# A SAT-Based Algorithm for Finding Short Cycles in Shift Register Based Stream Ciphers

Elena Dubrova<sup>1</sup> and Maxim Teslenko<sup>2</sup>

<sup>1</sup> Royal Institute of Technology, Electrum 229, 164 40 Stockholm, Sweden dubrova@kth.se

<sup>2</sup> Ericsson Research, Ericsson, Färögatan 6, 164 80 Stockholm, Sweden maxim.teslenko@ericsson.com

**Abstract.** This paper addresses the problem of finding short cycles in the internal state space of shift register based stream ciphers. The existing Boolean Decision Diagram (BDD) based algorithms for finding cycles have limited capacity due to the excessive memory requirements of BDDs. The simulation-based algorithms can be applied to larger instances, however, they cannot guarantee the detection of all cycles of a given length. The same holds for general-purpose SAT-based model checkers. We present a SAT-based algorithm which can find all short cycles in real cryptographic systems with very large state spaces. The algorithm is evaluated by analyzing Trivium, Bivium, and Grain family of stream ciphers. The analysis shows that Trivium, Bivium, Grain-80 and Grain-128 contain short cycles whose existence, to our best knowledge, was previously unknown. We describe how short cycles can theoretically be used to mount a fault attack which results in a full secret key recovery.

**Keywords:** Shift register, stream cipher, Trivium, Grain, cycle, SAT, fault attack, fault injection.

# 1 Introduction

SAT solvers are a powerful tool for finding solutions to Boolean satisfiability problem. Using backtracking and different heuristics, these solvers explore the exponential space of variable assignments looking for a satisfying assignment. In spite of NP-completeness of the SAT problem [1], today's SAT solvers are able to handle problem instances involving thousands of variables. This is sufficient for many practical SAT problems in formal verification, automatic test pattern generation, and logic synthesis [2].

In the past there were multiple attempts to use SAT solvers in cryptanalysis, including finding preimages for hash functions [3–5], generating collisions for hash functions [6], faking RSA signatures [7], recovering RSA private keys [8], finding (or disproving the existence of) weak keys in stream and block ciphers [9, 10], guess-and-determine attacks on stream ciphers [9], algebraic attacks [11–13], and side-channel attacks on software implementations of block ciphers [14]. So

called *logical cryptanalysis* has been introduced by Massacci and Marraro [15] as a general framework for encoding the low-level properties of cryptographic algorithms as SAT problems and then using efficient automated theorem-proving systems and SAT-solvers for reasoning about them. This approach has been followed by many, including [16–19]. However, it is generally quite difficult to make SAT solvers to produce meaningful results except for strongly reduced instances of cryptographic systems.

In this paper, we present a SAT-solver based algorithm which is able to produce results for important stream ciphers such as Trivium [20] and Grain [21] which are among the candidates that have continuously attracted attention since the end of the eStream project [22]. The presented algorithm can find all short cycles of a given length in the internal state space of a shift register-based stream cipher. Given that the internal state space of Trivium is of size  $2^{288}$ , designing an algorithm which guarantees that all cycles of a given length are detected is far from trivial. To the best of our knowledge, none of the existing algorithms is able to do it. The existing Boolean Decision Diagram (BDD) based algorithms [23,24] have limited capacity due to the excessive memory requirements of BDDs. The simulation-based algorithms [25–28] can be applied to larger problem instances, however, they cannot guarantee the detection of all cycles of a given length, even if the length is short. The same holds for the SAT-based algorithms that do not limit cycle length [29] and general-purpose SAT-based model checkers, e.g. [30]. There are many algorithms for finding cycles of length one, including [31-33], but they cannot handle larger cycles.

The presented algorithm uses a SAT-solver for the identification of paths of a particular length k in the state transition graph of a shift register. The input fed into the SAT-solver is a propositional formula representing the unfolding of the transition relation of the shift register by k time steps. A satisfying assignment to this propositional formula corresponds to a valid path of length k in the state transition graph. Since each state of a shift register has a unique next state, once a path reaches a loop, it never leaves it. So, we can determine the presence of a cycle simply by checking whether the last state of the path occurs at least twice on this path. Furthermore, for shift registers with invertible state transition functions (which is the case for stream ciphers), we can take advantage of that fact that their state transition diagrams consist of pure cycles, without branches. In this case, if the last state of a path of length k is equal to its first state, we can conclude that we found a cycle of length k or a factor of k. We can than mark all cycle's states by adding them as constrains to the input formula of the SAT-solver and, in the following iterations, search only for paths in which the last state is not marked. We repeat the process iteratively until the SAT-solver cannot find any more satisfying assignments.

This paper contributes to the ongoing work by providing an algorithm which can find all short cycles in real cryptographic systems. We evaluated the presented algorithm by analyzing Trivium, Bivium, Grain family stream ciphers. We found that Trivium, Bivium, Grain-80 and Grain-128 contain short cycles whose existence, to our best knowledge, was previously unknown (except for all-0 cycles). We describe how short cycles can be used to mount a fault attack which results in a full secret key recovery. Our attack is theoretical, we have not implemented it. It is based on the assumption that an attacker can set a specific shift register bit to either 0 or 1 value at a precise time of his/her choice. The fact that such an assumption can be realistic has been demonstrated by Skorobogatov and Anderson already in 2002 [34]. They used a focused flash light to set individual SRAM cells in a microcontroller to a fixed value. Since then the state-of-the-art in fault attacks advanced [35–37]. There are laboratories around the world which offer services in carrying out fault attacks using dedicated stations and high-resolution measurement equipment. It seems very likely that the attack we present might be feasible in practice (if not today, tomorrow) provided that a chip is not protected against fault injection. Therefore, it is important to bring this problem to the attention of research community. In Section 5 we propose a countermeasure against fault attacks which use all-0 cycle, but for other cases the problem is still open.

The paper is organized as follows. Section 2 gives the background on shift registers, stream ciphers and SAT-solvers. Section 3 presents the new SAT-based algorithm. Section 4 summarizes the experimental results on four stream ciphers. In section 5 we show how short cycles can be used to recover a secret key by a fault attack. Section 6 concludes the paper and discusses open problems.

## 2 Background

This section gives an introduction to shift registers, stream ciphers and SAT solvers and describes basic notions used in the paper.

#### 2.1 Shift registers

As a model of a shift register, we use a deterministic finite state machine with a set of states  $S = \{0, 1\}^n$  and the state transition function  $f: S \to S$ . We are not concerned with inputs and outputs in this paper, so we assume that the input alphabet is empty and there is no output function.

