 Hello everyone, the name of the presentation is Accelerating the Search of Differential and Linear Characteristics with the SET method. In this presentation, we start with the Motivation and Contributions. Following that, we briefly recall some related preliminaries. Then we introduce how to integrate bounding conditions into the SET method. After that, we will show the Accelerating effect of the bounding condition. Then we illustrate the applications to several block ciphers. At last, we will draw a conclusion. So, let's start with the first part. The introduction of the automatic search boasts the quick analysis of symmetric key primitives to some degree. However, the performance of the automatic search is not always satisfactory for the search of long trails or separate large state sizes. Compared with the intensive attention on the enhancement for the search with MLP method, few works care for the acceleration of the automatic search with SET or SMT method. So, this paper is motivated by this vacancy. The contribution of this work can be divided into four parts. Firstly, we propose a novel method to encode measures bounding conditions. Following that, we provide a direction for the selection of the bounding condition. Then with the new method, we obtain complete bounds about differential and linear characteristics of multiple ciphers. The first one is we give a related key differential attack on 26th round, GIFT-64. Now, we briefly recall some necessary preliminaries. The Boolean satisfiability problem is the problem of determining whether there exists an evaluation for the binary variables, such that the value of the given Boolean formula equals 1. Every Boolean formula can be converted into an equivalent formula in conjunctive normal form. Each disjunction is called a clause. Each CIG can be a variable, a constant, or the negation of a variable. To discover useful distinguishes with the SET solver, we should specify the distinguisher searching problem with CNAF formulas. The clauses in CNAF formula regarding the search of differential or linear distinguisher are classified into two groups. The first group represents the propagation of difference or linear masks inside the sephir. And the second one measures the non-random feature of the trail, which can be set as a number of active S-boxes. The differential probability of the linear correlation. The first step to create clauses in the first group is decomposing the round function into a sequence of basic operations, including the linear operations and the non-linear operations. The second step should be generating set models for basic operations. Here we show the differential models for branching and axle operations. Models for other operations can be found in the paper. Then the second group of clauses characterizes the non-random feature of the trail. According to the specific goal, we should restrict the number of active S-boxes. The sequential probability of the linear correlation in the distinguisher searching problem. All these kinds of constraints can be abstracted as Boolean cardinality constraint. This constraint can be converted into CNAF formulas with the sequential encoding method. About n-multiply k auxiliary variables should be introduced, and the number of clauses is also about n-multiply k. The accelerating method in this paper is based on the branch and bound depth first searching algorithm. It is used to identify the optimal differential trails with the maximum probability of a symmetric k primitive. The efficiency of this algorithm comes from the manipulation of the known upper bounds on probabilities of short trails. Suppose that we obtain a partial trail covering the first r rounds. If the probability of the partial trail satisfies this inequality, this node will be removed from the searching tree. Otherwise, the subtree originating from this node will be further explored. Now let's move on to the next part. Before we show how to integrate bounding conditions into the set method, we first note that the conditions can be generalized. Unlike the manual search, the automatic method might not initialize the search from the input of the server. So for each partial trail from the R1's round to the R2's round, we can create a generalized bounding condition. In total, CR2-1 conditions can be constructed. For convenience discussion, the original objective function of the set problem can be abstracted in this form. In parallel, the generalized bounding condition can be converted into this form. Therefore, the essential of the problem should be how to simultaneously describe these two cardinality constraints. To address this issue, we go back to the sequential encoding method. This method is based on the sequential counter-circuit, and the circuit computes the partial sum for increasing the value of i from 0 to n-1. The partial sum si is represented with k Bouldin-Werlbos under the unary numeral system. In other words, si equals m is equivalent to the last m Bouldin-Werlbos equal 1, and the remaining Werlbos equal 0. With a careful study, we gave two observations on auxiliary Werlbos in the circuit, and these observations will be used in the encoding of the bounding condition. Firstly, the circuit already computes the partial sum of x with the index starting from 0. Secondly, the sequence of the partial sum is now decreasing. According to the index of the partial sum, the discussion should be divided into three cases. In the following, we only discussed the second case. Where the left and right nodes of the partial sum are located in the middle of the sequence. Based on the former observation, the circuit accomplishes the computation of the partial sum of x with the index starting from 0. Then the partial sum in consideration can be written by the subtraction of two known partial sums. Now, if s e1 minus 1j equals 0, then the summation of the first e1 elements in the sequence of x must be no more than j. Accompanied by the partial sum in consideration, we can derive that the summation of the first e2 elements in the sequence of x must be no more than j plus m. This inequality is equivalent to clam s e2 j plus m equals 0, and the discussion can be conducted