Cryptology ePrint Archive: Report 2018/198

A Key-recovery Attack on 855-round Trivium

Ximing Fu and Xiaoyun Wang and Xiaoyang Dong and Willi Meier

Abstract: In this paper, we propose a key-recovery attack on Trivium reduced to 855 rounds. As the output is a complex Boolean polynomial over secret key and IV bits and it is hard to find the solution of the secret keys, we propose a novel nullification technique of the Boolean polynomial to reduce the output Boolean polynomial of 855-round Trivium. Then we determine the degree upper bound of the reduced nonlinear boolean polynomial and detect the right keys. These techniques can be applicable to most stream ciphers based on nonlinear feedback shift registers (NFSR). Our attack on $855$-round Trivium costs time complexity $2^{77}$. As far as we know, this is the best key-recovery attack on round-reduced Trivium. To verify our attack, we also give some experimental data on 721-round reduced Trivium.

Category / Keywords: Trivium, Nullification Technique, Polynomial Reduction, IV Representation, Key-recovery Attack

Original Publication (with minor differences): IACR-CRYPTO-2018

Date: received 18 Feb 2018, last revised 2 Jun 2018

Contact author: fxm15 at mails tsinghua edu cn

Available format(s): PDF | BibTeX Citation

Version: 20180603:014018 (All versions of this report)

Short URL:

Discussion forum: Show discussion | Start new discussion

[ Cryptology ePrint archive ]