Improved Attack on Full-round Grain-128

Transcription

1 Improved Attack on Full-round Grain-128 Ximing Fu 1, and Xiaoyun Wang 1,2,3,4, and Jiazhe Chen 5, and Marc Stevens 6, and Xiaoyang Dong 2 1 Department of Computer Science and Technology, Tsinghua University, Beijing , China 2 Institute for Advanced Study, Tsinghua University, Beijing , China xiaoyunwang@mail.tsinghua.edu.cn 3 School of Mathematics, Shandong University, Jinan , China 4 Key Laboratory of Cryptologic Technology and Information Security, Ministry of Education, Shandong University, Jinan , China, 5 China Information Technology Security Evaluation Center, Beijing , China, 6 Centrum Wiskunde & Informatica, Amsterdam, The Netherlands Keywords: Stream ciphers, Grain-128, Polynomial reduction, IV representation, Dynamic cube attack Abstract. In this paper, we propose a series of techniques that can be used to determine the missing IV terms of a complex multivariable Boolean polynomial. Using these techniques, we revisit the dynamic cube attack on Grain-128. Based on choosing one more nullified state bit and one more dynamic bit, we are able to obtain the IV terms of degree 43, combined with various of reduction techniques, fast discarding monomial techniques and IV representation technique for polynomials, so that the missing IV terms can be determined. As a result, we improve the time complexity of the best previous attack on Grain-128 by a factor of Moreover, our attack applies to all keys. 1 Introduction Most cryptanalytic problems of symmetric ciphers can be reduced to the problem of solving large non-linear multivariate polynomial systems. This problem is NPcomplete [?,?]. Solving the system using linearization or relinearization methods directly will result in space and time complexities that are beyond the power of current computers. As a result, algebraic attacks such as cube attack [?], cube tester [?,?] and dynamic cube attack [?] were proposed in order to reduce the complexities. Stream cipher Grain-128 [?] is a refined version of Grain scheme ciphers, one of the finalists of estream Project. The output bit is a high degree Boolean function over initial vector (IV) bits and key bits. Since the proposal of Grain-128, a number of cryptanalytic results have been presented in the literatures. Fischer et al. applied the statistical analysis to recover the key of reduced Corresponding author.

2 Grain-128 up to 180 out of 256 iterations with a complexity slightly better than brute force [?]. They pointed out that Grain-128 may be immune to this attack due to the very high degree of the output polynomial. Knellwolf et al. proposed the conditional differential cryptanalysis on NFSR-based stream ciphers including Grain scheme ciphers [?]. Conditional differential cryptanalysis exploited the message modification technique introduced in [?,?], which controlled the diffusion by controlling the plaintexts. It was applied to recover 3 bit s key of the Grain-128 reduced to 213 rounds with a probability up to 0.59 and distinguish Grain-128 reduced to 215 rounds from random primitives [?]. Another message controlling method is to nullify some state bits which may be more important than the others for reducing the degree or enhancing the density. After nullifying some state bits, the representation of the output bit with IV bits can be simplified; and the output bit becomes nonrandom. This technique is called dynamic cube attack which combines the conditional differential and cube tester. With dynamic cube attack, Dinur and Shamir [?] proposed two key-recovery attacks on reduced-round Grain-128 for arbitrary keys and an attack on the full Grain- 128 that holds for 2 10 of the key space. Furthermore, Dinur et al. [?] improved the dynamic cube attack on full Grain-128, and tested the main component with a dedicated hardware. Their experimental results showed that for about 7.5% of the keys, the proposed attack beat the exhaustive search by a factor of In this paper, we further improve the attack in [?] by obtaining the missing IV terms. Our Contributions. The contributions of this paper are five fold. Firstly, we exploit the nullification technique introduced in [?] and improve the nullification by a better choice of nullified state bits and a carefully selected nullification of IV bits. Secondly, we give several fast discarding monomial techniques for Boolean functions in order to reduce the number of terms we need to process. Thirdly, with the aforementioned techniques, we mathematically compute the IV terms of degree 43, combined with IV representation technique. The major difference between our attack and the previous dynamic cube attacks is that we focus on obtaining the IV terms mathematically instead of choosing the suitable (sub)cubes with testing technique. Finally, we present an attack with a complexity 2 16 faster than the best result before. In this way, our method not only improves the previous attacks but also can naturally be applied to all keys. So the successful ratio of our attack is 100%. Due to the difference, we also simplified the attack procedure of the dynamic cube attack. Briefly, our attack can be decomposed to the following phases: 1. Determine the dynamic variables, state/iv bits to be nullified, as well as the key bits to be guessed. Calculate the IV terms of degree 43 afterwards. The cube can be chosen freely from those disappeared IV terms. This is the preprocessing phase of the attack. However, most of the dedicated work in this paper contributes to this phase. In this phase, we use various techniques to obtain the exact IV terms. We exploit degree evaluation, degree reduction and low-frequency IV bits, which help discard monomials dramatically. We also use IV representation to compute the IV terms of degree 43. 2

3 2. Guess the key bits, and get the output bits with IVs chosen according to the principle in the previous phase. The summation of the output bits over the cube can be used as a distinguisher since for the correct key the summation will always be 0, while for wrong keys 0 and 1 are supposed to occur with the same probability. This is the only on-line phase of our attack. The time complexity of our attack is about 2 74 cipher executions, which is applicable to all keys of Grain128. The details of our attack will be demonstrated in the rest of the paper. In Section??, the outline of Grain-128 and basic concepts of Boolean functions will be introduced. The related techniques including cube attacks/tester, dynamic cube attack and nullification will be introduced in Section??. In Section??, we will show the outline of our attack. Then the preprocessing phase of our attack will be presented in Section??, followed by the online attack in Section??. Next, we show an example of Grain128 reduced to 191 to illustrate our attack process in Section??. Finally, Section?? summarizes the paper. 2 Preliminaries In this section, we will first briefly introduce Grain-128, followed by the basic concepts about Boolean functions. 2.1 Notations ANF the Algebraic Normal Form IV bit public variables of Grain IV term product of certain IV bits state bit internal state bit in the initialization of Grain stream cipher state term product of certain state bits, IV bits or key bits 2.2 Outline of Grain-128 The state of Grain-128 is represented by a 128-bit linear feedback shift register (LFSR) and a 128-bit nonlinear feedback shift register (NFSR). The feedback function of the LFSR and NFSR are defined as s i+128 =s i + s i+7 + s i+38 + s i+70 + s i+81 + s i+96, b i+128 =s i + b i + b i+26 + b i+56 + b i+91 + b i+96 + b i+3 b i+67 + b i+11 b i+13 + b i+17 b i+18 + b i+27 b i+59 + b i+40 b i+48 + b i+61 b i+65 + b i+68 b i+84. The output function is z i =b i+2 + b i+15 + b i+36 + b i+45 + b i+64 + b i+73 + b i+89 + s i+93 + b i+12 s i+8 + s i+13 s i+20 + b i+95 s i+42 + s i+60 s i+79 + b i+12 b i+95 s i+95. During the initialization step, the 128-bit key is loaded into the NFSR and 96 bits of IV are loaded into the LFSR, with the other IV bits setting to 1. The state runs 256 rounds with the output feeding back, and the first output bit is z 257. For the detail of Grain-128, we refer to [?]. 3

