Links between Division Property and Other Cube Attack Variants

. A theoretically reliable key-recovery attack should evaluate not only the non-randomness for the correct key guess but also the randomness for the wrong ones as well. The former has always been the main focus but the absence of the latter can also cause self-contradicted results. In fact, the theoretic discussion of wrong key guesses is overlooked in quite some existing key-recovery attacks, especially the previous cube attack variants based on pure experiments. In this paper, we draw links between the division property and several variants of the cube attack. In addition to the zero-sum property, we further prove that the bias phenomenon, the non-randomness widely utilized in dynamic cube attacks and cube testers, can also be reﬂected by the division property. Based on such links, we are able to provide several results: Firstly, we give a dynamic cube key-recovery attack on full Grain-128. Compared with Dinur et al.’s original one, this attack is supported by a theoretical analysis of the bias based on a more elaborate assumption. Our attack can recover 3 key bits with a complexity 2 97 . 86 and evaluated success probability 99.83%. Thus, the overall complexity for recovering full 128 key bits is 2 125 . Secondly, now that the bias phenomenon can be eﬃciently and elaborately evaluated, we further derive new secure bounds for Grain-like primitives (namely Grain-128, Grain-128a, Grain-V1, Plantlet) against both the zero-sum and bias cube testers. Our secure bounds indicate that 256 initialization rounds are not able to guarantee Grain-128 to resist bias-based cube testers. This is an eﬃcient tool for newly designed stream ciphers for determining the number of initialization rounds. Thirdly, we improve Wang et al.’s relaxed term enumeration technique proposed in CRYPTO 2018 and extend their results on Kreyvium and ACORN by 1 and 13 rounds (reaching 892 and 763 rounds) with complexities 2 121 . 19 and 2 125 . 54 respectively. To our knowledge, our results are the current best key-recovery attacks on these two primitives.


Introduction
At CRYPTO 2018, Fu et al. proposed a new cube attack variant, referred to as the "IV-representation based cube attack" hereafter, and applied it to a key-recovery attack on 855-round Trivium [FWDM18]. According to [FWDM18], with the knowledge of particular key bits, the adversary can make a transformation to the first keystream bit satisfying: for the correct key guess, the transformed output bit has an algebraic degree much lower than the original one so that zero-sum properties can be detected using cube testers; for the wrong guess, the cube summation is a random 0/1. The degree of the (transformed) output bit is evaluated with an innovative method called "IV-representation". The reliability of such a method is based purely on Fu et al.'s implementation on a huge cluster along with what they referred to as "man-made work" [FWDM18]. But their implementation has no theoretically reliable proof or complexity analysis. In order to verify the correctness of their method, the authors of [FWDM18] propose a practical attack on 721-round Trivium claiming "This process can be executed in an hour in a PC... for wrong guesses, the result is 1 with probability 1 2 " as supportive material for their method. Recently, another group of researchers gives a detailed analysis of the IV-representation based cube attack method in [FWDM18] and has some astonishing findings [HJL + 18]. The first finding is that [FWDM18] is self-contradictive: according to actual experiments, the 721-round practical result itself is disproving their theories because, using their parameters, the cube summations are constantly zero for both correct and incorrect key guesses 1 . The second finding is that the precise evaluation of the superpoly degree for 855-round Trivium requires a memory complexity 2 70 , far beyond the practical reach, and further deliberate reduction may result in wrong evaluations. Based on such findings, [HJL + 18] makes a comment on the results in [FWDM18] as "questionable" 2 .
The lesson we should learn is that: a theoretically reliable key-recovery result should include 2 proofs: Proof 1 There is detectable non-randomness when the key guess is correct.
Proof 2 Randomness is verified when the key guess is wrong.
In fact, verification of random behavior if a key guess is wrong has been neglected in the past as well. In Dinur et al.'s dynamic cube attack on full Grain-128 [DGP + 11], the authors have exhausted the capacity of a FPGA cluster only to test the correct guess on 107 randomly chosen keys. Whereas, for wrong guesses, they were unable to provide strong evidence for the randomness property of cube summations. They simply believe that the success of the small-cube reduced-round simulations in [DS11] can simply transplanted to the case of full-round attack. The result is not so positive: according to [DGP + 11], even for the 107 correct guesses, they only find 8 of them having significant bias 3 . It remains to be a question whether for the 8 keys, the significant bias also exists when some of their 39 key bits are wrongly guessed. The absence of the wrong-key-guess discussion in [DGP + 11] is due to a lack of computational capacity and a theoretic method: there are 39 key bits to be guessed and each of the 2 39 − 1 wrong key guesses requires to run a cube tester of time complexity 2 50 + 50 · 2 49 ≈ 2 54.7 .
In this paper, we reveal that with the successful introduction of division property into the realm of cube attacks [TIHM17a, TIHM17b, WHT + 17, WHT + 18], new hopes appear for giving dynamic cube attacks having both Proof 1 and 2 even if the used cubes are very large. Related Works. Division property is a generalization of the integral property initially proposed by Todo at EUROCRYPT 2015 [Tod15b]. It has a solid algebraic foundation and theoretically provable propagation rules so as to be successfully applied to cryptanalysis of MISTY1 and SIMON32/SIMECK32 soon afterwards [Tod15a,TM16]. With division 1 The source code of [HJL + 18] is at https://github.com/peterhao89/Analyze721Trivium 2 In accordance with [HJL + 18], the authors of [FWDM18] have agreed that their data were incorrect [FWD + 18]. They also provide parameters different from those of [FWDM18] as a refinement to their practical result, but no further explanation has been given for the important theoretic result on 855-round Trivium [FWD + 18].
3 Quoted from [DGP + 11]: "by running a 50-dimensional cube tester for 107 random keys and discovering a very strong bias in about 7.5% of these key".
property, the propagation of the integral characteristics can be represented by the operations on a set of 0-1 vectors identifying the bit positions with the zero-sum property. At ASIACRYPT 2016, Xiang et al. [XZBL16] draw a link between division property and the MILP model 4 : an entry of the 0-1 vectors, referred to as the division property value of the state bit hereafter, is equivalent to a binary variable in the MILP model; the propagation rules can be described as linear constraints imposed on the variables. Thanks to Xiang et al., the memory consuming division property propagation has become an efficient MILP model solving process using existing highly efficient MILP solvers like Gurobi [GRB], which largely stimulates the application of division property to block cipher cryptanalysis for finding better integral characteristics [SWW16, SWW17, FTIM17, WGR18, WHG + 18, HW19]. It was not until CRYPTO 2017 that the division property was introduced into the realm of cube attacks on stream ciphers [TIHM17a,TIHM17b].
Cube attack (as well as its distinguisher variant cube testers [ADMS09]), introduced by Dinur and Shamir [DS09] in the year 2009, has become a general tool for evaluating cryptographic primitives. It is usually regarded as a generalization of the chosen IV statistical attack on stream ciphers [Saa06,FKM08,EJT07] or a combination of higher order differential cryptanalysis and AIDA [Vie07]. Same with the setting of integral attacks, the cube attack also considers the situation when some input bits are active (cube IVs) while others being constants (non-cube IVs), and check the non-random property in the summation of an output bit. But the non-randomness of cube summations is not restricted to the zero-sum property. As is proved in [DS09], the cube summation is equal to a boolean function called the "superpoly" whose algebraic normal form (ANF) is a polynomial of key bits and noncube IV bits. In addition to constant 0, cube attacks and testers can also cultivate other non-randomness of superpolies such as constantness, neutrality, linearity, bias, etc., and have been successfully applied to all kinds of cryptographic primitives, including stream ciphers [TIHM17a, ADMS09, DS11, FV13, SBD + 16, LYWL18, KMN10,SMB17], hash functions [DMP + 15, HWX + 17, LBDW17] and authenticated encryption [LDW17,DLWQ17].
Among all such results, Todo et al.'s cube attack [TIHM17a] stands out as it draws a link between the division property and the key bits involved in the superpolies. Therefore, theoretic key recoveries can be achieved when only very few key bits are involved in the ANF of the superpolies, resulting in improved cryptanalysis results on several primitives namely Trivium, Acorn, Grain-128a and Kreyvium [TIHM17a,TIHM17b]. Recently at CRYPTO 2018, Wang et al. [WHT + 17, WHT + 18] have further improved the division property based cube attack by introducing the flag technique and the degree evaluation: the former takes the effect of constant 0-1 bits into MILP models for identifying proper non-cube IV assignments; the latter draws the highly qualified upper bounds to the algebraic degrees of the superpolies so as to further lower the complexities. Motivations. Among various non-randomness utilized by cube attacks and testers, the bias phenomenon is the most popular one. There are cube testers based on bias and such bias testers are widely used to various stream ciphers [KMN10,SMB17,LLW15]. As to key recoveries, in addition to Dinur et al.'s dynamic cube attack [DS11], the correlation cube attack [LYWL18] also relies on biases in cube summations. However, once the non-randomness in Proof 1 refers to the bias phenomenon, Proof 2 corresponds to the absence or insignificance of biases for the wrong key guesses. Again, the division property method might be a promising tool for achieving this goal. Our Contributions. We first draw links between the bias phenomenon and the division property. We find that the bias of a superpoly is closely related to a particular algebraic structure referred to as "split set". We prove that the minimal split set can draw lower bounds on the bias in superpolies. And we provide a heuristic algorithm with the advanced and Plantlet [MAM16]) against both zero-sum and bias cube testers. We find that for Grain-128, 254 rounds are enough for resisting zero-sum cube tester but, to resist bias testers, the initialization round number should increase to 265. On the contrary, the bounds for the other 3 primitives are 190, 82 and 138 respectively, far below their initialization round numbers. This indicates that our method can also be used as a useful tool in the design process of stream ciphers for identifying proper initialization round numbers.
3. We improve the current best key-recovery attack on Kreyvium [CCF + 16] and Acorn [Wu16] by 1 and 13 rounds with complexities 2 121.19 and 2 125.54 respectively. The method of this attack is the same as that of [WHT + 18] but our new MILP modeling technique enables us to cultivate more information from the superpoly in order to lower the complexities even further. As can be seen in Table 2, our results are the current best cube attacks on these two primitives. Since all our results are affected by the accuracy of the division property, we check the feasibility of all our results with the current most accurate division property method in [YT19], proving that the problems reported in [YT19] do not occur in our results. All our results, no matter theoretic deductions using MILP-aided division property or practical verifications, are equipped with C++ source codes in the supplementary materials for double-check 6 . Organization. Section 2 provides a brief description of the division property and the dynamic cube attack method in [DGP + 11]. Section 3 formalizes the Proof 1 and 2 used in our dynamic cube attack. Section 4 gives a theoretical explanation to the bias phenomenon and introduce the concept of a minimal split set. It also presents the general idea of our split-set-based bias evaluation technique. Section 5 illustrates the division property based MILP model construction process for dynamic cube attacks, and shows how such new techniques can be used to find highly qualified split sets and cubes. Section 6 introduces the main procedure of our dynamic cube attack on full 256-round Grain-128. Section 7 discusses rationalities as well as limitations of our new techniques and compare our dynamic cube attack with Dinur et al.'s in detail. It also points out some promising directions for improvements. In Section 8, our theories are additionally applied for drawing secure bounds of Grain-like ciphers against bias testers, and improved cube attacks on Kreyvium and Acorn. Finally, we conclude the paper in Section 9.

