Keywords

1 Introduction

A nonlinear feedback shift register (NFSR) is a common component in modern cryptographic primitives, especially in radio-frequency identification devices (RFID) and wireless sensor networks applications. NFSRs are known to be more resistant to cryptanalytic attacks than linear feedback shift registers (LFSRs). Built on NFSRs are many well known lightweight cryptographic algorithms, including the stream ciphers Trivium [8, 10] and Grain [1, 27, 28] that have been selected in the final eSTREAM portfolio of hardware-oriented stream ciphers, the authenticated cipher ACORN [44] that has been selected as one of the third-round candidates in the CAESAR competition, the block cipher family KATAN/KTANTAN [9], and the hash function Quark  [4, 5]. Among them, Trivium has attracted the most attention for its simplicity and performance, while it shows remarkable resistance to cryptanalysis. Inspired by the design of Trivium, a number of various cryptographic algorithms have been successively developed, for instance the block cipher family KATAN/KTANTAN, the authenticated cipher ACORN and the stream ciphers Kreyvium [11] and TriviA-SC  [13].

Most cryptographic primitives, including NFSR-based cryptosystems, can be described by tweakable Boolean functions, which contain both secret variables (e.g., key bits) and public variables (e.g., plaintext bits or IV bits). The algebraic degree of these Boolean functions plays an important role in the security of the corresponding primitives. In fact, a cryptographic primitive with low algebraic degree is vulnerable to many known attacks, such as higher order differential attacks [30, 32, 35], algebraic attacks [15,16,17,18], cube attacks [19,20,21,22], and integral attacks [31].

For NFSR-based cryptosystems, cube attacks and higher order differential attacks are the most powerful cryptanalytic tools among the known attacks. The best known key recovery attacks faster than an exhaustive search on Trivium are cube attacks on its variant when the initialization is reduced to 799 rounds out of 1152 [21, 26], and the best known distinguishing attacks on Trivium are reduced to 839 rounds derived by cube testers [3, 33]. Note that here are not included the possible key recovery attacks with unknown probability, such as [41], or the attacks for a small percentage of weak keys, such as [29]. The weaknesses in the cipher Grain-128 against cube testers [2, 39] partially leads to the design of Grain-128a [1]. Actually, the full Grain-128 was broken in theory by dynamic cube attacks [19, 22]. All of these attacks exploit low-degree relations of the tweakable Boolean functions formed by the cryptosystems, that is, low-degree relations between the IV bits and keystream bits.

It is difficult to compute the exact value of the algebraic degree for modern cryptographic primitives. After the development of cryptanalysis in the past three decades, several theoretical tools have been developed to estimate the upper bound on the algebraic degree of iterated permutations, and concurrently exploited to attack iterated ciphers [6, 7, 12, 40].

Yet for NFSR, there are few tools for estimating its algebraic degree, besides symbolic computation and statistical analysis. The known techniques highly depends on computational capabilities, and the cryptanalytic results are limited by existing computational resources. For instance, thus far the cubes with size larger than 54 have never been utilized in cryptanalysis of an NFSR-based cryptosystem, in either cube attacks or cube testers. To gain better attacks, the cryptanalysts have to utilize extremely the computational resources, e.g., using dedicated reconfigurable hardware [19]. This usually requires high financial cost or high energy consumption. While dynamic cube attacks [19, 22] can reach much higher attack complexity, they are still limited by the size of the cubes.

1.1 Our Contributions

In this paper, we devote our attention to evaluating the algebraic degree of NFSR-based cryptosystems. For the conquest of the existing limitation as mentioned above, we exploit a new technique, called numeric mapping, to iteratively estimate the upper bound on the algebraic degree of the internal states of an NFSR. Based on this new tool, we develop an algorithm for estimating the algebraic degree of NFSR-based cryptosystems.

As an illustration, we refine and apply our algorithm to Trivium-like ciphers, including Trivium, Kreyvium and TriviA-SC. Trivium uses an 80-bit key and an 80-bit IV, while Kreyvium and TriviA-SC both use a 128-bit key and a 128-bit IV. These three ciphers all have 1152 rounds of initialization. Our refined algorithm gives an upper bound on the algebraic degree of a Trivium-like cipher over a given set of input variables with any size, e.g., all the key and IV bits, all or part of the IV bits. It has linear time complexity in the number of initialization rounds, and needs a negligible amount of memory. In other words, it is almost as fast as the cipher (up to at most a factor of some constant). Further, by this algorithm we perform several experiments on round-reduced Trivium, Kreyvium and TriviA-SC, and obtain various upper bounds on the algebraic degree by setting different input variables. As a result, we confirm that the maximum numbers of initialization rounds of Trivium, Kreyvium and TriviA-SC such that the generated keystream bit does not achieve maximum algebraic degree are at least 907, 982 and 1121 (out of the full 1152 rounds) respectively when taking all the key and IV bits as input variables; these numbers of rounds turn out to be 793, 862 and 987 while taking all the IV bits as input variables.