The state transition function f defines the next state  $s^+ = (x_1^+, x_2^+, \ldots, x_n^+)$ as f(s), where  $s = (x_1, x_2, \ldots, x_n)$  is a current state and  $x_i \in \{0, 1\}$  and  $x_i^+ \in \{0, 1\}$  are Boolean variables representing the bit number i of the current and next state, respectively,  $\forall i \in \{1, 2, \ldots, n\}$ . The bit number i of the output of fis computed by the Boolean function  $f_i : S \to \{0, 1\}, \forall i \in \{1, 2, \ldots, n\}$ . In other words, the state transition function f defines the mapping

$$\begin{pmatrix} x_1 \\ \dots \\ x_n \end{pmatrix} \to \begin{pmatrix} f_1(x_1, \dots, x_n) \\ \dots \\ f_n(x_1, \dots, x_n) \end{pmatrix}.$$
 (1)

Note that such a general definition of shift registers includes the linear and non-linear feedback shift registers in the Fibonacci and the Galois configurations [38], shift registers with feedforward connections (e.g. used in Trivium), as well as Golomb's binary machines [39, p. 21].



Fig. 1. The state transition graph of the function defined by (2).

Each state transition function f induces a directed graph called the *state* transition graph in which the nodes represent the states and the edges represent possible transitions between the states. The node x (the predecessor) in connected to node y (the successor) by an edge if f(x) = y. Nodes forming a loop are called a *cycle*. A node x satisfying f(x) = x is regarded as a cycle of length 1. Every node has a unique successor, but some nodes may have no predecessors and some may have more than one predecessor. In general, a state transition graph consists of a number of cycles and a number of directed trees rooted in cycles. For example, Figure 1 shows the state transition graph for the state transition function

$$\begin{pmatrix} x_1 \\ x_2 \\ x_3 \end{pmatrix} \to \begin{pmatrix} x_2 \\ x_3 \oplus x_1 x_2 \\ x_1 \oplus x_2 \end{pmatrix}$$
(2)

where " $\oplus$ " is for the Boolean XOR (the Boolean AND in the product-terms is omitted).

If the state transition function f is invertible, so that for every y there is an x satisfying f(x) = y, then f is called a *permutation*, and the state transition diagram consists of pure cycles, without any trees rooted in them. Stream ciphers [20, 40] and hash functions [41, 42] typically use invertible state transition functions to prevent incremental reduction of the entropy of the state. The round function of a block cipher [43–45] has to be invertible in order to result in a unique decryption.

Conditions for invertibility are well-known [39] for Fibonacci NLFSRs whose state transition function is of type

$$\begin{pmatrix} x_1 \\ x_2 \\ \dots \\ x_n \end{pmatrix} \to \begin{pmatrix} x_2 \\ x_3 \\ \dots \\ f(x_1, \dots, x_n) \end{pmatrix}.$$

An n-bit Fibonacci NLFSR is invertible if and only if the Boolean function updating its nth bit has the form:

$$f(x_1,\ldots,x_n)=x_1\oplus g(x_2,\ldots,x_n)$$

where  $g: \{0,1\}^{n-1} \to \{0,1\}$  does not depend on  $x_1$ .

For Galois NLFSRs, a sufficient condition for invertibility has been derived in [46]. An n-bit Galois NLFSR is invertible if its state transition function is of type

$$\begin{pmatrix} x_1 \\ x_2 \\ x_3 \\ \dots \\ x_n \end{pmatrix} \rightarrow \begin{pmatrix} x_2 \oplus g_1 \\ x_3 \oplus g_2(x_2) \\ x_4 \oplus g_3(x_2, x_3) \\ \dots \\ x_1 \oplus g_n(x_2, x_3 \dots, x_n) \end{pmatrix}$$

## 2.2 Stream ciphers

A stream cipher is a symmetric cryptographic primitive that allows two parties which share a secret key to communicate confidential information [47]. Stream ciphers generate a stream of pseudo-random bits, called *the keystream*, given a secret key and a public random initialization vector (IV). The keystream is combined with the plaintext message before the message is send, typically by bitwise XORing. The received ciphertext is again XORed with the keystream to recover the original plaintext. As a result, the message cannot be read while in transit or storage by unauthorized parties who do not posses the secret key.

The stream ciphers considered in this paper are based on one or more shift registers with linear or non-linear state transition functions as well as an output function that maps the internal register state to keystream bits. Stream ciphers have two working phases: (1) an initialization phase and (2) a keystream generation phase. During the initialization, key and IV are usually mixed by shifting the shift registers while updating them with a combination of the state transition function and the output function. During the keystream generation, the shift registers are shifted and their state transition functions are evaluated, while the keystream is generated from the internal state using the output function.

## 2.3 SAT solvers

SAT solvers are software tools that employ efficient heuristics to decide whether a set of constraints has a solution. Constraints are typically represented by a propositional formula in the Conjunctive Normal Form (CNF). In a CNF, each variable symbol in the expression, x or  $\overline{x}$ , is called a *literal*. A *clause* is a disjunction (Boolean OR) of literals. CNF is a conjunction (Boolean AND) of clauses.

SAT solvers are widely used in Electronic Design Automation (EDA) for formal verification, automatic test pattern generation, and logic synthesis [2], though they are also popular in a growing number of other domains.

Modern SAT solvers that are typically based on the Davis-Putnam-Logemann-Loveland (DPLL) algorithm [48] which is a refinement of the earlier Davis-Putnam algorithm [49]. Most efficient DPLL-based SAT solvers include GRASP [50], where a powerful conflict analysis procedure was introduced, and Chaff [51], where a particularly efficient implementation of Boolean constraint propagation and a novel low overhead decision strategy were introduced. Solvers that employ

these techniques are called *conflict-driven* SAT solvers. In this paper we use MiniSat [52], a conflict-driven SAT solver which is designed to be easily adaptable to different domains. Other reasons for choosing MiniSat is its competitive performance, code availability, and flexibility in adding arbitrary Boolean constraints

MiniSat employs a backtracking-based, depth-first search algorithm to find a satisfying assignment of variables for a set of clauses. The algorithm branches on a variable by picking it heuristically, guessing its value to be TRUE or FALSE and examining whether the values of other variables depend on this guess. The affected variables are then assigned and the search continues until no more assignments can be made. During this propagation phase, a conflict may be detected, i.e. a clause that cannot be satisfied may be found (because all its literals became false). If this happens, a so called *conflict clause* (or *learned clause*) which describes the wrong guesses that lead to the conflict is constructed and added to the SAT problem. Assumptions are then canceled by backtracking until the conflict clause becomes a unit, at which point it is propagated and the search process continues. The conflict clauses drive the backtracking, guiding the algorithm in choosing the best next guess, and speed up future conflicts by caching the reason for the conflict [52]. Eventually, either a satisfiable assignment is found, or the search tree is exhausted implying that no satisfying assignment exists.

