Automatic Search of Cubes for Attacking Stream Ciphers

. Cube attack was proposed by Dinur and Shamir, and it has become an important tool for analyzing stream ciphers. As the problem that how to recover the superpolys accurately was resolved by Hao et al. in EUROCRYPT 2020, another important problem is how to ﬁnd “good” superpolys, which is equivalent to ﬁnding “good” cubes. However, there are two diﬃculties in ﬁnding “good” cubes. Firstly, the number of candidate cubes is enormous and most of the cubes are not “good”. Secondly, it is costly to evaluate whether a cube is “good”. In this paper, we present a new algorithm to search for a kind of “good” cubes, called valuable cubes. A cube is called valuable , if its superpoly has (at least) a balanced secret variable. A valuable cube is “good”, because its superpoly brings in 1 bit of information about the key. More importantly, the superpolys of valuable cubes could be used in both theoretical and practical analyses. To search for valuable cubes, instead of testing a set of cubes one by one, the new algorithm deals with the set of cubes together, such that the common computations can be done only once for all candidate cubes and duplicated computations are avoided. Besides, the new algorithm uses a heuristic method to reject useless cubes eﬃciently. This heuristic method is based on the divide-and-conquer strategy as well as an observation. For veriﬁcations of this new algorithm, we applied it to Trivium and Kreyvium, and obtained three improvements. Firstly, we found two valuable cubes for 843-round Trivium , such that we proposed, as far as we know, the ﬁrst theoretical key-recovery attack against 843-round Trivium , while the previous highest round of Trivium that can be attacked was 842, given by Hao et al. in EUROCRYPT 2020. Secondly, by ﬁnding many small valuable cubes, we presented practical attacks against 806-and 808-round Trivium for the ﬁrst time, while the previous highest round of Trivium that can be attacked practically was 805. Thirdly, based on the cube used to attack 892-round Kreyvium in EUROCRYPT 2020, we found more valuable cubes and mounted the key-recovery attacks against Kreyvium to 893-round.

