On the Relationships between Different Methods for Degree Evaluation

In this paper, we compare several non-tight degree evaluation methods, i.e., Boura and Canteaut's formula, Carlet's formula, Liu's numeric mapping, and the division property proposed by Todo, and hope to find the best of these methods for practical applications. Specifically, for substitution-permutation-network (SPN) ciphers, we first explore in depth the relationships between the division property of an Sbox and its algebraic properties (e.g., the algebraic degree of its inverse). Based on these findings, we prove theoretically that division property is never worse than Boura and Canteaut's and Carlet's formulas, and we also verify experimentally that the division property can indeed give a better bound than the latter two methods. In addition, for nonlinear feedback shift register (NFSR) based ciphers, according to the propagation of division property and the core idea of numeric mapping, we give a strict proof that the estimated degree using division property is never greater than that of numeric mapping. Moreover, our experimental results on Trivium and Kreyvium indicate that the division property actually derives a much better bound than the numeric mapping. To the best of our knowledge, this is the first formal discussion of the relationships between division property and other degree evaluation methods, and we present the first theoretical proof and give experimental verification to illustrate that division property is the optimal one among these methods in terms of the accuracy of the upper bounds on algebraic degree.


Introduction
The outputs (e.g., keystreams, ciphertexts or message digests) of symmetric ciphers can be regarded as Boolean functions over public variables (e.g., plaintext bits or IV bits) and/or secret variables (e.g., key bits). Distinguishing attacks or key-recovery attacks can be achieved if the target cipher exhibits low algebraic degree, such as integral attacks [KW02], higher-order differential attacks [Knu94,Lai94], cube attacks [DS09] and some algebraic attacks [Cou03,CM03]. Thus, the algebraic degree of a cipher is one of the necessary criteria for security analysis, and it is always of great significance to get a tighter bound.
For the degree evaluation of block ciphers, the first improvement of the trivial bound (deg(G • F) ≤ deg(G) · deg(F)) of the composition G • F was proposed by Canteaut and Videau [CV02]. Later, Boura et al. [BCC11] gave a new bound on the degree of iterated SPN block ciphers with nonlinear layer composed of parallel bijective Sboxes. As an application, they found a zero-sum partition of size $2^{1590}$ for the full Keccak-f [BDP09] permutation. Afterwards, Duan et al. [DL11] improved the bound for the inverse Keccak-f permutation focusing on the inverse Sbox based on [BCC11], which lowered the size of the full-round zero-sum partition of Keccak-f permutation from $2^{1590}$ to $2^{1579}$. Almost at the same time, Boura and Canteaut [BC13] also studied the influence of the algebraic degree of $F^{-1}$ on the algebraic degree of G • F and proposed a tighter bound than [BCC11]. Recently, Carlet [Car20] obtained a set of formulas to estimate the upper bound on the degree of composite functions by studying the graph indicators of vectorial Boolean functions, one of which is most applicable for the degree evaluation of SPN ciphers. At CRYPTO 2017, Liu [Liu17] presented a general framework to iteratively estimate the algebraic degree for NFSR-based ciphers, by exploiting the technique called numeric mapping. It was the first formalized and systematic method for finding upper bounds on the algebraic degree of NFSR-based stream ciphers. Based on the framework, a concrete and efficient algorithm to find an upper bound on the algebraic degree for Trivium-like ciphers was proposed. This algorithm has linear time complexity and needs a negligible amount of memory. Due to the high efficiency of the algorithm, a large set of cubes with large size can be exhausted. As an illustration, [Liu17] obtained the best distinguishing attacks on all Trivium-like ciphers at that time.
Besides the aforementioned methods, division property is also an effective technique to estimate the upper bound. Division property [Tod15b], proposed by Todo at EUROCRYPT 2015, is a generalized integral property which is aimed at constructing longer integral distinguishers of block ciphers. Since its proposal, there has been a lot of research focusing on this topic [Tod15a, BC16, XZBL16, SWW17, TIHM17, SHZ+17]. Later, Todo and Morii [TM16] introduced the bit-based division property to achieve a more accurate structural evaluation. Therefore, the experimental 15-round integral distinguisher of Simon-32 [WLV+14] can be verified using three-subset bit-based division property (3SBDP). Then the Mixed Integer Linear Programming (MILP), which has been widely used in cryptanalysis [MWGP11, SHS+13, SHW+14, CJF+16], was first adopted by Xiang et al. [XZBL16] to automatically search integral distinguishers based on bit-based division property. The MILP-aided technique was extended to cube attacks by Todo et al. [TIHM17], which is the first application of division property to stream ciphers. Then Wang et al. [WHT+18] introduced the flag technique and term enumeration to describe the propagation of division property more accurately and decrease the time complexity of recovering superpolys. At ASIACRYPT 2019, Wang et al. [WHG+19a] proposed the MILP method based on 3SBDP for searching integral distinguishers. As applications to several lightweight block ciphers, more balanced bits or longer integral distinguishers can be found compared with [XZBL16]. Recently, applications of 3SBDP to cube attacks [WHG+19b,HLM+20] were presented, where the exact superpolys can be recovered. Based on [TM16,XZBL16,TIHM17], the MILP-aided division property could be used to effectively estimate the upper bound on the degree of not only block ciphers [BKL+17] but also stream ciphers [WHT+18].
Moreover, it breaks the structural limitation of ciphers and only needs to construct a corresponding MILP model which can be solved by off-the-shelf solvers like Gurobi. In the following content, the (bit-based) division property generally represents the two-subset (bit-based) division property if there is no special statement.
In the applications of Boura and Canteaut's [BC13] and Carlet's [Car20] methods to SPN ciphers, the only parameter involved in their formulas is the algebraic degree of Sboxes used in the ciphers. Thus the advantages of the two methods are high efficiency and less manual work. However, both of them ignored the influence of linear layers between two rounds, and this may result in a less accurate upper bound, especially for weak linear layers. As for stream ciphers, Liu's numeric mapping [Liu17] is an efficient technique, especially for searching cubes with large size. It is required to analyze not only the ANF of the update function used in a particular cipher but also the algebraic expression of the state computed backward for several rounds. Moreover, the numeric mapping method frequently utilizes the trivial bound on the degree of the product of two functions, i.e., deg(g · f) ≤ deg(g) + deg(f). Therefore, precision will inevitably be lost in a long iteration. In [TIHM17], some experimental results indicate that using division property can derive longer zero-sum distinguishers than [Liu17] for Trivium and Kreyvium. However, the reason why division property is superior to numeric mapping has remained unclear until now.

Our Contributions
Which is the best one among these methods in terms of the accuracy of degree evaluations? In order to seek this answer, in this paper, we attempt to establish the relationships between division property and other methods.
We first present an iterative method based on division property to get upper bounds on the degree of SPN ciphers in this paper. To be specific, for the composite function G • F, if we obtain an integer d as the minimal weight of the input division property of function F such that the weight of the corresponding output division property is always greater than deg(G), then we can regard d − 1 as the upper bound on deg(G • F). The framework corresponding to this method is described in Algorithm 1. In addition, we introduce the concept of word-based division trail and, according to the propagation of word-based division property of a public Sbox, which is discussed in [Tod15a], we explore in depth some relationships between the word-based division trail of an Sbox and its algebraic properties as indicated in Lemmas 1 and 2. Moreover, these observations are closely related to Boura and Canteaut's and Carlet's formulas. Based on these observations, we theoretically prove from the point of view of word-based division property that our new method is never worse than Boura and Canteaut's and Carlet's formulas. Furthermore, we use small-PRESENT as a toy example to make this conclusion more intuitive. Note that bit-based division property is more accurate than word-based division property, thus our new method when implemented by bit-based division property can further improve the upper bounds. Based on this fact, we conclude that bit-based division property will never be worse than both of the two formulas for degree evaluations of SPN ciphers. As an illustration, we apply bit-based division property, Boura and Canteaut's and Carlet's formulas, to estimate degrees of Keccak and KNOT ciphers. The best bounds in these experiments are obtained by division property, and these results provide strong evidence for our final conclusion.
For the degree evaluation of NFSR-based ciphers, Liu's numeric mapping [Liu17] can derive an upper bound quite efficiently. As an application, an algorithm was proposed in [Liu17] to estimate the algebraic degree of Trivium-like ciphers. For a more intuitive comparison with bit-based division property, we formalize Liu's algorithm in this paper. In order to establish a relationship between numeric mapping and division property, we present some observations on the degree evaluation by division property. Based on these observations and the core idea of numeric mapping, we provide comparisons of the two methods on not only generalized stream ciphers but also the particular Trivium-like ciphers, and strictly prove that the division property is never worse than the numeric mapping for degree evaluations of NFSR-based ciphers. In addition, we introduce a divide-and-conquer approach and a new notion called maximal polynomial to improve the efficiency of the MILP-aided degree evaluation based on division property, which is described in Algorithm 2. As an application, we apply Algorithm 2 to Trivium and Kreyvium. The comparison of our experimental results with [Liu17] shows that the gap between the estimated degree derived by division property and numeric mapping becomes more and more significant as the number of rounds increases.
Very recently, two works on computing the exact algebraic degree, by Hu et al. [HSWW20] and Hebborn et al. [HLLT20], have appeared, both of which have been accepted to ASIACRYPT 2020. The methods used in [HLLT20] and [HSWW20] are 3SBDP and monomial prediction, respectively. Generally, when computing the exact degree, 3SBDP (monomial prediction) requires enumerating all the division trails (monomial trails). But their applications in practice may be limited, e.g., for block ciphers with large block size or stream ciphers with complex update functions. In these cases, evaluating the exact algebraic degree will be quite difficult and it would be better to use some simple but non-tight methods to evaluate the upper bound. Our paper is devoted exactly to the question of which non-tight method is the most accurate.

Organization
The rest of this paper is organized as follows: In Sect. 2, we revisit division property and some previous work on degree evaluations. In Sect. 3, we give the comparison between division property and Boura and Canteaut's formula as well as Carlet's formula for degree evaluations of SPN ciphers. The comparison of degree evaluations of NFSR-based ciphers between division property and numeric mapping is given in Sect. 4. We conclude the paper with a discussion in Sect. 5.

Preliminaries
We first introduce some notation used throughout this paper. Let $\mathbb{F}_2$ denote the finite field with two elements (0 and 1) and $a \in \mathbb{F}_2^n$ be an n-bit vector where $a_i$ denotes the ith bit of a. A unit vector where the ith element is 1 and the others are 0 is denoted by $e_i$. In particular, a vector whose elements are all 0 (or 1) is denoted by 0 (or 1). The Hamming weight of $a \in \mathbb{F}_2^n$ is denoted by $wt(a) = \#\{i : a_i = 1, 1 \le i \le n\}$. Denote a an element in $(\mathbb{F}_2^n)^m$ where the ith element of a, denoted by $a_i$, belongs to $\mathbb{F}_2^n$. Let k and k* be two vectors in $\mathbb{F}_2^n$, define k k* if $k_i \ge k^*_i$ holds for all $i \in \{1, 2, ..., n\}$, otherwise we write k k*.
Bit Product Function π u (x) and π u ( x) [Tod15b]. For any u ∈ F n 2 , let π u (x) be a function from F n 2 to F 2 . For any x ∈ F n 2 , π u (x) is defined as For any u ∈ (F n 2 ) m , let π u ( x) be a function from (F n 2 ) m to F 2 . For any x ∈ (F n 2 ) m , π u ( x) is defined as

Algebraic Normal Form.
For any Boolean function f on n variables, it can be uniquely represented by its Algebraic Normal Form (ANF) as where a f u ∈ F 2 is a constant depending on f and u. The algebraic degree of f , denoted by deg(f ), is defined as max{wt(u)|u ∈ F n 2 , a f u = 1}. Let u and u * be two vectors in F n 2 , define π u (x) π u * (x) if u u * = 0 holds and there exists i ∈ {1, ..., n} such that u i > u * i , otherwise we write π u (x) π u * (x). Algebraic Degree of Vectorial Boolean Function. For a vectorial Boolean function F from F n 2 into F m 2 . Denote the algebraic degree of F by deg(F ), which is defined as: where F i denotes the ith coordinate of F .

Division Property
Division property [Tod15b] is a generalized integral property, which was proposed by Todo at EUROCRYPT 2015. It has shown its great power [Tod15a] since its proposal as it is a more accurate description of integral property. At FSE 2016, Todo and Morii [TM16] extended this technique to two-subset and three-subset bit-based division property, both of which are much more accurate since bit is the smallest unit in cryptography. We now briefly revisit division property and related theories as follows.
Definition 1 (Division Property [Tod15b]). Let X be a multiset whose elements take values from $\mathbb{F}_2^n$ and k takes a value between 0 and n. When the multiset X has division property $D^n_k$, it fulfils the following conditions:
Definition 2 (Vectorial Division Property [Tod15b]). Let X be a multiset whose elements take values from $(\mathbb{F}_2^n)^m$, and k is an m-dimensional vector where $k_i$ denotes the ith element of k and $0 \le k_i \le n$ for all $i \in \{1, 2, ..., m\}$. When the multiset X has division property $D^{n,m}_k$, it fulfils the following conditions:
Definition 3 (Bit-based Division Property [TM16]). Let X be a multiset whose elements take values from $\mathbb{F}_2^n$ and K denote a set of n-dimensional bit vectors whose elements take the value 0 or 1. When the multiset X has the division property $D^{1,n}_K$, it fulfils the following conditions:
Proposition 1 (Propagation Characteristic of Sbox [Tod15b]). Let S be a function (Sbox) from $\mathbb{F}_2^n$ into $\mathbb{F}_2^n$ with degree d. Assuming that an input multiset X has division property $D^n_k$, then the output multiset Y has division property $D^n_{\lceil k/d \rceil}$. In addition, if the Sbox is a permutation, the output multiset Y has division property $D^n_n$ when the input multiset has division property $D^n_n$.
Proposition 1 is applicable for the case where the only available information of an Sbox is its algebraic degree. When the Sbox is a public function, which means the ANF of the Sbox is known, Todo et al. [Tod15a] used the 7-bit Sbox of MISTY [Mat97] as an example to illustrate how to accurately describe the propagation characteristic. Based on [Tod15a] and with the help of the following definition in [BC13], we formalize the propagation rule of division property of a public Sbox as Property 1 for brevity.

Definition 4 ([BC13]). Let F be a function from $\mathbb{F}_2^n$ into $\mathbb{F}_2^m$. For any integer k, 0 ≤ k ≤ m, $\delta_k(F)$ denotes the maximal degree of the product of any k (or fewer) coordinates of F: In particular, $\delta_0(F) = 0$ and $\delta_1(F) = \deg(F)$.
Property 1. Let S be an n × n public Sbox. Assuming that an input multiset X has division property $D^n_k$, then the output multiset Y has division property $D^n_{k'}$ where $k' = \min_{0 \le i \le n}\{i \mid \delta_i(S) \ge k\}$.

The MILP Technique Used in Division Property
Mixed Integer Linear Programming. MILP was first introduced by Mouha et al. [MWGP11] to evaluate the number of differentially and linearly active Sboxes of AES and Enocoro-128v2. Since then, the MILP method has been widely applied to cryptography [SHS+13, SHW+14, CJF+16, XZBL16, SWW17, ST17]. The propagations of cryptographic properties (such as differential characteristics, linear approximations or division property) are converted into a system of linear inequalities in MILP-aided cryptanalysis, and these linear inequalities are sent to an MILP solver with an appropriate objective function. In general, an MILP model M is composed of variables M.var, constraints M.con and an objective function M.obj. If M is feasible, then an optimized solution, denoted by OBJ(M), will be returned. In addition, if M has no objective function, the MILP solver only evaluates the feasibility of M.

Searching Integral Distinguishers Based on MILP-aided Division Property.
The application of bit-based division property is limited because of its high time and memory complexity. At ASIACRYPT 2016, Xiang et al. [XZBL16] applied MILP to division property to overcome this drawback.
Definition 5 (Division trail [XZBL16]). Consider the propagation of division property Ki is the division property after i rounds. Moreover, for any vector k When we consider an r-round iterated cipher E and give the input division property or 1 c means the state bit is constant 0 or 1, δ means this state bit is a variable. Moreover, they redefined the constraints for several basic operations i.e., XOR, COPY, AND, which can be used to construct a more accurate MILP model to describe the propagations of division property. As a result, they achieved improved cube attacks on Trivium, Kreyvium, Ascon and Grain-128a.

The Known Methods for Degree Evaluation
In this subsection, we briefly revisit several known methods for estimating the upper bounds on the degree of ciphers.

Theorem 1 ([BC13]). Let F be a permutation from $\mathbb{F}_2^n$ into $\mathbb{F}_2^n$ corresponding to the concatenation of s bijective Sboxes, $S_1, ..., S_s$, defined over $\mathbb{F}_2^{n_0}$. Then, for any function G from $\mathbb{F}_2^n$ into $\mathbb{F}_2^m$, we have where .
Note that deg(G • F ) must be an integer, thus (1) is equivalent to Besides, the authors in [BC13] proposed another bound deg(G Carlet proposed a new bound (see (2)) in [Car20] by exploiting the graph indicators of vectorial Boolean functions. In the earlier version of [Car20], the author claimed that (2) improves by one unit the bound deg(G , but later was fixed as the two bounds are actually fully equivalent. Both of the two bounds are related to the degree of F −1 , but they are constructed from different aspects. Thus, in order to facilitate the following discussion and be consistent with (1), we will focus on (2) instead and present the bound in Theorem 2. Then we will compare division property with (1) and (2) respectively in Sect.3.

Theorem 2 ([Car20]
). Let F be a permutation of F n 2 and let G be a function from F n 2 to F m 2 . Then we have x ui i be a Boolean function on m variables. Denoted by B m and Z the set of all m-variable Boolean functions and the integer ring. Moreover, Z m denotes the set of all m-dimensional vectors whose elements belong to Z. The numeric mapping [Liu17], denoted by DEG, is defined as , and a f u 's are coefficients of the ANF of f as defined previously. Let g 1 , g 2 , ..., g m be Boolean functions on n variables, G = (g 1 , g 2 , ..., g m ) and deg(G) = (deg(g 1 ), deg(g 2 ), ..., deg(g m )). The numeric degree of the composite function We can check that the algebraic degree of h is always less than or equal to the numeric degree of h, i.e., The numeric mapping can be generally applied to the algebraic degree evaluation of NFSR-based ciphers. In fact, the core idea of numeric mapping is to estimate the degree of the monomial by computing the sum of degrees of all the variables contained in this monomial. In order to obtain a tighter bound on the algebraic degree for a particular cipher as Liu did in [Liu17] for Trivium and Kreyvium, we can iteratively compute the algebraic expression backward for several rounds, and use the degree of the previous states to estimate the degree of the current state.
Division Property. Another effective and accepted application of division property is degree evaluation. It is a reverse use of the division property for searching balanced bits. Assume that M is an MILP model in which the propagation rules of the division property for a given block cipher with n-bit block size are described, and that two n-bit vectors x and y denote MILP variables corresponding to the input and output division property, respectively. Moreover, we constrain $\sum_{i=1}^{n} y_i = 1$ and maximize $\sum_{i=1}^{n} x_i$ by MILP. Suppose the optimized solution for an r-round cipher is d; then the algebraic degree of the r-round cipher is upper bounded by d. Furthermore, if we focus on a specific bit in the r-round output, e.g., the jth bit, we constrain $y = e_j$ and maximize $\sum_{i=1}^{n} x_i$. The optimized solution being d means the algebraic degree of the jth bit of the r-round output is at most d. Similarly, for a given stream cipher with n-bit internal state and m-bit IV, let iv, $u^{(r)}$ and ks denote MILP variables corresponding to division property of IV, the r-round internal state and the r-round keystream bit, respectively. We constrain $\sum_{i=1}^{n} s^{(r)}_i = 0$, ks = 1 and maximize $\sum_{i=1}^{m} iv_i$. In addition, we need to set the division property of the initial states except IVs to 0. If the optimized solution returned by solvers is d, then the upper bound on the algebraic degree of the r-round keystream bit defined over IV is d. These applications have been discussed in [BKL+17] and [WHT+18], respectively.

Degree Evaluation of SPN Ciphers
In this section, we establish relationships between word-based division property and Boura et al.'s and Carlet's formulas. Then we use word-based division property as a link to illustrate that bit-based division property can always derive a bound never worse than both of the two formulas. Finally, we show applications to Keccak and KNOT to provide evidence for our conclusion.

An Iterative Method for Degree Evaluation
Suppose that the input multiset X of F has division property D n k and the corresponding output multiset Y has division property D n k , where k ∈ {0, 1, ..., n}. Then we have Assuming that k − 1 ∈ W, thus k is greater than deg(G) according to the definition of W, which follows that (3) is always equal to 0 due to Proposition 1. This implies that the output multiset of G • F has a balanced property. In other words, the algebraic degree of G • F is bounded by k − 1. Therefore, for an arbitrary X with division property D n k , Based on Proposition 2, we introduce Algorithm 1 to evaluate the upper bound on deg(G • F ). Let M F w be an MILP model, which describes the propagation from the input division property of F to the output division property of F . Moreover, its objective is to get the minimal weight of the output division property of F , and it contains an extra constraint that the weight of the input division property of F is fixed to w. Denoted by . In Algorithm 1, in and out respectively denote the weight of the input division property of F and the minimal weight of the corresponding output division property. Note that we can initialize in to be deg(G), since the weight of the corresponding output division property of F is clearly less than or equal to that of the input due to Proposition 1.
Additionally, our target is to get the minimal in such that the corresponding out is always greater than deg(G); thus, if a current objective value equal to deg(G) occurs while Gurobi is searching for optimized solutions, we can always terminate the current search in order to save time. Note that this can be easily achieved using the terminate() function of Gurobi. In our experiments, this approach provides a great improvement in the efficiency of Algorithm 1.

Comparisons between Division Property and Two Formulas
In this subsection, we clarify the relationships between word-based division property, bit-based division property and the other two formulas for the degree evaluation of SPN ciphers.
Definition 6 (Word-based Division Trail). Let S be an n 0 × n 0 Sbox. Assuming that the input multiset X and the corresponding output multiset Y of S respectively have division property D n0 k and D n0 k , where k, k ∈ {0, 1, ..., n 0 }, then we call (k −→ k ) a word-based division trail of S. Similarly, let F be a function from F n 2 into F n 2 composed of s Sboxes (S 1 , ..., S s defined over F n0 2 ), assuming that the input multiset X and the output multiset Y of Proof. It is obvious that if k = 0, then k = 0. Apparently, the conclusion holds since η ≥ n0−1 n0−δ1(S) = n0−1 n0−deg(S) > 1, where deg(S) denotes the algebraic degree of S. Similarly, if k = n 0 then k = n 0 , thus (4) holds when k equals to 0 and n 0 , we will prove that (4) holds when 0 < k < n 0 . Because S is bijective, which indicates that δ 0 (S) = 0 and δ n0 (S) = n 0 . Thus 0 / ∈ {i|δ i (S) ≥ k} when 1 ≤ k ≤ n 0 − 1. In this case, for any Therefore, combining with the previous two cases k = 0 and k = n 0 , for any k satisfying 0 ≤ k ≤ n 0 , we have x ≥ n 0 − (n 0 − k) · η for all x ∈ {i|δ i (S) ≥ k}, and due to Property 1 holds.
According to Lemma 1, we give a comparison between word-based division property and Boura and Canteaut's formula on degree evaluations in the following proposition.
Proposition 3. Let F be a function from F n 2 into F n 2 , which is the concatenation of s bijective Sboxes (S 1 , ..., S s defined over F n0 2 , sn 0 = n). Denote W F w the minimal weight of the corresponding output division property when the weight of the input division property of F is equal to w. For any function G from F n 2 into F m 2 , we have where γ is the same as in Theorem 1.
Proof. It is equivalent to prove that n − n−deg(G) Note that (k j −→ k j ) is the word-based division trail of jth Sbox S j . Thus according to Lemma 1, we have In addition, it is clear that η j ≤ γ always holds for any j ∈ {1, 2, ..., s}. Thus we have It indicates that for any word-based division trail of F , if the weight of input division property of F is fixed to n − n−deg(G) γ + 1, then the weight of the corresponding output division property is always greater than deg(G). In other words, holds.
Consider an r-round SPN cipher E = (R_L • R_N)^r, where R_L and R_N are the linear layer and non-linear layer of the round function. Let E_i denote the i-round reduced cipher. Boura and Canteaut's formula first decomposes E_1 = R_L • R_N = G • F, and computes its degree according to Theorem 1. Then the degree of E_i (i = 2, ..., r) is iteratively computed by The relationship of these four models and Boura and Canteaut's formula is illustrated in Figure 1. First, Proposition 3 indicates that the value of the upper bound obtained by Model 1 is less than or equal to that of Boura and Canteaut's formula. Next, Model 2 is more precise than Model 1, since Model 2 takes the influence of linear layers on the division property propagation into consideration. In addition, Model 3 is more precise than Model 2, because Model 3 is based on BDP and BDP is more accurate than WDP. Note that Model 4 returns the maximal weight of the input division property of E when the weight of the output division property is fixed to 1. Assuming that the result obtained by Model 4 is d, in other words, if we set the weight of the input division property of E to d + 1, then the minimal weight of the corresponding output division property is exactly equal to 2. Thus Model 3 is actually equivalent to Model 4. Finally, we deduce that the value of the upper bound obtained by Model 4 is less than or equal to that of Boura and Canteaut's formula. In conclusion, the bit-based division property will never be worse than Boura and Canteaut's formula for degree evaluations of SPN ciphers. We can also obtain a similar conclusion for Carlet's formula, which is discussed as follows.

Theorem 3 ([BC13]). Let F be a permutation on $\mathbb{F}_2^n$. Then, for any integers k and l, $\delta_l(F^{-1}) < n - k$ if and only if $\delta_k(F) < n - l$.
The contraposition of Theorem 3 can greatly help us to link the word-based division trail of an Sbox with the algebraic degree of its inverse as indicated in the following lemma.
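The quantities in Definition 4, Property 1 and Theorem 3 can be computed directly for a small Sbox. The following Python sketch is an added example, not code from the paper: it builds the 5-bit Keccak Sbox χ from its definition in the Keccak specification [BDP09] (the page itself only states the degrees 2 and 3), computes δ_k for χ and its inverse, checks Theorem 3 exhaustively, and compares the trail of Property 1 with the degree-only rule of Proposition 1. All function names are illustrative.

```python
from itertools import combinations
from math import ceil

N = 5  # width of the Keccak Sbox (chi applied to one 5-bit row)


def chi(x):
    """Keccak chi on 5 bits: y_i = x_i ^ (~x_{i+1} & x_{i+2}), indices mod 5."""
    bits = [(x >> i) & 1 for i in range(N)]
    return sum((bits[i] ^ ((bits[(i + 1) % N] ^ 1) & bits[(i + 2) % N])) << i
               for i in range(N))


def invert(sbox):
    """Lookup table of the inverse permutation."""
    inv = [0] * len(sbox)
    for x, y in enumerate(sbox):
        inv[y] = x
    return inv


def degree(truth_table):
    """Algebraic degree via the binary Moebius transform (truth table -> ANF)."""
    anf = list(truth_table)
    for i in range(len(anf).bit_length() - 1):
        for x in range(len(anf)):
            if x & (1 << i):
                anf[x] ^= anf[x ^ (1 << i)]
    return max((bin(u).count("1") for u, c in enumerate(anf) if c), default=0)


def delta(sbox, n):
    """[delta_0, ..., delta_n]: max degree of a product of k or fewer coordinates."""
    d = [0] * (n + 1)
    for k in range(1, n + 1):
        d[k] = d[k - 1]  # "k or fewer" makes the sequence non-decreasing
        for coords in combinations(range(n), k):
            mask = sum(1 << c for c in coords)
            # Truth table of the product of the selected output bits.
            product = [int((y & mask) == mask) for y in sbox]
            d[k] = max(d[k], degree(product))
    return d


def trail_public(d, k):
    """Property 1: k' = min{ i : delta_i(S) >= k } for a public Sbox."""
    return min(i for i, di in enumerate(d) if di >= k)


def trail_degree_only(n, deg, k):
    """Proposition 1: ceil(k / deg), and n -> n when the Sbox is a permutation."""
    return n if k == n else ceil(k / deg)


def theorem3_holds(d_f, d_inv, n):
    """delta_l(F^-1) < n - k  <=>  delta_k(F) < n - l, for all 0 <= k, l <= n."""
    return all((d_inv[l] < n - k) == (d_f[k] < n - l)
               for k in range(n + 1) for l in range(n + 1))


CHI = [chi(x) for x in range(1 << N)]
CHI_INV = invert(CHI)
D_CHI = delta(CHI, N)
D_INV = delta(CHI_INV, N)

if __name__ == "__main__":
    print("delta(chi)     =", D_CHI)
    print("delta(chi^-1)  =", D_INV)
    print("Theorem 3 holds:", theorem3_holds(D_CHI, D_INV, N))
    for name, d in (("chi", D_CHI), ("chi^-1", D_INV)):
        for k in range(N + 1):
            print(name, "k =", k, "Property 1 ->", trail_public(d, k),
                  "Proposition 1 ->", trail_degree_only(N, d[1], k))
```

For χ itself the two rules agree, but for the inverse Sbox an input weight of 4 propagates to 3 under Property 1 and only to 2 under Proposition 1, which is the kind of information the degree-only formulas cannot use.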
Lemma 2. Let S be an n 0 × n 0 bijective Sbox. Assuming that (k −→ k ) is a word-based division trail of S, then we have Proof. Due to Property 1, we have Note that S is bijective, thus it is a permutation. According to the contraposition of Theorem 3 and (5), we can deduce Then, based on the trivial bound δ n0−k (S −1 ) ≤ (n 0 − k) · δ 1 (S −1 ), we have Proposition 4. Let F be a function from F n 2 into F n 2 , which is the concatenation of s bijective Sboxes (S 1 , ..., S s defined over F n0 2 , sn 0 = n). Denote W F w the minimal weight of the corresponding output division property when the weight of the input division property of F is equal to w. For any function G from F n 2 into F m 2 , we have Proof. We reuse some notations in the proof of Proposition 3. Similarly, we only need to prove that n − n−deg(G) Assuming that the weight of the input division property of F is equal to n − n−deg(G) deg(F −1 ) + 1, thus we have According to Lemma 2, the weight of the corresponding output division property can be calculated as The inequality (6) comes from the fact that deg(F −1 ) ≥ deg(S −1 j ) for any j ∈ {1, 2, ..., s} . It implies that the weight of the corresponding output division property is always greater than deg(G) if the weight of the input division property of F is equal to n − n−deg(G)

Similarly, we can conclude that bit-based division property will never be worse than Carlet's formula for degree evaluations of SPN ciphers.
Example 1. Small-PRESENT is a simplified version of the PRESENT block cipher, and its round function is shown in Figure 2. A four-dimensional vector, whose elements belong to {0, 1, 2, 3, 4}, denotes the word-based division property of the state, and the substitution layer and the permutation layer are denoted by S and P, respectively. According to Proposition 2, the algebraic degree of 4-round small-PRESENT is upper bounded by 15 − 1 = 14.
In addition, [BC13] and [Car20] give the same iterative formula to compute the upper bound as In this case, the function F always represents the nonlinear layer, i.e. The 4-round degree is finally obtained as 15 by the two formulas, which is one greater than the bound estimated by division property. The reason why this gap exists is that the former method does not consider the influence of P. Suppose we set the weight of the input division property to 15 and implement Algorithm 1 with an ideal linear layer, which means that any input division property can propagate to any output division property with the only restriction that they have the same weight. In this case, we enumerate all the word-based division trails of the 4-round cipher as

Experiments on Keccak and KNOT
In this subsection, we use the bit-based division property and two formulas in [BC13] and [Car20] [BDP09] in 2007, was selected as SHA-3 cryptographic hash function in 2012. The core component of Keccak sponge family is the Keccak-f permutation, which is a 1600-bit SPN permutation with 24 rounds. One can refer to [BDP09] for more details. The best known bound on the algebraic degree of Keccak-f was given in [BCC11], which led to a full-round zero-sum distinguisher. Later, focusing on the inverse Sbox, Duan et al. [DL11] improved the bound for the inverse Keccak-f, which decreased the size of the full-round zero-sum partition from $2^{1590}$ to $2^{1579}$ compared with [BCC11].
Algebraic degrees of the Keccak Sbox and its inverse are 2 and 3, respectively. Therefore, for the forward degree evaluation, the upper bounds on $\deg(G \circ F)$ can be obtained according to [BC13] and [Car20] as: It is clear that 1600 Note that the algebraic degrees of KNOT's Sbox and its inverse are both 3. Thus in the degree evaluations of forward and backward KNOT-n (n = 256, 384, 512), [BC13] and [Car20] provide formulas as $n - \frac{n - \deg(G)}{3}$ and $n - \frac{n - \deg(G)}{3}$ to calculate $\deg(G \circ F)$. Similar to Keccak-f, the linear layer in KNOT is translation-invariant in the direction of the word, thus we can utilize this property to save redundant computations. As a result, division property extends the shortest rounds where the degree is bounded by n − 1 from 9 to 13, 10 to 14, 11 to 15 for KNOT-256, 384, 512 respectively compared with [BC13] and [Car20], which are shown in Table 1.
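The iterated bound of [BC13] and [Car20] used in Example 1 and in the KNOT comparison above, as an added example (not code from the paper): each round takes the smaller of the trivial bound deg(F)·deg(G) and n − ⌈(n − deg(G))/deg(F⁻¹)⌉. The ceiling, the minimum with the trivial bound, the starting degree 1, and the PRESENT Sbox degrees (3 and 3) are assumptions of this example; with them it reproduces the 4-round small-PRESENT bound of 15 and the KNOT rounds 9, 10 and 11 quoted above.

```python
def ceil_div(a, b):
    """Integer ceiling of a / b for non-negative a and positive b."""
    return -(-a // b)


def compose_bound(n, deg_g, deg_f, deg_f_inv):
    """Upper bound on deg(G o F) when F is an n-bit permutation layer.

    deg_f / deg_f_inv are the degrees of the Sbox layer and of its inverse.
    """
    trivial = deg_f * deg_g
    # Bound driven by the degree of the inverse layer (ceiling is an assumption).
    via_inverse = n - ceil_div(n - deg_g, deg_f_inv)
    return min(trivial, via_inverse)


def degree_bounds(n, rounds, deg_f, deg_f_inv):
    """Bounds after 1..rounds rounds, starting from the identity (degree 1)."""
    bounds, d = [], 1
    for _ in range(rounds):
        d = compose_bound(n, d, deg_f, deg_f_inv)
        bounds.append(d)
    return bounds


def first_round_reaching(n, deg_f, deg_f_inv, max_rounds=64):
    """First round at which the bound becomes n - 1 (no information left)."""
    for r, d in enumerate(degree_bounds(n, max_rounds, deg_f, deg_f_inv), 1):
        if d >= n - 1:
            return r
    return None


if __name__ == "__main__":
    # small-PRESENT: 16-bit state, Sbox and inverse Sbox of degree 3 (assumed).
    print("small-PRESENT, rounds 1-4:", degree_bounds(16, 4, 3, 3))
    # KNOT-n: Sbox and inverse Sbox both of degree 3 (stated in the text).
    for n in (256, 384, 512):
        print(f"KNOT-{n}: bound reaches n-1 at round",
              first_round_reaching(n, 3, 3))
```
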

Degree Evaluation of NFSR-based Ciphers
As an important cryptographic component, NFSR can be used to construct not only stream ciphers but also block ciphers. In this section, we mainly focus on the degree evaluation of stream ciphers based on NFSR.

Comparison between Division Property and Numeric Mapping
For a generalized stream cipher based on an n-bit NFSR, assuming that the register at clock t is updated as n ) denotes the internal state at clock t and g denotes the update function. The output key stream bit at clock t, denoted by $KS^{(t)}$, can be represented as $f(s^{(t)})$, where f is the output function. Assuming that the ANFs of the update function and output function are When evaluating the algebraic degree of the output $KS^{(t)}$, the numeric mapping first uses the trivial bound to iteratively compute the degrees of the state $s^{(t)}$ as where d(s i . Thus the degree of the output bit $KS^{(t)}$, denoted by $d(KS^{(t)})$, can be similarly calculated using numeric mapping as When applying bit-based division property to estimate the degree of $KS^{(t)}$, we convert the division property propagations from the initial state to the t-clock state into a system of inequalities of an MILP model, and constrain the division property of $s_i^{(t)}$ (for all 1 ≤ i ≤ n) to 0 and the division property of $KS^{(t)}$ to 1. Then the maximal weight of the division property of the initial state, which will be taken as the degree of $KS^{(t)}$, can be computed by solvers. This is the whole process, but we can also interpret it in an iterative way in order to compare it with numeric mapping intuitively. Before presenting a high-level comparison, we first introduce some important conclusions.
In summary, the conclusion holds. Now we are ready to prove Proposition 6.
Proof. It is clearly true for |I| = 1. Thus it is significant to prove that it also holds for |I| = 2. Now we will prove it by contradiction. Assume q ). According to the propagation rules of division property, when the division property of h(s t ) is 1, there are three cases for the division property of (s
Proof. We only need to prove that $\hat{d}$(s n is the updated state bit at clock t. Note that when t = 0, both of $\hat{d}$(s {d(π u (s (0) ))} due to Proposition 5, where $\hat{d}(\pi_u(s^{(0)}))$ denotes the computed degree of the monomial $\pi_u(s^{(0)})$ by division property. According to Proposition 6, we know Thus we have Similarly, $\hat{d}$ From the above iteration, it is clear that $\hat{d}$(s i ) always holds for all 1 ≤ i ≤ n at any clock t. Thus we have
Proposition 7 indicates that the division property is never worse than the numeric mapping for degree evaluations of NFSR-based stream ciphers. In a particular stream cipher, there may be more than one registers and update functions, and the output function may be more complex, but these factors will not affect our final conclusion. In this case, the numeric mapping may compute a tighter bound by exploiting the algebraic properties of the update functions and output function. Liu specially introduced an algorithm to estimate the algebraic degree for Trivium-like ciphers in [Liu17], and we will give a more detailed comparison on degree evaluations of Trivium-like ciphers in the next subsections.
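The numeric mapping iteration described in this subsection, run next to an exact ANF computation on a toy 3-bit NFSR, as an added example (not from the paper) showing how quickly the trivial bound drifts above the true degree. The register size, the update function s1 + s2·s3 and the all-variable initial state are constructed for illustration, and the degree of the zero polynomial is taken as 0.

```python
from itertools import product


def poly_mul(p, q):
    """Multiply GF(2) polynomials; a monomial is a frozenset of variable ids."""
    out = set()
    for a, b in product(p, q):
        out ^= {a | b}  # x*x = x, and equal monomials cancel mod 2
    return out


def poly_deg(p):
    """Exact algebraic degree (0 for constants and for the zero polynomial)."""
    return max((len(m) for m in p), default=0)


def apply_anf(g, state):
    """Evaluate the update ANF g (list of index tuples) on symbolic state bits."""
    acc = set()
    for mono in g:
        term = {frozenset()}  # the constant 1
        for i in mono:
            term = poly_mul(term, state[i])
        acc ^= term
    return acc


def numeric_map(g, degs):
    """Numeric mapping: max over monomials of the sum of the degree estimates."""
    return max(sum(degs[i] for i in mono) for mono in g)


def compare(n, g, clocks):
    """Return (exact degrees, numeric-mapping estimates) of each new state bit."""
    state = [{frozenset([i])} for i in range(n)]  # s_i^(0) = x_i, degree 1
    degs = [1] * n
    exact, estimate = [], []
    for _ in range(clocks):
        new_poly, new_deg = apply_anf(g, state), numeric_map(g, degs)
        state, degs = state[1:] + [new_poly], degs[1:] + [new_deg]
        exact.append(poly_deg(new_poly))
        estimate.append(new_deg)
    return exact, estimate


TOY_G = [(0,), (1, 2)]  # constructed toy update function: s1 + s2*s3 (0-based)

if __name__ == "__main__":
    exact, estimate = compare(3, TOY_G, 8)
    for t, (e, m) in enumerate(zip(exact, estimate), 1):
        print(f"clock {t}: exact degree {e}, numeric mapping bound {m}")
```
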

Applications of Numeric Mapping to Trivium-like Ciphers
In order to compare the applications of division property and numeric mapping to Trivium-like ciphers intuitively, we first introduce some special notations in this subsection.

Trivium-like Stream Ciphers
Let X, Y and Z be three feedback shift registers with sizes $n_X$, $n_Y$ and $n_Z$ respectively. Denote by $x^{(t)}$, $y^{(t)}$ and $z^{(t)}$ their corresponding states at clock t, n Z ), and the states are updated as follows, where $1 \le r_\lambda < n_\lambda$ and λ is a linear function for λ ∈ {X, Y, Z}. The internal state at clock t, denoted by $s^{(t)}$, is composed of the three registers, i.e., where n denotes the size of the internal state, i.e. $n = n_X + n_Y + n_Z$. Let f be the output function; after an initialization of N rounds, the cipher generates a keystream bit $KS^{(t)}$ by $f(s^{(t)})$ for each t ≥ N. Trivium-like stream ciphers can be roughly represented as above; additional details depend on the specific cipher. Trivium falls exactly into this kind of cipher. Kreyvium is a variant of Trivium with 128-bit security. Moreover, two extra registers $K^*$ and $IV^*$, which are shifted but not updated and which only involve the key bits and IV bits respectively, are used in Kreyvium to provide a single bit to each of X and Y. Trivium uses an 80-bit IV and key, while Kreyvium uses a 128-bit IV and key. Both ciphers have a 1152-round initialization. One can refer to [CP08, CCF+16] for more details of these two ciphers.

Formalizing the Applications of Numeric Mapping to Trivium-like Ciphers
In [Liu17], an efficient algorithm is proposed to estimate degrees of updated states and the output keystream bit for Trivium-like ciphers. It takes advantage of the property that the only nonlinear term of the update functions is the product of two neighboring state bits. Thus, it can obtain a more accurate degree based on numeric mapping by iteratively computing the algebraic expression backward for one round. We give a formalized description of this algorithm for intuition as follows. Denote d(x where $n = n_X + n_Y + n_Z$. Particularly, $D^{(0)}$ denotes the degree of the initial state and is equal to the exact algebraic degree. The degree of the linear function λ (s (t) ) for λ ∈ {X, Y, Z}, denoted by DEG( λ , D (t) ), is computed as DEG( λ , D (t) ) = max 1≤i≤n {a λ ei ·d(s (t) i )} (see Sect. 2). If $D^{(j)}$ for j ≤ t − 1 is known, then we can compute the degree of the updated state of the register X due to numeric mapping as follows: where The processes to compute degrees of the updated states of registers Y and Z are similar to the above. Finally, the degree of the key stream $KS^{(t)}$ is easily computed as $d(KS^{(t)}) = \mathrm{DEG}(f, D^{(t)})$ after we get $D^{(t)}$.

A Detailed Comparison on the Degree Evaluation of Trivium-like Ciphers between Division Property and Numeric Mapping
When applying division property to the degree evaluation of Trivium-like ciphers, we denote $\hat{d}$(x and $z_i^{(t)}$ at clock t, respectively. The degree of the internal state at clock t (0 ≤ t ≤ N) is denoted as Especially, $\hat{D}^{(0)}$ denotes the degree of the initial state and is equal to the exact algebraic degree. According to Proposition 5, the estimated degree of the linear function λ (s (t) ) for λ ∈ {X, Y, Z}, denoted by $\hat{d}$( λ (s (t) )), can be represented as i ) for all 1 ≤ i ≤ n and t ≥ 0. Moreover, denoting by $\hat{d}(KS^{(t)})$ and $d(KS^{(t)})$ the degree of the output bit estimated by division property and numeric mapping at clock t, we have $\hat{d}(KS^{(t)}) \le d(KS^{(t)})$.
Proof. We know both $D^{(0)}$ and $\hat{D}^{(0)}$ are initialized by the exact algebraic degree, thus this conclusion apparently holds for t = 0. In fact, we only need to pay attention to the updated state bits instead of every state bit. Here we just illustrate the details of the proof for register X due to the similarity of these three registers. Assuming that $\hat{d}$(s always holds for all 1 ≤ i ≤ n and 1 ≤ j ≤ t − 1, then we need to prove $\hat{d}$(x When estimating the value of $\hat{d}(x_{n_X}^{(t)})$, the division property of state $x_{n_X}^{(t)}$ is 1. Thus, according to the update function and Proposition 5, we have r Z +1 ) by division property. It is clear that $\hat{d}$( X (s (t−1) )) ≤ DEG( X , D (t−1) ) holds because of the assumption that $\hat{d}$(s i ) for any 1 ≤ i ≤ n and 1 ≤ j ≤ t − 1. Thus we have Now we focus on the degree of the monomial z r Z +1 . Let $t_1 = t + r_Z - n_Z - 1$; similar to the numeric mapping, there are two cases, as in the following discussion. update function and output function, and $s^{(t)}$ denotes the internal state at clock t. Denote by M d u (t) an MILP model constructed using the flag technique [WHT+18], where d is a positive integer and $u \in \mathbb{F}_2^n$. It covers t rounds and maximizes m i=1 iv i , where $iv = (iv_1, \ldots, iv_m)$ represents the division property of IV. Moreover, we constrain m i=1 iv i > d and u u (t) in M d u (t) where u (t) represents the division property of $s^{(t)}$. Denote by OBJ(M d u (t)) the optimized solution of M d u (t) obtained by MILP solvers. If M d u (t) is infeasible, we assign 0 to OBJ(M d u (t)). In addition, we define f i (x) = f (g • g • · · · • g i (x)).
Now we introduce a divide-and-conquer strategy based on the maximal polynomial technique to further speed up the MILP-aided degree evaluation, which is described as follows: 1. For an r-round initialization, split r into the former part $t_1$ and the latter part $t_2$ as $r = t_1 + t_2$, and compute the maximal polynomial of f t2 (s (t1) ) as f t2 (s (t1) ) = u∈M π u (s (t1) ). In addition, initialize d to be 0. The scale of the MILP model is decreased from r to $t_1 = r - t_2$ by the divide-and-conquer strategy, meanwhile the number of MILP models is pruned from |M| to |M| by the maximal polynomial technique. In our experiments, this strategy can greatly improve the efficiency of the MILP-aided degree evaluation, especially for large rounds. For example, on a laptop with 8GB RAM and an i7-8550U CPU, the traditional method based on division property cannot return a result in 2.5 hours for 788-round Trivium. However, it takes no more than 20 minutes to return the degree using the divide-and-conquer strategy. The framework of estimating the degree for a stream cipher up to r rounds is described in Algorithm 2. Note that the number of models is |M| in step 2, which depends entirely on the selection of $t_2$. We will illustrate how to achieve a trade-off in determining $t_2$ in the next subsection.

Experiments on Trivium and Kreyvium
In this subsection, we apply Algorithm 2 to evaluate the upper bounds on the degree of Trivium and Kreyvium, and compare the results with [Liu17] to illustrate the advantage of degree evaluations using division property. We will omit the details of the two ciphers, and one can refer to [CP08, CCF+16] for more details.
First of all, we need to choose an appropriate split on the round. In our experiments, we calculate the precise ANFs of f r (s (0) ) when r ≤ 250 both for Trivium and Kreyvium. Table 2 lists the number of monomials for several rounds, where |M| and |M| respectively denote the number of monomials of f r (s (0) ) and f r (s (0) ) for 215 ≤ r ≤ 235. Comparing the number of monomials for different rounds, we set $t_2 = 225$ in the divide-and-conquer strategy for Trivium and Kreyvium. Hence, we can use Algorithm 2 to estimate the algebraic degree of the two ciphers, where the degrees of rounds 1-225 are obtained by precisely computing the corresponding ANFs and the remaining rounds are obtained by division property.
Besides, we need to state that 3SBDP as well as monomial prediction can be used to compute the exact degree of ciphers. In order to avoid enumerating all division trails, the authors in [HLLT20] provide an idea to explore the exact algebraic degree by evaluating both the lower and upper bounds on the degree, i.e., the exact degree is determined if the two bounds are equal. Meanwhile, they gave the concept of inconsistent sub-trails and proposed the trail extension technique to avoid inconsistent sub-trails to improve the searching efficiency. Thanks to this idea, the exact algebraic degree evaluation can be achieved using 3SBDP for some block ciphers (PRESENT, GIFT, SKINNY-64 and AES in [HLLT20]). In addition, the authors in [HSWW20] used the H-representation of convex hull to describe the monomial trail propagation of the update function of the Trivium cipher instead of modeling the specific AND, COPY and XOR operations. This tip was used to improve the searching efficiency and they could obtain the exact degree of Trivium up to 834 rounds.
It is worth noticing that the gap between the upper bounds estimated by two-subset bit-based division property and the exact degrees given by [HSWW20] is no more than 1 and the upper bounds are actually equal to the exact degrees for most cases. Thus, if we only require an overview of the degree with limited effort, two-subset division property would be a better choice than Boura and Canteaut's formula, Carlet's formula and the numeric mapping method. However, 3SBDP or monomial prediction combined with a more careful analysis like in [HLLT20] or [HSWW20] would be preferable when we want to explore the exact algebraic degree.