Okay, so the second talk is entitled "Automatic Search of Bit-Based Division Property for ARX Ciphers and Word-Based Division Property". So the authors are Ling Sun, Wei Wang and Meiqin Wang, and Ling Sun is going to give the talk.

The title of our paper is "Automatic Search of Bit-Based Division Property for ARX Ciphers and Word-Based Division Property". And it is a joint work with Professor Wei Wang and Meiqin Wang.

Firstly, I will introduce the background, the motivation and contributions. Division property was first proposed by Todo at EUROCRYPT 2015. It was originally used to search integral distinguishers for block cipher structures. Due to some newly identified distinguishers, MISTY1 was broken for the first time. As a special case of division property, bit-based division property was first proposed by Todo and Morii at FSE 2016. We also consider bit-based division property using three subsets to improve distinguishers for the block cipher SIMON32. The first automatic search of bit-based division property was proposed by Xiang et al. at ASIACRYPT 2016. They applied the MILP method to realize the automatic search. After that, many works about automatic search relying on MILP and CAP emerged in succession. Some recent related works can be found at CRYPTO 2017. Based on division property, Todo et al. proposed cube attacks on non-blackbox polynomials. In order to find integral distinguishers for ARX ciphers, we construct an MILP model to describe the modular addition operation.

The motivation of this paper was originally to search division properties for SHACAL-2 under the MILP model. However, the MILP optimizer Gurobi didn't return a solution for a long time. On the other hand, we found that in the search of differential and linear characteristics for ARX ciphers, SAT or SMT-based methods perform better than MILP-based methods. It is worth exploring whether methods based on SAT or SMT can be constructed and give better performance for ARX ciphers.
Although the search of bit-based division property takes advantage of more details, it is infeasible to propagate it for block ciphers with large state and complicated operations. So we also consider constructing automatic tools to search word-based division property.

The contribution of this paper can be summarized in the following aspects. Firstly, we propose an automatic tool to search integral distinguishers for ARX ciphers based on bit-based division property. Then, in order to identify the optimal distinguisher efficiently, we propose a search strategy. Then, we construct an automatic tool based on the SMT method for the search of word-based division property. With these new automatic tools, we obtain some new distinguishers for some ciphers.

Now, we recall some necessary preliminaries. Firstly, there are some notations. For an n-bit vector, the i-th element is denoted as a_i. The Hamming weight, the bit positions are labeled in big-endian. The Hamming weight is calculated by the summation from i equals 0 to n minus 1 of a_i. For a multi-dimensional vector, the vectorial Hamming weight is defined as the composition of every component's Hamming weight. For two vectors k and k′, we say that k is greater than or equal to k′ if every component k_i of k is not less than k′_i.

The concept of division property is based on the definition of the bit-product function. For two n-bit vectors u and x, the bit-product function π_u can be defined with this equation. It means that they take the product of some particular bits of x which are indicated by the non-zero elements of u. For a multi-dimensional vector, the bit-product function can be defined similarly.

The definition of division property is used to describe the property of a multiset. Suppose that x is a multiset that takes values from this space. For an n-dimensional vector u, we want to evaluate the parity of the bit-product function over the multiset x.
The division property actually divides the whole space of u into two parts. If u drops into one particular part, the parity will always be even, and if u drops into another part, the parity is unknown. This part is what we are interested in, and this property can be used to construct this equation. Bit-based division property is a special case of division property, where every l_i is restricted to one, which means that we divide the underlying space into a series of binary fields.

The propagation of division properties through different operations is based on different propagation rules, and these rules can be found in some previous work, and we do not repeat them here. Like the definition of differential and linear characteristics in differential and linear cryptanalysis, the concatenation of r plus 1 division properties of internal states constitutes an r-round division trail. And the last vector in the division trail is what we are interested in, because it indicates the division property of the output multiset. With the propagation of division property round by round, they will eventually get a set without integral property. Proposition 1 can decide whether a set has integral property or not, and in the automatic search, it helps us to determine when to stop propagating. Suppose that x is a multiset; x does not have integral property if and only if its division property k contains all vectors with vectorial Hamming weight 1.

Now we focus on the first contribution of this paper, the automatic search of bit-based division property for ARX ciphers. This is a simple illustration of our automatic tool. Just like other works about automatic search, we first need to construct SAT models for some basic operations so that we can transform the search problem for an objective algorithm into formulas in conjunctive normal form. And then the initial division property and stopping rule need to be added.
After that, we invoke the SAT solver to solve the SAT problem and give some of the time distinguisher.

Now, we focus on the construction of the SAT model. We want to construct a series of logic formulas, and these formulas are transformed from propagation rules. All the solutions of these formulas correspond to all possible division trails for the Copy operation. The following logic formulas are sufficient to describe all possible division trails. We also evaluate the propagation rules for the AND and XOR operations and construct SAT models for them respectively. The construction of this logic formula takes exclusion measures.

In order to construct a SAT model for the modular addition operation, x, y, z are n-bit vectors. We first write the Boolean function of z_i in an iterated way. Every z_i equals to x_i XOR y_i can be iterated way. And the Boolean function of z_i also can be expressed in an iterated way. We observe that the modular addition operation can be divided into a series of Copy operations, XOR operations and AND operations. Since we already have SAT models for these basic operations, we can construct a SAT model for the modular addition operation. In order to realize this work, we need to introduce some necessary intermediate variables. Model 4 is used to describe the modular addition operation.

In ARX ciphers, we also need to consider the cases where the modular addition operation operates between a variable and a constant. The constant often refers to a subkey. In order to handle this case, we need to slightly adjust Model 4 with a natural treatment.

