Dynamic Cube Attacks against Grain-128AEAD

. In this paper, we revisit the division property based dynamic cube attack on the full Grain-128 presented by Hao et al. at FSE 2020 and demonstrate that their attack on the full Grain-128 is invalid, that is, no key information could be successfully recovered. The theoretical framework for the dynamic cube attack provided by Hao et al. is correct, but the technique for building the MILP model in the dynamic cube attack has flaws. Besides, strong evidence indicates that their bias estimation method is not applicable to Grain-128AEAD and Grain-128. Accordingly, we introduce the three-subset division property without unknown subset (3SDP/u) into dynamic cube attacks and present a correct MILP modeling technique. In addition, we propose a heuristic technique called Polynomial Approximation with regard to Bias (PAB) to evaluate the bias in superpolies in the dynamic cube attack, which can provide a more accurate bias evaluation for high-dimension cubes. As a result, we implemented the dynamic cube attack based on 3SDP/u on 190-round Grain-128AEAD, and we could recover 3 key bits with a complexity 2 103 . 44 and the success probability was evaluated to be 99 . 68%. For Grain-128, some zero-sum distinguishers of cube size 80 are given for the first time.


Introduction
Since the cube attack was first introduced by Dinur and Shamir in [DS09], it has become an important cryptanalysis tool for stream ciphers.In cube attacks, the first output bit of a stream cipher can be regarded as a black-box polynomial f (k, v) with respect to the secret key variables k and public IV variables v. Given a non-empty subset I of IV indices, f (k, v) can be rewritten uniquely as where v I = i∈I v i and each term of q I (k, v) is not divisible by v I .The IV variables in {v i | i ∈ I} are called cube variables.In the preprocessing phase, by assigning all possible combinations of 0/1 values to the cube variables, 2 |I| polynomials are obtained from f , and their symbolic sum p I is called the superpoly of I in f .Generally, the non-cube variables are set to 0-constant in specific cube attacks, and in this case, p I is a polynomial in k.Cube attacks aim to find proper sets I such that the superpolies p I (k) are balanced polynomials with low-degree, which can provide 1-bit secret key information theoretically.The equations on the secret key variables could be built by inquiring about the value of p I (k) online.Finally, some key information could be restored by solving these equations.Additionally, a distinguisher variant of cube attacks, referred to as cube tester, was first introduced in [ADMS09], which is used to detect non-random properties of a superpoly of a carefully selected cube such as constantness, linearity, and bias.
The dynamic cube attack, a variant of cube attacks proposed in [DS11], serves as a potent cryptanalytic technique extensively applied in the evaluation of security in the Grain family [DS11, DGP + 11, RBMA16, HJL + 20].Unlike cube attacks, dynamic cube attacks recover secret key information by exploiting distinguishers on superpolies, such as bias and constantness.The basic idea of dynamic cube attacks is to simplify or even nullify the ANFs of several critical intermediate state bits by imposing dynamic constraints on some IV variables called dynamic variables, which aims to simplify the ANF of the output function and induce non-random properties to the corresponding superpoly.The dynamic constraints typically depend on some cube variables and key expressions.By guessing the values of key expressions (or secret key variables) involved in the constraints, the correct guesses can be obtained by detecting the non-randomness of the corresponding superpoly.Ideally, under a correct key guess, the corresponding superpoly will show a kind of non-randomness; conversely, under wrong key guesses, the corresponding superpolies behave randomly.By using the dynamic cube attack, Dinur and Shamir proposed a weak-key attack on the full version of Grain-128 in [DS11].Subsequently, Dinur et al. further proposed a key-recovery attack on the full version of Grain-128 in [DGP + 11] and experimentally verified the correct guesses for a dozen of keys.By adjusting the strategy of imposed conditions, Rahimi et al. presented a key-recovery attack against 100-round Grain v1 in [RBMA16].
In [HJL + 20], Hao et al. argued that a theoretically reliable key-recovery attack should evaluate not only the non-randomness for the correct key guess but also the randomness for the wrong ones.Based on this idea, they pointed out that previous dynamic cube attacks are unreliable, as these attacks typically overlooked the empirical or theoretical validation of the randomness of the superpoly under wrong key guesses.
To solve this problem, Hao et al. applied the division property to dynamic cube attacks and proposed a new dynamic cube attack (which we call division property based dynamic cube attack) along with the corresponding MILP1 modeling technique.By applying the division property and the MILP modeling technique, large cubes can be exploited to construct zero-sum distinguishers in dynamic cube attacks, which is very useful for distinguishing correct guesses from incorrect guesses.To achieve this goal, a "qualified" cube must satisfy the following requirements: for the correct key guess, the cube should introduce a zero-sum property (i.e., the bias of the corresponding superpoly is 2 −1 ); for each wrong key guess, the superpoly should be of high degree with a bias smaller than 2 −1 .However, using high-dimensional cubes makes detecting the bias through experimental testing infeasible since the computation complexity exceeds the available computational capabilities.Therefore, to evaluate biases in superpolies of high-dimensional cubes, Hao et al. drew links between the bias and the division property through a specific algebraic structure and a heuristic assumption.Based on the links, they proposed a theoretical method for estimating the biases of superpolies.Strictly speaking, it is necessary to evaluate the biases of the superpolies for all possible wrong guesses.But, it is impractical to do this due to a large number of wrong key guesses.Therefore, the authors proposed a method to pick up a special wrong key guess that is expected to have a bias that is closest to the bias of the correct key guess.Thus, the dynamic cube attack is deemed to be successful if the correct key guess can be distinguished from the special wrong key guess.Finally, the authors in [HJL + 20] applied the division property based dynamic cube attack to the full Grain-128 and recovered about 3-bit key information with a complexity of 2 97.86  and a success probability of 99.83%.It is currently the best theoretical key recovery attack for the full Grain-128.
1. We present a key-recovery attack against 190-round Grain-128AEAD with theoretical analysis of the success probability, which is the first dynamic cube attack against Grain-128AEAD.In our attack on Grain-128AEAD, we identify the nullification strategy by employing an automated search algorithm.It only nullifies two internal state bits by guessing 6 key bits.As a result, our attack provides 3 bits of key information with a complexity of 2 103.44 and a theoretically estimated success probability of 99.68%.
We summarized the previous and our attack results for Grain-128AEAD in Table 1.Compared with Hao et al.'s cube attack in [HLM + 21], our attack can be regarded as a more "practical" key recovery attack since we can independently recover 3 key bits.In [HLM + 21], it is explained from the perspective of entropy that 15 recovered superpolies with high biases can provide 5.03 bits of key information, which is a "theoretical" analysis and how to solve theses 5.03 bits of key information in practice is unknown.
2. Based on the new modeling technique, we further discuss the feasibility of Hao et al.'s dynamic cube attack against the full Grain-128.Through a large number of experiments, we claim that within the framework of dynamic cube attacks proposed in [HJL + 20], it is challenging to execute an effective key-recovery attack against Grain-128.
3. We compare the accuracy of our bias estimation method with the previous method given in [HJL + 20] by performing experiments on the reduced-round Grain-128AEAD.
It can be seen from Table 10 that the accuracy of our new bias evaluation method is much better than the previous method for Grain-128AEAD.Besides we also give the main reasons for the inaccuracies in estimating bias with the previous method.
All our results and the source code are available in our git repository.[HHPW22] 1 They recovered two massive superpolies with a high-bias, which are considered to be able to provide 1.7-bit key information from the perspective of entropy. 2 They recovered one massive superpoly, which is proved balanced through experimental testing and is considered capable of providing 1-bit key information.

