 Hi, today I will talk about overwork, automated search-oriented 2K recovery on cyphers with linear case schedule, applications to boomerangs in skinny and faux skinny. This is a joint work with Xiao Yang Dong, Xiao Yun Wang, Ke Ting Jia and Yun Wen Liu. This talk includes the following four parts. First, motivations and contributions. Differential attack proposed by Beham and Shamir is one of the most successful corrupt analysis techniques. In differential attack, an attacker's goal is either to distinguish E from a random function or to recover the master key based on the differential and partial decryption technique. When searching for differential distinguisher, the attacker aims at differentials that cover the highest number of rounds, always to maximize the probability. But for K recovery attack, attacker needs to append several extra rounds EB and EF before and after the differential distinguisher to recover the keys. Using such a good differential distinguisher is more likely to launch a better K recovery attack. However, in practice, a good K recovery attack often requires a comprehensive tradeoff between the K recovery phase and the differential distinguisher. In this talk, we try to maximize the number of attacked rounds with data complexity and time complexity larger than the exotic search. The constraints that we take into consideration include the probability of the distinguisher, the number of active bits of the input and output, and the number of key bits need to be guessed in the extended rounds. Bombering attack is a statistical corrupt analysis proposed by Wanger in 1999. The bombering distinguisher is constructed by splitting the incorporation function into two parts, E0 and E1. Then two short differentials are combined into a longer bombering. The probability of the bombering distinguisher is P22Q22. The bombering attack is a chosen plan test, chosen cipher test attack. It can be converted into a chosen plan test attack, known as the applied bombering attack or rectangle attack. In the rectangle attack, considering multiple differentials whose alpha and data are fixed and the internal differences beta and gamma is arbitrary values, the probability of the rectangle attack is 2 to minors n P22Q22. A number of studies have shown advanced techniques for a better evaluation of the bombering's probability, as the bombering switches sandwich attack. In the sandwich attack framework, the ND round cipher ED is slated into three parts. The middle part EM handles the dependence and contains a small number of rounds. In 2018, previous observations on the bombering switch are unified in the framework of the bombering connectivity table by CID et al. Then several works talked new techniques to consider the middle part consisting of multiple rounds. For block ciphers with linear case schedule, draw et al-purposed a new generalized related key rectangle attack. As a differential attack, we analyze the detailed factors that restrict the rectangle attack framework. Then we propose a new automatic MIOP model for related key rectangle attacks on skinny. There's a probability of a distinguish and the dominating factors of the key recovery phase are systematically processed by the constraints. We're able to find new good properties in the distinguishers, which can be used to perform key recovery attacks covering more rounds than previous results. Second, automated search oriented to key recovery on skinny. At Crypto 2016, Bayer et al-purposed a new lightweight block cipher family, skinny. It has comparable hardware software performances with Siemens and also has much stronger security guarantees. Skinny follows an SPN structure and a tag key framework. Let n denote the block size, t denote the tag key size, c denote the cell size. The family of skinny has six main versions. In each round of skinny, the state is updated with five operations. Subcells add constants, add round tag key, shift rows, and mix columns. The designers of skinny first gave the MIOP model to search truncated differential for skinny. Later, Liu et al-purposed the model to search boomerang distinguishes. Recently, Haddipo et al-purposed a heuristic approach to search boomerang distinguishes using MIOP SAT models. They introduced some new tables for S-boxes to model the dependence between the upper and lower differential and evaluated the probability of middle part experimentally and mathematically. Almost at the same time, D-loan et al-purposed a new automatic tool to search boomerang distinguishes and automatically handle the middle rounds. They also provided their source code to facilitate follow-up works. Our new model is mainly based on the last two works. We present an extended model for searching the entire NB plus ND plus NF rounds attack. The aim is to find new distinguishes that result in key recovery attacks with more rounds. Our target is to maximize the total attacked rounds. However, in practical programming, we take NB, ND, and NF as parameters to input the model and the target is the time complexity. Our new model takes the model of Haddipo et al-purposed and D-loan et al-purposed to search for a NB plus R-link plus R-M round upper truncated differential and a R-M plus R-1 plus NF round lower truncated differential. The modeling strategies of the distinguisher paths are the same to the previous models. For the active cells, propagation in the EB and EF, the truncated differences are propagated forward and backward with probability 1. Hence, the key screens are different from those in the distinguisher. The time complexity of the rectangle attack is highly related to the number of guest keys in EB. We hope that the smaller NB, the better. Since the matrix in the MC operation is not an MDS matrix, the sub-track keys involved in the partial encryption and decryption are different. So we model NB from two aspects. Phase 1 partially encrypts P1 to the active cells in Y3. Phase 2 partially decrypt Y3 back to get P2. In phase 1 shown in the finger, in