Modeling for Three-Subset Division Property without Unknown Subset

Abstract

A division property is a generic tool to search for integral distinguishers, and automatic tools such as MILP or SAT/SMT allow us to evaluate the propagation efficiently. In the application to stream ciphers, it enables us to estimate the security of cube attacks theoretically, and it leads to the best key-recovery attacks against well-known stream ciphers. However, it was reported that some of the key-recovery attacks based on the division property degenerate to distinguishing attacks due to the inaccuracy of the division property. Three-subset division property (without unknown subset) is a promising method to solve this inaccuracy problem, and a new algorithm using automatic tools for the three-subset division property was recently proposed at Asiacrypt2019. In this paper, we first show that this state-of-the-art algorithm is not always efficient and we cannot improve the existing key-recovery attacks. Then, we focus on the three-subset division property without unknown subset and propose another new efficient algorithm using automatic tools. Our algorithm is more efficient than existing algorithms, and it can improve existing key-recovery attacks. In the application to Trivium, we show a 842-round key-recovery attack. We also show that a 855-round key-recovery attack, which was proposed at CRYPTO2018, has a critical flaw and does not work. As a result, our 842-round attack becomes the best key-recovery attack. In the application to Grain-128AEAD, we show that the known 184-round key-recovery attack degenerates to a distinguishing attack. Then, the distinguishing attacks are improved up to 189 rounds, and we also show the best key-recovery attack against 190 rounds. In the application to ACORN, we prove that the 772-round key-recovery attack at ISC2019 is in fact a constant-sum distinguisher. We then give new key-recovery attacks mounting to 773-, 774- and 775-round ACORN. We verify the current best key-recovery attack on 892-round Kreyvium and recover the exact superpoly. We further propose a new attack mounting to 893 rounds.

Appendices

On Source Code

We provide two source codes to well understand our algorithm in https://github.com/ysktodo/milp-three-subset-wo-unknown.

1.1 Code for Superpoly Recovery on Trivium and Grain-128AEAD

Under code/recovery, there is a source code to recover the superpoly for Trivium and Grain-128AEAD. This code is written in C++ with Gurobi API. Therefore, to compile and run this code, you need to install Gurobi Optimizer in advance. If you already install the Gurobi Optimizer version 8.1, you just run

make

If your Gurobi Optimizer is not version 8.1, please change LIB option in makefile.

If you want to try the superpoly recovery for 840- or 841-round Trivium, you just run

./a.out -r [840 or 841] -trivium -t [option : thread number]

Note that this code does not return the answer quickly. It depends on the performance of your computer, and if you execute this code in a cheap computer, you need to wait a few days. We highly recommend that this code is executed on a computer with good performance.

If you want to try the superpoly recovery for 190-round Grain-128AEAD, you just run

./a.out -r 190 -grain -t [option : thread number]

Moreover, if you want to try 15 superpolies that are used in the key-recovery attack against Grain-128AEAD, you just run

./a.out -r 190 -grain -subcube -t [option : thread number]

Similarly to the case of Trivium, this code does not return the answer quickly. Therefore, we highly recommend that this code is executed on a computer with good performance.

This source code also provides the practical verification, where the superpoly is recovered under the randomly chosen cube whose size is chosen from the practical range. The correctness of the recovered superpoly is experimentally verified by using 100 randomly generated secret key bits and non-cube IV bits. If you want to try this verification, you just run

./a.out -trivium -practical

for Trivium and

./a.out -grain -practical

for Grain-128AEAD.

1.2 Code for Verification of Statement 1

Under code/855disproof, there is a source code to verify Statement 1. Similarly to the source code for the superpoly recovery, this code is written in C++ with Gurobi API. Therefore, to compile and run this code, you need to install Gurobi Optimizer in advance. If you already install the Gurobi Optimizer version 8.1, you just run

make

If your Gurobi Optimizer is not version 8.1, please change LIB option in makefile.

For easy verification, we wrote this source code as simple as possible, and the code length is about 300 lines. Therefore, this verification code is more suited to understand our algorithm than another source code described in A.1. You just run

./a.out -r 855 -t [option : thread number]

Then, you can find only one three-subset division trail.

Proof of Propagation of Modified Three-Subset Division Property

1.1 Proof of Rule 1’ (copy)

Let F be a copy function, where the input \((x[1], x[2], \ldots , x[m])\) takes values of \(\mathbb {F}_2^m\), and the output is calculated as \((x[1], x[1], x[2], x[3], \ldots , x[m])\). Let \(\mathbb {X}\) and \(\mathbb {Y}\) be the input multiset and output multiset, respectively. Now, we want to evaluate the parity \(\bigoplus _{\mathbf {y} \in \mathbb {Y}} \mathbf {y}^{\mathbf {v}}\) for any \(\mathbf {v} \in \mathbb {F}_2^{m+1}\).

$$\begin{aligned} \bigoplus _{\mathbf {y} \in \mathbb {Y}} \mathbf {y}^{\mathbf {v}}&= \bigoplus _{\mathbf {x} \in \mathbb {X}} (F(\mathbf {x}))^{\mathbf {v}}\\&= \bigoplus _{\mathbf {x} \in \mathbb {X}} x[1]^{v[1]} x[1]^{v[2]} x[2]^{v[3]} x[3]^{v[4]} \cdots x[m]^{v[m+1]} \\&= \bigoplus _{\mathbf {x} \in \mathbb {X}} \mathbf {x}^{(v[1] \vee v[2], v[3], \ldots , v[m+1])}. \end{aligned}$$

Assuming that \(\mathbb {X}\) has \({{\mathcal {T}}}_{\tilde{\mathbb {L}}}^{1^m}\),

$$\begin{aligned} \bigoplus _{x \in \mathbb {X}} x^{\mathbf {u}} = {\left\{ \begin{array}{ll} 1 &{}\text{ if } \text{ there } \text{ is } \text{ an } \text{ odd } \text{ number } \text{ of } \mathbf {u} '\text{ s } \text{ in } \tilde{\mathbb {L}}, \\ 0 &{}\text{ otherwise }. \end{array}\right. } \end{aligned}$$

Thus, \(\bigoplus _{\mathbf {y} \in \mathbb {Y}} \mathbf {y}^{\mathbf {v}}\) is 1 if and only if

$$\begin{aligned} \#\{ \mathbf {u} \in \tilde{\mathbb {L}} | \mathbf {u} = (v[1] \vee v[2], v[3], \ldots , v[m+1]) \} \end{aligned}$$

is an odd number. In other words, when \(u[1]=0\), (v[1], v[2]) can take (0, 0). When \(u[1]=1\), (v[1], v[2]) can take (1, 0), (0, 1) and (1, 1). Note that the number of appearance of new \(\mathbf {v}\)’s caused by even-number \(\mathbf {u}\)’s is always even.

1.2 Proof of Rule 2’ (and)

Let F be a nonlinear function, where the input \((x[1], x[2], \ldots , x[m])\) takes values of \((\mathbb {F}_2)^m\), and the output is calculated as \((x[1] \wedge x[2], x[3], \ldots , x[m])\). Let \(\mathbb {X}\) and \(\mathbb {Y}\) be the input multiset and output multiset, respectively. Now, we want to evaluate the parity \(\bigoplus _{\mathbf {y} \in \mathbb {Y}} \mathbf {y}^{\mathbf {v}}\) for any \(\mathbf {v} \in \mathbb {F}_2^{m-1}\).

$$\begin{aligned} \bigoplus _{\mathbf {y} \in \mathbb {Y}} \mathbf {y}^{\mathbf {v}}&= \bigoplus _{\mathbf {x} \in \mathbb {X}} (F(\mathbf {x}))^{\mathbf {v}}\\&= \bigoplus _{\mathbf {x} \in \mathbb {X}} (x[1]x[2])^{v[1]} x[3]^{v[2]} x[4]^{v[3]} \cdots x[m]^{v[m-1]} \\&= \bigoplus _{\mathbf {x} \in \mathbb {X}} \mathbf {x}^{(v[1], v[1], v[2], v[3], \ldots , v[m-1])}. \end{aligned}$$

Assuming that \(\mathbb {X}\) has \({{\mathcal {T}}}_{\tilde{\mathbb {L}}}^{1^m}\), \(\mathbf {x}^{\mathbf {u}}\) is satisfied as

$$\begin{aligned} \bigoplus _{x \in \mathbb {X}} x^{\mathbf {u}} = {\left\{ \begin{array}{ll} 1 &{}\text{ if } \text{ there } \text{ is } \text{ an } \text{ odd } \text{ number } \text{ of } \mathbf {u} '\text{ s } \text{ in } \tilde{\mathbb {L}}, \\ 0 &{}\text{ otherwise }. \end{array}\right. } \end{aligned}$$

Thus, \(\bigoplus _{\mathbf {y} \in \mathbb {Y}} \mathbf {y}^{\mathbf {v}}\) is 1 if and only if there is an odd number of \(\mathbf {u}\)’s in \(\tilde{\mathbb {L}}\) satisfying \(\mathbf {u} = (v[1], v[1], v[2], v[3], \ldots , v[m-1])\). In other words, when \((u[1],u[2])=(0,0)\), v[1] can take 0. When \((u[1],u[2])=(1,1)\), v[1] can take 1. Note that the number of appearance of new \(\mathbf {v}\)’s caused by even-number \(\mathbf {u}\)’s is always even.

