Hello everyone, I'm Yao Sun. It's my pleasure to give a presentation here. And my topic today is Automatic Search of Cubes for Attacking Stream Ciphers. So in this talk, I will introduce a new algorithm to search for a special kind of cubes. This presentation contains three parts. Firstly, I introduce the background and our main contribution. And secondly, we talk about the main ideas of the search algorithm. And thirdly, we apply the search algorithm to attack against Trivium.

Now let's start with the first part. Our attacks are based on the cube attack, which has become one of the most powerful tools of attacking stream ciphers. For stream ciphers, the output bit can always be represented as a Boolean polynomial f. And let I be the set of indexes of public variables, and C_I be the cube of I. By summing up the values of f over the cube C_I, we can obtain a new polynomial p. And this polynomial is called the superpoly of the cube. And generally, the superpoly p should be balanced. And in the offline phase of the cube attack, we need to generate the balanced superpoly p. And in the online phase, we need to query the oracle for many times to get the active value of p. And then we will obtain an equation. Using this equation, we can filter out half of the illegal case. And this is the overall complexity. Note that using more superpolys can lower down this complexity. And this is the main idea of the cube attack.

So in the cube attack, the first problem is how to generate the superpoly p. And many works have been done to solve this problem. In the earlier years, linearity tests and quadraticity tests were used. And in 2015, the division property was presented. But the related computations were very slow. And in the next year, the concept of division trail is proposed. It is similar to the concept of differential trail. And it can be computed very efficiently using MILP methods. And in the year 2017, the division trail method was first applied to cube attack.
And this does the recent cube attack against stream ciphers. After many improvements on the division properties, and finally the three-subset division property without unknown subset was presented in 2020. And since then, the problem how to retrieve the superpoly was solved completely.

And what's the next problem to be solved in the cube attack? In my opinion, I think it is how to find good cubes or superpolys. Since one cube corresponds to exactly one superpoly, searching for cubes is equivalent to searching for superpolys. But the related works are quite few.

Next, we talk about which kind of superpolys should be searched for. Firstly, linear superpolys, they are perfect in the attacks, but they are too rare to find. And moreover, I think they may not exist at all for higher rounds of stream ciphers. And secondly, the general nonlinear superpolys. They can be found almost everywhere, but they are useless. So to my understanding, we think we can find a special kind of nonlinear superpoly called superpoly with balanced variables. For example, in this form, the variable Ki is a balanced variable, and the monomials in the other part can be nonlinear. I believe there are lots of these kinds of superpolys, much more than the linear ones. So these kinds of superpolys are not hard to find, and they are also very useful. Note that the superpolys with balanced variables must be balanced superpolys. And we call the cubes whose superpolys have balanced variables as the valuable cubes. And this is the objective we are going to search for.

So the main contribution in this paper is that we propose a new heuristic algorithm to search for valuable cubes. And as applications, we improve the theoretical cube attacks against Trivium and Kreyvium when the paper was submitted in the last year. And we also improve the practical key recovery attack against Trivium. And this is the best result, best practical result now. And next, let's see the search algorithm.
Our goal is to search for valuable cubes. Or equivalently, search for the superpolys with balanced variables in this form. So the first idea coming to our mind is that we can choose a random cube and recover the whole superpoly and check whether there are many balanced variables. But clearly this method is not very efficient. Because, for example, recovering the whole superpoly for 840-round Trivium always takes more than one hour. So this method has a very low success rate.

And an improvement is that we can choose a specific secret variable, Ki. And only check whether Ki is balanced in the superpoly. And this method is faster than the first one. But it has a very low success rate because the number of secret variables is large. For example, usually more than 80.

So we got the third idea. That is, we can treat a set of cubes together such that the common computations among these cubes can be shared. And this method is much faster than the previous ones. And it also has a high success rate. But in fact this method is still not efficient enough because we must finish the computation of all the cubes. And actually we only need a few numbers of valuable cubes. So we think we can reject some hopeless cubes during the computation. And this will slightly lower the success rate. But the efficiency of this method will be very good.

And there is another problem that is how to reject hopeless cubes timely. And by saying a hopeless cube of Ki, we mean that the secret variable Ki is not balanced in its superpoly. Equivalently, there are many nonlinear monomials involving Ki that appear in the superpoly. And this introduces another problem. That is, we need a method to check whether a monomial appears in the superpoly, which can be solved by the three-subset division property without unknown subset.