Notations
Let n be a positive integer.An n-variable Boolean function f (x 0 , x 1 , . . ., x n−1 ) is a mapping from F n 2 into F 2 , and we also denote it by f (x) for simplicity.It can be uniquely written as where , which is called the Algebraic Normal Form (ANF) of f (x).A Boolean function of the form x µ for some vector µ ∈ F n 2 is called a monomial.In particular, 1 = x 0 is a monomial.By Eq.(1), if a µ = 1, then we say the monomial x µ appears in f (x), denoted by x µ → f ; otherwise denote x µ ↛ f .The algebraic degree of f (x) is defined by deg where wt(µ) is the Hamming Weight of µ, and is denoted by deg(f ).A vector of length 2 n consisting of all the outputs of f (x) is called the truth table of f .The quantity ε f such that is called the bias of f (x), which describes the 0/1 distribution of the truth table of f (x).
It can be seen that − 1 2 ≤ ε f < 1 2 .If ε f = 0, then the number of 0's is equal to that of 1's in the truth table of f , and in this case, f is called a balanced Boolean function.If ε f > 0, then the number of 0's is larger than that of 1's, and in this case, the output of f is more likely to be 0 for a random input.In particular, if ε f is close to 1 2 , then f is close to being the zero constant function.
Beside Boolean functions, we need to introduce another type of polynomial ring.Let Z[x 0 , . . ., x n−1 ] be the polynomial ring in n variables over the integer ring Z and ) is a commutative ring with identity, and we denote it by Z[x], where x = (x 0 , x 1 , . . ., x n−1 ).Since , it follows that every polynomial f (x) ∈ Z[x] can be written uniquely as

Frequency test to Boolean functions
Let f (x) be an n-variable random Boolean function, that is, its truth table contains as many zeroes as ones.This implies that Pr(f (x) = 1) = Pr(f (x) = 0) = 1 2 for a uniformly distributed discrete random variable ) by S. Then the central limit theorem implies that for a sufficiently large N , the distribution of is approximately the standard normal distribution N (0, 1).Generally, when N is greater than 25 or 30, this approximation will be good [HTZ13,Chapter 5.6].Next, we devise a test for random Boolean functions.Choose a significance level 0 < α ≤ 0.05.If Φ(|y|) ≤ 1 − α 2 , then we say the function f passes the frequency test for randomness with a significance level α, where Φ is the distribution function of N (0, 1), that is, Otherwise, we say f (x) fails the frequency test for randomness with the significance level α and in this case we also say f is biased.Finally, we discuss the sample size N in the above frequency test to detect a Boolean function f ′ with bias ε f ′ > 0. The bias implies that Pr(f If we want f ′ to fail the frequency test for randomness, then the sample size N should be the solution of (2) Thus, we can detect that f ′ is biased by the frequency test for randomness with the significance level α when the size of X is at least (2ε To make the assertion for a Boolean function being biased more reliable, in the following we set

Three-subset division property without unknown subset
The concept of the three-subset division property without unknown subset (shortly 3SDP/u) was proposed by Hao et al. at Eurocrypt 2020 in [HLM + 20], which is widely applied to cube attacks against stream ciphers.The 3SDP/u is one of the best methods to resolve the problem of determining the presence or absence of a monomial in the ANF of a Boolean function.In [HLM + 20], the definition of the 3SDP/u was not given directly, but an equivalent definition called the modified three-subset division property was proposed.
Definition 1 (Modified three-subset division property).Let X be a multiset whose elements take a value of F N 2 .Let L also be a multiset whose elements take a value of F N 2 .When the multiset X has the modified three-subset division property (shortly T 1 N L ), it fulfils the following conditions: 1 if there is an odd number of µ's in L, 0 otherwise.
Generally, an iterative stream cipher can be decomposed into a composition of basic vectorial Boolean functions: COPY, AND, and XOR.We present the propagation rules of the 3SDP/u for these basic vectorial Boolean functions below and provide their MILP models in Appendix A.
Proposition 1 (COPY).Let x = (x 0 , x 1 , ..., x m−1 ) and y = (x 0 , x 0 , x 1 , ..., x m−1 ) be the input and output vector of a Copy function.Let X and Y be the input and output multisets, respectively.Assuming that X has where L ′ is computed as for all l ∈ L. Note that the operator ∨ represents the OR operation, and here L ′ ← l denotes that l is inserted into the multiset L ′ .
Proposition 2 (AND).Let x = (x 1 , x 2 , ..., x m ) and y = (x 1 • x 2 , x 3 , ..., x m ) be the input and output vector of an And function.Let X and Y be the input and output multisets, respectively.Assuming that X has where L ′ is computed as for all l ∈ L.
Proposition 3 (XOR).Let x = (x 1 , x 2 , ..., x m ) and y = (x 1 ⊕ x 2 , x 3 , ..., x m ) be the input and output vector of a Xor function.Let X and Y be the input and output multisets, respectively.Assuming that X has where L ′ is computed as To determine whether a given monomial appears in the ANF of the output function for an iterative cryptosystem with r-round initialization, the authors in [HLM + 20] defined the concept of three-subset division trail.
Definition 2 (Three-subset division trail [HLM + 20]).Let T Li be the three-subset division property of the input for the ith round function.Let us consider the propagation of the three-subset division property i+1 by the propagation rules of the 3SDP/u, denoted by Let f (x) be a basic vectorial Boolean function, and y = f (x).For an input bit-vector µ, the corresponding output bit-vector ω can be derived using the propagation rules of the 3SDP/u.In this case, the monomial x µ appears in the ANF of y ω with respect to x, the correctness of which is guaranteed by the propagation rules.
However, when the function f (x) is not a basic vectorial Boolean function, µ p − → ω does not necessarily mean that the monomial x µ appears in the ANF of y ω with respect to x.It is implied that the monomial x µ appears in the expression of y ω with respect to x, under the condition that the expression does not consider the cancellation property of the operation xor.This is because a Boolean function can typically be decomposed into a composition of basic vectorial Boolean functions, and there are more than one possible ways for propagation according to the rule of COPY, rendering µ propagate to ω through several different ways.Assuming that there are a total of N different trails connecting µ and ω, it implies that there are N monomials x µ appearing in the expression of y ω with respect to x, without taking into account the cancellation property.Further, if N is even, then the monomial x µ does not appear in the ANF of y ω with respect to x due to the cancellation property; otherwise, x µ appears in the ANF of y ω .To illustrate more clearly, we provide a simple example.
Similarly, for an iterated stream cipher with r-round initialization f (k, v), if we want to determine whether a monomial π l (s 0 ) appears in f , it is necessary to enumerate all possible three-subset division trails connecting π l (s 0 ) and f .When the number of trails is odd, the monomial π l (s 0 ) appears in the ANF of f ; otherwise, π l (s 0 ) does not appear in the ANF of f .
Based on the propagation rules of these basic functions and the concept of three-subset division trail, Hao et al. proposed a general modeling technique to recover the superpolies against the stream ciphers in [HLM + 20, HLM + 21], which is a basic tool for all superpoly recovery algorithms proposed after it.For details on the corresponding MILP models for specific stream ciphers, please refer to [HLM + 20, HLM + 21].

