keystream bit is generated using

$$z_{\alpha-1} = B_{\alpha+14} \oplus B_{\alpha-1}$$

which is composed with stages from only one register.

estimated that the complexity of recovering the initial state of Bivium-B will take about $2^{56}$ seconds. Eibach et al. (2010) achieved $2^{39.12}$ for Bivium-B with some optimisations. Other algebraic analyses of Bivium-A/B use Boolean Satisfiability (SAT) solvers (Eibach et al., 2008; McDonald et al., 2008) to recover the initial state, which are also better than exhaustive keysearch.

3 New analysis of Trivium-like ciphers

In this section, we apply Berbain et al.'s approach to the analysis of Bivium-A and Trivium. Similar analyses have been applied to Bivium-B and Trivium-N, which are available in the full version of our paper.

3.1 New analysis of Bivium-A

Bivium-A's keystream bit $z_{\alpha-1}$ depends on two sequence bits produced by register B. The sequence bits of B after 83 iterations are unknown. Applying Berbain et al.'s technique to the equation, we can determine the equation for calculating the sequence bit $B_{\alpha+83}$ for $\alpha \ge 1$:

$$B_{\alpha+83} = z_{\alpha+68} \oplus B_{\alpha+68}$$

We present a divide-and-conquer approach to recover the initial state of Bivium-A. This involves first forming a system of equations to recover the contents of register B. Another system of equations is then formed using the now known contents of register B to recover the contents of register A. The first system of equations consists of the following equations:

$$z_{\alpha-1} \oplus B_{\alpha-1} \oplus B_{\alpha+14} = 0 \quad (5)$$

$$B_{\alpha+83} \oplus z_{\alpha+68} \oplus B_{\alpha+68} = 0 \quad (6)$$

where Equation 5 is a keystream equation for Bivium-A and Equation 6 is the new equation representing Bivium-A's sequence bit $B_{\alpha+83}$ derived from our new analysis. For the first 69 iterations, we add two equations and one variable into the system of equations: one equation representing the keystream, and one equation and variable representing the sequence bit for register B. For the last 39 iterations, we only add the equations representing the sequence bits for B. This gives us a final system of equations after 108 iterations consisting of 192 variables in 177 equations. Solving this system of equations gives $2^{15}$ possible solutions. For each of these $2^{15}$ possible solutions, we form
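As an added worked example (not code from the paper or its authors), the following Python script implements both representations of Trivium given in Section 2, checks that the register form and the sequence form (Equations 1 to 4) produce the same keystream from the same initial state, then builds the register-B system of Section 3.1 (Equations 5 and 6 over 108 iterations) from 177 keystream bits and confirms the counts the text states: 192 variables, 177 equations, a rank of 177 and hence $2^{15}$ solutions. The page does not reproduce Bivium-A's register-A feedback; the script assumes Raddum's Bivium feedback (register A fed from B with the same tap pattern Trivium's register C takes from B), and the initial states are constructed random test data.

```python
# Added example, not the paper's code. Bivium-A's register-A feedback is ASSUMED from
# Raddum's Bivium specification, which the page cites without reproducing.
import random

def trivium_state_form(a, b, c, n):
    """Page's register form A_i(t+1), B_i(t+1), C_i(t+1); returns z(0), ..., z(n-1)."""
    A, B, C, z = list(a), list(b), list(c), []
    for _ in range(n):
        z.append(A[27] ^ A[0] ^ B[15] ^ B[0] ^ C[45] ^ C[0])
        na = A[24] ^ C[45] ^ C[0] ^ (C[1] & C[2])  # new A_92
        nb = B[6] ^ A[27] ^ A[0] ^ (A[1] & A[2])   # new B_83
        nc = C[24] ^ B[15] ^ B[0] ^ (B[1] & B[2])  # new C_110
        A, B, C = A[1:] + [na], B[1:] + [nb], C[1:] + [nc]
    return z

def trivium_sequence_form(a, b, c, n):
    """Page's sequence form, Equations (1)-(4); returns (A, B, C, z) extended by n steps."""
    A, B, C, z = list(a), list(b), list(c), []
    for k in range(1, n + 1):  # k is the paper's alpha
        A.append(A[k + 23] ^ C[k + 44] ^ C[k - 1] ^ (C[k] & C[k + 1]))  # (1)
        B.append(B[k + 5] ^ A[k + 26] ^ A[k - 1] ^ (A[k] & A[k + 1]))   # (2)
        C.append(C[k + 23] ^ B[k + 14] ^ B[k - 1] ^ (B[k] & B[k + 1]))  # (3)
        z.append(A[k + 26] ^ A[k - 1] ^ B[k + 14] ^ B[k - 1] ^ C[k + 44] ^ C[k - 1])  # (4)
    return A, B, C, z

def bivium_a_sequence_form(a, b, n):
    """Bivium-A: registers A (93 bits) and B (84 bits); z_{alpha-1} = B_{alpha+14} + B_{alpha-1}."""
    A, B, z = list(a), list(b), []
    for k in range(1, n + 1):
        # ASSUMED (Raddum): A is fed from B with the tap pattern Trivium's C takes from B
        A.append(A[k + 23] ^ B[k + 14] ^ B[k - 1] ^ (B[k] & B[k + 1]))
        B.append(B[k + 5] ^ A[k + 26] ^ A[k - 1] ^ (A[k] & A[k + 1]))   # Equation (2)
        z.append(B[k + 14] ^ B[k - 1])  # the page's Bivium-A output
    return A, B, z

def bivium_a_register_b_system(z, iters=108, keystream_eqs=69):
    """Equations (5) and (6) over B_0..B_{83+iters}, as (bitmask, constant) rows over GF(2)."""
    nvars, rows = 84 + iters, []
    for k in range(1, keystream_eqs + 1):  # (5): B_{k-1} + B_{k+14} = z_{k-1}
        rows.append(((1 << (k - 1)) | (1 << (k + 14)), z[k - 1]))
    for k in range(1, iters + 1):  # (6): B_{k+83} + B_{k+68} = z_{k+68}
        rows.append(((1 << (k + 83)) | (1 << (k + 68)), z[k + 68]))
    return rows, nvars

def gf2_rref(rows, nvars):
    """Reduced row echelon form over GF(2); returns ([(pivot_col, mask, const)], consistent)."""
    rows, pivots = list(rows), []
    for col in range(nvars):
        bit = 1 << col
        idx = next((i for i, (m, _) in enumerate(rows) if m & bit), None)
        if idx is None:
            continue  # no unused row contains this column: it is a free variable
        pm, pc = rows.pop(idx)
        rows = [(m ^ pm, c ^ pc) if m & bit else (m, c) for m, c in rows]
        pivots = [(p, m ^ pm, c ^ pc) if m & bit else (p, m, c) for p, m, c in pivots]
        pivots.append((col, pm, pc))
    consistent = all(c == 0 for m, c in rows if m == 0)  # a leftover "0 = 1" row means no solution
    return pivots, consistent

def solve_gf2(pivots, nvars, free_values):
    """Back-substitute one assignment of the free variables into the RREF system."""
    x = [0] * nvars
    for col, v in free_values.items():
        x[col] = v
    for pcol, m, c in pivots:
        rest, val = m & ~(1 << pcol), c
        while rest:  # XOR in the free variables that appear in this pivot row
            low = rest & -rest
            val ^= x[low.bit_length() - 1]
            rest ^= low
        x[pcol] = val
    return x

def same_keystream(seed=7, n=500):
    """Both representations of Trivium on the page generate the same keystream."""
    rng = random.Random(seed)  # constructed test data: a random initial state
    a, b, c = ([rng.randint(0, 1) for _ in range(s)] for s in (93, 84, 111))
    return trivium_state_form(a, b, c, n) == trivium_sequence_form(a, b, c, n)[3]

def bivium_a_attack_stats(seed=7):
    """Build the Section 3.1 system from 177 keystream bits and report its shape."""
    rng = random.Random(seed)  # constructed test data: a random initial state
    a, b = ([rng.randint(0, 1) for _ in range(s)] for s in (93, 84))
    _, Bseq, z = bivium_a_sequence_form(a, b, 177)
    rows, nvars = bivium_a_register_b_system(z)
    pivots, ok = gf2_rref(rows, nvars)
    free = [v for v in range(nvars) if v not in {p for p, _, _ in pivots}]
    # the right guess for the free variables reproduces the true B sequence by back-substitution
    recovered = solve_gf2(pivots, nvars, {v: Bseq[v] for v in free}) == Bseq[:nvars]
    return {"variables": nvars, "equations": len(rows), "rank": len(pivots),
            "free": len(free), "solutions": 2 ** len(free), "consistent": ok, "recovered": recovered}

if __name__ == "__main__":
    print("register form == sequence form:", same_keystream())
    print(bivium_a_attack_stats())
```

Running the script shows why the count in the text comes out as it does: every one of the 177 rows relates a pair $(B_i, B_{i+15})$ for $i = 0, \ldots, 176$, so each row introduces one new variable and the rows are linearly independent, leaving exactly $192 - 177 = 15$ free variables and $2^{15}$ candidate B sequences. The elimination is written over integer bitmasks so the same `gf2_rref`/`solve_gf2` pair can be reused for the larger systems the paper builds for the other ciphers.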