We further apply our algorithm to take advantage of the cubes with large size in cube testers, which is considered to be impossible for an NFSR-based cryptosystem in the literatures. In the experiments, we set the key bits as symbolic constants, i.e., the algebraic degree of any key bit is considered to be 0 on the cube variables. This is consistent with a distinguisher in the setting of unknown key. Since our algorithm is very fast, we can exhaust all the cubes of size \(37\le n\le 40\) that contain no adjacent indexes for Trivium in a dozen minutes on a common PC. The total amount of such cubes is about \(2^{25}\). Before this paper, it needs around \(c2^{62}\) cipher operations to test all those cubes, and the confidence of the test depends on c; while our algorithm is deterministic. We then find a cube of size 37 over which the algebraic degree of the keystream bit of 837-round Trivium is strictly less than 37. We also verify this result by performing experiments on 100 random keys. The minimum number of rounds that the sum over this cube, called superpoly in cube attacks and cube testers, is not zero-constant is detected to be 839 in our experiments, which implies that our algorithm is not only efficient in computation but also accurate in estimation of attacked rounds. Our experiments show that this cube can also be used to distinguish 842-round Trivium. All the cubes of size \(61\le n\le 64\) that contain no adjacent indexes for Kreyvium and TriviA-SC are exhausted in a few hours. The total amount of such cubes is about \(2^{30}\). By the conventional methods, it needs around \(c2^{91}\) cipher operations. The best cube we have found for Kreyvium is of size 61, which can be used to distinguish 872-round Kreyvium. The best cubes we have found for TriviA-SC and its successor are respectively of size 63 and size 61, for distinguishing 1035 rounds and 1047 rounds respectively. To the best of our knowledge, this is the first timeFootnote 1 that a cube of size larger than 60 can be used in the attack on an NFSR-based cryptosystem.

As such, we obtain the best distinguishing attacks for the stream ciphers Trivium and TriviA-SC so far and the first outside cryptanalysis of Kreyvium. Our results are summarized in Table 1 with the comparisons of the previous attacks. Note here that this table does not include the distinguishers worse than an exhaustive search or for a small percentage of weak keys. We detail the discussions of related work in the following.

Table 1. Distinguishing attacks on Trivium, Kreyvium and TriviA-SC
Full size table

1.2 Related Work

Upper Bound on Algebraic Degree. At EUROCRYPT 2002, Canteaut and Videau [12] developed a theory to find an upper bound on the algebraic degree of a composite function using the Walsh spectrum, and applied it to higher order differential cryptanalysis on Feistel block ciphers and especially on a generalization of MISTY1. This theory was further improved by Boura et al. [6, 7] in recent years with applications to cryptanalysis of several block ciphers and hash functions, including Rijndael-256 and Keccak. These theories of estimating algebraic degree are suitable for iterated ciphers. Similarly, our work is started by an upper bound on the algebraic degree of a composite function, but without using the Walsh spectrum and based on a simple fact.

More recently, at EUROCRYPT 2015, Todo [40] discovered a new tool for searching upper bound on the algebraic degree of SPN and Feistel ciphers by introducing the division property with applications to integral cryptanalysis of various iterated cryptographic primitives. The bit-based division property proposed by Todo and Morii in [42] is more relevant to our work. In parallel with our work, this tool has been exploited by Todo et al. [41] for estimating the algebraic degree of NFSR-based cryptosystems, including Trivium, Grain-128a and ACORN, and applied to cube attacks on these ciphers. Nevertheless, our idea is still essentially different with that of division property. In some ways, the tool based on division property is limited by the number of rounds and the size of input variables, due to its high time complexity. The bound found by division property is possibly more precise, while our tool is much faster and has no such limitations.

Attacks on Trivium-Like Ciphers. It is worth noticing that all but the attacks of [45] listed in Table 1 are cube tester, which is a variant of higher order differential attacks and was first introduced by Aumasson et al. in [3]. Cube testers are useful not only in distinguishing attacks but also in key recovery attacks, e.g., dynamic cube attacks [19, 22] and cube-attack-like cryptanalysis [20].

Before the work of Aumasson et al., Trivium (designed by Cannière and Preneel [8, 10] in 2006) had already attracted a lot of similar cryptanalysis, especially for chosen IV statistical attacks, e.g., [23, 24, 37]. After the effort of cryptanalysts in the past ten years, the cryptanalysis of Trivium seems to be approaching a bottleneck, if not the summit. Several cube distinguishers under different statistical models reach around 830 rounds, e.g., [33, 38, 43]. Though our distinguisher for Trivium does not improve the previous ones much, our technique for finding cubes is novel and gives a new and global view on cube cryptanalysis of Trivium.

In addition, Knellwolf et al. [29] showed distinguishers on 868-round and 961-round Trivium respectively for \(2^{31}\) and \(2^{26}\) weak keys both with complexity of \(2^{25}\). The key recovery attacks are also well studied for Trivium. In [21], Dinur and Shamir described a practical full key recovery on Trivium reduced to 767 rounds, using cube attacks. Afterwards, Fouque and Vannet [26] improved the cube attacks on Trivium, and provided a practical full key recovery after 784 rounds and a full key recovery after 799 rounds with complexity of \(2^{62}\). Recently, Todo et al. [41] proposed a possible key recovery after 832 rounds, in which one bit information of the key can be retrieved with unknown probability in around \(2^{77}\). Besides, Maximov and Biryukov [34] presented a state recovery attack on the full cipher with time complexity around \(c2^{83.5}\), where c is the complexity of solving a system of linear equations with 192 variables.

TriviA-SC [13] is a stream cipher designed by Chakraborti et al. at CHES 2015 for using in the authenticated encryption scheme TriviA, which was selected as a second-round candidate in the CAESAR competition but was not retained for the third round. Its successor, TriviA-SC (v2) [14], retains the same design and only differs in flipping all but three bits of the constants loaded to the initial internal state. Sarkar et al. [38] showed cube distinguishers with complexity of \(2^{36}\) on both versions of TriviA-SC reduced to 930 rounds and 950 rounds respectively. We improve these distinguishers to 1035 rounds and 1047 rounds respectively. The work of [45] by Xu et al. shows a linear distinguisher with complexity of \(2^{120}\) for the full 1152 rounds of a simplified variant of TriviA-SC in which the unique nonlinear term of the output function is removed. As shown in Table 1, we cut down their complexity from \(2^{120}\) to \(2^{63}\) for this simplified TriviA-SC.

Kreyvium is a variant of Trivium with 128-bit security, designed by Canteaut et al. at FSE 2016 for efficient homomorphic-ciphertext compression [11]. As far as we know, this paper proposes the first cryptanalysis of Kreyvium.