A divide-and-conquer algorithm for superpoly recovery
A divide-and-conquer algorithm for recovering superpolies was proposed in [Sun21, HST + 21].Its basic idea is to decompose the complex system that failed to be solved within a time limit, into several simpler subsystems for resolution by employing a divide-and-conquer strategy based on the algebraic expression of the internal update function.If any subsystems remain unsolved within a time limit, they are further decomposed into even simpler subsystems until all subsystems are successfully resolved.
In specific, expressing the output bit z as a polynomial of some intermediate state variables (not necessarily at the same time instance), say z = f (s 1 , s 2 , . . ., s m ), and then the process of recovering the superpoly of the output bit z for a given cube I could be divided into recovering the superpoly of every monomial of f for the cube I.That is, if f (s 1 , s 2 . . ., s m ) has N monomials, then the MILP model to recover the superpoly of z could be decomposed into N smaller MILP models as N branches for recovering the superpolies of N monomials.The MILP models for some branches could be solved very efficiently, such as 0-constant superpolies, while the MILP models for some branches are time-consuming.For those branches with MILP models that are hard to resolve, a preset time limit is used to terminate them.Therefore, for each monomial of f , if the corresponding MILP model is solved within the time limit, then the superpoly of the monomial has been recovered; otherwise, it indicates that the superpoly of the monomial is still unknown.Then, each monomial with an unsolved MILP model is further divided into more branches by expressing it as polynomials of deeper intermediate states.The above procedure is iterated until all monomials are resolved.Finally, all the superpolies are collected and assembled into the whole superpoly of the output bit.

Revisiting Hao et al.'s dynamic cube attack
In this section, we will first provide a brief introduction to Hao et al.'s dynamic cube attack in Section 3.1 and then discuss the issues in their attack on the full Grain-128 in Sections 3.2 and 3.3, respectively.

Brief introduction to the dynamic cube attack
In this subsection, we briefly introduce the division property based dynamic cube attack presented by Hao et al. in [HJL + 20].For a stream cipher with n-bit key variables x = (x 0 , . . ., x n−1 ) and m-bit public IV variables v = (v 0 , . . ., v m−1 ), the ANF of its arbitrary intermediate state bit can be regarded as a polynomial s(x, v) as follows, Naturally, the output bit can be represented as a polynomial involving the intermediate state bits.Hence, if we can identify crucial intermediate state bits for the output bit and nullify them, then the output bit can be significantly simplified, making it vulnerable to cube testers.An intermediate state bit s (r) i , generated at round r and position i, can be nullified by assigning specific IV variables to a dynamic value determined by the ANF of s (r) i .Assume that s (r) i can be expressed as where each monomial in g does not contain the variable v l .Then, the state bit s (r) i can be nullified by assigning g(x, v) to v l .Let v ′ = (v 0 , . . ., v l−1 , g, v l+1 , . . ., v m−1 ) be a vector derived from v. The state bit s The expression g is referred to as the dynamic value and the variable v l is referred to as the dynamic variable.If there are several crucial state bits s (r1) i1 , . . ., s (rt) it (we always assume r 1 ≤ • • • ≤ r t hereafter) to be nullified, then the dynamic variables v l1 , . . ., v lt need to be replaced by the corresponding dynamic values g 1 , . . ., g t recursively.Since the dynamic values are uniquely determined by the pairs in N S = {(v l1 , s (r1) i1 ), . . ., (v lt , s (rt) it )}, the authors referred to the set N S as the "nullification strategy".
Once a nullification strategy N S and a cube I are confirmed, we can identify a set of key expressions (including key variables) that need to be guessed.By guessing the values of these key expressions, we can obtain a set of dynamic values.To-be-guessed key expressions are denoted as G = (g 0 , g 1 , . . ., g κ−1 ) where g j ∈ F 2 [x] for j ∈ {0, . . ., κ − 1}.There are a total of 2 κ different key guesses, denoted by , where µ ∈ {0, . . ., 2 κ − 1} and µ[i] represents the ith bit of µ.Obviously, µ = 0 is the correct key guess.For a predefined nullification strategy, it is necessary to find a batch of cubes that satisfy the following criteria: the corresponding superpolies should be 0-constant polynomials (i.e., the bias is 2 −1 ) under the correct key guess; under any wrong key guess, the corresponding superpolies should be high-degree polynomials with a bias less than 2 −1 .Such cubes can effectively differentiate between correct and wrong key guesses, thus recovering key information.
There are two important contributions in [HJL + 20] for the dynamic cube attack.One is applying the conventional bit-based division property (CBDP) with the "flag" technique to the dynamic cube attack and proposing a new MILP modeling method.The MILP model established by this method can be used to estimate the algebraic degree of the superpoly for a given cube, provided that the nullification strategy is predefined and the assignment of the non-cube IV is fixed.The models can not only describe the zero-sum (or bias) for the correct key guess but also analyze the randomness in the wrong guesses.This modeling method forms the basis for division property based dynamic cube attacks.See [HIJ + 19, HJL + 20] for more details about the propagation rules of CBDP and its MILP modeling techniques.
The other is drawing links between the bias and the division property.To achieve this, two new concepts were proposed: split set and minimal split set, along with an assumption.They found that the bias of a superpoly is closely related to the split set and further proved that the minimal split set can draw lower bounds on the bias in superpolies under the given assumption.Based on these two new concepts and the assumption, a new method was proposed to theoretically estimate the bias for superpolies of large cubes.Definition 3. ([HJL + 20]) Let p I (k) be a superpoly.Let Λ be a subset of secret key indices.It defines a key class W Λ ⊂ F n 2 as follows:

Assumption 1. ([HJL + 20]) For a minimal split set Λ and its corresponding key class W Λ , we assume
For a superpoly p I (k), let Λ be a minimal split set of p I (k).Then it follows from Definition 3 and Assumption 1 that and so the bias of p I (k) is set to be 2 −(|Λ|+1) .Note that the accuracy of such bias evaluation depends on the rationality of Assumption 1.
Although Hao et al. provided a reliable framework for dynamic cube attacks in theory, the implementation of their attack against the full Grain-128 is not in accordance with their theory, which makes the key-recovery attack invalid.

