Keywords

1 Introduction

A nonlinear feedback shift register (NFSR) is widely used in modern cryptographic primitives, especially in radio-frequency identification devices (RFID) and wireless sensor networks applications. Most NFSR-based cryptosystems can be described as tweakable Boolean functions with respect to both secret variables (e.g., key bits) and public variables (e.g., plaintext bits or initial value (IV) bits). The algebraic degrees of these Boolean functions are of great importance in the security of the corresponding primitives. For a cryptographic primitive with low algebraic degree, it is vulnerable to many known attacks, such as cube attacks [1,2,3,4] and higher order differential attacks [5, 6] which are the most powerful cryptanalytic tools against NFSR-based cryptosystems. Cube attack is introduced by Dinur and Shamir [1], which is a chosen plaintext key-recovery attack. Since then, cube attack has attracted much attention in recent public cryptographic literatures. At Eurocrypt 2015, Dinur et al. [2] publish a key-recovery attack on Keccak keyed modes, where the cube variables are selected not to multiply with each other after the first round, then the output degree of the polynomials is reduced. Later Huang et al. [7] propose a new conditional cube attack on Keccak keyed modes and present an 8-round attack on Keyak. Recently, conditional cube attack is applied to round-reduced ASCON [8] and River Keyak [9]. Also, algebraic attacks [10, 11] and integral attacks [12] are easy to perform on a cryptographic primitive with low algebraic degree.

For modern cryptographic primitives, it is difficult to compute the exact values of the algebraic degrees. But, there are several theoretical tools can be used to estimate the upper bounds on the algebraic degrees of iterated permutations, and concurrently exploited to attack iterated ciphers [1, 13,14,15]. Yet for NFSR, there are few tools for estimating its algebraic degree, besides symbolic computation and statistical analysis. Some techniques highly depend on computational capabilities which restrict the cryptanalytic results. A variant of cube attacks called dynamic cube attacks can reach much higher attack complexity, but they are still limited by the size of the cubes [1, 4]. Based on this point, in either cube attacks or cube testers, the cubes with size larger than 54 have never been utilized in cryptanalysis of NFSR-based cryptosystems. Recently, at CRYPTO 2017, two works on cube attacks use the cubes with size larger than 50. The one by Todo et al. [16] presents possible key recovery attacks against Trivium [17], Grain-128a [18] and ACORN [19] using the cubes of sizes 72, 92 and 64. They mainly make use of the propagation of the bit-based division property of stream ciphers. The other by Liu [20] gives a tool called numeric mapping to iteratively obtain the upper bounds on the algebraic degrees of NFSR-based cryptosystems.

Our Contributions. In this paper, we propose a new cube searching method named conditional searching. The main idea of this new searching method is to reduce the searching space through controlling the propagation of the IV bits and contains two main steps: finding complementary variables and searching conditional cubes. At the finding complementary variables step, we introduce a concept of complementary variables corresponding to cube variables. To ensure that cube variables are not multiplied with each other in the first few propagations, we give two main strategies to find complementary variables according to the taps used in the feedback functions and the size of cubes needed. At the second step, we first give a simple algorithm to estimate the maximal size of conditional cubes which means that there is not any corresponding complementary variable. Then another algorithm is given to search conditional cubes. With our cube searching method and the algebraic degree estimated method numeric mapping introduced by Liu [20], we can confirm the maximum numbers of initialization rounds of some NFSR-based cryptosystems such that the generated keystream bit does not achieve the maximum algebraic degree.

We apply our method to Trivium to verify the validity with the searching space of size about \(2^{12.5}\). While in [20], the searching space is \(2^{25}\). Our searching space is smaller than that of the existing results. We also apply the method to Trivium-variants containing Par-Trivium and Loc-Trivium. For Par-Trivium, where the parameters in Trivium are changed, we estimate the algebraic degrees and can get an upper bound of the maximum initialization rounds such that the generated keystream bit does not achieve the maximum algebraic degree. The experiments show that the maximum round of Par-Trivium is 863 which is the worst case. So, parameters in Par-Trivium can be as big as possible on the premise of the security against other attacks. And for Loc-Trivium, where the key and IV loading locations are changed in Trivium, we can get similar results. The experiments show that the maximum initialization round of all considered Trivium-variants is 910, which is the worst case and should be avoided to be resistant to cube attacks or cube tests when new ciphers are designed. The applications provide some insights into the taps used in the feedback functions and the key and IV loading locations of such stream ciphers, which are useful in both cryptanalysis and design of NFSR-based cryptosystems.

Organization of the Paper. The rest of this paper is structured as follows. In Sect. 2, basic definitions and notations are provided. Section 3 shows the general framework of our conditional searching method, while its applications on Trivium and Trivium-variants are given in Sects. 4 and 5. Section 6 concludes the paper.

