In this talk, what we try to do is to revisit and give a new view of a distinguishing property that was introduced last year by Yosuke Todo at Eurocrypt 2015 and that is called the division property. So the general setting: we are interested in block ciphers, and in a particular analysis of block ciphers. In general, when an attacker wants to break a cipher, the first thing he will try to do is to find a distinguishing property that should hold for every value of the secret key. Once this distinguishing property is found, he can probably try to mount a key-recovery attack to find the value of the secret key or part of it. But in this talk we will only be interested in the distinguishing part, in how to find a distinguishing property for our block cipher.

Last year, Yosuke Todo introduced a new distinguishing property that he called the division property, and in some way this can be seen as a generalization of integral and higher-order differential distinguishers. In particular, by using it he managed to fully break full MISTY1 for the first time, and this was the best paper award at last year's CRYPTO. I will try to explain a little bit what the division property is, but before this I will introduce the notation that I will need.

The first notation is the way I will represent monomials in n variables. Imagine you have two n-bit vectors, x and u. I will denote by x to the power of u the coordinate-by-coordinate product of x_i to the power u_i, where x_i and u_i are the coordinates of the vectors x and u. Let's see this with an example. Imagine u is the vector 1010. Then x to the power of u will be the coordinate x4 to the power of 1, times the coordinate x3 to the power of 0, times the coordinate x2 to the power of 1, times the coordinate x1 to the power of 0. When we have a coordinate to the power of 0, this always gives 1, so we don't care about those positions.
So this will give the monomial x4 x2. Then imagine we want to evaluate this monomial at the point, let's say, x = 1100. What we get is: we compute 1 to the power of 1, times 1 to the power of 0, times 0 to the power of 1, times 0 to the power of 0. This product almost always gives 1; we get 0 only in the case where the base is 0 and the exponent is 1. So what we can say from this is that if we evaluate a monomial, it will be 1 if and only if we avoid the situation where we have 0 in the base and 1 in the exponent, which means that the product will be equal to 1 if and only if all the coordinates of u are smaller than or equal to the corresponding coordinates of x. This is a partial order, and when I say that u is smaller than or equal to x, I will mean it in this sense and I will use this special notation.

Okay, so what is the division property? If we have a set X of elements of F_2^n, we say that the set X has the division property of order k, and we denote it by D^n_k, if the sum, over all elements x in X, of x to the power u, so of these monomials, is 0 for all vectors u that have a Hamming weight strictly less than k. If this happens, we say that our set has the division property of order k. The division property is a kind of generalization of integral properties, because for some particular values of k we get some very well-known integral properties. For example, it is easy to see that when k is equal to 2, if a set has the division property of order 2 then it has the balanced property, and when it has the division property of maximal order then it has the saturated property, which means that all the values in the set are taken exactly once.
However, the novelty in the division property is the introduction of these intermediate properties, that is, properties for k between 3 and n minus 1. We don't have a very nice interpretation of these intermediate properties. However, we can propagate them, get some information, and use some information about the algebraic degree to construct distinguishers.

So this will be the outline of my talk. I will start by introducing the main notion of this paper, that is the parity set of a set. I will show how this is linked to the division property and how we can use it to get a very nice and easy description of sets having the division property of any order. Then I will show how we can use this property to construct distinguishers for iterated block ciphers based on the SPN construction, and finally I will show an application with some low-data distinguishers on the lightweight block cipher PRESENT.

Okay, so what is the parity set of a set? The notion is very easy. It is exactly the set composed of all exponents u such that the sum, over all elements x of the set, of the monomials x to the power u is 1. This sum can be 0 or 1, so you put in the set all the exponents that make the sum 1, and this will be the parity set of X. So what is nice? The first thing is that you can compute the parity set of a set very easily. To do so I will need the notion of the incidence vector of a set. The incidence vector of a subset of F_2^n is just a binary vector of length 2 to the n that has a 1 at all the positions corresponding to elements in the set. Let's see this with an example. Say n is equal to 3 and the set X is composed of the 3 elements 1, 4 and 7; then the incidence vector will be a vector of length 8 and Hamming weight 3 that has ones exactly at the positions corresponding to the elements in the set.
Consider now a binary matrix with 2 to the n rows and 2 to the n columns, where the coefficient at the intersection of row u and column a is the evaluation of the monomial a to the power u. What we can show quite easily, by just writing the definitions down, is that if you want to obtain the incidence vector of the parity set of a set, you just take the incidence vector of the set and you multiply it by this matrix G. For this example, n is equal to 3 and here is the matrix G corresponding to this n: the columns correspond to the base and the rows correspond to the exponent. If you do this computation you obtain this binary matrix, which is upper triangular. Let's say your set X is 1, 2 and 4. You compute the incidence vector, you multiply, and what you obtain is the incidence vector of the corresponding parity set. So finding the parity set of a set is very easy.