Inaccuracy in the MILP models for dynamic cube attacks
The MILP modeling technique for dynamic cube attacks proposed in [HJL + 20] can be utilized to evaluate the algebraic degree of the superpoly, provided that the nullification strategy and the cube are predefined.This modeling technique is essential for constructing qualified cubes, and its accuracy determines the effectiveness of the results of dynamic cube attacks.Upon analyzing this modeling technique, we discovered that the specific modeling process did not consider the algebraic structure of Grain family of ciphers.This oversight led to many redundant division trails in their models, which may result in an inaccurate estimation of the algebraic degree of a superpoly.
Through further experiments, we discovered that the qualified cubes used in [HJL + 20] do not meet the specified requirements.Specifically, the superpolies corresponding to these cubes are 0-constant polynomials under both correct and wrong key guesses, making it impossible to correctly distinguish between correct and wrong key guesses.To illustrate the issues in this modeling technique, we will first describe the propagation of division property from an algebraic perspective.
The propagation of division property from an algebraic perspective.Generally, an iterative stream cipher f (k, v) can be further decomposed into a composition of simple vectorial Boolean functions as follows, where 2 as the output of F i for i ∈ {0, . . ., r}.We refer to Eq.(3) as a composite expression of f (k, v).Obviously, the composite expression of f is not unique.From an algebraic perspective, the 3SDP/u actually describes how a given monomial is propagated in a composite expression of f (k, v).
Let us consider the propagation of the 3SDP/u as follows, where l = (µ, ν) ∈ F n+m

2
. For the sequence of multisets L, if the multiset L out is nonempty, there must exist a three-subset division trail, denoted by where l i ∈ L i for i ∈ {0, . . ., r}.According to the propagation rules of 3SDP/u, ) can appear in the expansion of π li+1 (l i+1 ) with respect to s (i−1) .The trail ι describes a propagation of the monomial π l (k, v) in a composite expression of f (k, v), and indicates that the monomial π l (k, v) appears in the expansion of f with respect to k and v.However, the expansion of different composite expressions of f with respect to k and v may vary.This means that in other composite expressions of f , the three-subset division trails connecting the monomial π l (k, v) and f may not necessarily exist.We will illustrate this point through a simple example.
and F o (z) = z 1 z 3 .It is clear that the monomial z 1 z 3 can be expanded as the polynomial of x in Z[x] as follows, be another composite expression of f , where The expandsion of z 1 z 3 can be obtained as follows, For the first composite expression f 1 , there is an even number of division trails connecting x 0 x 3 to f .In contrast, no three-subset division trail connects x 0 x 3 to f for the second composite expression f 2 .Therefore, if we set x 0 and x 3 as cube variables and construct the MILP model based on the composite expression f 1 , the estimated algebraic degree of the superpoly in f is not accurate due to redundant trails in the MILP model.Therefore, when constructing the MILP model for a stream cipher f (k, v), the usage of an inadequate composite expression for f can result in numerous redundant trails within the corresponding MILP model.The propagation rules of CBDP are similar to those of 3SDP/u, so the propagation of CBDP faces the same issues as 3SDP/u.This issue is the primary reason for the failure of the dynamic cube attack against the full Grain-128 proposed in [HJL + 20].
Inaccuracy in the original MILP models.The original modeling technique for dynamic cube attacks is to model round by round.Therefore, the r-round Grain-128 G(k, v) is first decomposed into a composition of the round functions as Eq.(3).
Let (s In any round i, only two state bits, s i+128 and b i+128 , are updated respectively by z i ⊕ f i ⊕ s i and z i ⊕ g i ⊕ s i , and the rest of the state bits are shifted.The additional binary variables f i , g i and z i can be represented as the polynomial of s (i) and b (i) .
In the process of modeling the function F i+1 , the additional binary variables f i , g i , and z i are first defined, and the algebraic relation between them and s (i) as well as b (i) are added to the model as constraints.Then, the expressions of s (i+1) and b (i+1) with respect to s (i) , b (i) , f i , g i and z i are added to the model.However, the MILP model established by this method may have redundant division trails, since z i ⊕ s i is involved in both two update functions of s i+128 and b i+128 , which makes the following equations hold, Another issue with the original MILP models is that the imposed constraints, based on the nullification strategy, do not consider the specific structure of Grain-128.We will use the nullification strategy in [HJL + 20] as an example to illustrate this issue.
For the nullification strategy N S = {(v 30 , b 158 )}, the IV variable v 30 is first set as a dynamic variable, and its dynamic value is determined by the ANF of b 158 under a specific key guess.For the correct key guess, we have the equations b 158 = 0 and v 30 = g 30 + z 30 , which are added to the MILP model as the constraints.Then, the other state bit s 158 is updated by the expression z 30 + f 30 + s 30 in the MILP model.The modeling process described above is algebraically sound, but it may result in many division trails in the MILP model that should not exist.This is because the MILP model does not consider the cancellation property.Due to the nullification strategy N S , the equations v 30 = z 30 + g 30 and s 30 = v 30 are satisfied in the MILP model, thereby, the equation s 158 = z 30 + f 30 + s 30 = 2 • z 30 + f 30 + g 30 also satisfying in the MILP model, which makes many redundant trails in this model.
In [HJL + 20], the presence of numerous redundant trails in the model led to inaccurate results, causing the cubes identified as "qualified" to be unable to distinguish between correct and wrong key guesses.This directly rendered the key-recovery attack against the full Grain-128 invalid.

Empirical analysis of the impact caused by wrong key guesses
Evaluating the bias of the superpoly for each wrong key guess in practical scenarios presents challenges due to the exponential increase in the quantity of wrong key guesses as the number of key expressions to be guessed rises.This task necessitates solving numerous MILP models, which is a time-consuming process and incurs substantial computational costs.Constrained by the MILP modeling technique and computational capacity, Hao et al. introduced a resolution, which is to identify a specific wrong key guess that is considered to have potentially significant bias and is closest to the bias under the correct key guess.
For a predefined nullification strategy, Intuitively, as the complexity of the ANFs of the intermediate state bits that require nullification increases, the complexity of the superpoly may also increase, potentially resulting in a smaller bias of the superpoly.Therefore, the special wrong key guess is considered to have the most significant bias among all wrong key guesses.Based on the above view, if a batch of cubes can successfully differentiate between the correct key guess and such a specific wrong key guess, it implies that the batch of cubes can successfully differentiate between the correct key guess and all wrong key guesses.This solution not only reduces the requirements for modeling techniques but also greatly reduces the computational workload.
However, the validity of this viewpoint lacks inferences drawn from theoretical analysis; instead, it is based on personal experiences and intuition, which may lead to the division property based dynamic cube attack encountering similar issues as the traditional dynamic cube attack; that is, the constructed cubes may not guarantee successful differentiation between the correct key guess and all wrong key guesses.

