The second talk is "Applying MILP Method to Searching Integral Distinguishers Based on Division Property for Six Lightweight Block Ciphers", by Zejun Xiang, Wentao Zhang, Zhenzhen Bao and Dongdai Lin. The talk is given by Zejun Xiang.

Good afternoon, everyone. My name is Zejun Xiang. The title of this talk is "Applying a MILP Method to Searching Integral Distinguishers Based on Division Property for Six Lightweight Block Ciphers". This is the overview of the talk. Firstly, we will review division property. Then we show how to combine the MILP method with division property. Last, we present a search algorithm and show some applications.

First of all, we should take a look at some notations. For any fixed u, π_u(x) is a Boolean function. It is defined as the product of some chosen bits of x, and we use the vector u to choose the corresponding bits. So if n equals 4 and m equals 2, π_u(x) can be computed as x_0 to the power of u_0 times x_1 to the power of u_1, and so on. So the value of π_u(x) equals 0 in this particular situation. Next, if k and k* are two vectors and k_i is greater than or equal to k_i* for every i, then we say k is greater than or equal to k*. Otherwise, we say k is not greater than or equal to k*.

Now we review the definition of division property. Division property was introduced by Todo at EUROCRYPT 2015. It is a generalized integral property. Let X be a subset of (F_2^n)^m, and let the k_i be m-dimensional vectors. X has the division property D_{k_0, k_1, ..., k_{q-1}} if the sum of π_u(x) equals 0 for all u belonging to this set. In this expression, W(u) represents the vectorial Hamming weight of u, and wt(u_0) represents the Hamming weight of u_0. So now, with the help of division property, we can search integral distinguishers for block ciphers. Firstly, we need to construct an input set with division property D_{k_0}, and then we propagate the initial division property through R rounds to get D_{K_R}.
At last, we try to extract some useful integral property from D_{K_R}. So in order to use division property, we need to know the propagation rules. Next, we show some propagation rules for division property. For the copy operation, the division property propagation just decomposes the k value into all possible combinations. For the XOR operation, the division property propagation just adds the two coordinates of the input division property. For the AND operation, the division property propagation takes the maximum value of the input division property. Now, the division property is defined and computed on (F_2^n)^m. If n equals 1, this is the bit-based division property. Bit-based division property treats each bit independently, so it can describe much more detailed division property, and it can find longer distinguishers and better results. However, bit-based division property needs much more computation. At FSE 2016, bit-based division property could only be applied to Simon 32 and Simeck 32. So in the following of this talk, we focus on how to compute bit-based division property efficiently.

The overall strategy here is to use the mixed integer linear programming method to characterize the division property propagation. A MILP problem tries to find the minimum or maximum value of an objective function under some linear constraints. In this model, M is a constant matrix and a is a constant vector. A part or all of the variables in x are restricted to integers. So in order to complete this conversion, we need to address two issues. The first one is to describe the division property propagation by linear inequalities. The second one is to convert the search problem into estimating the minimum value of the objective function. To facilitate this conversion, we present a new notation here. Assume the input set to the block cipher has initial division property D_k, and denote the division property after i rounds of encryption by D_{K_i}. So we have this chain of division property propagations.
For any (k_0, k_1, ..., k_r) belonging to the product space K_0 × K_1 × ... × K_r, if k_{i-1} can propagate to k_i for all i, then we call (k_0, ..., k_r) an r-round division trail. So based on the definition of division trail, we can see that the set of the last vectors of all r-round division trails which start with k is equal to K_r. So now, given an input division property, we do not need to compute K_0, K_1, K_2 step by step. We only need to find all the division trails and check the last vectors of the division trails. But still, we don't know what kind of property we should check for the last vectors. So this proposition gives us a sufficient and necessary condition for a set to have no integral property. Assume X is a set with the division property D_K; then X does not have integral property if and only if K contains all the n unit vectors. So in this case, given an initial division property D_k and a round number r, there doesn't exist an r-round distinguisher if and only if there exist n division trails which start with the initial division property k and end up with the n unit vectors. So now the problem is quite clear. We just need to find the n division trails.

Next, we can proceed to the first issue: describe the division property propagation by linear inequalities. We will address this issue by modeling some basic operations usually used in block ciphers by linear inequalities. The first one is the copy operation. This is the general propagation rule for division property. For the bit-based situation, n equals 1, based on this propagation rule we can find three division trails for the copy operation. Then, if a → (b_0, b_1) is a division trail of the copy operation, this equality is sufficient to describe these propagations, because all the feasible solutions of this equality are exactly the three division trails of the copy operation. Similarly, for the XOR operation, this is the general propagation rule, and for the bit-based situation, n equals 1.
For this case, we can compute three division trails for the XOR operation. For this particular situation, where k_0 and k_1 both equal 1, the propagation is ruled out: in this case k_0 plus k_1 equals 2, which is greater than 1, and since we consider bit-based division property here, this division trail is invalid. Next, if we denote (a_0, a_1) → b a division trail of the XOR operation, this equality is sufficient to describe these propagations. Now, for the AND operation, this is the general rule, and this is the bit-based situation. So we can compute four division trails for the AND operation, and we can compute three inequalities to describe the propagation. We can check that all the feasible solutions of these three inequalities are exactly the four division trails of the AND operation.

Next, we show how to model an S-box. We take the PRESENT S-box as an example. Assume this is the input division property of the S-box, and we calculate the algebraic normal form of the PRESENT S-box. From this input division property, we know that only the sums of these two monomials are unknown. But we can observe that y_0 and y_2, these two Boolean functions, do not contain these two monomials. So the sums of y_0 and of y_2 are 0. Moreover, we can compute y_0 times y_2, and we find that y_0 times y_2 does not contain these two monomials. So the sum of y_0 times y_2 is also 0. Based on these observations, the output division property should be D_{0010, 1000}. Following this idea, we present a generalized algorithm to compute the division trails of any S-box. The input to the algorithm is the input division property of an n-bit S-box, k = (k_{n-1}, ..., k_0), and the output is a subset K of all n-dimensional binary vectors such that the output division property is D_K. So firstly, we initialize S̄ as all the vectors greater than or equal to k, and according to the definition of division property, F(x) denotes all the unknown monomials. So for all u belonging to F_2^n, we compute π_u(y)
and check if this Boolean function contains any monomial of F(x). If so, the sum of π_u(y) is unknown, and in this situation we add u to K̄. At last, we run a size-reduce procedure on K̄ to return K as the output. So based on this algorithm, we can compute the division trails for the PRESENT S-box. These are the 47 division trails we found for the PRESENT S-box. The entries marked in red are the two division trails we computed in the example. So now, for any n-bit S-box, we can compute all the division trails by the algorithm. Then we treat the division trails as 2n-dimensional vectors. At last, according to Sun et al.'s idea, we can compute a set of linear inequalities with the help of the Sage software, such that all the feasible solutions are exactly the division trails. These are the 11 inequalities we found for the PRESENT S-box. In these inequalities, a_3, a_2, a_1, a_0 denote the input division property, and b_3, b_2, b_1, b_0 the output division property.

So now, for any block cipher based on copy, XOR, AND and S-box operations, we can construct a linear inequality system to describe the division property propagation. But still, we don't know the division property of each round. We don't know K_0, K_1, ..., because this linear inequality system doesn't contain any information about the input division property. So if this is an r-round division trail, and k = (k_{m-1}, ..., k_0), we should add a_i^0 = k_i for all i into the model. Now the input division property has been added into the model, so we know K_0, and then according to the propagation rules we know K_1, K_2, ..., K_r. That's how we solve the first issue.

Now we can proceed to the second issue: convert the search problem into estimating the minimum value of the objective function. We know that if K_r contains all the n unit vectors, an r-round integral distinguisher doesn't exist. So if this is an r-round division trail, we can set the sum of the coordinates of the last vector as the objective function,
and we try to find the minimum value of this objective function. If the minimum value of this objective function equals 1, then we have found a unit vector. So now, for any block cipher, given an input division property, we first construct a set of linear inequalities to describe the division property propagation for that input division property, and then we set the sum of the coordinates of the last vector as the objective function. Combining this set of linear inequalities and the objective function, we get a MILP model, and this model will be the input of the search algorithm. The output of the search algorithm is a set S, and this set will indicate the balanced bit positions. Firstly, we initialize S as all the possible bit positions. Then we repeat this procedure n times, where n is the block size of the block cipher. Each time we check if M has feasible solutions. If so, we optimize this model and get the objective value. If the objective value equals 1, we have found a unit vector, and we let p denote the bit position taking value 1 in the objective function. In this case, p is an unbalanced bit position, so we need to exclude p from S and remove the unit vector from M, and we try to optimize this model again. When this procedure stops, we get the set S as the output. If this set is empty, then an r-round integral distinguisher doesn't exist. If this set is non-empty, then we have found some balanced bit positions for r-round encryption.

This table shows some applications of this search algorithm. We can find better results for the Simon and Simeck block ciphers, except for Simon 32 and Simeck 32. We can also find better results for the PRESENT and RECTANGLE block ciphers. For the last two block ciphers, we find the same results as the previous best results. More important is this column, which shows the execution time of this search algorithm.
Among these ciphers, Simon 128 took the most time, but it is still less than an hour on a personal desktop. So this algorithm is quite efficient and practical. Okay, those are some references. Thank you.

Any questions or comments? We have a long time to discuss.

Can you please go to the slide where you showed the objective function?

Here.

So you're trying to minimize... again, what are you trying to minimize?

We try to find the minimum value of this expression, the sum of the coordinates of the last vector of the division trail.

Questions or comments? Let's thank the speaker again.
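The following script is an added worked example; it is not code from the talk, the slides or the paper. It reproduces two parts of the talk offline, without a MILP solver: first, the bit-based division trails of copy, XOR and AND derived from the propagation rules, checked against their linear models by enumerating all 0/1 assignments (the copy and XOR equalities are the ones the talk states; the three AND inequalities are an assumed encoding of b = max(a_0, a_1) over {0,1} and are not quoted from the talk); second, the S-box division-trail algorithm (unknown monomials, K̄, size-reduce) run on the PRESENT S-box by computing the algebraic normal form of every product π_v(y) with a Möbius transform. The PRESENT S-box table is the standard one; the input vector 0111 used to reproduce the D_{0010,1000} example is my reconstruction, since the transcript does not state which input property the example used.

```python
"""Bit-based division trails: basic operations and the PRESENT S-box.

Added example, not code from the talk or the paper. It checks the three
propagation rules against their linear models, then implements the S-box
division-trail algorithm (unknown monomials -> K-bar -> SizeReduce) on the
PRESENT S-box using its algebraic normal form.
"""
from itertools import product

# PRESENT S-box (4-bit), input index x = 8*x3 + 4*x2 + 2*x1 + x0.
PRESENT_SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
                0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]


# ---- basic operations: trails from the propagation rules ---------------------
def copy_trails():
    """a -> (b0, b1): the input value a is split into all (b0, b1) with b0 + b1 = a."""
    return {(a, b0, b1) for a, b0, b1 in product((0, 1), repeat=3) if b0 + b1 == a}


def xor_trails():
    """(a0, a1) -> b: b = a0 + a1; a0 = a1 = 1 is invalid because b would be 2."""
    return {(a0, a1, a0 + a1) for a0, a1 in product((0, 1), repeat=2) if a0 + a1 <= 1}


def and_trails():
    """(a0, a1) -> b: b = max(a0, a1)."""
    return {(a0, a1, max(a0, a1)) for a0, a1 in product((0, 1), repeat=2)}


# Linear models over 0/1 variables. The copy and XOR equalities are those given in
# the talk; the three AND inequalities are an assumed encoding of b = max(a0, a1).
COPY_MODEL = [lambda a, b0, b1: a - b0 - b1 == 0]
XOR_MODEL = [lambda a0, a1, b: a0 + a1 - b == 0]
AND_MODEL = [lambda a0, a1, b: b - a0 >= 0,
             lambda a0, a1, b: b - a1 >= 0,
             lambda a0, a1, b: b - a0 - a1 <= 0]


def feasible(model):
    """All 0/1 assignments of the three variables satisfying every constraint."""
    return {p for p in product((0, 1), repeat=3) if all(c(*p) for c in model)}


# ---- S-box: division trails from the ANF ---------------------------------------
def anf(truth_table, n):
    """Moebius transform: truth table indexed by x -> set of monomial masks u (x^u)."""
    coeffs = list(truth_table)
    for i in range(n):
        bit = 1 << i
        for x in range(1 << n):
            if x & bit:
                coeffs[x] ^= coeffs[x ^ bit]
    return {u for u, c in enumerate(coeffs) if c}


def pi_anf(sbox, n, v):
    """ANF of pi_v(y) = prod_{i: v_i = 1} y_i, where y = S(x), as a function of x."""
    return anf([1 if (sbox[x] & v) == v else 0 for x in range(1 << n)], n)


def covers(a, b):
    """a >= b in the division-property order: every bit set in b is also set in a."""
    return (a & b) == b


def size_reduce(vectors):
    """Keep only the minimal vectors: drop v if some other w in the set has v >= w."""
    return {v for v in vectors if not any(w != v and covers(v, w) for w in vectors)}


def sbox_output_property(sbox, n, k):
    """Output division property K for input D_k (the talk's S-box algorithm)."""
    unknown = {u for u in range(1 << n) if covers(u, k)}   # F(x): monomials x^u, u >= k
    kbar = {v for v in range(1 << n) if pi_anf(sbox, n, v) & unknown}
    return size_reduce(kbar)


def sbox_trails(sbox, n):
    """All division trails k -> v of the S-box."""
    return {(k, v) for k in range(1 << n) for v in sbox_output_property(sbox, n, k)}


if __name__ == "__main__":
    for name, trails, model in (("copy", copy_trails(), COPY_MODEL),
                                ("xor", xor_trails(), XOR_MODEL),
                                ("and", and_trails(), AND_MODEL)):
        print(f"{name}: {len(trails)} trails, model matches: {feasible(model) == trails}")
    out = sbox_output_property(PRESENT_SBOX, 4, 0b0111)
    print("PRESENT S-box, input 0111 ->", sorted(f"{v:04b}" for v in out))
    print("PRESENT S-box trails:", len(sbox_trails(PRESENT_SBOX, 4)))
```

Running it prints 3, 3 and 4 trails for copy, XOR and AND with each model matching, the output property {0010, 1000} for input 0111, and 47 trails in total for the PRESENT S-box, the count the talk reports. The same functions work for any bijective n-bit S-box table; for the 8-bit case the 2^8 × 2^8 ANF enumeration is still instantaneous.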