What is nice, and what we will see, is that the parity set of a set is unique, so there is a one-to-one correspondence between a set and its parity set. For this I will need the notion of Reed-Muller code. A Reed-Muller code of length 2 to the n and order r is just the set of all value vectors of all Boolean functions of degree less than or equal to r. If you are a little familiar with Reed-Muller codes and you look at this matrix, you will immediately see that this matrix is a generator matrix of the Reed-Muller code of length 2 to the n and order n. What is nice about this is that we know that this matrix has full rank, that it is invertible, and that its inverse is the matrix itself, so it is involutive. Exactly from this we get an isomorphism of binary vectors that matches the incidence vector of a set to the incidence vector of its parity set, which proves that for each subset U there is a unique X such that U is the parity set of X, and you can go backwards, so there is a one-to-one correspondence.

So what is now the link between this parity set and the division property? It is easy to see that if you have a set X that fulfills the division property of order k, this just means that all the elements in the parity set have a Hamming weight greater than or equal to k, which means that the division property of order k is just a lower bound on the weight of the elements in the parity set. So what we will try to do here, instead of propagating just the division property, this element k, and seeing how it degrades through the rounds, is to propagate the elements in the parity sets. This will be nicer: we will have a more accurate representation, we will have the form of the elements, and we will see better what happens.

For the moment let's stay in the more theoretical part. By this link, and by using Reed-Muller codes (I will not get into the details), what we can prove is that a set X fulfills the division property of order k if and only if its incidence vector belongs to the Reed-Muller code of length 2 to the n and order n minus k. This correspondence permits us to show things about what it means for a set X to have the division property of a certain order. This was a question that many people tried to answer last year; for some extreme cases, for orders one, two and n, the answer was given, but very often in a very complicated way. But if we take the correspondence with the Reed-Muller code we can give some proofs in just one or two lines. For example, it was proven by Sun et al. last year that if X fulfills the division property of order k then the set X has at least 2 to the k elements. The proof was very long, but with Reed-Muller codes we can prove this in one line, just using the minimum distance of this code. What we get more is that we know when equality holds: it happens exactly for sets that are affine subspaces of dimension exactly k. So we can easily recover results that were already known. What is new is that we can describe exactly all sets that fulfill the division property of order n minus 1: we know that they are exactly all the affine hyperplanes.

So now we will see how we can use this property, how we can propagate it through the round operations of a substitution-permutation network. In particular, we will see what happens to the parity set when we go through key addition and when we go through an S-box.

The first operation usually in an SPN cipher is the addition of an unknown key. Unfortunately, as the key is unknown, we don't know exactly what happens to the parity set after the addition, but what we can prove is that the elements that will be in the parity set after the addition will all be successors of the elements that were there before. With an example: let's say n is equal to 4 and the parity set of X is composed of 2 elements, 3 and c. Now we add the same secret key to all the elements in the set. We don't know exactly what the value will be, but we know that the parity set will be included in the set of all successors of 3 and c, which gives the following 7 elements.

Let's see now what happens when we go through an S-box. We have in the beginning a parity set, then we apply an S-box to all the elements of the set, and we want to see what the parity set at the output of the S-box is. If you use the definition, if you want to find which elements v are in the parity set after the S-box, the definition says that these will be all the elements v such that when you take the sum of S to the power of v, this sum is equal to 1, which just means that the algebraic normal form of this function, which is just the product of some output coordinates of the S-box, contains some x to the power of u for some u that belongs to the parity set. Why is this so? Because if it was not the case, then the sum would be 0. So now I will define the set V_S(u), which is exactly the set of all vectors v such that S to the power v, which is just the product of the coordinates designated by v, contains the monomial x to the power u. Now we can see that the parity set after the S-box will be the union, over all the elements u in the parity set of X, of this set V_S(u). These sets form a matrix, and this matrix is very, very important for the resistance of the cipher against this type of distinguisher.

