 Thank you very much for listening to my talk. I'm Yosuke Todo, and I'd like to talk about modeling for a three-subset division property with an unknown subset. This is a joint work with Yonlin Howe, Grego Render, Miri Meijie, and Jinju Wai. First, I want to explain the overview of my talk. So, the topic is about cube attack. And cube attack was proposed by Dinyo and Shamil at Buelocrit 2009. Cube attack is a variant of higher-order differential crypt analysis. And the main target is stream cipher. So, in cube attack, the function f is a target, and this is a stream cipher. And x is a path secret, and v is a public. So now, we assume the function f is decomposed like this equation. So, the goal is to recover this polynomial called superpoly. So, if we can recover simple superpoly, then we can attack stream cipher. So, for the cube attack, the main goal is to recover the superpoly. We have several approaches. The first approach was proposed by Dinyo and Shamil, and this method is experimental method. Another method was recently proposed by crypt in crypt 2017, and this method uses theoretical algorithm. Very recently, so more general genetic algorithm using three subset division property was proposed at Azure Grid last year. So, if we use this technique, we can recover the exact superpoly even if cube size is very large. But this algorithm conceptually works, but if we want to apply this algorithm for the best attack against stream cipher, it's far from practical. So, now we want to propose a new algorithm dedicated for superpoly recovery. This is the result of our new algorithm, and we have two types of results. The first one is the degeneration results, where we report some errors about the previous best-key recovery attack. At crypt 2018, the best-key recovery attack against stream beam was proposed, but our algorithm detected that there is a flow on their degree estimation. Unfortunately, this error is critical, and this attack no longer works. At crypt 2018, we also have the best-key recovery attack against grain 128A. On this attack, the superpoly is much simpler than the authors expected, and the key recovery attack is degenerated to the distinguishing attack. Another result is the best-key recovery attack, where the superpoly for 841 round stream beam is recovered, and this superpoly recovery was already updated to 842 rounds in our full version. For grain 128A, we showed the superpoly recovery for 190 rounds. Let's start the main talk, and first I want to explain what is cube attack. The main target of cube attack is stream cipher, and the input of stream cipher is secret variables and public variables, and the z is the first bit of key stream, and function f is stream cipher, and it's a public function. In cube attack, we first prepare the indices of active bits described by i, and ci is the set of 2 to the i values, where vi is active. Assuming the function f is decomposed like this, then the sum of z over the cube is equal to the superpoly pi. So, attackers can recover secret variables x by analyzing superpoly, but if we want to do it, we need to recover superpoly in advance, and superpoly must be simple. This is the history of cube attack. The first generation was proposed by Dnew and Shamier, and this method used superpoly recovery by experimental approach. It means we first create cube at random, and compute the sum by experiment and check. So, if we use this technique, the cube size i must be practical. For example, the size i is up to 32. In the second generation was proposed at crypt 2017, and in this method, complexity to recover superpoly is bounded theoretically, but we need an assumption. So, in the second generation, this idea used the bit-based division property instead of experimental approach. First, we prepare the initial division property corresponding to cube, and if we use this initial point, it means the target is xj, and k is a bit vector such that v2 to the k is equal to ta. And we check the propagation of division property from initial to output, and if there is no division trade, then we know xj is not involved to the superpoly. And we can check the existence of division trade by using milk easily. So, we just check the secret variables that might be involved, and if fj is the size of the involved secret variables, the complexity to recover superpoly is bounded by 2 to the i plus j. But in this method, we assume that the secret key is involved if there is a division trade. So, if this assumption doesn't hold, the attack would be degenerated to distinguishing attack from key recovery attack. So, in the third generation, this assumption is removed, and exact superpoly is recovered with practical time. But how to do it? So, original preliminary idea was already introduced at Azure Crypt last year. More accurate method called 3-subset division property is used. 3-subset division property was originally proposed at FSE 2016, but unfortunately, there was no efficient algorithm. So, it's unlikely to apply this more accurate method to 3-incypher. But last Azure Crypt, an efficient milk-based algorithm was first proposed. So, in the bit-based division property used the set of k and the set of 0, but in the 3-subset division property, it used the set of 0 and the set of k and set of l. But if we want to use this 3-subset division property to recover the superpoly, we need more accurate one called 3-subset division property with that unknown subset. In this case, the set of k is removed from the 3-subset division property. But fortunately, original algorithm for 3-subset division property is directly applied to this one. But unfortunately, so that if we direct this direct application cannot produce the best attack against 3-incypher and only degeneration of the best attack was shown. So, this reason is the algorithm at Azure Crypt was originally designed for the 3-subset division property with unknown subset. So, I think the direct application to the cube attack is not always efficient. So, our approach is we propose a new algorithm dedicated to the 3-subset division property with that unknown subset. So, now I want to explain the division train and the 3-subset division train. For simplicity, I want to explain everything by using graph. The goal is to check if f2 to the r of x has a monomial x to the u or not. In this setting, we first prepare the initial division property and this property is a bit vector whose length is the same as block size. And this bit vector is exactly same as u, this u. The final division property is also bit vector. Where the ice bit is 1 if we focus on the ice bit of f2 to the r of x and other bits are 0. Next, we generate the division property for k1 by using the propagation rule. And we apply this propagation rule repeatedly. So, we get k2, get kr-2, and get kr-1, then kr. So, now we check the existence of division train from beginning to the end. In this example, we have this red line. So, it means there is a division train. So, in this case, we say there could be x to the u in f2 to the r. But for example, if