## 3 Description of the Algorithm

The pseudocode of the presented algorithm is given as Algorithm 1. The algorithm 1 finds cycles of length k and factors of k in a shift register with an invertible state transition function f.

### 3.1 Transition relation

The state transition function f of an n-bit shift register induces a transition relation  $T \subseteq S \times S$  which can be described by the following propositional formula:

$$T(s,s^+) = \bigwedge_{i=1}^n (x_i^+ \leftrightarrow f_i(x_1,\dots,x_n))$$
(3)

where " $\wedge$ " and " $\leftrightarrow$ " are the Boolean logic operations AND and EQUALITY, respectively.

For example, the transition relation for the state transition function in the example (2) is given by:

$$T(s,s^+) = (x_1^+ \leftrightarrow x_2) \land (x_2^+ \leftrightarrow x_3 \oplus x_1 x_2) \land (x_3^+ \leftrightarrow x_1 \oplus x_2).$$
(4)

Algorithm 1 An algorithm for finding cycles of length k and factors of k in the internal state space of an n-bit shift register with an invertible state transition function  $f : \{0, 1\}^n \to \{0, 1\}^n$ .

1:  $T = \bigwedge_{i=1}^{n} (x_i^+ \leftrightarrow f_i(x_1, \dots, x_n));$  /\* transition relation induced by  $f^*$ / 2:  $T_{-k\dots 0} = \bigwedge_{i=-k}^{-1} T(s_i, s_{i+1});$  /\* unfolding of T from the time step -k to 0 \*/ 3:  $F = T_{-k\dots 0};$  /\* propositional formula representing  $T_{0\dots -k}$  \*/ 4:  $F = F \land (s_{-k} \leftrightarrow s_0)$ ; /\* adding a constrain requiring the last state of a path \*/ 5:/\* of length k,  $s_0$ , to be equal to the first state,  $s_{-k}$  \*/ 6:  $C(s_0) = 0$ ; /\* propositional formula representing the set states of all currently \*/ /\* found cycles expressed in terms of variables of the state  $s_0$  \*/ 7: 8: Find the set  $M_k$  of all factors of k; 9: while Sat(F) do for each  $m \in M_k$  do 10:if  $s_{-m} = s_0$  then 11: for (j = 0; j > -m; j - -) do 12: $C(s_0) = C(s_0) \lor (s_0 \leftrightarrow a_j);$  /\* marking a cycle of length  $m^*/$ 13: $/*a_i$  is the assignment of variables of the state  $s_i$  returned by  $\operatorname{Sat}(F)^*/$ 14:end for 15: $F = F \wedge \neg C(s_0)$ ; /\* adding a constrain describing marked cycles \*/  $16 \cdot$ 17:break: 18:end if 19:end for 20: end while 21: **return** all cycles contained in  $C(s_0)$ 

#### 3.2 Unfolding of transition relation

At step 2 of the algorithm, the unfolding of the transition relation T by k time steps is constructed.

The unfolding of a transition relation by k time steps is typically performed by taking the AND of the transition relations from the current state to the next state, from the next state to the one after next state, etc., from the state at the time step k - 1 to the state at the time step k [30]. For instance, for the example defined by (2), the unfolding by two time steps is computed as  $T(s, s^+) \wedge T(s^+, s^{++})$ , where  $T(s, s^+)$  is given by (4) and  $T(s^+, s^{++})$  is given by

$$T(s^+, s^{++}) = (x_1^{++} \leftrightarrow x_2^+) \land (x_2^{++} \leftrightarrow x_3^+ \oplus x_1^+ x_2^+) \land (x_3^{++} \leftrightarrow x_1^+ \oplus x_2^+).$$

A possible satisfying assignment for the expression  $T(s, s^+) \wedge T(s^+, s^{++})$  is  $s = (101), s^+ = (011), \text{ and } s^{++} = (111)$ . This assignment corresponds to the path  $101 \rightarrow 011 \rightarrow 111$  in the state transition graph in Figure 1.

#### 3.3 Reverse direction of unfolding

Let  $T_{0...k}$  denotes the unfolding of the transition relation T from the time step 0 to the time step k:

$$T_{0...k} = \bigwedge_{i=0}^{k-1} T(s_i, s_{i+1}).$$

Note that we need to switch from the previous notation  $T(s, s^+)$  to the notation  $T(s_i, s_{i+1})$  in order to describe longer sequences of states.

It is common to unfold the transition relation T in the forward direction, as shown above, however, we have chosen to unfold T in the *reverse* order, from the time step -k to the time step 0 (step 2):

$$T_{-k\dots 0} = \bigwedge_{i=-k}^{-1} T(s_i, s_{i+1}).$$
(5)

In this way, the states from the previous time steps rather than the next ones are added to the unfolding. As a result, the last state of the unfolded transition relation is always  $s_0$ , independently of the depth of unfolding. For example, the unfolding by two time steps is computed as  $T_{-2,-1,0} = T(s_{-2}, s_{-1}) \wedge T(s_{-1}, s_0)$ . In this case, the path  $101 \rightarrow 011 \rightarrow 111$  in the state transition graph in Figure 1 corresponds to the satisfying assignment  $s_{-2} = (101)$ ,  $s_{-1} = (011)$ , and  $s_0 =$ (111). This way of unfolding reduces the number of extra clauses added to F at each iteration of SAT-solver. A similar strategy was used in the algorithm [29].

#### 3.4 Finding satisfying assignments

Once the transition relation is unfolded, the propositional formula F representing the unfolding  $T_{-k...0}$  is constructed using the standard procedure [30] (step 3). Then a constrain  $s_{-k} \leftrightarrow s_0$  which means that the last state of a path of length  $k, s_0$ , should to be equal to the first state of the path,  $s_{-k}$ , is added to F (step 4) and the SAT-solver is called to find a satisfying assignment for F (step 9).

The function  $\operatorname{Sat}(F)$  takes the expression F and returns TRUE if there exists an assignment of variables for the states  $s_{-k}, \ldots, s_1, s_0$  which makes F true. Such a satisfying assignment corresponds to a path of length k in the state transition graph induced by the state transition function f. A path has length k if it makes k transitions between the states. Since we added to F the constrain  $s_{-k} \leftrightarrow s_0$ , we also know that in the path returned by the SAT-solver the last state is equal to the first. This means we found a cycle which can either be of length k, or a factor of k.