1.3 Proof of Rule 3’ (xor)

Let F be a function compressed by an XOR, where the input \((x[1], x[2], \ldots , x[m])\) takes values of \(\mathbb {F}_2^m\), and the output is calculated as \((x[1] \oplus x[2], x[3], \ldots , x[m])\). Let \(\mathbb {X}\) and \(\mathbb {Y}\) be the input multiset and output multiset, respectively. Now, we want to evaluate the parity \(\bigoplus _{\mathbf {y} \in \mathbb {Y}} \mathbf {y}^{\mathbf {v}}\) for any \(\mathbf {v} \in \mathbb {F}_2^{m-1}\).

$$\begin{aligned} \bigoplus _{\mathbf {y} \in \mathbb {Y}} \mathbf {y}^{\mathbf {v}}&= \bigoplus _{\mathbf {x} \in \mathbb {X}} (F(\mathbf {x}))^{\mathbf {v}}\\&= \bigoplus _{\mathbf {x} \in \mathbb {X}} (x[1] \oplus x[2])^{v[1]} x[3]^{v[2]} x[4]^{v[3]} \cdots x[m]^{v[m-1]} \\&= \bigoplus _{\mathbf {x} \in \mathbb {X}} x[1]^{v[1]} x[3]^{v[2]} x[4]^{v[3]} \cdots x[m]^{v[m-1]} \oplus x[2]^{v[1]} x[3]^{v[2]} x[4]^{v[3]} \cdots x[m]^{v[m-1]} \\&= \bigoplus _{\mathbf {x} \in \mathbb {X}} \mathbf {x}^{(v[1], 0, v[2], v[3], \ldots , v[m-1])} \bigoplus _{\mathbf {x} \in \mathbb {X}} \mathbf {x}^{(0, v[1], v[2], v[3], \ldots , v[m-1])}. \end{aligned}$$

Assuming that \(\mathbb {X}\) has \({{\mathcal {T}}}_{\tilde{\mathbb {L}}}^{1^m}\), \(\mathbf {x}^{\mathbf {u}}\) is satisfied as

$$\begin{aligned} \bigoplus _{x \in \mathbb {X}} x^{\mathbf {u}} = {\left\{ \begin{array}{ll} 1 &{}\text{ if } \text{ there } \text{ is } \text{ an } \text{ odd } \text{ number } \text{ of } \mathbf {u} '\text{ s } \text{ in } \tilde{\mathbb {L}}, \\ 0 &{}\text{ otherwise }. \end{array}\right. } \end{aligned}$$

Thus, \(\bigoplus _{\mathbf {y} \in \mathbb {Y}} \mathbf {y}^{\mathbf {v}}\) is 1 if and only if

$$\begin{aligned} \#\{ \mathbf {u} \in \tilde{\mathbb {L}} | \mathbf {u} = (v[1],0,v[2],v[3], \ldots , v[m-1]) \} + \#\{ \mathbf {u} \in \tilde{\mathbb {L}} | \mathbf {u} = (0,v[1],v[2],v[3], \ldots , v[m-1]) \} \end{aligned}$$

is an odd number. In other words, when \((u[1],u[2])=(0,0)\), v[1] can take 0. When \((u[1],u[2])=(1,0)\) or (0, 1), v[1] can take 1. Finally, when the number of appearance of new \(\mathbf {v}\)’s is odd, \(\bigoplus _{\mathbf {y} \in \mathbb {Y}} \mathbf {y}^{\mathbf {v}} = 1\). Otherwise, \(\bigoplus _{\mathbf {y} \in \mathbb {Y}} \mathbf {y}^{\mathbf {v}} = 0\).

Another View of the Three-Subset Division Property without Unknown Subset

At Asiacrypt2020, the work [30] builds upon the three-subset division property without unknown subset, but uses a different notation. Proposition 1 was revisited in view of the parity set  [31].

In this appendix, we also view Proposition 1 and three propagation rules in the context of the parity set. We hope that this view can provide an easier understanding for readers who did not follow the series of research on the division property.

The parity set, which was used as another view of the division property in   [31], is defined as

Definition 6

(Parity Set) Let \(\mathbb {X} \subseteq \mathbb {F}_2^n\) be a set. We define the parity set of \(\mathbb {X}\) as

$$\begin{aligned} \mathcal {U}(\mathbb {X}) := \left\{ \mathbf {u} \in \mathbb {F}_2^n \ \text{ such } \text{ that } \ \sum _{\mathbf {x} \in \mathbb {X}} \mathbf {x}^{\mathbf {u}} =1 \right\} \end{aligned}$$

Remark that the set \(\mathbb {L}\) in Definition 2 is exactly the same as \(\mathcal {U}(\mathbb {X})\) when there is no unknown subset.

Before describing the property of the parity set, we first define the addition of two subsets \(\mathbb {X}, \mathbb {Y} \subseteq \mathbb {F}_2^n\) by

$$\begin{aligned} \mathbb {X} + \mathbb {Y} := (\mathbb {X} \cup \mathbb {Y} ) \setminus (\mathbb {X} \cap \mathbb {Y}). \end{aligned}$$

In other words, we view the set of all subsets of \(\mathbb {F}_2^n\) as a binary vector space of dimension \(2^n\), and this addition is isomorphic to adding the binary indicator vectors of the sets.

Example 3

Considering the sets \(\mathbb {X} = \{001, 010, 110, 111\}\) and \(\mathbb {Y} = \{000, 001, 010, 110\}\), the sum of \(\mathbb {X}\) and \(\mathbb {Y}\) is

$$\begin{aligned} \mathbb {X} + \mathbb {Y} = \{000, 111\}. \end{aligned}$$

From this perspective, for \(\mathbb {X}_i \subset \mathbb {F}_2^n\),

$$\begin{aligned} \mathcal {U}\left( \sum \mathbb {X}_i \right) = \sum \mathcal {U}\left( \mathbb {X}_i \right) \end{aligned}$$

holds, i.e., \(\mathcal {U}\) is a linear mapping. It was shown in [31] that there is a one to one correspondence between sets and its parity set. That is the mapping

$$\begin{aligned} \mathcal {U} : \mathbb {X} \mapsto \mathcal {U}(\mathbb {X}) \end{aligned}$$

is a bijection and actually its own inverse, i.e.,

$$\begin{aligned} \mathcal {U}(\mathcal {U}(\mathbb {X}) ) =\mathbb {X} .\end{aligned}$$

Those properties follow from the linearity of \(\mathcal {U}\) and the following lemma. The proof is added for completeness and to get familiar with the notation.

Lemma 3

Let \(\mathcal {U}\) be the mapping defined above and \(\ell \) be an element in \(\mathbb {F}_2^n\). Then

1. 1.

   \(\mathcal {U}(\{\mathbf {\ell }\})=\{ \mathbf {u} \in \mathbb {F}_2^n \ | \ \mathbf {u} \preceq \mathbf {\ell }\}\)

2. 2.

   \(\mathcal {U}(\{\mathbf {x} \in \mathbb {F}_2^n \ | \ \mathbf {x} \preceq \mathbf {\ell }\})=\{\mathbf {\ell }\}\)

Proof

For the first property, we note that \(\mathbf {x}^{\mathbf {u}}=1\) if and only if \(\mathbf {u} \preceq \mathbf {x}\). Thus, we get

$$\begin{aligned} \mathcal {U}(\{\mathbf {\ell }\})&= \left\{ \mathbf {u} \in \mathbb {F}_2^n \ \text{ such } \text{ that } \ \sum _{\mathbf {x} \in \{\mathbf {\ell }\} } \mathbf {x}^{\mathbf {u}} =1 \right\} \\&= \left\{ \mathbf {u} \in \mathbb {F}_2^n \ \text{ such } \text{ that } \ {\mathbf {\ell }}^{\mathbf {u}} =1 \right\} \\&= \left\{ \mathbf {u} \in \mathbb {F}_2^n \ | \ \mathbf {u} \preceq \mathbf {\ell }\right\} \end{aligned}$$

For the second property, we see that \(\sum _{\mathbf {x} \in \mathbb {F}_2^n \ | \ \mathbf {x} \preceq \mathbf {\ell }} \mathbf {x}^{\mathbf {u}} = 1\) if and only if \(\mathbf {u} = \mathbf {\ell }\). Let \(A_{\mathbf {u}}\) be the number of elements \(\mathbf {x} \preceq \mathbf {\ell }\) such that \(\mathbf {x}^{\mathbf {u}} =1\). We get

$$\begin{aligned} A_{\mathbf {u}} = | \{ \mathbf {x} \preceq \mathbf {\ell }\ | \ \mathbf {x}^{\mathbf {u}} =1 \} | = | \{ \mathbf {x} \preceq \mathbf {\ell }\ | \ \mathbf {u} \preceq \mathbf {x} \} | = | \{ \mathbf {x} \in \mathbb {F}_2^n \ | \ \mathbf {u} \preceq \mathbf {x} \preceq \mathbf {\ell }\} | \end{aligned}$$

and it holds that \(A_{\mathbf {u}}\) is odd if and only if \(\mathbf {\ell }=\mathbf {u}\), which completes the proof. \(\square \)

We next define the propagation as follows.

Definition 7

(Propagation) Given \(F :\mathbb {F}_2^n \rightarrow \mathbb {F}_2^m\) and \(\mathbf {a} \in \mathbb {F}_2^n, \mathbf {b} \in \mathbb {F}_2^m\) we say that the division property \(\mathbf {a}\) propagates to the division property \(\mathbf {b}\), denoted by \(\mathbf {a} \xrightarrow {F} \mathbf {b}\) if and only if \(\mathbf {b} \in \mathcal {U}(F(\mathcal {U}(\{\mathbf {a}\})))\).

Here the image of a set \(\mathbb {X}\) under F is defined as

$$\begin{aligned}F(\mathbb {X}):=\sum _{\mathbf {a} \in \mathbb {X}} \{F(\mathbf {a})\},\end{aligned}$$

that is again using the addition of sets as defined above.

