Hello and welcome, my name is Johannes Erlacher and I am going to present the work I did together with Florian Mendel and Maria Eichlseder on Bounds for the Security of Ascon against Linear and Differential Cryptanalysis. I want to start off with a short note on the motivation behind our work. Over the last couple of years, designs with weak alignment have become more and more popular. We see this, for example, in multiple proposals for the NIST Lightweight Cryptography Project. Designs like Xoodyak, Ascon or ISAP all have weak alignment and larger state sizes. For designs like that, if we look at linear or differential cryptanalysis, we usually see a gap between the proven bounds and the best known characteristics. For Ascon, for example, we only have bounds up to three rounds, while we have found characteristics far beyond that. This holds for the differential case, as can be seen here, but also for the linear one. These bounds are usually proven by means of MILP, SMT, or constraint programming models, while we search for good characteristics using heuristic search tools. With this in mind, I want to focus on recent developments in the encoding of cryptographic primitives as pure Boolean satisfiability problems. Sun et al., for example, have proposed efficient encoding methods for cryptographic functions as part of their analysis of several designs, which is also part of this conference here. We used these encoding methods to derive linear and differential models of the Ascon permutation and were able to verify existing bounds very efficiently. Unfortunately, though, we were not able to extend those bounds to more rounds. At the same time, there are also steady developments in the implementation and design of existing Boolean satisfiability solvers. But not only that, there are also new approaches utilizing multiple solver instances in parallel. We evaluated some of those approaches, but unfortunately did not see any major runtime improvements there.
Therefore, we started to think about a manual parallelization approach utilizing these new encoding methods, with the goal of proving new bounds for the Ascon permutation. Such an approach would need to partition the search space into many independent problems. These problems could then be tackled in parallel utilizing multiple solver instances. To keep the runtime reasonable, we further want to reduce the complexity of these individual tasks. We can do this by optimizing the approach itself, but also the underlying SAT model we are using. Before I go into more detail on the approach, I want to introduce Ascon, the target of our evaluations. The Ascon family builds upon a permutation used in sponge or duplex constructions. This permutation is defined on a state of 320 bits consisting of five 64-bit words, as can be seen on the slides here. This state is transformed over several rounds by two main layers: a substitution layer, which is applied column-wise and provides confusion, and a linear layer, which provides diffusion within each of the five words. These two layers are repeated over several rounds, where the number of rounds depends on the variant in which the permutation is used. The most common configurations are 6, 8 and 12 rounds, with a single-round configuration used within ISAP. To give you a little bit more detail, the linear layer provides diffusion within each word by applying a linear function. This linear function is defined as a bitwise XOR over rotated versions of each word. The substitution layer, on the other hand, uses a 5-bit S-box, applied 64 times column-wise. This S-box has a maximum differential probability of 2 to the power of minus 2, with a maximum linear bias of the same magnitude. Our approach requires us to model these layers as Boolean satisfiability problems. Therefore, we follow the approach from Sun et al. For us, each intermediate state bit is represented by one Boolean variable.
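To make these two layers concrete, here is a small Python sketch (my own illustration, not our actual SAT tooling). The rotation constants and the 5-bit S-box table are the ones from the Ascon specification, and the difference distribution table it computes is exactly the table whose nonzero entries a differential model admits.

```python
MASK = (1 << 64) - 1  # the state words are 64 bits wide

def ror(x, n):
    """Rotate a 64-bit word right by n positions."""
    return ((x >> n) | (x << (64 - n))) & MASK

# Linear layer: each word is XORed with two rotated copies of itself.
ROTATIONS = [(19, 28), (61, 39), (1, 6), (10, 17), (7, 41)]

def linear_layer(state):
    """Word-wise linear diffusion layer on the five 64-bit words."""
    return [x ^ ror(x, a) ^ ror(x, b)
            for x, (a, b) in zip(state, ROTATIONS)]

# The 5-bit S-box, applied 64 times column-wise across the five words.
SBOX = [0x04, 0x0b, 0x1f, 0x14, 0x1a, 0x15, 0x09, 0x02,
        0x1b, 0x05, 0x08, 0x12, 0x1d, 0x03, 0x06, 0x1c,
        0x1e, 0x13, 0x07, 0x0e, 0x00, 0x0d, 0x11, 0x18,
        0x10, 0x0c, 0x01, 0x19, 0x16, 0x0a, 0x0f, 0x17]

def ddt():
    """Difference distribution table: ddt()[din][dout] counts the
    inputs x with SBOX[x] ^ SBOX[x ^ din] == dout."""
    table = [[0] * 32 for _ in range(32)]
    for x in range(32):
        for din in range(32):
            table[din][SBOX[x] ^ SBOX[x ^ din]] += 1
    return table

# The best nonzero transition covers 8 of 32 pairs, i.e. probability 2^-2.
MAX_DDT = max(t for row in ddt()[1:] for t in row)
```

A differential model of the substitution layer only admits input/output difference pairs with a nonzero DDT entry, and `MAX_DDT / 32 = 8/32` is the maximum differential probability of 2 to the power of minus 2 mentioned above.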
Therefore, the encoding of a layer can be seen as a Boolean function with 320 input and output variables. If we look at the encoding of the substitution layer, for example, this encoding restricts the input and output variables such that they are only allowed to represent valid entries in the DDT or LAT of the S-box, respectively. Since we are interested in finding new bounds, we also need to represent the weight of the S-box transitions in some way. Therefore, we encode an additional 64 variables representing the S-box activity in each round. This set of variables can then be used to limit the total number of active S-boxes in our model. The linear layer, on the other hand, simply constrains its input and output variables such that they represent the linear function I presented earlier. With this general overview, I want to continue with our manual parallelization approach. In order to prove the nonexistence of any characteristic up to a certain number of active S-boxes, one needs to consider all possible characteristics within the search space. To utilize multiple solver instances, we need to derive independent subproblems from this search space. Each of these problems should then cover as many cases as possible while still being efficiently solvable. One potential idea for this is to categorize characteristics by their S-box activity. We can observe that multiple characteristics share a common S-box activity pattern within certain rounds. In order to derive a partitioning approach from this, I want to introduce the concept of the girdle pattern. The girdle pattern for us is the S-box activity within the round with the fewest active S-boxes. For example, I have included here the S-box activities of the currently best-known differential characteristic over four rounds of Ascon. Round two is the girdle round, with its girdle pattern for this specific characteristic. It has a total of three active S-boxes, which we refer to as the girdle weight.
For this specific characteristic, round three also fulfills our definition of the girdle round. In order to derive a partitioning from this, we fix a specific girdle pattern in a specific round in our SAT model. If we run this model, we simultaneously check all characteristics which have this specific girdle pattern in this specific round. To give you a little bit more detail on the properties of this approach: the girdle round of a characteristic can be any round, so for our partitioning, we need to consider every girdle pattern in every round. The second point I want to make here is much more interesting. Since the girdle round requires all other rounds to have at least as many active S-boxes, there is, conversely, an upper limit to how many active S-boxes the girdle round can have. So we do not need to consider all possible patterns, but only those up to the maximum weight of the girdle round. To give you an idea of this, let's take the example of four rounds with a bound of at most 35 active S-boxes. For this, we would need to consider all possible girdle patterns up to a weight of 8. This gives us a total of 2 to the power of 32 different patterns we have to consider. Each of those patterns would then need to be fixed in our model in each of the rounds and run as a separate experiment. With this, we have achieved the partitioning of our search space, but we still have open questions. First of all, we now have a huge number of individual checks to make; probably we can reduce this number. Second, the complexity of these individual subproblems is still relatively high, because the complexity of our model grows with the number of rounds we have to encode and also with the bound we have to encode. Therefore, I first want to consider rotational symmetries in the Ascon permutation.
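As a quick back-of-the-envelope check of that count (my own sketch, not part of our tooling): a four-round characteristic with at most 35 active S-boxes has some round with at most floor(35/4) = 8 of them, and counting all 64-bit activity patterns of weight 1 to 8 indeed lands at roughly 2 to the power of 32.

```python
from math import comb, log2

# The girdle weight is at most floor(35 / 4) = 8 for a 4-round
# characteristic with at most 35 active S-boxes, so we count all
# 64-bit activity patterns with 1 to 8 active positions.
patterns = sum(comb(64, w) for w in range(1, 9))
print(f"{patterns} patterns, about 2^{log2(patterns):.1f}")
```

This prints 5130659560 patterns, about 2^32.3, which matches the 2 to the power of 32 figure above.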
We can observe that characteristics for the Ascon permutation are actually rotationally invariant. This means that rotating each word of a characteristic by a constant value gives us an equivalent valid characteristic. This property also applies to our definition of the girdle pattern. For example, if we take the internal states I have included here on the slides over one round of Ascon and shift them by 3, we get an equivalent characteristic in terms of structure and weight. With this in mind, we can eliminate duplicates from our search space, and we do this by applying necklace theory. Necklace theory can be used to enumerate all rotationally unique patterns of a certain length with a given weight. For us, this length is 64, given the S-box activity, and the weight is defined by the different weights we have to check for each girdle pattern. Overall, this reduces the number of patterns we have to check by a factor of 2 to the power of 6 and gives us a rotationally unique set of girdle necklaces, which removes redundant checks from our search space. With this, we only have to solve the last problem, which is to reduce the complexity of the individual subproblems. For this, we can make another observation. Consider a characteristic over, for example, four rounds with its girdle pattern in the first or second round. These characteristics share a common precondition, namely that they must contain a partial characteristic over three rounds with this specific girdle pattern in its first round. A similar property holds for a characteristic with its girdle pattern in the third or fourth round. With this in mind, we can first check all the patterns over three rounds only, and only if this precondition holds do we consider them for full-round checks in their specific cases. This reduces the model complexity in two ways.
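The necklace counts themselves can be reproduced with the standard counting formula via Burnside's lemma (a small sketch; the helper names are mine, not from our tooling).

```python
from math import comb, gcd

def phi(n):
    """Euler's totient function (naive, fine for n <= 64)."""
    return sum(1 for k in range(1, n + 1) if gcd(k, n) == 1)

def necklaces(n, k):
    """Number of binary necklaces of length n with exactly k ones,
    i.e. rotationally unique activity patterns of weight k."""
    g = gcd(n, k)
    return sum(phi(d) * comb(n // d, k // d)
               for d in range(1, g + 1) if g % d == 0) // n

# Total number of girdle necklaces for all weights from 1 up to 8.
total = sum(necklaces(64, w) for w in range(1, 9))
print(total)
```

For weight 8 this gives 69159400 necklaces instead of C(64, 8) = 4426165368 raw patterns, a reduction by almost exactly 64 = 2^6, and the printed total over all weights up to 8 is 80167208, about 2^26.3.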
First of all, it reduces the number of rounds we have to encode. Second, since the girdle round requires all other rounds to have at least as many active S-boxes, we can also reduce the bound we are checking in this reduced model by the weight of the girdle round. So now we have a partitioning without redundant checks, and with this prefiltering approach we can check all our patterns with reduced complexity first, and afterwards only consider certain rounds instead of all of them. Finally, I also want to mention that in our paper we describe further optimization approaches, like combining similar subtasks into one, and an evaluation of different methods to encode the bound in our SAT model. I want to continue with the results we were able to acquire using this new approach, starting with a new bound for four rounds of Ascon. Our goal here was to prove at least 36 active S-boxes over four rounds. We therefore need to consider all girdle necklaces with weights up to eight. This gives us a total of 2 to the power of 26 different patterns we have to consider. We first do our prefiltering over three rounds, checking all these patterns in the first and third round. This prefiltering is very successful, because only very few patterns actually fulfill the precondition: around 4,000 patterns remain for the differential and linear case each. These patterns show an interesting difference in their distribution between the linear and differential case. In the differential case, the lower-weight patterns are favored in the initial round, while the linear case favors the lower-weight patterns in the last round. This makes intuitive sense, since the diffusion in the backwards direction is much larger in the linear case. These prefiltered patterns are then, of course, rechecked over the full four rounds for the respective cases. Overall, these experiments took around 600 CPU days for the linear and differential case each.
We executed those experiments in around half a week on 176 cores. The runtime is dominated by the prefiltering checks for patterns of weight eight, which makes sense, since they contribute the largest number of individual patterns. Overall, we can conclude that we did not find any satisfiable instances, and therefore a single characteristic for four rounds of Ascon must have at least 36 active S-boxes. With this new four-round bound, we wanted to extend our approach to even more rounds and therefore target a six-round bound for Ascon as well. For this, we can make the observation that any characteristic with at most 53 active S-boxes over six rounds must contain a partial characteristic with fewer than 27 active S-boxes in its first or last three rounds, as visualized on the slides here; since 53 is less than 2 times 27, one of the two halves must have at most 26 active S-boxes. For this, we can additionally reuse our prefiltering results from the four-round experiments, since these already covered this bound of fewer than 27. The only thing we have to do is extend those prefiltering results to the second-round case, since we previously only considered the first and third round. With this in mind, we can do the following: we consider all prefiltered patterns over three rounds and check these patterns, in their respective case, in the first and second half of the six rounds. This means, for example, that a pattern prefiltered in the first round over three rounds would then be rechecked over six rounds in the first and fourth round. A similar case applies to the second- and third-round patterns as well. If none of these checks yield a satisfiable instance, we can conclude that this bound holds as well. We did all of those experiments in around 60 CPU days for the linear and differential case each. The prefiltered patterns we had to consider were around 6,000 for each case, so the additional second-round prefiltering results contributed around 2,000 patterns to each case.
In conclusion, we can say that we did not find any satisfiable instances, and therefore this bound of at least 54 active S-boxes over six rounds of Ascon holds as well. With these new bounds established, I want to take a look at the implications for Ascon. From our results, we can derive three new interesting bounds, namely a 6-, an 8- and a 12-round bound. First of all, let's take a look at the authenticated encryption schemes. There, the initialization and finalization phases both use 12-round configurations of the permutation. Our 12-round bound of 3 times 36, so at least 108 active S-boxes, each contributing a probability of at most 2 to the power of minus 2, is almost certainly not tight, but it already provides an ample security margin for 128-bit security there. The data processing, on the other hand, uses six- and eight-round configurations. There, we can only make the argument that, with the data limit of 2 to the power of 64 encryption blocks per key, it is very unlikely with our new bounds to find right pairs among those queries. But we are working towards extending the six-round bound to a probability of at most 2 to the power of minus 128. Finally, I want to mention Ascon-Hash and Ascon-Xof. These are unkeyed modes and are therefore hard to evaluate based on probability. We can make the intuitive argument that, assuming 2 to the power of 128 attempts utilizing all the degrees of freedom the rate provides, so 64 bits, an attacker could exploit a characteristic with a probability of up to 2 to the power of minus 192, while our 12-round bound, which is almost certainly not tight, already implies a probability of at most 2 to the power of minus 216. This gives confidence in the resistance of those schemes against such attack vectors. With this, I want to give an outlook on potential future work. A bound of at least 40 active S-boxes over four rounds should be possible with our approach. We estimate a runtime of around 6,600 CPU days, which was unfortunately beyond our computational budget. Another interesting bound would be at least 64 active S-boxes over six rounds, which I already mentioned.
This might only be possible if we restrict ourselves to certain constrained characteristics, though. Since our bounds are almost certainly not tight, we did not specifically evaluate probability bounds, but the modeling techniques by Sun et al. are most certainly able to derive such models as well. Finally, I want to mention the application to other designs. There are other designs which share a similar structure with Ascon, and some designs have this rotational invariance property as well, so our approach is generally applicable to other designs too. To summarize, I have presented a manual parallelization approach with which we were able to derive new bounds for the Ascon permutation, namely a bound of at least 36 differential or linear active S-boxes over four rounds, as well as at least 54 differential or linear active S-boxes over six rounds. These bounds are almost certainly not tight, but they are enough to support trust in this permutation. With this, I want to thank you for your attention and have a nice day!