Okay. The next slides. Our next speaker is... this is the technical problem session. This TCC community is trying to meddle with us. Our next presentation is going to be "A Greater GIFT: Strengthening GIFT against Statistical Cryptanalysis" by Ling Sun, Bart Preneel, Wei Wang, and Meiqin Wang, and Ling is going to present by recording.

Hello everyone, the name of the presentation is "A Greater GIFT: Strengthening GIFT against Statistical Cryptanalysis". We start with the motivation of this work. The work in this paper is inspired by the automatic searching results related to differential and linear cryptanalysis of GIFT-64. We first look into the cipher itself and try to discover more properties apart from the quantitative information about active S-boxes, differential probabilities, and linear correlations. In the second part, given the gap between the upper bounds on the differential probability and the linear correlation, we wonder whether we can find a variant with analogous security levels under the differential and linear settings.

Now we briefly review some preliminaries. GIFT is a family of lightweight block ciphers proposed by Banik et al. We consider GIFT-64, which is a 64-bit block cipher with a 128-bit key and with 28 rounds. Each round consists of three steps. The SubCells operation applies an invertible 4-bit S-box to every nibble of the cipher state. Then the PermBits operation permutes the state in a bit-oriented manner. Following that, the AddRoundKey operation adds the round key and the round constant. GIFT was designed 10 years after the publication of PRESENT. It has much increased efficiency in hardware and software implementations, and this is realized by using an S-box with a lower implementation cost. At the same time, to avoid consecutive one-to-one bit differential and linear transitions in the cipher, the design of the bit permutation is carefully studied. The 16 S-boxes are grouped in two different ways. The first one is the quotient group and the second one is the remainder group. With this notation, the design of the 64-bit permutation is converted into the construction of four independent and identical 16-bit permutations that map the output bits of the quotient group to the input bits of the remainder group.

The BOGI paradigm is a guideline for the creation of the 16-bit group mapping. It considers the one-to-one bit DDT of the S-box and sets the input and output positions into four sets. Notice that a bad output could come from a one-to-one bit transition through a certain S-box in the current round. To ensure that the existing one-to-one bit transition will not lead to another one-to-one bit transition in the succeeding round, the differential BOGI permutation artificially maps the active bits of the potentially bad output to active bits of some good inputs in the next round. Similarly, in the linear case, the linear BOGI permutation can be derived regarding the one-to-one bit LAT. The BOGI permutation should be a differential and a linear BOGI permutation simultaneously. For GIFT, the BOGI permutation is fixed as the identity mapping.

Now we introduce the first part of this work and give theoretical explanations of differential and linear properties of GIFT-64. Through analyzing the automatic searching results related to differential cryptanalysis, we observe that the minimum number of differential active S-boxes, SD, is linearly dependent on r for all r greater than seven. Further, after decoding the optimal differential characteristics with the maximum probability from the output of the SAT solver, we observe that the optimal characteristics covering more than seven rounds always have two active S-boxes in each round. So we wonder: is there a characteristic with a single active S-box in some rounds achieving the maximum differential probability?

To answer this question, we first consider a small set of differential characteristics, D1. The characteristics in this set have at least one round activating a single S-box, and the input difference of the active S-box equals one. We managed to calculate a lower bound on the number of active S-boxes for characteristics in this set. The automatic method is applied to accomplish this task, and we split the search into three steps. In the first step, we explore the lower bound for characteristics with input difference having a single non-zero nibble being one. Then the characteristics with output difference having a single non-zero nibble taking one are considered. In the third step, we note that the characteristics in D1 can be created with the characteristics in the first two steps. So the lower bound for characteristics in this set is derived from the experimental results in the first two steps. The experimental results reveal that the lower bound on the set D1 is strictly higher than the original bound when the number of rounds is greater than seven. The same results hold for all sets Di with i taking any non-zero nibble.