To find the length of the cycle, for each of the factors of k, m, we check if the last state of the path,  $s_0$ , is equal to  $s_{-m}$  (step 11). In the pseudocode, the set  $M_k$  containing all factors of k is computed at step 8, before the first run of the SAT-solver. If a shorter than k cycle if found, the **for**-loop breaks.

For instance, a possible satisfying assignment for the unfolding by two steps  $T_{-2,-1,0} = T(s_{-2}, s_{-1}) \wedge T(s_{-1}, s_0)$  in the example (2) is  $s_{-2} = (110), s_{-1} =$ 

(110), and  $s_0 = (110)$ . This assignment corresponds to the path  $110 \rightarrow 110 \rightarrow 110$  in the state transition graph in Figure 1. By checking the set of factors  $M_2 = \{1,2\}$  of 2, we can determine that this path corresponds to a cycle of length 1 and stop checking other factors.

## 3.5 Identifying and marking cycles

If Algorithm 1 finds that  $s_0 = s_{-m}$  for some  $m \in M_k$ , the corresponding cycle of length m is marked by adding constraints to the input formula of the SATsolver, F. In the following iterations, the algorithm only searches for paths in which the last state is not marked.

Clearly, if the last state of a path of length k does not belong to a cycle of length at most k, then no states of this path belongs to such a cycle either. In our case, the last state of a path is always  $s_0$ . Therefore, it is sufficient to express the constraints in terms of variables of the state  $s_0$  only. By adding these constraints to F, we restrict F in such a way that no satisfying assignment for F returned by the SAT solver contains a state of a previously found cycle.

The constraints are added to F as  $F = F \land \neg C(s_0)$  (step 13), where  $C(s_0)$ is the propositional formula describing the characteristic function of the set of states of all currently found cycles expressed in terms of variables of the state  $s_0$ and "¬" is the Boolean logic operation NOT. Before the first run of the SATsolver, at step 6,  $C(s_0)$  is initialized to 0. If the algorithm finds a cycle of length m (step 11), each of the m states of this cycle,  $s_j, j \in \{0, 1, \ldots, m-1\}$ , is added to  $C(s_0)$  as  $C(s_0) = C(s_0) \lor (s_0 \leftrightarrow a_j)$ , where  $a_j$  is an n-bit vector corresponding to the assignment of variables of the state  $s_j$  returned by the SAT-solver.

In the presented approach, the number of extra clauses added to F at each iteration is equal to the total number of states in the cycles found at this iteration, i.e. at most k. So, a formula of size O(nk) is added to F, where n is the number of variables. Contrary, in a general case, a formula of size  $O(np \log p)$ , where p is the depth of unfolding, has to be added to to F to mark cycles [53].

If a satisfying assignment does not exist, then there is no cycle of length k or a factor of k among the unmarked states of the state transition graph. This implies that all cycles of length k and a factor of k are already found and marked. The algorithm terminates and returns the set of all found cycles (step 21).

## 4 Analysis of Trivium, Bivium and Grain

We applied the presented algorithm to Trivium, Bivium, Grain-80 and Grain-128 stream ciphers. This section shows the results and compares them to the results of the SAT-based algorithm from [29].

It might be worth mentioning that a random permutation over a set of p elements is expected to have an average of log p cycles [54]. The number of r-cycles is expected to decrease as 1/r, for any fixed integer  $1 \le r \le p$  [54].

#### 4.1 Analysis of Trivium

We used the presented algorithm to search for short cycles in Trivium stream cipher [20]. Trivium has a 288-bit internal state in which only 3 out of 288 bits are updated non-trivially. The rest of bits shift the content of the previous bit.

Let  $(x_1, x_2, \ldots, x_{288})$  be the variables representing the bits of a current state of Trivium. At each clock cycle, the bit number *i* of the next state, denoted by  $x_i^+$ , is computed as:

 $\begin{aligned} x_1^+ &= x_{288} \oplus x_{287} x_{286} \oplus x_{243} \oplus x_{69} \\ x_{94}^+ &= x_{93} \oplus x_{92} x_{91} \oplus x_{171} \oplus x_{66} \\ x_{178}^+ &= x_{177} \oplus x_{176} x_{175} \oplus x_{264} \oplus x_{162} \end{aligned}$ 

and  $x_i^+ = x_{i-1}$  for all other  $x_i, i \in \{2, 3, \dots, 93, 95, \dots, 177, 179, \dots, 288\}.$ 

We searched for cycles of length k, for k = 1, 2, 3, ... until the timeout of 12 hours was reached at k = 31. The results are shown in Table 1. The 2nd row in the table shows the number  $N_k$  of cycles of length k found by the Algorithm 1. The 3rd row shows CPU time, t. The experiments were run on a PC with Intel Core i7-4600U CPU at 2.1 GHz with 7.7 GB RAM running under Ubuntu 14.04 LTS.

| k     | 1      | 2                     | 3     | 4           | 5            |        | 6      | 7      | 8        | 9           | 10     | 11       | 12       |  |
|-------|--------|-----------------------|-------|-------------|--------------|--------|--------|--------|----------|-------------|--------|----------|----------|--|
| $N_k$ | 1      | 0                     | 21    | 0           | 0            |        | 0      | 0      | 0        | 0           | 1      | 1        | 2        |  |
| t     | 0.004s | 0.003s                | 0.011 | s 0.004 $s$ | 0.01         | 4s 0.0 | 030s   | 0.040s | 0.091    | s 0.099 $s$ | 0.359s | 0.261    | s 0.384s |  |
|       |        |                       |       |             |              |        |        |        |          |             |        |          |          |  |
| k     | 13     | 14                    | 15    | 16          | 17           | 7      | 18     |        | 19       | 20          | 4      | 21       | 22       |  |
| $N_k$ | 0      | 0                     | 1     | 0           | 0            |        | 0      |        | 0        | 0           |        | 0        | 0        |  |
| t     | 0.034s | 0.748s                | 0.565 | s 7.275s    | 10.6         | 04s 5  | 3.16   | ls 1m2 | 2.358s   | 3m18.44     | 2s 3m5 | .661s    | 48.548s  |  |
|       |        |                       |       |             |              |        |        |        |          |             |        |          |          |  |
| k     | 23     | 24                    |       | 25          | 25           |        |        | 27     |          | 28          | 29     |          | 30       |  |
| $N_k$ | 0      | 0                     |       | 0           | 0            |        |        | 0      |          | 0           | 0      |          | 0        |  |
| t     | 0.285s | s 15m10.014s 14m43.51 |       | 13s (       | ).125s 8m46. |        | 46.997 | s 1511 | n44.853s | 0.239s      | 511n   | 119.397s |          |  |

