Hello, everyone. The name of the presentation is A Greater GIFT: Strengthening GIFT against Statistical Cryptanalysis.

We start with the motivation of this work. The work in this paper is inspired by the automatic searching results related to differential and linear cryptanalysis of GIFT-64. We first look into the cipher itself and try to discover more properties apart from the quantitative information about active S-boxes, differential probabilities and linear correlations. In the second part, given the gap between the upper bounds on the differential probability and the linear correlation, we wonder whether we can find a variant with analogous security levels under the differential and linear settings.

Now we briefly review some preliminaries. GIFT is a family of lightweight block ciphers proposed by Banik et al. We consider GIFT-64, which is a 64-bit block cipher with a 128-bit key and with 28 rounds. Each round consists of three steps. The SubCells operation applies an invertible 4-bit S-box to every nibble of the cipher state. Then the PermBits operation permutes the state in a bit-oriented manner. Following that, the AddRoundKey operation adds the round key and the round constant.

GIFT was designed 10 years after the publication of PRESENT. It has much increased efficiency in hardware and software implementations, and this is realized by using an S-box with a lower implementation cost. At the same time, to avoid consecutive 1-1 bit differential and linear transitions in the cipher, the design of the bit permutation is carefully studied. The 16 S-boxes are grouped in two different ways. The first one is the quotient group and the second one is the remainder group. With this notation, the design of the 64-bit permutation is converted into the construction of four independent and identical 16-bit permutations that map the output bits of the quotient group to the input bits of the remainder group.
The BOGI paradigm is a guideline for the creation of the 16-bit group mapping. It considers the 1-1 bit DDT of the S-box and divides the input and output positions into four sets. Notice that a bad output could come from a 1-1 bit transition through a certain S-box in the current round. To ensure that the existing 1-1 bit transition will not lead to another 1-1 bit transition in the succeeding round, the differential BOGI permutation artificially maps the active bits of the potentially bad outputs to active bits of some good inputs in the next round. Similarly, in the linear case, the linear BOGI permutation can be derived regarding the 1-1 bit LAT. The BOGI permutation should be a differential and a linear BOGI permutation simultaneously. For GIFT, the BOGI permutation is fixed as the identity mapping.

Now we introduce the first part of this work and give theoretical explanations on differential and linear properties of GIFT-64. Through analyzing the automatic searching results related to differential cryptanalysis, we observe that the minimum number of differential active S-boxes as D is linearly dependent on R for R greater than 7. Further, after decoding the optimal differential characteristics with the maximum probability from the output of the solver, we observe that the optimal characteristics covering more than 7 rounds always have two active S-boxes in each round. So we wonder: is there a characteristic with a single active S-box in some rounds achieving the maximum differential probability?

To answer this question, we first consider a small set of differential characteristics D1. The characteristics in this set have at least one round activating a single S-box and the input difference of the active S-box equals 1. We manage to calculate the lower bound on the number of active S-boxes for characteristics in this set. The automatic method is applied to accomplish this task and we split the search into three steps.
In the first step, we explore the lower bound for characteristics with input difference having a single non-zero nibble being 1. Then the characteristics with output difference having a single non-zero nibble taking 1 are considered. In the third step, we note that the characteristics in D1 can be created with the characteristics in the first two steps. So the lower bound for characteristics in this set is derived from the experimental results in the first two steps. The experimental results reveal that the lower bound on the set D1 is strictly higher than the original bound when the number of rounds is greater than 7. The same results hold for all sets Di with i taking any non-zero nibble.

So we draw the first proposition. If R is greater than 7, the optimal R-round differential characteristic of GIFT-64 with the minimum number of active S-boxes must have two active S-boxes in each round. Then with a similar analysis regarding the differential probability, we give the second proposition. If R is greater than 7, the optimal R-round differential characteristic with the maximum probability must activate at least two S-boxes per round.

Now it seems that differential characteristics activating two S-boxes in each round play a crucial role in the security evaluation for GIFT-64. So we wonder whether we can involve more properties of these characteristics apart from the quantitative information about active S-boxes. Before looking into these characteristics, we first devise an alternative description for the round function. In the alternative description, we keep the SubCells and AddRoundKey operations and further decompose the PermBits operation into two sub-operations. The GroupMaps operation invokes a 16-bit permutation and independently applies it to each of the quotient groups. The following TransNibbles operation works on nibbles. This alternative description is called a bit-oriented one.
If we recognize the cipher state as a 4×4 matrix of nibbles, the bit-oriented description can be replaced with a nibble-oriented one. The nibble-oriented description is more concise and facilitates the following analysis.

Now, given a differential characteristic with two active S-boxes per round, we assume that the two active S-boxes in the r-th round are located in the same column and denote the differential propagation of the group mapping on this column as this. We show that this propagation can donate four conditions so that the differential characteristic based on it can sustain two active S-boxes in round r minus one and r plus one. In other words, these are necessary conditions for propagation in long differential characteristics with two active S-boxes per round.

Summarizing all analyses of four conditions, we derive the third proposition. For an R-round differential characteristic, activating two S-boxes per round, if the two active S-boxes in the R-round are located in the same column, then for all R-bases in equality, the two active S-boxes in the R-plus two S-round must be located in the same column. Then we derive the lemma which tells the head of the target characteristic. For the sufferer, if a differential characteristic activates two S-boxes per round, then the two active S-boxes in one of the first two rounds must be located in the same column of the matrix state.

