 Hello, I am Daniel Coggia from Inria France, and I am going to present a joint work with Christina Boura entitled Efficient MILP Modelings for S-Boxes and Linear Layers of SPN Ciphers. In symmetric cryptography, to ensure that cryptographic schemes resist state-of-the-art attacks, cryptographers need tools for computing many properties of cryptographic schemes. They will probably want to compute lower bounds on the number of active S-boxes, search for good characteristics, or solve Boolean equations in the middle of a cryptanalysis, and so on. However, such computations can be hard problems and cryptographers do not want to spend time reinventing the wheel. A common trend in symmetric cryptography for solving such problems is to benefit from the high performance of SAT, constraint programming or MILP solvers to do much of the computation by turning a cryptanalysis problem into a SAT, CP or MILP problem. If we use the solver as a black box, we still have to make the translation from the cryptanalysis problem into a SAT, CP or MILP problem. This is what we call the modeling process. The thing is, there is not a single way of modeling a given problem and, depending on the modeling, the solver can perform a computation in a few minutes or not even terminate after several days of computation. What we are going to see in this presentation is how to get MILP modelings for the problem of computing differential trails through SPN constructions that allow the solvers to perform as fast as possible. The reason we focus on MILP modeling is that the industry has developed very powerful solvers that are successfully used in many different domains. First, what is a MILP problem? It is the problem of optimizing a linear function on variables x, the objective, under linear constraints and domain constraints, which means the variables can be restricted to integer values or even binary values. In our context, variables are often entirely binary. 
So what have cryptographers done with MILP modeling so far? First, Mouha, Wang, Gu and Preneel, and Wu and Wang, used it to compute lower bounds on the number of active S-boxes with word-wise modeling. This means their modeling used one binary variable for each word, modeling whether this byte was active or not. Of course, such modelings are restricted to word-oriented ciphers and do not take the details of the S-boxes into account. Then, Sun, Hu, Wang, Qiao, Ma and Song proposed bitwise modelings where one binary variable models whether a bit is active or not for each bit. In particular, they proposed the first techniques to take the details of 4-bit S-boxes into account. In two different works, Sasaki and Todo explored the use of MILP modeling for impossible differential trail search and tried another approach to model 4-bit S-boxes. However, none of the techniques proposed in these seminal works allowed practical modelings for 8-bit S-boxes. The first work to propose a solution for the modeling of 8-bit S-boxes came in 2017 by Abdelkhalek, Sasaki, Todo, Tolba and Youssef. They also showed how to model the search for good probability differentials. However, the techniques gave quite heavy modelings for many 8-bit S-boxes, like the AES S-box. In this work, we first provide better ways of modeling Boolean functions of size 8 to 16, which gave us better modelings for S-boxes of any size. We then studied how to model F2-linear operations and consequently linear layers. Let's start with S-boxes. The differential behavior of S-boxes can be summarized into a two-dimensional table called the DDT. We assume for the rest of the talk that we do not care about probabilities and just want to consider whether a transition is possible or not. This gives us this Boolean function called DDT*. For an input difference delta_in and an output difference delta_out, we say that the transition x, which is the pair (delta_in, delta_out), is possible if DDT*(delta_in, delta_out) is 1. 
Now the question is, how can I derive a set of linear inequalities on binary variables x that is satisfied if and only if the 2n binary variables x model a possible transition? Please note that if I can do it for any Boolean function, then I can do it for DDT*. A preliminary question is, is it possible for any Boolean function to find such a set of inequalities? The answer is yes, and we will see why on this small example. Consider a Boolean function f on three variables x, y, z. When considered in the set of the real numbers, all the points on which f takes a value are located on the cube. Moreover, modeling f means finding hyperplanes that discard the points of the cube where f takes the value zero and that keep the points of the cube where f takes the value one. And since for any subset of the cube, its convex hull is inside the cube, sets of linear inequalities can characterize any Boolean function. Now comes the real question. Given the truth table of a Boolean function, how can I get a nice set of inequalities? This question is usually answered in two steps. The first step aims at computing many correct inequalities and the second step will try to choose just some of them that are good enough for the final modeling. There are two approaches for this second step. The greedy one will aim at keeping the inequalities that remove many impossible points and the minimum one will aim at getting the smallest model possible. We found through experiments that the latter is a good indicator for benchmarking the first step and the former is better suited for real usage in MILP solvers. Our intuition on this fact is that a bit of redundancy in the modeling, namely the fact that an impossible transition can be discarded twice, is good for the solver. Now how is step one performed? There are two approaches. 
The geometric method is based on the convex hull of possible points, whereas the logical method is based on progressively discarding impossible points. For example, if we consider an impossible point a, modeling that x is different from a is done through this equation, which is linear because a is fixed. Let's have a look at the geometric method. On this drawing, black dots are possible points and white dots are impossible points. Black lines represent the convex hull of possible points. Computing the convex hull becomes too hard when the number of variables exceeds 12. In the case of DDTs, this means this method cannot be used to model seven-bit and bigger S-boxes. Then simply adding inequalities that share a possible point on their edge allows us to build more interesting inequalities. This simple idea gives the best results for four-bit S-boxes, but we cannot apply it to eight-bit S-boxes. So we now focus on improving the logical method. The goal here is to pack the impossible points in sets we know how to discard with a single inequality. We have just seen an example with singletons. A first step is to pack impossible points into sets a ⊕ Prec(u). This is just a notation denoting the points that share the bits of a and whose bits can take any value at the positions given by u. Those sets only need one inequality to be discarded and there is a very simple algorithm to cover the impossible points with such sets. It is interesting to note that this is in fact equivalent to using the first part of the Quine-McCluskey algorithm. The Quine-McCluskey algorithm is a classical algorithm for computing minimal product-of-sums representations of Boolean functions and was used by Abdelkhalek et al. to find the first modeling of eight-bit S-boxes. The difference with our technique is that the second part of the Quine-McCluskey algorithm has no interest for us. Indeed, it does the same job as step two in our setting, but for a different goal. 
Another possibility is to pack impossible points into balls with the Hamming metric. Indeed, with center c, we can easily express the weight of x ⊕ c with a linear expression. Furthermore, by tweaking the coefficients of this linear expression, we can discard balls while keeping some of the possible points on their edge. The thing is, for a random Boolean function or a dense DDT, it is quite rare to find balls of radius bigger than two. We then came up with the technique for removing three neighboring balls of radius one as they appear more often. A condition for this technique to work is that the XOR sum of the three centers should give an impossible point as well. Here are two results we got on eight-bit S-boxes with the two techniques compared to using the Quine-McCluskey algorithm. In the first case of the Skinny S-box, we see that using the balls technique with the a ⊕ Prec(u) technique does not make a big difference when we try to compute the minimum number of inequalities. However, we see that for the AES S-box, we got a significant improvement. We think this difference comes from the density difference between the two DDTs. Indeed, the sparse Boolean function of the Skinny S-box DDT allows us to find many big sets a ⊕ Prec(u) and those big sets do much of the work. For the AES S-box, because the DDT is so dense, the balls techniques are better suited for covering the impossible points. Now we know how to model S-boxes, but they are not the only components of symmetric ciphers. Linear layers, which provide diffusion, are also important components to model efficiently. We will start with bad news. Modeling a multiple XOR constraint without introducing dummy variables needs an exponential number of inequalities. Now, imagine you have to model an F2-linear operation given by matrix M. You can rewrite the constraint as (M | identity matrix) times x equals zero. 
Your only hope will be to find equivalent constraints given by matrix A, which means computing an invertible matrix P such that P times (M | identity) equals A. More precisely, we want to compute P that minimizes the weight of the rows of A to tame the exponential complexity of XOR constraints. There is a very simple example given by the Skinny MixColumns on the right. The matrix on top is the matrix (M | identity). We see that the first row has weight four. Now the matrix below is the same matrix, but we added the last line to the first one, which is an invertible operation. We see that this simple operation could decrease the weight of the first line to three. We pushed this idea a bit further and also considered searching for block diagonal matrices to multiply on the right to decrease the weight of those rows. This modification will need to model affine equivalent S-boxes instead of the original S-boxes. It appeared throughout our experiments that the affine equivalent S-boxes were very close to the original ones and that their respective modelings were very close as well. Now, how does it perform? For ARIA and Midori, maximal branch number matrices were chosen so we cannot do anything with our techniques. We just saw a slight improvement for Skinny. AES and Anubis matrices can have better modeling by compensating with the S-boxes. And finally, for Saturnin, our technique can significantly improve the modeling. We have seen until now results about numbers of inequalities, but what we are really interested in are computation times. We benchmarked our techniques by computing differential paths for five-round AES and 32-round Skinny. We see that for the AES, the S-box improvement has more impact. For Skinny, the linear layer improvement is much more interesting. This difference can be explained by two reasons. First, for the AES S-box, the modeling was greatly improved, whereas for Skinny, the difference was barely interesting. 
Second, we show an experiment for many rounds of Skinny and the small improvement on the linear layer modeling can have more impact. Five rounds of AES only need four linear layers and a difference in the linear layer modeling does not have much impact. Finally, we showcased our techniques by computationally proving partial resistance against impossible differentials for 13 rounds of Skinny-128 and five rounds of AES. More precisely, we checked that there exists at least one path between any input and output difference with one active byte. Those computations are based on exhaustive search, but to speed up this search, we use the natural extension of the differential possibility equivalence technique by Sasaki and Todo. To conclude, we provide techniques that could help you to use MILP solvers in your works, and some of them can definitely be used outside the differential cryptanalysis world. What we did for the DDTs, you can do it for modeling LATs, for modeling division property, for modeling any Boolean function you need. Please keep in mind that MILP solvers only allow us to do complex computations without writing complex code. They won't magically provide solutions for problems we already know to be too hard. However, since cryptanalysis often puts us on the edge of what we can compute, searching for more efficient modeling is definitely a way of pushing that edge a bit further. In fact, there are many open questions left. Are there better ways of solving step two than the greedy algorithm? Could it be more interesting to introduce dummy variables in some situations? Or what improvements can be done in the linear cryptanalysis and division property worlds, where MILP modelings need an explicit copy operation? Thank you for your attention.
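
The logical method and the greedy second step described in the talk, as an added example that is not part of the talk or the authors' code: it computes DDT* for a 4-bit S-box, packs impossible transitions into sets a ⊕ Prec(u), and checks that the selected inequalities accept exactly the possible transitions. The S-box values, the brute-force enumeration of candidate sets and all function names are assumptions made for this illustration.

```python
# Added example: logical-method MILP modeling of DDT* for a sample 4-bit S-box.
SBOX = [0xC, 0x6, 0x9, 0x0, 0x1, 0xA, 0x2, 0xB,
        0x3, 0x8, 0x5, 0xD, 0x4, 0xE, 0x7, 0xF]  # sample permutation (assumption)
N = 4           # S-box width in bits
BITS = 2 * N    # one binary variable per bit of (delta_in, delta_out)

def ddt_star(sbox):
    """Possible transitions, each packed as (delta_in << N) | delta_out."""
    return {(d << N) | (sbox[x] ^ sbox[x ^ d])
            for d in range(1 << N) for x in range(1 << N)}

def cube(a, u):
    """Points of a XOR Prec(u): equal to a outside u, free on the bits of u."""
    pts, v = [], u
    while True:
        pts.append(a | v)          # a & u == 0, so a | v == a ^ v
        if v == 0:
            return frozenset(pts)
        v = (v - 1) & u            # next submask of u

def candidate_cubes(impossible):
    """Step one: every set a XOR Prec(u) made only of impossible points."""
    cands = []
    for u in range(1 << BITS):
        for a in range(1 << BITS):
            if a & u == 0 and cube(a, u) <= impossible:
                cands.append((a, u, cube(a, u)))
    return cands

def greedy_model(impossible):
    """Step two (greedy): keep the cube discarding most remaining points."""
    cands, left, model = candidate_cubes(impossible), set(impossible), []
    while left:
        a, u, pts = max(cands, key=lambda c: len(c[2] & left))
        model.append((a, u))
        left -= pts
    return model

def satisfies(x, a, u):
    """sum over i outside u of (x_i if a_i == 0 else 1 - x_i) >= 1."""
    return sum(((x ^ a) >> i) & 1 for i in range(BITS) if not (u >> i) & 1) >= 1

def accepted_points(model):
    return {x for x in range(1 << BITS) if all(satisfies(x, a, u) for a, u in model)}

if __name__ == "__main__":
    possible = ddt_star(SBOX)
    model = greedy_model(set(range(1 << BITS)) - possible)
    print(len(model), "inequalities;", "exact:", accepted_points(model) == possible)
```

Each pair (a, u) in the returned model is one linear inequality on the 8 binary variables; a singleton (u = 0) is the per-point inequality for "x is different from a".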