More accurate bias evaluation for high-dimension cubes
Due to computational constraints, evaluating biases for high-dimension cubes has always been an extremely challenging problem.Hao et al. in [HJL + 20] first established connections between the bias phenomenon and the division property, introducing a bias evaluation method based on the minimal split set.However, this method has significant limitations because its accuracy depends on Assumption 1.If Assumption 1 is unsuitable for a certain cryptosystem, then this method cannot provide a relatively accurate estimate of bias.In [HJL + 20], this method was applied in the division property based cube attack against the full Grain-128.However, based on our experiments, we found that Assumption 1 is not universally true for the Grain family of ciphers.
In this section, we present a new technique called Polynomial Approximation with regard to Bias (PAB) to evaluate the bias of the superpolies for the dynamic cube attack.The basic idea is that when dealing with a complex unknown polynomial, we identify and leverage its various algebraic properties to construct a simpler, known polynomial.By leveraging these properties, the constructed polynomial closely reflects the bias of the original one.Consequently, the original polynomial can be evaluated by detecting bias of the constructed polynomial.Prior to presenting the new method for evaluating bias in Section 4.1, we will first describe a trivial method for calculating the actual bias in Section 4.2.

A trivial method for calculating practical bias
Identifying biases of superpolies of high-dimension cubes through experimental testing is not feasible in cube attacks due to the computational complexity involved, which far exceeds current computational capabilities.In current cube attacks against stream ciphers, the dimensions of cubes that can be experimentally tested are mostly around 40 dimensions, not exceeding 50 dimensions.
With the three-subset division property without unknown set (3SDP/u) and its MILP modeling technique proposed in [HLM + 20, HLM + 21], it is possible to recover the exact ANF of a superpoly.Subsequently, by combining 3SDP/u with the divide-and-conquer strategy, a series of state-of-the-art methods were proposed in [Sun21, HST + 21, HHPW22], which demonstrate high efficacy in the massive superpoly recovery.Therefore, we can use the accurately recovered superpoly to calculate its bias directly.Fortunately, recovering the corresponding superpoly in dynamic cube attacks is more accessible than in other variants of the cube attack, as a nullification strategy is applied to simplify the superpoly of the output bit, which makes enumerating all feasible solutions in the MILP model easier.
For a predetermined nullification strategy, if the superpoly under a specific wrong key guess has been successfully recovered, we can use experimental testing to detect its bias directly.Let p I (k) represent the recovered superpoly of a given cube I.The process of detecting bias of p I is simple and follows these steps.
2. Randomly assign values to the key variables in K multiple times, denoted as κ 1 , . . ., κ N , as N different inputs for the superpoly p I .

compute the bias ε
As described in Section 2.2, if the obtained value ε N satisfies Eq.(2), it can be regarded as the practical bias of p I , and this bias can be detected with the significance level α using N random inputs of p I .If N does not satisfy Eq.(2), choose a new N ′ such that and repeat the aforementioned process.

Polynomial Approximation with regard to Bias
While the process of recovering a massive superpoly is currently quite effective, it still involves significant computational and time expenses.Additionally, as the number of initialization rounds of a cryptosystem increases, the superpoly simplified by the nullification strategy will also become more complex, making it difficult to recover its exact ANF.Therefore, a method is required to provide accurate bias evaluation with fewer computational requirements and faster processing times.
In this part, we will introduce a new method for evaluating bias based on a new technique, called Polynomial Approximation with regard to Bias.The new technique is not to recover the entire superpoly but to recover a portion of it and identify specific algebraic properties of the remaining portion, thereby constructing a polynomial with a bias similar to that in the complete superpoly, which we refer to as an approximate polynomial of the superpoly.Accordingly, the bias of the superpoly can be evaluated by detecting the bias of the approximate polynomial.
An r-round iterative stream cipher f (k, v) can be decomposed into a composition of round functions as Eq.(3).By choosing a proper positive number r 0 ∈ {0, . . ., r − 1}, f (k, v) can be represented as follows: where For a specified cube I, we denote the superpoly of I in π ω (s (r0) ) as p (r0) ω , and try to recover these superpolies.The method of superpoly recovery is to construct the corresponding MILP model M r0 ω with a time limit for each monomial π ω (s (r0) ) in f .If the model M r0 ω is not solved within the time limit, the procedure will be forcibly terminated.Depending on whether the model M r0 ω determined by ω ∈ Ω (r0) can return all feasible solutions within the time limit, the function f can be represented as where ω is solved within the time limit and p (r0) ω has been recovered }, |M r0 ω is unsolved within the time limit and p (r0) ω is still unknown }.
Obviously, the superpoly p ω .Furthermore, if the set Ω (r0) u is empty, the superpoly p I will be successfully recovered.However, recovering the superpoly is a challenging task, making it almost impossible for the set Ω (r0) u to be empty, and our primary goal is to handle the monomials determined by the set Ω (r0) undergoes a detection process to ascertain whether its superpoly is divisible by the variables k 0 , . . ., k n−1 .Assuming that the superpoly p (r0) ω is divisible by the variables {k i1 , . . ., k it }, it can be represented as follows: where µ(∈ It is noteworthy to highlight that the polynomial q (r0) ω still remains unknown.If the superpoly in each monomial ω ∈ Ω (r0) u has such a representation, i.e., p ω , then the entire superpoly p I can be represented as Otherwise, we will choose another positive integer r 1 ∈ {0, . . ., r 0 − 1}, and then expand the polynomial f (r0) u into a polynomial f (r1) in terms of s (r1) as follows, where We repeat the process of dealing with Ω (r0) along with the number of rounds reducing (0 < r t < • • • < r 1 < r 0 ) until we obtain the following equation, i.e., p where s .The worst-case scenario of this process is that Ω (rt) u is an empty set, indicating that the entire superpoly has been recovered.
For each ω ∈ Ω (rt) u , the superpoly p ) is considered a relatively complex polynomial due to the inability to enumerate all potential three-subset division trails within a time limit.The polynomial q (rt) ω serves as the predominant component of polynomial p (rt) ω , thus indicating that polynomial q (rt) ω possesses a level of complexity equivalent to that of polynomial p (rt) ω , making it difficult to recover the ANF of q (rt) ω .Hence, it is crucial to determine how to provide an approximate polynomial that maintains a bias similar to the bias of q (rt) ω when constructing an approximate polynomial of the superpoly p I .According to the equation p that is most correlated with the key variables {k 0 , . . ., k n−1 } has been extracted.Therefore, we consider the correlation between q (rt) ω and the key variables notably feeble.Given this understanding, it is possible to introduce a new variable x ω ∈ F 2 as substitutes for the unidentified polynomial q It can be seen that p ′ I is a simple and identified polynomial whose bias can be detected by the method described in Section 4.1.However, there is a significant gap between the practical bias p ′ I and p I , and the reasons mainly lie in two aspects.
1.The polynomial q (rt) ω has a bias that is not equal to 0. Although the polynomial q (rt) ω is extremely complex, it does not mean that it is balanced.Therefore, the new variable x ω used to replace q (rt) ω should not be randomly distributed over F 2 , implying that Pr(x ω = 1) ̸ = Pr(x ω = 0).

