 Hi everyone, welcome to this talk. My name is Vasrin Hadipur, and I'm going to present our paper entitled Improved Rectangular Tax on Skinny and Craft, which is joint work with Nessu Bahri and Ling Sank. I've divided my talk into six parts. As you can see, I will start with giving a short introduction to boomerang sandwich extinguishers, and then I will introduce our new method to search for sandwich extinguishers for espion black ciphers. Next, I will brief the review of the BCD framework and introduce our new method tools in BCD framework. Then I will discuss about the application of our method on to lightweight espion black ciphers, including craft and skinny, and lastly conclude the talk by summarizing our main contributions in this work. Let's start by the first part, where I'm going to give a short introduction to boomerang and sandwich extinguishers. Given the black cipher E is black size of n bits, if we have a long differential transition with probability smaller than 2 to the minus n, we cannot exploit it to distinguish black cipher E from random permutation. However, what if we can divide the black cipher E into two smaller parts, namely E0 and E1, such that for each of which there exists a differential transition with a very high probability? For example, in this case, what if there exist differential transitions for E0 and E1 with probability p and q respectively, such that p is square q square is much greater than 2 to the minus n? The core idea of boomerang kept analysis is combining these two short differential transitions in adaptively chosen plaintext cipher testing to build a distinguisher for black cipher. In boomerang kept analysis, it is assumed that the attacker has access to both encryption and decryption oracles. Let's see how boomerang distinguisher work. In boomerang distinguisher, we firstly provide a pair of plaintexts with difference delta and ask the encryption of these pair of plaintexts to derive the corresponding cipher taste C1 and C2. As you can see, the differential transitions delta 1 to delta 2 is happened with probability p. Next, we apply the same difference and derive the cipher taste C1 and C2 to generate two new cipher tastes namely C3 and C4. And then we query the decryption of C3 and C4 to derive the corresponding plaintext which are denoted by p3 and p4. And then we check the difference between p3 and p4 to see whether the difference between them is delta 1 or not. If the differential transitions in the upper part are independent of the differential transitions in the lower part, the probability of observing delta 1 on the other side of this shape is actually the multiplication of the probability of these four differential transitions which is actually equal to p2 qs2. However, the upper differential transition in boomerang kept analysis or in boomerang distinguisher is not independent of the lower differential transition in practice. The dependency between the upper and lower differential transitions can have either a positive or a negative effect and the resulting boomerang distinguisher. For example, Faisal switch which was first introduced in the seminal paper of boomerang kept analysis by Wagner or ladder switch and spike switches are some kind of dependencies that has a positive effect and the resulting boomerang distinguisher. Using which attacker can derive a boomerang distinguisher with a higher probability? On the other side, dependency between the upper and lower differential transitions can have a negative effect and, for example, implies some kinds of inconsistencies between the upper and lower differential transitions which spoiled the boomerang distinguisher. Therefore, considering and formalizing the dependency between the upper and lower differential transitions in boomerang distinguisher is of great significance. That's why the idea of sandwich distinguisher was proposed. As you can see in this shape, in sandwich distinguisher, instead of dividing the black cipher into two slice we divide it into three slices, including E0, EM and E1. Where the middle slice is considered to model the dependency between the upper and lower differential transitions. In the sandwich distinguisher, the probability of getting delta 1 on the other side is p square q square r, where r is computed using this formula and r is actually the probability of sending boomerang over the middle slice and getting it back on the other side. Given that the intermediate differences in sandwich distinguisher, namely delta 2 and delta 3 can take an arbitrary possible value, taking the clustering effect into account we can estimate the probability of sandwich distinguisher using this formula more accurately. As you can see, this formula is actually the summation of this product over all of the possible intermediate difference values. Now, I want to draw your attention to the middle slice of sandwich distinguisher and discuss in more detail about one of the switching effects which is called ladder switch and plays an important role in our method to search for sandwich distinguisher. This shape represents the middle slice of sandwich distinguisher and you can see that the probability of boomerang switch over the middle slice is computed using this formula. It can be seen that if delta 2, which is actually the difference coming from the upper differential transition, is 0, then the probability of boomerang switch is 1. It is also the case when nobletree is equal to 0. As a result, if you compare these shapes, as a result, you can see that the probability of boomerang switch over the middle slice is highly dependent on the common activist boxes between the upper and lower differential transitions. And then the entire probability of sandwich distinguisher is actually determined by the number of activist boxes over E0 and E1 as well as the common activist boxes over the middle part. More precisely, in P square Q square R formula, P is mostly determined