**Table 1.** The number  $N_k$  of cycles of length k found in Trivium; t is the runtime.

In total, we found 27 cycles: one cycle of length 1 (all-0), 21 cycles of length 3, one cycle of length 10, one cycle of length 11, 2 cycles of length 12, and one cycle of length 15. Note, however, that these cycles do not directly affect security of Trivium because none of them contains a state required for Trivium's initialization. Trivium is initialized by loading the following state into its state register:

 $(x_1, x_2, \dots, x_{93}) = (K_1, \dots, K_{80}, 0, \dots, 0)$   $(x_{94}, x_{95}, \dots, x_{177}) = (IV_1, \dots, IV_{80}, 0, \dots, 0)$  $(x_{178}, x_{179}, \dots, x_{288}) = (0, \dots, 0, 1, 1, 1)$ 

10

where  $(K_1, \ldots, K_{80})$  is an 80-bit key and  $(IV_1, \ldots, IV_{80})$  is an 80-bit initialization value (IV), and clocking the cipher  $4 \times 288$  times.

#### 4.2 Analysis of Bivium

We also applied the presented algorithm to Bivium stream cipher [55], a simplified version of Trivium.

Bivium [55] has a 177-bit internal state in which only 2 out of 177 bits are updated non-trivially. Using the same notation as in the previous section, Bivium can be specified as:

$$x_1^+ = x_{177} \oplus x_{176} x_{175} \oplus x_{69} \oplus x_{162}$$
$$x_{94}^+ = x_{93} \oplus x_{92} x_{91} \oplus x_{171} \oplus x_{66}$$

and  $x_i^+ = x_{i-1}$  for all other  $x_i, i \in \{2, 3, \dots, 93, 95, \dots, 177\}$ .

Due to a smaller search space, the timeout of 12 hours was reached at k = 44. In Bivium, we found only one cycle of length 1 (all-0) and 5 cycles of length 3. As in Trivium's case, these cycles do not directly affect security of Bivium because none of them contains a state required for Bivium's initialization. Bivium is initialized by loading the following state into the state register:

$$(x_1, x_2, \dots, x_{93}) = (K_1, \dots, K_{80}, 0, \dots, 0)$$
  
$$(x_{94}, x_{95}, \dots, x_{177}) = (IV_1, \dots, IV_{80}, 0, \dots, 0)$$

where  $(K_1, \ldots, K_{80})$  is an 80-bit key and  $(IV_1, \ldots, IV_{80})$  is an 80-bit IV, and clocking the cipher 4 times.

#### 4.3 Analysis of Grain-80

The stream cipher Grain-80 [40] is constructed from an 80-bit NLFSR and an 80-bit LFSR. The LFSR is known to have the maximum period of  $2^{80} - 1$  since it uses a primitive generator polynomial of degree 80. The period of the NLFSR is unknown, however, the input stage of the NLFSR is fed from the output stage of the LFSR to guarantee the lower bound of  $2^{80} - 1$  on the overall period of the two combined shift registers.

We investigated the state space of the 80-bit NLFSR of Grain-80 for the case when it is disconnected from the LFSR. In this case, its feedback function is specified as

 $\begin{aligned} x_{80}^+ &= x_{64} \oplus x_{61} \oplus x_{53} \oplus x_{46} \oplus x_{38} \oplus x_{34} \oplus x_{29} \oplus x_{22} \oplus x_{16} \oplus x_{10} \oplus x_1 \oplus x_{64} x_{61} \\ &\oplus x_{38} x_{34} \oplus x_{16} x_{10} \oplus x_{61} x_{53} x_{46} \oplus x_{34} x_{29} x_{22} \oplus x_{64} x_{46} x_{29} x_{10} \oplus x_{61} x_{53} x_{38} x_{34} \\ &\oplus x_{64} x_{61} x_{22} x_{16} \oplus x_{64} x_{61} x_{53} x_{46} x_{38} \oplus x_{34} x_{29} x_{22} x_{16} x_{10} \oplus x_{53} x_{46} x_{38} x_{34} x_{29} x_{22} \end{aligned}$ 

and  $x_i^+ = x_{i+1}$  for all other  $x_i, i \in \{1, 2, \dots, 79\}$ .

The timeout of 12 hours was reached at k = 46. We found one cycle of length 1 (all-0), one cycle of length 3 and one cycle of length 12. Note that in the

full version Grain-80, when the NLFSR is combined with the LFSR, the cycles of length 3 and 12 will translate into the cycles of length  $3 \times (2^{80} - 1)$  and  $12 \times (2^{80} - 1)$ .

Grain-80 is initialized by loading an 80-bit key into the NLFSR, loading a 64-bit IV into the first 64-bits of the LFSR, filling the rest of LFSR with 1s, and clocking the cipher 160 times without producing keystream. Since no restrictions are imposed on the 80-bit key loaded into the NLFSR, the key may potentially be one of the states of the short cycles.

#### 4.4 Analysis of Grain-128

Similarly to Grain-80, the stream cipher Grain-128 is constructed from an 128-bit NLFSR and a 128-bit LFSR which is feeding the input stage of the NLFSR [21].

We investigated the state space of the 128-bit NLFSR of Grain-128 for the case when it is separated from the LFSR. In this case, its feedback function is specified as

$$\begin{aligned} x_{128}^+ = x_1 \oplus x_{27} \oplus x_{57} \oplus x_{92} \oplus x_{97} \oplus x_4 x_{68} \oplus x_{12} x_{14} \oplus x_{18} x_{19} \oplus x_{28} x_{60} \\ \oplus x_{41} x_{49} \oplus x_{62} x_{66} \oplus x_{69} x_{85} \end{aligned}$$

and  $x_i^+ = x_{i+1}$  for all other  $x_i, i \in \{1, 2, \dots, 127\}$ .

The timeout of 12 hours was reached at k = 32. We found one cycle of length 1 (all-0), one cycle of length 7 one cycle of length 8. Note that in the full version Grain-128, when the NLFSR is combined with the LFSR, the cycles of length 7 and 8 will translate into the cycles of length  $7 \times (2^{128} - 1)$  and  $8 \times (2^{128} - 1)$ .

Grain-128 is initialized by loading an 128-bit key into the NLFSR, loading a 96-bit IV into the first 96-bits of the LFSR, filling the rest of LFSR with ones, and clocking the cipher 256 times without producing keystream. Since no restrictions are imposed on the 128-bit key loaded into the NLFSR, the key may potentially be one of the states of the short cycles.

