Trivium (cipher)
Encyclopedia
Trivium is a synchronous stream cipher
designed to provide a flexible trade-off between speed and gate count
in hardware, and reasonably efficient software implementation.
It was submitted to the Profile II (hardware) of the eSTREAM
competition by its authors, Christophe De Cannière and Bart Preneel
, and has been selected as part of the portfolio for low area hardware ciphers (Profile 2) by the eSTREAM project. It is not patented.
It generates up to 264 bit
s of output from an 80-bit key and an 80-bit IV
. It is the simplest eSTREAM entrant; while it shows remarkable resistance to cryptanalysis for its simplicity and performance, recent attacks leave the security margin looking rather slim.
s of different lengths. At each round, a bit is shifted into each of the three shift registers using a non-linear combination of taps from that and one other register; one bit of output is produced. To initialize the cipher, the key and IV are written into two of the shift registers, with the remaining bits starting in a fixed pattern; the cipher state is then updated 4 × 288 = 1152 times, so that every bit of the internal state depends on every bit of the key and of the IV in a complex nonlinear way.
No taps appear on the first 64 bits of each shift register, so each novel state bit is not used until at least 64 rounds after it is generated. This is the key to Trivium's software performance and flexibility in hardware.
(2); they can be represented as bit
s, with "+" being XOR and "•" being AND.
The output bits r0 ... r264−1 are then generated by
Given an 80-bit key k0 ... k79 and an l-bit IV v0 ... vl−1 (where 0 ≤ l ≤ 80), Trivium is initialized as follows:
The large negative indices on the initial values reflect the 1152 steps that must take place before output is produced.
To map a stream of bits r to a stream of bytes R, we use the little-endian mapping Ri = Σj=0 ... 7 2j r8i+j.
s and produce one bit per clock cycle. However, because each state bit is not used for at least 64 rounds, 64 state bits can be generated in parallel at a slightly greater hardware cost of 5504 gates. Different tradeoffs between speed and area are also possible.
The same property allows an efficient bitslice implementation in software; performance testing by eSTREAM
give bulk encryption speeds of around 4 cycles/byte
on some x86 platforms, which compares well to the 19 cycles/byte of the AES
reference implementation on the same platform.
are known, but several attacks come close. The cube attack
requires 230 steps to break a variant of Trivium where the number of initialization rounds is reduced to 735; the authors speculate that these techniques could lead to a break for 1100 initialisation rounds, or "maybe even the original cipher". This builds on an attack due to Michael Vielhaber that breaks 576 initialization rounds in only 212.3 steps.
Another attack recovers the internal state (and thus the key) of the full cipher in around 289.5 steps (where each step is roughly the cost of a single trial in exhaustive search). Reduced variants of Trivium using the same design principles have been broken using an equation-solving technique. These attacks improve on the well-known time-space tradeoff attack on stream ciphers, which with Trivium's 288-bit internal state would take 2144 steps, and show that a variant on Trivium which made no change except to increase the key length beyond the 80 bits mandated by eSTREAM Profile 2 would not be secure.
A detailed justification of the design of Trivium is given in.
Stream cipher
In cryptography, a stream cipher is a symmetric key cipher where plaintext digits are combined with a pseudorandom cipher digit stream . In a stream cipher the plaintext digits are encrypted one at a time, and the transformation of successive digits varies during the encryption...
designed to provide a flexible trade-off between speed and gate count
Gate count
In microprocessor design, gate count refers to the number of gates build with transistor and other electronic devices, that are needed to implement a design. Even with today's process technology providing what was formerly considered impossible numbers of gates on a single chip, gate counts remain...
in hardware, and reasonably efficient software implementation.
It was submitted to the Profile II (hardware) of the eSTREAM
ESTREAM
eSTREAM is a project to "identify new stream ciphers suitable for widespread adoption", organised by the EU ECRYPT network. It was set up as a result of the failure of all six stream ciphers submitted to the NESSIE project. The call for primitives was first issued in November 2004. The project was...
competition by its authors, Christophe De Cannière and Bart Preneel
Bart Preneel
Bart Preneel is a Belgian cryptographer and cryptanalyst. He is a professor at Katholieke Universiteit Leuven, in the COSIC group, president of the International Association for Cryptologic Research, and project manager of ECRYPT....
, and has been selected as part of the portfolio for low area hardware ciphers (Profile 2) by the eSTREAM project. It is not patented.
It generates up to 264 bit
Bit
A bit is the basic unit of information in computing and telecommunications; it is the amount of information stored by a digital device or other physical system that exists in one of two possible distinct states...
s of output from an 80-bit key and an 80-bit IV
Initialization vector
In cryptography, an initialization vector is a fixed-size input to a cryptographic primitive that is typically required to be random or pseudorandom...
. It is the simplest eSTREAM entrant; while it shows remarkable resistance to cryptanalysis for its simplicity and performance, recent attacks leave the security margin looking rather slim.
