 And everyone, this is the full presentation for the paper, efficient search for optimal diffusion layers of generalized testing networks. I am Baptiste Lombarra and this is a concern work with Patrick Derbez, Pierre-Anna Fouk and Victor Molima. So we talk about generalized testing networks. So it's one of the main construction to build blog ciphers. And the idea is that we have several fests in parallel so that you can see here on the picture with different f-function which depends on the key. And then to mix everything together, we simply have a permutation pi which is applied on each block of the state. So this construction is quite well known and the main advantage is that it's very cheap to implement because you only have to implement a bit permutation, the f-functions and a few works of unbranching. But a small issue is that it has a slower diffusion compared to, for example, SPN. But this is actually what I will talk about in this talk. And to make things a bit easier, I will first and immediately forget about the definition of the f-functions because we actually don't need them in this work. So I only consider that there is some function as you can think of it in just an S-box. The key is added to the state in some way. We don't really care. We are only interested here in the permutation pi. What we are interested in is the diffusion round. So what is this diffusion round? The idea is that we will examine how each block from the plaintext diffuses to the different blocks of the safer text. So for example, if I take the first block here in red and I see how it diffuses to other blocks, I just need to see what propagates through each round of the safer. So I see that this first block is diffused to these two blocks after two rounds. And then after three rounds, it's diffused to these three blocks. And then I keep going on and on until I reach full diffusion. So until each block here at the output depends on this first block. And I see that I need six rounds for this specific block to fully diffuses. And then I can do it for the next block. And for this one, I only need five rounds to reach full diffusion. And I can keep going for each other. So this diffusion only depends on the permutation pi, so which is why we forget a bit about the functions. It's quite interesting because it's tied to some bounds on the security against, for example, impossible differentials and integral attacks. And we can do it for encryption, so from plaintext to safer text, but also for the decryption, so from safer text to plaintext. And again, you can take one block and see how plaintext block depends on one specific output block. So here I need five rounds to have full diffusion from this block to the output. And I can do it again. And in this case, so we say that the diffusion round is six, because the maximum number of rounds we need to have full diffusion for each block both from input to output and from output to input is six. So this diffusion round has been studied a bit before. The first work about it was done by Suzuki and Minimatsu at FSC 2010. They especially gave a lower bound on the diffusion on the permutation depending only on the number of blocks. And they also did an exhaustive search for a number of block up to 16. And what they observed is that each and every optimal permutation in this specific case of 16 block is even other. So I will detail a bit later what we mean by your even odd permutation, but this is why we focus on this class of permutation later on. And what they also did is give a generic construction such that the diffusion round of the permutation is guaranteed to be two times the logarithm of k. But in general, this generic construction is not optimal, but still it was thought to be quite good at the time. And then last year, Koshua et al. went a bit further and by using an equivalence relation for even odd permutations, they were able to find all optimal even odd permutations for 18 up to 26 blocks. And they were also able to find some good candidates for 32, 64 and 138 blocks. But especially the one for 32 blocks was actually already known from the work before by Suzuki and Minimatsu. And so we still have this problem. Is this permutation on 32 block optimal? And why do we ask ourselves this question is because the diffusion round for this permutation is 10. So we have 10 rounds to read full diffusion, but the lower one that Suzuki and Minimatsu gave indicates that for 32 blocks, maybe we could have some permutation reaching full diffusion in nine rounds. So what we did in this work is we actually solved this problem which holds since 10 years, and we actually showed that this permutation was actually not optimal. And to do so, we provide a new characterization for the diffusion round, and especially this leads us to a very efficient algorithm to search for optimal even odd permutations. Again, we only focus on even odd permutations. And this allows us to give us new results on 28 up to 42 blocks. And we will not talk much about it in this presentation. You can check the paper for quicker structural security evaluation for all permutations we found. So I keep talking about even odd permutation. So if you represent your permutation as a list of integer from 0 to k minus 1, where k is the number of elements, then an even odd permutation is a permutation such that every even number is sent to an odd number and vice versa. So if we have, for example, this permutation pi here, we can split it into two parts, so further even parts, which we denote by p, and p is defined such that the image of an even number 2 times i by the permutation pi is equal to 2 times p of i plus 1. So you can clearly see that every image through pi of an even number will be odd. And in the same way, we can divide the odd part of the permutation, which we denote by q. And again, this is defined as the image through pi of 2 times i plus 1 is equal to 2 times q of i. So in the rest of this talk, I will only consider even odd permutations. And I will exclusively use the notation p and q instead of pi, because that's actually a way to