Thank you very much for the introduction. My name is Yosuke Todo from NTT Secure Platform Laboratories, Japan. Today I'd like to talk about cube attacks on non-blackbox polynomials based on division property. This is joint work with Takanori Isobe, Yonglin Hao, and Willi Meier. First, I want to give an overview of my talk. Our new technique is an improvement of the cube attack. The cube attack was proposed by Dinur and Shamir at EUROCRYPT 2009. The cube attack is a kind of higher-order differential attack, and the higher-order differential attack is one of the most powerful and famous cryptanalysis techniques for block ciphers. When we attack a block cipher using a higher-order differential attack, we first prepare a set of chosen plaintexts and evaluate the sum of the corresponding ciphertexts. In many cases, the higher-order differential attack uses a higher-order differential characteristic whose sum of ciphertexts is always zero. So when a block cipher is analyzed, we first prepare the higher-order differential characteristic, then we append key recovery after the characteristic. We guess the subkey used in the last round, recover the intermediate text from the ciphertext, compute the sum, and evaluate whether the sum value is zero or not. If the sum is non-zero, we know the guessed round key is incorrect, and we can reduce the size of the round-key space. But unfortunately, this attack strategy does not apply to stream ciphers in general, because in the case of a stream cipher we cannot add a key-recovery part after the characteristic. The cube attack is more suitable for the analysis of stream ciphers, because in the cube attack we recover the secret key from the sum of the corresponding output bits. In other words, the cube attack recovers the secret key from the higher-order differential characteristic directly. But the most significant drawback of the cube attack is that it is an experimental attack.
This means we first regard the stream cipher as a blackbox polynomial, evaluate this blackbox polynomial experimentally, and evaluate the sum value. In this case the size of the cube, that is, the number of active bits, is limited to the experimental range, for example 30 or 40. In the theoretical range we could use more cube bits, and in many such cases we could attack more rounds. So in my talk I propose cube attacks on non-blackbox polynomials. This means we never regard the stream cipher as a blackbox: we fully analyze the structure of the stream cipher, and I show how to realize the cube attack in this situation. As a result, we present the best attacks on Trivium, Grain, and ACORN in the context of key-recovery attacks. How do we get this result? We use the division property. The division property was proposed at EUROCRYPT 2015, and it is a tool to find integral distinguishers on block ciphers. As far as I know, the division property has only been applied to block ciphers, so I think this is the first application of the division property to stream ciphers. If we think only about the key-initialization part of a stream cipher, its structure is very similar to a block cipher, so if we want to evaluate a zero-sum integral distinguisher of a stream cipher, this application is trivial. But key recovery is non-trivial, and I want to propose how to recover the secret key. To realize the key-recovery attack, I explain what the division property can do, and I propose a new way to use the division property. As a result, we can find secret-key variables that are not involved in the superpoly, and finally, from this knowledge, we can recover the secret key. Okay, let's start the main topic. Now let's consider a stream cipher. As in this picture, the input consists of two values, x and v, where x is n-bit secret variables and v is m-bit public variables.
Then the stream cipher is applied, and z is the first bit of the keystream. In this case we regard the stream cipher as one Boolean function f from n + m bits to one bit. Now we apply the cube attack. In the cube attack, we first prepare a cube index set I = {i_1, ..., i_|I|}; this red part is the active bits, and the other part is inactive. Then we compute the sum over the cube of the first bit of the keystream, where C_I is the set of 2^|I| values in which v_i, for i in I, is active. In this case the Boolean function f is decomposed like this, where t_I is this monomial. So if we sum over the cube, we get p_I(x, v), and the attacker recovers the secret variables x by analyzing this Boolean function. In the cube attack we call p_I the superpoly. But f is a stream cipher, and a stream cipher has a very complicated structure, so it is very difficult to decompose the Boolean function f like this. Therefore the previous cube attack uses an experimental approach. We want to recover the algebraic normal form of the superpoly. We assume the superpoly is a linear function, compute the sum over the cube for randomly chosen x, and run a linearity test many times. If the linearity tests always pass, the ANF of the superpoly is probably a linear Boolean function. If the superpoly is a linear function, we can recover the algebraic normal form of the superpoly, and finally we can recover the secret key. But in this approach, in the second phase, we have to compute the sum over the cube. If the size of the cube is, for example, 40, it is very difficult to compute this evaluation in practical time. So the previous cube attack is an experimental attack. I convert this experimental attack into a theoretical attack, and for the theoretical attack we use the division property to analyze the algebraic normal form.
In the previous attack the algebraic normal form is analyzed experimentally using a linearity test, but we analyze the algebraic normal form using the division property. The division property was proposed at EUROCRYPT 2015, and it is a tool to find integral distinguishers. The definition is like this; it is a little complicated, so I skip the definition. The most important part is the division trail. Similar to differential characteristics and linear characteristics, there are also division-property characteristics. If we have the division property k_0, and the propagation rule gives k_1, ..., k_i, ..., k_r, and the trail from k_0 to k_r satisfies the propagation rules of the division property, we call this trail a division trail. The most important part is this: if there is no division trail from k_0 to e_j, the unit vector, then the j-th bit of the ciphertext is always balanced. But this evaluation is in many cases very difficult to do in practical time. However, at ASIACRYPT last year, Xiang et al. proposed a new method to evaluate the propagation characteristics of the division property. They used a CP-based solver, for example MILP, SAT, SMT, or constraint programming. With such a solver's help, we can practically evaluate division trails. If the solver answers that the trail is infeasible, we know the j-th bit is balanced. In other words, if the solver answers that it is feasible, the j-th bit is unknown. We directly apply this technique to stream ciphers and get integral distinguishers, that is, zero-sum distinguishers. We first prepare the division property for the chosen plaintexts, (0, k), where 0 corresponds to the secret key and k corresponds to the cube bits. Then we check the division trail from (0, k) to 1, and if there is no division trail, we know the sum of the output is always zero. But unfortunately, we cannot recover the secret key with only this approach.
To recover the secret key, we propose a new application of the division property. We no longer use the division property to find zero-sum integral distinguishers; instead, the division property is used to analyze ANF coefficients. We first evaluate the number of involved key bits for a given set of cube bits, and we can guarantee an upper bound of the time complexity to recover the ANF of the superpoly. To understand this technique, we first explain basic knowledge of the algebraic normal form. Now f is a Boolean function and this is its algebraic normal form, where a_u^f is the ANF coefficient. Of course, it is practically infeasible to analyze all ANF coefficients. We first decompose the Boolean function f according to a vector k, such that x^k is a monomial. In this case we can decompose the Boolean function like this, and we know this part is the algebraic normal form of the superpoly. Now, assuming there is no division trail from k to 1, we know the sum of f, which is equal to the superpoly, which is equal to this algebraic normal form, is always zero for arbitrary x. In other words, we know the ANF coefficients a_u^f such that u ⪰ k are always zero. This means that by using the division property, we can know whether ANF coefficients are zero or not. Now we extend this idea to the key-recovery attack. Assume there is no division trail from (e_j, k) to 1. Previously this part was zero, but now we add the unit vector e_j; if there is no such division trail, we know the ANF coefficients such that u ⪰ (e_j, k) are always zero. In this case the superpoly is like this, and if u_j is one, from this knowledge we know the corresponding ANF coefficient is always zero. So this polynomial is equal to this polynomial, but now u_j is always zero. This means x_j is independent of the superpoly. This is the summary of the result: we first prepare the corresponding division property (e_j, k) and check the division trail.
If there is no division trail, we know x_j is not involved in the superpoly. By repeating this procedure, that is, repeating it for e_1 to e_n, we know which secret variables are involved in the superpoly. Now we explain the attack strategy. The attack strategy consists of three parts: the evaluation phase, the offline phase, and the online phase. In the previous cube attack, the analysis is practical up to the offline phase, but our attack is practical only up to the evaluation phase; the offline phase is only guaranteed by an upper bound of the time complexity. This is the evaluation phase. First we decide the position of the active bits I and prepare the set J as the empty set, and we check the division trail from (e_j, k) to 1. If there is such a trail, the index j is inserted into the set J; if there is no such trail, we don't insert it. Finally we know the set J, and this set contains the bits that may be involved in the superpoly. Next, the offline phase: we decide an initial IV randomly, prepare the set of chosen IVs by flipping bits in the active bits, and then compute the sum. We know that only |J| secret variables are involved, and the other n - |J| secret variables are not involved, so we can completely compute and store the table of the cube sums with time complexity 2^(|I|+|J|). If the size of the cube plus the number of involved secret variables is smaller than the security level, the offline phase is faster than exhaustive search. Finally, in the online phase, we recover the secret variables for real. We access the encryption oracle and compute this sum, and we compare this sum value with the sum values computed in the offline phase; if the sum value is different, the guessed secret variables are incorrect. The data complexity is 2^|I|. Now we apply this idea to the stream cipher Trivium.
Trivium has this type of structure: the secret key is 80 bits and the initialization vector is 80 bits; the secret key is loaded into this part and the IV is loaded into this part. The number of rounds of Trivium is 1,152. First, to verify our idea experimentally, we try a small cube size. In this example the number of active IV bits is 10, and we choose these 10 bits as the active IV. In this case we know these five bits of the secret key are involved, by evaluating the propagation of the division property. As a result, we attack 591 rounds, and the time complexity is 2^30. In this case, if we choose this IV, the superpoly is like this; if we use this IV, the superpoly is like this; and if we use this IV, the superpoly is like this. These two superpolys are not balanced functions, but the bottom one is a balanced function, so we can recover one bit of secret-key information by using this IV. Now we try the larger evaluation. The most interesting result is this one: if we choose 72 active IV bits with this active index set, the number of involved key bits is only five. So we can attack Trivium reduced to 832 rounds with time complexity 2^77; of course, exhaustive search is 2^80. Okay, finally I explain the other applications. I also applied this technique to Grain-128a and ACORN. Grain-128 was already broken by the dynamic cube attack, but Grain-128a had survived. The previous best attack is 177 rounds and it is only a distinguishing attack, but our attack reaches 183 rounds and it is able to recover the secret key. In the case of ACORN, which is one of the third-round candidates, the previous cube attack reaches 477 rounds, but our attack breaks 704 rounds. Finally, I conclude my talk. I propose cube attacks on non-blackbox polynomials.
I propose a new method for how to use the division property. Previously, the division property was simply a tool to detect integral distinguishers, but in this paper I use the division property to analyze ANF coefficients. In this approach the cryptographer only creates the MILP model for the division property, and the evaluation is done by the MILP solver. So the cost is very small, and it is very easy to apply this technique to various stream ciphers. The division property is more practical than the experimental approach, so we can evaluate the cube attack even if the size of the cube is in the theoretical range. For example, in the case of the best attack on Trivium we use 72 cube bits. It is practically infeasible to check such a huge cube experimentally now, but we can predict the security of Trivium in the future. Thank you very much.
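The three-phase strategy from the talk (evaluation, offline, online), as an added worked example that is not code from the talk or the paper. It uses a constructed 16-bit NLFSR-style toy cipher with an 8-bit key and 8-bit IV (`toy_cipher`, the cube `[1, 3, 5, 6]`, the round count 24 and the secret key `0xA7` are all assumptions chosen for the example). Because the toy is small, the evaluation phase is done exactly: the superpoly's ANF is computed by a Möbius transform over all 2^8 keys, which gives the exact set J of involved key bits. On a real cipher that is exactly the step that is infeasible, and the talk's division-property/MILP evaluation replaces it with an upper bound on J; the offline table and online filtering below are the same either way.

```python
"""Toy cube attack: exact superpoly ANF, then offline/online key recovery.

Added example (not from the talk or paper). The cipher, cube, rounds and
secret key are constructed for illustration.
"""
from itertools import product

N_KEY, N_IV = 8, 8  # toy sizes (assumption; Trivium uses 80-bit key and IV)


def toy_cipher(key: int, iv: int, rounds: int) -> int:
    """Constructed toy stream cipher: load key || iv into a 16-bit register,
    clock a nonlinear feedback `rounds` times, return the first keystream bit."""
    s = [(key >> i) & 1 for i in range(N_KEY)] + [(iv >> i) & 1 for i in range(N_IV)]
    for _ in range(rounds):
        t = s[0] ^ s[5] ^ (s[9] & s[12]) ^ s[15]
        s = s[1:] + [t]
    return s[0] ^ s[7] ^ (s[3] & s[11])


def cube_sum(key: int, cube: list, rounds: int, base_iv: int = 0) -> int:
    """XOR of the first keystream bit over the cube C_I: the IV bits listed in
    `cube` take all 2^|I| values, the remaining IV bits stay at `base_iv`."""
    acc = 0
    for bits in range(1 << len(cube)):
        iv = base_iv
        for k, idx in enumerate(cube):
            if (bits >> k) & 1:
                iv |= 1 << idx
        acc ^= toy_cipher(key, iv, rounds)
    return acc


def superpoly_anf(cube: list, rounds: int) -> list:
    """Exact ANF of the superpoly p_I(x): cube sum for every key (truth table)
    followed by an in-place Moebius transform. Monomials are key bitmasks."""
    anf = [cube_sum(key, cube, rounds) for key in range(1 << N_KEY)]
    for i in range(N_KEY):
        for u in range(1 << N_KEY):
            if u & (1 << i):
                anf[u] ^= anf[u ^ (1 << i)]
    return sorted(u for u in range(1 << N_KEY) if anf[u])


def eval_anf(monomials: list, key: int) -> int:
    """Evaluate an ANF (list of monomial bitmasks) at `key`; mask 0 is the constant 1."""
    return sum(1 for u in monomials if key & u == u) & 1


def involved_key_bits(monomials: list) -> list:
    """J: key indices that appear in at least one monomial of the superpoly."""
    mask = 0
    for u in monomials:
        mask |= u
    return [j for j in range(N_KEY) if (mask >> j) & 1]


def offline_table(cube: list, rounds: int, J: list) -> dict:
    """Offline phase: tabulate the cube sum for all 2^|J| guesses of the involved
    key bits. Bits outside J are left at 0; they do not affect the superpoly."""
    table = {}
    for guess_bits in product((0, 1), repeat=len(J)):
        guess = sum(b << j for b, j in zip(guess_bits, J))
        table[guess] = cube_sum(guess, cube, rounds)
    return table


def project(key: int, J: list) -> int:
    """Restrict a full key to its bits in J (the part the table can recover)."""
    return key & sum(1 << j for j in J)


def online_filter(table: dict, oracle_sum: int) -> set:
    """Online phase: keep only guesses whose tabulated cube sum matches the value
    observed from the keystream oracle (2^|I| queries on the real key)."""
    return {g for g, s in table.items() if s == oracle_sum}


if __name__ == "__main__":
    CUBE, ROUNDS = [1, 3, 5, 6], 24          # constructed cube (IV indices) and rounds
    mon = superpoly_anf(CUBE, ROUNDS)        # evaluation phase (exact here, MILP in the talk)
    J = involved_key_bits(mon)
    print("superpoly monomials (key masks):", mon)
    print("involved key bits J:", J, "-> offline cost 2^(%d+%d)" % (len(CUBE), len(J)))
    secret = 0xA7                            # constructed secret key, unknown to the attacker
    table = offline_table(CUBE, ROUNDS, J)
    observed = cube_sum(secret, CUBE, ROUNDS)  # stands in for the oracle queries
    survivors = online_filter(table, observed)
    print("candidates for the J bits: %d -> %d" % (len(table), len(survivors)))
    assert project(secret, J) in survivors
```

Each cube gives at most one bit of key information (the value of the superpoly), so several cubes with different active sets, or the same cube under different fixed IVs as in the 591-round Trivium example, are combined before exhaustive search over the remaining bits. Flipping any key bit outside J leaves the cube sum unchanged, which is the property the division-property evaluation phase certifies without ever computing the superpoly.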