 Hello, everyone. The name of the presentation is Linear Crypt Analysis of 3AGAD with GIFT-128 as underlying primitives. In this presentation, we start with the motivation and contributions. Following that, we briefly recall some related preliminaries. Then we introduce the linear cryptanalysis of GIFT-0FB, hyena, Sunday gift, and GIFT-128. At last, we give a conclusion. So, firstly, the motivation of this work. Linear cryptanalysis is one of the most fundamental methods to evaluate the security of symmetric key primitives. Compared to differential cryptanalysis, we find that linear method is more suitable to the analysis of the AEAD, since it works under the known plan text setting. This paper aims to evaluate the security of some AEAD with the linear method. The contribution of this work can be divided into four parts. Firstly, we create specialized set problems for the search of linear distinguishes, coordinate with the text setting. With this method, we improve linear text on GIFT-0FB and Sunday gift. Thirdly, we propose the first cryptanalytic result on hyena. Also, we provide improved linear text on GIFT-128. Now, we briefly recall some necessary preliminaries. GIFT-128 is one version of GIFT with the 128-bit block size. It is a 40-round SPN cipher and has a cadence of 128. Each round of GIFT-128 consists of three steps. In the sub-cell operation, an invertible 4-bit S-box named GS is applied to every navel of the cipher state. Next, the per-bit operation performs a bit permutation operation on the cipher state. At last, the add-round K operation includes adding the round K and the round constant. In this figure, we only illustrate the bits that should be exiled with the round K, as adding the round constant does not alter relative types of text in the paper. The most important steps in differential and linear text are finding distinguishes exhibiting non-random cryptanalytic properties. In this work, we explore an automatic method based on Boolean satisfiability problem, or with its set, to accomplish the search of linear distinguishes. The set problem is a problem of determining whether there exists an evaluation for the binary variables such that the value of the given Boolean formula equals 1. Every Boolean formula can be converted into an equivalent formula in conjunctive normal form. Each distinction is called a clause. Each CIG can be a variable, a constant, or the negation of a variable. Since almost all exciting sets over accept Boolean formulas in CNF as inputs, although the distinguisher search and problem should be specified with CNF formulas, benefiting from the simple but elegant structure of GIFT-128, describing the propagation of the linear mask inside the sepul boils down to tracing the propagation of the linear mask across the S-box. We donate x and y as the input and output masks of the S-box. To encode the absolute value of the correlation, we employ two Boolean variables, epsilon 0 and epsilon 1, so that the summation of them equals this value. Next, we define a 10-bit Boolean function f, look like this, and simplify the expression with the off-the-shelf software logic Freddie. Then we get a set of Boolean formulas that precisely depicts the relation among x, y, epsilon 0, and epsilon 1. Aside from tracking the propagation of linear masks inside the sepul, the set problem should clarify the correlation of the targeted linear trail. Suppose we intend to search for the R-round trail with the absolute value of the correlation in no less than 2 to the minus cosine. Let epsilon Kij be the auxiliary variable regarding the JS-S-box in the S-rounds. Then the valid linear trail should satisfy this condition. This inequality constraint can be converted into a sequence of Boolean expressions with a sequential encoding method. Now let's move on to the linear crypt analysis of GIFT-COFB. GIFT-COFB is an AEAD that instantiates the combined feedback mode with GIFT-128. The input of the encryption algorithm, including 128-bit K, announces associated data and message. The outputs are several tags, say, and a 128-bit tag. The ek function in the figure I referred to as the sepul GIFT-128. The sepul tag's generating phase explores the feedback function G, which is a linear function over the 100 and 128-bit input. We target the encryption function in the message processing phase highlighted in red. The property of the primitive puts some restrictions on the linear approximation in the linear tag. Firstly, since the designers claim 64-bit ND-CPA security under the non-respecting scenario, the data complexity of a valid tag on GIFT-COFB should be lower than 2264. Secondly, note that the most significant 64-bit of the input or the ek function are masked by the value L, and the L depends on the value of N and K, and that is not unknown. Therefore, the verification of the linear relation should be irrelevant with the most significant 64-bit. To accomplish the search of linear approximation to fill these restrictions, they attempt to encode it with Boolean equations. We create a specialized set problem targeting the conditional linear trail. To begin with, given that GIFT-128 achieves full diffusion after four rounds, we conjecture the maximum number of rounds appended before the linear distinguisher in the attack is 3. Regarding the three rounds extended before the linear approximation, we introduce extra variables to locate the bits involved in verifying the linear relation. According to the functionality, the extra Boolean equation in the specialized set problem can be divided into three parts. The first part identifies the necessary bits for the calculation of the linear relation. The second part ensures the irrelevance with the most significant 64-input bits. The last part connects the extended rounds with the linear trail. Now, we look into some details. For each S-box in the three appended rounds, we introduce four Boolean variables, mu 0 to mu 3 to signify whether the four values of the input bits should be known for checking the linear relation respectively. If the value of X i should be known for the verification of the linear relation, mu i is set as 1. Likewise, we utilize four Boolean variables, mu 0 to mu 3 to signify whether the four values of the output bits are the necessary bits for calculating the linear relation. Since the S-box is a nonlinear operation, the four values of the input bits must be known if any of the four output bits turns into necessary bits. Last, the newly