 Everyone, the name of the presentation is on the usage of deterministic, related to truncated differentials and multi-dimensional linear approximations for S-band samples. In this presentation, we start with the background and contributions, following that we briefly recall some related preliminaries, then we propose an automatic tool for the search of deterministic related K truncated differentials and multi-dimensional linear approximations. After that, we will introduce the improved related K differential linear attack on AES 192. As the second application of the tool, we show how to construct a related K impossible differential with PD and the zero correlation linear approximations with MDLA respectively. Also, it is implemented with several primitives. At last, we will draw a conclusion. So, let's start with the first part. In the last decade, the automatic tool for cryptanalysis obtained rapid development. However, few works concentrated on the deterministic TD or MDLA. Among the few works realizing the search of TD and MDLA, the optimality of the distinguisher should be confirmed by an exhaustive search over all possible input differences on masks. It cannot be afforded when the internal state of the primitive have a considerable number of words. The incomplete search is also a long-term problem in the search of optimal TD and MDLA, since all available automatic tools operate under fixed input and output differences on masks. Testing all possible combinations is impracticable for now. With this in mind, the contribution of this work can be divided into three parts. Firstly, we propose an automatic tool for the search of deterministic RKTD and MDLA. The second contribution is that we improve the related K differential linear tag on AES192 by a novel property. At last, we develop a way to apply the automatic tool to construct RKID with TD and this ALA with MDLA. This technique is implemented with several servers and the provable security bounds of skinny and mid-Ori-64 against the impossible differential distinguishing attack are generalized. Before we detail our work, we briefly recall some necessary preliminaries, a differential that predicts only parts of an NB difference is called a truncated differential. Instead of considering the accurate difference of the internal state, truncated differential pays attention to the differential pattern. The differential pattern is an L-dimensional vector, which each delta xi being the linear combination of the four patterns of differences. If the difference equals zero, its corresponding differential pattern is zero differential pattern z. If the difference is non-zero and fixed, the pattern is non-zero fixed differential pattern n. If the difference can be any value except the zero, the pattern is non-zero varied differential pattern n star. If the difference can take any value, the pattern is varied differential pattern u. The propagation of differential patterns through different operations obey different rules. For instance, the two output differential patterns of the branching operation should equal the input pattern. We also list the propagation rule for XOR, SBOX, and MDS metric operations. With the iteration of the round function, the differential pattern of the internal state gradually losing information, truncated differential can be extracted before the internal pattern turns into a vector with all elements being u. Similarly, in the area of linear cryptanalysis, an approximation is called a multidimensional linear approximation if only parts of input and output masks are known and fixed. So correspondingly, we have four linear patterns. Since the propagation of linear masks and the differences inside the SPN and physical samples are due to a certain degree, the propagation of linear patterns are similar to those of differential pattern. So we do not expand on the rules of propagation under the linear setting. The constraint satisfaction problem is a kind of mathematical problem. It is represented as a triple. X is a set of variables. D is a set of non-empty sets. Each D-axis specifies the domain of XI. C stands for a set of constraints. We take a graph coloring problem here to explain this definition more detail. In this problem, we find a way of coloring the vertices such that no two adjacent vertices are of the same color. We have 10 vertices here. So X is the set containing the 10 labels from A, B to G. Suppose that we want to use three colors to fill the vertices. Each domain in D contains three elements. For example, here we use red, yellow, and blue. Each constraint in C is a pair. X star points are the variables in the constraint C star. R star is a relation that limits the values of the variables in X star can take. So, for example, the constraint between the vertices A and D should be, firstly, the set of the two points, secondly, a formula clarifying their relation. The boolean satisfiability problem and the satisfiability modular series can be viewed as the individual cases of the CSP. But the CSP can describe much harder cases, which may not be expressible with some of these relatively simpler instance. Although solving a CSP on a finite domain is an NP complete problem, when ACP solvers are available to solve problems of practical interest, now we introduce how to use CSP to find deterministic RKTD and MDLA. The first step is initializing variables. For each entry of the inner state, we introduce an integral variable delta X to sense for its differential pattern. Since they have four patterns, the domain of delta X contains four integers from 0 to 3. The correspondence between the differential pattern and the value of delta XI looks like this. On the other hand, to utilize the information of the non-zero fixed difference, they import another integral variable delta X to represent the actual S bit difference. Now they already define variables and their domains. So to generate a CSP, they should study how to generate constants according to our requirement. They propose two methods to generate the expression of the relation. With this method, we first consider the relation between delta X and delta X since they correspond to a semi-inner state. Adding this expression into the CSP will ensure that delta X falls into the correct region. Then the second step is propagating differential patterns. To propagate the differential pattern across one round of encryption, they decompose the round function into multiple simple operations. They generate CSP models, in other words, constants for four frequently used operations, branching, XOR, SBOX, and MDS metric operations. Generally, these four models are adequate for us to handle most of the primitives. By organizing these basic models, we can create constants representing the pattern propagation across the cypher. The third step is clarifying the certain scope of the input patterns. Previously, the usual way is to fix the input pattern as a predetermined value, and the format of the input pattern will influence the length of the TD. An ideal solution for the optimal TD is an exhaustive search over all possible input patterns, but it cannot be afforded when the internal state of the primate tail has a considerable number of words. So to overcome this