In Definition 7, the propagation is defined without specifying each concrete operation. Only using this definition reveals one important property of the propagation very simply. Given \(U_1=\mathcal {U}({\mathbb {X}})\), for any function F, \(U_2=\mathcal {U}(F({\mathbb {X}}))\) is evaluated as

$$\begin{aligned} U_2= & {} \mathcal {U}(F({\mathbb {X}})) = \sum _{\mathbf {x} \in \mathbb {X}} \mathcal {U}(F(\{\mathbf {x}\})) = \sum _{\mathbf {a} \in \mathcal {U}(\mathbb {X})} \mathcal {U}(F(\mathcal {U}(\{\mathbf {a}\}))) = \sum _{ \mathbf {a} \in U_1, \mathbf {a} \xrightarrow {F} \mathbf {b}} \{\mathbf {b}\}. \end{aligned}$$

(21)

In order to determine \(U_2\) after applying the function F, it is enough to consider what happens with individual elements of \(U_1\) to start with. Here again, we like to emphasize that the sum in Eq. 21 is modulo two, that is, if an element appears an even number of times on the right side, it actually does not appear in \(U_2\).

To understand the link between Definition 7 and propagation rules, we show an example here.

Example 4

Let F be a function compressed by an AND, where the input \(\mathbf {x} \in \mathbb {F}_2^m\) and the output is calculated as \((x[1] \wedge x[2], x[3], \ldots , x[m])\). Let \(\mathbb {X}\) and \(\mathbb {Y}\) be the input and output multisets, respectively. Assuming that \(\mathcal {U}(\mathbb {X}) = \{\mathbf {a}\}\), \(\bigoplus _{\mathbf {x} \in \mathbb {X}} \mathbf {x}^{\mathbf {u}} = 1\) if and only if \(\mathbf {u} = \mathbf {a}\). Then, we want to evaluate \(\mathcal {U}(F(\mathbb {X}))\). Due to Lemma 3,

$$\begin{aligned} \mathbb {X}&= \mathcal {U}(\{\mathbf {a}\}) = \{\mathbf {u} \in \mathbb {F}_2^n | \mathbf {u} \preceq \mathbf {a}\}. \end{aligned}$$

We now take four cases into consideration.

• When \((a[1],a[2])=(0,0)\), \(\mathbb {X} = \{ \mathbf {u} \in \mathbb {F}_2^{n} | \mathbf {u} \preceq (0, 0, a[3], \ldots , a[n])\}\). Then, \(\mathbb {Y} = F(\mathbb {X}) = \{ \mathbf {v} \in \mathbb {F}_2^{n-1} | \mathbf {v} \preceq (0, a[3], \ldots , a[n])\}\). Therefore, \(\bigoplus _{\mathbf {x} \in \mathbb {X}}F(\mathbf {x})^{\mathbf {v}} = 1\) if and only if \(\mathbf {v} = (0,a[3],\ldots ,a[n])\).

• When \((a[1],a[2])=(1,1)\), \(\mathbb {X} = \{ \mathbf {u} \in \mathbb {F}_2^{n} | \mathbf {u} \preceq (1, 1, a[3], \ldots , a[n])\}\). Then, \(\mathbb {Y} = F(\mathbb {X}) = \{ \mathbf {v} \in \mathbb {F}_2^{n-1} | \mathbf {v} \preceq (1, a[3], \ldots , a[n])\}\). Therefore, \(\bigoplus _{\mathbf {x} \in \mathbb {X}}F(\mathbf {x})^{\mathbf {v}} = 1\) if and only if \(\mathbf {v} = (1,a[3],\ldots ,a[n])\).

• When \((a[1],a[2])=(0,1)\), \(\mathbb {X} = \{ \mathbf {u} \in \mathbb {F}_2^{n} | \mathbf {u} \preceq (0, 1, a[3], \ldots , a[n])\}\). Then,

  $$\begin{aligned} \mathbb {Y} = F(\mathbb {X}) = \{ \mathbf {v} \in \mathbb {F}_2^{n-1} | \mathbf {v} \preceq (0, a[3], \ldots , a[n])\} + \{ \mathbf {v} \in \mathbb {F}_2^{n-1} | \mathbf {v} \preceq (0, a[3], \ldots , a[n])\}. \end{aligned}$$

  In other words, the number of appearance of every element is always two and they are canceled out by adding. Therefore, there is no \(\mathbf {v}\) satisfying \(\bigoplus _{\mathbf {x} \in \mathbb {X}}F(\mathbf {x})^{\mathbf {v}} = 1\).

• When \((a[1],a[2])=(1,0)\), \(\mathbb {X} = \{ \mathbf {u} \in \mathbb {F}_2^{n} | \mathbf {u} \preceq (0, 1, a[3], \ldots , a[n])\}\). Then, the set of \(\mathbb {Y}\) is the same as the case of \((a[1],a[2])=(0,1)\). Therefore, there is no \(\mathbf {v}\) satisfying \(\bigoplus _{\mathbf {x} \in \mathbb {X}}F(\mathbf {x})^{\mathbf {v}} = 1\).

We notice that the example above is exactly the same as the propagation rule for \(\mathtt{AND}\) operation. More generally, the authors in [30] showed the following proposition.

Proposition 5

Let \(F : \mathbb {F}_2^n \rightarrow \mathbb {F}_2^m\) be defined as

$$\begin{aligned} F(\mathbf {x}) = \mathbf {y} \end{aligned}$$

For \(\mathbf {a} \in \mathbb {F}_2^n\) and \(\mathbf {b} \in \mathbb {F}_2^m\), it holds that \(\mathbf {a} {\mathop {\rightarrow }\limits ^{F}} \mathbf {b}\) if and only if \(\mathbf {y}^{\mathbf {b}}\) contains the monomial \(\mathbf {x}^{\mathbf {a}}\).

We omit the proof here and refer to [30] for the formal proof.

Following previous works, we now generalize the definition above to the setting where F is actually given as the composition of many functions

$$\begin{aligned} F= F_R \circ \cdots \circ F_2 \circ F_1 . \end{aligned}$$

Definition 8

(Trail) Given \(F :\mathbb {F}_2^n \rightarrow \mathbb {F}_2^n\) as

$$\begin{aligned} F= F_R \circ \dots \circ F_2 \circ F_1 \end{aligned}$$

and \(\mathbf {a}_0 \dots \mathbf {a}_R \in \mathbb {F}_2^n\) we call \((\mathbf {a}_0,\dots , \mathbf {a}_R)\) a (division) trail for the compositions of F into the \(F_i\) if and only if

$$\begin{aligned} \forall i \in \{1,\dots ,R\},\mathbf {a}_{i-1} \xrightarrow {F_i} \mathbf {a}_i.\end{aligned}$$

We denote such a trail by

$$\begin{aligned} \mathbf {a}_0 \xrightarrow {F_1} \mathbf {a}_1 \xrightarrow {F_2} \cdots \xrightarrow {F_R} \mathbf {a}_R .\end{aligned}$$

Using the same considerations as in Eq. 21, we can now state the main reason of why considering trails is useful:

Theorem 1

Given \(F :\mathbb {F}_2^n \rightarrow \mathbb {F}_2^n\) as

$$\begin{aligned} F= F_R \circ \cdots \circ F_2 \circ F_1 \end{aligned}$$

and \(\mathbb {X}\subseteq \mathbb {F}_2^n\). Then

$$\begin{aligned} \mathcal {U}(F(\mathbb {X})) = \sum _{ \mathbf {a}_0,\dots ,\mathbf {a}_R, \mathbf {a}_0 \in \mathcal {U}(\mathbb {X}), \mathbf {a}_0 \xrightarrow {F_1} \mathbf {a}_1\xrightarrow {F_2} \cdots \xrightarrow {F_R} \mathbf {a}_R } \{\mathbf {a}_R\} \end{aligned}$$

The important link between the division property and the ANF is the following observation and is actually a special case of Proposition 5.

Corollary 1

Let \(F:\mathbb {F}_2^n \rightarrow \mathbb {F}_2^n\) be a function with algebraic normal form

$$\begin{aligned} F(\mathbf {x}) = \sum _{ \mathbf {u} \in \mathbb {F}_2^n} \lambda _{\mathbf {u}} \mathbf {x}^{\mathbf {u}} \end{aligned}$$

where \(\lambda _{\mathbf {u}} =(\lambda _{\mathbf {u}}^{(1)}, \dots , \lambda _{\mathbf {u}}^{(n)}) \in \mathbb {F}_2^n\). Furthermore, let \(\mathbb {X}\) be the set such that \(\mathcal {U}({\mathbb {X}})=\{\mathbf {\ell }\}\). Then

$$\begin{aligned} \lambda _{\mathbf {\ell }}^{(i)} =1 \ \Leftrightarrow \mathbf {e}_i \in \mathcal {U}({F(\mathbb {X})})\end{aligned}$$

Proof

If \(\mathcal {U}({\mathbb {X}})=\{\mathbf {\ell }\}\), by Lemma 3 we have

$$\begin{aligned} \mathbb {X}=\{ \mathbf {x} \in \mathbb {F}_2^n \ | \ \mathbf {x} \preceq \mathbf {\ell }\} .\end{aligned}$$

Now, we get

$$\begin{aligned} \lambda _{\mathbf {\ell }}^{(i)}&= \sum _{\mathbf {x} \preceq \mathbf {\ell }} F(\mathbf {x}) = \sum _{\mathbf {x} \in \mathbb {X}} F^{(i)}(\mathbf {x}) = \sum _{\mathbf {x} \in F(\mathbb {X})} \mathbf {x}^{\mathbf {e}_i} = {\left\{ \begin{array}{ll} 1 &{} \text{ if } \mathbf {e}_i \in \mathcal {U}(F(\mathbb {X})) \\ 0 &{} \text{ otherwise } \end{array}\right. } \end{aligned}$$

which concludes the proof. \(\square \)

Theorem 1 and Corollary 1 finally result in the following corollary.