So we draw the first proposition: if r is greater than seven, the optimal r-round differential characteristic of GIFT-64 with the minimum number of active S-boxes must have two active S-boxes in each round. Then, with a similar analysis regarding the differential probability, we give the second proposition: if r is greater than seven, the optimal r-round differential characteristic with the maximum probability must activate at least two S-boxes per round.

Now it seems that differential characteristics activating two S-boxes in each round play a crucial role in the security evaluation of GIFT-64. So we wonder whether we can unveil more properties of these characteristics apart from the quantitative information about active S-boxes. Before looking into these characteristics, we first devise an alternative description of the round function. In the alternative description, we keep the SubCells and AddRoundKey operations and further decompose the PermBits operation into two sub-operations. The GroupMaps operation invokes a 16-bit permutation and independently applies it to each of the quotient groups. The following TransNibbles operation works in nibbles. This alternative description is called a bit-oriented one. If we recognize the cipher state as a 4×4 matrix of nibbles, the bit-oriented description can be replaced with a nibble-oriented one. The nibble-oriented description is more concise and facilitates the following analysis.

Now, given a differential characteristic with two active S-boxes per round, we assume that the two active S-boxes in the r-th round are located in the same column and denote the differential propagation of the group mapping on this column as this. We show that this propagation should meet four conditions so that the differential characteristic based on it can sustain two active S-boxes in round R-1 and R-1. In other words, these are necessary conditions for propagation in long differential characteristics with two active S-boxes per round. Summarizing all the analysis in the proof of the four conditions, we derive the third proposition: for an r-round differential characteristic activating two S-boxes per round, if the two active S-boxes in the r-th round are located in the same column, then, for all R-bases in equality, the two active S-boxes in the (r+2)-th round are located in the same column. Then we derive the lemma which tells the head of the target characteristic: for the cipher, if a differential characteristic activates two S-boxes per round, then the two active S-boxes in one of the first two rounds must be located in the same column of the matrix state.

Based on Lemma 1 and Proposition 3, we conclude that all differential characteristics with two active S-boxes per round can be decomposed into several pieces of two-round characteristics for which the two active S-boxes in the first round are located in the same column. Furthermore, the differential propagation abstracted from these two-round characteristics fulfills the four conditions. On the other side, the characteristics with two active S-boxes per round can be constructed artificially. Consider two differential propagations validating the four conditions. If gamma i to r5 are possible transitions, then the two propagations are said to be compatible with each other. As shown in the figure, we can craft long differential characteristics activating two S-boxes per round with compatible propagations.

We implement a test and find 26 propagations validating the four conditions. Then we evaluate the compatibilities among them and illustrate the result in the figure. After removing some isolated nodes and the short paths, we notice that the graph contains several cycles. On the one hand, this cycle theoretically explains the existence of long differential characteristics with two active S-boxes per round. On the other hand, accompanied by the preceding analysis, we conclude that any differential characteristic covering more than seven rounds with two active S-boxes per round must utilize certain paths in the figure. In addition, the cycle also enables us to enumerate all optimal differential characteristics by hand. We propose an explicit formula for the differential probability of the optimal characteristic and prove that there are 288 optimal characteristics with an odd number of rounds and 10,400 optimal characteristics with an even number of rounds.

In parallel to the case of the differential setting, we derive some analytic results in the linear setting. Similarly, we show that if r is greater than 9, the optimal r-round linear characteristic of GIFT-64 with a minimum number of active S-boxes must activate two S-boxes per round. The linear correlation bound is also studied. However, unlike the case in the differential setting, the optimal linear characteristic with a maximum correlation can contain characteristics with a single active S-box in some rounds. We check the properties of linear characteristics with two active S-boxes in each round and find that these characteristics can also be constructed artificially. We find 46 useful linear propagations and analyze compatibilities among them. Based on the cycle in the graph, we also theoretically explain the existence of long linear characteristics with two active S-boxes per round.

