Yeah, thank you for the introduction. So this talk will be about AES-like ciphers. And AES-like constructions have been a very popular design choice. And a wide range of primitives have been constructed, there are block ciphers, hash functions, permutations, all of which use ideas originally proposed in the design of AES. And also for all the competitions we had, so in SHA-3, we had a lot of AES-like designs. And probably also with the lightweight competition we will have a lot of AES-like designs. So what we mean with AES-like designs, we consider here the following building blocks. So we have a round function, and it consists of these three sub-functions. So the first one is just the application of an S-box. Then the permutation is applied, which changes the position of the elements in the state. And finally, a matrix is multiplied on each column. And a lot of the designs fall into this category. So about the S-boxes, so there has been a lot of research on how to construct S-boxes. I think we also have a session later this week on S-boxes. And it's the only nonlinear component, so it's a very important building block here. But there has been a lot of research on this, and it will not be the focus of this talk. Then similar for the MixColumns operation, there has been a lot of research on how to design these matrices, what properties we want, how to get them efficiently. Also, the next two talks in the session will be about this. And this talk will not be about this. What we are going to talk about is this middle layer. So how do you change the position of these cells? So arguably one of the most important criteria for block ciphers but also other primitives is resistance against differential and linear cryptanalysis. And each one of these building blocks plays quite a crucial role in constructing a primitive secure against these attacks. So the S-box directly influences the probability of a difference going through it. 
The matrix multiplication, it directly gives you a lower bound on the number of active S-boxes in a single round. But the relation of how you do this permutation is a bit less clear what happens in general. And it still heavily influences the number of active S-boxes you get in total. So the typical goal for every designer is, yeah, we want to have as high as possible number of active S-boxes over many rounds. So as an example, AES has a MixColumns with branch number five. And this gives a quite simple constraint on what can be achieved in one round. So branch number five here means just if we start with a single difference, it goes through the S-box and ShiftRows. And then it becomes a full active column. And this is kind of the constraint we have here. So the sum of the input differences and the output differences has to be bigger than five in the case of MixColumns. And this allows quite nice arguments on the minimum number of active S-boxes you get over more rounds. However, for other choices of MixColumns and ShiftRows, it becomes a bit less clear. So there are a lot of other designs following this strategy. So for instance, Midori, we heard about it before. It uses a branch number four. So OK, we would have this constraint. They have to be at least four if we sum up input plus output. But actually, there are transitions in there which are not possible. In the case of Midori, you can never go from two to three active through MixColumns. And the picture below, this very complex picture, shows you what happens through the SKINNY MixColumns. So SKINNY MixColumns is extremely lightweight. It only has a branch number of two. But not all transitions are possible. So actually, if you look at this, you will see there are only two transitions here which go from one to one and reach this minimal bound. So if you now want to analyze the size of more rounds, it becomes quite complex in the case of those designs. There are some results known on this. 
So for the case of AES, yeah, we know if we have a square state and the matrix is MDS, then ShiftRows will be optimal. And there's also been some additional work on this where they look at also other shapes of states and other properties of this MixColumns. So but the problem that we solve in this paper is now if you're given an n times n state and we fix the MixColumns, what is actually the optimal choice for the permutation with respect to differential and linear cryptanalysis? So let's look at an example. So we want to choose this permutation now. So let's assume we have a four times four state. Then we already would get like 16 factorial possible choices for this permutation. So this is quite a big number, but maybe still feasible to handle. But the issue is we need to kind of evaluate each design now if we fix the MixColumns, which permutation we kind of want to know what are the bounds on the active S-boxes. And this might be quite out of not be feasible for us to run for all the permutations in this case. So what we have to do is we kind of have to limit the search space. So the first observation we made here, so if you have a permutation P and a permutation theta. So if theta commutes with this matrix M used in the MixColumns, then the cipher where you use the permutation P and the cipher where you use the permutation theta inverse P theta have the same properties. And this can be quite easily shown here. So down here we have the round function. And if we change the position of the theta inverse with the S-box, so we just swap them, we then have to apply this permutation also in the key. And now if the theta commutes with the matrix M, we can also swap the position of the mixed layer and the permutation here. And then we can see, OK, we have theta and then apply theta inverse, so it just becomes the identity and we get the same cipher basically. And we use this to define an equivalence relation. 