Too many new variables were introduced.
There are correlations among the polynomials {q and variables k; however, the newly introduced variables are not correlated with each other or with the original variables.This implies that the more new variables we add, the smaller the bias of p ′ I will be, which can be proven by the piling-up lemma.
To mitigate these issues, we introduced a new algebraic property of polynomials, referred to as the minimum algebraic degree.Based on this property, we proposed a heuristic method to estimate the probability of each new variable taking the value of 1.
We denote the minimal algebraic degree of the function f as deg m (f ), defined as A heuristic method for probability estimation.For each ω ∈ Ω (rt) u , we heuristically use the minimal algebraic degree of q (rt) ω , denoted by d ω , to define the probability of x ω taking the value 1, i.e.,

Pr(x
The heuristic method is based on a simple property: for a monomial d j=1 x ij , when x i1 , . . ., x i d are random variables over F 2 , it has the probability given by Pr As the value of d increases, the probability of the monomial taking the value 1 decreases.Intuitively, when a polynomial has a high minimal algebraic degree, the probability of it taking the value 1 may be very small.Furthermore, if there are correlations among monomials in this polynomial, it may bring this intuition closer to the actual scenario.In our experiments, we observed that for the Grain family, particularly for Grain-128AEAD and Grain-128, there is a high correlation among the monomials in their superpolies, and their superpolies generally have high minimal algebraic degrees.Therefore, for a superpoly with a high correlation between monomials and with d-minimal algebraic degree, we regard it as a monomial of degree d.Besides, for the new variable x used to substitute the superpoly, the probability of it taking value 1 is required to be 2 −d .
For the sake of simplicity, we will only focus on the case where the minimum algebraic degree is greater than 0 hereafter, which also aligns with the algebraic characteristics of the Grain family.
A set of rules for polynomial transformations.We provide a set of polynomial transformation rules designed to integrate unknown polynomials, aiming to reduce the introduction of new variables.The specific rules are listed as follows: rule 1: If there are polynomials k µ • q (rt) ω1 , . . ., k µ • q (rt) ω l involved in Eq.(4), we use a new symbol polynomial g to represent the sum (q ω l ), and these polynomials can be replaced by k µ • g.The minimal algebraic degree of g can be obtained by deg m (g) = min{d ω1 , . . ., d ω l }. rule 2: If there are such polynomials k µ1 • q (rt) ω1 and k µ2 • q (rt) ω2 in Eq.(4) satisfying that k µ2 is divisible by k µ1 , we use a new symbol polynomial g to represent the sum (q ), and thereby the polynomials can be replaced by k µ1 • g.The minimal algebraic degree of g can be obtained by deg m (g) = min{d ω1 , d ω2 + (wt(µ 2 ) − wt(µ 1 ))}.rule 3: If there are at least three polynomials ( ω3 in Eq.(4), we use a new symbol polynomial g to represent the sum (k l1 • q ω3 ), and thereby these polynomials can be replaced by (k i1 • • • k ij ) • g.The minimal algebraic degree of g can be obtained by deg m (g) = 1 + min{d ω1 , d ω2 , d ω3 }.
Based on the polynomial transformation rules, a simplified form of Eq.(4) can be derived as follows, Besides, the minimal algebraic degree of g i has been obtained, denoted by d i .By replacing the polynomials g 1 , . . ., g t with new variables x 1 , . . ., x t ∈ F 2 , we can obtain an approximate polynomial of the superpoly p I , i.e., Note that the new variables satisfy the conditions: Pr(x i = 1) = 2 −di , for i ∈ {1, . . ., t}.
The construction of this approximate polynomial involves leveraging the known part and the algebraic properties of the undetermined part of the superpoly.It makes the constructed polynomial closer to the superpoly in terms of algebraic properties, further making the bias of the approximate polynomial more similar to the bias of the superpoly.
Therefore, we can compute the actual bias ε ′ of the approximate polynomial p ′ I by the method described in Section 4.1.Moreover, we use the bias ε ′ of the approximate polynomial p ′ I to evaluate the bias of the superpoly p I .

A reliable implementation of dynamic cube attacks
In this section, we introduce a reliable implementation of dynamic cube attacks against the Grain family of ciphers, which includes an algebraic analysis of the impact caused by wrong key guesses and a more accurate MILP modeling technique for dynamic cube attacks.

Algebraic analysis of the impact caused by wrong key guesses
In dynamic cube attacks, it is necessary to evaluate the biases of the superpolies for all possible wrong key guesses.However, it is impractical to do this due to the need to solve a large number of MILP models, which is time-consuming and entails a significant computational cost.Therefore, we also need to identify specific wrong key guesses that may have significant biases and are closest to the bias of the correct guess.We refer to these key guesses as "bad" wrong key guesses.For a predefined nullification strategy N S and a given cube I, based on the ANFs of the intermediate state bits that need to be nullified, we can identify a set of dynamic variables v d1 , . . ., v dt , and their respective dynamic values f d1 (k, v), . . ., f dt (k, v).It is worth noting that, through simple algebraic substitutions, it can be ensured that none of f d1 , . . ., f dt contain any dynamic variables.
The first output bit z = f (k, v) can be uniquely decomposed into the following form, i.e., where there are no dynamic variables involved in the polynomial q µ (k, v), for each vector µ ∈ F t 2 .Based on Eq.( 6), we can analyze the impact of different wrong key guesses on the biases of the corresponding superpolies.Taking the specific strategy in [HJL + 20] as an example, we will provide a simple explanation.
For the nullification strategy N S = {(v 30 , b 158 )}, the dynamic variable v 30 is required to satisfy the following equation, For Eq.( 7), if the variables v 38 and v 72 are treated as non-cube variables with fixed values, guessing the values of k 42 and k 125 is meaningless, due to the equation v 30 = g ′ 0 ⊕v 43 v 50 ⊕v 90 .In this situation, the constructed cubes can not provide 3-bit key information.Therefore, the variables v 38 and v 72 should be set to cube variables.
The function f (k, v) can be decomposed into the expression as Eq.( 6), i.e., where q and h are polynomials with respect to the key variables k and the cube variables v I .
Let µ be a positive integer.Denote the guess values of (g 0 , k 42 , k 125 ) by (g ).Each value of µ corresponds to a unique key guess, and we refer to µ as the key-guess pattern.Since the value of v 30 is determined by the guess values of (g 0 , k 42 , k 125 ), the function f can be further represented as follows, Since the superpoly under the key-guess pattern µ = 0 is required to be a 0-constant polynomial, the corresponding superpoly in h should be a 0-constant polynomial.The polynomial q can be uniquely decomposed as follows, where the IV variables v 38 , v 72 are not involved in the polynomials q 0 , q 1 , q 2 , q 3 .Therefore, the function f can be further represented as follows, Due to the variables v 42 and v 72 set to cube variables, the superpoly in f only comes from • q 3 ).Let p 1 , p 2 , p 3 be the corresponding superpoly in the polynomials v 38 v 72 • q 0 , v 38 v 72 • q 1 , v 38 v 72 • q 2 respectively.Therefore, the superpoly p in f also can be represented as follows, We show the superpoly under different key-guess patterns in Table 2.