2 Preliminaries

Boolean Functions and Algebraic Degree. Let \(\mathbb {F}_{2}\) be the binary field and \(\mathbb {F}_{2}^{n}\) the n-dimensional vector space over \(\mathbb {F}_{2}\). An n-variable Boolean function is a mapping from \(\mathbb {F}_{2}^{n}\) into \(\mathbb {F}_{2}\). An n-variable Boolean function f can be uniquely represented as a multivariate polynomial over \(\mathbb {F}_{2}\),

$$f({x_1},{x_2}, \cdots {x_n}) = \mathop \oplus \limits _{c = ({c_1},{c_2}, \cdots {c_n}) \in {\mathbb {F}_{2}}} {a_c}\prod \limits _{i = 1}^n {x_i^{{c_i}}} ,~~~{a_c} \in {\mathbb {F}_{2}},$$

called the algebraic normal form (ANF). The algebraic degree of f, denoted by \(\deg (f)\), is defined as \(\max \{wt(c)|a_{c}\ne 0\}\), where wt(c) is the Hamming weight of c.

Numeric Mapping. Let \(f({x_1},{x_2}, \cdots {x_n}) = \mathop \oplus \limits _{c = ({c_1},{c_2}, \cdots {c_n}) \in {\mathbb {F}_{2}}} {a_c}\prod \limits _{i = 1}^n {x_i^{{c_i}}} ({a_c} \in {\mathbb {F}_{2}})\) be a Boolean function. Denote by \(\mathbb {B}_{n}\) the set of all n-variable Boolean functions. The numeric mapping [20], denoted by \(\texttt {DEG}\) is defined as

(1)

where \(D = (d_{1}, d_{2},\cdot \cdot \cdot , d_{n})\) and \(a_{c}\)’s are coefficients of the ANF of f. Let \(g_{i}(1 \le i \le n)\) be Boolean functions on m variables, and denote \(\deg (G) =(\deg (g_{1}), \deg (g_{2}),\cdot \cdot \cdot ,\deg (g_{n}))\) for \(G = (g_{1}, g_{2}, \cdot \cdot \cdot , g_{n})\). The numeric degree of the composite function \(h = f\circ G\) is defined as \(\texttt {DEG}(f, \deg (G))\), denoted by \(\texttt {DEG}(h)\) for short. The algebraic degree of h is always less than or equal to the numeric degree of h. The algebraic degrees of the output bits with respect to the internal states can be estimated iteratively for NFSR-based cryptosystems by using numeric mapping.

Cube Testers. Given a Boolean function f and a term \(t_{I}\) containing variables from an index subset I that are multiplied together, the function can be written as

$$f(x_{1}, x_{2}, \cdot \cdot \cdot , x_{n}) = f_{S}(I) \cdot t_{I} \oplus q(x_{1}, x_{2}, \cdot \cdot \cdot , x_{n}),$$

where the terms in \(q(x_{1}, x_{2}, \cdot \cdot \cdot , x_{n})\) miss at least one variable from I and \(f_{S}(I)\) is called the superpoly of I in f. The basic idea of cube testers is that

$$\begin{aligned} \sum \limits _{x' \in {C_I}} {f = {f_S}} (I), \end{aligned}$$

where \(C_{I}\) are all possible values of the subset of variables in the term \(t_{I}\). The target of cube testers work by evaluating superpolys of carefully selected terms \(t_{I}\)’s which are products of public variables (e.g., IV bits), and trying to distinguish them from a random function. A cube tester can detect the nonrandomness in cryptographic primitives by extracting the testable properties of the superpoly, such as unbalance, constantness and low degree, with the help of property testers. Especially, the superpoly \(f_{S}(I)\) is equal to a zero constant, if the algebraic degree of f in the variables from I is smaller than the size of I.

3 A New Method for Searching Cube

In this section, we propose a new model for searching cube, called conditional searching. The new searching method consists of two phases, finding complementary variables and searching conditional cubes. First, we will give a generalized model of the initialization phases of NFSR-based cryptosystems.

3.1 Generalized Model

For NFSR-based cryptosystems, especially NFSR-based stream ciphers, the initialization phase is used to initialize the internal state using secret variables (e.g., key bits) and public variables (e.g., plaintext bits or IV bits). Then the encryption phase just consists of an exclusive or (XOR) with the continuously updated keystream. The generalized model of initialization phases of some NFSR-based cryptosystems can be depicted as Fig. 1, which is helpful in the sense that we could study some special properties/choices more clearly in a unified framework.

Fig. 1.
figure 1

Generalized initialization phase of NFSR-based cryptosystem

Full size image

FSR1 and FSR2 are two registers. Here we stress that FSR1 in the model can be further decomposed into a series of cascaded smaller NFSRs or LFSRs, which could also be treated by our cryptanalysis. There are two Boolean functions involved in the model: a (either linear or non-linear) Boolean function g and a non-linear Boolean function f. FSR2 is initialized by the padded IV. It is obvious that our generalized model could cover initialization processes of Grain v1 [21], Trivium and so on. Denote by \(S_{t}\) and \(B_{t}\) the initial states of FSR1 and FSR2 at time t with size of \(m_{1}\) and \(m_{2}\). At each step, FSR2 is updated by f, sometimes without any taps from FSR1, and FSR1 is updated by g as follows:

  • FSR1 is updated recursively by g as \(S_{t+1} = (s_{t+1}, s_{t+2}, \cdot \cdot \cdot , s_{t+m_{1}} )\) with \(s_{t+m_{1}} = g(S_{t},B_{t})\).

  • FSR2 is updated recursively by f as \(B_{t+1} = (b_{t+1}, b_{t+2}, \cdot \cdot \cdot , b_{t+m_{2}} )\) with \(b_{t+m_{2}} = f(B_{t},S_{t})\) or \(b_{t+m_{2}} = f(B_{t})\).