Preliminaries
We first introduce the common notations frequently used in this paper: • The small letters n and m are positive integers. The ith bit of a positive integer n is denoted as n [i]. The boolean field is denoted as F 2 . Its n-dimensional vector space is F n 2 . We commonly use small letters to represent a single element and capital letters for sets. For a set S, we denote its size as |S|. We denote the complexity and success probability of an attack as Comp and P S respectively. The integer set {i, . . . , n − 1} is presented as [i, n) for short. For the subset J ⊆ [0, n), we denote its complementary set asJ. Let x 0 , . . . , x n−1 be n variables, then, for a set J ⊆ [0, n), the corresponding set of variables is x J := {x j : j ∈ J}.
• An n-dimensional vector is denoted as x = (x 0 , . . . , x n−1 ). Its ith entry (i = 0, . . . , n − 1) is referred to as x[i] = x i . Furthermore, for a set J ⊆ [0, n), we define the corresponding vector k J ∈ F n 2 s.t. k J [j] = 1 for j ∈ J and k J [j] = 0 for j ∈J. For two n-dimensional boolean vectors x = (x 0 , . . . , x n−1 ) and k = (k 0 , . . . , k n−1 ) ∈ F n 2 , there is an operation x k = n−1 i=0 x ki i . For example, let x [0,n) in x be n boolean variables, then any polynomial p on the ring F 2 [x [0,n) ] can be represented as (1) Furthermore, we denote e i ∈ F n 2 for i ∈ [0, n) as the n unit vectors ( e i [i] = 1 and e i [j] = 0 for j = i) while 1 and 0 are vectors with all entries being 1 and 0 respectively.
• The algebraic degree of a polynomial p is represented as deg(p). Specifically, if p is constant 0 or 1, we have deg(0) = −1 and deg(1) = 0.
• is the concatenation such as x a = (x 0 , . . . , x n−1 , a). + in a boolean polynomial refers to the XOR operation on bits. ∧ is the bitwise AND of two n-dimensional binary vestors: We can also define its objective function as M.obj = max{x 1 + x 2 }. We solve the model and find M.optimize() = 1 along with a proper assignment x 0 = 0, x 1 = 1, x 2 = 1.