by the number of activist boxes in E0, Q is mostly determined by the number of activist boxes in E1 and R is mostly determined by the number of common activist boxes between the upper and lower differential transitions in EM. Taking this formula into account, you can see that the cost of activist boxes over the outer parts, namely E0 and E1, is more than the cost of activist boxes over the middle part because the exponent of P and Q in this formula are 2 raised to the exponent of R is 1. With this brief introduction, I'm going to introduce our new method to search for sandwich distinguishers for SVM black ciphers. Our method to search for sandwich distinguishers can be divided into three main steps. The first step, which is actually the most important step, is devoted to finding two appropriate upper and lower differential trades, minimizing the number of activist boxes in outer parts as well as the number of common activist boxes in the middle part. I will discuss about this step in more details in the next slides. The second step of our method is instantiating the discovered truncated trades with concrete differential trade. And finally, when we have concrete differential trades in hand, we can compute P, Q, and R and put them together in P, S, Q, S, R formula to compute the internal probability of sandwich distinguisher. Let's take a look at the first step in more detail. The aim of first step is finding appropriate truncated upper and lower trades. To do so, we divide the black cipher in two three parts, including E0, E1, and E1. Next, we encode the propagation of truncated differential trades over the first R0 plus Rm rounds with an MLP problem. We do the same for last Rm plus R1 rounds and encode the propagation of truncated differential trades over Em and E1 with another MLP problem. Now we have two independent MLP models with independent binary variables. Next, to detect the common active sparks in the middle, we define some additional variables such as S here and then assuming that you denote the activities of sparks in the upper trail and L denotes the activities of sparks in lower trail, we link these two MLP models to each other by including these three inequalities for each sparks in the middle into our MLP model. According to these three inequalities, you can see that S is equal to 1 if and only if U and L are both equal to 1. It means that S is equal to 1 if the corresponding sparks in the middle is active in both upper and lower trail. Therefore, using this technique, we can detect and characterize the common active sparks in the middle. Taking these constraints into account, we also define an objective function aiming at minimizing the number of common active sparks in the middle as well as the number of active sparks in the outer parts. We also assign some weights to the, for example, active sparks in outer parts as well as active sparks in the middle part to adjust the probability of the resulted sandwich extinguisher. We can, for example, play with the weight of active sparks to drive wound-range extinguishers with different probabilities. After discovering to appropriate truncated upper and lower trails, we come to the second step where we instantiate the truncated trails with concrete differential trails. After, for example, instantiating the truncated differential trails, we compute P, Q, and R, and, for example, we do it by fixing the differences at the input-output of each single slice in the sandwich extinguisher. And next, we put P, Q, and P, Q, R together in PS squared, Q, S squared, R formula to compute the entire probability. It should be noted that we never use differential characteristic to build our distinguisher. As you can see in this shape, we only fix the differences in four positions of sandwich extinguishers, which are the connecting points between the three slices of sandwich extinguisher. The probability, the differential effect, for example, over E0 and E1, which are denoted by P and Q, can be computed using the automatic methods for differential kept analysis. However, to compute the probability of boomerang switch over the middle slice, we need a new framework, which is actually the BCT framework. BCT framework provides for us some new tools, which makes us able to formulate the probability of boomerang switch over the middle slice of sandwich extinguisher. This shape represents the boomerang switch where it includes only one slice layer. And on the right-hand side, you can see the four involved differences in this boomerang switch. Besides the DDT, using which we formulate the probability of differential trails in basic differential kept analysis, BCT framework introduced a new table, which is called BCT, and it actually encode the dependency between the upper and lower differential transitions for one spark layer, as you can see. However, BCT can only be used to formulate the dependency when the boomerang switch includes only one spark layer. To encode the dependency between upper and lower differential trails in boomerang switch where it includes multiple rounds, we need some further tools, which are actually upper BCT and lower BCT. Using these building blocks of BCT framework, we can formulate the probability of boomerang switch over the middle slice of sandwich extinguishers. However, in addition to these tables, we also introduced a new table, which is called double boomerang connected to table, which is denoted by dbcity in this slide. And dbcity is very useful to compactly formulate the dependency between the upper and lower differential transitions over multiple rounds. We defined different variants of dbcity, for example, dbcity left, dbcity right, and dbcity. Now, we come to the end of this part, and we are ready to discuss about the application of our method for craft. Craft is a lightweight, tickled by Cypher, which was introduced in FS8 2019, and this shape represents the round function of craft. The black size