Hello everyone, my name is Kai Hu, and I will present a work named Massive Superpoly Recovery with Nested Monomial Predictions. This is joint work with Siwei Sun, Yosuke Todo, Meiqin Wang, and Qingju Wang. This presentation consists of four parts. In the first part, I will give some background knowledge about the cube attack and superpoly recovery. Secondly, I will introduce our first technical contribution, an efficient framework for massive superpoly recovery. Thirdly, I will show how to mount key-recovery attacks based on the massive superpolies we recovered. Lastly, I will summarize this work.

The cube attack was proposed by Dinur and Shamir at EUROCRYPT 2009. In this attack, a Boolean polynomial can be simplified by focusing on the coefficient of one cube monomial x^u. The value of the superpoly can be calculated via the Möbius transform, that is, by summing the cipher's outputs over the cube (a small sketch of this summation follows this part). The superpoly will be a function of the secret key only if we set the non-cube IV bits to zero. If we can recover the ANF of the superpoly, then we get one equation in k, and some key information may be extracted.

In the very early stage, superpolies could only be recovered by experimental methods, so only simple superpolies could be recovered in this way. A breakthrough occurred at CRYPTO 2017: Todo et al. introduced the division property into the cube attack. Then we no longer need to rely on experimental methods; theoretical analysis becomes possible. There are many follow-up works along this direction, and there are also some algebraic methods in the literature.

For a composition of Boolean functions, the monomial prediction (or the division property) allows us to predict whether a monomial x^u does or does not appear in the polynomial of an output bit y by counting the number of so-called monomial trails or division trails. For a cube term x^u, if we can determine all possible monomials k^w x^u, then the superpoly can be determined accordingly.

However, previous methods face a challenge. The superpolies recovered in the literature are all of low degree and with a small number of terms, but as the number of rounds increases, superpolies become more and more complex. We directly applied the monomial prediction to recover the superpoly of 843-round Trivium; unfortunately, no result was obtained within one month. So the challenge is how to recover a massive superpoly.

In this paper, we give an efficient framework with nested usage of the monomial prediction. Given the output bit of an r-round stream cipher, we first choose a positive number r0 and expand the output bit into the intermediate state after r − r0 rounds. In other words, the output bit is written as a polynomial of the state after r − r0 rounds, and all its monomials are pushed into a set S^(r−r0). Then, for each monomial in this set, we construct an MILP model to compute the corresponding partial superpoly with the monomial prediction, but we impose a time limit τ on the model. After the time is up, the monomials in S^(r−r0) fall into three disjoint sets. In the first case, the MILP model for the monomial is solved and infeasible; then we know the monomial has no contribution to the final superpoly. In the second case, the MILP model for the monomial is solved and feasible; then we can extract the partial superpoly from this monomial. In the last case, the MILP model cannot be determined to be feasible or infeasible within the time limit; then we expand every such monomial into the state of a deeper round and repeat this process.
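To make the cube summation from the background part concrete, here is a minimal Python sketch. The toy output function f and all names below are hypothetical illustrations, not part of the talk or the targeted ciphers.

```python
from itertools import product

def cube_sum(f, cube_indices, iv_len, key):
    """Compute the superpoly value p(key) by XOR-summing the output bit
    f(iv, key) over all assignments of the cube variables, with the
    non-cube IV bits fixed to zero (as in the talk)."""
    acc = 0
    for bits in product((0, 1), repeat=len(cube_indices)):
        iv = [0] * iv_len                 # non-cube IV bits set to zero
        for idx, b in zip(cube_indices, bits):
            iv[idx] = b                   # enumerate the cube C_I
        acc ^= f(iv, key)                 # XOR-sum over the cube
    return acc

# Toy "cipher" output: f = x0*x1*(k0 + k1*k2) + x0*k2.
# The superpoly of the cube {x0, x1} is k0 + k1*k2.
f = lambda iv, k: (iv[0] & iv[1] & (k[0] ^ (k[1] & k[2]))) ^ (iv[0] & k[2])
print(cube_sum(f, [0, 1], iv_len=2, key=[1, 1, 1]))  # -> 0, i.e. 1 ^ (1 & 1)
```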
When the undetermined set is empty, the superpoly is totally recovered: we collect all the partial superpolies along the way and sum them up to obtain the final superpoly.

We have a short discussion on the choices of τ and the ri, both of which affect the efficiency. As r − r0 − r1 − ⋯ becomes smaller and closer to 0, in principle τ should be larger and larger. Each ri is chosen such that the number of expanded monomials surpasses a given threshold N; in our experiments, we usually choose N as 10,000 or 100,000. Please note that τ and the ri should be chosen according to the concrete experimental environment.

Next, I will show some results of this new framework. The first application is Trivium. You can see here the five cubes we used in our experiments. These cubes are chosen by adding new indices one by one to the cube given by Liu at CRYPTO 2017. Here is the information on the superpolies we recovered. These superpolies are truly massive, containing hundreds of thousands of monomials and involving all key bits. The superpolies for 843 and 844 rounds can be recovered within two weeks, while the superpoly for 845 rounds takes about three weeks. Their balancedness is tested with 2^15 randomly chosen keys.

The second application is Grain-128AEAD. Please note that if we assume we can observe the first pre-output bit of the initialization phase of Grain-128AEAD, then Grain-128AEAD is identical to Grain-128a. The two cubes are I0 and I1: I0 contains all the nonce (IV) bits, while I1 contains all of them except the 30th. The two superpolies we recovered for 191 rounds are shown here; the time to recover each of them is three to five days.

The third application is Kreyvium. We use a cube of dimension 119, like this. For this cube, the superpoly of 893 rounds is the constant 1, and for 894 rounds the superpoly is small but balanced, with 191 terms and degree 4. Although this superpoly is very simple, it took a month to recover.

Next, we discuss why our framework is more efficient. Firstly, the Gurobi solver is called in a restricted way: we do not rely entirely on its internal optimization, and each call to the solver is bounded by a given time limit. Secondly, the divide-and-conquer strategy is used. Thirdly, since the monomials are handled independently, it is natural to use parallelization to speed up the search; in our experiments, we use 64 threads.

The second technical point is the key recovery based on the superpolies we recovered. Given a superpoly and the sum of the outputs over the cube, we can construct one equation from the superpoly. For n superpolies, suppose the joint distribution of their values is p: for each value v in {0, 1, …, 2^n − 1}, the probability is the corresponding p_v. We can calculate the entropy of this distribution using the definition of entropy, e = −Σ_v p_v · log2(p_v). If the entropy is e, then we can recover e bits of key information on average. To estimate this distribution, we test 2^15 randomly chosen keys.

However, our superpolies are massive and too complicated: all key bits are involved, so naive exhaustive evaluation is impractical for recovering key information, and we have to use some new techniques. As is well known, the Möbius transform is the transformation between the ANF and the truth table of a Boolean function. The complexity is n · 2^(n−1) bit XORs, and the memory is 2^n bits.
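The Möbius transform mentioned here can be implemented as the standard in-place butterfly. Below is a minimal Python sketch; the example polynomial is an illustration, not one of the recovered superpolies.

```python
def mobius_transform(table):
    """In-place Möbius transform of a Boolean function over n variables.
    `table` has length 2^n and maps a truth table to the ANF coefficient
    vector (and back, since the transform is an involution).
    Cost: n * 2^(n-1) bit XORs, memory 2^n bits."""
    n = len(table).bit_length() - 1
    for i in range(n):                     # one butterfly layer per variable
        step = 1 << i
        for j in range(0, len(table), step << 1):
            for k in range(j, j + step):
                table[k + step] ^= table[k]
    return table

# ANF of p(k) = k0 + k1*k2, coefficients indexed by monomial bitmask.
anf = [0] * 8
anf[0b001] = 1                 # k0
anf[0b110] = 1                 # k1*k2
tt = mobius_transform(anf[:])  # truth table: tt[(k2<<2) | (k1<<1) | k0]
print(tt)                      # [0, 1, 0, 1, 0, 1, 1, 0]
```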
Our superpolies are actually sparse, although they are massive: compared to a randomly chosen polynomial, the number of monomials is much smaller. For a sparse superpoly, with a more fine-grained analysis, the time complexity can be reduced to n · 2^(n−2) XORs. Then we can use the Möbius transform together with a divide-and-conquer strategy to do the key recovery.

First, we introduce the disjoint set of a polynomial. Given a superpoly p(k) with n variables, if k_i and k_j are never multiplied together in any monomial of p(k), then we say k_i and k_j are disjoint. If every pair of variables in a subset of variables D is disjoint, we call D a disjoint set. An example is shown here: k0 and k3 are never multiplied together, so we say k0 and k3 are disjoint, and the set containing k0 and k3 is a disjoint set. For n superpolies, we can define the common disjoint set: D is a common disjoint set if it is a disjoint set for every p_i. A disjoint set or a common disjoint set can be found with a greedy algorithm or an SMT model (a small sketch is given at the end of this transcript).

Suppose p(k) has a disjoint set D with m variables, and let J = {k_0, k_1, …, k_{n−1}} \ D. Then p(k) can be written in the form of Equation (1): p(k) = p_0(J) ⊕ k_{i_1} · p_1(J) ⊕ ⋯ ⊕ k_{i_m} · p_m(J), where each p_i(J) is a polynomial of the variables in J, so p_i(J) involves at most n − m variables. We can use the Möbius transform to compute the truth tables of p_0, p_1, …, p_m, and the time complexity for each table is (n − m) · 2^(n−m−2). With the m + 1 truth tables, we can access them and get the values for every combination of the variables in J. Then Equation (1) becomes a linear expression in the variables of D, and some key information can be extracted easily.

The time complexity consists of four parts. Firstly, constructing the truth tables: there are in total m + 1 tables, and (n − m) · 2^(n−m−2) is the cost to construct one table. Secondly, we access the tables and construct the linear equations, which costs the complexity shown here. In the third step, we guess the values of the n − m bits in J; the remaining m bits can then be determined by solving a set of simple linear equations, and this step costs 2^(n−m) guesses, which is small. Lastly, for each guess in the third step, we call the stream cipher oracle to verify the candidate by exhaustive search. We believe the exhaustive search is the dominant part of the complexity, because the previous steps contain only bit operations, which are cheap compared to the initialization of the stream cipher. The memory complexity is (m + 1) · 2^(n−m) bits to store the m + 1 truth tables.

Finally, here are our key results, all of which are currently the best ones in terms of the number of attacked rounds. So in this work, a new efficient framework with nested monomial predictions for massive superpoly recovery is presented. We also give a new key-recovery attack strategy based on the Möbius transform for massive superpolies. The key-recovery attacks on Trivium, Grain-128AEAD, and Kreyvium are improved. Thanks for your attention. If you have any questions, please write an email to me. Thank you.
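As promised above, here is one minimal way the disjoint set discussed in this part could be searched for greedily, sketched in Python. The monomial representation and the greedy order are assumptions for illustration, not the paper's exact algorithm.

```python
from itertools import combinations

def greedy_disjoint_set(monomials, n):
    """Greedily build a disjoint set D for a polynomial given as a list of
    monomials (each monomial = a frozenset of variable indices): no two
    variables of D may ever appear in the same monomial."""
    conflict = [set() for _ in range(n)]
    for mono in monomials:
        for i, j in combinations(mono, 2):  # i and j are multiplied together
            conflict[i].add(j)
            conflict[j].add(i)
    D = []
    for v in range(n):                      # greedy, in index order
        if all(v not in conflict[u] for u in D):
            D.append(v)
    return D

# Example in the spirit of the talk: in p = k0*k1 + k0*k2 + k1*k2 + k2*k3 + k3,
# k0 and k3 are never multiplied together, so {k0, k3} is a disjoint set.
p = [frozenset({0, 1}), frozenset({0, 2}), frozenset({1, 2}),
     frozenset({2, 3}), frozenset({3})]
print(greedy_disjoint_set(p, 4))            # -> [0, 3]
```

For a common disjoint set of several superpolies, the same routine can simply be run on the union of their monomial lists, since a pair of variables is then marked as conflicting if it is multiplied together in any of the polynomials.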