Yao Sun 101 secret variables. Specifically, let k and v be secret and public variables. The output bit of a stream cipher can be represented as a Boolean polynomial f (k, v). Generally, although a relation of secret variables can be obtained directly through the specialization of v in f (k, v), this relation has a high algebraic degree and is hard to be analyzed. Alternatively, instead of using a single value of v, cube attack takes advantage of enormous values. A cube consists of many values of v's. Some bits of v are set as active, and this means, they take all possible combinations of values, while the other bits of v are set inactive and remain unchanged. By taking the values of f (k, v) over all values in the cube, the sum leads to a relation of secret variables. This relation is called the superpoly of the cube, and it is much simpler than f (k, v). By analyzing superpolys, some information about the secret variables can be achieved.
However, due to the complex structure of f (k, v), recovering the superpoly of given a cube used to be very difficult. In the original paper [DS09], a linearity test was proposed to verify linear superpolys. If the superpoly is tested to be linear, then the algebraic normal form (ANF) of this superpoly can be recovered. Later, a quadraticity test was introduced [PJ12], and was used to mount the attacks against Trivium in [FV14]. But since all these attacks were experimental cryptanalysis, there is a probability that the linearity and quadraticity tests fail.
Division Property: A breakthrough came after the division property was proposed in [Tod15,TM16]. Todo et al. revealed the relation between integral cryptanalysis [KW02] and the division property, while integral cryptanalysis was also assumed to be equivalent to square attacks [DKR97] or higher-order differential attacks [Lai94]. Division property is an effective tool to analyze the monomials in f (k, v), but the computation is very expensive. Firstly, breadth-first search algorithms were used, but these algorithms often required unacceptable time and space. Consequently, Mixed Integer Linear Programming (MILP) approach was introduced to model the propagations of the bit-based division property [XZBL16]. Thanks to the efficiency of MILP tools, the bit-based division property for six lightweight block ciphers was shown. Since then, more improvements were given in [SWW17, TIHM17, WHT + 18]. However, traditional division property often suffers from the accuracy problem.
Taking the method proposed in [TIHM17] for example, if there is no division trail such that the output is 1, one can confirm that some specific monomial must not appear in the superpoly with absolute confidence. But if there is such a division trail, the corresponding monomial may or may not appear. The inaccuracy of the division trail method makes many previous key-recovery attacks, e.g., [FWDM18, WHT + 18, YT19, WHG + 19, YLL19], degenerated to distinguishing attacks [HLM + 20]. To solve this inaccuracy problem, threesubset division property was used. The first try was a variant of the three-subset division property [HW19], and later, Wang  Trivium : Trivium is a bit oriented synchronous stream cipher based on NLSFR [DCP08]. It is one of the eSTREAM hardware-oriented finalists and an International Standard under ISO/IEC 29192-3:2012. Trivium has attracted many attentions due to its simple structure and high level security. Trivium uses a 80-bit key and a 80-bit IV, so the complexity of exhaustive search for the key is 2 80 evaluations, and any attack of Trivium must has a lower complexity than 2 80 .
For practical attacks against Trivium, a key-recovery attack on 784-round Trivium was given in [FV14]. Recently, a practical attack against 805-round Trivium was proposed in [YT20], and many linear superpolys were found in practical time. Attacks against higher rounds of Trivium are still theoretical. An attack on 855-round Trivium was reported in [FWDM18], but some flaws were proposed later after this paper was published. The split into several subsystems through the divide-and-conquer strategy, characteristics of the subsystems are likely to coincide with those of the whole system, if the number of subsystems that have solutions is not large. Thus, we can reject many useless cubes only via the information obtained from subsystems. With the method, we devised a new efficient algorithm to search for valuable cubes. Instead of testing cubes one by one, the new algorithm deals with a set of cubes together. Although many useless cubes will be rejected during the computation, the remaining ones are likely to be valuable cubes. To verify the effectiveness of the proposed algorithm, we applied it to two famous stream ciphers, Trivium and Kreyvium, and obtained three improvements.
1. We obtained the first key-recovery attack against 843-round Trivium, while the previous highest round that can be attacked was 842, given in [HLM + 20].
The new algorithm successfully found many valuable cubes for 840-, 841-, and 842round Trivium. Particularly, we got two valuable cubes for 843-round Trivium. A summary of the results is shown in Table 1, and the details are presented in Section 4.1. In this table, the data in the first row means that, for 840-round Trivium, we found 222 valuable cubes. The dimensions of these cubes are all 78, and the secret variable k 0 is balanced in all the corresponding superpolys. The superpoly of a valuable cube for 843-round Trivium was recovered, and it consists of 16 561 monomials. For a key-recovery attack against 843-round Trivium, we need 2 78 evaluations of 843-round Trivium to gain the specific value of the superpoly. Using this superpoly, we can filter out 2 79 impossible keys, and the complexity of exhaustive search becomes 2 79 . In this way, the overall complexity of our approach is lower than 2 80 .
2. We found many new small valuable cubes to perform practical key-recovery attacks against 808-round Trivium, while the previous highest round of Trivium that can be attacked practically was 805, given in [YT20].
To do practical attacks, we need many valuable cubes instead of one. To reduce the number of requests in the online phase, like done in [YT20], we preset a set of indexes of public variables, say S, and we only searched for valuables cubes that are from the subsets of S. The new algorithm successfully found many small valuable cubes for 806-and 808-round Trivium, and we also recovered all their superpolys. Although these superpolys are mostly nonlinear, we can still perform practical key-recovery attacks by delicately selecting the variables for enumeration.
As shown in Table 2, the data in the first row means that, for 806-round Trivium, we preset a set S a , which contains indexes of 39 public variables. We totally found 29 valuable cubes, and the dimensions of these cubes are 34 ∼ 37. Details about the cubes and {S a , S b } are presented in Section 4.2.

104
Automatic Search of Cubes for Attacking Stream Ciphers For 893-round Kreyvium, we used the same preset set as that for attacking 892-round Kreyvium, and searched for valuable cubes whose balanced variables include k 26 . Finally, we obtained 1 valuable cube and recovered its superpoly. Thus, the overall complexity of the key-recovery attack is 2 127 + 2 115 , which is a bit smaller than the exhaustive search complexity 2 128 . We believe this complexity can be further lowered by searching for more valuable cubes, and we also think valuable cubes can be found in high rounds of Kreyvium as well.
The source codes of the proposed algorithm, including those searching for valuable cubes and retrieving superpolys, were released at https://github.com/ysun0102/ searchforcubes. This paper is organized as follows. Section 2 introduces necessary notations and some preliminaries. The new search algorithm is reported in Section 3, and its applications to Trivium and Kreyvium are in Section 4. We conclude this paper in Section 5.