The Theoretic Basis of Cube Related Cryptanalysis Methods
where the monomials of q( x, v) miss at least one variable from v I while p( x, v) is the socalled superpoly [DS09] and is on the polynomial ring F 2 [x [0,n) , vĪ ]. Following [WHT + 18], we refer the indices in I as "cube indices", the variables in v I as cube IV and those of vĪ as non-cube IV. Since the superpoly p in (2) is only related to key bits and non-cube IVs, according to (1), we can represent the ANF of p as Arbitrary binary vector IV ∈ F m 2 corresponds to a specific assignment to non-cube IVs. With I and IV , we can define a structure called "cube", denoted as C I ( IV ), consisting of 2 |I| vectors from F m 2 : As is proved in [DS09], the ANF of the superpoly p corresponding to the non-cube IV assignment IV can be computed by summing the output bit over the cube C I ( IV ) as: Since C I is defined according to I, we may also refer I as the "cube" without causing ambiguities and the size |I|, is referred to as the "dimension" of the cube. All cube related cryptanalysis methods are utilizing the non-random properties of the superpoly p IV in (4) (for some IV ). The cube attacks on Keccak [DMP + 15, HWX + 17, LBDW17,DLWQ17] and Ascon [LDW17] are utilizing the zero-sum property (p IV ( x) ≡ 0) The original cube attack in [DS09] can recover secret key bits when p IV ( x) is linear (deg(p IV ) = 1). Todo The dynamic cube attacks [DGP + 11, DS11] as well as the cube testers in [ADH + 09] on Grain-128 utilize a quite different property called "bias": for random x ∈ F n 2 and particular IV (usually IV = 0 [DS11]), the values of p IV ( x) have a bias > 0 towards 0: When is big enough, it can be used for either distinguishing the correct key guesses from the wrong ones [DGP + 11, DS11] or distinguishing the Grain-128 keystreams from truly random bitstreams [ADH + 09]. We'll briefly introduce the procedures of Dinur et al.'s dynamic cube attack in Section 2.5.

Bit-Based Division Property and its MILP Representation
The division property based cube attacks in [TIHM17a, WHT + 18] use the bit-based division property first introduced in [TM16]. Its definition is as the following Definition 1: Definition 1 (Bit-Based Division Property [TM16]). Let X be a multiset whose elements take a value of F n 2 . Let K be a set whose elements take an n-dimensional bit vector. When the multiset X has the division property K, it fulfils the following conditions: According to Definition 1, the division property of multiset X ⊆ F n 2 is grasped by the set K ⊆ F n 2 . For a input multiset X with division property K, when the basic bitwise operations COPY, XOR, AND are applied to all the elements in X and acquire X , the division property of X , denoted by K , can be deduced following the propagation rules copy, xor, and proved in [Tod15b,TM16]. Specifically, let I ⊆ [0, n) be the set containing all the indices of active IV bits; the 2 |I| initial states compose a set X 0 with division property K 0 = { k I }. Since the round functions of all cryptographic primitives can be represented as the combinations of the three basic operations, the division property propagation for an R-round encryption can be evaluated as If e i / ∈ K R for some i ∈ [0, n), we know the ith bit of the ciphertext has zero-sum property; otherwise, the summation of the ith bit is unknown. But the sizes of K r (r ∈ [R) expand exponentially to O(2 n ) consuming huge memory resources [TM16]. So Xiang et al.
proposed the MILP modeling method and solved the memory crisis [XZBL16]. They first transform the set operations in (7) into a vector propagation, referred to as the "division trail", as follows: Definition 2 (Division Trail [XZBL16]). Consider the division propagation in (7), for any vector Xiang et al. also prove that all division trails can be covered by a MILP model M: all entries in k i (i ∈ [R)) are binary variables in M.var; the propagation rules copy, xor, and are equivalent to linear constraints in M.con; to check whether e j / ∈ K R , we need to impose constraints M.con ← e j = k R and call M.optimize(): if it returns 1, we know e j ∈ K R , the summation of the jth bit is unknown; otherwise, e j / ∈ K R and the jth bit has zero-sum property. The model solving completely relies on the highly efficient MILP solver like Gurobi [GRB]. Some simplifications have been made to the MILP descriptions of copy, xor, and [SWW16,TIHM17a] in order to reduce the workload of the solvers.

The Division Property Based Cube Attacks
In the context of cube attacks, the following structure of a stream cipher is assumed. The n-bit key x and m-bit IV v are first used to initialize a large register s 0 of length l > m + n containing key, IV and constant 0/1 bits as s 0 = k v c. Then, the stream cipher starts an R-round initialization phase and acquires s 1 , . . . , s R by iteratively calling the updating function Therefore Based on Proposition 1, they let j traverse [0, n) and decide a key index set J ⊆ [0, n) s.t. the superpoly p IV of I can only be a function of key bits x J [TIHM17a]. They prove that for proper IV making p IV ≡ 0, the whole truth table can be constructed offline with complexity 2 |I|+|J| with which 1 key bit can be recovered online with a cube summation and a table lookup. Proposition 2 enables the adversaries to draw upper bound for the algebraic degree of p IV : they can find an integer d ≥ 0 s.t. deg(p IV ) ≤ d. With such an upper bound d, the complexity decreases from 2 |I|+|J| to no more than 2 |I| · |J| ≤d (5). For t = 1, . . . , d, Proposition 2 also enables to find a set J t ⊆ [0, n) t corresponding to all t-degree monomial terms possibly appearing in p IV (Note: J 1 = J as is explained in [WHT + 18]). Considering that the determining J t is too time consuming for Gurobi, Wang et al. also proposed a relaxed version that determines a relaxed setJ t ⊆ [0, n) s.t. J t ⊆ J t t ⊆ [0, n) t and the complexities of some key-recovery attacks can be further reduced to (8) according to [WHT + 18]: Note that in [WHT + 18],J t ⊇J t+1 for t = 1, . . . , d − 1: indicating that key bits involved in nonlinear parts should always be assumed to appear in the linear parts. We remove such restriction in Section 8.2 and acquire improved key-recovery results.
Besides degree evaluation and term enumeration, Wang et al. also find that some division trails are impossible when specific constant 0/1 bits are involved. So they introduce the "flag technique" for finding proper IV 's [WHT + 17, WHT + 18]. According to [WHT + 18], the division property of arbitrary bit s has 2 parameters s.val and s.F : • s.val ∈ M.var is the division property value as before so it is permanently binary variables taking values either 0 or 1.
• s.F ∈ {0 c , 1 c , δ} is the "flag" value where 0 c , 1 c , δ specifies whether the state bit is constant 0, constant 1 or variable (active IV, unknown key bits, cube IV's or non-cube IV bits with arbitrary value are all corresponding to flag value δ).
The flag value helps to track the constant bits and control the division property propagations.
Corresponding to the bitwise EQUAL, XOR and AND operations, the flag values 0 c , 1 c , δ has =, ⊕ and × operations. The = operation is naturally 1 c = 1 c , 0 c = 0 c and δ = δ. The ⊕ and × operations follow the rules: for arbitrary x ∈ {1 c , 0 c , δ}. We refer to such a structure s with both division property value and flag value as "DP structure" hereafter and its propagation rules corresponding to the COPY, XOR and AND operations have become copyf, xorf, andf described as Proposition 3, 4 and 5 respectively. With the DP structure and its propagation rules, the degree evaluation (DegEval), term enumeration (TermEnum) and its relaxed version (RTermEnum) are uniformly described in the framework in Algorithm 1 where we add an additional parameter "etc.", because additional parameters are required for such models to describe the dynamic cube attacks in [DGP + 11] as well as our new methods. It is also noticeable that when, DegEval returns 0, it only proves that the superpoly is a constant (either 0 or 1). This is a constant-sum property and can also serve as a cube tester [ADMS09]. If DegEval returns −1, we can fully convince that the cube has a zero-sum property (a special case of the constant-sum property) because its superpoly is constant 0 according to Definition 1. Such a denotation of constant 0 is in accordance with the definition of deg(·) at the beginning of Section 2. As distinguishers, both the constant-sum and zero-sum can be used for identifying the correct key guesses. But, since all the cubes used in our dynamic attacks have the zero-sum property (DegEval returns -1) for the correct key guess, we only use the term zero-sum hereafter. The specific effectiveness of utilizing 0, rather than 1, biasing property has already been noticed by Dinur et al..
We denote this process as We denote this process as (M, b) ← xorf(M, a 1 , . . . , a m ).