Table 2:
The superpoly under different key-guess patterns. ( For the Grain family of ciphers, the output bit can be expressed as a polynomial with respect to the secret key and public IV variables.As the initialization rounds increase, the superpolies in the polynomial representing the output bit become incredibly complex.Typically, the linear combination of different superpolies is considered even more complicated, as there are no significant cancellations of monomials.Therefore, we can come to the following conclusion. Let c = (c 1 , c 2 , c 3 ) ∈ F 3 2 , and be a linear combination of the superpolies p 1 , p 2 and p 3 .Denote the bias of a polynomial p as ε(p).For each c ∈ F 3 2 , the bias ε(p c ) satisfies the following condition: As shown in Table 2, when the key-guess mode is µ = 1, 3, or 5, the associated superpolies may exhibit more significant biases.Therefore, it is necessary to identify the biases of the superpolies under key-guess modes µ = 1, 3, and 5, as it is uncertain which one exhibits a greater bias.By employing the nulling strategy N S , if we can construct a series of qualified cubes that successfully distinguish between the key guessing mode µ = 0 and key guessing modes µ = 1, 3, and 5, then we believe that these cubes can be used to distinguish between correct and wrong key guesses.Leveraging these cubes, we can execute a reliable dynamic cube attack against Grain-128.Compared to the analysis in [HJL + 20], our method relies more on theoretical deduction, which is more reasonable.
Theoretically, this analysis method is a general and effective approach to identify the potential "bad" wrong key guesses in dynamic cube attacks for most stream ciphers.However, when the imposed conditions are complicated, the analysis becomes too intricate to find the possible "bad" key guesses.

A new MILP model for dynamic cube attacks
In this subsection, we introduce a new MILP modeling technique for dynamic cube attacks targeting the Grain family.

Specifications of Grain-128AEAD and Grain-128
The Grain family of ciphers include Grain v1, Grain-128, Grain-128a, and Grain-128AEAD.The Grain family of ciphers consists of two registers: an NFSR b = (b 0 , . . ., b n−1 ) and an LFSR s = (s 0 , . . ., s n−1 ), along with two feedback functions g and f for the NFSR and the LFSR.
In the initialization phase, the n-bit key and the m-bit IV are first loaded into b and s, respectively, while the other state bits are set to constant values.Then, the cipher is clocked 2n times without generating a keystream.Simultaneously, the output produced from certain bits of the NFSR and the LFSR is fed to the cipher, as illustrated in Figure 1.

Figure 1: Structure of the Grain family
Grain-128AEAD and Grain-128 are both members of the Grain family designed to provide 128-bit security.Grain-128AEAD is one of the ten finalist candidates of the NIST LWC standardization process.Grain-128 is the preliminary version of Grain-128AEAD, whose specification is simpler than Grain-128AEAD.Their internal state at time t consists of an LFSR and an NFSR, both with a length of 128 bits, denoted by s (t) = (s t , . . ., s t+127 ) and b (t) = (b t , . . ., b t+127 ), respectively.
For Grain-128AEAD, the initial states can be represented as follows: Let z t be an output of the pre-output function as time t, and it is computed as where A = {2, 15, 36, 45, 64, 73, 89}, and h(s (t) , b (t) ) is defined as Moreover, the functions g(b (t) ) and f (s (t) ) are defined as follows, The internal state bits s t+128 and b t+128 are computed by In the initialization phase, the state is updated 256 times without producing an output.After the initialization, the update function is adjusted so that z t is not fed to the state but rather used as a pre-output keystream.Grain-128AEAD inherits many specifications from Grain-128a proposed in [ÅHJM11].Assuming that the first bit of the pre-output keystream can be observed, there is no difference between Grain-128AEAD and Grain-128a.Hereinafter, we study the round-reduced Grain-128AEAD under the above assumption.
For Grain-128, the feedback function for the NFSR is more sparse and is specified as Moreover there is a small tweak in the h function as where s t+95 is used to instead of s t+94 .The others are identical to Grain-128AEAD.

A new modeling technique
Let s (r) = (s r , . . ., s r+n−1 ) and b (r) = (b r , . . ., b r+n−1 ) represent the intermediate states of the Grian family of cipher after the r-th round of iteration.In the initialization phase, the internal state bits s r+n and b r+n can also be updated by where z ′ t ≜ z t ⊕ s t and f = f ′ ⊕ s t .The purpose of updating the intermediate state bits with the functions z ′ , f ′ , and g is to avoid the issue mentioned in Section 3.2.
For a given nullification strategy N S = {(v lj , s n−1 )} j∈J b and a predefined cube I, the dynamic variables and their dynamic values can be determined.For a pair (v d , s d , and we have the following equation: Obviously, only one of z ′ and f contains the dynamic variable v d .If the dynamic variable While these constraints are algebraically equivalent due to Eq.( 8), this modification in the MILP model helps reduce unnecessary division trails within the model, as described in Section 3.2.For the pair (v d , b (r d ) n−1 ) ∈ N S that satisfies similar conditions, we use the identical processing method to replace the original constraint with the new one.
Compared with the original MILP modeling method proposed in [HJL + 20] for dynamic cube attacks, our new modeling technique can achieve a more accurate MILP model.First, it is known that 3SDP/u is more accurate than the CBDP, and Algorithm 2 is based on 3SDP/u while the original model is based on CBDP.Second, the specific algebraic structure of the Grain family is taken into consideration in Algorithm 2 to avoid generating numerous redundant trails.Our modeling technique is demonstrated in Algorithms 1 and 2, focusing on the modeling ideas while omitting some technical details.The detailed modeling process has been uploaded to the GitHub repository as code.ModelFuncG, and ModelFuncZ used in Algorithm 2 are specific implementations for the function g and the modified functions f ′ and z ′ .The models established by Algorithm 2 can be used to estimate the algebraic degree of a superpoly and recover the superpoly for a given cube.Moreover, by adjusting the objective function as described in Algorithm 1 to M.obj ← min{ n−1 i=0 kvar[i]}, the modified model can be employed to estimate the lower bound of the minimal algebraic degree of the superpoly.Additionally, if the initially feasible models become infeasible by adding the constraint M ← kvar[i] = 0 to the model, then we can determine that the superpoly is divisible by the key variable k i .By solving n MILP models with different constraints, i.e., M ← kvar[i] = 0 for i ∈ {0, . . ., n − 1}, all key variables that divide the superpoly can be identified.