Notations
Let F 2 [x] be the polynomial ring over the field F 2 = {0, 1} in variables x = (x 0 , x 1 , . . . , x n−1 ). Given a bit-vector u = (u 0 , u 1 , . . . , u n−1 ) ∈ F n 2 , , and a u x u is called a term where a u ∈ F 2 . A polynomial is a sum of finite terms.
To avoid confusion, we use bold letters to represent bit-vectors in this paper. Besides, we always use x to represent unknowns or inputs to a function, and use y to represent the outputs of a vectorial function. Secret and public variables are denoted by k and v. And u and w are always used as the powers of monomials. The support of a bit-vector u = (u 0 , u 1 , . . . , u n−1 ) ∈ F n 2 is defined as the set Supp(u) = {i | u i = 1}, and the weight of u is defined as wt(u) = |Supp(u)|, where |{·}| is the cardinality of the set {·}. Given a monomial x u , its degree is defined by wt(u).
Let f : F n 2 → F 2 be a Boolean function, then its algebraic normal form (ANF) can be represented as a polynomial in the ring F 2 [x]:f = u∈F n 2 a u x u , where a u ∈ F 2 . For an ANFf , we say a monomial x u appears inf , if the coefficient of x u inf is 1, i.e., a u = 1, and we denote x u →f ; otherwise, we denote x u →f .
In Section 3, we will use an algebraic manner to describe the search algorithm, and we will recover the superpolys by solving a system of constraints, where the constraints could be algebraic equations, conjunctive normal forms, or integer inequalities. Let F (x) be a set of constraints, where x are unknowns. We use F (x | constraints) to denote the system after adding some new constraints to F (x). The solutions to the system F (x) and F (x | constraints) are represented by Sol(F ) and Sol(F | constraints) respectively. For example, Sol(F | wt(x) = 2) is the set of x such that x is a solution to F (x) and wt(x) = 2. Note that we always have Sol(F | constraints) ⊆ Sol(F ).

Cube attack
Cube attack was proposed in EUROCRYPT 2009 [DS09]. For a cipher with n secret variables and m public variables, each output bit of this cipher can be represented as a polynomial in secret and public variables. Denote k = (k 0 , k 1 , . . . , k n−1 ) and v = (v 0 , v 1 , . . . , v m−1 ) as the secret and public variables respectively, where k i , v j ∈ F 2 for 0 ≤ i < n and 0 ≤ j < m. Thus, one output bit can be written as f , where f is a polynomial in the ring F 2 [k, v] for 0 ≤ i < n and 0 ≤ j < m.
Let I ⊆ {0, 1, . . . , m − 1} be a set of indices of public variables. A cube determined by I is denoted as C I , and contains all 2 |I| possible combinations of the values of v j 's for j ∈ I, while the value of v j remains unchanged for j ∈ {0, 1, . . . , m − 1} \ I. Then we have the following equation: where t I represents the product i∈I v i , and there is no term of q divisible by t I . The polynomial p is called the superpoly of the cube C I . By the above definitions, the superpoly of C I only involves the inactive public variables v j where j ∈ {0, 1, . . . , m−1}\I, and the values of these variables are often preset to constants in cube attacks. So the superpoly p is actually a polynomial in For a polynomial p ∈ F 2 [k], we say p has a balanced variable k i where 0 ≤ i < n, if the coefficient of k i in f is 1, and the other monomials in f do not involve k i . If a polynomial f has a balanced variable, then f is balanced, i.e., |{k | f (k) = 0}| = |{k | f (k) = 1}| = 2 n−1 . We say a cube is valuable if its superpoly has a balanced variable.
A valuable cube C I may lead to a key-recovery attack against the cipher system represented by f . In the offline phase of cube attack, attackers recover the superpoly p of C I . Next, in the online phase, attackers get the value a of p by querying the encryption oracle 2 |I| times. Since the superpoly is balanced, 2 n−1 illegal keys will be filtered out by the equation p = a. To recover the whole key, it suffices to query the encryption oracle another 2 n−1 times. And the overall complexity of this attack is 2 |I| + 2 n−1 .
Note that more balanced superpolys may filter out more illegal keys, but the complexity of obtaining the values of these superpolys increases. However, the costs of calculating these values may be lowered in a special case. That is, if there are several cubes and their indexes are all from the subsets of a set S, then it only needs 2 |S| requests to calculate all the values of the superpolys. This technique was used in [YT20] to obtain practical cube attacks against round-reduced Trivium. We also use this technique in Section 4.2.

8:
for all feasible solutions do 9: get u = (x 1 , x 2 , . . . , x n , v 1 , v 2 , . . . , v m ) in every found solution 10: increase J[u] by 1 11: end for 12: prepare a polynomial p = 0 13: for all u whose J[u] is an odd number do 14:  The pseudo code of the update function is given as follows.