incomplete search in our new model, we do not fix the format of the input pattern and only claim that the input difference is non-zero. So after adding this constraint into the CSP in the searching phase, the CP server will automatically traverse all possible input patterns and the exhaustive search turns into an inherent feature of our model. To ensure the existence of R&TD or MDLOA, at most, the searching program should be implemented for three RL times. An instance in the paper is that the number of rounds to search for the optimal ID of MinaparP is reduced from 2 to the 128 to 2 to the 10.9. The last step is clarifying the certain scope of the output patterns. With the iteration of the round function, the differential patterns of the internal states gradually lose information. The output differential patterns that we are interested in are the N and N stars since they carry useful information and they can be exploited in various attacks. So if we add TD, these third attacks in their rule, they add this assertion into the CSP. Also, the assertion can be adjusted according to our requirement. A nature generalization of this tool is to search for multi-dimensional linear proclamations. In addition, for cypher space for the R&TD case schedule, the constraints about the case schedule can be integrated into the whole CSP so that we can realize the search of related K truncated differentials. Now let's move on to the improved related K differential linear attack on AES 192. Since the previous background RKDL distinguisher relies on a four-round RKTD with probability 1 for the first subcypher, we try to implement this method we introduced above to search for better RKTD so that we can construct better RKDL distinguishers. But after the complete search with the model, we find that the length of the optimal TD cannot be extended due to the vial-designed diffusion layer. However, we discover another non-trivial property in the DL distinguisher. This is the previously used distinguishing property and it relies on difference of two bytes. While the new property we found only required one byte of difference, note that the bears of these two properties are almost the same. So the complexity of the distinguishing attack with the new property basically remains unchanged. But the complexity of the K recovery attack drops because less K-bat gets involved in the K recovery phase. Since the new property depends on an artificial randomness property, we also provide experimental verification for it. We construct a statistic and use central limit theorem to drive the distributions of the statistic under different settings. The distributions are verified for some randomly selected values of lambda. From the samples, we find that the test results fit very well with theoretical distributions. With this new feature, the data complexity of the K recovery attack basically remains unchanged while the time complexity is reduced from 2 to the 187 to 2 to the 170.5. Now we show how to apply the automated tool to construct RKID and DCLA. We start with the basic version and it applies the missing the middle approach. After constructing two deterministic TD in opposite directions, we check the compatibility of the two output differential patterns. If there exists at least one word such that the corresponding difference of the pattern dirt01 cannot be interpreted by dirt02, dirtI1 to dirtI2 forms an R1 plus R2 round ID distinguisher. We use our tool to automatically finish this approach and name the new method for an ID distinguisher as U star method. The distinctions between our tool and the U method let's see firstly the way to implement the search, secondly the set of differential patterns applied to Yale contradictions. We take a smaller set U star which is also the reason for the name of our tool but we prove that regarding a spin surface, the U star method has almost the same performance as the U method. Thirdly, the difference also lets in the certain scopes of the input and output patterns. So in this sense, we partially handle the longstanding incomplete searching problem in the field of ID and DCLA. As discussed in previous literature, the U method only centers on the contradictions at the meeting point. However, in some cases, although the two differential patterns at the meeting point are compatible with each other, the given input and output difference still encompass inconsistency. Based on this observation, we intend to generalize the basic approach so that we can detect impossible differential with contradictions belonging to the second category. To finish this goal, we first define the message collecting function. It is used to unify information of two compatible differential patterns. After propagating the unified patterns in the forward and backward directions, we check whether the newly derived patterns are compatible with the previous ones. Longer ID distinguishes can be constructed if some contradictions here are identified. We also use CSP to do these works and name these methods as the optimized U star method. This is a comparison of all tool targeting RK IDs of spin surface. An outstanding feature of our tool is it supports the exhaustive search. Our source codes are openly available and all tests in the paper are implemented with one processor. Since the runtime vary with different settings, they only provide some kind of rough runtime for the applications of Skinny and Midori 64. All programs finish in several seconds and for Minava P, it takes several minutes to return the result. These are results for the applications to Skinny. We find some 12.5-ground impossible differentials and some new 12.5-ground related 2K impossible differentials for Skinny n n and some 11.5-ground zero correlation linear approximations. With the tool, we also prove that under a certain assumption, a 13.5-ground encryption of Skinny is secure against impossible differentials with arbitrary non-zero input and output differences. Under the related 2K attack setting, we also prove a conditional provable security bound. These are results for the applications to Midori 64 and Minava P. We obtain some 6.5-ground impossible differentials for Midori 64 and some 8.5-ground impossible differentials for Minava P. Also, we give the provable security bound of Midori 64. We finish all the contents in the paper and give a conclusion. In this paper, firstly, we propose an automatic tool for the search of deterministic RKTD and MDLA. The second contribution is that we improve the related K differential linear attack on AES 192. In addition, we develop a way to apply the automatic tool to construct RKID and ZCLA. We acknowledge that some of the newly identified distinguishes are extensions with probability one of those published in previous literature. However, we think that the center of the paper is more the new technique and since the new tool can realize the exhaustive search in a surprisingly rapid manner, we hope it may play an essential role in the designing phase of new servers. In the re-battle phase, the reviewers suggested to construct a unified framework involving the K recovery approach and they think it will be a nice future work. That's all for the presentation. Thank you for your attention.