 And so the last talk in this session is a presentation of a platform for evaluation, implementation and generation of S-Boxes. The paper is by Zhenzhen Bao, Jian Guo, Sang Li, and Yu Sasaki, and Zhenzhen Bao will give the talk. Introduction. So I would like to introduce our SOK paper on the design of S-Box and a platform for evaluation, implementation, and generation of S-Boxes. So many blog cipher follow the Shannon idea, sequentially application of the confusion and diffusion. Confusion are generally provided by the form of substitution box, so S-Box for short. The natural question is how to distinguish the good S-Box from the bad S-Box. So developed for the several decades, the design criteria on S-Box have been involved and both for the security respect and the implementation performance aspect. So in this talk, in this paper, we aim to provide a survey on the known results on the design criteria of S-Box and also build a platform for assist the evaluation, implementation, and generation of S-Box. And I will introduce the three aspects of functionality of S-Box and would like to use the green ball to indicate that Pagan can provide the functionality efficiently and use the yellow ball to indicate that Pagan is only efficient for small S-Box and use the red ball to indicate the corresponding functionality is currently not support by Pagan current. So S-Box mapping MB to MBs will have M coordinates and they are the unvariable Boolean function. We denote them as SEI. There are many ways to represent S-Box, the direct way is to use the lookup table and also there is B-Slice representation and they are the concatenate of the value vector of the coordinates. So both of the representation can be accepted as input to Pagan. As there is also mathematical representation, a general conventional way is to use the algebraic normal form. So use this formula given the value vector of the Boolean function, we can compute the efficiently the algebraic normal form. So given the B-Slice representation of S-Box, Pagan will output the algebraic normal form of the coordinate. So we want to make a distinguish between the coordinates and the components of the S-Box because some property can only be defined use the components. The components are the linear combination of the coordinates. We say an S-Box is balanced if they take every value the same number of times. So if all of the components are balanced, the Boolean function, the S-Box is balanced. So the balanced S-Box mapping NB to NB are of particular interest, they are the permutation. So let's look into the security aspect with respect to the resistance to differential create analysis. The property of the derivative of the S-Box can quantify the strength of the S-Box. So the solution of the derivative equation can be formed into this violin and this difference distribution table and Pagan will compute the maximum in this table. And this is well known as the differential uniformity. Our community are still seeking for larger S-Box even dimensional because they are good for the resistance to differential analysis. So besides the maximum, the frequency of the maximum occurs in this ddt and also the frequency of the values in this table may also provide distinguish between S-Box with the same uniformity because they can behave differently for specific cipher and provide more accurate upper bound for the, for example, two round of the upper bound on the maximum expected differential probability of the cipher, for example, for AES. So Pagan will compute the frequency, the differential spectrum and for the resistance to linear cryptanalysis, the property of the wash transform and the wash coefficients are important criteria. And they are related, the wash coefficient is related with the bears of the linear approximation. So we call this table formed by the coefficient, wash coefficient, say as the linear approximation table. And again, the maximum in this table, the absolute value is defined as the linearity and we also do their S-Box with small linearity. And again, the frequency of the maximum occurs in this table and the whole wash spectrum can also provide distinguish between S-Box with the same linearity. So given S-Box, Pagan will evaluate the wash spectrum. For some cipher, their linear layer only consists of bit permutation. So the S-Box not, require not only provide some confusion, but also some diffusion. So the differential branch number and the linear branch number may be the criteria for the design. So now we focus on the sub-table in the DDT and the LAT. They are named DDT1 and LAT1. So the maximum in those sub-tables and also the number of non-zero entries in these sub-tables are of significance for some cipher. So Pagan will output the difference distribution in this form. It will rearrange the rows and the columns so that they are in the honey-weight order. So that we can clearly see the DDT in the left upper corner and also output the uniformity and the spectrum then see the sub-tables. So for S-Box can be completely specified by the linear approximation table. So it's possible to recover the S-Box from the LAT and also from some good DDT. We may recover some DDT equivalence class of S-Box. However, this functionality is currently now supported by Pagan. So as mentioned by yesterday's talk, the resistance to Bormeron attack may related with the Bormeron connectivity table. And again, there is Bormeron uniformity, the Bormeron differential spectrum that may interest for evaluate. So Pagan will compute this BCT. And for the resistance to algebraic attack, the maximum among the degrees of all components and the minimum among the degree of the components may be important. So besides the frequency of the degree may be important, so Pagan will compute the maximum degree, the minimum degree and the degree spectrum according to the N and F of the components of the S-Box. So besides the degree of the linear combination of the coordinates, the product of the degree, the maximum degree of the product of k coordinates can also be useful because they may be used in the division property-based attack. And for given S-Box, Pagan will evaluate this decay and out for the table like this. Besides this decay can also provide some more accurate estimation for the degree of the whole cypher according to this theorem. So besides decay, which is related with the division property-based integral attack, there is another notion, the site which shows the appearance of a monomino in the N and F of the product of the coordinates of S-Box can be important because they may show some resistance of the S-Box against the division property-based attack. So Pagan will evaluate the table representation of this table. And for besides the algebraic normal form, which is multivariant polynomial representation, the S-Box can also be uniquely represented by the univariant polynomial. The univariant degree and the number of terms in the univariant polynomial representation may be important, but currently Pagan do not evaluate. And for the relation to truncated differential and the subspace trial attack, the linear structure of the S-Box may be important because when I evaluate the longest subspace trial, if the S-Box have linear structure, we should get considered this. Besides the linear structure of the Boolean function is actually a very early notion to provide measurements on the linearity of the Boolean function. And the linear structure of the S-Box has been used in very early differential attacks on deaths. So given an S-Box, Pagan will output the linear structure of the S-Box. So they use an efficient way to find all linear structures and use the auto-correlation table