denote an even odd permutation that we exploit. And so what we can take a look at is what happens if we have an ideal diffusion. So assuming that we examine the diffusion of one block of index 2 times j, what happens if we just look at how this block diffuses and we assume that there is never collision. So we always reach different blocks. So we start from an input block 2j. And after the first round, since it's even, it's only diffused to actually the same block. So not much to say here. Then we apply the permutation p, because it's even, and then we land on an odd block. And now, since we are on an odd block, well, this one will diffuse us to two blocks, so one even and one odd block. And we can keep going like this until several rounds. And for example, after five rounds, we can see that these blocks 2 times j diffuses especially to these blocks 2 times j50. And we can actually compute j50 as p times p times p times p of j. And we can keep doing this. So we can see that it also diffuses to this one. And et cetera until we examine all of them. So you can see here that I only focused on diffusion from an even block to an even block. And we show in the paper that this is actually sufficient. And what this gives us is what we call the diffusion set. So the diffusion set here, j5j, is the diffusion set for five rounds. And the diffusion set is this set of expressions. And CIG is that the block of index 2 times j will diffuse us to every block of indexes contained in this diffusion set. So if the diffusion set contains every element, then we will have diffuse to each possible block. And we actually reach full diffusion. So if we take a look at something maybe a bit more visual here, on the first column, I wrote the diffusion set for seven rounds. So it's, again, only expression depending on p and q. And in the remaining column, I evaluate this diffusion set on different value of j for the cyclic shift permutation. So you only shift each block of one index to the right and it cycles at the end. And you can see that, for example, if I evaluate the diffusion set on the first blocks of index j equals 0, then the diffusion set only contains four different elements, which means that this block will only diffuse to four blocks. And we are in the case of k is equal to 8. So if we want full diffusion, we will need to diffuse to actually eight blocks. So you can clearly see that the cyclic shift does not reach full diffusion after this many rounds. And you can check again for the other value of j. But again, this one does not diffuse fully. And this is actually just a case for every block using the cyclic shift. On the other hand, if I use an optimal permutation, which reach full diffusion, then you can see that if I evaluate for the same permutation set, the same diffusion set, one doesn't change this. But if I now evaluate this diffusion set on the first block, then you can count, but trust me, each and every element is reached. And each and every element belongs to this diffusion set. So we have eight different elements. We have all possible different elements. So this permutation actually reaches full diffusion. And this is also the same for each subsequent block. So using this characterization, this diffusion set, how can we search for an optimal permutation? So just to first give it a very generic idea, the first thing is that we use back the equivalence relation proposed by Koshua et al. last year. And the idea of this equivalence relation is that from the k factorial squared, even odd permutation in total, we can reduce it to nk times k factorial, where nk is the number of partitions of integral k. Essentially, it's the number of cycle structure for permutation of nk. And to give an idea, for example, with 32 blocks, this means that we only have 2 to the 52 permutation instead of 2 to the 88 permutation to consider, which is already quite a nice reduction, but still a bit high. So the main idea to actually find optimal permutations is to use two things. So first, I would give a bit more details afterwards. But if we guess some elements in the diffusion set, for example, J8, or after 8 rounds, actually by computing these elements here in red, we already have information to compute the information in another diffusion set on block P of J. So this is very useful because it means that we can actually save some computation to not make redundant guesses. And using this and a branch and one approach, we can actually go through every permutation in some sense. So we don't examine each of them one by one, but we can actually prove that we went through all possible permutations and find optimal permutations. But to give them in more details, I first need to give some observations. So first, we give a bit of details in the paper. But checking the diffusion set of a given permutation is very easy and can be very efficiently implemented with stable lookups. So this means that for a number of blocks up to 26, we can actually just do a very naive, exhaustive search or going through each permutation one by one and check if the diffusion set contains all elements to check for full diffusion. So this does not give new results because it was already known from the previous work. But it shows that we can actually do something very simple to check off all of these cases. So what we decided was to focus on 28 up to 42 rounds for which the lower bound to reach full diffusion is nine rounds for each of these cases. And the main idea for our algorithm is that we will fix P with a given cycle structure. So this is according to the equivalence relation. I will refer you to the paper for full details. And we actually search for Q using this P such that we actually have full diffusion. And the issue is if we want to check if we have full diffusion, we need to consider, for example, the diffusion set, so J8 of J for block J. But computing this diffusion set requires to know almost all of Q. So it's not very efficient to just guess Q and compute this diffusion set and see if we have full diffusion. But what we can observe is that computing the diffusion