1.3 Organization

The rest of this paper is structured as follows. In Sect. 2, the basic definitions and notations are provided. Section 3 shows the general framework of our algorithm for estimating algebraic degree of NFSR-based cryptosystems. We propose in Sect. 4 a concrete algorithm for finding an upper bound on the algebraic degree of Trivium-like ciphers with applications to Trivium, Kreyvium and TriviA-SC, while Sect. 5 further presents an improved algorithm with applications to TriviA-SC. Section 6 concludes the paper.

2 Preliminaries

Boolean Functions and Algebraic Degree. Let \(\mathbb {F}_2\) denote the binary field and \(\mathbb {F}_2^n\) the n-dimensional vector space over \(\mathbb {F}_2\). An n-variable Boolean function is a mapping from \(\mathbb {F}_2^n\) into \(\mathbb {F}_2\). Denote by \(\mathbb {B}_n\) the set of all n-variable Boolean functions. An n-variable Boolean function f can be uniquely represented as a multivariate polynomial over \(\mathbb {F}_2\),

$$\begin{aligned} f(x_1,x_2,\cdots ,x_n)=\bigoplus _{c = (c_1, \cdots , c_n)\in \mathbb {F}_2^n}{a_{c}\prod _{i = 1}^{n}{x_i^{c_i}}}, \ a_c \in \mathbb {F}_2, \end{aligned}$$

called the algebraic normal form (ANF). The algebraic degree of f, denoted by \(\deg (f)\), is defined as \(\max \{wt(c)\mid a_c\ne 0\}\), where wt(c) is the Hamming weight of c. Let \(g_i\) (\(1\le i\le m\)) be Boolean functions on n variables. We denote \({\text {deg}}(G)=(\deg (g_1), \deg (g_2), \cdots , \deg (g_m)),\) for \(G=(g_1, g_2, \cdots , g_m)\).

Cube Testers. Given a Boolean function f and a term \(t_I\) containing variables from an index subset I that are multiplied together, the function can be written as the sum of terms which are supersets of I and terms that miss at least one variable from I,

$$\begin{aligned} f(x_1,x_2,\cdots ,x_n)= f_S(I)\cdot t_I \oplus q(x_1,x_2,\cdots ,x_n), \end{aligned}$$

where \(f_S(I)\) is called the superpoly of I in f. The basic idea of cube testers is that the symbolic sum of all the derived polynomials obtained from the function f by assigning all the possible values to the subset of variables in the term \(t_I\) is exactly \(f_S(I)\). Cube testers work by evaluating superpolys of carefully selected terms \(t_I\) which are products of public variables (e.g., IV bits), and trying to distinguish them from a random function. Especially, the superpoly \(f_S(I)\) is equal to a zero constant, if the algebraic degree of f in the variables from I is less than the size of I. In this paper, we mainly focus on this case. For more details of cube testers, we refer to [3].

Nonlinear Feedback Shift Registers. Nonlinear feedback shift registers (NFSRs) are the basic components of cryptographic primitives, especially of stream ciphers. Each time the system is clocked, the internal state is shifted right, and the new left bit is computed from the previous state by a nonlinear function f. The feedback bit is computed as

$$\begin{aligned} s_{t+1}=f({s}_{t},\cdots , {s}_{t-n+1}), \end{aligned}$$

where f can be any function in \(n\) variables. According to implementation purposes, the most useful case is the binary case, in which each cell contains a bit, and f is a Boolean function. In this paper, we focus on this binary case. For more details of NFSRs, we refer to [25].

3 An Iterative Method for Estimating Algebraic Degree of NFSR-Based Cryptosystems

Compared with other types of cryptographic primitives, such as Feistel and SPN ciphers, an NFSR-Based Cryptosystem usually updates less bits each round and needs more rounds to ensure its security, and its algebraic degree is more irregular. Maybe due to this reason, besides experimental analysis there are few theoretical tools to estimate algebraic degree of NFSR-Based cryptosystems.

We will show in this section a general idea for iteratively estimating algebraic degree of NFSR-based cryptosystems. We first present a basic fact on the degree of a composite function, and then exploit it to estimate degrees of the internal states and outputs of NFSR-based cryptosystems.

Let \(f(x_1,x_2,\cdots ,x_m)=\bigoplus _{c = (c_1, \cdots , c_m)\in \mathbb {F}_2^m}{a_{c}\prod _{i = 1}^{m}{x_i^{c_i}}}\) be a Boolean function on m variables. We define the following mapping, called numeric mapping and denoted by DEG,

$$\begin{aligned} \texttt {DEG}:~&\mathbb {B}_m\times \mathbb {Z}^m \rightarrow \mathbb {Z},\\&(f, D) \mapsto \max _{{a_{c}\ne 0}}\{\sum _{i = 1}^{m}{{c_i}d_i}\}, \end{aligned}$$

where \(D=(d_1,d_2,\cdots ,d_m)\) and \(a_c\)’s are coefficients of algebraic normal form of f as defined previously.

Let \(g_1, g_2, \cdots , g_m\) be Boolean functions on n variables, \(G=(g_1, g_2, \cdots , g_m)\) and \({\text {deg}}(G)=(\deg (g_1), \deg (g_2), \cdots , \deg (g_m))\). The numeric degree of the composite function is defined as \(\texttt {DEG}(f, {\text {deg}}(G))\), denoted by \(\texttt {DEG}(h)\) for short. We call \(\texttt {DEG}(f, D)\) a super numeric degree of h if \(d_i\ge \deg (g_i)\) for all \(1\le i\le m\), where \(D=(d_1,d_2,\cdots ,d_m)\). We can check that the algebraic degree of h is always less than or equal to the numeric degree of h, i.e.,

$$\begin{aligned} \deg (h)=\deg (f(g_1, g_2, \cdots , g_m))\le \texttt {DEG}(h)=\max _{a_{c}\ne 0}\{\sum _{i = 1}^{m}{{c_i}\deg (g_i)}\}. \end{aligned}$$

Proposition 1

The algebraic degree of a composite function is less than or equal to its numeric degree.