Proposition 5 (MILP Model for AND with Flag [WHT
val be a division trail of AND. Its DP structure propagation rule andf is: We denote this process as

2:
Declare an empty MILP model M.

3:
Declare kx, kv as the DP structures for key and IV bits and assign their division property values and flag values according to I, IV etc. Denote the procedure as ( kx, kv) ← IniDP(M, I, IV , R, etc.).
Declare an empty MILP model M.

4:
Declare kx, kv as the division properties of key and IV bits and assign their division property values and flag values according to I, IV etc.

The Accuracy of the Division Property based Cube Attacks
The division property can prove the zero-sum property of cubes theoretically. When division trails show the superpoly non-constant, it is a function of key bits with high probability. But such a probability is not 100% in some cases even with the flag technique [WHT + 18]. The reason is obvious: the division property itself cannot handle the effect of monomial cancellation (such as x 1 x 2 + x 1 x 2 = 0). The theoretic remedy has already been proposed in [TM16] referred to as the bit-based division property with three subsets (BDPTS). But the implementation is far beyond practical reach since it requires to enumerate almost all division trails. The issue of accuracy is discussed extensively recently [WHG + 18, YT19, WHG + 19, HW19]. Various compromises are given and the general frameworks for R-round stream ciphers can all be summarized as follows: The whole cipher is split into 2 stages: the 0 → R m stage is accurately evaluated either using BDPS [WHG + 18] or precise ANF deductions [YT19]. Then, all division trails in R m → R are enumerated in a conventional manner and the validity of each trail is checked according to the accurately deduced information in 0 → R m . In this way, the cancellation effects in 0 → R m is handled so that the accuracy is improved. The limitations are also obvious: 1. Rm cannot be large; 2. The trails within Rm → R should be very few, suitable for practical evaluations.

The cancellation effects in
The most significant finding is that, for some key-recovery attacks on Trivium, there is only 1 division trail within R m → R and such a division trail cannot add key bits to the superpolies according to their analysis to the ANFs of the intermediate state bits at round R m [YT19]. We are to use the ANF deduction method in [YT19] for double-check our results.

Brief Introduction to Dinur et al.'s Dynamic Cube Attacks
In this part, we briefly introduce Dinur et al.'s dynamic cube attack on full Grain-128 [DGP + 11]. In a cryptographic primitive with n key bits x = (x 0 , . . . , x n−1 ) and m public IV bits v = (v 0 , . . . , v m−1 ), the ANFs of its arbitrary bit can be regarded as a polynomial f ( x, v) as follows:  and s r i is therefore nullified for s r i = s r i ( x, v) = 0. The expression f is referred to as dynamic value and the ith IV bit is referred to as the dynamic IV. If there are multiple crucial bits s r1 i1 , . . . , s rt it (we constantly assume r 1 ≤ . . . ≤ r t hereafter) to be nullified, we also start from the same v and repeat the procedure t times: acquire v 1 , . . . , v t by recursively replacing l 1 −th, . . . , l t −th IV bits with the corresponding dynamic values f 1 , . . . , f t . Let v := v t , we know s r1 i1 , . . . , s rt it are successfully nullified. As can be seen, the dynamic values can be uniquely decided by the pairs N S = {(l 1 , s r1  i1 ), . . . , (l t , s rt it )}, so we refer to the set N S as the "nullification strategy" hereafter. The combination of (N S , I, IV ) can decide particular key bits that need to be guessed for assignment to dynamic values. The correct key guess is supposed to be uniquely identified using cube testers dedicated for particular non-randomness (such as bias phenomenon in [DGP + 11]) in cube summations.

Formalize Proof 1 and 2 in Dynamic Cube Attacks
With the nullification strategy N S defined in Section 2.5 along with cube I and non-cube IV assignment IV , we can deduce the ANF of the dynamic values f 1 , . . . , f t ∈ F 2 [x [0,n) , v I ] for assigning the IV bits at positions l 1 , . . . , l t during cube summations. Detailed analysis to f 1 , . . . , f t enables us to determine the to-be-guessed key bits for computing dynamic values. We denote to-be-guessed key bits as G = (g 0 , . . . , . Such G is determined with the method in [HJL + 18] making sure that only the correct key guess can nullify all targeted intermediate state bits. We also follow [HJL + 18] and denote the ANF vectors of the 2 κ possible key guesses as G 0 , . . . , for w ∈ [0, 2 κ ) and j ∈ [0, κ). Apparently, w = 0 is the correct key guess. We also specify w = 1 as the particular key guess s.t. s rt it = 1 and all targeted intermediate state bits are successfully nullified.
In dynamic cube attacks, the correct key guess G 0 is supposed to be identified using cube summations over several different qualified cube I's dedicated for detecting the bias phenomenon in Definition 3. Such a definition corresponds to the simple fact that the truth table of the boolean polynomial p IV ( x) contains more 0 than 1 entries.

Definition 3. (General Bias Phenomenon In Cube Summations)
Let p IV ( x) be the superpoly of cube I with non-cube IVs assigned to IV . The bias phenomenon is that the cube summation over C I ( IV ) has higher probability of being 0 than 1 for randomly chosen key x: Pr The parameter is referred to as "bias", measuring the significance of the bias phenomenon. Specifically, zero-sum property is also a bias phenomenon with = 2 −1 ; if = 0, the summation is random 0-1 without bias.
In dynamic cube attacks, different key guesses w ∈ [0, 2 κ ) result in different superpolies p w IV ( x) in the 1st output bit with different biases w . A qualified cube I should detect a bias phenomenon satisfying both Proof 1 and 2 for distinguishing the correct key guess from the wrong ones. Therefore, we let w be the bias of key guess w ∈ [0, 2 κ ), Dinur et al.'s bias phenomenon in [DGP + 11] can be formalized as Definition 4.
They find 51 qualified cube I's of dimension 49 or 50. For verifying Proof 1, they randomly picked 107 keys and, under the correct key guess w = 0, there are 8 of them have more than 50 zero-summations, indicating 0 < 0 < 2 −1 . Although 0 > 0 seems rational, a success probability of 8/107 ≈ 7.5% is far from good. Even for the 8 keys with significant bias, Fu et al.'s lesson is still reminding us that there is a possibility that such non-randomness remains for wrong guesses [FWDM18, HJL + 18]. Proof 2 is only an idealized wrong-key assumption whose rationality deserves further discussions.
In our dynamic cube attack on full Grain-128 in Section 6, we are going to use large cube I's of dimension 90 satisfying: for correct key guess, the cubes have zero-sum property ( = 2 −1 ), a non-randomness provable with division property; for wrong guesses w ∈ [1, 2 κ ), the cube summations will result in superpoly p w IV 's of extremely high algebraic degrees. Furthermore, we proposed division property based methods for evaluating the corresponding biases w . Therefore, we can formalize our bias phenomenon with Proof 1 and 2 as Definition 5.

