Hello everyone. The title of this talk is "Improved Attacks on sLiSCP Permutation and Tight Bound of Limited Birthday Distinguishers". The authors are Akinori Hosoyamada, María Naya-Plasencia, and myself, Yu Sasaki.

Our analysis target is sLiSCP, which is a cryptographic permutation for lightweight AEADs designed by AlTawy et al. The original version was presented at SAC 2017, and later the improved version called sLiSCP-light was presented. sLiSCP-light is the underlying primitive of Spix and SpoC, AEADs submitted to the NIST lightweight cryptography competition.

This slide shows an overview of our contributions. For the first part, we present improved cryptanalyses of sLiSCP and sLiSCP-light. The previous best attacks on sLiSCP were limited birthday distinguishers by rebound attacks. Here, we introduce a more sophisticated procedure for the inbound phase and more optimized differential trails for the outbound phase. Then we achieve a reduced complexity or more attacked rounds. This is the first third-party analysis reaching more rounds than the designers'.

For the second part, we give a proof of the lower bound of limited birthday distinguishers for permutations. Previously, the lower bound was known only for functions. In this research, we first define the game and identify the best strategy to win the game, and then simply but precisely evaluate the number of queries needed to win the game with a sufficiently large probability. As a result, the lower bound matches the conjecture for the best generic attack in many existing works.

Our attacks only work for the underlying permutations of Spix and SpoC. They do not threaten the security of the AEADs. At the time of the publication, the NIST LWC was in the middle of its second round, and Spix and SpoC were valid candidates. Spix and SpoC unfortunately didn't make it to the final round, while NIST correctly understood the impact of our attacks.
NIST's statements can be found in their status report on the second round.

From now on, I will explain the first part of the paper, which is improved attacks on the two permutations.

This slide shows limited birthday distinguishers. Limited birthday distinguishers are used to measure the security of a function or a permutation. The goal is to find a pair of texts such that the input difference is Δin and the output difference is Δout. The known best generic attack was presented by Gilbert and Peyrin at FSE 2010, and its complexity is shown here. This was proven to be tight for functions. However, the tightness is unknown for permutations.

Rebound attacks are a popular approach to mount limited birthday distinguishers. Rebound attacks are inside-out approaches to satisfy differential trails for keyless primitives. The permutation is divided into three parts, and the attack consists of an inbound phase and an outbound phase. In the inbound phase, the attacker generates many paired values satisfying the differential transitions for the middle part. In the outbound phase, the paired values are propagated to the input and output to satisfy the target differences. The keyless nature allows attackers to start from the middle.

This page shows the structure of sLiSCP and sLiSCP-light. For sLiSCP, the permutation size can be chosen from two options. The 192-bit version is called sLiSCP-192, and the 256-bit version is called sLiSCP-256. Both adopt the four-branch type-2 generalized Feistel structure, and the permutation consists of 18 steps. The step function of sLiSCP is shown on the left-hand side of the middle. The F-functions of the step function are reduced-round Simeck, specifically 6-round Simeck-48 for sLiSCP-192 and 8-round Simeck-64 for the 256-bit version. The round function of Simeck is shown on the right-hand side of the middle. The design of sLiSCP-light is similar to that of sLiSCP.
It uses the four-branch Misty structure to introduce parallel computations. The step function of sLiSCP-light is shown at the bottom.

The previous analysis of sLiSCP focused on 6-step iterative differential trails. So suppose that the F-function, I mean the reduced-round Simeck, satisfies the following differential propagation. First, α is propagated to β with probability P1, and β to α with probability P2. Then the 6-step iterative trail is satisfied with probability P1^4 · P2^2. We found a similar 6-step iterative differential trail for sLiSCP-light. This trail has the same probability, P1^4 · P2^2, but the difference at the iterating point is switched from α to β. In this research, we did a detailed analysis of both sLiSCP and sLiSCP-light. However, the results are often very similar for both. So, in this talk, we focus on sLiSCP.

This page shows the idea of how we obtain the improvement. First, a 15-step differential trail was built by simply iterating the 6-step iterative trail. In the previous work, the inbound phase is located in the middle three steps, which are filled with yellow in this figure. This means that the other 12 steps are covered by the outbound phase, and the differential transitions are satisfied probabilistically. In this work, we found that the inbound phase can cover one more step without increasing the complexity, which is filled with blue in this figure. So the number of steps in the outbound phase is reduced, and the complexity is also reduced. Or, this gives us an opportunity to extend the number of steps.

This slide shows the previous 3-step inbound phase. There are 4 active Simecks in the inbound phase. For each active Simeck, the attacker should test all input values and store all the paired values satisfying the differential transition.
Note that the cost of this part is to test all inputs to the Simeck, which is at most 2^48 or 2^64, depending on the parameter size. As an output of the inbound phase, any paired values for each Simeck can be chosen independently, and this fixes the internal state. So the remaining work is just to test whether the outbound phase can be satisfied or not.

This page shows our new inbound phase that can cover 4 steps. The first part of the attack procedure is exactly the same. For each active Simeck, the attacker should test all inputs and store all the paired values satisfying the differential transition. Then we carefully choose paired values in an appropriate order. First, we choose paired values for 3 particular active Simecks, which are colored blue in this figure. The choice for those 3 active Simecks can be completely independent, but after fixing those 3, the paired values for another Simeck, filled with green in this figure, are fixed. So we can test the validity of step 1 here. Finally, after satisfying steps 1 and 2, we still have degrees of freedom in another active Simeck, which is filled with yellow in this figure. The choice of paired values of this yellow Simeck is completely independent from the other part. So we can start the outbound phase by using the degrees of freedom of this yellow Simeck.

This slide shows the idea to extend the number of attacked steps. The techniques in the previous slides are for reducing the complexity by exploiting the remaining degrees of freedom. However, to extend the number of steps, the bottleneck is the total amount of degrees of freedom. Unfortunately, the degrees of freedom fall short of satisfying one more step. So extending the number of steps is non-trivial. In the previous 15-step attack, in the last step, the differential propagation is uncontrolled. So the attacker doesn't spend any cost to control the propagation. As a result, with probability 1, the attacker doesn't know the output difference of the Simeck function.
So, in this research, we tried to control the 15th step only partially. So we specify that α is propagated to γ, where only a part of the bits of γ is specified as active or inactive. We have to be careful that with more unknown bits in the output, the generic attack cost is also reduced. So we need to find a good trade-off between the amount of consumed degrees of freedom and the number of bits of γ that are specified as active or inactive. And we found a configuration that gives a valid 16-step attack.

From here, I'm going to explain the lower bound of limited birthday distinguishers for permutations. Recall that in limited birthday distinguishers, the attacker tries to find a pair of texts whose input difference is Δin and whose output difference is Δout. The previous best attack complexity is as shown in the middle. And we prove the lower bound, which is tight up to a constant factor.

The game of the limited birthday problem can be formalized as shown here. The top one is the definition of the game, which is quite natural. The middle defines the procedure for the forward query. So when x is queried, the oracle checks if a pair (x, y) has already been queried before, for some y. If it has, then the oracle returns y. That means that for a query which has already been asked, it returns the same result as before. If x is new, then it chooses y randomly from the n-bit space, except for the values which were already queried as well. Then x, y, and the pair (x, y) are added to the lists. The behavior for the inverse query can be defined in a similar manner.

This page shows the proof approach. At each query, the adversary tries its best to obtain a new pair such that the input difference and the output difference satisfy the goal of the limited birthday distinguisher for some existing x' and y'. So, namely, the adversary performs the following in every query.
First, the adversary chooses the largest subset S such that for all (x', y') and (x'', y'') in S, the input difference satisfies Δin. Then the adversary chooses a fresh x such that the input difference satisfies Δin for all (x', y') in the subset. Then x is queried to P, expecting that its output y satisfies the target difference.

Let p_i be the probability of winning at the i-th query, and we first bound the probability p_i. Then the probability that the adversary wins is bounded by the sum of p_i, where i runs from 1 to q. Here p_q is the largest among all p_i, so it's bounded by q times p_q. And finally, we evaluate the probability that the adversary wins to show that it is less than 1/2 if the number of queries q is smaller than the bound.

So, let me give concluding remarks. In the first part of this talk, I explained improved cryptanalysis of sLiSCP and sLiSCP-light. The number of attacked steps reached 16 steps out of 18 steps. In the second part, we proved a new lower bound of limited birthday distinguishers for permutations. The lower bound matches the known best generic attack up to a constant factor. That's all for the talk. Thank you for your attention.
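To make the game from the second half of the talk concrete, here is an added Python model (written for this transcript; it is not the authors' code and reproduces nothing from the paper) of the lazily sampled permutation oracle with forward and inverse queries, together with the adversary strategy described above: at every query, pick a fresh x that is in Δin-relation with as many already-queried points as possible, then compare the new output against every stored y' of that subset. It assumes Δin is a linear space of differences, so the "largest subset S" is simply the coset of Δin currently being queried; the 8-bit permutation size, the difference bases and the seeds are constructed toy values, and the simulation makes no claim about the exact constant in the bound.

```python
import random


class LazyPermutationOracle:
    """Random n-bit permutation sampled lazily, as in the game definition:
    a repeated query gets the same answer, and a fresh query gets a value
    drawn uniformly from the n-bit space minus the values already assigned."""

    def __init__(self, n, seed=0):
        self.n = n
        self.size = 1 << n
        self.fwd = {}            # x -> y, the list of queried pairs indexed by input
        self.inv = {}            # y -> x, the same list indexed by output
        self.rng = random.Random(seed)   # seed is a constructed value for reproducibility
        self.queries = 0         # forward + inverse queries asked so far

    def _fresh(self, assigned):
        # uniform over the n-bit space except the values already in the list
        if len(assigned) >= self.size:
            raise RuntimeError("permutation fully defined; no fresh value left")
        while True:
            v = self.rng.getrandbits(self.n)
            if v not in assigned:
                return v

    def forward(self, x):
        self.queries += 1
        if x in self.fwd:                 # already asked: return the same y as before
            return self.fwd[x]
        y = self._fresh(self.inv)
        self.fwd[x], self.inv[y] = y, x   # add (x, y) to the list
        return y

    def inverse(self, y):
        self.queries += 1
        if y in self.inv:
            return self.inv[y]
        x = self._fresh(self.fwd)
        self.fwd[x], self.inv[y] = y, x
        return x


def span(basis):
    """All XOR combinations of the basis: a linear space of differences (contains 0)."""
    vals = {0}
    for b in basis:
        vals |= {v ^ b for v in vals}
    return vals


def is_winning_pair(pair1, pair2, delta_in, delta_out):
    """Goal of the limited birthday problem: input and output differences both allowed."""
    (x, y), (xp, yp) = pair1, pair2
    return x != xp and (x ^ xp) in delta_in and (y ^ yp) in delta_out


def limited_birthday_adversary(oracle, delta_in, delta_out):
    """Forward-query strategy from the talk, assuming delta_in is a linear space:
    the largest subset S in Δin-relation is the coset of delta_in being queried,
    so the adversary finishes one coset before opening the next. Returns
    ((x, y), (x', y'), queries) on a win, or (None, None, queries) after every
    input has been asked without a winning pair."""
    for base in range(oracle.size):
        coset = sorted(base ^ d for d in delta_in)
        if coset[0] != base:
            continue                      # this coset was handled from its smallest element
        structure = {}                    # S: queried points, pairwise differing by Δin
        for x in coset:
            y = oracle.forward(x)
            for xp, yp in structure.items():
                if (y ^ yp) in delta_out:
                    return (x, y), (xp, yp), oracle.queries
            structure[x] = y
    return None, None, oracle.queries


if __name__ == "__main__":
    # Toy run: 10-bit permutation, Δin and Δout each a 4-dimensional space (constructed values).
    oracle = LazyPermutationOracle(10, seed=7)
    d_in, d_out = span([1, 2, 4, 8]), span([16, 32, 64, 128])
    p1, p2, q = limited_birthday_adversary(oracle, d_in, d_out)
    print("win" if p1 else "no pair", "after", q, "queries:", p1, p2)
```

Running the toy over several seeds and sizes shows the behaviour the proof relies on: the per-query win probability grows with the size of the structure the fresh x joins, so the bound on p_q is what controls q, and a permutation (unlike a function) can never return an output difference of 0 for distinct inputs, which is exactly the case the permutation-specific analysis has to handle.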