Modeling for Three-Subset Division Property without Unknown Subset
Journal of Cryptology (IF 3), Pub Date: 2021-05-20, DOI: 10.1007/s00145-021-09383-2
Yonglin Hao, Gregor Leander, Willi Meier, Yosuke Todo, Qingju Wang

A division property is a generic tool to search for integral distinguishers, and automatic tools such as MILP or SAT/SMT allow us to evaluate its propagation efficiently. In the application to stream ciphers, it enables us to estimate the security against cube attacks theoretically, and it leads to the best key-recovery attacks against well-known stream ciphers. However, it was reported that some of the key-recovery attacks based on the division property degenerate to distinguishing attacks due to the inaccuracy of the division property. The three-subset division property (without unknown subset) is a promising method to solve this inaccuracy problem, and a new algorithm using automatic tools for the three-subset division property was recently proposed at Asiacrypt2019. In this paper, we first show that this state-of-the-art algorithm is not always efficient and cannot improve the existing key-recovery attacks. Then, we focus on the three-subset division property without unknown subset and propose another new efficient algorithm using automatic tools. Our algorithm is more efficient than existing algorithms, and it can improve existing key-recovery attacks. In the application to Trivium, we show an 842-round key-recovery attack. We also show that an 855-round key-recovery attack, which was proposed at CRYPTO2018, has a critical flaw and does not work. As a result, our 842-round attack becomes the best key-recovery attack. In the application to Grain-128AEAD, we show that the known 184-round key-recovery attack degenerates to a distinguishing attack. Then, the distinguishing attacks are improved up to 189 rounds, and we also show the best key-recovery attack against 190 rounds. In the application to ACORN, we prove that the 772-round key-recovery attack at ISC2019 is in fact a constant-sum distinguisher. We then give new key-recovery attacks reaching 773-, 774- and 775-round ACORN. We verify the current best key-recovery attack on 892-round Kreyvium and recover the exact superpoly. We further propose a new attack reaching 893 rounds.

Updated: 2021-06-22