Corollary 2

Let \(F:\mathbb {F}_2^n \rightarrow \mathbb {F}_2^n\) be a function with algebraic normal form

$$\begin{aligned} F(\mathbf {x}) = \sum _{\mathbf {u} \in \mathbb {F}_2^n} \lambda _u \mathbf {x}^{\mathbf {u}} \end{aligned}$$

where \(\lambda _{\mathbf {u}} =(\lambda _{\mathbf {u}}^{(1)},\dots ,\lambda _{\mathbf {u}}^{(n)}) \in \mathbb {F}_2^n\) and \(F= F_R \circ \dots \circ F_2 \circ F_1\). Then \(\lambda _{\mathbf {\ell }}^{(i)} =1\) if and only if the number of trails

$$\begin{aligned} \mathbf {\ell }\xrightarrow {F_1} \mathbf {a}_1 \xrightarrow {F_2} \cdots \xrightarrow {F_R} \mathbf {e}_i \end{aligned}$$

is odd.

Proof

Follows immediately from the statements above. \(\square \)

Corollary 2 is exactly the same as Proposition 1.

The Practical Verification using Parameters from Fu et al. ’s Refinements in  [34]

Table 10 The 17 29-dimensional cubes in [34] and their superpoly \(p(\mathbf {x})\)’s for \(z_{721}\) (as well as \({\hat{z}}_{721}\) in (24))

Example 5

(Parameters from [34]) In  [34], Fu et al. provide 17 29-dimensional cubes as Table 10. For the correct key guess, the \(p(\mathbf {x})\) of \((1+s^{221}_{94})z_{721}\) over \(I_j\) (\(j=0,\ldots , 16\)) is constantly 0. [34] also shows the \(p(\mathbf {x})\ne 0\) for pure \(z_{721}\) with sufficiently many random keys. Both situations are perfectly evaluated with our method. We have \(I=I_j\) (\(j=0,\ldots , 16\)) and \(C_0=\{1,\ldots , 80\}\backslash I\). The only difference appears in model construction:

1. 1.

   For \((1+s^{221}_{94})z_{721}\), we call Algorithm 4 as \(\mathcal {M}\leftarrow \mathtt{TriviumSecEval}(721,221)\)

2. 2.

   For \(z_{721}\), we call Algorithm 3 as \(\mathcal {M}\leftarrow \mathtt{TriviumEval}(721)\)

Then, we simply call Algorithm 2 to acquire \(p(\mathbf {x})\) for both situations. All 17 \(p(\mathbf {x})\)’s are 0 for \((1+s^{221}_{94})z_{721}\) and those for \(z_{721}\) are listed in Table 10. Since all the \(p(\mathbf {x})\)’s for \(z_{721}\) are quite simple, the key-recovery can already be carried out without using Fu et al. ’s method in [20]. Furthermore, as can be seen, all \(p(\mathbf {x})\) in Table 10 have a common divisor \(x_{62}\). Therefore, when the key bit \(x_{62}\) is constant 0, the 17 cube summations for \(z_{721}\) will be 0. For all the 17 cubes, the ANF of \(s^{221}_{94}\) can be represented as

$$\begin{aligned} s^{221}_{94}=\underline{g_1}+\underline{g_2} v_{67}+\underline{g_3}(v_{21}+v_{51})+v_{21}v_{67} + v_{25}v_{39} + v_{41} + v_{53} \end{aligned}$$

(22)

where \(g_1,g_2 and g_3\) are the three secret-key related bits that need to be guessed. Such to-be-guessed bits are in fact polynomials of key bits represented as:xxxx

$$\begin{aligned} \left\{ \begin{aligned} g_1&= x_{2} + x_{9}x_{10} + x_{11} + x_{18}x_{19} + x_{20} + x_{27}x_{28} + x_{29}\\&\quad + x_{47} + x_{53} + x_{60}x_{61} + x_{72}x_{73} + x_{74} \\ g_2&= x_{9} \\ g_3&= x_{10} \end{aligned} \right. \end{aligned}$$

(23)

Since there is a wrong key guess (\(g_1\) is wrongly guessed as \(g_1+ 1\), while \(g_2 and g_3\) are guessed correctly) that can make the assignment of \(s^{221}_{94}\) become \(1+s^{221}_{94}\) so the corresponding transformation and summation become:

$$\begin{aligned} \begin{aligned} g_1+ 1,g_2,g_3&\Rightarrow {\hat{z}}_{721} =(1+1+s^{221}_{94})z_{721}=(1+s^{221}_{94})z_{721}+ z_{721}\\&\Rightarrow \sum _{C_I}{\hat{z}}_{721}=\sum _{C_I} \left[ (1+s^{221}_{94})z_{721}\right] +\sum _{C_I}z_{721}=0+\sum _{C_I}z_{721} \end{aligned} \end{aligned}$$

(24)

As can be seen, such a wrong key guess summation equals to that of plain \(z_{721}\) and all 17 cube summations are 0 as long as \(x_{62}=0\). This phenomenon can also be verified experimentally. In other words, Fu et al. ’s attacks in  [34] on 721-round Trivium can only work under the weak-key setting (\(x_{62}=1\)), while the ordinary cube attack on plain \(z_{721}\) recovers key bits directly for arbitrary key settings. Therefore, Fu et al. ’s method is no better than the ordinary cube attack. Such analysis has not only proved the accuracy of our method but the ineffectiveness of Fu et al. ’s refinements in [34] as well.

Detailed Result for Cube Attacks against Trivium

The superpoly recovered for 842-Round Trivium is given as the following

$$\begin{aligned} p(\mathbf {x})&= x_{80}+ x_{79}+ x_{78}+ x_{78}x_{80}+ x_{78}x_{79} + x_{77}+ x_{77}x_{80}\\&\quad + x_{77}x_{78}x_{80}+ x_{76}+ x_{76}x_{80} + x_{76}x_{79}+ x_{76}x_{78}x_{80}+ x_{76}x_{78}x_{79}\\&\quad + x_{76}x_{77}x_{80} + x_{76}x_{77}x_{78}+ x_{76}x_{77}x_{78}x_{80}+ x_{75}+ x_{75}x_{79}\\&\quad + x_{75}x_{77}x_{78}+ x_{75}x_{76}x_{78} + x_{75}x_{76}x_{77}+ x_{74}+ x_{74}x_{75}x_{80}\\&\quad + x_{74}x_{75}x_{79} + x_{74}x_{75}x_{78}x_{80}+ x_{74}x_{75}x_{78}x_{79}\\&\quad + x_{74}x_{75}x_{77}x_{80}+ x_{74}x_{75}x_{77}x_{78}+ x_{74}x_{75}x_{77}x_{78}x_{80}\\&\quad + x_{74}x_{75}x_{76}x_{80}+ x_{74}x_{75}x_{76}x_{78}x_{79}+ x_{74}x_{75}x_{76}x_{77}x_{80}\\&\quad + x_{74}x_{75}x_{76}x_{77}x_{78}x_{79}+ x_{73}x_{80}+ x_{73}x_{78}x_{79}+ x_{73}x_{75}\\&\quad + x_{73}x_{74}x_{79}+ x_{73}x_{74}x_{77}x_{78}+ x_{73}x_{74}x_{76}+ x_{73}x_{74}x_{75}\\&\quad + x_{72}x_{73}+ x_{71}x_{76}+ x_{71}x_{75}+ x_{71}x_{74}x_{75}+ x_{71}x_{73}x_{74}\\&\quad + x_{71}x_{72}x_{80}+ x_{71}x_{72}x_{78}x_{79}+ x_{71}x_{72}x_{75}+ x_{71}x_{72}x_{73}x_{74}\\&\quad + x_{70}+ x_{70}x_{75}+ x_{70}x_{73}x_{74}+ x_{69}+ x_{69}x_{70}x_{76}+ x_{69}x_{70}x_{75}\\&\quad + x_{69}x_{70}x_{74}x_{75}+ x_{69}x_{70}x_{73}x_{74}+ x_{68}+ x_{68}x_{69}+ x_{68}x_{69}x_{75}\\&\quad + x_{68}x_{69}x_{73}x_{74}+ x_{67}x_{78}+ x_{67}x_{76}x_{77}+ x_{67}x_{68}\\&\quad + x_{66}x_{80}+ x_{66}x_{78}x_{79}+ x_{66}x_{77}+ x_{66}x_{76}+ x_{66}x_{75}\\ \end{aligned}$$

$$\begin{aligned}&\quad + x_{66}x_{75}x_{76}+ x_{66}x_{74}x_{75}+ x_{66}x_{73}+ x_{66}x_{73}x_{74}\\&\quad + x_{66}x_{71}x_{72}+ x_{66}x_{67}+ x_{65}x_{80}+ x_{65}x_{78}x_{79}+ x_{65}x_{76}+ x_{65}x_{76}x_{80}\\&\quad + x_{65}x_{76}x_{78}x_{79}+ x_{65}x_{75}+ x_{65}x_{74}x_{75}+ x_{65}x_{74}x_{75}x_{80}\\&\quad + x_{65}x_{74}x_{75}x_{78}x_{79}+ x_{65}x_{73}x_{74}+ x_{65}x_{66}x_{78}+ x_{65}x_{66}x_{76}x_{77}\\&\quad + x_{64}x_{76}x_{80}+ x_{64}x_{76}x_{78}x_{79}+ x_{64}x_{74}x_{75}x_{80}+ x_{64}x_{74}x_{75}x_{78}x_{79}\\&\quad + x_{64}x_{65}x_{80}+ x_{64}x_{65}x_{78}x_{79}+ x_{63}+ x_{63}x_{78}x_{80}+ x_{63}x_{78}x_{79}\\&\quad + x_{63}x_{77}x_{80}+ x_{63}x_{77}x_{78}x_{79}+ x_{63}x_{76}+ x_{63}x_{76}x_{77}x_{80}\\&\quad + x_{63}x_{76}x_{77}x_{78}x_{79}+ x_{63}x_{75}x_{76}x_{80}+ x_{63}x_{75}x_{76}x_{78}x_{79}+ x_{63}x_{74}x_{75}\\&\quad + x_{63}x_{70}+ x_{63}x_{68}x_{69}+ x_{63}x_{65}x_{80}+ x_{63}x_{65}x_{78}x_{79}\\&\quad + x_{62}x_{79}+ x_{62}x_{77}x_{78}+ x_{62}x_{76}+ x_{62}x_{74}x_{75}+ x_{62}x_{65}\\&\quad + x_{62}x_{63}+ x_{62}x_{63}x_{76}x_{80}+ x_{62}x_{63}x_{76}x_{78}x_{79}\\&\quad + x_{62}x_{63}x_{74}x_{75}x_{80}+ x_{62}x_{63}x_{74}x_{75}x_{78}x_{79}+ x_{61}\\&\quad + x_{61}x_{80}+ x_{61}x_{79}+ x_{61}x_{78}x_{79}+ x_{61}x_{77}\\&\quad + x_{61}x_{77}x_{78}+ x_{61}x_{76}x_{79}+ x_{61}x_{76}x_{77}x_{78}+ x_{61}x_{75}x_{76}\\&\quad + x_{61}x_{74}x_{75}x_{79}+ x_{61}x_{74}x_{75}x_{77}x_{78}+ x_{61}x_{73}+ x_{61}x_{72}\\&\quad + x_{61}x_{71}+ x_{61}x_{71}x_{72}+ x_{61}x_{70}x_{71}+ x_{61}x_{69}+ x_{61}x_{69}x_{70}\\ \end{aligned}$$