Definition 5. (Bias Phenomenon for Our Dynamic Cube Attacks)
Proof 1 For the correct key guess, there is zero-sum property: 0 = 2 −1 .
Our evaluation of [1,2 κ ) indicates that the Proof 2 in Definition 4 doesn't hold for Grain-128. The last bit s rt it can be nullified only if all other state bits have been nullified before hand. Therefore, if 1 bit involved in s r1 i1 is wrongly guessed, the nullification of many other state bits will fail even if all other κ − 1 key bits are correctly guessed. In this situation, the bias can be very small. On contrary, for w = 1, all other state bits will be nullified and the only not nullified bit s rt it will be constant 1, also of extremely low algebraic degree. In such a situation, the corresponding bias 1 can be quite significant, approaching 0 . Therefore, we will regard an attack as successful if there is a theoretically evaluatable success probability of distinguishing the correct key guess G 0 with key guess G 1 . In other words, in the remainder of this paper, we regard w = 1 as the representation of wrong key guesses for theoretic evaluations.

Evaluating the Bias Phenomenon
The theoretic evaluation of the bias phenomenon (Definition 5) requires a quantitative measurement to the in (6). Let F n 2 be the key space of x in (6). We first introduce a method for dividing F n 2 into a weak-key class and its complement so that the bias in (6) can be computed directly. Then, the concept of "split set" is introduced to identify a specific kind of weak-key classes so that the bias evaluation can be largely simplified based on a hypothesis. A method for constructing split sets heuristically is also introduced utilizing some algebraic properties of the superpolies.

Divide the Key Space with a Weak-Key Class
We suppose that the whole key space F n 2 can be divided into a weak-key class W and its complement W s.t.: for x ∈ W , the superpoly p IV (x) is constant 0; otherwise, for randomly chosen x ∈ W , p IV (x) is randomly 0 or 1. Such a weak-key-W -division can be summarized as (13) as follows: With such a weak-key class W , we can easily prove Proposition 6.
Proposition 6. For the superpoly p IV ( x) as defined in (4) and with key space F n 2 divided by a weak-key class W satisfying (13), the bias in (6) can be quantitatively measured as = |W |/2 n+1 where |W | is the size of W .
Proof. Since the key space is F n 2 , we know the complement |W | = 2 n − |W |. With the knowledge of (13), (6) can be computed as which completes the proof.

The Bias Evaluation using the Split Set
Let Λ = {i 1 , . . . , i λ } ⊆ [0, n) be an index set. We can refer such a subset as the "split set" if it can define a specific weak-key class W Λ of size 2 n−|Λ| as follows:

Definition 6. (Split Set)
The superpoly p IV is of the same setting as (4). We let Λ be an index set s.t. Λ ⊆ [0, n). It defines a key class W Λ ⊂ F n 2 as follows: Such Λ is referred to as a "split set" if the superpoly p IV ( x) in Definition 5 satisfies The split sets with the smallest size are of specific importance for evaluating the bias phenomenon so we define them as the minimal split set in Definition 7.

Definition 7. (Minimal Split Set)
Let Λ be a split set satisfying Definition 6. We call this Λ a minimal split set if, for all Λ with size |Λ | < |Λ| and the corresponding weak-key class W Λ defined as (14), there is p IV ( x) ≡ 0 for x ∈ W Λ . Definition 6 and 7 only guarantee half of (13). To make an evaluation to the bias, we make a further hypothesis that, for a minimal split set Λ, the weak-key class W Λ satisfies the whole (13) as Assumption 1.
With Assumption 1, the bias of p IV ( x) can be directly acquired using Proposition 6, which is formalized as Corollary 1.
Our theoretical deductions are mostly based on Assumption 1 and Corollary 1. In fact, we will see in Example 3 of Section 6 that the evaluation in Corollary 1 is more of a lower bound. The reason is quite simple. For a superpoly p IV , the minimal split set Λ is not necessarily unique. As a result, one minimal split set only can capture the largest zero-sum keys while the rest of the key-space may still contain weak-key x's corresponding to other split sets s.t. p IV ( x) = 0. Therefore, for one minimal split set Λ, there should be more x ∈ W Λ making p IV ( x) = 0 than those making p IV ( x) = 1. Their rationalities for using such Assumption 1 and Corollary 1 on Grain-128 will be discussed in detail in Section 7.

Algebraic Properties of Superpolies
The division property method given by Wang et al. in [WHT + 18] exploits the algebraic degree of the superpoly p IV ( x). Therefore, we introduce a (heuristic) method for finding a split set Λ utilizing similar algebraic properties so that Wang et al.'s method can be applied directly.
As a polynomial over the ring F 2 [x [0,n) ], the superpoly p IV ( x) can be split into subpolynomials over subrings according to an arbitrary set Λ = {i 1 , . . . , i λ } ⊆ [0, n). With such Λ, the corresponding vector k Λ ∈ F n 2 has divided the space F n 2 into 2 parts: Following (1), the ANF of the superpoly p IV ( x) can be represented as (17).
where (17) is further restricted to a split set, we know p Λ ≡ 0 according to Definition 6 and f Λ = p IV accordingly. In order to utilize Assumption 1 and Corollary 1 for bias evaluations, we need to construct a split set with size as small as possible. So we propose a heuristic split set construction method as follows.