Applications to Grain-128AEAD and Grain-128
In this section, we applied dynamic cube attacks based on the 3SDP/u to Grain-128AEAD and Grain-128.As a result, we successfully conducted a key-recovery attack on 190-round Grain-128AEAD, with the ability to recover 3 key bits with a probability exceeding 99.68%.Additionally, we provided a feasibility analysis of a dynamic cube attack against full-version Grain-128.Furthermore, we compared two different methods of bias evaluation.The solver for the MILP model we used is: Gurobi Solver (version 9.0.3), and the platform we used is: AMD Ryzen 5950X 16-core Processor 3.7 GHz, 128G RAM, and Ubuntu 22.04 LTS.The source codes and experimental results are both available in our git repository.
cube I the bias ε (µ 1 ,µ 2 ) under the "bad" key-guess patterns (µ 1 , µ 2 ) (1, 0) (3, 0) (5, 0) (0, 1) (0, 3) (0, 5) According to the definite nullification strategy N S and these "bad" key-guess patterns, we found some qualified cubes by constructing and solving corresponding MILP models, denoted as I 0 , . . ., I 50 .Their biases under "bad" key-guess patterns were detected by conducting experimental testing on the corresponding superpolies that have been recovered.The amount of data used to detect the biases is 2 20 , which satisfies Equation (2).This implies that the detected biases can be considered practical biases in these superpolies under "bad" key-guess patterns.Both the cubes used and their biases under "bad" key-guess patterns were listed in Table 4.
Our dynamic cube attack process is consistent with the one described in [HJL + 20].It

Zero-sum distinguisher for Full Grain-128
In this subsection, we provide a further discussions on the feasibility of Hao et al's dynamic cube attack against the full Grain-128.Under the same nullification strategy N S = {90, b 158 }, we applied our new MILP modeling method to evaluate the cubes used in [HJL + 20].We found that their superpolies are 0-constant polynomials under both correct and wrong key guesses.This indicates that these cubes were unable to distinguish between correct and wrong key guesses.
By searching for cubes with dimensions ranging from 70 to 80, we found a batch of qualified cubes that meet the requirements: under the correct key guess, their superpolies are 0-constant polynomials; under wrong key guesses, their superpolies are non-constant polynomials with high degrees.However, these cubes were also unable to distinguish between correct and wrong key guesses because their superpolies have a bias of almost 2 −1 under wrong key guesses.Additionally, we observed that under wrong key guesses, the minimal algebraic degrees of their superpolies are generally high, ranging from a minimum of 9 to a maximum of 23.That is why their superpolies have biases very close, even equal to 2 −1 .We presented some cubes along with their respective minimal algebraic degrees in Table 11 (available in Appendix B) and Table 8.The comprehensive results have been uploaded to our Git repository.As the dimension of cubes decreases and the search space increases, it becomes challenging to find cubes with 0-constant superpolies under the correct key guess.To further explore the structural characteristics of Grain-128, we attempted to recover the superpolies of the full-version Grain-128 without applying any nullification strategies.As a result, we successfully recovered the superpolies of a batch of cubes with 80 dimensions, including 9 0-constant superpolies.These cubes with 0-constant superpolies can serve as the zero-sum distinguishers for the full-version Grain-128, and listed in Table 9.All the recovered superpolies have been uploaded to our git repository.In our experiments without any nullification strategy, we observed that all of the recovered superpolies of high-dimensional cubes exhibit significant biases close to 2 −1 , along with having a high algebraic degree and minimal algebraic degree.Additionally, these superpolies are very sparse.Based on the above experimental results, we infer that the superpolies of high-dimensional cubes in the full Grain-128 generally exhibit significant biases, as well as high algebraic degree and minimal algebraic degree.Moreover, when a nullification strategy is applied to the full Grain-128, even under wrong key guesses, the superpolies may still be simplified, particularly for the "bad" key guesses.Besides, the biases of superpolies may be more significant, approaching 2 −1 .Therefore, under the framework of the dynamic cube attack proposed by Hao et al., we consider that it is difficult to carry out key-recovery attacks solely by altering the nullification strategy.

Comparison of two different bias evaluation methods
In this section, we will compare the accuracy of bias estimation method based on the PAB technique given in Section 4.2 and the method based on the minimal split set given in [HJL + 20] by experimental testing on the reduced-round Grain-128AEAD.The nullification strategy and cubes employed were derived from Section 6.1.We apply the two methods to the superpolies under the key-guess pattern µ = (5, 0), respectively.The results are explicitly shown in Table 10.We provide a straightforward explanation of the data in Table 10, using the data from the 30th row as an example, which is "I 30 , 0.252210, {(k 88 , 5), (k 89 , 4)}, 0.242751, Λ = {46, 47, 88, 89}, 0.03125".For the cube I 30 , the practical bias obtained by directly testing the recovered superpoly is 0.252210.By using the PAB technique, we can represent the superpoly as p ′ I = p s ⊕ k 88 g 1 ⊕ k 89 g 2 , where deg m (g 1 ) = 5 and deg m (g 2 ) = 4. Furthermore, by using the corresponding approximate polynomial, the bias of the superpoly is evaluated to be 0.242751.As for the method based on the minimal split set, the minimal split set is given by Λ = {46, 47, 88, 89}, and the estimated bias of the superpoly is 2 −(|Λ|+1) = 0.03125.
It can be seen from Table 10 that the accuracy of the new bias evaluation method is much better than that of the minimal split method for Grain-128AEAD.We further investigate the reason for this phenomenon.Based on numerous experiments, we have observed that the minimal algebraic degrees of the superpolies in Grain-128AEAD are typically very high under wrong key guesses.Therefore, for the identified minimal split set, the superpoly still exhibits a high minimal algebraic degree and significant bias over its complement space, leading to the failure of Assumption 1 on Grain-128AEAD in the method based on the minimal split set.For the full version of Grain-128, we also observed similar algebraic properties for superpolis under the wrong key guesses, which fails Assumption 1 on Grain-128.

Conclusion
In this paper, we explain that the dynamic cube attack proposed by Hao et al. against Grain-128 is invalid.Furthermore, we present a reliable implementation of dynamic cube attacks against the Grain family of ciphers, including wrong key-guess analysis and a more accurate MILP modeling method based on 3SDP/u.Additionally, we introduce a new technique called Polynomial Approximation with respect to Bias (PAB), which can provide a more accurate bias evaluation.As an application, we implement a dynamic cube attack against the Grain family of ciphers.As a result, we present a key-recovery attack on 190-round Grain-128AEAD and discuss the feasibility of dynamic cube attacks on full-version Grain-128.Furthermore, through experiments, we demonstrate that the bias estimation method based on the minimal split set is unsuitable for the Grain family of ciphers.Simultaneously, we show the effectiveness and accuracy of our new method for evaluating bias.We believe this new method can play an important role in dynamic cube attacks on more rounds.
B The cubes used in Section 6.2

ω
, leading to the derivation of a new polynomial p ′ I expressed in terms of k and {x ω } ω∈Ω (r t ) u as follows,

(
r d ) n−1 ) ∈ N S and a key-guess pattern µ, denote φ (0) d as the dynamic value of the dynamic variables v d under the key-guess pattern µ = 0. Let δ (µ) d be the ANF of the to-be-nullified state bit s (r d ) n−1 under a key-guess pattern µ.Hence, the dynamic values of v d can be represented as φ (µ)

Table 1 :
Summary of the attack results for round-reduced Grain-128AEAD Hao et al. considered the wrong key guess satisfying the conditions s , and the other intermediate state bits that require nullification are successfully nullified.By contrast, the ANFs of the intermediate state bits that required nullification become more complex under other wrong key guesses.
j ≤ t − 1) as special, since under such a wrong key guess, the intermediate state bit s

Table 8 :
The minimal algebraic degrees of the superpolies under the "bad" key-guess patterns