of craft is 64 bits, and the tweaked size of craft is 128 bits. As you can see in this shape, the round function of craft applies five basic operations on the internal state, which includes the diffusion layer, as well as the non-linear layer. The internal state can be viewed as a 4x4 area of nibbles, and the non-linear layer includes the... for example, is consistent of applying the same formulas versus on every single nibble. And the diffusion layer includes, for example, some XORs between the rows, and, for example, 2EK addition, and round constant addition, as well as a pyramid nibbles, which is a permutation over the position of nibbles. I just skipped the description of 2EK schedule of craft because our boomerang distinguishers are in the single 2EK setting. This shape represents our six round, deterministic distinction for craft, which is discovered by our tool and our method. Yellow square in this shape represents non-zero differences, and green square represents any possible difference, which means that in green square, the difference can be zero or non-zero due to the differential cancellation over the diffusion layer. This shape represents the activeness pattern over the upper trail of sandwiches single share. And this shape represents the activeness pattern over the lower trail. Now let's put them together in one shape. As you can see, there is not any interaction or any common active sparks between the upper and lower trail. And as a result, due to the ladder switch, the probability of this distinguisher is one. This is another example, which is actually the seven round distinguisher for craft. And interestingly, it can be extended up to 14 rounds of craft, like this. Now let's take a look at the middle slice of this shape to see how we formulate the probability of boomerang switch over the middle part. If we follow the propagation of upper and lower crossing differences over the middle slice of this shape, we can see that the probability of boomerang switch in the middle slice can be encoded using four DBC tables, as well as some additional DDT, which is a very compact formulation of probability of boomerang switch over several rounds of craft. This table summarizes our boomerang distinguishers for craft. And probabilities which are marked in red have been experimentally verified. As you can see, in comparison to the differential kept announces of craft, the boomerang distinguishers have a great advantage. For example, let's compare our 10 round boomerang distinguisher with a 10 round differential effect of craft. As you can see, the probability of our 10 round boomerang distinguisher is 2 to the minus 19, 0.83, whereas the probability of 10 round differential effect of craft is 2 to the minus 44, which reveals that boomerang distinguishers have a great advantage over the differential distinguishers for these rounds of craft. We also applied our method to a skinny in the related tweak setting to find boomerang distinguishers. A skinny is a lightweight to equilibrate ciphers and has different variants, depending on the black size of a skinny, which can be 64 bits or 128 bits, and depending on the number of involved tweak is, a skinny has actually six main variants. This shape represents our 22 round practical sandwich distinguisher, which is discovered by our tool for one of the variants of skinny. For example, in this shape, as you can see, we have included the first air rounds in E0, we have included the last eight rounds in E1, and we included the six middle rounds in the boomerang switch, or namely, EM. The probability of differential effect over E0 is computed using the automatic tools based on a mild P or SAT, which is 2 to the minus 2.41 here, this is also the case for the differential effect over E1. It should be noted that to compute a differential effect over E0, we only fix the difference here and the difference here, and then we compute the probability of boomerang switch over the six round middle part using the BCD framework, which results in, for example, 2 to the minus 2 and E, 0.02. If we put these three terms together in P square, P square, Q square, R formula, we can see that the probability, the entire probability of this distinguisher is 2 to the minus 38.84. In comparison to the probability of best previous sandwich distinguishers for 22 rounds of this variance of a skinny, you can see that we have significantly improved the success probability. This table summarizes our result regarding the boomerang distinguishers of a skinny. And again, the probabilities marked in red represents the probabilities that have been experimentally verified. As you can see, in all cases, we not only significantly improved the success probability of sandwich distinguisher, but also we improved the sandwich distinguishers by one or two rounds in all cases. We also provided curicory attacks upon our distinguishers for a skinny and craft. The bottom of this table represents the previous results and the top of this table includes our results. As you can see, in all cases, we could improve the rectangle attacks by one or two rounds, or in only one cases, yeah, we could improve the success probability dramatically. We also provided rectangle cryptanalysis for craft for the first time. Now, we come to the end of the cycle where I would just like to summarize our main contributions. The main contribution of this paper is introducing a new heuristic method to search for sandwich distinguishers. We also introduced new tools in BCT framework, including DBC team. And we applied these new tools and this new method to two SPIN black ciphers, including a skinny and craft which was resulted in significant improvement in boomerang distinguisher or rectangle attacks on this cypher. I would just like to mention that all of our codes to reproducing the results or experimentally verifying the results are publicly available in this GitHub repository. Thank you for your attention.