[...] new member of the family, proposed in [...] 256-bit security level for the 5G system. In 2021, SNOW-Vi was proposed as an improved version [...] of SNOW-V. [...] SNOW-Vi is the same as SNOW-V except that the tap T2 is switched to the left half. The previous results are listed here. As we can see, there is no result faster than exhaustive key search on SNOW-V or SNOW-Vi.

Now we introduce our way to construct the correlation attack distinguisher. Our motivation is to find a biased binary approximation of this form. A distinguisher only relates to the output words and the LFSR states. The method is to convert the linear approximation equation into the approximation of a composite function. Besides, there is a linear relationship between the four taps, meaning we can use three of them to generate the remaining one. For the approximation of a composite function, we can compute the correlation by the widely used Walsh spectrum theory. It is worth noting that the input variables x in this formula must be mutually independent and uniformly distributed.

The core step is to compute the correlation of the distinguisher. We expand it and get the equivalent linear approximation equation, and observe that the black variables can be generated by the red ones, because there is a one-to-one mapping between the red variables and the memories R1, R2, R3 and the three LFSR taps. So it is easy to get the function that can generate the black variables using the red ones. And the correlation of the equation is exactly the Walsh spectrum of this function. Then we construct the six sub-functions and their composite function f. Thus we have Theorem 1: the correlation of this linear approximation of the function f is equal to that of the distinguisher.
In this way, we convert the problem of finding distinguishers into searching for linear approximations of function f equivalently. And we can evaluate the correlation of linear approximations by measuring the linear trails directly. If this equation holds, we will get a linear approximation equation containing only the output words, namely a distinguisher for a distinguishing attack. When the equation does not work, we shall get a distinguisher for a correlation attack.

The linear approximation process is shown here and we can search for linear trails on time limit. The correlation of a linear trail can be calculated by this formula, and we get the accurate correlation of an approximation by summing up all the correlations of the trails containing it. For SNOW-V, we can get the accurate correlation by exhausting the intermediate masks A, B, C, D and Q.

We model the SAT-based automatic search program and use the STP solver to search for linear trails with high correlations. There are two nonlinear transformations in the approximation process, the modular addition and the S-boxes. For modular addition, characterizations based on both SAT and MILP have been given. We can characterize it in this way. Z is the dummy variable. T is the parameter used to keep the modular addition at the same precision as the S-boxes.

Here is the characterization of the S-box of AES. We first adopt the idea of a dual-colour to split the linear correlation table into eight Boolean functions. Then we need to get the product of sum representation of each Boolean function and convert it into a series of shorter constraints that are fully satisfied where the software is much conflating. Finally, we add the bijective constraint. We can see that fk equals 1 if and only if the corresponding absolute correlation equals 4 times k divided by 256. As the STP solver does not support the floating-point data type, we also use parameter t to adjust its accuracy.
The absolute correlation of a trail can be evaluated by summing up degrees of the modular additions and S-boxes. After the STP solver returns a linear trail, we verify it, compute its correlation and get its sign. We can keep searching for other solutions by adding these constraints to avoid the same solution. And we can approximate the accurate correlation step by step in this way. The best trail we've found is this one, where we also focus on another trail with a smaller absolute correlation.

In fact, the trails we've searched out have part of their masks in common, and we can get the accurate correlation of this type of approximation by exhausting the intermediate masks. By the property of the modular addition, we can reduce the traversal of C to 255, and likewise for A, B and Q. For D, we proved 0 is a unique solution. Thus, we only need to traverse the 4 bytes to get all the trails with nonzero correlations and reach the accurate correlation for fixed alpha, beta, gamma, L, M, N and H. We can also traverse 2 bytes of alpha and beta to find absolute correlations as large as possible. Based on the two trails we have searched out, we calculated their correlations. The second one is the best result we got.

The last part is to launch a correlation attack on SNOW-V using the distinguisher. Assume U and U hat are the initial state and the guessed initial state, respectively. The distinguisher will show the correlation if U hat equals U. Otherwise, the distinguisher FITI shall be uniformly distributed. We cannot guess all the initial state's bits at once, so we will find some effective collisions such that part of the masks of the initial state are 0 in the pre-processing stage. By collision, we can get parity check equations of this form, which only contain part of the initial state bits. The number of check equations can be calculated from the collision probability. In the processing stage, we set up the statistic T.
Evaluate each parity check equation by plugging in output words and the guessed initial states, and predict the U hat that maximizes T as the correct one. For the remaining bits, we can recover them by repeating the same process. Thus, we launch a correlation attack on SNOW-V. To the best of our knowledge, this is the first attack on SNOW-V with time complexity less than exhaustive key search.

For SNOW-Vi, we can construct sub-functions and composite functions in the same way. The four LFSR taps are mutually independent. In SNOW-Vi, we shall take all of them as the input variables, which differs from the composite function of SNOW-V. Using the same method, we can get the linear approximation process of it and the correlations of linear trails. Compared with the trails on SNOW-V, we have the observation that the linear approximation trails of SNOW-Vi correspond one-to-one to the trails with D equal to 0 of SNOW-V. And this observation indicates the set consisting of all linear trails on SNOW-Vi is a subset of that of SNOW-V. So the results of SNOW-V are also appropriate for SNOW-Vi, and the correlation attack on SNOW-V is effective for SNOW-Vi as well. This is also the first attack better than exhaustive key search on full SNOW-Vi.

To summarize, we propose a carefully designed method to convert the linear approximation of the LFSR and part of SNOW-V into that of our composite function equivalently. Based on this method, we present a full coverage automatic search of SNOW-V and find a valid binary approximation. Using this approximation, we mount the first correlation attack on SNOW-V with time complexity less than exhaustive key search. Then we prove that the correlation attack is effective for SNOW-Vi as well. That's all. Thanks for your attention.

Now, questions? Any questions or comments? Okay, then let us thank the speaker again.
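
An added example, not part of the talk: the statement that the accurate correlation of an approximation is the sum of the correlations of all trails containing it, checked by exhaustive counting on a toy composite of one modular addition followed by one S-box. The 4-bit word size, the PRESENT S-box used as a stand-in, and all function names are assumptions of this example.

```python
from fractions import Fraction
from functools import lru_cache

N = 4                # toy word size (assumption; small enough for exhaustive counting)
SIZE = 1 << N
# PRESENT's 4-bit S-box, a stand-in for the AES S-box named in the talk (assumption)
SBOX = (0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2)

def dot(mask, value):
    """Inner product over GF(2): parity of the bits of value selected by mask."""
    return bin(mask & value).count("1") & 1

@lru_cache(maxsize=None)
def cor_add(a1, a2, b):
    """Correlation of a1.x ^ a2.y ^ b.((x + y) mod 2^N), x and y uniform and independent."""
    total = sum(1 - 2 * (dot(a1, x) ^ dot(a2, y) ^ dot(b, (x + y) % SIZE))
                for x in range(SIZE) for y in range(SIZE))
    return Fraction(total, SIZE * SIZE)

@lru_cache(maxsize=None)
def cor_sbox(b, c):
    """Correlation of b.z ^ c.SBOX[z] for uniform z (one Walsh coefficient)."""
    total = sum(1 - 2 * (dot(b, z) ^ dot(c, SBOX[z])) for z in range(SIZE))
    return Fraction(total, SIZE)

def cor_composite(a1, a2, c):
    """Accurate correlation of a1.x ^ a2.y ^ c.f(x, y), f(x, y) = SBOX[(x + y) mod 2^N]."""
    total = sum(1 - 2 * (dot(a1, x) ^ dot(a2, y) ^ dot(c, SBOX[(x + y) % SIZE]))
                for x in range(SIZE) for y in range(SIZE))
    return Fraction(total, SIZE * SIZE)

def trails(a1, a2, c):
    """Signed correlation of every trail, keyed by the intermediate mask b."""
    return {b: cor_add(a1, a2, b) * cor_sbox(b, c) for b in range(SIZE)}

def summarize(a1, a2, c):
    """Return (strongest single trail, sum over all trails, direct exhaustive count)."""
    t = trails(a1, a2, c)
    best = max(t.values(), key=abs)
    return best, sum(t.values()), cor_composite(a1, a2, c)

if __name__ == "__main__":
    for masks in [(0x1, 0x1, 0x1), (0x3, 0x3, 0x5), (0x7, 0x5, 0xB)]:
        best, total, direct = summarize(*masks)
        print(masks, "best trail", best, "sum of trails", total, "direct", direct)
```

The sum over intermediate masks always matches the direct count, while a single trail generally does not, which is why the search result has to be followed by the exhaustion step.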