Hello everyone, this is Senyang Huang from the University of Haifa. Our topic today is Reconstructing an S-box from its Difference Distribution Table. This is joint work with Professor Orr Dunkelman.

First of all, let me introduce the background and motivation of our research. The Difference Distribution Table of an S-box is an essential component in differential cryptanalysis. We show the definition of the Difference Distribution Table of an S-box in the following way. Here, the S-box is from n-bit input to m-bit output. It can be seen from the definition that deriving the DDT from the S-box is very easy, but the opposite way is a very difficult problem. But the problem is interesting and important because the ability to recover the S-box from the DDT of a secret S-box can be used in a lot of attacks. Boura et al. proposed a straightforward guess-and-determine algorithm to solve this problem. In our talk today, we will show a new approach by applying the we will establish the relation between the DDT and the LAT.

Similarly, the LAT of an S-box is an essential component in linear attacks, and the LAT of an S-box is defined in the following way. The Walsh-Hadamard transform is used a lot in our research, so we show the definition here. We can build the links between an S-box, its DDT and its LAT with the help of the Walsh-Hadamard transform. In Lemma 1, you can see that when we apply the Walsh-Hadamard transform to the LAT, we obtain the characteristic function of S. It means we recover the S-box. And from Theorem 2, we apply the Walsh-Hadamard transform to the DDT and we get the squared LAT here. To summarize the properties, we can go from the given DDT to the squared LAT with Theorem 2, and we can go from the real LAT to the S-box with Lemma 1. The problem is how can we go from the squared LAT to the real LAT? If we solve this part, we can go from the given DDT to the S-box. It means that we recover the secret S-box.
In our approach, we first define the sign determination problem to recover some columns in the squared LAT. If we can recover m columns in the LAT, we can recover the real LAT and we can derive the S-box. If we don't have m columns recovered, we can still apply our improved GD algorithm to reconstruct the S-box. And usually for this routine, it's quite trivial and less efficient. So we will stay on this research line and focus on the improved GD algorithm.

We define the sign determination problem in the following. Before we define the problem, we need to show the cross notation as follows. V cross here is a vector of absolute values of the entries in the original vector. And the sign determination problem of the B column in the LAT is the problem of recovering lambda B from lambda cross. It is to determine the signs of a column in the LAT.

So next, we will propose a new algorithm to solve the sign determination problem. We first introduce the linear relation between lambda B and S B. For any B column of the linear approximation, the following formula always holds. In the formula here, H_n refers to the Hadamard matrix, and the Hadamard matrix can be represented in the following way. Because of the special form of the Hadamard matrix, we can solve the system of linear equations iteratively. We just apply the elementary transformation to the independent subproblems n times, and finally we get H_0 as the diagonal of the matrix. As H_0 is exactly one, we solve the problem.

And then we introduce our basic algorithm. We apply the idea of solving the system to reduce the problem into two independent problems. We first guess all the possibilities and combine the possibilities related values and compute the possible ice constraint of subproblems. We recall the ice constraint as a vector, and all the possible constraints are contained in a full set here. The problem of our basic algorithm is that the size of the full set grows so fast.
And we try to solve this problem by proposing an improved algorithm. In the new algorithm, we observed the symmetric structure in the full set. It means that other vectors in an equivalence class can be obtained by simply operating transforms and permutations on the representative vector. So we don't need to record all the vectors. We just record the representatives of the equivalence classes in the compact set. The compact representation reduces both time and memory complexity. Every time we derive the compact set in the next layer, we construct a middle set to guarantee that the derived set is indeed the compact set. Here is our improved algorithm. We compute the middle set and we compute the new vector and check the consistency of the vector. If it satisfies the consistency, we include the new vector in the new compact set.

Still, for some cases, the size of a compact set grows very fast. To solve this, we set a heuristic threshold according to the accessible memory of the attacker. And we define good columns and bad columns according to the threshold. We call a column in the absolute LAT good if it can be recovered under the threshold applying Algorithm 2. Otherwise, we call the column a bad column. According to our experiments, the solutions for the good columns usually contain at most two equivalence classes. We analyze the complexity of Algorithm 2 here and we give the upper bound of memory complexity and time complexity.

Before we introduce the improved GD algorithm, we need to describe the matching phase for K independent good columns. Suppose that we have solved the sign determination problem for K independent good columns. It means that we already have some candidates for the K columns of the LAT. So, we need to find the right combination which matches the real LAT. And we define the independent columns here when we have K columns. And the binary representation of the indices are linearly independent over the field.
We use this formula to find the matching Boolean function. And we try all the possibilities and compute the vector and check the consistency.

Next, we will show the improved GD algorithm. Here, we already know some components of the S-box, for example, c_0·S(x) to c_{k-1}·S(x). With this knowledge, we can check the consistency every time we get the new assignments. We analyze the complexity of the GD phase here and the time complexity is shown as follows. We show the complexity curve for 8-bit input S-boxes with different sizes of outputs. It can be seen that when the size of the output of the S-box increases, the reconstruction process becomes much easier. It means that it is insecure to keep such an S-box as a secret S-box. In this figure, we show the complexity curve for random N-bit S-boxes with different k. The k here is the number of good columns. The original GD algorithm, when k takes zero, quickly becomes impractical with the size of the S-box growing. To optimize the original GD algorithm, the attacker has to find at least two independent good columns. When the number of good columns grows, the effect of reducing the search space becomes less efficient.

We tested our results with experiments. We implemented our algorithms on the following three types of Boolean functions. All of our experiments are done on a single core of less Intel CPU. It is an amazing result because we could recover a random 14-bit S-box in no more than one year. For the GD algorithm, the process is very time consuming and takes more than 15,000 years. From the standard deviation, we can see that our approach is much more stable than the GD algorithm. From the error bar here, we can see that the advantage of our approach over the GD algorithm sharply increases with the size of the S-box growing. When the input size of S-boxes is larger than 11, our approach is better in all cases. We also tested our algorithm on several specific S-boxes. Our approach outperforms in several S-boxes.
Well, it is difficult to find good columns in the absolute LAT of some S-boxes, for example, the four differential uniformity S-boxes and APN functions.

Finally, we will conclude our talk and show some open problems. We presented a new algorithm for reconstructing S-boxes from its DDT. The new algorithm is more efficient than the guess-and-determine algorithm in many cases. For example, for random S-boxes starting at the size of 10 bits, it outperforms the previous GD algorithm by several orders of magnitude. The new algorithm should be very useful to explore problems related to the DDTs. Some other related open problems are the problems of reconstructing an S-box from its BCT and its DLCT. This is our report and thank you very much for your attention.
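
Added example (not part of the talk and not the authors' code): the two transform relations described in the talk, DDT to squared LAT and signed LAT to S-box, checked on a toy 4-bit S-box. The LAT normalization (signed sums with no 1/2 factor), the function names and the sample S-box are assumptions of this example.

```python
from math import isqrt

def dot(a, b):
    """Inner product of two bit vectors over F_2."""
    return bin(a & b).count("1") & 1

def ddt(sbox, n, m):
    """DDT[a][b] = #{x : S(x) ^ S(x ^ a) == b}."""
    table = [[0] * (1 << m) for _ in range(1 << n)]
    for a in range(1 << n):
        for x in range(1 << n):
            table[a][sbox[x] ^ sbox[x ^ a]] += 1
    return table

def lat(sbox, n, m):
    """Signed LAT[a][b] = sum over x of (-1)^(a.x ^ b.S(x))."""
    return [[sum((-1) ** (dot(a, x) ^ dot(b, sbox[x])) for x in range(1 << n))
             for b in range(1 << m)] for a in range(1 << n)]

def wht2(table):
    """Naive 2-D Walsh-Hadamard transform (fine for toy sizes):
    out[u][v] = sum over a, b of (-1)^(a.u ^ b.v) * table[a][b]."""
    rows, cols = len(table), len(table[0])
    return [[sum((-1) ** (dot(a, u) ^ dot(b, v)) * table[a][b]
                 for a in range(rows) for b in range(cols))
             for v in range(cols)] for u in range(rows)]

def absolute_lat_from_ddt(ddt_table):
    """DDT -> squared LAT -> entry-wise square root; the signs are lost here."""
    return [[isqrt(v) for v in row] for row in wht2(ddt_table)]

def sbox_from_lat(signed_lat):
    """Transforming the signed LAT leaves one nonzero entry per row x, at y = S(x)."""
    return [row.index(max(row)) for row in wht2(signed_lat)]

# Sample 4-bit permutation used as the "secret" S-box (assumption of this example).
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]

if __name__ == "__main__":
    signed = lat(SBOX, 4, 4)
    absolute = absolute_lat_from_ddt(ddt(SBOX, 4, 4))
    print("absolute LAT matches |LAT|:",
          absolute == [[abs(v) for v in row] for row in signed])
    print("S-box recovered from signed LAT:", sbox_from_lat(signed) == SBOX)
```

The step this sketch leaves out, choosing the signs for the columns of the absolute LAT, is the sign determination problem the talk addresses.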