Monomial prediction
The concept of monomial prediction was proposed in [HSWW20], to resolve the problem of determining the presence or absence of a monomial in the algebraic normal form of a Boolean function. In our opinion, the monomial prediction technique is in fact an algebraic representation of the three-subset division property without unknown subset technique proposed in [HLM + 20], because the codes provided by both authors are identical. We prefer the concept of monomial prediction, as we would like to describe our search algorithm in an algebraic manner. So we rewrite the monomial prediction technique below. Let Then y w can be represented as a Boolean polynomial with respect to x, and we are interested in whether x u → y w , where u ∈ F n 2 and w ∈ F m 2 . Generally, a vectorial Boolean function equals to a composition of basic vectorial Boolean functions. We present the propagation rules of the copy, AND, and XOR functions below. Rule 1 (copy): Let f copy : F n 2 → F n+1 2 be a copy function, s.t.
For a given bit-vector u ∈ F n 2 , we define that u propagates to w ∈ F n+1 2 under the copy function, or equivalently u ⇒ copy w, by the following rule: be an AND function, s.t.
For a given bit-vector u ∈ F n 2 , we define that u propagates to w ∈ F n−1 2 under the AND function, or equivalently u ⇒ AN D w, by the following rule: For a given bit-vector u ∈ F n 2 , we define that u propagates to w ∈ F n−1 2 under the XOR function, or equivalently u ⇒ XOR w, by the following rule: If a vectorial Boolean function, say f , can be represented as a composition of the copy, AND, and XOR functions, for a given x u , we can theoretically obtain the set of all possible y w such that f (x) = y and u ⇒ f w by applying the above rules repeatedly. However, the set of all possible w is often too large to be computed. Fortunately, it is not necessary to compute the whole set, and instead, we are only interested in finding the bit-vectors u ∈ F n 2 , such that u ⇒ fw wherew is a pre-given specific bit-vector in F m 2 . For this goal, the bit-vector u is set as unknowns, and a system of the (in)equations can be built with respect to f andw. Finally, we can obtain all desired u by solving this system. Example 1. Let x = (x 0 , x 1 ) and y = f (x) = (x 0 x 1 + x 1 , x 0 ), then f can be decomposed into the following procedure Consider u = (0, 1), then we have x u = x 1 and (0, 1) propagates in the following way (1) Then we have (0, 1) ⇒ f (1, 0). However, the propagations of (1, 1) are more complicated because of the two copy rules.
Note that we have yw in F 2 , so yw represents a Boolean function with respect to x. We denote this function by f which is from F n 2 to F 2 . We are interested in which monomial appears in the ANF of f , i.e., the set of x u such that x u →f , wheref is the ANF of f and f = yw. But please remark that, u ⇒ f w does not always imply x u → y w , if the function y = f (x) is not one of the basic copy, AND, and XOR functions. This is because there are more than one possible propagating ways in the copy rule, such that u can propagate to w through several different ways. To get a definite answer to whether x u →f holds, like division trails, Hu et al. defined the concept of monomial trails.
Using the concepts of monomial trail and monomial hull, we can determine the presence or the absence of a monomial by the following proposition.
Since the size of the hull is 2, by Definition 1, we have Thus, to check where x u appears inf , we only need to compute all monomial trials connecting x u andf . Only if the number of these monomial trails is odd, we have x u →f . For computing monomial trails, an MILP model can be built and solved by Gurobi [GO21]. Each feasible solution to this model corresponds exactly to one monomial trail.

A search algorithm for valuable cubes
The search algorithm is based on the divide-and-conquer strategy and an observation, so we introduce these two parts in Section 3.1 and 3.2, respectively. Then the search algorithm comes in Section 3.3.

