This is a sexual introduction. We have a talk on the near collision attack on the Grain v1 stream cipher. This is a joint work with NTG. We all come from Chinese Academy of Sciences.

And we first give the introduction of our talk. We give a description of Grain v1. And then we present our ideas, some key observations. And the general attack model and the basic attack NCA1 are presented after that. Then we improve it to NCA2 and NCA3, with the BSW sampling and the special table techniques. And then we present our simulation results. And then we give some conclusions.

Grain v1 is designed by Martin Hell, Thomas Johansson and Willi Meier. It is a stream cipher for restricted hardware environments, and it is selected into the final portfolio by the eSTREAM project. And Grain v1 is immune to the correlation and the distinguishing attacks that successfully broke the former version, Grain v0. And De Cannière et al. discovered a slide property in the initialization phase of Grain v1. It can reduce by half the cost of exhaustive search for a fixed IV. And based on this slide property, a related-key chosen-IV attack has also been proposed by Lee et al. In this family, there is also another cipher, Grain-128. They did some use in every, but it was low, every work feedback function. And this has resulted in a dynamic cube attack on the full initialization rounds by Dinur et al. And to frustrate the dynamic cube attack, the new variant, Grain-128a, with optional authentication function, was proposed by Lee et al.

And now we look at the description of Grain v1. This is the keystream generation phase. There are two registers in Grain v1: one linear feedback shift register and one nonlinear feedback register. And there is also a nonlinear filter function at each stage. The linear feedback shift register is updated independently, but its output is XORed with the feedback function of the nonlinear feedback shift register.
And then the contents are combined by a nonlinear filter function, which is correlation immune of the first order. And then the output of this function is XORed with seven bits from the nonlinear feedback register to produce the keystream. And then this is the initialization phase. Actually, our attack has no relation with this phase, so we can assume that a perfect key and IV initialization phase is adopted, that is, the slide property does not exist anymore. And the nonlinear filter function is balanced and correlation immune of the first order, and it is defined as this. The output function of Grain v1 is defined as here. And it is the XOR of the output of the nonlinear function and the seven bits directly from the nonlinear feedback register. These seven bits make the linear analysis very difficult.

And now we present our idea and some key observations. We propose the standard curve attack of the nonlinear attack on Grain v1. Our attack, which it has the nonlinear feedback register and the linear feedback structure of Grain v1. And our idea is to combine the universal difference of the nonlinear space that you are calling me. We observe that the nonlinear feedback register and the linear feedback register of length is actually a bit the same as the key length with no resonance, and the linear feedback structure is independent in the keystream generation phase. Also, we observe that the linear feedback register can be easily recovered with an internal state difference at two different times. The third is that the distribution of the keystream segment difference is non-uniform given a low Hamming weight internal state difference.

And we propose three attacks. The basic one is NCA1, and NCA2 is combined with the BSW sampling, and NCA3 is based on NCA2 and it uses the non-uniform distribution of the internal state difference from this keystream difference. And now we look at some preliminaries.
We define two n-bit strings as a d-near collision if their XOR has a Hamming weight lower than or equal to d. Similar to the birthday paradox, which states that two random subsets of a space with 2^n elements are expected to intersect when the product of their sizes exceeds 2^n, we present the formula of d-near collision, that is, given two random subsets A and B of a space of 2^n elements, then there is a pair of a and b, with a belongs to A and b belongs to B, that is a d-near collision if this equation is satisfied here. b and d is the total number of internal state difference with Hamming weight lower than or equal to d.

Now we look at the first observation, that is, the state recovery with known state difference. We assume that at time t1 time t2 we know the error-assisting error-assisting state difference, and we define the earlier state as this and the later state as here. Then it is easy to see that the later state can be represented by a linear system of the earlier state, and combined with the state difference we can develop another linear system. So from this it is easy to see that we can easily recover the earlier internal state by solving this linear system. The complexity is very low. After recovering the linear feedback shift register state, we need to recover the NFSR. At the current time we use some equations solved using Magma to solve the NFSR term, and we estimate the complexity experimentally. But actually we have some improvements recently, and it can reduce the complexity by a better relative run, and we will provide the details in upcoming papers. Currently the time complexity for recovering the NFSR state is 22.3 cipher ticks.