  • We assume these processes are invertible, and the inverse processes are \(S_{t-1} \,{=}\, (s_{t-1}, s_{t},\cdot \cdot \cdot , s_{t+m_{1}-2})\) with \(s_{t-1} \,{=}\,g^{-1}(S_{t},B_{t})\) and \(B_{t-1}= (b_{t-1}, b_{t},\cdot \cdot \cdot , b_{t+m_{2}-2})\) with \(b_{t-1} =f^{-1}(B_{t},S_{t})\) or \(b_{t-1} =f^{-1}(B_{t})\).

3.2 Conditional Searching Method

Huang et al. [7] propose a new conditional cube attack on Keccak keyed modes and present an 8-round attack on Keyak. By restraining some bit conditions of the key, they obtain a new set of cube variables which not only do not multiply with each other after the first round, but also contains one cube variable that does not multiply with other cube variables after the second round, and then the output degree over cube variables is further reduced. Based on this method, we give our conditional searching method which is a searching tool with some conditions to reduce the searching space. The conditional cubes used in our paper is different, which means that the cubes do not contain any complementary variables. Before the method is given, we will give a definition of complementary variables. In the cube attack or cube test against stream cipher, cube variables are chosen from the IV bits with length l, where \(IV=(iv_{1},iv_{2},\cdot \cdot \cdot ,iv_{l})\). When \(iv_{i}\) is chosen as a cube variable, the variables that must not be chosen are called complementary variables corresponding to the cube variable \(iv_{i}\). Our conditional searching method contains two steps: finding complementary variables and searching conditional cubes. We call the cubes that do not contain any corresponding complementary variables, conditional cubes for simplicity. The conditional cubes and the maximum numbers of initialization rounds (maximum rounds for simplicity)  are corresponding to the situation that the generated keystream bit does not achieve the maximum algebraic degree.

Finding Complementary Variables. The main way to find complementary variables is to control the propagation of cube variables. As shown in the generalized model, the IV bits are loaded in FSR2 and cube variables are chosen from them. This way, the propagation paths of the IV bits are of importance to choose cube variables and determine the corresponding complementary variables. In the beginning, the IV bits only appear in FSR2 and take part in the update of FSR2 (or FSR1) through the feedback function f (or g). Several steps later, they will appear in both FSR2 and FSR1.

It is intuitive that if the cube variables are not multiplied with each other in the first few propagations, the maximum initialization round, such that the generated keystream bit does not achieve the maximum algebraic degree, will be larger. The complementary variables are determined by these variables that would be multiplied with each other. For the multiplied variables, if one of them is chosen to be cube variable, the others are defined as complementary variables. This way, the taps in the feedback functions play a leading role in finding complementary variables. It is easy to see that the more propagations are controlled, the less conditional cubes are satisfied. Two main strategies to choose cube variables are used here.

  • In the beginning, where the IV bits take part in the first iteration, cube variables should not be multiplied with each other.

  • When the IV bits as a part of the feedback value take part in the update function, cube variables must not be multiplied with each other.

By an iteration we mean two or more rounds which depends on the maximal tap in the feedback function, more details, one can see the following example.

Example 1

Let \(m_{1}=m_{2}=8\) and

$$\begin{aligned} \begin{aligned}&\qquad \; \; s_{t+8}=s_{t+6}s_{t+1}+s_{t}+b_{t+2},\\&\qquad \; \; b_{t+8}=b_{t+4}b_{t+3}+b_{t}+s_{t+3},\\&S_{1} = (s_{1}, s_{2}, \cdot \cdot \cdot , s_{8})=(iv_{1}, iv_{2}, \cdot \cdot \cdot , iv_{8}), \end{aligned} \end{aligned}$$

where \(t\ge 1\). For FSR2, the maximal tap in the feedback function is \(s_{t+6}\) and an iteration means two rounds, where

figure a

What we need to control is the first two iterations, that is \(t\le 4\). In the first iteration, \(s_{7}\), \(s_{2}\) and \(s_{8}\), \(s_{3}\) are multiplied with each other. In the second iteration, \(s_{9}\) is multiplied with \(s_{4}\) and \(s_{10}\) is multiplied with \(s_{5}\), where \(s_{9}\) and \(s_{10}\) are feedback values. Take the IV bits into account, the multiplied pairs are \((iv_{2},iv_{7}),(iv_{3},iv_{8}),(iv_{1},iv_{4})\) and \((iv_{2},iv_{5})\), during the first two iterations. We can predict that if \(iv_{i}\) is a cube variable, \(iv_{i+3}\) and \(iv_{i+5}\) will be multiplied with \(iv_{i}\) at some point. So, the complementary variables are \(iv_{i+3}\) and \(iv_{i+5}\) corresponding to the cube variable \(iv_{i}\). Similarly, for FSR1, when \(t=9\), the number of the iterations with respect to \(S_{1}\) is larger than two. The multiplied pairs are \((iv_{4},iv_{5}),(iv_{5},iv_{6})\) and \((iv_{6},iv_{7})\), during the first two iterations and the complementary cube variable is \(iv_{i+1}\) corresponding to the cube variable \(iv_{i}\). In summary, if \(iv_{i}\) is chosen to be a cube variable, the set of complementary variables is \(\{iv_{i+1},iv_{i+3},iv_{i+5}\}\).