Based on Lemma 1 and Proposition 3, we conclude that all differential characteristics with two active S-boxes per round can be decomposed into several pieces of two-round characteristics for which the two active S-boxes in the first round are located in the same column. Furthermore, the differential propagations abstracted from these two-round characteristics fulfill four conditions. On the other side, the characteristics with two active S-boxes per round can be constructed artificially. Consider two differential propagations validating four conditions.
If gamma-I to alpha-I prime are possible transitions, then the two propagations are said to be compatible with each other. As shown in the figure, we can craft long differential characteristics activating two S-boxes per round with compatible propagations. We implement a test and find 26 propagations validating four conditions. Then we evaluate the compatibility among them and illustrate the result in the figure. After removing some isolated nodes and short paths, we notice that the graph contains several cycles. On the one hand, these cycles theoretically explain the existence of long differential characteristics with two active S-boxes per round. On the other hand, accompanied by the preceding analysis, we conclude that any differential characteristic covering more than seven rounds with two active S-boxes per round must utilize certain paths in the figure. In addition, the cycle also enables us to enumerate all optimal differential characteristics by hand. We propose an explicit formula for the differential probability of the optimal characteristic and prove that there are 288 optimal characteristics with an odd number of rounds and 10,400 optimal characteristics with an even number of rounds.

In parallel to the case of the differential setting, we derive some analytic results in the linear setting. Similarly, we show that if R is greater than 9, the optimal R-round linear characteristic of GIFT-64 with a minimum number of active S-boxes must activate two S-boxes per round. The linear correlation bound is also studied. However, unlike the case in the differential setting, the optimal linear characteristic with a maximum correlation can contain characteristics with a single active S-box in some rounds. We check the properties of linear characteristics with two active S-boxes in each round and find that these characteristics also can be constructed artificially. We find 46 useful linear propagations and analyze the compatibility among them.
Based on the cycle in the graph, we also theoretically explain the existence of long linear characteristics with two active S-boxes per round.

Next, we turn to the question proposed at the very beginning. Can we improve GIFT-64? Note that there are 2,304 group mappings that meet all requirements for the one in GIFT-64, so we manage to find a variant constructed with a new group mapping that possesses comparable upper bounds on the differential probability and the linear correlation. We reduce the number of candidates by implementing classification. Proposition 7 points out a sufficient condition for two variants being equivalent to each other. Based on this proposition, we define an equivalence relation on the set of all GIFT-64-like ciphers and partition the set into 168 equivalence classes. Therefore, we only need to check the property of one representative in each possible equivalence class and the number of candidates is reduced from 2303 to 167.

We apply the automatic method to search for upper bounds on differential probabilities and linear correlations of 167 representative variants. The test results are illustrated in the figure. It can be noticed that the security of GIFT-64 against differential cryptanalysis is moderate among all representatives and the capability against linear cryptanalysis is almost among the best of the candidates. Then we consider the combination of differential and linear properties. According to the lengths of the optimal effective differential and linear characteristics, the 168 representatives can be divided into 17 groups. The performance of GIFT-64 resisting differential and linear attacks is good and 40 representatives achieve similar security levels to GIFT-64. Moreover, we identify that one representative may achieve comparable security levels against differential and linear cryptanalysis and its optimal effective differential and linear characteristics achieve 12 rounds. We denote this equivalence class as GIFT-64[2021].
This equivalence class contains 24 elements and all variants share the same differential and linear properties. As in the figure, compared to GIFT-64, the new variants have comparable upper bounds on differential probability and linear correlation. The clustering effects of differential and linear characteristics are evaluated. Similarly to the case of GIFT-64, the differential and linear hull properties of the new variants are not significant. Beyond that, we implement the automatic search of the impossible differential distinguishers, the zero-correlation linear distinguishers and the integral distinguishers for the variants. The experimental results indicate that the security levels of the variants based on the impossible differential attack, the zero-correlation linear attack, and the integral attack are similar to those of GIFT-64. Note that the best attack on the new variants achieves 18 rounds, which is two rounds less than the length of the best attack on GIFT-64. We claim that for the variants, if the security in the related-key attack setting is not required, 26 rounds could be used rather than 28 rounds.

For the simple and clean design strategy, GIFT offers extremely good performance and even surpasses both SKINNY and SIMON for round-based implementations. As in the table, we compare the hardware performance: the new variants achieve higher throughput and require lower energy consumption than GIFT-64. On this basis, the 26-round variants may become one of the most energy-efficient ciphers as of today and are probably more suitable for the lower energy consumption use cases than GIFT-64.

Now we give a conclusion. The paper studies GIFT-64 with both automatic methods and mathematical analysis. This hybrid method uncovers new insights into the security of GIFT-64 and some of its variants.
For GIFT-64, we prove some properties of differential characteristics activating two S-boxes per round so that all optimal differential characteristics covering more than seven rounds with the maximum probability can be constructed manually. Besides, the properties of linear characteristics with two active S-boxes per round are also provided. In the second part, we find variants with analogous security levels under the differential and linear settings and show that the 26-round variant may become one of the most energy-efficient ciphers as of today.

As to the future work, firstly, if one is concerned with related-key attacks, we conjecture that the resistance of the variants regarding related-key differential attacks can be lifted by carefully crafting the key schedule. Secondly, the case where the group mappings operating on different columns are distinct is an open problem. Lastly, checking the existence of a balanced variant for GIFT-128 will be interesting future work.

That's all for the presentation. Thank you for your attention.