$$\begin{aligned}&\quad + x_{61}x_{67}x_{78}+ x_{61}x_{67}x_{76}x_{77}+ x_{61}x_{67}x_{68}+ x_{61}x_{66}\\&\quad + x_{61}x_{65}+ x_{61}x_{65}x_{76}+ x_{61}x_{65}x_{74}x_{75}+ x_{61}x_{65}x_{66}x_{78}\\&\quad + x_{61}x_{65}x_{66}x_{76}x_{77}+ x_{61}x_{62}x_{78}x_{80}+ x_{61}x_{62}x_{78}x_{79}\\&\quad + x_{61}x_{62}x_{77}x_{80}+ x_{61}x_{62}x_{77}x_{78}x_{79}+ x_{61}x_{62}x_{76}x_{77}x_{80}\\&\quad + x_{61}x_{62}x_{76}x_{77}x_{78}x_{79}+ x_{61}x_{62}x_{75}x_{76}x_{80}\\&\quad + x_{61}x_{62}x_{75}x_{76}x_{78}x_{79}+ x_{61}x_{62}x_{65}x_{80}\\&\quad + x_{61}x_{62}x_{65}x_{78}x_{79}+ x_{60}+ x_{60}x_{80}+ x_{60}x_{78}x_{79}\\&\quad + x_{60}x_{74}+ x_{60}x_{73}+ x_{60}x_{72}+ x_{60}x_{72}x_{73}\\&\quad + x_{60}x_{71}x_{72}+ x_{60}x_{70}x_{71}+ x_{60}x_{66}+ x_{60}x_{62}+ x_{60}x_{61}x_{79}\\&\quad + x_{60}x_{61}x_{77}x_{78}+ x_{60}x_{61}x_{74}+ x_{60}x_{61}x_{72}x_{73}+ x_{60}x_{61}x_{65}\\&\quad + x_{59}x_{80}+ x_{59}x_{78}x_{79}+ x_{59}x_{76}+ x_{59}x_{75}+ x_{59}x_{74}+ x_{59}x_{74}x_{75}\\&\quad + x_{59}x_{73}x_{74}+ x_{59}x_{72}x_{73}+ x_{59}x_{66}+ x_{59}x_{62}+ x_{59}x_{61}\\&\quad + x_{59}x_{61}x_{70}+ x_{59}x_{61}x_{68}x_{69}+ x_{59}x_{60}x_{80}+ x_{59}x_{60}x_{79}\\&\quad + x_{59}x_{60}x_{78}x_{79}+ x_{59}x_{60}x_{77}+ x_{59}x_{60}x_{77}x_{78}+ x_{59}x_{60}x_{76}x_{79}\\&\quad + x_{59}x_{60}x_{76}x_{77}x_{78}+ x_{59}x_{60}x_{75}x_{76}+ x_{59}x_{60}x_{74}+ x_{59}x_{60}x_{74}x_{75}x_{79}\\&\quad + x_{59}x_{60}x_{74}x_{75}x_{77}x_{78}+ x_{59}x_{60}x_{73}+ x_{59}x_{60}x_{72}\\&\quad + x_{59}x_{60}x_{72}x_{73}+ x_{59}x_{60}x_{71}x_{72}+ x_{59}x_{60}x_{70}x_{71}\\ \end{aligned}$$

$$\begin{aligned}&\!\qquad +x_{59}x_{60}x_{66}+ x_{59}x_{60}x_{65}+ x_{59}x_{60}x_{65}x_{76} + x_{59}x_{60}x_{65}x_{74}x_{75}\\&\!\qquad + x_{59}x_{60}x_{62}+ x_{58}x_{80}+ x_{58}x_{78}x_{79}+ x_{58}x_{77}+ x_{58}x_{75}+ x_{58}x_{74}\\&\!\qquad + x_{58}x_{74}x_{75}+ x_{58}x_{73}x_{74}+ x_{58}x_{73}x_{74}x_{76}+ x_{58}x_{73}x_{74}x_{75}\\&\!\qquad + x_{58}x_{72}x_{73}+ x_{58}x_{70}+ x_{58}x_{68}+ x_{58}x_{68}x_{69}+ x_{58}x_{66}+ x_{58}x_{62}x_{74}\\&\quad + x_{58}x_{62}x_{72}x_{73}+ x_{58}x_{61}x_{74}+ x_{58}x_{61}x_{72}x_{73}+ x_{58}x_{60}+ x_{58}x_{60}x_{61}\\&\quad + x_{58}x_{60}x_{61}x_{74}+ x_{58}x_{60}x_{61}x_{72}x_{73}+ x_{58}x_{59}+ x_{58}x_{59}x_{74}\\&\quad + x_{58}x_{59}x_{72}+ x_{58}x_{59}x_{72}x_{73}+ x_{58}x_{59}x_{70}x_{71}+ x_{58}x_{59}x_{61}\\&\quad + x_{58}x_{59}x_{61}x_{74}+ x_{58}x_{59}x_{61}x_{72}x_{73}+ x_{57}x_{75}x_{77}+ x_{57}x_{74}\\&\quad + x_{57}x_{74}x_{75}+ x_{57}x_{73}x_{74}x_{77}+ x_{57}x_{73}x_{74}x_{76}+ x_{57}x_{73}x_{74}x_{75}\\&\quad + x_{57}x_{73}x_{74}x_{75}x_{76}+ x_{57}x_{72}x_{73}+ x_{57}x_{66}+ x_{57}x_{62}+ x_{57}x_{62}x_{75}\\&\quad + x_{57}x_{62}x_{73}x_{74}+ x_{57}x_{62}x_{63}+ x_{57}x_{61}x_{75}+ x_{57}x_{61}x_{73}x_{74}\\&\quad + x_{57}x_{61}x_{65}+ x_{57}x_{60}x_{61}+ x_{57}x_{60}x_{61}x_{75}+ x_{57}x_{60}x_{61}x_{73}x_{74}\\&\quad + x_{57}x_{59}+ x_{57}x_{59}x_{61}+ x_{57}x_{59}x_{60}+ x_{57}x_{59}x_{60}x_{75}+ x_{57}x_{59}x_{60}x_{73}x_{74}\\&\quad + x_{57}x_{59}x_{60}x_{65}+ x_{57}x_{58}x_{76}+ x_{57}x_{58}x_{75}+ x_{57}x_{58}x_{74}\\&\quad + x_{57}x_{58}x_{74}x_{75}+ x_{57}x_{58}x_{73}x_{74}+ x_{57}x_{58}x_{72}x_{73}+ x_{57}x_{58}x_{60}\\&\quad + x_{57}x_{58}x_{59}x_{61}+ x_{57}x_{58}x_{59}x_{60}+ x_{56}x_{60}+ x_{56}x_{57}x_{61}\\ \end{aligned}$$

$$\begin{aligned}&\qquad + x_{55}+ x_{55}x_{61}+ x_{55}x_{56}x_{61}+ x_{55}x_{56}x_{57}x_{61}+ x_{54}+ x_{54}x_{76}\\&\qquad + x_{54}x_{74}x_{75}+ x_{54}x_{55}x_{61}+ x_{53}+ x_{53}x_{79}+ x_{53}x_{78}+ x_{53}x_{77}\\&\qquad + x_{53}x_{77}x_{78}+ x_{53}x_{76}+ x_{53}x_{76}x_{79}+ x_{53}x_{76}x_{78}+ x_{53}x_{76}x_{77}\\&\qquad + x_{53}x_{76}x_{77}x_{78}+ x_{53}x_{74}x_{75}+ x_{53}x_{74}x_{75}x_{79}+ x_{53}x_{74}x_{75}x_{78}\\&\qquad + x_{53}x_{74}x_{75}x_{77}+ x_{53}x_{74}x_{75}x_{77}x_{78}+ x_{53}x_{74}x_{75}x_{76}\\&\qquad + x_{53}x_{74}x_{75}x_{76}x_{77}+ x_{53}x_{73}+ x_{53}x_{71}x_{72}\\&\qquad + x_{53}x_{66}+ x_{53}x_{65}+ x_{53}x_{65}x_{76}+ x_{53}x_{65}x_{74}x_{75}+ x_{53}x_{64}x_{76}\\&\qquad + x_{53}x_{64}x_{74}x_{75}+ x_{53}x_{64}x_{65}+ x_{53}x_{63}x_{78}+ x_{53}x_{63}x_{77}+ x_{53}x_{63}x_{76}x_{77}\\&\qquad + x_{53}x_{63}x_{75}x_{76}+ x_{53}x_{63}x_{65}+ x_{53}x_{62}x_{63}x_{76}+ x_{53}x_{62}x_{63}x_{74}x_{75}\\&\qquad + x_{53}x_{61}+ x_{53}x_{61}x_{62}x_{78}+ x_{53}x_{61}x_{62}x_{77}+ x_{53}x_{61}x_{62}x_{76}x_{77}\\&\qquad + x_{53}x_{61}x_{62}x_{75}x_{76}+ x_{53}x_{61}x_{62}x_{65}+ x_{53}x_{60}+ x_{53}x_{59}+ x_{53}x_{59}x_{60}+ x_{53}x_{58}\\ \end{aligned}$$

