Hello, everyone. My name is Chunning Zhou. The title of our talk is "Improving the MILP-based Security Evaluation Algorithm against Differential/Linear Cryptanalysis Using a Divide-and-Conquer Approach". This is joint work with Wentao Zhang, Tianyou Ding and Zejun Xiang.

This is the outline of our talk. Firstly, we will review the existing MILP tools for evaluating the security of a cipher against differential and linear cryptanalysis. Then we show our improved search algorithm incorporating a divide-and-conquer approach. And finally, we show some applications.

Differential and linear cryptanalysis are two of the most effective and powerful attacks for analyzing symmetric-key primitives. Being able to resist the two attacks is an important criterion for designing symmetric-key primitives. To evaluate the security of a cipher against differential or linear cryptanalysis, there are usually two approaches. One is to calculate the minimum number of active S-boxes, and the other is to search for the best differential or linear characteristics.

In recent years, a method based on MILP has been proposed for the security evaluation. Due to its easy-to-master and general-to-use features, the MILP-based method has been widely used. This kind of method was first proposed by Mouha et al. in 2011. They introduced a model framework to calculate lower bounds of the minimum number of active S-boxes for word-oriented ciphers. The model consists of an objective function and linear constraints. The objective function is to minimize the sum of the variables A representing the input words of the S-boxes over R rounds. The constraints are used to describe word-level difference or linear mask propagation through a cipher. Then, from 2013 to 2014, Sun et al. extended Mouha's model framework to bit-oriented ciphers. Their models describe bit-wise operations and can be used both to obtain the minimum number of active S-boxes and to find the best differential and linear characteristics. In 2018, the resolution time of solving MILP models was sped up by incorporating Matsui's branch-and-bound search algorithm. However, the efficiency of the existing MILP-based methods is not enough: the model cannot be solved within a reasonable time when the number of rounds is large.

Next, we introduce our search algorithm. Our motivation is to make the MILP-based method more efficient, so that we can use it to derive better evaluations of the cryptanalytic results of symmetric primitives against differential and linear cryptanalysis. In this talk, by using a divide-and-conquer approach, we propose an improved MILP-based search algorithm for evaluating the security of symmetric primitives against differential and linear cryptanalysis. The algorithm is applied to five lightweight block ciphers in this talk, and it is also applicable to other symmetric primitives.

This table summarizes the comparison of the results on the best differential and linear characteristics between two previous works and ours. We implemented the three methods on our PC, and T1, T2, T3 respectively denote the resolution time of the three methods. From the table, we see that our search algorithm has an advantage over the two other methods when the number of rounds is large, and for each cipher we cover more rounds with less time.

The two approaches, calculating the minimum number of active S-boxes and searching for the best differential or linear characteristics, are respectively equivalent to searching for the characteristics with the minimum number of active S-boxes and with the minimum weight. Our search algorithm is inspired by the idea of a divide-and-conquer approach. Our search process is as follows. Firstly, we divide the whole search space, namely the space of all possible R-round characteristics, into smaller subspaces. Then we separately search each of the subspaces by using MILP and obtain the optimal characteristics within them. Finally, the optimal characteristic within the whole space is given by combining all the results returned from the subspaces.

Next, we introduce the first step: how to divide the space. We divide the space for SPN ciphers based on Observation 1: for many lightweight block ciphers with an SPN structure, their differential or linear characteristics have at least one active S-box in each round, and those with the highest probability or absolute linear bias are likely to have at most two active S-boxes at a certain round. Hence, for an R-round SPN cipher, we first divide the whole space into three kinds of subspaces. In subspace 1, the characteristics have at least one active S-box in each round, and there is at least one round containing exactly one active S-box. Subspace 2 is similar to subspace 1: the characteristics in it have at least two active S-boxes in each round, and there is at least one round containing exactly two active S-boxes. Subspace 3 includes the characteristics that have at least three active S-boxes in each round. For subspace 1 and subspace 2, the characteristics have one or two active S-boxes at a certain round. Thus we further divide the two subspaces by fixing the index i such that round i has exactly one or two active S-boxes. By doing this, the number of all possibilities for the input of round i decreases. Then we choose the input of round i to further divide the two subspaces.

Take the SPN cipher PRESENT as an example. Its block size is 64 bits, and it uses a 4 x 4 S-box. We show how to divide the space for R rounds. Firstly, the whole space is divided into the three subspaces introduced on the previous page. Then subspace 1 is divided by choosing i such that round i has exactly one active S-box, and for each i, choosing the input of round i. When one round has exactly one active S-box, there are 240 possibilities for the input of this round. In total, subspace 1 is divided into R times 240 smaller subspaces. Similar to the partition of subspace 1, subspace 2 is further divided. When one round has exactly two active S-boxes, there are 27,000 possibilities for the input of this round. In total, subspace 2 is divided into R times 27,000 smaller subspaces. Now the space for an R-round PRESENT has been divided.

Unlike SPN ciphers, for Feistel ciphers the differential or linear characteristics with the highest probability or absolute linear bias are likely to have no active S-box at a certain round. Thus, for an R-round Feistel cipher, we divide the whole space into two kinds of subspaces. In subspace 0, the characteristics have no active S-box at a certain round, and in subspace 1, the characteristics have at least one active S-box in each round. For subspace 0, we further divide it by fixing the index i such that round i contains no active S-box. The subspaces divided so far are not small enough; thus, we further divide them by choosing the activity pattern of the S-boxes of round i+1. Take the Feistel cipher LBlock as an example. Its block size is 64 bits, and it uses 4 x 4 S-boxes. For an R-round LBlock, we first divide the space into the two subspaces introduced before. Then subspace 0 is further divided by choosing the index i such that round i has no active S-box. If round i has no active S-box, there is at least one active S-box at round i+1. By choosing the patterns of the S-boxes at round i+1, there are 255 subspaces for each i. In summary, the space for an R-round LBlock is divided into R times 255 plus 1 smaller subspaces.

Now we have shown how to divide the spaces for SPN and Feistel ciphers. Next, we introduce how to search each of the subspaces by using MILP. To search a divided subspace, we first build an MILP model by using existing work. The model is used to search for the optimal characteristic of an R-round cipher, and its feasible region is the space of all possible R-round characteristics. By adding additional constraints into the model, the feasible region of the model becomes exactly the subspace. Therefore, searching a subspace is equivalent to solving an MILP model whose feasible region is exactly the subspace. To build such models, we introduce the additional constraints for describing the subspaces.

For the subspaces divided for an R-round SPN cipher, the characteristics in them are constrained by the following two constraints. Constraint 1: there are at least NA active S-boxes in each round except for a certain round i. This constraint is described by Equation 1. Constraint 2: the input of round i equals a value delta. This constraint is described by Equation 2. For the subspaces divided for an R-round Feistel cipher, the characteristics in them are constrained by two constraints. Constraint 1 is the same as Constraint 1 for SPN ciphers. Constraint 2 says that the difference or linear mask patterns of the S-boxes at round i and round i+1 are equal to zero and to a vector p, respectively. This constraint is described by Equation 3.

Now we can search a subspace by solving an MILP model. The models built for searching subspaces have smaller feasible regions and thus are easier to solve than the model for the whole space. However, it would cost a huge amount of time if we solved all the models. There are two main reasons. One is that the number of divided subspaces is generally large; recall the subspaces divided for an R-round PRESENT. The other reason is that solving some of the models built for searching the subspaces is time-consuming, for example the model whose feasible region is subspace 3 for an SPN cipher. Thus several techniques are needed to further improve the efficiency. Recalling that our goal is to search for the R-round characteristic with the minimum number of active S-boxes or with the minimum weight, we introduce three techniques in the second step of the search process.

The first technique is similar to the strategy used in Matsui's branch-and-bound search algorithm. At the beginning of the search, we generate a valid R-round characteristic and use it as the currently optimal R-round characteristic. Its number of active S-boxes or weight is used as an upper bound of the minimum number of active S-boxes or weight for the R-round cipher. We generate such an R-round characteristic by extending one of the optimal (R-1)-round characteristics we have found: for the R-round cipher, by fixing the first or the last R-1 rounds to have the same S-box patterns as the optimal (R-1)-round characteristic, we generate a valid R-round characteristic. During the search of the subspaces, if we find an R-round characteristic having a smaller number of active S-boxes or weight than the upper bound, the currently optimal R-round characteristic is replaced by it and the upper bound is updated to its number of active S-boxes or weight.

To reduce unnecessary searches, we only focus on the subspaces in which the characteristics have a smaller number of active S-boxes or weight than the upper bound. Thus, the second technique is to estimate a lower bound of the minimum number of active S-boxes or weight within a subspace. If the lower bound is greater than or equal to the upper bound, there is no better characteristic and we terminate the search of that subspace. To calculate the lower bound, one method is to split the R rounds into smaller parts and then combine them: a lower bound for R rounds is estimated by combining lower bounds or exact values for the smaller parts. In addition, the lower bound can be updated by solving MILP models.

In order to make Technique 2 more efficient, we aim to find better characteristics as early as possible. The third technique is to choose a proper search order of the divided subspaces. There are two cases we can take into account. The first is to preferentially search the subspaces which are more likely to provide better characteristics. The second is to preferentially search the subspaces whose corresponding MILP models can be solved in less time.

We apply our search algorithm to three SPN ciphers and two Feistel ciphers. For each of the five ciphers, we obtain the minimum number of differentially and linearly active S-boxes and the best differential and linear characteristics. Our experiments are performed on a PC, and we use the openly available software Gurobi to solve the MILP models.

This is the result for PRESENT. For the four kinds of experiments, we respectively reach up to 31, 18, 31 and 18 rounds. Our results on the minimum number of differentially active S-boxes are the same as the results in this paper; however, these values are claimed to be lower bounds in that paper, whereas we find that they are exact values. Compared to the results on the best differential characteristics in this paper, we cover more rounds.

GIFT is an SPN cipher similar to PRESENT. We focus on the version GIFT-64 with a 64-bit block size. We obtain the four kinds of experiments for up to 16, 15, 15 and 13 rounds respectively. We improve the probability of the 9-round characteristic given by the designers and get better results compared to the results of the two papers using MILP methods.

RECTANGLE is an SPN cipher proposed in 2015. For RECTANGLE, we obtain the four kinds of experiments for up to 16, 15, 16 and 14 rounds respectively. Our results on the best differential and linear characteristics are the same as those given by the designers.

LBlock and TWINE are two similar Feistel ciphers; both of them are word-oriented ciphers. For LBlock, we obtain the four kinds of experiments for up to 20, 16, 20 and 15 rounds respectively. For TWINE, we obtain the four kinds of experiments for up to 20, 15, 20 and 16 rounds respectively. For both LBlock and TWINE, our results on the minimum number of active S-boxes are the same as those given by the designers.

We conclude our talk. In this talk, we focus on improving the efficiency of the MILP-based security evaluation algorithm against differential and linear cryptanalysis, and we propose an improved search algorithm using a divide-and-conquer approach. Applying our algorithm to five lightweight block ciphers, we obtain better results than previous work. For each cipher, we cover more rounds with less time compared to previous MILP-based methods. Thus our algorithm is more efficient.

For future work: for the five lightweight block ciphers applied in this talk, the permutation layers are all bit permutations. In future work, we will consider ciphers with a stronger permutation layer, such as Noekeon and Serpent. As for the results we obtain for the five ciphers, although the weights of the best differential or linear characteristics for some reduced rounds are larger than the cipher's block size or half of it, we argue that they are possibly useful when the differential or linear clustering effect is taken into account. For the security evaluation against related-key differential cryptanalysis, it seems to be more difficult and requires more work. In the related-key setting, there are plenty of possibilities for the round keys. Compared to a single-key model, a related-key model is more difficult to solve because its space is larger. Thus we did not find a proper way to divide the whole space such that both the number of divided subspaces is not too large and the models built for the subspaces can be solved within a short time.

These are the references. That's all. Thanks for your attention.
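As an added worked example (my own code, not the authors' tool or the MILP models from the talk), the following Python mirrors the talk's three steps on a constructed 16-bit toy SPN: four copies of the PRESENT S-box and a bit permutation scaled down from PRESENT's P(j) = 16j mod 63 to P(j) = 4j mod 15, both assumptions chosen so that everything runs in seconds without a MILP solver. An exhaustive depth-first search takes the place of Gurobi for each subspace; the partition by k (the minimum number of active S-boxes per round), the round index i and the round-i input, the 240 and 27,000 subspace counts, and Techniques 1 to 3 follow the talk. A Matsui-style search over the undivided space is included as the baseline that the talk's T1/T2/T3 table compares against.

```python
"""Divide-and-conquer search for the best differential characteristic of a constructed 16-bit
toy SPN (four PRESENT S-boxes, scaled-down PRESENT bit permutation).  An exhaustive DFS stands
in for the MILP solver of each subspace.  Example code, not the authors' tool."""
from itertools import combinations, product
from math import log2

SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
NS = 4                      # S-boxes per round (assumption; PRESENT has 16)
BLOCK = 4 * NS
# Assumed permutation: PRESENT's P(j) = 16j mod 63 scaled down to P(j) = NS*j mod (BLOCK-1).
PERM = [(NS * j) % (BLOCK - 1) for j in range(BLOCK - 1)] + [BLOCK - 1]
INV = [PERM.index(j) for j in range(BLOCK)]
DDT = [[0] * 16 for _ in range(16)]
for x in range(16):
    for dx in range(16):
        DDT[dx][SBOX[x] ^ SBOX[x ^ dx]] += 1

def row(pairs):  # (value, weight = -log2 probability) transitions, cheapest first
    return sorted(((v, 4 - log2(c)) for v, c in pairs if c), key=lambda t: t[1])

FWD = {dx: row((dy, DDT[dx][dy]) for dy in range(16)) for dx in range(16)}
BWD = {dy: row((dx, DDT[dx][dy]) for dx in range(16)) for dy in range(16)}
MIN_W = min(w for dx in range(1, 16) for _, w in FWD[dx])   # cheapest active S-box: 2

def apply_perm(x, table):
    return sum(((x >> j) & 1) << table[j] for j in range(BLOCK))

def active(x):  # number of active S-boxes in a round whose input difference is x
    return sum(1 for k in range(NS) if (x >> (4 * k)) & 0xF)

def slayer(x, table, bound):
    """Yield (output difference, weight) of one S-box layer on x, weight < bound only."""
    def rec(k, y, w):
        if k == NS:
            yield y, w
            return
        n = (x >> (4 * k)) & 0xF
        for d, dw in ([(0, 0.0)] if n == 0 else table[n]):
            if w + dw < bound:
                yield from rec(k + 1, y | (d << (4 * k)), w + dw)
    yield from rec(0, 0, 0.0)

def best_trail(x, n, bound, na, forward=True):
    """Min-weight trail over the n rounds after (forward) or before (backward) round input x,
    None if no trail has weight < bound.  Other round inputs need >= na active S-boxes
    (Constraint 1).  Backward trails are returned nearest round first."""
    if n == 0:
        return (0.0, []) if bound > 0 else None
    src, table = (x, FWD) if forward else (apply_perm(x, INV), BWD)
    best = None
    for y, w in slayer(src, table, bound - MIN_W * na * (n - 1)):
        nxt = apply_perm(y, PERM) if forward else y
        if (n > 1 or not forward) and active(nxt) < na:
            continue
        sub = best_trail(nxt, n - 1, bound - w, na, forward)
        if sub is not None:
            best, bound = (w + sub[0], [nxt] + sub[1]), w + sub[0]
    return best

def inputs_with_k_active(ns, k):
    """Round inputs with exactly k of ns S-boxes active: C(ns,k)*15^k of them (240, 27,000 for PRESENT)."""
    for pos in combinations(range(ns), k):
        for vals in product(range(1, 16), repeat=k):
            yield sum(v << (4 * p) for p, v in zip(pos, vals))

def search_subspace(R, i, x, ub, k):
    """Optimum with round-i input fixed to x (Constraint 2), >= k active S-boxes elsewhere; None unless < ub."""
    fwd = best_trail(x, R - i, ub - MIN_W * k * i, k)   # the i earlier rounds cost >= MIN_W*k each
    if fwd is None:
        return None
    bwd = best_trail(x, i, ub - fwd[0], k, forward=False)
    if bwd is None:
        return None
    return fwd[0] + bwd[0], bwd[1][::-1] + [x] + fwd[1]

def divide_and_conquer(R):
    """Best R-round differential characteristic: (weight, [round-0 input, ..., final output])."""
    if R == 1:
        best = (float("inf"), None)
    else:   # Technique 1: extend the optimal (R-1)-round characteristic by one round
        w0, trail0 = divide_and_conquer(R - 1)
        y, w1 = min(slayer(trail0[-1], FWD, float("inf")), key=lambda t: t[1])
        best = (w0 + w1, trail0 + [apply_perm(y, PERM)])
    for k in range(1, NS + 1):              # Technique 3: fewest active S-boxes per round first
        if MIN_W * k * R >= best[0]:        # Technique 2: lower bound of the whole subspace k
            break
        for i in range(R):
            for x in inputs_with_k_active(NS, k):
                res = search_subspace(R, i, x, best[0], k)
                if res is not None:
                    best = res
    return best

def whole_space_search(R, ub=float("inf")):
    """Baseline: Matsui-style search over the undivided space, best trail with weight < ub."""
    best = (ub, None)
    for x in sorted(range(1, 1 << BLOCK), key=active):
        if MIN_W * (active(x) + R - 1) < best[0]:
            res = best_trail(x, R, best[0], 1)
            if res is not None:
                best = (res[0], [x] + res[1])
    return best
```

Weights are in bits (minus log2 of the characteristic probability), which is the "weight" of the talk; the Technique 2 bound used here is the crude one, MIN_W times the number of active S-boxes that Constraint 1 guarantees, and the talk's split-and-combine bounds or bounds refreshed by solving MILP models would prune more. Because every characteristic of a bijective SPN has at least one active S-box per round, the subspaces k = 1, 2, ..., NS cover the whole space, so `divide_and_conquer(R)` returns the same optimum as `whole_space_search(R)`.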