In this paper we present experimental results of an application of SAT solvers in current cryptography. Trivium is a very promising stream cipher candidate in the final phase of the eSTREAM project. We use the fastest industrial SAT solvers to attack a reduced version of Trivium – called Bivium. Our experimental attack time using the SAT solver is the best attack time that we are aware of, it is faster than the following attacks: exhaustive search, a BDD based attack, a graph theoretic approach and an attack based on Gröbner bases. The attack recovers the internal state of the cipher by first setting up an equation system describing the internal state, then transforming it into CNF and then solving it. When one implements this attack, several questions have to be answered and several parameters have to be optimised.


SAT Solver Application Cryptography Stream Cipher Rsat eSTREAM Bivium Trivium BDD Gröbner Base 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    eSTREAM: eSTREAM – The ECRYPT Stream Cipher Project.
  2. 2.
    NESSIE: NESSIE – New European Schemes for Signatures, Integrity and Encryption.
  3. 3.
    De Cannière, C., Preneel, B.: TRIVIUM – a stream cipher construction inspired by block cipher design principles. eSTREAM, ECRYPT Stream Cipher Project, Report 2005/030 (2005),
  4. 4.
    Raddum, H.: Cryptanalytic results on TRIVIUM. eSTREAM, ECRYPT Stream Cipher Project, Report 2006/039 (2006),
  5. 5.
    Le Berre, D., Simon, L.: Special Volume on the SAT 2005 competitions and evaluations. Journal of Satisfiability (JSAT) (March 2006),
  6. 6.
    Maximov, A., Biryukov, A.: Two Trivial Attacks on Trivium. In: Selected Areas in Cryptography 2007, pp. 36–55 (2007)Google Scholar
  7. 7.
    Biryukov, A., Shamir, A.: Cryptoanalytic time/memory/data tradeoffs for stream ciphers. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, pp. 1–13. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  8. 8.
    Bard, G., Courtois, N., Jefferson, C.: Efficient Methods for Conversion and Solution of Sparse Systems of Low-Degree Multivariate Polynomials over GF(2) via SAT-Solvers. Cryptology ePrint Archiv, Report 2007/024 (2007)Google Scholar
  9. 9.
    McDonald, C., Charnes, C., Pieprzyk, J.: Attacking Bivium with MiniSat. Cryptology ePrint Archive, Report 2007/040 (2007)Google Scholar
  10. 10.
  11. 11.
    Pipatsrisawat, K., Darwiche, A.: RSat 2.0: SAT Solver Description. Technical report D153. Automated Reasoning Group, Computer Science Department, University of California, Los Angeles (2007),
  12. 12.
    Een, N., Sorensson, N.: MiniSat – A SAT Solver with Conflict-Clause Minimization. In: Bacchus, F., Walsh, T. (eds.) SAT 2005. LNCS, vol. 3569, Springer, Heidelberg (2005), Google Scholar
  13. 13.
    Wegener, I.: Branching Programs and Binary Decision Diagrams. SIAM Monographs on Discrete Mathematics and Applications. SIAM, Philadelphia (2000)zbMATHGoogle Scholar
  14. 14.
    Krause, M.: BDD-Based Cryptanalysis of Keystream Generators. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 237–239. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  15. 15.
    Krause, M.: OBDD-Based Cryptanalysis of Oblivious Keystream Generators. Theory of Computing Systems 40(1), 101–121 (2007)zbMATHCrossRefMathSciNetGoogle Scholar
  16. 16.
    Krause, M., Stegemann, D.: Reducing the space complexity of BDD-based attacks on keystream generators. In: Robshaw, M.J.B. (ed.) FSE 2006. LNCS, vol. 4047, pp. 163–178. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  17. 17.
    Stegemann, D.: Extended BDD-based Cryptanalysis of Keystream Generators. In: Proceedings of SAC 2007. LNCS, vol. 4876, pp. 17–35 (2007)Google Scholar
  18. 18.
    Somenzi, F.: CUDD, version 2.4.1, University of Colorado,
  19. 19.
    Stein, W.: Sage Mathematics Software (Version 2.9.2) The SAGE Group (2007),
  20. 20.
    Greuel, G.-M., Pfister, G., Schönemann, H.: Singular 3.0.4. A Computer Algebra System for Polynomial Computations. Centre for Computer Algebra, University of Kaiserslautern (2007),
  21. 21.
    Buchberger, B.: Gröbner Bases: A Short Introduction for System Theorists. In: Moreno-Díaz Jr., R., Buchberger, B., Freire, J.-L. (eds.) EUROCAST 2001. LNCS, vol. 2178, pp. 1–14. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  22. 22.
    Brickenstein, M.: Slimgb: Gröbner Bases with Slim Polynomials. Reports on Computer Algebra 35, ZCA, University of Kaiserslautern (2005)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2008

Authors and Affiliations

  • Tobias Eibach
    • 1
  • Enrico Pilz
    • 1
  • Gunnar Völkel
    • 1
  1. 1.Institute of Theoretical Computer ScienceUlm UniversityUlmGermany

Personalised recommendations