4 2.3 Boolean Polynomial The output bit and internal state bits of symmetric cryptosystem can be described as a Boolean function of the public variables and private variables, which can be applicable to all symmetric ciphers. For stream ciphers, the public variables are often IV while the private variables are keys. Supposing that there are m IV bits, i.e., v 0, v 1,..., v m 1 and n key bits, i.e., k 0, k 1,..., k n 1, the Algebraic Normal Form (ANF) of the internal state bit s could be written as the following style: v i k j, (1) s = I,J i I where the sum operation is over filed F 2. The i I v i j J k j is denoted as a state term of s and i I v i is denoted as its corresponding IV term. Let IV term t I = i I v i be the multiplication of v i whose indices are within I, the ANF of s can be rewritten as j J s = I t I g I (k), (2) where g I (k) is the sum of corresponding coefficient function of terms whose corresponding IV term is t I, i.e. g I (k) = l 1 J 1 k l1 + l 2 J 2 k l2 + + l p J p k lp. The degree of s is deg(s) = max I {deg (t I )}. Property 1. (Repeat Property) In the ANF of s in Equ. (??), suppose two state terms are equal, i.e. i I v i j J k j = i I v i j J k j, then the ANF of state bit s is simplified by removing the two state terms. Property 2. (Cover Property) In Equ. (??), suppose there are two state terms T 1 = t I1 g I1 (k) and T 2 = t I2 g I2 (k). If I 1 I 2, we denote that the state term T 1 is covered by T 2. We delete the covered state term T 1 from s to get a new s. If T 1 = T 2, according to the repeat property, the two state terms should be removed from s. However, according to the cover property, T 2 is still in s. So deg(s ) deg(s). This property could help us estimate deg(s) efficiently. 3 Related Works In this section, the techniques related to our work will be introduced, including cube attack/tester, dynamic cube attack and nullification technique. 3.1 Cube Attack and Cube Tester Cube attack [?] exploits the IV terms whose coefficient is linear over key bits, and then retrieves the keys once enough independent linear functions are obtained, by solving linear equations. A methodology is proposed [?,?] to test if a coefficient is linear and which key bits are involved. 4

5 Cube attack and cube tester techniques can retrieve partial information about Boolean functions probabilistically, however maybe fail for some specific structures with high degrees. For example, if the coefficient function of key bits is k 0 + k 1 k 2 k 3 k 4 k 5 k 6 k 7, cube attack may return a linear function k 0 for less than 128 tests with random keys. In addition, if the coefficient function over key bits is k 1 k 2 k 3 k 4 k 5 k 6 k 7, the result of cube tester may be always 0 for less than 128 tests with random keys, so that it is determined that the IV term t I does not occur. 3.2 Dynamic Cube Attack In [?], Dinur and Shamir proposed the dynamic cube attack to recover the secret key by exploiting distinguishers obtained from cube testers, with application to Grain-128. In dynamic cube attack, some dynamic bits in the IV are determined by key bits are chosen to nullify some state bits so as to greatly simplify the output function. Then one expects to acquire certain nonrandom property which can be exploited by cube tester. The nonrandom property can be used as a distinguisher for key recovery. As mentioned in Section 1, the attack in [?] is an improvement of that in [?]. The dynamic cube attacks introduced and exploited in [?,?] are based on the nullification technique. The major difference between the two works is the different choices of nullified bits 7. As a consequence, we will detail the nullification technique in the next subsection. 3.3 Nullification Technique For Grain-128, the first output bit z 257 can be expresses by state bits as z 257 =b 269 b 352 s b 352 s s 317 s s 270 s b 269 s s b b b b b b b 259. b 269 b 352 s 352 is the most vital term for us because it comprises more high degree IV terms than the others. Similarly, the most vital terms of the ANF of b 269, b 352 and s 352 are b 153 b 236 s 236, b 236 b 319 s 319 and b 236 b 319 s 319 respectively. The common factor is b 236, so b 269, b 352, s 352 and z 257 can be simplified if nullifying b 236. But b 236 is too complex, i.e., b 236 =b 120 b 203 s b 203 s b 176 b s 168 s b 169 b b 148 b b 135 b b 125 b b 119 b b 111 b s 121 s b 120 s b s b b b b b b b b b b b Nullifying b 236 needs too many guessed key bits, so the scheme in [?] retrieved a subset of 2 10 of all possible keys by fixing 10 key bits to be zero. 7 The authors also experimentally verified the main component of the attack by a dedicated hardware in [?] 5

6 Another approach is to simplify b 236 by nullifying b 203, which is adopted by [?]. b 203 is still too complex to be nullified directly, i.e., b 203 =b 87 b 170 s b 170 s b 143 b s 135 s b 136 b b 115 b b 102 b b 92 b 93 + b 86 b 88 + b 78 b s 88 s 95 + b 87 s 83 + b s b b b b b b b b b 90 + b 77 + b 75 + s 75. In order to nullify b 203, one should first nullify b 170, b 159, b 138, s 135, b 136, b 134, b 133, and b 131. All of these bits but b 170 can be nullified directly by choosing IV bits. We know that b 170 =b 54 b 137 s b 137 s 84 + b 110 b s 102 s b 103 b b 82 b 90 + b 69 b b 59 b 60 + b 53 b 55 + b 45 b s 55 s 62 + b 54 s 50 + b s b b b b b 98 + b 87 + b 78 + b 68 + b 57 + b 44 + b 42 + s 42. In order to nullify b 170, b 137 can be nullified first by setting s 9 to be a dynamic value. In fact, b 170 can be nullified directly as well since its expression over IV and key bits can be obtained directly in a PC. However, nullification of b 137 can not only nullify b 170 but also simplify b 253 which contributes a lot to the degree and IV terms. The term b 143 b 159 can be nullified by nullifying either b 143 or b 159. The authors chose to nullify b 159 because it can help reduce b 275 whose ANF significant term is b 159 b 242 s 242. b 145, b 153 and b 176 are also nullified in order to simplify s 261, b 269 and b 292. The nullified state bits and dynamic IV bits of [?] are shown in??. Table 1. Nullification Scheme in [?] nullification b 131, b 133, b 134, s 135, b 136, b 137, b 138, b 145, b 153, b 159, b 170, b 176, b 203 dynamic bits s 3, s 5, s 6, s 77, s 8, s 9, s 10, s 17, s 25, s 31, s 42, s 83, s 1 4 Basic Ideas 4.1 Outline of Our Attack In this paper, our basic idea is to find the missing IV terms in the ANF of the first output bit z 257 of Grain128. For example, the output bit is polynomial p over six secret variables k 1, k 2,..., k 6 and five public variables v 1, v 2, v 3, v 4, v 5, as shown in??. p = k 1 k 2 v 1 v 2 v 3 v 4 v 5 + k 3 v 2 v 3 v 4 v 5 + k 5 v 1 v 3 v 4 v 5 + k 6 v 1 v 2 v 4 v 5 + k 2 v 1 v 2 v (3) 6

