 Bonjour à tous, dans cette vidéo, je vais présenter un travail joint avec Stéphanie Delon et Mathieu Vavry sur les distinguations de Boomerang. Les distinguations de Boomerang ont été introduites par Wagner en 1999 et l'idée principale est de combiner deux différences courtes comme cela peut lead à une meilleure probabilité d'utiliser seulement une longue différence. Pour conclure la probabilité de l'objet de Boomerang, nous avons besoin d'une certaine assumption indépendante. Sinon, cette assumption n'est pas en pratique. On a trouvé plusieurs exemples de non-retour de Boomerang et les problèmes s'occupe à la junction de l'arrière et les choses différentes. Certaines attentes ont été faibles pour refaire la probabilité de Boomerang, mais en 2018, Sidette Hall a introduit le table de connectivité de Boomerang, BCT, comme une vue unifiée de tous les works prévus dans le domaine. C'est-à-dire que la BCT est seulement une précomputation de tous les possibles Boomerangs à une seule S-box. Et la définition de la BCT est ici sur le slide. Pour rechercher les caractéristiques de Boomerang, le procès original a été le premier à rechercher les caractéristiques de la meilleure différence sur le R1. Puis, on cherche les caractéristiques de la meilleure différence sur le R2, et on combine-les pour obtenir une caractéristique optimale de Boomerang sur le R1 et le R2. Depuis que l'on sait qu'on doit refaire la probabilité de la caractéristique de Boomerang, le procès n'a pas changé beaucoup. On cherche encore pour les caractéristiques de la meilleure différence sur le R1 et le R2, et on combine-les pour obtenir une caractéristique optimale de Boomerang. Le problème est que cette approche n'est pas optimale anymore, parce qu'il n'est pas clair que les caractéristiques optimales de Boomerang vont être les caractéristiques optimales de Boomerang. C'est pourquoi on a commencé ce travail. Et en fait, notre main idée était de chercher les caractéristiques de Boomerang directement, sans chercher les caractéristiques différentes. Nous proposons une nouvelle approche de 3-step pour chercher les meilleures caractéristiques de Boomerang. Le premier, nous proposons un modèle MILP pour chercher les caractéristiques de Boomerang. Ensuite, nous utilisons un modèle CP, un modèle de programmation contrainte pour chercher les meilleures caractéristiques de Boomerang. Donc, si nous combinons le premier et le second step, nous obtenons un processus pour chercher les meilleures caractéristiques de Boomerang. Et ensuite, nous avons un troisième step, dans lequel nous allons préciser les probabilités de la caractéristique de Boomerang et de la compétition de la caractéristique de Boomerang. Ce travail est dédié à Skinny, mais il est très adaptable à plusieurs autres caractéristiques. Pourquoi Skinny ? Skinny est un block cipher très facile. Le métier de la caractéristique de Boomerang est une caractéristique de Boomerang, qui simplifie beaucoup le constrain de correspondance pour des transitions valides dans le métier de la caractéristique de Boomerang. La caractéristique de Twiki est linéaire, qui aussi simplifie beaucoup tous les modèles. Et tous les modèles de la caractéristique de Boomerang et de la caractéristique de Boomerang, contiennent beaucoup de valeurs différentes, qui sont très intéressantes pour les techniques de la caractéristique de Boomerang. Donc, ce sont les résultats que nous avons obtenus contre les valeurs de Skinny. Comme vous pouvez le voir, nous avons obtenu beaucoup de nouveaux résultats, beaucoup de nouvelles caractéristiques de Boomerang. Et en particulier, nous avons approuvé tous les prévus works. Et par exemple, si vous regardez cette ligne particulière de cette table, pour 18 rounds de Skinny 128 dans le TK2, la probabilité de la meilleure caractéristique de Boomerang, c'est le 47, le minus 47, ce qui est le 30x mieux que la probabilité de la meilleure caractéristique de Boomerang. Donc, comment avons-nous obtenu tous ces résultats ? First, to search for the best Boomerangs, we need to be able to precisely compute the probability of a Boomerang characteristic. And to do that, the BCT is not enough. We need much more differential tables. In particular, we need three extra tables, the UBCT for upper BCT, the LBCT for lower BCT, and the EBCT for extended BCT. All those tables correspond to one particular case and depends on which differences are set to specific values and which differences are free. So both the UBCT and LBCT were already introduced in previous works. Sometimes they had different names. For instance, they are also called BDT and BDT prime. Regarding the EBCT, it is mostly new and it was only proposed as a future work by Mini et Al. So once we have all those differential tables, it is actually quite easy to compute the probability of a particular Boomerang characteristic. All we need to do that is to look at whether at which differences are set to specific values and which differences are free and which differences are set to zero. That's all. So for instance, for this particular S-Box, regarding the upper trail, both the differences at the input and the output of the S-Box are set to specific values. And for the lower trail, both differences are zero. So in that case, it corresponds to a DDT and the probability of this transition is only the probability of the transition D to 2 through the S-Box. But if we look for instance at this particular S-Box, now as before, so both differences at the input and the output of the S-Box in the upper trail are set to specific values. But this time in the lower trail, the difference at the input of the S-Box is also set to a specific value et the difference at the output of the S-Box is free. In that case, it corresponds to a UBCT and so we look at the corresponding probability in the UBCT table. So what is very important here is that knowing which table will be used for the probability computation only depends on few parameters. First, we need to know whether differences are set to specific values or not, or if they are free. And if they are set to specific value, then we need to know whether this value is zero or if it's a non-zero value. And that's all what we need to know which table will be used in the computation of the probability. So this help us to derive a new model to search for tranchated boomerang characteristics where basically we just use classical MILP model to search for tranchated differential characteristics. We copy it twice, one for the upper trail and one for the lower trail. And we add extra variables. So for each S-Box, we will add extra variables to know whether the difference is controlled or if it is