Hello, everyone, my name is Fukang Liu. The title of this talk is Automatic Verification of Differential Characteristics: Application to Reduced Gimli. This is a joint work with Takanori Isobe and Willi Meier.

As we know, NIST is now holding a lightweight cryptography competition, and there are 32 candidates selected for the second round. Obviously, third-party cryptanalysis is necessary to understand the security of these candidates. Second, since Keccak was selected as the SHA-3 standard, more and more permutation-based primitives have been proposed, as can be seen from the submissions to NIST's lightweight cryptography competition. With the development of the automatic search for differential characteristics, finding a suitable differential characteristic is reduced to constructing a model describing the difference transitions. However, as can be seen in most models, the difference transitions over rounds are treated as independent. While such an assumption is reasonable for a block cipher, it may not hold for a public permutation, as there is no round key. Therefore, it is natural to question the validity of the differential characteristics obtained with such an automatic method.

We can also learn some lessons from the literature. Specifically, some differential characteristics of SHA-2, BLAKE and Skein are shown to be inconsistent. To solve the contradictions in SHA-2's characteristics, Mendel et al. developed a dedicated search method. The main idea is to search for the differential characteristic and the conforming message pair at the same time. For Skein, Leurent also developed a dedicated searching algorithm, where the contradictions are avoided by using the improved generalized conditions. So, similar to the introduction of MILP into cryptanalysis, we would like to know whether it is possible to use an off-the-shelf solver to deal with the contradictions occurring in differential characteristics.
We are inspired by Mendel et al.'s work on SHA-2's characteristics. So our aim is to construct a model capturing both the difference transitions and the value transitions at the same time. The technical part is how to connect the two transitions.

Our target is Gimli. Gimli is a cross-platform permutation designed by Bernstein et al., and it is now included as a second-round candidate in NIST's lightweight cryptography competition. Most importantly, as we may observe, the diffusion of the Gimli round function is rather slow. So intuitively, there is a high chance for a differential characteristic of the Gimli permutation to be invalid.

So first of all, let me give a brief description of Gimli. A Gimli state is organized as a 3 × 4 two-dimensional array. The total number of rounds of the Gimli permutation is 24, and the sequence of operations for the 24-round permutation is listed here. You can see that the sequences of operations of every four rounds are identical. In the first round, the nonlinear operation SP, then the linear operation Small-Swap and the constant operation (adding a round constant) will be applied. In the second round, only SP will be applied. In the third round, SP and another linear operation, Big-Swap, will be applied. In the fourth round, again, only SP will be applied.

So now let me describe what SP is. SP applies a 96-bit SP-box to the four columns of the Gimli state in parallel. We denote the input and output of the SP-box by (x, y, z) and (x', y', z'). In this way, the relations between (x, y, z) and (x', y', z') can be specified here. You can see that the algebraic degree of the SP-box is 2, and you can also observe that each output bit only depends on at most four input bits. Now let me describe the linear operations Small-Swap and Big-Swap. You can see the illustration in this figure; they are very simple.
It is just a permutation on the state words in the first row of the Gimli state. So, very simple, right? Since our aim is to construct a model to describe the difference transitions and the value transitions, and the linear operations are just permutations on bits, in the model the linear operations can only affect the order of the variables. So let us focus on the model for the SP-box.

You can see from the specification of the SP-box that the expressions of the output bits can be divided into four types. Two types are linear functions and two types are nonlinear functions. For the two linear functions, we can find that the difference transitions and the value transitions are independent and not related. However, for the type 3 expression there is a nonlinear operator AND, and so there will be relations between the difference and the value. Specifically, there will always be a constraint on the value for a nonzero difference transition, as you can see here. Similarly, for the type 4 expression there is a nonlinear operator OR, and we can also find that for each nonzero difference transition, there will always be a constraint on the value. So the main reason why the difference and the value are related is the nonlinear operation.

So let us discuss how to model the relations between the difference and the value inside the nonlinear operator. First, let us consider the AND operation. We can construct a truth table for the variables A0, A1, A0, A1, and A2, as shown here, and we can use Sage and a greedy algorithm to find the equivalent linear inequalities to describe such a truth table. The linear inequalities are shown here. Similarly, for the OR operation, we can compute the corresponding equivalent linear inequalities to describe the relations between the difference and the value. So next, let us discuss how to model the value transitions.
Similarly, we can construct a truth table for the input and output, and then calculate the corresponding linear inequalities. Since the type 1 and type 2 expressions are simple, we do not discuss them. We only introduce the linear inequalities for the type 3 expression and the type 4 expression. They are very simple, as shown here. And these are the linear inequalities for the type 4 expression.

Then we need to model the difference transitions. We also omit the models for the type 1 and type 2 expressions, as they are simple. For the type 3 and type 4 expressions, we can introduce two intermediate variables, A0 and A1, to represent the output difference of the nonlinear operation respectively. In this way, the problem is reduced to constructing a model describing the expression A3 = A0 + A1 + A2, and we can simply write the corresponding linear inequalities.

Now, let me discuss how to connect the two transitions. Let us focus on the type 3 expression. First, we use the linear inequality system to describe the relations of A0, A1, A2, A3, and A4, which correspond to the value transitions. Then we use linear inequality system 1 to describe the relations of A2, A3, A2, A3, and A0, which correspond to the relations between the difference and the value. Finally, we can describe the relations of A0, A1, A0, and A4 using inequality system 5. In this way, we have constructed the difference transitions, the value transitions, and the connections between the two transitions for the type 3 expression. Similarly, we can do the same for the type 4 expression.

So now we have constructed the model to capture both the difference transitions and the value transitions. Based on this model, we can detect contradictions in a specified differential characteristic. Specifically, given a specified differential characteristic, the variables representing the difference are fixed, so the inequality system is only in terms of the variables representing the values.
If the inequality system is infeasible, then the given differential characteristic is obviously invalid. If the inequality system is feasible and the solver outputs a solution for it, then the conforming values for the differential characteristic are found.

So the feature of our model is that the relations between the difference transitions and the value transitions are actually written in the constraints. Therefore, it can bring us some benefits. The first one is that, given a specified differential characteristic, the whole inequality system is only in terms of the variables representing the values, so we only need to consider the value transitions. Second, we can use it to find a compatible differential characteristic for the dense part of a collision-generating differential characteristic, where contradictions are easier to occur.

We applied our model to the Gimli permutation. First, we used it to verify some existing differential characteristics of the Gimli permutation. We found that the official 12-round differential characteristic in the Gimli document is invalid. We also found that the 6-round differential characteristic for the collision attack in an ePrint paper is invalid. Apart from verification, we also used our model to search for a valid differential characteristic. Specifically, we followed the difference patterns used in the ePrint paper and tried to search for a valid differential characteristic. Let me give a brief description of the difference pattern. The differences in the first column and the third column are the same, and the differences in the second column and the fourth column are the same. We can construct a probability-1 differential characteristic in the last two rounds. In this way, the input of our model can be illustrated by this figure, and we hope the solver can output a solution for the question marks. These are the constraints used to ensure the difference patterns.
To further reduce the search space, we also constrain the Hamming weight of ΔS3. In this way, we found a valid 6-round differential characteristic as well as its corresponding message pair. This is done on a standard PC and takes about four hours. These are the differential conditions implied by the differential characteristic.

However, the conforming message pair is just a semi-free-start collision, which is less meaningful. So we want to convert the semi-free-start collision into a collision. Our idea is to enumerate all the solutions satisfying the 6-round differential characteristic and use extra message blocks to connect to one of the solutions. So first, we try to merge the conditions. Specifically, we convert partial conditions on S2 into conditions on S1. In this way, the number of conditions on S1 will be 61. This allows us to exhaust all possible values of the second column of S1, as there are only 2^35 values in total. Then we find that there are 1632 solutions in total for the second column of S1. Then we try to calculate the solutions for the last two rows of the second column of S0. Similarly, we use one property of the SP-box to reduce the time complexity, and we can enumerate all the solutions for the last two rows of the second column of S0. In this way, we can calculate the probability of a valid capacity part, I mean, the probability that the last two rows of S0 are valid. The total probability is 2^(-127.6). So without any specific strategy, the time complexity to convert a semi-free-start collision into a collision is 2^127.6. Indeed, with a divide-and-conquer method, we can find a message block to match one of the solutions with time complexity 2^64 and memory complexity 2^64.

We may wonder why we need to calculate the probability in this way. This is because the difference transitions over different rounds are not independent.
So we shouldn't calculate the probability of a differential characteristic by counting the number of conditions. We may also wonder what influences the dependency. In my opinion, there are three points. First, there is no round key. Second, the diffusion of the linear layer is rather weak. And last, the expressions of the SP-box are rather simple: you can see that one output bit depends on at most four input bits, the algebraic degree of the SP-box is two, and for each nonlinear expression of one output bit there is only one quadratic term. So these are the three reasons we think influence the dependency of the difference transitions.

So in conclusion, the risk for a differential characteristic of a public permutation to be invalid is high, as there is no round key. The diffusion and confusion will also influence the dependency. As a result, we need to take care of the probability of a differential characteristic for a public permutation. That's all. Thank you.
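The following is an added example, not code from the talk, the paper, or the Gimli designers. It applies the talk's central idea at the smallest scale, a single Gimli SP-box: every AND/OR gate whose inputs carry a nonzero difference imposes a condition on the gate's input values, and a specified input-difference/output-difference transition through the SP-box is valid only if all of those conditions can hold at once. Within one SP-box the gate inputs are input bits, so each condition is an affine equation over GF(2) and a small Gaussian elimination can stand in for the MILP solver of the talk (across several rounds the value transitions themselves become quadratic, which is why the talk needs a MILP model). The function and variable names (`gate_condition`, `build_system`, `conforming_input`, and so on) and the sample transitions are my own constructions; the SP-box is the one from the Gimli specification. The solver's answer is checked against the real SP-box, and the sample transitions include one where each gate transition is individually possible but the two gates that read the same value bit Z_0 demand opposite values, which is exactly the kind of contradiction the talk's model detects.

```python
MASK = 0xFFFFFFFF

def rotl(v, r):
    return ((v << r) | (v >> (32 - r))) & MASK

def sp_box(x, y, z):
    """Gimli SP-box on one column of three 32-bit words (Gimli specification)."""
    x = rotl(x, 24)
    y = rotl(y, 9)
    nz = (x ^ (z << 1) ^ ((y & z) << 2)) & MASK
    ny = (y ^ x ^ ((x | z) << 1)) & MASK
    nx = (z ^ y ^ ((x & y) << 3)) & MASK
    return nx, ny, nz

# Structure of each output word in terms of the rotated inputs X=0, Y=1, Z=2:
# linear taps (word, shift) and one gate (kind, word a, word b, shift).
OUTPUTS = [
    ([(2, 0), (1, 0)], ("and", 0, 1, 3)),   # nx = Z ^ Y ^ ((X & Y) << 3)
    ([(1, 0), (0, 0)], ("or",  0, 2, 1)),   # ny = Y ^ X ^ ((X | Z) << 1)
    ([(0, 0), (2, 1)], ("and", 1, 2, 2)),   # nz = X ^ (Z << 1) ^ ((Y & Z) << 2)
]

def bit(w, i):
    return (w >> i) & 1 if i >= 0 else 0

def gate_condition(kind, da, db, t):
    """Condition on the gate's input values (a, b) for input difference (da, db)
    to produce output difference t.  Returns (ca, cb, rhs) meaning
    ca*a ^ cb*b = rhs, or None if no value can realise the transition."""
    if (da, db) == (0, 0):
        return (0, 0, 0) if t == 0 else None  # inactive gate: difference is 0
    if (da, db) == (1, 1):
        return (1, 1, t ^ 1)                  # both active: diff = a ^ b ^ 1
    c = 1 if kind == "or" else 0              # one active: AND -> other input,
    return (0, 1, t ^ c) if da else (1, 0, t ^ c)   # OR -> its complement

def build_system(din, dout):
    """Affine equations over the 96 rotated input value bits implied by the
    transition din -> dout, or None if some bit position is outright impossible."""
    dw = [rotl(din[0], 24), rotl(din[1], 9), din[2]]
    rows = []
    for dword, (taps, (kind, a, b, shift)) in zip(dout, OUTPUTS):
        for j in range(32):
            t = bit(dword, j)                 # required gate output difference:
            for w, s in taps:                 # output diff minus the linear part
                t ^= bit(dw[w], j - s)
            i = j - shift                     # gate input bit feeding output bit j
            cond = gate_condition(kind, bit(dw[a], i), bit(dw[b], i), t)
            if cond is None:
                return None
            ca, cb, rhs = cond
            mask = (ca << (32 * a + i)) | (cb << (32 * b + i)) if i >= 0 else 0
            if mask:
                rows.append((mask, rhs))
    return rows

def solve_gf2(rows):
    """Gaussian elimination over GF(2) on rows (mask, rhs); returns one solution
    as a 96-bit integer (free variables set to 0) or None if inconsistent."""
    pivots = {}                               # pivot bit -> (mask, rhs)
    for mask, rhs in rows:
        for p, (pm, pr) in pivots.items():    # reduce by the existing pivots
            if mask >> p & 1:
                mask, rhs = mask ^ pm, rhs ^ pr
        if mask == 0:
            if rhs:
                return None                   # 0 = 1: the conditions contradict
            continue
        p = mask.bit_length() - 1
        for q, (qm, qr) in list(pivots.items()):   # keep rows fully reduced
            if qm >> p & 1:
                pivots[q] = (qm ^ mask, qr ^ rhs)
        pivots[p] = (mask, rhs)
    return sum(1 << p for p, (_, r) in pivots.items() if r)

def conforming_input(din, dout):
    """An input (x, y, z) such that (x, y, z) and (x^dx, y^dy, z^dz) follow the
    transition din -> dout through the SP-box, or None if it is invalid."""
    rows = build_system(din, dout)
    sol = solve_gf2(rows) if rows is not None else None
    if sol is None:
        return None
    X, Y, Z = sol & MASK, (sol >> 32) & MASK, (sol >> 64) & MASK
    return rotl(X, 8), rotl(Y, 23), Z         # undo the input rotations

def transition_holds(din, dout, v):
    """Check a candidate input against the real SP-box."""
    o1 = sp_box(*v)
    o2 = sp_box(*(a ^ d for a, d in zip(v, din)))
    return tuple(p ^ q for p, q in zip(o1, o2)) == tuple(dout)

if __name__ == "__main__":
    # Constructed transitions: after the rotations the active bits are X_0 and
    # Y_0, so the OR gate (X_0, Z_0) and the AND gate (Y_0, Z_0) are both active.
    # (1, 2, 1) is valid; (1, 2, 5) needs Z_0 = 0 for the OR gate and Z_0 = 1
    # for the AND gate, so each gate is fine alone but the pair is contradictory.
    din = (0x100, 0x800000, 0)
    for dout in [(1, 2, 1), (1, 2, 5)]:
        v = conforming_input(din, dout)
        print(dout, "->", "invalid" if v is None else (v, transition_holds(din, dout, v)))
```

Probability counting would assign the transition (1, 2, 5) the same weight as (1, 2, 1), since both activate the same two gates; only the value-aware check exposes that it can never occur. Extending this to several rounds means the unknowns become intermediate state bits and the value transitions become quadratic, which is the step at which the talk switches from a linear system to a MILP model.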