 So at 1, I'm 2e, a team member of Crypto and Lacy's taskforce, and I'm from Lyon Technological University. It is my pleasure to present our paper, New Techniques for Searching Differential Chairs in K-Chuck. Firstly, I will give a brief description of K-Chuck and introduce previous works on differential chair search. After that, I will cover our new 3-round chair call search strategy. K-Chuck's permutation uses XOR and not a machine in its round function. The state size is 1,600 bits. It can be organized as a 5x5 array of 64-bit lengths, with XYZ coordinates. Each round consists of 5 steps, including 4 linear operations, low pi, iota, and nonlinear chi operation. It consists of 24 rounds. If you fix Z, you will get a slice. If you fix Y and Z, you will get a row. If you fix X and Y, you will get a length. If you fix X and Z, you will get a column. Sixth step adds two columns to the current bit position. Low step is length-level rotation. It rotates the 64 bits of each length by a specific offset, which is determined by the coordinates XY of the length. The pi step is the permutation on length. It rearranges the 25 bits of each slice. Chi, which is the only one nonlinear component, can be treated as a row-wise 5-bit S-box. I also step at the round constant to the state. It adds a round-dependent constant to the first length to destroy the symmetry. Since it has no effect on this kind of differential chair search, we just ignore it. As for the previous result on exhaustive chair search for K-Chuck, in the paper Differential Propagation Analysis from the designers in 2012, they claim that three-round chairs with propagation weight below 36 are searched completely, and the low bound of six-round chairs is 74. In other paper New Techniques for Chair Search from the designers in 2017, they claim that three-round chairs with stretch-hold propagation weight 45 are searched exhaustively, and the low bound on propagation weight of four, five, six-round chairs are improved accordingly. As for our result, we set the stretch-hold to be 53 for our search strategy. There is no theoretical proof for a satisfactory low bound, but we indeed found many new chair calls. Before I introduce our search strategy, I want to show you some definitions first. Current parity P of state of is the parity of all the currents. If P equals to 0, there has no effect on state of, and of is called in cipicono denoted as k, otherwise is cipicono denoted as n, with parity and kernel to represent current parity and current parity kernel. A three-round chair call is denoted by palef1 and f2, or palef1 and beta2. The target three-round chair calls means a three-round chair call beta1, beta2 with propagation weight, the reverse weight of f1 plus the weight of beta1 plus the weight of beta2 below a stretch-hold. And here, the reverse weight of f1 refers to the optimal weight of beta0 which can propagate to f1. As for the classification of three-round chair call, according to whether f1 and f2 are in kernel or not, three-round chair calls can be classified into four categories. KK chair calls with both f1 and f2 in kernel, NK and N-chair calls with always f1 out kernel, KN chair calls with only f2 in kernel. For the last two cases, the search strategies are quite similar, but for NK and N-chair a chair call search starts from out kernel state f1, but for KN chairs it starts from out kernel state f2. Now, I will explain in details how the search strategies for KK chair calls works. Firstly, we need to prepare all the theoretical candidates with one structure for in kernel f1 with m orbitals. And then, sort them in a lookup table. According to the factor, beta1 can propagate to f1, which is in kernel through the inverse of linear operation, we construct all the possible state f1. Based on the relationship between f1 and beta1, we filter all the state's f1. And then we extend forward by one round to obtain the target three-round chair. Please be noted here. Obitoes refers to a group of two active bits in the same column, with a concrete example to illustrate how KK chair search operation works. Assume four orbitals at state f1 propagate to three slices at state beta1 with 332 pattern. The 332 pattern here indicates the number of active bits in each slice. On lookup table, we enumerate all possible valid slices for z1 prime to obtain p1 double prime, p2 double prime, and p3 double prime. Through the inverse of linear operation, p1, p2, p3 are determined. And then, according to the orbital relation, we can get q1, q2, q3. Through the linear operation, q3 double prime is determined. According to the valid 2-bit slices stored in lookup table, p4 double prime can also be obtained. So p4 is also fixed. After that, q4 can be enumerated according to the orbital relation. So until now, all the four orbitals with 8 bits are determined. Then we filter all the state f1 by checking q1 double prime, q2 double prime, and q4 double prime are all at slice z2 prime or not. And check their result in incano slices at state f2 or not. After that, we extend one more round to get to the target's three round check cause. Before we go through the search operation for cases with at least one outcome of states, we need to know some definitions first. A group of outcome states, f, share the same parity p, so each parity stands for a subspace of f denoted by vp. On each parity p, there are a group of states called parity-bare states that can represent all other states in vp. Other states can be generated by just adding orbitals to the parity-bare states. So outcome states in vp can be covered by enumerating all the parity-bare states. Any outcome states f can represent a set of states simply through adding orbitals to it. The subspace represented by f is denoted as vf. The space of outcome states can be divided into subspaces represented by outcome state f. So the parity space can be divided into subspace represented by each parity-bare states. The search space is all the outcome state f. In order to cover the whole search space, we propose the ideal representative of subspace vf. For each subspace vf of vp, an ideal representative state f prime is generated based on f. Generally, the ideal representative state doesn't exist in reality, it just represents the optimal number of active rows of 3-round checkpoints of all states in vp. It indicates the low bound of the whole subspace, so if the ideal representative of a subspace cannot meet the rate requirement t3, the whole subspace can be safely discarded. The ideal improvement assumption on outcome state f assumes that f can be optimally improved at b2 in terms of the number of active rows with least number of orbitals added to f1. For k-n-chairs, the ideal improvement assumption on outcome state f assumes that f2 can be optimally compensated within outcome state f1 with least number of orbitals added to f2. So basically, the ideal representative of subspace vf is obtained when f is ideally improved. The process of generating the ideal representative state of a subspace under the ideal improvement assumption and deciding whether to delete it or not is called viability check. The outcome state of that path is a viability check is called viable. So searching 3-round checkpoints equals to generating all viable outcome states. Here is a complete process of 3-round checkpoints search. Firstly, we need to prepare all candidate parities. For each candidate parity, the corresponding parity bail states are enumerated. For each parity bail state, we conduct viability check on it and generate a viable state. For all viable state up, we add one more abit to it and conduct a viable check on the newly generated up prime. We repeat the whole process until there is no viable state anymore. For all the viable state up, we extend them forward or backward for one more round and crack the target 3-round checkpoints. Let's look at the concrete example to see how KNCHEL search algorithm works. This algorithm starts from outcome state f2. The idea improvement assumption states that for each active rule as state f2 rather than considering only the comfortable bit 1, we take all the 31 patterns into consideration. It assumes all the 31 patterns are legal. For any f2 with a subset of bit 1, it assumes that f2 always have incarnals state f1. If its original active rules cannot make f1 incarnal, it can be improved to be incarnal by just adding a bit 2 state f2. When adding a bit 2 f2, it assumes the lesser number of row increase on state f2 and bit 2. After that, we conduct the viability check and add one more abit to all the viable f2. We repeat the whole process on all the viable f2. After that, we extend all the corrected viable f2 backward to incarnal f1 by one round. Here is a brief summary of results. As can be seen in the table, the t3 in previous works is said to be 36 and 45 respectively, and in our work, the t3 is said to be 53. For the KK cheats, we only covered abitos up to 6. Since cases of 7 abitos have too many candidate structures and the time complexity increases vigorously, that's all. Thanks for your attention.