Hello everyone. It is our honor to present our work here. In the following, we shall introduce our work from five aspects. First, we shall introduce some basic background of our work. Cube attacks were first proposed by Dinur and Shamir at Eurocrypt 2009. For stream ciphers, the output bit z is a tweakable Boolean function f on secret key variables and IV variables. For a given public variable set I, f could be written in the following form, where t_I is the product of the variables in I, and q is the summation of the terms that miss at least one variable in I. The basic idea of cube attacks is that p_I is equal to the summation of all the 2^d polynomials derived from f by setting the cube variables to all the 2^d possible values. In cube attacks, the variables in I are called cube variables, and the remaining variables in V are called non-cube variables. The linear space C_I spanned by the cube variables is called a cube. The polynomial p_I is called the superpoly of I in f. Cube attacks could be divided into two phases. In the offline phase, which is independent of the secret key, one should find some useful superpolys to recover the secret key. In the online phase, one should solve a system of equations derived from the previously found superpolys under the real key. Later, based on the idea of cube attacks, the concept of the cube tester was proposed. Different from cube attacks, the idea of cube testers is aiming at non-randomness, namely finding superpolys which could be distinguished from random polynomials, such as constant polynomials. Originally, linearity tests are applied to find the linear superpolys in cube attacks. However, the computing complexity increases exponentially as the size of I increases. Generally, the size of I is confined to 40. At Crypto 2017, Todo et al. applied the division property to cube attacks for the first time and made a breakthrough.
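As an added illustration of the cube-attack definitions just given (example code, not from the speakers' paper), the following Python computes the superpoly p_I of a constructed toy function f = t_I * p_I + q both symbolically and by cube summation, checks that the two agree for every assignment of the non-cube variables, and restricts p_I under several non-cube assignments to show when it degenerates to a constant; the function f, the cube {v0, v1} and all variable names are constructed for this example.

```python
from itertools import product

# Boolean functions are kept in ANF as a set of monomials; each monomial is a frozenset
# of variable names ('k*' = secret key bits, 'v*' = public IV bits). Constructed toy f:
F = {
    frozenset({"v0", "v1", "v2", "k0"}),        # v0 v1 v2 k0       contains t_I = v0 v1
    frozenset({"v0", "v1", "v2", "k1", "k2"}),  # v0 v1 v2 k1 k2    contains t_I
    frozenset({"v0", "v1", "v3", "k1"}),        # v0 v1 v3 k1       contains t_I
    frozenset({"v0", "k1", "k2"}),              # misses v1 -> belongs to q
    frozenset({"v2", "k0", "k2"}),              # misses v0, v1 -> belongs to q
    frozenset({"k0"}),                          # belongs to q
}

def evaluate(poly, point):
    """Evaluate an ANF polynomial at a point given as {var: 0/1}."""
    return sum(all(point[x] for x in m) for m in poly) % 2

def superpoly_symbolic(poly, cube):
    """Split f = t_I * p_I + q and return p_I: strip t_I from every monomial containing it."""
    cube = frozenset(cube)
    return {m - cube for m in poly if cube <= m}

def cube_sum(poly, cube, fixed):
    """Offline-phase computation: XOR f over all 2^|I| cube assignments, other variables fixed."""
    cube = sorted(cube)
    total = 0
    for bits in product((0, 1), repeat=len(cube)):
        point = dict(fixed, **dict(zip(cube, bits)))
        total ^= evaluate(poly, point)
    return total

def restrict(poly, fixed):
    """Substitute the assignment `fixed` into an ANF polynomial (e.g. fix the non-cube IV bits)."""
    out = set()
    for m in poly:
        if any(fixed.get(x) == 0 for x in m):
            continue                                       # a variable fixed to 0 kills the monomial
        out ^= {frozenset(x for x in m if x not in fixed)}  # vars fixed to 1 drop out; XOR cancels pairs
    return out

def is_constant(poly):
    """Cube-tester view: a zero or one superpoly leaks nothing about the key (distinguisher only)."""
    return poly in (set(), {frozenset()})

def summation_matches_superpoly(poly, cube):
    """Check the defining identity: the cube sum equals p_I for every non-cube assignment."""
    others = sorted({x for m in poly for x in m} - set(cube))
    p_i = superpoly_symbolic(poly, cube)
    return all(cube_sum(poly, cube, dict(zip(others, bits))) == evaluate(p_i, dict(zip(others, bits)))
               for bits in product((0, 1), repeat=len(others)))
```

For this toy f the superpoly is p_I = v2 k0 + v2 k1 k2 + v3 k1, so fixing the non-cube bits v2 = v3 = 0 gives the zero constant (a distinguisher only), while v2 = 1 gives a key-dependent equation.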
The main idea of division property-based cube attacks is using the division property to analyze the algebraic normal form of the output bit, so that cubes with large sizes could be used. The division property, as a generalization of the integral property, was first proposed at Eurocrypt 2015. Later, at FSE 2016, the bit-based division property was proposed to investigate integral characteristics for bit-based block ciphers. Then, at Asiacrypt 2016, Xiang et al. combined mixed integer linear programming (MILP) methods with the division property. With the aid of MILP, the bit-based division property could be applied widely. With the development of the bit-based division property, division property-based cube attacks were proposed. Later, Todo et al. improved division property-based cube attacks by considering the effects of the non-cube variables, which are set to zero. Then, Wang et al. made improvements by proposing some techniques such as the flag technique and the degree evaluation method. In the following, we shall present our motivations and contributions. In division property-based cube attacks, for a given cube I, a set J, which contains all the key variables appearing in the superpoly, could be figured out. However, the bit-based division property could not analyze the ANF of the output bit precisely, since it does not consider the terms cancelled by XOR operations. Hence, for a cube set I, even though the set J is not empty, the superpoly p_I may be constant. To keep the validity of key recovery attacks, there was an important assumption which is called the weak assumption. The main idea of the weak assumption is that, for a given cube I, there are many values of the non-cube variables such that the corresponding superpoly is not a constant function. However, the weak assumption does not always hold, and this indicates that some so-called key recovery attacks may be distinguishing attacks only.
Based on the above motivations, we further studied division property-based cube attacks and proposed a new method which is able to recover the superpoly of I in the output bit. With our new method, for the cube used to attack 832-round Trivium at Crypto 2017, we recovered the exact ANF of its superpoly. Based on this exact superpoly, we could do key recovery attacks on 832-round Trivium. Furthermore, for the cubes proposed at Crypto 2018, we proved that their superpolys are all zero constant. Hence, those key recovery attacks are actually all distinguishing attacks. Table 1 summarizes our contributions. Before illustrating our work in detail, we shall introduce some preliminaries. The division property is defined on a multiset whose elements take values in the n-dimensional binary vectors. When the multiset X has the division property D_K^{1^n}, it fulfills the following conditions. It can be seen that the n-dimensional vectors are divided into two parts according to the multiset X. Considering the propagation of the division property, Xiang et al. proposed the concept of the division trail. The detailed definition is shown in the slide. With the concept of the division trail, one could calculate the division property of the output bit iteratively. Based on these concepts, the division property could be used to analyze the ANF coefficients of a Boolean function. Specifically, for an n-dimensional bit vector k, if there is no division trail such that k → ... → 1, then the coefficient of x^u is always zero for u ⪰ k. Following the above lemma, Todo et al. proposed the following proposition: let f be a polynomial and I be a cube set. If there exists a division trail from the vector formed by e_j and k_I to 1, then it is regarded that x_j is involved in the superpoly of I in f.
Based on the above proposition, in division property-based cube attacks, one could figure out a set J containing all the key variables involved in the superpoly. After that, in division property-based cube attacks, there are mainly three steps to do key recovery attacks. In the first phase, one should find a proper value of the non-cube variables such that the corresponding superpoly is a non-constant polynomial. In the second phase, one should query the encryption oracle to obtain the value of the superpoly under the real key, so that some wrong keys could be discarded. Finally, in the third phase, guess the remaining secret key bits to recover the entire secret key. It was noted that the set of key bits that the superpoly depends on is a subset of J. Our main work is focusing on division property-based cube attacks. Since the bit-based division property could not analyze the ANF coefficients precisely, it is possible that key recovery attacks may be distinguishing attacks only. Targeting the above problem, our solution is computing the exact ANF of the superpoly for a given cube I. Our main idea is expressing z as a polynomial on the internal state iteratively and discarding, in each iteration, the terms in which the superpoly of I is zero constant. Assuming z is expressed as a polynomial on the internal state at time t, following our main idea, for a cube set I, it needs to be judged whether the superpoly of I in a term u is zero constant. By analyzing the division property of the internal state at time t, the following lemma gives us a sufficient condition such that the superpoly of I in a term u is zero constant. Accordingly, we introduce the notion of invalid terms, where the superpoly of I in an invalid term is zero constant. Based on the above lemma, we could divide the polynomial g_t into two parts, namely g_t^1 and g_t^2, where the superpoly of I in g_t^2 is zero constant. Hence, we only need to consider g_t^1.
According to the above two lemmas, we propose a new method to recover the superpoly of a given cube based on the division property. First, we express the output bit z as a polynomial on the internal state at time t. Then, we discard invalid terms, and so a reduced polynomial g_t^1 could be obtained. For g_t^1, we further express it as a polynomial on the internal state at time t - n_t, and then repeat the above procedure. When reaching the initial internal state, the superpoly could be recovered according to the initialization. In the following, we discuss some details of our method. The first one is how to discard invalid terms. According to Lemma 2, we could use the MILP-aided division property to remove invalid terms. However, when the number of terms is large, the computing complexity is high. It was noted that when the degree of u is smaller than the size of I, u is an invalid term. This indicates that we could use a degree evaluation method such as the numerical mapping to remove invalid terms. Consequently, our solution is first using the numerical mapping method to discard invalid terms, and then utilizing the MILP-aided method to discard the remaining invalid terms. Another issue is how to determine n_t. In the first iteration, n_t is set to 300. Hence, it only needs to build MILP models tracing the propagation of division properties through r - 300 rounds. Therefore, the scale of the MILP models could be reduced, and so they could be solved more efficiently. In the next iterations, n_t is set to a proper value such that the number of terms in g_{t-n_t} is not too large. The details could be found in Algorithm 5 in our manuscript. As illustrations, we apply our new method to Trivium. Trivium is a bit-oriented stream cipher designed by De Cannière and Preneel. The main building block of Trivium is a 288-bit nonlinear feedback shift register. It supports an 80-bit key and an 80-bit IV and has 1,152 initialization rounds.
Trivium is one of the eSTREAM hardware-oriented finalists and became an international standard under ISO/IEC. Targeting Trivium, we verify our method experimentally. First, for the cube set shown in the slide, we recover its superpoly in the output bit of 591-round Trivium. According to the ANF of the superpoly, by setting different values of the non-cube variables, different equations could be obtained. In particular, when all the non-cube variables are set to zero, the corresponding superpoly is zero constant. It implies that setting the non-cube variables to zero, which is adopted widely, may not be the optimal choice. Second, we calculate the superpoly of I in the output bit of 586-round Trivium. The superpoly is complex. Fortunately, by appending some non-cube variables to the set of cube variables, some simple superpolys could be obtained. See Table 2 for full details. Finally, we apply our method to Trivium variants with more than 830 rounds. For the cube used to attack 832-round Trivium, we calculated its superpoly, which is given by Equation 1. Accordingly, under two different assignments of the non-cube variables, we could obtain two different equations, which are shown in the slide. Based on these two equations, we could recover at least one bit of information of the secret key, and for 832-round Trivium, the 80-bit key could be recovered in less than 2^79 + 2^73 requests. Furthermore, for the cubes used to do key recovery attacks against Trivium at Crypto 2018, we prove that their superpolys are all zero constant. This indicates that such key recovery attacks are all distinguishing attacks in fact. Thank you.