set for a given number of rounds actually requires us to compute the diffusion set for any lower number of rounds. That means that the diffusion set J8, by computing this set, we will actually also compute the diffusion set for 7, 6, 5, et cetera rounds. And another thing is some computation between two diffusion sets for the same number of rounds but for two different blocks can be the same. And this is what I mentioned a bit earlier. Another observation is that if we know the permutation being and computing the diffusion set for six rounds, only it requires us to make seven guesses on Q. This is not a lot considering that Q is at least of size 14, so we need at most half of Q. And then if we want to compute the diffusion set for the block P of J, then we only require to get at most three additional guesses on Q. Because as I said, we already have some information from the first seven guesses on Q, and we can show that if we want the diffusion set of the block P of J, then we only need three more guesses. So what we can do is that we can see that the diffusion set for six rounds can be written as the union of two disjoint set X and Y. And we can write the diffusion set J8 as the following expression depending on X and Y. And it would become a bit clearer why we use this expression in the next slide. So how do we search for optimal permutation? So as I said, we first start with making our seven guesses on Q to compute the diffusion set for block J for six rounds. And we split this diffusion set into two parts, such that we can write our diffusion set for eight rounds this way. And remember that we fixed P, so we know the permutation P, and we know the diffusion set J6, so we also know X and Y. So this means that the first set here, P squared of X, J, and Y, is actually fully known. We know all of these elements. We can compute them. And since they are known, we will put them in a set KJ. Then in the next set, we made some guesses on Q, and we know P. So maybe we actually know some elements in P times Q of X. And these known elements will be put also in KJ. And the other ones will be put in another set, so X tilde, which is defined as the elements for which we do not know the image of X through Q. And for the next set, we can do the same, except that this one is the reverse. It's not P times Q. It's Q times P. And again, some elements might be known. And for the other ones, we put them in a new set, Y tilde, which are elements of P of X and Y, such that Q of X is known. So we can write now after having done these seven guesses on Q, we can write our diffusion set J8 as K of J. So elements that we know, union P times Q of X tilde, union Q of Y tilde. And if we have full diffusion for the block J, what it means is that we have the following constraint. So we have that the size of this diffusion set is at least K. We have at least K elements. So what we do is that we set this constraint. So we keep this constraint somewhere. And like I said earlier, we keep making guesses on Q to compute the diffusion set for another block, and especially for the block P of J. And by doing so, and doing the same thing I described for the block J, we can get another constraint C and J prime, where J prime is P of J. And what we do is that, according to the guesses on Q, we will also update and check the constraint C of J and see if it can hold. And I refer you to the paper to see how we can check if a constraint can still hold considering what we already know about P and Q, because this is a bit technical. And we just keep going. We make a bit more guesses. And we keep actually building new constraint, depending on the new diffusion set we examined. And we keep going until either we were able to fully guess Q, which means that we were able to find the permutation. Or we stop when we can see that not all constraints can be satisfied, so which is possible with how we evaluate the feasibility of these constraints. And if we are in this case, so one constraint cannot be satisfied anymore, we just go back into search tree and make another guess and keep going. So, overall, what did we do? So we provided this new characterization for the diffusion around in a generalized testing network, so this diffusion set. And using this, we were able to design a very efficient search algorithm, which is highly parallelizable. So it's just a branch and bound, so it's very easy to parallelize. And for example, we need at most one hour for each case or for each number of blocks on our 72-side server. And in terms of concrete results, so the first one is that for 28, 30, 32, and 36 blocks, the optimal number of rounds for diffusion is nine. And we found all optimal permutation reaching this diffusion round of nine. And especially, we can see that this includes the case of 32 blocks, for which we didn't know before what was the optimal. We had the permutation for 10 rounds, and we showed that this permutation was not optimal, and we can actually do better. For 34 blocks, our algorithm was able to show that we have no permutation reaching full diffusion over nine rounds. So it means that, at best, we could read full diffusion in 10 rounds. And we were actually able to find some permutation reaching full diffusion in 10 rounds. So we know that, for this specific case, the optimal number of rounds to reach full diffusion is 10. And finally, for the remaining cases, our algorithm was also able to show that there is no permutation reaching full diffusion in nine rounds. But the best we were able to find was permutation reaching 11 rounds. So there is still a question about, is it possible to reach full diffusion for these cases in 10 rounds, which will give us an open question? And, of course, another open question is, can we keep going even further on the number of blocks? But in our case, with this algorithm, it was a bit quite hard, because the complexity of the search begins to be very high. So thanks for listening. And if you have a question, you can ask them on the Zulip chat, which I guess will happen. And otherwise, see you during the live talks of FSE 2020.