$$\begin{aligned}&\quad + x_{52}+ x_{52}x_{80}+ x_{52}x_{78}x_{79}+ x_{52}x_{76}+ x_{52}x_{76}x_{80}\\&\quad + x_{52}x_{76}x_{78}x_{79}+ x_{52}x_{75}+ x_{52}x_{74}x_{75}+ x_{52}x_{74}x_{75}x_{80}\\&\quad + x_{52}x_{74}x_{75}x_{78}x_{79}+ x_{52}x_{73}x_{74}+ x_{52}x_{62}+ x_{52}x_{61}\\&\quad + x_{52}x_{61}x_{76}+ x_{52}x_{61}x_{74}x_{75}+ x_{52}x_{60}x_{61}\\&\quad + x_{52}x_{59}x_{60}+ x_{52}x_{59}x_{60}x_{76}+ x_{52}x_{59}x_{60}x_{74}x_{75}\\&\quad + x_{52}x_{53}+ x_{52}x_{53}x_{76}+ x_{52}x_{53}x_{74}x_{75}+ x_{51}+ x_{51}x_{80}\\&\quad + x_{51}x_{78}x_{79}+ x_{51}x_{77}+ x_{51}x_{76}+ x_{51}x_{76}x_{80}+ x_{51}x_{76}x_{78}x_{79}\\&\quad + x_{51}x_{75}x_{76}+ x_{51}x_{74}+ x_{51}x_{74}x_{75}+ x_{51}x_{74}x_{75}x_{80}+ x_{51}x_{74}x_{75}x_{78}x_{79}\\&\quad + x_{51}x_{72}x_{73}+ x_{51}x_{67}+ x_{51}x_{65}x_{66}+ x_{51}x_{63}+ x_{51}x_{63}x_{80}\\&\quad + x_{51}x_{63}x_{78}x_{79}+ x_{51}x_{62}+ x_{51}x_{61}+ x_{51}x_{61}x_{67}+ x_{51}x_{61}x_{65}x_{66}\\&\quad + x_{51}x_{61}x_{62}x_{80}+ x_{51}x_{61}x_{62}x_{78}x_{79}+ x_{51}x_{59}x_{60}+ x_{51}x_{59}x_{60}x_{62}\\&\quad + x_{51}x_{59}x_{60}x_{61}+ x_{51}x_{58}+ x_{51}x_{53}+ x_{51}x_{53}x_{76}\\&\quad + x_{51}x_{53}x_{74}x_{75}+ x_{51}x_{53}x_{63}+ x_{51}x_{53}x_{61}x_{62}+ x_{50}+ x_{50}x_{80}\\&\quad + x_{50}x_{78}+ x_{50}x_{78}x_{79}+ x_{50}x_{76}+ x_{50}x_{76}x_{80}+ x_{50}x_{76}x_{78}x_{79}\\&\quad + x_{50}x_{76}x_{77}+ x_{50}x_{75}+ x_{50}x_{74}x_{75}+ x_{50}x_{74}x_{75}x_{80}\\&\quad + x_{50}x_{74}x_{75}x_{78}x_{79}+ x_{50}x_{73}x_{74}+ x_{50}x_{63}x_{80}+ x_{50}x_{63}x_{78}x_{79}\\&\quad + x_{50}x_{61}+ x_{50}x_{61}x_{62}x_{80}+ x_{50}x_{61}x_{62}x_{78}x_{79}+ x_{50}x_{60}\\&\quad + x_{50}x_{59}x_{60}+ x_{50}x_{58}x_{59}+ x_{50}x_{57}x_{75}+ x_{50}x_{57}x_{73}x_{74}\\&\quad + x_{50}x_{53}+ x_{50}x_{53}x_{76}+ x_{50}x_{53}x_{74}x_{75}+ x_{50}x_{53}x_{63}\\&\quad + x_{50}x_{53}x_{61}x_{62}+ x_{50}x_{51}+ x_{49}+ x_{49}x_{80}+ x_{49}x_{79}\\&\quad + x_{49}x_{78}x_{80}+ x_{49}x_{78}x_{79}+ x_{49}x_{77}x_{80}+ x_{49}x_{77}x_{78}\\&\quad + x_{49}x_{77}x_{78}x_{80}+ x_{49}x_{76}x_{77}x_{80}+ x_{49}x_{76}x_{77}x_{78}x_{79}+ x_{49}x_{75}\\&\quad + x_{49}x_{75}x_{76}x_{80}+ x_{49}x_{75}x_{76}x_{78}x_{79}+ x_{49}x_{73}x_{74}\\&\quad + x_{49}x_{71}+ x_{49}x_{69}x_{70}+ x_{49}x_{66}\\ \end{aligned}$$

$$\begin{aligned}&\quad + x_{49}x_{65}+ x_{49}x_{65}x_{80}+ x_{49}x_{65}x_{78}x_{79}+ x_{49}x_{64}x_{80}\\&\quad + x_{49}x_{64}x_{78}x_{79}+ x_{49}x_{63}+ x_{49}x_{62}+ x_{49}x_{62}x_{63}x_{80}+ x_{49}x_{62}x_{63}x_{78}x_{79}\\&\quad + x_{49}x_{61}x_{79}+ x_{49}x_{61}x_{77}x_{78}+ x_{49}x_{61}x_{65}+ x_{49}x_{59}+ x_{49}x_{59}x_{60}x_{79}\\&\quad + x_{49}x_{59}x_{60}x_{77}x_{78}+ x_{49}x_{59}x_{60}x_{65}+ x_{49}x_{58} + x_{49}x_{58}x_{75}\\&\quad + x_{49}x_{58}x_{73}x_{74}+ x_{49}x_{57}+ x_{49}x_{57}x_{75} + x_{49}x_{57}x_{73}x_{74}\\&\quad + x_{49}x_{57}x_{58}+ x_{49}x_{54}+ x_{49}x_{53}+ x_{49}x_{53}x_{79}+ x_{49}x_{53}x_{78}+ x_{49}x_{53}x_{77}\\&\quad + x_{49}x_{53}x_{77}x_{78}+ x_{49}x_{53}x_{76}x_{77}+ x_{49}x_{53}x_{75}x_{76}+ x_{49}x_{53}x_{65}+ x_{49}x_{53}x_{64}\\&\quad + x_{49}x_{53}x_{62}x_{63}+ x_{49}x_{52}+ x_{49}x_{52}x_{80}+ x_{49}x_{52}x_{78}x_{79}+ x_{49}x_{52}x_{61}\\&\quad + x_{49}x_{52}x_{59}x_{60}+ x_{49}x_{52}x_{53}+ x_{49}x_{51}x_{80}+ x_{49}x_{51}x_{78}x_{79}+ x_{49}x_{51}x_{53}{+} x_{49}x_{50}\\&\quad + x_{49}x_{50}x_{80}+ x_{49}x_{50}x_{78}x_{79}+ x_{49}x_{50}x_{76}+ x_{49}x_{50}x_{74}+ x_{49}x_{50}x_{74}x_{75}\\ \end{aligned}$$