A divide-and-conquer algorithm for recovering superpolys
The divide-and-conquer strategy has been used for recovering superpolys in [HLM + 20, HSWW20]. Bigger systems were divided into smaller subsystems to speed up the computations. Our algorithm also needs the divide-and-conquer strategy, because we hope to obtain the characteristics from the small subsystems instead of the whole large system. We first present an algebraic description of the divide-and-conquer algorithm, and then give a specialization of this algorithm for recovering superpolys for Trivium.
A stream cipher is usually constructed in an iterative manner. Let x ∈ F n 2 be the initial state and y ∈ F m 2 be the final state, then we have y = f (r−1) •f (r−2) •· · ·•f (0) (x), where f (i) are the copy, AND, or XOR functions for i = 0, 1, . . . , r −1. Thus, denote where π u (x) = x u . Thus, we have the following two sequences, and For a stream cipher, the output is often one bit, and can be represented as yw for a constant bit-vectorw ∈ F m 2 . The bit yw represents a Boolean function of x, and its algebraic normal formf can be calculated by expanding yw with respect to x. The complete form off is often too complicated to obtain, but it is possible to pry into parts off . Given a cube C I , let t I be the product of active public variables whose indexes are in I. To recover the superpoly of C I , it suffices to find out all monomials x u appearing in f such that t I divides x u , or equivalently I ⊆ Supp(u). So to recover the superpoly of C I we build the following system: where is a set of constraints, and I ⊆ Supp(u (0) ), u (r) =w are two new constraints added to the system F a,b (u). The set of all solutions to F a,b (u) is denoted by Sol(F a,b ), and similarly, Sol(F a,b | constraints) represents the set of solutions to the system Sol (F a,b | constraints).
If a solution in Sol(F 0,r | I ⊆ Supp(u (0) ), u (r) =w, u (0) =ū) is found, we obtain a monomial trail πū(x) πw(y) by Equation (2). For convenience, we say this solution is related to the monomial πū(x). Then Sol(F 0,r | I ⊆ Supp(u (0) ), u (r) =w, u (0) =ū) is the set of solutions related to the monomial πū(x). According to Proposition 1, we have that the monomial xū appears inf , or xū →f , if the cardinality of the set Sol(F 0,r | I ⊆ Supp(u (0) ), u (r) =w, u (0) =ū) is odd. Moreover, if all solutions to System (3) are found, the superpoly of C I can be recovered by collecting all appearing monomials. Systems are often easier to be solved if the systems have fewer unknowns and constraints. Note that System (3) can be divided into two smaller systems: and For System (4), because there is no constraints on u (i) , the system has a huge number of solutions and is usually hard to be solved. Fortunately, System (5) can be solved with lower complexity than solving System (3). If a solution to F top (u) is found and u (i) =v, wherev is a bit-vector, we can add the constraint "u (i) =v" to System (4), such that the revised system can be solved easier.
Clearly, every solution to system F bottom (u | u (i) =v) can be extended to a solution to System (3) by appending a solution in Sol(F top | u (i) =v). Thus, to determine whether xū appears inf , we can deduce the following equation: Then xū appears inf if and only if |Sol(F | u (0) =ū)| is odd. Note that |Sol(F top | u (i) = v)| contributes nothing if it is even.
By Equation (6), solving a large system F (u) is converted to solving several small subsystems like F bottom (u | u (i) =v). The number of subsystems is number of different v's that |Sol(F top | u (i) =v)| is odd.
Generally, the complexity of solving System (5) can be controlled by choosing the position of i. Particularly, if the system F bottom (u | u (i) =v) is still too complicated to be solved quickly, we can divide this system to even smaller subsystems.
In all, we have the following divide-and-conquer algorithm for recovering superpolys.
return {xū | u (0) =ū appears for odd times in S} Algorithm 1 presents the framework of the divide-and-conquer algorithm. To practically recover a superpoly, some details should be clarified. We take Trivium for an example, and Gurobi [GO21] is used for solving the systems.

Recovering the superpoly for round-reduced Trivium
Algorithm 2 is a specialization of Algorithm 1 for Trivium. To recover the superpoly of C I for an r-round Trivium, it suffices to call SuperP olyT rivium(r, C I , ∅).  return {xū |ū appears for odd times in S}

An observation
Our goal is to search for valuable cubes efficiently. An important step of the search algorithm is to verify whether a given cube C I is valuable. The direct way is to recover the whole superpoly, but this is very expensive if the cipher system is very complicated, e.g., 843-round Trivium. An alternative way is to only test whether a specific secret variable k i is balanced. This method only needs to compute the monomials that involve the variable k i , and is more efficient. However, for sake of security, the number of secret variables in stream ciphers is at least 80, and this means we need to repeat this method many times, since most secret variables are not balanced. Instead of using a verification mode, we realized the exclusive mode would be more efficient. For example, if we know that a monomial k 0 k 2 k 4 appears in the superpoly of a cube C I , then we are sure that the secret variables k 0 , k 2 , and k 4 are not balanced. But this exclusive method raises another crucial problem: how to confirm a monomial appears in the superpoly?
The direct and precise way of checking whether a monomial, say xū, appears in the superpoly, is to solve System (3) by adding an additional constraint "Supp(ū) ∪ I = Supp(u (0) )". The complexity of this approach is much lower than that of recovering the whole or parts of the superpoly. But it is still not endurable, because there are lots of monomials to be confirmed. For sake of efficiency, we used a probabilistic method for this verification based on Observation 2, before which we introduce the following straightforward observation first.

Observation 1: Let F (u) be a (sub)system like System (3) or (4). Among all monomials related to the solutions of F (u), most of them are related to EVEN numbers of solutions.
In our experiments, this ratio (number of monomials that are related to even numbers of solutions / number of all monomials) usually went over 90%, particularly when F (u) was complex. This means, if a monomial xū is related to N solutions, the probability of N being odd is low. Observation 2: In the last subsection, we get the following relation: When the number of subsystems that have solutions is not too large, we observed that, for a given monomial xū, if the cardinality of the set Sol(F bottom | u (i) =v, u (0) =ū) is odd in a subsystem, then the number |Sol(F | u (0) =ū)| tends to be odd with a relative high probability. The probability increases when the weight ofū increases. The condition that "the number of subsystems that have solutions is not too large" is important to the above observation. Because in this case, the monomial xū has a low probability of relating to solutions in other subsystems, and moreover, even if xū relates to solutions in another subsystem, the probability of its related number being odd is also low by Observation 1.

Discussion about the success rate of Observation 2
As it is very hard to provide theoretical proofs supporting Observation 2, we only discuss about the success rate from the experimental way.