And the second observation is that the distribution of the non-interference state with a bit as KSD is best given as positive internal state difference differential. Here is an example: if we have d equal to 4 and the truncated
KSD equal to 16, we have a very high distribution for the KSD. And our results also show that there exist some differences for most of the dmk.

The third observation is that the complexity of the brute force of time is ksd 22.187 hits, and such a time can only be modelled for hpx value for h in numeric p i, it's i raised from 1 to to 18-1. The attacker first needs to proceed the initialization phase, which is 166. If it is KSD treated as a random modelled for hpi, the probability that the attacker needs to generate l this KSD is less this for l equals to 1, so l is larger than 1, it is 2 to minus l minus 1. So based on this we can see that the expected number of KSD for h in numeric p is sd, it is approximately 4. So the total complexity for the brute force attack is sd 22.187 4 cipher ticks.

Now we look at our general attack model and the basic attack NCA1. In this attack curve identify the correct dmk. And then there are two stages here. In the offline stage we pre-compute some well structured differential tables, and the table structure can be listed as follows. Each table is indexed with KSD, and in each table there are many rows. In each row there is the ISD and the corresponding proportions, and every table is constructed in this way. We denote the total number of tables by q and dl, the average number of rows in each table by r and dl. Then, due to the non-uniform distribution of the KSD for a fixed ISD, we may consider at most 100 KSDs whose proportions are the first 100 largest among all the KSDs. Hence r and dl are bounded by this one.

Now we look at the online stage. We want to obtain the ISD by utilizing the pre-computed differential tables and the total KSD. The first step: we randomly collect two ksd size a and b size 5 this near first day parallel efficient. And then we sort these two sets with respect to the value of the first lb, dividing them into n different groups, g1a to gma and then g1b to gmb respectively. We identify the internal state and candidate state pair that is
d-near KSD. Two strategies here. The first strategy: we use the candidate KSD to find out one of the list and then find the match between the candidate KSD and the other list. The other strategy is to first XOR all these two lists and then get a candidate KSD and then find the match between the stock KSD list. The fourth step is to find the real sd by utilizing 0.21. Here by 0.21 we mean that the internal state difference is not actually the near believing but the corresponding KSD is found in the previous step.

Now we look at the complexity. The pre-computation time is very obvious, it's straightforward computation. And the real complexity is the two size of the size of A and the plus size of B and L height is in segments, and the memory complexity is at here. So this is the complexity for storing these two stocks, and here we divide it by omega because we convert the complexity only to the properties. And this is the complexity for the second step. This is the complexity for the funding for testing the. Here we have the attack complexity with various truncated L; it is shown in this table. We name this basic attack as NCA1. The pre-computation complexity is about 2^95.7, which exceeds the brute force attack complexity 2^87.4.

Now we want to improve this attack. The first instruction is to define the sampling resistance of Grain v1. So it is easy to see that, given the value of 139 particular states of Grain and the first 21 states produced from this state, another 21 internal states can be deduced directly. We provide the detailed proof in the appendix of our paper. The only thing from the BSW is that the searching space is now reduced to the special subset of the internal states. Now the goal is to recover the 139 piece ISD instead of the 116 piece ISD. We need to collect those keystream segments in the prefix with the basic pattern 0 to 21, that is, 21 zeros. The data complexity is multiplied by 2^21. This is the attack complexity with various keystream segments, and based on the BSW sampling we
can see here we use strategy 2 in our step 3. We can see that compared to NCA1, the improved attack reduces the pre-computation complexity by a factor of 2^12.3. It saves about 10 bits of storage for each entry in A and B. All the complexities here are under the brute force attack complexity 2^87.4. We denote this improved attack as NCA2.

Now we look at the second improvement. It is based on NCA2 and on utilizing the non-uniform distribution of KSDs from all the tables. From observations, these are some extreme examples. We see that some tables with low Hamming weight index contain more rows than those other tables with higher Hamming weight index, and the first table, indexed with zero, contains the most rows among all the tables. Most tables like this, with much higher Hamming weight index, only contain a single row in their table. And the tables with low Hamming weight index satisfy this equation, that is, the Hamming weight of the KSD is the last time we cost up tables, special tables contain about 80% also being the different ISDs. Here we make an assumption that on average the special tables can cover 50% although we can start the different ISDs when the L becomes larger. This assumption indicates that in the offline stage we only need to construct those special tables.

