 And this is joint work with Lev Peron and Alex Birikov. First, I will give a brief introduction to the problem. Then I will show how we managed to decompose the API on permutation. Then I will show an attempt to generalize this structure. And then I will show some interesting properties obtained using the decomposition. And then I will conclude the talk. So this talk is about S-boxes, small permutations, small functions, not necessarily permutations. When designing a symmetric primitive, we often use S-boxes to provide non-linearity. And in particular, in order to prevent differential attacks, we study differential properties of S-boxes. And so I call the definition of a difference distribution table of S-boxes. It's a table which, for each input difference A and output difference B says how many inputs satisfy this differential transition, so this equation. And we want these values for all differences A and B to be as low as possible to prevent differential attacks. All the values are even in this table and they can't all be zero. So the best possible values is when there are only zeros and twos. And when this happens, we call the function almost perfect non-linear or APN. And we know many APN functions for all dimensions, but we are also very interested in APN permutations. So objective functions. We know many APN permutations in odd dimensions, but for even dimensions, it was a very long open problem. Until in 2009 Dylan and others have found actually an example of six-bit APN permutation. And since then, no new APN permutations in even dimensions were found. So they found it using some code theory and algorithmic search. And as a result, we have this S-Box just as a lookup table. And this gives a few insights where we need to search for them. So the main, our result is that we have found extra structure in this S-Box. It should look like this. So up to a linear layer supplied before and after, this is equivalent to that APN permutation. So in this structure, A is any three-bit APN permutation and alpha is a, so dot in a circle is a finite field multiplication by non-zero alpha such that trace of alpha is equal to zero. So now I will show how we manage to find this decomposition. First recall the definition, the notion of S-Box reverse engineering. So when some cypher or some primitive designers, they publish an S-Box, they might not explain how they obtained it. Did they generate it by random, optimized it or use some structure in order to have efficient software or hardware implementation. And reverse engineering, the S-Box means to find some possible design criteria just from a lookup table. And possible targets for reverse engineering, for example, S-Box of skipjack. This work were presented by my co-authors at previous crypto, where they basically introduced the notion of S-Box reverse engineering and they showed that the S-Box of skipjack could have been optimized for some linear resistance. At EuroCrip this year, we presented reverse engineering of S-Box of Russian standard primitives where we actually found some structure. And it turns out that we can use these somewhat cryptanalytic methods and apply them to this Dylan's APN permutation. It's interesting because the APN permutation is more like a mathematical object and we know how it was generated but still we can apply this kind of cryptanalysis and that's why we call this cryptanalysis of Ethereum. So to introduce the methods, I recall definition of linear approximation table or LED of a function. It's very similar to DDT, but instead of difference approximation, we use linear approximation, which is defined by linear mask A and linear input mask A and output mask B and the dot defines a scalar product. Okay, so one of the ideas from the previous scripture paper was to draw a so-called Jackson Pollock representation of the LED. We just compute this table and assign colors to the values and draw the corresponding image. And then the idea is to look for patterns with your eyes. And here we can, so here's such representation of the LED of the Dylan's permutation, so the one which we want to decompose. And clearly there are some patterns, there are stripes and on top there are no gray areas. And using the same methods as in previous papers, we can actually apply, so we can compose a linear mapping with S-box, such that the result in S-box has this representation of the LED. It's much more structured and so there is some kind of square structure, but more importantly, there is a white square in the top left corner. And this white square is an indicator of some multi-set properties, which can be, which as a result, we can obtain the following structure for the S-box. So for the S-box, which consists of application linear layer and the Dylan's permutation. Here, T and U are key permutations. That is, for example, for T, when the layered branch is fixed, then it is a permutation on one branch. And when the key coming from left is different, the permutation is different each time. You can also think about them as small block ciphers. For example, here's table for T, the left branch selects the row and then each row defines a permutation. So this white square indicates some multi-set properties and the multi-set property is that if we fix the left branch and we put all values on the right branch, then we will get all values on the right branch of the output. That's just exactly what this T-U decomposition captures in the white square. Yeah, and we also notice that T and U, in particular in this case, are related by linear mapping, so we need to decompose only T and then we'll get immediately the composition of U. So here's a small overview of how we can decompose T. First, we detach a linear fastly function such that T prime maps zero to zero for all keys, so for all values coming from right. In particular, in this case, it turns out that T is a linear permutation. It's a good indicator that we are in the right way because in general, this can be arbitrary function. Then we look at the univariate representation of T for all different keys and we found that nonlinear part is key independent. So we can separate it into nonlinear part and linear steel key dependent part L. Then we can apply some linear permutation such that nonlinear part actually becomes the field inverse on three bits. And some few steps later, similar steps, we actually obtain the following decomposition. So the top part corresponds to T and the bottom part corresponds to U and there is a linear layer among them between them. And we remove the XOR constants and it's still