 So the next talk is on Boomerang connectivity table revisited applications to Skinian AS and the talk is given by Ling Sun. Thanks for the introduction. OK, since I use different notations, so I introduce Boomerang attacks again. The Boomerang attacks combine two short differential trails to get a long distinguisher. It treats the cipher as two sub ciphers, the zero and e1. Suppose e1 has a differential alpha to beta with probability p, and e1 has a differential gamma to delta with probability q. Then the probability for the Boomerang distinguisher is p squared q squared. That is, if we choose the p1, p2 with difference alpha encrypt then to have the corresponding ciphertext c1, c2, and then add a data difference to have the new pair of ciphertext c3 and c4 decrypt them to have the plaintext p3 and p4. The difference of them will be alpha with probability p squared q squared. Actually, Boomerang is a thrown tool. It is said in the Wagner's paper that when you send it properly, it always comes back to you. However, this holds only when the two trails are independent, which are not the case in many applications. The dependency is the key issue for Boomerang attacks. As shown before, the dependency can help the attackers. It can also invalidate the attacks. Later, sandwich attacks were proposed to particularly deal with the dependency. The sandwich attack decomposes the cipher into three parts. The middle part, em, handles the dependency so that the differential trails for the rest of two parts can be zero-tuned and u1-tuned can be regarded as independent. If the probabilities for the differential trails over u0-tuned and u1-tuned are p-tuned and q-tuned respectively, the probability for the Boomerang distinguisher can be formulated as p-tuned squared q-tuned squared r. And the r here is actually the probability that the Boomerang returns for the em in the middle, with difference beta here and the gamma here. Usually, em contains a few rounds, and in the paper of sandwich attacks, a dedicated analysis was carried out to calculate r. Last year, state-at-all proposed the Boomerang connectivity table, which can calculate r theoretically when em is of one S-box layer. It can also unify previous observations on the S-box. However, two questions, two problems still remain unsolved. The first is to identify the active boundaries of em, which contains dependency. The second is to calculate r. The probability r when em contains multiple rounds. In this work, we propose that the generalized framework of BCT, which enables us to solve these two problems. Some basics of DDT and BCT. DDT records the number of solutions, satisfying the differential alpha to beta. The differential probability is the DDT entry over 2 to the n, where 2 to the n is the size of the input space. And BCT records the number of solutions that such that the Boomerang returns for the S-box. And the Boomerang probability is actually the BCT entry over 2 to the n, where 2 to the n is also the size of the input space. Both the BCT paper and the previous talk started the relation between DDT and BCT. First let's introduce two sets, XDDT and YDDT. XDDT is the set of input values satisfying the differential alpha to beta. And YDDT is the set for the output values also satisfying the differential. Our starting point is this proposition from the previous talk. It says that the number of inputs, let's say X1 without loss of generality, such that the Boomerang returns is the sum of two terms. When the gamma difference here equals beta, the Boomerang returns. When gamma here does not equal beta. In this case, the Y1 must be in the set YDDT alpha gamma. And after exploring the beta difference, we have the Y3. The Y3, if the Y3 falls into the same YDDT set, YDDT set alpha gamma, the Boomerang also returns. So for those values, solutions, they are counted in the second term. And due to the symmetry, the BCT can be calculated using the YDDT or so. And actually, we can merge these two terms to have an expression here. When the EM has one S-box layer in the middle at the connecting point of E0 and E1, the R probability can calculate by the BCT over 2 to the n. Instead of using this expression from the previous slide for BCT, we use a more detailed one. This expression looks more complex. But it is helpful when we extend it to other cases. Similarly, the R probability can be calculated with the set YDDT. Note that in this case, both the alpha and the beta difference are known or fixed. Since this S-box is located at the connecting point, the alpha and the beta are known from the upper trail and the lower trail. So how about the S-box is far away from the connecting point. For those S-boxes, either alpha or beta is not fixed. Let's look at the figure on the right side. Look at the S-box in E0. The difference alpha gamma are known from the upper trail. While the difference beta here, it is the difference between the left facet and the right facet and propagated from the lower trail. We call it the lower crossing difference. The lower crossing difference is not fixed, but it may follow certain distribution. Similarly, for the S-box in E1, the input difference gamma, output difference beta are known from the lower differential trail. And the alpha difference here, which is between the bike facet and the front facet and propagated from the upper trail. We call it the upper crossing difference. And this difference is also not fixed, but it may follow