So we say we have two permutations, P and P prime, and they are M-equivalent if such a theta exists with these properties. And the nice conclusion from this is all permutations which are M-equivalent will have the same number of active S-boxes. There's some drawback because we don't actually know how to test M-equivalence between permutations. So we have to go a few more steps and see how we can achieve this. So what we did is we make the job a bit easier. We first look at the weaker equivalence relation, which we call weak M-equivalence. The only difference here is theta has now a structure. So we say theta is composed of two permutations, phi and pi. So pi only permutes the columns with each other and phi only permutes elements inside each column independently. So if theta is of this form, then two permutations are weak M-equivalent. We need one more tool, which we term the structure matrix. So we have here, it's probably easier to understand with an example. So we have an example of a generic permutation. So on the left you see the elements of the state. On the right, how they get permuted. And this would be the structure matrix. And the structure matrix shows you from which column how many elements get moved to a different column. So first column, zero elements get moved to the first column. One element gets moved to the second column, zero to the third, and three to the fourth. Another example, in this case, the second column, two go to the first column, one to the second, one to the third, and zero to the last column. Here they are distributed to all different columns, so you get all ones. And here again you can see how it works basically. So what we now show in our paper is that there is an efficient algorithm which can enumerate all the permutations up to M-equivalence. And I only give you the basic idea, so if you want to have the details on the algorithm, it's best to look it up in the paper. 
But the idea is we can enumerate all these permutations up to this weak M-equivalence for a given structure matrix. And there are not too many valid structure matrices, actually. So if you consider four times four state, there are only around 10,000. And some of them also have some symmetries. And you can further reduce this number. What we can do now is we can just pick one of the smallest representatives of each of these equivalence classes and then carry out the cryptanalysis on those. So this still only gives us this weak M-equivalence. So it's kind of the obvious question then when does this weak M-equivalence actually imply M-equivalence. And there's a nice property on M which can be used to show this. So if we take this matrix M and use it as an adjacency matrix for a graph, we can test this graph for strong connectivity. And if the graph is strongly connected, then weak M-equivalence will imply M-equivalence. In the paper, we now use this approach to look at two ciphers. So the first one is Midori, a lightweight energy-efficient cipher. And it's probably the most obvious target because it introduced using this arbitrary permutation. So often you want the most structured permutation, so you have some implementation advantages. But also in hardware, it doesn't matter because it's often, if you do a round-based implementation, just rewiring. So our question was, is the permutation used in Midori optimal? So first, yeah, this MixColumns is used in Midori; as I said before, it has a branch number four. And a good thing is if we look at the graph of it, it is strongly connected. So you can basically go from every edge here to every other edge, and there's a path in both directions. So it took a few days then to, on a normal PC, to find all these permutations up to M-equivalence. It turns out there are around 2 to the 22 classes. So we then pick for each of these equivalence classes one candidate and try to determine the number of active S-boxes. 