Searching Conditional Cube. Once the complementary variables are obtained, we need to search the conditional cubes that do not contain any complementary variables. But before that, we have to determine the maximal size of conditional cubes and then to search this kind of cubes. If the number of variables that can be used as cube variables is small, the problem is very easy. As shown in Example 1, the maximal size of conditional cubes is four, which are \(\{iv_{1},iv_{3},iv_{5},iv_{7}\}\) and \(\{iv_{2},iv_{4},iv_{6},iv_{8}\}\). We can verify that among conditional cubes, cube variables will not be multiplied with each other in the first few rounds and there is not any complementary variables \(\{iv_{i+1},iv_{i+3},iv_{i+5}\}\) corresponding to \(iv_{i}\).

In the NFSR-based stream ciphers, the length of the IV bits is so large that we can’t easily estimate the maximal size and search the cubes. Two algorithms are given to solve these two problems. Let the set of the complementary variables corresponding to \(iv_{i}\) be \(C^{'}=\{iv_{i+j_{1}},iv_{i+j_{2}},\cdot \cdot \cdot ,iv_{i+j_{m}}\}\). Algorithm 1 is used to estimate the maximal size of conditional cubes. The main idea is to choose one special cube according to the indexes of the IV bits from small to large. It is obvious that the size dim of this special cube is the maximal size and all the conditional cubes are of size less than dim.

figure b
figure c

Algorithm 2 is given to search conditional cubes with the maximal size dim. First, we evenly divide the IV bits into several parts. For the first part, search all sub-conditional cubes with possible sizes. For other parts, we can get the corresponding sub-conditional cubes by changing the subscripts, as show in line 7 of Algorithm 2. Second, examine the combinations of all possible sub-conditional cubes to obtain the conditional cubes. Denote the length of the IV bits and the evenly divided factor by l and m. Evenly divide the IV bits into l / m parts, denoted by part j, where \(1 \le j\le l/m\). Denoted by \(subdim_{j}\) the sub-size of sub-conditional cubes chosen from part j. The criteria of testing whether the cube with size dim is a conditional cube is to verify that if \(iv_{i}\) is a cube variable, whether the complementary variables in \(C^{'}\) are cube variables. For example, if the length of the IV bits is 80, we can evenly divide them into 4 parts, \(iv_{1}\) to \(iv_{20}\), \(iv_{21}\) to \(iv_{40}\), \(iv_{41}\) to \(iv_{60}\), and \(iv_{61}\) to \(iv_{80}\). The first part is \(iv_{1}\) to \(iv_{20}\) and all sub-conditional cubes with possible sizes can be obtained by the simple exhaustive search method. For other parts, add 20, 40, 60 to the subscripts of the sub-conditional cubes. If the size of conditional cubes is 38, we need to consider all possible combinations of sub-conditional cubes, where the sum of the sub-sizes is 38. Then for each cube variable \(iv_{i}\), verify whether the corresponding complementary variables are cube variables. If not, this cube is a conditional cube.

The main time complexity of Algorithm 2 is to test the combinations of sub-conditional cube with size of \(subdim_{j}\), where \(1 \le j\le l/m\). According to the length of the IV bits and the maximum size of conditional cubes, m need to be chosen carefully, which plays an important role in the time complexity. Whether the IV bits need to be divided depends on the complementary variables. For Trivium, two complementary variables are \(iv_{i+1}\) and \(iv_{i-1}\) and we can exhaust search all the cubes containing no adjacent indexes. Then the criteria is used to test whether the cubes are conditional cubes.

4 Applications to Trivium

Trivium is a stream cipher designed in 2005 and has been selected as one of the portfolio for hardware ciphers (Profile 2) by the eSTREAM project. Though Trivium is designed to provide a flexible trade-off between speed and gate count in hardware, it also provides extremely efficient software implementation. Trivium has attracted much attention in recent public cryptographic literatures for its simplicity and very good performance, such as [26, 27].

In this section, we apply our conditional searching method to Trivium to verify the validity of our method.

4.1 A brief description of Trivium

Trivium generates up to \(2^{64}\) bits of keystream from an 80-bit secret key and an 80-bit IV. For the sake of simplicity, we give an alternative description of the algorithm different from the already existed ones. Let A,  B and C be three registers of sizes 93, 84 and 111. Denoted by \(A^{t}\), \(B^{t}\) and \(C^{t}\) the corresponding states at time \(t~(t\ge 0)\),

$$\begin{aligned} A^{t} = (x^{t}_{1}, x^{t}_{2}, \cdot \cdot \cdot , x^{t}_{93}), \\ B^{t} = (y^{t}_{1}, y^{t}_{2}, \cdot \cdot \cdot , y^{t}_{84}),\\ C^{t} = (z^{t}_{1}, z^{t}_{2}, \cdot \cdot \cdot , z^{t}_{111}), \end{aligned}$$

and the three quadratic update functions are

$$\begin{aligned}&x^{t}_{93} = z^{t-1}_{1}+ z^{t-1}_{2}\cdot z^{t-1}_{3} + z^{t-1}_{46}+ x^{t-1}_{25},\\&y^{t}_{84} = x^{t-1}_{1}+ x^{t-1}_{2}\cdot x^{t-1}_{3} + x^{t-1}_{28}+ y^{t-1}_{7},\\&z^{t}_{111} = y^{t-1}_{1}+ y^{t-1}_{2}\cdot y^{t-1}_{3} + y^{t-1}_{16}+ z^{t-1}_{25}. \end{aligned}$$