this train is removed nothing, in that case, there is no train from beginning to the end. In this case, we know there is no x to the u in the polynomial f to the r. But this property means, so even if we use bit base division property, we cannot detect the fact this monomial is always involved. So, this property is the reason of assumptions we need in the second generation cube attack. So, three subset division property is promising improvement because it is more accurate than the bit base division property. In the three subset division property, we need to manage two different graphs, k-graph and l-graph. The k-graph is exactly the same as the original one, but l-graph as a propagation rule is slightly different. And the propagation rule is very complicated. And it's very, very difficult to model everything by using milk because of two main reasons. So, one reason is unknown producing property. This property is a new node for k is generated by the node of l. And cancellation property is another issue. So, in that case, so that if there are even number different sources, the new bit vector in l must be removed. Unfortunately, if we want to use milk or such to model the three subset division property, it is very difficult to manage these two properties. Very recently, at Asia Crypt 2019, the first efficient algorithm for three subset division property was proposed. This idea is the breast-fast search algorithm with milk-based pruning. So, in the three subset division property, we need to manage two graphs. And for first one, for k-part, this algorithm is the same as non-milk-based algorithm. For n-part, we first apply the trivial breast-fast search algorithm. But after we get node, each node, we call milk again. And then we check this node is meaningful or not. So, they said this technique is milk-based pruning techniques. And this example, for l1, we have five nodes. But after applying milk-based pruning technique, only two nodes are remained and other three nodes are removed. And repeat. In this case, cancellation property is easily managed. If we use this algorithm, we need to solve the sum of sides of LI milk problems. It means if the size of a node is not so many, this algorithm is practical. But if the size of node is extremely high, much, then unfortunately, this algorithm is not so practical. So now, I want to propose more simple method. Actually, our strategy is very simple. So, first, previous algorithm at Azure Crypt 2019 was originally designed for three subset division property with unknown subset. So, this property is for the block cipher. So, the supposed application is a block cipher. But this algorithm can be also applied to the superpoly recovery. But this direct application is not always efficient. So, eventually, this algorithm can't recover the superpoly of trimming with the best attack. So, now, we design a new algorithm by dedicating to the three subset division property without unknown subset. In our case, we focus on the three subset division property without unknown subset. So, it means we no longer have the graph 4k. We only have the graph 4L. So, we don't need to manage unknown producing property because there is no graph in k. So, only the remaining problem is only cancellation property. But now, we don't have the k graph. So, in that case, we don't need to manage all intermediate nodes. So, in this case, extremely, the cancellation at the final round is no problem. It means we just enumerate all trade from start from beginning to the end. So, this is the summary of the comparisons of the previous algorithm for bitbase division property and our algorithm. For the first, the model is different. Previous one used the model for the propagation for k, but our one, we use the propagation for L. It is slightly different. So, for propagation rule for the division property, we have three rules for copy and x to L. For copy rule, previous one uses an plus, but our one is all. And under rule, previous one is b is greater than equal to ai, but our one is b is equal to ai. For x, the rule is exactly the same. So, our new modeling is very, very similar, but different. And the goal is also different. Previous one is to check the existence of trade, but our one, we need to check the number of trades. And if this number is odd, we know x to the u is always involved. And if it's even, no x to the u. And the advantage of our new algorithm is super poly friendly. So, super poly recovery friendly. So, it means we need to, so actually, so that if we want to recover the super poly, we need to recover all ANF coefficients. And our algorithm can recover super poly by calling only one milk problem. So, how to do it? So, the first, we want to create initial division property. But in this, in this case, for secret variables, we set arbitrary, and for public variables, if it's active, we set this bit is constrained by one. And if it's zero, constant zero, this value, this bit is constrained by zero. And if it is one, we set this bit is arbitrary. And learn only one milk problem and emulate all trades. And after we enumerate all trades, we count the number of each initial division property and check the number of initial division properties appears. So, now we apply this new algorithm to the cube attack. So, this is the result for cube attack against trivial. Previous best attack is for 839 rounds. But this cube attack is already degenerated to the distinguishing attack. But it implies the super poly is much simpler than we expected. So, we just try the same similar cube to attack 840 rounds. And this is the result of the initial, the list of initial division property and this is the result of the super poly. So, this cube used the dimension of this cube is 78. So, it's very, very large. But we can recover the super poly with practical time. And this super poly is balanced function because there is x12 and this bit is missing in other monomers. So, this is the summary of applications. So, we have two types result. The first one is degeneration result. So, first, the degeneration to distinguish share for a tree beam was already proposed. And we also show as a flow in the degree estimation in crypto 18 papers and we show this attack does work. And grain and acorn has the similar issues about the previous tree beam degeneration result. So, we know previous best key recovery attack is distinguishing attack. And we also improved the best key recovery attack for tree beam, grain, acorn and tree beam. And for tree beam, our camera ready version only attack 841 rounds, but our full versions we already recover as super poly for 842 rounds. So, I conclude my talk. I propose a new tool and this tool is very simple and easy to implement. And this tool can by using this tool, we get new generation tube attacks. So, we no longer need solitical step to recover the super poly and super polys that lead to the best key recovery attack can be recovered. So, we get the best key recovery attack for tree beam, grain, acorn and tree beam. Thank you very much for listening my talk.