My name is Zhong Rui. My presentation is "Toward Key-Recovery-Attack Friendly Distinguishers: Application to GIFT-128". It's my joint work with Dong Xiaoyang, Chen Huifeng, Luo Yiyuan, Wang Si and Li Zheng.

My presentation contains four parts. In the first one we talk about the background and our motivation to write this paper. The second is our strategy for searching for differential or linear distinguishers. Then we talk about the differential cryptanalysis result of GIFT-128, then we give the linear cryptanalysis results of GIFT-128, GIFT-COFB and SUNDAE-GIFT.

For the first part: differential cryptanalysis was proposed by Biham and Shamir at Crypto 1990. It evaluates the security of a cipher by its difference propagation property, and in this method it often uses differential trails as a distinguisher. Linear cryptanalysis was proposed by Matsui at Eurocrypt in 1993. It evaluates a cipher's safety by the linear approximation property, and in this method it uses linear hulls or linear trails as a distinguisher.

A differential or linear attack procedure contains four steps. First, find a round distinguisher with its input denoted by alpha and its output value denoted by beta, with probability P. Second, extend the round functions at the top from alpha and at the bottom from beta. Third, check the involved key bits in the extended rounds. Last, collect enough messages and use statistical methods to find the right key value. So in this procedure, the first and the real step is to search out some valid distinguishers. The two steps, first searching for a distinguisher, second the attack procedure, are usually regarded as two independent steps.

So when we mount an attack, we usually have two expectations. The first is long: it means that the procedure should cover more and more round functions, and it also means that more round functions should be extended at the top and at the bottom of the distinguisher. The second is low complexity, and it is very related
with the number of involved key bits in the extended round functions, so the number should be very small. We find that both expectations are decided by the distinguisher's input and output. Some distinguishers are advantageous when utilized to mount key recovery attacks. It means that if we have two distinguishers that cover the same round functions, but one can be extended by four rounds at the top and the other one can only be extended by one round, we say the first one is advantageous. So we want to find which values of alpha and beta can satisfy the two expectations. Once a distinguisher with these input and output values is found, we can mount an efficient attack, which means covering more rounds with lower complexity.

We also notice a work on GIFT-128 by Wen Liu Wu. It gives the longest differential distinguisher of GIFT-128, which covers 21 rounds, but it cannot be directly used to attack more round functions. So in their paper, they use its first 20-round differential trail as a distinguisher to attack the 26-round version of GIFT-128.

Then we give a very simple introduction of GIFT-128. It was proposed by Banik et al. at CHES 2017. Its key size is 128 bits, with the same state size. It employs an SPN structure with 40 rounds, and GIFT is also one of the most competitive that bit bosses ciphers. The round function contains three operations. The first one is SubCells: it applies 32 4-bit S-boxes to every nibble. The PermBits operation is a very simple linear bit permutation operation. Then comes AddRoundKey. Its key schedule is also very simple: the master key size is 128, the round key size is 64, and the key state is updated by a combination of very simple operations, for example the rotation.

The second part is our strategy for searching for differential and linear distinguishers. It is a two-step process. In the first step we specify the input and output values in a set called the initial set, and the values in the set satisfy the above two
expectations: first, more rounds can be extended from the input and output values; then, the amount of involved key bits in the extended rounds is small. In the second step we search for advantageous distinguishers with input and output values chosen only from the initial set given in the first step.

We first introduce the process of searching for differential trails. For the first step we use the MILP technique to search for the initial set, and here are the two reasons why we do it with MILP. First, the search space of this step is very small, and when compared with the length of the distinguisher, the number of extended rounds is usually very small. The second is MILP technique with sessions and efficient.

Then we talk about how to construct the MILP model. During the attack, it is the activity that matters, but not the difference value. For example, for an S-box with input difference value 0001, its output difference can be 8 values, so we mark all four output bits as unknown bits, and every bit in these 8 output difference values can be either 0 or 1. Then we use 0 to denote inactive bits and use 1 to denote active or unknown bits. For the constraints on the activities of the S-box's input and output, we notice that the 4 output bits are 1 as long as the input has at least one active bit. We use 8 Boolean variables denoting its input and output difference; then each output bit can be constrained by the following 5 inequalities, and 20 in all for each S-box.

Then we talk about how to describe the linear layer. We use 128 Boolean variables describing the activities of the input state of each extended round, and as PermBits is a linear operation, no extra variables are needed to describe it. Then we construct inequalities describing all relations between the states in 2 consecutive rounds.

Here are the other constraints. First, when we extend at the bottom of the differential, its output difference, denoted by S0, should have at least one active bit, and the output
difference of the last extended round, denoted by SR, should have at least one inactive bit. These 2 constraints can be described with the following 2 inequalities. Till now we can construct the MILP model describing the states' activities in the added R rounds at the bottom of the differential. We solve the MILP model with R equal to 1. If the R-round model is feasible, we construct the (R+1)-round model and see whether it is feasible. Finally, the largest R for which the R-round model is feasible is the number of rounds that can be extended at the bottom, and the objective function can be optional.

The MILP model describing the rounds extended at the top is a similar process, except that when extending backward at the top of the distinguisher, the number of active bits in the last added round should be less than 128 to avoid a full codebook attack.

Then, after we determine how many rounds can be extended, we add the involved key bits. We use 64 Boolean variables to denote the round key; its value is 0 if a round key bit is not involved, and we set it as 1 if it is involved. Also, if a round key bit is surrounding with xg before the SubCells operation, we set it as 0, and set it as 1 otherwise. The constraint can be described by the following inequality, and two round key bits share a similar variable if they are derived from the same master key bit. The objective function is about the number of involved key bits: it should be as small as possible.

Finally we get the initial set. Using the above model, we collect all values that can be extended by the most rounds with a small amount of involved key bits into a set called the initial set, and once a differential with these input and output values is found, we can mount an efficient attack.

The second step can be described as a revisited Matsui's branch-and-bound algorithm, and its feature is that the algorithm guarantees to return all best trails for some specific initial value, which is
very suitable for this step. We also have some dedicated settings. First, we only choose initial values from the initial set, of course. Second, we set the upper bound of active S-boxes in each round function to be 4. Third, we set the lower bound of the probability of a valid differential to be 2^-128. Here is our Matsui's branch-and-bound algorithm: first is the initialization, second is the recursive search, and finally we acquire all qualified results.

When we are searching for linear trails, we use LAT instead of DDT to describe the linear mask propagation through the SubCells operation, but the inequalities describing the constraints are the same as DDT. Also, due to the fact that the interplay of the S-box and linear layer in GIFT-128 is well crafted to resist linear cryptanalysis, we cannot search all the long linear trails when T is less than or equal to 4, so we set it as 5.

Then we give the differential cryptanalysis of GIFT-128. During the first step we find that at most 4 rounds can be extended at the top of the input value, and at most 3 round functions can be added at the bottom of the distinguisher. For the best solutions 62 key bits are involved, but with this number of involved key bits we cannot find a valid distinguisher. The second best solution has 18 involved key bits, and with this number of involved key bits we can find valid distinguishers. Here are eight 20-round differentials with probability of 2^-121.e3, and here are two 21-round differential trails with probability of 2^-124.

Finally we mount a 27-round differential attack on GIFT-128 with a differential whose input difference and output difference are as shown in this slide. We add 4 rounds at the top and add 3 rounds at the bottom. For the 27-round attack, its data complexity is 2^124.e3, the time complexity is 2^123.53, and the memory complexity is 2^80 bits to store the values of the involved key bits. In this slide it
shows the state of the 4 added round functions at the top, and in this slide it shows the details of the activities of the state during the 3 added rounds at the bottom, and here are the details of the key bits involved during the attack procedure.

Last, we give our linear cryptanalysis results on GIFT-128, GIFT-COFB and SUNDAE-GIFT. Also for the first step, we find that 4 extended rounds can be added at the top and 3 rounds can be added at the bottom. For the best solutions 56 key bits are involved, but no valid distinguishers are found. Finally we find valid distinguishers with 76 key bits. Here are the eight 15-round linear hulls of GIFT-128, and these are two 17-round linear trails with probability of 2^-118.

Finally we mount a 22-round linear hull attack. Its complexity is decided by the number of involved key bits and the compressed counter. We find that using the original 15-round linear hull we cannot mount an attack on the 22-round version by adding 4 rounds and 3 rounds at the top and the bottom, so we use our 15-round linear hull to derive our 17-round linear hull with probability of 2^-115. Finally, the 17-round linear hull is as shown in this slide with its input mask and output mask; its probability is 2^-115. We add 3 rounds at the top and add 2 rounds at the bottom to attack the 22-round version. Its time complexity is 2^170, its data complexity is 2^170, and the memory complexity is 2^78 bits to implement the counters. In this slide we show the details of the activities of the state in the 3 round functions at the top, and in this slide we show the details of the activities during the 2 extended round functions at the bottom, and here are the key bits involved in the linear attack.

We also analyze the security of GIFT-COFB against linear cryptanalysis. GIFT-COFB has a birthday bound as the security claim, so its data complexity should be less than 2^74. Also, in the input of E_K shown in this equality, L is unknown, so no
active mask bits are in the most significant half of the input. Finally we attack it with the 9-round linear hull with its input mask and output mask as shown in this slide. The attack is on the 15-round version, with 3 extended rounds both at the top and the bottom. Its data complexity is 2^32, its time complexity is 2^90.7, and its memory complexity is 2^96 bits.

We also give a linear cryptanalysis result on SUNDAE-GIFT. SUNDAE-GIFT also has a birthday bound, so its data complexity should be less than 2^64. So we use some short 10-round linear trail with its input mask and output mask shown in this slide to attack it, and finally we attack its 16-round version with 4 extended rounds at the top and 2 extended rounds at the bottom. For this attack procedure the data complexity is 2^60, the time complexity is 2^91.2, and the memory complexity is 2^96 bits.

We give a summary of the differential and linear trails of GIFT-128 by the time this paper was submitted. As shown in this list, we can find that our differential trail is not the longest, but we give the longest attack on GIFT-128, and for linear trails our distinguisher is the longest. Here is the summary of the cryptanalysis results on GIFT-128: we give the best differential cryptanalysis and the linear cryptanalysis results of GIFT-128. Okay, thank you.
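
An added example, not from the talk or the paper: the bottom-extension activity model described above (any active S-box input bit makes all four output bits unknown, and S_R must keep at least one inactive bit), checked by direct propagation instead of an MILP solver. The bit permutation formula is taken from the GIFT-128 specification and the function names are illustrative; key-bit counting and the top extension are not modelled.

```python
# Added illustration: bit-activity propagation for rounds appended below a
# GIFT-128 differential (1 = active/unknown bit, 0 = inactive bit).
N_BITS = 128

def perm_bits(i):
    """GIFT-128 bit permutation P128 (formula from the cipher specification)."""
    return 4 * (i // 16) + 32 * ((3 * ((i % 16) // 4) + i % 4) % 4) + i % 4

def round_activity(state):
    """One appended round: SubCells makes every bit of an active nibble unknown,
    PermBits moves the bits, AddRoundKey does not change activity."""
    after_sbox = {4 * (b // 4) + j for b in state for j in range(4)}
    return frozenset(perm_bits(b) for b in after_sbox)

def active_counts(s0, rounds):
    """Number of active bits in S0, S1, ..., S_rounds."""
    state = frozenset(s0)
    counts = [len(state)]
    for _ in range(rounds):
        state = round_activity(state)
        counts.append(len(state))
    return counts

def extendable_rounds(s0):
    """Largest R such that S_R still has at least one inactive bit."""
    state = frozenset(s0)
    if not state:
        raise ValueError("S0 must have at least one active bit")
    rounds = 0
    while rounds < 40:  # GIFT-128 has 40 rounds in total
        state = round_activity(state)
        if len(state) == N_BITS:
            break
        rounds += 1
    return rounds

def best_bottom_extension():
    """Activity only grows when S0 has more active bits, so single-bit S0
    patterns are enough to find the maximum R."""
    return max(extendable_rounds({b}) for b in range(N_BITS))

if __name__ == "__main__":
    print(active_counts({0}, 4))    # active bits in S0..S4 for one active bit
    print(best_bottom_extension())  # rounds that can be appended at the bottom
```

Under these assumptions every single-bit S0 allows 3 appended rounds, which agrees with the figure given in the talk for the bottom of the distinguisher.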