An NFSR-based cryptosystem usually consists of an update function g and an output function f. The internal state is updated by the update function g, while the output bit is generated by the output function f after an initialization of a sufficient number of rounds. To make the implementation efficient, the update function and output function usually have extremely sparse terms, e.g.,  Trivium [8, 10] and Grain [1, 27, 28]. Even though these functions are simple, there are few tools to exactly compute their algebraic degrees after updating the internal state by a sufficient number of rounds. A straightforward way to achieve this is to calculate the algebraic normal form, but it easily becomes out of memory as the number of rounds increases. A more efficient method is to test the coefficients of the algebraic normal form by statistical analysis, but it highly depends on the computational power and is limited by computational time. To overcome these limitations of computational resources, we exploit the numeric mapping to estimate the algebraic degree.

Corollary 2

Denote by \(s^{(t)}\) the internal state of an NFSR-based cryptosystem at t-th round, and let g and f be the update function and output function respectively. Then the algebraic degrees of the updated bit and output bit are respectively less than or equal to their numeric degrees, i.e., \(\texttt {DEG}(g, {\text {deg}}(s^{(t)}))\) and \(\texttt {DEG}(f, {\text {deg}}(s^{(t)}))\).

Example 1

Let \(x_{t}=x_{t-2}x_{t-7}+x_{t-4}x_{t-5}+x_{t-8}\) be the update function of an NFSR with size 8. For \(t=16\), we have

$$\begin{aligned} x_{16}=x_{14}x_{9}+x_{12}x_{11}+x_8. \end{aligned}$$

We can iteratively compute

$$\begin{aligned} x_{9}&= x_2 x_7 + x_4 x_5 + x_1,\\ x_{11}&= x_2 x_4 x_7 + x_1 x_4 + x_4 x_5 + x_6 x_7 + x_3,\\ x_{12}&= x_3 x_5 x_8 + x_2 x_5 + x_5 x_6 + x_7 x_8 + x_4,\\ x_{14}&= x_2 x_3 x_7 x_8 + x_2 x_5 x_6 x_7 + x_3 x_4 x_5 x_8 + x_3 x_5 x_7 x_8\\&\quad + x_1 x_3 x_8 + x_1 x_5 x_6 + x_2 x_4 x_5 + x_2 x_5 x_7 + x_4 x_5 x_6 \\&\quad + x_5 x_6 x_7 + x_1 x_2 + x_2 x_7 + x_4 x_7 + x_7 x_8 + x_6. \end{aligned}$$

Then by numeric mapping, we have

$$\begin{aligned} \texttt {DEG}(x_{16})&= \max \{\deg (x_{14})+\deg (x_{9}),\deg (x_{12})+\deg (x_{11}),\deg (x_{8})\}\\&= \max \{4+2,3+3,1\}\\&= 6. \end{aligned}$$

We can verify that \(\deg (x_{16})=6\) by calculating the algebraic normal form of \(x_{16}\). As a matter of fact, we can also check that \(\texttt {DEG}(x_{t})=\deg (x_{t})\) for all \(t<16\). This fact implies that we can get an accurate estimation of the algebraic degree of \(x_{16}\) by iteratively using numeric mapping starting at the beginning, without computations of the algebraic normal forms of internal bits.

The case that the numeric degree equals the algebraic degree usually happens when the intermediate variables appearing in the same nonlinear terms are independent. This scenario is reasonable for an ideal cryptosystem. For a concrete cipher, the numeric degree might be equal or close to the algebraic degree if we eliminate or reduce the dependent relationship between the intermediate variables.

figure a

The algebraic degrees of output bits and the internal states can be estimated iteratively for NFSR-based cryptosystems. We describe this estimation in Algorithm 1. In the algorithm, \(s^{(0)}=(s^{(0)}_1, s^{(0)}_2, \cdots , s^{(0)}_n)\) denotes the internal state at time 0 with size \(n\), and \(\deg (s^{(0)}, X)=(\deg (s^{(0)}_1, X), \deg (s^{(0)}_2, X), \cdots , \deg (s^{(0)}_n, X))\), where the notation \(\deg (s^{(0)}_i, X)\) denotes the algebraic degree of \(s^{(0)}_i\) with X as variables. Especially, \(\deg (0, X)=-\infty \), and \(\deg (c, X)=0\) for any nonzero c containing no variable in X. The update function G is written as vectorial Boolean functions from \(\mathbb {F}_{2}^{n}\) to \(\mathbb {F}_{2}^{n}\), where a few bits of input are updated and the rest of the bits are shifted. DegEst is a procedure for estimating algebraic degree. The output of this algorithm gives an upper bound on algebraic degree of the output of a given NFSR-based cryptosystem when setting \(\texttt {DegEst}(\cdot ,E^{(t)})\) to \(\texttt {DEG}(\cdot ,D^{(t)})\). This is based on the fact that \(\deg (g(s^{(t)}))\le \texttt {DEG}(g, {\text {deg}}(s^{(t)}))\le \texttt {DEG}(g, \texttt {DEG}(s^{(t)}))\) according to Corollary 2.

Now we have given a general framework of iterative estimation of algebraic degree of NFSR-Based Cryptosystems. To reach a sharper upper bound, we use a more delicate DegEst rather than DEG in Algorithm 1. We will show later the applications to Trivium-like ciphers, and the experimental results show that our estimated degree is very close to the real value of algebraic degree.