7 Obviously, the IV term v 1 v 2 v 3 v 4 does not exist in p. So we can construct cubesum distinguisher by setting v 5 = 0 and selecting cube C T = {v 1, v 2, v 3, v 4 }. Then the cube sum of p is always zero. So to determine the missing product of certain IV bits (missing IV term) is in fact a way to find the missing cube variables combination from a set of candidate cube variables, i.e. the five public variables. In our attack on Grain128, there are totally 96 public variables (IV bits), in order to reduce the ANFs of the internal state bits and then reduce the output polynomial, we study the nullification technique comprehensively and give a new nullification scheme, which includes: i. We use 14 dynamic variables to nullify 14 internal state bits. When comparing with Dinur et al. s nullification scheme, we use one more dynamic variable s 15 to nullify an additional internal state bit b 143. Thus there are 96-14=82 free public variables (IV bits) left. ii. Then calculate the frequency of occurrence of the 82 IV bits in the internal state bits and state terms. We nullify the high frequency IV bits to reduce the internal state bits and state terms as much as possible. We choose 36 IV bits to be nullified (set to zero). Then there are 82-36=46 free IV bits left. iii. Thus, we have to find the missing IV terms from a candidate cube set with size 46. In this paper, we are going to find the 43-degree missing IV terms in the output polynomial z 257. After determining the nullification scheme, we have to reduce the output polynomial z 257 in order to find the 43-degree missing IV terms. The procedures are as follows shown in??: Step 1. Initialize LFSR and NFSR with the new nullification scheme. We compute forward to express the ANF of some internal state bits over IV bits and key bits. Thus, b i and s i (0 i 222) are computed and their degrees are compute directly. Step 2. During the iteratively computing the ANF representation of the output bit z in the backward direction (decryption), we introduce the fast discarding monomial technique in Section??, which includes the following techniques: First, we propose the degree evaluation algorithm to obtain the degree bounds of internal state bits. As the monomials of z s ANF is a product of these internal state bits, the degree of a monomial is bounded by the sum of the degrees of the multiplied internal state bits, which is regarded as the degree estimation of the monomial. If the estimated degrees of monomials are lower than 43, they are discarded directly. Second, we find in Grain128 encryption scheme the high degree state terms are in the form of b i s i. We pre-compute the degree reductions of those products, which is d t = deg(b i ) + deg(s i ) deg(b i s i ). Thus, the degree of a monomial is upper bounded by difference value between the sum of the multiplied internal state bits and the corresponding degree reduction d t. If it is smaller than 43, the monomial is discarded. 7

8 Third, we find 7 low-frequency IV bits out of the 46 IV bits, which means that the 7 IV bits have less probability being involved in the internal state bits. We are going to find the 43-degree missing IV terms that contain the 7 low frequency IV bits. So if a monomial does not contain the 7 low-frequency IV bits simultaneously, we discard it. For detailed description, we refer to Section??. Step 3. For the left monomials of z s ANF, we introduce IV representation technique in Section?? to continue to discard monomials and finally find the 43-degree missing product of certain 43 IV bits (missing IV term). In IV representation technique, the symbolic key bits in the internal state bits are removed and only IV bits are left. We combine IV representation technique with the following two techniques: Combining with removing covered IV terms, we can simplify monomials without losing the degree information. It helps us to determine a more accurate upper bound degree of the monomials of z. And then if the degree of a monomial is smaller than 43, delete it. Combining with repeated IV term removing algorithm, we can simplify monomials of z s ANF without losing the missing IV term information. If we find an IV term is not in the IV representation of z, we can conclude that it is also not in z. Initialize by the new nullification scheme Forward Internal State bits ( k1,..., k128, v1,..., v96) i IV Representation Step 1 Step 3 x Internal State bits x i ' discarding monomials Step 2 z 257 Fig. 1. Framework of the Preprocessing Phase Thus, our attack includes two phases, which are the preprocessing phase and the online attack phase. In the preprocessing phase, we determine the 43-degree missing products of certain 43 IV bits (missing IV terms) in z 257, and select those 43-bit IV sets as cubes, which are summarised in??. In the online phase, we guess the key bits in the 14 dynamic variables, and compute the cube sums of the cubes produce in preprocessing phase: a. For the right key guessing, the coefficient is zero. Thus the cube sums must be zero. b. For the wrong key guessing, the output is random, the cube sums are not always zero. 8

9 5 Preprocessing Phase of the Attack on Full-round Grain New Nullification Scheme In Step 1 of??, we have to introduce a nullification scheme to initialize the state. We obtain the nullification scheme of state bits and the corresponding 14 dynamic IV bits in??. More details of the nullification are shown in??. Table 2. Our Nullification Scheme nullification b 131, b 133, b 134, s 135, b 136, b 137, b 138, b 143, b 145, b 153, b 159, b 170, b 176, b 203 dynamic bits s 3, s 5, s 6, s 77, s 8, s 9, s 10, s 15, s 17, s 25, s 31, s 42, s 83, s 1 In??, the first column are the state bits to be nullified and the second column are the corresponding equations. The third column are the subkey bits guessed for nullifications. For example, in order to nullify b 131, we just need to set s 3 to b 15 b 98 +b 98 s 45 +b 71 b 87 +s 63 s 82 +b 64 b 68 +b 43 b 51 +b 30 b 62 +b 20 b 21 +b 14 b 16 +b 6 b 70 + s 16 s 23 +b 15 s 11 +b 99 +b 94 +b 92 +b 76 +b 67 +b 59 +b 48 +b 39 +b 29 +b 18 +b 5 +b 3 +1, where b 98 and b 15 underlined are the key bits guessed. Besides these two bits, one expression on key bits indicated by, that is b 15 b 98 + b 71 b 87 + b 64 b 68 + b 43 b 51 + b 30 b 62 + b 20 b 21 + b 14 b 16 + b 6 b 70 + b 99 + b 94 + b 92 + b 76 + b 67 + b 59 + b 48 + b 39 + b 29 + b 18 + b 5 + b 3 should be guessed. Hence, three bits need to be guessed to nullify b 131. Totally, 40 bits should be guessed for nullifying the state bits in Table??. After setting 14 dynamic IV bits, there are 96-14=82 free IV bits left. We calculate the frequency of occurrence of the 82 IV bits in the internal state bits and state terms. We nullify the high frequency IV bits to reduce the internal state bits and state terms as much as possible. We choose 36 IV bits shown in?? to be nullified (set to zero). There are 82-36=46 free IV bits left. After the initialization of Step 1 in??. We are going to determine the 43- degree missing IV terms. It is divided into two steps as shown in??: Step 2, Fast Discarding Monomials; Step 3, IV Representation. The two steps are shown in??. 5.2 Fast Discarding Monomials After initializing the states in??, we are going to iteratively compute and reduce z 257 in Step 2. In each iteration, many state terms of z 257 are produced. There are 46 free IV bits left and we will find missing IV terms of degree 43. We introduce the following three ways to discard monomials fast shown in??: Removing state terms according to degree evaluation; 9

