Hill Climbing Algorithms and Trivium

Julia Borghoff (1), Lars R. Knudsen (1), and Krystian Matusiewicz (2)

(1) Department of Mathematics, Technical University of Denmark, {J.Borghoff,Lars.R.Knudsen}@mat.dtu.dk
(2) Institute of Mathematics and Computer Science, Wroclaw University of Technology, Krystian.Matusiewicz@pwr.wroc.pl

Abstract. This paper proposes a new method to solve certain classes of systems of multivariate equations over the binary field and its cryptanalytical applications. We show how heuristic optimization methods such as hill climbing algorithms can be relevant to solving systems of multivariate equations. A characteristic of equation systems that may be efficiently solvable by means of such algorithms is provided. As an example, we investigate equation systems induced by the problem of recovering the internal state of the stream cipher Trivium. We propose an improved variant of the simulated annealing method that seems to be well-suited for this type of system and provide some experimental results.

Keywords: simulated annealing, cryptanalysis, Trivium.

1 Introduction

Cryptanalysis focuses on efficient ways of exploiting, perhaps unexpected, structure of cryptographic problems. It could be a difference which propagates with a high probability through the cipher, as used in differential cryptanalysis [6,2], or a linear approximation of the non-linear parts of a cipher that holds for many of the possible inputs, as is the case in linear cryptanalysis [20]. More recently, the so-called algebraic attacks have received much attention. They exploit the fact that many cryptographic primitives can be described by sparse multivariate non-linear equations over the binary field in such a way that solving these equations recovers the secret key or, in the case of stream ciphers, the initial state. In general, solving random systems of multivariate non-linear Boolean equations is an NP-hard problem [12].
However, when the system has a specific structure, we can hope that more efficient methods may exist. One technique to tackle such equation systems is linearisation, where each non-linear term is replaced by an independent linear variable. It works only if there are enough linearly independent equations in the resulting system. The XL algorithm [7] increases the number of equations by multiplying them with all monomials of a certain degree. It has been refined to the XSL algorithm [9], which, when applied to the AES, exploits the special structure of the equation

A. Biryukov, G. Gong, and D.R. Stinson (Eds.): SAC 2010, LNCS 6544, pp. 57–73, 2011. © Springer-Verlag Berlin Heidelberg 2011
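The following is an added example, not code from the paper or its authors. It works on a constructed toy system of five quadratic equations in four Boolean variables with a planted solution, and it illustrates two things discussed above: the linearisation and XL steps from the introduction (every monomial becomes a column of a GF(2) matrix, and XL multiplies each equation by all low-degree monomials to grow the row count and, possibly, the rank), and the hill-climbing view from the abstract, where the number of unsatisfied equations is the cost that a plain textbook simulated annealing loop minimises. The annealing here is the standard Metropolis variant, not the paper's improved one, and all equations, names and parameters (`SYSTEM`, `xl_extend`, `simulated_annealing`, the cooling factor 0.98) are this example's own assumptions.

```python
"""Toy GF(2) polynomial systems: linearisation/XL rank check and simulated annealing.

Added example, not from the paper.  An equation is a frozenset of monomials whose
XOR-sum must be 0; a monomial is a frozenset of variable indices, frozenset() is 1.
"""
import itertools
import math
import random


def poly(*monomials):
    """Build an equation from monomials given as tuples of variable indices.
    Adding the same monomial twice cancels it (coefficients live in GF(2))."""
    eq = set()
    for m in monomials:
        eq ^= {frozenset(m)}
    return frozenset(eq)


def evaluate(eq, x):
    """Value in {0,1} of the equation's left-hand side at assignment x."""
    return sum(all(x[i] for i in m) for m in eq) & 1


def cost(system, x):
    """Number of unsatisfied equations: the objective a hill climber minimises."""
    return sum(evaluate(eq, x) for eq in system)


# Constructed toy system with planted solution (1, 0, 1, 1):
#   x0x1 + x2 + 1,  x1x2 + x0 + x3,  x2x3 + x1 + 1,  x0x3 + x1 + x2,  x0x2 + x3
N_VARS = 4
SYSTEM = [
    poly((0, 1), (2,), ()),
    poly((1, 2), (0,), (3,)),
    poly((2, 3), (1,), ()),
    poly((0, 3), (1,), (2,)),
    poly((0, 2), (3,)),
]


def gf2_rank(rows):
    """Rank over GF(2) of rows given as integer bitmasks (one bit per column)."""
    pivots = {}  # highest set bit -> stored row having that pivot
    for r in rows:
        while r:
            h = r.bit_length() - 1
            if h in pivots:
                r ^= pivots[h]  # clears bit h and only touches lower bits
            else:
                pivots[h] = r
                break
    return len(pivots)


def linearise(system):
    """Treat every non-constant monomial as an independent linear variable.
    Returns (rank, number of monomial columns); the linear system determines
    every monomial only when rank == columns.  Constants form the right-hand side."""
    monos = sorted({m for eq in system for m in eq if m},
                   key=lambda m: (len(m), sorted(m)))
    col = {m: i for i, m in enumerate(monos)}
    rows = [sum(1 << col[m] for m in eq if m) for eq in system]
    return gf2_rank(rows), len(monos)


def xl_extend(system, n_vars, degree):
    """XL step: multiply every equation by every monomial of degree <= `degree`.
    Over Boolean assignments x_i^2 = x_i, so a product of monomials is the union
    of their index sets; colliding products cancel in GF(2)."""
    multipliers = [frozenset(c) for d in range(degree + 1)
                   for c in itertools.combinations(range(n_vars), d)]
    extended = []
    for eq in system:
        for mult in multipliers:
            prod = set()
            for m in eq:
                prod ^= {m | mult}
            extended.append(frozenset(prod))
    return extended


def brute_force(system, n_vars):
    """All satisfying assignments; only feasible for a toy-sized system."""
    return [list(x) for x in itertools.product((0, 1), repeat=n_vars)
            if cost(system, x) == 0]


def simulated_annealing(system, n_vars, steps=500, restarts=20, t0=1.0, seed=1):
    """Minimise cost() by single-bit flips with Metropolis acceptance and a
    geometric cooling schedule, restarting from a fresh random point.
    Returns (assignment, cost); cost 0 means every equation is satisfied."""
    rng = random.Random(seed)
    best, best_cost = None, None
    for _ in range(restarts):
        x = [rng.randrange(2) for _ in range(n_vars)]
        c = cost(system, x)
        temp = t0
        for _ in range(steps):
            if c == 0:
                return x, 0
            i = rng.randrange(n_vars)
            x[i] ^= 1
            c_new = cost(system, x)
            delta = c_new - c
            if delta <= 0 or rng.random() < math.exp(-delta / temp):
                c = c_new
            else:
                x[i] ^= 1  # rejected move: undo the flip
            temp *= 0.98
        if best is None or c < best_cost:
            best, best_cost = list(x), c
    return best, best_cost


if __name__ == "__main__":
    rank, cols = linearise(SYSTEM)
    print(f"linearisation: rank {rank} of {cols} monomial columns")
    xl = xl_extend(SYSTEM, N_VARS, 1)
    rank_xl, cols_xl = linearise(xl)
    print(f"XL (degree 1): {len(xl)} equations, rank {rank_xl} of {cols_xl} columns")
    print("brute-force solutions:", brute_force(SYSTEM, N_VARS))
    print("simulated annealing:", simulated_annealing(SYSTEM, N_VARS))
```

Each original equation carries a distinct quadratic monomial, so the five rows are independent, but nine monomial columns are needed and plain linearisation cannot pin them all down; the degree-1 XL step produces 25 equations and can only raise the rank, though whether it reaches full rank depends on the system. The annealing loop needs none of this algebra: it only counts unsatisfied equations, which is exactly why the paper asks which systems make that cost landscape easy to descend.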