## 4.5 Comparison with the SAT-based algorithm from [29]

The algorithm presented in [29] is a SAT-based algorithm which does not limit the cycle length. It was developed for the analysis of so called (n, 2) random Boolean networks (or Kauffman networks) which are used in physics to model spin glasses [56] and in biology to study cell differentiation [57], immune response [58], and evolution [59]. The (n, 2) random Boolean networks use noninvertible *n*-variable state transition functions in which each Boolean function depends on at most two variables assigned at random. They are known to have a small number of short cycles [60]. While quite successful for the (n, 2) random Boolean network case, the algorithm [29] does not seem suitable for the invertible mappings in which all states belong to some cycle. This makes the search for all cycles unfeasible for large n.

We have applied the algorithm [29] to Trivium, Bivium, Grain-80 and Grain-128. It all four cases, the algorithm [29] was able to find all-0 cycles, but no other short cycles. The process was killed due to the memory blow-up.

12

## 5 Fault Attack Based on Short Cycles

In this section, we describe how short cycles can theoretically be used to recover a secret key by a fault attack.

The idea of fault attacks is to intentionally inject a fault in an implementation of a cryptographic system so that the potential computational error caused by the fault can be exploited to expose secrets [35–37].

We assume that an attacker can set a specific shift register bit/flip-flop to either 0 or 1 value. Moreover, we assume that the attacker can inject faults at a precise time of his/her choice.

The attack is performed during the initialization phase as follows. Let  $(S_1, S_2, \ldots, S_n)$  be one of the states of one of the short cycles C of length m of a stream cipher with an n-bit internal state. Suppose that, in the original specification, the k-bit key  $(K_1, K_2, \ldots, K_k)$  is loaded into the first k bits of the internal state. Then, rather than loading into the stream cipher the required initialization state, n-1 single-bit faults are injected so that the loaded state is  $(K_1, S_2, \ldots, S_n)$ . The cipher is clocked as many times as required by the initialization phase, and then the keystream is generated and analyzed for the presence of length m cycles. If there is a cycle of length m, then  $K_1 = S_1$ . Otherwise,  $K_1$  is the complement of  $S_1$ . The attack is repeated k - 1 times to recover the remaining bits of the key one by one. To recover the bit  $K_i$ , n - 1 faults are injected so that the loaded state is  $(S_1, \ldots, S_{i-1}, K_i, S_{i+1}, \ldots, S_n)$ , for  $i \in \{1, 2, \ldots, k\}$ .

To summarize, an attacker can determine the complete k-bit key by performing k times an attack which injects n-1 single-bit transient faults.

For Bivium and Trivium, short cycles which we computed in Section 4 can be directly used to mount this fault attack. For Grain-80 and Grain-128, the cycles were computed assuming that the NLFSR-part is disconnected from the LFSR-part. Therefore, for Grain-80 and Grain-128, in addition to injecting faults representing the short cycles of the NLFSR, the attacker needs to inject faults which set to all-0 the initial states of the 80-bit and 128-bit LFSRs, respectively. This will prevent the LFSR from affecting the NLFSR-part of Grain.

The difficulty of implementing the presented fault attack depends on the mechanism which is used for loading the initialization state into a stream cipher. In the typical scenario when the bits of the initialization state are loaded sequentially, bit-by-bit, into the input stage of the state register and then shifted further into the register, the attacker needs to identify in the layout of a chip the flip-flop corresponding to the input stage of the shift register, and, for all i rounds of the attack,  $i \in \{1, 2, \ldots, k\}$ , consecutively set this flip-flop to n - 1 desired values  $S_j, j \in \{1, \ldots, i - 1, i + 1, \ldots, n\}$ , injecting one fault per clock cycle and keeping precise synchronization with the clock. Note that, if all-0 state is used as C, then the attack becomes particularly simple since the attacker has to inject the same value into the same position during n - 1 clock cycles (mostly consecutive, with at most one interruption for  $K_i$ ).

In the case of parallel load, when the initialization state is loaded as one word in one clock cycle, the attacker has to simultaneously inject n - 1 faults into n - 1 different flip-flops. Again, using all-0 state may simplify the attack.

At this point the reader may be wondering why do we need other short cycles if all-0 state is sufficient for mounting the attack. This is because the attack based on all-0 state is easiest to detect using countermeasures similar to the runtime health checks monitoring true Random Number Generators (RNGs). For example, FIPS-140 mandates that all approved RNGs use a runtime health check that verifies that the generator has not become stuck, i.e. generating the same value over and over again [61]. With such a check implemented in a stream cipher, it will be easy to detect an attack which uses all-0 as the initial state. However, an attack using not-all-0 initial states of other short cycles will go undetected.

# 6 Conclusion

In this paper, we presented a SAT-based algorithm for finding short cycles and applied it to Trivium, Bivium, Grain-80 and Grain-128 stream ciphers. We found that all four ciphers contain short cycles whose existence, to our best knowledge, was previously unknown (except for all-0 cycles). We described how short cycles can be used to mount a fault attack which results in a full secret key recovery. We proposed a countermeasure against fault attacks using all-0 cycle, but for other cases the problem is still open.

Note that the presented algorithm is applicable not only to shift-register based systems, but also to any invertible mapping of type  $\{0,1\}^n \to \{0,1\}^n$  including Feistel networks [62], T-functions [63], and univariate permutation polynomials modulo  $2^n$  [64].

Our next steps is apply the presented algorithm to other cryptographic systems. Systems which use only a secret key and IV for their initialization, without fixing the remaining state bits (if any) to constants, seem to be particularly vulnerable.

The source code of the presented algorithm is available from the authors upon request.

# 7 Acknowledgements

The first author was supported in part by the research grant No SM14-0016 from the Swedish Foundation for Strategic Research.

## References

- S. A. Cook, "The complexity of theorem-proving procedures," in 3rd Annual ACM Symposium on Theory of Computing, pp. 151–158, 1971.
- in Logic Synthesis and Verification (S. Hassoun and S. Tsutomu, eds.), Norwell, MA, USA: Kluwer Academic Publishers, 2002.
- D. De, A. Kumarasubramanian, and R. Venkatesan, "Inversion attacks on secure hash functions using SAT solvers," in *Proceedings of the 10th International Conference on Theory and Applications of Satisfiability Testing*, SAT'07, (Berlin, Heidelberg), pp. 377–382, Springer-Verlag, 2007.