10 Table 3. Nullification Scheme Nullified bitsequations for nullification Subkey bits guessed s 1 = b 115 b b 92 b 93 + b 86 b 88 + s 88 s 95 + b 87 s 83 + b 111 b b 104 b b 83 b 91 + b 48 b 87, b 52, b 115, b 96, +b 60 b 61 + b 54 b 56 + b 46 b s 56 s 63 + b b 99 + b 88 + b 79 + b 58 + b 45 + b 43 + s 14 s 21 b 13, b 203 +s 43 + b 52 s 48 + b b b 85 + b 55 + b 42 + s 78 + s 47 + s 40 + b 106 b b 99 b b 5 +b 78 b 86 + b 65 b 97 + b 55 b 56 + b 49 b 51 + b 41 b b 50 s 46 + b b 83 + b 64 + b 53 + b 96 s 43 +b 40 + b 104 b b 97 b b 76 b 84 + b 63 b 95 + b 53 b 54 + b 47 b 49 + b 39 b b s 3 b 13 b 96 +b b 90 + b b b b 92 + b 81 + b 72 + b 62 + b 51 + b 36 + b 77 + b 75 + s 82 +s 75 + b 32 b b 115 s 62 + b 88 b s 80 + b 81 b 85 + b 60 b 68 + b 47 b 79 + b 37 b 38 + s 39 + s 8 +b 31 b 33 + b 23 b 87 + b b b 93 + b 84 + b 76 + b 65 + b 56 + b 46 + b 70 b b 16 + b 3 +b 35 + b 22 + b 20 + b 100 s 47 + s 18 s 25 + b 17 s 13 + b 78 + b 50 + b 41 + b 13 s 9 + s 94 + b 90 + b 65 +b 20 + b 7 + s 86 + s 43 + s 12 + s 5 b 15 b 98 + b 98 s 45 + b 15 s 11 + b 92 + b 67 + b 46 + b 37 + b 18 +b 39 + s 73 + s 10 s 83 = s 48 + b 48 + b 74 + b s 11 + b 11 + b 37 + b 67 + b 14 b 78 + b 22 b 24 + b 28 b 29 + b 38 b 70 b 23, b 111, b 16 b 116, +b 51 b 59 + b 72 b 76 + b 79 b 95 + b 13 + b 26 + b 47 + b 56 + b 75 + b s 19 b 23 + b 23 b b 16 b 25, b 99 b 116, +b 42 + b 72 + b 19 b 83 + b 27 b 29 + b 33 b 34 + b 43 b 75 + b 56 b 64 + b 77 b 81 + b 84 b b 18 + b 31 +b 52 + b 61 + b 80 + b 89 + b b 28 b s 58 b b 51 b b 59 b 61 + b 65 b 66 + b 75 b 107 b 176 +b 88 b 96 + b 109 b s 4 b b 4 b b 30 b b 60 b b 95 b b 100 b 116 +b 7 b 71 b b 15 b 17 b b 21 b 22 b b 31 b 63 b b 44 b 52 b b 65 b 69 b 116 +b 72 b 88 b b 6 b b 19 b b 40 b b 49 b b 68 b b 77 b b 93 +b 93 b s 12 b 16 b b 16 b 99 b b s 46 b 99 b b 50 + b 63 + b s 13 +b 15 + b 28 + b 49 + b 58 + b 77 + b 86 + s 21 b 25 + b 25 b s 73 s b s 42 = b 110 b b 103 b b 82 b 90 + b 69 b b 59 b 60 + b 53 b 55 + b 45 b s 55 s b 54 s 50 + b b b 98 + b 87 + b 78 + b 68 + b 57 + b 44 + b b 159 +b 34 b 98 + s 44 s 51 + b 43 s 39 + b b b b b 95 + b 87 + b 76 + b 67 + b 57 + b 46 s 31 = b 43 b b 126 s 73 + b 99 b s 91 + b 92 b 96 + b 71 b 79 + b 58 b 90 + b 48 b 49 + b 42 b 44 b 43,b 126, +b 33 + b b 153 +b 36 b 38 + b b 28 b 92 + s 38 s 45 + b 37 s 33 + b b b 98 + b 89 + b 81 + b 70 s 25 = b 37 b b 120 s 67 + b 93 b s 85 + b 86 b 90 + b 65 b 73 + b 52 b 84 + b 42 b 43 +b 61 + b 51 + b 40 + b 27 + b b 145 +b 28 b 30 + b 20 b 84 + s 30 s 37 + b 29 s 25 + b b b b 90 s 17 = b 29 b b 112 s 59 + b 85 b s 77 + b 78 b 82 + b 57 b 65 + b 44 b 76 + b 34 b 35 b 29, b 112, +b 81 + b 73 + b 62 + b 53 + b 43 + b 32 + b 19 + b b 143 +b 26 b 28 + b 18 b 82 + s 28 s 35 + b 27 s 23 + b b b b 88 + b 79 s 15 = b 27 b b 110 s 57 + b 83 b 99 + s 75 s 94 + b 76 b 80 + b 55 b 63 + b 42 b 74 + b 32 b 33 b 27, b 110, +b 71 + b 60 + b 51 + b 41 + b 30 + b 17 + b b 138 +b 21 b 23 + b 13 b 77 + s 23 s 30 + b 22 s 18 + b b b 99 + b 83 + b 74 s 10 = b 22 b b 105 s 52 + b 78 b 94 + s 70 s 89 + b 71 b 75 + b 50 b 58 + b 37 b 69 + b 27 b 28 b 22, b 105, +b 66 + b 55 + b 46 + b 36 + b 25 + b 12 + b b 137 +b 20 b 22 + b 12 b 76 + s 22 s 29 + b 21 s 17 + b b b 98 + b 82 + b 73 s 9 = b 21 b b 104 s 51 + b 77 b 93 + s 69 s 88 + b 70 b 74 + b 49 b 57 + b 36 b 68 + b 26 b 27 b 21, +b 65 + b 54 + b 45 + b 35 + b 24 + b 11 + b b 136 +b 19 b 21 + b 11 b 75 + s 21 s 28 + b 20 s 16 + b b 99 + b 97 + b 81 + b 72 + b 64 s 8 = b 20 b b 103 s 50 + b 76 b 92 + s 68 s 87 + b 69 b 73 + b 48 b 56 + b 35 b 67 + b 25 b 26 +b 53 + b 44 + b 34 + b 23 + b 10 + b s s 77 = b 19 b b 102 s 49 + s 67 s 86 + s 20 s 27 + b 19 s 15 + b 96 + s 88 b 19, b 102, 135 +b 80 + s 7 + b 71 + b 52 + s 45 + b 43 + b 22 + s 14 + b 9 b 134 +b 17 b 19 + b 9 b 73 + s 19 s 26 + b 18 s 14 + b b 97 + b 95 + b 79 + b 70 + b 62 s 6 = b 18 b b 101 s 48 + b 74 b 90 + s 66 s 85 + b 67 b 71 + b 46 b 54 + b 33 b 65 + b 23 b 24 b 101, +b 51 + b 42 + b 32 + b 21 + b 8 + b b 133 +b 16 b 18 + b 8 b 72 + s 18 s 25 + b 17 s 13 + b b 96 + b 94 + b 78 + b 69 + b 61 s 5 = b 17 b b 100 s 47 + b 73 b 89 + s 65 s 84 + b 66 b 70 + b 45 b 53 + b 32 b 64 + b 22 b 23 b 17, b 100, +b 50 + b 41 + b 31 + b 20 + b 7 + b b 131 +b 14 b 16 + b 6 b 70 + s 16 s 23 + b 15 s 11 + b 99 + b 94 + b 92 + b 76 + b 67 s 3 = b 15 b 98 + b 98 s 45 + b 71 b 87 + s 63 s 82 + b 64 b 68 + b 43 b 51 + b 30 b 62 + b 20 b 21 b 15, b 98, +b 59 + b 48 + b 39 + b 29 + b 18 + b 5 + b Each in this table indicates a different expression of partial key bits. 10

