And the final talk of the session is on cube-attack-like cryptanalysis of round-reduced Keccak using mixed integer linear programming, and it will be given by Song Ling and Guo Jian.

Thanks for the introduction. In this talk, we apply MILP for searching parameters for cube-attack-like cryptanalysis of round-reduced keyed Keccak. Keccak is the most famous permutation-based primitive, designed by Bertoni et al. It was selected as the SHA-3 standard. The underlying permutation used in Keccak is Keccak-p. Keccak can be used under some keyed modes like KMAC and Keccak-MAC. It also has some relatives, including the authenticated encryption Keyak and Ketje, and the pseudorandom function Kravatte. For these keyed Keccak constructions, key recovery attacks are of great interest. For these keyed constructions, the cube attack is a useful approach for the key recovery. There are two types of cube attacks. One is cube-attack-like cryptanalysis. The other is conditional cube attacks. The mixed integer linear programming models improved the conditional cube attacks greatly, as shown in the works of Li et al. and Song et al. So a natural question arises. How about cube-attack-like cryptanalysis using MILP? This question motivates our research. We propose an MILP model for cube-attack-like cryptanalysis and apply this model to three keyed constructions and obtain the following results.

Introduction to Keccak-p. Keccak-p has an internal state of b bits, which can be seen as a 5 times 5 array of lanes. It iterates a round function n_r times; b and n_r are two parameters for Keccak-p. Its round function has five steps: theta, rho, pi, chi and iota. Chi applies an S-box on each row, and pi and rho just change the position of state bits. The mathematical expression of the round function is listed here. More clearly, the theta step adds two columns to state bits. So each output bit depends on 11 input bits.
If all the columns have even parity, the state will remain the same after the theta step. In this case, we say the state is in the column parity kernel. The property of the so-called CP kernel is widely used in attacks against Keccak. The rho step rotates the bits within lanes and the pi step shuffles the lanes. The algebraic degree of the nonlinear layer is two, and we can see that the nonlinear terms come from the product of two adjacent bits in a row. We will utilize this property in our attacks.

Xoodoo, we can regard it as a sister of Keccak-p. It has an internal state of 384 bits. It can be arranged as a four times three array of words. The round function is different from that of Keccak-p. However, the theta and the chi are still similar. Chi applies an S-box, now on the column, and the rho west and the rho east change the bits within a lane. Also, the mathematical expressions for the Xoodoo round function.

Keccak is designed by instantiating the underlying permutation of the sponge with Keccak-p. The sponge construction is shown in this figure, and Keccak itself takes in a message and outputs a digest. However, when it takes the concatenation of a key and the message as input, it becomes a MAC, which is called Keccak-MAC. The combination of Keccak-p and the MonkeyDuplex results in the authenticated encryption Ketje. The Keccak-p* here is obtained by applying the pi inverse and the pi just before and after Keccak-p. You can see from the duplex construction, the first output here, Z here, is returned after n_start rounds of f0 and n_step rounds of f1. So that is to say n_start is 12 rounds and n_step is one round. So the first output is returned after 13 rounds. We target Ketje versions with this number reduced. Although Ketje has four variants, we target the two smaller ones with internal state sizes of 200 and 400 bits. Xoodoo can be an alternative permutation in the duplex. We call it Xoodoo in the Ketje mode.

In cube attacks, the output bit can be regarded as a boolean polynomial in secret variables K and public variables V. Given the monomial t_I, which is a product of the public variables specified by the set I, the boolean polynomial can be written as two parts. The first part contains terms that are divisible by the monomial and the second part contains terms that are not divisible by t_I. The d public variables here are called cube variables, d is the dimension, and the factor here, Psi, is called the superpoly of f. When all the cube variables take all possible values, the sum of the polynomial will be exactly the superpoly. In cube attacks, the attacker exploits a linear superpoly to recover the key. In the original cube attack, Psi, the superpoly, is regarded as a linear expression in all the key bits, while in cube-attack-like cryptanalysis, the attacker uses n_a auxiliary variables so that the superpoly depends on a smaller set of key bits, let's say n_i key bits.

Once a cube with parameters n_a, n_i and d is formed, the attack proceeds in two phases. In the online phase, the attacker builds a lookup table which stores the cube sums corresponding to all possible n_a key bits. This phase takes a time complexity of two to the n_i plus d and a memory complexity of two to the n_i. In the online phase, the attacker guesses the value of the n_a auxiliary variables and then queries the cipher to obtain the cube sum. With the cube sum, he looks up the table. A right guess of the n_a auxiliary variables will lead to a hit in this table. In this way, the attacker can find and recover the n_i key bits. The online phase takes a time complexity of two to the n_a plus d. In this procedure, we can see that a good attack should have balanced parameters for n_i and n_a.

Recall that the round function of Keccak has algebraic degree two and the nonlinear terms come from the product of adjacent bits.
If we avoid adjacent cube variables, the first round will be linearized. After m rounds, the algebraic degree will be two to the m minus one. With the first round being linearized, the task of the MILP model becomes clear. That is, to find two to the m minus one dimensional cubes where m is as large as possible, to attack more rounds, and to find balanced attacks where n_i and n_a are close and as small as possible. So this is our task for the MILP model.