Here is the matrix V_S(u) for the S-box of the block cipher PRESENT. The columns correspond to the products of output coordinates, so we have here a direct correspondence with the algebraic normal form of a function. Here you have the algebraic normal form of the four coordinates of PRESENT, and what you see if you look at the first four columns is that what you have vertically is just the algebraic normal form of each coordinate, because for example an x at the intersection of row 4 and column 1 just means that the monomial x4 belongs to the first coordinate. Of course we can also compute this set V_S(u) not only from the S-box but also from the inverse S-box. I will not explain this in detail, but as the S-box is a permutation we can easily go from one to the other. So what we can see is that columns correspond to the algebraic normal form of the S-box, and rows correspond to a kind of algebraic normal form of the inverse S-box. Ideally we want this matrix to be as full as possible; we don't want to have sparse rows or columns.

To see this I will show an application to the block cipher PRESENT. The only things I need from this design are the fact that it has a 64-bit block size, that there are 16 4-bit S-boxes applied in parallel, and that the linear layer is a bit permutation. Yosuke Todo, in his seminal paper, describes some generic distinguishers based on the division property that only exploited the degree of the function and not any other properties. If we fix the input size, the data complexity of the distinguisher, to 2 to the 12, he managed to find a distinguisher for three rounds of PRESENT. What I will show here is that by taking into account the linear layer and the S-box, we can find distinguishers for four, five and six rounds while keeping the same data complexity.

To do so we will start with an input set X of the following form: it will be of size 2 to the 12, where we have three nibbles that take all possible values and the other nibbles are fixed to a constant value. We can see from there what the parity set is just after the key addition: for the nibbles with a constant value we don't know the values of the parity set, but in the three nibbles that take all values we know that there is only one element in the parity set, the all-one vector. So we know that the form of the parity set after the key addition will be like here, and this is preserved by the first S-box layer. Then we can take advantage of the linear layer of PRESENT, because we know exactly its form, so we now just permute the elements in the parity set. Then we can use what we know about the degree, so we know which kinds of monomials we can have. I won't go into the details, but it is very easy: we can prove that after four rounds we only have elements that have Hamming weight greater than or equal to two, and that means that our set has the balanced property. If we have an element of weight one then we stop; the distinguisher cannot say anything anymore.

We would like to move to five rounds; however, as we can see, this is not possible for all types of S-boxes, because we have found a propagation of the values in the parity set that leads, after the fifth round, to an element of Hamming weight one. But this propagation is only possible if the S-box makes the transitions from the element e to elements of weight one and weight two possible. So let's see what happens for the PRESENT S-box. If we look at the row corresponding to e, we see that this row is very sparse, and in particular there are no transitions to elements of Hamming weight one and only one transition to an element of Hamming weight two. This is a weakness of this S-box, so we use it, and indeed we were able to verify by computer that there were no elements of Hamming weight one after five rounds. That means that the output set after five rounds has the balanced property.

If we want to move further, we cannot have a distinguisher like this for six rounds, because there are elements of Hamming weight one after six rounds. However, if we look now at the columns of this matrix, we see that the first column is very sparse, because the first coordinate of the algebraic normal form of the PRESENT S-box is only quadratic and has very few terms. What we manage to see is that after six rounds there are elements of Hamming weight one, but not all of them are possible; in particular, the elements corresponding to the first coordinate of each of the 16 S-boxes never appear. That means that we have 16 values that never appear, so this gives a kind of weaker distinguisher.

To conclude about this part, the PRESENT S-box is probably not the best for this type of distinguisher; that is why we were able to find this attack. If you want your S-box design to resist this kind of attack, the best way is to choose S-boxes whose components are all of maximum degree, since then we can prove that you will not be able to have these sparse rows and columns.

To conclude: we saw that the notion of parity set allows us to capture more information during the propagation compared to the division property, and there are some open questions about this. The drawback is of course that it takes more time and memory to do the propagation, because you have a lot of information to propagate compared to just the Hamming weight that you have with the division property. How to make this more time- and memory-efficient? I probably don't have any time anymore, so I will stop here. Thank you very much for your attention.