Hello, everyone. My name is Kai, and I'm from Shandong University. Thanks for listening to my presentation. The title is Finding Bit-Based Division Property for Ciphers with Complex Linear Layers. This is joint work with Qingju and Meiqin.

Here is the outline of this presentation. I will first introduce our main results, then give the background knowledge about the division property and the motivation of this paper, why we focus on the division property propagation model of complex linear layers. Thirdly, I will show the ideas of our new model. Last are the applications of this new model to the AES, LED, CLEFIA, and Camellia ciphers.

In this paper, we propose a new model of the propagation of division trails over a complex linear layer, which can be used in the automatic search for the bit-based division property. The complex linear layer includes, for example, the MDS matrix used in the AES or CLEFIA ciphers, and it should be different from the simple case, for example, the bit-based linear layer used in the PRESENT or GIFT ciphers, or the binary matrix used in the SKINNY cipher. Our new model consists of n squared plus 1 constraints. When we use the MILP or SAT tool to describe the propagation of the division trails, we model these constraints into our model. Our new model is a universal and precise one. It means it can trace the division trails precisely, and it can be used in almost all cases for all kinds of linear layers. With this new model, we can handle the AES, LED, CLEFIA, and Camellia ciphers, which could not be handled well before.

In this paper, we focus on the conventional bit-based division property, which is also known as the two-subset bit-based division property. For all vectors u belonging to F_2^n, we can divide them into two parts according to this formula. Here, X is a multiset, which could be the multiset of the plaintexts, ciphertexts, or the intermediate states.
For u in the first part, this summation will always be 0, and for u in the remaining part, the value of the summation cannot be predicted. If the cipher acts on the plaintexts and the intermediate states, we can trace the propagation of the division property from the multiset of the plaintexts to the intermediate states and to the multiset of the ciphertexts. Finally, we can get the zero-sum property of the ciphertexts, and the integral distinguisher can be obtained.

To model the propagation of the division property, Xiang et al. at ASIACRYPT 2016 proposed the concept of the division trail. A sequence of vectors such as k0, k1, and kr is called a division trail if, for every ki, it can propagate to ki+1. Then, an important topic in the division property is to model the propagation rules of these division trails. Also, in Xiang et al.'s paper, they proposed a method with the help of the MILP or SAT model to trace the division trails according to the propagation rules of the division property. Let the solutions be valid division trails like k0, k1, k2, and kr. We can call the MILP or SAT model to solve the propagation of the division trails. MILP or SAT tools are well known in automatic search these years. They can be used to solve some constraint problems. So the most important thing is to model our problem into the MILP or SAT model.

In the division property, if k0 to the jth unit vector is infeasible, then we can say the jth bit of the ciphertext is zero-sum. And to model the propagation of the division trails, the propagation rules between k0, k1, k1, and k2 are very important. For the conventional bit-based division property, the propagation rules can be concluded as this. u can propagate to v if and only if there exists u prime larger than or equal to u, satisfying that this formula is a monomial of this formula.
And before our paper, the propagation rules for XOR, copy, and S-box have been well modeled in the previous papers. However, the complex linear layer has not been modeled perfectly. But we notice that many important ciphers take a complex linear layer as their diffusion layer. For example, AES and CLEFIA take MDS matrices as their diffusion components. Meanwhile, the bit-based division property is currently the most effective method to find integral distinguishers. Unfortunately, there is no perfect method to evaluate the security of ciphers with complex linear layers against the bit-based division property. So we are interested in how to model the propagation of the division trails over the complex linear layer perfectly.

Before we introduce our new model, I want to recall briefly two previous works. The first one is called the S method in our paper, which was proposed by Sun et al. The basic idea of the S method is to represent the matrix multiplication by copy and XOR. Then if we want to model the propagation from x to y, firstly, we decompose x into a sequence of support variables by the copy propagation. And then we use these support variables to generate each yi. And finally, we will get the propagation from x to y. The advantage of the S method is that it is universal, because any complex linear layer can be modeled by XOR and copy. Then it can be applied to any linear layer. But it has a disadvantage: because it introduces many support variables, it may introduce some redundant vectors and trails. Then some balanced bits could be missed.

The second method is called the ZR method. It was proposed by Zhang and Rijmen. The basic idea of the ZR method is based on a very important observation that every trail over the complex linear layer is one-to-one mapped to a corresponding submatrix. If the trail is valid, then the submatrix is invertible. So it has an advantage that it can trace each valid trail precisely and it will not lose any information.
But it has a disadvantage because the model is more complex. So before our paper, it could be applied to all the binary matrices. The matrix is the binary matrix. For example, the matrix in the MixColumns operation in Stapher, such as this, and all the elements in F24 are all 1 or 0. These are called binary matrices.

Considering that the S method is universal but not precise and the ZR method is precise but not universal, our paper proposes a new model which is universal and precise. It can be precisely applied to non-binary matrices. So it can be used to model the MDS matrix. And we can prove that 5-round AES has no bit-based division property. And our new model can be precisely applied to non-invertible matrices. Then we can reproduce the key-dependent distinguisher of 5-round AES, which will be introduced later.

The second contribution is we get some new bit-based division properties. For example, we get a 7-round integral distinguisher for the LED cipher. It is also the longest one. We also get the 6-round bit-based division property for MISTY1. And before the paper, there was only the word-based division property for MISTY1. Since with the 6-round word-based division property, MISTY1 was broken by Todo et al. at CRYPTO 2016. So we prove that we cannot find a better bit-based division property, even if we can model the linear layer of MISTY1. For CLEFIA and Camellia, we also get the bit-based division property for the first time. They could not be handled before our paper.

Here is the overview of our new model. The readers should notice that by default, we always assume that the Hamming weights of u and v are equal. For primitive matrix M belonging to F_2^(n×n), M is the corresponding matrix of the complex linear layer, and we always denote it in the F_2 field. The division trail (u, v) is valid if and only if u and v meet the following constraints.
E is our identity matrix, and Eij is the element of E located in the i-th row and j-th column, and it is similar for Mik. And MVU-expand prime is a support matrix with n squared support variables. We can always describe these n squared matrix constraints in our automatic search model over the complex linear layers. For the remaining part of the automatic search model, it is the same as the model used in the previous papers. Then our model needs n squared constraints in total, but the constraints are four-degree constraints. As a result, our constraints are not suitable for the MILP model, because MILP is good at describing linear constraints, but sometimes it cannot be used to describe high-degree constraints. So in our paper, we use the SAT tools to describe these constraints.

Next, I will introduce how we get such constraints. The starting point of our new model is the theory that Zhang and Rijmen proposed in their method, and they find that if (u, v) is a valid division trail, then a submatrix of M called MVU is always invertible. Let's see the example. If we want to check whether (u, v) is a valid division trail over this matrix M, then we can put u here and put v here. According to the one elements of u and v, we can extract a submatrix, and this matrix is MVU. Remember that we have assumed that u and v have equal Hamming weights, so MVU is always a square matrix. Then we can check whether it is invertible, and if so, (u, v) is valid. To check whether MVU is invertible, common knowledge is that if MVU has an inverse matrix, then it is invertible, and it is equivalent to whether this equation has solutions. So if we can describe these relationships in the automatic search model, then we solve this problem.

However, there are many challenges in describing these constraints. Firstly, we do not know the exact u, v, and their Hamming weights. Second, as a result, the exact size of MVU is not known.
However, in the automatic search model, when we want to use a variable, we always need to declare it beforehand, and to declare it, we should know its exact size, but now we do not know it.

To solve this problem, we propose a new method. Our method is to define a support matrix MVU-expand, and MVU-expand is defined as this. According to the one elements of vi and uj, we assign MVU-expand ij with mij, and for other ij, it is always zero. Let's see the graph. This is the matrix M, and this is u, and this is v. The expanded matrix of this submatrix is this. You can see that the submatrix is located in its original places, but the other positions are always zero. It has an advantage that we can always know the size of this matrix beforehand, because it is the same as the original matrix M. Then we can use the automatic search tool, such as STP, to declare this matrix, using this statement. Then we can use the matrix MVU-expand to help us determine whether MVU is invertible.

Our theorem says that MVU is invertible if and only if MVU-expand times MVU-expand prime equals Ev has solutions. Please note that Ev is not an identity matrix. It is defined as this. I will briefly introduce the basic idea of the proof. Without loss of generality, we assume MVU is located in the top left corner of M. Then you can check that the left is totally equivalent to the right two equations. Firstly, we look at the second equation. Since x01 is a free variable, the second equation always has solutions. Then we look at the first equation. We can say that if this equation has a solution, then MVU is an invertible matrix. If it has no solution, then MVU is not an invertible matrix. Then we transform the problem of determining whether MVU is invertible into constraints like this. These constraints can be described easily in the automatic search model because the size of all the variables can be known in advance.
The last step is to put all the things together and make it a compact algorithm. This is based on several observations. For example, the MVU-expand matrix can be generated by the following formula. You can check it. Ev can be written as this. So we can put all the things together. Then we get the constraints we introduced earlier. Very interestingly, we find that we can remove the invertible condition of Zhang and Rijmen's theorem. So our method and their method are suitable for non-invertible matrices. And the concrete proof can be found in our paper.

The last part of my presentation is the applications. Firstly, I will introduce the key-dependent integral distinguisher. This distinguisher was proposed by Sun et al. at CRYPTO 2016. The key point of this distinguisher is here. The two bytes are always equal. To construct such a special input state, we prepare a Schreck matrix like this. If this matrix multiplies this vector, then we will get the special vector here. So we describe these constraints with our new model in the automatic search problem. And finally, we can solve this problem and find that after 4-1 AES inverse, all the plaintext bits are balanced.

The second application is the longest bit-based division property of the LED cipher. As you all know, the LED cipher takes an MDS matrix as its diffusion layer. And we can use our model to describe the propagation over this operation. And finally, we can get the 7-round distinguisher like this, with one bit of plaintext constant and the other plaintext bits active, and all the ciphertext bits are balanced.

The third application is the bit-based division property for MISTY1. It could not be handled before our paper. We handle the FL function and the inner structure of the FO function and FO function using our method. For example, for this part and this part we use our model to describe the propagation of division trails. And finally, we reproduce the integral distinguisher for 6-round MISTY1.
And it is the same as the word-based division property Todo proposed.

The fourth one is the bit-based division property of CLEFIA. CLEFIA also uses the MDS matrix as its diffusion layer. And we can also describe this MDS matrix using our model. And then we find the 10-round distinguisher like this.

The last application is the Camellia cipher. We can describe the linear layer using our new model, and it gets a higher efficiency. The FL and FL inverse functions are located after the first round. And finally we get the bit-based division property for 7-round Camellia for the first time.

At last, I want to give a summary of my presentation. Our main result is a new and effective SAT model to describe the division property propagation over a complex linear layer, which can be used for MDS or any other kind of matrix. We also remove the invertible condition from the ZR method, making it universal even for non-square matrices. We reproduce or find some new integral distinguishers for many important ciphers. With many experiments, we have several tips for choosing the models. For a binary matrix, ours and the ZR method are suitable. For a non-binary matrix with size n less than or equal to 64, ours is the best choice. And for a non-binary matrix with larger size, the S method will be the only choice. Thanks for your attention.
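
Added example (not part of the talk or the authors' code): a small Python check, over a constructed 4x4 binary matrix, that the direct invertibility test on the submatrix the talk calls MVU agrees with the fixed-size solvability test on MVU-expand. All function names are hypothetical, and E_v is assumed to be diag(v), reconstructed from the proof sketch in the talk, whose slides are not on this page.

```python
from itertools import product

# Constructed sample: a 4x4 binary matrix over F_2 (zero diagonal, ones elsewhere).
SAMPLE_M = [[0, 1, 1, 1], [1, 0, 1, 1], [1, 1, 0, 1], [1, 1, 1, 0]]

def reduce_gf2(rows, ncols):
    """Gauss-Jordan over F_2 on the first ncols columns; returns (rows, rank)."""
    rows, rank = [r[:] for r in rows], 0
    for c in range(ncols):
        p = next((i for i in range(rank, len(rows)) if rows[i][c]), None)
        if p is None:
            continue
        rows[rank], rows[p] = rows[p], rows[rank]
        for i in range(len(rows)):
            if i != rank and rows[i][c]:
                rows[i] = [a ^ b for a, b in zip(rows[i], rows[rank])]
        rank += 1
    return rows, rank

def submatrix_invertible(M, u, v):
    """Direct check (assumes wt(u) == wt(v)): rows picked by v, columns by u."""
    sub = [[M[i][j] for j in range(len(u)) if u[j]]
           for i in range(len(v)) if v[i]]
    if not sub:
        return True  # weight-0 trail: the empty submatrix counts as invertible
    return reduce_gf2(sub, len(sub[0]))[1] == len(sub)

def expanded_solvable(M, u, v):
    """Fixed-size check: does MVU-expand * X = E_v have a solution over F_2?"""
    n = len(M)
    expand = [[M[i][j] & v[i] & u[j] for j in range(n)] for i in range(n)]
    e_v = [[v[i] if i == k else 0 for k in range(n)] for i in range(n)]  # assumed diag(v)
    red, _ = reduce_gf2([a + e for a, e in zip(expand, e_v)], n)
    # Inconsistent iff a reduced row is zero on the left but non-zero on the right.
    return all(any(r[:n]) or not any(r[n:]) for r in red)

def valid_trails(M):
    """All (u, v) of equal Hamming weight that pass the direct check."""
    vecs = list(product((0, 1), repeat=len(M)))
    return [(u, v) for u in vecs for v in vecs
            if sum(u) == sum(v) and submatrix_invertible(M, u, v)]
```

The expanded matrix always has the size of M, which is why its entries can be declared as solver variables before u and v are known.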