113
For an evidence of Observation 2, we studied the probabilities of the monomials obtained when recovering the superpolys of 841-and 842-round Trivium. For example, to recover the superpoly of the cube where the indexes of active variables are {0, . . . , 79} \ {18, 34} for 842-round Trivium, the divide-and-conquer algorithm is used, and 5 034 subsystems are constructed and solved. Among these subsystems, 48 have solutions. We finally obtained 4 917 raw monomials and 975 of them are confirmed to appear in the superpoly. For each raw monomial xū, its related solutions may be obtained from several subsystems. We are interested in whether its solution number in some subsystem is odd, and whether the overall solution number is odd. Table 3 shows the statistics according to the weights of monomials in the superpolys. The numbers "3, 458, 373, 81.44%" in the fourth line of 842-round Trivium means that, among all 3-degree monomials that were computed from subsystems, there are 458 raw monomials such that their related solution numbers are odd in some subsystems. The overall solution numbers of 373 raw monomials are still odd, i.e., these 373 monomials are confirmed to appear in the superpoly. "81.44 %" is the ratio of 373 divided by 458.  Table 3 provides an experimental proof for Observation 2. As the degrees of monomials increase, the probabilities that Observation 2 holds increase as well. However, degree-2 monomials always have lower probabilities in Table 3, it is natural to worry about 114 Automatic Search of Cubes for Attacking Stream Ciphers Observation 2 will fail for these monomials. Note that monomials with degree 0 and 1 will not be used to reject useless cubes, so we do not consider them here.
To check the probabilities for degree-2 monomials, we did more experiments. Using the three cubes of 841-round Trivium in Table 3, by back-expanding (150, 200, 250, 300, 320, 340) rounds, we obtained (48, 120, 869, 4 147, 15 584, 37 371) subsystems. For the first cube, the numbers of subsystems that have solutions related to degree-2 monomials, are (2 ,  5, 5, 6, 8, 8). The probabilities (odd in final / odd in subsystems in Table 3) of degree-2 monomials are always 95.65%. For the other two cubes, related numbers of subsystems are (2, 4, 4, 5, 7, 7) and (2, 5, 5, 8, 10, 10). The corresponding probabilities are (98.55%, 93.79%, 93.79%, 93.15%, 92.52%, 92.52%) and (96.32%, 90.76%, 90.76%, 90.76%, 90.55%, 90.55%). We can see the numbers of subsystems that have solutions are much less than the numbers of all subsystems, and the increase of these numbers leads to the decrease of related probabilities. But in all, the probabilities are relatively high. During our practical searches of valuable cubes, we handled thousands of cubes together and generated lots of subsystems, but the monomials that related to a specific cube usually appeared in only a small number of subsystems, e.g., for 841-round Trivium, the number is 8 ∼ 27 generally. Thus, Observation 2 held with a relatively high probability in our experiments, and helped us find many valuable cubes.
Since it is hard to calculate the precise success rates of Observation 2, we have a remedy if the actual success rates of Observation 2 are really very low. We noted that, the larger the subsystems are, the higher the probabilities that Observation 2 hold will be. Particularly, if the subsystems are large enough to be the whole system, Observation 2 surely holds. So if we thought the practical success rates of Observation 2 was very low and no valuable cubes were found, we could increase the sizes of the subsystems and compute again. If there really exist some valuable cubes among the candidate ones, we eventually find some when the subsystems are large enough.

Discussion about Observation 2 and Todo et al.'s assumptions
In [TIHM17], Todo et al.'s made the strong and weak assumptions: "for a cube C I , there are many values in the constant part of IV whose corresponding superpoly is balanced", or "is not a constant function". Todo et al.'s assumptions provided a possible way to search for lots of balanced superpolys together, i.e., considering one cube with different values in the constant part of IV. But these two assumptions were later proved wrong in [YT19].
However, Observation 2 as well as the new search algorithm use the monomial prediction technique proposed in [HSWW20], which only considers the case that the values in the constant part of IV are all 0's. So the new search algorithm handles many cubes together in a different way from that in above paragraph, i.e., it handles many different sets of active bits in IV, e.g., the set of cubes whose dimensions are 78, while the values of inactive bits are always set as 0's. So Observation 2 has no direct relations to Todo et al.'s assumptions.

