- Trivium (cipher)
**Trivium** is a synchronous stream cipher designed to provide a flexible trade-off between speed and gate count in hardware, and reasonably efficient software implementation. It was submitted to Profile II (hardware) of the eSTREAM competition by its authors, Christophe De Cannière and Bart Preneel, and has been selected as part of the portfolio for Profile 2 by the eSTREAM project. It is not patented.

It generates up to $2^{64}$ bits of output from an 80-bit key and an 80-bit IV. It is the simplest eSTREAM entrant, and shows remarkable resistance to cryptanalysis for its simplicity.

**Description**

Trivium's 288-bit internal state consists of three shift registers of different lengths. At each round, a bit is shifted into each of the three shift registers using a non-linear combination of taps from that and one other register; one bit of output is produced. To initialize the cipher, the key and IV are written into two of the shift registers, with the remaining bits starting in a fixed pattern; the cipher state is then updated 4 × 288 = 1152 times, so that every bit of the internal state depends on every bit of the key and of the IV in a complex nonlinear way.

No taps appear on the first 64 bits of each shift register, so each novel state bit is not used until at least 64 rounds after it is generated. This is the key to Trivium's software performance and flexibility in hardware.

**Specification**

Trivium may be specified very concisely using three recursive equations (eSTREAM Phorum, 2006-02-20, http://www.ecrypt.eu.org/stream/phorum/read.php?1,448). Each variable is an element of GF(2); they can be represented as bits, with "+" being XOR and multiplication being AND.

* $a_i = c_{i-66} + c_{i-111} + c_{i-110} c_{i-109} + a_{i-69}$
* $b_i = a_{i-66} + a_{i-93} + a_{i-92} a_{i-91} + b_{i-78}$
* $c_i = b_{i-69} + b_{i-84} + b_{i-83} b_{i-82} + c_{i-87}$

The output bits $r_0 \ldots r_{2^{64}-1}$ are then generated by

* $r_i = c_{i-66} + c_{i-111} + a_{i-66} + a_{i-93} + b_{i-69} + b_{i-84}$

Given an 80-bit key $k_0 \ldots k_{79}$ and an $l$-bit IV $v_0 \ldots v_{l-1}$ (where $0 \le l \le 80$), Trivium is initialized as follows:

* $(a_{-1245} \ldots a_{-1153}) = (0, 0 \ldots 0, k_0 \ldots k_{79})$
* $(b_{-1236} \ldots b_{-1153}) = (0, 0 \ldots 0, v_0 \ldots v_{l-1})$
* $(c_{-1263} \ldots c_{-1153}) = (1, 1, 1, 0, 0 \ldots 0)$

The large negative indices on the initial values reflect the 1152 steps that must take place before output is produced.

To map a stream of bits $r$ to a stream of bytes $R$, we use the little-endian mapping $R_i = \sum_{j=0}^{7} 2^j r_{8i+j}$.

**Performance**

A straightforward hardware implementation of Trivium would use 3488 logic gates and produce one bit per clock cycle. However, because each state bit is not used for at least 64 rounds, 64 state bits can be generated in parallel at a slightly greater hardware cost of 5504 gates. Different tradeoffs between speed and area are also possible. The same property allows an efficient bitslice implementation in software; performance testing by eSTREAM gives bulk encryption speeds of around 4 cycles/byte on some x86 platforms, which compares well to the 19 cycles/byte of the AES reference implementation on the same platform.

**Security**

> [Trivium] was designed as an exercise in exploring how far a stream cipher can be simplified without sacrificing its security, speed or flexibility. While simple designs are more likely to be vulnerable to simple, and possibly devastating, attacks (which is why we strongly discourage the use of Trivium at this stage), they certainly inspire more confidence than complex schemes, if they survive a long period of public scrutiny despite their simplicity. [1]

As of November 2007, no cryptanalytic attacks better than brute force are known. The best attack recovers the internal state (and thus the key) in around $2^{89.5}$ steps (where each step is roughly the cost of a single trial in exhaustive search). [2] Reduced variants of Trivium using the same design principles have been broken using an equation-solving technique. [3] These attacks improve on the well-known time-space tradeoff attack on stream ciphers, which with Trivium's 288-bit internal state would take $2^{144}$ steps, and show that a variant on Trivium which made no change except to increase the key length beyond the 80 bits mandated by eSTREAM Profile 2 would not be secure.

A detailed justification of the design of Trivium is given in [4].

**References**

* [1] Christophe De Cannière, Bart Preneel. "Trivium specifications". eSTREAM submitted papers, 2005-04-29. PDF: http://www.ecrypt.eu.org/stream/ciphers/trivium/trivium.pdf (accessed 2006-10-09).
* [2] Alexander Maximov, Alex Biryukov. "Two Trivial Attacks on Trivium". Cryptology ePrint, 2007-01-23. PDF: http://mirror.cr.yp.to/eprint.iacr.org/2007/021 (Table 6, page 11).
* [3] Håvard Raddum. "Cryptanalytic results on Trivium". eSTREAM submitted papers, 2006-03-27. PostScript: http://www.ecrypt.eu.org/stream/papersdir/2006/039.ps (accessed 2006-10-09).
* [4] Christophe De Cannière, Bart Preneel. "Trivium - A Stream Cipher Construction Inspired by Block Cipher Design Principles". eSTREAM submitted papers, 2006-01-02. PDF: http://www.ecrypt.eu.org/stream/papersdir/2006/021.pdf (accessed 2006-10-09).

**External links**

* eSTREAM page on Trivium: http://www.ecrypt.eu.org/stream/trivium.html

*Wikimedia Foundation.
2010.*
