 Thank you very much for listening to my talk, I'm Yunlin Hao, and I'd like to talk about links between division property and other kubatek variants. This is a joint work with Linjiao, Chaoyin Li, Willi Mer, Yuzuki Toto, and Qin Jiuwan. Without the motivation of this work, we start with the latest story in the realm of kubateks. It's about Fu Itao's kubatek results on Shuiviam proposed at Scriptu 2018. They provide a theoretic 855 round result along with the 721 round practical verification. On the kube submissions in the practical attack, they claimed that for wrong guesses, the result is one with probability 50%. Soon afterwards, how Itao give a thorough analysis to Fu's result in Eprint. They provide theoretic evidence that the 855 round result is questionable, and the practical one is completely self-contradicting. They find that the kube submissions in the practical attack are constantly zero for both correct and incorrect key guesses. How's finding Fu to admit their mistakes in Eprint? They admit that they forget to test the 32-dimensional kubes on the wrong key guessing. They provide 29-dimensional new kubes as a remedy to the 721 round result. However, Fu Itao have no response to the theoretic result, so the questionable comment remains. Finally, at Eurocrypt 2020, the conclusion on Fu's results and remedy is finally joined by how Itao using a three-subset division property technique. They prove that the 855 round result doesn't work, and the remedy is wrong as well. Instead of blaming Fu and appealing for an honest research, we should learn a more important lesson. The theoretically reliable key recovery result should include two proofs. Firstly, there is detectable non-randomness when the key guess is correct. Secondly, randomness is verified when the key guess is wrong. Taking proof 2 for granted can cause catastrophic consequences, but the proof act is that some practical attacks due to the lack of computational resources simply assume proof 2 to be true without any verification. In 2011, Theyner Itao proposed the first dynamic kuba attack on full grain 128. It is a practical attack implemented on an FTGA cluster. They use 51 specific cubes to detect the non-randomness named the bias phenomenon, which means over 50 cube summations are zero. They expect that there is bias phenomenon detected for the correct key guess, and for wrong guesses, the cube summations are random zero or ones. But according to their experiments, the bias phenomenon can only be detected for 8 out of 107 randomly chosen keys. Furthermore, the randomness of the wrong key guess has never been tested. Therefore, it is unknown whether proof 2 is true or whether Daenerys attack is available. Even if proof 2 were to be true, the success probability of Daenerys attack should still be 7.5% which is quite low. Faced with the situation, our initial goal is to give a theoretically more reliable dynamic kuba attack on grain 128 with higher success probabilities. To be more specific, our new dynamic kuba attack guarantees all 29 cube summations to be constant zero when the key guess is correct. For wrong key guesses, we only ask that not all cube summations are zero. Under certain assumptions, we show that proof 2 is true with probability about 99.83%. The theoretic tool we use is the division property, a powerful tool for deducing theoretically available kuba attacks. We now introduce the concepts used in this paper. In the context of kuba attacks, a stream cipher starts from an initial state SO containing secret key bits x and the public IV bits v. Then, the updating function is called iteratively for r rounds to generate a state Sr where key and IV bits are thoroughly mixed. Finally, an output bit is generated as z. The algebraic normal form af of z can be represented as a complicated polynomial of key and IV variables as follows. The coefficient Au to the f is a binary polynomial of key bits corresponding to the IV monomer v to the u. In cube attack, a cube index zi is predefined. Such i uniquely determines an IV monomer v to the Ki. The output bit is uniquely decomposed as z equals to v to the Ki times Pi plus Qi, where Pi is called the superpoly. For such zi and a binary vector IV, a specific structure named cube is defined as Ci containing 2 to the i vector v's. Dinner and Shamir have proved that the value of the superpoly can be computed by summing the output z's corresponding to all the vector v's in the cube. If the superpoly is secretly related with the simple af, we can recover the af offline and get the exact value Pi online with a cube summation. In this way, one bit of key related information is recovered directly. The dynamic cube attack is based on the volume of the observation. For a particularly intermediate state bit sij becomes a constant zero, the af of the output bit z will change significantly. With such an af change may be reflected by a particular non-random property called the bias phenomenon. For randomly chosen key x, the value of the superpoly Pi is more likely to be zero rather than one, indicating that the epsilon in the equation is larger than zero. The notification of the crucial bit sij is achieved by setting an IV bit vL, referred as the dynamic IV, to a particular value, a function fL determined by the af of sij. Therefore, during the cube summation, three kinds of IV bits are to be assigned in different manners. The cube IVs are still traversing all possible values. The constant IVs remain constants. The dynamic IVs are set afterwards according to the an of fL. Of course, the fL involves key bits, so the whole process of the dynamic cube attack can also be divided into offline and online phases. In the offline phase, the adversary should find many qualified cubes having significant bias when sij is successfully notified. What