11 nullified bits Table 4. Nullified IV Bits s14, s16, s20, s22, s23, s24, s28, s30, s32, s33, s35, s36, s38, s41, s44, s50 s 51, s 53, s 55, s 56, s 61, s 64, s 67, s 68, s 69, s 70, s 71, s 75, s 76, s 79, s 81, s 82 s 84, s 85, s 86, s 94 State Terms Fast Discarding Monomials Degree Evaluation Degree Reduction Using Low-frequency IV Bits Step 2 IV Representation Cover Property Step 3 IV Representation Repeat (Algorithm 3) 43-degree IV Term Table FFFFFFFFFF EFFFFFFFFF DFFFFFFFFF Left State Terms Deleted State Terms Fig. 2. Framework of Our Work Removing state terms according to degree reduction; Removing the state terms that do not contain all the 7 low-frequency IV bits. Degree Evaluation Since we are determining the 43-degree missing IV terms, the state terms of z 257 with degree less than 43 are removed without consideration, because they do not contain those 43-degree IV terms certainly. The exact degrees of state bits b i and s i for i [0, 222] can be obtained in a PC and are shown in Table??. The degrees of b i for 0 i < 128 and s j for 96 j < 128 is 0 as they are constant. In order to obtain the degree of state bit b r or s r for r > 222, we decompose the state bits until the state bits are the product of state bits b i and s j for i < end and j < end. Obviously, we will get a more accurate estimation, if we choose a smaller value for end 8. However, the smaller the end is, the more computing resource we will need. In the cryptanalysis of Grain128, we choose 8 Suppose we are going to estimate the degree of b i = b i 3 + b i 1b i 2. deg(b i) = deg(b i 3 + b i 1b i 2) = max{deg(b i 3), deg(b i 1b i 2)} max{deg(b i 3), deg(b i 1) + deg(b i 2)} (4) 11

12 Table 5. Degree of partial state bits i deg(s i) i deg(s i) i deg(s i) i deg(s i) i deg(s i) i deg(s i) i deg(s i) i deg(s i) i deg(b i) deg(s i) i deg(b i) deg(s i) i deg(b i) deg(s i) i deg(b i) deg(s i) i deg(b i) deg(s i) i deg(b i) deg(s i) i deg(b i) deg(s i) i deg(b i) deg(s i)

13 end = r 66 for tradeoff. We estimate the degree upper bound for b 223 as an example, where end = = 157: a) First, we express b 223 = b 95 + b b b b s 95 + b 98 b b 106 b b 112 b b 122 b b 135 b b 156 b b 163 b b 97 + b b 131 +b 140 +b 159 +b 168 +b 184 +s 188 +b b 190 s 137 +s 155 s 174 +b 107 b 190 s 190 according to the iterative function of Grain128. b) According to Table?? highlighted in red, initialize d = max{deg(b 151 ), deg(b 186 ), deg(b 191 ), deg(s 95 ), deg(b 162 ), deg(b 154 ), deg(b 156 )+deg(b 160 ), deg(b 163 )+deg(b 179 ), deg(deg(b 140 ), deg(b 168 ), deg(b 184 ), deg(s 188 ), deg(b 190 )+deg(s 137 ), deg(s 155 )+ deg(s 174 ), deg(b 190 )+deg(s 190 )} = max{2, 2, 2, 1, 3, 2, 1+2, 3+2, 2, 2, 3, 3, 2+1, 2+3, 2+ 2} = 5. The other state terms are discarded directly because their degrees are zeros. c) Discarding the state terms of degree lower than d = 5, we get b 223 = b 163 b 179 +s 155 s 174. Iteratively compute b 223 and discard state terms with degree lower than 5, we get b 223 = b 47 b 130 b 142 s 130 +b 47 b 130 b 140 s 130 +b 47 b 130 b 146 s 93 s b 47 b 63 b 130 b 146 s 130 s b 141 s 88 s b 58 b 141 s 141 s 155. d) Note that there is no state bit in round that is bigger than end=157, the expression ends and there are still state terms that survive. Then the current degree d = 5 is the estimated degree of b 223. e) Note that, if there is no state item in b 223 surviving, which means the degree must be less than 5. We reset d = 4 and continue the above steps c) to d) to get a more accurate degree bound. We summarise the above 5 steps as Algorithm?? and the degrees of state bit b r or s r for 223 r 320 are shown in??. Using degree evaluation to discard state terms in advance. As the monomials of z 257 s ANF is a product of these internal state bits, the degree of a monomial is bounded by the sum of the degrees of the multiplied internal state bits, which is regarded as the degree estimation of the monomial. If the degree estimation of the monomial is smaller than 43, we delete the monomial directly. For example, if deg(b i s i ) DEG(b i ) + DEG(s i ) < 43, delete b i s i. If DEG(b i ) + DEG(s i ) 43, continue to consider degree reduction in the following section. Degree Reduction According to the observation of Grain128 encryption scheme, the high degree state terms are in the form of b i s i. Define the degree reduction If we continue to decompose b i, we find b i 1b i 2 = (b i 4 + b i 2b i 3)(b i 5 + b i 3b i 4) = b i 4b i 5 + b i 3b i 4 + b i 2b i 3b i 5 + b i 2b i 3b i 4, (5) If deg(b i 1) = deg(b i 2b i 3) and deg(b i 2) = deg(b i 3b i 4), then in??, deg(b i 1) + deg(b i 2) may add deg(b i 3) twice. So in order to obtain a more accurate degree estimation, we are willing to decompose b i for several rounds backwards. 13

14 Algorithm 1 Degree Evaluation Algorithm (DEG) of State Bit Input: The value r which indicates the state bit b r. Output: DEG(b r)=d. 1: Initialize the degree bound d similar to step b) of the above example, the end point end and the number of state terms len 0. 2: while len = 0 do 3: Iteratively express b r using state bits in rounds less than end. During each expression, discard the state terms of degree lower than d. Let len be the number of remaining state terms. 4: if len = 0 then 5: d d 1 6: end if 7: end while 8: Return d Table 6. Degree Estimation of State Bits i DEG(b i) DEG(s i) i DEG(b i) DEG(s i) i DEG(b i) DEG(s i) i DEG(b i) DEG(s i) i DEG(b i) DEG(s i) i DEG(b i) DEG(s i) i DEG(b i) DEG(s i) i DEG(b i) DEG(s i) i DEG(b i) DEG(s i)