The algorithm is initialized by loading an 80-bit secret key and an 80-bit IV into the 288-bit initial state, and setting all remaining bits to 0, except for \(z_{1},~z_{2}\) and \(z_{3}\),

$$\begin{aligned}&(x^{0}_{1},x^{0}_{2},\cdot \cdot \cdot ,x^{0}_{93})\leftarrow (0,\cdot \cdot \cdot ,0,k_{0},\cdot \cdot \cdot ,k_{79}),\\&(y^{0}_{1},y^{0}_{2},\cdot \cdot \cdot ,y^{0}_{84})\leftarrow (0,\cdot \cdot \cdot ,0,iv_{0},\cdot \cdot \cdot ,iv_{79}),\\&(z^{0}_{1},z^{0}_{2},\cdot \cdot \cdot ,z^{0}_{111})\leftarrow (1,1,1,0,\cdot \cdot \cdot ,0).~~~~~~~~ \end{aligned}$$

Let h be the output function. After an initialization of N rounds, in which the internal state is updated for N times, the cipher generates a keystream bit by \(h(A^{t},B^{t},C^{t})\) for each \(t \ge N\).

4.2 Conditional Searching for Trivium

The 80-bit IV is loaded into the shift register B and the propagation paths are shown in Fig. 2. To find the complementary variables, we just need to control the paths and in the first few rounds. For path , we guarantee that the cubes are not multiplied with each other in the first iteration. According to the taps in the feedback functions, the complementary variables are \(iv_{i-1}\) and \(iv_{i+1}\) corresponding to cube variable \(iv_{i}\). When the IV bits in the register C begin to be transmitted to the register A, we need to control the path . The complementary variables are \(iv_{i+14}\) and \(iv_{i+16}\) corresponding to cube variable \(iv_{i}\). In summary, if \(iv_{i}\) is chosen to be a cube variable, the set of complementary variables is \(\{iv_{i-1},iv_{i+1},iv_{i+14},iv_{i+16}\}\).

Fig. 2.
figure 2

Propagation paths of IV

Full size image
Table 1. Results of Trivium
Full size table

With Algorithm 1, we know that the sizes of conditional cubes are less than 38. Then, with Algorithm 2, we can obtain all conditional cubes of size 37 and 38 in a dozen seconds on a common PC. The result, see Table 1, shows that the output of 837-round Trivium has degree strictly less than 37 over a subset of the IV bits with size 37, which agrees with [20]. The corresponding cubes are the same and the amount of the conditional cubes is \(5945\approx 2^{12.5}\). Before this paper, the amount of cubes need to be searched is about \(2^{25}\) [20]. We can conclude that our conditional searching method is valid for Trivium and it has better performance.

5 Applications to Trivium-Variant Ciphers

The analysis of Trivum-like ciphers is to find a variant that will remove one of the biggest deficiencies in the Trivium design: the huge number of initial 1152 rounds, which makes the original Trivium stream cipher to have very high initial latencies when used in IoT devices. The parameters used in Trivium are subtle that a little change will affect the security a lot. Although there are some Trivium-based cryptosystems, such as Kreyvium [22], TriviA-SC [23] Bivium [24], Trivium-N [25] and so on, how do the parameters work is still a problem to be solved. In this section, we introduce two Trivium-variants named Par-Trivium and Loc-Trivium, and apply the conditional searching method to them to give some guidelines for choosing parameters according to the algebraic degree.

5.1 Applications to Par-Trivium

Par-Trivium is a variant of Trivium, where the parameters in the feedback functions of Trivium are changed. Determined by propagation paths of the IV bits, the algebraic degrees of conditional cubes are mainly associated with the taps from the register where the IV bits are loaded, and distances between the indexes of multiplied variables. In order to keep the elegant structure, the feedback functions of Par-Trivium at time t can be write as

$$\begin{aligned}&x^{t}_{93} = z^{t-1}_{1}+ z^{t-1}_{\alpha }\cdot z^{t-1}_{\alpha +\delta } + z^{t-1}_{46}+ x^{t-1}_{25},\\&y^{t}_{84} = x^{t-1}_{1}+ x^{t-1}_{\alpha }\cdot x^{t-1}_{\alpha +\delta } + x^{t-1}_{28}+ y^{t-1}_{\gamma },\\&z^{t}_{111} = y^{t-1}_{1}+ y^{t-1}_{\alpha }\cdot y^{t-1}_{\alpha +\delta } + y^{t-1}_{\beta }+ z^{t-1}_{25}. \end{aligned}$$

For Trivium, \(\alpha =2,~\beta =16,~\gamma =7,~\delta =1\). For simplicity, we denote by \(R_{\alpha ,\beta ,\gamma ,\delta }\) the maximum round that the conditional cubes of size \(37\le n\le 40\) have reached maximum degrees. Sometimes a part of the subscripts would be omitted and the symbol becomes \(R_{\beta ,\gamma }\), \(R_{\alpha }\) and so on.