we've heard as significant bias means the epsilon in the equation is large. With these cubes in the online phase, we need to get the key bits involved in the an of of the dynamic value and compute the cube submissions for each key guess to acquire the bias, indicating that the number of zeros in the n-cube submissions. The key guess corresponding to the most significant bias is most likely to be the correct one. The cubes used in dynamic cube attacks should be qualified with the two proofs of theoretical reliable key recovery attacks. More specifically, for the correct key guess, there is large bias epsilon zero for the for the wrong guess, the bias epsilon one should be proved small. The largest possible epsilon zero is two to the minus one when the superpolypi is constant zero. The smallest epsilon one should also be proved. If epsilon one equals to zero, the cube submission is random. Let's get down to the essence of the bias phenomenon. According to its definition, the bias phenomenon reflects the proportion of keys that make the superpolypi in zero. The number of zero sum keys is larger than that of one sum keys by epsilon. Dinner's dynamic cube attack practically verified a positive epsilon zero in proof one. But for proof two, they simply assume epsilon one equals to zero. In our dynamic cube attack, we are able to theoretically prove the largest possible is close epsilon zero improved one. In proof two, we are able to find a deterministic weak key class w such that the superpoly value corresponding to the weak keys are all zero. Our assumption is that the non-weak keys have random superpoly values, so the bias epsilon one can be computed directly with the key space size. In other words, our attack moves a tiny step forward than dinner's in proof two. Dinner tells directly assume the superpoly values are random for all keys while we assume randomness for the non-weak keys. The theoretic tool we use is the division property. It was proposed at Eurogroup 2015 and was originally used for finding the grow characteristics for block ciphers. With the division property, the traditional integral property of a multiset is represented as a set of binary vectors denoted as k. When the multiset is encrypt through iterative updating function calls, the corresponding division property set k change accordingly to track the integral property propagation. With the updating function calls, the multiset transforms from x0 to xr and the division property also propagates from ko to kr. The k vectors in ko to kr form a chain referred as a division trail. If there is no division trail ko to ej, we know that j ciphertext bit has zero sum property. The ability of a division trail is evaluated with the MRRP model constructing and solving process. For a division trail ko to kr, each of their entries are regarded as binary variables of an MRRP model m. The updating function is described as a set of linear constraints. The final vector kr is intentionally set to ej in order to evaluate the zero sum property of the jth bit. Then the model m is solved with an MRRP model solver like groovy. If m is infeasible, the jth bit has zero sum property. The division property description to a stream cipher is quite straightforward. The r-round initialization is the same with that of block cipher. It only differs that there is an additional output bit. So the final vector is krkz and is dedicatedly assigned to 01. The corresponding MRRP model m is constructed and solved accordingly. If m is infeasible, we know the superpoly pi is constant 0. After introduced to the realm of ko, the division property has further developed. New techniques such as flag technique and degree evaluation are proposed. The former improves the accuracy of the division property by imposing each bit with flag value to control the model construction process. The latter replace the traditional constraints kx equals to 0 with an objective function maximizing the hamming weight of kx. So as to upper bound the algebraic degree of the superpoly. Combining the two technique is the division property based degree evaluation algorithm with flag technique. If the algorithm returns minus 1, the superpoly is constant 0. If it returns 0, the superpoly can be either constant 0 or constant 1. For a positive integer d, the superpoly is a polynomial of degree no higher than d. Degree 128 states consists of LFSR and NFSR. We find that the NFSR bit generated at the 31st initialization round denoted as b158 is a crucial bit. It can be notified by setting the v30 or v90 bit to the corresponding dynamic value. Dynamic value is based on the analysis of the b158a and f. Such a crucial intermediate state bit can be notified if v90 or v30 is set to its dynamic value f90 or f30 respectively. f90 and f30 contain three bits of key related information namely GO x42 and x125. In order to correctly assign the dynamic IV, the three bits should be correctly guessed. For a wrong guess, the b158 will not be notified but become one of the seven values including constant 1. Such values corresponds to the wrong guesses can be easily deduced with the a and f of b158. Among the seven wrong key guesses, the wrong guess, w equals to 1, will make the crucial intermediate state bit have the lowest algebraic degree. So we take w equals to 1 as the representation of wrong key guesses. The MRRP model construction for our dynamic cube attack is as follows. The starting point is also the initial vector corresponding to key and IV bits. Before modeling the updating function calls, the dynamic IV should be assigned to its dynamic value corresponding to the a and f. This will affect the division property by imposing constraints to the model m. So the division property vector is now ko sub. Then the updating function is called as original