4 Applications to Trivium-Like Ciphers

In this section, we first briefly describe a generic view of a Trivium-like cipher to capture various cryptographic algorithms such as Trivium, TriviA-SC and Kreyvium. Then, based on our observations on the update functions of this kind of ciphers, we formalize and develop a linear-time algorithm for finding an upper bound on the algebraic degree of a Trivium-like cipher. Finally, we apply our algorithm to analyze the security of the ciphers Trivium, TriviA-SC and Kreyvium.

4.1 A Brief Description of Trivium-Like Ciphers

Let A,  B and C be three registers with sizes of \(n_A,n_B\) and \(n_C\), denoted by \(A_t\), \(B_t\) and \(C_t\) their corresponding states at clock t,

$$\begin{aligned} A_t&= (x_t, x_{t-1}, \cdots , x_{t-n_A+1}) ,\end{aligned}$$
(1)
$$\begin{aligned} B_t&= (y_t, y_{t-1}, \cdots , y_{t-n_B+1}) , \end{aligned}$$
(2)
$$\begin{aligned} C_t&= (z_t, z_{t-1}, \cdots , z_{t-n_C+1}) , \end{aligned}$$
(3)

and respectively updated by the following three quadratic functions,

$$\begin{aligned} x_t&= z_{t-r_C}\cdot z_{t-r_C+1} + \ell _A(s^{(t-1)}), \end{aligned}$$
(4)
$$\begin{aligned} y_t&= x_{t-r_A}\cdot x_{t-r_A+1} + \ell _B(s^{(t-1)}), \end{aligned}$$
(5)
$$\begin{aligned} z_t&= y_{t-r_B}\cdot y_{t-r_B+1} + \ell _C(s^{(t-1)}), \end{aligned}$$
(6)

where \(1\le r_\lambda < n_\lambda \) for \(\lambda \in \{A,B,C\}\) and \(\ell _A,\ell _B\) and \(\ell _C\) are linear functions. We denote \(A_t[i]=x_i\), \(B_t[i]=y_i\) and \(C_t[i]=z_i\), and define \(g_A^{(t)}=z_{t-r_C}\cdot z_{t-r_C+1}\), \(g_B^{(t)}=x_{t-r_A}\cdot x_{t-r_A+1}\) and \(g_C^{(t)}=y_{t-r_B}\cdot y_{t-r_B+1}\). The internal state, denoted by \(s^{(t)}\) at clock t, consists of the three registers ABC, that is, \(s^{(t)}=(A_t,~B_t,~C_t)\). Let f be the output function. After an initialization of N rounds, in which the internal state is updated for N times, the cipher generates a keystream bit by \(f(s^{(t)})\) for each \(t\ge N\).

Trivium and TriviA-SC exactly fall into this kind of ciphers. As mentioned earlier, TriviA-SC and its successor TriviA-SC (v2) only differ in the constants loaded to the initial internal state. Hereinafter, TriviA-SC means its both versions, if not specified. Kreyvium is a variant of Trivium with 128-bit security. Compared with Trivium, Kreyvium uses two extra registers \((K^*, V^*)\) without updating but shifting, i.e., \(s^{(t)}=(A_t,~B_t,~C_t, K^*, V^*)\), and add a single bit of \((K^*, V^*)\) to each of \(\ell _A\) and \(\ell _B\), where \(K^*\) and \(V^*\) only involve the key bits and IV bits respectively. We can easily adapt our techniques to Kreyvium from Trivium. Trivium uses an 80-bit key and an 80-bit IV, while Kreyvium and TriviA-SC both use a 128-bit key and a 128-bit IV. All these ciphers have 1152 rounds. For more details of the specifications of these ciphers, we refer to [10, 11, 13, 14].

4.2 The Algorithm for Estimation of Degree of Trivium-Like Ciphers

We present here an algorithm for giving an upper bound on the algebraic degree of the output of f after N rounds for a Trivium-like cipher, as depicted in Algorithm 2. We first initialize the degree of the initial internal state, denoted by \(D^{(0)}\), then iteratively compute \(D^{(t)}\) for \(t=1,2,\cdots ,N\), and finally apply numeric mapping to calculate an estimated degree for the first bit of the keystream. In Algorithm 2, we also use three sequences, denoted by \(d_A\), \(d_B\) and \(d_C\), to record the estimated degrees of the three registers ABC. In each step of a Trivium-like cipher, three bits are updated as (4), (5) and (6). Accordingly, we compute estimated degrees for these three bits in each step t, denoted by \(d_A^{(t)},d_B^{(t)}\) and \(d_C^{(t)}\). Then update \(D^{(t)}\) from \(D^{(t-1)}\). For estimating the algebraic degrees of \(x_t,y_t,z_t\), we exploit two procedures DegMul and DEG for dealing with their “quadratic” and “linear” parts separately. An instance of DegMul is described in Algorithm 3. The other two cases are similar, and the full procedure of DegMul is given in Algorithm 5 in Appendix. Algorithm 3 is used to compute an upper bound on the algebraic degree of \(g_A^{(t)}=z_{t-r_C}\cdot z_{t-r_C+1}\), and its correctness is shown in Lemma 4. We will demonstrate that for all t with \(1\le t\le N\) the estimated degrees \(d_A^{(t)},d_B^{(t)},d_C^{(t)}\) for \(x_t,y_t,z_t\) are greater than or equal to their corresponding algebraic degrees, and therefore the output \(\texttt {DEG}(f, D^{(N)})\) of Algorithm 2 is a super numeric degree of the first bit of the keystream. In other words, Algorithm 2 gives an upper bound on algebraic degree of the N-round output bit of a Trivium-like cipher.

figure b
figure c

Theorem 3

Algorithm 2 outputs a super numeric degree of the first keystream bit of an N-round Trivium-like cipher with X as variables.

