So, thank you everyone. This talk is entitled Improving Key Recovery to 784 and 799 Rounds of Trivium Using Optimized Cube Attacks. First my outline: I will define Trivium and the cube attacks, and then the optimizations I have made to the attack, in three parts. First, how we can exploit polynomials of degree 2; then how we use the Möbius transform to recover many cubes at once; and finally how we exploit the cipher's structure to lower the density. So first, an introduction. This is Trivium, which you probably know. It is a stream cipher from the eSTREAM competition and it has three non-linear feedback shift registers. In the first register we put the 80-bit key. In the second register we put the initialization vector, which is also 80 bits, in green here. And we have 1152 initialization rounds, which just means that we do four complete turns of the cipher. This is the feedback function; the relevant points are mainly the feedbacks t1, t2 and t3. The feedback is here, and there is only one term of degree 2 in it, everything else is linear. The output of the function is z_i here, the sum of these three terms, so a total of six linear terms. So what are the known attacks on Trivium? First we have a full key recovery on 735 rounds in feasible time, 2^30. We can also recover 35 key bits after 767 rounds, again in feasible time, 2^36. Besides key recovery attacks there are some distinguishers or non-randomness properties; these distinguishers go up to 806 rounds, for instance. This is our contribution. First, a full key recovery on 784 rounds in 2^39 queries. Then we recover 12 key bits and some simple quadratic expressions after 799 rounds in the same complexity, which more or less means that we can recover the full key with some brute force in 2^62 queries. So, what are the cube attacks?
They were introduced in 2009 by Dinur and Shamir. We consider the polynomial representation of the cipher, depending on the key bits and the IV bits, and there are two phases. First, in an offline phase, we extract some low-degree expressions which should depend on the key bits. Then, in an online phase, we evaluate those expressions, and we just have to solve a system and recover the key bits. More formally, we have a cube, which is just a subset of the IV bits, and our polynomial p depends on the key bits and the IV bits. We factor out the term of the cube, v_{c_1}...v_{c_k}, in the polynomial, so that we have a remainder p_r in which no monomial is divisible by this term. It turns out that if we sum the evaluations of p over every single assignment of the cube variables, we get exactly the evaluation of p_C, because every monomial of p_r is summed an even number of times and the copies cancel each other. So we can evaluate p_C on inputs of our choice; we assume the attacker has full control over the IV but not over the key. It turns out that every time we want one evaluation of this p_C, we have to compute the full sum, which is 2^k queries to the polynomial. So it is quite expensive and we do not want to do too many queries. We have two things to do: first, check whether the polynomial p_C has low degree, and if it does, interpolate it during the offline phase. So first, how do we test whether it has low degree? There is the BLR test, which tests whether a polynomial is linear. It is very simple: we pick two random inputs and check whether the polynomial behaves linearly on them. That is 3 queries per test. If we want to do the same for higher degree, for instance for degree 2, there is a very similar test which requires 7 queries per test, so it is more than twice as expensive.
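The cube-sum identity described above is easy to check on a toy example. The sketch below is my own illustration with a made-up polynomial in 2 key bits and 3 IV bits (not Trivium): summing the black-box polynomial over all assignments of the cube variables recovers the superpoly, here p_C = k_0 + k_1 for the cube C = {v_0, v_1}.

```python
from itertools import product

def p(k, v):
    """Hypothetical black-box polynomial over GF(2) in key bits k, IV bits v."""
    return (v[0] & v[1] & (k[0] ^ k[1])) ^ (v[2] & k[0]) ^ v[0] ^ 1

def cube_sum(k, cube, n_iv=3):
    """XOR p over every assignment of the cube variables (other IV bits = 0)."""
    acc = 0
    for bits in product([0, 1], repeat=len(cube)):
        v = [0] * n_iv
        for i, b in zip(cube, bits):
            v[i] = b
        acc ^= p(k, v)
    return acc

# Every monomial of the remainder p_r cancels; only p_C = k0 + k1 survives:
for k in product([0, 1], repeat=2):
    assert cube_sum(k, [0, 1]) == k[0] ^ k[1]
```

Note that each superpoly evaluation really does cost 2^|C| queries to p, which is why the number of such evaluations matters.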
So let's assume we have detected that the polynomial is linear. Now we want to interpolate it, and the interpolation is very simple: we set one key bit to 1 and check whether the polynomial changes its value. That is 81 queries for a linear polynomial. But the problem arises when we want to interpolate polynomials of higher degree. This is the number of queries which is necessary, simply because every evaluation gives us one bit of information, 0 or 1, and this is the number of monomials of degree at most k in the polynomial, each of which can be present or not. So we must make at least this many queries. For instance, for degree 2 this means we need over 3200 queries, which is far too many to do in practice. So let me sum up three shortcomings of the original attack, in my opinion. First, the original attack only considers linear polynomials, but it turns out that we can use degree-2 polynomials: they do not cost more and they are easier to find. Second, there is the question of how we choose the cube v_{c_1}...v_{c_k}. In the original attack we just pick a random cube and check whether p_C has high degree or is 0; if it is 0 we remove an element, and if it has high degree we add an element to the cube. That is the original random walk. It is not very efficient in practice: it tends to add a lot of elements when smaller cubes could be found. So we suggest a different approach which tests many parameters at once and proves much more efficient. Finally, the cube attack is a very generic attack, applicable to a lot of ciphers, and it does not actually exploit the structure of Trivium, which is very simple, so we can do better than this. So, the first point: how do we deal with degree-2 polynomials?
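As a minimal sketch of the linear interpolation step just described (toy dimensions; the talk has 80 key bits, hence 81 queries): query at the all-zero key for the constant, then flip each key bit in turn and see whether the value changes.

```python
def interpolate_linear(f, n):
    """Interpolate a linear GF(2) polynomial f over n variables in n+1 queries:
    one query at 0 for the constant, then one query per flipped variable."""
    const = f([0] * n)
    coeffs = []
    for i in range(n):
        x = [0] * n
        x[i] = 1
        coeffs.append(f(x) ^ const)  # coefficient of x_i
    return const, coeffs

# Toy example with n = 5 (so 6 queries; the talk's case is n = 80, 81 queries):
f = lambda x: x[0] ^ x[3] ^ 1
const, coeffs = interpolate_linear(f, 5)
assert const == 1 and coeffs == [1, 0, 0, 1, 0]
```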
Well, first let me come back to the BLR test. We assumed the inputs are independently chosen at random, and because of this we need three queries for every linearity test. But actually we can do better than this: if we just pick, say, 10 random inputs, we can check linearity on every couple x_i and x_j. It is a weakened BLR test, because we lose the independence of the inputs, but in practice it turns out that each linearity test still eliminates roughly half of the non-linear polynomials. So this is much more efficient: with 55 queries we get 45 linearity tests. And the really interesting aspect appears if you want to move to degree 2. This is the test for degree 2, and it turns out that we already know every single evaluation in it from the linearity tests; the only unknown is the first one, p(x_{i_1} + x_{i_2} + x_{i_3}). So we have to make an extra query to the polynomial, but it is only one query per degree-2 test. To sum up, we do 100 queries and this gives us 45 linearity tests and 45 degree-2 tests, so this is actually very cheap. The second part is how we interpolate the degree-2 polynomials once we have detected them. That is the tricky part, because we know it is impossible to completely interpolate a random degree-2 polynomial in fewer than 3200 queries. So we have to make an assumption on the specific shape of the polynomial to reduce the cost. What kind of assumption can we make?
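A rough sketch of the weakened BLR idea, assuming a hypothetical GF(2) black box f (the exact query counts in the talk may differ slightly depending on whether the query at 0 is counted): draw a small set of inputs once and reuse them across all pairwise affine-linearity tests f(x_i + x_j) = f(x_i) + f(x_j) + f(0).

```python
import random
from itertools import combinations

def linearity_failures(f, xs):
    """Weakened BLR with shared inputs: m queries at the x_i plus one per
    pairwise sum x_i + x_j give C(m,2) linearity tests instead of C(m,2)/3."""
    n = len(xs[0])
    f0 = f([0] * n)
    fs = [f(x) for x in xs]
    fails = 0
    for i, j in combinations(range(len(xs)), 2):
        s = [a ^ b for a, b in zip(xs[i], xs[j])]
        if f(s) != fs[i] ^ fs[j] ^ f0:   # affine BLR check on the pair (i, j)
            fails += 1
    return fails

# 10 shared inputs -> 45 pairwise linearity tests from roughly 55 queries
rng = random.Random(1)
xs = [[rng.randrange(2) for _ in range(8)] for _ in range(10)]
lin = lambda x: x[0] ^ x[5] ^ 1
assert linearity_failures(lin, xs) == 0             # affine: every test passes
quad = lambda x: x[0] & x[1]
e = lambda i: [1 if j == i else 0 for j in range(8)]
assert linearity_failures(quad, [e(0), e(1)]) == 1  # x0*x1 fails on e0, e1
```

Each degree-2 test would then reuse these stored values and cost only the one extra query f(x_i + x_j + x_l), as the talk explains.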
Well, we can look at the structure of Trivium. In the first few rounds of Trivium, the feedback function is called on the key bits for the first time, and so the first degree-2 monomials that appear have a very specific form in the key bits. Since they appear in the first hundred rounds of Trivium, they will be everywhere later: they will be multiplied with other register bits and so on. So it is a fair assumption that if we find a degree-2 polynomial, it has this shape. But of course we need to verify this assumption. So first we did some formal interpolation, with the 3200 queries, on cubes of size 30, which is still practical, at 784 rounds, and it turns out that every single degree-2 polynomial actually has this specific shape. So the assumption is valid, at least at 784 rounds. The algorithm is then very simple: once we detect a degree-2 polynomial, we assume it has this form, and since there are only 80 such polynomials which can exist, in 81 queries (because of the constant) we detect which one of those polynomials it is. Then, thanks to the 100 queries we did before, we can check whether the assumption is actually compatible with the queries we have already made. So this is very cheap: 81 queries for degree 2 is as many as we need for degree 1. The third point is actually solving the system, because when we have linear polynomials we just do some Gaussian elimination and we only need about 80 equations, but with degree-2 polynomials it could be much harder to solve the system. It turns out that this is not the case. Why?
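One way this shape-based interpolation could look in code; this is my own reconstruction under the stated assumption (quadratic part equal to a single product of adjacent key bits k_t·k_{t+1}), not the paper's exact algorithm. The n+1 structured queries recover the constant and linear coefficients, since single-bit inputs never activate the quadratic term, and the stored random queries from the detection phase then single out (and sanity-check) the quadratic term.

```python
import random

def interpolate_shaped_quadratic(f, n, stored):
    """Sketch: assume f = const + linear part + k_t*k_{t+1} for some t.
    n+1 queries give the constant and linear part; previously stored random
    queries identify the candidate quadratic terms consistent with f."""
    c = f([0] * n)
    a = []
    for j in range(n):
        x = [0] * n
        x[j] = 1
        a.append(f(x) ^ c)       # single-bit inputs: quadratic term is 0
    def residual(x):             # what is left after removing const + linear
        r = c
        for j in range(n):
            r ^= a[j] & x[j]
        return f(x) ^ r
    cands = [t for t in range(n - 1)
             if all(residual(x) == (x[t] & x[t + 1]) for x in stored)]
    return c, a, cands

# Toy target with n = 8 (the talk's case is n = 80, i.e. 81 queries):
n = 8
target = lambda k: 1 ^ k[2] ^ (k[4] & k[5])
rng = random.Random(7)
stored = [[rng.randrange(2) for _ in range(n)] for _ in range(20)]
c, a, cands = interpolate_shaped_quadratic(target, n, stored)
assert c == 1 and a[2] == 1 and 4 in cands
```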
Because they have this specific shape. During the online attack, since every query to a cube requires an exponential number of queries to the polynomial, that is, to the cipher, it is actually cheaper to brute force some of the key bits. For instance, if we have cubes of size 35 and we have 32 such cubes, it costs 2^40 queries to the polynomial to evaluate them, so it is actually cheaper to brute force 40 key bits than to compute 32 cubes of size 35. So we will brute force in any case, and since we brute force some of the key bits, we can choose to brute force precisely the ones which appear here, so that every degree-2 polynomial actually provides us with a linear relation between the remaining key bits. So, to sum up: the degree-2 polynomials are as cheap as the degree-1 polynomials to detect and to interpolate, and they give us roughly as much information, so this is very good. Next, concerning the random walk, we use the Möbius transform, which was introduced by Antoine Joux. It had been used in the context of cube attacks to compute sub-cubes, but not in regular cube attacks. First let me define it. If we have a polynomial with an algebraic normal form, we basically interpolate it by computing the transform of this polynomial, which gives us, for each monomial, 0 or 1 depending on whether or not it is present in the algebraic normal form. It has time and memory complexity exponential in the number of variables, which does not sound very good; but since computing a single cube is also exponential and the algorithm is very simple, computing the Möbius transform is cheaper than computing a single cube. The only problem is the memory requirement: in practice we have n around 40, so 128 gigabytes of memory are required, but that is still doable. So, how do we apply this transform to cube attacks?
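The fast Möbius transform itself is only a few lines. This sketch turns a 2^n-entry truth table into the list of ANF coefficients in O(n·2^n) XORs; for n = 40 the table is 2^40 bits, which is the 128 GB mentioned above.

```python
def mobius_transform(truth):
    """Fast Möbius transform over GF(2): maps a truth table of length 2^n
    (index bit i = value of variable x_i) to the ANF coefficient vector.
    The transform is an involution, so applying it twice gives back the input."""
    anf = list(truth)
    step = 1
    while step < len(anf):
        # XOR each lower half into the corresponding upper half, per variable
        for i in range(0, len(anf), 2 * step):
            for j in range(i, i + step):
                anf[j + step] ^= anf[j]
        step *= 2
    return anf

# f(x0, x1) = 1 ^ x0 has truth table [1, 0, 1, 0]:
anf = mobius_transform([1, 0, 1, 0])
assert anf == [1, 1, 0, 0]                     # monomials 1, x0, x1, x0*x1
assert mobius_transform(anf) == [1, 0, 1, 0]   # involution
```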
Well, if we have a cube C of IV variables, we consider the restriction of the output polynomial to those variables, we apply the transform to this polynomial, and then for every sub-cube of C we check whether the associated monomial is present or not, which is a constant-time operation once the transform is computed. If the monomial is present, the cube sums to 1; if not, it sums to 0. So in constant time per sub-cube we can evaluate every sub-cube of the large cube of size k. What does this mean in practice? If we take k equal to 40 and, for instance, sub-cubes of size roughly 34, we can compute essentially for free 40-choose-34 cubes, which is about 3.8 million, while the computation time is only 64 times that of a single cube. So this is really worth it. We drop the random approach, and the only degree of freedom which remains is the choice of the initial large cube. So how are we going to choose this cube? By exploiting the cipher's structure. First I would like to talk about the density problem. We can measure the density of the polynomials by using the Möbius transform once again, since it gives us the list of non-zero monomials. This was done after 799 rounds, and we measured the number of non-zero monomials for different monomial sizes. First we began with a random cube: we just picked 40 IV bits at random, and we can observe that up to monomials of size roughly 35, the density is about 50%, which means the polynomial looks random and dense, and for dense polynomials there is no hope of extracting linear information. So that is not very useful, and we have to go much higher, around size 37 or 38, to get a low enough density to actually extract useful information. But 37 or 38 out of 40 leaves few candidates, so using a random cube is not really worth it, in my opinion. We managed to find an algorithm to pick the cube smartly, and you can see that the difference
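The sub-cube trick can be checked on a toy polynomial (my own 3-variable example, with the key already fixed inside f): after one Möbius transform of the restriction's truth table, the cube sum over any sub-cube C' of C equals the ANF coefficient of the monomial made of exactly the variables in C'.

```python
from itertools import product

def mobius(t):
    """Fast Möbius transform over GF(2) (truth table -> ANF coefficients)."""
    a, step = list(t), 1
    while step < len(a):
        for i in range(0, len(a), 2 * step):
            for j in range(i, i + step):
                a[j + step] ^= a[j]
        step *= 2
    return a

# Toy restriction to the large cube C = {v0, v1, v2}; one transform of the
# 2^3 truth table evaluates every sub-cube of C at once.
f = lambda v: (v[0] & v[1]) ^ (v[0] & v[1] & v[2]) ^ v[2] ^ 1
tt = [f([(m >> i) & 1 for i in range(3)]) for m in range(8)]
anf = mobius(tt)
for m in range(8):                      # m encodes a sub-cube C' of C
    sub = [i for i in range(3) if (m >> i) & 1]
    s = 0
    for bits in product([0, 1], repeat=len(sub)):
        v = [0, 0, 0]
        for i, b in zip(sub, bits):
            v[i] = b
        s ^= f(v)
    assert s == anf[m]                  # cube sum over C' == ANF coefficient
```

With k = 40 this is why 40-choose-34 ≈ 3.8 million sub-cube values come out of a single 2^40-entry transform.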
is very clear: we gained about 4 degrees, that is to say, for monomials of size 33 the density is the same as at size 37 for the random cube. So how do we choose this cube smartly? Let me come back to this: the output of Trivium is the sum of 6 register bits. Remember the feedback function; this is the output z_i, which is the sum of those 6 terms, and each of those terms was generated roughly 100 rounds before, because every register has size around 96. When they were created, there was only one non-linear monomial, which is here. So we have those 6 monomials, and each of them is the product of two polynomials of lower degree. There are also terms of degree 1, which we will neglect, because they are much smaller than the terms of degree 2. To sum up, the output of Trivium is roughly the sum of 6 products of two polynomials of lower degree, and we want to find a cube c_1,...,c_k which gives us a p_C of low degree. How do we do this? We make a series of assumptions. First, we want p_C to be of low degree for the cube c_1,...,c_k, and we will assume that c_1,...,c_k gives us low-degree polynomials for every product P_{i,1} P_{i,2}. That is not necessarily true: it could happen that the cube gives us a high-degree polynomial for, say, P_{1,1} P_{1,2} and the exact same high-degree monomials for P_{2,1} P_{2,2}, and they would cancel each other in the sum. But that is unlikely to happen, because the polynomials are generated not independently but from different inputs, so it is unlikely that the monomials are exactly the same. So we just assume this property, that v_{c_1},...,v_{c_k} gives us a low-degree polynomial for every product. Furthermore, we assume that for every partition of the cube into C_1 and C_2, C_1 applied to P_{i,1} gives us a low-degree polynomial and C_2 applied to P_{i,2} gives us a low-degree polynomial, so that their product is also of low degree, degree 1
or 2 or 0. Once again, this is not necessarily true: it could be that for some partition we have high-degree monomials and the exact same high-degree monomials for another partition, and they would cancel each other. But it is almost necessary, so we assume that it works. By doing this, we just pick two cubes C_1 and C_2 and check whether they give us the 0 polynomial on the 12 involved register polynomials, and hopefully the union will give us a low-degree p_C. But that is only one partition, and in practice we need more than one. So instead we use the Möbius transform once again, to find cubes which have as many sub-cubes as possible that themselves give the 0 polynomial on the 12 register polynomials. That is a lot of conditions, but the Möbius transform gives us a lot of candidates, so it is worth imposing a lot of conditions. Then we compute the Möbius transform on the union, and the result is the table I showed earlier: the density is indeed much lower, and that is how we managed to find linear equations after 799 rounds. So, to conclude, we identified three major issues with the original attack and we tried to address them: the restriction to degree 1, the random walk and the density problem. We managed to recover key bits in practical time up to 799 rounds. It is my belief that we could make the full key recovery practical there, but I do not believe we can go much further: the density increases, the degree also increases, and on full Trivium, because of the dense and high-degree polynomials, there is absolutely no hope of extracting low-degree polynomials with this attack. Thank you for your attention. [Question] Thank you for your excellent talk. I have a small question about the BLR linearity test. It seems that you use a small set of random inputs and reuse the data from this set to do the tests. Is there any influence on the success probability?
Yes. Because the inputs are not independent, we have to check that the success probability stays high. For instance, as I said, we get 45 linearity tests from only 55 queries. If we assume there is, say, a degree-6 polynomial in the black box, there is roughly a 40% chance that it will not be detected, because over the 55 queries its high-degree part will not show up even once, and if it does not show up we cannot detect its presence. But this is not that much of a problem, because a degree-6 monomial evaluates to 1 for only about 1 key in 64. Since we brute force 40 bits, we only need 12 cubes for the remaining key bits, and even if roughly 40% of those cubes do contain a degree-6 polynomial, which makes the equation wrong in principle, the extra term vanishes for most keys, so we still recover the right key. For some keys we will indeed recover a wrong key and the attack will fail, but with high probability it succeeds. [Question] OK, thank you. So you mean that in your experiments you found wrong keys for some keys? [Answer] Yes, that's right. [Chair] Any more questions? OK then, thank you again.