Hi, everyone. Hope you are well, staying safe and healthy. Welcome to this talk. My name is Hosein Hadipour, and I'm going to present our paper entitled Comprehensive Security Analysis of CRAFT, which is a joint work with Sadegh Sadeghi, Majid Niknam, Ling Song, and Nasour Bagheri. Let's start.
I've divided my presentation into four parts. I'd like to begin by giving a short description of CRAFT. Next, I'm going to discuss the improved zero-correlation distinguishers we have provided for CRAFT. And quickly after that, I will recall the relation between integral and zero-correlation distinguishers and introduce our new integral distinguishers for CRAFT in this section. Finally, I'd like to tell you about how we significantly improved the differential distinguishers of CRAFT in the single-tweak model.
So, let me give a short description of CRAFT. CRAFT is a lightweight, SKINNY-like tweakable block cipher that was introduced at FSE 2019, for which efficient protection against differential fault attacks has been considered from the design phase. It receives a 64-bit plaintext with a 128-bit key plus a 64-bit tweak, and then iterates 31 identical rounds plus one linear round to produce a 64-bit ciphertext. As you can see in this picture, each round of CRAFT, excluding the last one, performs five basic operations on the internal state. The internal state of CRAFT can be viewed as a 4x4 array of nibbles. The first operation in each round is MixColumn, in which the internal state is multiplied by an involutory binary matrix. Then, round-dependent constants and the round tweakey are XORed to the internal state. After that, an involutory permutation is applied on the position of the nibbles. Lastly, as the only non-linear operation in the round, the same 4-bit S-box is applied on each nibble. The last round doesn't include PermuteNibbles and S-box, and it is totally linear. Round tweakeys of CRAFT are produced using a simple tweakey schedule.
The tweakey schedule of CRAFT splits the 128-bit key into two 64-bit keys, K0 and K1. Then, together with the 64-bit master tweak, T, it generates four tweakeys according to these relations, where Q is a permutation on the position of tweak nibbles. Then, starting from TK0, CRAFT uses these four tweakeys periodically. That's all I wanted to tell about CRAFT.
Now, let's move on to the next part of this talk, in which I would like to talk about zero-correlation cryptanalysis of CRAFT. Before discussing the zero-correlation cryptanalysis, let's review the propagation rules for linear masks over the basic operations of block ciphers, including XOR, branching point, and S-box. As you can see, all input-output linear masks of XOR must be the same. For a branching point, the XOR of output masks must be equal to the input mask. And the input-output masks of an S-box must satisfy the linear approximation table of the S-box.
Now, by giving a simple example, I'm going to show the impact of considering the tweakey schedule in zero-correlation cryptanalysis. I've taken this example from the Ralph Ankele et al. paper at FSE 2019, where they considered tweakey schedules in zero-correlation cryptanalysis for the first time. As you can see in this picture, this toy tweakable block cipher includes only two rounds, and the same tweakey is used in both rounds. Now, assume that gamma 0, gamma 1, and gamma 2 form a linear trail for the data path of this cipher. So, let's consider the tweakey schedule in our analysis. As you can see in this picture, at positions where the round tweakey is XORed to the internal state, linear masks of tweakey states are the same as the linear masks of internal states. On the other hand, because of branching points in the tweakey schedule, the input mask for the master tweak, which is denoted by alpha here, must be equal to the XOR of gamma 0, gamma 1, and gamma 2. Hence, an extra constraint is induced when we consider the tweakey schedule, which is linear as well.
In conclusion, the possibility of finding a zero-correlation distinguisher is increased when we consider the tweakey schedule.
Considering the tweakey schedule, our strategy to search for zero-correlation distinguishers can be divided into two parts. In the first part, which is performed by computer, we generate a bit-oriented MILP problem to model the propagation of linear masks. Then, for all possible input-output masks with Hamming weight one, we call an MILP solver such as Gurobi to solve the generated model. The input-output masks for which the MILP problem becomes infeasible yield a zero-correlation distinguisher. In the second part, which is performed by a human, the contradiction inside the discovered zero-correlation distinguisher is extracted using a manual approach.
It should be noted that the linear behavior of CRAFT depends on the starting round. Given that four different tweakeys are used in CRAFT, it is sufficient to investigate four possible cases, which are denoted by RT0, RT1, RT2, and RT3 here. RT0 denotes the case in which the distinguisher begins from where TK0 is used. RT1, RT2, and RT3 are defined in the same way.
Using our strategy, we provide 14-round zero-correlation distinguishers for CRAFT, which improves the previous results by one round. The specifications of our zero-correlation distinguishers for cases RT0, RT2, and RT3 are represented here. Here, a star depicts an arbitrary value, and gamma and delta are non-zero nibbles. The linear mask of the tweak for our distinguishers in cases RT2 and RT3 is the same. And as you can see, all nibbles except for the eleventh one in the tweak mask can take an arbitrary value in all of our distinguishers. In other words, those nibbles that are depicted by a star in tweak masks have no effect on our distinguishers. Moreover, we showed that there is no 14-round zero-correlation distinguisher in case RT1. Right. Let's move on, and take a look at our distinguisher for case RT0 in more detail.
Using this shape, we prove that the correlation of the linear approximation that is provided for 14 rounds of CRAFT in case RT0 must be zero. To do so, we follow the propagation of input and output linear masks for several rounds in forward and backward direction, respectively. In this shape, white, black, and gray cells illustrate the inactive, active, and unknown cells, respectively. Then, we add the tweakey schedule to our analysis. As you can see, because of XOR, the round tweakey mask must be the same as the internal state mask after the add round tweakey layer.
Now, I want to draw your attention to the eleventh cell of the tweak mask that is tracked by red frames over the tweakey schedule throughout these 14 rounds. It can be seen that it is inactive everywhere except for two rounds, namely rounds 5 and 6. Given that the value of the cell in the tweak mask is equal to 8, the XOR of elements in 8th position, in the round tweakeys of rounds 5 and 6 respectively, must be equal to 8 branching point in the tweakey schedule.
Now, keeping this relation in mind, I want to draw your attention to rounds 5 and 6, where the contradiction occurs. In this shape we focus on rounds 5 and 6. If we look at this figure, you can see that the values of the active cells that are illustrated by yellow frames on the left side must be the same. Similarly, the active cells marked in green frames on the right side of the figure must be the same as well. Therefore, this relation between the cells of the tweak mask that was derived in the previous slide can be converted to this relation between active cells in linear masks of internal states somewhere before and after the S-box layer of round 5. On the other hand, gamma511 and gamma860 are the input and output linear masks of the same S-box, respectively. Therefore, there must exist a pair such as X, Y satisfying the linear approximation table of the S-box such that the XOR of X and Y equals 8 as well.
However, referring to the linear approximation table of the CRAFT S-box, one can see that there is no such pair. And this is a contradiction. As you can see, the contradiction occurs at the bit level in this case, whereas the contradiction occurs at the word level for our distinguishers in cases RT2 and RT3.
Here, I conclude this part and move on to the next part to discuss the integral distinguishers of CRAFT. At ASIACRYPT 2012, Bogdanov et al. revealed a fundamental relation between zero-correlation and integral distinguishers, where they proposed this theorem for the first time. More precisely, let F be a function from F_2^n to F_2^n, A be a subspace, and beta be a non-zero vector such that this is a zero-correlation linear approximation for any alpha in A. Then, for any lambda in F_2^n, this linear combination of the output bits is balanced over the orthogonal complement of A. The next theorem shows that the set of input masks does not necessarily have to form a subspace, and a non-trivial zero-correlation linear hull can always be converted to an integral distinguisher. Therefore, based on this relation, we can convert our zero-correlation distinguishers to integral distinguishers for the same number of rounds.
Given that only one nibble of the tweak is involved in our zero-correlation distinguishers, the attacker can choose an arbitrary fixed value for the other tweak nibbles, and the domain space of the corresponding integral distinguisher is F_2^68 instead of F_2^128. On the other hand, the required data for the corresponding integral distinguisher must be taken from the orthogonal complement of A. In conclusion, the data complexity of the corresponding integral distinguisher equals 2 to the 68 minus the dimension of A. This table summarizes the specification of our integral distinguishers. As you can see, they cover 14 rounds of CRAFT, whereas the best previous integral distinguishers cover up to 13 rounds of this cipher.
Now we come to the last part of this talk, where I'd like to tell you about how we use a combination of automatic methods based on SAT solvers and partitioning techniques to significantly improve the differential distinguishers of CRAFT in the single-tweak model.
Our strategy to search for the best differential trail can be divided into three steps. Given that finding an actual differential characteristic is a time-consuming task, to expedite it, we use a word-oriented MILP or SAT model to find the optimal truncated differential characteristic at first. Next, using a bit-oriented MILP or SAT model, we look for an actual differential trail satisfying the discovered truncated trail. If there is not any actual trail instantiating the discovered truncated pattern, we try another truncated pattern.
In order to evaluate the differential effect, we use CryptoSMT, which is based on SMT and SAT solvers and performs the following steps to evaluate the differential effect. The problem of searching for the best differential trail is encoded into a SAT problem in CNF form at first. Next, the input and output differences are fixed. And after that, a SAT solver such as CryptoMiniSat is called to find one solution X. Solution X here is, for example, a differential trail. Soon after finding a solution, some new constraints are added to the model to exclude the previous solution, and again the solver is invoked to find a new solution. Steps 4 and 5 are repeated until the problem becomes unsatisfiable, which means all differential trails with the given input-output differences have been found. Lastly, the probabilities of all discovered differential trails are added together to compute the differential effect.
It should be noted that CryptoSMT used a naive approach to encode the differential distribution table of an S-box. Therefore, we decided to optimize the S-box encoding to speed up the search.
To do so, firstly, we encoded the DDT of the S-box into this Boolean function, where X and Y are the input-output differences, respectively, and P is a 3-bit binary vector such that the integer sum of P0, P1 and P2 satisfies this relation. Next, we obtained the minimized CNF representation of this Boolean function using the Quine-McCluskey or Espresso algorithm and used this minimized CNF representation in our model.
Applying our simple strategy on 10 rounds of CRAFT, we found a differential distinguisher with probability of 2 to the minus 50.25, whereas the best previous single-tweak differential distinguisher covered 10 rounds with probability of 2 to the minus 62.65, 61. However, computing the differential effect using this strategy is a very time-consuming task, especially for a higher number of rounds. For instance, the enumeration of about 2 to the 21 optimal differential trails for our 10-round distinguisher took about 4 days on a desktop, and we had to interrupt it due to the lack of enough memory. This limitation motivated us to exploit CRAFT's properties to expedite the process.
Looking for a better strategy, we had some observations. We observed that for these input-output differences there is always an optimal differential trail with the same activity pattern for every even number of rounds starting from 8 rounds. We had a similar observation for odd numbers of rounds with these input-output differences. Another interesting observation is that these distinguishers can be divided into 3 different parts, where the middle part is a repeatable one. These inspiring observations led us to the partitioning technique.
For example, this figure represents the 3 parts of our distinguisher for 10 rounds of CRAFT. Let me explain this figure in more detail. All colored cells except for cyan cells represent active cells for an optimal differential trail with fixed input-output differences. Cells highlighted in cyan represent the inactive cells due to the cancellation after MixColumn.
As you can see, the middle part can be repeated as much as required to construct longer distinguishers, since its input-output activity patterns are the same. Moreover, as you can see, the differences at the 14th and 10th positions of X4, here, I mean, must be the same, and they both must be different from the difference at the 6th position of X4 to satisfy the optimal truncated pattern that is depicted in this figure. Therefore, there are in total 3,150 possible cases for the internal differences at the output of the first part. A similar argument can be provided for the input-output differences of the middle part and the input difference of the last part.
Now, given that computing the differential effect for each of these smaller parts is much easier than computing the differential effect for the whole distinguisher, we compute the differential effect of each part separately at first. To do so, for all possible output differences of the first part, for example, we compute the differential effect and store the result in a matrix. In the same way, we compute the differential effect for the middle and last parts, for all possible cases. Finally, assuming that CRAFT is a Markov cipher, the total probability is obtained by multiplying the probability matrices provided for each part.
Given that there are in total 3,150 possible values for the internal differences, and we were not able to compute the differential effect for all of them using our computational resources, we limited the intermediate active nibbles to be in a special set. Referring to the CRAFT S-box, we chose this set, which consists of 5 differences including 5, 7, A, D and F, because of two reasons. Firstly, for each x in this set there exists a y in the set such that the probability of x to y is maximum, since, as you can see, the CRAFT S-box is a differentially four-uniform S-box. Secondly, for each x in this set and for each z out of this set, the probability of x to z is non-optimal.
Now, as you can see in this picture, by limiting the active nibbles in the output of the first part to be in a specified set, there will be only 100 possible cases for it. The input-output differences of the middle part and the input difference of the last part are limited in the same way. Consequently, the number of possible cases and the size of the probability matrices for each part will be significantly reduced, which makes us able to efficiently compute a lower bound for the differential effects of longer distinguishers.
Thanks to the combination of partitioning techniques and automatic methods based on SAT, we could significantly improve the single-tweak differential distinguishers of CRAFT. For example, as you can see in this table, we concatenated three smaller parts of lengths 4, 4 and 6 as first, middle and last part, respectively, to obtain a 14-round distinguisher.
That completes my presentation. Now, we come to the end of this talk, where I have summarized our main results. As you can see, we improved the single-tweak differential distinguishers of CRAFT by 4 rounds, and we improved the zero-correlation and integral distinguishers of CRAFT by 1 round. Before I finish, let me just say that all of our codes are publicly available via the following link. Thank you for listening.
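
The two reasons given in the talk for restricting intermediate differences to {5, 7, A, D, F} can be checked directly on the S-box, as an added example that is not part of the talk or of the authors' published code. The S-box table is taken from the CRAFT specification (it is not shown in this transcript), the function names are hypothetical, and the two-layer single-nibble chain at the end is a toy stand-in for the per-part probability matrices, showing only why the restriction yields a lower bound under the Markov assumption.

```python
from fractions import Fraction

# CRAFT's 4-bit S-box, taken from the cipher's specification (not shown on this page).
SBOX = [0xC, 0xA, 0xD, 0x3, 0xE, 0xB, 0xF, 0x7,
        0x8, 0x9, 0x1, 0x5, 0x0, 0x2, 0x4, 0x6]
# Restricted set of intermediate differences named in the talk.
RESTRICTED = (0x5, 0x7, 0xA, 0xD, 0xF)


def ddt(sbox):
    """Differential distribution table: table[dx][dy] = #{x : S(x) ^ S(x ^ dx) == dy}."""
    n = len(sbox)
    table = [[0] * n for _ in range(n)]
    for dx in range(n):
        for x in range(n):
            table[dx][sbox[x] ^ sbox[x ^ dx]] += 1
    return table


def check_set(table, subset):
    """Return the uniformity and the two properties the talk gives for the set."""
    top = max(max(row) for row in table[1:])  # differential uniformity
    has_best_inside = all(any(table[x][y] == top for y in subset) for x in subset)
    leaving_is_worse = all(table[x][z] < top for x in subset
                           for z in range(len(table)) if z not in subset)
    return top, has_best_inside, leaving_is_worse


def prob_matrix(table, diffs):
    """Transition probabilities between the listed differences only."""
    return [[Fraction(table[a][b], len(table)) for b in diffs] for a in diffs]


def chain(matrix, steps):
    """Multiply `steps` copies of a probability matrix together (Markov assumption)."""
    size = len(matrix)
    result = [[Fraction(int(i == j)) for j in range(size)] for i in range(size)]
    for _ in range(steps):
        result = [[sum(result[i][k] * matrix[k][j] for k in range(size))
                   for j in range(size)] for i in range(size)]
    return result


if __name__ == "__main__":
    table = ddt(SBOX)
    print(check_set(table, RESTRICTED))
    # Toy chain (assumption, not CRAFT's round structure): two S-box layers on one
    # nibble, difference 5 -> 5, intermediate difference restricted vs. unrestricted.
    restricted = chain(prob_matrix(table, RESTRICTED), 2)[0][0]
    full = chain(prob_matrix(table, range(1, 16)), 2)[0x5 - 1][0x5 - 1]
    print(restricted, "<=", full)
```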