Hello everyone, I am Baptiste Lambin, and today I will present our paper about the degree of block ciphers, which is joint work with Phil Hebborn, Gregor Leander and Yosuke Todo. The main focus of this work is the algebraic degree of block ciphers. One way to see a block cipher is as a keyed Boolean function, so a function over F_2^n parameterized by the key k, and we can represent it with its ANF, its algebraic normal form, which is a polynomial with monomials x^u whose coefficients are given by polynomials p_u over the key. We can define the algebraic degree of this function as the maximum Hamming weight of u such that p_u is non-zero; essentially, it is just the highest degree of any monomial x^u appearing in the ANF of any coordinate. If we want to show an upper bound d on the degree of the function, then we need to show that, for all keys, all output bits have degree at most d. On the other hand, if we want to show a lower bound d on the degree, we just need to show that there is at least one key and at least one output bit of degree at least d. For example, on five rounds of GIFT, with previous work one can show that the degree is at most 53, and with our work we can show that the degree is actually at least 49. These upper bounds were quite well studied before, see for example the paper by Boura and Canteaut, and more recently we also have the division property, which I will talk about a bit later in this presentation. Overall, with these upper bounds we can already derive some attacks, like integral and higher-order differential attacks on block ciphers, which essentially exploit the fact that if there are not enough rounds, the degree is too low, essentially not maximal, and we can often use that fact to mount an attack.
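The definitions above can be checked on a toy example. Here is a minimal sketch (my own illustration, not code from the paper) that computes the ANF of a small Boolean function with the Möbius transform and reads off its algebraic degree as the maximum Hamming weight of an exponent u with a non-zero coefficient.

```python
def anf(truth_table):
    """Moebius transform: truth table of length 2^n (entries 0/1) -> ANF coefficients.

    The coefficient at index u is that of the monomial x^u."""
    n = len(truth_table).bit_length() - 1
    a = list(truth_table)
    for i in range(n):
        for x in range(1 << n):
            if x & (1 << i):
                a[x] ^= a[x ^ (1 << i)]
    return a

def degree(truth_table):
    """Algebraic degree = max Hamming weight of u with a non-zero coefficient of x^u."""
    coeffs = anf(truth_table)
    return max((bin(u).count("1") for u, c in enumerate(coeffs) if c), default=0)

# Example: f(x0, x1, x2) = x0*x1 XOR x2 has algebraic degree 2.
tt = [(((x >> 0) & 1) & ((x >> 1) & 1)) ^ ((x >> 2) & 1) for x in range(8)]
print(degree(tt))  # 2
```

For a real block cipher this direct approach is of course infeasible (2^n truth-table entries), which is exactly why the trail-based techniques discussed in this talk are needed.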
When we design a block cipher, these upper bounds are not so useful, because for example you can get a result like "after 10 rounds the degree is at most 63", but you have no guarantee that after these 10 rounds you actually reach degree 63; it could be much lower. If you wanted to show something like that, you would need lower bounds. But computing lower bounds is actually quite hard, and so far it was essentially limited to computing the ANF directly, so for block ciphers it was only feasible for a few rounds, because there are too many variables and the degree grows too quickly. What we did in this work is, for the first time, provide meaningful lower bounds on the algebraic degree of block ciphers. It is based on a recent work by Hao et al. at EUROCRYPT this year, where they use a variant of the division property and some MILP techniques to extract the superpolies of some stream ciphers. To use this work on block ciphers, the only assumption we made is that we have independent round keys. We also show some stronger results: we show lower bounds on the minimum degree, which is a stronger notion of degree where we are interested in the minimum degree over all non-zero linear combinations of the output bits, and also on how many rounds we need so that all monomials of maximum degree appear in all of these component functions, that is, in all of these linear combinations. Just to give a brief overview: here we have the upper bounds on the algebraic degree of three block ciphers, GIFT, PRESENT and SKINNY, and in red you can see the lower bounds that we were able to compute. You can see in particular that for each of them we are actually tight once we reach full degree, so degree 63. So how did we prove these lower bounds?
If we take back the ANF of a block cipher, so this sum of p_u(k) times x^u, we can also consider the key as variables, and then we can write it as a sum of lambda_{u,v} k^v x^u, where essentially the lambda_{u,v} are the coefficients of the polynomials p_u. If we want to show a lower bound d on the degree, it means that we need to find a u of weight d such that p_u is non-zero. So given such a u, how do we prove that p_u is non-zero? p_u is a vector of polynomials, so one way to show that it is non-zero is to exhibit a point where its evaluation is non-zero, that is, to find a value k~ for the key such that p_u(k~) is non-zero. This sounds quite easy to do, but in practice, from our experiments, it is actually quite hard. Another way to show that these polynomials are non-zero is to prove that at least one of their coefficients is non-zero, which means finding a v such that lambda_{u,v} is non-zero. This sounds harder, because we need to show that one specific coefficient is non-zero, but in practice, for block ciphers, once we assume independent round keys, it turns out to be easier, and that is what we did. Something to note is that showing lambda_{u,v} is non-zero is the same as saying that one of its coordinates lambda_{u,v,i} is equal to one, and that means exactly that the monomial x^u k^v appears in the ANF of the i-th coordinate of F. So how do we find such a v to show that lambda_{u,v,i} is equal to one? If we only focus on proving that we reach the maximal degree n-1, we do not have a lot of choice for u, but we actually have a lot more freedom in the vector v. We are only focusing on block ciphers, and especially ones built in the key-alternating framework.
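The coefficient-based approach can be illustrated on a toy keyed function (my own example, not a cipher from the talk). The coefficient lambda_{u,v,i} of the monomial x^u k^v in the i-th output bit equals the XOR of f_i(x, k) over all x covered by u and all k covered by v (bitwise), so exhibiting one such coefficient equal to one proves p_u non-zero and hence gives a degree lower bound of the weight of u.

```python
def subvectors(mask):
    """Enumerate all x with every set bit of x also set in mask (x 'covered by' mask)."""
    sub = mask
    while True:
        yield sub
        if sub == 0:
            return
        sub = (sub - 1) & mask

def monomial_coefficient(f_i, u, v):
    """Coefficient of x^u k^v in the ANF of f_i, via a XOR sum over the subcube."""
    acc = 0
    for x in subvectors(u):
        for k in subvectors(v):
            acc ^= f_i(x, k)
    return acc

# Toy keyed map on 2-bit x and 2-bit k: f_i(x, k) = x0*x1*k0 XOR x0*k1.
def f_i(x, k):
    x0, x1 = x & 1, (x >> 1) & 1
    k0, k1 = k & 1, (k >> 1) & 1
    return (x0 & x1 & k0) ^ (x0 & k1)

print(monomial_coefficient(f_i, 0b11, 0b01))  # 1: the monomial x0 x1 k0 is present
```

Here the coefficient of x0 x1 k0 is one, which certifies that p_{(1,1)} is non-zero, so this toy function has degree at least 2 in x. The catch, as explained above, is that for a full cipher this subcube sum has 2^{wt(u)+wt(v)} terms, hence the trail-based approach.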
So essentially we have a round function f, and between applications of it we add round keys, which are usually derived from a master key k using a key schedule, but in our case we assume independent round keys. Each round key consists of independent variables, so if we have a monomial k^v, we can write it as a product of monomials k_0^{v_0} times k_1^{v_1}, etc. The main problem we have to solve is: given u, v and i, how do we prove that lambda_{u,v,i} is equal to one, and how do we actually choose v, which in our case means how do we choose each round-key part v_0, ..., v_{r-1}? The first question is answered by the work of Hao et al. at EUROCRYPT this year, and I will give a brief overview of it right after; how to choose the v_j is our contribution, which I will describe afterwards. The work of Hao et al. relies on the division property, so it is quite technical and I will not give all of the details here, but the idea of the division property is the following: you have a subset X of F_2^n and a vector u in F_2^n, and you are interested in the value of the sum over X of x^u. Essentially, you have a set K which characterizes whether you know that the sum is zero with probability one, or whether you lack the information to predict the sum with probability one, so the result is simply unknown to you. One variant is the three-subset division property, where you get a bit more information: now you also know some cases where the value of the sum is one with probability one. What Hao et al. considered is a last variant where you have all the information you need, so you always know whether this sum over X of x^u is equal to zero or equal to one.
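For tiny sets, this "always know whether the sum is zero or one" variant can be made concrete by brute force. The following sketch (purely illustrative) computes, for a subset X of F_2^n, the set of all u for which the sum over X of x^u equals one; note that x^u, the product of the bits of x selected by u, is 1 exactly when every bit set in u is also set in x.

```python
def parity_set(X, n):
    """All u in F_2^n such that the XOR over x in X of x^u equals 1."""
    out = []
    for u in range(1 << n):
        s = 0
        for x in X:
            s ^= int((x & u) == u)  # x^u: 1 iff u is covered by x bitwise
        if s:
            out.append(u)
    return out

# Example: over the full space F_2^2, only the full-degree monomial sums to 1,
# which is exactly the balancedness property exploited by integral attacks.
print(parity_set({0, 1, 2, 3}, 2))  # [3]
```

This brute-force view is of course exponential; the point of the propagation machinery described next is to track this information through a cipher without ever enumerating the set.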
This last variant was actually mentioned in a previous work by Boura and Canteaut at CRYPTO 2016, but they did not focus on the algorithmic aspect of searching for it. They used the name parity set: the parity set of a subset X of F_2^n is the set of all u such that the sum over X of x^u is equal to one. It has some interesting properties, and the main idea behind using the parity set is that it can be easier to trace how the parity set evolves through a function than how the set of values itself evolves; mostly, it is closely related to the ANF of the underlying function we are considering.

Without giving too many details about how we use these parity sets, the idea is that we can study how a parity set propagates through a function using the following notion of propagation: if we have a subset X whose parity set contains a, we say that a propagates to b if b belongs to the parity set of f(X). In spirit, this is quite similar to the propagation of differentials, so, as in differential cryptanalysis, we can also define trails: we have a trail a_0 up to a_r if each a_i propagates to the next one. From the work by Hao et al. at EUROCRYPT, we know how the propagation works, so we know the propagation rules and how to model them in MILP, so that we can actually find these trails. What we will use is that the number of trails is related to the ANF. Specifically, recall that to show a lower bound d on the degree of F, we need to find u, v and i, with u of weight d, such that lambda_{u,v,i} is equal to one, which exactly means that the monomial x^u k^v appears in the ANF of the i-th coordinate of F. From the work of Hao et al., this holds if and only if the number of trails from (u, v) to e_i is odd. So if we are able to count the number of trails, then we can prove a lower bound on the algebraic degree of F.

Like I said, we know how to model this propagation in MILP, but the difficult part is counting this number of trails, because it means counting how many solutions an MILP problem has, which is overall quite difficult. To summarize, we need to find some u, v and e_i such that we have an odd number of trails from (u, v) to e_i. Assume we have fixed u and e_i and are only searching for v: we know which monomial x^u we are considering, so we know which degree we want to prove, and the unit vector e_i tells us which coordinate we focus on; what we need to search for is essentially the parity set of the key, that is, v. The two big issues are the following. First, like I said, counting the number of trails, i.e. the number of solutions of the MILP problem, is not easy, and we realized that if we choose v at random, the number of trails tends to be very high. With some experiments we also realized that if v has high Hamming weight, then the number of trails tends to be lower, but often this alone is not enough to prove what we want.
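The trail-counting principle can be sanity-checked on a toy composition of two small S-boxes (my own construction, not an example from the paper). Defining propagation u -> v through a function as "the monomial x^u appears in the ANF of y^v, where y is the output", the parity of the number of trails u -> v -> e_i through a two-function composition equals the coefficient of x^u in the i-th output bit of the composition.

```python
def anf(tt):
    """Moebius transform: truth table of a Boolean function -> ANF coefficients."""
    n = len(tt).bit_length() - 1
    a = list(tt)
    for i in range(n):
        for x in range(1 << n):
            if x & (1 << i):
                a[x] ^= a[x ^ (1 << i)]
    return a

def prop_table(sbox, n):
    """prop[u][v] = 1 iff the monomial x^u appears in the ANF of y^v, y = sbox(x)."""
    prop = [[0] * (1 << n) for _ in range(1 << n)]
    for v in range(1 << n):
        tt = [int((sbox[x] & v) == v) for x in range(1 << n)]  # the Boolean function y^v
        a = anf(tt)
        for u in range(1 << n):
            prop[u][v] = a[u]
    return prop

n = 3
f1 = [0, 1, 3, 2, 6, 7, 5, 4]  # two toy 3-bit permutations
f2 = [7, 6, 0, 1, 2, 3, 4, 5]
p1, p2 = prop_table(f1, n), prop_table(f2, n)

u, i = 0b111, 0
# Number of trails u -> v -> e_i through f2 o f1, summed over the middle mask v.
trails = sum(p1[u][v] & p2[v][1 << i] for v in range(1 << n))
# Direct ANF coefficient of x^u in bit i of the composition, for comparison.
comp = [f2[f1[x]] for x in range(1 << n)]
coeff = anf([(comp[x] >> i) & 1 for x in range(1 << n)])[u]
print(trails % 2 == coeff)  # True: trail-count parity matches the ANF coefficient
```

The identity holds for every u and i here, which is the toy analogue of "the monomial appears iff the number of trails is odd"; the hard part at cipher scale, as discussed above, is that the middle masks live in a huge space and the trails must be counted with an MILP solver.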
Another issue is what we call even sub-trails. I will not give too many details here because it is a bit technical, and I refer you to the paper, but the idea is that sometimes we have multiple sub-trails over only a part of the cipher, for example over a Super S-box, which start from the same value and end with the same value but take different values in the middle. You can see this here with an example over the Super S-box of SKINNY: the only two trails going from the first value in red to the last value in blue are these two. If such sub-trails appear in the cipher, the number of trails will be even, and it is even worse than that: if we have multiple of these sub-trails, the number of trails grows exponentially. So these even sub-trails are very annoying, and we need to remove them if possible. We therefore need to design a search for the vector v that solves these two problems. To avoid the even sub-trails, we essentially use a functionality of the Gurobi MILP solver called callbacks, and again I refer you to the paper for more details. The main thing we still need to solve is what to do about having too many trails, because we still need to enumerate all of them.

I will first give the generic idea of how the algorithm works and then a bit more detail. Overall, we start from the end, from the vector e_i, and, using the fact that we have independent round keys, we try to build our vector v so that we keep a somewhat low number of trails, and of course we also try to keep it odd. So we build this vector v from the end up to somewhere around the middle while trying to maintain an odd and small number of trails. At some point we need to stop, because we cannot do this forever, and once we reach this point we just ask the MILP solver to complete the vector v with values of high weight, such that hopefully the number of trails from the start to this middle round is also odd. Then we check that the total number of trails is actually odd.

A bit more detail about this. Like I said, we start from the end, from the vector e_i, and we try to determine the value of the last round-key vector v_{r-1} and the input value two rounds before, such that we have an odd and small number of trails; in the best case, which I represent in the picture here, only one trail. So we try to find x_{r-2} and v_{r-1} such that we have an odd and small number of trails, and we do so using MILP. Then we go back one round and try to find the next value for v and the next input value for the trail, again using MILP so that we still have an odd and small number of trails, in the best case only one. Then, because not all trails necessarily go through x_{r-2}, we check that we actually still keep an odd and small number of trails, again in the best case only one. We keep doing this for a few rounds, and in our implementation we strongly favor cases where we only have one trail. So up to some round in the middle, we are able to show that for this part of the cipher we have, in the best case, only one trail, and overall an odd and somewhat small number of trails. Once we have this, from the middle to the end we have an odd number of trails. We cannot carry this local optimization all the way to the start, because at some point it fails: we simply cannot find any trails if we keep going like this up to the beginning. At this point we just ask the MILP solver to find values for the remaining parts of v with high Hamming weight, to try to reduce the number of trails, and such that the number of trails from the beginning to the middle is also odd. Once we have found something like this, note that not all trails go through the middle value x_mid, so we still need to compute the total number of trails, and hopefully the number of trails from (u, v) to e_i will be odd. If that is the case, then we have shown that the degree is at least the weight of u, and so we have proved our lower bound.

Something else we did was to prove lower bounds on the minimum degree. I will not give all the technical details here, but the idea is that if you want to show lower bounds on the minimum degree of any linear combination of the output bits, you compute a lot more of these coefficients lambda_{u,v,i}, put them into a matrix, and check that this matrix has full rank; essentially this shows that the monomials cannot cancel each other in any non-zero linear combination. There are a few algorithmic optimizations to make this work; in particular, we can make this matrix block-diagonal with a few more constraints on the parity set of the key, and we also need a few small tricks that I will not detail here; you can find them in the full version of the paper on ePrint.

So overall, what did we get? We got lower bounds on the block cipher GIFT: the curves on the left are the ones you already saw for the algebraic degree, and like I said we were also able to get lower bounds on the minimum degree. The lower bounds are given in red, the upper bounds, which were known before, in blue. We also have an even stronger result than the minimum degree, namely the number of rounds such that all maximum-degree monomials appear in each component function, that is, in each linear combination of the output bits; for GIFT we need eleven rounds to reach this property. We also did this for SKINNY-64, with similar curves here, and thirteen rounds to reach this full maximum-degree monomial property. Finally, similarly for PRESENT, again we need eleven rounds for the full monomial property, and you can also notice that for the algebraic degree all of our bounds are tight except for five rounds, where we have a very small gap of only one. Finally, for AES it is a bit more expensive, for multiple reasons, but we were still able to show some non-trivial lower bounds: at four rounds, we know that the algebraic degree is at least 116.

To conclude: for the first time, we were able to show lower bounds on the degree of block ciphers, and also on some stronger notions like the minimum degree and the all-maximum-degree-monomial property. It is actually quite fast, a few hours up to a few days at most, and quite a few of our bounds are tight. We still have some room for improvement, of course: when you look at the curves, you see that we are not tight everywhere, so we can still improve the lower or upper bounds. Like I mentioned, we strongly rely on having independent round keys, so the case of a fixed key or keyless permutations is more complicated, and from an algorithmic point of view, a complex linear layer is an issue, because it tends to create a lot of trails, which makes the search much harder. Overall, I think it would be nice to either improve or better understand the heuristic we use, essentially the choice of the vector v. Thanks for listening and watching this talk. The live session will be on the 8th of December, and if you have any questions, there will be a Zulip chat; you can find the Zulip link on the Asiacrypt website.
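As a small supplement to the minimum-degree argument mentioned earlier in the talk: checking that the matrix of coefficient vectors has full rank over F_2 can be done with plain Gaussian elimination. Here is a minimal sketch (my own illustration, with rows encoded as integer bitmasks), not the optimized block-diagonal procedure from the paper.

```python
def rank_gf2(rows):
    """Rank over F_2 of a binary matrix whose rows are given as integer bitmasks."""
    rank = 0
    for bit in range(max(rows, default=0).bit_length()):
        # Find a pivot row with this bit set among the not-yet-used rows.
        pivot = next((i for i in range(rank, len(rows)) if rows[i] >> bit & 1), None)
        if pivot is None:
            continue
        rows[rank], rows[pivot] = rows[pivot], rows[rank]
        # Eliminate this bit from every other row.
        for i in range(len(rows)):
            if i != rank and rows[i] >> bit & 1:
                rows[i] ^= rows[rank]
        rank += 1
    return rank

# Three coefficient rows: the first two are independent, the third is their XOR,
# so the rank is 2 and the corresponding monomials could cancel in a combination.
print(rank_gf2([0b101, 0b011, 0b110]))  # 2
```

If the matrix of rows lambda for the chosen (u, v) pairs has full rank, no non-zero linear combination of the output bits can cancel all the tracked maximum-degree monomials, which is what yields the minimum-degree lower bound.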