- V. Nossum, SAT-based Preimage Attacks on SHA-1. MSc. Thesis, University of Oslo, Norway, 2012.
- P. Morawiecki and M. Srebrny, "A SAT-based preimage analysis of reduced keccak hash functions," *Inf. Process. Lett.*, vol. 113.10-11, pp. 392–397, 2013.
- I. Mironov and L. Zhang, "Applications of SAT solvers to cryptanalysis of hash functions," in *Proceedings of the 9th International Conference on Theory and Applications of Satisfiability Testing*, SAT'06, (Berlin, Heidelberg), pp. 102–115, Springer-Verlag, 2006.
- 7. C. Fiorini, E. Martinelli, and F. Massacci, "How to fake an RSA signature by encoding modular root finding as a SAT problem," *Discrete Appl. Mat.*
- C. Patsakis, "Rsa private key reconstruction from random bits using SAT solvers." Cryptology ePrint Archive, Report 2013/026, 2013. http://eprint.iacr.org/.
- 9. F. Lafitte, O. Markowitch, and D. Van Heule, "SAT based analysis of LTE stream cipher ZUC, booktitle = Proceedings of the 6th International Conference on Security of Information and Networks, series = SIN '13, year = 2013, isbn = 978-1-4503-2498-4, location = Aksaray, Turkey, pages = 110–116, numpages = 7, url = http://doi.acm.org/10.1145/2523514.2523533, doi = 10.1145/2523514.2523533, acmid = 2523533, publisher = ACM, address = New York, NY, USA, keywords = 128-EEA3, 128-EIA3, LTE, SAT solver, ZUC, stream cipher,,"
- F. Lafitte, J. Nakahara, and V. D. Heule, "Applications of sat solvers in cryptanalysis: Finding weak keys and preimages," *Journal of Politics in Latin America*;2014, Vol. 6 Issue 2, p1, vol. 6, 2014.
- B. Chen, "Strategies on algebraic attacks using SAT solvers," in Young Computer Scientists, 2008. ICYCS 2008. The 9th International Conference for, pp. 2204– 2209, Nov 2008.
- M. Soos, K. Nohl, and C. Castelluccia, "Extending SAT solvers to cryptographic problems," in *Proceedings of the 12th International Conference on Theory and Applications of Satisfiability Testing*, SAT '09, (Berlin, Heidelberg), pp. 244–257, Springer-Verlag, 2009.
- P. Jovanovic and M. Kreuzer, "Algebraic attacks using SAT-solvers," Groups Complexity Cryptology, vol. 2.2, pp. 247–259, 2010.
- 14. N. R. Potlapally, A. Raghunathan, S. Ravi, N. K. Jha, and R. B. Lee, "Satisfiability-based framework for enabling side-channel attacks on cryptographic software," in *Proceedings of the Conference on Design, Automation and Test in Europe: Designers' Forum*, DATE '06, (3001 Leuven, Belgium, Belgium), pp. 18–23, European Design and Automation Association, 2006.
- F. Massacci and L. Marraro, "Logical cryptanalysis as a SAT problem," J. Autom. Reason., vol. 24, pp. 165–203, Feb. 2000.
- D. Jovanović and P. Janičić, "Logical analysis of hash functions," in *Proceedings of* the 5th International Conference on Frontiers of Combining Systems, FroCoS'05, (Berlin, Heidelberg), pp. 200–215, Springer-Verlag, 2005.
- 17. T. Eibach, E. Pilz, and G. Völkel, *Attacking Bivium Using SAT Solvers*, pp. 63–76. Berlin, Heidelberg: Springer Berlin Heidelberg, 2008.
- E. Homsirikamol, P. Morawiecki, M. Rogawski, and M. Srebrny, Security Margin Evaluation of SHA-3 Contest Finalists through SAT-Based Attacks, pp. 56–67. Berlin, Heidelberg: Springer Berlin Heidelberg, 2012.
- L. Papay, Use of SAT Solvers in Cryptanalysis. MSc. Thesis, Comenius University, Bratislava, Slovakia, 2016.
- C. D. Canniere and B. Preneel, "TRIVIUM specifications," citeseer.ist.psu.edu/734144.html.

- M. Hell, T. Johansson, A. Maximov, and W. Meier, "A stream cipher proposal: Grain-128," in *Information Theory*, 2006 IEEE International Symposium on, pp. 1614–1618, July 2006.
- 22. "estream: the ecrypt stream cipher project," 2008. http://www.ecrypt.eu.org/stream/.
- E. Dubrova, M. Teslenko, and A. Martinelli, "Kauffman networks: Analysis and applications," in *Proceedings of the IEEE/ACM International Conference on Computer-Aided Design*, pp. 479–484, November 2005.
- 24. A. Garg, I. Xenarios, L. Mendoza, and G. De Micheli, "An efficient method for dynamic analysis of gene regulatory networks and in silico gene perturbation experiments," in *Proceedings of 11th Annunal International Conference on Research* in Computational Molecular Biology (RECOMB'2007), vol. 4453 of Lecture Notes in Computer Science, pp. 62–76, Springer, April 2007.
- 25. S. Bilke and F. Sjunnesson, "Stability of the Kauffman model," *Physical Review* E, vol. 65, p. 016129, 2001.
- J. E. S. Socolar and S. A. Kauffman, "Scaling in ordered and critical random Boolean networks." http://arXiv.org/abs/cond-mat/0212306.
- C. Oosawa, "Effects of alternative connectivity on behavior of randomly constructed Boolean networks," *Physica D: Nonlinear Phenomena*, vol. 170, no. 2, pp. 143–161, 2002.
- L. Raeymaekers, "Dynamics of Boolean networks controlled by biologically meaningful functions," *Theoretical Biology*, vol. 218, no. 3, pp. 331–41, 2002.
- E. Dubrova and M. Teslenko, "A SAT-based algorithm for finding attractors in synchronous Boolean networks," *IEEE/ACM Transactions on Computational Biology* and Bioinformatics, vol. 8, no. 5, pp. 1393–1399, 2011.
- A. Biere, A. Cimatti, E. Clarke, M. Fujita, and Y. Zhu, "Symbolic model checking using SAT procedures instead of BDDs," *Proceedings of Design Automation Conference (DAC'99)*, pp. 317–320, June 1999.
- 31. T. Tamura and T. Akutsu, "An improved algorithm for detecting a singleton attractor in a Boolean network consisting of AND/OR nodes," in *Proceedings of the* 3rd International Conference on Algebraic Biology (AB'08), vol. 5147 of Lecture Notes in Computer Science, pp. 216–229, Springer, July-August 2008.
- 32. T. Akutsu and T. Tamura, "On finding a fixed point in a Boolean network with maximum indegree 2," *IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences*, vol. E92.A, no. 8, pp. 1771–1778, 2009.
- 33. A. Naldi, D. Thieffry, and C. Chaouiya, "Decision diagrams for the representation and analysis of logical models of genetic networks," in *Proceedings of International Conference on Computational Methods in Systems Biology (CMSB'2007)*, vol. 4695 of *Lecture Notes in Computer Science*, pp. 233–247, Springer, September 2007.
- S. P. Skorobogatov and R. J. Anderson, "Optical fault induction attacks," in Revised Papers from the 4th International Workshop on Cryptographic Hardware and Embedded Systems, CHES '02, (London, UK), pp. 2–12, Springer-Verlag, 2003.
- C. Giraud and H. Thiebeauld, A Survey on Fault Attacks, pp. 159–176. Boston, MA: Springer US, 2004.
- H. Bar-El, H. Choukri, D. Naccache, M. Tunstall, and C. Whelan, "The sorcerer's apprentice guide to fault attacks," *Proceedings of the IEEE*, vol. 94, pp. 370–382, Feb 2006.
- D. Karaklajic, J. M. Schmidt, and I. Verbauwhede, "Hardware designer's guide to fault attacks," *IEEE Transactions on Very Large Scale Integration (VLSI) Systems*, vol. 21, pp. 2295–2306, Dec 2013.