And next we briefly introduce the main result of this method. There are some notations. F_r be the r-round function and X_r be the state of the r-th round. And π_w(X) is just a notation.
And f̂_w is the ANF of a Boolean function. And the three-subset division property without unknown subset says, a monomial appears in the ANF, f̂_w, if and only if the vector u corresponds to an odd number of solutions of the system. By this result, we can see that to check whether a monomial appears in the superpoly, we only need to solve this system. And for simplification, we restate the above statement as: a monomial appears in the ANF if and only if it appears odd times in the solutions of some system.

So to reject hopeless cubes timely, we can use the divide and conquer strategy, which is proposed in 2020. The idea is simple. Since we want to solve a big system, we can split this big system into several small subsystems. By solving these subsystems one by one, we can accumulate the results. And by using this divide and conquer strategy, we can determine whether a cube is hopeless with a high probability after computing only a small number of subsystems. And that is, we observe that the property of the whole system approximately equals the property of the subsystem.

And specifically, we have two observations. Our first observation is, if a monomial appears in the solutions of some subsystem, then it tends to appear even times. And this observation holds with a very high probability, particularly when the system is complicated. And our second observation is, if a monomial only appears in a few subsystems and it appears odd times in some subsystem, then it tends to appear odd times in the whole system with a relatively high probability. And the logic of this second observation is that for a monomial, it only appears in a few subsystems. And by the first observation, it appears even times in most of them. And if it is odd in some subsystem, it hardly turns to even at last. And there are some data supporting.
We cannot prove this observation, but there are some data that can be supporting the observation, too. The data are the statistics of the monomials in the superpolys. And we sort the monomials by degree. And the fourth column shows how many monomials appear odd in the subsystem. And the fifth column shows how many monomials still appear odd in the whole system. And the ratio is given in the last column. From the data, we can see that the higher the degree is, the higher the ratio is.

And with these two observations, we give a heuristic algorithm to search for valuable cubes. In the first step, we prepare a set of candidate cubes and choose a specific secret variable Ki. In the second step, we divide the whole system into several small subsystems. And in the third step, we solve each subsystem one by one. And during the computation, for a cube, if a nonlinear monomial involving Ki appears odd times in some subsystem, then we remove this cube from the candidate set. Another case is, for a cube Ci, if the monomial Ki appears in some subsystem, this time we record the number of times for Ci. And after the computation finished, if there exists some cube Ci, such that the recorded number of Ci is odd, then Ci is a valuable cube.

And in our experiments, we use two criteria to detect hopeless cubes, and one is more aggressive but more efficient. And another possible case is that our criteria are too aggressive and reject all candidate cubes. And in this case, we can increase the size of subsystems and search again. Because if there really exist some valuable cubes, we can always find them if the subsystems are large enough.

And next, let's see the applications. And Trivium is a famous stream cipher, and it has an 80-bit key. So to provide a theoretical attack against the round-reduced Trivium, it suffices to find one valuable cube, with dimension no bigger than 78.
So the set of candidate cubes we used in our experiments contains all the cubes of dimension 78. And for attacking 840-round Trivium, we choose three secret variables at random. And we compared the number of hopeless cubes and the number of valuable cubes. And we also give the timings of each search algorithm. From the table, we can see that the first criterion is more aggressive. But it is more efficient. And the data of different variables are also different. And here are the timings for retrieving the superpolys. From these data, we can see that all the timings are more than one hour. And compared with the search algorithm, we can see the search algorithm is very efficient.

And we also apply the search algorithm to higher rounds of Trivium. For 841 and 842, we use the first criterion. And for 843, we use the second criterion. And finally, we found two valuable cubes. And we recover the superpoly of one valuable cube. And the superpoly contains more than 16,000 monomials. And it leads to a theoretical attack against 843-round Trivium with a complexity slightly better than the brute-force method.

And another application is a practical attack against Trivium. In this case, we need many superpolys instead of one. So we present a set of indexes S. And we prepare all the candidate cubes from the subsets of S. And we searched about two weeks and got about 200 valuable cubes, as well as their nonlinear superpolys. To solve this nonlinear system, we use the guess and determine method. And please note that only the values of balanced variables can be deduced. For example, in this equation, only the value of x2 can be deduced. And by guessing the values of 43 variables, we can deduce the values of the other 37. And the deduction costs no time. So the complexity of getting the active values of superpolys is 2^44. And the complexity of solving the true key is 2^43. Both can be done practically.
And there are some details about the valuable cubes and the balanced variables. Note that a superpoly may contain several balanced variables.

And at last we summarize this presentation. Our main contribution is that we propose the new algorithm to search for valuable cubes. And we will apply the search algorithm to both theoretical and practical attacks. And we believe the search algorithm can be applied to other ciphers directly. And that's all. Thanks for your attention.