Next, we turn to the question proposed at the beginning: can we improve GIFT-64? Note that there are 2,304 group mappings that meet all requirements for the winding GIFT-64. So we managed to find a variant constructed with a new group mapping that possesses comparable upper bounds on the differential probability and linear correlation. To reduce the number of candidates, we implement a classification. Proposition 7 points out a sufficient condition for two variants being equivalent to each other. Based on this proposition, we define an equivalence relation on the set of all GIFT-64-like ciphers and partition the set into 168 equivalence classes. Therefore, we only need to check the property of one representative in each possible equivalence class, and the number of candidates is reduced from 2303 to 167.

We apply the automatic method to search for upper bounds on differential probabilities and linear correlations of 167 representative variants. The test results are illustrated in the figure. It can be noticed that the security of GIFT-64 against differential cryptanalysis is moderate among all representatives, and the capability against linear cryptanalysis is almost among the best of the candidates. Then we consider the combination of differential and linear properties. According to the length of the optimal effective differential and linear characteristics, the 168 representatives can be divided into 17 groups. The performance of GIFT-64 in resisting differential and linear attacks is good, and 40 representatives achieve similar security levels to GIFT-64. Moreover, we identify that one representative may achieve a comparable security level against differential and linear cryptanalysis, and its optimal effective differential and linear characteristics achieve 12 rounds. We denote this equivalence class as GIFT-64[2021]. This equivalence class contains 24 elements, and all variants share the same differential and linear properties.

As in the figure, compared to GIFT-64, the new variants have comparable upper bounds on differential probability and linear correlation. The clustering effects of differential and linear characteristics are evaluated. Similarly to the case of GIFT-64, the differential and linear hull properties of the new variants are not significant. Beyond that, we implement the automatic search of impossible differential distinguishers, zero-correlation linear distinguishers, and integral distinguishers for the variants. The experimental results indicate that the security levels of the variants withstanding impossible differential attack, zero-correlation linear attack, and the integral attack are similar to those of GIFT-64. Note that the best attack on the new variants achieves 18 rounds, which is two rounds less than the length of the best attack on GIFT-64. We claim that for the variants, if security in the related-key attack setting is not required, 26 rounds could be used rather than 28 rounds.

For the simple and clean design strategy, GIFT offers extremely good performance and even surpasses both SKINNY and SIMON for round-based implementations. As in the table, we compare the hardware performance. The new variants achieve higher throughput and require lower energy consumption than GIFT-64. On this basis, the 26-round variants may become one of the most energy-efficient ciphers as of today and are probably more suitable for the lower-energy-consumption use cases than GIFT-64.

Now, we give a conclusion. The paper studies GIFT-64 with both automatic methods and mathematical analysis. This hybrid method uncovers new insights into the security of GIFT-64 and some of its variants. For GIFT-64, we prove some properties of differential characteristics activating two S-boxes per round and show that all optimal differential characteristics covering more than seven rounds with the maximum probability can be constructed manually. This says the properties of linear characteristics with two active S-boxes per round are also provided. In the second part, we find variants with analogous security levels under the differential and linear settings and show that the 26-round variant may become one of the most energy-efficient ciphers as of today.

As to future work, firstly, if one is concerned with related-key attacks, we conjecture that the resistance of the variants regarding related-key differential attack can be lifted by carefully crafting the key schedule. Secondly, the case where the group mappings operating on different columns are distinct is an open problem. Lastly, checking the existence of a balanced variant for GIFT-128 will be interesting future work. That's all for the presentation. Thank you for your attention.

So while we're trying to figure out if we have one of the speakers online or present in the audience, just a second, are there any questions? So I have questions for you, Bart, unless we find Ling online. The tables and all the analysis, what are the success rates for the attacks that are reported there? Give or take?

I'll have to look it up, like probably 50% or so. I have to look it up and check with the others again. This is a while ago, but thank you.

Are there other questions? Do we have one of the... If not, see you in the next session in 25 minutes. And remember there is a membership meeting. We should be there.