As mentioned previously, to prove Theorem 3, it is sufficient to show the following lemma.

Lemma 4

In Algorithm 2, we have \(d_A^{(t)}\ge \deg (x_t, X)\), \(d_B^{(t)}\ge \deg (y_t, X)\) and \(d_C^{(t)}\ge \deg (z_t, X)\) for \(t\le N\).

Proof

It is trivial for \(t\le 0\). Next we simply write \(\deg (\cdot ,X)\) as \(\deg (\cdot )\). By Eqs. (4), (5) and (6), it is sufficient to prove for \(1\le t\le N\) that

$$\begin{aligned} d_A^{(t)}\ge \max \{\deg (z_{t-r_C}\cdot z_{t-r_C+1}), \deg (\ell _A(s^{(t-1)}))\}, \end{aligned}$$
(7)
$$\begin{aligned} d_B^{(t)}\ge \max \{\deg (x_{t-r_A}\cdot x_{t-r_A+1}), \deg (\ell _B(s^{(t-1)}))\}, \end{aligned}$$
(8)

and

$$\begin{aligned} d_C^{(t)}\ge \max \{\deg (y_{t-r_B}\cdot y_{t-r_B+1}), \deg (\ell _C(s^{(t-1)}))\}. \end{aligned}$$
(9)

We prove them by induction. Here we provide only the details of the proof for the first inequality due to the similarity. It is clear that (7) is true for \(1\le t\le r_C\). Assume that (7), (8) and (9) are true for all \(i\le t-1\). Now we prove that (7) is true for t with \(r_C< t\le N\).

From Algorithm 2, we have \(d_A^{(t)}\ge \texttt {DEG}(\ell _A, D^{(t-1)}) \ge \deg (\ell _A(s^{(t-1)}))\). Next we prove \(d_A^{(t)}\ge \deg (z_{t-r_C}\cdot z_{t-r_C+1})\). By (6), we obtain that for \(t-r_C\ge 1\),

$$\begin{aligned} z_{t-r_C}&= y_{t-r_C-r_B}\cdot y_{t-r_C-r_B+1} + \ell _C(s^{(t-r_C-1)}), \\ z_{t-r_C+1}&= y_{t-r_C-r_B+1}\cdot y_{t-r_C-r_B+2} + \ell _C(s^{(t-r_C)}), \end{aligned}$$

and thus

$$\begin{aligned}&z_{t-r_C}\cdot z_{t-r_C+1}\\ =&(y_{t-r_C-r_B}\cdot y_{t-r_C-r_B+1} + \ell _C(s^{(t-r_C-1)}))\cdot z_{t-r_C+1} \\ =&y_{t-r_C-r_B}\cdot y_{t-r_C-r_B+1}\cdot z_{t-r_C+1} + \ell _C(s^{(t-r_C-1)})\cdot z_{t-r_C+1} \\ =&y_{t-r_C-r_B}\cdot y_{t-r_C-r_B+1}\cdot (y_{t-r_C-r_B+1}\cdot y_{t-r_C-r_B+2} + \ell _C(s^{(t-r_C)}))\\&\quad + \ell _C(s^{(t-r_C-1)})\cdot z_{t-r_C+1} \\ =&y_{t-r_C-r_B}\cdot y_{t-r_C-r_B+1}\cdot y_{t-r_C-r_B+2} + y_{t-r_C-r_B}\cdot y_{t-r_C-r_B+1}\cdot \ell _C(s^{(t-r_C)})\\&+ \ell _C(s^{(t-r_C-1)})\cdot z_{t-r_C+1}. \end{aligned}$$

Denote by \(Y_1,Y_2\) and \(Y_3\) respectively the three summands in the above equality. By the previous assumption, we have

$$\begin{aligned}&d_C^{(t-r_C)} \ge \deg (y_{t-r_C-r_B}\cdot y_{t-r_C-r_B+1}), \\&d_C^{(t-r_C+1)} \ge \deg (y_{t-r_C-r_B+1}\cdot y_{t-r_C-r_B+2}), \end{aligned}$$

and thus

$$\begin{aligned} \deg (Y_1)\le&\min \{\deg (y_{t-r_C-r_B})+\deg (y_{t-r_C-r_B+1}\cdot y_{t-r_C-r_B+2}), \\&\quad \quad \deg (y_{t-r_C-r_B+2})+\deg (y_{t-r_C-r_B}\cdot y_{t-r_C-r_B+1}), \\&\quad \quad \deg (y_{t-r_C-r_B})+\deg (y_{t-r_C-r_B+1})+\deg (y_{t-r_C-r_B+2})\}\\ \le&\min \{\deg (y_{t-r_C-r_B})+d_C^{(t-r_C+1)}, \\&\quad \quad \deg (y_{t-r_C-r_B+2})+d_C^{(t-r_C)}, \\&\quad \quad \deg (y_{t-r_C-r_B})+\deg (y_{t-r_C-r_B+1})+\deg (y_{t-r_C-r_B+2})\}\\ \le&\min \{d_B^{(t-r_C-r_B)}+d_C^{(t-r_C+1)}, \\&\quad \quad ~d_B^{(t-r_C-r_B+2)}+d_C^{(t-r_C)}, \\&\quad \quad ~d_B^{(t-r_C-r_B)}+d_B^{(t-r_C-r_B+1)}+d_B^{(t-r_C-r_B+2)}\}=d_1. \end{aligned}$$

From the assumption we also have

$$\begin{aligned} \deg (Y_2)\le&~\texttt {DEG}(\ell _C, D^{(t-r_C)})+d_C^{(t-r_C)}=d_2, \\\deg (Y_3)\le&~\texttt {DEG}(\ell _C, D^{(t-r_C-1)})+d_C^{(t-r_C+1)}=d_3. \end{aligned}$$

Since \(\deg (z_{t-r_C}\cdot z_{t-r_C+1})\le \max \{\deg (Y_1),\deg (Y_2),\deg (Y_3)\}\le \max \{d_1,d_2,d_3\}\), by Algorithms 2 and 3 we know \(\deg (z_{t-r_C}\cdot z_{t-r_C+1}) \le d_A^{(t)}\).    \(\square \)

Complexity of the Algorithm. The size of the ANF of \(\ell _\lambda \) is constant and thus \(\texttt {DEG}(\ell _\lambda )\) and \(\texttt {DegMul}(g_\lambda ^{(t)})\) can be calculated in constant time, for \(\lambda \in \{A,B,C\}\). Therefore Algorithm 2 has time complexity of \(\mathcal {O}(N)\). It requires a memory of \(\mathcal {O}(N)\).