formed by the auto-correlation coefficient of the components of the S-Box. So given S-Box, Pagan will output the auto-correlation table also. So for the resistance to some cube-like attack, the notion of VW linear linearity may be important because it can quantify the ability of the S-Box to propagate fine relations. So an S-Box is VW linear if there exists two linear subspace, the input subspace way and the output subspace W of dimensions, small way and W such that all components of the S-Box in this output subspace W are fine, all cosets of the input subspace. So given S-Box, Pagan will evaluate the VW linearity of the S-Box and output table like this, it shows the number of subspace of dimension V such that there exists a W dimension of W such that the S-Box is VW linear and also output of the subspace VW. And as mentioned by the first day's talk, the resistance to VW subspace attack may relate to the existence of the nonlinear VW of the S-Box, especially the quadratic ones. So maybe it's of interest to evaluate the nonlinear VW of the S-Box that's currently Pagan do not suppose this functionality. So lots of the previous mentioned cryptography property are invariant under some transformation. For example, the linear transformation, the permutation transformation and the knowledge on the largest transformation group that preserve criteria is very important to study such criteria and also to reduce the space of the S-Box we should focus on. So given S-Box, Pagan will evaluate the representative of its permutation or equivalence class and also the representative of its linear equivalence class and it has whether two S-Box are fine equivalents and if they are equivalent it will output the fine permutations. However, the more general, two more general concepts of equivalence are the extended fine equivalence and this is the equivalent of however Pagan currently do not evaluate this equivalence. So this previous is on the security aspect, on the implementation aspect we first provide a survey on existing tools and through the comparison we found a tool named lighter provided by Jain etc. have the most features and the speed is acceptable and they are open-coded. So we want to build the implementation aspect of functionality based on lighter. So given S-Box, Pagan will evaluate the implementations good in terms of the falling performance criteria, the B-slice gate complexity, the gate equivalence complexity, the multiplexity for complexity and the depth complexity and a inherent from lighter Pagan can consider that a different gate can have different cost both for the gate equivalence and the gate equivalence complexity and the depth complexity. So the approach in later used the bi-directional Dijkstra shortest-pice funding algorithm and they expand two graphs, one from the identity function and the other is the target function the S-Box and it uses a meeting the middle strategy to find the implementation of the target and the nodes are all developed expanded use the right hand side kind of function they are invertible and so based on this approach Pagan and Vipro pose some optimization method because we found some these two graphs are actually also as a morphic and so actually we only need to compute one graph and which is independent with the target so by use the composition and concatenation method we can find the implementation of the target and because this graph can be pre-compute and stored so they can be used once for all and so we also use some equivalence between the implementation sequence to reduce the third space so that Pagan is efficient even for given a large side of a small S-Box and we want to enrich the functionality by make it cover some larger S-Box and support finding the depth optimal implementation while it's currently only efficient for three and four-bit S-Box and for the generation aspect we use the simple circuit construction method which is very similar for the construction method of Lufa the S-Box of Lufa actually it is a direct extension of the implementation functionality it's still use the pre-compute graph and compose the nodes in the graph to get the composition function and given a site of criteria it check the results whether fulfill such site of criteria and also use the invertible small functions so the tool usage of in Pagan is that if given a site of criteria together with the site of S-Box it can filter out the S-Box fulfilling this criteria and output the more detailed evaluations and if only given a site of criteria Pagan can generate some S-Box some new S-Box fulfilling the given criteria and classify the results according to their detailed properties so let's make a summary in this work we try to provide us the V on the known results on the design of S-Box and we want to build a platform to assist the evaluation implementation generation of S-Box however Pagan is still missing some functionality and it's not yet powerful enough for the implementation generation of strong larger S-Box so but we believe there exists a heuristic and theoretical method that can tackle the larger S-Box and integrate into this platform so for interest readers we refer to the GitHub website for the source code and all the generate results thanks for your attention questions yeah thank you for the talk suppose someone wanted to contribute code to this Pagan platform what would be the best way to go about it through GitHub or yeah okay thank you other questions yes did you do some benchmarking about the speed of your implementation compared to other open available implementations we just implement other tours and try and try some experiments and it shows that there are the site-based method and the site-based method is not very efficient for the implementation and also there is the depth for the third algorithm and the output is not guaranteed to be optimal but it's the speed is compatible with the later based method and for the security evaluation methods is it did you also do some benchmarking so for this computing the differential uniformity and equivalence classes and stuff like this you mean the evaluation speed of the tour or the result no say that if I have I don't know a large set of S-Boxes and I want to pick the best from this set regarding some security notion maybe for differential uniformity so did you and there are I don't know for example SageMath can also do this and did you compare your implementation speed-wise to the implementation from Sage I tried Sage first but for large set of S-Boxes Sage does not provide the the result efficiently okay thanks for this tour we can evaluate to two to the for example 20 or S-Boxes simultaneously efficiently okay any other question well I have one or how hard would it be to add for example another design criteria in your tool like is it based on a lot of small modules and you can add the small module which says well I have another criteria for my S-Boxes and I plug the module and everything will work quickly or you need to do a bit more technical works in the code to make it work you mean to evaluate the given S-Boxes yeah you can write the truth the lookup table representation in the file yeah the pagan will read the file to generate the the evaluation no this was more in the other way like imagine that I found some new design criteria for S-Boxes yeah you can is it easy to add it code a file named this file provide the class the CPP class and you can add new functions to this class and to evaluate a new criteria okay thank you is there any other question so I think you will get some new contribution to this tool so thanks very much let's thanks all speakers of the session we now have lunch and the next session