15 d r t as d r t = deg(b r ) + deg(s r ) deg(b r s r ). (6) The degree reduction can be obtained using Algorithm??. For Algorithm??, we choose end = r 48 considering the efficiency tradeoff of the computation. Algorithm 2 Degree Reduction Algorithm of State Term Input: The value r which indicates the state term degree reduction. Output: The degree reduction d t = DEG(b r) + DEG(s r) deg(b rs r). 1: Initialize the degree bound d = DEG(b r) + DEG(s r), degree reduction d t = 0, end point end and number of survived state terms len. 2: while len = 0 do 3: Express the state term b rs r using state bits in rounds less than end, discard the state terms of degree lower than d d t. Let len be the number of remaining state terms. 4: if len = 0 then 5: d t d t + 1 6: end if 7: end while 8: Return d t The degree reduction can help discard state terms of lower degree dramatically, as it can help predict the change of degree before expression operation. We take the state term b 223 s 223 as an example to illustrate the process to compute the degree reduction d t. Algorithm?? is first used to obtain the degree of state bits as shown in Table?? and??. Let end be = 175. The degree bound d is initialized as d = DEG(b 223 )+DEG(s 223 ) = 10 shown in?? and d t = 0. Express the b 223 s 223 discard the state terms of degree lower than d d t = d, there is 1 state term surviving, i.e., b 163 b 179 s 155 s 174. Continue to compute iteratively, the remaining 5 state terms are b 142 b 163 s 155 s b 140 b 163 s 155 s b 146 b 163 s 93 s 155 s b 163 s 130 s 155 s b 63 b 146 b 163 s 146 s 155 s 174. There is no state bits in rounds more than 175 in all the state terms, hence the expression ends. Degree reduction d t = 0 is returned. The degree reduction of b i s i for i [0, 222] can be obtained directly in?? as the degrees of b i s i, b i and s i can be determined exactly. Degree reductions of b i s i for i [223, 320] are given by?? and shown in??. Using degree reduction to discard state terms in advance. The degree of a monomial is upper bounded by difference value between the sum of the multiplied internal state bits and the corresponding degree reduction d t. For example, reconsider monomial b i s i, if DEG(b i )+DEG(s i ) > 43, degree evaluation introduced in?? could not delete monomial b i s i. Thus, according to degree reduction, deg(b i s i ) DEG(b i ) + DEG(s i ) d i t, if it is smaller than 43, delete b i s i. If not, continue to use low-frequency IV bits in the following section to delete monomials. 15

16 Table 7. Degree Reduction for Partial State bits i d i t i d i t i d i t i d i t Table 8. Degree Reduction of State Terms i d i t i d i t i d i t i d i t i d i t i d i t i d i t i d i t i d i t

17 Low-frequency IV Bits In our nullification scheme, 36 IV bits are nullified (set to zeros). There are remaining 46 IV bits. By testing the frequency of the occurrence of the 46 IV bits in the internal state bits of b 128 to b 222 and s 128 to s 222, we find out 7 IV Bits, who appear in the internal state bits or terms with lower frequency than others. We list the 7 IV Bits in??, along with the state bits containing those 7 IV Bits. Here, we illustrate how to exploit the 7 low-frequency bits to help discard monomials. We are finding 43-degree missing IV terms in the output polynomial z 257. In order to discard monomials, we add the conditions that, the 43-degree missing IV terms must contain all the 7 low-frequency bits. That means, the corresponding 43-dimension cube contains the 7 IV bits as cube variables. Thus, we do not need to consider the monomials that do not contain all the 7 lowfrequency bits. Those monomials could be deleted in advance. For example, express z 257 using internal state bits b i and s i i [128, 222]. Suppose b 135 b 218 s 218 is a monomial of z 257, however s 80 is not in b 135, b 218, or s 218, thus the monomial b 135 b 218 s 218 must not contain s 80. So we delete this monomial. 5.3 IV Representation In??, after Step 2, we introduce IV representation to study each left monomials. In the cryptanalysis of stream ciphers, the output is a Boolean function over key and IV bits. But obtaining the exact expression is hard, then the IV representation technique is proposed to reduce the computing complexity. Definition 1. (IV representation) Given a state bit s = I,J the IV representation of s is s IV = I i I v i. i I v i j J k j, For example, if a Boolean polynomial is s = v 0 k 1 + v 0 k 0 k 2 + v 1 k 1 k 2 + v 0 v 1 k 2, then its IV representation is s IV = v 0 + v 0 + v 1 + v 0 v 1. IV representation with repeated IV terms Removing Algorithm Due to the neglection of key bits, there are lots of repeated IV terms. According to Property??, repeated state terms should be removed to simplify the polynomial. However, it is different when the polynomial is in IV representation. In the above example, after removing repeated IV terms of s IV, the result should be v 0 + v 1 + v 0 v 1, instead of v 1 + v 0 v 1 given by Property??. Here we give the Algorithm?? to remove the repeated IV terms of s IV. This algorithm is based on a Hash function. First, an empty hash set is initialized. For each IV term T i, compute the hash value as H(T i ) (Line 3), then determine if T i is already in H. If not, then insert T i into H (Lines 4-5). Property 3. If we find an IV term is not in s IV, we can conclude that it is also not in s. 17