A search algorithm for valuable cubes
Based on Observation 2, we devised a new algorithm to search for valuable cubes. In this algorithm, we consider a set of cubes together instead of a single one, because many duplicated computations of these cubes can be avoided when we deal with them together. Let C be a set of candidate cubes. For example, C is the set of cubes whose dimensions are 34, 40, or 78.
First of all, we need to select a secret variable to perform further searches. This selection can be done based on some heuristic computations, or just done randomly.
For a selected secret variable, say k i , we use a table to record the status of each cube in C. The status of every cube C I ∈ C could be not appear, linear, and excluded. Initially, the status of all cubes is set as not appear. For the status linear, we also record the number of solutions that are related to the monomial t I k i where t I is the product of public variables Yao Sun 115 with indexes in I.
Next, we use the divide-and-conquer algorithm to compute all monomials that probably appear in the superpolys of cubes in C. As there are many cubes in C instead of one, we change the condition "I ⊆ Supp(u (0) )" in System (3) to "there exists C I ∈ C such that I ⊆ Supp(u (0) )". And we also need to add the condition "k i divides π u (0) (x)" to the system, i.e., we only consider the monomials involving k i .
When the computation starts, the divide-and-conquer strategy will divide the large system into several small subsystems. Once a subsystem is solved, we collect the solutions, and deal with the monomials related to these solutions. Please note that, by the first constraint added in the last paragraph, every monomial corresponds to a cube C I ∈ C. If solutions related to the monomial t I k i are found and the status of C I is not excluded, we record/add the number of solutions and mark the status of C I as linear. If solutions related to some monomial with higher degree than t I k i are found, we have three criteria to deal with this monomial. If a cube C I is excluded by a criterion, we update the status of C I to excluded, and add a constraint to the other subsystems to exclude the solutions related to the cube C I .
Based on Observation 2, there are two criteria for dealing with the monomials with higher degrees than t I k i .

First Criterion:
If there are solutions related to a monomial xū, such that xū = t I k i , then k i is supposed to be unbalanced in the superpoly of C I , and hence, we exclude the cube C I from C.
Second Criterion: If the number of solutions related to a monomial xū is odd, where xū = t I k i , then k i is supposed to be unbalanced in the superpoly of C I , and hence, we exclude the cube C I from C.
By the above definitions, we can see that First Criterion is more aggressive but also more efficient. A brief comparison is shown in Table 4. So First Criterion can be used for simple systems, while Second Criterion is usually applied to more complicated systems.
After the search algorithm terminates, i.e., all subsystems are solved, we check the status of the cubes in C. If a cube has the status linear, and the number of related solutions is odd, then we successfully find a valuable cube; otherwise, if no valuable cubes are found, we change the set C or change the secret variable k i , and try again. The search algorithm is given by Algorithm 4.
In practical applications, the above search algorithm may not terminate within endurable time due to the complicated structures of the ciphers. In this case, if most of the candidate cubes have been excluded, we can check the remaining cubes one by one, via the direct way. It usually does not take much time to find a valuable cube, and we found the valuable cubes for 843-round Trivium and 893-round Kreyvium in this way.

Applications to Trivium and Kreyvium
We applied the search algorithm to Trivium and Kreyvium, and obtained three main improvements. Due to the page limit, superpolys used in this section can be found at https://github.com/ysun0102/searchforcubes/tree/main/results.

Theoretical cube attacks against round-reduced Trivium
To obtain theoretical cube attacks, we searched for valuable cubes whose dimensions are 78. As there are 80 secret variables in Trivium, a valuable cube with dimension 78 could lead to a theoretical attack with the complexity 2 79 + 2 78 . So the candidate set C is set as all the cubes with 78 public variables and the size of C is 3 160. For 840-round Trivium, we chose k 0 , k 1 , k 2 as candidate secret variables, and performed brief comparisons between these secret variables as well as the two criteria. Our platform is: AMD Threadripper 3970X with 32 cores, 256 GB memory, Ubuntu 20.04. In Table 4, we can see that Criterion 1 is more efficient, but more possible valuable cubes were rejected aggressively. We recovered 9 superpolys for the founded valuable cubes, i.e., the first 3 valuable cubes for each k i . The computing time is shown in Table 5. Although the time differs significantly for different cubes, it is always more than 1 hour. Thus, compared with the proposed search algorithm, it takes much more time to search for valuable cubes by retrieving all superpolys for (3 160) candidate cubes.
As the algebraic structures of 841-and 842-round Trivium are not very complicated, we used First Criterion to reject useless cubes. For 841-round Trivium, we found 2 valuable cubes for k 0 , and 42 valuable ones for k 1 . For 842-round Trivium, we directly chose k 1 as the candidate secret variable. We found 28 cubes whose status is linear, and there are 5 cubes having odd numbers of solutions.