free. And that's all. And then it's quite similar to a search of tranchated differential characteristics. So obviously we added some specific constraints for those new variables, for those controlled variables. And we added also specific constraints to know in which table will be used in the computation of the probability. And while for the search of tranchated characteristics we count the number of active S-Boxes, here it's quite the same, but instead of counting the number of active S-Boxes we will count how many DDT are involved, how many BCT are involved, how many EBCT are involved and so on. And so we have something very similar. So the objective is just this number of different tables weighted by the maximum probability exponent of each of those tables. An important property of this MILP model is that we did not define any middle round and actually both the lower and the upper trails are on the wall cipher. So there is no middle rounds, they are spread over all the ciphers in theory. And to show that this model is very generic we found that in some cases it automatically switches to the search of differential characteristics by setting for instance the lower trail to zero. So all difference are null in the lower trail. And in that case it automatically switches to differential characteristics, to tranchated differential characteristics. So that's our MILP model to search for tranchated boomerang characteristics. We can apply it to skinny so we didn't apply it directly to skinny before we made some simplifications. So in particular we found that for the DDT, the UBCT, the LBCT and the EBCT they all have the same probability of optimal transition. And so basically we just group them, all of them into one table to simplify the corresponding constraints. We also used the Queen-McCuskey algorithm to reduce the number of inequalities and it help us a bit. So as a result we obtain this table. So how to read that? Actually it's quite similar to the case of tranchated differential characteristics. So basically here it's the number of tables involved in boomerangs. And for instance this 40 here means that in the TK3 model the best boomerang characteristic on 24 rounds has a probability at most equals to the minus 80. So it's very similar to the search of tranchated differential characteristics. So now that we were able to compute tranchated boomerang characteristics we used a constraint programming model to find the best instantiation of them. So basically this model is highly inspired by the works we made with Minier and Charles Prudhomme and Victor Molimard which was published at ACNS 21 and actually in this work we found that a CP model was much faster than a MILP model to instantiate differential characteristics. This is because the DDT is highly non linear so using linear constraint to describe it is very complicated to lead to inefficient model. While in constraint programming model we can directly use what is called a constraint table in which we can directly set all the possible tuples for any operations. And so we used this model to instantiate many of the tranchated boomerang characteristics we found in the first step during the first step. Since this model was very fast was very efficient what we did was to start clustering with this model. So first we searched for all optimal instantiation of tranchated boomerangs and then for each of them we kept the input, the output and the difference on the key and we searched for extra instantiation with the same input, output and difference on the key. Of course we added some time limit and we also added some extra constraint on the probability of those new instantiation so they should not be too far away from the optimal probabilities but we start clustering using this CP model and this allowed us to identify interesting boomerang distinguishers and now for each of them we performed a very precise probability computation so a very precise cluster analysis so given a boomerang characteristic as in this example we can erase all intermediate differences and just replace them with variables and compute the probability of the distinguisher as a sum of the probability of all the possible boomerang characteristics Unfortunately this sum is quite big and we cannot compute it directly so what we first did was to propose a new algorithm based on dynamic programming to reorder the formula in such a way so the depth of the formula is the lowest possible so here you can see that to compute the formula I will have to guess at most 5 variables each time Unfortunately this was not always enough to precisely compute the formula and we had to perform some manual steps to approximate the formula so for instance when we have some like here maybe we can replace it by a BCT like say this is free or sometime we will just force some value for intermediate differences so we had to to make approximations on the formula because it was not always possible to compute them exactly but still we obtained very good results as already mentioned so some of of those boomerangs distinguishers have a high enough probability so we can try it in practice and we did that so we ran experiments to compare the actual probability of those boomerangs compared to what we predicted et as you can see for some of the boomerangs it's quite close but for some of them it's a bit it's not that close here there is a difference of 2 to the 8 2 to the 3 so 8 and we believe this is because in all our computations we assume that both sides of the boomerangs follow the same differential characteristics while in practice they only have to follow the same differential so this may explain the difference between the observed probability and the expected probability so to conclude in this work we propose a new combined pccp ad hoc approach to search for boomerangs distinguishers and we obtain many new results on the block cipher scheme there are still open problems regarding this work so first our MILP model generates a lot of redundant solutions meaning solutions that will lead to the exact same boomerangs distinguishers so the MILP model could be improved I also told you that we only considered the case where the same differential characteristics is used on both sides of the boomerangs and we add to use some approximations to evaluate the probabilities so all the source codes of all our different algorithms and models are available at this URL and we also have all the experiments we made there are also pdf with all the figures of all the boomerang distinguishers and if you have any question you can send me an email if you have some trouble to make it work ok, thank you for your attention