included variables should satisfy this constraint, and it can be converted into Boolean expressions with a similar approach used for the S-box. These expressions constitute the first part of extra Boolean equations in the specialized set problem. Then donate mu k i j and mu k i j the variables for the J-size box in the S-appended round before the linear approximation to make sure that the evaluation of the linear relation does not rely on the most significant 64-bit of the input. They should append 64 equations to the set problem. These equations are the second part of extra Boolean equations. Now, suppose that the input mask of the linear trail in the original set problem is symbolically represented as a 0 to a 127. The value of the bits masked with a i equals 1 should be known so that we can estimate the validity of the linear relation. Thus, to establish the connection between the affixed three rounds and the linear trail, they generate 256 equations. These equations form the third part of extra Boolean equations. We apply the specialized set problem to assess the search of linear distinguisher for GIFT COFB. In the test surface, we observe that the absolute value of the correlation for the optimal 11-round linear trail regarding GIFT 128 is 2 to the minus 31. Given the linear heart effect of GIFT 128 is relatively big, we guess that the data requirement for linear attacks with 11-round approximations may be larger than 2 to the 64. Thus, we utilize 10-round linear approximations to realize k-recovery attacks for 3ADAD. The maximum absolute value of the correlation for the 10-round linear trail is 2 to the minus 26. We find no trail satisfying the specialized set problem if the absolute value of the objective correlation for the linear trail is fixed as 2 to the minus 26 or 2 to the minus 27. When the objective correlation is set as 2 to the minus 28, about 70,000 of linear trails are returned by the set software, but none of them can be used to launch 16-round attacks. So, we lower the objective correlation of the specialized set problem to the minus 29 and discover more than 400,000 of linear trails. The distinguisher is unique when achieving the minimum number of guesses of k-beads. The ELP of the linear approximation is 2 to the minus 57.68. The data complexity of the 16-round attack is 2 to the 62.1. The total time complexity is 2 to the 122.8. The memory complexity is roughly 2 to the 47 and the success probability is about 80%. Now, we look at the linear cryptanalyses of hyena. Hyena is the instantiation of the hybrid feedback-based encryption with authentication mode of operation with the safer gift 128. The input of the encryption algorithm includes 128-bit k, 96-bit non-associated data and message. The outputs are safer text C and 128-bit tag. The ek function in the figure are referred to as the safer gift 128. The safer text generating phase explores a linear feedback function. We target the encryption functions in the message processing phase highlighted in red. There are some restrictions on the linear approximation in the linear attack. Under the non-respecting scenario, the designer claims that for a valid attack, the data requirement should be less than 2 to the 64 and the time complexity is bounded by 2 to the 128. Beyond that, hyena also creates a 64-bit unknown value data before they associate data processing phase. So, the verification of the linear relation should be irrelevant with the least significant 64-bit. To accomplish the search of linear approximation to fill these restrictions, we replace the second part of extra Boolean equation in the specialized set problem. The turnaround distinguisher is a unique one achieving the minimum number of Gauss sub-KBs. The linear correlation of the dominating trail is 2 to the minus 28 and the ELP of the linear approximation is 2 to the minus 55.36. The data complexity of the 16-round attack is 2 to the 61.51. The total time complexity is 2 to the 122. The memory complexity is roughly 2 to the 52 and the success probability is about 80%. Next, we introduce the analyze on Sunday gift. Sunday gift is a family of AEAD that explores the scheme Sunday with gift 128 as the underlying block server. The encryption algorithm takes as input of 128K associated data and message. The output of the encryption is a separate text and a tag. Unlike the case in previous two primitive, because there is no limitation as the input of the K function, they propose to attach four rounds and three rounds before and after the distinguisher. The ten-round distinguisher is a unique one achieving the minimum number of Gauss sub-KBs. The linear correlation of the dominating trail is also 2 to the minus 28 and the ELP of the linear approximation is 2 to the minus 55.36. The data complexity of the 17-round attack is 2 to the 61.51. The total time complexity is 2 to the 123.38 and the memory complexity is roughly 2 to the 49. The success probability is also about 80%. In the last part, we introduce the cryptanalytic result on GIFT 128. We intend to attach four rounds and three rounds before and after the distinguisher. All the 8,192 optimal 19-round trails with correlation 2 to the minus 59 cannot derive 26-round attacks. So we gradually reduce the objective correlation. When the objective correlation is reduced to 2 to the minus 682, we find the unique distinguisher attaining the minimum number of Gauss sub-KBs. The ELP of the linear approximation is 2 to the minus 123.11. After a careful investigation, we notice that the time complexity of the 26-round attack goes beyond 2 to the 128. Thus, we finally launch a 25-round linear attack with a newly identified 19-round linear approximation. The data complexity of the 25-round attack is 2 to the 124.75. The total time complexity is 2 to the 126.77. The memory complexity is roughly 2 to the 96, and the success probability is about 50%. Note that the success probability of the attack can be improved by repeating the entire work with a new group of plant-axe sub-attacks pairs. Now we finish all the contents in the paper and give a conclusion. In this work, firstly, we create specialized set problems for the search of linear distinguishers coordinate with the attack setting. With this method, we improve linear attacks on GIFT COFB and Sunday GIFT. We propose the first cryptanalytic result on Hyena. Also, we provide improved linear attacks on GIFT 128. That's all for the presentation. Thank you for your attention.