Hello everyone, it is our pleasure to share our work, a practical key recovery attack on 805-round Trivium, here. In the following, we shall introduce our work from the following five aspects.

Trivium is a bit-oriented stream cipher designed by Christophe De Cannière and Bart Preneel. It was selected as one of the eSTREAM hardware-oriented finalists, and it was specified as an international standard under ISO/IEC. Both the key size and the IV size are 80 bits. It contains a 288-bit internal state. The number of initialization rounds is 1,152. This figure shows an overview of Trivium, and the pseudo-code of Trivium is shown as follows.

The cube attack, which was first proposed by Dinur and Shamir, is one of the most important cryptanalysis techniques against Trivium. Since it was proposed, cube attacks have attracted much attention, and lots of good ideas such as Möbius transformation, division property, and correlation cube attacks have been proposed to improve cube attacks. In the following, we shall introduce the basics of cube attacks.

Let f be an n-variable Boolean function, and I be a subset of variable indexes. Then f can be written as follows. The polynomial p_I is called the superpoly of I in f. A d-dimensional cube C_I is a set of assignments consisting of 2^d n-tuples in which the variables indexed by I are assigned to all the possible combinations of 0 or 1, while the other variables remain undetermined. Then p_I is equal to the summation of f over each element in C_I. Note that to evaluate p_I, 2^d summations are always needed. For stream ciphers, the function f is the polynomial representation of the first output keystream bit on the key and IV variables. Let I be a subset of IV indexes, and d be the order of the set I.
Let C_I be a set of assignments of IV variables consisting of 2^d n-tuples in which the variables indexed by I are assigned to all the possible combinations of 0 or 1, while the other IV variables are assigned to 0 or a fixed constant. Then the superpoly of I in f, which is equal to the summation of f over the elements of C_I, is a function on the key variables.

There are two phases in cube attacks. The first phase is the offline phase, which is independent of the secret key. During this phase, the aim is to find some useful superpolys in the secret key variables. The second phase is the online phase. In this phase, the task is to solve a system of equations defined by the superpolys under the secret key. Traditionally, low-degree tests such as BLR linearity tests and quadraticity tests are used to find balanced superpolys containing secret key information.

At FSE 2013, Fouque and Vannet used Möbius transformation to simultaneously compute a large number of sub-cubes from a large cube. Given the truth table of a Boolean function, one could compute its algebraic normal form by using Möbius transformation. When it comes to cube attacks, under any specific key, by storing the value of f on all elements of C_I, one could compute the ANF of f on the variables in I. It was noted that much memory is needed to store the truth table for a large cube.

Division property is an important improvement on cube attacks. Division property was proposed by Todo at Eurocrypt 2015 as a generalization of the integral property used in integral cryptanalysis against block ciphers. Later, the bit-based division property, as well as the three-subset division property, was introduced by Todo and Morii at FSE 2016 to search for new integral distinguishers for the SIMON family. Division property based cube attacks were first proposed by Todo et al. at Crypto 2017. It breaks the limitation of traditional cube attacks, where the cube dimension could hardly be larger than 40.
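To make the two ways of obtaining a superpoly concrete, here is an added example (not code from the talk or the paper) on a small constructed Boolean function: p_I is computed once by summing f over the 2^d cube assignments, and once by applying the Möbius transformation to the truth table of f under a fixed key, which yields the ANF coefficients and therefore the superpolys of all sub-cubes at the same time. The function f, its three "IV" variables v0, v1, v2 and two "key" variables k0, k1, and the truth-table indexing (bit j of the index holds the value of v_j) are all assumptions of this example.

```python
# Added example, not from the talk or the paper: superpoly by cube summation
# versus Möbius transformation on a small constructed Boolean function.
# The function f and its variables v0, v1, v2 ("IV") and k0, k1 ("key") are
# hypothetical; the truth-table indexing (bit j of the index = value of v_j)
# is a convention chosen here.
from functools import reduce
from operator import xor

N_IV = 3  # number of public (IV) variables of the toy function


def f(v, k):
    # Constructed polynomial over GF(2):
    # f = v0 v1 k0 + v0 v1 v2 k1 + v2 k1 + v1 + k0 k1 + 1
    v0, v1, v2 = v
    k0, k1 = k
    return (v0 & v1 & k0) ^ (v0 & v1 & v2 & k1) ^ (v2 & k1) ^ v1 ^ (k0 & k1) ^ 1


def truth_table(key):
    # Table of f restricted to the IV variables under one fixed key.
    return [f([(m >> j) & 1 for j in range(N_IV)], key) for m in range(1 << N_IV)]


def superpoly_by_summation(table, cube):
    # p_I(key) = XOR of f over the 2^d assignments of the cube variables,
    # with every non-cube variable fixed to 0: exactly the table entries
    # whose index has set bits only inside the cube mask.
    mask = sum(1 << j for j in cube)
    return reduce(xor, (table[m] for m in range(len(table)) if (m & ~mask) == 0), 0)


def moebius(table):
    # Möbius transform: truth table -> ANF coefficients (same indexing).
    a = list(table)
    step = 1
    while step < len(a):
        for m in range(len(a)):
            if m & step:
                a[m] ^= a[m ^ step]
        step <<= 1
    return a


def all_subcube_superpolys(key):
    # One table and one transform: the coefficient of prod_{j in I} v_j is
    # p_I(key) for every sub-cube I at once (the observation behind the
    # Fouque-Vannet approach).
    anf = moebius(truth_table(key))
    return {tuple(j for j in range(N_IV) if (m >> j) & 1): anf[m]
            for m in range(1 << N_IV)}


def consistent(key):
    # Check that the Möbius route and direct summation agree on every sub-cube.
    table = truth_table(key)
    return all(val == superpoly_by_summation(table, cube)
               for cube, val in all_subcube_superpolys(key).items())


if __name__ == "__main__":
    for key in ((0, 0), (1, 0), (0, 1), (1, 1)):
        print(key, all_subcube_superpolys(key), consistent(key))
```

Under key (1, 0) the cube {v0, v1} has superpoly k0 = 1 while {v0, v1, v2} has superpoly k1 = 0; reading these off the ANF costs one 2^n-entry table per key, which is exactly the memory issue mentioned above for large cubes.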
For example, 28-dimensional cubes could be exploited in division property based cube attacks. The definition of bit-based division property is shown as follows. In the papers published at Crypto 2015 and FSE 2016, Todo and Morii studied the propagation rules of division property for the basic operations AND, XOR and COPY. Furthermore, for a round-based cipher, the propagation of division property could be evaluated by figuring out the division property of the internal states. Then, the concept of division trail was proposed, which could propagate through the whole round cipher. The detailed definition is shown in our slides. At Asiacrypt 2016, Xiang et al. showed that the propagation could be efficiently evaluated by using MILP models. More particularly, an MILP model covers all division trails, and the solver evaluates the feasibility, that is, whether there are division trails from the input division property to the output one or not.

Based on division property, Wang et al. proposed a degree evaluation method which could estimate the upper bound of the degree of superpolys. According to the proposition proposed by Wang et al., if there is d such that, for all k_Λ with Hamming weight larger than d, the division trail from k_Λ does not exist, then d is an upper bound of the algebraic degree of the superpoly.

Now we are going to introduce our work. In cube attacks, finding cubes which would lead to useful superpolys is a critical but difficult task. Previously, some ideas were proposed to find or construct such cubes. In 2009, Dinur and Shamir proposed a random walk algorithm to find cubes with linear superpolys. Later, in 2013, Fouque and Vannet presented a method where two disjoint small cubes are unioned to find linear superpolys. When it comes to finding cubes leading to zero-sum distinguishers, selecting cubes with no adjacent indexes and the greedy bit set algorithm were proposed. Our aim is to construct good cubes for recovering linear superpolys.
To achieve our aim, we find inspiration from the greedy bit set algorithm; namely, our solution starts from a set of cube variable indexes and extends it to a large candidate cube. Then, there are two critical problems to be solved. First, how to determine a proper set of cube variables indexed by I. Second, how to extend I to a large candidate cube. We shall first introduce how to solve the second problem.

We propose a two-stage method to extend I. The figure shows an overview of our method. More specifically, steep IV variables and gentle IV variables are picked in the two different stages. In stage 1, every time, we add a steep IV variable to decrease the degree of the superpoly as fast as possible. In stage 2, to make the degree of the superpoly close to one, we pick a gentle IV variable in each iteration.

Now, the only remaining problem is how to determine a good starting cube set. Note that the output function of Trivium is linear, which is shown in our slide. If a cube C has a linear superpoly, then it is very likely that one of the six terms contributes the linear superpoly and the other five terms contribute constant zero. Namely, we shall only focus on one of the six internal state bits appearing in the output function. Take the first one as an example. According to the feedback function of Trivium, it could be expressed as follows. Our idea is to focus on the degree-two term in this expression. More particularly, we choose a set of cube variables indexed by I and search some of its sub-cubes to find a cube with a linear superpoly in either the blue internal state bit or the red one. Such a cube is determined as the starting cube set. Then the problem turns into how to pick a proper internal state bit from the six internal state bits in the output function. Since the output function is a summation of six internal state bits, the superpoly of I in z could be taken apart into six ones.
Note that a linear superpoly usually has only one term. Say p_I is equal to k_j; then one of the six superpolys is equal to k_j. Hence, for a given I, it is necessary to predict the bit with a large success probability such that a linear superpoly in z_r implies a linear superpoly in s_k^r. In our paper, s_k^r is called the preference bit. To predict the preference bit, our main idea is to predict the number of terms in the form of t_I times k_j, which are called WK terms, in the six internal state bits. However, it is difficult to make such a prediction directly. Our solution is to exploit the feedback function of Trivium to predict the number of WK terms iteratively. We shall take s_94 as an example. The feedback function of s_94 is shown in the slide. Let v_k(s) be the number of WK terms in s. The number of pure IV terms in s is denoted by v(s). Then, the number of WK terms in s_94 could be predicted as the equation at the bottom of our slides. The key point is to predict the terms in red. Considering the properties of Boolean functions, we predict the number of WK terms as follows. Finally, we use the equation in red to predict the number of WK terms in s_94. Based on the above method, we propose Algorithm 4, which could iteratively predict the number of WK terms, so that the preference bit could be predicted.

Another contribution of this paper is to improve the Möbius transformation. As mentioned before, the advantage of Möbius transformation is that it could compute a large number of sub-cubes from a large cube simultaneously. However, the weakness is that much memory is needed to store the truth table for a large cube. Hence, our aim is to test a large number of sub-cubes from a large cube simultaneously with reasonable memory. Let f be a Boolean function on n variables. Our idea is to break the original Möbius transformation into a two-stage one to recover a part of f. In the first stage, we calculate g_0, g_1, ..., g_{2^q - 1} and keep a part of their information.
In the second stage, we recover f according to the kept information. Algorithm 5 shows the details of our improved Möbius transformation. The memory complexity of Algorithm 5 consists of two parts. First, the size of S is 2^{n-q}, and so it costs 2^{n-q} bits of memory. Second, for each j, the size of S_j is t, and so it requires 2^q times t bits of memory in total. When t is much less than 2^{n-q}, the memory complexity of our improved Möbius transformation is much less than that of the original Möbius transformation.

With all the above measures, we make an application to 805-round Trivium. First, the preference bit to find the linear superpoly is s_66. Second, we choose cubes of size 22 and use Möbius transformation to find a proper cube I_1 as our starting cube. In the first stage, we extend I_1 by adding steep IV variables and we obtain a cube of size 34. In the second stage, we start with I_3 and pick up four variables such that the degrees of the superpolys are less than 4 in the last iteration. Finally, I_4 of size 140 is the candidate large cube, which is given in the slide. Together with some other candidate cubes, we find more than 1,000 cubes with linear superpolys in the output of 805-round Trivium. There are 38 independent linear superpolys. What's more, we also find 16 linear superpolys for 806-round Trivium. These are a part of the linear superpolys of 805-round Trivium, and these are a part of the linear superpolys of 806-round Trivium.

We summarize the key recovery attacks on Trivium. Note that the previous best practical attack is on 784-round Trivium, proposed by Fouque and Vannet. In this work, the best practical key recovery attacks are improved by 21 rounds to 805-round Trivium. What's more, we apply our method to 800-round Trivium, where a candidate cube of size 43 is constructed and two sub-cubes of size 42 with linear superpolys are found. Now, we shall make a brief conclusion of our work.
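As an added illustration of the offline phase on reduced-round Trivium (this is example code written for this page, not the authors' Algorithms 4 or 5 and not their cubes), the block below implements bit-level Trivium with a configurable number of initialization rounds, evaluates a superpoly of the first keystream bit by summing over a cube, runs the BLR linearity test on random keys, and, when the test passes, reads the affine superpoly off directly. Cube indices are assumed to be 0-based positions in the 80-bit IV (index i stands for iv_{i+1} of the 1-based specification), and the sample cube used in the demonstration is a constructed one with no claimed property.

```python
# Added example, not from the talk or the paper: bit-level Trivium with a
# configurable number of initialisation rounds, cube summation for a superpoly
# of the first keystream bit, and the BLR linearity test of the offline phase.
# Cube indices are 0-based positions in the 80-bit IV (assumption of this
# example: index i is iv_{i+1} of the 1-based specification).
import random
from itertools import product


def trivium_first_bit(key, iv, rounds):
    # key, iv: lists of 80 bits. State layout follows the specification:
    # s1..s80 = key, s94..s173 = IV, s286..s288 = 1, everything else 0.
    s = key + [0] * 13 + iv + [0] * 112 + [1, 1, 1]
    assert len(s) == 288
    for _ in range(rounds):
        t1 = s[65] ^ (s[90] & s[91]) ^ s[92] ^ s[170]
        t2 = s[161] ^ (s[174] & s[175]) ^ s[176] ^ s[263]
        t3 = s[242] ^ (s[285] & s[286]) ^ s[287] ^ s[68]
        s = [t3] + s[:92] + [t1] + s[93:176] + [t2] + s[177:287]
    # Output z = s66 + s93 + s162 + s177 + s243 + s288 is linear in the state.
    return s[65] ^ s[92] ^ s[161] ^ s[176] ^ s[242] ^ s[287]


def superpoly(cube, key, rounds):
    # p_I(key): XOR of the first keystream bit over all 2^d cube assignments,
    # with the non-cube IV bits fixed to 0.
    acc = 0
    for bits in product((0, 1), repeat=len(cube)):
        iv = [0] * 80
        for idx, b in zip(cube, bits):
            iv[idx] = b
        acc ^= trivium_first_bit(key, iv, rounds)
    return acc


def blr_linearity_test(cube, rounds, trials=16, seed=1):
    # BLR test: an affine p satisfies p(x) ^ p(y) ^ p(x ^ y) ^ p(0) == 0 for
    # all x, y. A failing trial proves non-linearity; passing all trials only
    # gives probabilistic evidence, which is why many trials are used.
    rng = random.Random(seed)
    p0 = superpoly(cube, [0] * 80, rounds)
    for _ in range(trials):
        x = [rng.randint(0, 1) for _ in range(80)]
        y = [rng.randint(0, 1) for _ in range(80)]
        xy = [a ^ b for a, b in zip(x, y)]
        if (superpoly(cube, x, rounds) ^ superpoly(cube, y, rounds)
                ^ superpoly(cube, xy, rounds) ^ p0):
            return False
    return True


def read_affine_superpoly(cube, rounds):
    # Once the BLR test passes, the affine form is read off directly:
    # the constant is p(0), and k_j (0-based) appears iff p(e_j) != p(0).
    c = superpoly(cube, [0] * 80, rounds)
    terms = []
    for j in range(80):
        e = [0] * 80
        e[j] = 1
        if superpoly(cube, e, rounds) ^ c:
            terms.append(j)
    return c, terms


if __name__ == "__main__":
    # With 0 initialisation rounds the first bit is k66 + iv69 + 1 (1-based),
    # so the empty cube gives the affine superpoly 1 + k66 and the cube {iv69}
    # gives the constant 1. After one round the taps have shifted by one.
    print(read_affine_superpoly([], 0))    # (1, [65])
    print(read_affine_superpoly([68], 0))  # (1, [])
    print(read_affine_superpoly([], 1))    # (1, [64])
    # Constructed sample cube at a few hundred rounds; the outcome depends
    # entirely on the cube and is not a result claimed by the paper.
    sample_cube = [0, 5, 11, 17, 23]
    print(blr_linearity_test(sample_cube, 300))
```

Each superpoly evaluation costs 2^d runs of the initialization, and the BLR test multiplies that by three per trial, which is the cost that Möbius-based batch testing of sub-cubes avoids; the read-off step only makes sense after the linearity test has passed, since on a non-linear superpoly it silently returns the wrong polynomial.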
In this paper, we introduce a new algorithm to construct good cubes and apply it to 805-round Trivium. More specifically, a new algorithm to construct candidate cubes, the preference bit and an algorithm to predict it, and an improved Möbius transformation are presented. We believe that the new algorithm could also be applied to Trivium-like ciphers. Thanks for your attention.