The impacts of parameters \(\alpha ,\beta ,\gamma \) and \(\delta \) on the algebraic degrees are summarized in the following three properties.

Property 1

When \(\beta ,~\gamma \) and \(\delta \) are fixed, the maximum round that the conditional cubes have reached maximum degrees decreases with the growth of \(\alpha \).

It is obvious that the larger \(\alpha \) is, the earlier the feedback values take part in the iterations and the smaller the maximum round is. For \(\beta =16,~\gamma =7,~\delta =1\), the result is listed in Table 2. We can see that the maximum rounds \(R_{\alpha }\) is decreased with the growth of \(\alpha \).

Table 2. The maximum rounds \(R_{\alpha } \), when \(\beta =16,~\gamma =7,~\delta =1\)
Full size table

For Par-Trivium with parameters \((\alpha ,\beta ,\gamma ,\delta )\), the complementary variables are \(iv_{i-\delta }\), \(iv_{i+\delta }\), \(iv_{i+\beta -\delta -1}\) and \(iv_{i+\beta +\delta -1}\) corresponding to cube variable \(iv_{i}\). When \(i+\beta +\delta -1>79\), \(iv_{i+\beta +\delta -86+\gamma }\) will be multiplied with \(iv_{i+\delta -86+\gamma }\) according to the propagation paths of the IV bits. Also, when \(i+\beta -\delta -1>79\), \(iv_{i+\beta -\delta -86+\gamma }\) will be multiplied with \(iv_{i-\delta -86+\gamma }\). For example, when \(\alpha =2,~\beta =16,~\gamma =7\) and \(\delta =2\), we can know that

$$\begin{array}{l} z_{111}^1 = y_{16}^0 + \cdots = i{v_{11}} + \cdots , \\ \cdots \\ z_{111}^4 = y_{16}^3 + y_2^3 \cdot y_4^3 + \cdots = i{v_{14}} + i{v_0} \cdot i{v_2} + \cdots , \\[6pt] z_{111}^5 = y_{16}^4 + y_1^4 + y_2^4 \cdot y_4^4 + \cdots = i{v_{15}} + i{v_0} + i{v_1} \cdot i{v_3} + \cdots , \\ \cdots \\ z_{111}^{88} = y_{16}^{87} + y_1^{87} + y_2^{87} \cdot y_4^{87} + \cdots = i{v_{78}} + i{v_{63}} + i{v_{64}} \cdot i{v_{66}} + \cdots , \\[6pt] z_{111}^{89} = y_{16}^{88} + y_1^{88} + y_2^{88} \cdot y_4^{88} + \cdots = i{v_{79}} + i{v_{64}} + i{v_{65}} \cdot i{v_{67}} + \cdots , \\[6pt] z_{111}^{90} = y_{16}^{89} + y_1^{89} + y_2^{89} \cdot y_4^{89} + \cdots = i{v_2} + i{v_{65}} + i{v_{66}} \cdot i{v_{68}} + \cdots , \\ \cdots \\ z_{111}^{103} = y_{16}^{102} + y_1^{102} + \cdots = i{v_{15}} + i{v_{78}} + \cdots , \\[6pt] z_{111}^{104} = y_{16}^{103} + y_1^{103} + \cdots = i{v_{16}} + i{v_{79}} + \cdots , \\[6pt] z_{111}^{105} = y_{16}^{104} + y_1^{104} + \cdots = i{v_{17}} + i{v_2} + \cdots \\ \end{array}$$

according to the feedback functions. When \(t=198\), \(z_{111}^{88}\) and \(z_{111}^{90}\) will take part in the feedback of \( x_{93}^{198}\) and \(i{v_2}\) will be multiplied with \(i{v_{63}}\). Also, at time \(t=213\), \(z_{111}^{103}\) and \(z_{111}^{105}\) will take part in the feedback of \( x_{93}^{213}\) and \(i{v_2}\) will be multiplied with \(i{v_{15}}\). Take these into consideration, we can use our conditional searching method to estimate the maximum round \(R_{\alpha ,\beta ,\gamma ,\delta }\) with respect to the conditional cubes of size \(37\le n\le 40\) and we get the following result.

Property 2

For parameters \(\alpha ,~\beta ,~\gamma \) and \(\delta \), let \(q=79-\delta \mod 2\delta \) and

figure d

where k is the maximum integer satisfying \(\gamma \ge \gamma ^{*}\). When \(\alpha \) and \(\delta \) are fixed, the maximum round \(R_{\beta ,\gamma }\) that the conditional cubes of size \(37\le n\le 40\) have reached maximum degrees, satisfies that

$$R_{\beta ,\gamma }\le R_{\beta ^{*},\gamma ^{*}}$$

and \(R_{\beta ^{*},\gamma ^{*}}\) decreases with the growth of \(\beta ^{*}\) or \(\gamma ^{*}\).