an apparent permutation. And we also looked for a nice representation of the central linear layer. And as a result, we obtain the final decomposition that we have. In particular, it allows for a nice bit slice implementation. So if somebody wants to design some lightweight cipher using this S-Box, it can be quite efficient. So the next question is, the natural question is, so we have this structure and we can simply change the branch size because it was six-bit S-Box and the branch size for three and now we can change it to some larger values and see what happens. And we call such structure butterfly structure, kind of looks like butterfly. And so we call this open butterfly structure and we denote it by H. And additionally, we study this another structure which we call closed butterfly and we denote it by V. It is interesting from another perspective. Now we recall definition of CCZ equivalents. Two functions are CCZ equivalent if the graphs, the functional graphs are related by an affine mapping. A good thing about CCZ equivalents is that it preserves the maximum coefficients in DDT and LAT. And it turns out that the open and closed butterflies are CCZ equivalent. So these two structures are CCZ equivalent and therefore they have same DDT and LAT maximum coefficients. And we managed to prove that both open and closed butterflies, the DDT coefficients are at most four. Experimentally, we checked for small n and we did not find any new APN because there was some force always but we don't know if for some larger n maybe there will be some. The algebraic degree of closed butterflies too and of open butterflies n plus one where n is the branch size. And experimentally, for small n we found that the nonlinearity which depends on the maximum LAT coefficient is the best known to be possible. So this is for butterflies. And this corresponds to a case when alpha is not equal to zero and one. And interesting things happen when we put alpha equal to one. The open butterfly actually becomes functional and equivalent to a three-round physter network. And the closed butterfly becomes equivalent to this lemase-like structure. They have some similar properties but for this we can prove that they are not APN always. They are just, they contain only, the DDT's contain only force for any n. And the algebraic degree of closed butterflies also too and for open butterfly it's n instead of n plus one for the previous case. And another interesting property is that for some exponents e, for example, e equal to five, the closed butterfly, this structure is actually affine equivalent to a monomial x to the power e in the large field. And since these two structures are CZ equivalent we deduce that this physter network, three-round physter network is CZ equivalent to a monomial. It's quite interesting. Okay, and now some new properties of the APN permutation. So we go back to six bits, the structure that we have found and we look what we can change in this structure so that it still remains an APN permutation. First we can replace a by any small APN permutation. We can replace alpha by any field element with trace equal to zero and non-zero element. We can solve values here, here, here and here. Like there was XOR with five in the original structure, we removed it but we can put any XORs and it still remains an APN permutation. We can apply linear functions here and here and here and here. And also we can add branch swaps before the red rectangle and after. The first four transformations, they preserve affine equivalents. That is, applying these transformations is equivalent to applying some affine mappings before the structure and after the structure. But the last transformation, adding swaps before and after, breaks affine equivalents. That is, we obtain four different affine equivalents classes of this APN permutation. But the ccz equivalents is still preserved. So from the point view of ccz equivalents, it's still the same S-box as Geon's permutation. Another interesting property is, first we define a component-wise product. And then the property is that for closed butterflies, if you multiply both input branches by lambda, then it is equivalent to multiplying output branches by lambda to the power e. And for the open butterfly, if you multiply the input branches by lambda to the power e and lambda, it is equivalent to multiplying the output branches by the same values. Also, the closed butterfly is actually a fine equivalent to a concatenation of two band functions. Actually, one band function and the same band function with swapped parameters. Additionally, in the Geon's and others paper, they present a univariate representation of this APN permutation, where the composition of two functions, where each contains like 18 monomials, which is quite complex. And using our decomposition, we managed to find much smaller representation with only like four and six monomials. Or using composition of three functions, even more compact representation. And a small remark about the key mapping. It is an APN function given by this polynomial. It's not a permutation. And it was already known before Geon and others. And actually, it was the starting point from which the Geon and others obtained the APN permutation. So, key mapping is APN, but not a permutation. And using some code theory and algorithmic search, they managed to transform it into a permutation, the APN permutation. And our structures, our decompositions are related like this. So, as shown before, the open butterfly corresponds to the APN permutation. They are fine equivalent. And actually, the closed butterfly is a fine equivalent to the key mapping. So, in some sense, we can reinterpret this transformation that Geon and others did as opening the closed butterfly. Conclusions, there is a decomposition of the only known APN permutation in even dimension. But we did not find any new APN permutations in even dimension. And there are these two open problems to prove the experimental result about nonlinearity and to see whether there are actually APN permutations, sorry, APN butterflies for larger N. But actually, there is a group which has, I think, answered these questions. So, to the first question, there is a positive answer. So, the butterflies always have the best known to be possible nonlinearity. And for the second question, the answer is negative. The butterflies are actually never APN, except this six-bit permutation. And so, the only, the main open question is whether there still is APN permutations in even dimension other than this Geon permutation. Thank you.