Trivium (cipher) - Specification

Specification

Trivium may be specified very concisely using three recursive equations. Each variable is an element of GF(2); they can be represented as bits, with "+" being XOR and "•" being AND.

• a_i = c_i−66 + c_i−111 + c_i−110 • c_i−109 + a_i−69
• b_i = a_i−66 + a_i−93 + a_i−92 • a_i−91 + b_i−78
• c_i = b_i−69 + b_i−84 + b_i−83 • b_i−82 + c_i−87

The output bits r₀ ... r₂₆₄₋₁ are then generated by

• r_i = c_i−66 + c_i−111 + a_i−66 + a_i−93 + b_i−69 + b_i−84

Given an 80-bit key k₀ ... k₇₉ and an l-bit IV v₀ ... v_l−1 (where 0 ≤ l ≤ 80), Trivium is initialized as follows:

• (a₋₁₂₄₅ ... a₋₁₁₅₃) = (0, 0 ... 0, k₀ ... k₇₉)
• (b₋₁₂₃₆ ... b₋₁₁₅₃) = (0, 0 ... 0, v₀ ... v_l−1)
• (c₋₁₂₆₃ ... c₋₁₁₅₃) = (1, 1, 1, 0, 0 ... 0)

The large negative indices on the initial values reflect the 1152 steps that must take place before output is produced.

To map a stream of bits r to a stream of bytes R, we use the little-endian mapping R_i = Σ_{j=0 ... 7} 2j r_8i+j.