Now I will give a talk about a key-recovery attack on 855-round Trivium. The authors are Ximing Fu, Xiaoyun Wang, Xiaoyang Dong, and Willi Meier, Xiaoyang Dong.

At first, let's introduce Trivium. Trivium is a stream cipher. It has a 288-bit initialization state, and there are 1,152 rounds during the initialization phase. It then outputs the keystream like this. We rewrite Trivium in an iterative expression form, so at round r, the output is as follows.

Some related work: the cube tester. An output bit of a stream cipher can be written as follows. We define these terms as IV terms, and the corresponding coefficient function is like this. So the cube sum over the cube set is the coefficient function. In a cube attack, if the coefficient function is linear with partial keys, it is a key-recovery attack. Or if jik is 0, then it is a missing IV term, and we can use it as a distinguisher.

Some basic ideas. Suppose z is an output polynomial of the cipher, and it can be written as this formula. And suppose P2 is more complex than P3. Then we can multiply both sides of the equation by 1 plus P1 to simplify the output bit. When simplifying this polynomial, we have to guess the key bits in P1. Under the right key guess, the polynomial is reduced. Otherwise, it is not reduced.

In the preprocessing phase, we have to determine P1. There are three criteria for the choice of P1. The first is that the frequency of P1 in the high-degree state terms must be high. The degree of P1 is low. And the equivalent key guesses in P1 are minimized. Suppose we compute that the degree of the polynomial is d. Then d plus 1 could serve as a distinguisher. In the online phase, we have to guess the key bits in P1 and compute the cube sums for the polynomial.

The whole preprocessing phase could be divided into three steps. In the first step, we compute forward using the key bits and IV bits and compute some internal state bits. In the second step, we decompose backward to the internal state bits. And in the middle, we use the IV representation to measure the gap.

In steps two and three, many repeated state terms must be removed. And some fast discarding techniques are used during decomposition, including degree evaluation and degree reduction techniques. For example, in 255, we set a bound d equal to 17. So during the decomposition, the state terms whose degree is lower than 70 are removed. We only care about the state terms whose degree is higher than 70.

This is the algorithm we use to remove the repeated state terms. We use a hash table, and the complexity of the algorithm is linear in the state terms.

And then a degree evaluation algorithm. We give an example to explain this. Suppose we evaluate the state bits. We first decompose like this, and we let d equal the maximum of the state terms. It is 10 here. So we discard the state terms of degree lower than 10, and only these terms are left. We continue to decompose these terms, and then we find there is no term surviving. So we reset d equal to 9 and repeat the above procedure, and we find there are still terms surviving. So d equals 9 is the estimated degree of this bit. Note that if we decompose and there are no state terms surviving, we have to reduce d again and continue the above steps.

This is a reduction algorithm. We use an example to explain this. In Trivium, there are many state terms of these forms, where the numbers are nearby. We decompose these terms. There are two internal state bits that occur twice in a term. So when we evaluate the degree of this term, the doubly appearing state term should have one removed. One state term. If we decompose these terms, we find the degree. This degree is 7, and this degree is 7, and dt is 1. So the degree of this term must be 30. So it is more accurate.

The IV representation: given a polynomial like this, we remove the coefficient terms. For example, if s equals this term, the representation is like this. Note that there are two way there, and only one way there is left. So we have Property 1. If an IV term exists in s, it must also exist in s_IV, but not the opposite. If an IV term is not in s_IV, it can be concluded that it is not in s. So we use the IV representation to simplify this polynomial and determine the missing IV terms. There are many repeated IV terms, so we have to remove the repeated ones. There is also a repeated IV term removal algorithm.

So that's why we attack our Trivium. We compute the internal state bits when r is no bigger than 340 using the IV bits and key bits. And we obtain the degree bound of the other state bits by Algorithm 2. The other state bits are at rounds higher than this. So we choose P1 as s1 to h10 and compose the output bit of 850 file, which results in high-degree state terms. The criterion for choosing s1 to h10 is that it occurs very frequently. The degree of this bit is 5, and it can be reduced after nullifying 5 IV bits, and there are only 3 equivalent key bits to be guessed. These are the 3 equivalent key bits in P1.

Then during the preprocessing phase, we use degree evaluation, degree reduction and the IV representation to delete state terms whose degree is lower than 14. We decompose many rounds and there are no state terms left, and all the state terms have a degree lower than 17. So we conclude that this polynomial has a degree less than 17. In the online phase, we have to guess the rate bit k and compute the cube sums of this polynomial. The complexity is 2274 bit operations. Thank you.
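
The (1 + P1) multiplication and the d + 1 cube-sum distinguisher described in the talk, worked through on a small toy polynomial. This is an added example, not part of the talk or the authors' code: the polynomial `z`, its six IV bits, three key bits and all function names are constructed for illustration, and it is not Trivium.

```python
from itertools import combinations, product

N_IV = 6   # toy IV length (assumption; real Trivium has an 80-bit IV)
D = 3      # IV-degree bound of (1 + P1) * P3 in this toy

def p1(g, v):
    """P1 = v0 + g0*v1 + g1: low degree, with two key bits to guess."""
    return v[0] ^ (g[0] & v[1]) ^ g[1]

def z(key, v):
    """Toy output bit z = P1*P2 + P3 over GF(2), with P2 of high degree."""
    p2 = v[2] & v[3] & v[4] & v[5]
    p3 = (v[2] & v[3]) ^ (key[2] & v[4]) ^ (v[0] & v[5]) ^ key[0]
    return (p1(key[:2], v) & p2) ^ p3

def cube_sum(f, cube, rest_bits):
    """XOR f over every assignment of the cube positions; the rest are fixed."""
    rest = [i for i in range(N_IV) if i not in cube]
    acc = 0
    for bits in product((0, 1), repeat=len(cube)):
        v = [0] * N_IV
        for i, b in zip(cube, bits):
            v[i] = b
        for i, b in zip(rest, rest_bits):
            v[i] = b
        acc ^= f(v)
    return acc

def surviving_guesses(oracle):
    """Online phase: keep guesses for which (1 + P1)*z has zero (D+1)-cube sums."""
    keep = []
    for g in product((0, 1), repeat=2):
        # Under the right guess P1*(1 + P1) = 0 removes P2, leaving degree <= D.
        reduced = lambda v, g=g: (1 ^ p1(g, v)) & oracle(v)
        if all(cube_sum(reduced, cube, rest) == 0
               for cube in combinations(range(N_IV), D + 1)
               for rest in product((0, 1), repeat=N_IV - D - 1)):
            keep.append(g)
    return keep

if __name__ == "__main__":
    secret = (1, 0, 1)   # constructed key, for demonstration only
    print(surviving_guesses(lambda v: z(secret, v)))
```

A wrong guess leaves a multiple of P1*P2 in the product, so some 4-dimensional cube sum is nonzero and the guess is rejected; only the key bits that appear in P1 are recovered this way.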