When \(\alpha \) and \(\delta \) are fixed, for any \(\beta \) and \(\gamma \), we can obtain an upper bound of the number of initialization rounds such that the generated keystream bit does not achieve the maximum algebraic degree. For example, when \(\alpha =2\) and \(\delta =2\), we can get \(q=1\) and list a part of the maximum rounds for different \(\beta \) and \(\gamma \) in Table 3. We can see that in each square, the upper bound of the maximum rounds appears at the lower left. For \(21\le \beta \le 24\) and \(9\le \gamma \le 12\), it shows that \(R_{\beta ,\gamma }\le R_{\beta ^{*},\gamma ^{*}}=R_{21,9},\) where \(\beta ^{*}=21\) and \(\gamma ^{*}=9\), which is indicated by the gray part. Also, \(R_{\beta ^{*},\gamma ^{*}}\) is inversely proportional to \(\beta ^{*}\) or \(\gamma ^{*}\), see the numbers in bold in Table 3. Parameters \(\beta \) and \(\gamma \) for the maximum rounds in bold are the corresponding \(\beta ^{*}\) and \(\gamma ^{*}\). So, in design of Trivium-Like stream cipher, it is needed to choose \(\beta \) and \(\gamma \) as big as possible, and \(\beta ^{*}\) and \(\gamma ^{*}\) should be avoided. While the location of the lower bound is indeterminate in spite of the fact in Table 3. It’s a coincidence that the maximum round in the first column and second row is the smallest number.

Table 3. The maximum rounds \(R_{\beta ,\gamma }\), where \(\alpha =2\) and \(\delta =2\)
Full size table

Property 3

Let \(\alpha =2\). When \(\beta \) and \(\gamma \) run through all possible combinations, the maximum round that the conditional cubes have reached maximum degree decreases with the growth of \(\delta \).

It may be more persuasive to consider the relationship between the maximum round and \(\delta \) if \(\beta \) and \(\gamma \) are also fixed. But when \(\beta \) and \(\gamma \) are also fixed, different \(\delta \) would lead to the sizes of the corresponding conditional cubes smaller than 37, which makes the comparison meaningless. For \(\alpha =1,~\beta =16,~\gamma =7,\) the size of the conditional cubes is 38 corresponding to \(\delta =1\), but if \(\delta =6\), the size of the conditional cubes is smaller than 33. So we run through all possible \(\beta \) and \(\gamma \) to compare the maximum rounds. When \(1\le \delta \le 5\), the results are listed in Table 4. Here \(\alpha =2\) and three taps from register B, which are \(y_{1},~y_{2}\) and \(y_{2+\delta }\), are fixed. \(y_{\gamma }\) takes part in the feedback of register B separately and \(y_{\beta }\) takes part in the feedback of register C with \(y_{1},~y_{2}\) and \(y_{2+\delta }\) together, as

$$\begin{aligned} y^{t}_{84} = x^{t-1}_{1}+ x^{t-1}_{2}\cdot x^{t-1}_{2+\delta } + x^{t-1}_{28}+ y^{t-1}_{\gamma },\\ z^{t}_{111} = y^{t-1}_{1}+ y^{t-1}_{2}\cdot y^{t-1}_{2+\delta } + y^{t-1}_{\beta }+ z^{t-1}_{25}. \end{aligned}$$

So the range of values for \(\gamma \) is 1 to 84 and for \(\beta \) is 2 to 84. When \(\delta \) is given, the minimum values of \(\beta ^{*}\) and \(\gamma ^{*}\), and the maximum value of rounds are determined by Property 2. But some pairs of \((\beta ,\gamma )\) aren’t in consideration. For example, when \(\delta =3\), \(\beta ^{*}_{min}=7\), \(\gamma ^{*}_{min}=1\) and \(R_{7,1}=851\). But for \(2\le \beta \le 6\), we need to estimate the corresponding maximum rounds separately.

Table 4. The maximum rounds \(R_{\beta ,\gamma ,\delta } \), where \(\alpha =2\) and k is a positive integer
Full size table

The results give us some design principles for designing Trivium-Like ciphers. Ideally, the smaller the maximum rounds of NFSR-based cryptosystems such that the generated keystream bit does not achieve the maximum algebraic degree the better. So the parameters in Par-Trivium should be as big as possible on the premise of the security against other attacks. From the experiment results, we can know that the maximum round of Par-Trivium is 863 which is the worst case.

5.2 Applications to Loc-Trivium

Loc-Trivium is a variant of Trivium, where the key and the IV loading locations are changed in Trivium. In Trivium, the key bits are loaded into the register A and the IV bits are loaded into the register B. The maximum round that conditional cubes reach maximum degree is influenced mainly by propagation paths of the IV bits. So, if we change the key and IV loading locations, the maximum round will be changed. The experiments show that the maximum round is influenced mainly by the IV loading location and the corresponding taps. Here, an example is given to illustrate our findings.

Example 2

For Loc-Trivium, if we load the IV bits into the register A and the key bits into the register C, and other parameters remain unchanged, the loading procedure becomes

$$\begin{aligned}&(x^{0}_{1},x^{0}_{2},\cdot \cdot \cdot ,x^{0}_{93})\leftarrow (0,\cdot \cdot \cdot ,0,iv_{0},\cdot \cdot \cdot ,iv_{79}),\\&(y^{0}_{1},y^{0}_{2},\cdot \cdot \cdot ,y^{0}_{84})~\leftarrow (1,1,1,0,\cdot \cdot \cdot ,0),~~~~~~~\\&(z^{0}_{1},z^{0}_{2},\cdot \cdot \cdot ,z^{0}_{111})\leftarrow (0,\cdot \cdot \cdot ,0,k_{0},\cdot \cdot \cdot ,k_{79}). \end{aligned}$$

With the tool numeric mapping, we can estimate the maximum round R of Loc-Trivium. The results are listed in the second column of Table 5. We can see that the key bits loaded into the register A and the IV bits loaded into the register B are not the best choice in view of the algebraic degree. The best choice is to load the key bits into register A and the IV bits into the register C and the maximum round is 814 smaller than 837.

