 Hello everyone, my name is Kai. This is a joint work with Siwei Meiqi and Qinju. In this work, we show some new insights into the development property. This is the outline of this presentation. I will introduce our work from these six aspects. As is well known, development property is powerful to detect integrity distinguishers for many sufferers. In recent years, it has been proven useful in support recovery in cube attacks. However, the development property is actually a property defined over the multi-set and rather than the sufferers themselves. And in this paper, we are interested in whether we can develop a director definition of it if we focus on the sufferers themselves alone without other conceptions. In this paper, we propose an underlying technique called monominal prediction. It can be seen as another explanation of current development properties. With this new conception, all the previous development properties can be unified into one framework. Then, we can use monominal prediction to the key independent sums. We also obtain the exact degree for from 1 to 834 rounds of trivial and improved attacks on 840, 841 and 842 rounds of trivial. Vector bottom function can be written as this and x2u or piux is called a monominal of f. If xc appears in f with the f contains x2u denoted by the arrow, otherwise with the f doesn't contain x2u denoted by this. Our vector bottom function sending x to y and a monominal of y can be also written as a polynomial of x like this. And our question is how to judge whether or not xcu is contained by yv? To answer this question, we introduce a new conception called monominal trial. We look into a composite bottom function sending x0 to xr. For each of its component function fi, if we know its nf, we can find such a relationship. A monominal of xi is contained by a monominal of xi plus 1. And we can repeat it for each component function fi. And finally, we can find a chain from monominal of x0 to the monominal of xr. And this trial from x0, x1 to xr, we call it a monominal trial. And if there is at least one trial between piu0x0 and piurxr, we say that the monominal trials piu0x0 and piurxr is connected. To make it clear, we show an example. f is a composite function consisting of x0 and fy and the nf of x0 and fy are here. And we consider the trials from the monominal x0. And firstly, we compute all the monominal of y like this. We can find three monominal trials from x0 to some monominal of y. And similarly, we can compute the monominal trial from the monominal of y to the monominal of x of z. And finally, we connect them and find three monominal trials from x0 to some monominal of z. Next, we study the relationship between a monominal is contained by another monominal and the two monominal are connected. We say, if the monominal piu0x0 is contained by piurxr, then there is at least one trial connecting the two monominal. And we can prove it by induction R. However, the thing is different for the opposite. Although there is a trial from this monominal to this monominal, but this monominal may not be contained by this monominal. Considering the previous example, although x0 can be connected to z1, but if we write out the af of z1, we can find that two x0 cancel each other. So z1 doesn't contain x0. We can find there are just two trials connecting x0 and z1. This implies that the number of trials is important in determining this monominal is or not contained by this monominal. To study the number of trials, we introduce the conception of monominal how. The monominal how is defined as a set of all the monominal trials connecting two monominals and denoted by this notation. And the number of elements in our monominal how is called the size of this monominal how denoted by the side of the monominal how can be computed recursively, like this step by step. Okay, it's the time to introduce our theory. Our theory says if and only if the size of this monominal how is the odd number, then this monominal is contained by this monominal. And we can prove it by induction on R. Assume that it is valid for R less than s. And we want to prove it is also true for the case R equals s. Firstly, we expand pay us xs on x to s minus 1, like this. Then we use the formula of computing the size of monominal how, like this. And considering our assumption, for those monominals of pay us s minus 1 contained by the pay us xs, then the size from the size of monominal how of pay you 0x0 and those pay us minus 1x minus 1 is odd. Then odd number of odd numbers, the sum of odd numbers, odd numbers are odd numbers. So we prove our theory. In practice, we sometimes fix some input as constant values. For example, we may fix this input as a constant 0 and fix this input as constant 1. And some variables are treated as public variables, such as play text, array, and some variables are treated as secret variables, such as k bits. So we introduce the conception of derived function. A derived function can be defined by the f and the four marks as follows. The mask gamma 0 indicates the constant 0 and the gamma 1 mask indicates the constant 1 variables. And the gamma p indicates the public variables and the gamma s indicates the secret variables. And for the derived function, we should use this variant theory to compute whether a monominal is or not contained by another monominal, because all the monominal pay you 0x0 or way are actually one monominal. Okay, let's say the first application, we apply the monominal prediction to the k independent sums for our structure of x. If we want to judge whether lambda is independent of ks, we should know whether the monominal of pi urfdx contains any k-related monominal, like this. To determine it, we should compute the size of all related monominal howls. Obviously, this is very difficult, however, for attackers, they need less. They only need to determine some bits of self-taxes is k independent and do not care about those k dependent self-tax bits, then they can take some trade-off. For example, if they know there is no trials from this k-related monominal to pi urxr, then this monominal are impossible to appear in the final AF. This is simpler and enough to the attacker. We say this compromised algorithm, the no-force-alarm approximation of the monominal prediction, means we can use the trade-off algorithm to detect whether the final AF doesn't contain any k-related monominal and the algorithm will not raise force-alarm. So for the attackers, they can use the compromised algorithm to detect k independent self-tax bits. And now we can unify all the previous development properties into one framework and we say all the previous development properties are all no-force-alarm approximation of the monominal prediction. Here we take the two subset bit-based development property as an example because this development property is generally used in many cases. If we compare the initial set of two subset bit-based development property and the propagation of it, we can deduce that if there is no two subset different trials, then there is no monominal trials and then there is no k-related monominal in the final AF. So we can see that the two subset bit-based development property is a no-force-alarm approximation of the monominal prediction. And in this way, we can also prove that the three subset bit-based development property without all no subsets are also the no-force-alarm approximation of the monominal prediction and we can also prove that the monominal prediction is also the no-force-alarm approximation of the three subset bit-based development property without all no subsets because they share the same inputs and the same propagation rules. So the two techniques are equivalent and we can also say the previous development properties are also no-force-alarm approximation of three subset bit-based development property without all no subsets. Initially, if we can know why the monominal appears in the bottom function, we can compute the exact degree of this bottom function. Firstly, we find a monominal with degree of D to determine that this monominal is contained by F and then secondly, we prove that any monominal with larger degree than D will not appear in F. Then we can determine that the degree of F is just D. Then we apply monominal prediction to its poly-recovery. We can find all monominal of a bottom function related to the cube term and finally, we can get the superpoly with this formula, which is because the superpoly is just the coefficient of the cube term to compute to speed up the search. We recall the formula of computing the size of monominal how, which can be used to divide the large search problem into several smaller ones. And with this improved algorithm, we use it to recover many superpoly for 840, 841, 842 rounds of trivial. And with this superpoly, we develop the improved cube attacks on trivial for round reduced trivial. To summarize our work, we propose an underlying monominal prediction technique and give the exact degree of trivial up to 834 rounds of trivial. And finally, we improve the key recovery attack on trivial. Thanks for your attention and if you have some problems, please, questions, please email to me. Thank you.