I'll give the talk on behalf of Meicheng. The nonlinear feedback shift register, NFSR for short, is a common component in modern cryptographic primitives. There are a lot of lightweight cryptographic algorithms built on NFSRs, including the stream ciphers Trivium and Grain, the authenticated cipher ACORN, the block ciphers KATAN and KTANTAN, and the hash function Quark. Most cryptographic primitives, including NFSR-based cryptosystems, can be described by tweakable Boolean functions, which contain secret variables and public variables. The algebraic degree of these Boolean functions plays an important role in the security. In fact, a cryptographic primitive with a low algebraic degree is vulnerable to many known attacks, such as higher-order differential attacks, algebraic attacks, cube attacks and integral attacks.

Cube attacks and higher-order differential attacks are the most powerful against NFSR-based cryptosystems. The best known key recovery attacks on Trivium are cube attacks and reach 799 rounds. The best known distinguisher on Trivium covers 839 rounds. The full Grain-128 was broken by dynamic cube attacks. These attacks exploit low-degree relations of the tweakable Boolean functions, that is, the low-degree relations between the IV bits and the keystream bits.

A Boolean function can be written as the sum of the terms which are supersets of t_I and the terms which miss at least one variable from t_I. The basic idea of cube attacks and cube testers is that the symbolic sum of the Boolean function f, taken by assigning all possible values to t_I, is exactly f_S. Cube attacks work by trying to find a low-degree polynomial f_S in the secret bits, while cube testers work by trying to distinguish f_S from random functions.

It is difficult to compute the exact algebraic degree for modern cryptographic primitives. After years of development of cryptanalysis, two major tools have been proposed for estimating the upper bound on the algebraic degree for iterated permutations.
One is based on the Walsh spectrum. The other is based on the division property. However, for NFSR-based cryptosystems, there are few tools for estimating the algebraic degree of NFSR systems, except symbolic computation and statistical analysis. These traditional techniques highly depend on computational capacities, and the results are limited by the computational resources. For example, so far, cubes with size less than 54 have never been utilized in cryptanalysis against NFSR-based cryptosystems. So to gain better attacks, one has to utilize more computational resources, which could turn out to be very expensive.

In this talk, we devote our attention to evaluating the algebraic degree of NFSR-based cryptosystems. To overcome the existing limitations, we exploit a new technique called numeric mapping to iteratively estimate the upper bound on the algebraic degree for the NFSR systems. Based on this new tool, we develop an algorithm for estimating algebraic degrees for NFSR-based cryptosystems. As an illustration, we refine the algorithm for Trivium-like ciphers, including Trivium, Kreyvium, and TriviA-SC.

First, let's see the definition of numeric mapping. Let f be a Boolean function on m variables. The numeric mapping maps the Boolean function f and m integers to one integer. The numeric mapping is denoted by capital DEG. Here, a_c are the coefficients of the algebraic normal form of the Boolean function f. The numeric degree of a composite function is defined as follows. Then we can prove that the algebraic degree of a composite function is less than or equal to its numeric degree.

An NFSR-based cryptosystem usually consists of an update function, g, and an output function f. The internal state is updated by the update function, and the output bit is generated by the output function f after an initialization of a sufficient number of rounds. Keep in mind that the algebraic degree of a composite function does not exceed its numeric degree.
We can easily show that this fact can be applied to NFSR-based cryptosystems. Let's see an example. Suppose we have an NFSR of size eight, and x_t is the update function. Suppose we want to estimate the algebraic degree of x16, the updated bit at clock 16. Then we can iteratively compute x9, x9, x11, x12, x14, and then by the numeric mapping we can calculate the numeric degree of x16, and get that to be six. We can also check that the algebraic degree of x16 is six by calculating the algebraic normal form of x16. So the numeric degree of x16 is exactly the same as the algebraic degree. This fact implies that we can get an accurate estimation of the algebraic degree using the numeric mapping without computing the algebraic normal form.

The algebraic degrees of the output bits and the internal states can be estimated iteratively. This estimation is described in Algorithm 1. In the algorithm, the update function g is written as a vectorial Boolean function which takes the shift operations into consideration. And DegEst is a procedure for estimating the algebraic degree. When setting DegEst to the numeric mapping DEG, this algorithm gives an upper bound on the algebraic degree of its output. To reach a tighter upper bound, we use a more dedicated DegEst rather than the numeric degree mapping.

Later we'll show the application of this algorithm to Trivium-like ciphers. We introduce Trivium-like ciphers first, and then, based on our observations on the update functions, we formalize a linear-time algorithm for estimating the algebraic degree. The internal state, which is denoted by s_t at clock t, consists of three registers A, B and C. The update functions update three bits each time, as shown in equations four to six, each of which is a sum of a single quadratic term and some linear terms. The quadratic term consists of two adjacent bits. After an initialization of N rounds, the cipher outputs a keystream bit using the output function f.
Trivium and TriviA-SC exactly fall into this kind of cipher, and Kreyvium is a variant of Trivium. These three ciphers use different lengths of key and IV, but all of them iterate 1,152 rounds in the initialization.

The procedure for finding an upper bound on the algebraic degree of the output bit after N rounds proceeds as follows. First, initialize the degree of the initial state. The initialized degree is denoted by D0. Then iteratively compute D_t for t varying from one to N. Finally, apply the numeric mapping to calculate an estimated degree for the first output bit. In the calculation of D_t, two procedures are used, DegMul and the numeric mapping, for dealing with the quadratic and the linear parts separately. This estimation is described in Algorithm 2. We just skip the details. Algorithm 3 provides an instance of DegMul. Underlying this algorithm, there are several lemmas which are proved in the paper. The details of the proofs are omitted in this talk. Based on these lemmas, we can prove that Algorithm 2 outputs an upper bound on the algebraic degree of the first keystream bit for an N-round Trivium-like cipher. One thing to note is that Algorithm 2 has linear time and memory complexity.

In the following, our experiments reveal some bounds on the algebraic degree of Trivium-like ciphers. First, when will the key and IV be sufficiently mixed? The experiment shows that the initialization should contain more than this number of rounds in the third row. For example, for Trivium, the initialization should have more than 907 rounds in order to make the key and IV sufficiently mixed. This was done by taking all the key and IV bits as input variables. Second, when will the IV be sufficiently mixed? In this case, we take a subset of the IV as input variables and the key as parameter. The experiments show that the initialization should contain at least this number of rounds. Otherwise, there exists a chosen-IV distinguisher.
Next, we did a more dedicated search where the input variables contain no adjacent bits. For Trivium, we exhaust all the two to the 25 cubes of size 37 to 40. And we exhaust all the two to the 30 cubes of size 61 to 64 for Kreyvium and TriviA-SC. Then we obtained improved results, as shown in this table. For example, with a cube of size 37 the distinguisher covers 837 rounds. The experiments show that the output of 837-round Trivium has a degree strictly less than 37. And the best also implies the distinguisher for 842 rounds since a bias is detected for the output of 8.

The accuracy of our algorithm is verified by comparing the exact algebraic degree with the degree estimated by our algorithm for Trivium from 66 rounds to 426 rounds. Our experiments show that when taking all the key and IV bits or the IV bits as input variables, our estimated bound is equal to the real bound for most cases. And when taking the best cube of size 37 as input variables, our estimated bound is always equal to the real bound. This figure shows the estimated algebraic degree for Trivium under the three mentioned cases.

In order to improve our algorithm we made two adaptions. First, we compute the exact algebraic degree of the internal state for the first N0 rounds. Second, we use a modified DegMul* to replace the original DegMul. And the rest remains the same as Algorithm 2. Now it becomes hard to estimate the time complexity of our algorithm. The adapted algorithm is described in Algorithm 4. Applications of the improved algorithm bring new bounds for TriviA-SC. However, it is not the case for Trivium and Kreyvium. As shown in the table, better bounds are obtained using Algorithm 4.

This table summarizes the main results of our paper. In summary, we have shown a framework of algebraic degree evaluation for NFSR-based cryptosystems using the numeric mapping.
We have also detailed the techniques for efficiently finding an upper bound on the algebraic degree for Trivium-like ciphers. To the best of our knowledge, the tool is the first theoretical one for finding an upper bound on the algebraic degree of an NFSR-based cryptosystem. In parallel with our work, Todo et al. exploited the tool of division property to estimate the algebraic degree of NFSR-based cryptosystems. The difference between these two methods is that the bound found by division property is possibly more accurate. However, our tool is much faster, uses much less memory, and has no limitation on the size of variables and internal state.

This slide lists some directions for future work. One is to apply the algorithm to more NFSR-based ciphers. The second is to apply the algorithm to key recovery attacks. A third application may be to generalize the algorithm to non-NFSR-based cryptosystems. Thank you for your attention.
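
The toy NFSR example from the talk, worked as an added sketch (not code from the talk or the paper): it iterates the numeric mapping over a size-8 register and checks the result against the exact algebraic degree obtained from the algebraic normal form. The transcript does not state the update function, so the one used here, x_t = x_{t-2}·x_{t-7} + x_{t-4}·x_{t-5} + x_{t-8}, is an assumption chosen so that x16 depends on the bits the talk names; the function names are hypothetical.

```python
from itertools import product

N = 8  # register size from the talk's toy example
# Assumed update function (not stated in the transcript):
#   x_t = x_{t-2}*x_{t-7} + x_{t-4}*x_{t-5} + x_{t-8}
# Each tuple is one monomial, given as offsets k meaning x_{t-k}.
G = [(2, 7), (4, 5), (8,)]

def numeric_degrees(last):
    """Numeric mapping: d_t = max over monomials of g of the summed degrees."""
    d = {i: 1 for i in range(1, N + 1)}  # every initial bit is a free variable
    for t in range(N + 1, last + 1):
        d[t] = max(sum(d[t - k] for k in mono) for mono in G)
    return d

def anf_mul(p, q):
    """Multiply two ANFs (sets of monomials, monomial = frozenset of indices)."""
    out = set()
    for a, b in product(p, q):
        out ^= {a | b}  # x*x = x over GF(2); equal monomials cancel in pairs
    return out

def exact_degrees(last):
    """Exact algebraic degree of each x_t via full ANF expansion (small t only)."""
    x = {i: {frozenset([i])} for i in range(1, N + 1)}
    for t in range(N + 1, last + 1):
        acc = set()
        for mono in G:
            term = {frozenset()}  # the constant 1
            for k in mono:
                term = anf_mul(term, x[t - k])
            acc ^= term           # XOR of monomial sets
        x[t] = acc
    return {t: max((len(m) for m in p), default=-1) for t, p in x.items()}

if __name__ == "__main__":
    num, ex = numeric_degrees(16), exact_degrees(16)
    for t in range(9, 17):
        print(f"x{t}: numeric degree {num[t]}, exact degree {ex[t]}")
```

The numeric pass costs one max per clock, while the ANF expansion grows with the number of monomials, which is the gap in cost the talk refers to.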