certain distributions. So for these S-boxes, the crossing differences are not fixed. Next, we are to extend the BCT to these cases and take into account the distribution of these crossing differences. This is our intuition for the generalized BCT. Let's go deeper into the S-box in E0. The S-box in red is located in the E1. It has input-output difference alpha gamma and is lower crossing difference beta here. Suppose the beta is independent of the upper trail, which means the value of beta is not affected by the upper trail. Then we can calculate the r probability in this way. We just take into account the distribution of the lower crossing difference. Actually, when the beta is constant, the calculation is the same as the basic BCT. And if beta is uniformly distributed, the calculation becomes this, which is identical to the p squared q squared in the classical Berman attack. For S-box in E1, we obtain similar results. The only difference is that we consider the distribution for the upper crossing difference alpha here. The result is similar. What if two S-box are interrelated? In this case, the S-box A from E0 and S-box B from E1 are interrelated. The interrelation means that the lower crossing difference for S-box A comes from S-box B and vice versa. In order to handle this case, we introduce a new set, set D, BCT. It records the number of solutions such that the boomerang will return with the gamma difference here. Then we calculated r probability. The r probability is actually the ratio of inputs, such that the difference propagates from alpha to gamma. And then gamma propagates to alpha prime. And then it will return with the gamma prime here. And the gamma prime propagates back to the beta difference. The beta is actually the lower crossing difference for S-box A. If it brings the output value back to the same YDDT set, the boomerang will return. So actually, the gamma and the gamma prime can take all possible values. Considering this, the final r is calculated with this. So these other general cases are composed of these three basic cases. And then we can propose or generalize the framework of BCT, which is captured in this algorithm. First, we initialize the EM with two middle runs and then extend both trails with probability 1 towards the other side. Through the extension, we can trace the distribution of the crossing differences. In step 3 and step 4, we identify the upper boundary and the lower boundary respectively. And lastly, we calculate the probability r using formulas in the previous slides. And if a zero r is returned, it means the two trails are not compatible. And note that the boundaries of EM are marked by the rumps where the crossing differences are uniformly distributed. Then we apply the generalized BCT to skinny and AES. We re-evaluated the four boomerang distinguishes of skinny and construct a six-round related subkey boomerang distinguisher for AES-128. Skinny is an SPN lightweight block cipher with a tweak key. Skinny nt denotes the version with block size n and tweak key size t. Next, I'll show example EM for skinny 64-128. In the related tweak key setting, the final EM contains two rumps from the upper trail and four rumps from the lower trail. If using the formula p squared q squared, the probability for EM should be 2 to the minus 44. This table shows the detailed information for the trails calculated in seconds on a desktop. With the r probabilities, we can calculate the probabilities for the four distinguisher in this column. These probabilities are much higher than the probabilities evaluated before. We verified all the r probabilities and the 17-round distinguisher for skinny 64-128. This is the result of skinny. For AES-122, we construct a six-round related subkey distinguisher. It is known from previous research that the minimum number of active S-boxes for three-round related key to French trails is five. There are only two trails with five active S-boxes, while there are 18 trails with six active S-boxes. From these three-round trails, we select two to construct a six-round related subkey boom-round distinguisher, which is shown in this table. And the probability is 2 to the minus 109.42. In this case, we use the generalized BCT to exclude incompatibility, since most combinations are incompatible. And we'd like to mention some properties for EM. The lengths of EM is mainly determined by the diffusion effect of the linear layer. And also, it depends on the density of the active cells of the trails. The R probability is strongly affected by the properties of the S-box. There is also an imitation of the generalized BCT for a long EM with large and strong S-box, calculating R might be time consuming. And to conclude, in this work, we propose the generalized BCT, which enables us to identify the boundaries of dependency and calculate R in the sandwich attack. Future problems to investigate include extension to non-S-box based ciphers and improving previous boom-round attacks. Thank you. Thank you. Thank you. Are there any questions for Dingson? I have one. Do you think there's a way of playing a version of your results to super S-boxes, for instance, S-boxes combined with some linear parts? I guess it's quite difficult. Because to calculate R, accurately, we need to know the distribution of the crossing differences. If the S-box is too large, I think it's quite difficult. Thank you. Any more questions? OK, so let's thank Dingson again. Thank you very much.