for each index j. Then, with the circuit of the original objective function, we can establish the constraint on the partial sum. Note that this constraint can be converted into Boolean equations in cnf, and we finish the closer encoding for the second case. The discussion for the two remaining cases are similar. The advantage of this encoding method is they do not climb new variables, and the number of clauses is reduced. In the next part, we will show the accelerating effect of the encoding method. Since we generalize the bounding condition, we can create CR2 minus 1 bounding conditions. So, the problem is which sets of bounding conditions potentially result in extraordinary advances. The following tasks are implemented on a PC. We take the distinguishing searching problem of GIFT64 as an illustration. We compare the runtime for solving set problems with different sets of bounding conditions. We set the goal as searching for the optimal differential trials with a minimum number of active S-boxes for GIFT64 from 1 round to 28 round. The runtime for the standard set method with no bounding condition is about 4300 seconds, which is the benchmark for the accelerating effect. In the following, we use this notation to represent the bounding condition from the R1 round to the R2 round. In the first test, we consider the set of bounding conditions with the same initial or terminal round. A comparison of the runtime is illustrated in the figure. From the results, we note that all the 56 sets indeed shorten the runtime, thus the automatic search with the set method can be accelerated after integrating some of these bounding conditions. Besides, it also can be notified that the degrees of improvements for different sets exhibit parent variation. The sets say 0 star and say star 27 result in better performances. The second test checks the units of multiple sets defending the first test. As in the figure, all the 54 sets achieve improvements on the runtime in almost equal measure. Probably, we cannot significantly improve the runtime with 0 star and say star 27 by combining multiple sets. Besides, this test indicates that adding all the bounding conditions into the set problem does not always give the best performance. Furthermore, the union sets U, R star and U star, R with R being a small integer might have good performances. The third test concentrates on the set of conditions covering the same number of rounds. From the runtime illustrated in the figure, we note that this kind of sets speeds up the search only when the value of R is relatively small. The performance is getting worse with the increasing value of R since long bounding conditions cannot be united into the search of short trail. By the way, when R takes relatively small value, the performance is not bad. Now, we summarize the strategy on how to select the sets of bounding conditions. First of all, we think the two sets say 0 star and say star R minus 1 as the first choice and are more likely to show remarkable improvements in the runtime over the standard method with no bounding condition. Secondly, if the performance with these two sets do not meet the requirement, the union sets U, R star and U star, R with R being a small integer was a short. The last thing we want to mention is that we also studied the efficiency of sets with randomly drawn bounding conditions and evaluate the outcome. The accelerating effect is not visible when the number of conditions in the set is not adequate. Therefore, we do not recommend using random set. According to a considerable amount of experiments for different primitives and our experience, these strategies can be generally applied to various block ciphers even though these ideas are explained with the test on gift 64. Now, we look at the application of the new method to several block ciphers. For present, we obtain full information about differential active S-box, differential probability, linear active S-box and linear correlation from 1 round to 31 round. As far as we know, we are the first one to provide all these results. Compared to the round time with MLP, the new method achieves significant improvements. This is the test result for gift 64. This page illustrates the test result for rectangle. They also apply the accelerating method to two fixed-tail ciphers. The first one is help log. The second one is string. For this ciphers, we obtain complete bounds on the number of active S-boxes, the differential probability as well as the linear correlation. For all versions in the semi-family of block ciphers, we obtain the full learning of differential probability and linear correlation. We claim that the result of the linear correlation is heuristic. The acceleration method is also practiced on all versions of spec-family of block ciphers. Our results reach the maximum length of differential and linear trail among all methods targeting the optimal trail. We also use the acceleration method to evaluate the cipher with 128-bit block size gift 128. We get complete knowledge of active S-boxes from one round to 40 rounds. Moreover, we discover the optimal differential trails for up to 29 rounds and the optimal linear characteristics for up to 25 rounds. Notice that the acceleration method also can be utilized to speed up the search of related k differential characteristics. With this method, for gift 64, we discover an 18-round related k differential trail with probability 2 to the minus 58. With the 18-round detinguisher, we launch a related k differential attack on 26th round gift 64. Now we finish all the contents in the paper and give a conclusion. In this work, we first propose a novel method to encode method's bounding conditions. Then we provide a direction for the selection of the bounding condition. With the new method, we obtain complete bounds about differential and linear characteristics of multiple servers. Moreover, we give a related k differential attack on 26th round gift 64. Lastly, we note that our result is far from threatening the security of gift 64 since the authors recommended users to double the number of rounds under the related k attack setting. That's all for the presentation. Thank you for your attention.