Heuristic Construction of Split Sets
If p IV ( x) itself is constant 0 (deg(p IV ) = −1), we can simply conclude that the empty set Λ = φ is the minimal split set. If p IV ( x) ≡ 1 (deg(p IV ) = −1), it cannot have a split set. For non-constant p IV ( x) (deg(p IV ) ≥ 1), our heuristic method start from an empty set Λ = φ and construct the final split set gradually by adding the most promising element to the current Λ.
Such a heuristic split set construction algorithm can be carried out easily using Wang et al.'s division property based degree evaluation technique in [WHT + 18]. The generated Λ satisfies Definition 6. Furthermore, such Λ is usually of small size and quite likely to be a minimal split set as Definition 7: enabling use to provide theoretically evaluated success probabilities based on Assumption 1 and Corollary 1. Like all heuristic algorithms, our method has its limitation: it is possible that the heuristically generated Λ may not be minimal. Our method can only exhaust all Λ's of size 1 so the result may not be optimal especially for the superpolies having much larger sized minimal split sets. So, in most cases, the Λ's constructed by our heuristic algorithm can only provide an approximation to the bias provided by the minimal split set in Corollary 1. Fortunately, as can be seen in Section 6, all the cubes used in our attacks have very small sized minimal split sets making our heuristic method applicable to Grain-128. We will detail the limitation of our heuristic method as well as the feasibility of our dynamic cube attack in Section 7.2. The idea and limitation of our Λ-construction algorithm are demonstrated in the following Example 1.
Note that Example 1 is only a toy case showing the limitation of the heuristic split set construction technique. So we use simple p IV involving very few key bits. In the case of Grain-128, p IV 's are extremely complicated: having high algebraic degree over 39 and involving almost all 128 key bits. The heuristic method can still construct Λ of size 2 or 3 but the corresponding p Λ1 , p Λ2 will become much more complicated polynomials. Therefore, in the case of our dynamic cube attack on Grain-128, it is rational to assume that, for randomly chosen x, which is not in the weak-key class captured by the minimal split set, the probability for a p Λj ( x) being 0 or 1 is approximately 2 −1 .

Division Property Description of Dynamic Cube Attacks
In this section, we introduce the division property description of the dynamic cube attack. According to Section 2.5, the nullification strategy N S = {(l 1 , s r1 i1 ), . . . , (l t , s rt it )} affects both the initial DP structure k x , k v and the DP structures k r1 [i 1 ], . . . , k rt [i t ] corresponding to the nullified state bits s r1 i1 , . . . , s rt it .

The ModelConstruct and InitDP for Dynamic Cube Attacks
The init k x , k v is affected because the IVs v[l j ] are to be changed from v lj to a polynomial f w j ∈ F 2 [x [0,n) , v I ] decided by N S and the key guess G w (j = 1, . . . , t, w ∈ [0, 2 κ )). Each polynomial f j can be regarded as a summation of monomials composed of variables x [0,n) , v I . We encode each monomial (including constant 1's) into a numeric sequence as follows: xi 1 xi 2 · · · xi s vj 1 vj 2 · · · vj t → (i1, i2, . . . , is, n + j1, n + j2, . . . , n + jt) , we can construct the set S f containing all the numeric sequences corresponding to all the monomials of f : . . . , is, n + j1, . . . , n + jt) : For the wrong guesses G w (w ∈ [1, 2 κ )), the corresponding ANF of the dynamic values will become f w Algorithm 2 The division property of initial key and IV bits.

2:
Declare the DP structures k 0 x , k 0 v of lengths n and m respectively.

6:
According to N S and w, deduce the ANFs of the dynamic values f w 1 , . . . , f w t .

12: end procedure
With the nullification strategy N S and integer w ∈ [0, 2 κ ) identifying key guess G w along with the split set Λ defined in Definition 6, the procedure ( k x , k v ) ← IniDP(M, I, IV , R, etc.) used in DegEval in Algorithm 1 can now be specified as Algorithm 2. The subroutine PolyDiv is defined in Algorithm 3, handling the DP structure of 1 dynamic value. The

Selecting Qualified Cubes for Dynamic Cube Attacks
With such division-property-based tools, we can theoretically analyze a dynamic cube attack for not only Proof 1 but also Proof 2 in Definition 5. Proof 1 specifies the zero-sum property ( 0 = 2 −1 ). Such a property can be checked by the degree evaluation technique as −1 = d 0 = DegEval(I, IV , N S , w = 0). Proof 2 indicates that p w IV ( x) = 0 for w = 1 Algorithm 3 Evaluate the division property of a polynomial encoded as S f .

2:
Initialize an empty set T .

5:
Add o in T .

3:
Initialize an empty set P .

2:
Initialize the division property of the initial state as k 0 according to kx, kv.
13: end procedure so the degree evaluation should return 0 < d 1 = DegEval(I, IV , N S , w = 1). Proof 2 also requires that p 1 IV ( x) has insignificant bias phenomenon: 1 < 2 −1 . According to Section 4, we need to find the minimum split set Λ for p 1 IV ( x). Therefore, we realize the heuristic Λ-construction method in Section 4.4 as DeteLam defined in Algorithm 5. Note that DeteLam use IniDP as the subroutine. The additional parameter Λ of Algorithm 5 only affects IniDP in Algorithm 2 by replacing the statements colored in blue with the corresponding comments.
The algebraic degrees in (18) are evaluated with Wang et al.'s division property based algorithm DegEval. Such DegEval is defined in Algorithm 1 and its subroutines IniDP, ModelConstruct are defined as Algorithm 2 and 4 respectively. Therefore, with a predefined nullification strategy N S and non-cube IV assignment to IV , a qualified cube I suitable for dynamic cube attacks can be constructed as follows: 1. Randomly construct a high-dimensional cube I ⊆ [0, m)\{l1, . . . , lt}.
3. If d0 = −1 and d1 > 0, keep such I as a qualified cube and go to Step 4; otherwise, go back Algorithm 5 A heuristic construction of the split set Λ.
The good cubes should be the ones satisfying d 0 = 0 d 1 and Λ > 1, indicating that the superpoly p 1 IV corresponding to the wrong guess w = 1 is a high-degree polynomial rather than constant 0 and the bias of wrong guess is smaller than 2 −2 . If we are able to find sufficiently many such cube I's, such a collection of cubes makes up a cube tester available for launching dynamic cube attacks. This is exactly the kind of cube we use in our attack on full Grain-128 in Section 6.