Now we have finished the work of transforming the search problem into formulas. And then we need to add the initial division property and the stopping rule. In order to search a better distinguisher, we need to test many candidates of the initial division property. At the same time, the stopping rule requires us to test the unit vectors.
This means that formulas corresponding to the initial division property and the stopping rule should be adjusted frequently. In order to set the initial division property and the stopping rule efficiently, they propose a dynamic search. Many SAT solvers accept assumptions as parameters. And the formulas in assumptions only operate in one call. So we put the initial division property and the stopping rule in assumptions. And when we want to invoke the SAT solver under different conditions, we only need to change assumptions instead of the original formulas.

Now we have finished the framework of automatic search. But we are often interested in long distinguishers with lower data complexity. In order to find the optimal distinguisher, many candidates of the initial division property need to be tested. However, we cannot afford the computation of testing too many candidates. On the other hand, we find that many candidates can be eliminated. In order to simplify the search phase, we propose Proposition 2 and we name it the embedded property. It has an intuitive illustration. If there is no distinguisher when we traverse unbeat, then we cannot find the integral distinguisher when we traverse fewer bits.

With this proposition, we propose two algorithms. The function of the first algorithm is to determine the maximum number of optimal distinguisher and to restrict the search scope of the initial division property for the second algorithm. And the function of the second algorithm is to detect the concrete distinguisher.

This is a simple illustration of the first part of Algorithm 1. After this process, we will determine the maximum number of rounds for the optimal distinguisher. We first initialize r equals to 1 and generate formulas corresponding to r-round propagation. For all n vectors with Hamming weight n minus 1 as the initial division property and n unit vectors as the stopping rule, they invoke the SAT solver under different assumptions.
If there is at least one problem that is not satisfiable, it means that they can find an r-round distinguisher. So we update r as r plus 1 and repeat the above procedure. Otherwise, we find that there is no distinguisher under r-round propagation. So the maximum number of rounds of the integral distinguisher only achieves r minus 1 rounds, and we denote it as rn.

And we proceed to the second part of Algorithm 1. We initialize r equals to rn. For n different initial division properties and n vectors as output division property, invoke the SAT solver under different assumptions. If there is at least one problem that is not satisfiable under the initial property in i, it means that under initial division property in i, there is an r-round distinguisher. And we will add the subscript i into a set s. And then we obtain the set s, and we name s the sufficient set and the complementary set s-bar the necessary set. Based on Proposition 2, we know that all the bit positions corresponding to all elements in s-bar need to be traversed. Thus the bit positions corresponding to elements in s-bar need to be set to 1. And this is why we call s-bar the necessary set.

Now we have obtained a distinguisher with data complexity 2 to the n minus 1, and the possibility of reducing data complexity is left in the set s. If s contains only one element, there is no margin to further reduce the data complexity. And we eventually obtain a distinguisher with data complexity 2 to the n minus 1. If s contains more than one element, we proceed to Algorithm 2 to reduce the data complexity. They initialize r equals to rm and firstly set the initial division property with the bit positions corresponding to elements in s-bar set to 1. And the remaining bits are set to 0, and under n different output vectors, they invoke the SAT solver.
If there is at least one problem that is not satisfiable, they obtain a distinguisher with data complexity 2 to the n minus the size of s. Otherwise, we will gradually increase the Hamming weight until we find the optimal distinguisher.

We apply these two algorithms to analyze SHACAL-2. In order to obtain the optimal distinguisher, in total 410 different initial division properties are tested. Without Algorithm 1 and Algorithm 2, we need to test about 2 to the 8th in initial division properties. We apply this automatic tool to analyze many ciphers. For SHACAL-2, we improve the distinguisher from 13 rounds to 17 rounds. And the distinguishers for LEA are improved by one round. We also evaluate the bit-based division property for HAC and TAC.

Now we concentrate on the automatic search of word-based division properties. The main idea is similar to the bit-based one, and the slight difference is that they use the SMT method instead of SAT, because the propagation of word-based division properties needs to deal with vectors. And SMT formulas provide a richer modeling language, so that the construction of the SMT model is relatively straightforward. And they only need to translate the propagation rules directly into SMT models. These are models for the word-based Copy and XOR operations. These are for the split and concatenation operations. When we need to deal with ciphers using an MDS matrix as the diffusion layer, Model 9 can be applied. When we want to deal with other ciphers using other kinds of linear layer, they can just divide them into basic operations and construct the SMT model directly. The model for the S-box: the construction of the model for the S-box often also uses the exclusion method and we do not repeat. These formulas are used to describe an 8-bit S-box. And in order to realize a dynamic search, we also put the initial division property and stopping rule in assumptions.

We apply this method to various ciphers. For CLEFIA, they improve the distinguisher by one round.
And for Rijndael and Whirlpool, they also improve the distinguishers.

Now I will draw a brief conclusion. The main contribution of this paper is that the paper proposed two automatic search tools, in order to search for bit-based division property for ARX ciphers and word-based division property. These automatic tools are applied to improve some distinguishers for many primitives. And we think that the future work can focus on the construction of a more dedicated model. With a more dedicated model, maybe better distinguishers can be obtained. That's all for my presentation. Thanks for your attention.

So, question or comment? First of all, I have one on the conclusion page. What do you mean by the more dedicated model for the modular addition operation? So, in my understanding, your model for the modular addition operation are the two characters or the properties.

We think since they introduce many intermediate variables and treat these intermediate variables as independent variables, but actually they are not independent. So, we think maybe there are some impossible differentials introduced in this process. So, we think, we just guess, maybe a more dedicated model can be constructed and give better performance for the modular addition operation.

Okay, I see. So, improving like the system. Okay, I see. So, do you have any other question?

Are you planning to release the code that you use to generate the models?

I think they can release the code.

I like question. Okay, so then let's thank the speaker and the speakers in this session.