Table 5. R with different key and IV loading locations
Full size table

If we also change the taps from the register loaded with the IV bits as shown in Sect. 5.1, we can get similar results, except the complementary variables. The feedback functions at time t turn into

$$\begin{aligned}&x^{t}_{93} = z^{t-1}_{1}+ z^{t-1}_{\alpha }\cdot z^{t-1}_{\alpha +\delta } + z^{t-1}_{46}+ x^{t-1}_{\gamma },\\&y^{t}_{84} = x^{t-1}_{1}+ x^{t-1}_{\alpha }\cdot x^{t-1}_{\alpha +\delta } + x^{t-1}_{\beta }+ y^{t-1}_{7},\\&z^{t}_{111} = y^{t-1}_{1}+ y^{t-1}_{\alpha }\cdot y^{t-1}_{\alpha +\delta } + y^{t-1}_{16}+ z^{t-1}_{25}. \end{aligned}$$

The complementary variables are \(iv_{i-\delta }\), \(iv_{i+\delta }\), \(iv_{i+\beta -\delta -1}\) and \(iv_{i+\beta +\delta -1}\) corresponding to the cube variable \(iv_{i}\). When \(i+\beta +\delta -1>79\), \(iv_{i+\beta +\delta -113+\gamma }\) will be multiplied with \(iv_{i+\delta -113+\gamma }\) according to the propagation paths of the IV bits. Also, when \(i+\beta -\delta -1>79\), \(iv_{i+\beta -\delta -113+\gamma }\) will be multiplied with \(iv_{i-\delta -113+\gamma }\).

In the third column of Table 5, we list the maximum rounds R when the corresponding parameters are also changed. The result shows that Loc-Trivium with the key loaded in the register B and IV loaded in the register C has the maximum rounds 910, which is the worst case. The corresponding feedback functions are

$$\begin{aligned}&x^{t}_{93} = z^{t-1}_{1}+ z^{t-1}_{2}\cdot z^{t-1}_{3} + \mathbf {z^{t-1}_{3}}+ x^{t-1}_{25},\\&y^{t}_{84} = x^{t-1}_{1}+ x^{t-1}_{2}\cdot x^{t-1}_{3} + x^{t-1}_{28}+ y^{t-1}_{7},\\&z^{t}_{111} = y^{t-1}_{1}+ y^{t-1}_{2}\cdot y^{t-1}_{3} + y^{t-1}_{16}+ \mathbf {z^{t-1}_{1}}.\end{aligned}$$

Here some tap positions are the same. Ensure that all tap positions are distinct, we obtain that the maximum rounds is 906 and the corresponding feedback functions are

$$\begin{aligned}&x^{t}_{93} = z^{t-1}_{1}+ z^{t-1}_{2}\cdot z^{t-1}_{3} + \mathbf {z^{t-1}_{5}}+ x^{t-1}_{25},\\&y^{t}_{84} = x^{t-1}_{1}+ x^{t-1}_{2}\cdot x^{t-1}_{3} + x^{t-1}_{28}+ y^{t-1}_{7},\\&z^{t}_{111} = y^{t-1}_{1}+ y^{t-1}_{2}\cdot y^{t-1}_{3} + y^{t-1}_{16}+ \mathbf {z^{t-1}_{4}}.\end{aligned}$$

The results show that the key and IV loading locations play important roles in the algebraic degree of NFSR-based cryptosystems. When a new cipher with the similar structure is designed, both the parameters and the key and IV loading locations should be taken into account. The worst case that the maximum rounds is 910 or 906, which should be avoided to be resistant to cube attacks or cube tests when new ciphers are designed.

6 Conclusions

In this paper, we have shown a new cube searching method. The main idea is to reduce the searching space through controlling the propagation of the IV bits. With our cube searching method and the algebraic degree estimated method numeric mapping, we can confirm the maximum numbers of initialization rounds of some NFSR-based cryptosystems such that the generated keystream bit does not achieve the maximum algebraic degree. As illustrations, we applied our method to Trivium to verify the validity, our searching space is much smaller than that of the existing results. We also applied our method to two Trivium-variants, named Par-Trivium and Loc-Trivium, and we can get an upper bound of the maximum initialization rounds.

We believe that our method is useful in both cryptanalysis and design of NFSR-based cryptosystems. In design of Trivium-Like stream cipher, it is needed to choose \(\alpha ,~\beta ,~\gamma \) and \(\delta \) as big as possible on the premise of the security against other attacks, and \(\beta ^{*}\) and \(\gamma ^{*}\) should be avoided. The experiments show that the maximum round of Par-Trivium is 863 which is the worst case. For the key and IV loading locations, if other parameters are not changed, the loading locations used in Trivium are the worst case, but it doesn’t threaten the security. If other parameters are also changed, the worst and best choices are also given. For Loc-Trivium, the maximum initialization round of all considered Trivium-variants is 910 which is the worst case and should be avoided to be resistant to cube attacks or cube tests.