Dynamic Cube Attack on Full Grain-128 with Theoretic
Evidence for Both Proof 1 and 2 The specification of Grain-128 is described in Appendix A. More details can be seen in [HJMM06] In accordance to [DGP + 11], the bits in LFSR (NFSR) are denoted as s 0 , s 1 , . . . (b 0 , b 1 , . . .). For full Grain-128, the 1st output bit is computed after 256 initialization rounds so the keystream bits are z 256 , z 257 , . . .. The corresponding division property propagation is described by the MILP models in Appendix B. The 1st and most important step of the dynamic cube attack is setting the nullification strategy N S , determining which intermediate state bit is nullified and how. In [DGP + 11], Dinur et al.'s terminal goal is to nullify b 203 . But the ANF of b 203 is too complicated involving too many key bits to be guessed. Therefore, they nullify other intermediate state bits to simplify b 203 . At last, their nullification strategy contains 13 pairs requiring to guess κ = 39 key bits. They use 51 I's consisting of one 50-dimensional cube along with its 49-dimensional sub-cubes. According to [DGP + 11], for the correct key guess G 0 , more than 50 out of the 51 cubes can have zero-sum property with probability 8/107 ≈ 7.5%. But the bias of wrong key guesses is never tested, so whether 0 max{0, [1,2 39 ) } is unknown.
In comparison, our N S is quite simple only containing 1 pair: N S = {(l 1 , b 158 )}. We find that when b 158 is nullified by setting IV bits at position l 1 = 30 or l 1 = 90 to dynamic values, the superpoly of the cube summations over I = [0, n)\{30} (or I = [0, n)\{90}) at round 256 is constant. Another good news is that the dynamic values for the two l 1 's share the same key guesses only involving κ = 3 bits, since the ANFs of the two dynamic values are as follows: where g 0 is a polynomial of key bits: So the correct key guess should be defined as G 0 = (g 0 , x 42 , x 125 ). Furthermore, when the wrong guess number w = 1 ( G 1 [0] is wrongly guessed as g 0 + 1, x 42 and x 125 are correctly guessed), we have b 1 158 ≡ 1. For w > 1, the corresponding ANF b w 158 's are even more complicated. Therefore, we run the procedure in Section 5.2 and find some qualified cubes of dimension 90, denoted as I 1 , . . . , I 29 in Table 3. As can be seen, such cubes not only have large d 1 's (d 1 ≥ 39 > d 0 = 0) but split sets of size |Λ| ≥ 2 as well. This indicates that for wrong guesses w ∈ [1, 2 κ ), the superpoly p w IV ( x) is a polynomial of degree deg(p IV ) ≥ 39 and, if Assumption 1 holds, the bias can be evaluated as w ∈ [2 −4 , 2 −3 ] according to Corollary 1. Such Λ's are to be used to theoretically evaluate the success probability, denoted as P T P S , of our dynamic cube attacks. The procedure of our dynamic cube attack is quite simple. For the 29 90-dimensional cubes in Table 3, we select N of them, denoted as I i1 , . . . , I i N (1 ≤ i 1 < · · · < i N ≤ 29), and do the following steps: 1. Guess g 0 , x 42 and x 125 .
3. If any of the N summations is non-zero, the key guess is wrong; otherwise, keep the key guess as a correct key guess candidate.

Complexity and Success Probabilities
The time and data complexities of the attack are both Comp = 2 3 · N · 2 90 = N · 2 93 . The memory complexity is only 2 3 counters of log N bits, which is negligible. Since the correct key guess makes sure N 0-summations, evaluating the success probability P S is equivalent to evaluating the probability for a wrong key guess to generate N zero summations. In Dinur et al.'s idealized setting in Definition 4, [1,2 κ ) = 0 so the probability of having N 0-summations is 2 −N and such idealized success probability can be easily evaluated as P ideal S = 1 − 2 −N which is demonstrated in the 2nd line of Table 4. On the other hand, our evaluation of P S takes the split set Λ into account. We use the worst case [1,2 κ ) = 2 −3 , so our theoretically evaluated success probability, based on Assumption 1 and Corollary 1, is P T P S = 1 − (5/8) N when N which is demonstrated in the 3rd line of Table 4. Practical Verifications We verify the correctness of our method with practically computable cube I's for round reduced Grain-128. Following the procedure in Section 4.4, we acquire the cube I's satisfying d 0 = 0, d 1 > 0 but with split set Λ of different sizes by calling Algorithm 5. Then, for key guess w = 0 and w = 1, we practically evaluate the corresponding biases 0 , 1 respectively with sufficiently many random keys. We find that the zero-sum property 0 = 2 −1 is satisfied whenever d 0 = 0. But Dinur et al.'s wrong-key hypothesis 1 = 0 (Proof 2 of Definition 4) is incorrect. We present Example 2 and 3: the former can be regarded as a disproof to Definition 4 while the latter can be regarded as a support to our theories in Section 4.2: Assumption 1 based Corollary 1 serves as a lower bound to the bias phenomenon. It remains to be discussed whether Corollary 1 based bias evaluations can be used as success probability evaluation to dynamic cube attacks, as we will show immediately in Section 7. Example 3. For the I 1 , I 2 in Example 2 with the same R, IV and N S settings. We call Algorithm 5 only finding that their split set Λ's for wrong key w = 1 are different: Λ 1 = {37, 125} and Λ 2 = {75}. According to Corollary 1, such a difference |Λ 1 | = 2 > |Λ 2 | = 1 indicates that, for wrong guesses, the bias of I 1 is less significant than that of I 2 making I 1 more suitable for dynamic cube attacks. The experimentally acquired statistics support our deductions: for sufficiently many randomly chosen keys, we evaluate the actual bias of wrong guesses as 1 1 = 0.165 ≥ 2 −3 = 0.125 and 2 1 = 0.464 ≥ 2 −2 = 0.25. This is in accordance with our theories in Section 4.2.
On the Accuracy of the Division Property. We use [YT19]'s method to verify the non-constant property of p 1 0 . We find that for arbitrary 0 ≤ R m ≤ 256, there are sufficiently many division trails within R m → R in (10). We also practically check the ANF of ( b Rm , s Rm ) for R m ≤ 210 finding that all of them can add key bits to the superpolies. So the superpolies are unlikely to be constants. This is an additional theoretic evidence supporting the feasibility of our dynamic cube attack on full Grain-128.

Discussions and Comparisons
We discuss the unsolved issues (such as the rationality of Assumption 1, the limitations of our dynamic cube attacks etc.). We also make detailed comparisons between our attack with Dinur et al.'s in [DGP + 11] and point out some promising improvements.

Probability Evaluation based on Assumption 1
Although our dynamic cube attack in Section 6 provides P T P S , such a theoretic evaluation of the success probability is based on Corollary 1, which can only be valid when Assumption 1 holds. According to the analysis in Section 4.2, for a single cube, the bias evaluation in Corollary 1 is more of a lower bound. However, in our practical experiments on Grain-128, we try many cube I's resembling the I 1 , I 2 in Examples 2 and 3. Such I's have d 0 = 0, d 1 > 0 and a non-empty Λ. When we practically measure their bias, there is an interesting finding: their bias parameter in Definition 5 always falls into the range [2 −(|Λ|+1) , 2 −|Λ| ]. If this is the case, the cubes with |Λ| = 3 will have bias [2 −4 , 2 −3 ] while those with |Λ| = 2 will be within [2 −3 , 2 −2 ]. Since most of the cubes in Table 3 have |Λ| = 3 and the rest have |Λ| = 2, we believe it rational for us to use the median number 2 −3 an approximate bias for success probability evaluation.

Limitation of Heuristic Split Set Construction and the Rationality of the Dynamic Cube Attack
As has been pointed out in Section 4.4 and demonstrated in Example 1, our heuristic split set construction cannot guarantee to generate the theoretically minimum Λ. But, it should also be noticed that the nature of our heuristic method will exhaustively try all Λ of size |Λ| = 1. Therefore, this at least guarantees that all cubes in Table 3 have split set sizes larger than 1. So we have |Λ| ≥ 2 and the split sets with |Λ| = 2 in Table 3 should be regarded as optimal. During the Λ-construction process in Algorithm 5, we find that, after nullifying most of the key bits, the degree of the superpoly will not drop at all. Just as x 3 , x 4 in Example 1, such key bits should not have priority for entering Λ. For the rest, it will be possible for us to exhaust all Λ's with |Λ| = 2 only to find that all 2-sized Λ cannot make p Λ in (17) become constant 0. Therefore, the 3-sized Λ's in Table 3 are also optimal. Therefore, although it is not theoretically perfect, our heuristic split construction method in Section 4.4 works well in our dynamic cube attack on Grain-128.