Cube attacks against 843-round Trivium
To search for valuable cubes for 843-round Trivium, Second Criterion is used to reject useless cubes. We selected k 2 as the candidate secret variable. However, the computations were slowed down after using Second Criterion, so we cut down the program when about 3 140 cubes were excluded. For the remaining 20 cubes, we tested them directly by recovering the monomials that only involve k 2 . It took about 10 000 seconds for each test. Finally, we found two valuable cubes whose inactive public variables are: For recovering the superoly of the cube C I where I = {0, . . . , 79} \ {30, 76}, we totally obtained 1 085 554 019 solutions in more than two weeks. These solutions are related to 140 096 raw monomials, and the distribution of solutions is unbalanced. For instance, there are 396 911 938 solutions related to the monomial t I , i.e., the constant "1" in the superpoly. By removing the raw monomials whose solution numbers are even, we obtained 16 561 monomials that really appear in the superpoly of C I . Detailed results about this superpoly can be found at the GitHub website.
Thus, we can get the value of this superpoly by summing up all 2 78 possible values in the cube C I . As the value of k 2 can be deduced directly from the other secret bits by using this superpoly, we can recover the whole 80-bit key by doing 2 79 exhaustive searches. The overall complexity is lower than 2 80 , and it is an attack against 843-round Trivium.

Practical cube attacks against round-reduced Trivium
To perform practical cube attacks, we need many valuable cubes instead of a single one, and besides, the dimension of the cubes must be small. Using the idea in [YT20], we preset a set of indexes, and then searched for valuable cubes whose indexes are the subsets of the preset set. If the size of the preset set is l, to obtain the values of the superpolys related to the obtained valuable cubes, it suffices to query the encryption oracle 2 l times.
Please remark that, unlike the linear superpolys found in [YT20], almost all superpolys found by our technique are nonlinear, but these superpolys all have balanced secret variables. This characteristic enables us to deduce the values of balanced variables by linearizing the superpolys, and the linearization can be done by delicately selecting the variables that are used to enumerate values. Moreover, once the values of some balanced variables are deduced, they can be used to deduce the values of other balanced variables iteratively. We use the following toy example to illustrate this iterative deduction.
To solve this system, we can enumerate the values of x 4 and x 5 to linearize the polynomial f 2 , and no matter what values they are, we will get the specific value of x 2 . Then, we can get the value of x 3 after knowing the values of x 2 and x 5 in f 3 . And consequently, we can deduce the value of x 1 in f 1 after knowing the specific values of all the other variables. In this way, for each enumeration of x 4 and x 5 , we can solve (x 2 , x 3 , x 1 ) within constant time. So the overall complexity for solving this system is 2 2 .
Please remark that, there are three crucial points in the above method. Firstly, the polynomials must have balanced variables. Secondly, the deducing order of variables is very important, e.g., the value of x 1 cannot be obtained from f 1 by only guessing the values of x 4 and x 5 at the beginning. Thirdly, the above method is independent with the specific values of {f 1 , f 2 , f 3 } and {x 4 , x 5 }, i.e., the values of {x 2 , x 3 , x 1 } can always be solved no matter what values of {f 1 , f 2 , f 3 } and {x 4 , x 5 } are.

A practical attack against 806-round Trivium
In [YT20], the authors presented 16 cubes whose superpolys are linear, and the values of these superpolys can be obtained by 2 38.64 requests. But they had to use a bruteforce attack to recover the remaining 64 key bits, so their overall attack cannot be done practically.
To obtain a practical attack against 806-round Trivium, we searched for more valuable cubes. We preset a set of indexes, say S a , which was obtained by merging some sets in [YT20]. The size of S a is 39, so it only needs 2 39 requests to obtain all the values of superpolys whose related cubes are from the subsets of S a . Finally, we found 29 valuable cubes and recovered related superpolys, which can be found at the GitHub website. Details about these cubes as well as S a are shown in Table 6. To attack 806-round Trivium practically, it takes 2 39 requests to obtain all the values of superpolys in Table 6. By using the linear superpolys in [YT20], we can get the values of the 16 variables: {k 14 , k 15 , k 17 , k 28 , k 32 , k 33 , k 41 , k 42 , k 44 , k 46 , k 52 , k 55 , k 58 , k 59 , k 63 , k 65 }, and the complexity is 2 38.64 . Next, we need to enumerate the values of 35 variables: {k 1 , k 8 , k 10 , k 11 , k 12 , k 23 , k 24 , k 25 , k 27 , k 34 , k 37 , k 38 , k 39 , k 40 , k 43 , k 47 , k 49 , k 51 , k 53 , k 54 , k 56 , k 57 , k 61 , k 62 , k 64 , k 66 , k 68 , k 69 , k 70 , k 71 , k 72 , k 73 , k 74 , k 75 , k 76 }, and the complexity is 2 35 . During each enumeration, the values of the remaining 29 variables can be deduced iteratively in the following order: (k 67 , k 77 , k 2 , k 7 , k 29 , k 48 , k 50 , k 3 , k 26 , k 0 , k 30 , k 60 , k 78 , k 9 , k 79 , k 16 , k 18 , k 13 , k 35 , k 36 , k 22 , k 45 , k 20 , k 31 , k 19 , k 21 , k 6 , k 4 , k 5 ), and this deduction only costs constant time. To sum up, the whole attack costs 2 39 + 2 38.64 + 2 35 operations, which can be done practically.