18 Table 9. Low frequency bits low-frequency corresponding state bits bits b 128, s 128, b 160, s 160, b 161, s 161, b 163, s 163, b 165, s 165, b 167, s 167, b 172, s 172, s 175, b 177, s 177, b 183, s 183, s 186, b 188, s 188, b 189, s 189, b 191, s 191, b 193, s 193, s 0 b 194, s 194, b 195, s 195, b 196, s 196, b 197, s 197, b 198, s 198, b 200, s 200, b 202, s 202, b 204, s 204, b 205, s 205, b 206, s 206, b 207, s 207, b 208, s 208, b 209, s 209, b 210, s 210, b 211, s 211, b 212, s 212, b 214, s 214, b 216, s 216, s 218, b 219, s 219, b 220, s 220, b 221, s 221, b 222, s 222 b 130, s 130, b 162, s 162, b 163, s 163, b 165, s 165, b 167, s 167, b 169, s 169, b 174, s 174, s 177, b 179, s 179, b 185, s 185, s 188, b 190, s 190, b 191, s 191, b 193, s 193, b 195, s 195, s 2 b 196, s 196, b 198, s 198, b 199, s 199, b 200, s 200, b 202, s 202, b 204, s 204, b 206, s 206, b 207, s 207, b 208, s 208, b 209, s 209, b 210, s 210, b 211, s 211, b 212, s 212, b 213, s 213, b 214, s 214, b 216, s 216, b 218, s 218, s 220, b 221, s 221, b 222, s 222 b 157, s 157, s 158, b 165, s 165, b 189, s 189, b 190, s 190, b 191, s 191, b 192, s 192, b 193, s s 193, b 194, s 194, b 196, s 196, b 197, s 197, b 198, s 198, b 200, s 200, b 201, s 201, b 202, 37 s 202, b 204, s 204, s 205, s 206, b 209, s 209, b 212, s 212, b 214, s 214, s 215, s 216, b 217, s 217, b 218, s 218, b 220, s 220, b 222, s 222 s 133, b 163, s 163, s 164, s 165, b 168, s 168, b 171, s 171, s 180, b 182, s 182, s 191, b 195, s 195, b 196, s 196, b 197, s 197, b 198, s 198, b 199, s 199, b 200, s 200, b 201, s 201, b 202, s 43 s 202, b 204, s 204, b 205, s 205, b 206, s 206, b 207, s 207, b 208, s 208, b 210, s 210, b 211, s 211, b 212, s 212, b 213, s 213, b 214, s 214, b 215, s 215, b 217, s 217, b 218, s 218, b 219, s 219, b 221, s 221 b 146, s 146, s 150, b 178, s 178, b 179, s 179, b 180, s 180, b 181, s 181, s 182, b 183, s 183, b 185, s 185, b 188, s 188, b 190, s 190, s 193, s 197, b 199, s 199, b 201, s 201, s 204, b 206, s 60 s 206, b 207, s 207, s 208, b 209, s 209, b 211, s 211, b 212, s 212, b 213, s 213, b 214, s 214, b 215, s 215, b 216, s 216, b 217, s 217, b 218, s 218, b 219, s 219, b 220, s 220, b 221, s 221, b 222, s 222 b 129, s 129, s 138, b 148, s 148, b 161, s 161, b 162, s 162, b 164, s 164, b 166, s 166, b 168, s 168, b 173, s 173, s 176, b 178, s 178, b 180, s 180, b 181, s 181, b 183, s 183, b 184, s 184, s 80 b 185, s 185, s 187, b 188, s 188, b 190, s 190, b 192, s 192, b 194, s 194, b 195, s 195, s 196, b 197, s 197, b 198, s 198, b 199, s 199, b 200, s 200, b 201, s 201, s 203, b 205, s 205, b 206, s 206, s 207, b 222, s 222 s 137, s 148, b 158, s 158, s 169, b 172, s 172, b 181, s 181, b 183, s 183, s 184, b 186, s 186, b 190, s 190, b 191, s 191, b 193, s 193, b 195, s 195, b 197, s 197, b 198, s 198, s 201, b 202, s 90 s 202, b 205, s 205, s 206, b 209, s 209, b 210, s 210, b 211, s 211, b 213, s 213, b 214, s 214, b 215, s 215, b 216, s 216, b 217, s 217, b 218, s 218, b 219, s 219, b 220, s 220, b 221, s 221, b 222, s

19 After applying Algorithm?? to s IV, it is easy to know that if an IV term exists in s, it must also exist in s IV. But the opposite is not right. For example, x 1 = v 0 (k 1 k 2 + k 0 k 2 ) + v 1 + v 0 v 1 k 2, x 2 = v 2 k 0 k 1 + v 1 v 2 k 1 and s = x 1 x 2. We use the IV representations of x 1 and x 2 to approximate the IV representation of s. Thus, x 1IV = v 0 + v 1 + v 0 v 1, x 2IV = v 2 + v 1 v 2, and s IV = x 1IV x 2IV = v 0 v 2 + v 1 v 2 + v 0 v 1 v 2. However, s = x 1 x 2 = v 1 v 2 (k 0 k 1 + k 1 ). We use Property?? to determine the missing IV terms in the output ANF of Grain128, i.e., we compute the IV representation s IV of the output s, find the missing IV terms of s IV and those IV terms are missing IV terms of s. Algorithm 3 Repeated-IV term Removing Algorithm Input: The vector T with n IV terms, i.e., T 1, T 2,..., T n. Output: Updated T with m IV terms, where m n. 1: Initialize an empty Hash set H. 2: for i 1 : n do 3: Compute the Hash value of T i, i.e., H(T i). 4: if H.contains(T i) is false then 5: H.insert(T i). 6: end if 7: end for After using IV representation combined with Algorithm??, all the existent IV terms are left by ignoring their repetition. With collision-resistent hash function H, the time complexity of Algorithm?? is O(n) for processing n IV terms. It needs several minutes to apply Algorithm?? on 1 billion IV terms on a single core. IV representation with Covered IV Term Removing Method We also use IV representation by removing covered IV terms. As shown in Property??, if we are estimating the degree of a polynomial s, instead of detecting the missing IV terms, the covered IV terms have no effect. For example, s = v 0 k 1 + v 0 k 0 k 2 + v 1 k 1 k 2 + v 0 v 1 k 2, then s IV = v 0 + v 0 + v 1 + v 0 v 1, after use Property?? to remove covered IV terms from s IV, we get s IV = v 0v 1. It is obviously that deg(s) = deg(s IV ) = deg(s IV ). This method can help discard (state, IV) terms dramatically, since we could get a more accurate degree evaluation of s than degree evaluation technique and degree reduction technique. Determining the 43-degree Missing IV Terms As shown in??, after Step 2, the degrees of left state terms are possibly bigger or equal to 43. For the left state terms, we are going to use IV representation to determine the missing 43-degree IV terms. First, we use IV representation technique combined with covered IV term removing method for each left state terms. It could maintain the degree 19