order to compute the active cells in Y3, we need to know the cells marked by read dots in X3. Since the cells need to be known in Z2 can be deduced through the linear diffusion. We define a binary variable known in C to identify whether the cell in Z2 should be known in phase 1. In phase 2 in the finger, we compute Y3 back and then deduce delta X3 and delta Y2. Then the calculation from P1 to Y2 is similar to the calculation from P1 to Y3 in phase 1. So in overprogramming of the model, we integrate the above two phases. We define a binary variable known for each cell in XR to indicate whether the value is needed either in phase 1 or phase 2. Through the round NB-1, only active cells need to be known. From round NB-2 to round 0, which cells to be known in ZR can be deduced from XR-1 through the linear diffusion as in phase 1. In round NB-2 to round 1, the cells in XR need to be known in all two types. The active cells need to be known in phase 2 and the cells need to be known in ZR. The objective function is the time complexity of the rectangle attack. We add the variables on behalf of different parameters to the objective function. For the probability of the distribution, the target is same with Hedipal-8Ls. Besides, we also add known in C on behalf of the NB, DXL on behalf of the RF to the objective. Because different parameters have different coefficients in the time complexity, we give them different ways to model the objective more accurately. With our new MILP model, we search for more purple truncated upper and lower differentials for K recovery attack. Then use the CP model to get the institution actions for the truncated differentials. We also calculate the probability considering the clustering effect, and experimentally calculate the probability of the middle part of the distinguisher. The table gives a summary of related tag key bomb ring distinguisher for skinny. Then related tag key rectangle attacks with new rectangle distinguisher on skinny. We use the 22-round related tag key rectangle distinguisher for foxy skinny 16-4-192. By extending 4 rounds EB and 4 rounds EF, we attack to 30 rounds. In the first round, we first apply SR and MC operations. And then apply the ART operation with the equivalent sub-track key ETK0. So there is no sub-track key involved in the first round. And we can build over structures at W0 prime. Trading W0 prime as the plan test, and the 29 as the cycle test. We get the corresponding attack parameters. Based on Zhao et al's key recovery algorithm in data collection, we generated Y22-2288 quotas. The key recovery is a guess and filter process. For example, according to the property of the MC operation, we can deduce the difference of X297. Since for the Xbox has two non-zero differences in input and output, there is only one solution on average for the input or output of the Xbox. So we can deduce the STK297 for pairs C1, C3 and C2, C4. The difference in STK297 is fixed and acts as a 4-bit filter. So the number of remaining quotas is reduced. This table gives the time complexity and guess or deduce the sub-track keys of each step in the TK recovery process. Set the expanded number of right quotas as equal 1 and the advantage at equal 36. We construct 2287 structures. The data complexity is the chosen plan text under the four related techniques. The memory complexity includes the memory to store the plan text, several test sets and the key counters. The time complexity includes the time of generating quotas in data collection and the time of recovering the case. The success probability is 59.5%. For other versions of N2N and N3N of skinny, they also give input attacks using the new rectangle distinguishes. There are several correct analysis results on skinny under single twenky and related twenky settings using different techniques. We summarize the correct analytic results on skinny in related twenky setting. For three versions, our results cover one more round than the best previous attacks. Last, the related twenky rectangle attacks on fox skinny. Fox skinny is designed under the Fox AE lightweight authenticated encryption framework. The primitive is based on skinny as shown in the finger. After the first R, you need round skinny. The encryption procedure is forked. Two copies of the output are separately processed by R1 and R2 round skinny. The track keys are generated by the track key schedule of skinny for R in it plus R1 plus R2 rounds in total. There are several instances with variant block sizes and track key sizes. Previous analysis of skinny can directly be applied to fox skinny. But as point out by variant it all, encryption from M to C1 use a slightly different track key schedule, lead to better analysis. When R0 is odd, the round keys before and after the forking point are taken from the same half of the master track key. So if data SDK are in need minors 1 equal 0, we can deduce data SDK in need plus R0 equal to 0, especially when R0 equal to 27. When use a data whose period of the LFSR is 15, if data SDK are in need minors 2 equal to 0 and there is no difference in SDK are in need minors 1, one can have 6 consecutive inactive round track keys. We add constraints of those properties to the model of skinny to search new distinguisher. For fox skinny 128 to 156, we select a 21 round related track key rectangle distinguisher. As in the finger, there are 6 consecutive inactive round track keys in the 14 round to 19 round. By adding 3 round before and 4 round after the 21 round distinguisher, we give a 28 round K recovery attack on fox skinny 128 to 156 with 256 bit K. The attack procedure is similar to the attacks on skinny. Using the same distinguisher, we add 1 round before and 3 rounds after the distinguisher to achieve a 25 round attack with 128 bit K and 128 bit TIC. We summarize the attacks on fox skinny in related track key setting. All the results cover 1 to 2 more rounds than the best previous work. That's everything I want to talk about. Thanks for your attention.