So first, we tried this there with mixed integer linear programming, but it turned out to be a bit too slow for running it on all these 2 to the 22 permutations. So we then decided to implement some custom branch and bound algorithm to do it faster. But you can also find here. So this is basically the summary of all our computation. So I guess for full effect, you should look into the paper and zoom in. But just to show you the general picture, so if you can spot that like a red line going through all these other blue and green lines, so the red line is the original permutation, the blue lines are all permutations which are at least optimal in one of the rounds and the green are then another random sample of permutations. So the main conclusion from this is, well, the original permutation is actually optimal up to 12 rounds, except for nine rounds. It seems an outlier here. But for any higher number of rounds, it is never optimal. So when you look at the picture, you will see there are a lot of blue permutations on top of the red permutation. But it's also mostly outside the number of rounds of Midori, so maybe it doesn't matter too much in this case. It's also quite interesting there's not a single permutation which really stands out here. So a lot of the permutations, they are better for some rounds. So it really depends on what parameters you use, which permutation actually is the optimal one here. We also show a nice proof in the paper, which gives you an easy to check condition on your permutation. So if your permutation, P, P squared and P cubed, if they all have the structure, all-one structure matrix, then you'll get at least 28 active S-boxes over six rounds. The second example we looked at is the SKINNY block cipher, which we also had a few times already. So it uses AES ShiftRows and a very sparse MixColumns, so you only get a branch number of two. 
And it's, again, an interesting choice here because the MixColumns seems very simple, and the ShiftRows is a bit structured. So maybe if you use a more generic permutation, you could improve the bounds. So we applied again this algorithm to find all the permutations, all the equivalence classes. But in the case of SKINNY, it turned out there are quite a lot more, so it's almost two to the 40 equivalence classes here. It already took 24 CPU days to find all these equivalence classes. So doing this cryptanalysis, counting the active S-boxes for all these two to the 40, then we probably would have submitted the paper only around now. But we then decided to filter it a bit further. So we reduced the permutations and only picked those permutations which have at least as good diffusion as the original one. There's still around three million permutations left, and it took roughly 3,000 CPU days to test all of them with the Matsui algorithm. We again get, like, this picture here. So red line is, again, the original SKINNY permutation. Blue are all the permutations which are optimal in at least one of the rounds. And green is a random sample of 10,000 permutations. And we can see here quite clearly that actually the SKINNY permutation, even though it's quite structured, it holds up quite well, and it doesn't make too much difference if you loosen this restriction to only operate on the rows. So to summarize, I think our paper gives a quite nice theoretical understanding of how these permutations behave, how they influence the number of active S-boxes. And it's especially, I think, a useful design for any future designers if you want to make a new design. You should maybe look at this, and it's often actually feasible to test the full design space. So if you have a four times four state, there's a very good chance you can actually find the best permutation for your design. This concludes my talk, so if there are any questions, feel free to ask. Thank you. 
Thank you very much. Any questions for Stefan? There's one here in the front. Yeah. So assuming you fix some arbitrary key schedule or even don't put some, could you do the same kind of thing to evaluate security for a related key model? Yeah, we didn't include the related key. So the problem here is really probably that your search is going to be much more expensive on the active S-box count. So this might be quite tricky then to do. Exhaustive search. Yeah, you still have to do for each of the equivalence classes here the test on the active S-boxes. So if you can do that efficiently, then it might be possible. OK, thank you. More questions? So I have a question. Would it make sense for the best choices to then look for characteristics or even differentials to find out whether this really also active S-box is a good indication for the best attacks? Is that feasible or? So that's, I think, quite difficult to evaluate for the AES-like ciphers because you have this strong alignment to really say, this permutation is better than the others in this differential setting. So I think that might be, at the moment, I don't think we have such good tools to evaluate these properties for AES-like ciphers. And it might not be feasible to do this for all the permutations. But only for the best ones you find. For the best ones, you can, of course, do that, yeah. And what about other attacks, like structural attacks? Do they depend on the permutation or is this orthogonal? It depends on the structural attack, of course. So for some, it's probably a good. So the nice thing is also you can pick the permutation which is best in this equivalence class, then you could also generate all the permutations in this equivalence class, and then check those again as a second filter against the structural attacks. Also for if you want to do efficient implementations, you could also do that. You just test one in the equivalence class and then test other attacks and implementation properties. 
OK, if there's no more questions, please join me in thanking Stefan for his talk. Thank you very much.