An improved degree evaluation method of NFSR-based cryptosystems
Designs, Codes and Cryptography (IF 1.6), Pub Date: 2021-10-20, DOI: 10.1007/s10623-021-00954-9
Chen-Dong Ye, Tian Tian

In this paper, we study the algebraic degree evaluation of NFSR-based cryptosystems. The degree evaluation method based on the numeric mapping proposed by Liu at CRYPTO 2017 is very fast and can be applied to a cube of any size. The numeric degree of \(f_1(\boldsymbol{x},\boldsymbol{v})\times f_2(\boldsymbol{x},\boldsymbol{v})\) is estimated as \(D_1+D_2\), where \(D_1\) and \(D_2\) are the numeric degrees of \(f_1\) and \(f_2\) respectively, and the algebraic degree of a function is no more than its numeric degree. It can be observed that some variables may be counted twice in \(D_1+D_2\), and the precision of the numeric mapping heavily depends on how many variables are counted redundantly. When the method is applied to an iterative cryptosystem, such redundancies accumulate as the numeric degrees are computed iteratively. This is an important factor accounting for the difference between the numeric degree and the algebraic degree of a cryptosystem. To reduce this difference, a new framework for the degree evaluation algorithm based on the numeric mapping is proposed. The main idea is to identify variables that are repeatedly counted in the numeric mapping and to eliminate the redundant degrees on these variables. As an illustration, a concrete algorithm for Trivium-like ciphers is given, which is shown to be useful in correlation cube attacks and the zero-sum distinguisher search. For correlation cube attacks on 835-round Trivium, we find some more useful cubes so that we could recover about 1.5 more bits at a cost of \(2^{40.7}\). Furthermore, we find several cubes leading to zero-sum distinguishers for Kreyvium variants with 875 to 880 initialization rounds.
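The double counting described in the abstract can be seen on a small case. The following is an added example, not code from the paper: it compares the numeric estimate (sum of degrees for a product, maximum for an XOR) with the exact algebraic degree over GF(2). The polynomials, the variable names `v1`..`v3` and `x1`, and the toy recurrence \(s_t = s_{t-1}s_{t-2} + s_{t-3}\) are constructed for illustration and are not Trivium or the authors' algorithm.

```python
from itertools import product

# Boolean polynomial over GF(2) in ANF: a set of monomials, each monomial a
# frozenset of variable names (x*x = x over GF(2), so no exponents are needed).
def mono(*names):
    return frozenset(names)

def mul(f, g):
    """Exact product; a monomial produced an even number of times cancels."""
    out = set()
    for a, b in product(f, g):
        out ^= {a | b}
    return out

def degree(f, cube):
    """Algebraic degree counted in the cube variables only (f must be nonzero)."""
    return max(len(m & cube) for m in f)

CUBE = frozenset({"v1", "v2", "v3"})  # constructed cube (IV) variables

def product_gap():
    """Numeric estimate D1 + D2 versus the exact degree of one product."""
    f1 = {mono("v1", "v2"), mono("x1")}  # D1 = 2; x1 stands for a key bit
    f2 = {mono("v2", "v3"), mono("v1")}  # D2 = 2; shares v1 and v2 with f1
    numeric = degree(f1, CUBE) + degree(f2, CUBE)
    return numeric, degree(mul(f1, f2), CUBE)

def iterate_gap(rounds):
    """Toy recurrence s_t = s_{t-1}*s_{t-2} + s_{t-3} (hypothetical, not Trivium).
    Returns one (numeric degree, exact degree) pair per new state bit."""
    polys = [{mono("v1")}, {mono("v2")}, {mono("v3")}]
    numeric = [1, 1, 1]
    trace = []
    for _ in range(rounds):
        s = mul(polys[-1], polys[-2]) ^ polys[-3]  # set XOR is addition in GF(2)
        d = max(numeric[-1] + numeric[-2], numeric[-3])  # numeric mapping step
        polys.append(s)
        numeric.append(d)
        trace.append((d, degree(s, CUBE)))
    return trace

if __name__ == "__main__":
    print(product_gap())
    print(iterate_gap(4))
```

With only three cube variables the exact degree can never exceed 3, while the numeric estimate keeps growing each round because the same variables are counted again in every product.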




Updated: 2021-10-21