4.3 Experimental Results

In this section, we implement the algorithm on Trivium, Kreyvium and TriviA-SC, and reveal various upper bounds on the algebraic degrees of these ciphers. For Kreyvium, we use a modified \(D^{(t)}\) in the algorithm which includes the degrees of the two extra registers (key and IV).

When Will the Key and IV Be Sufficiently Mixed? We take all the key and IV bits as input variables X, and do experiments on Trivium, Kreyvium and TriviA-SC using Algorithm 2. We list the results in Table 2. As shown in the table, Trivium does not achieve the maximum degree 160 after an initialization of 907 rounds, while Kreyvium and TriviA-SC do not achieve the maximum degree 256 after 982 rounds and 1108 rounds respectively. Though it is not an attack, this implies that Trivium behaves best among the three ciphers while TriviA-SC has a small margin towards this test of maximum algebraic degree.

Table 2. Lower bound on the maximum number of rounds of not achieving maximum degree for Trivium, Kreyvium and TriviA-SC with all the key and IV bits as variables (\(X=(key,IV)\))
Full size table

When Will the IV Be Sufficiently Mixed? Taking a subset of the IV as input variables and the key as parameter, the algorithm gives a chosen IV distinguisher on the cipher. Such kind of distinguishers, including cube testers, have been widely investigated on stream ciphers, e.g., [3, 23, 24, 37].

We first apply the algorithm to Trivium, Kreyvium and TriviA-SC with all the IV bits as input variables, i.e., \(X=IV\). In our experiments, the key is taken as parameter, that is, \(\deg (k_i, X)=0\) for any bit \(k_i\) of the key. This is consistent with a distinguisher in the setting of unknown key. Our experiments show that Trivium does not achieve the maximum degree 80 after an initialization of 793 rounds, while Kreyvium and TriviA-SC do not achieve the maximum degree 128 after 862 rounds and 987 rounds respectively. We summarize our results in Table 3.

Table 3. Lower bound on the maximum number of rounds of NOT achieving maximum degree for Trivium, Kreyvium and TriviA-SC with all the IV bits as variables (\(X=IV\))
Full size table

We next consider an exhaustive search on the sets of input variables X which have size of around half length of the IV and contain no adjacent indexes. This is not the first time to make use of a cube that contain no adjacent indexes. Actually, the results of Aumasson et al. [3] and Liu et al. [33] have shown that we can profit from such kind of cubes in cube testers due to the nonlinear structure of the update functions of Trivium. In our experiments, we set the key as parameter, and set the non-variable IV bits to be zeros. Using Algorithm 2, we can exhaust all the cubes of size \(37\le n\le 40\) for Trivium, which contain no adjacent indexes, in a dozen minutes on a common PC. The amount of such cubes is \(\sum _{n=37}^{40}{81-n\atopwithdelims ()n}\approx 2^{25}\). Before this paper, it needs \(c\sum _{n=37}^{40}2^{n}{81-n\atopwithdelims ()n}\approx c2^{62}\) cipher operations to test all those cubes, and the confidence of the test depends on c. All the cubes containing no adjacent indexes of size \(61\le n\le 64\) for Kreyvium and TriviA-SC are exhausted in a few hours. The amount of such cubes is \(\sum _{n=61}^{64}{129-n\atopwithdelims ()n}\approx 2^{30}\). By the existing methods, it needs \(c\sum _{n=61}^{64}2^{n}{129-n\atopwithdelims ()n}\approx c2^{91}\) cipher operations to test all those cubes. The results are summarized in Table 4. The corresponding cubes are listed in Table 7 in Appendix.

Table 4. Cube testers on round-reduced Trivium, Kreyvium and TriviA-SC with around half of the IV bits as variables
Full size table
Table 5. Superpoly of round-reduced Trivium over a cube of size 37
Full size table

As shown in Table 4, the output of 837-round Trivium has degree strictly less than 37 over a subset of IV bits with size 37, and thus the outputs of 837-round Trivium over this cube always sum to 0. Since \(2^{37}\) is practical, we verify this by carrying out a test for random 100 keys. The minimum number of rounds such that the sum over this cube, i.e., the superpoly of the cube, is not zero-constant is detected to be 839, which means the output of 839-round Trivium achieves the maximum degree 37 over this subset of IV bits. This shows that our lower bound on the number of attacked rounds is very sharp, and our estimation of degree is, in some ways, very close to its real value. The test also implies a distinguisher for 842-round Trivium with time complexity of around \(2^{39}\), since we detect a bias of 0.46 from the 842-round output bit. We summarize in Table 5 the results of the test, where the rate that the superpoly of this cube equals non-zero is given for starting from 837 rounds to 842 rounds.

As shown in Table 4, the output of 872-round Kreyvium has algebraic degree strictly less than 61 over a subset of IV bits with size 61, which implies a distinguisher on this reduced version of Kreyvium with complexity of \(2^{61}\).

