The next talk is entitled Constructing Low-Latency Involutory MDS Matrices with Lightweight Circuits. It's joint work between Shun Liu, Shun Li, sorry, Siwei Sun, Chaoyun Li, Zihao Wei, and Lei Hu. And Shun Li will give the talk.

Thanks for the introduction. It's a joint work with Siwei Sun, Chaoyun Li, Zihao Wei, and Lei Hu. I will introduce our work from five parts.

First is the diffusion matrices. The diffusion layers are typically realized with linear operations expressed as matrices and spreading the internal dependencies as much as possible. The diffusion property of the diffusion matrix is up to its branch number. Here is the definition. It's a measurement of the minimal number of non-zero words of input and output. And it has an upper bound called the Singleton bound. The matrix achieving the Singleton bound is called the MDS matrix.

Regular lightweight primitives have the following types of diffusion layers. The first is the bit-level permutations such as PRESENT, GIFT. The second is the bitwise XORs and rotations such as SKINNY, CRAFT. And the third is the maximum distance separable or MDS matrices such as AES. And almost MDS matrices such as Midori and QARMA.

Here is the definition of MDS matrices. An invertible NK by NK binary matrix is MDS over K N-bit words if and only if the branch number of A equals K plus 1. Here is the example of the MDS matrix in AES; besides, it's circulant.

The wide trail strategy is an approach used to design round transformations that combine efficiency and resistance against differential and linear cryptanalysis. MDS matrices, in accordance with the strategy, have advantages as diffusion layers in iterated block ciphers. One is its relatively small number of rounds contributes to the low latency designs. Here is a comparison. We have three ciphers; they are all 128-bit block size and 128-bit tweakey or key size. For SKINNY, of bitwise XOR construction, the number of its rounds is 40.
While for Midori, almost MDS, its number of rounds is 20. And AES, MDS construction, its number of rounds is only 10. The other advantage of it is the simple and clear security proofs followed by AES.

We have some construction strategies. The first is the XOR and rotation-based, such as height. The second is the iteration-based, such as PHOTON hash functions. The third is the special type-based, such as circulant, orthogonal, Hadamard, Toeplitz, Cauchy, involutory, ATA. And the circuit search-based, joint work by Duval and Leurent.

For involutory matrices, here is the definition. It's a square matrix that is its own inverse. Well, it means M squared equals the identity matrix. Involutory matrices are preferable in terms of hardware implementation, since the same circuit can be used when the inverse is required. The advantage of MDS and the involutory makes involutory matrices more preferable. Involutory MDS matrices are applied in some ciphers, such as Anubis, ICEBERG, and PRINCE.

Now we go to the construction of lightweight involutory MDS matrices. First, we need to give the introduction of metrics. We estimate the hardware cost of a linear operation as the number of XOR gates required in its implementation. But it's NP-hard to obtain the minimum number of XOR gates required, by Boyar's theorem. That is, for any field, shortest linear program is NP-hard. So only metrics determining the upper bounds are available.

Here we only give two upper bounds. One is direct XOR count or DXC. It equals the Hamming weight of the matrix minus its row number. And the other is the global optimization. It corresponds to a good linear straight line program, which is based on certain SLP heuristics, such as Boyar's. And we denote it as SLP. Here is a comparison. For multiplication by this matrix, its direct XOR count is four. While its SLP XOR gates is three, as follows. The SLP XOR gates is less than DXC because of the intermediate variable T1. It's used twice.
We introduced some previous work relative to our works. Sakai, you find the lightweight 16 by 16 involutory MDS matrix of this form, where the C equals to the companion matrix of X to the 4 plus X to the plus X plus 1. And its SLP XOR gates is 42. And Kranz obtain a lightweight 32 by 32 involutory MDS matrix by applying the subfield construction to the former. Well, the subfield construction is just double each submatrix of the matrix. And its SLP XOR gates is double. Here, Kranz's matrix has an XOR count of 84.

So we extracted the structure. Because the former two matrices are forms of less, well, the difference is the choice of A, the matrix A. We generalize it and try to find lightweight involutory MDS matrices of the following forms. It can be divided in four parts. The left top 2 by 2 submatrices, right top, left bottom, and the right bottom. Then we can see that all these four parts are symmetric. So to keep G involutory, that is G squared equals the identity matrix, the four parameters have to satisfy these two equations. And this kind of equation will decrease the number of parameters from four to three. And furthermore, our goal is to find an involutory MDS matrix such that its direct XOR count is small. And by some deduction, we get a solution which minimizes it at least four. And we apply Boyar's algorithm to it and its SLP XOR gates is 80, better than Kranz.