$$\begin{aligned}&\quad + x_{49}x_{50}x_{72}x_{73}+ x_{49}x_{50}x_{63}+ x_{49}x_{50}x_{62}+ x_{49}x_{50}x_{61}+ x_{49}x_{50}x_{59}x_{60}\\&\quad + x_{49}x_{50}x_{59}x_{60}x_{62}+ x_{49}x_{50}x_{59}x_{60}x_{61}+ x_{49}x_{50}x_{58}+ x_{49}x_{50}x_{53}+ x_{48}\\&\quad + x_{48}x_{79}+ x_{48}x_{77}x_{78}+ x_{48}x_{73}+ x_{48}x_{71}+ x_{48}x_{71}x_{72}+ x_{48}x_{70}+ x_{48}x_{69}x_{70}\\&\quad + x_{48}x_{68}x_{69}+ x_{48}x_{65}+ x_{48}x_{62}+ x_{48}x_{61}+ x_{48}x_{60}x_{61}+ x_{48}x_{59}+ x_{48}x_{59}x_{60}\\&\quad + x_{48}x_{58}x_{76}+ x_{48}x_{58}x_{74}x_{75}+ x_{48}x_{57}x_{77}+ x_{48}x_{57}x_{76}+ x_{48}x_{57}x_{75}x_{76}\\&\quad + x_{48}x_{57}x_{74}x_{75}+ x_{48}x_{57}x_{62}+ x_{48}x_{57}x_{61}+ x_{48}x_{57}x_{60}x_{61}+ x_{48}x_{57}x_{59}x_{60}\\&\quad + x_{48}x_{57}x_{58}+ x_{48}x_{52}+ x_{48}x_{51}+ x_{48}x_{50}+ x_{48}x_{50}x_{57}+ x_{48}x_{49}+ x_{48}x_{49}x_{76}\\&\quad + x_{48}x_{49}x_{75}+ x_{48}x_{49}x_{74}x_{75}+ x_{48}x_{49}x_{73}x_{74}+ x_{48}x_{49}x_{66}+ x_{48}x_{49}x_{60}\\&\quad + x_{48}x_{49}x_{58}x_{59}+ x_{48}x_{49}x_{57}+ x_{48}x_{49}x_{50}+ x_{47}+ x_{47}x_{61}+ x_{47}x_{60}+ x_{47}x_{60}x_{61}\\&\quad + x_{47}x_{59}+ x_{47}x_{58}+ x_{47}x_{58}x_{62}+ x_{47}x_{58}x_{61}+ x_{47}x_{58}x_{60}x_{61}+ x_{47}x_{58}x_{59}\\&\quad + x_{47}x_{58}x_{59}x_{61}+ x_{47}x_{57}x_{58}+ x_{47}x_{51}+ x_{47}x_{49}x_{50}+ x_{47}x_{48}x_{58}+ x_{47}x_{48}x_{51}\\&\quad + x_{47}x_{48}x_{49}x_{50}+ x_{46}x_{80}+ x_{46}x_{78}x_{79}+ x_{46}x_{75}+ x_{46}x_{73}x_{74}\\&\quad + x_{46}x_{66}+ x_{46}x_{61}+ x_{46}x_{60}+ x_{46}x_{59}x_{60}+ x_{46}x_{53}+ x_{46}x_{48}+ x_{46}x_{47}x_{76}\\&\quad + x_{46}x_{47}x_{74}x_{75}+ x_{46}x_{47}x_{66}+ x_{46}x_{47}x_{62}+ x_{46}x_{47}x_{61}+ x_{46}x_{47}x_{60}x_{61}\\&\quad + x_{46}x_{47}x_{59}x_{60}+ x_{46}x_{47}x_{58}+ x_{46}x_{47}x_{51}+ x_{46}x_{47}x_{49}x_{50}+ x_{46}x_{47}x_{48}{+} x_{45}x_{70}\\&\quad + x_{45}x_{68}x_{69}+ x_{45}x_{61}+ x_{45}x_{60}+ x_{45}x_{59}x_{60}+ x_{45}x_{58}x_{59}+ x_{45}x_{46}x_{61}\\&\quad + x_{45}x_{46}x_{59}x_{60}+ x_{45}x_{46}x_{57}+ x_{44}x_{76}+ x_{44}x_{75}+ x_{44}x_{74}x_{75}+ x_{44}x_{73}x_{74}\\&\quad + x_{44}x_{61}+ x_{44}x_{57}x_{61}+ x_{44}x_{49}+ x_{44}x_{48}+ x_{43}+ x_{43}x_{75}+ x_{43}x_{73}x_{74}\\&\quad + x_{43}x_{63}+ x_{43}x_{59}x_{61}+ x_{43}x_{58}+ x_{43}x_{48}+ x_{43}x_{45}+ x_{43}x_{44}x_{70}+ x_{43}x_{44}x_{68}x_{69}\\&\quad + x_{42}+ x_{42}x_{61}+ x_{42}x_{43}x_{57}x_{61}+ x_{41}+ x_{41}x_{66}x_{80}+ x_{41}x_{66}x_{78}x_{79}\\&\quad + x_{41}x_{64}x_{65}x_{80}+ x_{41}x_{64}x_{65}x_{78}x_{79}+ x_{41}x_{53}x_{66}+ x_{41}x_{53}x_{64}x_{65}+ x_{40}x_{78}\\&\quad + x_{40}x_{76}x_{77}+ x_{40}x_{61}x_{78}+ x_{40}x_{61}x_{76}x_{77}+ x_{40}x_{57}+ x_{40}x_{51}+ x_{40}x_{51}x_{61}\\&\quad + x_{39}x_{80}+ x_{39}x_{78}x_{79}+ x_{39}x_{61}+ x_{39}x_{53}+ x_{39}x_{41}x_{80}+ x_{39}x_{41}x_{78}x_{79}\\&\quad + x_{39}x_{41}x_{53}+ x_{39}x_{40}+ x_{39}x_{40}x_{80}+ x_{39}x_{40}x_{78}x_{79}+ x_{39}x_{40}x_{66}x_{80}\\&\quad + x_{39}x_{40}x_{66}x_{78}x_{79}+ x_{39}x_{40}x_{64}x_{65}x_{80}\\ \end{aligned}$$

$$\begin{aligned}&+ x_{39}x_{40}x_{64}x_{65}x_{78}x_{79}+ x_{39}x_{40}x_{53}+ x_{39}x_{40}x_{53}x_{66}+ x_{39}x_{40}x_{53}x_{64}x_{65}\\&+ x_{37}x_{76}x_{80}+ x_{37}x_{76}x_{78}x_{79}+ x_{37}x_{74}x_{75}x_{80}+ x_{37}x_{74}x_{75}x_{78}x_{79}\\&+ x_{37}x_{53}x_{76}+ x_{37}x_{53}x_{74}x_{75}+ x_{37}x_{49}x_{80}+ x_{37}x_{49}x_{78}x_{79}\\&+ x_{37}x_{49}x_{53}+ x_{37}x_{38}x_{61}+ x_{36}x_{78}x_{80}+ x_{36}x_{78}x_{79}\\&+ x_{36}x_{77}x_{80}+ x_{36}x_{77}x_{78}x_{79}+ x_{36}x_{76}+ x_{36}x_{76}x_{77}x_{80}+ x_{36}x_{76}x_{77}x_{78}x_{79}\\&+ x_{36}x_{75}x_{76}x_{80}+ x_{36}x_{75}x_{76}x_{78}x_{79}+ x_{36}x_{74}+ x_{36}x_{74}x_{75}\\&+ x_{36}x_{72}x_{73}+ x_{36}x_{65}x_{80}+ x_{36}x_{65}x_{78}x_{79}+ x_{36}x_{63}\\&+ x_{36}x_{62}+ x_{36}x_{61}+ x_{36}x_{59}x_{60}+ x_{36}x_{59}x_{60}x_{62}+ x_{36}x_{59}x_{60}x_{61}\\&+ x_{36}x_{58}+ x_{36}x_{53}x_{78}+ x_{36}x_{53}x_{77}+ x_{36}x_{53}x_{76}x_{77}\\&+ x_{36}x_{53}x_{75}x_{76}+ x_{36}x_{53}x_{65}+ x_{36}x_{51}+ x_{36}x_{51}x_{80}\\&+ x_{36}x_{51}x_{78}x_{79}+ x_{36}x_{51}x_{53}+ x_{36}x_{50}x_{80}+ x_{36}x_{50}x_{78}x_{79}\\&+ x_{36}x_{50}x_{53}+ x_{36}x_{49}x_{50}+ x_{36}x_{48}+ x_{36}x_{47}+ x_{36}x_{47}x_{48}+ x_{36}x_{46}x_{47}\\&+ x_{35}x_{79}+ x_{35}x_{77}x_{78}+ x_{35}x_{65}+ x_{35}x_{61}+ x_{35}x_{59}+ x_{35}x_{59}x_{60}\\ \end{aligned}$$

$$\begin{aligned}&\quad + x_{35}x_{58}+ x_{35}x_{58}x_{74}+ x_{35}x_{58}x_{72}x_{73}+ x_{35}x_{57}x_{75}+ x_{35}x_{57}x_{73}x_{74}\\&\quad + x_{35}x_{52}+ x_{35}x_{51}+ x_{35}x_{51}x_{61}+ x_{35}x_{51}x_{59}x_{60}+ x_{35}x_{49}x_{50}\\&\quad + x_{35}x_{49}x_{50}x_{61}+ x_{35}x_{49}x_{50}x_{59}x_{60}+ x_{35}x_{48}+ x_{35}x_{48}x_{57}\\&\quad + x_{35}x_{47}x_{58}+ x_{35}x_{46}x_{47}+ x_{35}x_{36}+ x_{35}x_{36}x_{61}+ x_{35}x_{36}x_{59}x_{60}\\&\quad + x_{34}+ x_{34}x_{79}+ x_{34}x_{77}+ x_{34}x_{77}x_{78}+ x_{34}x_{76}x_{79}+ x_{34}x_{76}x_{77}x_{78}+ x_{34}x_{75}x_{76}\\&\quad + x_{34}x_{74}x_{75}x_{79}+ x_{34}x_{74}x_{75}x_{77}x_{78}+ x_{34}x_{73}+ x_{34}x_{72}+ x_{34}x_{71}x_{72}\\&\quad + x_{34}x_{70}x_{71}+ x_{34}x_{65}+ x_{34}x_{65}x_{76}+ x_{34}x_{65}x_{74}x_{75}+ x_{34}x_{62}\\&\quad + x_{34}x_{60}+ x_{34}x_{60}x_{74}+ x_{34}x_{60}x_{72}x_{73}+ x_{34}x_{60}x_{61}+ x_{34}x_{58}\\&\quad + x_{34}x_{58}x_{74}+ x_{34}x_{58}x_{72}x_{73}+ x_{34}x_{58}x_{59}+ x_{34}x_{58}x_{59}x_{74}+ x_{34}x_{58}x_{59}x_{72}x_{73}\\&\quad + x_{34}x_{57}x_{75}+ x_{34}x_{57}x_{73}x_{74}+ x_{34}x_{57}x_{65}+ x_{34}x_{57}x_{60}\\&\quad + x_{34}x_{57}x_{58}x_{59}+ x_{34}x_{52}+ x_{34}x_{52}x_{76}+ x_{34}x_{52}x_{74}x_{75}+ x_{34}x_{51}\\&\quad + x_{34}x_{51}x_{62}+ x_{34}x_{51}x_{60}x_{61}+ x_{34}x_{50}+ x_{34}x_{49}x_{79}\\&\quad + x_{34}x_{49}x_{77}x_{78}+ x_{34}x_{49}x_{65}+ x_{34}x_{49}x_{52}+ x_{34}x_{49}x_{50}\\&\quad + x_{34}x_{49}x_{50}x_{62}+ x_{34}x_{49}x_{50}x_{60}x_{61}+ x_{34}x_{48}+ x_{34}x_{48}x_{57}+ x_{34}x_{47}\\&\quad + x_{34}x_{47}x_{60}+ x_{34}x_{47}x_{58}+ x_{34}x_{47}x_{58}x_{59}+ x_{34}x_{46}+ x_{34}x_{46}x_{47}\\&\quad + x_{34}x_{45}+ x_{34}x_{45}x_{46}+ x_{34}x_{36}+ x_{34}x_{36}x_{62}+ x_{34}x_{36}x_{60}x_{61}\\ \end{aligned}$$