16

- 38. E. Dubrova, "A transformation from the Fibonacci to the Galois NLFSRs," IEEE Transactions on Information Theory, vol. 55, pp. 5263–5271, November 2009.
- 39. S. Golomb, Shift Register Sequences. Aegean Park Press, 1982.
- 40. M. Hell, T. Johansson, and W. Meier, "Grain a stream cipher for constrained environments," citeseer.ist.psu.edu/732342.html.
- 41. G. Bertoni, J. Daemen, M. Peeters, and G. V. V. Assche, "The Kessak reference," January 2011. http://keccak.noekeon.org/.
- 42. J.-P. Aumasson, L. Henzen, W. Meier, and M. Naya-Plasencia, "Quark: A lightweight hash," Journal of Cryptology, vol. 26, no. 2, pp. 313–339, 2013.
- 43. J. Daemen and V. Rijmen, "AES proposal: Rijndael," April 2003. National Institute of Standards and Technology.
- 44. A. Bogdanov, L. Knudsen, G. Leander, C. Paar, A. Poschmann, M. Robshaw, Y. Seurin, and C. Vikkelsoe, "Present: An ultra-lightweight block cipher," in Cryptographic Hardware and Embedded Systems - CHES 2007 (P. Paillier and I. Verbauwhede, eds.), vol. 4727 of Lecture Notes in Computer Science, pp. 450-466, Springer Berlin Heidelberg, 2007.
- 45. J. Borghoff, A. Canteaut, T. Gneysu, E. Kavun, M. Knezevic, L. Knudsen, G. Leander, V. Nikov, C. Paar, C. Rechberger, P. Rombouts, S. Thomsen, and T. Yaln, "Prince - a low-latency block cipher for pervasive computing applications," in Advances in Cryptology ASIACRYPT 2012 (X. Wang and K. Sako, eds.), vol. 7658 of Lecture Notes in Computer Science, pp. 208–225, Springer Berlin Heidelberg, 2012.
- 46. E. Dubrova, "On constructing secure and hardware-efficient invertible mappings," in Proceedings of International Symposium on Multiple-Valued Logic (IS-MVL'2016), pp. 27-33, May 2016.
- 47. M. Robshaw, "Stream ciphers," Tech. Rep. TR 701, July 1994.48. M. Davis, G. Logemann, and D. Loveland, "A machine program for theoremproving," Commun. ACM, vol. 5, pp. 394-397, July 1962.
- 49. M. Davis and H. Putnam, "A computing procedure for quantification theory," J. ACM, vol. 7, pp. 201-215, July 1960.
- 50. J. P. M. Silva and K. A. Sakallah, "Conflict analysis in search algorithms for satisfiability," in Tools with Artificial Intelligence, 1996., Proceedings Eighth IEEE International Conference on, pp. 467–469, Nov 1996.
- 51. M. W. Moskewicz, C. F. Madigan, Y. Zhao, L. Zhang, and S. Malik, "Chaff: Engineering an efficient SAT solver," in Proceedings of the 38th Annual Design Automation Conference, DAC '01, (New York, NY, USA), pp. 530-535, ACM, 2001.
- 52. N. Eén and N. Sörensson, An Extensible SAT-solver, pp. 502–518. Berlin, Heidelberg: Springer Berlin Heidelberg, 2004.
- 53. D. Kroening and O. Strichman, "Efficient computation of recurrence diameters," in Proceedings of the 4th International Conference on Verification, Model Checking, and Abstract Interpretation (VMCAI'2003), vol. 2575 of Lecture Notes in Computer Science, pp. 298–309, Springer, January 2003.
- 54. P. Flajolet and A. M. Odlyzko, Random Mapping Statistics, pp. 329–354. Berlin, Heidelberg: Springer Berlin Heidelberg, 1990.
- 55. H. Raddum, "Cryptanalytic results on TRIVIUM." ECRYPT Stream Cipher Project, Report 2006/039, 2006. http://www.ecrypt.eu.org/stream.
- 56. B. Derrida and H. Flyvbjerg, "Multivalley structure in Kauffman's model: Analogy with spin glass," J. Phys. A: Math. Gen., vol. 19, p. L1103, 1986.
- 57. S. Huang and D. E. Ingber, "Shape-dependent control of cell growth, differentiation, and apoptosis: Switching between attractors in cell regulatory networks," Experimental Cell Research, vol. 261, pp. 91-103, 2000.

- S. A. Kauffman and E. D. Weinberger, "The NK model of rugged fitness landscapes and its application to maturation of the immune response," *Theoretical Biology*, vol. 141, pp. 211–245, 1989.
- S. A. Kauffman, The Origins of Order: Self-Organization and Selection of Evolution. Oxford: Oxford University Press, 1993.
- M. Aldana, S. Coopersmith, and L. P. Kadanoff, "Boolean dynamics with random couplings." http://arXiv.org/ abs/adap-org/9305001.
- 61. "Fips pub 140-2, security requirements for cryptographic modules," 2001. http://csrc.nist.gov/groups/STM/cmvp/standards.html.
- H. Feistel, "Cryptography and computer privacy," Scientific American, vol. 228, pp. 15–23, May 1973.
- A. Klimov and A. Shamir, "A new class of invertible mappings," in *Revised Papers from the 4th International Workshop on Cryptographic Hardware and Embedded Systems*, CHES'02, (London, UK), pp. 470–483, Springer-Verlag, 2002.
- R. L. Rivest, "Permutation polynomials modulo 2<sup>w</sup>," Finite Fields and Their Applications, vol. 7, pp. 287–292, 1999.