Description
Trivium's 288-bit internal state consists of three shift registerShift register
In digital circuits, a shift register is a cascade of flip flops, sharing the same clock, which has the output of any one but the last flip-flop connected to the "data" input of the next one in the chain, resulting in a circuit that shifts by one position the one-dimensional "bit array" stored in...
s of different lengths. At each round, a bit is shifted into each of the three shift registers using a non-linear combination of taps from that and one other register; one bit of output is produced. To initialize the cipher, the key and IV are written into two of the shift registers, with the remaining bits starting in a fixed pattern; the cipher state is then updated 4 × 288 = 1152 times, so that every bit of the internal state depends on every bit of the key and of the IV in a complex nonlinear way.
No taps appear on the first 64 bits of each shift register, so each novel state bit is not used until at least 64 rounds after it is generated. This is the key to Trivium's software performance and flexibility in hardware.
Specification
Trivium may be specified very concisely using three recursive equations. Each variable is an element of GFFinite field
In abstract algebra, a finite field or Galois field is a field that contains a finite number of elements. Finite fields are important in number theory, algebraic geometry, Galois theory, cryptography, and coding theory...
(2); they can be represented as bit
Bit
A bit is the basic unit of information in computing and telecommunications; it is the amount of information stored by a digital device or other physical system that exists in one of two possible distinct states...
s, with "+" being XOR and "•" being AND.
- ai = ci−66 + ci−111 + ci−110 • ci−109 + ai−69
- bi = ai−66 + ai−93 + ai−92 • ai−91 + bi−78
- ci = bi−69 + bi−84 + bi−83 • bi−82 + ci−87
The output bits r0 ... r264−1 are then generated by
- ri = ci−66 + ci−111 + ai−66 + ai−93 + bi−69 + bi−84
Given an 80-bit key k0 ... k79 and an l-bit IV v0 ... vl−1 (where 0 ≤ l ≤ 80), Trivium is initialized as follows:
- (a−1245 ... a−1153) = (0, 0 ... 0, k0 ... k79)
- (b−1236 ... b−1153) = (0, 0 ... 0, v0 ... vl−1)
- (c−1263 ... c−1153) = (1, 1, 1, 0, 0 ... 0)
The large negative indices on the initial values reflect the 1152 steps that must take place before output is produced.
To map a stream of bits r to a stream of bytes R, we use the little-endian mapping Ri = Σj=0 ... 7 2j r8i+j.
Performance
A straightforward hardware implementation of Trivium would use 3488 logic gateLogic gate
A logic gate is an idealized or physical device implementing a Boolean function, that is, it performs a logical operation on one or more logic inputs and produces a single logic output. Depending on the context, the term may refer to an ideal logic gate, one that has for instance zero rise time and...
s and produce one bit per clock cycle. However, because each state bit is not used for at least 64 rounds, 64 state bits can be generated in parallel at a slightly greater hardware cost of 5504 gates. Different tradeoffs between speed and area are also possible.
The same property allows an efficient bitslice implementation in software; performance testing by eSTREAM
ESTREAM
eSTREAM is a project to "identify new stream ciphers suitable for widespread adoption", organised by the EU ECRYPT network. It was set up as a result of the failure of all six stream ciphers submitted to the NESSIE project. The call for primitives was first issued in November 2004. The project was...
give bulk encryption speeds of around 4 cycles/byte
Cycles per byte
Cycles per byte is a unit of measurement which indicates the number of clock cycles a microprocessor will perform per byte of data processed in an algorithm. It is commonly used as a partial indicator of real-world performance in cryptographic functions....
on some x86 platforms, which compares well to the 19 cycles/byte of the AES
Advanced Encryption Standard
Advanced Encryption Standard is a specification for the encryption of electronic data. It has been adopted by the U.S. government and is now used worldwide. It supersedes DES...
reference implementation on the same platform.
Security
, no cryptanalytic attacks better than brute force attackBrute force attack
In cryptography, a brute-force attack, or exhaustive key search, is a strategy that can, in theory, be used against any encrypted data. Such an attack might be utilized when it is not possible to take advantage of other weaknesses in an encryption system that would make the task easier...
are known, but several attacks come close. The cube attack
Cube attack
The cube attack is a method of cryptanalysis applicable to a wide variety of symmetric-key algorithms, published by Itai Dinur and Adi Shamir in a September 2008 preprint...
requires 230 steps to break a variant of Trivium where the number of initialization rounds is reduced to 735; the authors speculate that these techniques could lead to a break for 1100 initialisation rounds, or "maybe even the original cipher". This builds on an attack due to Michael Vielhaber that breaks 576 initialization rounds in only 212.3 steps.
Another attack recovers the internal state (and thus the key) of the full cipher in around 289.5 steps (where each step is roughly the cost of a single trial in exhaustive search). Reduced variants of Trivium using the same design principles have been broken using an equation-solving technique. These attacks improve on the well-known time-space tradeoff attack on stream ciphers, which with Trivium's 288-bit internal state would take 2144 steps, and show that a variant on Trivium which made no change except to increase the key length beyond the 80 bits mandated by eSTREAM Profile 2 would not be secure.
A detailed justification of the design of Trivium is given in.