Thanks for the introduction. So my name is Qingju Wang. I'm from the University of Luxembourg and I'm going to talk about Improved Division Property Based Cube Attacks Exploiting Algebraic Properties of the Superpoly. This is joint work with Yonglin Hao, Yosuke Todo, Chaoyun Li, Takanori Isobe and Willi Meier.

So let me first give some introduction about cube attacks and stream ciphers. Then I will recall the idea of Todo et al.'s Crypto 2017 paper and point out some limitations that motivated us to do further improvements to the cube attack. Then we give our approach to solve these problems, apply our method to some stream ciphers and give some improved results, and in the end I will conclude my talk.

Okay. So why stream ciphers? As one of the symmetric key primitives, stream ciphers are still widely used. For example, RC4 and ChaCha are used in software applications where high throughput is required. Grain and Trivium are designed to be particularly suitable for hardware applications. And some stream ciphers with low multiplicative complexity, for example Trivium, Kreyvium, FLIP and Rasta, play a very good role in homomorphic encryption. Rasta is another paper accepted by Crypto; it will be talked about on Wednesday morning, I guess. The last application of stream ciphers is that they can also be used for authenticated encryption, and ACORN is one of the seven finalists of the CAESAR competition, which we will also look at in this paper.

So what does a stream cipher look like? Normally the initial state s0 is loaded with the n-bit secret key, which we call x, and the public variables, which we call IV, and the state s0 is updated by the update function for R rounds until the first bit of the keystream is output. We can represent this output as a Boolean function f of the secret key x and the public variables v. So next I will explain a little bit about the cube attack.
The cube attack was proposed by Dinur and Shamir at Eurocrypt 2009. This attack is very powerful for stream ciphers, especially when the degree of the update function is very low. These days the cube attack and its variants have already been applied to some other ciphers, for example hash functions like Keccak, and also authenticated encryptions like ACORN and Ketje Sr, et cetera.

So how does this attack work? We choose some bits from the IV part and go through all their values, while all the rest of the IV, which is not actually required, is set to some arbitrary constant. We denote this set of all the variables v_i as C_I and call it a cube. The output z can be uniquely decomposed as t_I · p_I + q, where q has at least one variable missing from t_I. In this case, if we sum z over the cube, then the q term disappears, and there is only one possible assignment here, where all the cube values are one, so you get p_I. We call this p_I the superpoly of C_I. This p_I is expected to be much simpler than the original f, so if you analyze p_I you can get some secret information. But unfortunately, in reality we cannot decompose f like this, sorry, we cannot see how it looks. So what the traditional cube attack does is treat the stream cipher as a black box: they choose some cubes randomly, sum over them and do the linearity test to see if the superpoly is linear. If it is linear, then the secret information is recovered directly. This is very good. But the not so good thing is that this is an experimental result; you can only try cubes of size smaller than 40. So in 2017, they introduced for the first time the division property to the cube attack, and they analyze the ANF of the superpoly. For the first time they give some theoretical results where they can try some very large cubes. For example, for 832-round Trivium, they tried a cube of size 72.
And they can also upper bound the complexity to recover the ANF of the superpoly. So next I will give more details about their work and point out some limitations of it. But I need two definitions first: what are the division property and division trails? The division property was proposed at Eurocrypt 2017 by Todo. If you are given a multiset X and an n-bit vector k, and we consider the parity property of this multiset: if we can find some k such that for all vectors u with u bigger than k in each bit, the parity of x^u over X is unknown, then we say the multiset X has the division property D_k. Using this property we can easily define division trails. For some cipher, if the initial input division property is D_{k_0} and after some rounds the division property is D_{k_r}, then we have a trail. If we take one r-round trail, where each vector can propagate to the next one, then we call this an r-round division property trail.

And how can this division property trail be evaluated for some cipher? We can try to build a model of this cipher to describe the propagation of the division property. At Asiacrypt 2016, Xiang et al. proposed a method to represent this model as a MILP model, and there may be some other methods you can also use. How to do this? We put all the elements of the trail into the model as variables, then we constrain this update function using some linear constraints, and then we ask for help from the solver to verify whether this division trail is possible or not. If this is a division trail, for example here, a unit vector with only the j-th bit non-zero, and this trail is not feasible, we would say the j-th bit is balanced. So this can be used to find some integral distinguishers or zero-sum properties.
And how can this help us to evaluate the superpoly, that is, to evaluate the coefficients of the superpoly of stream ciphers? So remember that we already chose some cube here, right? Now we want to check whether this secret variable is involved or not in the final superpoly. What we do is put this as the initial division property and check whether this division property trail is feasible or not. Here e_j indicates that x_j is active and k_I indicates the active cube variables. If no division trail exists, then we say that x_j is not involved in the superpoly. We do this one by one and can determine whether each of the secret variables is involved or not, and denote this set as J.

Let me give a little overview of their attack. There are three stages. The first is the evaluation phase, where they try to determine the secret key set J. This phase is feasible; it can be solved by some MILP solver, for example we use Gurobi to do this. The second is the offline phase, where they sum the output over this cube to recover the whole truth table and so get the superpoly p_I. This phase is not practical, but they already give an upper bound on its time complexity of 2^(|I|+|J|), because they recover the whole truth table, and the memory is 2^|J|. The last phase is the online phase. In this phase they get access to the oracle and calculate the exact value of the superpoly, then compare with the table stored in the second phase to get the correct candidates of the key. The time complexity of this stage is 2^|I|.

And we see there are some problems left for us to solve in this work. Why do we see this? Remember that if the superpoly is constant, we actually cannot get any secret information from it, right? But from their method, they cannot guarantee whether the resulting superpoly is constant or not.
So what they do is, for smaller ones, if the cube or the number of secret variables is not so big, they can use some practical experiments to really find a specific IV to make sure that p is constant or not constant, and then use it to recover the secret key. But for bigger values, especially when these are very close to the key size, the correctness of the assumption cannot be guaranteed, right? So what we do is use a flag technique in this paper to determine the proper IV to make sure that the superpoly we found is non-constant, so it can be used.

The next limitation of their work is in the second phase of their attack, where they try to recover the whole truth table. It means that the complexity of this phase is bounded by 2^(|I|+|J|). Usually, if you try some very big cube size and some very big number of rounds, this value can be very big, right? So this might prohibit the adversary from applying larger cubes or even a bigger number of rounds. So what we do in this work is try to avoid recovering the whole truth table in the second phase, and we give some techniques to find more information about the ANF of the superpoly. What we propose are the degree evaluation and term enumeration techniques.

So what is this flag technique? The most used operations in stream ciphers are copy and AND. Assume that the inputs of this operation are x1 and x2, and the output is computed by copy first and then the AND operation. The division property of this operation propagates to y1, y2 and a. These are the possible output division properties. But we know that in some cases, if x2 is just constant zero, then the output of the AND is also zero, so the division property should also be zero. But the previous model cannot eliminate this wrong division property propagation.
So it means that we have to modify the model to make the impossible trails disappear; we should eliminate all the wrong division trails. Yes. It means that for each variable here, as before, just determining whether it is constant or not constant is not enough. For each variable we have to give some flag value: it can be constant zero (0c), constant one (1c), or variable (δ). So before we use this flag technique to really model the operations, we have to define the rules for these flags first. Naturally we can define the equality operation, and we can also define the XOR and AND operations. For XOR you can see that constant one XOR constant one is constant zero, constant zero XOR a variable gives a variable, and if you XOR δ with any x, it gives δ. We can similarly do this for the AND operation. So now if we have these values we can use the flag technique to model the operations. Here I just give an example for the AND operation. We define some flag values, and if the flag value of b is constant zero, then b is zero. Using this we can model the operations, and similarly we can do this for the other operations, XOR and equality, et cetera.

So how can this flag technique be used to determine the non-constant superpoly and the secret key set J? First we choose the cube index set I and, instead of just giving constant values or variables as before, we set the flag values here. For the secret variables set the flag value as variable δ, for the cube variables put the flag value as δ, and also for the non-cube variables. So for the first step, what we do is also put these as δ to determine whether the superpoly is constant or not. Then for the rest, you just represent these operations by this model and solve it to return the set J as before.
So if this can be solved and some set J is returned, we say that with this choice of cube the superpoly is non-constant and can be used. As for how to determine the exact constant value: we know that all the possible values are 2 to the power of the number of non-cube IV bits. You just choose some arbitrary one and check whether the resulting set J is equal to that of the previous step. If you find one, then you just give that specific IV to make your superpoly non-constant. What you do is just try some specific one: if this value is one, you put 1c, if it is zero, you put 0c.

Also we can give a degree evaluation of the superpoly. What we do is, here I check some kind of term indicated by k_Γ, and we try this trail to check whether it exists or not. If it does not exist, we say this term is not involved in the superpoly. And if for all Γ of size d+1 we evaluate all the division trails and there is no trail, we say the degree of this superpoly is upper bounded by d, because all the degree-(d+1) terms cannot be involved, right? I won't go through how you can represent this with our MILP model. I just mention that we put the objective function as the maximum of the sum of the x's; if this MILP is feasible, we would say the degree is d. So by this we can get the upper bound d on the degree of the superpoly.

So the attack strategy is very similar to before. For the first stage, the difference is that we use the flag technique to determine the specific IV to make sure this superpoly is not constant, and we also evaluate the upper bound d on the degree of the superpoly. This is the difference from before. And in the second stage, we know that the upper bound on the degree of the superpoly is d, so there are at most this number of non-zero coefficients, right?
So we just need to compute and sum these cubes and store all the solutions for later use. And the time complexity is reduced to this value from their original paper, and the memory complexity is also reduced from the previous one.

We are out of time, so please wrap up.

Oh, sorry. The last stage is also similar to before. So I just give some numbers here then. We also do a third improvement, term enumeration: since we already know what secret variables are involved in this superpoly and what the upper bound on the degree is, we can find all the possible terms, right? We do all the enumerations and find the set J_t of degree t. So in this way we can upper bound our complexity in the second phase as this, and normally it should be smaller than with the degree evaluation method.

For our applications, I just give an example with Trivium. So we know Trivium is the most analyzed stream cipher. What we do is, first, smaller examples to verify our degree. It means that by using our technique we can find a specific IV to get the degree, and of course we also get J and J2, J3, right, like here. So the complexity is upper bounded by this value. We also tried some bigger cubes to get more rounds of Trivium; we tried cube sizes like 73 and 78, so we can get 832, 833 and 839 rounds. The degree here means using the degree evaluation method to upper bound the complexity, and we use term enumeration to get these values; there is a little bit of improvement here. And we also tried some other ciphers, Kreyvium, Grain and ACORN, and you can see the improvement compared to the previous ones. Okay, the conclusion is that the division property based cube attack is very efficient for key recovery on stream ciphers.
And the second is that we can really get the upper bound on the degree of the superpoly and we can really get all the terms of the superpoly. Future work is to try to find some other targets for our method, maybe further modify our model to get an accurate degree or accurate term enumeration, and third, to try to find some links between the division property and the other cube attack variants. Yeah, thanks.

Okay, we have no time for questions, so please thank the speaker. Thank you.
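The pieces the talk walks through (the decomposition f = t_I · p_I + q recovered by cube summation, the superpoly that turns constant for a wrong choice of non-cube IV bits, which is what the flag technique is meant to detect, and the involved-key set J, degree bound d and term set that the MILP evaluation reports) worked by brute force on a small toy polynomial. This is an added example, not code from the talk or the paper; the output function `toy_output`, the three key bits and the cube I = {0, 1} are constructed for illustration.

```python
from itertools import product

# Constructed toy "cipher" output bit (not Trivium): a Boolean polynomial in key bits x
# and IV bits v:  f = v0*v1*v2*(x0*x1 + x2) + v0*x0 + v2*x1   (all arithmetic mod 2).
# With cube I = {0, 1}, t_I = v0*v1 and the superpoly is p_I = v2*(x0*x1 + x2), so the
# non-cube IV bit v2 decides whether the superpoly is constant (v2 = 0) or usable (v2 = 1).
def toy_output(x, v):
    return (v[0] & v[1] & v[2] & ((x[0] & x[1]) ^ x[2])) ^ (v[0] & x[0]) ^ (v[2] & x[1])

def cube_sum(f, cube, key, iv_const):
    """Sum f over all 2^|I| assignments of the cube bits; other IV bits stay at iv_const.
    By the decomposition f = t_I*p_I + q this equals p_I(key) for the chosen non-cube IV."""
    total = 0
    for bits in product((0, 1), repeat=len(cube)):
        v = list(iv_const)
        for idx, b in zip(cube, bits):
            v[idx] = b
        total ^= f(key, v)
    return total

def superpoly_anf(f, cube, n_key, iv_const):
    """Recover the superpoly's ANF as a set of monomials (tuples of key indices):
    2^n_key cube sums give its truth table, then an in-place Moebius transform."""
    anf = []
    for k in range(1 << n_key):
        key = [(k >> i) & 1 for i in range(n_key)]
        anf.append(cube_sum(f, cube, key, iv_const))
    for i in range(n_key):
        bit = 1 << i
        for k in range(1 << n_key):
            if k & bit:
                anf[k] ^= anf[k ^ bit]
    return {tuple(i for i in range(n_key) if (k >> i) & 1)
            for k in range(1 << n_key) if anf[k]}

def analyse(terms):
    """Involved key set J, degree d and whether the superpoly is constant, i.e. the
    information the talk's MILP evaluation bounds (computed exactly here by brute force)."""
    involved = sorted({i for t in terms for i in t})
    degree = max((len(t) for t in terms), default=0)
    return involved, degree, degree == 0

if __name__ == "__main__":
    for v2 in (0, 1):
        terms = superpoly_anf(toy_output, (0, 1), 3, [0, 0, v2])
        print("v2 =", v2, "terms:", sorted(terms), "(J, d, constant) =", analyse(terms))
```

With v2 = 0 the recovered superpoly is 0 and leaks nothing about the key; with v2 = 1 it is x0·x1 + x2, so J = {0, 1, 2}, d = 2 and the enumerated terms are exactly the two monomials.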