$$\begin{aligned}&\quad + x_{34}x_{35}x_{76}+ x_{34}x_{35}x_{74}+ x_{34}x_{35}x_{74}x_{75}+ x_{34}x_{35}x_{72}x_{73}+ x_{34}x_{35}x_{63}\\&\quad + x_{34}x_{35}x_{60}x_{61} + x_{34}x_{35}x_{59}x_{60}x_{62}+ x_{34}x_{35}x_{59}x_{60}x_{61}+ x_{34}x_{35}x_{58}\\&\quad + x_{34}x_{35}x_{51} + x_{34}x_{35}x_{49}x_{50}+ x_{34}x_{35}x_{48}+ x_{34}x_{35}x_{47}+ x_{34}x_{35}x_{47}x_{48}\\&\quad + x_{34}x_{35}x_{46}x_{47}+ x_{33}+ x_{33}x_{74}+ x_{33}x_{72}+ x_{33}x_{72}x_{73}+ x_{33}x_{70}x_{71}+ x_{33}x_{61}\\&\quad + x_{33}x_{61}x_{74}+ x_{33}x_{61}x_{72}x_{73}+ x_{33}x_{59}+ x_{33}x_{59}x_{60}+ x_{33}x_{59}x_{60}x_{74}\\&\quad + x_{33}x_{59}x_{60}x_{72}x_{73}+ x_{33}x_{58}+ x_{33}x_{57}x_{61}+ x_{33}x_{57}x_{59}x_{60}\\&\quad + x_{33}x_{50}+ x_{33}x_{48}x_{49}+ x_{33}x_{47}+ x_{33}x_{47}x_{61}+ x_{33}x_{47}x_{59}x_{60}\\&\quad + x_{33}x_{45}+ x_{33}x_{34}x_{74}+ x_{33}x_{34}x_{72}x_{73}+ x_{33}x_{34}x_{57}+ x_{33}x_{34}x_{47}\\&\quad + x_{32}+ x_{32}x_{74}+ x_{32}x_{72}x_{73}+ x_{32}x_{60}+ x_{32}x_{57}+ x_{32}x_{57}x_{61}+ x_{32}x_{47}\\&\quad + x_{31}+ x_{31}x_{73} + x_{31}x_{71}x_{72}+ x_{31}x_{67}+ x_{31}x_{65}x_{66}+ x_{31}x_{57}x_{61}\\&\quad + x_{31}x_{46}+ x_{31}x_{40} + x_{31}x_{32}+ x_{30}+ x_{30}x_{61}+ x_{30}x_{57}+ x_{30}x_{57}x_{61}+ x_{30}x_{31}\\&\quad + x_{29}x_{61}+ x_{29}x_{30}x_{73}+ x_{29}x_{30}x_{71}x_{72}+ x_{29}x_{30}x_{67}+ x_{29}x_{30}x_{65}x_{66}\\&\quad + x_{29}x_{30}x_{57}+ x_{29}x_{30}x_{46}+ x_{29}x_{30}x_{40}+ x_{28}x_{29}x_{57}+ x_{28}x_{29}x_{31}x_{57}\\ \end{aligned}$$

$$\begin{aligned}&+ x_{28}x_{29}x_{30}x_{57} + x_{27}x_{61}+ x_{26}x_{75}+ x_{26}x_{73}x_{74}+ x_{26}x_{63}+ x_{26}x_{62}\\&+ x_{26}x_{59}+ x_{26}x_{48} + x_{24}+ x_{24}x_{76}+ x_{24}x_{75}+ x_{24}x_{74}+ x_{24}x_{74}x_{75}\\&+ x_{24}x_{73}x_{74} + x_{24}x_{72}x_{73}+ x_{24}x_{61}+ x_{24}x_{59}+ x_{24}x_{59}x_{60}\\&+ x_{24}x_{59}x_{60}x_{62}+ x_{24}x_{59}x_{60}x_{61}+ x_{24}x_{58}+ x_{24}x_{57}x_{61}\\&+ x_{24}x_{47}+ x_{24}x_{47}x_{48}+ x_{24}x_{46}x_{47}+ x_{24}x_{36}+ x_{24}x_{35}+ x_{24}x_{35}x_{61}\\&+ x_{24}x_{35}x_{59}x_{60}+ x_{24}x_{34}+ x_{24}x_{34}x_{62}+ x_{24}x_{34}x_{60}x_{61}\\&+ x_{24}x_{34}x_{35}+ x_{23}x_{76}+ x_{23}x_{75}+ x_{23}x_{74}x_{75}+ x_{23}x_{73}x_{74}\\&+ x_{23}x_{66}+ x_{23}x_{61}+ x_{23}x_{60}+ x_{23}x_{58}+ x_{23}x_{58}x_{59}+ x_{23}x_{49}\\&+ x_{23}x_{48}+ x_{23}x_{33}+ x_{22}+ x_{22}x_{58}+ x_{22}x_{51}+ x_{22}x_{49}x_{50}\\&+ x_{22}x_{48}+ x_{22}x_{46}x_{47}+ x_{22}x_{36}+ x_{22}x_{34}x_{35}+ x_{22}x_{24}+ x_{21}x_{76}\\&+ x_{21}x_{74}x_{75}+ x_{21}x_{66}+ x_{21}x_{62}+ x_{21}x_{61}+ x_{21}x_{60}x_{61}\\&+ x_{21}x_{59}x_{60}+ x_{21}x_{58}+ x_{21}x_{51}+ x_{21}x_{49}x_{50}+ x_{21}x_{47}x_{48}\\&+ x_{21}x_{36}+ x_{21}x_{35}+ x_{21}x_{34}+ x_{21}x_{34}x_{35}+ x_{21}x_{24}+ x_{21}x_{22}\\&+ x_{20}x_{61}+ x_{20}x_{59}x_{60}+ x_{20}x_{57}+ x_{20}x_{34}+ x_{18}+ x_{18}x_{70}\\&+ x_{18}x_{68}x_{69}+ x_{18}x_{43}+ x_{17}x_{57}+ x_{17}x_{57}x_{61}+ x_{16}x_{57}+ x_{15}x_{16}x_{57}\\&+ x_{14}+ x_{14}x_{66}x_{80}+ x_{14}x_{66}x_{78}x_{79}+ x_{14}x_{64}x_{65}x_{80}\\&+ x_{14}x_{64}x_{65}x_{78}x_{79}+ x_{14}x_{53}x_{66}+ x_{14}x_{53}x_{64}x_{65}+ x_{14}x_{39}x_{80}\\ \end{aligned}$$

$$\begin{aligned}&\quad + x_{14}x_{39}x_{78}x_{79}+ x_{14}x_{39}x_{53}+ x_{14}x_{15}x_{57}+ x_{11}x_{61}\\&\quad + x_{11}x_{58}x_{61}+ x_{11}x_{57}x_{61}+ x_{11}x_{24}x_{61}+ x_{10}+ x_{10}x_{61}\\&\quad + x_{9}+ x_{9}x_{77}+ x_{9}x_{76}+ x_{9}x_{75}+ x_{9}x_{75}x_{76}+ x_{9}x_{74}+ x_{9}x_{74}x_{75}+ x_{9}x_{73}x_{74}\\&\quad + x_{9}x_{72}x_{73}+ x_{9}x_{68}+ x_{9}x_{66}+ x_{9}x_{66}x_{67}+ x_{9}x_{61}+ x_{9}x_{59}x_{60}\\&\quad + x_{9}x_{59}x_{60}x_{62}+ x_{9}x_{59}x_{60}x_{61}+ x_{9}x_{58}+ x_{9}x_{57}+ x_{9}x_{50}+ x_{9}x_{47}\\&\quad + x_{9}x_{47}x_{48}+ x_{9}x_{46}x_{47}+ x_{9}x_{41}+ x_{9}x_{36}+ x_{9}x_{35}\\&\quad + x_{9}x_{35}x_{61}+ x_{9}x_{35}x_{59}x_{60}+ x_{9}x_{34}+ x_{9}x_{34}x_{62}\\&\quad + x_{9}x_{34}x_{60}x_{61}+ x_{9}x_{34}x_{35}+ x_{9}x_{32}+ x_{9}x_{22}+ x_{9}x_{21}+ {x_{8}}+ x_{7}\\&\quad + x_{7}x_{57}+ x_{6}x_{57}+ x_{5}x_{6}+ x_{5}x_{6}x_{57}+ x_{4}x_{73}+ x_{4}x_{71}x_{72}+ x_{4}x_{67}+ x_{4}x_{65}x_{66}\\&\quad + x_{4}x_{46}+ x_{4}x_{40}+ x_{4}x_{30}x_{57}+ x_{4}x_{28}x_{29}x_{57}+ x_{3}x_{57}+ x_{3}x_{31}x_{57}\\&\quad + x_{3}x_{29}x_{30}x_{57}+ x_{3}x_{4}x_{57} \end{aligned}$$

Table 11 Detailed results for superpoly against 840-round Trivium

Table 12 Detailed results for superpoly against 841-round Trivium

Model for Modified Three-Subset Division Property for Components of Grain-128AEAD

Model for Modified Three-Subset Division Property for Components of ACORN

Detailed Result for Cube Attacks against ACORN

Table 13 Detailed result for superpoly for 773-round ACORN

Table 14 Detailed result for superpoly for 774-round ACORN

Table 15 Detailed result for superpoly for 775-round ACORN