Our experiments also show that the output of 1035-round TriviA-SC (v1) and 1046-round TriviA-SC (v2) do not achieve maximum algebraic degree on a subset of IV bits with size 63 and size 62 respectively, which implies that we can distinguish them from random functions in \(2^{63}\) and \(2^{62}\) respectively. In fact, these two cubes are found much earlier before the completion of our experiments. The former is found in a second, and the latter in three minutes. By using the cube of size 63, we can also obtain a distinguisher with complexity of \(2^{63}\) on the full rounds of a simplified variant of TriviA-SC (for both versions), in which the unique nonlinear term of the output function is removed.

We have also tried to search for the cubes of large size under other strategies. We exhaust all the cubes with size close to the length of the IV. Besides, we use our algorithm together with the greedy algorithm, as done in [39], to search for the best cubes of any size. Nevertheless, no better results are found.

To further evaluate the accuracy of our algorithm, we perform more experiments specially on Trivium. We compute the exact value of the algebraic degree of the output bit of reduced Trivium from 66 rounds to 426 rounds, as well as estimate the degree by our algorithm. Our experiments show that

  • our estimated bound is equal to its real value for most of cases (greater than 70%), and even for the other cases their gap is only one, when taking all the key and IV bits or all the IV bits as input variables.

  • our estimated bound is always equal to its real value, when taking the best cube of size 37 as input variables.

Fig. 1.
figure 1

Upper bound on the algebraic degree of reduced Trivium

Full size image

They are strong evidence of high accuracy of our algorithm. We depict in Fig. 1 our full estimation of the upper bound on the algebraic degree of reduced Trivium for the mentioned three cases. From this figure, we can see that the algebraic degree on the IV bits is almost the same as that on all the key and IV bits, and it increases much faster than that of the best cube. The former is possible due to that the key and IV bits are loaded into different registers of Trivium, and the latter due to that two adjacent variable bits accelerate the growth of the algebraic degree.

Remarks. The algorithm is possibly improved by further refining the estimation of the degree of \(y_{i}\cdot y_{i+1} \cdot y_{i+2}\). However, probably because in most of cases \(y_{i}\cdot y_{i+1} \cdot y_{i+2}\) is not dominant on the algebraic degree of \(z_{i+r_B}\cdot z_{i+r_B+1}\), no improvement is found by this way in our experiments. Another possible improvement is to store the estimated degree of \(y_{i}\cdot y_{i+1}\) and replace some \(d_C^{(i+r_B)}\) with it in the procedure \(\texttt {DegMul}\). Again, it gives no better result, at least in our experiments, probably due to that the algebraic degree of \(z_{i+r_B}\) is usually equal to that of \(y_{i}\cdot y_{i+1}\). Even though these methods show no advantages in our experiments, they may be useful in some cases. In the following, for an instance, we will show an improved algorithm by computing the exact degrees of the internal states of the first rounds, together with the second method.

5 Improved Estimation of Degree of Trivium-Like Ciphers

In this section, we present an improved algorithm for estimating algebraic degree of the output of f after N rounds for a Trivium-like cipher, as described in Algorithm 4.

figure d

It is similar to Algorithm 2. In the improved algorithm, we compute the exact algebraic degrees of the internal states for the first \(N_0\) rounds, where the degrees of \(g_A^{(t)}\), \(g_B^{(t)}\) and \(g_C^{(t)}\) are also recorded, and use a modified \(\texttt {DegMul}^{*}\) to replace \(\texttt {DegMul}\), as depicted in Algorithm 6 in Appendix. The rest of this algorithm is the same as Algorithm 2. The output of Algorithm 4 also gives an upper bound on algebraic degree of an N-round Trivium-like cipher with X as input variables. The replacing \(\texttt {DegMul}\) with \(\texttt {DegMul}^{*}\) does not give the improvement but guarantees the validity of the algorithm. The proof is similar to that of Algorithm 2 and thus omitted in this paper.

It is hard to assess the complexity of Algorithm 4, which depends on \(N_0\) and the complexities of the ANFs of the internal states \((A_t,B_t,C_t)\) with \(t\le N_0\). It becomes much slower than Algorithm 2, as \(N_0\) increases.

We apply the algorithm to Trivium, Kreyvium and TriviA-SC. It slightly improves the results in Sect. 4 for TriviA-SC, as shown in Table 6, while this is not the case for Trivium and Kreyvium. For both versions of TriviA-SC in the case \(X=(key, IV)\), the number of rounds such that the output has degree less than 256 is improved from 1108 to 1121, by taking \(N_0=340\). For TriviA-SC (v2) with X being a subset of IV with size of 61, the number of rounds is improved from 1032 to 1047, by taking \(N_0=440\). This cube is listed in Table 7 in Appendix.

Table 6. Lower bounds on the number of rounds of NOT achieving maximum degree for TriviA-SC
Full size table

6 Conclusions

In this paper, we have shown a general framework of algebraic degree evaluation for NFSR-based cryptosystems. It is based on a new tool, named numeric mapping. We have also detailed the technique for efficiently finding an upper bound on the algebraic degree of Trivium-like ciphers. As illustrations, we applied it to Trivium, Kreyvium and TriviA-SC, and gained the best distinguishing attacks for all these ciphers, by an exhaustive search on a subset of the cubes that have size of around half length of the IV. To the best of our knowledge, our tool is the first theoretical one for finding an upper bound on the algebraic degree of an NFSR-based cryptosystem, and this is the first time that a cube of size beyond practical computations can be used in cryptanalysis of an NFSR-based cryptosystem. Note that cube testers are useful not only in distinguishing attacks but also in key recovery attacks. We believe that this tool is useful in both cryptanalysis and design of NFSR-based cryptosystems. In the future, it is worthy of working on its applications to key recovery attacks and to more cryptographic primitives. It is also worth a further generalization to other cryptosystems that are not built on NFSR.