Comparison with Dinur et al.'s Result
As can be seen in Section 6, our nullification strategy only requires to guess 3 key bits. Therefore, we are able to recover 3 key bits with complexity bounded by 2 97.86 and success probability 99.83%. The remaining 125 key bits are supposed to be recovered through exhaustive search with complexity 2 125 . On the contrary, Dinur et al.'s nullification strategy in [DGP + 11] requires 39 bits of key guesses. They use a 50-dimensional cube along with its 49-dimensional subcubes so they are able to recover the 39 key bits with complexity 2 93.71 and success probability only 7.5%. The remaining 89 key bits should also be exhausted with complexity 2 89 , lower than that of their dynamic cube partial-key recovery. Our partial-key recovery has overwhelmingly better success probability but only 3 bits are recovered, which is obviously a limitation making the overall complexity high. To sum up, our attack can be regarded as a special kind of tradeoff of Dinur et al.'s: we trade a higher complexity for a better success probability and theoretic reliability.

Additional Comments on Dinur et al.'s Attack
Dinur et al. also claimed in [DGP + 11] that some unspecified tradeoffs can be made to their attacks to improve the efficiency of their attack, but our analysis reveals many underlying problems. Using the same modeling method in Section 5, we are also able to evaluate Dinur et al.'s result with division property techniques. For each of the 51 cubes (a 50-dimensional one along with its 49-dimensional subcubes), we search for minimal split sets for both correct w = 0 and incorrect key guess w = 1. We find that such a cube-subcube combination is not optimal: there are unqualified cubes included. Examples can be seen in I\{79}: both correct and incorrect key guess share the same Λ of size 78 indicating an insignificant bias for the correct key guess. Such subcube can be a distraction for identifying the correct key guess from wrong ones. If a larger cube is used to make a more significant bias for the correct key guess, more key bits will be involved so that the number of key guesses will be skyrocketing because, in Dinur et al.'s nullification strategy in [DGP + 11], the ANFs of the dynamic IVs have already mixed the key and IV bits quite thoroughly. Besides, larger cubes still cannot avoid the bad-subcube distractions.
On the other hand, if they abandon the cube-subcube strategy and use our random cube picking strategy in Section 5.2, they may still be confronted with an increased number of key guesses because different cubes will involve different key guesses. Furthermore, Dinur et al.'s complicated nullification strategy may result in that some of the key guesses are involved in very few randomly constructed cubes. When these key bits are wrongly guessed while others are correctly guessed, there will still be high probability of witnessing significant bias so that the success probability can be even lower. So abandoning the cube-subcube strategy can be hard for Dinur et al.'s attack.
Besides, according to our division property evaluations, with Dinur et al.'s nullification strategy, even the largest possible cube cannot provide zero-sum property for the correct key guess. So, it is hard for them to draw the threshold for the bias parameter to distinguish correct key guess from the wrong ones.
Faced with these problems, the unspecified tradeoffs in [DGP + 11] may not bring too much improvements to the success probability or the average efficiency.

Future Improvements
According to the analysis above, we can see that Dinur et al.'s dynamic cube attack has lower complexity along with a limited success probability. Their complicated nullification strategy also makes it hard to find a good tradeoff. On the other hand, our attack has a much higher success probability for recovering the 3 key bits determined by a quite simple nullification strategy. But such a simple nullification strategy also makes the complexity for recovering all 128 key bits quite high. In other words, an extremely simple nullification strategy also has its disadvantage for involving too few key guesses. As a promising compromise, there might be a nullification strategy N S that involve more than 3 key guesses. Along with such a N S , there should also be highly qualified cubes that maintain a significant bias phenomenon for the correct key guess and far less significant one for the wrong guesses. Of course, designing the N S and finding the corresponding cubes can be quite challenging as well.

Other Applications of the Split Sets
We now focus on n split sets each contain n − 1 elements denoted as Λ i := [0, n)\{i} for i ∈ [0, n). For round number R and some cube I, if 1 = DegEval(I, IV , R, Λ i ), we know that x i can appear in the linear part of the superpoly p IV ( x) of the output bit z R ; otherwise, x i can only appear in the non-linear part. Therefore, we have two directions for extension: 1. Draw secure bounds for stream ciphers against the bias cube tester.
We apply this method to Kreyvium and Acorn, and improve the results in [WHT + 18] by 1 and 13 rounds respectively. The detailed parameters are listed in Table 6. As can be seen, both attacks have d = 2 and the complexities are computed according to (8) where J is the set including all involved key bits deduced with Algorithm 1 as J ← TermEnum(I, IV , R, 1). Apparently, smallerJ 1 can bring down the complexity Comp. Note that, for Acorn, there is the relationship J =J 1 =J 2 , indicating that all involved key bits appear both in linear and non-linear parts of the superpoly. So the diffusion of Acorn round function is quite smooth. The whole process needs to manipulate the flag values of both non-cube IV bits and key bits for a precise description ofJ 1 . On the Accuracy of the Division Property. For Kreyvium, we choose R m as large as 312. We find that there are multiple trails in R m → R and all of them can add key bits to the superpoly. Such a situation is also true for Acorn: there are multiple division trails making non-constant superpolies for arbitrary R m 's and the practical ANF analysis (can only be carried out within R m < 256) also supports the non-constant property of the superpoly. These supportive verifications are showing not only the feasibility of our attacks but the better linear diffusions of such stream ciphers as well.

Conclusion and Future Works
In this paper, we draw links between the division property and the bias phenomenon, the non-random property used in dynamic cube attack method in [DGP + 11]. Based on such a theoretic finding, we are able to give the 1st dynamic cube attack on full Grain-128 with a theoretically evaluated success probability 99.83%. There are also other applications namely: drawing secure bounds for Grain-like stream ciphers against bias cube testers, and improved cube attack results on Kreyvium and Acorn.
As to future works, although most of the existing cube attack methods have been described by the division property bringing better results and steadier theoretic foundations, there are still cube attack variants, such as the correlation cube attack in [LYWL18], not included in the division property based models. Besides, as is pointed out in Section 7.5, a compromised dynamic cube attack that combines the advantages of both our attack and Dinur et al.'s is also a promising direction that deserves pursuing. After that, for r = 0, . . . , 255, the NLFSRs are updated by calling Upd as follows: Finally, the first keystream bit z 256 is output, computed as (23) with parameter r = 256. Such a procedure can be reflected by Fig. 1.

B The Division Property Propagation of Grain-128
The division property propagation corresponding to the whole procedure of updating function can be constructed by calling UpdDiv Algorithm 6. It is the subroutine of Algorithm 4. The subroutines funcZ, funcG, funcF are defined in Algorithm 7, where funcZ can also describe the DP structure of the output bit, denoted as o in Algorithm 4.