RIN128 process, except for at round 31, where the intermediate state bit b155 and 58 is generated. For the correct key guess, the flag is assigned to 0 while for the wrong guess is 1. The constraints in model m are both b158 equals to 0, so the guess w can only affect the model construction process afterwards. Apparently, the model m's for correct and incorrect key guesses are different. Q i, the degree evaluation method can be called based on such model m so as to upper bound the degree of the superpoly. Such degree evaluation algorithm takes as input not only i and IV, but the key guess w as well. Based on such a degree evaluation technique, we design the preliminary criteria for a qualified cube that are likely to satisfy both proof 1 and proof 2 of our dynamic cube attack. For proof 1, we restrict that DO equals to minus 1, indicating that for the correct key guess, the submission over the cube is constantly 0. So there is detectable zero sum property as not randomly simple. For proof 2, we restrict d1 to an integer much larger than 0, so the superpoly corresponding to the wrong key guess is likely to be a complicated polynomial with high algebraic degree. According to such criteria, we randomly construct cube i's and collect some qualified cube candidates. They are of dimension 90 and their d1's are no less smaller than 39. For each cube, we need to construct the weak key classes for the wrong key guesses. We first introduce a weak key class defined by a subset of key indices called split set denoted as lambda. As far as a key x satisfies that the entries of their position at lambda are all 0, the corresponding superpoly value is constant 0. The split set can be easily checked with modified division property based degree evaluation technique. Before the model construction, the flag values corresponding to the split set entries are all set to 0. With such flag values, additional constraints should be imposed accordingly. With such model m, the degree evaluation should always return minus 1 indicating that the superpoly is constant 0 or corresponding to such weak key. If we are able to acquire the minimum split set lambda based on our proof 2 assumption, bias of the wrong key guesses can be evaluated. As can be seen, the smaller the minimum split set is, the less significant the bias can be. Accordingly, with significant bias for wrong guesses, the success probability of our dynamic cube attack can be higher. The success probability can be computed easily as well. We construct the minimum split set lambda in a heuristic manner. We start from an empty set lambda 0, then we traverse the remaining indices and expand the split set by picking the one bringing the largest degree drop. The iteration ends until the evaluated degree drops to minus 1. With this method, we are able to construct the minimum split set for the 29 cubes used in our dynamic cube attack. To make sure we get the higher success probability, we must make sure that the minimum split set of the cubes are not too small. So the criteria of qualified cubes is changed. We restrict that the minimum split sets are of size larger than 2. Fortunately, all 29 cubes have minimum sets containing at least two elements, so the overall success probability of our attack is evaluated as 99.83%. The concept of split set can also be used in other situations. As we have demonstrated, the smaller the minimum split set is, the more significant the bias phenomenon can be. For an R-round stream cipher, if the degree evaluation algorithm returns a positive integer, even for the largest possible cube i and the largest possible split set lambda, we regard such round number R as the secure bound for the cipher against the bias-based cube tester. Apparently, the largest possible cube is the one containing all i, v bits, and the largest possible split sets are those only missing one element of all key indices. Using this method, we are able to give the bounds for grain-like stream ciphers. As can be seen, the bounds for bias is usually larger than those of zero sum. Especially for grain 128, the bias bound is even larger than the originally designed initialization round number. Therefore, our method is an efficient tool for newly designed stream ciphers to determine their number of initialization rounds. In ordinary key requirement attack for a superpoly-related key index j, we consider the split set lambda j and call the modified degree evaluation algorithm. We can evaluate its degree dj. If dj is larger than zero, we know that the corresponding key cannot appear in the linear part of the superpoly, so the coefficient of xj is zero. Therefore, we do not need to compute such a coefficient through a cube summation, which diminishes the complexity by 2 to the i. In this way, we are able to improve the current best results on crivium and acron by 1 and 13 rounds. To sum up, the contribution of this paper is that we have broadened the application of the division property technique. We link the division property with three cube attack variants, namely the dynamic cube attack, the bioscube tester, and the ordinary cube attack. More specifically, we propose a new dynamic cube attack on full grain 128. In comparison with dener's original one, our attack has much better success probability. For the bioscube tester, we draw secure bounds for grain-like stream ciphers. This is a promising tool for determining the number of initialization rounds for newly designed primitives. Finally, we give improved cube attack results on crivium and acron. In the future, there are still works to be done to better modeling the non-randomness used in cube attacks and cube testers. The existing attacks should also be improved. We will also introduce the three subset division property to the realm of dynamic cube attack.