Now we look at the complexity analysis of this attack. Every complexity remains the same except the second step here. And here is the attack complexity of Grain v1 with various L based on special tables. Here we can see that we have an attack with time complexity 2^73.1, memory complexity 2^62.8 and data complexity 2^67.8, with the pre-computation complexity 2^73.1. Now we name this attack as NCA3.

And now we present our simulation results on the reduced version of Grain. We look at the reduced version of Grain v1, and this one consists of a linear feedback register of 32 bits and a nonlinear feedback register of 32 bits. The update functions of the linear feedback register and the nonlinear feedback register are done in a similar way as the
full version. This is the linear feedback register update function, and this is the nonlinear update function. We can see that we also used linear one to balance the interstate of the nonlinear. The update function is different here to the function in the state as that in the original design. Under here we choose a subset of bits from the nonlinear feedback register with a 90 of 4. We can see that the sampling resistance of this reduced version of Grain v1 has 22 matters a lot.

And now we first verify our Assumption 1. We randomly choose 10^4 ISDs with Hamming weight less than or equal to 4 and generate their corresponding KSDs and their proportions. Then for each KSD we randomly choose states to generate it, to determine the projection from ISD to KSD. Only those KSDs that satisfy this condition will be recorded, and their corresponding ISDs will be stored in a text file with the corresponding KSD. Similar to the process of the offline stage, we only consider at most eta KSDs whose proportions are the first eta largest among all the KSDs. Finally we count the number of different ISDs in those special tables. This is our verification, so you can see that this makes the scenario quite well.

And in the offline stage we set eta equal to 15, the sample size equal to 2^12 and the Hamming weight equal to 4. Then we have a tag here this is a theoretical KSD. And then we present our actual pre-computation time of NCA2, and it's in this table. This is the number of tables. The scenario is the time we use in our simulation.

We apply NCA2 and NCA3 to the reduced version of Grain respectively for 114 randomly generated PIB pairs. The simulation results on the reduced version of Grain are as here. This is the average attack time and this is the success probability. This is an experiment time is based on what might C++ prevent our CPU with this configuration. The success probability is the proportion of the number of the correct internal state differences stored in the KSD
tables. We can see from the experiment that the success probability of our attack needs to be stabilized. Our attack needs to be refined further, and we indeed get some improvements by reducing the complexity of recovering the nonlinear feedback shift register and the state difference, but we will provide the details in upcoming papers. We can also see that the experimental success probability of NCA2 is lower than estimated in theory, but the reason, we think, is that we choose a restricted value of A time, and these two parameters directly influence the size and the number of pre-computation tables, and that affects the success probability. We think that how to theoretically balance the relationship between the success probability and these two parameters is our future work.

Now we give some conclusions. In our paper we presented a key recovery attack in the single-key model, called the near collision attack, on Grain v1, based on some key observations. We have presented the basic attack NCA1 and the improved attacks NCA2 and NCA3 by combining the sampling resistance of Grain v1 and the non-uniform distribution of the KSD tables respectively. Our attack has been verified on a reduced version of Grain v1, and an extrapolation of the results in a linear way in the case of attack on the full version of Grain v1 with complexity as mentioned before. In our experiment we make a second assumption, that is, our extrapolation is based on a linear point. And we think that our attack will be a starting point for further analysis of Grain-like stream ciphers, and hopefully it will provide some new insights on the design of such compact stream ciphers. Thank you.

OK, we have questions.

So this Assumption 2 that you mentioned at the end, would you think of a way to verify this one as well? The extrapolation, actually.

Yeah, it's not so easy to verify Assumption 2, because if we reduce the size of the internal state further, then we may get some curve, but actually we think that the slope of
the curve will be dominated by the last point of the curve and the attack on target sign, so we extrapolate in a linear way. We need to define our reduced version that is a little bit bigger. Yeah, that is maybe more accurate.

Thank you. Any more questions?

Changbin and the other speakers of the session