20 information by ignoring the low degree IV terms and get a more accurate degree. Thus, if the degree of a monomial is smaller than 43, the monomial is deleted. Second, for the left monomials, we use IV representation technique combined with Algorithm??. It could not only maintain the highest degree IV terms, but also the lower degree IV terms by ignoring the repetitions. Then we maintain a table 43-bit indexed by all possible 43-degree IV terms who contain the 7 low-frequency IV bits in??. As there are 7 fixed bits, the number of freedom variables is 39, so that the table size is ( ) = Initial the table with 0. Then, if a 43-degree IV term exists, the entry turns to 1. At last, the indexes with entries equal to 0 are the missing 43-degree IV terms. According to Property??, if an IV term is not in z 257 s IV representation, it must be also not in z 257. Choose the missing 43-degree IV terms as cubes shown in??, whose cube sums must be zero. Table dimension Cubes Cube Index of Cube Variables 1 0,2,4,7,11,12,13,18,19,21,26,27,29,34,37,39,40,43,45,46,47,48,49,52,54,57,58,59,60,62,63, 65,66,72,73,74,78,80,87,88,89,90,91 2 0,2,4,7,11,12,13,18,19,21,26,27,29,34,37,39,40,43,45,46,47,48,49,52,54,57,58,59,60,62,63, 65,66,72,73,74,78,80,87,88,89,90,92 3 0,2,4,7,11,12,13,18,19,21,26,27,29,34,37,39,40,43,45,46,47,48,49,52,54,57,58,59,60,62,63, 65,66,72,73,74,78,80,87,88,89,90,95 4 0,2,4,7,11,12,13,18,19,21,26,27,29,34,37,39,40,43,45,46,47,48,49,52,54,57,58,59,60,62,63, 65,66,72,73,74,78,80,87,88,90,91,92 5 0,2,4,7,11,12,13,18,19,21,26,27,29,34,37,39,40,43,45,46,47,48,49,52,54,57,58,59,60,62,63, 65,66,72,73,74,78,80,87,88,90,91,93 6 0,2,4,7,11,12,13,18,19,21,26,27,29,34,37,39,40,43,45,46,47,48,49,52,54,57,58,59,60,62,63, 65,66,72,73,74,78,80,87,88,90,91,95 7 0,2,4,7,11,12,13,18,19,21,26,27,29,34,37,39,40,43,45,46,47,48,49,52,54,57,58,59,60,62,63, 65,66,72,73,74,78,80,87,88,90,92,93 8 0,2,4,7,11,12,13,18,19,21,26,27,29,34,37,39,40,43,45,46,47,48,49,52,54,57,58,59,60,62,63, 65,66,72,73,74,78,80,87,88,90,92,95 9 0,2,4,7,11,12,13,18,19,21,26,27,29,34,37,39,40,43,45,46,47,48,49,52,54,57,58,59,60,62,63, 65,66,72,73,74,78,80,87,88,90,93, ,2,4,7,11,12,13,18,19,21,26,27,29,34,37,39,40,43,45,46,47,48,49,52,54,57,58,59,60,62,63, 65,66,72,73,74,78,80,87,89,90,91, ,2,4,7,11,12,13,18,19,21,26,27,29,34,37,39,40,43,45,46,47,48,49,52,54,57,58,59,60,62,63, 65,66,72,73,74,78,80,87,89,90,91, ,2,4,7,11,12,13,18,19,21,26,27,29,34,37,39,40,43,45,46,47,48,49,52,54,57,58,59,60,62,63, 65,66,72,73,74,78,80,87,89,90,92, ,2,4,7,11,12,13,18,19,21,26,27,29,34,37,39,40,43,45,46,47,48,49,52,54,57,58,59,60,62,63, 65,66,72,73,74,78,80,87,89,90,92, ,2,4,7,11,12,13,18,19,21,26,27,29,34,37,39,40,43,45,46,47,48,49,52,54,57,58,59,60,62,63, 65,66,72,73,74,78,80,87,89,90,93, ,2,4,7,11,12,13,18,19,21,26,27,29,34,37,39,40,43,45,46,47,48,49,52,54,57,58,59,60,62,63, 65,66,72,73,74,78,80,87,90,91,92, ,2,4,7,11,12,13,18,19,21,26,27,29,34,37,39,40,43,45,46,47,48,49,52,54,57,58,59,60,62,63, 65,66,72,73,74,78,80,87,90,91,92, ,2,4,7,11,12,13,18,19,21,26,27,29,34,37,39,40,43,45,46,47,48,49,52,54,57,58,59,60,62,63, 65,66,72,73,74,78,80,87,90,91,93, ,2,4,7,11,12,13,18,19,21,26,27,29,34,37,39,40,43,45,46,47,48,49,52,54,57,58,59,60,62,63, 65,66,72,73,74,78,80,87,90,92,93, ,2,4,7,11,12,13,18,19,21,26,27,29,34,37,39,40,43,45,46,47,48,49,52,54,57,58,59,60,62,63, 65,66,72,73,74,78,80,88,89,90,91, ,2,4,7,11,12,13,18,19,21,26,27,29,34,37,39,40,43,45,46,47,48,49,52,54,57,58,59,60,62,63, 65,66,72,73,74,78,80,88,89,90,91, ,2,4,7,11,12,13,18,19,21,26,27,29,34,37,39,40,43,45,46,47,48,49,52,54,57,58,59,60,62,63, 65,66,72,73,74,78,80,88,89,90,92, ,2,4,7,11,12,13,18,19,21,26,27,29,34,37,39,40,43,45,46,47,48,49,52,54,57,58,59,60,62,63, 65,66,72,73,74,78,80,88,89,90,92, ,2,4,7,11,12,13,18,19,21,26,27,29,34,37,39,40,43,45,46,47,48,49,52,54,57,58,59,60,62,63, 65,66,72,73,74,78,80,88,89,90,93, ,2,4,7,11,12,13,18,19,21,26,27,29,34,37,39,40,43,45,46,47,48,49,52,54,57,58,59,60,62,63, 65,66,72,73,74,78,80,88,90,91,92, ,2,4,7,11,12,13,18,19,21,26,27,29,34,37,39,40,43,45,46,47,48,49,52,54,57,58,59,60,62,63, 65,66,72,73,74,78,80,88,90,91,92, ,2,4,7,11,12,13,18,19,21,26,27,29,34,37,39,40,43,45,46,47,48,49,52,54,57,58,59,60,62,63, 65,66,72,73,74,78,80,88,90,91,93, ,2,4,7,11,12,13,18,19,21,26,27,29,34,37,39,40,43,45,46,47,48,49,52,54,57,58,59,60,62,63, 65,66,72,73,74,78,80,88,90,92,93, ,2,4,7,11,12,13,18,19,21,26,27,29,34,37,39,40,43,45,46,47,48,49,52,54,57,58,59,60,62,63, 65,66,72,73,74,78,80,89,90,91,92, ,2,4,7,11,12,13,18,19,21,26,27,29,34,37,39,40,43,45,46,47,48,49,52,54,57,58,59,60,62,63, 65,66,72,73,74,78,80,89,90,92,93, ,2,4,7,11,12,13,18,19,21,26,27,29,34,37,39,40,43,45,46,47,48,49,52,54,57,58,59,60,62,63, 65,66,72,73,74,78,80,90,91,92,93, ,2,4,7,11,12,13,18,19,21,26,27,29,34,37,39,40,43,45,46,47,48,49,52,54,57,58,59,60,62,63, 65,66,72,73,74,80,87,88,89,90,91, ,2,4,7,11,12,13,18,19,21,26,27,29,34,37,39,40,43,45,46,47,48,49,52,54,57,58,59,60,62,63, 65,66,72,73,74,80,87,88,89,90,91, ,2,4,7,11,12,13,18,19,21,26,27,29,34,37,39,40,43,45,46,47,48,49,52,54,57,58,59,60,62,63, 65,66,72,73,74,80,87,88,89,90,92, ,2,4,7,11,12,13,18,19,21,26,27,29,34,37,39,40,43,45,46,47,48,49,52,54,57,58,59,60,62,63, 65,66,72,73,74,80,87,88,89,90,92, ,2,4,7,11,12,13,18,19,21,26,27,29,34,37,39,40,43,45,46,47,48,49,52,54,57,58,59,60,62,63, 65,66,72,73,74,80,87,88,89,90,93, ,2,4,7,11,12,13,18,19,21,26,27,29,34,37,39,40,43,45,46,47,48,49,52,54,57,58,59,60,62,63, 65,66,72,73,74,80,87,88,90,91,92, ,2,4,7,11,12,13,18,19,21,26,27,29,34,37,39,40,43,45,46,47,48,49,52,54,57,58,59,60,62,63, 65,66,72,73,74,80,87,88,90,91,92, ,2,4,7,11,12,13,18,19,21,26,27,29,34,37,39,40,43,45,46,47,48,49,52,54,57,58,59,60,62,63, 65,66,72,73,74,80,87,88,90,91,93, ,2,4,7,11,12,13,18,19,21,26,27,29,34,37,39,40,43,45,46,47,48,49,52,54,57,58,59,60,62,63, 65,66,72,73,74,80,87,88,90,92,93, ,2,4,7,11,12,13,18,19,21,26,27,29,34,37,39,40,43,45,46,47,48,49,52,54,57,58,59,60,62,63, 65,66,72,73,74,78,80,87,88,89,90,93 20