Advanced Algebraic Attack on Trivium

  • Frank-M. Quedenfeld
  • Christopher Wolf
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9582)


This paper presents an algebraic attack against Trivium that breaks 625 rounds using only 4096 bits of output in an overall time complexity of \(2^{42.2}\) Trivium computations. While other attacks can do better in terms of rounds (799), this is a practical attack with a very low data usage (down from \(2^{40}\) output bits) and low computation time (down from \(2^{62}\)).

From another angle, our attack can be seen as a proof of concept: how far can algebraic attacks be pushed when several known techniques are combined into one implementation? All attacks have been fully implemented and tested; our figures are therefore not the result of any potentially error-prone extrapolation, but results of practical experiments.


Keywords: Trivium, Algebraic modelling, Similar variables, ElimLin, Sparse multivariate algebra, Equation solving over \(\mathbb{F}_2\)



The first author wants to thank Wolfram Koepf (University of Kassel) for fruitful discussions and guidance. Both authors gratefully acknowledge an Emmy Noether Grant of the Deutsche Forschungsgemeinschaft (DFG).



Copyright information

© Springer International Publishing Switzerland 2016

Authors and Affiliations

  1. University of Technology Braunschweig, Braunschweig, Germany
  2. Research Center Jülich, Jülich, Germany
