https://de.wikipedia.org/w/api.php?action=feedcontributions&feedformat=atom&user=Ciphergoth Wikipedia - User contributions [de] 2026-02-25T05:17:28Z User contributions MediaWiki 1.46.0-wmf.16

https://de.wikipedia.org/w/index.php?title=Trivium_(Algorithmus)&diff=83575948 Trivium (Algorithmus) 2010-09-09T06:04:23Z <p>Ciphergoth: /* Security */ tidy up AIDA reference</p> <hr /> <div>[[Image:Trivium_(cipher).png|thumb|300px|right|Structure of Trivium]]

'''Trivium''' is a synchronous [[stream cipher]] designed to provide a flexible trade-off between speed and [[gate count]] in hardware, and reasonably efficient software implementation.

It was submitted to the Profile II (hardware) of the [[eSTREAM]] competition by its authors, [[Christophe De Cannière]] and [[Bart Preneel]], and has been selected as part of the portfolio for low area hardware ciphers (Profile 2) by the eSTREAM project. It is not patented.

It generates up to 2<sup>64</sup> [[bit]]s of output from an 80-bit [[key length|key]] and an 80-bit [[initialization vector|IV]]. It is the simplest eSTREAM entrant; while it shows remarkable resistance to cryptanalysis for its simplicity and performance, recent attacks leave the security margin looking rather slim.

==Description==
Trivium's 288-bit internal state consists of three [[shift register]]s of different lengths. At each round, a bit is shifted into each of the three shift registers using a non-linear combination of taps from that and one other register; one bit of output is produced. To initialize the cipher, the key and IV are written into two of the shift registers, with the remaining bits starting in a fixed pattern; the cipher state is then updated 4 × 288 = 1152 times, so that every bit of the internal state depends on every bit of the key and of the IV in a complex nonlinear way.

No taps appear on the first 64 bits of each shift register, so each novel state bit is not used until at least 64 rounds after it is generated. This is the key to Trivium's software performance and flexibility in hardware.

==Specification==
Trivium may be specified very concisely using three recursive equations.<ref>[http://www.ecrypt.eu.org/stream/phorum/read.php?1,448 eSTREAM Phorum, 2006-02-20]</ref> Each variable is an element of [[finite field|GF]](2); they can be represented as [[bit]]s, with "+" being [[Exclusive or|XOR]] and multiplication being [[Binary and|AND]].

*''a''<sub>''i''</sub> = ''c''<sub>''i''-66</sub> + ''c''<sub>''i''-111</sub> + ''c''<sub>''i''-110</sub> ''c''<sub>''i''-109</sub> + ''a''<sub>''i''-69</sub>
*''b''<sub>''i''</sub> = ''a''<sub>''i''-66</sub> + ''a''<sub>''i''-93</sub> + ''a''<sub>''i''-92</sub> ''a''<sub>''i''-91</sub> + ''b''<sub>''i''-78</sub>
*''c''<sub>''i''</sub> = ''b''<sub>''i''-69</sub> + ''b''<sub>''i''-84</sub> + ''b''<sub>''i''-83</sub> ''b''<sub>''i''-82</sub> + ''c''<sub>''i''-87</sub>

The output bits ''r''<sub>0</sub> ... ''r''<sub>2<sup>64</sup>-1</sub> are then generated by

*''r''<sub>''i''</sub> = ''c''<sub>''i''-66</sub> + ''c''<sub>''i''-111</sub> + ''a''<sub>''i''-66</sub> + ''a''<sub>''i''-93</sub> + ''b''<sub>''i''-69</sub> + ''b''<sub>''i''-84</sub>

Given an 80-bit key ''k''<sub>0</sub> ... ''k''<sub>79</sub> and an ''l''-bit IV ''v''<sub>0</sub> ... ''v''<sub>''l''-1</sub> (where 0 ≤ ''l'' ≤ 80), Trivium is initialized as follows:

*(''a''<sub>-1245</sub> ... ''a''<sub>-1153</sub>) = (0, 0 ... 0, ''k''<sub>0</sub> ... ''k''<sub>79</sub>)
*(''b''<sub>-1236</sub> ... ''b''<sub>-1153</sub>) = (0, 0 ... 0, ''v''<sub>0</sub> ... ''v''<sub>''l''-1</sub>)
*(''c''<sub>-1263</sub> ... ''c''<sub>-1153</sub>) = (1, 1, 1, 0, 0 ... 0)

The large negative indices on the initial values reflect the 1152 steps that must take place before output is produced.

To map a stream of bits ''r'' to a stream of bytes ''R'', we use the little-endian mapping ''R''<sub>''i''</sub> = Σ<sub>''j''=0 ... 7</sub> 2<sup>j</sup> ''r''<sub>8''i''+j</sub>.

==Performance==
A straightforward hardware implementation of Trivium would use 3488 [[logic gate]]s and produce one bit per clock cycle. However, because each state bit is not used for at least 64 rounds, 64 state bits can be generated in parallel at a slightly greater hardware cost of 5504 gates.
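The three recurrences, the initialization rule and the little-endian byte mapping from the Specification section, carried through as an added Python example (this is not the eSTREAM reference code and not part of the original article): it loads the key and IV, runs the 1152 warm-up updates, and XORs the resulting keystream with data. The one convention the article does not fix is how key and IV bytes map to the bits ''k''<sub>0</sub> ... ''k''<sub>79</sub> and ''v''<sub>0</sub> ... ''v''<sub>''l''-1</sub>; the code assumes the same little-endian rule the article gives for output bytes, so before relying on it compare its output with the test vectors shipped with the eSTREAM implementation linked under External links.

```python
from __future__ import annotations

# Added example (not the eSTREAM reference implementation): Trivium written
# directly from the article's recurrences.  Assumption: key and IV bytes map to
# bits with the same little-endian rule the article gives for output bytes.

WARMUP_ROUNDS = 4 * 288  # 1152 state updates before any output bit is used


def bytes_to_bits(data: bytes) -> list[int]:
    """Inverse of R_i = sum_j 2^j r_{8i+j}: bit j of byte i becomes bit 8i+j."""
    return [(byte >> j) & 1 for byte in data for j in range(8)]


def bits_to_bytes(bits: list[int]) -> bytes:
    """R_i = sum_{j=0..7} 2^j r_{8i+j}, the mapping given in the article."""
    return bytes(sum(bits[8 * i + j] << j for j in range(8))
                 for i in range(len(bits) // 8))


class Trivium:
    """Registers a (93 bits), b (84 bits) and c (111 bits), each stored newest
    bit first, so reg[k-1] is the article's x_{i-k}."""

    def __init__(self, key: bytes, iv: bytes = b"") -> None:
        if len(key) != 10:
            raise ValueError("Trivium key must be exactly 80 bits (10 bytes)")
        if len(iv) > 10:
            raise ValueError("Trivium IV is at most 80 bits (10 bytes)")
        k = bytes_to_bits(key)   # k_0 .. k_79
        v = bytes_to_bits(iv)    # v_0 .. v_{l-1}, 0 <= l <= 80
        # (a_{-1245} .. a_{-1153}) = (0 .. 0, k_0 .. k_79): k_79 is the newest bit.
        self.a = k[::-1] + [0] * (93 - len(k))
        # (b_{-1236} .. b_{-1153}) = (0 .. 0, v_0 .. v_{l-1}); absent IV bits are 0.
        self.b = v[::-1] + [0] * (84 - len(v))
        # (c_{-1263} .. c_{-1153}) = (1, 1, 1, 0 .. 0): the three oldest bits are 1.
        self.c = [0] * 108 + [1, 1, 1]
        for _ in range(WARMUP_ROUNDS):
            self._step()         # output discarded while the state is mixed

    def _step(self) -> int:
        """One round: compute r_i, then shift a_i, b_i, c_i into the registers."""
        a, b, c = self.a, self.b, self.c
        ta = a[65] ^ a[92]       # a_{i-66} + a_{i-93}
        tb = b[68] ^ b[83]       # b_{i-69} + b_{i-84}
        tc = c[65] ^ c[110]      # c_{i-66} + c_{i-111}
        r = ta ^ tb ^ tc         # r_i: the six linear taps, no AND terms
        # a_i = c_{i-66} + c_{i-111} + c_{i-110} c_{i-109} + a_{i-69}
        new_a = tc ^ (c[109] & c[108]) ^ a[68]
        # b_i = a_{i-66} + a_{i-93} + a_{i-92} a_{i-91} + b_{i-78}
        new_b = ta ^ (a[91] & a[90]) ^ b[77]
        # c_i = b_{i-69} + b_{i-84} + b_{i-83} b_{i-82} + c_{i-87}
        new_c = tb ^ (b[82] & b[81]) ^ c[86]
        for reg, bit in ((a, new_a), (b, new_b), (c, new_c)):
            reg.insert(0, bit)   # newest bit enters at index 0 ...
            reg.pop()            # ... and the oldest falls off the end
        return r

    def keystream(self, nbytes: int) -> bytes:
        """Next nbytes of keystream, packed with the article's byte mapping."""
        return bits_to_bytes([self._step() for _ in range(8 * nbytes)])


def trivium_xor(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (the same operation) by XORing with the keystream.
    A fresh Trivium instance per call means a fresh (key, IV) pair per message;
    reusing a (key, IV) pair for two messages leaks their XOR, as with any
    synchronous stream cipher."""
    ks = Trivium(key, iv).keystream(len(data))
    return bytes(x ^ y for x, y in zip(data, ks))


if __name__ == "__main__":
    demo_key = bytes(range(10))   # constructed sample key, not a test vector
    demo_iv = bytes(10)
    print(Trivium(demo_key, demo_iv).keystream(16).hex())
```

The registers are kept newest-bit-first so that each tap index in the code reads off the article's recurrences directly (''x''<sub>''i''-''k''</sub> is `reg[k-1]`); an IV shorter than 80 bits is simply padded with zeros at the old end of register ''b'', exactly as the initialization rule states, so a 0-byte IV and a 10-byte all-zero IV produce the same keystream.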
Different tradeoffs between speed and area are also possible.

The same property allows an efficient bitslice implementation in software; performance testing by [[eSTREAM]] gives bulk encryption speeds of around 4 [[Cycles per byte|cycles/byte]] on some [[x86]] platforms, which compares well to the 19 cycles/byte of the [[Advanced Encryption Standard|AES]] reference implementation on the same platform.

==Security==
{{quote|[Trivium] was designed as an exercise in exploring how far a stream cipher can be simplified without sacrificing its security, speed or flexibility. While simple designs are more likely to be vulnerable to simple, and possibly devastating, attacks (which is why we strongly discourage the use of Trivium at this stage), they certainly inspire more confidence than complex schemes, if they survive a long period of public scrutiny despite their simplicity.<ref>{{cite paper
| author = [[Christophe De Cannière]], [[Bart Preneel]]
| title = Trivium specifications
| publisher = eSTREAM submitted papers
| date = 2005-04-29
| url = http://www.ecrypt.eu.org/stream/ciphers/trivium/trivium.pdf
| format = [[PDF]]
| accessdate = 2006-10-09
}}</ref>}}

{{As of|2010|09}}, no cryptanalytic attacks better than [[brute force attack]] are known, but several attacks come close. The [[cube attack]] requires 2<sup>30</sup> steps to break a variant of Trivium where the number of initialization rounds is reduced to 735; the authors speculate that these techniques could lead to a break for 1100 initialisation rounds, or "maybe even the original cipher".<ref>{{cite paper
| last = Dinur
| first = Itai
| coauthors = Shamir, Adi
| title = Cube Attacks on Tweakable Black Box Polynomials
| publisher = [[Cryptology ePrint Archive]]
| date = 2008-09-13
| id = ePrint 20080914:160327
| url = http://eprint.iacr.org/2008/385
| format = PDF
| accessdate = 2008-12-04
}}</ref> This builds on an attack due to Michael Vielhaber that breaks 576 initialization rounds in only 2<sup>12.3</sup> steps.<ref name="aida">{{cite web
| url = http://eprint.iacr.org/2007/413
| title = Breaking ONE.FIVIUM by AIDA an Algebraic IV Differential Attack
| author = Michael Vielhaber
| date = 2007-10-28
}}</ref> <ref name="AIDA-Shamir">{{cite web
| url = http://hs-bremerhaven.de/Binaries/Binary10017/AIDA_Shamir.pdf?SID=846650329488c36272d2aa88efcd870b
| title = Shamir's "cube attack": A Remake of AIDA, The Algebraic IV Differential Attack
| author = Michael Vielhaber
| date = 2009-02-23
}}</ref>

Another attack recovers the internal state (and thus the key) of the full cipher in around 2<sup>89.5</sup> steps (where each step is roughly the cost of a single trial in exhaustive search).<ref>{{cite paper
| author = [[Alexander Maximov (cryptographer)|Alexander Maximov]], [[Alex Biryukov]]
| title = Two Trivial Attacks on Trivium
| publisher = Cryptology ePrint
| date = 2007-01-23
| url = http://eprint.iacr.org/2007/021
| format = [[PDF]]
}} (Table 6, page 11)</ref> Reduced variants of Trivium using the same design principles have been broken using an equation-solving technique.<ref>{{cite paper
| author = [[Håvard Raddum]]
| title = Cryptanalytic results on Trivium
| publisher = eSTREAM submitted papers
| date = 2006-03-27
| url = http://www.ecrypt.eu.org/stream/papersdir/2006/039.ps
| format = [[PostScript]]
| accessdate = 2006-10-09}}</ref> These attacks improve on the well-known time-space tradeoff attack on stream ciphers, which with Trivium's 288-bit internal state would take 2<sup>144</sup> steps, and show that a variant on Trivium which made no change except to increase the key length beyond the 80 bits mandated by eSTREAM Profile 2 would not be secure.

A detailed justification of the design of Trivium is given in <ref>{{cite paper
| author = [[Christophe De Cannière]], [[Bart Preneel]]
| title = Trivium - A Stream Cipher Construction Inspired by Block Cipher Design Principles
| publisher = eSTREAM submitted papers
| date = 2006-01-02
| url = http://www.ecrypt.eu.org/stream/papersdir/2006/021.pdf
| format = [[PDF]]
| accessdate = 2006-10-09
}}</ref>.

==References==
{{reflist}}

==External links==
* [http://www.ecrypt.eu.org/stream/triviumpf.html eSTREAM page on Trivium]
* [http://www.ecrypt.eu.org/stream/svn/viewcvs.cgi/ecrypt/trunk/submissions/trivium/ eSTREAM Implementation]

{{Crypto navbox | stream}}

[[Category:Stream ciphers]]

[[it:Trivium (cifrario)]]
[[ru:Trivium (шифр)]]</div> Ciphergoth https://de.wikipedia.org/w/index.php?title=F%C3%B6rchtbar_Maschien&diff=114817438 Förchtbar Maschien 2010-08-20T09:16:19Z <p>Ciphergoth: /* Plot summary */ use quote template, mention that these are the opening sentences.
Great book.</p> <hr /> <div>{{Infobox Book | <!-- See Wikipedia:WikiProject_Novels or Wikipedia:WikiProject_Books -->
| name = Feersum Endjinn
| orig title =
| translator =
| image = [[Image:IainMBanksFeersumEndjinn.jpg|200px]]
| image_caption = Cover of first edition (hardcover)
| author = [[Iain M. Banks]]
| cover_artist =
| country = Scotland
| language = English (and phonetic Scots dialect)
| series =
| genre = [[Science fiction novel]]
| publisher = [[Orbit Books]]
| release_date = 1994
| media_type = Print ([[Hardcover|Hardback]] & [[Paperback]])
| pages = 279 pp
| isbn = 1-857-23235-6
| oclc= 30779268
| preceded_by = [[Complicity]]
| followed_by = [[Whit]]
}}

'''''Feersum Endjinn''''' is a [[science fiction]] [[novel]] by Scottish writer [[Iain M. Banks]], first published in 1994. It won a [[BSFA award|British Science Fiction Association Award]] in 1994.

It was Banks' second science fiction novel not based or set within the [[The Culture|Culture universe]].

==Plot summary==

The book is set on a far future [[Earth]] where the [[mind transfer|transfer of mindstate]]s into a world-spanning [[computer network]] (known as "the data corpus", "cryptosphere" or simply "crypt") is commonplace, allowing the dead to be easily [[reincarnation|reincarnated]] (though by custom, only a limited number of reincarnations are allowed).

Humanity has lost much of its technological background, due partly to an exodus by much of the species, and partly to the fact that those who remained (or at least their rulers) are fighting against more advanced technology such as [[Artificial intelligence|Artificial Intelligence]].

Meanwhile, the [[solar system]] is drifting into an interstellar [[molecular cloud]] ("the Encroachment"), which will eventually dim the Sun's light sufficiently to end life on Earth. However, the Diaspora (the long-departed segment of humanity) have left behind a device (the "Fearsome Engine" of the title) to deal with the problem; the book follows four characters who become involved in the attempt to activate it, with the narrative moving between the four (who do not meet until very near the end) in rotation.

The quarter of the book told by Bascule the Teller is written [[phonetic transcription|phonetically]] in the [[first-person narrative|first person]]. This is explained by Bascule's [[dyslexia]]. The book opens with:
{{quote|Woak up. Got dresd. Had brekfast. Spoke wif Ergates thi ant who sed itz juss been wurk wurk wurk 4 u lately master Bascule, Y dont u ½ a holiday? & I agreed & that woz how we decided we otter go 2 c Mr Zoliparia in thi I-ball ov thi gargoyle Rosbrith.}}

==Literary significance and criticism==
''Feersum Endjinn'' was generally well-received; while it is far from being "[[hard science fiction]]", the completeness of the plot and the detailed description of the mega-architecture and the crypt were praised by critics.

==See also==
* [[Simulated reality]]

==Sources==
*{{cite book|title=Feersum Endjinn|first=Iain M.|last= Banks|publisher=Orbit|location=London|year=1994|isbn=1-85723-273-9}}

==External links==
*[http://www.challengingdestiny.com/reviews/feersumendjinn.htm Challenging Destiny review]

{{Iain Banks}}

[[Category:1994 novels]]
[[Category:Novels by Iain M. Banks]]
[[Category:Books written in fictional dialects]]
[[Category:1990s science fiction novels]]</div> Ciphergoth https://de.wikipedia.org/w/index.php?title=Maurice_L%C3%A9vy_(Unternehmer)&diff=109973764 Maurice Lévy (Unternehmer) 2010-04-19T20:49:59Z <p>Ciphergoth: /* Other */ remove uncited assertion</p> <hr /> <div>[[Image:Maurice Levy 2008.jpg|thumb|right|200px|Maurice Lévy, 2008.]]
'''Maurice Lévy''', born 18 February 1942 in [[Oujda]], [[Morocco]], is a leading French [[businessman]], currently the chief executive officer of [[Publicis]], a role he has held since 1987.

== Career ==

Lévy joined '''Publicis''' in 1971 as its IT Director. One of his most important feats was putting in place a data security policy, which involved backing up all of the company's data on magnetic tape. A fire in the company's office proved the success of his backup and restoration strategy, as the company was back on its feet one week later. He then became the anointed successor of the company's then owner and Chief Executive, [[Marcel Bleustein-Blanchet]], who made him Chairman of the Management Board, and Chief Executive Officer in November 1987.

Since the death of ''Marcel Bleustein-Blanchet'', he has not only become the strong man of the company, with the full backing of Elizabeth Badinter, Bleustein-Blanchet's heir, but has also transformed the group into one of the powerhouses of the advertising world, making him one of the most influential men in France and in advertising today. Publicis Group is today the world's 4th largest advertising and media conglomerate.

==Other==
In January 2008, Lévy was bestowed the International Leadership Award 2008 from the [[Anti-Defamation League]] in recognition of his stance towards tolerance and diversity.<ref>Finance Plus, 18 January 2008</ref>
He also financed the 2008 concert at the [[Trocadéro]] to celebrate the 60th anniversary of the [[Declaration of Independence (Israel)|founding of the state of Israel]].

==References==
*''[[Bilan (magazine)|Bilan]]'', numéro 213, interview p. 60-63
{{Reflist}}

{{DEFAULTSORT:Levy, Maurice}}
[[Category:1942 births]]
[[Category:French businesspeople]]
[[Category:Businesspeople in advertising]]
[[Category:Living people]]
[[Category:People from Oujda]]

[[ar:موريس ليفي]]
[[fr:Maurice Lévy (publicitaire)]]</div> Ciphergoth https://de.wikipedia.org/w/index.php?title=George_H._Heilmeier&diff=111014120 George H. Heilmeier 2010-02-18T12:58:10Z <p>Ciphergoth: /* References */ add reflist template</p> <hr /> <div>{{Infobox_Scientist
| name = George H. Heilmeier
| image =
| caption =
| birth_date = {{birth date and age|1936|5|22}}
| birth_place =
| death_date =
| death_place =
| residence = [[United States]]
| nationality =[[United States|American]]
| field = [[Electrical engineering]]
| work_institution =
| alma_mater =
| doctoral_advisor =
| awards = [[IEEE Medal of Honor]]
}}

'''George Harry Heilmeier''' (born May 22, 1936) is an American [[engineer]] and businessman, who was a pioneering contributor to [[liquid crystal display]]s.

==Biography==
Heilmeier was born in [[Philadelphia, Pennsylvania]], received his BS in [[Electrical Engineering]] from the [[University of Pennsylvania]] in Philadelphia, and his M.S.E., M.A., and Ph.D. degrees in solid state materials and electronics from [[Princeton University]].

In 1958 Heilmeier joined [[RCA|RCA Laboratories]] in [[Princeton, New Jersey]], where he worked on parametric amplification, [[tunnel diode]] down-converters, [[millimeter wave]] generation, [[ferroelectricity|ferroelectric]] thin film devices, organic [[semiconductor]]s and electro-optic effects in molecular and liquid crystals. In 1964 he discovered several new electro-optic effects in [[liquid crystal]]s, which led to the first working liquid crystal displays based on what he called the dynamic scattering mode (DSM).

Heilmeier spent much of the 1970s in the [[United States Department of Defense]]. From 1970 to 1971 he served as a [[White House Fellow]] and special assistant to the [[Secretary of Defense]], performing long-range research and development planning. In 1971 he was appointed Assistant Director for Defense Research and Engineering, Electronic and Physical Sciences, overseeing all research and exploratory development in electronics and the physical sciences. In 1975 he was named Director of the [[Defense Advanced Research Projects Agency]] (DARPA) and initiated major efforts in [[stealth aircraft]], space-based [[laser]]s, space-based [[infrared]] technology, and [[artificial intelligence]].

In December 1977 Heilmeier left government to become vice president at [[Texas Instruments]]; in 1983 he was promoted to [[Chief Technical Officer]]. From 1991 to 1996 he was president and CEO of [[Bellcore]] (now [[Telcordia]]), ultimately overseeing its sale to [[Science Applications International Corporation]] (SAIC). He served as the company's chairman and CEO from 1996 to 1997, and afterwards as its chairman emeritus.

Heilmeier has received numerous awards, holds 15 patents, and is a member of the [[National Academy of Engineering]], the [[Defense Science Board]], and the [[National Security Agency Advisory Board]]. He serves on the board of trustees of [[Fidelity Investments]] and of Teletech Holdings, and the Board of Overseers of the School of Engineering and Applied Science of the [[University of Pennsylvania]].

== Heilmeier's Catechism ==
A set of questions credited to Heilmeier that anyone proposing a research project or product development effort should be able to answer.<ref>[http://www.nap.edu/openbook.php?record_id=12498&page=29] credits these observations to G. Heilmeier, "Some Reflections on Innovation and Invention," Founders Award Lecture, National Academy of Engineering, Washington, D.C., Sept. 1992.</ref>
* What are you trying to do? Articulate your objectives using absolutely no jargon.
* How is it done today, and what are the limits of current practice?
* What's new in your approach and why do you think it will be successful?
* Who cares?
* If you're successful, what difference will it make?
* What are the risks and the payoffs?
* How much will it cost?
* How long will it take?
* What are the midterm and final "exams" to check for success?

== Selected awards ==
* 1976 [[IEEE David Sarnoff Award]], IEEE
* 1990 C&C Prize, NEC
* 1991 [[National Medal of Science]], USA
* 1992 [[National Academy of Engineering Founders Award]], USA
* 1993 Vladimir Karapetoff Eminent Members' Award, [[Eta Kappa Nu]]
* 1996 John Scott Award for Scientific Achievements, City of Philadelphia
* 1997 [[IEEE Medal of Honor]], IEEE
* 1999 [[John Fritz Medal]], [[American Association of Engineering Societies]]
* 2005 [[Kyoto Prize]] in advanced technology, [[Inamori Foundation]]
* 2006 [http://www.osa.org/aboutosa/awards/osaawards/awardsdesc/edwinland/ Edwin H. Land Medal, OSA]

== Selected publications ==
* 1966 "Possible Ferroelectric Effects in Liquid Crystals and Related Liquids" (Williams, R. and Heilmeier, G. H.), ''Journal of Chemical Physics'', 44: 638.
* 1968 "Dynamic Scattering: A New Electrooptic Effect in Certain Classes of Nematic Liquid Crystals" (with Zanoni, L. A. and Barton, L. A.), ''Proceedings of the IEEE'', 56: 1162.
* 1970 "Liquid Crystal Display Devices", ''Scientific American'', 222: 100.
* 1976 "Liquid Crystal Displays: An Experiment in Interdisciplinary Research that Worked", ''IEEE Transactions on Electron Devices'', ED-23: 780.

== References ==
{{reflist}}

* [http://www.cbi.umn.edu/oh/display.phtml?id=145 Oral history interview with George H. Heilmeier], [[Charles Babbage Institute]], University of Minnesota. Heilmeier describes his introduction to the Department of Defense as a White House Fellow assigned to the Office of the Secretary of Defense working in the Office of the [[Director of Defense Research and Engineering]]. Most of the interview is devoted to his years as Director of the [[Defense Advanced Research Projects Agency]] (1975-1979).
* [http://www.ieee.org/web/aboutus/history_center/biography/heilmeier.html IEEE biography]
* [http://www.inamori-f.or.jp/laureates/k21_a_george/prf_e.html Inamori Foundation biography]

{{s-start}}
{{s-gov}}
{{s-bef | before = Steve J. Lukasik}}
{{s-ttl | title=Director of [[DARPA]] | years = 1975 – 1977}}
{{s-aft | after = Robert R. Fossum}}
{{s-end}}

{{IEEE Medal of Honor 1976-2000}}
{{Winners of the National Medal of Science|engineering}}

{{DEFAULTSORT:Heilmeier, George H.}}
[[Category:1936 births]]
[[Category:IEEE Medal of Honor recipients]]
[[Category:Living people]]
[[Category:National Inventors Hall of Fame inductees]]
[[Category:National Medal of Science laureates]]
[[Category:TI alumni]]
[[Category:University of Pennsylvania alumni]]

[[fr:George Harry Heilmeier]]</div> Ciphergoth https://de.wikipedia.org/w/index.php?title=George_H._Heilmeier&diff=111014119 George H. Heilmeier 2010-02-18T12:57:28Z <p>Ciphergoth: /* Heilmeier's Catechism */ provide some sort of reference</p> <hr /> <div>{{Infobox_Scientist
| name = George H. Heilmeier
| image =
| caption =
| birth_date = {{birth date and age|1936|5|22}}
| birth_place =
| death_date =
| death_place =
| residence = [[United States]]
| nationality =[[United States|American]]
| field = [[Electrical engineering]]
| work_institution =
| alma_mater =
| doctoral_advisor =
| awards = [[IEEE Medal of Honor]]
}}

'''George Harry Heilmeier''' (born May 22, 1936) is an American [[engineer]] and businessman, who was a pioneering contributor to [[liquid crystal display]]s.

==Biography==
Heilmeier was born in [[Philadelphia, Pennsylvania]], received his BS in [[Electrical Engineering]] from the [[University of Pennsylvania]] in Philadelphia, and his M.S.E., M.A., and Ph.D.
degrees in solid state materials and electronics from [[Princeton University]].

In 1958 Heilmeier joined [[RCA|RCA Laboratories]] in [[Princeton, New Jersey]], where he worked on parametric amplification, [[tunnel diode]] down-converters, [[millimeter wave]] generation, [[ferroelectricity|ferroelectric]] thin film devices, organic [[semiconductor]]s and electro-optic effects in molecular and liquid crystals. In 1964 he discovered several new electro-optic effects in [[liquid crystal]]s, which led to the first working liquid crystal displays based on what he called the dynamic scattering mode (DSM).

Heilmeier spent much of the 1970s in the [[United States Department of Defense]]. From 1970 to 1971 he served as a [[White House Fellow]] and special assistant to the [[Secretary of Defense]], performing long-range research and development planning. In 1971 he was appointed Assistant Director for Defense Research and Engineering, Electronic and Physical Sciences, overseeing all research and exploratory development in electronics and the physical sciences. In 1975 he was named Director of the [[Defense Advanced Research Projects Agency]] (DARPA) and initiated major efforts in [[stealth aircraft]], space-based [[laser]]s, space-based [[infrared]] technology, and [[artificial intelligence]].

In December 1977 Heilmeier left government to become vice president at [[Texas Instruments]]; in 1983 he was promoted to [[Chief Technical Officer]]. From 1991 to 1996 he was president and CEO of [[Bellcore]] (now [[Telcordia]]), ultimately overseeing its sale to [[Science Applications International Corporation]] (SAIC). He served as the company's chairman and CEO from 1996 to 1997, and afterwards as its chairman emeritus.

Heilmeier has received numerous awards, holds 15 patents, and is a member of the [[National Academy of Engineering]], the [[Defense Science Board]], and the [[National Security Agency Advisory Board]]. He serves on the board of trustees of [[Fidelity Investments]] and of Teletech Holdings, and the Board of Overseers of the School of Engineering and Applied Science of the [[University of Pennsylvania]].

== Heilmeier's Catechism ==
A set of questions credited to Heilmeier that anyone proposing a research project or product development effort should be able to answer.<ref>[http://www.nap.edu/openbook.php?record_id=12498&page=29] credits these observations to G. Heilmeier, "Some Reflections on Innovation and Invention," Founders Award Lecture, National Academy of Engineering, Washington, D.C., Sept. 1992.</ref>
* What are you trying to do? Articulate your objectives using absolutely no jargon.
* How is it done today, and what are the limits of current practice?
* What's new in your approach and why do you think it will be successful?
* Who cares?
* If you're successful, what difference will it make?
* What are the risks and the payoffs?
* How much will it cost?
* How long will it take?
* What are the midterm and final "exams" to check for success?

== Selected awards ==
* 1976 [[IEEE David Sarnoff Award]], IEEE
* 1990 C&C Prize, NEC
* 1991 [[National Medal of Science]], USA
* 1992 [[National Academy of Engineering Founders Award]], USA
* 1993 Vladimir Karapetoff Eminent Members' Award, [[Eta Kappa Nu]]
* 1996 John Scott Award for Scientific Achievements, City of Philadelphia
* 1997 [[IEEE Medal of Honor]], IEEE
* 1999 [[John Fritz Medal]], [[American Association of Engineering Societies]]
* 2005 [[Kyoto Prize]] in advanced technology, [[Inamori Foundation]]
* 2006 [http://www.osa.org/aboutosa/awards/osaawards/awardsdesc/edwinland/ Edwin H. Land Medal, OSA]

== Selected publications ==
* 1966 "Possible Ferroelectric Effects in Liquid Crystals and Related Liquids" (Williams, R. and Heilmeier, G. H.), ''Journal of Chemical Physics'', 44: 638.
* 1968 "Dynamic Scattering: A New Electrooptic Effect in Certain Classes of Nematic Liquid Crystals" (with Zanoni, L. A. and Barton, L. A.), ''Proceedings of the IEEE'', 56: 1162.
* 1970 "Liquid Crystal Display Devices", ''Scientific American'', 222: 100.
* 1976 "Liquid Crystal Displays: An Experiment in Interdisciplinary Research that Worked", ''IEEE Transactions on Electron Devices'', ED-23: 780.

== References ==
* [http://www.cbi.umn.edu/oh/display.phtml?id=145 Oral history interview with George H. Heilmeier], [[Charles Babbage Institute]], University of Minnesota. Heilmeier describes his introduction to the Department of Defense as a White House Fellow assigned to the Office of the Secretary of Defense working in the Office of the [[Director of Defense Research and Engineering]]. Most of the interview is devoted to his years as Director of the [[Defense Advanced Research Projects Agency]] (1975-1979).
* [http://www.ieee.org/web/aboutus/history_center/biography/heilmeier.html IEEE biography]
* [http://www.inamori-f.or.jp/laureates/k21_a_george/prf_e.html Inamori Foundation biography]

{{s-start}}
{{s-gov}}
{{s-bef | before = Steve J. Lukasik}}
{{s-ttl | title=Director of [[DARPA]] | years = 1975 – 1977}}
{{s-aft | after = Robert R. Fossum}}
{{s-end}}

{{IEEE Medal of Honor 1976-2000}}
{{Winners of the National Medal of Science|engineering}}

{{DEFAULTSORT:Heilmeier, George H.}}
[[Category:1936 births]]
[[Category:IEEE Medal of Honor recipients]]
[[Category:Living people]]
[[Category:National Inventors Hall of Fame inductees]]
[[Category:National Medal of Science laureates]]
[[Category:TI alumni]]
[[Category:University of Pennsylvania alumni]]

[[fr:George Harry Heilmeier]]</div> Ciphergoth https://de.wikipedia.org/w/index.php?title=The_Brown_Bunny&diff=79237499 The Brown Bunny 2009-03-09T08:41:21Z <p>Ciphergoth: /* Cultural references */ remove uncited, weasel-worded sentence - fascinating if true but useless without a cite</p> <hr /> <div>{{Infobox Film
| name = The Brown Bunny
| image = Brown bunny post.jpg
| caption = Theatrical release poster
| writer = [[Vincent Gallo]]
| starring = Vincent Gallo,<br />[[Chloë Sevigny]]
| director = Vincent Gallo
| producer = Vincent Gallo
| distributor = [[Wellspring Media]]
| released = [[August 27]], [[2004]]
| runtime = 93 min.
| country = [[United States]] <br /> [[France]]
| language = English
| budget =
| music = [[Jackson C. Frank]], [[Jeff Alexander]], [[Gordon Lightfoot]], [[Ted Curson]], [[Accardo Quartet]], [[John Frusciante]]
| awards =
| imdb_id = 0330099
}}
'''''The Brown Bunny''''' is a [[2003 in film|2003]] [[United States|American]] [[independent film]] written, produced and directed by [[actor]] [[Vincent Gallo]] about a motorcycle racer on a cross-country drive who is haunted by memories of his former lover. It had its world premiere at the 2003 [[Cannes Film Festival]] to a long ovation, but at the same time a minority of [[boo]]s and [[catcall]]s.
The film garnered a great deal of media attention due to the explicit sexual content of the final scene, and due to a war of words between Gallo and film critic [[Roger Ebert]], who stated that ''The Brown Bunny'' was the worst film in the history of Cannes,&lt;ref&gt;{{cite web<br /> |title=&quot;Review for The Brown Bunny&quot;<br /> |author=Roger Ebert<br /> |date=[[September 3]], [[2003]]<br /> |work=Chicago Sun-Times<br /> |url=http://rogerebert.suntimes.com/apps/pbcs.dll/article?AID=/20040903/REVIEWS/409020301/1023}}&lt;/ref&gt; although he later gave a re-edited version of the film his signature &quot;thumbs up&quot;.<br /> <br /> ==Plot==<br /> <br /> Bud Clay ([[Vincent Gallo]]), a [[motorcycle]] racer, undertakes a cross-country drive, following a race in New Hampshire, in order to participate in a race in California. All the while he is haunted by memories of his former lover, Daisy ([[Chloë Sevigny]]). On his journey he meets three women, but is unable to form an emotional connection with any of them. He first meets Violet (played by [[Anna Vareschi]]) at a gas station in New Hampshire and convinces her to join him on his trip to California. They stop at her home in order to get her clothes, but he drives off as soon as she enters the house.<br /> <br /> Bud's next stop is at Daisy's parents' home, where there is Daisy's brown bunny. Daisy's mother does not remember Bud, who grew up in the house next door, nor does she remember having visited Bud and Daisy in California. Next, Bud stops at a pet shelter, where he asks about the life expectancy of rabbits (he is told about five or six years). At a highway rest stop, he joins a distressed woman, Lilly (played by [[Cheryl Tiegs]]), comforts and kisses her, before starting to cry and eventually leaving her. Bud appears more distressed as the road trip continues, crying as he drives. He stops at the [[Bonneville Speedway]] to race his motorcycle. 
In [[City of Las Vegas|Las Vegas]], he drives around looking at prostitutes on street corners, before deciding to ask one of them, Rose (played by [[Elizabeth Blake]]), to join him for lunch. She eats [[McDonald's]] food in his truck until he stops, pays her, and leaves her back on the street.<br /> <br /> After having his motorcycle checked in a bike shop in Los Angeles, Bud stops at Daisy's home, which appears abandoned. After sitting in his truck in the driveway remembering kissing Daisy there, he leaves a note on the door frame and checks in at a hotel. There, Daisy eventually appears. She seems nervous, going to the bathroom twice to smoke crack cocaine, while Bud waits for her, sitting on his bed. When she proposes going out to buy something to drink, Bud tells her that, because of what happened the last time they saw each other, he doesn't drink anymore.<br /> <br /> They have an argument about Daisy kissing other boys. At this point, Bud undresses Daisy and she performs [[fellatio]] on him. Afterwards he insults her, and as they lie in bed they talk about what happened during their last meeting. Bud repeatedly asks Daisy why she hooked up with some men at a party. She explains that she was just being friendly and wanted to get high smoking pot with them. Bud becomes upset because Daisy was pregnant, and it transpires that the fetus died as a result of what happened at this party.<br /> <br /> Eventually, the viewer understands that Daisy was raped at the party, a scene witnessed by Bud, who did not intervene. Bud explains to her that he did not know what to do and decided to leave the party. When he came back, he saw an ambulance, and Daisy explains to Bud that she is dead, having passed out prior to the rape and then choked to death after vomiting while unconscious. 
The movie ends as Bud is driving his truck in California.<br /> <br /> ==Filming==<br /> The movie was filmed in [[16 mm]] and then blown up in [[35 mm]], which gives the photography a typical{{fact|date=September 2007}} &quot;old-school grain&quot;. Vincent Gallo is credited as director of the photography as well as one of the three camera operators along with Toshiaki Ozawa (also credited as gaffer/grip) and John Clemens.<br /> <br /> The version of the film shown in the US has been cut by about 25 minutes compared to the version shown at the Cannes Film Festival, removing a large part of the initial scene at the race track (about four minutes shorter), about six minutes of music and black screen at the end of the movie, and about seven minutes of driving before the scene in the Bonneville Speedway.&lt;ref&gt;[http://movies.about.com/od/thebrownbunny/a/bbunnyvg081904.htm Interview with Vincent Gallo (About)] &lt;/ref&gt;<br /> <br /> Neither Anna Vareschi nor Elizabeth Blake, both in the film, were professional actresses.<br /> [[Kirsten Dunst]] and [[Winona Ryder]] were both attached to the project and left for unknown reasons. Sevigny said of the sex scene, &quot;It wasn't that bad for me, I have been intimate with Vincent before&quot; in an interview from ''[[The Guardian]]''.&lt;ref&gt;{{cite web<br /> |title=&quot;Contrite Gallo apologises for pretension&quot;<br /> |author=Fiachra Gibbons<br /> |date=[[May 24]], [[2003]]<br /> |work=The Guardian<br /> |url=http://film.guardian.co.uk/cannes/story/0,13266,962544,00.html}}&lt;/ref&gt; After the film's release, the [[William Morris Agency]] dropped her as a client. In spite of that, Sevigny continued to get work as an actress.<br /> <br /> ==Cannes reception and reviews==<br /> The screening of the film at [[Cannes Film Festival|Cannes]] was mixed; the audience gave the film a very long ovation while at the same time a minority of people booed and made [[catcall]]s. 
Several [[French people|French]] critics were defending the film despite its unfinished state but the boos were &quot;almost like salt in the wound&quot; to Gallo who had endured much mental anguish to finish the film.<br /> <br /> Upon his return to America, Gallo took a defiant stance, defending the film and finishing a new edit that clarified and tightened the storyline. A war of words then erupted between Gallo and film critic [[Roger Ebert]], with Ebert writing that ''The Brown Bunny'' was the worst film in the history of Cannes, and Gallo retorting by calling Ebert a &quot;fat pig with the physique of a [[slave trade]]r.&quot;&lt;ref&gt;Peretti, Jacques. [http://film.guardian.co.uk/features/featurepages/0,,1084253,00.html &quot;Jacques Peretti on Shooting Vincent Gallo&quot;], ''The Guardian'', November 14, 2003.&lt;/ref&gt; Ebert then responded, paraphrasing a statement attributed to [[Winston Churchill]], that &quot;one day I will be thin, but Vincent Gallo will always be the director of ''The Brown Bunny''.&quot; Gallo then claimed to have put a [[curse|hex]] on Ebert's [[colon (anatomy)|colon]], cursing the critic with [[cancer]]. Ebert then replied that enduring his [[colonoscopy]] would be more entertaining than watching ''The Brown Bunny''. 
Gallo subsequently stated that he had been misquoted, and that the hex had actually been placed on Ebert's [[prostate]], and that the whole thing had been meant as a joke which was misinterpreted by a reviewer.&lt;ref&gt;{{cite news |first=Roger |last=Ebert |authorlink=Roger Ebert |title=The whole truth from Vincent Gallo |url=http://www.suntimes.com/output/eb-feature/sho-sunday-gallo29.html |work=Chicago Sun-Times |date=[[2004-08-29]] |accessdate=2007-10-23 |archiveurl=http://web.archive.org/web/20040921074433/http://www.suntimes.com/output/eb-feature/sho-sunday-gallo29.html |archivedate=2004-09-21 }}&lt;/ref&gt;<br /> <br /> A shorter, re-edited version of the film played later in 2003 at the [[Toronto International Film Festival]] (although it still retained the controversial sex scene). The new version was regarded more highly by some, even Ebert, who gave the new cut three stars out of a possible four. On the [[August 28]], [[2004]] episode of the television show ''[[At the Movies with Ebert &amp; Roeper|Ebert &amp; Roeper]]'', Ebert gave the new version of the film a &quot;thumbs up&quot; rating. In a column published about the same time, Ebert reported that he and Gallo had made peace. According to Ebert, &quot;Gallo went back into the editing room and cut 26 minutes of his 118-minute film, or almost a quarter of the running time. And in the process he transformed it. The film's form and purpose now emerge from the miasma of the original cut, and are quietly, sadly, effective. It is said that editing is the soul of the cinema; in the case of ''The Brown Bunny'', it is its salvation&quot;.<br /> <br /> ''The Brown Bunny'' maintains a 45% approval rating at [[Rotten Tomatoes]].&lt;ref&gt;http://www.rottentomatoes.com/m/brown_bunny/&lt;/ref&gt;<br /> <br /> The French film magazine [[Les Cahiers du Cinéma]] voted ''The Brown Bunny'' one of the ten best films of [[2004]]. 
&lt;ref&gt;http://alumnus.caltech.edu/~ejohnson/critics/cahiers.html&lt;/ref&gt; <br /> <br /> ==Theatrical release and DVD==<br /> A shorter, re-edited version of the film also won a U.S. theatrical distribution deal from [[Wellspring]]. The film had the highest per screen average in its first opening weekend, grossing $50,601 in a limited U.S. theatrical release (5 screens). The film won approval from [[Sony Pictures Entertainment]], which acquired multi-territory distribution rights of the film in February 2005. Sony also released the film on [[DVD]] in North America in August [[2005]].<br /> According to Ryan Werner (who had worked for Wellspring), this movie ended up being profitable for everyone involved, including Wellspring and Gallo himself.&lt;ref&gt;Hollywood Reporter ''[http://www.hollywoodreporter.com/hr/search/article_display.jsp?vnu_content_id=1001002055 Business Plans]''.&lt;/ref&gt;<br /> <br /> ==Controversies==<br /> ''The Brown Bunny'' also attracted media attention over a large [[billboard (advertising)|billboard]] erected over [[Sunset Boulevard]] in [[West Hollywood, California]] in 2004 promoting the movie. The billboard featured a black and white image taken from the fellatio sequence,&lt;ref&gt;[http://www.airmassive.com/amblog_080304_1.html billboard image]&lt;/ref&gt; drawing complaints from residents and business owners. The image showed Vincent Gallo standing with Chloë Sevigny on her knees, and did not show any explicit sexual content. It was eventually removed. Vincent Gallo never saw the billboard, as he was in New York until the billboard was taken down.{{Fact|date=August 2007}}<br /> <br /> In [[Richard Schickel]]'s documentary ''[[Welcome to Cannes]]'', aired on [[Turner Classic Movies]], there is mention of a rumor launched during the Cannes Film Festival by French filmmaker [[Claire Denis]], who directed ''[[Trouble Every Day]]'', a movie featuring Vincent Gallo. 
According to Denis, the penis appearing on the infamous [[fellatio]] scene is a prosthetic stolen from the set of ''Trouble Every Day''.<br /> <br /> ==Cultural references==<br /> Numerous references to the film (and in particular the fellatio scene) are made in the pilot episode of the BBC comedy ''[[Freezing (TV series)|Freezing]]'', as much of the episode's plot involves [[Elizabeth McGovern]] being considered for a role in an upcoming Vincent Gallo film.<br /> <br /> ==Soundtrack==<br /> {{main|The Brown Bunny (soundtrack)}}<br /> <br /> ==See also==<br /> *[[List of mainstream films with unsimulated sex]]<br /> <br /> ==References==<br /> {{reflist}}<br /> <br /> ==External links==<br /> *{{imdb title|id=0330099|title=The Brown Bunny}}<br /> *{{rogerebert|id=20040903/REVIEWS/409020301|title=The Brown Bunny}}<br /> *[http://www.slate.com/id/2106174/ &quot;Playboy Bunny: Vincent Gallo proves he just wants to be loved&quot;], David Edelstein, [[Slate.com]], [[10 September]] [[2004]].<br /> *[http://www.salon.com/ent/movies/review/2004/09/17/brown_bunny/index.html ''The Brown Bunny''], Charles Taylor, ''[[Salon.com]]'', [[17 September]] [[2004]].<br /> <br /> {{DEFAULTSORT:Brown Bunny, The}}<br /> [[Category:2003 films]]<br /> [[Category:American films]]<br /> [[Category:Films shot in Super 16]]<br /> [[Category:Road movies]]<br /> <br /> [[de:The Brown Bunny]]<br /> [[fr:The Brown Bunny]]<br /> [[it:The Brown Bunny]]</div> Ciphergoth https://de.wikipedia.org/w/index.php?title=Trivium_(Algorithmus)&diff=83575940 Trivium (Algorithmus) 2009-01-01T13:00:15Z <p>Ciphergoth: No need to introduce a new initialism, but wikilink once to the new page.</p> <hr /> <div>[[Image:Trivium_(cipher).png|thumb|300px|right|Structure of Trivium]]<br /> <br /> {{otheruses|Trivium}}<br /> <br /> '''Trivium''' is a synchronous [[stream cipher]] designed to provide a flexible trade-off between speed and [[gate count]] in hardware, and reasonably efficient software implementation. 
<br /> <br /> It was submitted to the Profile II (hardware) of the [[eSTREAM]] competition by its authors, [[Christophe De Cannière]] and [[Bart Preneel]], and has been selected as part of the portfolio for low area hardware ciphers (Profile 2) by the eSTREAM project. It is not patented.<br /> <br /> It generates up to 2&lt;sup&gt;64&lt;/sup&gt; [[bit]]s of output from an 80-bit [[key length|key]] and an 80-bit [[initialization vector|IV]]. It is the simplest eSTREAM entrant; while it shows remarkable resistance to cryptanalysis for its simplicity and performance, recent attacks leave the security margin looking rather slim. <br /> <br /> ==Description==<br /> Trivium's 288-bit internal state consists of three [[shift register]]s of different lengths. At each round, a bit is shifted into each of the three shift registers using a non-linear combination of taps from that and one other register; one bit of output is produced. To initialize the cipher, the key and IV are written into two of the shift registers, with the remaining bits starting in a fixed pattern; the cipher state is then updated 4 &amp;times; 288 = 1152 times, so that every bit of the internal state depends on every bit of the key and of the IV in a complex nonlinear way.<br /> <br /> No taps appear on the first 64 bits of each shift register, so each novel state bit is not used until at least 64 rounds after it is generated. 
This is the key to Trivium's software performance and flexibility in hardware.<br /> <br /> ==Specification==<br /> Trivium may be specified very concisely using three recursive equations.&lt;ref&gt;[http://www.ecrypt.eu.org/stream/phorum/read.php?1,448 eSTREAM Phorum, 2006-02-20]&lt;/ref&gt; Each variable is an element of [[finite field|GF]](2); they can be represented as [[bit]]s, with &quot;+&quot; being [[Exclusive or|XOR]] and multiplication being [[Binary and|AND]].<br /> <br /> *''a''&lt;sub&gt;''i''&lt;/sub&gt; = ''c''&lt;sub&gt;''i''-66&lt;/sub&gt; + ''c''&lt;sub&gt;''i''-111&lt;/sub&gt; + ''c''&lt;sub&gt;''i''-110&lt;/sub&gt; ''c''&lt;sub&gt;''i''-109&lt;/sub&gt; + ''a''&lt;sub&gt;''i''-69&lt;/sub&gt;<br /> *''b''&lt;sub&gt;''i''&lt;/sub&gt; = ''a''&lt;sub&gt;''i''-66&lt;/sub&gt; + ''a''&lt;sub&gt;''i''-93&lt;/sub&gt; + ''a''&lt;sub&gt;''i''-92&lt;/sub&gt; ''a''&lt;sub&gt;''i''-91&lt;/sub&gt; + ''b''&lt;sub&gt;''i''-78&lt;/sub&gt;<br /> *''c''&lt;sub&gt;''i''&lt;/sub&gt; = ''b''&lt;sub&gt;''i''-69&lt;/sub&gt; + ''b''&lt;sub&gt;''i''-84&lt;/sub&gt; + ''b''&lt;sub&gt;''i''-83&lt;/sub&gt; ''b''&lt;sub&gt;''i''-82&lt;/sub&gt; + ''c''&lt;sub&gt;''i''-87&lt;/sub&gt;<br /> <br /> The output bits ''r''&lt;sub&gt;0&lt;/sub&gt; ... ''r''&lt;sub&gt;2&lt;sup&gt;64&lt;/sup&gt;-1&lt;/sub&gt; are then generated by<br /> <br /> *''r''&lt;sub&gt;''i''&lt;/sub&gt; = ''c''&lt;sub&gt;''i''-66&lt;/sub&gt; + ''c''&lt;sub&gt;''i''-111&lt;/sub&gt; + ''a''&lt;sub&gt;''i''-66&lt;/sub&gt; + ''a''&lt;sub&gt;''i''-93&lt;/sub&gt; + ''b''&lt;sub&gt;''i''-69&lt;/sub&gt; + ''b''&lt;sub&gt;''i''-84&lt;/sub&gt;<br /> <br /> Given an 80-bit key ''k''&lt;sub&gt;0&lt;/sub&gt; ... ''k''&lt;sub&gt;79&lt;/sub&gt; and an ''l''-bit IV ''v''&lt;sub&gt;0&lt;/sub&gt; ... ''v''&lt;sub&gt;''l''-1&lt;/sub&gt; (where 0 &amp;le; ''l'' &amp;le; 80), Trivium is initialized as follows:<br /> <br /> *(''a''&lt;sub&gt;-1245&lt;/sub&gt; ... ''a''&lt;sub&gt;-1153&lt;/sub&gt;) = (0, 0 ... 
0, ''k''&lt;sub&gt;0&lt;/sub&gt; ... ''k''&lt;sub&gt;79&lt;/sub&gt;)<br /> *(''b''&lt;sub&gt;-1236&lt;/sub&gt; ... ''b''&lt;sub&gt;-1153&lt;/sub&gt;) = (0, 0 ... 0, ''v''&lt;sub&gt;0&lt;/sub&gt; ... ''v''&lt;sub&gt;''l''-1&lt;/sub&gt;)<br /> *(''c''&lt;sub&gt;-1263&lt;/sub&gt; ... ''c''&lt;sub&gt;-1153&lt;/sub&gt;) = (1, 1, 1, 0, 0 ... 0)<br /> <br /> The large negative indices on the initial values reflect the 1152 steps that must take place before output is produced.<br /> <br /> To map a stream of bits ''r'' to a stream of bytes ''R'', we use the little-endian mapping ''R''&lt;sub&gt;''i''&lt;/sub&gt; = Σ&lt;sub&gt;''j''=0 ... 7&lt;/sub&gt; 2&lt;sup&gt;''j''&lt;/sup&gt; ''r''&lt;sub&gt;8''i''+''j''&lt;/sub&gt;.<br /> <br /> ==Performance==<br /> A straightforward hardware implementation of Trivium would use 3488 [[logic gate]]s and produce one bit per clock cycle. However, because each state bit is not used for at least 64 rounds, 64 state bits can be generated in parallel at a slightly greater hardware cost of 5504 gates. Different tradeoffs between speed and area are also possible.<br /> <br /> The same property allows an efficient bitslice implementation in software; performance testing by [[eSTREAM]] gives bulk encryption speeds of around 4 [[Cycles per byte|cycles/byte]] on some [[x86]] platforms, which compares well to the 19 cycles/byte of the [[Advanced Encryption Standard|AES]] reference implementation on the same platform.<br /> <br /> ==Security==<br /> {{quote|[Trivium] was designed<br /> as an exercise in exploring how far a stream cipher can be simplified without<br /> sacrificing its security, speed or flexibility. 
While simple designs are more likely<br /> to be vulnerable to simple, and possibly devastating, attacks (which is why we<br /> strongly discourage the use of Trivium at this stage), they certainly inspire<br /> more confidence than complex schemes, if they survive a long period of public<br /> scrutiny despite their simplicity.&lt;ref&gt;{{cite paper<br /> | author = [[Christophe De Cannière]], [[Bart Preneel]]<br /> | title = Trivium specifications<br /> | publisher = eSTREAM submitted papers<br /> | date = 2005-04-29<br /> | url = http://www.ecrypt.eu.org/stream/ciphers/trivium/trivium.pdf<br /> | format = [[PDF]]<br /> | accessdate = 2006-10-09<br /> }}&lt;/ref&gt;}}<br /> <br /> {{As of|2008|12}}, no cryptanalytic attacks better than [[brute force attack]] are known, but several attacks come close. The [[cube attack]] requires 2&lt;sup&gt;30&lt;/sup&gt; steps to break a variant of Trivium where the number of initialization rounds is reduced to 735; the authors speculate that these techniques could lead to a break for 1100 initialisation rounds, or &quot;maybe even the original cipher&quot;.&lt;ref&gt;{{cite paper<br /> | last = Dinur<br /> | first = Itai<br /> | coauthors = Shamir, Adi<br /> | title = Cube Attacks on Tweakable Black Box Polynomials<br /> | publisher = [[Cryptology ePrint Archive]]<br /> | date = 2008-09-13<br /> | id = ePrint 20080914:160327<br /> | url = http://eprint.iacr.org/2008/385<br /> | format = PDF<br /> | accessdate = 2008-12-04<br /> }}&lt;/ref&gt; Another attack recovers the internal state (and thus the key) of the full cipher in around 2&lt;sup&gt;89.5&lt;/sup&gt; steps (where each step is roughly the cost of a single trial in exhaustive search).&lt;ref&gt;{{cite paper<br /> | author = [[Alexander Maximov (cryptographer)|Alexander Maximov]], [[Alex Biryukov]]<br /> | title = Two Trivial Attacks on Trivium<br /> | publisher = Cryptology ePrint<br /> | date = 2007-01-23<br /> | url = http://eprint.iacr.org/2007/021<br /> | format = 
[[PDF]]<br /> }} (Table 6, page 11)&lt;/ref&gt; Reduced variants of Trivium using the same design principles have been broken using an equation-solving technique.&lt;ref&gt;{{cite paper<br /> | author = [[Håvard Raddum]]<br /> | title = Cryptanalytic results on Trivium<br /> | publisher = eSTREAM submitted papers<br /> | date = 2006-03-27<br /> | url = http://www.ecrypt.eu.org/stream/papersdir/2006/039.ps<br /> | format = [[PostScript]]<br /> | accessdate = 2006-10-09}}&lt;/ref&gt;. These attacks improve on the well-known time-space tradeoff attack on stream ciphers, which with Trivium's 288-bit internal state would take 2&lt;sup&gt;144&lt;/sup&gt; steps, and show that a variant on Trivium which made no change except to increase the key length beyond the 80 bits mandated by eSTREAM Profile 2 would not be secure.<br /> <br /> A detailed justification of the design of Trivium is given in &lt;ref&gt;{{cite paper<br /> | author = [[Christophe De Cannière]], [[Bart Preneel]]<br /> | title = Trivium - A Stream Cipher Construction Inspired by Block Cipher Design Principles<br /> | publisher = eSTREAM submitted papers<br /> | date = 2006-01-02<br /> | url = http://www.ecrypt.eu.org/stream/papersdir/2006/021.pdf<br /> | format = [[PDF]]<br /> | accessdate = 2006-10-09<br /> }}&lt;/ref&gt;.<br /> <br /> ==References==<br /> {{reflist}}<br /> <br /> ==External links==<br /> * [http://www.ecrypt.eu.org/stream/trivium.html eSTREAM page on Trivium]<br /> <br /> {{Crypto navbox | stream}}<br /> <br /> [[Category:Stream ciphers]]<br /> <br /> [[it:Trivium (cifrario)]]</div> Ciphergoth https://de.wikipedia.org/w/index.php?title=Trivium_(Algorithmus)&diff=83575938 Trivium (Algorithmus) 2008-12-04T14:51:32Z <p>Ciphergoth: talk down security; some small fixes</p> <hr /> <div>[[Image:Trivium_(cipher).png|thumb|300px|right|Structure of Trivium]]<br /> <br /> {{otheruses|Trivium}}<br /> <br /> '''Trivium''' is a synchronous [[stream cipher]] designed to provide a flexible trade-off 
between speed and [[gate count]] in hardware, and reasonably efficient software implementation. <br /> <br /> It was submitted to the Profile II (hardware) of the [[eSTREAM]] competition by its authors, [[Christophe De Cannière]] and [[Bart Preneel]], and has been selected as part of the portfolio for low area hardware ciphers (Profile 2) by the eSTREAM project. It is not patented.<br /> <br /> It generates up to 2&lt;sup&gt;64&lt;/sup&gt; [[bit]]s of output from an 80-bit [[key length|key]] and an 80-bit [[initialization vector|IV]]. It is the simplest eSTREAM entrant; while it shows remarkable resistance to cryptanalysis for its simplicity and performance, recent attacks leave the security margin looking rather slim. <br /> <br /> ==Description==<br /> Trivium's 288-bit internal state consists of three [[shift register]]s of different lengths. At each round, a bit is shifted into each of the three shift registers using a non-linear combination of taps from that and one other register; one bit of output is produced. To initialize the cipher, the key and IV are written into two of the shift registers, with the remaining bits starting in a fixed pattern; the cipher state is then updated 4 &amp;times; 288 = 1152 times, so that every bit of the internal state depends on every bit of the key and of the IV in a complex nonlinear way.<br /> <br /> No taps appear on the first 64 bits of each shift register, so each novel state bit is not used until at least 64 rounds after it is generated. 
This is the key to Trivium's software performance and flexibility in hardware.<br /> <br /> ==Specification==<br /> Trivium may be specified very concisely using three recursive equations.&lt;ref&gt;[http://www.ecrypt.eu.org/stream/phorum/read.php?1,448 eSTREAM Phorum, 2006-02-20]&lt;/ref&gt; Each variable is an element of [[finite field|GF]](2); they can be represented as [[bit]]s, with &quot;+&quot; being [[Exclusive or|XOR]] and multiplication being [[Binary and|AND]].<br /> <br /> *''a''&lt;sub&gt;''i''&lt;/sub&gt; = ''c''&lt;sub&gt;''i''-66&lt;/sub&gt; + ''c''&lt;sub&gt;''i''-111&lt;/sub&gt; + ''c''&lt;sub&gt;''i''-110&lt;/sub&gt; ''c''&lt;sub&gt;''i''-109&lt;/sub&gt; + ''a''&lt;sub&gt;''i''-69&lt;/sub&gt;<br /> *''b''&lt;sub&gt;''i''&lt;/sub&gt; = ''a''&lt;sub&gt;''i''-66&lt;/sub&gt; + ''a''&lt;sub&gt;''i''-93&lt;/sub&gt; + ''a''&lt;sub&gt;''i''-92&lt;/sub&gt; ''a''&lt;sub&gt;''i''-91&lt;/sub&gt; + ''b''&lt;sub&gt;''i''-78&lt;/sub&gt;<br /> *''c''&lt;sub&gt;''i''&lt;/sub&gt; = ''b''&lt;sub&gt;''i''-69&lt;/sub&gt; + ''b''&lt;sub&gt;''i''-84&lt;/sub&gt; + ''b''&lt;sub&gt;''i''-83&lt;/sub&gt; ''b''&lt;sub&gt;''i''-82&lt;/sub&gt; + ''c''&lt;sub&gt;''i''-87&lt;/sub&gt;<br /> <br /> The output bits ''r''&lt;sub&gt;0&lt;/sub&gt; ... ''r''&lt;sub&gt;2&lt;sup&gt;64&lt;/sup&gt;-1&lt;/sub&gt; are then generated by<br /> <br /> *''r''&lt;sub&gt;''i''&lt;/sub&gt; = ''c''&lt;sub&gt;''i''-66&lt;/sub&gt; + ''c''&lt;sub&gt;''i''-111&lt;/sub&gt; + ''a''&lt;sub&gt;''i''-66&lt;/sub&gt; + ''a''&lt;sub&gt;''i''-93&lt;/sub&gt; + ''b''&lt;sub&gt;''i''-69&lt;/sub&gt; + ''b''&lt;sub&gt;''i''-84&lt;/sub&gt;<br /> <br /> Given an 80-bit key ''k''&lt;sub&gt;0&lt;/sub&gt; ... ''k''&lt;sub&gt;79&lt;/sub&gt; and an ''l''-bit IV ''v''&lt;sub&gt;0&lt;/sub&gt; ... ''v''&lt;sub&gt;''l''-1&lt;/sub&gt; (where 0 &amp;le; ''l'' &amp;le; 80), Trivium is initialized as follows:<br /> <br /> *(''a''&lt;sub&gt;-1245&lt;/sub&gt; ... ''a''&lt;sub&gt;-1153&lt;/sub&gt;) = (0, 0 ... 
0, ''k''&lt;sub&gt;0&lt;/sub&gt; ... ''k''&lt;sub&gt;79&lt;/sub&gt;)<br /> *(''b''&lt;sub&gt;-1236&lt;/sub&gt; ... ''b''&lt;sub&gt;-1153&lt;/sub&gt;) = (0, 0 ... 0, ''v''&lt;sub&gt;0&lt;/sub&gt; ... ''v''&lt;sub&gt;''l''-1&lt;/sub&gt;)<br /> *(''c''&lt;sub&gt;-1263&lt;/sub&gt; ... ''c''&lt;sub&gt;-1153&lt;/sub&gt;) = (1, 1, 1, 0, 0 ... 0)<br /> <br /> The large negative indices on the initial values reflect the 1152 steps that must take place before output is produced.<br /> <br /> To map a stream of bits ''r'' to a stream of bytes ''R'', we use the little-endian mapping ''R''&lt;sub&gt;''i''&lt;/sub&gt; = Σ&lt;sub&gt;''j''=0 ... 7&lt;/sub&gt; 2&lt;sup&gt;''j''&lt;/sup&gt; ''r''&lt;sub&gt;8''i''+''j''&lt;/sub&gt;.<br /> <br /> ==Performance==<br /> A straightforward hardware implementation of Trivium would use 3488 [[logic gate]]s and produce one bit per clock cycle. However, because each state bit is not used for at least 64 rounds, 64 state bits can be generated in parallel at a slightly greater hardware cost of 5504 gates. Different tradeoffs between speed and area are also possible.<br /> <br /> The same property allows an efficient bitslice implementation in software; performance testing by [[eSTREAM]] gives bulk encryption speeds of around 4 cycles/byte on some [[x86]] platforms, which compares well to the 19 cycles/byte of the [[Advanced Encryption Standard|AES]] reference implementation on the same platform.<br /> <br /> ==Security==<br /> {{quote|[Trivium] was designed<br /> as an exercise in exploring how far a stream cipher can be simplified without<br /> sacrificing its security, speed or flexibility. 
While simple designs are more likely<br /> to be vulnerable to simple, and possibly devastating, attacks (which is why we<br /> strongly discourage the use of Trivium at this stage), they certainly inspire<br /> more confidence than complex schemes, if they survive a long period of public<br /> scrutiny despite their simplicity.&lt;ref&gt;{{cite paper<br /> | author = [[Christophe De Cannière]], [[Bart Preneel]]<br /> | title = Trivium specifications<br /> | publisher = eSTREAM submitted papers<br /> | date = 2005-04-29<br /> | url = http://www.ecrypt.eu.org/stream/ciphers/trivium/trivium.pdf<br /> | format = [[PDF]]<br /> | accessdate = 2006-10-09<br /> }}&lt;/ref&gt;}}<br /> <br /> {{As of|2008|12}}, no cryptanalytic attacks better than [[brute force attack]] are known, but several attacks come close. The [[cube attack]] requires 2&lt;sup&gt;30&lt;/sup&gt; steps to break a variant of Trivium where the number of initialization rounds is reduced to 735; the authors speculate that these techniques could lead to a break for 1100 initialisation rounds, or &quot;maybe even the original cipher&quot;.&lt;ref&gt;{{cite paper<br /> | last = Dinur<br /> | first = Itai<br /> | coauthors = Shamir, Adi<br /> | title = Cube Attacks on Tweakable Black Box Polynomials<br /> | publisher = [[Cryptology ePrint Archive]]<br /> | date = 2008-09-13<br /> | id = ePrint 20080914:160327<br /> | url = http://eprint.iacr.org/2008/385<br /> | format = PDF<br /> | accessdate = 2008-12-04<br /> }}&lt;/ref&gt; Another attack recovers the internal state (and thus the key) of the full cipher in around 2&lt;sup&gt;89.5&lt;/sup&gt; steps (where each step is roughly the cost of a single trial in exhaustive search).&lt;ref&gt;{{cite paper<br /> | author = [[Alexander Maximov (cryptographer)|Alexander Maximov]], [[Alex Biryukov]]<br /> | title = Two Trivial Attacks on Trivium<br /> | publisher = Cryptology ePrint<br /> | date = 2007-01-23<br /> | url = http://eprint.iacr.org/2007/021<br /> | format = 
[[PDF]]<br /> }} (Table 6, page 11)&lt;/ref&gt; Reduced variants of Trivium using the same design principles have been broken using an equation-solving technique.&lt;ref&gt;{{cite paper<br /> | author = [[Håvard Raddum]]<br /> | title = Cryptanalytic results on Trivium<br /> | publisher = eSTREAM submitted papers<br /> | date = 2006-03-27<br /> | url = http://www.ecrypt.eu.org/stream/papersdir/2006/039.ps<br /> | format = [[PostScript]]<br /> | accessdate = 2006-10-09}}&lt;/ref&gt;. These attacks improve on the well-known time-space tradeoff attack on stream ciphers, which with Trivium's 288-bit internal state would take 2&lt;sup&gt;144&lt;/sup&gt; steps, and show that a variant on Trivium which made no change except to increase the key length beyond the 80 bits mandated by eSTREAM Profile 2 would not be secure.<br /> <br /> A detailed justification of the design of Trivium is given in &lt;ref&gt;{{cite paper<br /> | author = [[Christophe De Cannière]], [[Bart Preneel]]<br /> | title = Trivium - A Stream Cipher Construction Inspired by Block Cipher Design Principles<br /> | publisher = eSTREAM submitted papers<br /> | date = 2006-01-02<br /> | url = http://www.ecrypt.eu.org/stream/papersdir/2006/021.pdf<br /> | format = [[PDF]]<br /> | accessdate = 2006-10-09<br /> }}&lt;/ref&gt;.<br /> <br /> ==References==<br /> {{reflist}}<br /> <br /> ==External links==<br /> * [http://www.ecrypt.eu.org/stream/trivium.html eSTREAM page on Trivium]<br /> <br /> {{Crypto navbox | stream}}<br /> <br /> [[Category:Stream ciphers]]<br /> <br /> [[it:Trivium (cifrario)]]</div> Ciphergoth https://de.wikipedia.org/w/index.php?title=Trivium_(Algorithmus)&diff=83575937 Trivium (Algorithmus) 2008-12-04T14:43:47Z <p>Ciphergoth: add the cube attack</p> <hr /> <div>[[Image:Trivium_(cipher).png|thumb|300px|right|Structure of Trivium]]<br /> <br /> {{otheruses|Trivium}}<br /> <br /> '''Trivium''' is a synchronous [[stream cipher]] designed to provide a flexible trade-off between speed and 
[[gate count]] in hardware, and reasonably efficient software implementation. <br /> <br /> It was submitted to the Profile II (hardware) of the [[eSTREAM]] competition by its authors, [[Christophe De Cannière]] and [[Bart Preneel]], and has been selected as part of the portfolio for low area hardware ciphers (Profile 2) by the eSTREAM project. It is not patented.<br /> <br /> It generates up to 2&lt;sup&gt;64&lt;/sup&gt; [[bit]]s of output from an 80-bit [[key length|key]] and an 80-bit [[initialization vector|IV]]. It is the simplest eSTREAM entrant, and shows remarkable resistance to cryptanalysis for its simplicity. <br /> <br /> ==Description==<br /> Trivium's 288-bit internal state consists of three [[shift register]]s of different lengths. At each round, a bit is shifted into each of the three shift registers using a non-linear combination of taps from that and one other register; one bit of output is produced. To initialize the cipher, the key and IV are written into two of the shift registers, with the remaining bits starting in a fixed pattern; the cipher state is then updated 4 &amp;times; 288 = 1152 times, so that every bit of the internal state depends on every bit of the key and of the IV in a complex nonlinear way.<br /> <br /> No taps appear on the first 64 bits of each shift register, so each novel state bit is not used until at least 64 rounds after it is generated. 
This is the key to Trivium's software performance and flexibility in hardware.<br /> <br /> ==Specification==<br /> Trivium may be specified very concisely using three recursive equations.&lt;ref&gt;[http://www.ecrypt.eu.org/stream/phorum/read.php?1,448 eSTREAM Phorum, 2006-02-20]&lt;/ref&gt; Each variable is an element of [[finite field|GF]](2); they can be represented as [[bit]]s, with &quot;+&quot; being [[Exclusive or|XOR]] and multiplication being [[Binary and|AND]].<br /> <br /> *''a''&lt;sub&gt;''i''&lt;/sub&gt; = ''c''&lt;sub&gt;''i''-66&lt;/sub&gt; + ''c''&lt;sub&gt;''i''-111&lt;/sub&gt; + ''c''&lt;sub&gt;''i''-110&lt;/sub&gt; ''c''&lt;sub&gt;''i''-109&lt;/sub&gt; + ''a''&lt;sub&gt;''i''-69&lt;/sub&gt;<br /> *''b''&lt;sub&gt;''i''&lt;/sub&gt; = ''a''&lt;sub&gt;''i''-66&lt;/sub&gt; + ''a''&lt;sub&gt;''i''-93&lt;/sub&gt; + ''a''&lt;sub&gt;''i''-92&lt;/sub&gt; ''a''&lt;sub&gt;''i''-91&lt;/sub&gt; + ''b''&lt;sub&gt;''i''-78&lt;/sub&gt;<br /> *''c''&lt;sub&gt;''i''&lt;/sub&gt; = ''b''&lt;sub&gt;''i''-69&lt;/sub&gt; + ''b''&lt;sub&gt;''i''-84&lt;/sub&gt; + ''b''&lt;sub&gt;''i''-83&lt;/sub&gt; ''b''&lt;sub&gt;''i''-82&lt;/sub&gt; + ''c''&lt;sub&gt;''i''-87&lt;/sub&gt;<br /> <br /> The output bits ''r''&lt;sub&gt;0&lt;/sub&gt; ... ''r''&lt;sub&gt;2&lt;sup&gt;64&lt;/sup&gt;-1&lt;/sub&gt; are then generated by<br /> <br /> *''r''&lt;sub&gt;''i''&lt;/sub&gt; = ''c''&lt;sub&gt;''i''-66&lt;/sub&gt; + ''c''&lt;sub&gt;''i''-111&lt;/sub&gt; + ''a''&lt;sub&gt;''i''-66&lt;/sub&gt; + ''a''&lt;sub&gt;''i''-93&lt;/sub&gt; + ''b''&lt;sub&gt;''i''-69&lt;/sub&gt; + ''b''&lt;sub&gt;''i''-84&lt;/sub&gt;<br /> <br /> Given an 80-bit key ''k''&lt;sub&gt;0&lt;/sub&gt; ... ''k''&lt;sub&gt;79&lt;/sub&gt; and an ''l''-bit IV ''v''&lt;sub&gt;0&lt;/sub&gt; ... ''v''&lt;sub&gt;''l''-1&lt;/sub&gt; (where 0 &amp;le; ''l'' &amp;le; 80), Trivium is initialized as follows:<br /> <br /> *(''a''&lt;sub&gt;-1245&lt;/sub&gt; ... ''a''&lt;sub&gt;-1153&lt;/sub&gt;) = (0, 0 ... 
0, ''k''&lt;sub&gt;0&lt;/sub&gt; ... ''k''&lt;sub&gt;79&lt;/sub&gt;)<br /> *(''b''&lt;sub&gt;-1236&lt;/sub&gt; ... ''b''&lt;sub&gt;-1153&lt;/sub&gt;) = (0, 0 ... 0, ''v''&lt;sub&gt;0&lt;/sub&gt; ... ''v''&lt;sub&gt;''l''-1&lt;/sub&gt;)<br /> *(''c''&lt;sub&gt;-1263&lt;/sub&gt; ... ''c''&lt;sub&gt;-1153&lt;/sub&gt;) = (1, 1, 1, 0, 0 ... 0)<br /> <br /> The large negative indices on the initial values reflect the 1152 steps that must take place before output is produced.<br /> <br /> To map a stream of bits ''r'' to a stream of bytes ''R'', we use the little-endian mapping ''R''&lt;sub&gt;''i''&lt;/sub&gt; = Σ&lt;sub&gt;''j''=0 ... 7&lt;/sub&gt; 2&lt;sup&gt;j&lt;/sup&gt; ''r''&lt;sub&gt;8''i''+j&lt;/sub&gt;.<br /> <br /> ==Performance==<br /> A straightforward hardware implementation of Trivium would use 3488 [[logic gate]]s and produce one bit per clock cycle. However, because each state bit is not used for at least 64 rounds, 64 state bits can be generated in parallel at a slightly greater hardware cost of 5504 gates. Different tradeoffs between speed and area are also possible.<br /> <br /> The same property allows an efficient bitslice implementation in software; performance testing by [[eSTREAM]] gives bulk encryption speeds of around 4 cycles/byte on some [[x86]] platforms, which compares well to the 19 cycles/byte of the [[Advanced Encryption Standard|AES]] reference implementation on the same platform.<br /> <br /> ==Security==<br /> {{quote|[Trivium] was designed<br /> as an exercise in exploring how far a stream cipher can be simplified without<br /> sacrificing its security, speed or flexibility. 
While simple designs are more likely<br /> to be vulnerable to simple, and possibly devastating, attacks (which is why we<br /> strongly discourage the use of Trivium at this stage), they certainly inspire<br /> more confidence than complex schemes, if they survive a long period of public<br /> scrutiny despite their simplicity.&lt;ref&gt;{{cite paper<br /> | author = [[Christophe De Cannière]], [[Bart Preneel]]<br /> | title = Trivium specifications<br /> | publisher = eSTREAM submitted papers<br /> | date = 2005-04-29<br /> | url = http://www.ecrypt.eu.org/stream/ciphers/trivium/trivium.pdf<br /> | format = [[PDF]]<br /> | accessdate = 2006-10-09<br /> }}&lt;/ref&gt;}}<br /> <br /> {{As of|2008|12}}, no cryptanalytic attacks better than [[brute force attack]] are known, but the security margin looks slim. The [[cube attack]] requires 2&lt;sup&gt;30&lt;/sup&gt; steps to break a variant of Trivium where the number of initialization rounds is reduced to 735; the authors speculate that these techniques could lead to a break for 1100 initialisation rounds, or &quot;maybe even the original cipher&quot;.&lt;ref&gt;{{cite paper<br /> | last = Dinur<br /> | first = Itai<br /> | coauthors = Shamir, Adi<br /> | title = Cube Attacks on Tweakable Black Box Polynomials<br /> | publisher = [[Cryptology ePrint Archive]]<br /> | date = 2008-09-13<br /> | id = ePrint 20080914:160327<br /> | url = http://eprint.iacr.org/2008/385<br /> | format = PDF<br /> | accessdate = 2008-12-04<br /> }}&lt;/ref&gt; Another attack recovers the internal state (and thus the key) of the full cipher in around 2&lt;sup&gt;89.5&lt;/sup&gt; steps (where each step is roughly the cost of a single trial in exhaustive search).&lt;ref&gt;{{cite paper<br /> | author = [[Alexander Maximov (cryptographer)|Alexander Maximov]], [[Alex Biryukov]]<br /> | title = Two Trivial Attacks on Trivium<br /> | publisher = Cryptology ePrint<br /> | date = 2007-01-23<br /> | url = 
http://mirror.cr.yp.to/eprint.iacr.org/2007/021<br /> | format = [[PDF]]<br /> }} (Table 6, page 11)&lt;/ref&gt; Reduced variants of Trivium using the same design principles have been broken using an equation-solving technique.&lt;ref&gt;{{cite paper<br /> | author = [[Håvard Raddum]]<br /> | title = Cryptanalytic results on Trivium<br /> | publisher = eSTREAM submitted papers<br /> | date = 2006-03-27<br /> | url = http://www.ecrypt.eu.org/stream/papersdir/2006/039.ps<br /> | format = [[PostScript]]<br /> | accessdate = 2006-10-09}}&lt;/ref&gt;. These attacks improve on the well-known time-space tradeoff attack on stream ciphers, which with Trivium's 288-bit internal state would take 2&lt;sup&gt;144&lt;/sup&gt; steps, and show that a variant on Trivium which made no change except to increase the key length beyond the 80 bits mandated by eSTREAM Profile 2 would not be secure.<br /> <br /> A detailed justification of the design of Trivium is given in &lt;ref&gt;{{cite paper<br /> | author = [[Christophe De Cannière]], [[Bart Preneel]]<br /> | title = Trivium - A Stream Cipher Construction Inspired by Block Cipher Design Principles<br /> | publisher = eSTREAM submitted papers<br /> | date = 2006-01-02<br /> | url = http://www.ecrypt.eu.org/stream/papersdir/2006/021.pdf<br /> | format = [[PDF]]<br /> | accessdate = 2006-10-09<br /> }}&lt;/ref&gt;.<br /> <br /> ==References==<br /> &lt;references/&gt;<br /> <br /> ==External links==<br /> * [http://www.ecrypt.eu.org/stream/trivium.html eSTREAM page on Trivium]<br /> <br /> {{Crypto navbox | stream}}<br /> <br /> [[Category:Stream ciphers]]<br /> <br /> [[it:Trivium (cifrario)]]</div> Ciphergoth https://de.wikipedia.org/w/index.php?title=Trivium_(Algorithmus)&diff=83575935 Trivium (Algorithmus) 2008-11-28T13:44:55Z <p>Ciphergoth: remove Pasalic attack altogether - it doesn&#039;t fly</p> <hr /> <div>[[Image:Trivium_(cipher).png|thumb|300px|right|Structure of Trivium]]<br /> <br /> {{otheruses|Trivium}}<br /> <br /> 
'''Trivium''' is a synchronous [[stream cipher]] designed to provide a flexible trade-off between speed and [[gate count]] in hardware, and reasonably efficient software implementation. <br /> <br /> It was submitted to the Profile II (hardware) of the [[eSTREAM]] competition by its authors, [[Christophe De Cannière]] and [[Bart Preneel]], and has been selected as part of the portfolio for low area hardware ciphers (Profile 2) by the eSTREAM project. It is not patented.<br /> <br /> It generates up to 2&lt;sup&gt;64&lt;/sup&gt; [[bit]]s of output from an 80-bit [[key length|key]] and an 80-bit [[initialization vector|IV]]. It is the simplest eSTREAM entrant, and shows remarkable resistance to cryptanalysis for its simplicity. <br /> <br /> ==Description==<br /> Trivium's 288-bit internal state consists of three [[shift register]]s of different lengths. At each round, a bit is shifted into each of the three shift registers using a non-linear combination of taps from that and one other register; one bit of output is produced. To initialize the cipher, the key and IV are written into two of the shift registers, with the remaining bits starting in a fixed pattern; the cipher state is then updated 4 &amp;times; 288 = 1152 times, so that every bit of the internal state depends on every bit of the key and of the IV in a complex nonlinear way.<br /> <br /> No taps appear on the first 64 bits of each shift register, so each novel state bit is not used until at least 64 rounds after it is generated. 
This is the key to Trivium's software performance and flexibility in hardware.<br /> <br /> ==Specification==<br /> Trivium may be specified very concisely using three recursive equations.&lt;ref&gt;[http://www.ecrypt.eu.org/stream/phorum/read.php?1,448 eSTREAM Phorum, 2006-02-20]&lt;/ref&gt; Each variable is an element of [[finite field|GF]](2); they can be represented as [[bit]]s, with &quot;+&quot; being [[Exclusive or|XOR]] and multiplication being [[Binary and|AND]].<br /> <br /> *''a''&lt;sub&gt;''i''&lt;/sub&gt; = ''c''&lt;sub&gt;''i''-66&lt;/sub&gt; + ''c''&lt;sub&gt;''i''-111&lt;/sub&gt; + ''c''&lt;sub&gt;''i''-110&lt;/sub&gt; ''c''&lt;sub&gt;''i''-109&lt;/sub&gt; + ''a''&lt;sub&gt;''i''-69&lt;/sub&gt;<br /> *''b''&lt;sub&gt;''i''&lt;/sub&gt; = ''a''&lt;sub&gt;''i''-66&lt;/sub&gt; + ''a''&lt;sub&gt;''i''-93&lt;/sub&gt; + ''a''&lt;sub&gt;''i''-92&lt;/sub&gt; ''a''&lt;sub&gt;''i''-91&lt;/sub&gt; + ''b''&lt;sub&gt;''i''-78&lt;/sub&gt;<br /> *''c''&lt;sub&gt;''i''&lt;/sub&gt; = ''b''&lt;sub&gt;''i''-69&lt;/sub&gt; + ''b''&lt;sub&gt;''i''-84&lt;/sub&gt; + ''b''&lt;sub&gt;''i''-83&lt;/sub&gt; ''b''&lt;sub&gt;''i''-82&lt;/sub&gt; + ''c''&lt;sub&gt;''i''-87&lt;/sub&gt;<br /> <br /> The output bits ''r''&lt;sub&gt;0&lt;/sub&gt; ... ''r''&lt;sub&gt;2&lt;sup&gt;64&lt;/sup&gt;-1&lt;/sub&gt; are then generated by<br /> <br /> *''r''&lt;sub&gt;''i''&lt;/sub&gt; = ''c''&lt;sub&gt;''i''-66&lt;/sub&gt; + ''c''&lt;sub&gt;''i''-111&lt;/sub&gt; + ''a''&lt;sub&gt;''i''-66&lt;/sub&gt; + ''a''&lt;sub&gt;''i''-93&lt;/sub&gt; + ''b''&lt;sub&gt;''i''-69&lt;/sub&gt; + ''b''&lt;sub&gt;''i''-84&lt;/sub&gt;<br /> <br /> Given an 80-bit key ''k''&lt;sub&gt;0&lt;/sub&gt; ... ''k''&lt;sub&gt;79&lt;/sub&gt; and an ''l''-bit IV ''v''&lt;sub&gt;0&lt;/sub&gt; ... ''v''&lt;sub&gt;''l''-1&lt;/sub&gt; (where 0 &amp;le; ''l'' &amp;le; 80), Trivium is initialized as follows:<br /> <br /> *(''a''&lt;sub&gt;-1245&lt;/sub&gt; ... ''a''&lt;sub&gt;-1153&lt;/sub&gt;) = (0, 0 ... 
0, ''k''&lt;sub&gt;0&lt;/sub&gt; ... ''k''&lt;sub&gt;79&lt;/sub&gt;)<br /> *(''b''&lt;sub&gt;-1236&lt;/sub&gt; ... ''b''&lt;sub&gt;-1153&lt;/sub&gt;) = (0, 0 ... 0, ''v''&lt;sub&gt;0&lt;/sub&gt; ... ''v''&lt;sub&gt;''l''-1&lt;/sub&gt;)<br /> *(''c''&lt;sub&gt;-1263&lt;/sub&gt; ... ''c''&lt;sub&gt;-1153&lt;/sub&gt;) = (1, 1, 1, 0, 0 ... 0)<br /> <br /> The large negative indices on the initial values reflect the 1152 steps that must take place before output is produced.<br /> <br /> To map a stream of bits ''r'' to a stream of bytes ''R'', we use the little-endian mapping ''R''&lt;sub&gt;''i''&lt;/sub&gt; = Σ&lt;sub&gt;''j''=0 ... 7&lt;/sub&gt; 2&lt;sup&gt;j&lt;/sup&gt; ''r''&lt;sub&gt;8''i''+j&lt;/sub&gt;.<br /> <br /> ==Performance==<br /> A straightforward hardware implementation of Trivium would use 3488 [[logic gate]]s and produce one bit per clock cycle. However, because each state bit is not used for at least 64 rounds, 64 state bits can be generated in parallel at a slightly greater hardware cost of 5504 gates. Different tradeoffs between speed and area are also possible.<br /> <br /> The same property allows an efficient bitslice implementation in software; performance testing by [[eSTREAM]] gives bulk encryption speeds of around 4 cycles/byte on some [[x86]] platforms, which compares well to the 19 cycles/byte of the [[Advanced Encryption Standard|AES]] reference implementation on the same platform.<br /> <br /> ==Security==<br /> {{quote|[Trivium] was designed<br /> as an exercise in exploring how far a stream cipher can be simplified without<br /> sacrificing its security, speed or flexibility. 
While simple designs are more likely<br /> to be vulnerable to simple, and possibly devastating, attacks (which is why we<br /> strongly discourage the use of Trivium at this stage), they certainly inspire<br /> more confidence than complex schemes, if they survive a long period of public<br /> scrutiny despite their simplicity.&lt;ref&gt;{{cite paper<br /> | author = [[Christophe De Cannière]], [[Bart Preneel]]<br /> | title = Trivium specifications<br /> | publisher = eSTREAM submitted papers<br /> | date = 2005-04-29<br /> | url = http://www.ecrypt.eu.org/stream/ciphers/trivium/trivium.pdf<br /> | format = [[PDF]]<br /> | accessdate = 2006-10-09<br /> }}&lt;/ref&gt;}}<br /> <br /> As of November [[2007]], no cryptanalytic attacks better than [[brute force attack]] are known. The best attack recovers the internal state (and thus the key) in around 2&lt;sup&gt;89.5&lt;/sup&gt; steps (where each step is roughly the cost of a single trial in exhaustive search).&lt;ref&gt;{{cite paper<br /> | author = [[Alexander Maximov (cryptographer)|Alexander Maximov]], [[Alex Biryukov]]<br /> | title = Two Trivial Attacks on Trivium<br /> | publisher = Cryptology ePrint<br /> | date = 2007-01-23<br /> | url = http://mirror.cr.yp.to/eprint.iacr.org/2007/021<br /> | format = [[PDF]]<br /> }} (Table 6, page 11)&lt;/ref&gt; Reduced variants of Trivium using the same design principles have been broken using an equation-solving technique.&lt;ref&gt;{{cite paper<br /> | author = [[Håvard Raddum]]<br /> | title = Cryptanalytic results on Trivium<br /> | publisher = eSTREAM submitted papers<br /> | date = 2006-03-27<br /> | url = http://www.ecrypt.eu.org/stream/papersdir/2006/039.ps<br /> | format = [[PostScript]]<br /> | accessdate = 2006-10-09}}&lt;/ref&gt;. 
These attacks improve on the well-known time-space tradeoff attack on stream ciphers, which with Trivium's 288-bit internal state would take 2&lt;sup&gt;144&lt;/sup&gt; steps, and show that a variant on Trivium which made no change except to increase the key length beyond the 80 bits mandated by eSTREAM Profile 2 would not be secure.<br /> <br /> A detailed justification of the design of Trivium is given in &lt;ref&gt;{{cite paper<br /> | author = [[Christophe De Cannière]], [[Bart Preneel]]<br /> | title = Trivium - A Stream Cipher Construction Inspired by Block Cipher Design Principles<br /> | publisher = eSTREAM submitted papers<br /> | date = 2006-01-02<br /> | url = http://www.ecrypt.eu.org/stream/papersdir/2006/021.pdf<br /> | format = [[PDF]]<br /> | accessdate = 2006-10-09<br /> }}&lt;/ref&gt;.<br /> <br /> ==References==<br /> &lt;references/&gt;<br /> <br /> ==External links==<br /> * [http://www.ecrypt.eu.org/stream/trivium.html eSTREAM page on Trivium]<br /> <br /> {{Crypto navbox | stream}}<br /> <br /> [[Category:Stream ciphers]]<br /> <br /> [[it:Trivium (cifrario)]]</div> Ciphergoth https://de.wikipedia.org/w/index.php?title=Trivium_(Algorithmus)&diff=83575934 Trivium (Algorithmus) 2008-11-25T18:38:39Z <p>Ciphergoth: I&#039;ll print this attack out and read it but for now I don&#039;t believe it - a real attack on Trivium would be submitted to FSE, no?</p> <hr /> <div>[[Image:Trivium_(cipher).png|thumb|300px|right|Structure of Trivium]]<br /> <br /> {{otheruses|Trivium}}<br /> <br /> '''Trivium''' is a synchronous [[stream cipher]] designed to provide a flexible trade-off between speed and [[gate count]] in hardware, and reasonably efficient software implementation. <br /> <br /> It was submitted to the Profile II (hardware) of the [[eSTREAM]] competition by its authors, [[Christophe De Cannière]] and [[Bart Preneel]], and has been selected as part of the portfolio for low area hardware ciphers (Profile 2) by the eSTREAM project. 
It is not patented.<br /> <br /> It generates up to 2&lt;sup&gt;64&lt;/sup&gt; [[bit]]s of output from an 80-bit [[key length|key]] and an 80-bit [[initialization vector|IV]]. It is the simplest eSTREAM entrant, but its security is uncertain.<br /> <br /> ==Description==<br /> Trivium's 288-bit internal state consists of three [[shift register]]s of different lengths. At each round, a bit is shifted into each of the three shift registers using a non-linear combination of taps from that and one other register; one bit of output is produced. To initialize the cipher, the key and IV are written into two of the shift registers, with the remaining bits starting in a fixed pattern; the cipher state is then updated 4 &amp;times; 288 = 1152 times, so that every bit of the internal state depends on every bit of the key and of the IV in a complex nonlinear way.<br /> <br /> No taps appear on the first 64 bits of each shift register, so each novel state bit is not used until at least 64 rounds after it is generated. 
This is the key to Trivium's software performance and flexibility in hardware.<br /> <br /> ==Specification==<br /> Trivium may be specified very concisely using three recursive equations.&lt;ref&gt;[http://www.ecrypt.eu.org/stream/phorum/read.php?1,448 eSTREAM Phorum, 2006-02-20]&lt;/ref&gt; Each variable is an element of [[finite field|GF]](2); they can be represented as [[bit]]s, with &quot;+&quot; being [[Exclusive or|XOR]] and multiplication being [[Binary and|AND]].<br /> <br /> *''a''&lt;sub&gt;''i''&lt;/sub&gt; = ''c''&lt;sub&gt;''i''-66&lt;/sub&gt; + ''c''&lt;sub&gt;''i''-111&lt;/sub&gt; + ''c''&lt;sub&gt;''i''-110&lt;/sub&gt; ''c''&lt;sub&gt;''i''-109&lt;/sub&gt; + ''a''&lt;sub&gt;''i''-69&lt;/sub&gt;<br /> *''b''&lt;sub&gt;''i''&lt;/sub&gt; = ''a''&lt;sub&gt;''i''-66&lt;/sub&gt; + ''a''&lt;sub&gt;''i''-93&lt;/sub&gt; + ''a''&lt;sub&gt;''i''-92&lt;/sub&gt; ''a''&lt;sub&gt;''i''-91&lt;/sub&gt; + ''b''&lt;sub&gt;''i''-78&lt;/sub&gt;<br /> *''c''&lt;sub&gt;''i''&lt;/sub&gt; = ''b''&lt;sub&gt;''i''-69&lt;/sub&gt; + ''b''&lt;sub&gt;''i''-84&lt;/sub&gt; + ''b''&lt;sub&gt;''i''-83&lt;/sub&gt; ''b''&lt;sub&gt;''i''-82&lt;/sub&gt; + ''c''&lt;sub&gt;''i''-87&lt;/sub&gt;<br /> <br /> The output bits ''r''&lt;sub&gt;0&lt;/sub&gt; ... ''r''&lt;sub&gt;2&lt;sup&gt;64&lt;/sup&gt;-1&lt;/sub&gt; are then generated by<br /> <br /> *''r''&lt;sub&gt;''i''&lt;/sub&gt; = ''c''&lt;sub&gt;''i''-66&lt;/sub&gt; + ''c''&lt;sub&gt;''i''-111&lt;/sub&gt; + ''a''&lt;sub&gt;''i''-66&lt;/sub&gt; + ''a''&lt;sub&gt;''i''-93&lt;/sub&gt; + ''b''&lt;sub&gt;''i''-69&lt;/sub&gt; + ''b''&lt;sub&gt;''i''-84&lt;/sub&gt;<br /> <br /> Given an 80-bit key ''k''&lt;sub&gt;0&lt;/sub&gt; ... ''k''&lt;sub&gt;79&lt;/sub&gt; and an ''l''-bit IV ''v''&lt;sub&gt;0&lt;/sub&gt; ... ''v''&lt;sub&gt;''l''-1&lt;/sub&gt; (where 0 &amp;le; ''l'' &amp;le; 80), Trivium is initialized as follows:<br /> <br /> *(''a''&lt;sub&gt;-1245&lt;/sub&gt; ... ''a''&lt;sub&gt;-1153&lt;/sub&gt;) = (0, 0 ... 
0, ''k''&lt;sub&gt;0&lt;/sub&gt; ... ''k''&lt;sub&gt;79&lt;/sub&gt;)<br /> *(''b''&lt;sub&gt;-1236&lt;/sub&gt; ... ''b''&lt;sub&gt;-1153&lt;/sub&gt;) = (0, 0 ... 0, ''v''&lt;sub&gt;0&lt;/sub&gt; ... ''v''&lt;sub&gt;''l''-1&lt;/sub&gt;)<br /> *(''c''&lt;sub&gt;-1263&lt;/sub&gt; ... ''c''&lt;sub&gt;-1153&lt;/sub&gt;) = (1, 1, 1, 0, 0 ... 0)<br /> <br /> The large negative indices on the initial values reflect the 1152 steps that must take place before output is produced.<br /> <br /> To map a stream of bits ''r'' to a stream of bytes ''R'', we use the little-endian mapping ''R''&lt;sub&gt;''i''&lt;/sub&gt; = Σ&lt;sub&gt;''j''=0 ... 7&lt;/sub&gt; 2&lt;sup&gt;j&lt;/sup&gt; ''r''&lt;sub&gt;8''i''+j&lt;/sub&gt;.<br /> <br /> ==Performance==<br /> A straightforward hardware implementation of Trivium would use 3488 [[logic gate]]s and produce one bit per clock cycle. However, because each state bit is not used for at least 64 rounds, 64 state bits can be generated in parallel at a slightly greater hardware cost of 5504 gates. Different tradeoffs between speed and area are also possible.<br /> <br /> The same property allows an efficient bitslice implementation in software; performance testing by [[eSTREAM]] gives bulk encryption speeds of around 4 cycles/byte on some [[x86]] platforms, which compares well to the 19 cycles/byte of the [[Advanced Encryption Standard|AES]] reference implementation on the same platform.<br /> <br /> ==Security==<br /> {{quote|[Trivium] was designed<br /> as an exercise in exploring how far a stream cipher can be simplified without<br /> sacrificing its security, speed or flexibility. 
While simple designs are more likely<br /> to be vulnerable to simple, and possibly devastating, attacks (which is why we<br /> strongly discourage the use of Trivium at this stage), they certainly inspire<br /> more confidence than complex schemes, if they survive a long period of public<br /> scrutiny despite their simplicity.&lt;ref&gt;{{cite paper<br /> | author = [[Christophe De Cannière]], [[Bart Preneel]]<br /> | title = Trivium specifications<br /> | publisher = eSTREAM submitted papers<br /> | date = 2005-04-29<br /> | url = http://www.ecrypt.eu.org/stream/ciphers/trivium/trivium.pdf<br /> | format = [[PDF]]<br /> | accessdate = 2006-10-09<br /> }}&lt;/ref&gt;}}<br /> <br /> A 2007 attack recovers the internal state (and thus the key) in around 2&lt;sup&gt;89.5&lt;/sup&gt; steps (where each step is roughly the cost of a single trial in exhaustive search).&lt;ref&gt;{{cite paper<br /> | author = [[Alexander Maximov (cryptographer)|Alexander Maximov]], [[Alex Biryukov]]<br /> | title = Two Trivial Attacks on Trivium<br /> | publisher = Cryptology ePrint<br /> | date = 2007-01-23<br /> | url = http://mirror.cr.yp.to/eprint.iacr.org/2007/021<br /> | format = [[PDF]]<br /> }} (Table 6, page 11)&lt;/ref&gt; Reduced variants of Trivium using the same design principles have been broken using an equation-solving technique.&lt;ref&gt;{{cite paper<br /> | author = [[Håvard Raddum]]<br /> | title = Cryptanalytic results on Trivium<br /> | publisher = eSTREAM submitted papers<br /> | date = 2006-03-27<br /> | url = http://www.ecrypt.eu.org/stream/papersdir/2006/039.ps<br /> | format = [[PostScript]]<br /> | accessdate = 2006-10-09}}&lt;/ref&gt;. 
These attacks improve on the well-known time-space tradeoff attack on stream ciphers, which with Trivium's 288-bit internal state would take 2&lt;sup&gt;144&lt;/sup&gt; steps, and show that a variant on Trivium which made no change except to increase the key length beyond the 80 bits mandated by eSTREAM Profile 2 would not be secure.<br /> <br /> A 2008 paper on the [[Cryptology ePrint Archive]] claims to break Trivium with a differential attack with complexity 2&lt;sup&gt;68&lt;/sup&gt;;&lt;ref name=&quot;url_eprint_2008_443&quot;&gt;{{cite web |url=http://eprint.iacr.org/2008/443.pdf |title=Transforming chosen IV attack into a key differential attack: how to break TRIVIUM and similar designs |format= |work= |accessdate= |author=Enes Pasalic}}&lt;/ref&gt; however this attack has yet to be published in a peer-reviewed forum.<br /> <br /> A detailed justification of the design of Trivium is given in &lt;ref&gt;{{cite paper<br /> | author = [[Christophe De Cannière]], [[Bart Preneel]]<br /> | title = Trivium - A Stream Cipher Construction Inspired by Block Cipher Design Principles<br /> | publisher = eSTREAM submitted papers<br /> | date = 2006-01-02<br /> | url = http://www.ecrypt.eu.org/stream/papersdir/2006/021.pdf<br /> | format = [[PDF]]<br /> | accessdate = 2006-10-09<br /> }}&lt;/ref&gt;.<br /> <br /> ==References==<br /> &lt;references/&gt;<br /> <br /> <br /> ==External links==<br /> * [http://www.ecrypt.eu.org/stream/trivium.html eSTREAM page on Trivium]<br /> <br /> {{Crypto navbox | stream}}<br /> <br /> [[Category:Stream ciphers]]<br /> <br /> [[it:Trivium (cifrario)]]</div> Ciphergoth https://de.wikipedia.org/w/index.php?title=Trivium_(Algorithmus)&diff=83575929 Trivium (Algorithmus) 2008-08-23T09:40:41Z <p>Ciphergoth: Undo conversion of math to LaTeX - in general its use is recommended against on Wikipedia where normal HTML markup suffices.</p> <hr /> <div>[[Image:Trivium_(cipher).png|thumb|300px|right|Structure of Trivium]]<br /> <br /> 
{{otheruses|Trivium}}<br /> <br /> '''Trivium''' is a synchronous [[stream cipher]] designed to provide a flexible trade-off between speed and [[gate count]] in hardware, and reasonably efficient software implementation. <br /> <br /> It was submitted to the Profile II (hardware) of the [[eSTREAM]] competition by its authors, [[Christophe De Cannière]] and [[Bart Preneel]], and has been selected as part of the portfolio for Profile 2 by the eSTREAM project. It is not patented.<br /> <br /> It generates up to 2&lt;sup&gt;64&lt;/sup&gt; [[bit]]s of output from an 80-bit [[key length|key]] and an 80-bit [[initialization vector|IV]]. It is the simplest eSTREAM entrant, and shows remarkable resistance to cryptanalysis for its simplicity.<br /> <br /> ==Description==<br /> Trivium's 288-bit internal state consists of three [[shift register]]s of different lengths. At each round, a bit is shifted into each of the three shift registers using a non-linear combination of taps from that and one other register; one bit of output is produced. To initialize the cipher, the key and IV are written into two of the shift registers, with the remaining bits starting in a fixed pattern; the cipher state is then updated 4 &amp;times; 288 = 1152 times, so that every bit of the internal state depends on every bit of the key and of the IV in a complex nonlinear way.<br /> <br /> No taps appear on the first 64 bits of each shift register, so each novel state bit is not used until at least 64 rounds after it is generated. 
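The following is an added worked example, not code from the article or from the eSTREAM project: it implements the three recurrences, the output equation, the initialisation and the little-endian byte mapping exactly as given under Specification in each of the Trivium revisions above, and it also implements the 64-rounds-at-once step that the "no taps on the first 64 bits" property just described makes possible, so the two can be checked against each other. Two details the article leaves open are assumed here and marked as such in the code: key and IV bytes are unpacked to bits with the same little-endian rule the article gives for keystream bytes, and each register is stored newest-bit-first. Because of the first assumption no agreement with the official eSTREAM test vectors is claimed; the sample key, IV and message are constructed for illustration.

```python
"""Trivium from the recurrences on this page (added example, not eSTREAM's code).

Assumptions the page does not fix: key and IV bytes are unpacked with the same
little-endian rule the page gives for keystream bytes (bit j of byte i is
k_{8i+j}); registers are stored newest-bit-first, so c_{i-66} is C[65].
Output is therefore not claimed to match the official eSTREAM test vectors.
"""
from typing import List


def bits_le(data: bytes) -> List[int]:
    """Bit j of byte i goes to position 8*i + j."""
    return [(byte >> j) & 1 for byte in data for j in range(8)]


def bytes_le(bits: List[int]) -> bytes:
    """Inverse of bits_le: R_i = sum over j of 2^j * r_{8i+j}, as on the page."""
    return bytes(sum(bits[i + j] << j for j in range(8)) for i in range(0, len(bits), 8))


class Trivium:
    """Registers A (93 bits), B (84) and C (111); index 0 holds the newest bit."""

    def __init__(self, key: bytes, iv: bytes) -> None:
        if len(key) != 10 or len(iv) > 10:
            raise ValueError("key must be exactly 80 bits, IV at most 80 bits")
        k, v = bits_le(key), bits_le(iv)
        self.A = k[::-1] + [0] * (93 - len(k))   # (0 ... 0, k_0 ... k_79): k_79 newest
        self.B = v[::-1] + [0] * (84 - len(v))   # (0 ... 0, v_0 ... v_{l-1})
        self.C = [0] * 108 + [1, 1, 1]           # (1, 1, 1, 0 ... 0): oldest three set
        for _ in range(4 * 288):                 # 1152 warm-up rounds, output discarded
            self.clock()

    def clock(self) -> int:
        """One round: shift a new bit into each register and return r_i."""
        A, B, C = self.A, self.B, self.C
        t1 = A[65] ^ A[92]                  # a_{i-66} + a_{i-93}
        t2 = B[68] ^ B[83]                  # b_{i-69} + b_{i-84}
        t3 = C[65] ^ C[110]                 # c_{i-66} + c_{i-111}
        a = t3 ^ (C[108] & C[109]) ^ A[68]  # a_i: + c_{i-110} c_{i-109} + a_{i-69}
        b = t1 ^ (A[90] & A[91]) ^ B[77]    # b_i: + a_{i-92} a_{i-91} + b_{i-78}
        c = t2 ^ (B[81] & B[82]) ^ C[86]    # c_i: + b_{i-83} b_{i-82} + c_{i-87}
        A.insert(0, a); A.pop()
        B.insert(0, b); B.pop()
        C.insert(0, c); C.pop()
        return t1 ^ t2 ^ t3                 # r_i

    def clock64(self) -> List[int]:
        """64 rounds in one step, the trick behind the 64-bit-word software and
        5504-gate hardware variants: no tap reads the 64 newest bits of any
        register, so every index read below (the smallest is 65 - 63 = 2) is a
        bit that was already present before this call."""
        A, B, C = self.A, self.B, self.C
        out, na, nb, nc = [], [], [], []
        for j in range(64):
            t1 = A[65 - j] ^ A[92 - j]
            t2 = B[68 - j] ^ B[83 - j]
            t3 = C[65 - j] ^ C[110 - j]
            out.append(t1 ^ t2 ^ t3)
            na.append(t3 ^ (C[108 - j] & C[109 - j]) ^ A[68 - j])
            nb.append(t1 ^ (A[90 - j] & A[91 - j]) ^ B[77 - j])
            nc.append(t2 ^ (B[81 - j] & B[82 - j]) ^ C[86 - j])
        # Newest bit first; the 64 oldest bits of each register fall off the end.
        self.A, self.B, self.C = na[::-1] + A[:29], nb[::-1] + B[:20], nc[::-1] + C[:47]
        return out

    def keystream(self, nbytes: int) -> bytes:
        return bytes_le([self.clock() for _ in range(8 * nbytes)])


def xor_stream(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt: the same XOR with the keystream in both directions."""
    return bytes(x ^ y for x, y in zip(data, Trivium(key, iv).keystream(len(data))))


def parallel_matches_serial(key: bytes, iv: bytes, blocks: int = 4) -> bool:
    """True if clock64 yields exactly what 64 calls to clock yield, state included."""
    serial, fast = Trivium(key, iv), Trivium(key, iv)
    for _ in range(blocks):
        if [serial.clock() for _ in range(64)] != fast.clock64():
            return False
    return (serial.A, serial.B, serial.C) == (fast.A, fast.B, fast.C)


# Constructed sample values for illustration, not official test vectors.
SAMPLE_KEY = bytes(range(10))
SAMPLE_IV = bytes([0x80] + [0] * 9)

if __name__ == "__main__":
    ct = xor_stream(SAMPLE_KEY, SAMPLE_IV, b"attack at dawn")
    print(ct.hex(), xor_stream(SAMPLE_KEY, SAMPLE_IV, ct))
    print("64-way step matches serial:", parallel_matches_serial(SAMPLE_KEY, SAMPLE_IV))
```

`parallel_matches_serial` is the check worth keeping next to any word-parallel or hardware-unrolled Trivium: it confirms that both the 64 output bits and the resulting 288-bit state agree with the bit-at-a-time definition. The usual stream-cipher caveat applies unchanged to Trivium: `xor_stream` with the same key and IV reproduces the same keystream, so two messages encrypted under one (key, IV) pair leak their XOR; the IV must never repeat under a key.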
This is the key to Trivium's software performance and flexibility in hardware.<br /> <br /> ==Specification==<br /> Trivium may be specified very concisely using three recursive equations.&lt;ref&gt;[http://www.ecrypt.eu.org/stream/phorum/read.php?1,448 eSTREAM Phorum, 2006-02-20]&lt;/ref&gt; Each variable is an element of [[finite field|GF]](2); they can be represented as [[bit]]s, with &quot;+&quot; being [[Exclusive or|XOR]] and multiplication being [[Binary and|AND]].<br /> <br /> *''a''&lt;sub&gt;''i''&lt;/sub&gt; = ''c''&lt;sub&gt;''i''-66&lt;/sub&gt; + ''c''&lt;sub&gt;''i''-111&lt;/sub&gt; + ''c''&lt;sub&gt;''i''-110&lt;/sub&gt; ''c''&lt;sub&gt;''i''-109&lt;/sub&gt; + ''a''&lt;sub&gt;''i''-69&lt;/sub&gt;<br /> *''b''&lt;sub&gt;''i''&lt;/sub&gt; = ''a''&lt;sub&gt;''i''-66&lt;/sub&gt; + ''a''&lt;sub&gt;''i''-93&lt;/sub&gt; + ''a''&lt;sub&gt;''i''-92&lt;/sub&gt; ''a''&lt;sub&gt;''i''-91&lt;/sub&gt; + ''b''&lt;sub&gt;''i''-78&lt;/sub&gt;<br /> *''c''&lt;sub&gt;''i''&lt;/sub&gt; = ''b''&lt;sub&gt;''i''-69&lt;/sub&gt; + ''b''&lt;sub&gt;''i''-84&lt;/sub&gt; + ''b''&lt;sub&gt;''i''-83&lt;/sub&gt; ''b''&lt;sub&gt;''i''-82&lt;/sub&gt; + ''c''&lt;sub&gt;''i''-87&lt;/sub&gt;<br /> <br /> The output bits ''r''&lt;sub&gt;0&lt;/sub&gt; ... ''r''&lt;sub&gt;2&lt;sup&gt;64&lt;/sup&gt;-1&lt;/sub&gt; are then generated by<br /> <br /> *''r''&lt;sub&gt;''i''&lt;/sub&gt; = ''c''&lt;sub&gt;''i''-66&lt;/sub&gt; + ''c''&lt;sub&gt;''i''-111&lt;/sub&gt; + ''a''&lt;sub&gt;''i''-66&lt;/sub&gt; + ''a''&lt;sub&gt;''i''-93&lt;/sub&gt; + ''b''&lt;sub&gt;''i''-69&lt;/sub&gt; + ''b''&lt;sub&gt;''i''-84&lt;/sub&gt;<br /> <br /> Given an 80-bit key ''k''&lt;sub&gt;0&lt;/sub&gt; ... ''k''&lt;sub&gt;79&lt;/sub&gt; and an ''l''-bit IV ''v''&lt;sub&gt;0&lt;/sub&gt; ... ''v''&lt;sub&gt;''l''-1&lt;/sub&gt; (where 0 &amp;le; ''l'' &amp;le; 80), Trivium is initialized as follows:<br /> <br /> *(''a''&lt;sub&gt;-1245&lt;/sub&gt; ... ''a''&lt;sub&gt;-1153&lt;/sub&gt;) = (0, 0 ... 
0, ''k''&lt;sub&gt;0&lt;/sub&gt; ... ''k''&lt;sub&gt;79&lt;/sub&gt;)<br /> *(''b''&lt;sub&gt;-1236&lt;/sub&gt; ... ''b''&lt;sub&gt;-1153&lt;/sub&gt;) = (0, 0 ... 0, ''v''&lt;sub&gt;0&lt;/sub&gt; ... ''v''&lt;sub&gt;''l''-1&lt;/sub&gt;)<br /> *(''c''&lt;sub&gt;-1263&lt;/sub&gt; ... ''c''&lt;sub&gt;-1153&lt;/sub&gt;) = (1, 1, 1, 0, 0 ... 0)<br /> <br /> The large negative indices on the initial values reflect the 1152 steps that must take place before output is produced.<br /> <br /> To map a stream of bits ''r'' to a stream of bytes ''R'', we use the little-endian mapping ''R''&lt;sub&gt;''i''&lt;/sub&gt; = Σ&lt;sub&gt;''j''=0 ... 7&lt;/sub&gt; 2&lt;sup&gt;j&lt;/sup&gt; ''r''&lt;sub&gt;8''i''+j&lt;/sub&gt;.<br /> <br /> ==Performance==<br /> A straightforward hardware implementation of Trivium would use 3488 [[logic gate]]s and produce one bit per clock cycle. However, because each state bit is not used for at least 64 rounds, 64 state bits can be generated in parallel at a slightly greater hardware cost of 5504 gates. Different tradeoffs between speed and area are also possible.<br /> <br /> The same property allows an efficient bitslice implementation in software; performance testing by [[eSTREAM]] gives bulk encryption speeds of around 4 cycles/byte on some [[x86]] platforms, which compares well to the 19 cycles/byte of the [[Advanced Encryption Standard|AES]] reference implementation on the same platform.<br /> <br /> ==Security==<br /> {{quote|[Trivium] was designed<br /> as an exercise in exploring how far a stream cipher can be simplified without<br /> sacrificing its security, speed or flexibility. 
While simple designs are more likely<br /> to be vulnerable to simple, and possibly devastating, attacks (which is why we<br /> strongly discourage the use of Trivium at this stage), they certainly inspire<br /> more confidence than complex schemes, if they survive a long period of public<br /> scrutiny despite their simplicity.&lt;ref&gt;{{cite paper<br /> | author = [[Christophe De Cannière]], [[Bart Preneel]]<br /> | title = Trivium specifications<br /> | publisher = eSTREAM submitted papers<br /> | date = 2005-04-29<br /> | url = http://www.ecrypt.eu.org/stream/ciphers/trivium/trivium.pdf<br /> | format = [[PDF]]<br /> | accessdate = 2006-10-09<br /> }}&lt;/ref&gt;}}<br /> As of November [[2007]], no cryptanalytic attacks better than [[brute force attack]] are known. The best attack recovers the internal state (and thus the key) in around 2&lt;sup&gt;89.5&lt;/sup&gt; steps (where each step is roughly the cost of a single trial in exhaustive search).&lt;ref&gt;{{cite paper<br /> | author = [[Alexander Maximov (cryptographer)|Alexander Maximov]], [[Alex Biryukov]]<br /> | title = Two Trivial Attacks on Trivium<br /> | publisher = Cryptology ePrint<br /> | date = 2007-01-23<br /> | url = http://mirror.cr.yp.to/eprint.iacr.org/2007/021<br /> | format = [[PDF]]<br /> }} (Table 6, page 11)&lt;/ref&gt; Reduced variants of Trivium using the same design principles have been broken using an equation-solving technique.&lt;ref&gt;{{cite paper<br /> | author = [[Håvard Raddum]]<br /> | title = Cryptanalytic results on Trivium<br /> | publisher = eSTREAM submitted papers<br /> | date = 2006-03-27<br /> | url = http://www.ecrypt.eu.org/stream/papersdir/2006/039.ps<br /> | format = [[PostScript]]<br /> | accessdate = 2006-10-09}}&lt;/ref&gt;. 
These attacks improve on the well-known time-space tradeoff attack on stream ciphers, which with Trivium's 288-bit internal state would take 2&lt;sup&gt;144&lt;/sup&gt; steps, and show that a variant on Trivium which made no change except to increase the key length beyond the 80 bits mandated by eSTREAM Profile 2 would not be secure.<br /> <br /> A detailed justification of the design of Trivium is given in &lt;ref&gt;{{cite paper<br /> | author = [[Christophe De Cannière]], [[Bart Preneel]]<br /> | title = Trivium - A Stream Cipher Construction Inspired by Block Cipher Design Principles<br /> | publisher = eSTREAM submitted papers<br /> | date = 2006-01-02<br /> | url = http://www.ecrypt.eu.org/stream/papersdir/2006/021.pdf<br /> | format = [[PDF]]<br /> | accessdate = 2006-10-09<br /> }}&lt;/ref&gt;.<br /> <br /> ==References==<br /> &lt;references/&gt;<br /> <br /> <br /> ==External links==<br /> * [http://www.ecrypt.eu.org/stream/trivium.html eSTREAM page on Trivium]<br /> <br /> {{Crypto navbox | stream}}<br /> <br /> [[Category:Stream ciphers]]</div> Ciphergoth https://de.wikipedia.org/w/index.php?title=Advanced_Vector_Extensions&diff=92348954 Advanced Vector Extensions 2008-07-21T11:01:45Z <p>Ciphergoth: add crypto instructions AESENC and CLMUL</p> <hr /> <div>The Intel Advanced Vector Extensions is a set of [[SIMD]] instructions announced by [[Intel]] at the Spring [[Intel Developer Forum]] in April 2008. 
These instructions will appear on 2010 Intel processors such as [[Sandy Bridge (microarchitecture)|Sandy Bridge]].<br /> <br /> White papers are available at the Intel Software Network site for Intel AVX.&lt;ref&gt;{{cite web | url=http://softwareprojects.intel.com/avx/ | title=Intel Software Network | publisher=[[Intel]] | accessdate=2008-04-05}}&lt;/ref&gt; There is also an online reference manual.&lt;ref&gt;{{cite web | url=http://softwarecommunity.intel.com/isn/downloads/intelavx/Intel-AVX-Programming-Reference-31943302.pdf | title=Intel Advanced Vector Extensions Programming Reference | publisher=[[Intel]] | accessdate=2008-04-05}}&lt;/ref&gt;<br /> <br /> ==Features==<br /> <br /> ===General===<br /> <br /> *Suited for highly FP intensive workloads. <br /> **Multimedia processing. <br /> **3D modeling. <br /> **Scientific simulation. <br /> **Financial analysis. <br /> *Up to 256-bit wide vector FP data. <br /> *3 and 4 operands supported. <br /> *Power efficient, idle power usage is insignificant. <br /> *Up to 2x the [[FLOPS]] compared to before, due to the wider vectors supported. <br /> *Performance scales with threads, cores, and interconnects. <br /> *Programming flexibility. <br /> *Improves performance of both existing and new applications that benefit from AVX. <br /> <br /> ===Cryptography===<br /> <br /> *[[Advanced Encryption Standard|AES]] acceleration instructions<br /> *PCLMULQDQ instruction useful for [[finite field]] arithmetic in GF(2&lt;sup&gt;n&lt;/sup&gt;) and thus implementation of [[elliptic curve cryptography]].<br /> <br /> ===Instructions===<br /> <br /> *&gt; 200 legacy Intel SSE instructions are updated to handle flexible memory alignment and distinct source operands. <br /> *&lt; 100 legacy Intel SSE instructions are updated to support 256-bit vectors. <br /> *&lt; 100 new instructions. <br /> *Broadcast, permute, fused multiply-add instructions. 
<br /> *4 operand instructions include: FMA, generalized shuffles, and blending of variables. <br /> <br /> ===Future===<br /> <br /> *Built-in future scalability. <br /> *256- and 512-bit vector integers. <br /> *512- and 1024-bit vector FPs. <br /> <br /> ==Future Intel instructions==<br /> <br /> Intel will introduce hardware FMA (fused multiply-add) in 2011 (or later). [http://pc.watch.impress.co.jp/docs/2008/0407/kaigai434.htm] These instructions may arrive with the [[22 nanometer|22 nm]] process, also slated for 2011.<br /> <br /> ==References==<br /> {{reflist}}<br /> <br /> ==See also==<br /> * [[Streaming SIMD Extensions|SSE]], [[SSE2]], [[SSE3]], [[SSSE3]], [[SSE4]], [[SSE5]]<br /> <br /> <br /> [[Category:X86 instructions]]<br /> [[Category:SIMD computing]]<br /> [[pl:AVX]]</div> Ciphergoth https://de.wikipedia.org/w/index.php?title=Aga-Khan-Stiftung&diff=62623105 Aga-Khan-Stiftung 2008-06-26T12:28:34Z <p>Ciphergoth: Wikipedia doesn&#039;t tend to use honorifics like this.</p> <hr /> <div>[[Image:Akf-title logo.gif|right|250px]]<br /> <br /> The '''Aga Khan Foundation &lt;small&gt;[http://www.akdn.org/agency/akf.html (AKF)]&lt;/small&gt;''' is a non-denominational, [[non-governmental organization|non-governmental]], [[international development|development agency]] founded in [[1967]] by [[Aga Khan IV]]. The Foundation aims to develop and promote creative solutions to problems that impede social development, primarily in Asia and East Africa. Based in [[Geneva]], [[Switzerland]], it has branches and independent affiliates in 15 countries. The Aga Khan Foundation is an agency of the [[Aga Khan Development Network]].<br /> <br /> ==Areas of focus==<br /> The Aga Khan Foundation concentrates its resources on selected issues in [[health]], [[education]], [[Rural community development|rural development]] and the strengthening of [[civil society]]. 
Seeking innovative approaches to generic problems, it tries to identify solutions that can be adapted to conditions in many different regions and replicated.<br /> <br /> Cross-cutting issues that are also addressed by the Foundation include Human Resource Development, Community Participation, Gender and Development and issues of the Environment.<br /> <br /> ==Funding and grant making==<br /> The Aga Khan Foundation is the principal grant-making agency for social development within the [[Ismaili|Shia Ismaili]] Imamat. The Āgā Khān provides the Foundation with regular funding for administration and new programme initiatives as well as contributions to its endowment. The Ismaili community contributes volunteer time, professional services and substantial financial resources. Other funding sources include income from investments and grants from government, institutional and private sector partners - as well as donations from individuals around the world. <br /> <br /> Grants are normally made to non-governmental organisations that share the Foundation’s goals. In some cases, where there is no appropriate partner, the Foundation may help to create a new civil society organisation or may manage projects directly. In [[2004]], the foundation provided $149 million [[USD]] in grants for 130 projects located in 16 countries.<br /> <br /> ==Awards and recognition==<br /> Among other recognition for its work, the Foundation received the 2005 Award for Most Innovative Development Project from the [[Global Development Awards and Medals Competition|Global Development Network]] for the Aga Khan Rural Support Programme (AKRSP) in Pakistan.[http://www.gdnet.org/middle.php?primary_link_id=3&amp;secondary_link_id=9]<br /> <br /> ==Geographic focus==<br /> The Foundation normally intervenes where it has a strong volunteer base. 
It is currently active in the following countries:<br /> *[[Afghanistan]]<br /> *[[Bangladesh]]<br /> *[[Canada]] - [http://www.akfc.ca/ Aga Khan Foundation Canada]<br /> *[[India]] - [http://www.akdn.org/agency/akpbs.html/ Aga Khan Foundation India]<br /> *[[Kenya]]<br /> *[[Kyrgyzstan]]<br /> *[[Mozambique]]<br /> *[[Pakistan]]<br /> *[[Portugal]] - [http://www.fakp.pt/ Fundação Aga Khan]<br /> *[[Switzerland]]<br /> *[[Syria]]<br /> *[[Tajikistan]]<br /> *[[Tanzania]]<br /> *[[Uganda]]<br /> *[[United Kingdom]] - [http://www.akf.org.uk/ Aga Khan Foundation United Kingdom]<br /> *[[United States of America]] - [http://www.akfusa.org/ Aga Khan Foundation USA]<br /> <br /> ==Sources==<br /> *{{cite web |url=http://www.akdn.org/akf/AKF%20Annual%20Report%202005.pdf |title=Aga Khan Foundation Annual Report 2005 |format=PDF |accessdate=2006-12-01}}<br /> <br /> ==External links==<br /> *[http://www.akdn.org/agency/akf.html Aga Khan Foundation (website)]<br /> <br /> [[Category:Aga Khan Development Network|Foundation]]<br /> [[Category:Development charities]]<br /> [[Category:Humanitarian aid organizations]]<br /> [[Category:Organizations established in 1967]]<br /> [[Category:International nongovernmental organizations]]<br /> [[Category:Rural community development]]</div> Ciphergoth https://de.wikipedia.org/w/index.php?title=Kuckuckskinder_(Roman)&diff=63291599 Kuckuckskinder (Roman) 2008-04-12T16:09:43Z <p>Ciphergoth: restore missing bracket elsewhere</p> <hr /> <div>'''''The Midwich Cuckoos''''' is a [[science fiction]] [[novel]] written by English author [[John Wyndham]], published in [[1957 in literature|1957]]. It has been filmed twice as ''Village of the Damned''.<br /> <br /> ==Plot summary==<br /> <br /> The novel is set largely within the eponymous Midwich, Winshire, a typical small English village. 
A series of incidents near to the village one day establishes that anybody who passes a certain boundary line falls instantly unconscious; the effect extends completely around Midwich, with the unconsciousness vanishing as soon as a person re-crosses the boundary. Experimentation rules out any chemical or biological effect, whilst aerial photography reveals a peculiar silver object on the ground in the village itself. Police officers outside the boundary line use a canary in a cage to deduce the size and shape of the line, finding it to be perfectly spherical, and, after further investigation, the shape of a hemisphere.<br /> <br /> After a period of one day the effect vanishes, along with the object. The villagers wake, apparently with no ill-effects. Some months later a follow-up study reveals that every woman of child-bearing age is pregnant, with all indications that the pregnancies were initiated on the &quot;Dayout&quot;. <br /> <br /> When the children are born they appear normal, except that they all have blonde hair and unusual golden eyes, and their hair-strands have one flat edge, rather like a '''D'''. They have a very silver pale skin. If one of the women were not already pregnant before the &quot;Dayout&quot;, there would be exactly thirty-one boys and thirty-one girls. Because one of the women in Midwich was already pregnant, the numbers were off, and the &quot;Dayout&quot; only resulted in thirty females. They have none of the genetic characteristics of their parents. As they grow up, it becomes apparent that they are at least in some respects inhuman. They experience accelerated growth and are able to use their minds to force their will on others, controlling their actions. Also, they share two distinct group minds, one for the boys, and one for the girls. 
The children gradually begin to exert a bigger and bigger effect on the villagers, killing several of them in retaliation for perceived attacks.<br /> <br /> The villagers learn that the same thing has taken place in other parts of the world: an [[Inuit]] settlement in the [[Canada|Canadian]] [[Arctic]], a [[cattle station]] in Australia's [[Northern Territory]], and a rural [[Siberia]]n village. The Inuit instinctively killed their newborn children, sensing they were not their own, while the Australian babies had all died within a few weeks, suggesting that something went wrong with the insemination process. In Siberia, the village was destroyed by the Soviet government, using long-range artillery.<br /> <br /> The children are aware of the threat against them, and use their power to prevent any aeroplanes from flying over the village. Realising that the only way to destroy the children is to trick them, an elderly Midwich citizen uses their trust in him to gather them together. Some projecting equipment he has brought with him to show slides turns out to be a bomb, which he uses to kill himself and all the children.<br /> <br /> The title is a reference to the [[cuckoos|cuckoo]], which lays its eggs in the nest of other birds in the hopes that they will raise the cuckoo's offspring as their own.<br /> <br /> ==Major themes==<br /> The novel's theme is of society being subverted from within by a force which infiltrates one of its most cherished aspects; children. <br /> <br /> The subtext of the book is subtle and can easily be lost in the text. Throughout the book, many different philosophies and their merits are discussed and argued through as a way of coming to terms with the events told of in the story. 
Also, we see the Russian/Communist reaction to what is an exactly paralleled plot situation.<br /> <br /> While the book could be criticised for neglecting its large number of female characters (two central female characters leave the narrative halfway through, never to come back), some of them are well-developed. Most notable is Angela Zellaby, who is continually reining in her high-minded and sentimentally modern husband/academic into the true nature and facts of the situation at hand. She is also the first to grasp the realities of the situation. But it is true to say that no female character takes a direct hand in changing matters or affecting the situation.<br /> <br /> Wyndham's writing style is quite accessible and the novel remains popular.<br /> <br /> ==Adaptations==<br /> The novel was filmed as ''[[Village of the Damned (1960 movie)|Village of the Damned]]'' in 1960, with (unusual for [[science fiction film]]s made in that era) a script that was fairly faithful to the book. A sequel, ''[[Children of the Damned]]'', followed shortly after, and there was also a [[Village of the Damned (1995 film)|colour remake]] of the original in [[1995]] by [[John Carpenter]] set in &quot;Midwich, California&quot;, and starring [[Christopher Reeve]] in his last film role before he was paralysed in a riding accident. This movie also included [[Kirstie Alley]] as the government official Susan, a female character not present in the original novel. There have also been several radio adaptations by the [[BBC]]. A dramatisation for BBC World Service by William Ingram featured [[Charles Kay]] (Bernard Westcot), [[Manning Wilson]] (Gordon Zellaby), [[William Gaunt]] (Richard Gayford), and [[Pauline Yates]] (Angela Zellaby). In 2003, BBC Radio 4 aired a version by [[Dan Rebellato]] which starred [[Bill Nighy]] (Richard), [[Sarah Parish]] (Janet), and [[Clive Merrison]] (Zellaby). The latter version was released on CD by BBC Audiobooks in 2007. 
<br /> <br /> Wyndham began work on a sequel novel, ''Midwich Main'', which he abandoned after only a few chapters.<br /> <br /> The Thai film [[Kawow Tee Bangpleng]] ([[Cuckoos at Bangpleng]]) is a localized take on the story, based on a book that clearly borrows wholesale, and without attribution, from Wyndham's novel. The Thai version contains intriguing differences due to the confrontation between the alien intelligences and Buddhist philosophy.&lt;ref&gt;[http://www.aycyas.com/cuckoosatbangpleng.htm And You Call Yourself a Scientist! - Cuckoos at Bangpleng (1994)&lt;!-- Bot generated title --&gt;]&lt;/ref&gt;<br /> <br /> ==Allusions/references from other works==<br /> The [[Stepford Cuckoos]], a group of [[New X-Men]] characters, were partly inspired by the Midwich Cuckoos.<br /> <br /> In ''[[The Simpsons]]'' episode, '[[Wild Barts Can't Be Broken]]', the children go to see a film entitled 'The Bloodening', a parody of ''Village of the Damned''. The children in the film look like those from the film adaptation of ''The Midwich Cuckoos''.<br /> <br /> [[The Befort Children]] from the anime ''[[Fantastic Children]]'' were also inspired by the Midwich Cuckoos. <br /> <br /> ''[[1440 Cuckoo]]'' is a song written in 2006 by British singer/songwriter [[Pete Doherty]] and was inspired by the serial number of the Penguin edition of the novel which Doherty read while in rehab at the Priory in London.<br /> <br /> In ''[[Smallville (TV series)|Smallville]]'', episode 9 of season 3, entitled &quot;Asylum&quot; (2004), one of the characters is reading &quot;The Midwich Cuckoos,&quot; which proves to be prophetic about that character.<br /> <br /> In [[Catherine Jinks]]'s book ''[[Evil Genius]]'', teachers of the main character, Cadel, speculate about the possibility of his resemblance to the children in ''The Midwich Cuckoos''.<br /> <br /> The plot of the novel [[Beetle in the Anthill]] by [[Boris and Arkady Strugatsky]] is somewhat similar. 
Authorities of Earth have a great fear of the group of [[Foundlings (Noon Universe)|foundling]] children, alleged to be [[Wanderers (Noon_Universe)|Wanderers]]' spies and probably even non-human. These children were moved out of Earth by a secret order of government, but later one of them came back to Earth and was killed by Earth's security service.<br /> <br /> ==Notes==<br /> <br /> {{reflist}}<br /> <br /> {{John Wyndham}}<br /> <br /> {{DEFAULTSORT:Midwich Cuckoos, The}}<br /> [[Category:Science fiction novels]]<br /> [[Category:1957 novels]]<br /> [[Category:Novels by John Wyndham]]<br /> <br /> [[fr:Le Village des damnés (roman)]]</div> Ciphergoth https://de.wikipedia.org/w/index.php?title=Kuckuckskinder_(Roman)&diff=63291598 Kuckuckskinder (Roman) 2008-04-12T16:06:51Z <p>Ciphergoth: remove spurious bracket</p> <hr /> <div>'''''The Midwich Cuckoos''''' is a [[science fiction]] [[novel]] written by English author [[John Wyndham]], published in [[1957 in literature|1957]]. It has been filmed twice as ''Village of the Damned''.<br /> <br /> ==Plot summary==<br /> <br /> The novel is set largely within the eponymous Midwich, Winshire, a typical small English village. A series of incidents near to the village one day establishes that anybody who passes a certain boundary line falls instantly unconscious; the effect extends completely around Midwich, with the unconsciousness vanishing as soon as a person re-crosses the boundary. Experimentation rules out any chemical or biological effect, whilst aerial photography reveals a peculiar silver object on the ground in the village itself. Police officers outside the boundary line use a canary in a cage to deduce the size and shape of the line, finding it to be perfectly spherical, and, after further investigation, the shape of a hemisphere.<br /> <br /> After a period of one day the effect vanishes, along with the object. The villagers wake, apparently with no ill-effects. 
Some months later a follow-up study reveals that every woman of child-bearing age is pregnant, with all indications that the pregnancies were initiated on the &quot;Dayout&quot;. <br /> <br /> When the children are born they appear normal, except that they all have blonde hair and unusual golden eyes, and their hair-strands have one flat edge, rather like a '''D'''. They have a very silver pale skin. If one of the women were not already pregnant before the &quot;Dayout&quot;, there would be exactly thirty-one boys and thirty-one girls. Because one of the women in Midwich was already pregnant, the numbers were off, and the &quot;Dayout&quot; only resulted in thirty females. They have none of the genetic characteristics of their parents. As they grow up, it becomes apparent that they are at least in some respects inhuman. They experience accelerated growth and are able to use their minds to force their will on others, controlling their actions. Also, they share two distinct group minds, one for the boys, and one for the girls. The children gradually begin to exert a bigger and bigger effect on the villagers, killing several of them in retaliation for perceived attacks.<br /> <br /> The villagers learn that the same thing has taken place in other parts of the world: an [[Inuit]] settlement in the [[Canada|Canadian]] [[Arctic]], a [[cattle station]] in Australia's [[Northern Territory]], and a rural [[Siberia]]n village. The Inuit instinctively killed their newborn children, sensing they were not their own, while the Australian babies had all died within a few weeks, suggesting that something went wrong with the insemination process. In Siberia, the village was destroyed by the Soviet government, using long-range artillery.<br /> <br /> The children are aware of the threat against them, and use their power to prevent any aeroplanes from flying over the village. 
Realising that the only way to destroy the children is to trick them, an elderly Midwich citizen uses their trust in him to gather them together. Some projecting equipment he has brought with him to show slides turns out to be a bomb, which he uses to kill himself and all the children.<br /> <br /> The title is a reference to the [[cuckoos|cuckoo]], which lays its eggs in the nest of other birds in the hopes that they will raise the cuckoo's offspring as their own.<br /> <br /> ==Major themes==<br /> The novel's theme is of society being subverted from within by a force which infiltrates one of its most cherished aspects; children. <br /> <br /> The subtext of the book is subtle and can easily be lost in the text. Throughout the book, many different philosophies and their merits are discussed and argued through as a way of coming to terms with the events told of in the story. Also, we see the Russian/Communist reaction to what is an exactly paralleled plot situation.<br /> <br /> While the book could be criticised for neglecting its large number of female characters (two central female characters leave the narrative halfway through, never to come back) some of them are well-developed. Most notable is Angela Zellaby who is continually reining in her high-minded and sentimentally modern husband/academic into the true nature and facts of the situation at hand. She is also the first to grasp the realities of the situation. But it is true to say that no female character takes a direct hand in changing matters or affecting the situation.<br /> <br /> Wyndham's writing style is quite accessible and the novel remains popular.<br /> <br /> ==Adaptations==<br /> The novel was filmed as ''[[Village of the Damned (1960 movie)|Village of the Damned]]'' in 1960, with (unusual for [[science fiction film]]s made in that era) a script that was fairly faithful to the book. 
A sequel, ''[[Children of the Damned]]'', followed shortly after, and there was also a [[Village of the Damned (1995 film)|colour remake]] of the original in [[1995]] by [[John Carpenter]] set in &quot;Midwich, California&quot;, and starring [[Christopher Reeve]] in his last film role before he was paralysed in a riding accident. This movie also included [[Kirstie Alley]] as the government official Susan, a female character not present in the original novel. There have also been several radio adaptations by the [[BBC]]. A dramatisation for BBC World Service by William Ingram featured [[Charles Kay]] (Bernard Westcot), [[Manning Wilson]] (Gordon Zellaby), [[William Gaunt]] (Richard Gayford), and [[Pauline Yates]] (Angela Zellaby). In 2003, BBC Radio 4 aired a version by [[Dan Rebellato]] which starred [[Bill Nighy]] (Richard), [[Sarah Parish]] (Janet), and [[Clive Merrison]] (Zellaby). The latter version was released on CD by BBC Audiobooks in 2007. <br /> <br /> Wyndham began work on a sequel novel, ''Midwich Main'', which he abandoned after only a few chapters.<br /> <br /> The Thai film [[Kawow Tee Bangpleng]] ([[Cuckoos at Bangpleng]]) is a localized take on the story, based on a book that clearly borrows wholesale, and without attribution, from Wyndham's novel. The Thai version contains intriguing differences due to the confrontation between the alien intelligences and Buddhist philosophy.&lt;ref&gt;[http://www.aycyas.com/cuckoosatbangpleng.htm And You Call Yourself a Scientist! - Cuckoos at Bangpleng (1994)&lt;!-- Bot generated title --&gt;]&lt;/ref&gt;<br /> <br /> ==Allusions/references from other works==<br /> The [[Stepford Cuckoos]], a group of [[New X-Men]] characters, were partly inspired by the Midwich Cuckoos.<br /> <br /> In ''[[The Simpsons]]'' episode, '[[Wild Barts Can't Be Broken]]', the children go to see a film entitled 'The Bloodening', a parody of ''Village of the Damned''. 
The children in the film look like those from the film adaptation of ''The Midwich Cuckoos''.<br /> <br /> [[The Befort Children]] from the anime ''[[Fantastic Children]]'' were also inspired by the Midwich Cuckoos. <br /> <br /> ''[[1440 Cuckoo]]'' is a song written in 2006 by British singer/songwriter [[Pete Doherty]] and was inspired by the serial number of the Penguin edition of the novel which Doherty read while in rehab at the Priory in London.<br /> <br /> In ''[[Smallville (TV series)|Smallville]]'', episode 9 of season 3, entitled &quot;Asylum&quot; (2004), one of the characters is reading &quot;The Midwich Cuckoos,&quot; which proves to be prophetic about that character.<br /> <br /> In [[Catherine Jinks]]'s book ''[[Evil Genius]]'', teachers of the main character, Cadel, speculate about the possibility of his resemblance to the children in ''The Midwich Cuckoos''.<br /> <br /> The plot of the novel [[Beetle in the Anthill]] by [[Boris and Arkady Strugatsky]] is somewhat similar. Authorities of Earth have a great fear of the group of [[Foundlings (Noon Universe)|foundling]] children, alleged to be [[Wanderers (Noon_Universe)|Wanderers]]' spies and probably even non-human. 
These children were moved out of Earth by a secret order of government, but later one of them came back to Earth and was killed by Earth's security service.<br /> <br /> ==Notes==<br /> <br /> {{reflist}}<br /> <br /> {{John Wyndham}}<br /> <br /> {{DEFAULTSORT:Midwich Cuckoos, The}}<br /> [[Category:Science fiction novels]]<br /> [[Category:1957 novels]]<br /> [[Category:Novels by John Wyndham]]<br /> <br /> [[fr:Le Village des damnés (roman)]]</div> Ciphergoth https://de.wikipedia.org/w/index.php?title=Trivium_(Algorithmus)&diff=83575922 Trivium (Algorithmus) 2007-11-28T11:34:07Z <p>Ciphergoth: /* Security */ try to substitute something non-tautological about brute force and these attacks.</p> <hr /> <div>[[Image:Trivium_(cipher).png|thumb|300px|right|Structure of Trivium]]<br /> <br /> {{otheruses|Trivium}}<br /> <br /> '''Trivium''' is a synchronous [[stream cipher]] designed to provide a flexible trade-off between speed and [[gate count]] in hardware, and reasonably efficient software implementation. <br /> <br /> It was submitted to the Profile II (hardware) of the [[eSTREAM]] competition by its authors, [[Christophe De Cannière]] and [[Bart Preneel]], and has been selected as Phase 2 Focus Candidate for Profile 2 by the eSTREAM project. It is not patented.<br /> <br /> It generates up to 2&lt;sup&gt;64&lt;/sup&gt; [[bit]]s of output from an 80-bit [[key length|key]] and an 80-bit [[initialization vector|IV]]. It is the simplest eSTREAM entrant, and shows remarkable resistance to cryptanalysis for its simplicity.<br /> <br /> ==Description==<br /> Trivium's 288-bit internal state consists of three [[shift register]]s of different lengths. At each round, a bit is shifted into each of the three shift registers using a non-linear combination of taps from that and one other register; one bit of output is produced. 
To initialize the cipher, the key and IV are written into two of the shift registers, with the remaining bits starting in a fixed pattern; the cipher state is then updated 4 &amp;times; 288 = 1152 times, so that every bit of the internal state depends on every bit of the key and of the IV in a complex nonlinear way.<br /> <br /> No taps appear on the first 64 bits of each shift register, so each novel state bit is not used until at least 64 rounds after it is generated. This is the key to Trivium's software performance and flexibility in hardware.<br /> <br /> ==Specification==<br /> Trivium may be specified very concisely using three recursive equations.&lt;ref&gt;[http://www.ecrypt.eu.org/stream/phorum/read.php?1,448 eSTREAM Phorum, 2006-02-20]&lt;/ref&gt; Each variable is an element of [[finite field|GF]](2); they can be represented as [[bit]]s, with &quot;+&quot; being [[Exclusive or|XOR]] and multiplication being [[Binary and|AND]].<br /> <br /> *''a''&lt;sub&gt;''i''&lt;/sub&gt; = ''c''&lt;sub&gt;''i''-66&lt;/sub&gt; + ''c''&lt;sub&gt;''i''-111&lt;/sub&gt; + ''c''&lt;sub&gt;''i''-110&lt;/sub&gt; ''c''&lt;sub&gt;''i''-109&lt;/sub&gt; + ''a''&lt;sub&gt;''i''-69&lt;/sub&gt;<br /> *''b''&lt;sub&gt;''i''&lt;/sub&gt; = ''a''&lt;sub&gt;''i''-66&lt;/sub&gt; + ''a''&lt;sub&gt;''i''-93&lt;/sub&gt; + ''a''&lt;sub&gt;''i''-92&lt;/sub&gt; ''a''&lt;sub&gt;''i''-91&lt;/sub&gt; + ''b''&lt;sub&gt;''i''-78&lt;/sub&gt;<br /> *''c''&lt;sub&gt;''i''&lt;/sub&gt; = ''b''&lt;sub&gt;''i''-69&lt;/sub&gt; + ''b''&lt;sub&gt;''i''-84&lt;/sub&gt; + ''b''&lt;sub&gt;''i''-83&lt;/sub&gt; ''b''&lt;sub&gt;''i''-82&lt;/sub&gt; + ''c''&lt;sub&gt;''i''-87&lt;/sub&gt;<br /> <br /> The output bits ''r''&lt;sub&gt;0&lt;/sub&gt; ... 
''r''&lt;sub&gt;2&lt;sup&gt;64&lt;/sup&gt;-1&lt;/sub&gt; are then generated by<br /> <br /> *''r''&lt;sub&gt;''i''&lt;/sub&gt; = ''c''&lt;sub&gt;''i''-66&lt;/sub&gt; + ''c''&lt;sub&gt;''i''-111&lt;/sub&gt; + ''a''&lt;sub&gt;''i''-66&lt;/sub&gt; + ''a''&lt;sub&gt;''i''-93&lt;/sub&gt; + ''b''&lt;sub&gt;''i''-69&lt;/sub&gt; + ''b''&lt;sub&gt;''i''-84&lt;/sub&gt;<br /> <br /> Given an 80-bit key ''k''&lt;sub&gt;0&lt;/sub&gt; ... ''k''&lt;sub&gt;79&lt;/sub&gt; and an ''l''-bit IV ''v''&lt;sub&gt;0&lt;/sub&gt; ... ''v''&lt;sub&gt;''l''-1&lt;/sub&gt; (where 0 &amp;le; ''l'' &amp;le; 80), Trivium is initialized as follows:<br /> <br /> *(''a''&lt;sub&gt;-1245&lt;/sub&gt; ... ''a''&lt;sub&gt;-1153&lt;/sub&gt;) = (0, 0 ... 0, ''k''&lt;sub&gt;0&lt;/sub&gt; ... ''k''&lt;sub&gt;79&lt;/sub&gt;)<br /> *(''b''&lt;sub&gt;-1236&lt;/sub&gt; ... ''b''&lt;sub&gt;-1153&lt;/sub&gt;) = (0, 0 ... 0, ''v''&lt;sub&gt;0&lt;/sub&gt; ... ''v''&lt;sub&gt;''l''-1&lt;/sub&gt;)<br /> *(''c''&lt;sub&gt;-1263&lt;/sub&gt; ... ''c''&lt;sub&gt;-1153&lt;/sub&gt;) = (1, 1, 1, 0, 0 ... 0)<br /> <br /> The large negative indices on the initial values reflect the 1152 steps that must take place before output is produced.<br /> <br /> To map a stream of bits ''r'' to a stream of bytes ''R'', we use the little-endian mapping ''R''&lt;sub&gt;''i''&lt;/sub&gt; = Σ&lt;sub&gt;''j''=0 ... 7&lt;/sub&gt; 2&lt;sup&gt;j&lt;/sup&gt; ''r''&lt;sub&gt;8''i''+j&lt;/sub&gt;.<br /> <br /> ==Performance==<br /> A straightforward hardware implementation of Trivium would use 3488 [[logic gate]]s and produce one bit per clock cycle. However, because each state bit is not used for at least 64 rounds, 64 state bits can be generated in parallel at a slightly greater hardware cost of 5504 gates. 
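The three recurrences, the initialization and the little-endian byte mapping from the Specification section above, implemented as an added example (this is not the eSTREAM reference code or the authors' implementation). It keeps the newest bit of each register at index 0 so that the article's tap a<sub>i-n</sub> is a[n-1]; the key, IV and plaintext in the demo are constructed sample values, not eSTREAM test vectors.

```python
from collections import deque
from typing import Deque, List, Optional

INIT_ROUNDS = 4 * 288  # 1152 warm-up rounds before the first output bit


def bits_le(data: bytes, nbits: int) -> List[int]:
    """Unpack nbits bits from data, least significant bit of each byte first."""
    if nbits > 8 * len(data):
        raise ValueError("not enough bytes for the requested number of bits")
    return [(data[i >> 3] >> (i & 7)) & 1 for i in range(nbits)]


def bytes_le(bits: List[int]) -> bytes:
    """Pack bits with the article's mapping R_i = sum_{j=0..7} 2^j r_{8i+j}."""
    out = bytearray((len(bits) + 7) // 8)
    for i, bit in enumerate(bits):
        out[i >> 3] |= bit << (i & 7)
    return bytes(out)


class Trivium:
    """Keystream generator built directly from the three recursive equations.

    Each register is a bounded deque whose index 0 is the newest bit, so the
    tap a_{i-n} is a[n-1]; appendleft() shifts a new bit in and the maxlen
    drops the oldest bit automatically.
    """

    def __init__(self, key: bytes, iv: bytes, iv_bits: Optional[int] = None) -> None:
        if len(key) != 10:
            raise ValueError("Trivium takes an 80-bit (10-byte) key")
        l = 8 * len(iv) if iv_bits is None else iv_bits  # IV length l in bits
        if not 0 <= l <= 80:
            raise ValueError("IV length must satisfy 0 <= l <= 80 bits")
        k = bits_le(key, 80)
        v = bits_le(iv, l)
        # (a_-1245 ... a_-1153) = (0 ... 0, k_0 ... k_79): k_79 is the newest bit.
        self.a: Deque[int] = deque(list(reversed(k)) + [0] * (93 - 80), maxlen=93)
        # (b_-1236 ... b_-1153) = (0 ... 0, v_0 ... v_{l-1}).
        self.b: Deque[int] = deque(list(reversed(v)) + [0] * (84 - l), maxlen=84)
        # (c_-1263 ... c_-1153) = (1, 1, 1, 0 ... 0): the three oldest bits are 1.
        self.c: Deque[int] = deque([0] * (111 - 3) + [1, 1, 1], maxlen=111)
        for _ in range(INIT_ROUNDS):  # discard 1152 rounds so every state bit
            self.clock()              # depends on the whole key and IV

    def clock(self) -> int:
        """Advance one round and return the output bit r_i."""
        a, b, c = self.a, self.b, self.c
        ta = a[65] ^ a[92]    # a_{i-66} + a_{i-93}
        tb = b[68] ^ b[83]    # b_{i-69} + b_{i-84}
        tc = c[65] ^ c[110]   # c_{i-66} + c_{i-111}
        r = ta ^ tb ^ tc      # r_i is the XOR of the six linear taps
        new_a = tc ^ (c[109] & c[108]) ^ a[68]  # + c_{i-110} c_{i-109} + a_{i-69}
        new_b = ta ^ (a[91] & a[90]) ^ b[77]    # + a_{i-92} a_{i-91} + b_{i-78}
        new_c = tb ^ (b[82] & b[81]) ^ c[86]    # + b_{i-83} b_{i-82} + c_{i-87}
        a.appendleft(new_a)   # all three new bits were computed from the
        b.appendleft(new_b)   # pre-shift state, so shift only now
        c.appendleft(new_c)
        return r

    def keystream(self, nbytes: int) -> bytes:
        return bytes_le([self.clock() for _ in range(8 * nbytes)])


def trivium_xor(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (the same operation) by XORing with the keystream.

    The keystream depends only on (key, IV), so two messages sent under the
    same pair leak m1 XOR m2; a fresh IV per message is required.
    """
    ks = Trivium(key, iv).keystream(len(data))
    return bytes(x ^ y for x, y in zip(data, ks))


def xor_bytes(x: bytes, y: bytes) -> bytes:
    if len(x) != len(y):
        raise ValueError("inputs must have equal length")
    return bytes(p ^ q for p, q in zip(x, y))


if __name__ == "__main__":
    key = bytes(range(10))          # constructed sample key, not a test vector
    iv = bytes(range(0xA0, 0xAA))   # constructed sample 80-bit IV
    msg = b"constructed sample plaintext"
    ct = trivium_xor(key, iv, msg)
    print("keystream[:16] =", Trivium(key, iv).keystream(16).hex())
    print("round trip ok  =", trivium_xor(key, iv, ct) == msg)
```

Before relying on the bit and byte ordering in practice, compare the all-zero key and IV keystream against the published eSTREAM test vectors, which pin down the mapping the article only describes.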
Different tradeoffs between speed and area are also possible.<br /> <br /> The same property allows an efficient bitslice implementation in software; performance testing by [[eSTREAM]] give bulk encryption speeds of around 4 cycles/byte on some [[x86]] platforms, which compares well to the 19 cycles/byte of the [[Advanced Encryption Standard|AES]] reference implementation on the same platform.<br /> <br /> ==Security==<br /> {{quote|[Trivium] was designed<br /> as an exercise in exploring how far a stream cipher can be simplified without<br /> sacrificing its security, speed or flexibility. While simple designs are more likely<br /> to be vulnerable to simple, and possibly devastating, attacks (which is why we<br /> strongly discourage the use of Trivium at this stage), they certainly inspire<br /> more confidence than complex schemes, if they survive a long period of public<br /> scrutiny despite their simplicity.&lt;ref&gt;{{cite paper<br /> | author = [[Christophe De Cannière]], [[Bart Preneel]]<br /> | title = Trivium specifications<br /> | publisher = eSTREAM submitted papers<br /> | date = 2005-04-29<br /> | url = http://www.ecrypt.eu.org/stream/ciphers/trivium/trivium.pdf<br /> | format = [[PDF]]<br /> | accessdate = 2006-10-09<br /> }}&lt;/ref&gt;}}<br /> As of November [[2007]], no cryptanalytic attacks better than [[brute force attack]] are known. 
The best attack recovers the internal state (and thus the key) in around 2&lt;sup&gt;89.5&lt;/sup&gt; steps (where each step is roughly the cost of a single trial in exhaustive search).&lt;ref&gt;{{cite paper<br /> | author = [[Alexander Maximov (cryptographer)|Alexander Maximov]], [[Alex Biryukov]]<br /> | title = Two Trivial Attacks on Trivium<br /> | publisher = Cryptology ePrint<br /> | date = 2007-01-23<br /> | url = http://mirror.cr.yp.to/eprint.iacr.org/2007/021<br /> | format = [[PDF]]<br /> }} (Table 6, page 11)&lt;/ref&gt; Reduced variants of Trivium using the same design principles have been broken using an equation-solving technique.&lt;ref&gt;{{cite paper<br /> | author = [[Håvard Raddum]]<br /> | title = Cryptanalytic results on Trivium<br /> | publisher = eSTREAM submitted papers<br /> | date = 2006-03-27<br /> | url = http://www.ecrypt.eu.org/stream/papersdir/2006/039.ps<br /> | format = [[PostScript]]<br /> | accessdate = 2006-10-09}}&lt;/ref&gt; These attacks improve on the well-known time-space tradeoff attack on stream ciphers, which with Trivium's 288-bit internal state would take 2&lt;sup&gt;144&lt;/sup&gt; steps, and show that a variant on Trivium which made no change except to increase the key length beyond the 80 bits mandated by eSTREAM Profile 2 would not be secure.<br /> <br /> A detailed justification of the design of Trivium is given in &lt;ref&gt;{{cite paper<br /> | author = [[Christophe De Cannière]], [[Bart Preneel]]<br /> | title = Trivium - A Stream Cipher Construction Inspired by Block Cipher Design Principles<br /> | publisher = eSTREAM submitted papers<br /> | date = 2006-01-02<br /> | url = http://www.ecrypt.eu.org/stream/papersdir/2006/021.pdf<br /> | format = [[PDF]]<br /> | accessdate = 2006-10-09<br /> }}&lt;/ref&gt;.<br /> <br /> ==References==<br /> &lt;references/&gt;<br /> <br /> <br /> ==External links==<br /> * [http://www.ecrypt.eu.org/stream/trivium.html eSTREAM page on Trivium]<br /> <br /> {{Crypto navbox | 
stream}}<br /> <br /> [[Category:Stream ciphers]]</div>
Ciphergoth https://de.wikipedia.org/w/index.php?title=Trivium_(Algorithmus)&diff=83575921 Trivium (Algorithmus) 2007-11-28T10:39:57Z <p>Ciphergoth: Undid revision 174127885 by 217.159.205.18 (talk) - completely redundant way to say brute force is more efficient.</p> <hr />
Ciphergoth https://de.wikipedia.org/w/index.php?title=Trivium_(Algorithmus)&diff=83575919 Trivium (Algorithmus) 2007-11-26T21:53:28Z <p>Ciphergoth: /* Security */ Move quote back; simplify time estimate.</p> <hr />
Ciphergoth https://de.wikipedia.org/w/index.php?title=Trivium_(Algorithmus)&diff=83575917 Trivium (Algorithmus) 2007-11-26T18:03:01Z <p>Ciphergoth: appropriate otheruses page has changed back</p> <hr />
Ciphergoth https://de.wikipedia.org/w/index.php?title=Trivium_(Algorithmus)&diff=83575916 Trivium (Algorithmus) 2007-11-26T17:59:39Z <p>Ciphergoth: Fix reference wikilinks one final time.</p> <hr />
Ciphergoth https://de.wikipedia.org/w/index.php?title=Trivium_(Algorithmus)&diff=83575915 Trivium (Algorithmus) 2007-11-26T17:58:35Z <p>Ciphergoth: /* Security */ when you preview you can't preview references.</p> <hr /> <div>
0, ''k''&lt;sub&gt;0&lt;/sub&gt; ... ''k''&lt;sub&gt;79&lt;/sub&gt;)<br /> *(''b''&lt;sub&gt;-1236&lt;/sub&gt; ... ''b''&lt;sub&gt;-1153&lt;/sub&gt;) = (0, 0 ... 0, ''v''&lt;sub&gt;0&lt;/sub&gt; ... ''v''&lt;sub&gt;''l''-1&lt;/sub&gt;)<br /> *(''c''&lt;sub&gt;-1263&lt;/sub&gt; ... ''c''&lt;sub&gt;-1153&lt;/sub&gt;) = (1, 1, 1, 0, 0 ... 0)<br /> <br /> The large negative indices on the initial values reflect the 1152 steps that must take place before output is produced.<br /> <br /> To map a stream of bits ''r'' to a stream of bytes ''R'', we use the little-endian mapping ''R''&lt;sub&gt;''i''&lt;/sub&gt; = Σ&lt;sub&gt;''j''=0 ... 7&lt;/sub&gt; 2&lt;sup&gt;j&lt;/sup&gt; ''r''&lt;sub&gt;8''i''+j&lt;/sub&gt;.<br /> <br /> ==Performance==<br /> A straightforward hardware implementation of Trivium would use 3488 [[logic gate]]s and produce one bit per clock cycle. However, because each state bit is not used for at least 64 rounds, 64 state bits can be generated in parallel at a slightly greater hardware cost of 5504 gates. Different tradeoffs between speed and area are also possible.<br /> <br /> The same property allows an efficient bitslice implementation in software; performance testing by [[eSTREAM]] give bulk encryption speeds of around 4 cycles/byte on some [[x86]] platforms, which compares well to the 19 cycles/byte of the [[Advanced Encryption Standard|AES]] reference implementation on the same platform.<br /> <br /> ==Security==<br /> As of November [[2007]], no cryptanalytic attacks better than [[brute force attack]] are known. 
The best attack recovers the internal state in time around &lt;math&gt;c\cdot 2^{83.5}&lt;/math&gt;.&lt;ref&gt;{{cite paper<br /> | author = [[Alexander Maximov (crytographer)|]], [[Alex Biryukov]]<br /> | title = Two Trivial Attacks on Trivium<br /> | publisher = Cryptology ePrint<br /> | date = 2007-01-23<br /> | url = http://mirror.cr.yp.to/eprint.iacr.org/2007/021<br /> | format = [[PDF]]<br /> }}&lt;/ref&gt; Reduced variants of Trivium corresponding to the design's basic construction have been broken using an equation-solving technique.&lt;ref&gt;{{cite paper<br /> | author = [[Håvard Raddum]]<br /> | title = Cryptanalytic results on Trivium<br /> | publisher = eSTREAM submitted papers<br /> | date = 2006-03-27<br /> | url = http://www.ecrypt.eu.org/stream/papersdir/2006/039.ps<br /> | format = [[PostScript]]<br /> | accessdate = 2006-10-09}}&lt;/ref&gt;<br /> <br /> {{quote|[Trivium] was designed<br /> as an exercise in exploring how far a stream cipher can be simplified without<br /> sacrificing its security, speed or flexibility. 
While simple designs are more likely<br /> to be vulnerable to simple, and possibly devastating, attacks (which is why we<br /> strongly discourage the use of Trivium at this stage), they certainly inspire<br /> more confidence than complex schemes, if they survive a long period of public<br /> scrutiny despite their simplicity.&lt;ref&gt;{{cite paper<br /> | author = [[Christophe De Cannière]], [[Bart Preneel]]<br /> | title = Trivium specifications<br /> | publisher = eSTREAM submitted papers<br /> | date = 2005-04-29<br /> | url = http://www.ecrypt.eu.org/stream/ciphers/trivium/trivium.pdf<br /> | format = [[PDF]]<br /> | accessdate = 2006-10-09<br /> }}&lt;/ref&gt;}}<br /> <br /> A detailed justification of the design of Trivium is given in &lt;ref&gt;{{cite paper<br /> | author = [[Christophe De Cannière]], [[Bart Preneel]]<br /> | title = Trivium - A Stream Cipher Construction Inspired by Block Cipher Design Principles<br /> | publisher = eSTREAM submitted papers<br /> | date = 2006-01-02<br /> | url = http://www.ecrypt.eu.org/stream/papersdir/2006/021.pdf<br /> | format = [[PDF]]<br /> | accessdate = 2006-10-09<br /> }}&lt;/ref&gt;.<br /> <br /> ==References==<br /> &lt;references/&gt;<br /> <br /> <br /> ==External links==<br /> * [http://www.ecrypt.eu.org/stream/trivium.html eSTREAM page on Trivium]<br /> <br /> {{Crypto navbox | stream}}<br /> <br /> [[Category:Stream ciphers]]</div> Ciphergoth https://de.wikipedia.org/w/index.php?title=Trivium_(Algorithmus)&diff=83575913 Trivium (Algorithmus) 2007-11-26T17:57:59Z <p>Ciphergoth: /* Security */ not the footballer...</p> <hr /> <div>[[Image:Trivium_(cipher).png|thumb|300px|right|Structure of Trivium]]<br /> <br /> {{otheruses|trivia (disambiguation)}}<br /> <br /> '''Trivium''' is a synchronous [[stream cipher]] designed to provide a flexible trade-off between speed and [[gate count]] in hardware, and reasonably efficient software implementation. 
<br /> <br /> It was submitted to the Profile II (hardware) of the [[eSTREAM]] competition by its authors, [[Christophe De Cannière]] and [[Bart Preneel]], and has been selected as Phase 2 Focus Candidate for Profile 2 by the eSTREAM project. It is not patented.<br /> <br /> It generates up to 2&lt;sup&gt;64&lt;/sup&gt; [[bit]]s of output from an 80-bit [[key length|key]] and an 80-bit [[initialization vector|IV]]. It is the simplest eSTREAM entrant, and shows remarkable resistance to cryptanalysis for its simplicity.<br /> <br /> ==Description==<br /> Trivium's 288-bit internal state consists of three [[shift register]]s of different lengths. At each round, a bit is shifted into each of the three shift registers using a non-linear combination of taps from that and one other register; one bit of output is produced. To initialize the cipher, the key and IV are written into two of the shift registers, with the remaining bits starting in a fixed pattern; the cipher state is then updated 4 &amp;times; 288 = 1152 times, so that every bit of the internal state depends on every bit of the key and of the IV in a complex nonlinear way.<br /> <br /> No taps appear on the first 64 bits of each shift register, so each novel state bit is not used until at least 64 rounds after it is generated. 
This is the key to Trivium's software performance and flexibility in hardware.<br /> <br /> ==Specification==<br /> Trivium may be specified very concisely using three recursive equations.&lt;ref&gt;[http://www.ecrypt.eu.org/stream/phorum/read.php?1,448 eSTREAM Phorum, 2006-02-20]&lt;/ref&gt; Each variable is an element of [[finite field|GF]](2); they can be represented as [[bit]]s, with &quot;+&quot; being [[Exclusive or|XOR]] and multiplication being [[Binary and|AND]].<br /> <br /> *''a''&lt;sub&gt;''i''&lt;/sub&gt; = ''c''&lt;sub&gt;''i''-66&lt;/sub&gt; + ''c''&lt;sub&gt;''i''-111&lt;/sub&gt; + ''c''&lt;sub&gt;''i''-110&lt;/sub&gt; ''c''&lt;sub&gt;''i''-109&lt;/sub&gt; + ''a''&lt;sub&gt;''i''-69&lt;/sub&gt;<br /> *''b''&lt;sub&gt;''i''&lt;/sub&gt; = ''a''&lt;sub&gt;''i''-66&lt;/sub&gt; + ''a''&lt;sub&gt;''i''-93&lt;/sub&gt; + ''a''&lt;sub&gt;''i''-92&lt;/sub&gt; ''a''&lt;sub&gt;''i''-91&lt;/sub&gt; + ''b''&lt;sub&gt;''i''-78&lt;/sub&gt;<br /> *''c''&lt;sub&gt;''i''&lt;/sub&gt; = ''b''&lt;sub&gt;''i''-69&lt;/sub&gt; + ''b''&lt;sub&gt;''i''-84&lt;/sub&gt; + ''b''&lt;sub&gt;''i''-83&lt;/sub&gt; ''b''&lt;sub&gt;''i''-82&lt;/sub&gt; + ''c''&lt;sub&gt;''i''-87&lt;/sub&gt;<br /> <br /> The output bits ''r''&lt;sub&gt;0&lt;/sub&gt; ... ''r''&lt;sub&gt;2&lt;sup&gt;64&lt;/sup&gt;-1&lt;/sub&gt; are then generated by<br /> <br /> *''r''&lt;sub&gt;''i''&lt;/sub&gt; = ''c''&lt;sub&gt;''i''-66&lt;/sub&gt; + ''c''&lt;sub&gt;''i''-111&lt;/sub&gt; + ''a''&lt;sub&gt;''i''-66&lt;/sub&gt; + ''a''&lt;sub&gt;''i''-93&lt;/sub&gt; + ''b''&lt;sub&gt;''i''-69&lt;/sub&gt; + ''b''&lt;sub&gt;''i''-84&lt;/sub&gt;<br /> <br /> Given an 80-bit key ''k''&lt;sub&gt;0&lt;/sub&gt; ... ''k''&lt;sub&gt;79&lt;/sub&gt; and an ''l''-bit IV ''v''&lt;sub&gt;0&lt;/sub&gt; ... ''v''&lt;sub&gt;''l''-1&lt;/sub&gt; (where 0 &amp;le; ''l'' &amp;le; 80), Trivium is initialized as follows:<br /> <br /> *(''a''&lt;sub&gt;-1245&lt;/sub&gt; ... ''a''&lt;sub&gt;-1153&lt;/sub&gt;) = (0, 0 ... 
0, ''k''&lt;sub&gt;0&lt;/sub&gt; ... ''k''&lt;sub&gt;79&lt;/sub&gt;)<br /> *(''b''&lt;sub&gt;-1236&lt;/sub&gt; ... ''b''&lt;sub&gt;-1153&lt;/sub&gt;) = (0, 0 ... 0, ''v''&lt;sub&gt;0&lt;/sub&gt; ... ''v''&lt;sub&gt;''l''-1&lt;/sub&gt;)<br /> *(''c''&lt;sub&gt;-1263&lt;/sub&gt; ... ''c''&lt;sub&gt;-1153&lt;/sub&gt;) = (1, 1, 1, 0, 0 ... 0)<br /> <br /> The large negative indices on the initial values reflect the 1152 steps that must take place before output is produced.<br /> <br /> To map a stream of bits ''r'' to a stream of bytes ''R'', we use the little-endian mapping ''R''&lt;sub&gt;''i''&lt;/sub&gt; = Σ&lt;sub&gt;''j''=0 ... 7&lt;/sub&gt; 2&lt;sup&gt;j&lt;/sup&gt; ''r''&lt;sub&gt;8''i''+j&lt;/sub&gt;.<br /> <br /> ==Performance==<br /> A straightforward hardware implementation of Trivium would use 3488 [[logic gate]]s and produce one bit per clock cycle. However, because each state bit is not used for at least 64 rounds, 64 state bits can be generated in parallel at a slightly greater hardware cost of 5504 gates. Different tradeoffs between speed and area are also possible.<br /> <br /> The same property allows an efficient bitslice implementation in software; performance testing by [[eSTREAM]] give bulk encryption speeds of around 4 cycles/byte on some [[x86]] platforms, which compares well to the 19 cycles/byte of the [[Advanced Encryption Standard|AES]] reference implementation on the same platform.<br /> <br /> ==Security==<br /> As of November [[2007]], no cryptanalytic attacks better than [[brute force attack]] are known. 
The best attack recovers the internal state in time around &lt;math&gt;c\cdot 2^{83.5}&lt;/math&gt;.&lt;ref&gt;{{cite paper<br /> | author = [[Alexander Maximov (crytographer)]], [[Alex Biryukov]]<br /> | title = Two Trivial Attacks on Trivium<br /> | publisher = Cryptology ePrint<br /> | date = 2007-01-23<br /> | url = http://mirror.cr.yp.to/eprint.iacr.org/2007/021<br /> | format = [[PDF]]<br /> }}&lt;/ref&gt; Reduced variants of Trivium corresponding to the design's basic construction have been broken using an equation-solving technique.&lt;ref&gt;{{cite paper<br /> | author = [[Håvard Raddum]]<br /> | title = Cryptanalytic results on Trivium<br /> | publisher = eSTREAM submitted papers<br /> | date = 2006-03-27<br /> | url = http://www.ecrypt.eu.org/stream/papersdir/2006/039.ps<br /> | format = [[PostScript]]<br /> | accessdate = 2006-10-09}}&lt;/ref&gt;<br /> <br /> {{quote|[Trivium] was designed<br /> as an exercise in exploring how far a stream cipher can be simplified without<br /> sacrificing its security, speed or flexibility. 
While simple designs are more likely<br /> to be vulnerable to simple, and possibly devastating, attacks (which is why we<br /> strongly discourage the use of Trivium at this stage), they certainly inspire<br /> more confidence than complex schemes, if they survive a long period of public<br /> scrutiny despite their simplicity.&lt;ref&gt;{{cite paper<br /> | author = [[Christophe De Cannière]], [[Bart Preneel]]<br /> | title = Trivium specifications<br /> | publisher = eSTREAM submitted papers<br /> | date = 2005-04-29<br /> | url = http://www.ecrypt.eu.org/stream/ciphers/trivium/trivium.pdf<br /> | format = [[PDF]]<br /> | accessdate = 2006-10-09<br /> }}&lt;/ref&gt;}}<br /> <br /> A detailed justification of the design of Trivium is given in &lt;ref&gt;{{cite paper<br /> | author = [[Christophe De Cannière]], [[Bart Preneel]]<br /> | title = Trivium - A Stream Cipher Construction Inspired by Block Cipher Design Principles<br /> | publisher = eSTREAM submitted papers<br /> | date = 2006-01-02<br /> | url = http://www.ecrypt.eu.org/stream/papersdir/2006/021.pdf<br /> | format = [[PDF]]<br /> | accessdate = 2006-10-09<br /> }}&lt;/ref&gt;.<br /> <br /> ==References==<br /> &lt;references/&gt;<br /> <br /> <br /> ==External links==<br /> * [http://www.ecrypt.eu.org/stream/trivium.html eSTREAM page on Trivium]<br /> <br /> {{Crypto navbox | stream}}<br /> <br /> [[Category:Stream ciphers]]</div> Ciphergoth https://de.wikipedia.org/w/index.php?title=Trivium_(Algorithmus)&diff=83575911 Trivium (Algorithmus) 2007-11-26T17:57:21Z <p>Ciphergoth: /* Security */ wikilink Maximov and Biryukov, don&#039;t repeat their names</p> <hr /> <div>[[Image:Trivium_(cipher).png|thumb|300px|right|Structure of Trivium]]<br /> <br /> {{otheruses|trivia (disambiguation)}}<br /> <br /> '''Trivium''' is a synchronous [[stream cipher]] designed to provide a flexible trade-off between speed and [[gate count]] in hardware, and reasonably efficient software implementation. 
<br /> <br /> It was submitted to the Profile II (hardware) of the [[eSTREAM]] competition by its authors, [[Christophe De Cannière]] and [[Bart Preneel]], and has been selected as Phase 2 Focus Candidate for Profile 2 by the eSTREAM project. It is not patented.<br /> <br /> It generates up to 2&lt;sup&gt;64&lt;/sup&gt; [[bit]]s of output from an 80-bit [[key length|key]] and an 80-bit [[initialization vector|IV]]. It is the simplest eSTREAM entrant, and shows remarkable resistance to cryptanalysis for its simplicity.<br /> <br /> ==Description==<br /> Trivium's 288-bit internal state consists of three [[shift register]]s of different lengths. At each round, a bit is shifted into each of the three shift registers using a non-linear combination of taps from that and one other register; one bit of output is produced. To initialize the cipher, the key and IV are written into two of the shift registers, with the remaining bits starting in a fixed pattern; the cipher state is then updated 4 &amp;times; 288 = 1152 times, so that every bit of the internal state depends on every bit of the key and of the IV in a complex nonlinear way.<br /> <br /> No taps appear on the first 64 bits of each shift register, so each novel state bit is not used until at least 64 rounds after it is generated. 
This is the key to Trivium's software performance and flexibility in hardware.<br /> <br /> ==Specification==<br /> Trivium may be specified very concisely using three recursive equations.&lt;ref&gt;[http://www.ecrypt.eu.org/stream/phorum/read.php?1,448 eSTREAM Phorum, 2006-02-20]&lt;/ref&gt; Each variable is an element of [[finite field|GF]](2); they can be represented as [[bit]]s, with &quot;+&quot; being [[Exclusive or|XOR]] and multiplication being [[Binary and|AND]].<br /> <br /> *''a''&lt;sub&gt;''i''&lt;/sub&gt; = ''c''&lt;sub&gt;''i''-66&lt;/sub&gt; + ''c''&lt;sub&gt;''i''-111&lt;/sub&gt; + ''c''&lt;sub&gt;''i''-110&lt;/sub&gt; ''c''&lt;sub&gt;''i''-109&lt;/sub&gt; + ''a''&lt;sub&gt;''i''-69&lt;/sub&gt;<br /> *''b''&lt;sub&gt;''i''&lt;/sub&gt; = ''a''&lt;sub&gt;''i''-66&lt;/sub&gt; + ''a''&lt;sub&gt;''i''-93&lt;/sub&gt; + ''a''&lt;sub&gt;''i''-92&lt;/sub&gt; ''a''&lt;sub&gt;''i''-91&lt;/sub&gt; + ''b''&lt;sub&gt;''i''-78&lt;/sub&gt;<br /> *''c''&lt;sub&gt;''i''&lt;/sub&gt; = ''b''&lt;sub&gt;''i''-69&lt;/sub&gt; + ''b''&lt;sub&gt;''i''-84&lt;/sub&gt; + ''b''&lt;sub&gt;''i''-83&lt;/sub&gt; ''b''&lt;sub&gt;''i''-82&lt;/sub&gt; + ''c''&lt;sub&gt;''i''-87&lt;/sub&gt;<br /> <br /> The output bits ''r''&lt;sub&gt;0&lt;/sub&gt; ... ''r''&lt;sub&gt;2&lt;sup&gt;64&lt;/sup&gt;-1&lt;/sub&gt; are then generated by<br /> <br /> *''r''&lt;sub&gt;''i''&lt;/sub&gt; = ''c''&lt;sub&gt;''i''-66&lt;/sub&gt; + ''c''&lt;sub&gt;''i''-111&lt;/sub&gt; + ''a''&lt;sub&gt;''i''-66&lt;/sub&gt; + ''a''&lt;sub&gt;''i''-93&lt;/sub&gt; + ''b''&lt;sub&gt;''i''-69&lt;/sub&gt; + ''b''&lt;sub&gt;''i''-84&lt;/sub&gt;<br /> <br /> Given an 80-bit key ''k''&lt;sub&gt;0&lt;/sub&gt; ... ''k''&lt;sub&gt;79&lt;/sub&gt; and an ''l''-bit IV ''v''&lt;sub&gt;0&lt;/sub&gt; ... ''v''&lt;sub&gt;''l''-1&lt;/sub&gt; (where 0 &amp;le; ''l'' &amp;le; 80), Trivium is initialized as follows:<br /> <br /> *(''a''&lt;sub&gt;-1245&lt;/sub&gt; ... ''a''&lt;sub&gt;-1153&lt;/sub&gt;) = (0, 0 ... 
0, ''k''&lt;sub&gt;0&lt;/sub&gt; ... ''k''&lt;sub&gt;79&lt;/sub&gt;)<br /> *(''b''&lt;sub&gt;-1236&lt;/sub&gt; ... ''b''&lt;sub&gt;-1153&lt;/sub&gt;) = (0, 0 ... 0, ''v''&lt;sub&gt;0&lt;/sub&gt; ... ''v''&lt;sub&gt;''l''-1&lt;/sub&gt;)<br /> *(''c''&lt;sub&gt;-1263&lt;/sub&gt; ... ''c''&lt;sub&gt;-1153&lt;/sub&gt;) = (1, 1, 1, 0, 0 ... 0)<br /> <br /> The large negative indices on the initial values reflect the 1152 steps that must take place before output is produced.<br /> <br /> To map a stream of bits ''r'' to a stream of bytes ''R'', we use the little-endian mapping ''R''&lt;sub&gt;''i''&lt;/sub&gt; = Σ&lt;sub&gt;''j''=0 ... 7&lt;/sub&gt; 2&lt;sup&gt;j&lt;/sup&gt; ''r''&lt;sub&gt;8''i''+j&lt;/sub&gt;.<br /> <br /> ==Performance==<br /> A straightforward hardware implementation of Trivium would use 3488 [[logic gate]]s and produce one bit per clock cycle. However, because each state bit is not used for at least 64 rounds, 64 state bits can be generated in parallel at a slightly greater hardware cost of 5504 gates. Different tradeoffs between speed and area are also possible.<br /> <br /> The same property allows an efficient bitslice implementation in software; performance testing by [[eSTREAM]] give bulk encryption speeds of around 4 cycles/byte on some [[x86]] platforms, which compares well to the 19 cycles/byte of the [[Advanced Encryption Standard|AES]] reference implementation on the same platform.<br /> <br /> ==Security==<br /> As of November [[2007]], no cryptanalytic attacks better than [[brute force attack]] are known. 
The best attack recovers the internal state in time around &lt;math&gt;c\cdot 2^{83.5}&lt;/math&gt;.&lt;ref&gt;{{cite paper<br /> | author = [[Alexander Maximov]], [[Alex Biryukov]]<br /> | title = Two Trivial Attacks on Trivium<br /> | publisher = Cryptology ePrint<br /> | date = 2007-01-23<br /> | url = http://mirror.cr.yp.to/eprint.iacr.org/2007/021<br /> | format = [[PDF]]<br /> }}&lt;/ref&gt; Reduced variants of Trivium corresponding to the design's basic construction have been broken using an equation-solving technique.&lt;ref&gt;{{cite paper<br /> | author = [[Håvard Raddum]]<br /> | title = Cryptanalytic results on Trivium<br /> | publisher = eSTREAM submitted papers<br /> | date = 2006-03-27<br /> | url = http://www.ecrypt.eu.org/stream/papersdir/2006/039.ps<br /> | format = [[PostScript]]<br /> | accessdate = 2006-10-09}}&lt;/ref&gt;<br /> <br /> {{quote|[Trivium] was designed<br /> as an exercise in exploring how far a stream cipher can be simplified without<br /> sacrificing its security, speed or flexibility. 
While simple designs are more likely<br /> to be vulnerable to simple, and possibly devastating, attacks (which is why we<br /> strongly discourage the use of Trivium at this stage), they certainly inspire<br /> more confidence than complex schemes, if they survive a long period of public<br /> scrutiny despite their simplicity.&lt;ref&gt;{{cite paper<br /> | author = [[Christophe De Cannière]], [[Bart Preneel]]<br /> | title = Trivium specifications<br /> | publisher = eSTREAM submitted papers<br /> | date = 2005-04-29<br /> | url = http://www.ecrypt.eu.org/stream/ciphers/trivium/trivium.pdf<br /> | format = [[PDF]]<br /> | accessdate = 2006-10-09<br /> }}&lt;/ref&gt;}}<br /> <br /> A detailed justification of the design of Trivium is given in &lt;ref&gt;{{cite paper<br /> | author = [[Christophe De Cannière]], [[Bart Preneel]]<br /> | title = Trivium - A Stream Cipher Construction Inspired by Block Cipher Design Principles<br /> | publisher = eSTREAM submitted papers<br /> | date = 2006-01-02<br /> | url = http://www.ecrypt.eu.org/stream/papersdir/2006/021.pdf<br /> | format = [[PDF]]<br /> | accessdate = 2006-10-09<br /> }}&lt;/ref&gt;.<br /> <br /> ==References==<br /> &lt;references/&gt;<br /> <br /> <br /> ==External links==<br /> * [http://www.ecrypt.eu.org/stream/trivium.html eSTREAM page on Trivium]<br /> <br /> {{Crypto navbox | stream}}<br /> <br /> [[Category:Stream ciphers]]</div> Ciphergoth https://de.wikipedia.org/w/index.php?title=Trivium_(Algorithmus)&diff=83575910 Trivium (Algorithmus) 2007-11-26T17:56:14Z <p>Ciphergoth: /* Security */ move quote, update date</p> <hr /> <div>[[Image:Trivium_(cipher).png|thumb|300px|right|Structure of Trivium]]<br /> <br /> {{otheruses|trivia (disambiguation)}}<br /> <br /> '''Trivium''' is a synchronous [[stream cipher]] designed to provide a flexible trade-off between speed and [[gate count]] in hardware, and reasonably efficient software implementation. 
<br /> <br /> It was submitted to the Profile II (hardware) of the [[eSTREAM]] competition by its authors, [[Christophe De Cannière]] and [[Bart Preneel]], and has been selected as Phase 2 Focus Candidate for Profile 2 by the eSTREAM project. It is not patented.<br /> <br /> It generates up to 2&lt;sup&gt;64&lt;/sup&gt; [[bit]]s of output from an 80-bit [[key length|key]] and an 80-bit [[initialization vector|IV]]. It is the simplest eSTREAM entrant, and shows remarkable resistance to cryptanalysis for its simplicity.<br /> <br /> ==Description==<br /> Trivium's 288-bit internal state consists of three [[shift register]]s of different lengths. At each round, a bit is shifted into each of the three shift registers using a non-linear combination of taps from that and one other register; one bit of output is produced. To initialize the cipher, the key and IV are written into two of the shift registers, with the remaining bits starting in a fixed pattern; the cipher state is then updated 4 &amp;times; 288 = 1152 times, so that every bit of the internal state depends on every bit of the key and of the IV in a complex nonlinear way.<br /> <br /> No taps appear on the first 64 bits of each shift register, so each novel state bit is not used until at least 64 rounds after it is generated. 
This is the key to Trivium's software performance and flexibility in hardware.<br /> <br /> ==Specification==<br /> Trivium may be specified very concisely using three recursive equations.&lt;ref&gt;[http://www.ecrypt.eu.org/stream/phorum/read.php?1,448 eSTREAM Phorum, 2006-02-20]&lt;/ref&gt; Each variable is an element of [[finite field|GF]](2); they can be represented as [[bit]]s, with &quot;+&quot; being [[Exclusive or|XOR]] and multiplication being [[Binary and|AND]].<br /> <br /> *''a''&lt;sub&gt;''i''&lt;/sub&gt; = ''c''&lt;sub&gt;''i''-66&lt;/sub&gt; + ''c''&lt;sub&gt;''i''-111&lt;/sub&gt; + ''c''&lt;sub&gt;''i''-110&lt;/sub&gt; ''c''&lt;sub&gt;''i''-109&lt;/sub&gt; + ''a''&lt;sub&gt;''i''-69&lt;/sub&gt;<br /> *''b''&lt;sub&gt;''i''&lt;/sub&gt; = ''a''&lt;sub&gt;''i''-66&lt;/sub&gt; + ''a''&lt;sub&gt;''i''-93&lt;/sub&gt; + ''a''&lt;sub&gt;''i''-92&lt;/sub&gt; ''a''&lt;sub&gt;''i''-91&lt;/sub&gt; + ''b''&lt;sub&gt;''i''-78&lt;/sub&gt;<br /> *''c''&lt;sub&gt;''i''&lt;/sub&gt; = ''b''&lt;sub&gt;''i''-69&lt;/sub&gt; + ''b''&lt;sub&gt;''i''-84&lt;/sub&gt; + ''b''&lt;sub&gt;''i''-83&lt;/sub&gt; ''b''&lt;sub&gt;''i''-82&lt;/sub&gt; + ''c''&lt;sub&gt;''i''-87&lt;/sub&gt;<br /> <br /> The output bits ''r''&lt;sub&gt;0&lt;/sub&gt; ... ''r''&lt;sub&gt;2&lt;sup&gt;64&lt;/sup&gt;-1&lt;/sub&gt; are then generated by<br /> <br /> *''r''&lt;sub&gt;''i''&lt;/sub&gt; = ''c''&lt;sub&gt;''i''-66&lt;/sub&gt; + ''c''&lt;sub&gt;''i''-111&lt;/sub&gt; + ''a''&lt;sub&gt;''i''-66&lt;/sub&gt; + ''a''&lt;sub&gt;''i''-93&lt;/sub&gt; + ''b''&lt;sub&gt;''i''-69&lt;/sub&gt; + ''b''&lt;sub&gt;''i''-84&lt;/sub&gt;<br /> <br /> Given an 80-bit key ''k''&lt;sub&gt;0&lt;/sub&gt; ... ''k''&lt;sub&gt;79&lt;/sub&gt; and an ''l''-bit IV ''v''&lt;sub&gt;0&lt;/sub&gt; ... ''v''&lt;sub&gt;''l''-1&lt;/sub&gt; (where 0 &amp;le; ''l'' &amp;le; 80), Trivium is initialized as follows:<br /> <br /> *(''a''&lt;sub&gt;-1245&lt;/sub&gt; ... ''a''&lt;sub&gt;-1153&lt;/sub&gt;) = (0, 0 ... 
0, ''k''&lt;sub&gt;0&lt;/sub&gt; ... ''k''&lt;sub&gt;79&lt;/sub&gt;)<br /> *(''b''&lt;sub&gt;-1236&lt;/sub&gt; ... ''b''&lt;sub&gt;-1153&lt;/sub&gt;) = (0, 0 ... 0, ''v''&lt;sub&gt;0&lt;/sub&gt; ... ''v''&lt;sub&gt;''l''-1&lt;/sub&gt;)<br /> *(''c''&lt;sub&gt;-1263&lt;/sub&gt; ... ''c''&lt;sub&gt;-1153&lt;/sub&gt;) = (1, 1, 1, 0, 0 ... 0)<br /> <br /> The large negative indices on the initial values reflect the 1152 steps that must take place before output is produced.<br /> <br /> To map a stream of bits ''r'' to a stream of bytes ''R'', we use the little-endian mapping ''R''&lt;sub&gt;''i''&lt;/sub&gt; = Σ&lt;sub&gt;''j''=0 ... 7&lt;/sub&gt; 2&lt;sup&gt;j&lt;/sup&gt; ''r''&lt;sub&gt;8''i''+j&lt;/sub&gt;.<br /> <br /> ==Performance==<br /> A straightforward hardware implementation of Trivium would use 3488 [[logic gate]]s and produce one bit per clock cycle. However, because each state bit is not used for at least 64 rounds, 64 state bits can be generated in parallel at a slightly greater hardware cost of 5504 gates. Different tradeoffs between speed and area are also possible.<br /> <br /> The same property allows an efficient bitslice implementation in software; performance testing by [[eSTREAM]] give bulk encryption speeds of around 4 cycles/byte on some [[x86]] platforms, which compares well to the 19 cycles/byte of the [[Advanced Encryption Standard|AES]] reference implementation on the same platform.<br /> <br /> ==Security==<br /> As of November [[2007]], no cryptanalytic attacks better than [[brute force attack]] are known. 
The best attack, by Alexander Maximov and Alex Biryukov, recovers the internal state in time around &lt;math&gt;c\cdot 2^{83.5}&lt;/math&gt;.&lt;ref&gt;{{cite paper<br /> | author = Alexander Maximov, Alex Biryukov<br /> | title = Two Trivial Attacks on Trivium<br /> | publisher = Cryptology ePrint<br /> | date = 2007-01-23<br /> | url = http://mirror.cr.yp.to/eprint.iacr.org/2007/021<br /> | format = [[PDF]]<br /> }}&lt;/ref&gt; Reduced variants of Trivium corresponding to the design's basic construction have been broken using an equation-solving technique.&lt;ref&gt;{{cite paper<br /> | author = [[Håvard Raddum]]<br /> | title = Cryptanalytic results on Trivium<br /> | publisher = eSTREAM submitted papers<br /> | date = 2006-03-27<br /> | url = http://www.ecrypt.eu.org/stream/papersdir/2006/039.ps<br /> | format = [[PostScript]]<br /> | accessdate = 2006-10-09}}&lt;/ref&gt;<br /> <br /> {{quote|[Trivium] was designed<br /> as an exercise in exploring how far a stream cipher can be simplified without<br /> sacrificing its security, speed or flexibility. 
While simple designs are more likely<br /> to be vulnerable to simple, and possibly devastating, attacks (which is why we<br /> strongly discourage the use of Trivium at this stage), they certainly inspire<br /> more confidence than complex schemes, if they survive a long period of public<br /> scrutiny despite their simplicity.&lt;ref&gt;{{cite paper<br /> | author = [[Christophe De Cannière]], [[Bart Preneel]]<br /> | title = Trivium specifications<br /> | publisher = eSTREAM submitted papers<br /> | date = 2005-04-29<br /> | url = http://www.ecrypt.eu.org/stream/ciphers/trivium/trivium.pdf<br /> | format = [[PDF]]<br /> | accessdate = 2006-10-09<br /> }}&lt;/ref&gt;}}<br /> <br /> A detailed justification of the design of Trivium is given in &lt;ref&gt;{{cite paper<br /> | author = [[Christophe De Cannière]], [[Bart Preneel]]<br /> | title = Trivium - A Stream Cipher Construction Inspired by Block Cipher Design Principles<br /> | publisher = eSTREAM submitted papers<br /> | date = 2006-01-02<br /> | url = http://www.ecrypt.eu.org/stream/papersdir/2006/021.pdf<br /> | format = [[PDF]]<br /> | accessdate = 2006-10-09<br /> }}&lt;/ref&gt;.<br /> <br /> ==References==<br /> &lt;references/&gt;<br /> <br /> <br /> ==External links==<br /> * [http://www.ecrypt.eu.org/stream/trivium.html eSTREAM page on Trivium]<br /> <br /> {{Crypto navbox | stream}}<br /> <br /> [[Category:Stream ciphers]]</div> Ciphergoth https://de.wikipedia.org/w/index.php?title=Trivium_(Algorithmus)&diff=83575909 Trivium (Algorithmus) 2007-11-26T17:31:28Z <p>Ciphergoth: Just directly quote what the paper has to say about security - impact is clearer than chopping it up. 
Remove superfluous assertion that the Raddum attack is less efficient than brute force,</p> <hr /> <div>[[Image:Trivium_(cipher).png|thumb|300px|right|Structure of Trivium]]<br /> <br /> {{otheruses|trivia (disambiguation)}}<br /> <br /> '''Trivium''' is a synchronous [[stream cipher]] designed to provide a flexible trade-off between speed and [[gate count]] in hardware, and reasonably efficient software implementation. <br /> <br /> It was submitted to the Profile II (hardware) of the [[eSTREAM]] competition by its authors, [[Christophe De Cannière]] and [[Bart Preneel]], and has been selected as Phase 2 Focus Candidate for Profile 2 by the eSTREAM project. It is not patented.<br /> <br /> It generates up to 2&lt;sup&gt;64&lt;/sup&gt; [[bit]]s of output from an 80-bit [[key length|key]] and an 80-bit [[initialization vector|IV]]. It is the simplest eSTREAM entrant, and shows remarkable resistance to cryptanalysis for its simplicity.<br /> <br /> ==Description==<br /> Trivium's 288-bit internal state consists of three [[shift register]]s of different lengths. At each round, a bit is shifted into each of the three shift registers using a non-linear combination of taps from that and one other register; one bit of output is produced. To initialize the cipher, the key and IV are written into two of the shift registers, with the remaining bits starting in a fixed pattern; the cipher state is then updated 4 &amp;times; 288 = 1152 times, so that every bit of the internal state depends on every bit of the key and of the IV in a complex nonlinear way.<br /> <br /> No taps appear on the first 64 bits of each shift register, so each novel state bit is not used until at least 64 rounds after it is generated. 
This is the key to Trivium's software performance and flexibility in hardware.<br /> <br /> ==Specification==<br /> Trivium may be specified very concisely using three recursive equations.&lt;ref&gt;[http://www.ecrypt.eu.org/stream/phorum/read.php?1,448 eSTREAM Phorum, 2006-02-20]&lt;/ref&gt; Each variable is an element of [[finite field|GF]](2); they can be represented as [[bit]]s, with &quot;+&quot; being [[Exclusive or|XOR]] and multiplication being [[Binary and|AND]].<br /> <br /> *''a''&lt;sub&gt;''i''&lt;/sub&gt; = ''c''&lt;sub&gt;''i''-66&lt;/sub&gt; + ''c''&lt;sub&gt;''i''-111&lt;/sub&gt; + ''c''&lt;sub&gt;''i''-110&lt;/sub&gt; ''c''&lt;sub&gt;''i''-109&lt;/sub&gt; + ''a''&lt;sub&gt;''i''-69&lt;/sub&gt;<br /> *''b''&lt;sub&gt;''i''&lt;/sub&gt; = ''a''&lt;sub&gt;''i''-66&lt;/sub&gt; + ''a''&lt;sub&gt;''i''-93&lt;/sub&gt; + ''a''&lt;sub&gt;''i''-92&lt;/sub&gt; ''a''&lt;sub&gt;''i''-91&lt;/sub&gt; + ''b''&lt;sub&gt;''i''-78&lt;/sub&gt;<br /> *''c''&lt;sub&gt;''i''&lt;/sub&gt; = ''b''&lt;sub&gt;''i''-69&lt;/sub&gt; + ''b''&lt;sub&gt;''i''-84&lt;/sub&gt; + ''b''&lt;sub&gt;''i''-83&lt;/sub&gt; ''b''&lt;sub&gt;''i''-82&lt;/sub&gt; + ''c''&lt;sub&gt;''i''-87&lt;/sub&gt;<br /> <br /> The output bits ''r''&lt;sub&gt;0&lt;/sub&gt; ... ''r''&lt;sub&gt;2&lt;sup&gt;64&lt;/sup&gt;-1&lt;/sub&gt; are then generated by<br /> <br /> *''r''&lt;sub&gt;''i''&lt;/sub&gt; = ''c''&lt;sub&gt;''i''-66&lt;/sub&gt; + ''c''&lt;sub&gt;''i''-111&lt;/sub&gt; + ''a''&lt;sub&gt;''i''-66&lt;/sub&gt; + ''a''&lt;sub&gt;''i''-93&lt;/sub&gt; + ''b''&lt;sub&gt;''i''-69&lt;/sub&gt; + ''b''&lt;sub&gt;''i''-84&lt;/sub&gt;<br /> <br /> Given an 80-bit key ''k''&lt;sub&gt;0&lt;/sub&gt; ... ''k''&lt;sub&gt;79&lt;/sub&gt; and an ''l''-bit IV ''v''&lt;sub&gt;0&lt;/sub&gt; ... ''v''&lt;sub&gt;''l''-1&lt;/sub&gt; (where 0 &amp;le; ''l'' &amp;le; 80), Trivium is initialized as follows:<br /> <br /> *(''a''&lt;sub&gt;-1245&lt;/sub&gt; ... ''a''&lt;sub&gt;-1153&lt;/sub&gt;) = (0, 0 ... 
0, ''k''&lt;sub&gt;0&lt;/sub&gt; ... ''k''&lt;sub&gt;79&lt;/sub&gt;)<br /> *(''b''&lt;sub&gt;-1236&lt;/sub&gt; ... ''b''&lt;sub&gt;-1153&lt;/sub&gt;) = (0, 0 ... 0, ''v''&lt;sub&gt;0&lt;/sub&gt; ... ''v''&lt;sub&gt;''l''-1&lt;/sub&gt;)<br /> *(''c''&lt;sub&gt;-1263&lt;/sub&gt; ... ''c''&lt;sub&gt;-1153&lt;/sub&gt;) = (1, 1, 1, 0, 0 ... 0)<br /> <br /> The large negative indices on the initial values reflect the 1152 steps that must take place before output is produced.<br /> <br /> To map a stream of bits ''r'' to a stream of bytes ''R'', we use the little-endian mapping ''R''&lt;sub&gt;''i''&lt;/sub&gt; = Σ&lt;sub&gt;''j''=0 ... 7&lt;/sub&gt; 2&lt;sup&gt;j&lt;/sup&gt; ''r''&lt;sub&gt;8''i''+j&lt;/sub&gt;.<br /> <br /> ==Performance==<br /> A straightforward hardware implementation of Trivium would use 3488 [[logic gate]]s and produce one bit per clock cycle. However, because each state bit is not used for at least 64 rounds, 64 state bits can be generated in parallel at a slightly greater hardware cost of 5504 gates. Different tradeoffs between speed and area are also possible.<br /> <br /> The same property allows an efficient bitslice implementation in software; performance testing by [[eSTREAM]] give bulk encryption speeds of around 4 cycles/byte on some [[x86]] platforms, which compares well to the 19 cycles/byte of the [[Advanced Encryption Standard|AES]] reference implementation on the same platform.<br /> <br /> ==Security==<br /> {{quote|[Trivium] was designed<br /> as an exercise in exploring how far a stream cipher can be simplified without<br /> sacrificing its security, speed or flexibility. 
While simple designs are more likely<br /> to be vulnerable to simple, and possibly devastating, attacks (which is why we<br /> strongly discourage the use of Trivium at this stage), they certainly inspire<br /> more confidence than complex schemes, if they survive a long period of public<br /> scrutiny despite their simplicity.&lt;ref&gt;{{cite paper<br /> | author = [[Christophe De Cannière]], [[Bart Preneel]]<br /> | title = Trivium specifications<br /> | publisher = eSTREAM submitted papers<br /> | date = 2005-04-29<br /> | url = http://www.ecrypt.eu.org/stream/ciphers/trivium/trivium.pdf<br /> | format = [[PDF]]<br /> | accessdate = 2006-10-09<br /> }}&lt;/ref&gt;}}<br /> <br /> As of June [[2007]], no cryptanalytic attacks better than [[brute force attack]] are known. The best attack, by Alexander Maximov and Alex Biryukov, recovers the internal state in time around &lt;math&gt;c\cdot 2^{83.5}&lt;/math&gt;.&lt;ref&gt;{{cite paper<br /> | author = Alexander Maximov, Alex Biryukov<br /> | title = Two Trivial Attacks on Trivium<br /> | publisher = Cryptology ePrint<br /> | date = 2007-01-23<br /> | url = http://mirror.cr.yp.to/eprint.iacr.org/2007/021<br /> | format = [[PDF]]<br /> }}&lt;/ref&gt; Reduced variants of Trivium corresponding to the design's basic construction have been broken using an equation-solving technique.&lt;ref&gt;{{cite paper<br /> | author = [[Håvard Raddum]]<br /> | title = Cryptanalytic results on Trivium<br /> | publisher = eSTREAM submitted papers<br /> | date = 2006-03-27<br /> | url = http://www.ecrypt.eu.org/stream/papersdir/2006/039.ps<br /> | format = [[PostScript]]<br /> | accessdate = 2006-10-09}}&lt;/ref&gt;<br /> <br /> A detailed justification of the design of Trivium is given in &lt;ref&gt;{{cite paper<br /> | author = [[Christophe De Cannière]], [[Bart Preneel]]<br /> | title = Trivium - A Stream Cipher Construction Inspired by Block Cipher Design Principles<br /> | publisher = eSTREAM submitted papers<br /> | date = 
2006-01-02<br /> | url = http://www.ecrypt.eu.org/stream/papersdir/2006/021.pdf<br /> | format = [[PDF]]<br /> | accessdate = 2006-10-09<br /> }}&lt;/ref&gt;.<br /> <br /> ==References==<br /> &lt;references/&gt;<br /> <br /> <br /> ==External links==<br /> * [http://www.ecrypt.eu.org/stream/trivium.html eSTREAM page on Trivium]<br /> <br /> {{Crypto navbox | stream}}<br /> <br /> [[Category:Stream ciphers]]</div> Ciphergoth https://de.wikipedia.org/w/index.php?title=The_Atheism_Tapes&diff=122181874 The Atheism Tapes 2007-10-29T18:28:35Z <p>Ciphergoth: /* The programmes */ mention the others who were interviewed at least.</p> <hr /> <div>'''''The Atheism Tapes''''' is a 2005 [[BBC]] television documentary series presented by [[Jonathan Miller]]. The material that makes up the series was originally filmed for another, more general series, '' [[Atheism: A Rough History of Disbelief]]'', but was too in-depth for inclusion. Instead, the BBC agreed to create ''The Atheism Tapes'' as a supplementary series of six programmes, each consisting of an extended interview with one contributor.<br /> <br /> == The programmes ==<br /> All six programmes were conducted in the form of interviews; the synopses below are summaries of the interviewees' responses to Miller's questions.<br /> <br /> Also interviewed were [[Richard Dawkins]], [[Arthur Miller]] and [[Denys Turner]].<br /> <br /> ===Colin McGinn===<br /> [[England|English]] [[philosophy|philosopher]] McGinn speaks about the various reasons for not believing in God, and some of the reasons for. He gives a thorough treatment of the ontological argument. In addition, McGinn draws an important distinction between atheism (lack of belief in a deity) and antitheism (active opposition to theism); he identifies himself as both an atheist and an antitheist. 
Finally, he speculates about a post-theistic society.<br /> <br /> ===Steven Weinberg===<br /> He talks about the effectiveness of the [[Teleological argument|Design Argument]], both in the past and today. He also discusses the reasons that people become religious, including the varying influences of physicist and biological arguments against religion, and connects this to a higher likelihood of physicists being agnostic than biologists.<br /> <br /> He goes on to distinguish between violence done ''in the name of'' religion, and ''because of'' religion, and states that both of these are very real and very dangerous. He goes on to discuss the difference between religious belief in America and Europe, and about how he doesn’t like the character of [[Yahweh|the Christian God]]. He ends by saying that science is very definitely corrosive to religious belief, and that he considers this a good thing.<br /> &lt;!-- <br /> ===Arthur Miller===<br /> <br /> ===Richard Dawkins===<br /> <br /> ===Denys Turner=== --&gt;<br /> <br /> ===Daniel Dennett===<br /> [[United States|American]] philosopher Dennett explains why he called one of his books ''[[Darwin's Dangerous Idea]]'', and why many of Darwin's contemporaries, in particular, considered Darwin's theory of evolution to be dangerous. He goes on to deal with the question of consciousness (i.e., is the consciousness/soul distinct from the body), talking about Darwin's rejection of the soul and the possible origins and psychological purposes of a belief in an immaterial soul.<br /> <br /> Next, he talks about his Christian upbringing and how he became an atheist. He goes on to ask why it is thought rude to criticise religious belief, and suggests that it is due to the influential status of the religions in question. 
He finishes by wondering whether we could live effectively in a post-theistic world.<br /> <br /> == External links ==<br /> *[http://www.bbc.co.uk/bbcfour/documentaries/features/atheism-tapes.shtml The Atheism Tapes] The official BBC page for the series<br /> *[http://tapes.atbhost.com/index.php Transcripts] of the programmes<br /> <br /> {{DEFAULTSORT:Atheism Tapes, The}}<br /> [[Category:Atheism]]<br /> [[Category:BBC television documentaries on history]]<br /> [[Category:2005 works]]<br /> <br /> [[pt:The Atheism Tapes]]<br /> [[fi:The Atheism Tapes]]<br /> <br /> <br /> {{atheism-stub}}<br /> <br /> {{documentary-film-stub}}</div> Ciphergoth https://de.wikipedia.org/w/index.php?title=FAST_TCP&diff=165298764 FAST TCP 2007-08-21T10:04:28Z <p>Ciphergoth: /* Name */ recursive algorithm joke overdone</p> <hr /> <div>'''FAST TCP''' is a new [[TCP congestion avoidance algorithm]] especially targeted at high-speed, long-distance links, developed at the [http://netlab.caltech.edu/ Netlab], [[California Institute of Technology]]. It is compatible with existing TCP algorithms, requiring modification only to the [[computer]] which is sending [[data]].<br /> <br /> ==Name==<br /> The name '''FAST''' is a [[recursive acronym]] for '''F'''AST '''A'''QM '''S'''calable '''T'''CP, where '''AQM''' stands for '''A'''ctive '''Q'''ueue '''M'''anagement, and '''TCP''' stands for '''T'''ransmission '''C'''ontrol '''P'''rotocol.<br /> <br /> ==Principles of operation==<br /> The role of congestion control is to moderate the rate at which data is transmitted, according to the capacity of the [[telecommunications network|network]] and the rate at which other users are transmitting. Like [[TCP Vegas]], FAST TCP&lt;ref&gt;{{cite journal<br /> | last = Wei<br /> | first = David X.<br /> | coauthors = Jin, Cheng; Low, Steven H. 
and Hegde, Sanjay<br /> | date = <br /> | year = 2006<br /> | month =<br /> | title = FAST TCP: motivation, architecture, algorithms, performance<br /> | journal = IEEE/ACM Trans. on Networking<br /> | volume = 14<br /> | issue = 6<br /> | pages = 1246-1259<br /> | issn = <br /> | url = http://netlab.caltech.edu/pub/papers/FAST-ToN-final-060209.pdf<br /> }}&lt;/ref&gt;<br /> &lt;ref&gt;{{cite journal<br /> | last = Jin<br /> | first = Cheng<br /> | coauthors = Wei, David X.; Low, Steven H.; Buhrmaster, G.; Bunn, J.; Choe, D. H.; Cottrell, R. L. A.; Doyle, J. C.; Feng, W.; Martin, O.; Newman, H. Paganini, F.; Ravot, S.; Singh, S.<br /> | date = <br /> | year = 2005<br /> | month = <br /> | title = FAST TCP: from theory to experiments<br /> | journal = IEEE Network<br /> | volume = 19<br /> | issue = 1<br /> | pages = 4-11<br /> | issn = <br /> | url = http://netlab.caltech.edu/pub/papers/fast-network05.pdf<br /> }}<br /> &lt;/ref&gt; uses [[queueing delay]] instead of [[packet loss|loss probability]] as a congestion signal.<br /> <br /> Most current congestion control algorithms detect congestion and slow down when they discover that packets are being dropped, so that the average sending rate depends on the loss probability. This has two drawbacks. First, low loss probabilities are required to sustain high data rates; in the case of TCP Reno, very low loss probabilities are required, but even new congestion avoidance algorithms such as [[H-TCP]], [[BIC TCP]] and [[HSTCP]] require loss rates lower than those provided by most wireless [[wide area network]]s. Moreover, packet loss only provides a single bit of information about the congestion level, whereas delay is a continuous quantity and in principle provides more information about the network.<br /> <br /> A FAST TCP flow seeks to maintain a constant number of packets in queues throughout the network. 
The number of packets in queues is estimated by measuring the difference between the observed [[round-trip delay time|round trip time]] (RTT) and the ''base RTT'', defined as the round trip time when there is no queueing. The base RTT is estimated as the minimum observed RTT for the connection. If too few packets are queued, the sending rate is increased, while if too many are queued, the rate is decreased. In this respect, it is a direct descendant of TCP Vegas.<br /> <br /> The difference between TCP Vegas and FAST TCP lies in the way in which the rate is adjusted when the number of packets stored is too small or large. TCP Vegas makes fixed size adjustments to the rate, independent of how far the current rate is from the target rate. FAST TCP makes larger steps when the system is further from equilibrium and smaller steps near equilibrium. This improves the speed of convergence and the stability.<br /> <br /> ==Strengths and weaknesses==<br /> Delay-based algorithms can, in principle, maintain a constant window size, avoiding the oscillations inherent in loss-based algorithms. However, they also detect congestion earlier than loss-based algorithms, since delay corresponds to partially filled [[buffer (Telecommunications)|buffers]], while loss results from totally filled buffers. This can be either a strength or a weakness. If the only protocol used in a network is delay-based, then the inefficiency of loss can be avoided; however, if loss-based and delay-based protocols share the network&lt;ref&gt;{{cite journal<br /> | last = Tang<br /> | first = Ao<br /> | coauthors = Wang, Jiantao; Low, Steven H. 
and Chiang, Mung<br /> | date = <br /> | year = 2005<br /> | month = March<br /> | title = Network Equilibrium of heterogeneous congestion control protocols<br /> | conference = IEEE INFOCOM<br /> | conferenceurl = http://www.ieee-infocom.org/2005/<br /> | location = Miami, FL<br /> | url = http://netlab.caltech.edu/pub/papers/multiprotocol-infocom05.pdf<br /> }}<br /> &lt;/ref&gt;, then delay-based algorithms tend to be less aggressive. This can be overcome by suitable choice of parameters, leading to complex interactions studied by Tang et al.<br /> <br /> Delay measurements are also subject to jitter as a result of [[operating system]] scheduling, or [[Computer bus|bus]] contention.<br /> <br /> Whether the strengths or weaknesses prevail is not clear, and depends in large part on the particular scenario.<br /> <br /> ==Intellectual property==<br /> Unlike most TCP congestion avoidance algorithms, FAST TCP is protected by several patents&lt;ref&gt;{{cite web<br /> | last = Jin<br /> | first = Cheng<br /> | coauthors = Low, Steven H.; Wei, Xiaoliang<br /> | title = Method and apparatus for network congestion control<br /> | publisher = [[United States Patent &amp; Trademark Office]]<br /> | date = [[2005-01-27]]<br /> | url = http://appft1.uspto.gov/netacgi/nph-Parser?Sect1=PTO2&amp;Sect2=HITOFF&amp;p=1&amp;u=%2Fnetahtml%2FPTO%2Fsearch-bool.html&amp;r=2&amp;f=G&amp;l=50&amp;co1=AND&amp;d=PG01&amp;s1=jin.IN.&amp;s2=low.IN.&amp;OS=IN/jin+AND+IN/low&amp;RS=IN/jin+AND+IN/low<br /> | accessdate = 2006-11-05 }}&lt;/ref&gt;&lt;ref&gt;{{cite web<br /> | last = Jin<br /> | first = Cheng<br /> | coauthors = Low, Steven H.; Wei, Xiaoliang<br /> | coauthors = Low, Steven H.; Wei, David X.; Wydrowski, Bartek; Tang, Ao; Choe, Hyojeong<br /> | title = Method and apparatus for network congestion control using queue control and one-way delay measurements<br /> | publisher = [[United States Patent &amp; Trademark Office]]<br /> | date = [[2006-03-09]]<br /> | url = 
http://appft1.uspto.gov/netacgi/nph-Parser?Sect1=PTO2&amp;Sect2=HITOFF&amp;p=1&amp;u=%2Fnetahtml%2FPTO%2Fsearch-bool.html&amp;r=1&amp;f=G&amp;l=50&amp;co1=AND&amp;d=PG01&amp;s1=jin.IN.&amp;s2=low.IN.&amp;OS=IN/jin+AND+IN/low&amp;RS=IN/jin+AND+IN/low<br /> | accessdate = 2006-11-05 }}&lt;/ref&gt;. Instead of seeking standardization by the [[IETF]], the inventors of FAST, notably Steven Low and Cheng Jin, are seeking to commercialize it through the company [http://www.fastsoft.com FastSoft].<br /> <br /> ==References==<br /> &lt;references/&gt;<br /> <br /> ==See Also==<br /> * [[TCP congestion avoidance algorithm]]<br /> * [[Transmission Control Protocol#Development_of_TCP]]<br /> <br /> ==External links==<br /> *[http://netlab.caltech.edu/FAST/ FAST] Home Page.<br /> *[http://ultralight.caltech.edu/web-site/sc05/html/index.html Supercomputing 2005 Bandwidth Challenge]<br /> <br /> <br /> [[Category:Internet protocols]]<br /> [[Category:Internet standards]]<br /> [[Category:Transport layer protocols]]<br /> <br /> <br /> [[es:FAST TCP]]</div> Ciphergoth https://de.wikipedia.org/w/index.php?title=Trivium_(Algorithmus)&diff=83575905 Trivium (Algorithmus) 2007-06-25T07:19:50Z <p>Ciphergoth: User:Reginmund had it right all along. Links to popular articles on a name are only necessary on the page whose name has no brackets.</p> <hr /> <div>[[Image:Trivium_(cipher).png|thumb|300px|right|Structure of Trivium]]<br /> <br /> {{otheruses|trivia (disambiguation)}}<br /> <br /> '''Trivium''' is a synchronous [[stream cipher]] designed to provide a flexible trade-off between speed and [[gate count]] in hardware, and reasonably efficient software implementation. 
<br /> <br /> It was submitted&lt;ref&gt;{{cite paper<br /> | author = [[Christophe De Cannière]], [[Bart Preneel]]<br /> | title = Trivium specifications<br /> | publisher = eSTREAM submitted papers<br /> | date = 2005-04-29<br /> | url = http://www.ecrypt.eu.org/stream/ciphers/trivium/trivium.pdf<br /> | format = [[PDF]]<br /> | accessdate = 2006-10-09<br /> }}&lt;/ref&gt; to the Profile II (hardware) of the [[eSTREAM]] competition by its authors, [[Christophe De Cannière]] and [[Bart Preneel]], and has been selected as Phase 2 Focus Candidate for Profile 2 by the eSTREAM project. It is not patented.<br /> <br /> It generates up to 2&lt;sup&gt;64&lt;/sup&gt; [[bit]]s of output from an 80-bit [[key length|key]] and an 80-bit [[initialization vector|IV]]. It is the simplest eSTREAM entrant, and shows remarkable resistance to cryptanalysis for its simplicity.<br /> <br /> ==Description==<br /> Trivium's 288-bit internal state consists of three [[shift register]]s of different lengths. At each round, a bit is shifted into each of the three shift registers using a non-linear combination of taps from that and one other register; one bit of output is produced. To initialize the cipher, the key and IV are written into two of the shift registers, with the remaining bits starting in a fixed pattern; the cipher state is then updated 4 &amp;times; 288 = 1152 times, so that every bit of the internal state depends on every bit of the key and of the IV in a complex nonlinear way.<br /> <br /> No taps appear on the first 64 bits of each shift register, so each novel state bit is not used until at least 64 rounds after it is generated. 
This is the key to Trivium's software performance and flexibility in hardware.<br /> <br /> ==Specification==<br /> Trivium may be specified very concisely using three recursive equations.&lt;ref&gt;[http://www.ecrypt.eu.org/stream/phorum/read.php?1,448 eSTREAM Phorum, 2006-02-20]&lt;/ref&gt; Each variable is an element of [[finite field|GF]](2); they can be represented as [[bit]]s, with &quot;+&quot; being [[Exclusive or|XOR]] and multiplication being [[Binary and|AND]].<br /> <br /> *''a''&lt;sub&gt;''i''&lt;/sub&gt; = ''c''&lt;sub&gt;''i''-66&lt;/sub&gt; + ''c''&lt;sub&gt;''i''-111&lt;/sub&gt; + ''c''&lt;sub&gt;''i''-110&lt;/sub&gt; ''c''&lt;sub&gt;''i''-109&lt;/sub&gt; + ''a''&lt;sub&gt;''i''-69&lt;/sub&gt;<br /> *''b''&lt;sub&gt;''i''&lt;/sub&gt; = ''a''&lt;sub&gt;''i''-66&lt;/sub&gt; + ''a''&lt;sub&gt;''i''-93&lt;/sub&gt; + ''a''&lt;sub&gt;''i''-92&lt;/sub&gt; ''a''&lt;sub&gt;''i''-91&lt;/sub&gt; + ''b''&lt;sub&gt;''i''-78&lt;/sub&gt;<br /> *''c''&lt;sub&gt;''i''&lt;/sub&gt; = ''b''&lt;sub&gt;''i''-69&lt;/sub&gt; + ''b''&lt;sub&gt;''i''-84&lt;/sub&gt; + ''b''&lt;sub&gt;''i''-83&lt;/sub&gt; ''b''&lt;sub&gt;''i''-82&lt;/sub&gt; + ''c''&lt;sub&gt;''i''-87&lt;/sub&gt;<br /> <br /> The output bits ''r''&lt;sub&gt;0&lt;/sub&gt; ... ''r''&lt;sub&gt;2&lt;sup&gt;64&lt;/sup&gt;-1&lt;/sub&gt; are then generated by<br /> <br /> *''r''&lt;sub&gt;''i''&lt;/sub&gt; = ''c''&lt;sub&gt;''i''-66&lt;/sub&gt; + ''c''&lt;sub&gt;''i''-111&lt;/sub&gt; + ''a''&lt;sub&gt;''i''-66&lt;/sub&gt; + ''a''&lt;sub&gt;''i''-93&lt;/sub&gt; + ''b''&lt;sub&gt;''i''-69&lt;/sub&gt; + ''b''&lt;sub&gt;''i''-84&lt;/sub&gt;<br /> <br /> Given an 80-bit key ''k''&lt;sub&gt;0&lt;/sub&gt; ... ''k''&lt;sub&gt;79&lt;/sub&gt; and an ''l''-bit IV ''v''&lt;sub&gt;0&lt;/sub&gt; ... ''v''&lt;sub&gt;''l''-1&lt;/sub&gt; (where 0 &amp;le; ''l'' &amp;le; 80), Trivium is initialized as follows:<br /> <br /> *(''a''&lt;sub&gt;-1245&lt;/sub&gt; ... ''a''&lt;sub&gt;-1153&lt;/sub&gt;) = (0, 0 ... 
0, ''k''&lt;sub&gt;0&lt;/sub&gt; ... ''k''&lt;sub&gt;79&lt;/sub&gt;)<br /> *(''b''&lt;sub&gt;-1236&lt;/sub&gt; ... ''b''&lt;sub&gt;-1153&lt;/sub&gt;) = (0, 0 ... 0, ''v''&lt;sub&gt;0&lt;/sub&gt; ... ''v''&lt;sub&gt;''l''-1&lt;/sub&gt;)<br /> *(''c''&lt;sub&gt;-1263&lt;/sub&gt; ... ''c''&lt;sub&gt;-1153&lt;/sub&gt;) = (1, 1, 1, 0, 0 ... 0)<br /> <br /> The large negative indices on the initial values reflect the 1152 steps that must take place before output is produced.<br /> <br /> To map a stream of bits ''r'' to a stream of bytes ''R'', we use the little-endian mapping ''R''&lt;sub&gt;''i''&lt;/sub&gt; = Σ&lt;sub&gt;''j''=0 ... 7&lt;/sub&gt; 2&lt;sup&gt;j&lt;/sup&gt; ''r''&lt;sub&gt;8''i''+j&lt;/sub&gt;.<br /> <br /> ==Performance==<br /> A straightforward hardware implementation of Trivium would use 3488 [[logic gate]]s and produce one bit per clock cycle. However, because each novel state bit is not used for at least 64 rounds, 64 state bits can be generated in parallel at a slightly greater hardware cost of 5504 gates. Different tradeoffs between speed and area are also possible.<br /> <br /> The same property allows an efficient bitslice implementation in software; performance testing by [[eSTREAM]] give bulk encryption speeds of around 4 cycles/byte on some [[x86]] platforms, which compares well to the 19 cycles/byte of the [[Advanced Encryption Standard|AES]] reference implementation on the same platform.<br /> <br /> ==Security==<br /> According to the authors, 'Trivium was designed as an exercise in exploring how far a stream cipher can be simplified without sacrificing its security, speed or flexibility'.<br /> <br /> The Trivium authors claim in the specifications that simple designs like Trivium are more likely to be vulnerable to simple, and possibly devastating, attacks. Such schemes are offered as they 'certainly inspire more confidence than complex schemes, if they survive a long period of public scrutiny despite their simplicity'. 
The authors 'strongly discourage the use of Trivium at this stage'.<br /> <br /> As of June [[2007]], no cryptanalytic attacks better than [[brute force attack]] are known. The best attack in [[2006]], by [[Shahram Khazaei]], requires around 2&lt;sup&gt;135&lt;/sup&gt; operations.&lt;ref&gt;{{cite paper<br /> | author = Shahram Khazaei, Mehdi Hassanzadeh<br /> | title = Linear Sequential Circuit Approximation of the TRIVIUM Stream Cipher<br /> | publisher = eSTREAM submitted papers<br /> | date = 2005-09-27<br /> | url = http://www.ecrypt.eu.org/stream/papersdir/063.pdf<br /> | format = [[PDF]]<br /> | accessdate = 2006-10-09<br /> }}&lt;/ref&gt;&lt;ref&gt;{{cite web<br /> | author = Shahram Khazaei<br /> | title = Re: A reformulation of TRIVIUM<br /> | publisher = eSTREAM discussion forum<br /> | date = 2006-02-21<br /> | url = http://www.ecrypt.eu.org/stream/phorum/read.php?1,448,464<br /> | accessdate = 2007-01-15<br /> }}&lt;/ref&gt; The best attack in [[2007]], by Alexander Maximov and Alex Biryukov, claims that the internal state of the full Trivium can be recovered in time around &lt;math&gt;c\cdot 2^{83.5}&lt;/math&gt;.&lt;ref&gt;{{cite paper<br /> | author = Alexander Maximov, Alex Biryukov<br /> | title = Two Trivial Attacks on Trivium<br /> | publisher = Cryptology ePrint<br /> | date = 2007-01-23<br /> | url = http://mirror.cr.yp.to/eprint.iacr.org/2007/021<br /> | format = [[PDF]]<br /> }}&lt;/ref&gt;<br /> <br /> Reduced variants of Trivium corresponding to the design's basic construction have been broken using an equation-solving technique.&lt;ref&gt;{{cite paper<br /> | author = [[Håvard Raddum]]<br /> | title = Cryptanalytic results on Trivium<br /> | publisher = eSTREAM submitted papers<br /> | date = 2006-03-27<br /> | url = http://www.ecrypt.eu.org/stream/papersdir/2006/039.ps<br /> | format = [[PostScript]]<br /> | accessdate = 2006-10-09}}&lt;/ref&gt; The paper claims that the current implementation of their equation-solving attack can not 
break the full Trivium cipher due to the short key-length when compared to the size of the internal state of the cipher. <br /> <br /> The Trivium specification does not allow keys of at least twice the cipher's security rating, which Daniel J. Bernstein recommends in his paper &quot;Understanding Brute Force&quot; as a defence against parallel brute-force attacks.&lt;ref&gt;{{cite paper<br /> | author = [[Daniel J. Bernstein]]<br /> | title = Understanding Brute Force<br /> | publisher = cr.yp.to<br /> | date = 2005-04-25<br /> | url = http://cr.yp.to/snuffle/bruteforce-20050425.pdf<br /> | format = [[PDF]]<br /> | accessdate = 2006-10-09<br /> }}&lt;/ref&gt;<br /> <br /> A detailed justification of the design of Trivium is given in a separate paper by the authors.&lt;ref&gt;{{cite paper<br /> | author = [[Christophe De Cannière]], [[Bart Preneel]]<br /> | title = Trivium - A Stream Cipher Construction Inspired by Block Cipher Design Principles<br /> | publisher = eSTREAM submitted papers<br /> | date = 2006-01-02<br /> | url = http://www.ecrypt.eu.org/stream/papersdir/2006/021.pdf<br /> | format = [[PDF]]<br /> | accessdate = 2006-10-09<br /> }}&lt;/ref&gt;<br /> <br /> ==References==<br /> &lt;references/&gt;<br /> <br /> <br /> ==External links==<br /> * [http://www.ecrypt.eu.org/stream/trivium.html eSTREAM page on Trivium]<br /> <br /> {{Crypto navbox | stream}}<br /> <br /> [[Category:Stream ciphers]]</div> Ciphergoth https://de.wikipedia.org/w/index.php?title=Trivium_(Algorithmus)&diff=83575904 Trivium (Algorithmus) 2007-06-25T07:16:44Z <p>Ciphergoth: always preview</p> <hr /> <div>{{otheruses|Trivium (disambiguation)}}<br /> <br /> [[Image:Trivium_(cipher).png|thumb|300px|right|Structure of Trivium]]<br /> <br /> '''Trivium''' is a synchronous [[stream cipher]] designed to provide a flexible trade-off between speed and [[gate count]] in hardware, and reasonably efficient software implementation. 
<br /> <br /> It was submitted&lt;ref&gt;{{cite paper<br /> | author = [[Christophe De Cannière]], [[Bart Preneel]]<br /> | title = Trivium specifications<br /> | publisher = eSTREAM submitted papers<br /> | date = 2005-04-29<br /> | url = http://www.ecrypt.eu.org/stream/ciphers/trivium/trivium.pdf<br /> | format = [[PDF]]<br /> | accessdate = 2006-10-09<br /> }}&lt;/ref&gt; to the Profile II (hardware) of the [[eSTREAM]] competition by its authors, [[Christophe De Cannière]] and [[Bart Preneel]], and has been selected as Phase 2 Focus Candidate for Profile 2 by the eSTREAM project. It is not patented.<br /> <br /> It generates up to 2&lt;sup&gt;64&lt;/sup&gt; [[bit]]s of output from an 80-bit [[key length|key]] and an 80-bit [[initialization vector|IV]]. It is the simplest eSTREAM entrant, and shows remarkable resistance to cryptanalysis for its simplicity.<br /> <br /> ==Description==<br /> Trivium's 288-bit internal state consists of three [[shift register]]s of different lengths. At each round, a bit is shifted into each of the three shift registers using a non-linear combination of taps from that and one other register; one bit of output is produced. To initialize the cipher, the key and IV are written into two of the shift registers, with the remaining bits starting in a fixed pattern; the cipher state is then updated 4 &amp;times; 288 = 1152 times, so that every bit of the internal state depends on every bit of the key and of the IV in a complex nonlinear way.<br /> <br /> No taps appear on the first 64 bits of each shift register, so each novel state bit is not used until at least 64 rounds after it is generated. 
This is the key to Trivium's software performance and flexibility in hardware.<br /> <br /> ==Specification==<br /> Trivium may be specified very concisely using three recursive equations.&lt;ref&gt;[http://www.ecrypt.eu.org/stream/phorum/read.php?1,448 eSTREAM Phorum, 2006-02-20]&lt;/ref&gt; Each variable is an element of [[finite field|GF]](2); they can be represented as [[bit]]s, with &quot;+&quot; being [[Exclusive or|XOR]] and multiplication being [[Binary and|AND]].<br /> <br /> *''a''&lt;sub&gt;''i''&lt;/sub&gt; = ''c''&lt;sub&gt;''i''-66&lt;/sub&gt; + ''c''&lt;sub&gt;''i''-111&lt;/sub&gt; + ''c''&lt;sub&gt;''i''-110&lt;/sub&gt; ''c''&lt;sub&gt;''i''-109&lt;/sub&gt; + ''a''&lt;sub&gt;''i''-69&lt;/sub&gt;<br /> *''b''&lt;sub&gt;''i''&lt;/sub&gt; = ''a''&lt;sub&gt;''i''-66&lt;/sub&gt; + ''a''&lt;sub&gt;''i''-93&lt;/sub&gt; + ''a''&lt;sub&gt;''i''-92&lt;/sub&gt; ''a''&lt;sub&gt;''i''-91&lt;/sub&gt; + ''b''&lt;sub&gt;''i''-78&lt;/sub&gt;<br /> *''c''&lt;sub&gt;''i''&lt;/sub&gt; = ''b''&lt;sub&gt;''i''-69&lt;/sub&gt; + ''b''&lt;sub&gt;''i''-84&lt;/sub&gt; + ''b''&lt;sub&gt;''i''-83&lt;/sub&gt; ''b''&lt;sub&gt;''i''-82&lt;/sub&gt; + ''c''&lt;sub&gt;''i''-87&lt;/sub&gt;<br /> <br /> The output bits ''r''&lt;sub&gt;0&lt;/sub&gt; ... ''r''&lt;sub&gt;2&lt;sup&gt;64&lt;/sup&gt;-1&lt;/sub&gt; are then generated by<br /> <br /> *''r''&lt;sub&gt;''i''&lt;/sub&gt; = ''c''&lt;sub&gt;''i''-66&lt;/sub&gt; + ''c''&lt;sub&gt;''i''-111&lt;/sub&gt; + ''a''&lt;sub&gt;''i''-66&lt;/sub&gt; + ''a''&lt;sub&gt;''i''-93&lt;/sub&gt; + ''b''&lt;sub&gt;''i''-69&lt;/sub&gt; + ''b''&lt;sub&gt;''i''-84&lt;/sub&gt;<br /> <br /> Given an 80-bit key ''k''&lt;sub&gt;0&lt;/sub&gt; ... ''k''&lt;sub&gt;79&lt;/sub&gt; and an ''l''-bit IV ''v''&lt;sub&gt;0&lt;/sub&gt; ... ''v''&lt;sub&gt;''l''-1&lt;/sub&gt; (where 0 &amp;le; ''l'' &amp;le; 80), Trivium is initialized as follows:<br /> <br /> *(''a''&lt;sub&gt;-1245&lt;/sub&gt; ... ''a''&lt;sub&gt;-1153&lt;/sub&gt;) = (0, 0 ... 
0, ''k''&lt;sub&gt;0&lt;/sub&gt; ... ''k''&lt;sub&gt;79&lt;/sub&gt;)<br /> *(''b''&lt;sub&gt;-1236&lt;/sub&gt; ... ''b''&lt;sub&gt;-1153&lt;/sub&gt;) = (0, 0 ... 0, ''v''&lt;sub&gt;0&lt;/sub&gt; ... ''v''&lt;sub&gt;''l''-1&lt;/sub&gt;)<br /> *(''c''&lt;sub&gt;-1263&lt;/sub&gt; ... ''c''&lt;sub&gt;-1153&lt;/sub&gt;) = (1, 1, 1, 0, 0 ... 0)<br /> <br /> The large negative indices on the initial values reflect the 1152 steps that must take place before output is produced.<br /> <br /> To map a stream of bits ''r'' to a stream of bytes ''R'', we use the little-endian mapping ''R''&lt;sub&gt;''i''&lt;/sub&gt; = Σ&lt;sub&gt;''j''=0 ... 7&lt;/sub&gt; 2&lt;sup&gt;j&lt;/sup&gt; ''r''&lt;sub&gt;8''i''+j&lt;/sub&gt;.<br /> <br /> ==Performance==<br /> A straightforward hardware implementation of Trivium would use 3488 [[logic gate]]s and produce one bit per clock cycle. However, because each novel state bit is not used for at least 64 rounds, 64 state bits can be generated in parallel at a slightly greater hardware cost of 5504 gates. Different tradeoffs between speed and area are also possible.<br /> <br /> The same property allows an efficient bitslice implementation in software; performance testing by [[eSTREAM]] give bulk encryption speeds of around 4 cycles/byte on some [[x86]] platforms, which compares well to the 19 cycles/byte of the [[Advanced Encryption Standard|AES]] reference implementation on the same platform.<br /> <br /> ==Security==<br /> According to the authors, 'Trivium was designed as an exercise in exploring how far a stream cipher can be simplified without sacrificing its security, speed or flexibility'.<br /> <br /> The Trivium authors claim in the specifications that simple designs like Trivium are more likely to be vulnerable to simple, and possibly devastating, attacks. Such schemes are offered as they 'certainly inspire more confidence than complex schemes, if they survive a long period of public scrutiny despite their simplicity'. 
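The three recursive equations, the initialisation and the little-endian byte mapping above are a complete description of the cipher, and the following Python writes them down literally: every tap index in the code is one of the offsets in the equations, and the 1152 warm-up clocks are the 4 &times; 288 initialisation rounds. This is an added illustration, not the eSTREAM reference code and not code from the article; it assumes that key and IV bytes are expanded into k<sub>0</sub> ... k<sub>79</sub> and v<sub>0</sub> ... v<sub>l-1</sub> with the same little-endian bit order the page specifies for output bytes (the page does not spell this out for the key and IV, so matching the official test vectors depends on that choice). The sample key, IV and messages are constructed for the demonstration and are not eSTREAM test vectors. The last function shows the usage rule that matters for any synchronous stream cipher: a (key, IV) pair used twice leaks the XOR of the two plaintexts without any attack on the cipher itself.

```python
"""Trivium, written directly from the three recursive equations and the
initialisation in the specification above.

Added illustration, not the eSTREAM reference code and not code from the
article.  Assumption: key and IV bytes are expanded to bits k_0..k_79 and
v_0..v_{l-1} with the same little-endian mapping the page gives for output
bytes (bit j of byte i -> bit 8*i + j).
"""


def bits_le(data: bytes) -> list:
    """Little-endian bit expansion: bit j of byte i becomes bit 8*i + j."""
    return [(byte >> j) & 1 for byte in data for j in range(8)]


class Trivium:
    A_LEN, B_LEN, C_LEN = 93, 84, 111   # lengths from the ranges a_-1245..a_-1153 etc.
    WARMUP = 4 * 288                    # 1152 clocks before r_0 is emitted

    def __init__(self, key: bytes, iv: bytes = b""):
        if len(key) != 10:
            raise ValueError("Trivium takes an 80-bit key")
        if len(iv) > 10:
            raise ValueError("Trivium IV is at most 80 bits")
        k, v = bits_le(key), bits_le(iv)
        # Each list holds x_{i-n} .. x_{i-1}: index 0 is the OLDEST value,
        # so x_{i-t} lives at index n - t.
        self.a = [0] * (self.A_LEN - len(k)) + k      # (0..0, k_0..k_79)
        self.b = [0] * (self.B_LEN - len(v)) + v      # (0..0, v_0..v_{l-1})
        self.c = [1, 1, 1] + [0] * (self.C_LEN - 3)   # (1, 1, 1, 0..0)
        for _ in range(self.WARMUP):                 # the 1152 warm-up clocks
            self.clock()

    def clock(self) -> int:
        """Advance one round and return the output bit r_i."""
        a, b, c = self.a, self.b, self.c
        t1 = a[93 - 66] ^ a[93 - 93]               # a_{i-66} + a_{i-93}
        t2 = b[84 - 69] ^ b[84 - 84]               # b_{i-69} + b_{i-84}
        t3 = c[111 - 66] ^ c[111 - 111]            # c_{i-66} + c_{i-111}
        r = t1 ^ t2 ^ t3                           # r_i
        # New bits are computed from the pre-update state; the AND term is
        # the only non-linearity in each register.
        a_i = t3 ^ (c[111 - 110] & c[111 - 109]) ^ a[93 - 69]
        b_i = t1 ^ (a[93 - 92] & a[93 - 91]) ^ b[84 - 78]
        c_i = t2 ^ (b[84 - 83] & b[84 - 82]) ^ c[111 - 87]
        del a[0], b[0], c[0]
        a.append(a_i); b.append(b_i); c.append(c_i)
        return r

    def keystream(self, nbytes: int) -> bytes:
        """R_i = sum_{j=0..7} 2^j r_{8i+j}: the first bit out is the low bit."""
        out = bytearray()
        for _ in range(nbytes):
            byte = 0
            for j in range(8):
                byte |= self.clock() << j
            out.append(byte)
        return bytes(out)

    def crypt(self, data: bytes) -> bytes:
        """Encrypt or decrypt (the same operation) by XOR with the keystream."""
        return bytes(x ^ y for x, y in zip(data, self.keystream(len(data))))


def roundtrip(key: bytes, iv: bytes, message: bytes) -> tuple:
    """Encrypt with one fresh instance, decrypt with another."""
    ciphertext = Trivium(key, iv).crypt(message)
    recovered = Trivium(key, iv).crypt(ciphertext)
    return ciphertext, recovered


def iv_reuse_leak(key: bytes, iv: bytes, m1: bytes, m2: bytes) -> bytes:
    """Usage caveat for any synchronous stream cipher: if one (key, IV)
    pair is used twice, c1 XOR c2 == m1 XOR m2, and the key never enters
    into it.  Returns what an eavesdropper learns from the ciphertexts alone."""
    c1 = Trivium(key, iv).crypt(m1)
    c2 = Trivium(key, iv).crypt(m2)
    return bytes(x ^ y for x, y in zip(c1, c2))


if __name__ == "__main__":
    # Constructed sample values; these are not eSTREAM test vectors.
    KEY = bytes(range(0x10, 0x1a))
    IV = bytes(range(0x20, 0x2a))
    ct, pt = roundtrip(KEY, IV, b"attack at dawn")
    print("keystream :", Trivium(KEY, IV).keystream(16).hex())
    print("ciphertext:", ct.hex(), "recovered:", pt)
    print("IV reuse leaks m1^m2:", iv_reuse_leak(KEY, IV, b"hello", b"world").hex())
```

The bit-serial loop is the one-bit-per-clock hardware view; the 64-way parallel form discussed under Performance works because none of the taps above reads a value younger than 64 rounds, so 64 consecutive rounds can be evaluated from one snapshot of the registers.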
The authors 'strongly discourage the use of Trivium at this stage'.<br /> <br /> As of June [[2007]], no cryptanalytic attacks better than [[brute force attack|brute force]] are known. The best attack in [[2006]], by [[Shahram Khazaei]], requires around 2&lt;sup&gt;135&lt;/sup&gt; operations.&lt;ref&gt;{{cite paper<br /> | author = Shahram Khazaei, Mehdi Hassanzadeh<br /> | title = Linear Sequential Circuit Approximation of the TRIVIUM Stream Cipher<br /> | publisher = eSTREAM submitted papers<br /> | date = 2005-09-27<br /> | url = http://www.ecrypt.eu.org/stream/papersdir/063.pdf<br /> | format = [[PDF]]<br /> | accessdate = 2006-10-09<br /> }}&lt;/ref&gt;&lt;ref&gt;{{cite web<br /> | author = Shahram Khazaei<br /> | title = Re: A reformulation of TRIVIUM<br /> | publisher = eSTREAM discussion forum<br /> | date = 2006-02-21<br /> | url = http://www.ecrypt.eu.org/stream/phorum/read.php?1,448,464<br /> | accessdate = 2007-01-15<br /> }}&lt;/ref&gt; The best attack in [[2007]], by Alexander Maximov and Alex Biryukov, claims that the internal state of the full Trivium can be recovered in time around &lt;math&gt;c\cdot 2^{83.5}&lt;/math&gt;, which is still above the roughly 2&lt;sup&gt;80&lt;/sup&gt; steps of an exhaustive search of the 80-bit key.&lt;ref&gt;{{cite paper<br /> | author = Alexander Maximov, Alex Biryukov<br /> | title = Two Trivial Attacks on Trivium<br /> | publisher = Cryptology ePrint<br /> | date = 2007-01-23<br /> | url = http://mirror.cr.yp.to/eprint.iacr.org/2007/021<br /> | format = [[PDF]]<br /> }}&lt;/ref&gt;<br /> <br /> Reduced variants of Trivium corresponding to the design's basic construction have been broken using an equation-solving technique.&lt;ref&gt;{{cite paper<br /> | author = [[Håvard Raddum]]<br /> | title = Cryptanalytic results on Trivium<br /> | publisher = eSTREAM submitted papers<br /> | date = 2006-03-27<br /> | url = http://www.ecrypt.eu.org/stream/papersdir/2006/039.ps<br /> | format = [[PostScript]]<br /> | accessdate = 2006-10-09}}&lt;/ref&gt; The paper claims that the current implementation of their equation-solving attack cannot
break the full Trivium cipher, because the attack's cost is governed by the 288-bit internal state, which is far larger than the 80-bit key, so exhaustive key search remains cheaper. <br /> <br /> The Trivium specification does not support keys of at least twice the cipher's security rating, which Daniel J. Bernstein recommends in his paper &quot;Understanding Brute Force&quot; as a defence against parallel brute-force attacks.&lt;ref&gt;{{cite paper<br /> | author = [[Daniel J. Bernstein]]<br /> | title = Understanding Brute Force<br /> | publisher = cr.yp.to<br /> | date = 2005-04-25<br /> | url = http://cr.yp.to/snuffle/bruteforce-20050425.pdf<br /> | format = [[PDF]]<br /> | accessdate = 2006-10-09<br /> }}&lt;/ref&gt;<br /> A detailed justification of the design of Trivium is given in the authors' paper on the construction.&lt;ref&gt;{{cite paper<br /> | author = [[Christophe De Cannière]], [[Bart Preneel]]<br /> | title = Trivium - A Stream Cipher Construction Inspired by Block Cipher Design Principles<br /> | publisher = eSTREAM submitted papers<br /> | date = 2006-01-02<br /> | url = http://www.ecrypt.eu.org/stream/papersdir/2006/021.pdf<br /> | format = [[PDF]]<br /> | accessdate = 2006-10-09<br /> }}&lt;/ref&gt;<br /> <br /> ==References==<br /> &lt;references/&gt;<br /> <br /> <br /> ==External links==<br /> * [http://www.ecrypt.eu.org/stream/trivium.html eSTREAM page on Trivium]<br /> <br /> {{Crypto navbox | stream}}<br /> <br /> [[Category:Stream ciphers]]</div> Ciphergoth https://de.wikipedia.org/w/index.php?title=Trivium_(Algorithmus)&diff=83575903 Trivium (Algorithmus) 2007-06-25T07:16:04Z <p>Ciphergoth: a third disambiguation, which I think is the one in line with WP:D</p> <hr /> <div>{{otheruses}}<br /> <br /> [[Image:Trivium_(cipher).png|thumb|300px|right|Structure of Trivium]]<br /> <br /> '''Trivium''' is a synchronous [[stream cipher]] designed to provide a flexible trade-off between speed and [[gate count]] in hardware, and reasonably efficient software implementation.
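The three recurrences, the initial loading of the registers and the little-endian byte mapping from the Specification section of this article, implemented as an added Python example; this is not code from the article or from the Trivium authors' reference implementation. It follows the page's indexing literally: each register holds its newest bit at index 0, so the tap ''a''&lt;sub&gt;''i''-66&lt;/sub&gt; is index 65, and the key, IV and the three fixed 1 bits are loaded in exactly the positions the page gives. Two things are assumptions rather than page content: the key and IV bytes are unpacked with the same little-endian mapping the page defines only for the keystream, and the demo key and IV are constructed values. Because the bit-ordering convention is precisely what differs between write-ups of Trivium, agreement with the eSTREAM test vectors is not claimed here and should be checked against the reference implementation before the code is used for anything that has to interoperate.

```python
from collections import deque
from typing import Deque, List, Sequence


def bits_le(data: bytes) -> List[int]:
    """Bytes to bits, least-significant bit of each byte first.

    This is the page's mapping R_i = sum_{j=0..7} 2^j r_{8i+j} read in reverse.
    Applying it to the key and IV bytes is an assumption: the page defines
    the mapping only for the keystream.
    """
    return [(byte >> j) & 1 for byte in data for j in range(8)]


def bytes_le(bits: Sequence[int]) -> bytes:
    """Bits to bytes using the page's little-endian mapping."""
    if len(bits) % 8:
        raise ValueError("bit count must be a multiple of 8")
    return bytes(sum(bits[i + j] << j for j in range(8))
                 for i in range(0, len(bits), 8))


class Trivium:
    """Keystream generator written directly from the page's three recurrences.

    Each register is a deque holding the newest bit at index 0, so just before
    step i the entry A[k] is a_{i-1-k}.  A tap written a_{i-66} on the page is
    therefore A[65], a_{i-93} is A[92], and so on for B and C.
    """

    WARMUP = 4 * 288  # 1152 clockings before the first output bit, as the page states

    def __init__(self, key: bytes, iv: bytes) -> None:
        if len(key) != 10:
            raise ValueError("Trivium key must be exactly 80 bits (10 bytes)")
        if len(iv) > 10:
            raise ValueError("Trivium IV must be at most 80 bits (10 bytes)")
        k = bits_le(key)   # k_0 .. k_79
        v = bits_le(iv)    # v_0 .. v_{l-1}, l = 8 * len(iv)

        # Page: (a_{-1245} .. a_{-1153}) = (0 .. 0, k_0 .. k_79).  Newest first,
        # so A[0] = a_{-1153} = k_79 and the 13 zero bits are the oldest.
        self.a: Deque[int] = deque(k[::-1] + [0] * (93 - 80), maxlen=93)
        # Page: (b_{-1236} .. b_{-1153}) = (0 .. 0, v_0 .. v_{l-1}); a short IV
        # is simply zero-extended, so iv=b"" and iv=bytes(10) load the same state.
        self.b: Deque[int] = deque(v[::-1] + [0] * (84 - len(v)), maxlen=84)
        # Page: (c_{-1263} .. c_{-1153}) = (1, 1, 1, 0 .. 0): the three oldest
        # bits of the 111-bit register are set, everything else is zero.
        self.c: Deque[int] = deque([0] * (111 - 3) + [1, 1, 1], maxlen=111)

        for _ in range(self.WARMUP):   # output of the warm-up rounds is discarded
            self.step()

    def step(self) -> int:
        """Clock the cipher once; returns r_i (meaningless during warm-up)."""
        a, b, c = self.a, self.b, self.c
        # r_i = c_{i-66} + c_{i-111} + a_{i-66} + a_{i-93} + b_{i-69} + b_{i-84}
        r = c[65] ^ c[110] ^ a[65] ^ a[92] ^ b[68] ^ b[83]
        # a_i = c_{i-66} + c_{i-111} + c_{i-110} c_{i-109} + a_{i-69}
        ta = c[65] ^ c[110] ^ (c[109] & c[108]) ^ a[68]
        # b_i = a_{i-66} + a_{i-93} + a_{i-92} a_{i-91} + b_{i-78}
        tb = a[65] ^ a[92] ^ (a[91] & a[90]) ^ b[77]
        # c_i = b_{i-69} + b_{i-84} + b_{i-83} b_{i-82} + c_{i-87}
        tc = b[68] ^ b[83] ^ (b[82] & b[81]) ^ c[86]
        # Every new bit depends only on indices <= i-66 (no taps on the first
        # 64 positions), so all three are computed from the old state and then
        # shifted in together; appendleft drops the oldest bit at the far end.
        a.appendleft(ta)
        b.appendleft(tb)
        c.appendleft(tc)
        return r

    def keystream(self, nbytes: int) -> bytes:
        """Next nbytes of keystream, packed with the page's byte mapping."""
        return bytes_le([self.step() for _ in range(8 * nbytes)])

    def crypt(self, data: bytes) -> bytes:
        """XOR data with keystream; calling it again on the output decrypts."""
        return bytes(x ^ y for x, y in zip(data, self.keystream(len(data))))


if __name__ == "__main__":
    key, iv = b"0123456789", b"abcdefghij"   # constructed demo values, 80 bits each
    ct = Trivium(key, iv).crypt(b"attack at dawn")
    print(ct.hex(), Trivium(key, iv).crypt(ct))
```

Two checks worth running against it. First, `Trivium(key, b"")` and `Trivium(key, bytes(10))` produce the same keystream, because the page zero-extends a short IV; a scheme that varies the IV length therefore gains no additional distinct IVs, and an IV of fewer than 80 bits simply shrinks the IV space. Second, as for any synchronous stream cipher, two messages encrypted under the same key and IV are XORed with the same keystream, so the XOR of the two ciphertexts equals the XOR of the two plaintexts; a (key, IV) pair must never be reused.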
<br /> <br /> It was submitted&lt;ref&gt;{{cite paper<br /> | author = [[Christophe De Cannière]], [[Bart Preneel]]<br /> | title = Trivium specifications<br /> | publisher = eSTREAM submitted papers<br /> | date = 2005-04-29<br /> | url = http://www.ecrypt.eu.org/stream/ciphers/trivium/trivium.pdf<br /> | format = [[PDF]]<br /> | accessdate = 2006-10-09<br /> }}&lt;/ref&gt; to the Profile II (hardware) of the [[eSTREAM]] competition by its authors, [[Christophe De Cannière]] and [[Bart Preneel]], and has been selected as Phase 2 Focus Candidate for Profile 2 by the eSTREAM project. It is not patented.<br /> <br /> It generates up to 2&lt;sup&gt;64&lt;/sup&gt; [[bit]]s of output from an 80-bit [[key length|key]] and an 80-bit [[initialization vector|IV]]. It is the simplest eSTREAM entrant, and shows remarkable resistance to cryptanalysis for its simplicity.<br /> <br /> ==Description==<br /> Trivium's 288-bit internal state consists of three [[shift register]]s of different lengths. At each round, a bit is shifted into each of the three shift registers using a non-linear combination of taps from that and one other register; one bit of output is produced. To initialize the cipher, the key and IV are written into two of the shift registers, with the remaining bits starting in a fixed pattern; the cipher state is then updated 4 &amp;times; 288 = 1152 times, so that every bit of the internal state depends on every bit of the key and of the IV in a complex nonlinear way.<br /> <br /> No taps appear on the first 64 bits of each shift register, so each novel state bit is not used until at least 64 rounds after it is generated. 
This is the key to Trivium's software performance and flexibility in hardware.<br /> <br /> ==Specification==<br /> Trivium may be specified very concisely using three recursive equations.&lt;ref&gt;[http://www.ecrypt.eu.org/stream/phorum/read.php?1,448 eSTREAM Phorum, 2006-02-20]&lt;/ref&gt; Each variable is an element of [[finite field|GF]](2); they can be represented as [[bit]]s, with &quot;+&quot; being [[Exclusive or|XOR]] and multiplication being [[Binary and|AND]].<br /> <br /> *''a''&lt;sub&gt;''i''&lt;/sub&gt; = ''c''&lt;sub&gt;''i''-66&lt;/sub&gt; + ''c''&lt;sub&gt;''i''-111&lt;/sub&gt; + ''c''&lt;sub&gt;''i''-110&lt;/sub&gt; ''c''&lt;sub&gt;''i''-109&lt;/sub&gt; + ''a''&lt;sub&gt;''i''-69&lt;/sub&gt;<br /> *''b''&lt;sub&gt;''i''&lt;/sub&gt; = ''a''&lt;sub&gt;''i''-66&lt;/sub&gt; + ''a''&lt;sub&gt;''i''-93&lt;/sub&gt; + ''a''&lt;sub&gt;''i''-92&lt;/sub&gt; ''a''&lt;sub&gt;''i''-91&lt;/sub&gt; + ''b''&lt;sub&gt;''i''-78&lt;/sub&gt;<br /> *''c''&lt;sub&gt;''i''&lt;/sub&gt; = ''b''&lt;sub&gt;''i''-69&lt;/sub&gt; + ''b''&lt;sub&gt;''i''-84&lt;/sub&gt; + ''b''&lt;sub&gt;''i''-83&lt;/sub&gt; ''b''&lt;sub&gt;''i''-82&lt;/sub&gt; + ''c''&lt;sub&gt;''i''-87&lt;/sub&gt;<br /> <br /> The output bits ''r''&lt;sub&gt;0&lt;/sub&gt; ... ''r''&lt;sub&gt;2&lt;sup&gt;64&lt;/sup&gt;-1&lt;/sub&gt; are then generated by<br /> <br /> *''r''&lt;sub&gt;''i''&lt;/sub&gt; = ''c''&lt;sub&gt;''i''-66&lt;/sub&gt; + ''c''&lt;sub&gt;''i''-111&lt;/sub&gt; + ''a''&lt;sub&gt;''i''-66&lt;/sub&gt; + ''a''&lt;sub&gt;''i''-93&lt;/sub&gt; + ''b''&lt;sub&gt;''i''-69&lt;/sub&gt; + ''b''&lt;sub&gt;''i''-84&lt;/sub&gt;<br /> <br /> Given an 80-bit key ''k''&lt;sub&gt;0&lt;/sub&gt; ... ''k''&lt;sub&gt;79&lt;/sub&gt; and an ''l''-bit IV ''v''&lt;sub&gt;0&lt;/sub&gt; ... ''v''&lt;sub&gt;''l''-1&lt;/sub&gt; (where 0 &amp;le; ''l'' &amp;le; 80), Trivium is initialized as follows:<br /> <br /> *(''a''&lt;sub&gt;-1245&lt;/sub&gt; ... ''a''&lt;sub&gt;-1153&lt;/sub&gt;) = (0, 0 ... 
0, ''k''&lt;sub&gt;0&lt;/sub&gt; ... ''k''&lt;sub&gt;79&lt;/sub&gt;)<br /> *(''b''&lt;sub&gt;-1236&lt;/sub&gt; ... ''b''&lt;sub&gt;-1153&lt;/sub&gt;) = (0, 0 ... 0, ''v''&lt;sub&gt;0&lt;/sub&gt; ... ''v''&lt;sub&gt;''l''-1&lt;/sub&gt;)<br /> *(''c''&lt;sub&gt;-1263&lt;/sub&gt; ... ''c''&lt;sub&gt;-1153&lt;/sub&gt;) = (1, 1, 1, 0, 0 ... 0)<br /> <br /> The large negative indices on the initial values reflect the 1152 steps that must take place before output is produced.<br /> <br /> To map a stream of bits ''r'' to a stream of bytes ''R'', we use the little-endian mapping ''R''&lt;sub&gt;''i''&lt;/sub&gt; = Σ&lt;sub&gt;''j''=0 ... 7&lt;/sub&gt; 2&lt;sup&gt;j&lt;/sup&gt; ''r''&lt;sub&gt;8''i''+j&lt;/sub&gt;.<br /> <br /> ==Performance==<br /> A straightforward hardware implementation of Trivium would use 3488 [[logic gate]]s and produce one bit per clock cycle. However, because each novel state bit is not used for at least 64 rounds, 64 state bits can be generated in parallel at a slightly greater hardware cost of 5504 gates. Different tradeoffs between speed and area are also possible.<br /> <br /> The same property allows an efficient bitslice implementation in software; performance testing by [[eSTREAM]] gives bulk encryption speeds of around 4 cycles/byte on some [[x86]] platforms, which compares well to the 19 cycles/byte of the [[Advanced Encryption Standard|AES]] reference implementation on the same platform.<br /> <br /> ==Security==<br /> According to the authors, 'Trivium was designed as an exercise in exploring how far a stream cipher can be simplified without sacrificing its security, speed or flexibility'.<br /> <br /> The Trivium authors claim in the specifications that simple designs like Trivium are more likely to be vulnerable to simple, and possibly devastating, attacks. Such schemes are offered as they 'certainly inspire more confidence than complex schemes, if they survive a long period of public scrutiny despite their simplicity'.
The authors 'strongly discourage the use of Trivium at this stage'.<br /> <br /> As of June [[2007]], no cryptanalytic attacks better than [[brute force attack|brute force]] are known. The best attack in [[2006]], by [[Shahram Khazaei]], requires around 2&lt;sup&gt;135&lt;/sup&gt; operations.&lt;ref&gt;{{cite paper<br /> | author = Shahram Khazaei, Mehdi Hassanzadeh<br /> | title = Linear Sequential Circuit Approximation of the TRIVIUM Stream Cipher<br /> | publisher = eSTREAM submitted papers<br /> | date = 2005-09-27<br /> | url = http://www.ecrypt.eu.org/stream/papersdir/063.pdf<br /> | format = [[PDF]]<br /> | accessdate = 2006-10-09<br /> }}&lt;/ref&gt;&lt;ref&gt;{{cite web<br /> | author = Shahram Khazaei<br /> | title = Re: A reformulation of TRIVIUM<br /> | publisher = eSTREAM discussion forum<br /> | date = 2006-02-21<br /> | url = http://www.ecrypt.eu.org/stream/phorum/read.php?1,448,464<br /> | accessdate = 2007-01-15<br /> }}&lt;/ref&gt; The best attack in [[2007]], by Alexander Maximov and Alex Biryukov, claims that the internal state of the full Trivium can be recovered in time around &lt;math&gt;c\cdot 2^{83.5}&lt;/math&gt;, which is still above the roughly 2&lt;sup&gt;80&lt;/sup&gt; steps of an exhaustive search of the 80-bit key.&lt;ref&gt;{{cite paper<br /> | author = Alexander Maximov, Alex Biryukov<br /> | title = Two Trivial Attacks on Trivium<br /> | publisher = Cryptology ePrint<br /> | date = 2007-01-23<br /> | url = http://mirror.cr.yp.to/eprint.iacr.org/2007/021<br /> | format = [[PDF]]<br /> }}&lt;/ref&gt;<br /> <br /> Reduced variants of Trivium corresponding to the design's basic construction have been broken using an equation-solving technique.&lt;ref&gt;{{cite paper<br /> | author = [[Håvard Raddum]]<br /> | title = Cryptanalytic results on Trivium<br /> | publisher = eSTREAM submitted papers<br /> | date = 2006-03-27<br /> | url = http://www.ecrypt.eu.org/stream/papersdir/2006/039.ps<br /> | format = [[PostScript]]<br /> | accessdate = 2006-10-09}}&lt;/ref&gt; The paper claims that the current implementation of their equation-solving attack cannot
break the full Trivium cipher, because the attack's cost is governed by the 288-bit internal state, which is far larger than the 80-bit key, so exhaustive key search remains cheaper. <br /> <br /> The Trivium specification does not support keys of at least twice the cipher's security rating, which Daniel J. Bernstein recommends in his paper &quot;Understanding Brute Force&quot; as a defence against parallel brute-force attacks.&lt;ref&gt;{{cite paper<br /> | author = [[Daniel J. Bernstein]]<br /> | title = Understanding Brute Force<br /> | publisher = cr.yp.to<br /> | date = 2005-04-25<br /> | url = http://cr.yp.to/snuffle/bruteforce-20050425.pdf<br /> | format = [[PDF]]<br /> | accessdate = 2006-10-09<br /> }}&lt;/ref&gt;<br /> A detailed justification of the design of Trivium is given in the authors' paper on the construction.&lt;ref&gt;{{cite paper<br /> | author = [[Christophe De Cannière]], [[Bart Preneel]]<br /> | title = Trivium - A Stream Cipher Construction Inspired by Block Cipher Design Principles<br /> | publisher = eSTREAM submitted papers<br /> | date = 2006-01-02<br /> | url = http://www.ecrypt.eu.org/stream/papersdir/2006/021.pdf<br /> | format = [[PDF]]<br /> | accessdate = 2006-10-09<br /> }}&lt;/ref&gt;<br /> <br /> ==References==<br /> &lt;references/&gt;<br /> <br /> <br /> ==External links==<br /> * [http://www.ecrypt.eu.org/stream/trivium.html eSTREAM page on Trivium]<br /> <br /> {{Crypto navbox | stream}}<br /> <br /> [[Category:Stream ciphers]]</div> Ciphergoth https://de.wikipedia.org/w/index.php?title=Operation_Mincemeat&diff=45824614 Operation Mincemeat 2007-03-18T12:52:18Z <p>Ciphergoth: /* Impact on Later Operations */ use style guide compliant capitalisation in title</p> <hr /> <div>'''Operation Mincemeat''' was a highly successful British deception plan during [[World War II]] which convinced the German High Command ([[OKW]]) that the Allies would invade the [[Balkans]] and [[Sardinia]] instead of the island of [[Sicily]], the actual objective.
The operation called for making the Germans believe that they had, by accident, intercepted highly classified documents detailing future Allied war plans, and part of Mincemeat's success lay in the unusual nature of the operation: the plans were attached to a corpse deliberately left to wash up on a Spanish beach. The story was subsequently told in a book and later film as ''[[The Man Who Never Was]]''.<br /> <br /> ==Planning for the deception==<br /> As the [[North African Campaign]] was winding down, Allied planners turned their attention to mainland [[Europe]]. Sicily's location made it a strategic first objective. As well as providing a springboard for the invasion of the continent, control of the island would help safeguard Allied shipping in the [[Mediterranean]]. However, the strategic importance of the island was not lost on the Germans. It was the base of [[Luftwaffe]] air attacks against the British stronghold of [[Malta]]. Furthermore, as the massive Allied buildup for the invasion (code-named [[Operation Husky]]) would surely be detected as a sign of an impending operation, the Allies had to deceive the Germans, so that they would not concentrate their forces and repulse the allied invasion.<br /> <br /> A few months before, [[Flight Lieutenant|Flight Lt.]] Charles Cholmondeley of Section B1(a) of [[MI5]]&lt;ref&gt;Not Sir Archibald Cholmondeley as in [http://militaryhistory.about.com/od/navalwarfare/a/mincemeat.htm The About.com account of Operation Mincemeat] by Robert W. Martin.&lt;/ref&gt;, came up with an idea of having a wireless radio dropped in [[France]] by means of a dead man attached to a badly-opened parachute, thereby giving the Allies the opportunity to feed misinformation to the Germans. This was dismissed as impractical and unworkable; however the idea was taken up a few months later by a small inter-service, interdepartmental intelligence team called the [[Twenty Committee]]. 
<br /> <br /> As described in his published account, author and team member [[Lieutenant Commander|Lt. Cmdr.]] [[Ewen Montagu]], a naval intelligence officer, relates how Cholmondeley's deception idea evolved into a more workable plan. Together they quickly devised the details of the ruse. The deception team first thought that the documents would have to be recovered from a man who had died due to an unopened [[parachute]], as Cholmondeley had proposed. However, since the Germans knew that it was Allied policy never to send sensitive documents over enemy territory, they decided to make the man a victim of a plane crash at sea. That would explain why the man had been dead for several days when found floating in the sea, and would account for the presence of the documents. Now that they had a plan, the operation needed a code name. Montagu, with his characteristic macabre sense of humour, gave the operation the code name Mincemeat, just restored to the list of available names after its employment in a previously successful mission.&lt;ref&gt;[http://www.bbc.co.uk/dna/h2g2/A3031949 Operation Mincemeat - The Man Who Never Was in BBC's h2g2], retrieved [[December 1]], [[2006]].&lt;/ref&gt; <br /> <br /> ===Precedents===<br /> The idea of using a corpse with documents was nothing new. Two incidents that Montagu would have been aware of illustrated this. The first incident happened in August 1942, when a deception plan was executed before the [[Battle of Alam Halfa]] using a corpse with a planted map. The body was placed in a blown-up scout car for the Germans to find, in a minefield facing the 90th Light Division just south of [[Quaret el Abd]]. The map included the locations of non-existent Allied minefields. The Germans fell for the ruse, and [[Erwin Rommel|Rommel's]] panzers were routed to areas of soft sand where they bogged down.&lt;ref&gt;[http://usacac.army.mil/CAC/milreview/English/JulAug02/JulAug02/bob.pdf Capt. Kevin D.
Smith, USAF, &quot;Coming Into its Own: The Contribution of Intelligence at the Battle of Alam Halfa,&quot; ''Military Review'', Jul-Aug 2002, pp. 74-77.] Although the use of the corpse was disputed in some accounts, Smith gives a more detailed account of how [[Freddie de Guingand|Brigadier Francis de Guingand]] concocted the whole deception. However, it is still debated whether the map actually affected Rommel's decisions. See also Roger Morgan, &quot;Operation 'MINCEMEAT'&quot;, ''After the Battle'' (54), May 1988, p. 4.&lt;/ref&gt;<br /> <br /> The second incident was not a deception at all, but rather a close call. In September that same year a [[PBY Catalina]] crashed off [[Cadiz]] carrying a courier named Paymaster-Lt. James Hadden Turner of the [[Royal Navy]]. When his body was washed up on the beach near [[Tarifa]] and recovered by the Spanish authorities, he was carrying a letter from [[Mark W. Clark|General Mark Clark]] to the Governor of [[Gibraltar]], which named French agents in North Africa and gave the date of the Torch landings as [[November 4]] (although the actual landings happened on [[November 8]]). When the body was returned the letter was still with it, and examination by technicians determined that it had never been opened. The Germans certainly had the means to read the letter without opening the envelope; if they did, they apparently dismissed the information as a plant and did not act on it until it was too late.&lt;ref&gt;Morgan, ibid.&lt;/ref&gt;<br /> <br /> ===Major William Martin, Royal Marines===<br /> With the help of the renowned [[pathologist]] [[Bernard Spilsbury|Sir Bernard Spilsbury]], Montagu and his team were able to determine what kind of body they needed for this purpose: one that appeared to have died by drowning.
Through the most discreet inquiries they were able to secure the body of a 34-year-old man who had recently died of chemically induced [[pneumonia]] as the result of ingesting rat poison. They briefed the man's next of kin on the operation and swore them to secrecy. The man's family agreed, on the condition that his real identity would never be revealed. Since the man had died of pneumonia, the fluid in his lungs would be consistent with that of a man who had been at sea for an extended period.<br /> <br /> The next step was creating a &quot;legend&quot;, or false identity, for the man -- Major Martin of the Royal Marines: [[William Martin]], a captain and acting major, born in [[Cardiff]], [[Wales]], in 1907, and assigned to Headquarters, [[Combined Operations]]. This rank was chosen because an officer with too junior a rank would not have been entrusted with sensitive documents, while his age would have been a problem for a more senior one; making Martin an acting major solved both problems and gave the impression of a very responsible officer who had been trusted accordingly.<br /> <br /> To give credence to this cover identity they supplied him with a fiancée named Pam (actually a woman clerk from MI5), complete with photograph and love letters (plus a letter from his father expressing his dissatisfaction with his son's choice of bride). They also provided a set of keys, theatre stubs for a recent performance, a statement from his club for lodging in London, and so forth. To make him even more believable, Montagu and his team decided to hint at a careless nature with overdue bills, a replacement identity card for one he had lost, an expired pass to Combined Operations HQ that he had forgotten to renew, and an irate missive from a bank manager at [[Lloyds Bank]] about an overdraft of £17 19s 11d.
This last touch, although ingenious, carried an element of risk, as the possibility existed that the [[Abwehr]] would be suspicious of a careless man having been entrusted with sensitive documents. However, if Montagu was aware of the Catalina incident, he was also counting on the Germans' frustration at what could have been an intelligence coup to make them take the documents seriously.<br /> <br /> But it was also necessary to imply carelessness because they had to find a way to ensure that both the body and the briefcase with the documents would be recovered together. The solution they hit upon was that Martin would be wearing a chain looped around his trench coat, to give the impression of a man who wanted to be comfortable during a long flight but wanted to have the case with him at all times, indicating a highly responsible, if somewhat careless, officer.<br /> <br /> While the cover identity was being created by Montagu and his team, the documents needed to make the ruse work were being drafted; they had to convince the Germans that the invasion would take place somewhere other than Sicily. The scenario chosen was an attack on Sardinia first, as a staging area for an invasion of the south of France, to be followed by a second major thrust against Greece through the Balkans. Rather than state the obvious through official documents, the war plans would be suggested through a personal letter from [[Archibald Nye|Lt. Gen. Sir Archibald Nye]], vice chief of the Imperial General Staff, to [[Harold Alexander|General Sir Harold Alexander]], the British commander in North Africa. It would be revealed in an &quot;off-the-record&quot; manner that there would be two operations: Alexander would attack Sardinia and [[Corsica]], while [[Henry Maitland Wilson|General Sir Henry Wilson]] would take on Greece (which was given the name &quot;Operation Husky&quot;, the real name of the Sicily invasion).
Furthermore, in a master stroke of reverse psychology, the letter disclosed that deception plans were being drawn up to convince the Germans that the Allies were going to invade Sicily. This would give the impression that the Germans were dealing with a force strong enough for two ''separate'' operations that would take place far from the intended target, causing them to disperse their forces to meet the threat.<br /> <br /> To emphasize the letter's sensitive nature as well as to establish Major Martin's qualifications for travel to North Africa, Montagu also included another letter from [[Lord Louis Mountbatten]], the Chief of Combined Operations, to [[Andrew Cunningham, 1st Viscount Cunningham of Hyndhope|Admiral Sir Andrew Cunningham]], Commander-in-Chief in the Mediterranean. In the letter, Mountbatten extolled Major Martin's expertise in amphibious operations; more importantly, Mountbatten also told Cunningham that Martin was carrying a letter too important to be sent through normal channels, hence the need for Major Martin to fly. The letter intimated that Sardinia was to be an invasion target.<br /> <br /> ==Execution==<br /> Major Martin, preserved in dry ice and dressed in his Royal Marines uniform, was placed in a sealed steel canister, and Cholmondeley and Montagu hired a car to deliver it to [[Holy Loch]], [[Scotland]], where it was placed on board the British [[submarine]] [[HMS Seraph (P219)|HMS ''Seraph'']]. Montagu had made the arrangement through Admiral Barry, the flag officer in charge of submarines. Barry suggested the ''Seraph'', which was available. This was fortunate, for its commanding officer, [[Norman Jewell|Lt. Norman L.A. (Bill) Jewell]], and his crew had previous special operations experience. <br /> <br /> On [[April 19]], [[1943]] the ''Seraph'' set sail for a point about a mile off [[Huelva]] on the coast of [[Spain]].
This location was chosen because they knew that Spain, despite being neutral, was sympathetic to the [[Axis Powers|Axis]] and was crawling with Abwehr agents, allowing for easy discovery. It was known that there was a German agent stationed in Huelva with excellent contacts among Spanish officials.<br /> <br /> At 0430 hrs. on [[April 30]], Lt. Jewell ordered the crew to bring the canister up on deck of the surfaced submarine. He had previously told the crew that a top secret [[meteorological]] device was being deployed, and ordered everyone below deck. He gathered his officers, briefed them on the details of the operation and swore them to secrecy. They then opened the canister, fitted Major Martin with a [[life jacket]], and secured his briefcase with the papers. The [http://en.wikisource.org/wiki/Bible%2C_King_James%2C_Psalms#Chapter_39 39th Psalm] was read and the body was gently pushed into the sea, where the tide would bring it ashore. Jewell afterwards sent a message to the Committee: &quot;MINCEMEAT completed&quot;.<br /> <br /> The body was discovered at around 9:30 in the morning by a local fisherman, Jose Antonio Rey Maria, who brought it to port; the discovery was reported to the local Abwehr, whose chief was a man named Adolf Clauss, the son of the German consul, who operated under the cover of an agricultural technician.&lt;ref&gt;[http://ahoy.tk-jk.net/macslog/ArcherClassAuxiliaryCarie.html Archer Class Auxiliary Carrier, HMS Dasher Destroyed by Explosion on the 27nd. of March 1943. 379 Dead], an account of the HMS ''Dasher'' disaster. Retrieved [[December 1]], [[2006]]&lt;/ref&gt;<br /> <br /> ==&quot;Mincemeat swallowed whole&quot;==<br /> Three days later, the Committee received a cable from the [[Naval Attaché]] with the news of the body's discovery. After the body was handed over to the British Vice-Consul F.K. Hazeldene, Major Martin was buried with full military honours on [[May 4]] in Huelva.
<br /> <br /> The Vice Consul arranged for a pathologist, Eduardo Del Torno, to carry out a post-mortem. He reported that the man had fallen into the sea while still alive, had no bruises, that death was due to drowning, and that the body had been in the sea between three and five days.&lt;ref&gt;Ibid.&lt;/ref&gt; A more comprehensive examination was not made because the pathologist took him for a [[Roman Catholic]], owing to a silver [[crucifix]] that hung from his neck as well as a [[St. Christopher]] plaque in his wallet.<br /> <br /> Meanwhile, Montagu decided to include Major Martin's name in the next British casualty list, which was published in ''[[The Times]]'' a month later, knowing that the Germans would be bound to read it to confirm Martin's bona fides. (By coincidence, the names of two other officers who actually died when their plane was lost at sea en route to Gibraltar were also published that day, giving credence to Major Martin's &quot;story&quot;.) To further the ruse, a series of urgent messages were sent by the [[Admiralty]] to the Naval Attaché demanding that the documents found with the body be recovered at all costs, owing to their sensitive nature, while keeping the inquiries discreet so as not to alert the Spanish authorities to their importance. The papers were returned on [[May 13]], with the assurance that &quot;everything was there&quot;.<br /> <br /> The Germans got wind of the discovery, and the local Abwehr agent was, with some difficulty, able to obtain the documents. The Germans carefully opened the envelopes and photographed the letters, which were then given back to the British by Spanish officials. The photographs were rushed to [[Berlin]], where they were evaluated by German intelligence.<br /> <br /> When Major Martin's body was returned and the papers examined, the British were able to determine that the papers had been read, carefully refolded and resealed.
Further confirmation from [[ULTRA]] prompted a cable to be sent to [[Winston Churchill]], then in the [[United States]]: &quot;Mincemeat Swallowed Whole&quot;.<br /> <br /> The documents were indeed swallowed whole. The care which Montagu and his team had lavished on establishing Martin's identity paid off, for they were to learn much later that the Germans noted the date on the theatre stubs ([[April 22]], [[1943]]) and confirmed their genuineness. As a result [[Adolf Hitler|Hitler]] was so convinced of the veracity of the bogus documents that he rejected Mussolini's view that Sicily was the most likely invasion point, insisting that any incursion against the island should be regarded as a feint. Hitler ordered the reinforcement of Sardinia and [[Corsica]] and sent [[Field Marshal]] [[Erwin Rommel]] to [[Athens]] to form an [[Army Group]]. Even patrol boats as well as [[Minesweeper (ship)|minesweepers]] and [[minelayers]] marked for the defence of Sicily were diverted. Perhaps the most critical move of all was diverting two panzer divisions to Greece from the [[Eastern Front (World War II)|Eastern Front]], where they were most needed, especially as the Germans were preparing to engage the [[Russians]] in the [[Battle of Kursk|Kursk salient]].<br /> <br /> Operation Husky began on [[July 9]], with the Allies attacking Sicily. The Germans remained convinced for two more weeks that the main attack would be in Sardinia and Greece. As a result, the Allies met relatively little resistance and the conquest of Sicily was complete by [[August 9]].
Moreover, the fall of [[Palermo]] in the middle of July inspired the [[coup]] against [[Benito Mussolini|Mussolini]], and he fell from power on [[July 27]].<br /> <br /> ==Impact on later operations==<br /> <br /> During [[Operation Market-Garden]], the invasion of Holland in September 1944, a British staff officer had inadvertently left behind on a transport glider a complete operations order with maps and graphics for the airborne phase of the invasion, which was not even supposed to be brought on a glider or elsewhere with the invading troops. The operations order fell into German hands, but the Germans, convinced that this was another attempt at an Operation Mincemeat-style deception, actually deployed their forces contrary to the information before them. This was referenced in both [[Cornelius Ryan]]'s book [[A Bridge Too Far]] and the 1977 film based on it.<br /> <br /> ==Who was Major Martin?==<br /> [[Image:Major Martin Grave Composite - Huelva.jpg|thumb|right|The grave of ''Major Martin'' at [[Huelva]], [[Spain]]]]<br /> <br /> The man known as Major Martin lies in the Cemetery of Solitude in Huelva. As Mincemeat became legend the question persisted: what was the identity of the man known as Major William Martin?<br /> <br /> It was only in 1996 that an amateur historian by the name of Roger Morgan was able to uncover evidence that &quot;Martin&quot; was a vagrant [[Wales|Welsh]] [[alcoholic]] named Glyndwr Michael who died of ingesting rat poison, although how this happened is unknown.&lt;ref&gt;[http://www.bbc.co.uk/dna/h2g2/A3031949 h2g2 account of Mincemeat], retrieved [[December 1]], [[2006]]. 
It was also noted that Morgan found his name in the [[Public Record Office]] in [[Kew]], [[West London]].&lt;/ref&gt; While it will never be completely certain, this is the most likely candidate for the identity of &quot;Martin&quot;.<br /> <br /> <br /> As for Ewen Montagu, he was awarded the [[Order of the British Empire|Military Order of the British Empire]] for his part in Operation Mincemeat. He later became [[Judge Advocate of the Fleet]]. Montagu later wrote a book about the operation, ''[[The Man Who Never Was]]'' (1953), which was made into a film of the same name (1955). The submarine used in the film wore pennant number P219, that of HMS ''Seraph'', and she was indeed still in commission in 1954/55.<br /> <br /> ===HMS ''Dasher'' connection===<br /> Authors John and Noreen Steele, in their book ''The Secrets of HMS Dasher'', claim that the body was not that of Glyndwr Michael but that of one of the victims of the [[aircraft carrier]] [[HMS Dasher (D37)|HMS ''Dasher'']] accident. In support they present evidence that the body of the vagrant was &quot;acquired&quot; in January 1943 and would have suffered decomposition even on ice. They ask why else the submarine HMS ''Seraph'' would have been ordered up the east coast of Scotland, around the north, and then south to the [[Firth of Clyde]], when it would have made more sense for Montagu to drive straight to [[Blyth, Northumberland|Blyth]], where the ''Seraph'' was berthed. The authors think that a new body was needed for the operation because the original body had decomposed to the point of being unusable, and that the container Montagu took to Holy Loch was empty.<br /> <br /> ==Influences==<br /> Operation Mincemeat inspired a similar plan in ''[[Cryptonomicon]]'' by [[Neal Stephenson]], and in ''[[Red Rabbit]]'' by [[Tom Clancy]].<br /> <br /> ==Notes==<br /> {{reflist|2}}<br /> <br /> ==Additional reading==<br /> * Steele, John and Noreen.
''The Secrets of HMS Dasher'', Scotland: Argyll Publishers, 2002 3rd Ed., ISBN 1-902831-51-9<br /> * Montagu, Ewen. ''[[The Man Who Never Was]]: World War II's Boldest Counter-Intelligence Operation''. Paperback. Bluejacket Books, March 2001. ISBN 1-55750-448-2<br /> * [[Jon Latimer]], ''Deception in War'', London: John Murray, 2001. ISBN 978-0719556050<br /> <br /> == See also ==<br /> *[[Operation Barclay|Barclay]]<br /> *[[Trojan Horse]]<br /> *[[Operation Warehouse|Warehouse]]<br /> *[[Operation Waterfall|Waterfall]]<br /> *[[Operation Withstand|Withstand]]<br /> <br /> == External links ==<br /> * http://militaryhistory.about.com/od/navalwarfare/a/mincemeat.htm<br /> * http://web.ukonline.co.uk/chalcraft/sm/seraph.html<br /> * http://www.theage.com.au/articles/2003/01/27/1043534001763.html<br /> * http://www.telegraph.co.uk/news/main.jhtml?xml=/news/2004/08/24/db2401.xml&amp;sSheet=/portal/2004/08/24/ixportal.html<br /> * http://us.geocities.com/manwhoneverwas/hom090.html<br /> <br /> [[Category:Allied invasion of Sicily]]<br /> [[Category:World War II deception operations|Mincemeat]]<br /> [[Category:World War II Mediterranean Theatre|Mincemeat]]<br /> [[Category:Classified documents|Mincemeat]]<br /> [[Category:Nonexistent people|Martin, William]]<br /> <br /> [[es:Operación Mincemeat]]<br /> [[fr:Opération Mincemeat]]<br /> [[sv:Operation Mincemeat]]</div> Ciphergoth https://de.wikipedia.org/w/index.php?title=Pr%C3%A4sidentschaftsvorwahl_in_den_Vereinigten_Staaten&diff=151105309 Präsidentschaftsvorwahl in den Vereinigten Staaten 2006-12-04T07:02:26Z <p>Ciphergoth: /* Pop culture trivia */ better section title</p> <hr /> <div>The series of '''presidential primary elections''' is one of the first steps in the process of electing a [[President of the United States|President of the United States of America]]. The [[primary election]]s provide a method for [[list of political parties in the United States|U.S. 
political parties]] to nominate and unite behind one popularly chosen candidate for the Presidency.<br /> <br /> ==Process==<br /> The [[Democratic Party (United States)|Democratic]] and [[Republican Party (United States)|Republican]] parties each officially nominate their candidate for President at their [[United States presidential nominating convention|national convention]] the summer before the election. When voters cast ballots for a candidate in a presidential caucus or primary, they are actually voting to award delegates &quot;bound&quot; to that candidate in the national convention.{{fact}}<br /> The rules for the awarding of delegates vary from party to party, state to state, and election to election. Not all delegates are selected by primaries and caucuses—both major parties have provisions for &quot;[[superdelegate]]s&quot; chosen outside the primary system.<br /> <br /> If no candidate wins a majority of delegates during the primary season, the nominee is chosen by the convention. This method of nominee selection has not occurred since [[United States presidential election, 1976|1976]], when incumbent president [[Gerald Ford]] narrowly defeated [[Ronald Reagan]].<br /> <br /> ===Calendar===<br /> Campaigning for president often begins a year or more before the New Hampshire primary, almost two years before the [[general election]].<br /> <br /> The first binding event, that is, in which a candidate can secure convention delegates, is traditionally the [[Iowa caucus]], held in January of the presidential election year. It is followed by the [[New Hampshire primary]] two weeks later, by tradition and state law always the first primary. On [[July 22]], [[2006]], the DNC Rules Committee recommended a change in the primary calendar for the 2008 Presidential election. 
Approved on [[August 19]], [[2006]], the DNC set the primary schedule as follows: [[January 14]]—[[Iowa caucus|Iowa Caucus]]; [[January 19]]—Nevada Caucus; [[January 22]]—[[New Hampshire Primary]]; [[January 29]]—South Carolina Primary.{{fact}} The DNC also provided that delegates from any state that violated this calendar would not be seated at the national convention and so would not count toward the presidential nomination.{{fact}}<br /> <br /> Because these states are small, campaigning takes place on a much more personal scale. As a result, even a little-known, underfunded candidate can use &quot;retail politics&quot; to meet interested voters face to face and perform better than expected. The Iowa caucuses and New Hampshire primary have produced a number of headline-making upsets{{fact}}:<br /> <br /> * [[Harry S. Truman]] ended his re-election bid in 1952 after losing the New Hampshire primary.<br /> * [[Lyndon Baines Johnson]] dropped his 1968 re-election bid after performing far below expectations in the New Hampshire primary.<br /> * [[Jimmy Carter]], the little-known former governor of [[Georgia (U.S. state)|Georgia]], took a surprise win in 1976 and rode it to the presidency.<br /> * Television commentator [[Pat Buchanan]]'s strong showing in the 1992 and 1996 New Hampshire primaries highlighted the weakness of the eventual nominees, incumbent [[George H. W. Bush]] and Senator [[Bob Dole]] respectively, both of whom went on to lose the general election.<br /> * [[John McCain]], a lesser-known senator from [[Arizona]], defeated party favorite [[George W. Bush]] in the New Hampshire primary in [[United States presidential election, 2000|2000]], making it a close contest. (McCain lost the subsequent primaries.)<br /> <br /> Iowa and New Hampshire set the tone for the campaign—and allow an outsider to topple the favorite.
In recent elections, the Iowa caucuses and New Hampshire primary have garnered over half the national and international media attention paid to the entire selection process. New Hampshire jealously guards its first-in-the-nation status (although it is being [[United States presidential primary#Representativeness|challenged in 2008]]).<br /> <br /> After Iowa and New Hampshire, primaries and caucuses are held in the other states, [[Puerto Rico]], insular areas, and the [[District of Columbia]]; the front runners attempt to solidify their status, while the others fight to become the leading alternative.{{fact}} Each party sets its own calendar and rules and in some cases actually administers the election; however, in order to reduce expenses and encourage turnout, the major parties' primaries are held the same day and may be consolidated with other state elections. The primary election itself is administered by local governments according to state law. In some cases, state law determines how delegates will be awarded and who may participate in the primary; where it does not, party rules prevail.{{fact}}<br /> <br /> In recent years states have been holding early primaries to maximize their leverage (see [[United States presidential primary#Front-loading and compression|below]]). [[California]] moved its primary back to June in [[2004]], having moved it to March in 1996.<br /> <br /> ==Types of primary==<br /> Franchise in a primary is governed by rules established by the state party, although the states may impose other regulations.<br /> <br /> Nearly all states have a ''binding'' primary, in which the results of the election legally ''bind'' some or all of the delegates to vote for a particular candidate at the national convention.
A handful of states practice a ''non-binding'' primary, which may select candidates to a state convention which then selects delegates, or which is a &quot;beauty contest&quot; to gauge voter sentiment unrelated to the selection of delegates by caucus or convention. Both parties also have rules designating [[superdelegate]]s who are not chosen through primaries.<br /> <br /> In most states, only voters registered with a party may vote in that party's primary, known as a [[closed primary]]. In some states, a [[semi-closed primary]] is practiced, in which voters unaffiliated with a party (independents) may choose a party primary in which to vote. In an [[open primary]], any voter may vote in any party's primary. In all of these systems, a voter may participate in only one primary; that is, a voter who casts a vote for a candidate standing for the Republican nomination for president cannot cast a vote for a candidate standing for the Democratic nomination, or vice versa. A few states once staged a [[blanket primary]], in which voters could vote for one candidate in multiple primaries, but the practice was struck down by the [[Supreme Court of the United States|U.S. Supreme Court]] in the 2000 case of ''[[California Democratic Party v. Jones]]'' as violating the [[freedom of association]] guaranteed by the [[First Amendment to the United States Constitution|First Amendment]].{{fact}}<br /> <br /> Most state parties observe a &quot;winner-take-all&quot; system in which the winner of the primary receives all of the state's delegates. This system is not without its critics, however, as the winner may have prevailed by only a slim margin.
Since most states follow [[plurality voting system|plurality voting]], a candidate could receive a distinct minority of the vote, yet win a very large bloc of delegates in large states such as California.{{fact}} Some states, notably New Hampshire, now require delegates to be awarded proportionally.{{fact}}<br /> <br /> ==History==<br /> There is no provision for the role of political parties in the [[United States Constitution]], but parties had developed by the early [[19th century]]. At first, members of [[United States Congress|Congress]] would nominate a single candidate from their party to put before the [[United States Electoral College|Electoral College]], but by [[1830]] the preferred mechanism for nomination was a [[United States presidential nominating convention|national convention]].<br /> <br /> Delegates to the national convention were usually selected at state conventions whose own delegates were chosen by caucus. Conventions thus soon became dominated by intrigue between [[political boss]]es who controlled delegates; the national convention was far from democratic or [[transparency (humanities)|transparent]]. [[Progressive Era]] reformers looked to the [[primary election]] as a way to measure popular opinion of candidates, as opposed to the opinion of the bosses. In 1910, Oregon became the first state to establish a presidential preference primary in which the delegates to the national convention were required to support the winner of the primary at the convention. By 1912, twelve states either selected delegates in primaries, used a preferential primary, or both. By 1920 there were 20 states with primaries, but some later abandoned them, and from 1936 to 1968 only 13 or 14 states used them (Ware, p. 248).<br /> <br /> The primary received its first major test in the [[United States presidential election, 1912|1912 election]] pitting incumbent President [[William Howard Taft]] against challengers [[Theodore Roosevelt]] and [[Robert M. La Follette, Sr.|Robert La Follette]].
Roosevelt proved the most popular candidate, but as most primaries were non-binding &quot;preference&quot; contests, the Republican nomination went to Taft, who controlled the convention.<br /> <br /> Seeking to boost [[voter turnout]], [[New Hampshire]] simplified its [[ballot access]] laws in [[1949]]. In the ensuing &quot;beauty contest&quot; of [[1952]], [[Dwight Eisenhower]] demonstrated his broad voter appeal by outpolling the favored [[Robert A. Taft]], &quot;Mr. Republican,&quot; and [[Estes Kefauver]] defeated incumbent President [[Harry S. Truman]], leading him to abandon his campaign for a second full term.{{fact}} The first-in-the-nation [[New Hampshire primary]] has since become a widely observed test of candidates' viability.<br /> <br /> The impetus for national adoption of the binding primary election was the chaotic [[1968 Democratic National Convention]]. Vice President [[Hubert Humphrey]] secured the nomination despite primary victories and other shows of support for Senator [[Eugene McCarthy]], who ran against Humphrey on a strong anti-[[Vietnam War]] platform. After this, a [[Democratic National Committee]]-commissioned panel led by Senator [[George McGovern]] recommended that all future delegates be selected by primary. The Republicans also adopted the primary nationally, in 1972.<br /> <br /> Since nationalization of the primary system, states have tried to increase their influence in the nomination process. One tactic has been to create geographic blocs to encourage candidates to spend time in a region. [[Vermont]] and [[Massachusetts]] attempted to stage a joint [[New England]] primary on the first Tuesday of March, but New Hampshire refused to participate so it could retain its traditional place as the first primary.
The first successful regional primary was [[Super Tuesday]] of [[March 8]], [[1988]], in which nine [[Southern United States|Southern]] states united in the hope that the Democrats would select a moderate candidate in line with Southern interests.{{fact}}<br /> <br /> Another trend is to stage earlier and earlier primaries, given impetus by Super Tuesday and the mid-1990s move (since repealed) of the [[California]] primary and its bloc of votes—the largest—from June to March. In order to retain its tradition as the first primary in the country (and adhere to a state law which requires it to be), New Hampshire's primary has moved steadily earlier, from early March to mid-January.<br /> <br /> ==Criticisms==<br /> ===Representativeness===<br /> Great attention is paid to the results of the Iowa caucuses and the New Hampshire primary; however, critics such as Mississippi secretary of state Eric Clark (see quote below) and Tennessee Senator William Brock point out that these states are not representative of the United States as a whole: they are overwhelmingly [[white (people)|white]], more rural, and wealthier than the national average, and neither is located in the fast-growing [[Western United States|West]] or [[Southern United States|South]]. For example, [[New Jersey]] and [[Montana]], which are the last states to hold their primaries, end up having no say in who the presidential candidate will be; in 2004, they held their primaries in June, 13 weeks after Senator [[John Kerry]] became unopposed.&lt;ref name=&quot;WNJandMTLast&quot;&gt;{{cite news | url = http://www.nytimes.com/2005/06/24/nyregion/24vote.html?ex=1277265600&amp;en=306c89c8091cff64&amp;ei=5090&amp;partner=rssuserland&amp;emc=rss | work = The New York Times | date = June 24, 2005}}&lt;/ref&gt;
Although [[Nevada]] was added to the early calendar for [[2008]] in order to improve the representativeness of the early states, critics argue that the change still leaves most of the country without an early voice.<br /> <br /> In 2005, the primary commission of the Democratic National Committee began considering removing New Hampshire and Iowa from the top of the calendar. A revised system may take effect beginning in 2008; as of 2006, however, it has not received final approval. New Hampshire is fighting back by obliging candidates who want to campaign in the state to pledge to uphold that primary as the first one.<br /> <br /> In [[Mississippi]], secretary of state Eric Clark said the following&lt;ref name=&quot;EricClark&quot;&gt;{{cite web | url = http://www.sos.state.ms.us/pubs/PressReleases/Articles/ClarkPushesPresidentialPrimaryReform.asp | publisher = Mississippi Secretary of State}}&lt;/ref&gt;:<br /> &lt;blockquote&gt;<br /> {{cquote|It's obvious to me that too many Americans, including Mississippians, are effectively left out of the process. The problem now is that too many states are having their primary elections very early in the year, and the nomination is locked up in a matter of weeks. The nominees had effectively been decided by March 7 [2000]. Mississippians had no meaningful voice in the process. In fact, Americans in 33 states had no meaningful voice in the process. Instead of getting people involved, today's primary system rewards big money and mass media campaigns. Every candidate should have a fair chance to be heard, regardless of how much money he or she has.}}<br /> &lt;/blockquote&gt;<br /> <br /> ===Front-loading and compression===<br /> States vie for earlier primaries in order to claim greater influence in the nomination process, as the early primaries can act as a signal to the nation, showing which candidates are popular and giving those who perform well early on the advantage of the [[bandwagon effect]].
Also, candidates can ignore primaries which fall after the nomination has already been secured, and would owe less to those states politically. As a result, rather than stretching from March to July, most primaries take place in a compressed time frame in February and March. National party leaders also have an interest in compressing the primary calendar, as it enables the party to reduce the chance of a bruising internecine battle and to preserve resources for the general campaign.<br /> <br /> In such a primary season, however, many primaries will fall on the same day, forcing candidates to choose where to spend their time and resources. Indeed, [[Super Tuesday]] was created deliberately to increase the influence of the South. When states cannot agree to coordinate primaries, however, attention flows to larger states with large numbers of delegates at the expense of smaller ones. Because the candidate's time is limited, paid advertising may play a greater role. Moreover, a compressed calendar limits the ability of lesser-known candidates to corral resources and raise their visibility among voters, especially when a better-known candidate enjoys the financial and institutional backing of the party establishment.&lt;ref name=&quot;WilliamBock&quot;&gt;{{cite web | url = http://www.centerforpolitics.org/reform/report_nominating.htm | publisher = University of Virginia Center for Politics}}&lt;/ref&gt; Ironically, then, the party establishments' influence over the nomination, which primaries were intended to limit, has grown again.<br /> <br /> In an article in the ''Detroit News'', Tennessee Senator [[Bill Brock|William (Bill) Brock]] said the following about front-loading&lt;ref name=&quot;WilliamBock&quot; /&gt;:<br /> &lt;blockquote&gt;<br /> {{cquote|Today, too many people in too many states have no voice in the election of our major party nominees.
For them, the nominations are over before they have begun.}}<br /> &lt;/blockquote&gt;<br /> <br /> ==Reform proposals==<br /> There are several proposals for reforming the primary system. Some have called for a single nationwide primary to be held on one day. Others point out that requiring candidates to campaign in every state simultaneously would exacerbate the purported problem of campaigns being dominated by the candidates who raise the most money.<br /> <br /> Alternative reform concepts such as the [[Graduated Random Presidential Primary System|American Plan]] would return the presidential primary season to a more relaxed schedule. Opening the season with a few contests in small states would allow grassroots campaigns to score early successes and pick up steam. With this idea in mind, a commission empaneled by the Republican National Committee recommended the Delaware Plan in 2000; however, populous states objected to the plan because it would always have scheduled their primaries at the end of the season.
The Delaware Plan was put to a vote at the 2000 [[Republican National Convention]] and rejected.<br /> <br /> ==Lists of primaries==<br /> * [[1992 Democratic presidential primary]]<br /> * [[United States presidential primaries, 2000]]<br /> * [[Democratic Party (United States) presidential primaries, 2004|Democratic Party presidential primaries, 2004]]<br /> * [[United States Republican Party presidential nomination, 2004|Republican Party presidential primaries, 2004]]<br /> * [[Democratic Party (United States) presidential primaries, 2008|Democratic Party presidential primaries, 2008]]<br /> * [[Republican Party (United States) presidential primaries, 2008|Republican Party presidential primaries, 2008]]<br /> <br /> ==In fiction==<br /> *A contested convention occurs in the [[The West Wing presidential election, 2006|2006 Democratic race]] on the television series ''[[The West Wing (TV series)|The West Wing]]''.<br /> <br /> *The first season of the popular [[24 (TV series)|television series ''24'']] takes place &quot;on the day of the California Presidential Primary.&quot;<br /> <br /> ==See also==<br /> * [[Iowa caucus]]<br /> * [[New Hampshire primary]]<br /> * [[United States presidential election]]<br /> * [[United States presidential election debates]]<br /> * [[United States presidential nominating convention]]<br /> <br /> ==References==<br /> &lt;references/&gt;<br /> * Brereton, Charles. ''First in the Nation: New Hampshire and the Premier Presidential Primary''. Portsmouth, NH: Peter E. Randall Publishers, 1987.<br /> * Kendall, Kathleen E. ''Communication in the Presidential Primaries: Candidates and the Media, 1912-2000'' (2000)<br /> * Gregg, Hugh. [http://www.state.nh.us/nhinfo/genesis.html &quot;First-In-The-Nation Presidential Primary&quot;], ''State of New Hampshire Manual for the General Court'', (Department of State) No. 55, 1997.<br /> * McGaughey, Bill. &quot;On the Ballot in Louisiana&quot;. Minneapolis: Thistlerose Publications.
ISBN 0-9605630-6-7. A minor candidate's experiences campaigning in Louisiana's 2004 Democratic presidential primary.<br /> * Palmer, Niall A. ''The New Hampshire Primary and the American Electoral Process'' (1997)<br /> * [http://www.azstarnet.com/allheadlines/139096 &quot;Reid, labor aided Nevada with Demos&quot;], ''Arizona Daily Star'', July 24, 2006.<br /> * Sabato, Larry, [http://www.vqronline.org/articles/2006/summer/sabato-politics-americas/ Politics: America's Missing Constitutional Link], ''Virginia Quarterly Review'', Summer 2006, 149-61.<br /> * Scala, Dante J. ''Stormy Weather: The New Hampshire Primary and Presidential Politics'' (2003)<br /> * Ware, Alan. ''The American Direct Primary: Party Institutionalization and Transformation in the North'' (2002), a British perspective<br /> <br /> [[Category:United States presidential primaries| ]]<br /> <br /> [[ja:アメリカ合衆国大統領予備選挙]]</div> Ciphergoth https://de.wikipedia.org/w/index.php?title=Turinggrad&diff=100014722 Turinggrad 2006-11-11T15:02:06Z <p>Ciphergoth: /* Structure of the r.e. Turing degrees */ wikilink re</p> <hr /> <div>:'''Post's problem''' ''redirects here. You may be seeking [[Post's correspondence problem]]''<br /> <br /> In [[computer science]] and [[mathematical logic]], the '''[[Alan Turing|Turing]] degree''' or '''degree of unsolvability''' of a set ''X'' of natural numbers is the equivalence class of all sets that are Turing equivalent to ''X''. The concept of Turing degree is fundamental in [[computability theory]].<br /> <br /> The Turing degree of a set gives a measure of the level of algorithmic unsolvability of the set; two sets have the same degree exactly when they have the same level of unsolvability.
The Turing degrees are partially ordered so that if the degree of a set ''X'' is less than the degree of a set ''Y'', then the level of unsolvability of ''X'' is less than that of ''Y'' in the sense that any (possibly noncomputable) procedure that correctly decides whether numbers are in ''Y'' can be effectively converted to a procedure that correctly decides whether numbers are in ''X''.<br /> <br /> The Turing degrees were introduced by [[Stephen Cole Kleene]] and [[Emil Leon Post]] in the 1940s and have been an area of intense research since then.<br /> <br /> == Turing equivalence ==<br /> <br /> For the rest of this article, the word ''set'' will refer to a set of natural numbers. A set ''X'' is said to be '''[[Turing reducible]]''' to a set ''Y'' if there is an [[oracle Turing machine]] that decides membership in ''X'' when given an oracle for membership in ''Y''. The notation ''X'' &amp;le;&lt;sub&gt;T&lt;/sub&gt; ''Y'' indicates that ''X'' is Turing reducible to ''Y''.<br /> <br /> Two sets ''X'' and ''Y'' are defined to be '''Turing equivalent''' if ''X'' is Turing reducible to ''Y'' and ''Y'' is Turing reducible to ''X''. The notation ''X'' &amp;equiv;&lt;sub&gt;T&lt;/sub&gt; ''Y'' indicates that ''X'' and ''Y'' are Turing equivalent. The relation &amp;equiv;&lt;sub&gt;T&lt;/sub&gt; can be seen to be an [[equivalence relation]], which means that for all sets ''X'', ''Y'', and ''Z'': <br /> * ''X'' &amp;equiv;&lt;sub&gt;T&lt;/sub&gt; ''X'' <br /> * ''X'' &amp;equiv;&lt;sub&gt;T&lt;/sub&gt; ''Y'' implies ''Y'' &amp;equiv;&lt;sub&gt;T&lt;/sub&gt; ''X''<br /> * If ''X'' &amp;equiv;&lt;sub&gt;T&lt;/sub&gt; ''Y'' and ''Y'' &amp;equiv;&lt;sub&gt;T&lt;/sub&gt; ''Z'' then ''X'' &amp;equiv;&lt;sub&gt;T&lt;/sub&gt; ''Z''.<br /> <br /> == Turing degree ==<br /> <br /> A '''Turing degree''' is an [[equivalence class]] of the relation &amp;equiv;&lt;sub&gt;T&lt;/sub&gt;. The notation [''X''] denotes the equivalence class containing a set ''X''.
The entire collection of Turing degrees is denoted &lt;math&gt;\mathcal{D}&lt;/math&gt;.<br /> <br /> The Turing degrees have an order relation &amp;le; defined so that [''X''] &amp;le; [''Y''] if and only if ''X'' &amp;le;&lt;sub&gt;T&lt;/sub&gt; ''Y''. This can be seen to be a [[partial order]]. There is a unique Turing degree containing all the computable sets, and this degree is less than every other degree. It is denoted '''0''' (zero) because it is the least element of the poset &lt;math&gt;\mathcal{D}&lt;/math&gt;. (It is common to use boldface notation for Turing degrees, in order to distinguish them from sets. When no confusion can occur, such as with [''X''], the boldface is not necessary.)<br /> <br /> For any sets ''X'' and ''Y'' the '''Turing join''' ''X'' &amp;oplus; ''Y'' is defined to be the union of the sets {2''n'' : ''n'' &amp;isin; ''X''} and {2''m''+1 : ''m'' &amp;isin; ''Y''}. The Turing degree of ''X'' &amp;oplus; ''Y'' is the least upper bound of the degrees of ''X'' and ''Y'': each of ''X'' and ''Y'' is recovered from ''X'' &amp;oplus; ''Y'' by querying only the even or only the odd positions, and any set from which both ''X'' and ''Y'' are computable computes ''X'' &amp;oplus; ''Y'' by dispatching on the parity of the input. Thus &lt;math&gt;\mathcal{D}&lt;/math&gt; is an upper semi-lattice. The least upper bound of degrees '''a''' and '''b''' is denoted '''a''' &amp;cup; '''b'''. It is known that &lt;math&gt;\mathcal{D}&lt;/math&gt; is not a lattice; there are pairs of degrees with no greatest lower bound.<br /> <br /> For any set ''X'' the notation ''X''&amp;prime; denotes the set of indices ''e'' of oracle machines that halt on input ''e'' when using ''X'' as an oracle. The set ''X''&amp;prime; is called the '''Turing jump''' of ''X''. The Turing jump of a degree [''X''] is defined to be the degree [''X''&amp;prime;]; this is a valid definition because ''X''&amp;prime; &amp;equiv;&lt;sub&gt;T&lt;/sub&gt; ''Y''&amp;prime; whenever ''X'' &amp;equiv;&lt;sub&gt;T&lt;/sub&gt; ''Y''.
Thus, for example, the degree '''0'''&amp;prime; is the degree of the [[Halting problem]].<br /> <br /> == Basic properties of the Turing degrees ==<br /> <br /> *Every Turing degree contains exactly &lt;math&gt;\aleph_0&lt;/math&gt; (that is, countably many) sets.<br /> <br /> *There are &lt;math&gt;2^{\aleph_0}&lt;/math&gt; Turing degrees.<br /> <br /> *For each degree '''a''' the strict inequality '''a''' &lt; '''a'''&amp;prime; holds.<br /> <br /> == Structure of the Turing degrees ==<br /> <br /> A great deal of research has been conducted into the structure of the Turing degrees. The following survey lists only some of the many known results. One general conclusion that can be drawn from the research is that the structure of the Turing degrees is extremely complicated.<br /> <br /> ==== Order properties ====<br /> <br /> * There are '''minimal degrees'''. A degree '''a''' is ''minimal'' if '''a''' is nonzero and there is no degree between '''0''' and '''a'''.<br /> <br /> * For every nonzero degree '''a''' there is a degree '''b''' incomparable with '''a'''.<br /> <br /> * There is a set of &lt;math&gt;2^{\aleph_0}&lt;/math&gt; pairwise incomparable Turing degrees.<br /> <br /> * There are pairs of degrees with no greatest lower bound. Thus &lt;math&gt;\mathcal{D}&lt;/math&gt; is not a lattice.<br /> <br /> * Every countable partially ordered set can be embedded in the Turing degrees.<br /> <br /> * No infinite increasing sequence of degrees has a least upper bound.<br /> <br /> ==== Properties involving the jump ====<br /> <br /> * For every degree '''a''' there is a degree strictly between '''a''' and '''a&amp;prime;'''. 
In fact, there is a countable sequence of pairwise incomparable degrees between '''a''' and '''a&amp;prime;'''.<br /> <br /> * A degree '''a''' is of the form '''b&amp;prime;''' if and only if '''0&amp;prime;''' &amp;le; '''a'''.<br /> <br /> * For any degree '''a''' there is a degree '''b''' such that '''a''' &lt; '''b''' and '''b&amp;prime;''' = '''a&amp;prime;'''; such a degree '''b''' is called ''low'' relative to '''a'''.<br /> <br /> * There is an infinite sequence '''a'''&lt;sub&gt;i&lt;/sub&gt; of degrees such that '''a'''&lt;sub&gt;i+1&lt;/sub&gt;&amp;prime; &amp;le; '''a'''&lt;sub&gt;i&lt;/sub&gt; for each ''i''.<br /> <br /> ==== Logical properties ====<br /> <br /> * The first-order theory of &lt;math&gt;\mathcal{D}&lt;/math&gt; in the language &amp;lang; &amp;le;, = &amp;rang; or &amp;lang; &amp;le;, &amp;prime;, = &amp;rang; is [[Many-one reduction|many-one equivalent]] to the theory of true second-order arithmetic. This indicates that the structure of &lt;math&gt;\mathcal{D}&lt;/math&gt; is extremely complicated.<br /> <br /> * The jump operator is definable in the first-order structure of the degrees with the language &amp;lang; &amp;le;, = &amp;rang;.<br /> <br /> == Structure of the r.e. Turing degrees ==<br /> <br /> A degree is called r.e. (recursively enumerable) if it contains a [[recursively enumerable set]]. Every r.e. degree is less than or equal to '''0&amp;prime;''', but not every degree less than '''0&amp;prime;''' is an r.e. degree.<br /> <br /> * The r.e. degrees are dense: between any two r.e. degrees '''a''' &lt; '''b''' there is a third r.e. degree '''c''' with '''a''' &lt; '''c''' &lt; '''b'''.<br /> <br /> * There are two r.e. degrees with no greatest lower bound in the r.e. degrees.<br /> <br /> * There is a pair of nonzero r.e. degrees whose greatest lower bound is '''0'''.<br /> <br /> * Every finite distributive lattice can be embedded into the r.e. degrees.
In fact, the countable atomless Boolean algebra can be embedded in a manner that preserves suprema and infima.<br /> <br /> * Not all finite lattices can be embedded in the r.e. degrees (via an embedding that preserves suprema and infima). The following particular lattice cannot be embedded in the r.e. degrees:<br /> <br /> ::[[Image:rehasse.png]]<br /> <br /> * There is no pair of nonzero r.e. degrees whose greatest lower bound is '''0''' and whose least upper bound is '''0&amp;prime;'''. This result is informally called the ''nondiamond theorem''.<br /> <br /> * The first-order theory of the r.e. degrees in the language &amp;lang; '''0''', &amp;le;, = &amp;rang; is many-one equivalent to the theory of true first-order arithmetic.<br /> <br /> == Post's problem and the priority method ==<br /> <br /> [[Emil Post]] studied the r.e. Turing degrees and asked whether there is any r.e. degree strictly between '''0''' and '''0&amp;prime;'''. The problem of constructing such a degree (or showing that none exist) became known as '''Post's problem'''. This problem was solved independently by Friedberg and Muchnik in the 1950s, who showed that these intermediate r.e. degrees do exist. Their proofs each developed the same new method for constructing r.e. degrees, which came to be known as the '''priority method'''. The priority method is now the main technique for establishing results about r.e. sets.<br /> <br /> The idea of the priority method for constructing an r.e. set ''X'' is to list a countable sequence of ''requirements'' that ''X'' must satisfy. For example, to construct an r.e.
set ''X'' between '''0''' and '''0&amp;prime;''' it is enough to satisfy the requirements ''A&lt;sub&gt;e&lt;/sub&gt;'' and ''B&lt;sub&gt;e&lt;/sub&gt;'' for each natural number ''e'', where ''A&lt;sub&gt;e&lt;/sub&gt;'' requires that the oracle machine with index ''e'' does not compute 0&amp;prime; from ''X'' and ''B&lt;sub&gt;e&lt;/sub&gt;'' requires that the Turing machine with index ''e'' (and no oracle) does not compute ''X''. These requirements are put into a ''priority ordering'', which is an explicit bijection of the requirements and the natural numbers. The proof proceeds inductively with one stage for each natural number; these stages can be thought of as steps of time during which the set ''X'' is enumerated. At each stage, numbers may be put into ''X'' or forever prevented from entering ''X'' in an attempt to ''satisfy'' requirements (that is, force them to hold once all of ''X'' has been enumerated). Sometimes, a number can be enumerated into ''X'' to satisfy one requirement but doing this would cause a previously satisfied requirement to become unsatisfied (that is, to be ''injured''). The priority order on requirements is used to determine which requirement to satisfy in this case. The informal idea is that if a requirement is injured then it will eventually stop being injured after all higher priority requirements have stopped being injured, although not every priority argument has this property. An argument must be made that the overall set ''X'' is r.e. and satisfies all the requirements. Priority arguments can be used to prove many facts about r.e. sets; the requirements used and the manner in which they are satisfied must be carefully chosen to produce the required result.<br /> <br /> == References ==<br /> ==== Monographs (undergraduate level) ====<br /> <br /> Cooper, S.B. ''Computability theory''. Chapman &amp; Hall/CRC, Boca Raton, FL, 2004. ISBN 1-58488-237-9<br /> <br /> Cutland, N.
''Computability.'' Cambridge University Press, Cambridge-New York, 1980. ISBN 0-521-22384-9; ISBN 0-521-29465-7<br /> <br /> Odifreddi, P. ''Classical Recursion Theory'', North-Holland, ISBN 0-444-87295-7 <br /> <br /> ==== Monographs and survey articles (graduate level) ====<br /> <br /> Ambos-Spies, K. and Fejer, P. Degrees of Unsolvability. Unpublished. http://www.cs.umb.edu/~fejer/articles/History_of_Degrees.pdf<br /> <br /> Lerman, M. ''Degrees of unsolvability.'' Perspectives in Mathematical Logic. Springer-Verlag, Berlin, 1983. ISBN 3-540-12155-2<br /> <br /> Rogers, H. ''The Theory of Recursive Functions and Effective Computability'', MIT Press. ISBN 0-262-68052-1; ISBN 0-07-053522-1 <br /> <br /> Simpson, S. Degrees of unsolvability: a survey of results. ''Handbook of Mathematical Logic'', North-Holland, 1977, pp. 631--652.<br /> <br /> Shore, R. The theories of the T, tt, and wtt r.e. degrees: undecidability and beyond. Proceedings of the IX Latin American Symposium on Mathematical Logic, Part 1 (Bahía Blanca, 1992), 61--70, Notas Lógica Mat., 38, Univ. Nac. del Sur, Bahía Blanca, 1993.<br /> <br /> Soare, R. ''Recursively enumerable sets and degrees.'' Perspectives in Mathematical Logic. Springer-Verlag, Berlin, 1987. ISBN 3-540-15299-7<br /> <br /> Soare, Robert I. Recursively enumerable sets and degrees. ''Bull. Amer. Math. Soc.'' 84 (1978), no. 6, 1149--1181.<br /> <br /> [[Category:Recursion theory]]<br /> [[Category:Mathematical logic]]<br /> [[Category:Theory of computation]]</div> Ciphergoth https://de.wikipedia.org/w/index.php?title=Trivium_(Algorithmus)&diff=83575882 Trivium (Algorithmus) 2006-10-09T08:20:00Z <p>Ciphergoth: use references</p> <hr /> <div>[[Image:Trivium_(cipher).png|thumb|300px|right|Structure of Trivium]]<br /> '''Trivium''' is a synchronous [[stream cipher]] designed to provide a flexible trade-off between speed and [[gate count]] in hardware, and reasonably efficient software implementation. 
<br /> <br /> It was submitted&lt;ref&gt;{{cite paper<br /> | author = [[Christophe De Cannière]], [[Bart Preneel]]<br /> | title = Trivium specifications<br /> | publisher = eSTREAM submitted papers<br /> | date = 2005-04-29<br /> | url = http://www.ecrypt.eu.org/stream/ciphers/trivium/trivium.pdf<br /> | format = [[PDF]]<br /> | accessdate = 2006-10-09<br /> }}&lt;/ref&gt; to the Profile II (hardware) of the [[eSTREAM]] competition by its authors, [[Christophe De Cannière]] and [[Bart Preneel]], and has been selected as a Phase 2 Focus Candidate for Profile 2 by the eSTREAM project. It is not patented.<br /> <br /> It generates up to 2&lt;sup&gt;64&lt;/sup&gt; [[bit]]s of output from an 80-bit [[key length|key]] and an 80-bit [[initialization vector|IV]]. It is the simplest eSTREAM entrant, and shows remarkable resistance to cryptanalysis for its simplicity.<br /> <br /> ==Description==<br /> Trivium's 288-bit internal state consists of three [[shift register]]s of different lengths. At each round, a bit is shifted into each of the three shift registers using a non-linear combination of taps from that and one other register; one bit of output is produced. To initialize the cipher, the key and IV are written into two of the shift registers, with the remaining bits starting in a fixed pattern; the cipher state is then updated 4 &amp;times; 288 = 1152 times, so that every bit of the internal state depends on every bit of the key and of the IV in a complex nonlinear way.<br /> <br /> No taps appear on the first 64 bits of each shift register, so each novel state bit is not used until at least 64 rounds after it is generated.
This is the key to Trivium's software performance and flexibility in hardware.<br /> <br /> ==Specification==<br /> Trivium may be specified very concisely using three recursive equations.&lt;ref&gt;[http://www.ecrypt.eu.org/stream/phorum/read.php?1,448 eSTREAM Phorum, 2006-02-20]&lt;/ref&gt; Each variable is an element of [[finite field|GF]](2); they can be represented as [[bit]]s, with &quot;+&quot; being [[Exclusive or|XOR]] and multiplication being [[Binary and|AND]].<br /> <br /> *''a''&lt;sub&gt;''i''&lt;/sub&gt; = ''c''&lt;sub&gt;''i''-66&lt;/sub&gt; + ''c''&lt;sub&gt;''i''-111&lt;/sub&gt; + ''c''&lt;sub&gt;''i''-110&lt;/sub&gt; ''c''&lt;sub&gt;''i''-109&lt;/sub&gt; + ''a''&lt;sub&gt;''i''-69&lt;/sub&gt;<br /> *''b''&lt;sub&gt;''i''&lt;/sub&gt; = ''a''&lt;sub&gt;''i''-66&lt;/sub&gt; + ''a''&lt;sub&gt;''i''-93&lt;/sub&gt; + ''a''&lt;sub&gt;''i''-92&lt;/sub&gt; ''a''&lt;sub&gt;''i''-91&lt;/sub&gt; + ''b''&lt;sub&gt;''i''-78&lt;/sub&gt;<br /> *''c''&lt;sub&gt;''i''&lt;/sub&gt; = ''b''&lt;sub&gt;''i''-69&lt;/sub&gt; + ''b''&lt;sub&gt;''i''-84&lt;/sub&gt; + ''b''&lt;sub&gt;''i''-83&lt;/sub&gt; ''b''&lt;sub&gt;''i''-82&lt;/sub&gt; + ''c''&lt;sub&gt;''i''-87&lt;/sub&gt;<br /> <br /> The output bits ''r''&lt;sub&gt;0&lt;/sub&gt; ... ''r''&lt;sub&gt;2&lt;sup&gt;64&lt;/sup&gt;-1&lt;/sub&gt; are then generated by<br /> <br /> *''r''&lt;sub&gt;''i''&lt;/sub&gt; = ''c''&lt;sub&gt;''i''-66&lt;/sub&gt; + ''c''&lt;sub&gt;''i''-111&lt;/sub&gt; + ''a''&lt;sub&gt;''i''-66&lt;/sub&gt; + ''a''&lt;sub&gt;''i''-93&lt;/sub&gt; + ''b''&lt;sub&gt;''i''-69&lt;/sub&gt; + ''b''&lt;sub&gt;''i''-84&lt;/sub&gt;<br /> <br /> Given an 80-bit key ''k''&lt;sub&gt;0&lt;/sub&gt; ... ''k''&lt;sub&gt;79&lt;/sub&gt; and an ''l''-bit IV ''v''&lt;sub&gt;0&lt;/sub&gt; ... ''v''&lt;sub&gt;''l''-1&lt;/sub&gt; (where 0 &amp;le; ''l'' &amp;le; 80), Trivium is initialized as follows:<br /> <br /> *(''a''&lt;sub&gt;-1245&lt;/sub&gt; ... ''a''&lt;sub&gt;-1153&lt;/sub&gt;) = (0, 0 ... 
0, ''k''&lt;sub&gt;0&lt;/sub&gt; ... ''k''&lt;sub&gt;79&lt;/sub&gt;)<br /> *(''b''&lt;sub&gt;-1236&lt;/sub&gt; ... ''b''&lt;sub&gt;-1153&lt;/sub&gt;) = (0, 0 ... 0, ''v''&lt;sub&gt;0&lt;/sub&gt; ... ''v''&lt;sub&gt;''l''-1&lt;/sub&gt;)<br /> *(''c''&lt;sub&gt;-1263&lt;/sub&gt; ... ''c''&lt;sub&gt;-1153&lt;/sub&gt;) = (1, 1, 1, 0, 0 ... 0)<br /> <br /> The large negative indices on the initial values reflect the 1152 steps that must take place before output is produced.<br /> <br /> To map a stream of bits ''r'' to a stream of bytes ''R'', we use the little-endian mapping ''R''&lt;sub&gt;''i''&lt;/sub&gt; = Σ&lt;sub&gt;''j''=0 ... 7&lt;/sub&gt; 2&lt;sup&gt;j&lt;/sup&gt; ''r''&lt;sub&gt;8''i''+j&lt;/sub&gt;.<br /> <br /> ==Performance==<br /> A straightforward hardware implementation of Trivium would use 3488 [[logic gate]]s and produce one bit per clock cycle. However, because each novel state bit is not used for at least 64 rounds, 64 state bits can be generated in parallel at a slightly greater hardware cost of 5504 gates. Different tradeoffs between speed and area are also possible.<br /> <br /> The same property allows an efficient bitslice implementation in software; performance testing by [[eSTREAM]] gives bulk encryption speeds of around 4 cycles/byte on some [[x86]] platforms, which compares well to the 19 cycles/byte of the [[Advanced Encryption Standard|AES]] reference implementation on the same platform.<br /> <br /> ==Security==<br /> Trivium's security is bounded by its 80-bit key length. As of January [[2006]], no cryptanalytic attacks better than [[brute force attack]] are known; the best attack, by [[Shahram Khazaei]], requires around 2&lt;sup&gt;135&lt;/sup&gt; operations.
&lt;ref&gt;{{cite paper<br /> | author = Shahram Khazaei, Mehdi Hassanzadeh<br /> | title = Linear Sequential Circuit Approximation of the TRIVIUM Stream Cipher<br /> | publisher = eSTREAM submitted papers<br /> | date = 2005-09-27<br /> | url = http://www.ecrypt.eu.org/stream/papersdir/063.pdf<br /> | format = [[PDF]]<br /> | accessdate = 2006-10-09<br /> }}&lt;/ref&gt; Reduced variants of Trivium have been attacked using an equation-solving technique.&lt;ref&gt;{{cite paper<br /> | author = [[Håvard Raddum]]<br /> | title = Cryptanalytic results on Trivium<br /> | publisher = eSTREAM submitted papers<br /> | date = 2006-03-27<br /> | url = http://www.ecrypt.eu.org/stream/papersdir/2006/039.ps<br /> | format = [[PostScript]]<br /> | accessdate = 2006-10-09}}&lt;/ref&gt;<br /> <br /> A detailed justification of the design of Trivium is given in &lt;ref&gt;{{cite paper<br /> | author = [[Christophe De Cannière]], [[Bart Preneel]]<br /> | title = Trivium - A Stream Cipher Construction Inspired by Block Cipher Design Principles<br /> | publisher = eSTREAM submitted papers<br /> | date = 2006-01-02<br /> | url = http://www.ecrypt.eu.org/stream/papersdir/2006/021.pdf<br /> | format = [[PDF]]<br /> | accessdate = 2006-10-09<br /> }}&lt;/ref&gt;.<br /> <br /> No new design should be fielded for real use until it has survived a period of public scrutiny, and Trivium's design is also fairly novel. 
The authors express the hope that its simple design should inspire greater confidence in its security once it survives such scrutiny.<br /> <br /> ==References==<br /> &lt;references/&gt;<br /> <br /> ==External links==<br /> * [http://www.ecrypt.eu.org/stream/trivium.html eSTREAM page on Trivium]<br /> <br /> {{Crypto navbox | stream}}<br /> <br /> [[Category:Stream ciphers]]</div> Ciphergoth https://de.wikipedia.org/w/index.php?title=Trivium_(Algorithmus)&diff=83575881 Trivium (Algorithmus) 2006-10-03T12:09:50Z <p>Ciphergoth: /* Security */ add Raddum attack.</p> <hr /> <div>[[Image:Trivium_(cipher).png|thumb|300px|right|Structure of Trivium]]<br /> '''Trivium''' is a synchronous [[stream cipher]] designed to provide a flexible trade-off between speed and [[gate count]] in hardware, and reasonably efficient software implementation. <br /> <br /> It was submitted to the Profile II (hardware) of the [[eSTREAM]] competition by its authors, [[Christophe De Cannière]] and [[Bart Preneel]], and has been selected as a Phase 2 Focus Candidate for Profile 2 by the eSTREAM project. It is not patented.<br /> <br /> It generates up to 2&lt;sup&gt;64&lt;/sup&gt; [[bit]]s of output from an 80-bit [[key length|key]] and an 80-bit [[initialization vector|IV]]. It is the simplest eSTREAM entrant, and shows remarkable resistance to cryptanalysis for its simplicity.<br /> <br /> ==Description==<br /> Trivium's 288-bit internal state consists of three [[shift register]]s of different lengths. At each round, a bit is shifted into each of the three shift registers using a non-linear combination of taps from that and one other register; one bit of output is produced.
To initialize the cipher, the key and IV are written into two of the shift registers, with the remaining bits starting in a fixed pattern; the cipher state is then updated 4 &amp;times; 288 = 1152 times, so that every bit of the internal state depends on every bit of the key and of the IV in a complex nonlinear way.<br /> <br /> No taps appear on the first 64 bits of each shift register, so each novel state bit is not used until at least 64 rounds after it is generated. This is the key to Trivium's software performance and flexibility in hardware.<br /> <br /> ==Specification==<br /> Trivium may be specified very concisely using three recursive equations [http://www.ecrypt.eu.org/stream/phorum/read.php?1,448]. Each variable is an element of [[finite field|GF]](2); they can be represented as [[bit]]s, with &quot;+&quot; being [[Exclusive or|XOR]] and multiplication being [[Binary and|AND]].<br /> <br /> *''a''&lt;sub&gt;''i''&lt;/sub&gt; = ''c''&lt;sub&gt;''i''-66&lt;/sub&gt; + ''c''&lt;sub&gt;''i''-111&lt;/sub&gt; + ''c''&lt;sub&gt;''i''-110&lt;/sub&gt; ''c''&lt;sub&gt;''i''-109&lt;/sub&gt; + ''a''&lt;sub&gt;''i''-69&lt;/sub&gt;<br /> *''b''&lt;sub&gt;''i''&lt;/sub&gt; = ''a''&lt;sub&gt;''i''-66&lt;/sub&gt; + ''a''&lt;sub&gt;''i''-93&lt;/sub&gt; + ''a''&lt;sub&gt;''i''-92&lt;/sub&gt; ''a''&lt;sub&gt;''i''-91&lt;/sub&gt; + ''b''&lt;sub&gt;''i''-78&lt;/sub&gt;<br /> *''c''&lt;sub&gt;''i''&lt;/sub&gt; = ''b''&lt;sub&gt;''i''-69&lt;/sub&gt; + ''b''&lt;sub&gt;''i''-84&lt;/sub&gt; + ''b''&lt;sub&gt;''i''-83&lt;/sub&gt; ''b''&lt;sub&gt;''i''-82&lt;/sub&gt; + ''c''&lt;sub&gt;''i''-87&lt;/sub&gt;<br /> <br /> The output bits ''r''&lt;sub&gt;0&lt;/sub&gt; ... 
''r''&lt;sub&gt;2&lt;sup&gt;64&lt;/sup&gt;-1&lt;/sub&gt; are then generated by<br /> <br /> *''r''&lt;sub&gt;''i''&lt;/sub&gt; = ''c''&lt;sub&gt;''i''-66&lt;/sub&gt; + ''c''&lt;sub&gt;''i''-111&lt;/sub&gt; + ''a''&lt;sub&gt;''i''-66&lt;/sub&gt; + ''a''&lt;sub&gt;''i''-93&lt;/sub&gt; + ''b''&lt;sub&gt;''i''-69&lt;/sub&gt; + ''b''&lt;sub&gt;''i''-84&lt;/sub&gt;<br /> <br /> Given an 80-bit key ''k''&lt;sub&gt;0&lt;/sub&gt; ... ''k''&lt;sub&gt;79&lt;/sub&gt; and an ''l''-bit IV ''v''&lt;sub&gt;0&lt;/sub&gt; ... ''v''&lt;sub&gt;''l''-1&lt;/sub&gt; (where 0 &amp;le; ''l'' &amp;le; 80), Trivium is initialized as follows:<br /> <br /> *(''a''&lt;sub&gt;-1245&lt;/sub&gt; ... ''a''&lt;sub&gt;-1153&lt;/sub&gt;) = (0, 0 ... 0, ''k''&lt;sub&gt;0&lt;/sub&gt; ... ''k''&lt;sub&gt;79&lt;/sub&gt;)<br /> *(''b''&lt;sub&gt;-1236&lt;/sub&gt; ... ''b''&lt;sub&gt;-1153&lt;/sub&gt;) = (0, 0 ... 0, ''v''&lt;sub&gt;0&lt;/sub&gt; ... ''v''&lt;sub&gt;''l''-1&lt;/sub&gt;)<br /> *(''c''&lt;sub&gt;-1263&lt;/sub&gt; ... ''c''&lt;sub&gt;-1153&lt;/sub&gt;) = (1, 1, 1, 0, 0 ... 0)<br /> <br /> The large negative indices on the initial values reflect the 1152 steps that must take place before output is produced.<br /> <br /> To map a stream of bits ''r'' to a stream of bytes ''R'', we use the little-endian mapping ''R''&lt;sub&gt;''i''&lt;/sub&gt; = Σ&lt;sub&gt;''j''=0 ... 7&lt;/sub&gt; 2&lt;sup&gt;j&lt;/sup&gt; ''r''&lt;sub&gt;8''i''+j&lt;/sub&gt;.<br /> <br /> ==Performance==<br /> A straightforward hardware implementation of Trivium would use 3488 [[logic gate]]s and produce one bit per clock cycle. However, because each novel state bit is not used for at least 64 rounds, 64 state bits can be generated in parallel at a slightly greater hardware cost of 5504 gates. 
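The three recursive equations in the Specification section and the 64-way parallelism claim in the Performance section, worked through as an added Python example (this is not code from the page, from the eSTREAM project, or from the cipher's authors). The first generator is a literal transcription of the a_i, b_i, c_i and r_i equations with the initial values given above; the second holds each register in an integer and produces 64 keystream bits per step, which is possible only because no tap lies within 64 positions of the newest bit. The two are checked against each other rather than against official test vectors: the page fixes the byte mapping only for the output stream, so the little-endian expansion of key and IV bytes used here is an assumption, and the output may differ from the reference implementation's test vectors by bit order. The last helper shows the standard synchronous stream cipher caveat that the page's security discussion does not spell out: encrypting two messages under the same key and IV leaks their XOR.

```python
from __future__ import annotations

MASK64 = (1 << 64) - 1


def bytes_to_bits(data: bytes) -> list[int]:
    """Little-endian bit order: bit j of byte i becomes element 8*i + j (assumed for key/IV)."""
    return [(byte >> j) & 1 for byte in data for j in range(8)]


def bits_to_bytes(bits: list[int]) -> bytes:
    """The page's output byte mapping R_i = sum_{j=0..7} 2^j r_{8i+j}."""
    return bytes(sum(bits[8 * i + j] << j for j in range(8))
                 for i in range(len(bits) // 8))


def keystream_bitserial(key: bytes, iv: bytes, nbytes: int) -> bytes:
    """One keystream bit per step, transcribed from the a_i, b_i, c_i and r_i equations."""
    k, v = bytes_to_bits(key), bytes_to_bits(iv)
    if len(k) != 80 or len(v) > 80:
        raise ValueError("key must be 80 bits, IV at most 80 bits")
    # Initial register contents, oldest index first, exactly as given on the page.
    a = [0] * 13 + k                 # a_{-1245} .. a_{-1153}
    b = [0] * (84 - len(v)) + v      # b_{-1236} .. b_{-1153}
    c = [1, 1, 1] + [0] * 108        # c_{-1263} .. c_{-1153}
    A = lambda i: a[i + 1245]        # translate the page's negative indices to list offsets
    B = lambda i: b[i + 1236]
    C = lambda i: c[i + 1263]
    r = []
    for i in range(-1152, 8 * nbytes):   # 1152 silent warm-up steps, then one output bit per step
        if i >= 0:
            r.append(C(i - 66) ^ C(i - 111) ^ A(i - 66) ^ A(i - 93) ^ B(i - 69) ^ B(i - 84))
        a_i = C(i - 66) ^ C(i - 111) ^ (C(i - 110) & C(i - 109)) ^ A(i - 69)
        b_i = A(i - 66) ^ A(i - 93) ^ (A(i - 92) & A(i - 91)) ^ B(i - 78)
        c_i = B(i - 69) ^ B(i - 84) ^ (B(i - 83) & B(i - 82)) ^ C(i - 87)
        a.append(a_i)
        b.append(b_i)
        c.append(c_i)
    return bits_to_bytes(r)


def keystream_parallel(key: bytes, iv: bytes, nbytes: int) -> bytes:
    """64 keystream bits per step.  Each register is an int whose bit p holds the
    p-th oldest bit still referenced: a_{i-93+p}, b_{i-84+p}, c_{i-111+p}, so the
    tap a_{i-n} is bit (93-n) of A, and so on.  The nearest tap is 66 positions
    back, so 64 new bits and 64 output bits depend only on bits already present,
    which is the property the Performance section relies on.  1152 = 18 * 64."""
    if len(key) != 10 or len(iv) > 10:
        raise ValueError("key must be 10 bytes, IV at most 10 bytes")
    A = int.from_bytes(key, "little") << 13                  # (0 x 13, k_0 .. k_79)
    B = int.from_bytes(iv, "little") << (84 - 8 * len(iv))   # (0 .. 0, v_0 .. v_{l-1})
    C = 0b111                                                # (1, 1, 1, 0 .. 0)
    out = bytearray()
    for step in range(18 + (nbytes + 7) // 8):
        z = (C ^ (C >> 45) ^ A ^ (A >> 27) ^ B ^ (B >> 15)) & MASK64   # r_i .. r_{i+63}
        na = (C ^ (C >> 45) ^ ((C >> 1) & (C >> 2)) ^ (A >> 24)) & MASK64
        nb = (A ^ (A >> 27) ^ ((A >> 1) & (A >> 2)) ^ (B >> 6)) & MASK64
        nc = (B ^ (B >> 15) ^ ((B >> 1) & (B >> 2)) ^ (C >> 24)) & MASK64
        A = (A >> 64) | (na << 29)   # drop the 64 oldest bits, keep 93: a_{i-29} .. a_{i+63}
        B = (B >> 64) | (nb << 20)   # keep 84
        C = (C >> 64) | (nc << 47)   # keep 111
        if step >= 18:
            out += z.to_bytes(8, "little")   # bit t of z is r_{64m+t}: the page's byte mapping
    return bytes(out[:nbytes])


def xor_bytes(x: bytes, y: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(x, y))


def encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Encryption and decryption are the same XOR with the keystream."""
    return xor_bytes(data, keystream_parallel(key, iv, len(data)))


if __name__ == "__main__":
    key, iv = bytes(range(1, 11)), bytes(range(0x80, 0x8A))   # constructed demo values
    assert keystream_parallel(key, iv, 40) == keystream_bitserial(key, iv, 40)
    print(keystream_parallel(key, iv, 16).hex())
    # Keystream reuse: the same key and IV used twice leaks the XOR of the two plaintexts.
    p1, p2 = b"attack at dawn", b"retreat now!!!"
    assert xor_bytes(encrypt(key, iv, p1), encrypt(key, iv, p2)) == xor_bytes(p1, p2)
```

The parallel form is the software counterpart of the 64-bit hardware variant mentioned above: the shift amounts 45, 27, 15, 24, 6 and 24 are the page's tap distances rewritten relative to the oldest bit each register still needs, and the 64-bit slice of each register can be replaced by a 32-bit or 8-bit slice for a narrower datapath without changing the arithmetic. In any deployment the IV must never repeat under one key; the last assertion in the demo is exactly the leak that happens when it does.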
Different tradeoffs between speed and area are also possible.<br /> <br /> The same property allows an efficient bitslice implementation in software; performance testing by [[eSTREAM]] gives bulk encryption speeds of around 4 cycles/byte on some [[x86]] platforms, which compares well to the 19 cycles/byte of the [[Advanced Encryption Standard|AES]] reference implementation on the same platform.<br /> <br /> ==Security==<br /> Trivium's security is bounded by its 80-bit key length. As of January [[2006]], no cryptanalytic attacks better than [[brute force attack]] are known; the best attack, by [[Shahram Khazaei]], requires around 2&lt;sup&gt;135&lt;/sup&gt; operations [http://www.ecrypt.eu.org/stream/phorum/read.php?1,448]. [[Håvard Raddum]] has broken reduced variants of Trivium using an equation-solving technique [http://www.ecrypt.eu.org/stream/papersdir/2006/039.ps].<br /> <br /> A detailed justification of the design of Trivium is given in the paper &quot;Trivium - A Stream Cipher Construction Inspired by Block Cipher Design Principles&quot;.<br /> <br /> No new design should be fielded for real use until it has survived a period of public scrutiny, and Trivium's design is also fairly novel.
The authors express the hope that its simple design should inspire greater confidence in its security once it survives such scrutiny.<br /> <br /> ==External links==<br /> * [http://www.ecrypt.eu.org/stream/ciphers/trivium/trivium.pdf Trivium specification] ([[PDF]])<br /> * [http://www.ecrypt.eu.org/stream/papersdir/2006/021.pdf Trivium - A Stream Cipher Construction Inspired by Block Cipher Design Principles] ([[PDF]])<br /> * [http://www.ecrypt.eu.org/stream/trivium.html eSTREAM page on Trivium]<br /> <br /> {{Crypto navbox | stream}}<br /> <br /> [[Category:Stream ciphers]]</div> Ciphergoth https://de.wikipedia.org/w/index.php?title=Trivium_(Algorithmus)&diff=83575879 Trivium (Algorithmus) 2006-05-12T18:39:52Z <p>Ciphergoth: say more about its simplicity</p> <hr /> <div>[[Image:Trivium_(cipher).png|thumb|300px|right|Structure of Trivium]]<br /> '''Trivium''' is a synchronous [[stream cipher]] designed to provide a flexible trade-off between speed and [[gate count]] in hardware, and reasonably efficient software implementation. <br /> <br /> It was submitted to the Profile II (hardware) of the [[eSTREAM]] competition by its authors, [[Christophe De Cannière]] and [[Bart Preneel]], and has been selected as a Phase 2 Focus Candidate for Profile 2 by the eSTREAM project. It is not patented.<br /> <br /> It generates up to 2&lt;sup&gt;64&lt;/sup&gt; [[bit]]s of output from an 80-bit [[key length|key]] and an 80-bit [[initialization vector|IV]]. It is the simplest eSTREAM entrant, and shows remarkable resistance to cryptanalysis for its simplicity.<br /> <br /> ==Description==<br /> Trivium's 288-bit internal state consists of three [[shift register]]s of different lengths. At each round, a bit is shifted into each of the three shift registers using a non-linear combination of taps from that and one other register; one bit of output is produced.
To initialize the cipher, the key and IV are written into two of the shift registers, with the remaining bits starting in a fixed pattern; the cipher state is then updated 4 &amp;times; 288 = 1152 times, so that every bit of the internal state depends on every bit of the key and of the IV in a complex nonlinear way.<br /> <br /> No taps appear on the first 64 bits of each shift register, so each novel state bit is not used until at least 64 rounds after it is generated. This is the key to Trivium's software performance and flexibility in hardware.<br /> <br /> ==Specification==<br /> Trivium may be specified very concisely using three recursive equations [http://www.ecrypt.eu.org/stream/phorum/read.php?1,448]. Each variable is an element of [[finite field|GF]](2); they can be represented as [[bit]]s, with &quot;+&quot; being [[Exclusive or|XOR]] and multiplication being [[Binary and|AND]].<br /> <br /> *''a''&lt;sub&gt;''i''&lt;/sub&gt; = ''c''&lt;sub&gt;''i''-66&lt;/sub&gt; + ''c''&lt;sub&gt;''i''-111&lt;/sub&gt; + ''c''&lt;sub&gt;''i''-110&lt;/sub&gt; ''c''&lt;sub&gt;''i''-109&lt;/sub&gt; + ''a''&lt;sub&gt;''i''-69&lt;/sub&gt;<br /> *''b''&lt;sub&gt;''i''&lt;/sub&gt; = ''a''&lt;sub&gt;''i''-66&lt;/sub&gt; + ''a''&lt;sub&gt;''i''-93&lt;/sub&gt; + ''a''&lt;sub&gt;''i''-92&lt;/sub&gt; ''a''&lt;sub&gt;''i''-91&lt;/sub&gt; + ''b''&lt;sub&gt;''i''-78&lt;/sub&gt;<br /> *''c''&lt;sub&gt;''i''&lt;/sub&gt; = ''b''&lt;sub&gt;''i''-69&lt;/sub&gt; + ''b''&lt;sub&gt;''i''-84&lt;/sub&gt; + ''b''&lt;sub&gt;''i''-83&lt;/sub&gt; ''b''&lt;sub&gt;''i''-82&lt;/sub&gt; + ''c''&lt;sub&gt;''i''-87&lt;/sub&gt;<br /> <br /> The output bits ''r''&lt;sub&gt;0&lt;/sub&gt; ... 
''r''&lt;sub&gt;2&lt;sup&gt;64&lt;/sup&gt;-1&lt;/sub&gt; are then generated by<br /> <br /> *''r''&lt;sub&gt;''i''&lt;/sub&gt; = ''c''&lt;sub&gt;''i''-66&lt;/sub&gt; + ''c''&lt;sub&gt;''i''-111&lt;/sub&gt; + ''a''&lt;sub&gt;''i''-66&lt;/sub&gt; + ''a''&lt;sub&gt;''i''-93&lt;/sub&gt; + ''b''&lt;sub&gt;''i''-69&lt;/sub&gt; + ''b''&lt;sub&gt;''i''-84&lt;/sub&gt;<br /> <br /> Given an 80-bit key ''k''&lt;sub&gt;0&lt;/sub&gt; ... ''k''&lt;sub&gt;79&lt;/sub&gt; and an ''l''-bit IV ''v''&lt;sub&gt;0&lt;/sub&gt; ... ''v''&lt;sub&gt;''l''-1&lt;/sub&gt; (where 0 &amp;le; ''l'' &amp;le; 80), Trivium is initialized as follows:<br /> <br /> *(''a''&lt;sub&gt;-1245&lt;/sub&gt; ... ''a''&lt;sub&gt;-1153&lt;/sub&gt;) = (0, 0 ... 0, ''k''&lt;sub&gt;0&lt;/sub&gt; ... ''k''&lt;sub&gt;79&lt;/sub&gt;)<br /> *(''b''&lt;sub&gt;-1236&lt;/sub&gt; ... ''b''&lt;sub&gt;-1153&lt;/sub&gt;) = (0, 0 ... 0, ''v''&lt;sub&gt;0&lt;/sub&gt; ... ''v''&lt;sub&gt;''l''-1&lt;/sub&gt;)<br /> *(''c''&lt;sub&gt;-1263&lt;/sub&gt; ... ''c''&lt;sub&gt;-1153&lt;/sub&gt;) = (1, 1, 1, 0, 0 ... 0)<br /> <br /> The large negative indices on the initial values reflect the 1152 steps that must take place before output is produced.<br /> <br /> To map a stream of bits ''r'' to a stream of bytes ''R'', we use the little-endian mapping ''R''&lt;sub&gt;''i''&lt;/sub&gt; = Σ&lt;sub&gt;''j''=0 ... 7&lt;/sub&gt; 2&lt;sup&gt;j&lt;/sup&gt; ''r''&lt;sub&gt;8''i''+j&lt;/sub&gt;.<br /> <br /> ==Performance==<br /> A straightforward hardware implementation of Trivium would use 3488 [[logic gate]]s and produce one bit per clock cycle. However, because each novel state bit is not used for at least 64 rounds, 64 state bits can be generated in parallel at a slightly greater hardware cost of 5504 gates. 
Different tradeoffs between speed and area are also possible.<br /> <br /> The same property allows an efficient bitslice implementation in software; performance testing by [[eSTREAM]] gives bulk encryption speeds of around 4 cycles/byte on some [[x86]] platforms, which compares well to the 19 cycles/byte of the [[Advanced Encryption Standard|AES]] reference implementation on the same platform.<br /> <br /> ==Security==<br /> Trivium's security is bounded by its 80-bit key length. As of January [[2006]], no cryptanalytic attacks better than [[brute force attack]] are known; the best attack, by [[Shahram Khazaei]], requires around 2&lt;sup&gt;135&lt;/sup&gt; operations [http://www.ecrypt.eu.org/stream/phorum/read.php?1,448].<br /> <br /> A detailed justification of the design of Trivium is given in the paper &quot;Trivium - A Stream Cipher Construction Inspired by Block Cipher Design Principles&quot;.<br /> <br /> No new design should be fielded for real use until it has survived a period of public scrutiny, and Trivium's design is also fairly novel.
The authors express the hope that its simple design should inspire greater confidence in its security once it survives such scrutiny.<br /> <br /> ==External links==<br /> * [http://www.ecrypt.eu.org/stream/ciphers/trivium/trivium.pdf Trivium specification] ([[PDF]])<br /> * [http://www.ecrypt.eu.org/stream/papersdir/2006/021.pdf Trivium - A Stream Cipher Construction Inspired by Block Cipher Design Principles] ([[PDF]])<br /> * [http://www.ecrypt.eu.org/stream/trivium.html eSTREAM page on Trivium]<br /> <br /> {{stream ciphers}}<br /> [[Category:Stream ciphers]]</div> Ciphergoth https://de.wikipedia.org/w/index.php?title=Trivium_(Algorithmus)&diff=83575878 Trivium (Algorithmus) 2006-04-15T07:40:07Z <p>Ciphergoth: I got this wrong, it&#039;s capital D everywhere</p> <hr /> <div>[[Image:Trivium_(cipher).png|thumb|300px|right|Structure of Trivium]]<br /> '''Trivium''' is a simple synchronous [[stream cipher]] designed to provide a flexible trade-off between speed and [[gate count]] in hardware, and reasonably efficient software implementation. It generates up to 2&lt;sup&gt;64&lt;/sup&gt; [[bit]]s of output from an 80-bit [[key length|key]] and an 80-bit [[initialization vector|IV]].<br /> <br /> Trivium was submitted to the Profile II (hardware) of the [[eSTREAM]] competition by its authors, [[Christophe De Cannière]] and [[Bart Preneel]], and has been selected as a Phase 2 Focus Candidate for Profile 2 by the eSTREAM project. It is not patented.<br /> <br /> ==Description==<br /> Trivium's 288-bit internal state consists of three [[shift register]]s of different lengths. At each round, a bit is shifted into each of the three shift registers using a non-linear combination of taps from that and one other register; one bit of output is produced.
To initialize the cipher, the key and IV are written into two of the shift registers, with the remaining bits starting in a fixed pattern; the cipher state is then updated 4 &amp;times; 288 = 1152 times, so that every bit of the internal state depends on every bit of the key and of the IV in a complex nonlinear way.<br /> <br /> No taps appear on the first 64 bits of each shift register, so each novel state bit is not used until at least 64 rounds after it is generated. This is the key to Trivium's software performance and flexibility in hardware.<br /> <br /> ==Specification==<br /> Trivium may be specified very concisely using three recursive equations [http://www.ecrypt.eu.org/stream/phorum/read.php?1,448]. Each variable is an element of [[finite field|GF]](2); they can be represented as [[bit]]s, with &quot;+&quot; being [[Exclusive or|XOR]] and multiplication being [[Binary and|AND]].<br /> <br /> *''a''&lt;sub&gt;''i''&lt;/sub&gt; = ''c''&lt;sub&gt;''i''-66&lt;/sub&gt; + ''c''&lt;sub&gt;''i''-111&lt;/sub&gt; + ''c''&lt;sub&gt;''i''-110&lt;/sub&gt; ''c''&lt;sub&gt;''i''-109&lt;/sub&gt; + ''a''&lt;sub&gt;''i''-69&lt;/sub&gt;<br /> *''b''&lt;sub&gt;''i''&lt;/sub&gt; = ''a''&lt;sub&gt;''i''-66&lt;/sub&gt; + ''a''&lt;sub&gt;''i''-93&lt;/sub&gt; + ''a''&lt;sub&gt;''i''-92&lt;/sub&gt; ''a''&lt;sub&gt;''i''-91&lt;/sub&gt; + ''b''&lt;sub&gt;''i''-78&lt;/sub&gt;<br /> *''c''&lt;sub&gt;''i''&lt;/sub&gt; = ''b''&lt;sub&gt;''i''-69&lt;/sub&gt; + ''b''&lt;sub&gt;''i''-84&lt;/sub&gt; + ''b''&lt;sub&gt;''i''-83&lt;/sub&gt; ''b''&lt;sub&gt;''i''-82&lt;/sub&gt; + ''c''&lt;sub&gt;''i''-87&lt;/sub&gt;<br /> <br /> The output bits ''r''&lt;sub&gt;0&lt;/sub&gt; ... 
''r''&lt;sub&gt;2&lt;sup&gt;64&lt;/sup&gt;-1&lt;/sub&gt; are then generated by<br /> <br /> *''r''&lt;sub&gt;''i''&lt;/sub&gt; = ''c''&lt;sub&gt;''i''-66&lt;/sub&gt; + ''c''&lt;sub&gt;''i''-111&lt;/sub&gt; + ''a''&lt;sub&gt;''i''-66&lt;/sub&gt; + ''a''&lt;sub&gt;''i''-93&lt;/sub&gt; + ''b''&lt;sub&gt;''i''-69&lt;/sub&gt; + ''b''&lt;sub&gt;''i''-84&lt;/sub&gt;<br /> <br /> Given an 80-bit key ''k''&lt;sub&gt;0&lt;/sub&gt; ... ''k''&lt;sub&gt;79&lt;/sub&gt; and an ''l''-bit IV ''v''&lt;sub&gt;0&lt;/sub&gt; ... ''v''&lt;sub&gt;''l''-1&lt;/sub&gt; (where 0 &amp;le; ''l'' &amp;le; 80), Trivium is initialized as follows:<br /> <br /> *(''a''&lt;sub&gt;-1245&lt;/sub&gt; ... ''a''&lt;sub&gt;-1153&lt;/sub&gt;) = (0, 0 ... 0, ''k''&lt;sub&gt;0&lt;/sub&gt; ... ''k''&lt;sub&gt;79&lt;/sub&gt;)<br /> *(''b''&lt;sub&gt;-1236&lt;/sub&gt; ... ''b''&lt;sub&gt;-1153&lt;/sub&gt;) = (0, 0 ... 0, ''v''&lt;sub&gt;0&lt;/sub&gt; ... ''v''&lt;sub&gt;''l''-1&lt;/sub&gt;)<br /> *(''c''&lt;sub&gt;-1263&lt;/sub&gt; ... ''c''&lt;sub&gt;-1153&lt;/sub&gt;) = (1, 1, 1, 0, 0 ... 0)<br /> <br /> The large negative indices on the initial values reflect the 1152 steps that must take place before output is produced.<br /> <br /> To map a stream of bits ''r'' to a stream of bytes ''R'', we use the little-endian mapping ''R''&lt;sub&gt;''i''&lt;/sub&gt; = Σ&lt;sub&gt;''j''=0 ... 7&lt;/sub&gt; 2&lt;sup&gt;j&lt;/sup&gt; ''r''&lt;sub&gt;8''i''+j&lt;/sub&gt;.<br /> <br /> ==Performance==<br /> A straightforward hardware implementation of Trivium would use 3488 [[logic gate]]s and produce one bit per clock cycle. However, because each novel state bit is not used for at least 64 rounds, 64 state bits can be generated in parallel at a slightly greater hardware cost of 5504 gates. 
Different tradeoffs between speed and area are also possible.<br /> <br /> The same property allows an efficient bitslice implementation in software; performance testing by [[eSTREAM]] gives bulk encryption speeds of around 4 cycles/byte on some [[x86]] platforms, which compares well to the 19 cycles/byte of the [[Advanced Encryption Standard|AES]] reference implementation on the same platform.<br /> <br /> ==Security==<br /> Trivium's security is bounded by its 80-bit key length. As of January [[2006]], no cryptanalytic attacks better than [[brute force attack]] are known; the best attack, by [[Shahram Khazaei]], requires around 2&lt;sup&gt;135&lt;/sup&gt; operations [http://www.ecrypt.eu.org/stream/phorum/read.php?1,448].<br /> <br /> A detailed justification of the design of Trivium is given in the paper &quot;Trivium - A Stream Cipher Construction Inspired by Block Cipher Design Principles&quot;.<br /> <br /> No new design should be fielded for real use until it has survived a period of public scrutiny, and Trivium's design is also fairly novel.
The authors express the hope that its simple design should inspire greater confidence in its security once it survives such scrutiny.<br /> <br /> ==External links==<br /> * [http://www.ecrypt.eu.org/stream/ciphers/trivium/trivium.pdf Trivium specification] ([[PDF]])<br /> * [http://www.ecrypt.eu.org/stream/papersdir/2006/021.pdf Trivium - A Stream Cipher Construction Inspired by Block Cipher Design Principles] ([[PDF]])<br /> * [http://www.ecrypt.eu.org/stream/trivium.html eSTREAM page on Trivium]<br /> <br /> {{stream ciphers}}<br /> [[Category:Stream ciphers]]</div> Ciphergoth https://de.wikipedia.org/w/index.php?title=Trivium_(Algorithmus)&diff=83575877 Trivium (Algorithmus) 2006-04-15T07:14:26Z <p>Ciphergoth: fix repetition in introduction.</p> <hr /> <div>[[Image:Trivium_(cipher).png|thumb|300px|right|Structure of Trivium]]<br /> '''Trivium''' is a simple synchronous [[stream cipher]] designed to provide a flexible trade-off between speed and [[gate count]] in hardware, and reasonably efficient software implementation. It generates up to 2&lt;sup&gt;64&lt;/sup&gt; [[bit]]s of output from an 80-bit [[key length|key]] and an 80-bit [[initialization vector|IV]].<br /> <br /> Trivium was submitted to the Profile II (hardware) of the [[eSTREAM]] competition by its authors, [[Christophe de Cannière]] and [[Bart Preneel]], and has been selected as a Phase 2 Focus Candidate for Profile 2 by the eSTREAM project. It is not patented.<br /> <br /> ==Description==<br /> Trivium's 288-bit internal state consists of three [[shift register]]s of different lengths. At each round, a bit is shifted into each of the three shift registers using a non-linear combination of taps from that and one other register; one bit of output is produced.
To initialize the cipher, the key and IV are written into two of the shift registers, with the remaining bits starting in a fixed pattern; the cipher state is then updated 4 &amp;times; 288 = 1152 times, so that every bit of the internal state depends on every bit of the key and of the IV in a complex nonlinear way.<br /> <br /> No taps appear on the first 64 bits of each shift register, so each novel state bit is not used until at least 64 rounds after it is generated. This is the key to Trivium's software performance and flexibility in hardware.<br /> <br /> ==Specification==<br /> Trivium may be specified very concisely using three recursive equations [http://www.ecrypt.eu.org/stream/phorum/read.php?1,448]. Each variable is an element of [[finite field|GF]](2); they can be represented as [[bit]]s, with &quot;+&quot; being [[Exclusive or|XOR]] and multiplication being [[Binary and|AND]].<br /> <br /> *''a''&lt;sub&gt;''i''&lt;/sub&gt; = ''c''&lt;sub&gt;''i''-66&lt;/sub&gt; + ''c''&lt;sub&gt;''i''-111&lt;/sub&gt; + ''c''&lt;sub&gt;''i''-110&lt;/sub&gt; ''c''&lt;sub&gt;''i''-109&lt;/sub&gt; + ''a''&lt;sub&gt;''i''-69&lt;/sub&gt;<br /> *''b''&lt;sub&gt;''i''&lt;/sub&gt; = ''a''&lt;sub&gt;''i''-66&lt;/sub&gt; + ''a''&lt;sub&gt;''i''-93&lt;/sub&gt; + ''a''&lt;sub&gt;''i''-92&lt;/sub&gt; ''a''&lt;sub&gt;''i''-91&lt;/sub&gt; + ''b''&lt;sub&gt;''i''-78&lt;/sub&gt;<br /> *''c''&lt;sub&gt;''i''&lt;/sub&gt; = ''b''&lt;sub&gt;''i''-69&lt;/sub&gt; + ''b''&lt;sub&gt;''i''-84&lt;/sub&gt; + ''b''&lt;sub&gt;''i''-83&lt;/sub&gt; ''b''&lt;sub&gt;''i''-82&lt;/sub&gt; + ''c''&lt;sub&gt;''i''-87&lt;/sub&gt;<br /> <br /> The output bits ''r''&lt;sub&gt;0&lt;/sub&gt; ... 
''r''&lt;sub&gt;2&lt;sup&gt;64&lt;/sup&gt;-1&lt;/sub&gt; are then generated by<br /> <br /> *''r''&lt;sub&gt;''i''&lt;/sub&gt; = ''c''&lt;sub&gt;''i''-66&lt;/sub&gt; + ''c''&lt;sub&gt;''i''-111&lt;/sub&gt; + ''a''&lt;sub&gt;''i''-66&lt;/sub&gt; + ''a''&lt;sub&gt;''i''-93&lt;/sub&gt; + ''b''&lt;sub&gt;''i''-69&lt;/sub&gt; + ''b''&lt;sub&gt;''i''-84&lt;/sub&gt;<br /> <br /> Given an 80-bit key ''k''&lt;sub&gt;0&lt;/sub&gt; ... ''k''&lt;sub&gt;79&lt;/sub&gt; and an ''l''-bit IV ''v''&lt;sub&gt;0&lt;/sub&gt; ... ''v''&lt;sub&gt;''l''-1&lt;/sub&gt; (where 0 &amp;le; ''l'' &amp;le; 80), Trivium is initialized as follows:<br /> <br /> *(''a''&lt;sub&gt;-1245&lt;/sub&gt; ... ''a''&lt;sub&gt;-1153&lt;/sub&gt;) = (0, 0 ... 0, ''k''&lt;sub&gt;0&lt;/sub&gt; ... ''k''&lt;sub&gt;79&lt;/sub&gt;)<br /> *(''b''&lt;sub&gt;-1236&lt;/sub&gt; ... ''b''&lt;sub&gt;-1153&lt;/sub&gt;) = (0, 0 ... 0, ''v''&lt;sub&gt;0&lt;/sub&gt; ... ''v''&lt;sub&gt;''l''-1&lt;/sub&gt;)<br /> *(''c''&lt;sub&gt;-1263&lt;/sub&gt; ... ''c''&lt;sub&gt;-1153&lt;/sub&gt;) = (1, 1, 1, 0, 0 ... 0)<br /> <br /> The large negative indices on the initial values reflect the 1152 steps that must take place before output is produced.<br /> <br /> To map a stream of bits ''r'' to a stream of bytes ''R'', we use the little-endian mapping ''R''&lt;sub&gt;''i''&lt;/sub&gt; = Σ&lt;sub&gt;''j''=0 ... 7&lt;/sub&gt; 2&lt;sup&gt;j&lt;/sup&gt; ''r''&lt;sub&gt;8''i''+j&lt;/sub&gt;.<br /> <br /> ==Performance==<br /> A straightforward hardware implementation of Trivium would use 3488 [[logic gate]]s and produce one bit per clock cycle. However, because each novel state bit is not used for at least 64 rounds, 64 state bits can be generated in parallel at a slightly greater hardware cost of 5504 gates. 
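An added bit-level implementation of the equations above in Python (example code written for this page, not the cipher authors' reference code): it loads the key, IV and fixed pattern as the Specification lists them, runs the 1152 warm-up rounds, and also computes 64 rounds in one batch to show the 64-round independence property that the parallel hardware and bitslice figures rely on. Assumptions: key and IV bytes are unpacked into bits with the same little-endian mapping the page gives for output bytes, so the byte-level keystream need not match the eSTREAM reference vectors' bit ordering; all function names are this example's own.

```python
"""Trivium keystream generator built from the page's three recursive
equations and output equation (added example; not the authors' code).

Each register is a Python list whose index 0 holds the newest bit, so the
page's a_{i-d} is a[d-1].  Key/IV bytes are unpacked with the page's
little-endian byte mapping (bit j of byte i is k_{8i+j}); that unpacking is
an assumption of this example, not something the page specifies.
"""
import copy


def _bits(data, nbits):
    """Little-endian unpack (assumed): bit j of byte i -> position 8*i + j."""
    return [(data[i >> 3] >> (i & 7)) & 1 for i in range(nbits)]


def load_state(key, iv):
    """Registers exactly as the page lists them, before the warm-up rounds."""
    if len(key) != 10 or len(iv) > 10:
        raise ValueError("key must be 80 bits and the IV at most 80 bits")
    kbits = _bits(key, 80)
    vbits = _bits(iv, 8 * len(iv))
    # (a_-1245 ... a_-1153) = (0 ... 0, k_0 ... k_79): k_79 is the newest bit
    a = kbits[::-1] + [0] * (93 - 80)
    # (b_-1236 ... b_-1153) = (0 ... 0, v_0 ... v_{l-1})
    b = vbits[::-1] + [0] * (84 - len(vbits))
    # (c_-1263 ... c_-1153) = (1, 1, 1, 0 ... 0): the three oldest bits are 1
    c = [0] * 108 + [1, 1, 1]
    return [a, b, c]


def trivium_init(key, iv):
    """Load the state and clock it 4 x 288 = 1152 times, discarding output."""
    state = load_state(key, iv)
    for _ in range(4 * 288):
        clock(state)
    return state


def clock(state):
    """One round: a_i, b_i, c_i and r_i straight from the page's equations."""
    a, b, c = state
    # r_i = c_{i-66} + c_{i-111} + a_{i-66} + a_{i-93} + b_{i-69} + b_{i-84}
    r = c[65] ^ c[110] ^ a[65] ^ a[92] ^ b[68] ^ b[83]
    # a_i = c_{i-66} + c_{i-111} + c_{i-110} c_{i-109} + a_{i-69}
    new_a = c[65] ^ c[110] ^ (c[109] & c[108]) ^ a[68]
    # b_i = a_{i-66} + a_{i-93} + a_{i-92} a_{i-91} + b_{i-78}
    new_b = a[65] ^ a[92] ^ (a[91] & a[90]) ^ b[77]
    # c_i = b_{i-69} + b_{i-84} + b_{i-83} b_{i-82} + c_{i-87}
    new_c = b[68] ^ b[83] ^ (b[82] & b[81]) ^ c[86]
    for reg, bit in ((a, new_a), (b, new_b), (c, new_c)):
        reg.insert(0, bit)
        reg.pop()
    return r


def clock64(state):
    """64 rounds in one batch.  No tap reads the 64 newest bits of any
    register, so every tap for rounds i..i+63 is already present before the
    batch and the 64 new bits per register are mutually independent.
    Returns the 64 output bits and advances the state by 64 rounds."""
    a, b, c = state
    out, na, nb, nc = [], [], [], []
    for j in range(64):
        # a tap of age d at round i+j is pre-batch index d-1-j; d >= 66 > j
        A = lambda d: a[d - 1 - j]
        B = lambda d: b[d - 1 - j]
        C = lambda d: c[d - 1 - j]
        out.append(C(66) ^ C(111) ^ A(66) ^ A(93) ^ B(69) ^ B(84))
        na.append(C(66) ^ C(111) ^ (C(110) & C(109)) ^ A(69))
        nb.append(A(66) ^ A(93) ^ (A(92) & A(91)) ^ B(78))
        nc.append(B(69) ^ B(84) ^ (B(83) & B(82)) ^ C(87))
    state[0] = na[::-1] + a[:-64]   # newest batch bit first, 64 oldest dropped
    state[1] = nb[::-1] + b[:-64]
    state[2] = nc[::-1] + c[:-64]
    return out


def keystream(state, nbytes):
    """Output bytes R_i = sum_{j=0..7} 2^j r_{8i+j}: the page's byte mapping."""
    bits = [clock(state) for _ in range(8 * nbytes)]
    return bytes(sum(bits[8 * i + j] << j for j in range(8)) for i in range(nbytes))


def encrypt(key, iv, data):
    """XOR with the keystream; the same call decrypts.  As with any
    synchronous stream cipher, a (key, IV) pair must not be reused."""
    ks = keystream(trivium_init(key, iv), len(data))
    return bytes(x ^ y for x, y in zip(data, ks))


def parallel_matches_serial(key, iv, batches=4):
    """Cross-check: one clock64 must equal 64 serial clocks, output and state."""
    serial = trivium_init(key, iv)
    parallel = copy.deepcopy(serial)
    for _ in range(batches):
        serial_bits = [clock(serial) for _ in range(64)]
        if clock64(parallel) != serial_bits or parallel != serial:
            return False
    return True


if __name__ == "__main__":
    KEY = bytes([0x80] + [0] * 9)   # constructed sample key, not a published vector
    IV = bytes(10)                  # constructed all-zero 80-bit IV
    print(keystream(trivium_init(KEY, IV), 16).hex())
    print("64-round batch matches serial:", parallel_matches_serial(KEY, IV))
```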
Different trade-offs between speed and area are also possible.<br /> <br /> The same property allows an efficient bitslice implementation in software; performance testing by [[eSTREAM]] gives bulk encryption speeds of around 4 cycles/byte on some [[x86]] platforms, which compares well to the 19 cycles/byte of the [[Advanced Encryption Standard|AES]] reference implementation on the same platform.<br /> <br /> ==Security==<br /> Trivium's security is bounded by its 80-bit key length. As of January [[2006]], no cryptanalytic attacks better than [[brute force attack]] are known; the best attack, by [[Shahram Khazaei]], requires around 2&lt;sup&gt;135&lt;/sup&gt; operations [http://www.ecrypt.eu.org/stream/phorum/read.php?1,448].<br /> <br /> A detailed justification of the design of Trivium is given in the paper &quot;Trivium - A Stream Cipher Construction Inspired by Block Cipher Design Principles&quot;.<br /> <br /> No new design should be fielded for real use until it has survived a period of public scrutiny, and Trivium's design is also fairly novel.
The authors express the hope that its simple design should inspire greater confidence in its security once it survives such scrutiny.<br /> <br /> ==External links==<br /> * [http://www.ecrypt.eu.org/stream/ciphers/trivium/trivium.pdf Trivium specification] ([[PDF]])<br /> * [http://www.ecrypt.eu.org/stream/papersdir/2006/021.pdf Trivium - A Stream Cipher Construction Inspired by Block Cipher Design Principles] ([[PDF]])<br /> * [http://www.ecrypt.eu.org/stream/trivium.html eSTREAM page on Trivium]<br /> <br /> {{stream ciphers}}<br /> [[Category:Stream ciphers]]</div> Ciphergoth https://de.wikipedia.org/w/index.php?title=Trivium_(Algorithmus)&diff=83575876 Trivium (Algorithmus) 2006-04-14T13:09:17Z <p>Ciphergoth: atm I only have de Cannière's word that it isn't patented - I've asked him to say it somewhere verifiable...</p> <hr /> <div>[[Image:Trivium_(cipher).png|thumb|300px|right|Structure of Trivium]]<br /> '''Trivium''' is a simple synchronous [[stream cipher]] designed to provide a flexible trade-off between speed and [[gate count]] in hardware, and reasonably efficient software implementation. It generates up to 2&lt;sup&gt;64&lt;/sup&gt; [[bit]]s of output from an 80-bit [[key length|key]] and an 80-bit [[initialization vector|IV]].<br /> <br /> Trivium was submitted to the Profile II (hardware) of the [[eSTREAM]] competition by its authors, [[Christophe de Cannière]] and [[Bart Preneel]]. It is not patented.<br /> <br /> Trivium has been selected as Phase 2 Focus Candidate for Profile 2 by the eSTREAM project. It is not patented.<br /> <br /> ==Description==<br /> Trivium's 288-bit internal state consists of three [[shift register]]s of different lengths. At each round, a bit is shifted into each of the three shift registers using a non-linear combination of taps from that and one other register; one bit of output is produced.
To initialize the cipher, the key and IV are written into two of the shift registers, with the remaining bits starting in a fixed pattern; the cipher state is then updated 4 &amp;times; 288 = 1152 times, so that every bit of the internal state depends on every bit of the key and of the IV in a complex nonlinear way.<br /> <br /> No taps appear on the first 64 bits of each shift register, so each novel state bit is not used until at least 64 rounds after it is generated. This is the key to Trivium's software performance and flexibility in hardware.<br /> <br /> ==Specification==<br /> Trivium may be specified very concisely using three recursive equations [http://www.ecrypt.eu.org/stream/phorum/read.php?1,448]. Each variable is an element of [[finite field|GF]](2); they can be represented as [[bit]]s, with &quot;+&quot; being [[Exclusive or|XOR]] and multiplication being [[Binary and|AND]].<br /> <br /> *''a''&lt;sub&gt;''i''&lt;/sub&gt; = ''c''&lt;sub&gt;''i''-66&lt;/sub&gt; + ''c''&lt;sub&gt;''i''-111&lt;/sub&gt; + ''c''&lt;sub&gt;''i''-110&lt;/sub&gt; ''c''&lt;sub&gt;''i''-109&lt;/sub&gt; + ''a''&lt;sub&gt;''i''-69&lt;/sub&gt;<br /> *''b''&lt;sub&gt;''i''&lt;/sub&gt; = ''a''&lt;sub&gt;''i''-66&lt;/sub&gt; + ''a''&lt;sub&gt;''i''-93&lt;/sub&gt; + ''a''&lt;sub&gt;''i''-92&lt;/sub&gt; ''a''&lt;sub&gt;''i''-91&lt;/sub&gt; + ''b''&lt;sub&gt;''i''-78&lt;/sub&gt;<br /> *''c''&lt;sub&gt;''i''&lt;/sub&gt; = ''b''&lt;sub&gt;''i''-69&lt;/sub&gt; + ''b''&lt;sub&gt;''i''-84&lt;/sub&gt; + ''b''&lt;sub&gt;''i''-83&lt;/sub&gt; ''b''&lt;sub&gt;''i''-82&lt;/sub&gt; + ''c''&lt;sub&gt;''i''-87&lt;/sub&gt;<br /> <br /> The output bits ''r''&lt;sub&gt;0&lt;/sub&gt; ... 
''r''&lt;sub&gt;2&lt;sup&gt;64&lt;/sup&gt;-1&lt;/sub&gt; are then generated by<br /> <br /> *''r''&lt;sub&gt;''i''&lt;/sub&gt; = ''c''&lt;sub&gt;''i''-66&lt;/sub&gt; + ''c''&lt;sub&gt;''i''-111&lt;/sub&gt; + ''a''&lt;sub&gt;''i''-66&lt;/sub&gt; + ''a''&lt;sub&gt;''i''-93&lt;/sub&gt; + ''b''&lt;sub&gt;''i''-69&lt;/sub&gt; + ''b''&lt;sub&gt;''i''-84&lt;/sub&gt;<br /> <br /> Given an 80-bit key ''k''&lt;sub&gt;0&lt;/sub&gt; ... ''k''&lt;sub&gt;79&lt;/sub&gt; and an ''l''-bit IV ''v''&lt;sub&gt;0&lt;/sub&gt; ... ''v''&lt;sub&gt;''l''-1&lt;/sub&gt; (where 0 &amp;le; ''l'' &amp;le; 80), Trivium is initialized as follows:<br /> <br /> *(''a''&lt;sub&gt;-1245&lt;/sub&gt; ... ''a''&lt;sub&gt;-1153&lt;/sub&gt;) = (0, 0 ... 0, ''k''&lt;sub&gt;0&lt;/sub&gt; ... ''k''&lt;sub&gt;79&lt;/sub&gt;)<br /> *(''b''&lt;sub&gt;-1236&lt;/sub&gt; ... ''b''&lt;sub&gt;-1153&lt;/sub&gt;) = (0, 0 ... 0, ''v''&lt;sub&gt;0&lt;/sub&gt; ... ''v''&lt;sub&gt;''l''-1&lt;/sub&gt;)<br /> *(''c''&lt;sub&gt;-1263&lt;/sub&gt; ... ''c''&lt;sub&gt;-1153&lt;/sub&gt;) = (1, 1, 1, 0, 0 ... 0)<br /> <br /> The large negative indices on the initial values reflect the 1152 steps that must take place before output is produced.<br /> <br /> To map a stream of bits ''r'' to a stream of bytes ''R'', we use the little-endian mapping ''R''&lt;sub&gt;''i''&lt;/sub&gt; = Σ&lt;sub&gt;''j''=0 ... 7&lt;/sub&gt; 2&lt;sup&gt;j&lt;/sup&gt; ''r''&lt;sub&gt;8''i''+j&lt;/sub&gt;.<br /> <br /> ==Performance==<br /> A straightforward hardware implementation of Trivium would use 3488 [[logic gate]]s and produce one bit per clock cycle. However, because each novel state bit is not used for at least 64 rounds, 64 state bits can be generated in parallel at a slightly greater hardware cost of 5504 gates. 
Different trade-offs between speed and area are also possible.<br /> <br /> The same property allows an efficient bitslice implementation in software; performance testing by [[eSTREAM]] gives bulk encryption speeds of around 4 cycles/byte on some [[x86]] platforms, which compares well to the 19 cycles/byte of the [[Advanced Encryption Standard|AES]] reference implementation on the same platform.<br /> <br /> ==Security==<br /> Trivium's security is bounded by its 80-bit key length. As of January [[2006]], no cryptanalytic attacks better than [[brute force attack]] are known; the best attack, by [[Shahram Khazaei]], requires around 2&lt;sup&gt;135&lt;/sup&gt; operations [http://www.ecrypt.eu.org/stream/phorum/read.php?1,448].<br /> <br /> A detailed justification of the design of Trivium is given in the paper &quot;Trivium - A Stream Cipher Construction Inspired by Block Cipher Design Principles&quot;.<br /> <br /> No new design should be fielded for real use until it has survived a period of public scrutiny, and Trivium's design is also fairly novel.
The authors express the hope that its simple design should inspire greater confidence in its security once it survives such scrutiny.<br /> <br /> ==External links==<br /> * [http://www.ecrypt.eu.org/stream/ciphers/trivium/trivium.pdf Trivium specification] ([[PDF]])<br /> * [http://www.ecrypt.eu.org/stream/papersdir/2006/021.pdf Trivium - A Stream Cipher Construction Inspired by Block Cipher Design Principles] ([[PDF]])<br /> * [http://www.ecrypt.eu.org/stream/trivium.html eSTREAM page on Trivium]<br /> <br /> {{stream ciphers}}<br /> [[Category:Stream ciphers]]</div> Ciphergoth https://de.wikipedia.org/w/index.php?title=Trivium_(Algorithmus)&diff=83575874 Trivium (Algorithmus) 2006-03-02T09:51:55Z <p>Ciphergoth: /* Specification */ specify bounds on IV length</p> <hr /> <div>[[Image:Trivium_(cipher).png|thumb|300px|right|Structure of Trivium]]<br /> '''Trivium''' is a simple synchronous [[stream cipher]] designed to provide a flexible trade-off between speed and [[gate count]] in hardware, and reasonably efficient software implementation. It generates up to 2&lt;sup&gt;64&lt;/sup&gt; [[bit]]s of output from an 80-bit [[key length|key]] and an 80-bit [[initialization vector|IV]].<br /> <br /> Trivium was submitted to the Profile II (hardware) of the [[eSTREAM]] competition by its authors, [[Christophe De Cannière]] and [[Bart Preneel]]. It is not patented.<br /> <br /> ==Description==<br /> Trivium's 288-bit internal state consists of three [[shift register]]s of different lengths. At each round, a bit is shifted into each of the three shift registers using a non-linear combination of taps from that and one other register; one bit of output is produced.
To initialize the cipher, the key and IV are written into two of the shift registers, with the remaining bits starting in a fixed pattern; the cipher state is then updated 4 &amp;times; 288 = 1152 times, so that every bit of the internal state depends on every bit of the key and of the IV in a complex nonlinear way.<br /> <br /> No taps appear on the first 64 bits of each shift register, so each novel state bit is not used until at least 64 rounds after it is generated. This is the key to Trivium's software performance and flexibility in hardware.<br /> <br /> ==Specification==<br /> Trivium may be specified very concisely using three recursive equations [http://www.ecrypt.eu.org/stream/phorum/read.php?1,448]. Each variable is an element of [[finite field|GF]](2); they can be represented as [[bit]]s, with &quot;+&quot; being [[Exclusive or|XOR]] and multiplication being [[Binary and|AND]].<br /> <br /> *''a''&lt;sub&gt;''i''&lt;/sub&gt; = ''c''&lt;sub&gt;''i''-66&lt;/sub&gt; + ''c''&lt;sub&gt;''i''-111&lt;/sub&gt; + ''c''&lt;sub&gt;''i''-110&lt;/sub&gt; ''c''&lt;sub&gt;''i''-109&lt;/sub&gt; + ''a''&lt;sub&gt;''i''-69&lt;/sub&gt;<br /> *''b''&lt;sub&gt;''i''&lt;/sub&gt; = ''a''&lt;sub&gt;''i''-66&lt;/sub&gt; + ''a''&lt;sub&gt;''i''-93&lt;/sub&gt; + ''a''&lt;sub&gt;''i''-92&lt;/sub&gt; ''a''&lt;sub&gt;''i''-91&lt;/sub&gt; + ''b''&lt;sub&gt;''i''-78&lt;/sub&gt;<br /> *''c''&lt;sub&gt;''i''&lt;/sub&gt; = ''b''&lt;sub&gt;''i''-69&lt;/sub&gt; + ''b''&lt;sub&gt;''i''-84&lt;/sub&gt; + ''b''&lt;sub&gt;''i''-83&lt;/sub&gt; ''b''&lt;sub&gt;''i''-82&lt;/sub&gt; + ''c''&lt;sub&gt;''i''-87&lt;/sub&gt;<br /> <br /> The output bits ''r''&lt;sub&gt;0&lt;/sub&gt; ... 
''r''&lt;sub&gt;2&lt;sup&gt;64&lt;/sup&gt;-1&lt;/sub&gt; are then generated by<br /> <br /> *''r''&lt;sub&gt;''i''&lt;/sub&gt; = ''c''&lt;sub&gt;''i''-66&lt;/sub&gt; + ''c''&lt;sub&gt;''i''-111&lt;/sub&gt; + ''a''&lt;sub&gt;''i''-66&lt;/sub&gt; + ''a''&lt;sub&gt;''i''-93&lt;/sub&gt; + ''b''&lt;sub&gt;''i''-69&lt;/sub&gt; + ''b''&lt;sub&gt;''i''-84&lt;/sub&gt;<br /> <br /> Given an 80-bit key ''k''&lt;sub&gt;0&lt;/sub&gt; ... ''k''&lt;sub&gt;79&lt;/sub&gt; and an ''l''-bit IV ''v''&lt;sub&gt;0&lt;/sub&gt; ... ''v''&lt;sub&gt;''l''-1&lt;/sub&gt; (where 0 &amp;le; ''l'' &amp;le; 80), Trivium is initialized as follows:<br /> <br /> *(''a''&lt;sub&gt;-1245&lt;/sub&gt; ... ''a''&lt;sub&gt;-1153&lt;/sub&gt;) = (0, 0 ... 0, ''k''&lt;sub&gt;0&lt;/sub&gt; ... ''k''&lt;sub&gt;79&lt;/sub&gt;)<br /> *(''b''&lt;sub&gt;-1236&lt;/sub&gt; ... ''b''&lt;sub&gt;-1153&lt;/sub&gt;) = (0, 0 ... 0, ''v''&lt;sub&gt;0&lt;/sub&gt; ... ''v''&lt;sub&gt;''l''-1&lt;/sub&gt;)<br /> *(''c''&lt;sub&gt;-1263&lt;/sub&gt; ... ''c''&lt;sub&gt;-1153&lt;/sub&gt;) = (1, 1, 1, 0, 0 ... 0)<br /> <br /> The large negative indices on the initial values reflect the 1152 steps that must take place before output is produced.<br /> <br /> To map a stream of bits ''r'' to a stream of bytes ''R'', we use the little-endian mapping ''R''&lt;sub&gt;''i''&lt;/sub&gt; = Σ&lt;sub&gt;''j''=0 ... 7&lt;/sub&gt; 2&lt;sup&gt;j&lt;/sup&gt; ''r''&lt;sub&gt;8''i''+j&lt;/sub&gt;.<br /> <br /> ==Performance==<br /> A straightforward hardware implementation of Trivium would use 3488 [[logic gate]]s and produce one bit per clock cycle. However, because each novel state bit is not used for at least 64 rounds, 64 state bits can be generated in parallel at a slightly greater hardware cost of 5504 gates. 
Different trade-offs between speed and area are also possible.<br /> <br /> The same property allows an efficient bitslice implementation in software; performance testing by [[eSTREAM]] gives bulk encryption speeds of around 4 cycles/byte on some [[x86]] platforms, which compares well to the 19 cycles/byte of the [[Advanced Encryption Standard|AES]] reference implementation on the same platform.<br /> <br /> ==Security==<br /> Trivium's security is bounded by its 80-bit key length. As of January [[2006]], no cryptanalytic attacks better than [[brute force attack]] are known; the best attack, by [[Shahram Khazaei]], requires around 2&lt;sup&gt;135&lt;/sup&gt; operations [http://www.ecrypt.eu.org/stream/phorum/read.php?1,448].<br /> <br /> A detailed justification of the design of Trivium is given in the paper &quot;Trivium - A Stream Cipher Construction Inspired by Block Cipher Design Principles&quot;.<br /> <br /> No new design should be fielded for real use until it has survived a period of public scrutiny, and Trivium's design is also fairly novel.
The authors express the hope that its simple design should inspire greater confidence in its security once it survives such scrutiny.<br /> <br /> ==External links==<br /> * [http://www.ecrypt.eu.org/stream/ciphers/trivium/trivium.pdf Trivium specification] ([[PDF]])<br /> * [http://www.ecrypt.eu.org/stream/papersdir/2006/021.pdf Trivium - A Stream Cipher Construction Inspired by Block Cipher Design Principles] ([[PDF]])<br /> * [http://www.ecrypt.eu.org/stream/trivium.html eSTREAM page on Trivium]<br /> <br /> {{stream ciphers}}<br /> [[Category:Stream ciphers]]</div> Ciphergoth https://de.wikipedia.org/w/index.php?title=Trivium_(Algorithmus)&diff=83575873 Trivium (Algorithmus) 2006-02-27T17:14:27Z <p>Ciphergoth: /* Specification */ make more concise</p> <hr /> <div>[[Image:Trivium_(cipher).png|thumb|300px|right|Structure of Trivium]]<br /> '''Trivium''' is a simple synchronous [[stream cipher]] designed to provide a flexible trade-off between speed and [[gate count]] in hardware, and reasonably efficient software implementation. It generates up to 2&lt;sup&gt;64&lt;/sup&gt; [[bit]]s of output from an 80-bit [[key length|key]] and an 80-bit [[initialization vector|IV]].<br /> <br /> Trivium was submitted to the Profile II (hardware) of the [[eSTREAM]] competition by its authors, [[Christophe De Cannière]] and [[Bart Preneel]]. It is not patented.<br /> <br /> ==Description==<br /> Trivium's 288-bit internal state consists of three [[shift register]]s of different lengths. At each round, a bit is shifted into each of the three shift registers using a non-linear combination of taps from that and one other register; one bit of output is produced.
To initialize the cipher, the key and IV are written into two of the shift registers, with the remaining bits starting in a fixed pattern; the cipher state is then updated 4 &amp;times; 288 = 1152 times, so that every bit of the internal state depends on every bit of the key and of the IV in a complex nonlinear way.<br /> <br /> No taps appear on the first 64 bits of each shift register, so each novel state bit is not used until at least 64 rounds after it is generated. This is the key to Trivium's software performance and flexibility in hardware.<br /> <br /> ==Specification==<br /> Trivium may be specified very concisely using three recursive equations [http://www.ecrypt.eu.org/stream/phorum/read.php?1,448]. Each variable is an element of [[finite field|GF]](2); they can be represented as [[bit]]s, with &quot;+&quot; being [[Exclusive or|XOR]] and multiplication being [[Binary and|AND]].<br /> <br /> *''a''&lt;sub&gt;''i''&lt;/sub&gt; = ''c''&lt;sub&gt;''i''-66&lt;/sub&gt; + ''c''&lt;sub&gt;''i''-111&lt;/sub&gt; + ''c''&lt;sub&gt;''i''-110&lt;/sub&gt; ''c''&lt;sub&gt;''i''-109&lt;/sub&gt; + ''a''&lt;sub&gt;''i''-69&lt;/sub&gt;<br /> *''b''&lt;sub&gt;''i''&lt;/sub&gt; = ''a''&lt;sub&gt;''i''-66&lt;/sub&gt; + ''a''&lt;sub&gt;''i''-93&lt;/sub&gt; + ''a''&lt;sub&gt;''i''-92&lt;/sub&gt; ''a''&lt;sub&gt;''i''-91&lt;/sub&gt; + ''b''&lt;sub&gt;''i''-78&lt;/sub&gt;<br /> *''c''&lt;sub&gt;''i''&lt;/sub&gt; = ''b''&lt;sub&gt;''i''-69&lt;/sub&gt; + ''b''&lt;sub&gt;''i''-84&lt;/sub&gt; + ''b''&lt;sub&gt;''i''-83&lt;/sub&gt; ''b''&lt;sub&gt;''i''-82&lt;/sub&gt; + ''c''&lt;sub&gt;''i''-87&lt;/sub&gt;<br /> <br /> The output bits ''r''&lt;sub&gt;0&lt;/sub&gt; ... 
''r''&lt;sub&gt;2&lt;sup&gt;64&lt;/sup&gt;-1&lt;/sub&gt; are then generated by<br /> <br /> *''r''&lt;sub&gt;''i''&lt;/sub&gt; = ''c''&lt;sub&gt;''i''-66&lt;/sub&gt; + ''c''&lt;sub&gt;''i''-111&lt;/sub&gt; + ''a''&lt;sub&gt;''i''-66&lt;/sub&gt; + ''a''&lt;sub&gt;''i''-93&lt;/sub&gt; + ''b''&lt;sub&gt;''i''-69&lt;/sub&gt; + ''b''&lt;sub&gt;''i''-84&lt;/sub&gt;<br /> <br /> Given an 80-bit key ''k''&lt;sub&gt;0&lt;/sub&gt; ... ''k''&lt;sub&gt;79&lt;/sub&gt; and an ''l''-bit IV ''v''&lt;sub&gt;0&lt;/sub&gt; ... ''v''&lt;sub&gt;''l''-1&lt;/sub&gt;, Trivium is initialized as follows:<br /> <br /> *(''a''&lt;sub&gt;-1245&lt;/sub&gt; ... ''a''&lt;sub&gt;-1153&lt;/sub&gt;) = (0, 0 ... 0, ''k''&lt;sub&gt;0&lt;/sub&gt; ... ''k''&lt;sub&gt;79&lt;/sub&gt;)<br /> *(''b''&lt;sub&gt;-1236&lt;/sub&gt; ... ''b''&lt;sub&gt;-1153&lt;/sub&gt;) = (0, 0 ... 0, ''v''&lt;sub&gt;0&lt;/sub&gt; ... ''v''&lt;sub&gt;''l''-1&lt;/sub&gt;)<br /> *(''c''&lt;sub&gt;-1263&lt;/sub&gt; ... ''c''&lt;sub&gt;-1153&lt;/sub&gt;) = (1, 1, 1, 0, 0 ... 0)<br /> <br /> The large negative indices on the initial values reflect the 1152 steps that must take place before output is produced.<br /> <br /> To map a stream of bits ''r'' to a stream of bytes ''R'', we use the little-endian mapping ''R''&lt;sub&gt;''i''&lt;/sub&gt; = Σ&lt;sub&gt;''j''=0 ... 7&lt;/sub&gt; 2&lt;sup&gt;j&lt;/sup&gt; ''r''&lt;sub&gt;8''i''+j&lt;/sub&gt;.<br /> <br /> ==Performance==<br /> A straightforward hardware implementation of Trivium would use 3488 [[logic gate]]s and produce one bit per clock cycle. However, because each novel state bit is not used for at least 64 rounds, 64 state bits can be generated in parallel at a slightly greater hardware cost of 5504 gates. 
Different trade-offs between speed and area are also possible.<br /> <br /> The same property allows an efficient bitslice implementation in software; performance testing by [[eSTREAM]] gives bulk encryption speeds of around 4 cycles/byte on some [[x86]] platforms, which compares well to the 19 cycles/byte of the [[Advanced Encryption Standard|AES]] reference implementation on the same platform.<br /> <br /> ==Security==<br /> Trivium's security is bounded by its 80-bit key length. As of January [[2006]], no cryptanalytic attacks better than [[brute force attack]] are known; the best attack, by [[Shahram Khazaei]], requires around 2&lt;sup&gt;135&lt;/sup&gt; operations [http://www.ecrypt.eu.org/stream/phorum/read.php?1,448].<br /> <br /> A detailed justification of the design of Trivium is given in the paper &quot;Trivium - A Stream Cipher Construction Inspired by Block Cipher Design Principles&quot;.<br /> <br /> No new design should be fielded for real use until it has survived a period of public scrutiny, and Trivium's design is also fairly novel.
The authors express the hope that its simple design should inspire greater confidence in its security once it survives such scrutiny.<br /> <br /> ==External links==<br /> * [http://www.ecrypt.eu.org/stream/ciphers/trivium/trivium.pdf Trivium specification] ([[PDF]])<br /> * [http://www.ecrypt.eu.org/stream/papersdir/2006/021.pdf Trivium - A Stream Cipher Construction Inspired by Block Cipher Design Principles] ([[PDF]])<br /> * [http://www.ecrypt.eu.org/stream/trivium.html eSTREAM page on Trivium]<br /> <br /> {{stream ciphers}}<br /> [[Category:Stream ciphers]]</div> Ciphergoth https://de.wikipedia.org/w/index.php?title=Trivium_(Algorithmus)&diff=83575872 Trivium (Algorithmus) 2006-02-27T13:49:18Z <p>Ciphergoth: /* Specification */ de-uglify sum, other small tidyups.</p> <hr /> <div>[[Image:Trivium_(cipher).png|thumb|300px|right|Structure of Trivium]]<br /> '''Trivium''' is a simple synchronous [[stream cipher]] designed to provide a flexible trade-off between speed and [[gate count]] in hardware, and reasonably efficient software implementation. It generates up to 2&lt;sup&gt;64&lt;/sup&gt; [[bit]]s of output from an 80-bit [[key length|key]] and an 80-bit [[initialization vector|IV]].<br /> <br /> Trivium was submitted to the Profile II (hardware) of the [[eSTREAM]] competition by its authors, [[Christophe De Cannière]] and [[Bart Preneel]]. It is not patented.<br /> <br /> ==Description==<br /> Trivium's 288-bit internal state consists of three [[shift register]]s of different lengths. At each round, a bit is shifted into each of the three shift registers using a non-linear combination of taps from that and one other register; one bit of output is produced.
To initialize the cipher, the key and IV are written into two of the shift registers, with the remaining bits starting in a fixed pattern; the cipher state is then updated 4 &amp;times; 288 = 1152 times, so that every bit of the internal state depends on every bit of the key and of the IV in a complex nonlinear way.<br /> <br /> No taps appear on the first 64 bits of each shift register, so each novel state bit is not used until at least 64 rounds after it is generated. This is the key to Trivium's software performance and flexibility in hardware.<br /> <br /> ==Specification==<br /> Trivium may be specified very concisely using three recursive equations [http://www.ecrypt.eu.org/stream/phorum/read.php?1,448]:<br /> <br /> *''a''&lt;sub&gt;''i''&lt;/sub&gt; = ''c''&lt;sub&gt;''i''-66&lt;/sub&gt; + ''c''&lt;sub&gt;''i''-111&lt;/sub&gt; + ''c''&lt;sub&gt;''i''-110&lt;/sub&gt; ''c''&lt;sub&gt;''i''-109&lt;/sub&gt; + ''a''&lt;sub&gt;''i''-69&lt;/sub&gt;<br /> *''b''&lt;sub&gt;''i''&lt;/sub&gt; = ''a''&lt;sub&gt;''i''-66&lt;/sub&gt; + ''a''&lt;sub&gt;''i''-93&lt;/sub&gt; + ''a''&lt;sub&gt;''i''-92&lt;/sub&gt; ''a''&lt;sub&gt;''i''-91&lt;/sub&gt; + ''b''&lt;sub&gt;''i''-78&lt;/sub&gt;<br /> *''c''&lt;sub&gt;''i''&lt;/sub&gt; = ''b''&lt;sub&gt;''i''-69&lt;/sub&gt; + ''b''&lt;sub&gt;''i''-84&lt;/sub&gt; + ''b''&lt;sub&gt;''i''-83&lt;/sub&gt; ''b''&lt;sub&gt;''i''-82&lt;/sub&gt; + ''c''&lt;sub&gt;''i''-87&lt;/sub&gt;<br /> <br /> and an output equation<br /> <br /> *''r''&lt;sub&gt;''i''&lt;/sub&gt; = ''c''&lt;sub&gt;''i''-66&lt;/sub&gt; + ''c''&lt;sub&gt;''i''-111&lt;/sub&gt; + ''a''&lt;sub&gt;''i''-66&lt;/sub&gt; + ''a''&lt;sub&gt;''i''-93&lt;/sub&gt; + ''b''&lt;sub&gt;''i''-69&lt;/sub&gt; + ''b''&lt;sub&gt;''i''-84&lt;/sub&gt;<br /> <br /> where each ''r''&lt;sub&gt;''i''&lt;/sub&gt;, ''a''&lt;sub&gt;''i''&lt;/sub&gt;, ''b''&lt;sub&gt;''i''&lt;/sub&gt;, ''c''&lt;sub&gt;''i''&lt;/sub&gt; is an element of [[finite field|GF]](2) (so each may be represented by a [[bit]], 
with &quot;+&quot; being [[Exclusive or|XOR]] and multiplication being [[Binary and|AND]]). ''r''&lt;sub&gt;0&lt;/sub&gt; ... ''r''&lt;sub&gt;2&lt;sup&gt;64&lt;/sup&gt;-1&lt;/sub&gt; is the stream of output bits.<br /> <br /> Given an 80-bit key ''k''&lt;sub&gt;0&lt;/sub&gt; ... ''k''&lt;sub&gt;79&lt;/sub&gt; and an ''l''-bit IV ''v''&lt;sub&gt;0&lt;/sub&gt; ... ''v''&lt;sub&gt;''l''-1&lt;/sub&gt;, Trivium is initialized as follows:<br /> <br /> *(''a''&lt;sub&gt;-1245&lt;/sub&gt; ... ''a''&lt;sub&gt;-1153&lt;/sub&gt;) = (0, 0 ... 0, ''k''&lt;sub&gt;0&lt;/sub&gt; ... ''k''&lt;sub&gt;79&lt;/sub&gt;)<br /> *(''b''&lt;sub&gt;-1236&lt;/sub&gt; ... ''b''&lt;sub&gt;-1153&lt;/sub&gt;) = (0, 0 ... 0, ''v''&lt;sub&gt;0&lt;/sub&gt; ... ''v''&lt;sub&gt;''l''-1&lt;/sub&gt;)<br /> *(''c''&lt;sub&gt;-1263&lt;/sub&gt; ... ''c''&lt;sub&gt;-1153&lt;/sub&gt;) = (1, 1, 1, 0, 0 ... 0)<br /> <br /> The large negative indices on the initial values reflect the 1152 steps that must take place before output is produced.<br /> <br /> To map a stream of bits ''r'' to a stream of bytes ''R'', we use the little-endian mapping ''R''&lt;sub&gt;''i''&lt;/sub&gt; = &amp;Sigma;&lt;sub&gt;''j''=0 ... 7&lt;/sub&gt; 2&lt;sup&gt;j&lt;/sup&gt; ''r''&lt;sub&gt;8''i''+j&lt;/sub&gt;.<br /> <br /> ==Performance==<br /> A straightforward hardware implementation of Trivium would use 3488 [[logic gate]]s and produce one bit per clock cycle. However, because each novel state bit is not used for at least 64 rounds, 64 state bits can be generated in parallel at a slightly greater hardware cost of 5504 gates. 
Different trade-offs between speed and area are also possible.<br /> <br /> The same property allows an efficient bitslice implementation in software; performance testing by [[eSTREAM]] gives bulk encryption speeds of around 4 cycles/byte on some [[x86]] platforms, which compares well to the 19 cycles/byte of the [[Advanced Encryption Standard|AES]] reference implementation on the same platform.<br /> <br /> ==Security==<br /> Trivium's security is bounded by its 80-bit key length. As of January [[2006]], no cryptanalytic attacks better than [[brute force attack]] are known; the best attack, by [[Shahram Khazaei]], requires around 2&lt;sup&gt;135&lt;/sup&gt; operations [http://www.ecrypt.eu.org/stream/phorum/read.php?1,448].<br /> <br /> A detailed justification of the design of Trivium is given in the paper &quot;Trivium - A Stream Cipher Construction Inspired by Block Cipher Design Principles&quot;.<br /> <br /> No new design should be fielded for real use until it has survived a period of public scrutiny, and Trivium's design is also fairly novel.
The authors express the hope that its simple design should inspire greater confidence in its security once it survives such scrutiny.<br /> <br /> ==External links==<br /> * [http://www.ecrypt.eu.org/stream/ciphers/trivium/trivium.pdf Trivium specification] ([[PDF]])<br /> * [http://www.ecrypt.eu.org/stream/papersdir/2006/021.pdf Trivium - A Stream Cipher Construction Inspired by Block Cipher Design Principles] ([[PDF]])<br /> * [http://www.ecrypt.eu.org/stream/trivium.html eSTREAM page on Trivium]<br /> <br /> {{stream ciphers}}<br /> [[Category:Stream ciphers]]</div> Ciphergoth https://de.wikipedia.org/w/index.php?title=Trivium_(Algorithmus)&diff=83575870 Trivium (Algorithmus) 2006-02-27T13:35:36Z <p>Ciphergoth: /* Specification */ specify bound on stream length, and bit/byte mapping.</p> <hr /> <div>[[Image:Trivium_(cipher).png|thumb|300px|right|Structure of Trivium]]<br /> '''Trivium''' is a simple synchronous [[stream cipher]] designed to provide a flexible trade-off between speed and [[gate count]] in hardware, and reasonably efficient software implementation. It generates up to 2&lt;sup&gt;64&lt;/sup&gt; [[bit]]s of output from an 80-bit [[key length|key]] and an 80-bit [[initialization vector|IV]].<br /> <br /> Trivium was submitted to the Profile II (hardware) of the [[eSTREAM]] competition by its authors, [[Christophe De Cannière]] and [[Bart Preneel]]. It is not patented.<br /> <br /> ==Description==<br /> Trivium's 288-bit internal state consists of three [[shift register]]s of different lengths. At each round, a bit is shifted into each of the three shift registers using a non-linear combination of taps from that and one other register; one bit of output is produced.
To initialize the cipher, the key and IV are written into two of the shift registers, with the remaining bits starting in a fixed pattern; the cipher state is then updated 4 &amp;times; 288 = 1152 times, so that every bit of the internal state depends on every bit of the key and of the IV in a complex nonlinear way.<br /> <br /> No taps appear on the first 64 bits of each shift register, so each novel state bit is not used until at least 64 rounds after it is generated. This is the key to Trivium's software performance and flexibility in hardware.<br /> <br /> ==Specification==<br /> Trivium may be specified very concisely using three recursive equations [http://www.ecrypt.eu.org/stream/phorum/read.php?1,448]:<br /> <br /> *''a''&lt;sub&gt;''i''&lt;/sub&gt; = ''c''&lt;sub&gt;''i''-66&lt;/sub&gt; + ''c''&lt;sub&gt;''i''-111&lt;/sub&gt; + ''c''&lt;sub&gt;''i''-110&lt;/sub&gt; ''c''&lt;sub&gt;''i''-109&lt;/sub&gt; + ''a''&lt;sub&gt;''i''-69&lt;/sub&gt;<br /> *''b''&lt;sub&gt;''i''&lt;/sub&gt; = ''a''&lt;sub&gt;''i''-66&lt;/sub&gt; + ''a''&lt;sub&gt;''i''-93&lt;/sub&gt; + ''a''&lt;sub&gt;''i''-92&lt;/sub&gt; ''a''&lt;sub&gt;''i''-91&lt;/sub&gt; + ''b''&lt;sub&gt;''i''-78&lt;/sub&gt;<br /> *''c''&lt;sub&gt;''i''&lt;/sub&gt; = ''b''&lt;sub&gt;''i''-69&lt;/sub&gt; + ''b''&lt;sub&gt;''i''-84&lt;/sub&gt; + ''b''&lt;sub&gt;''i''-83&lt;/sub&gt; ''b''&lt;sub&gt;''i''-82&lt;/sub&gt; + ''c''&lt;sub&gt;''i''-87&lt;/sub&gt;<br /> <br /> and an output equation<br /> <br /> *''r''&lt;sub&gt;''i''&lt;/sub&gt; = ''c''&lt;sub&gt;''i''-66&lt;/sub&gt; + ''c''&lt;sub&gt;''i''-111&lt;/sub&gt; + ''a''&lt;sub&gt;''i''-66&lt;/sub&gt; + ''a''&lt;sub&gt;''i''-93&lt;/sub&gt; + ''b''&lt;sub&gt;''i''-69&lt;/sub&gt; + ''b''&lt;sub&gt;''i''-84&lt;/sub&gt;<br /> <br /> where each ''r''&lt;sub&gt;''i''&lt;/sub&gt;, ''a''&lt;sub&gt;''i''&lt;/sub&gt;, ''b''&lt;sub&gt;''i''&lt;/sub&gt;, ''c''&lt;sub&gt;''i''&lt;/sub&gt; is an element of [[finite field|GF]](2) (so each may be represented by a [[bit]], 
with &quot;+&quot; being [[Exclusive or|XOR]] and multiplication being [[Binary and|AND]]). ''r''&lt;sub&gt;0&lt;/sub&gt; ... ''r''&lt;sub&gt;2&lt;sup&gt;64&lt;/sup&gt;-1&lt;/sub&gt; is the stream of output bits.<br /> <br /> Given an 80-bit key ''k''&lt;sub&gt;0&lt;/sub&gt; ... ''k''&lt;sub&gt;79&lt;/sub&gt; and an ''l''-bit IV ''v''&lt;sub&gt;0&lt;/sub&gt; ... ''v''&lt;sub&gt;''l''-1&lt;/sub&gt;, Trivium is initialized as follows:<br /> <br /> *(''a''&lt;sub&gt;-1245&lt;/sub&gt; ... ''a''&lt;sub&gt;-1153&lt;/sub&gt;) = (0, 0, ... 0, ''k''&lt;sub&gt;0&lt;/sub&gt; ... ''k''&lt;sub&gt;79&lt;/sub&gt;)<br /> *(''b''&lt;sub&gt;-1236&lt;/sub&gt; ... ''b''&lt;sub&gt;-1153&lt;/sub&gt;) = (0, 0, ... 0, ''v''&lt;sub&gt;0&lt;/sub&gt; ... ''v''&lt;sub&gt;''l''-1&lt;/sub&gt;)<br /> *(''c''&lt;sub&gt;-1263&lt;/sub&gt; ... ''c''&lt;sub&gt;-1153&lt;/sub&gt;) = (1, 1, 1, 0, 0, ... 0)<br /> <br /> The large negative indices on the initial values indicate the 1152 steps that must take place before output is produced.<br /> <br /> To map a stream of bits ''r'' to a stream of bytes ''R'', we use the little-endian mapping ''R''&lt;sub&gt;''i''&lt;/sub&gt; = &amp;Sigma;&lt;sub&gt;''j''=0&lt;/sub&gt;&lt;sup&gt;7&lt;/sup&gt; 2&lt;sup&gt;j&lt;/sup&gt; ''r''&lt;sub&gt;8''i''+j&lt;/sub&gt;<br /> <br /> ==Performance==<br /> A straightforward hardware implementation of Trivium would use 3488 [[logic gate]]s and produce one bit per clock cycle. However, because each novel state bit is not used for at least 64 rounds, 64 state bits can be generated in parallel at a slightly greater hardware cost of 5504 gates. 
Different tradeoffs between speed and area are also possible.<br /> <br /> The same property allows an efficient bitslice implementation in software; performance testing by [[eSTREAM]] gives bulk encryption speeds of around 4 cycles/byte on some [[x86]] platforms, which compares well to the 19 cycles/byte of the [[Advanced Encryption Standard|AES]] reference implementation on the same platform.<br /> <br /> ==Security==<br /> Trivium's security is bounded by its 80-bit key length. As of January [[2006]], no cryptanalytic attacks better than [[brute force attack]] are known; the best attack, by [[Shahram Khazaei]], requires around 2&lt;sup&gt;135&lt;/sup&gt; operations [http://www.ecrypt.eu.org/stream/phorum/read.php?1,448].<br /> <br /> A detailed justification of the design of Trivium is given in the paper &quot;Trivium - A Stream Cipher Construction Inspired by Block Cipher Design Principles&quot;.<br /> <br /> No new design should be fielded for real use until it has survived a period of public scrutiny, and Trivium's design is also fairly novel.
The authors express the hope that its simple design should inspire greater confidence in its security once it survives such scrutiny.<br /> <br /> ==External links==<br /> * [http://www.ecrypt.eu.org/stream/ciphers/trivium/trivium.pdf Trivium specification] ([[PDF]])<br /> * [http://www.ecrypt.eu.org/stream/papersdir/2006/021.pdf Trivium - A Stream Cipher Construction Inspired by Block Cipher Design Principles] ([[PDF]])<br /> * [http://www.ecrypt.eu.org/stream/trivium.html eSTREAM page on Trivium]<br /> <br /> {{stream ciphers}}<br /> [[Category:Stream ciphers]]</div> Ciphergoth

https://de.wikipedia.org/w/index.php?title=Trivium_(Algorithmus)&diff=83575869 Trivium (Algorithmus) 2006-02-27T13:00:14Z <p>Ciphergoth: /* Description */ give spec its own section; separate out output equation for clarity; explain negative indices</p> <hr /> <div>[[Image:Trivium_(cipher).png|thumb|300px|right|Structure of Trivium]]<br /> '''Trivium''' is a simple synchronous [[stream cipher]] designed to provide a flexible trade-off between speed and [[gate count]] in hardware, and reasonably efficient software implementation. It generates up to 2&lt;sup&gt;64&lt;/sup&gt; [[bit]]s of output from an 80-bit [[key length|key]] and an 80-bit [[initialization vector|IV]].<br /> <br /> Trivium was submitted to the Profile II (hardware) of the [[eSTREAM]] competition by its authors, [[Christophe De Cannière]] and [[Bart Preneel]]. It is not patented.<br /> <br /> ==Description==<br /> Trivium's 288-bit internal state consists of three [[shift register]]s of different lengths. At each round, a bit is shifted into each of the three shift registers using a non-linear combination of taps from that and one other register; one bit of output is produced.
To initialize the cipher, the key and IV are written into two of the shift registers, with the remaining bits starting in a fixed pattern; the cipher state is then updated 4 &amp;times; 288 = 1152 times, so that every bit of the internal state depends on every bit of the key and of the IV in a complex nonlinear way.<br /> <br /> No taps appear on the first 64 bits of each shift register, so each novel state bit is not used until at least 64 rounds after it is generated. This is the key to Trivium's software performance and flexibility in hardware.<br /> <br /> ==Specification==<br /> Trivium may be specified very concisely using three recursive equations [http://www.ecrypt.eu.org/stream/phorum/read.php?1,448]:<br /> <br /> *''a''&lt;sub&gt;''i''&lt;/sub&gt; = ''c''&lt;sub&gt;''i''-66&lt;/sub&gt; + ''c''&lt;sub&gt;''i''-111&lt;/sub&gt; + ''c''&lt;sub&gt;''i''-110&lt;/sub&gt; ''c''&lt;sub&gt;''i''-109&lt;/sub&gt; + ''a''&lt;sub&gt;''i''-69&lt;/sub&gt;<br /> *''b''&lt;sub&gt;''i''&lt;/sub&gt; = ''a''&lt;sub&gt;''i''-66&lt;/sub&gt; + ''a''&lt;sub&gt;''i''-93&lt;/sub&gt; + ''a''&lt;sub&gt;''i''-92&lt;/sub&gt; ''a''&lt;sub&gt;''i''-91&lt;/sub&gt; + ''b''&lt;sub&gt;''i''-78&lt;/sub&gt;<br /> *''c''&lt;sub&gt;''i''&lt;/sub&gt; = ''b''&lt;sub&gt;''i''-69&lt;/sub&gt; + ''b''&lt;sub&gt;''i''-84&lt;/sub&gt; + ''b''&lt;sub&gt;''i''-83&lt;/sub&gt; ''b''&lt;sub&gt;''i''-82&lt;/sub&gt; + ''c''&lt;sub&gt;''i''-87&lt;/sub&gt;<br /> <br /> and an output equation<br /> <br /> *''r''&lt;sub&gt;''i''&lt;/sub&gt; = ''c''&lt;sub&gt;''i''-66&lt;/sub&gt; + ''c''&lt;sub&gt;''i''-111&lt;/sub&gt; + ''a''&lt;sub&gt;''i''-66&lt;/sub&gt; + ''a''&lt;sub&gt;''i''-93&lt;/sub&gt; + ''b''&lt;sub&gt;''i''-69&lt;/sub&gt; + ''b''&lt;sub&gt;''i''-84&lt;/sub&gt;<br /> <br /> where each ''r''&lt;sub&gt;''i''&lt;/sub&gt;, ''a''&lt;sub&gt;''i''&lt;/sub&gt;, ''b''&lt;sub&gt;''i''&lt;/sub&gt;, ''c''&lt;sub&gt;''i''&lt;/sub&gt; is an element of [[finite field|GF]](2) (so each may be represented by a [[bit]], 
with &quot;+&quot; being [[Exclusive or|XOR]] and multiplication being [[Binary and|AND]]). ''r''&lt;sub&gt;0&lt;/sub&gt; ... is the stream of output bits.<br /> <br /> Given an 80-bit key ''k''&lt;sub&gt;0&lt;/sub&gt; ... ''k''&lt;sub&gt;79&lt;/sub&gt; and an ''l''-bit IV ''v''&lt;sub&gt;0&lt;/sub&gt; ... ''v''&lt;sub&gt;''l''-1&lt;/sub&gt;, Trivium is initialized as follows:<br /> <br /> *(''a''&lt;sub&gt;-1245&lt;/sub&gt; ... ''a''&lt;sub&gt;-1153&lt;/sub&gt;) = (0, 0, ... 0, ''k''&lt;sub&gt;0&lt;/sub&gt; ... ''k''&lt;sub&gt;79&lt;/sub&gt;)<br /> *(''b''&lt;sub&gt;-1236&lt;/sub&gt; ... ''b''&lt;sub&gt;-1153&lt;/sub&gt;) = (0, 0, ... 0, ''v''&lt;sub&gt;0&lt;/sub&gt; ... ''v''&lt;sub&gt;''l''-1&lt;/sub&gt;)<br /> *(''c''&lt;sub&gt;-1263&lt;/sub&gt; ... ''c''&lt;sub&gt;-1153&lt;/sub&gt;) = (1, 1, 1, 0, 0, ... 0)<br /> <br /> The large negative indices on the initial values indicate the 1152 steps that must take place before output is produced.<br /> <br /> ==Performance==<br /> A straightforward hardware implementation of Trivium would use 3488 [[logic gate]]s and produce one bit per clock cycle. However, because each novel state bit is not used for at least 64 rounds, 64 state bits can be generated in parallel at a slightly greater hardware cost of 5504 gates. Different tradeoffs between speed and area are also possible.<br /> <br /> The same property allows an efficient bitslice implementation in software; performance testing by [[eSTREAM]] gives bulk encryption speeds of around 4 cycles/byte on some [[x86]] platforms, which compares well to the 19 cycles/byte of the [[Advanced Encryption Standard|AES]] reference implementation on the same platform.<br /> <br /> ==Security==<br /> Trivium's security is bounded by its 80-bit key length.
As of January [[2006]], no cryptanalytic attacks better than [[brute force attack]] are known; the best attack, by [[Shahram Khazaei]], requires around 2&lt;sup&gt;135&lt;/sup&gt; operations [http://www.ecrypt.eu.org/stream/phorum/read.php?1,448].<br /> <br /> A detailed justification of the design of Trivium is given in the paper &quot;Trivium - A Stream Cipher Construction Inspired by Block Cipher Design Principles&quot;.<br /> <br /> No new design should be fielded for real use until it has survived a period of public scrutiny, and Trivium's design is also fairly novel. The authors express the hope that its simple design should inspire greater confidence in its security once it survives such scrutiny.<br /> <br /> ==External links==<br /> * [http://www.ecrypt.eu.org/stream/ciphers/trivium/trivium.pdf Trivium specification] ([[PDF]])<br /> * [http://www.ecrypt.eu.org/stream/papersdir/2006/021.pdf Trivium - A Stream Cipher Construction Inspired by Block Cipher Design Principles] ([[PDF]])<br /> * [http://www.ecrypt.eu.org/stream/trivium.html eSTREAM page on Trivium]<br /> <br /> {{stream ciphers}}<br /> [[Category:Stream ciphers]]</div> Ciphergoth

https://de.wikipedia.org/w/index.php?title=Trivium_(Algorithmus)&diff=83575868 Trivium (Algorithmus) 2006-02-27T09:23:01Z <p>Ciphergoth: /* Description */ briefly describe GF(2) for implementors</p> <hr /> <div>[[Image:Trivium_(cipher).png|thumb|300px|right|Structure of Trivium]]<br /> '''Trivium''' is a simple synchronous [[stream cipher]] designed to provide a flexible trade-off between speed and [[gate count]] in hardware, and reasonably efficient software implementation. It generates up to 2&lt;sup&gt;64&lt;/sup&gt; [[bit]]s of output from an 80-bit [[key length|key]] and an 80-bit [[initialization vector|IV]].<br /> <br /> Trivium was submitted to the Profile II (hardware) of the [[eSTREAM]] competition by its authors, [[Christophe De Cannière]] and [[Bart Preneel]].
It is not patented.<br /> <br /> ==Description==<br /> Trivium's 288-bit internal state consists of three [[shift register]]s of different lengths. At each round, a bit is shifted into each of the three shift registers using a non-linear combination of taps from that and one other register; one bit of output is produced. To initialize the cipher, the key and IV are written into two of the shift registers, with the remaining bits starting in a fixed pattern; the cipher state is then updated 4 &amp;times; 288 = 1152 times, so that every bit of the internal state depends on every bit of the key and of the IV in a complex nonlinear way.<br /> <br /> No taps appear on the first 64 bits of each shift register, so each novel state bit is not used until at least 64 rounds after it is generated. This is the key to Trivium's software performance and flexibility in hardware.<br /> <br /> Trivium may be specified very concisely using three recursive equations and an output equation [http://www.ecrypt.eu.org/stream/phorum/read.php?1,448]:<br /> <br /> *''r''&lt;sub&gt;''i''&lt;/sub&gt; = ''c''&lt;sub&gt;''i''-66&lt;/sub&gt; + ''c''&lt;sub&gt;''i''-111&lt;/sub&gt; + ''a''&lt;sub&gt;''i''-66&lt;/sub&gt; + ''a''&lt;sub&gt;''i''-93&lt;/sub&gt; + ''b''&lt;sub&gt;''i''-69&lt;/sub&gt; + ''b''&lt;sub&gt;''i''-84&lt;/sub&gt;<br /> *''a''&lt;sub&gt;''i''&lt;/sub&gt; = ''c''&lt;sub&gt;''i''-66&lt;/sub&gt; + ''c''&lt;sub&gt;''i''-111&lt;/sub&gt; + ''c''&lt;sub&gt;''i''-110&lt;/sub&gt; ''c''&lt;sub&gt;''i''-109&lt;/sub&gt; + ''a''&lt;sub&gt;''i''-69&lt;/sub&gt;<br /> *''b''&lt;sub&gt;''i''&lt;/sub&gt; = ''a''&lt;sub&gt;''i''-66&lt;/sub&gt; + ''a''&lt;sub&gt;''i''-93&lt;/sub&gt; + ''a''&lt;sub&gt;''i''-92&lt;/sub&gt; ''a''&lt;sub&gt;''i''-91&lt;/sub&gt; + ''b''&lt;sub&gt;''i''-78&lt;/sub&gt;<br /> *''c''&lt;sub&gt;''i''&lt;/sub&gt; = ''b''&lt;sub&gt;''i''-69&lt;/sub&gt; + ''b''&lt;sub&gt;''i''-84&lt;/sub&gt; + ''b''&lt;sub&gt;''i''-83&lt;/sub&gt; ''b''&lt;sub&gt;''i''-82&lt;/sub&gt; + ''c''&lt;sub&gt;''i''-87&lt;/sub&gt;<br /> <br /> where each ''r''&lt;sub&gt;''i''&lt;/sub&gt;, ''a''&lt;sub&gt;''i''&lt;/sub&gt;, ''b''&lt;sub&gt;''i''&lt;/sub&gt;, ''c''&lt;sub&gt;''i''&lt;/sub&gt; is an element of [[finite field|GF]](2) (so each may be represented by a [[bit]], with &quot;+&quot; being [[Exclusive or|XOR]] and multiplication being [[Binary and|AND]]). ''r''&lt;sub&gt;0&lt;/sub&gt; ... is the stream of output bits. Given an 80-bit key ''k''&lt;sub&gt;0&lt;/sub&gt; ... ''k''&lt;sub&gt;79&lt;/sub&gt; and an ''l''-bit IV ''v''&lt;sub&gt;0&lt;/sub&gt; ... ''v''&lt;sub&gt;''l''-1&lt;/sub&gt;, Trivium is initialized as follows:<br /> <br /> *(''a''&lt;sub&gt;-1245&lt;/sub&gt; ... ''a''&lt;sub&gt;-1153&lt;/sub&gt;) = (0, 0, ... 0, ''k''&lt;sub&gt;0&lt;/sub&gt; ... ''k''&lt;sub&gt;79&lt;/sub&gt;)<br /> *(''b''&lt;sub&gt;-1236&lt;/sub&gt; ... ''b''&lt;sub&gt;-1153&lt;/sub&gt;) = (0, 0, ... 0, ''v''&lt;sub&gt;0&lt;/sub&gt; ... ''v''&lt;sub&gt;''l''-1&lt;/sub&gt;)<br /> *(''c''&lt;sub&gt;-1263&lt;/sub&gt; ... ''c''&lt;sub&gt;-1153&lt;/sub&gt;) = (1, 1, 1, 0, 0, ... 0)<br /> <br /> ==Performance==<br /> A straightforward hardware implementation of Trivium would use 3488 [[logic gate]]s and produce one bit per clock cycle. However, because each novel state bit is not used for at least 64 rounds, 64 state bits can be generated in parallel at a slightly greater hardware cost of 5504 gates. Different tradeoffs between speed and area are also possible.<br /> <br /> The same property allows an efficient bitslice implementation in software; performance testing by [[eSTREAM]] gives bulk encryption speeds of around 4 cycles/byte on some [[x86]] platforms, which compares well to the 19 cycles/byte of the [[Advanced Encryption Standard|AES]] reference implementation on the same platform.<br /> <br /> ==Security==<br /> Trivium's security is bounded by its 80-bit key length.
As of January [[2006]], no cryptanalytic attacks better than [[brute force attack]] are known; the best attack, by [[Shahram Khazaei]], requires around 2&lt;sup&gt;135&lt;/sup&gt; operations [http://www.ecrypt.eu.org/stream/phorum/read.php?1,448].<br /> <br /> A detailed justification of the design of Trivium is given in the paper &quot;Trivium - A Stream Cipher Construction Inspired by Block Cipher Design Principles&quot;.<br /> <br /> No new design should be fielded for real use until it has survived a period of public scrutiny, and Trivium's design is also fairly novel. The authors express the hope that its simple design should inspire greater confidence in its security once it survives such scrutiny.<br /> <br /> ==External links==<br /> * [http://www.ecrypt.eu.org/stream/ciphers/trivium/trivium.pdf Trivium specification] ([[PDF]])<br /> * [http://www.ecrypt.eu.org/stream/papersdir/2006/021.pdf Trivium - A Stream Cipher Construction Inspired by Block Cipher Design Principles] ([[PDF]])<br /> * [http://www.ecrypt.eu.org/stream/trivium.html eSTREAM page on Trivium]<br /> <br /> {{stream ciphers}}<br /> [[Category:Stream ciphers]]</div> Ciphergoth

https://de.wikipedia.org/w/index.php?title=Trivium_(Algorithmus)&diff=83575867 Trivium (Algorithmus) 2006-02-27T08:57:12Z <p>Ciphergoth: /* Description */ Provide reference for this reformulation</p> <hr /> <div>[[Image:Trivium_(cipher).png|thumb|300px|right|Structure of Trivium]]<br /> '''Trivium''' is a simple synchronous [[stream cipher]] designed to provide a flexible trade-off between speed and [[gate count]] in hardware, and reasonably efficient software implementation. It generates up to 2&lt;sup&gt;64&lt;/sup&gt; [[bit]]s of output from an 80-bit [[key length|key]] and an 80-bit [[initialization vector|IV]].<br /> <br /> Trivium was submitted to the Profile II (hardware) of the [[eSTREAM]] competition by its authors, [[Christophe De Cannière]] and [[Bart Preneel]].
It is not patented.<br /> <br /> ==Description==<br /> Trivium's 288-bit internal state consists of three [[shift register]]s of different lengths. At each round, a bit is shifted into each of the three shift registers using a non-linear combination of taps from that and one other register; one bit of output is produced. To initialize the cipher, the key and IV are written into two of the shift registers, with the remaining bits starting in a fixed pattern; the cipher state is then updated 4 &amp;times; 288 = 1152 times, so that every bit of the internal state depends on every bit of the key and of the IV in a complex nonlinear way.<br /> <br /> No taps appear on the first 64 bits of each shift register, so each novel state bit is not used until at least 64 rounds after it is generated. This is the key to Trivium's software performance and flexibility in hardware.<br /> <br /> Trivium may be specified very concisely using three recursive equations and an output equation [http://www.ecrypt.eu.org/stream/phorum/read.php?1,448]:<br /> <br /> *''r''&lt;sub&gt;''i''&lt;/sub&gt; = ''c''&lt;sub&gt;''i''-66&lt;/sub&gt; + ''c''&lt;sub&gt;''i''-111&lt;/sub&gt; + ''a''&lt;sub&gt;''i''-66&lt;/sub&gt; + ''a''&lt;sub&gt;''i''-93&lt;/sub&gt; + ''b''&lt;sub&gt;''i''-69&lt;/sub&gt; + ''b''&lt;sub&gt;''i''-84&lt;/sub&gt;<br /> *''a''&lt;sub&gt;''i''&lt;/sub&gt; = ''c''&lt;sub&gt;''i''-66&lt;/sub&gt; + ''c''&lt;sub&gt;''i''-111&lt;/sub&gt; + ''c''&lt;sub&gt;''i''-110&lt;/sub&gt; ''c''&lt;sub&gt;''i''-109&lt;/sub&gt; + ''a''&lt;sub&gt;''i''-69&lt;/sub&gt;<br /> *''b''&lt;sub&gt;''i''&lt;/sub&gt; = ''a''&lt;sub&gt;''i''-66&lt;/sub&gt; + ''a''&lt;sub&gt;''i''-93&lt;/sub&gt; + ''a''&lt;sub&gt;''i''-92&lt;/sub&gt; ''a''&lt;sub&gt;''i''-91&lt;/sub&gt; + ''b''&lt;sub&gt;''i''-78&lt;/sub&gt;<br /> *''c''&lt;sub&gt;''i''&lt;/sub&gt; = ''b''&lt;sub&gt;''i''-69&lt;/sub&gt; + ''b''&lt;sub&gt;''i''-84&lt;/sub&gt; + ''b''&lt;sub&gt;''i''-83&lt;/sub&gt; ''b''&lt;sub&gt;''i''-82&lt;/sub&gt; + ''c''&lt;sub&gt;''i''-87&lt;/sub&gt;<br /> <br /> where each ''r''&lt;sub&gt;''i''&lt;/sub&gt;, ''a''&lt;sub&gt;''i''&lt;/sub&gt;, ''b''&lt;sub&gt;''i''&lt;/sub&gt;, ''c''&lt;sub&gt;''i''&lt;/sub&gt; is an element of [[finite field|GF]](2). ''r''&lt;sub&gt;0&lt;/sub&gt; ... is the stream of output bits. Given an 80-bit key ''k''&lt;sub&gt;0&lt;/sub&gt; ... ''k''&lt;sub&gt;79&lt;/sub&gt; and an ''l''-bit IV ''v''&lt;sub&gt;0&lt;/sub&gt; ... ''v''&lt;sub&gt;''l''-1&lt;/sub&gt;, Trivium is initialized as follows:<br /> <br /> *(''a''&lt;sub&gt;-1245&lt;/sub&gt; ... ''a''&lt;sub&gt;-1153&lt;/sub&gt;) = (0, 0, ... 0, ''k''&lt;sub&gt;0&lt;/sub&gt; ... ''k''&lt;sub&gt;79&lt;/sub&gt;)<br /> *(''b''&lt;sub&gt;-1236&lt;/sub&gt; ... ''b''&lt;sub&gt;-1153&lt;/sub&gt;) = (0, 0, ... 0, ''v''&lt;sub&gt;0&lt;/sub&gt; ... ''v''&lt;sub&gt;''l''-1&lt;/sub&gt;)<br /> *(''c''&lt;sub&gt;-1263&lt;/sub&gt; ... ''c''&lt;sub&gt;-1153&lt;/sub&gt;) = (1, 1, 1, 0, 0, ... 0)<br /> <br /> ==Performance==<br /> A straightforward hardware implementation of Trivium would use 3488 [[logic gate]]s and produce one bit per clock cycle. However, because each novel state bit is not used for at least 64 rounds, 64 state bits can be generated in parallel at a slightly greater hardware cost of 5504 gates. Different tradeoffs between speed and area are also possible.<br /> <br /> The same property allows an efficient bitslice implementation in software; performance testing by [[eSTREAM]] gives bulk encryption speeds of around 4 cycles/byte on some [[x86]] platforms, which compares well to the 19 cycles/byte of the [[Advanced Encryption Standard|AES]] reference implementation on the same platform.<br /> <br /> ==Security==<br /> Trivium's security is bounded by its 80-bit key length.
As of January [[2006]], no cryptanalytic attacks better than [[brute force attack]] are known; the best attack, by [[Shahram Khazaei]], requires around 2&lt;sup&gt;135&lt;/sup&gt; operations [http://www.ecrypt.eu.org/stream/phorum/read.php?1,448].<br /> <br /> A detailed justification of the design of Trivium is given in the paper &quot;Trivium - A Stream Cipher Construction Inspired by Block Cipher Design Principles&quot;.<br /> <br /> No new design should be fielded for real use until it has survived a period of public scrutiny, and Trivium's design is also fairly novel. The authors express the hope that its simple design should inspire greater confidence in its security once it survives such scrutiny.<br /> <br /> ==External links==<br /> * [http://www.ecrypt.eu.org/stream/ciphers/trivium/trivium.pdf Trivium specification] ([[PDF]])<br /> * [http://www.ecrypt.eu.org/stream/papersdir/2006/021.pdf Trivium - A Stream Cipher Construction Inspired by Block Cipher Design Principles] ([[PDF]])<br /> * [http://www.ecrypt.eu.org/stream/trivium.html eSTREAM page on Trivium]<br /> <br /> {{stream ciphers}}<br /> [[Category:Stream ciphers]]</div> Ciphergoth

https://de.wikipedia.org/w/index.php?title=Trivium_(Algorithmus)&diff=83575866 Trivium (Algorithmus) 2006-02-27T08:50:35Z <p>Ciphergoth: /* Description */ don&#039;t italicise numbers</p> <hr /> <div>[[Image:Trivium_(cipher).png|thumb|300px|right|Structure of Trivium]]<br /> '''Trivium''' is a simple synchronous [[stream cipher]] designed to provide a flexible trade-off between speed and [[gate count]] in hardware, and reasonably efficient software implementation. It generates up to 2&lt;sup&gt;64&lt;/sup&gt; [[bit]]s of output from an 80-bit [[key length|key]] and an 80-bit [[initialization vector|IV]].<br /> <br /> Trivium was submitted to the Profile II (hardware) of the [[eSTREAM]] competition by its authors, [[Christophe De Cannière]] and [[Bart Preneel]].
It is not patented.<br /> <br /> ==Description==<br /> Trivium's 288-bit internal state consists of three [[shift register]]s of different lengths. At each round, a bit is shifted into each of the three shift registers using a non-linear combination of taps from that and one other register; one bit of output is produced. To initialize the cipher, the key and IV are written into two of the shift registers, with the remaining bits starting in a fixed pattern; the cipher state is then updated 4 &amp;times; 288 = 1152 times, so that every bit of the internal state depends on every bit of the key and of the IV in a complex nonlinear way.<br /> <br /> No taps appear on the first 64 bits of each shift register, so each novel state bit is not used until at least 64 rounds after it is generated. This is the key to Trivium's software performance and flexibility in hardware.<br /> <br /> Trivium may be specified very concisely using three recursive equations and an output equation:<br /> <br /> *''r''&lt;sub&gt;''i''&lt;/sub&gt; = ''c''&lt;sub&gt;''i''-66&lt;/sub&gt; + ''c''&lt;sub&gt;''i''-111&lt;/sub&gt; + ''a''&lt;sub&gt;''i''-66&lt;/sub&gt; + ''a''&lt;sub&gt;''i''-93&lt;/sub&gt; + ''b''&lt;sub&gt;''i''-69&lt;/sub&gt; + ''b''&lt;sub&gt;''i''-84&lt;/sub&gt;<br /> *''a''&lt;sub&gt;''i''&lt;/sub&gt; = ''c''&lt;sub&gt;''i''-66&lt;/sub&gt; + ''c''&lt;sub&gt;''i''-111&lt;/sub&gt; + ''c''&lt;sub&gt;''i''-110&lt;/sub&gt; ''c''&lt;sub&gt;''i''-109&lt;/sub&gt; + ''a''&lt;sub&gt;''i''-69&lt;/sub&gt;<br /> *''b''&lt;sub&gt;''i''&lt;/sub&gt; = ''a''&lt;sub&gt;''i''-66&lt;/sub&gt; + ''a''&lt;sub&gt;''i''-93&lt;/sub&gt; + ''a''&lt;sub&gt;''i''-92&lt;/sub&gt; ''a''&lt;sub&gt;''i''-91&lt;/sub&gt; + ''b''&lt;sub&gt;''i''-78&lt;/sub&gt;<br /> *''c''&lt;sub&gt;''i''&lt;/sub&gt; = ''b''&lt;sub&gt;''i''-69&lt;/sub&gt; + ''b''&lt;sub&gt;''i''-84&lt;/sub&gt; + ''b''&lt;sub&gt;''i''-83&lt;/sub&gt; ''b''&lt;sub&gt;''i''-82&lt;/sub&gt; + ''c''&lt;sub&gt;''i''-87&lt;/sub&gt;<br /> <br /> where each ''r''&lt;sub&gt;''i''&lt;/sub&gt;, ''a''&lt;sub&gt;''i''&lt;/sub&gt;, ''b''&lt;sub&gt;''i''&lt;/sub&gt;, ''c''&lt;sub&gt;''i''&lt;/sub&gt; is an element of [[finite field|GF]](2). ''r''&lt;sub&gt;0&lt;/sub&gt; ... is the stream of output bits. Given an 80-bit key ''k''&lt;sub&gt;0&lt;/sub&gt; ... ''k''&lt;sub&gt;79&lt;/sub&gt; and an ''l''-bit IV ''v''&lt;sub&gt;0&lt;/sub&gt; ... ''v''&lt;sub&gt;''l''-1&lt;/sub&gt;, Trivium is initialized as follows:<br /> <br /> *(''a''&lt;sub&gt;-1245&lt;/sub&gt; ... ''a''&lt;sub&gt;-1153&lt;/sub&gt;) = (0, 0, ... 0, ''k''&lt;sub&gt;0&lt;/sub&gt; ... ''k''&lt;sub&gt;79&lt;/sub&gt;)<br /> *(''b''&lt;sub&gt;-1236&lt;/sub&gt; ... ''b''&lt;sub&gt;-1153&lt;/sub&gt;) = (0, 0, ... 0, ''v''&lt;sub&gt;0&lt;/sub&gt; ... ''v''&lt;sub&gt;''l''-1&lt;/sub&gt;)<br /> *(''c''&lt;sub&gt;-1263&lt;/sub&gt; ... ''c''&lt;sub&gt;-1153&lt;/sub&gt;) = (1, 1, 1, 0, 0, ... 0)<br /> <br /> ==Performance==<br /> A straightforward hardware implementation of Trivium would use 3488 [[logic gate]]s and produce one bit per clock cycle. However, because each novel state bit is not used for at least 64 rounds, 64 state bits can be generated in parallel at a slightly greater hardware cost of 5504 gates. Different tradeoffs between speed and area are also possible.<br /> <br /> The same property allows an efficient bitslice implementation in software; performance testing by [[eSTREAM]] gives bulk encryption speeds of around 4 cycles/byte on some [[x86]] platforms, which compares well to the 19 cycles/byte of the [[Advanced Encryption Standard|AES]] reference implementation on the same platform.<br /> <br /> ==Security==<br /> Trivium's security is bounded by its 80-bit key length.
As of January [[2006]], no cryptanalytic attacks better than [[brute force attack]] are known; the best attack, by [[Shahram Khazaei]], requires around 2&lt;sup&gt;135&lt;/sup&gt; operations [http://www.ecrypt.eu.org/stream/phorum/read.php?1,448].<br /> <br /> A detailed justification of the design of Trivium is given in the paper &quot;Trivium - A Stream Cipher Construction Inspired by Block Cipher Design Principles&quot;.<br /> <br /> No new design should be fielded for real use until it has survived a period of public scrutiny, and Trivium's design is also fairly novel. The authors express the hope that its simple design should inspire greater confidence in its security once it survives such scrutiny.<br /> <br /> ==External links==<br /> * [http://www.ecrypt.eu.org/stream/ciphers/trivium/trivium.pdf Trivium specification] ([[PDF]])<br /> * [http://www.ecrypt.eu.org/stream/papersdir/2006/021.pdf Trivium - A Stream Cipher Construction Inspired by Block Cipher Design Principles] ([[PDF]])<br /> * [http://www.ecrypt.eu.org/stream/trivium.html eSTREAM page on Trivium]<br /> <br /> {{stream ciphers}}<br /> [[Category:Stream ciphers]]</div> Ciphergoth

https://de.wikipedia.org/w/index.php?title=Trivium_(Algorithmus)&diff=83575865 Trivium (Algorithmus) 2006-02-27T08:47:02Z <p>Ciphergoth: /* Description */ and add initialization</p> <hr /> <div>[[Image:Trivium_(cipher).png|thumb|300px|right|Structure of Trivium]]<br /> '''Trivium''' is a simple synchronous [[stream cipher]] designed to provide a flexible trade-off between speed and [[gate count]] in hardware, and reasonably efficient software implementation. It generates up to 2&lt;sup&gt;64&lt;/sup&gt; [[bit]]s of output from an 80-bit [[key length|key]] and an 80-bit [[initialization vector|IV]].<br /> <br /> Trivium was submitted to the Profile II (hardware) of the [[eSTREAM]] competition by its authors, [[Christophe De Cannière]] and [[Bart Preneel]].
It is not patented.<br /> <br /> ==Description==<br /> Trivium's 288-bit internal state consists of three [[shift register]]s of different lengths. At each round, a bit is shifted into each of the three shift registers using a non-linear combination of taps from that and one other register; one bit of output is produced. To initialize the cipher, the key and IV are written into two of the shift registers, with the remaining bits starting in a fixed pattern; the cipher state is then updated 4 &amp;times; 288 = 1152 times, so that every bit of the internal state depends on every bit of the key and of the IV in a complex nonlinear way.<br /> <br /> No taps appear on the first 64 bits of each shift register, so each novel state bit is not used until at least 64 rounds after it is generated. This is the key to Trivium's software performance and flexibility in hardware.<br /> <br /> Trivium may be specified very concisely using three recursive equations and an output equation:<br /> <br /> *''r''&lt;sub&gt;''i''&lt;/sub&gt; = ''c''&lt;sub&gt;''i''-66&lt;/sub&gt; + ''c''&lt;sub&gt;''i''-111&lt;/sub&gt; + ''a''&lt;sub&gt;''i''-66&lt;/sub&gt; + ''a''&lt;sub&gt;''i''-93&lt;/sub&gt; + ''b''&lt;sub&gt;''i''-69&lt;/sub&gt; + ''b''&lt;sub&gt;''i''-84&lt;/sub&gt;<br /> *''a''&lt;sub&gt;''i''&lt;/sub&gt; = ''c''&lt;sub&gt;''i''-66&lt;/sub&gt; + ''c''&lt;sub&gt;''i''-111&lt;/sub&gt; + ''c''&lt;sub&gt;''i''-110&lt;/sub&gt; ''c''&lt;sub&gt;''i''-109&lt;/sub&gt; + ''a''&lt;sub&gt;''i''-69&lt;/sub&gt;<br /> *''b''&lt;sub&gt;''i''&lt;/sub&gt; = ''a''&lt;sub&gt;''i''-66&lt;/sub&gt; + ''a''&lt;sub&gt;''i''-93&lt;/sub&gt; + ''a''&lt;sub&gt;''i''-92&lt;/sub&gt; ''a''&lt;sub&gt;''i''-91&lt;/sub&gt; + ''b''&lt;sub&gt;''i''-78&lt;/sub&gt;<br /> *''c''&lt;sub&gt;''i''&lt;/sub&gt; = ''b''&lt;sub&gt;''i''-69&lt;/sub&gt; + ''b''&lt;sub&gt;''i''-84&lt;/sub&gt; + ''b''&lt;sub&gt;''i''-83&lt;/sub&gt; ''b''&lt;sub&gt;''i''-82&lt;/sub&gt; + ''c''&lt;sub&gt;''i''-87&lt;/sub&gt;<br /> <br /> where each ''r''&lt;sub&gt;''i''&lt;/sub&gt;, ''a''&lt;sub&gt;''i''&lt;/sub&gt;, ''b''&lt;sub&gt;''i''&lt;/sub&gt;, ''c''&lt;sub&gt;''i''&lt;/sub&gt; is an element of [[finite field|GF]](2). ''r''&lt;sub&gt;0&lt;/sub&gt; ... is the stream of output bits. Given an 80-bit key ''k''&lt;sub&gt;''0''&lt;/sub&gt; ... ''k''&lt;sub&gt;79&lt;/sub&gt; and an ''l''-bit IV ''v''&lt;sub&gt;0&lt;/sub&gt; ... ''v''&lt;sub&gt;''l''-1&lt;/sub&gt;, Trivium is initialized as follows:<br /> <br /> *(''a''&lt;sub&gt;-1245&lt;/sub&gt; ... ''a''&lt;sub&gt;-1153&lt;/sub&gt;) = (0, 0, ... 0, ''k''&lt;sub&gt;0&lt;/sub&gt; ... ''k''&lt;sub&gt;79&lt;/sub&gt;)<br /> *(''b''&lt;sub&gt;-1236&lt;/sub&gt; ... ''b''&lt;sub&gt;-1153&lt;/sub&gt;) = (0, 0, ... 0, ''v''&lt;sub&gt;0&lt;/sub&gt; ... ''v''&lt;sub&gt;''l''-1&lt;/sub&gt;)<br /> *(''c''&lt;sub&gt;-1263&lt;/sub&gt; ... ''c''&lt;sub&gt;-1153&lt;/sub&gt;) = (1, 1, 1, 0, 0, ... 0)<br /> <br /> ==Performance==<br /> A straightforward hardware implementation of Trivium would use 3488 [[logic gate]]s and produce one bit per clock cycle. However, because each novel state bit is not used for at least 64 rounds, 64 state bits can be generated in parallel at a slightly greater hardware cost of 5504 gates. Different tradeoffs between speed and area are also possible.<br /> <br /> The same property allows an efficient bitslice implementation in software; performance testing by [[eSTREAM]] gives bulk encryption speeds of around 4 cycles/byte on some [[x86]] platforms, which compares well to the 19 cycles/byte of the [[Advanced Encryption Standard|AES]] reference implementation on the same platform.<br /> <br /> ==Security==<br /> Trivium's security is bounded by its 80-bit key length.
As of January [[2006]], no cryptanalytic attacks better than [[brute force attack]] are known; the best attack, by [[Shahram Khazaei]], requires around 2&lt;sup&gt;135&lt;/sup&gt; operations [http://www.ecrypt.eu.org/stream/phorum/read.php?1,448].<br /> <br /> A detailed justification of the design of Trivium is given in the paper &quot;Trivium - A Stream Cipher Construction Inspired by Block Cipher Design Principles&quot;.<br /> <br /> No new design should be fielded for real use until it has survived a period of public scrutiny, and Trivium's design is also fairly novel. The authors express the hope that its simple design should inspire greater confidence in its security once it survives such scrutiny.<br /> <br /> ==External links==<br /> * [http://www.ecrypt.eu.org/stream/ciphers/trivium/trivium.pdf Trivium specification] ([[PDF]])<br /> * [http://www.ecrypt.eu.org/stream/papersdir/2006/021.pdf Trivium - A Stream Cipher Construction Inspired by Block Cipher Design Principles] ([[PDF]])<br /> * [http://www.ecrypt.eu.org/stream/trivium.html eSTREAM page on Trivium]<br /> <br /> {{stream ciphers}}<br /> [[Category:Stream ciphers]]</div> Ciphergoth

https://de.wikipedia.org/w/index.php?title=Trivium_(Algorithmus)&diff=83575864 Trivium (Algorithmus) 2006-02-27T08:40:06Z <p>Ciphergoth: /* Description */ complete spec is so tiny we might as well add it here</p> <hr /> <div>[[Image:Trivium_(cipher).png|thumb|300px|right|Structure of Trivium]]<br /> '''Trivium''' is a simple synchronous [[stream cipher]] designed to provide a flexible trade-off between speed and [[gate count]] in hardware, and reasonably efficient software implementation. It generates up to 2&lt;sup&gt;64&lt;/sup&gt; [[bit]]s of output from an 80-bit [[key length|key]] and an 80-bit [[initialization vector|IV]].<br /> <br /> Trivium was submitted to the Profile II (hardware) of the [[eSTREAM]] competition by its authors, [[Christophe De Cannière]] and [[Bart Preneel]].
It is not patented.<br /> <br /> ==Description==<br /> Trivium's 288-bit internal state consists of three [[shift register]]s of different lengths. At each round, a bit is shifted into each of the three shift registers using a non-linear combination of taps from that and one other register; one bit of output is produced. To initialize the cipher, the key and IV are written into two of the shift registers, with the remaining bits starting in a fixed pattern; the cipher state is then updated 4 &amp;times; 288 = 1152 times, so that every bit of the internal state depends on every bit of the key and of the IV in a complex nonlinear way.<br /> <br /> No taps appear on the first 64 bits of each shift register, so each novel state bit is not used until at least 64 rounds after it is generated. This is the key to Trivium's software performance and flexibility in hardware.<br /> <br /> Trivium may be specified very concisely using three recursive equations and an output equation:<br /> <br /> *''r''&lt;sub&gt;''i''&lt;/sub&gt; = ''c''&lt;sub&gt;''i''-66&lt;/sub&gt; + ''c''&lt;sub&gt;''i''-111&lt;/sub&gt; + ''a''&lt;sub&gt;''i''-66&lt;/sub&gt; + ''a''&lt;sub&gt;''i''-93&lt;/sub&gt; + ''b''&lt;sub&gt;''i''-69&lt;/sub&gt; + ''b''&lt;sub&gt;''i''-84&lt;/sub&gt;<br /> *''a''&lt;sub&gt;''i''&lt;/sub&gt; = ''c''&lt;sub&gt;''i''-66&lt;/sub&gt; + ''c''&lt;sub&gt;''i''-111&lt;/sub&gt; + ''c''&lt;sub&gt;''i''-110&lt;/sub&gt; ''c''&lt;sub&gt;''i''-109&lt;/sub&gt; + ''a''&lt;sub&gt;''i''-69&lt;/sub&gt;<br /> *''b''&lt;sub&gt;''i''&lt;/sub&gt; = ''a''&lt;sub&gt;''i''-66&lt;/sub&gt; + ''a''&lt;sub&gt;''i''-93&lt;/sub&gt; + ''a''&lt;sub&gt;''i''-92&lt;/sub&gt; ''a''&lt;sub&gt;''i''-91&lt;/sub&gt; + ''b''&lt;sub&gt;''i''-78&lt;/sub&gt;<br /> *''c''&lt;sub&gt;''i''&lt;/sub&gt; = ''b''&lt;sub&gt;''i''-69&lt;/sub&gt; + ''b''&lt;sub&gt;''i''-84&lt;/sub&gt; + ''b''&lt;sub&gt;''i''-83&lt;/sub&gt; ''b''&lt;sub&gt;''i''-82&lt;/sub&gt; + ''c''&lt;sub&gt;''i''-87&lt;/sub&gt;<br /> <br /> where each ''r''&lt;sub&gt;''i''&lt;/sub&gt;, ''a''&lt;sub&gt;''i''&lt;/sub&gt;, ''b''&lt;sub&gt;''i''&lt;/sub&gt;, ''c''&lt;sub&gt;''i''&lt;/sub&gt; is an element of [[finite field|GF]](2). ''r''&lt;sub&gt;''0''&lt;/sub&gt; ... is the stream of output bits.<br /> <br /> ==Performance==<br /> A straightforward hardware implementation of Trivium would use 3488 [[logic gate]]s and produce one bit per clock cycle. However, because each novel state bit is not used for at least 64 rounds, 64 state bits can be generated in parallel at a slightly greater hardware cost of 5504 gates. Different tradeoffs between speed and area are also possible.<br /> <br /> The same property allows an efficient bitslice implementation in software; performance testing by [[eSTREAM]] gives bulk encryption speeds of around 4 cycles/byte on some [[x86]] platforms, which compares well to the 19 cycles/byte of the [[Advanced Encryption Standard|AES]] reference implementation on the same platform.<br /> <br /> ==Security==<br /> Trivium's security is bounded by its 80-bit key length. As of January [[2006]], no cryptanalytic attacks better than [[brute force attack]] are known; the best attack, by [[Shahram Khazaei]], requires around 2&lt;sup&gt;135&lt;/sup&gt; operations [http://www.ecrypt.eu.org/stream/phorum/read.php?1,448].<br /> <br /> A detailed justification of the design of Trivium is given in the paper &quot;Trivium - A Stream Cipher Construction Inspired by Block Cipher Design Principles&quot;.<br /> <br /> No new design should be fielded for real use until it has survived a period of public scrutiny, and Trivium's design is also fairly novel.
The authors express the hope that its simple design should inspire greater confidence in its security once it survives such scrutiny.<br /> <br /> ==External links==<br /> * [http://www.ecrypt.eu.org/stream/ciphers/trivium/trivium.pdf Trivium specification] ([[PDF]])<br /> * [http://www.ecrypt.eu.org/stream/papersdir/2006/021.pdf Trivium - A Stream Cipher Construction Inspired by Block Cipher Design Principles] ([[PDF]])<br /> * [http://www.ecrypt.eu.org/stream/trivium.html eSTREAM page on Trivium]<br /> <br /> {{stream ciphers}}<br /> [[Category:Stream ciphers]]</div> Ciphergoth
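The three recurrences and the output equation from the Description section above, with the key/IV loading, the 1152 blank rounds and the 64-rounds-at-once clocking that the Performance section attributes to the untapped first 64 bits, as an added Python example (not the designers' or eSTREAM's code). The mapping of key, IV and keystream bits onto bytes (bit 1 is the most significant bit of byte 0) is an assumption, since the page fixes no byte order; the sample key and IV used below are constructed.

```python
"""Trivium built directly from the three recurrences and the output equation on this page,
with an optional 64-rounds-per-step clock that uses the 'no taps on the first 64 bits'
property (added example; the byte-to-bit order, bit 1 = MSB of byte 0, is an assumption)."""
from collections import deque

WARMUP = 4 * 288  # 1152 blank rounds after loading key and IV


def _bits(data: bytes, n: int) -> list:
    return [(data[i >> 3] >> (7 - (i & 7))) & 1 for i in range(n)]


class Trivium:
    """Registers a (93 bits), b (84), c (111); index 0 is newest, so a[k-1] is a_{i-k}."""

    def __init__(self, key: bytes, iv: bytes, parallel: bool = False) -> None:
        if len(key) != 10 or len(iv) != 10:
            raise ValueError("Trivium takes an 80-bit key and an 80-bit IV")
        self.a = deque(_bits(key, 80) + [0] * 13, maxlen=93)  # key, zero padded
        self.b = deque(_bits(iv, 80) + [0] * 4, maxlen=84)    # IV, zero padded
        self.c = deque([0] * 108 + [1, 1, 1], maxlen=111)     # fixed pattern: last three bits set
        self.parallel, self.buf = parallel, []
        for _ in range(WARMUP // 64 if parallel else WARMUP):
            self.step()

    def step(self) -> list:
        """Serial: one round. Parallel: 64 rounds from one state snapshot; every tap
        index is >= 65, so rounds i..i+63 read only bits that exist before the batch
        (the property behind the 64 bits/clock hardware figure). maxlen drops old bits."""
        a, b, c = self.a, self.b, self.c
        r, na, nb, nc = [], [], [], []
        for k in range(64 if self.parallel else 1):
            r.append(c[65-k] ^ c[110-k] ^ a[65-k] ^ a[92-k] ^ b[68-k] ^ b[83-k])
            na.append(c[65-k] ^ c[110-k] ^ (c[109-k] & c[108-k]) ^ a[68-k])
            nb.append(a[65-k] ^ a[92-k] ^ (a[91-k] & a[90-k]) ^ b[77-k])
            nc.append(b[68-k] ^ b[83-k] ^ (b[82-k] & b[81-k]) ^ c[86-k])
        for x, y, z in zip(na, nb, nc):  # shift the batch in, oldest round first
            a.appendleft(x); b.appendleft(y); c.appendleft(z)
        return r

    def keystream(self, nbytes: int) -> bytes:
        bits = self.buf  # bits left over from an earlier call, if any
        while len(bits) < 8 * nbytes:
            bits.extend(self.step())
        bits, self.buf = bits[:8 * nbytes], bits[8 * nbytes:]
        return bytes(sum(bit << (7 - j) for j, bit in enumerate(bits[i:i + 8]))
                     for i in range(0, 8 * nbytes, 8))


def encrypt(key: bytes, iv: bytes, data: bytes, parallel: bool = False) -> bytes:
    """XOR data with the Trivium keystream; the same call decrypts."""
    return bytes(p ^ k for p, k in zip(data, Trivium(key, iv, parallel).keystream(len(data))))
```

The serial and 64-way clocks must agree bit for bit; if a tap index were below 64 the parallel path would read a stale bit and the two keystreams would diverge.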