The previous results motivate us to consider a more generalized form of this. We only fixed the diagonal submatrices to the identity matrix, while the others are to be selected. And we also fixed the matrix A to be the companion matrix of the polynomial x to the 8 plus x to the 2 plus 1 of this form. We choose it because its XOR count is just 1. And without loss of generality, we can do some operations on the parameters. While the operation won't change the number of parameters, it's still 12. But in the next step, we use the involutory property and reduce it to this form.
And the number of parameters is 6. That is epsilon 1, 2, epsilon 1, 3, epsilon 1, 4, and RST. Under this limitation, we inspect all the parameters in integer range of dimension 6, satisfying the following conditions. After the exhaustive search, we identify 5,550 involutory MDS matrices whose Hamming weights are within the range from 148 to 172. That is the direct XOR count within the range of 116 to 114.

And now we consider the depth of the implementation circuits. Here is an easy example. These two implementations are all the same summation y1 plus y2 plus y3. y1 is the summation of the first four variables, while y3 equals the last four variables' summation. And the depth of the left circuit is four, while the right is five. So the sequence is important.

As we said, we get 5,550 MDS matrices in the third section. And we apply Boyar's SLP heuristic algorithm to all matrices. And we found the implementation depth is all not less than four. But AES MixColumns can be implemented with depth 3. So we wonder if our matrices can be implemented with depth no bigger than 3. And we have this theorem: the circuit depth of an MDS matrix A in 32 by 32, with branch number five, is at least three. It's a true deduction, but we just counting the number of one in matrix.

So we try to enhance Boyar's algorithm with depth awareness. The difference is in the choice of distance function. Basically, we modify Boyar's algorithm by only picking signals which are not going to exceed a specified depth bound, and defining a new notion of distance, which takes the circuit depth into account.

We are giving some examples. First, we denote S as the sequence of signals, F as linear predicate, and third H as F as our new distance function, third SF as Boyar's distance function. If third H SF equals K, F not only can be obtained by K additions, but also has an implementation of K additions within depth H.
The first example, we have the input signal of five variables, and the linear predicate is the summation of the whole variables. Then the third 3 SF equals third SF equals four, because it can be implemented as first X2 plus X3, X4 plus X5, and the X6 plus X7. Then we get the summation of X2, X3, X4, and X5. The last step is X8 plus X1. This contributes to depth 3. While if we set the depth limitation to 2, nice, it has no solution. That means all operations contributed to F have depth not less than 3.

And the second example, we have two more variables, X6 and X7. X6 is one, and the depth of X7 is two. Now we have to compute the summation of X2 plus X3, X4, and X5. By Boyar's algorithm, the third SF in this step equals one, because it can be implemented as X5 plus X7. That equals X3 plus X5 plus X6 equals X2 plus X3 plus X4 plus X5 equals to F. While if we set the depth limitation to 2, then it can be also implemented as we first compute the X8 equals X3 plus X5, then X8 plus X6. This is the F.

So we apply our new algorithm to all matrices we generated in section 3, and the lightest one with depth 3 is this form. We have the A is still a companion matrix of the polynomial x to the 8 plus x to the 2 plus 1. And its XOR gates is 88.

And we will give our main results. We use our new algorithm on the AES MixColumns matrix and get the XOR gates of 105 under the depth limitation of 3. And we also constructed two involutory MDS matrices. One has XOR gates of 78 with depth 4, and the other with XOR gates 88 and depth 3. All of our code and the results are available at our GitHub website.

In conclusion, we constructed a large number of involutory MDS matrices. Apply Boyar's SLP heuristic algorithm to our matrices, and we get the lightest involutory MDS matrix. At last, we modify Boyar's algorithm and apply the new algorithm to all matrices. We get the lightest involutory MDS matrix with depth of 3. It's all. And thank you.

Thank you very much. Any questions?
OK, so maybe I'll ask a first question. Do you think your results can be further improved or this is best possible?

Yes, it maybe can be improved by constructing more and new structures. Because we already limited our structure to these forms. But it may have more structures.

What for that? Maybe another question I have is maybe difficult to answer. But the previous talk was also about MDS matrices with lightweight circuits, but they're not involutory. So how big is the price to pay to get involutory? Did you get a chance to compare your result with the ones in the previous paper? I mean, how many more XORs do I need to get an involutory matrix? Is the difference very big or is it rather small?

Yes. We think that involutory is better for the diffusion layers.

OK, any more questions? If not, thank you very much again.