Before we introduce the MILP model, let us see a trivial example. Suppose a 128-bit key is loaded into the first two lanes of the initial state here, which means each lane is of 64 bits. And the cube variables are placed here, in these two yellow lanes. And these two lanes are identical, so that the cube variables will not diffuse to other places through theta. This also means that the cube variables are placed in the so-called CP kernel. And we also suppose that auxiliary variables are set here, just below the first key lane. If the auxiliary variables are identical to this key lane, the first key lane also won't diffuse to other lanes. As a result, only this, the second key lane, will diffuse through theta. And after theta, there are the operations of pi and rho. These two just change the positions of state bits. And the next is the chi operation. You can see that the yellow lanes are not, yellow bits are not next to each other. So the first round will be linearized. And the cube variables are adjacent to the light blue bits. That is, only light blue key bits will multiply with the cube variables. This means after up to seven rounds, the cube sum will depend only on the 64 light blue key bits. So this is an example of a cube with parameters d, n_a and n_i all being 64.

From this example, we can derive the core of our model. That is, we need to model three things.
First, we need to model the propagation of cube variables and the dimension d, and the propagation of key bits through theta and the number of auxiliary variables. And last, the interaction of key bits and cube variables just before the chi, and count the number of key bits the cube sum will depend on.

Mixed integer linear programming has been widely used in cryptanalysis since Mouha et al.'s pioneering work. An MILP problem is of the form with an objective function subjected to some linear inequalities. The variables are usually chosen from the integers. In our case, the objective is to minimize n_i and n_a under the constraint that the dimension is set to two to the m minus one, together with other inequalities. And we can confine the variables to be binary. So the problem unsolved is to find the set of inequalities that can fulfill our goal.

We take Ketje Junior version one as an example to derive the inequalities for the model. Here, the light blue bits are constant, the blue bits, these are key bits, and the white bits are the nonce bits. Note that both the cube variables and auxiliary variables should be chosen from the nonce bits. We let the letters a, b, c in lower case stand for the state. And the activeness for this state is denoted by capital letters A, B, C. That is, if a bit contains a cube variable, this bit is active, and the activeness value is one.

So the first part, the propagation of cube variables and the dimension d. Since the constants and the key are fixed, these bits are not active. So the values for the activeness are zero. While for the nonce bits, we don't know, we need to find an assignment. We also introduce two extra variables, the G, for the activeness of column sums. And the G to stands for the consumption of degrees of freedom. Let's see an example. If we place two variables v0, v1 here, the sum of this column will be v0 plus v1. So the sum is active. So the value for the Gx for that column is one.
And there is no consumption of degrees of freedom. However, if we place v0 at both positions, the column sum will be inactive. So the value here should be zero. And one bit of degree of freedom is consumed. So the dimension can be calculated with these variables. That is, the number of active bits in the state minus the number of degrees of freedom consumed. That is here. And formally, the relation of the activeness of the state, the activeness of the column sum and the degrees of freedom consumed can be described with three inequalities per column. And with the activeness of the input of theta and the activeness of the column sums, we can derive the activeness of the output of theta, since its output bit is the sum of two column sums and the bit itself. And from the activeness of b, we can calculate the activeness of c directly, since it just changes the position of b bits.

So the second part, the propagation of key bits. Here we introduce the w variables for the state. It indicates whether a bit contains key information or not. Of course, the constant contains no key information. So these values are zero. And the key bits, of course, contain key information. These are one. And for the nonce bits, we are not sure. We also introduce extra variables, capital X here, to denote whether the column sum contains key information or not. See an example here. Suppose these two key bits are k0 and k1. If we set an auxiliary variable here, the column sum will contain no key information. Then the value for x for that column is zero. However, if we don't set any auxiliary variables for this column, the column sum will contain key information. For this case, we only need one constraint. That is, all the nonce bits and the column sum will sum to one. That is, one of them will be one. And the number of the auxiliary variables can be calculated as the number of nonce bits being one in the white places.

Lastly, the interaction of key bits and the cube variables.
Recall that we use the capital A, B, C to denote the activeness of the state and w to denote whether the initial state contains key information or not. Accordingly, we also introduce y and z. With the z and z, we can now collect key bits that are adjacent to cube variables. So the model is done.

We apply it to three Keccak-based constructions. For Ketje Junior version one, version two, we improved the previous attacks. Something interesting is that if the key size is reduced, one more round can be attacked for these two versions. And for the version Senior v2, v2, we also improved the attacks. And for Xoodoo in the Ketje mode, six rounds can be attacked. Compared with this version, with the Senior, Ketje Senior, one round less can be attacked. We feel that Xoodoo has a good resistance against such type of attacks. We also have a seven-round attack against the largest version of Keccak-MAC.

To conclude, the MILP model does help to improve cube-attack-like cryptanalysis with better results. And it is easier to find cubes with the MILP model. And lastly, this work does not threaten the security of any keyed Keccak constructions. Thank you.

Questions?

Okay. So in the beginning you mentioned the conditional cube attack. How do your results compare to the conditional cube attack?

Construction, Keccak constructions which are not listed here, conditional cube attacks perform better.

Okay. Thank you.

Thanks. Maybe one more question out of curiosity. So you're taking advantage of both the theta and the S-box layer of the Keccak constructions. Have you also looked at whether your attack can be expanded to cases where only one of the two functions is used? For example, Ascon, where we have a similar S-box, but a different linear layer?

You mean the same S-box, but a different linear layer? This attack mainly depends on the linear layer and some properties of the chi. So when we change the linear layer, I think the results must be totally different.

Okay. Thank you.

And thank you all speakers of the session again and enjoy the coffee break.