The Trivium algorithm is a hardware-efficient (profile 2), synchronous stream cipher designed by Christophe De Canniere and Bart Preneel. The cipher makes use of an 80-bit key and an 80-bit initialisation vector (IV); its secret state has 288 bits, consisting of three interconnected non-linear feedback shift registers of length 93, 84 and 111 bits, respectively. The cipher operation consists of two phases: the key and IV set-up and the keystream generation. Initialisation is very similar to keystream generation and requires 1152 steps (four full rotations of the 288-bit state) of the clocking procedure of Trivium, during which no output is produced. The keystream is generated by repeatedly clocking the cipher, where in each clock cycle three state bits are updated using a non-linear feedback function (the only non-linearity being one AND gate per register), and one bit of keystream is produced and output. The cipher specification states that up to 2^64 keystream bits can be generated from each key/IV pair. As with any synchronous stream cipher, a key/IV pair must never be reused: XORing two ciphertexts produced under the same pair cancels the keystream and exposes the XOR of the plaintexts.
The Trivium stream cipher was designed to be compact in constrained environments and fast in applications that require a high throughput. In particular, the cipher's design is such that the basic throughput can be improved through parallelisation (allowing up to 64 iterations to be computed at once, because no feedback or output tap lies within 64 positions of a register's input, so 64 consecutive clocks read only bits of the old state), without an undue increase to the area required for its implementation. For instance, for 0.13 μm Standard Cell CMOS the gate count is 2599 NAND gates for one bit of output and 4921 NAND gates for the full 64-bit parallelisation (see article for more details). A 64-bit implementation in 0.25 μm 5-metal CMOS technology yields a throughput per area ratio of 129 Gbit/s per mm^2 (see article), which is higher than for any other eSTREAM portfolio cipher. Hardware performance of all profile-2 eSTREAM candidates (phase 3) was described in Good and Benaissa's paper at SASC 2008 (article). Prototype quantities of an ASIC containing all phase-3 hardware candidates were designed and fabricated on 0.18 μm CMOS, as part of the eSCARGOT project.
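The two paragraphs above describe the state layout, the 1152-clock set-up, the per-clock feedback and the 64-way parallelisation. The following is an added example (written for this page, not the eSTREAM reference code or the designers' own implementation) that implements Trivium twice: a bit-serial generator that follows the specification's s1..s288 indices literally, and a 64-way parallel generator that advances the state 64 clocks per step with 64-bit word operations, which is exactly the property the hardware figures rely on. The mapping of key and IV bytes to state bits (LSB of key[0] becomes s1) is this example's own convention and is an assumption; compare against the reference implementation before checking published test vectors. The key, IV and message values at the bottom are constructed sample inputs.

```python
"""Trivium: bit-serial reference and 64-way parallel keystream generators.
Added example, not the eSTREAM reference code. Byte-to-bit convention
(LSB of key[0] is s1) is this example's own assumption."""

STATE_BITS = 288
INIT_CLOCKS = 4 * STATE_BITS   # 1152 set-up clocks, output discarded
MASK64 = (1 << 64) - 1


def bytes_to_bits(data: bytes, nbits: int) -> list:
    """Constructed convention: bit i is bit (i % 8) of byte (i // 8), LSB first."""
    return [(data[i // 8] >> (i % 8)) & 1 for i in range(nbits)]


def bits_to_bytes(bits: list) -> bytes:
    out = bytearray(len(bits) // 8)
    for i, b in enumerate(bits):
        out[i // 8] |= b << (i % 8)
    return bytes(out)


class TriviumSerial:
    """One keystream bit per clock; self.s[p] is the spec's s_p (s[0] unused)."""

    def __init__(self, key: bytes, iv: bytes):
        if len(key) != 10 or len(iv) != 10:
            raise ValueError("Trivium uses an 80-bit key and an 80-bit IV")
        k, v = bytes_to_bits(key, 80), bytes_to_bits(iv, 80)
        # (s1..s93) = (K, 0..0), (s94..s177) = (IV, 0..0), (s178..s288) = (0..0, 1, 1, 1)
        self.s = [0] + k + [0] * 13 + v + [0] * 4 + [0] * 108 + [1, 1, 1]
        for _ in range(INIT_CLOCKS):          # key/IV set-up: four full rotations
            self.clock()

    def clock(self) -> int:
        s = self.s
        t1 = s[66] ^ s[93]
        t2 = s[162] ^ s[177]
        t3 = s[243] ^ s[288]
        z = t1 ^ t2 ^ t3                      # the keystream bit
        t1 ^= (s[91] & s[92]) ^ s[171]        # one AND gate per register
        t2 ^= (s[175] & s[176]) ^ s[264]
        t3 ^= (s[286] & s[287]) ^ s[69]
        # shift each register by one: t3 enters s1, t1 enters s94, t2 enters s178
        self.s = [0] + [t3] + s[1:93] + [t1] + s[94:177] + [t2] + s[178:288]
        return z

    def keystream(self, nbits: int) -> list:
        return [self.clock() for _ in range(nbits)]


class TriviumParallel64:
    """64 keystream bits per step. A register of length L is an int whose bit
    (L - q) holds local position q, so one clock is an int shift by one. Every
    tap sits at local position >= 66, so the bits read by 64 consecutive clocks
    all come from the old state and can be computed in a single word operation."""

    def __init__(self, key: bytes, iv: bytes):
        if len(key) != 10 or len(iv) != 10:
            raise ValueError("Trivium uses an 80-bit key and an 80-bit IV")
        k, v = bytes_to_bits(key, 80), bytes_to_bits(iv, 80)
        self.a = sum(bit << (92 - i) for i, bit in enumerate(k))   # s1..s93
        self.b = sum(bit << (83 - i) for i, bit in enumerate(v))   # s94..s177
        self.c = 0b111                                              # s286..s288 = 1
        for _ in range(INIT_CLOCKS // 64):    # 1152 = 18 * 64
            self.step64()

    @staticmethod
    def tap(reg: int, length: int, q: int) -> int:
        """Word whose bit i is local position (q - i) of reg, for i = 0..63."""
        return (reg >> (length - q)) & MASK64

    def step64(self) -> int:
        a, b, c, tap = self.a, self.b, self.c, self.tap
        t1 = tap(a, 93, 66) ^ tap(a, 93, 93)
        t2 = tap(b, 84, 69) ^ tap(b, 84, 84)       # s162, s177
        t3 = tap(c, 111, 66) ^ tap(c, 111, 111)    # s243, s288
        z = t1 ^ t2 ^ t3
        t1 ^= (tap(a, 93, 91) & tap(a, 93, 92)) ^ tap(b, 84, 78)     # s171
        t2 ^= (tap(b, 84, 82) & tap(b, 84, 83)) ^ tap(c, 111, 87)    # s264
        t3 ^= (tap(c, 111, 109) & tap(c, 111, 110)) ^ tap(a, 93, 69)
        # shift each register by 64 and insert the 64 new bits at its input end
        self.a = (a >> 64) | (t3 << 29)    # 93 - 64
        self.b = (b >> 64) | (t1 << 20)    # 84 - 64
        self.c = (c >> 64) | (t2 << 47)    # 111 - 64
        return z                            # bit i = keystream bit i of this step

    def keystream_bytes(self, nbytes: int) -> bytes:
        out = bytearray()
        while len(out) < nbytes:
            out += self.step64().to_bytes(8, "little")
        return bytes(out[:nbytes])


def trivium_crypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (the same operation) by XOR with the keystream."""
    ks = TriviumParallel64(key, iv).keystream_bytes(len(data))
    return bytes(x ^ y for x, y in zip(data, ks))


def serial_matches_parallel(key: bytes, iv: bytes, nbytes: int = 32) -> bool:
    """Check that the word-parallel generator reproduces the bit-serial one."""
    serial = bits_to_bytes(TriviumSerial(key, iv).keystream(8 * nbytes))
    return serial == TriviumParallel64(key, iv).keystream_bytes(nbytes)


if __name__ == "__main__":
    key, iv = bytes(range(10)), bytes(range(10, 20))   # constructed sample values
    print(serial_matches_parallel(key, iv))
    ct = trivium_crypt(key, iv, b"attack at dawn")     # constructed sample message
    print(ct.hex(), trivium_crypt(key, iv, ct))
```

The parallel class is the software mirror of the 64-bit hardware datapath mentioned above: each `tap` call is the 64-bit bus that a hardware design would wire from the register, and the shift-by-64 plus insert is what replaces 64 single-bit shifts. Because the set-up length is a multiple of 64, initialisation also runs as 18 parallel steps. For a practitioner the two implementations serve as a cross-check: any mismatch between them points at a tap index or a shift width that was copied wrong, which is the most common error when porting a shift-register cipher.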
Although Trivium does not target software applications, the cipher is still reasonably efficient on a standard PC. For more information about eSTREAM ciphers performance in software, refer to the eSTREAM testing framework page.
The elegant and simple structure of Trivium has attracted the attention of many cryptanalysts; however, there is so far no attack faster than exhaustive key search. Smaller versions of the cipher have been proposed, mostly for the purpose of cryptanalytic experiments: for instance Bivium (a variant with two FSRs rather than three) and variants of Trivium with a round-reduced key/IV set-up. These reduced versions have in fact been successfully attacked; however, none of the attacks can be extended to the full cipher.
The designers make no intellectual property claim on Trivium (see statement).