 Hello everyone. Today I am going to give a talk on our paper, Boomeyong: Embedding Yoyo within Boomerang and its application to key recovery attacks on AES and Pholkos. This is a joint work with Dr. Dhiman Saha and Dr. Goutam Paul. So, as we all know, cryptanalysis is the way of determining the strength of cryptosystems. And in this work, we have devised a new cryptanalysis technique, Boomeyong, which is based on two very important cryptanalysis techniques, which were introduced almost 20 years apart. One is the boomerang attack, which was introduced in 1999, and another is the yoyo attack on SPN ciphers, which was introduced in 2017. And like the boomerang attack and the yoyo attack, the Boomeyong attack is also based on the adaptive chosen ciphertext/plaintext model.

So, first let's discuss briefly about the boomerang attack. So, the boomerang attack occurs in the adaptive chosen plaintext/ciphertext setting and it is based on the divide and conquer paradigm. So, the idea behind the boomerang attack is that if we are not able to penetrate the whole cipher using the differential attack, so what we do, we try to compose two different differential trails and merge them and try to penetrate more number of rounds. So, as we can see, typically a cipher E is divided into two sub-ciphers, E1 and E0. And by employing the boomerang attack, we are trying to find a quartet of structures, P1, P2, P3, P4, which will satisfy some properties. So, for the E0 part, suppose there is a differential with probability P from alpha to beta and for the E1 part, there is a differential from gamma to delta which occurs with probability Q. So, over the whole cipher, we try to find a quartet structure. So, we start with P1, P2 and in the end we obtain P3 and P4 which will satisfy some properties and we will see now what properties it is going to satisfy. So, initially we start with a pair of plaintexts P1 and P2 which has difference alpha and we encrypt them to obtain C1 and C2.
Next, we add delta difference to both C1 and C2 to obtain C3 and C4 and we decrypt them to obtain P3 and P4. Now, what is happening in the boundary of E0 and E1, that is our main interest. So, as we can see, so over the E0, alpha is translated to beta difference and over E1, delta is translated to gamma difference. So, if this is the case, so here the difference is gamma, here the difference is beta, here the difference is gamma. So, in that case the difference here should be beta and if the difference is beta here then there is also a probability that this difference will translate to alpha difference. Now, the hypothesis is that we start with a pair of plaintexts P1, P2 with alpha difference and we will get a pair of plaintexts P3, P4 with the same difference. Now, what is the probability of such a distinguisher? So, for this plane we need to pay the probability of P and for these two differentials, for these two planes, we need to pay the probability of Q square and again we have to pay the probability of P for this plane. So, in total we have to pay the probability of P square Q square.

Now, in the boomerang attack, it is assumed that the two trails, the upper trail and the lower trail, these are independent, but later it has been shown by Murphy that actually sometimes these two trails are not independent, there is some dependency between them, and it has been shown that some attacks have been reported but later it is shown that those attacks are incompatible. Now, this dependency between the upper trail and lower trail can be exploited further to mount better attacks or to penetrate more number of rounds and this is exploited in the form of S-box switch, ladder switch, Feistel switch and middle round S-box switch, and these dependencies are more generalized in the sandwich attack. So, in the sandwich attack, in addition to E0 and E1, there is another part, that is the Em part, which is sandwiched between E0 and E1.
Now, Em captures the dependency between the upper trail and the lower trail and for that Em part, R probability is incurred. So, the whole probability of this framework is P square Q square and R. So, on the left side, the framework for the boomerang attack is shown and on the right side, the framework for the sandwich attack is shown, and as we can see in the boomerang attack, E0 and E1 are only there whereas in the case of the sandwich attack, in between E0 and E1, Em is sandwiched.

Now, what happens actually with the Em layer, if we consider Em as the S-box layer, then some important properties pop up. So, here the upper trail ends and from here the lower trail starts. So, this is basically our Em layer. Now, in the Em layer, there are two plaintexts. So, consider here these are bytes. So, consider this as an 8-bit S-box. So, this is the one byte and then there is this difference a and this is another byte and both of these are passed through the S-box layer to obtain S(x) and S(x xor a). So, there is some difference between them and b is added to both of them to obtain these two parts and then these are again decrypted. Now, what is the probability that x dash xor x double dash should be a? We have to find that. So, if this is our typical boomerang framework, if there is no dependency, so the probability that this S-box should have over this differential, that should be squared for this probability. However, there are some special cases which occur when this probability is much better than this. So, now, first of all, for the case of ladder switch, now we want to have probability A, but in the ladder switch the b is 0. So, that essentially means that this value is exactly this one and this value is exactly this one. So, in this case, the probability of x dash xor x double dash equals to a is 1. So, that means in the case of ladder switch, this occurs with probability 1. Now, in the case of S-box switch, this b is actually the difference S(x) xor S(x xor a).
So, the difference here is exactly the same as the value of b. So, in that case, this value is actually this one and this value is actually this one. So, again, that means that these two values are just interchanged from here. So, again, here, this a occurs deterministically under the condition that this b is actually this difference. So, again, we don't need to pay the probability for this plane. We have to pay the probability for this plane.

Now, we move to the second part of our attack. So, the yoyo attack, which again occurs in the adaptive chosen plaintext/ciphertext setting and it looks quite similar to the boomerang attack. So, initially we take a plaintext pair with alpha difference. We encrypt them using the round-reduced cipher to obtain C1 and C2 with beta difference. We do some operation, which is known as word swap, which we will see later what operation this one actually is, and we obtain C1 dash and C2 dash and the difference between C1 dash and C2 dash is exactly the same as this one. So, this should be again beta and we then decrypt them to obtain P1 dash and P2 dash and we take the difference delta between them. Now, we see that nu of alpha is exactly nu of delta. Now, what is this nu? We have to see that. So, first of all, how can we choose alpha in this attack? So, we have to choose the alpha based on some zero difference pattern and these are all answered in the Asiacrypt paper by Rønjom et al., and the round-reduced cipher is actually two rounds of generic substitution permutation networks and the swap works based on the non-linear layer and this nu is actually the zero difference pattern. So, Rønjom et al. reported the attack and devised the deterministic distinguisher for two generic substitution permutation rounds. So, and they used their results to mount the first key-independent yoyo distinguishers for AES and they also mounted a five round practical key recovery attack. Now, what is this word swap operation?
So, consider these two AES states and as you can see these are the states, we have actually grouped the diagonals, the bytes in the diagonals are grouped together. Now, if we interchange the diagonals between these two ciphertexts, this operation is known as the word swap operation. And the zero difference pattern. So, we take two plaintexts again, AES state is considered here. So, we take two states, we take their difference and we construct a pattern based on their diagonals. So, if we see this diagonal, the bytes here are active. So, we consider this diagonal as the active one and all other diagonals are inactive. So, the first diagonal is active, that is why it is denoted by zero, and as all the other diagonals are inactive, these are denoted by one and thus the weight of this zero difference pattern is three. So, the yoyo attack, it constructs new pairs of plaintexts and ciphertexts adaptively from the original pairs and while making the pairs, we keep a certain property as invariant and at the end of the attack, at the end of the game, we verify whether the invariant property holds or not.

So, our main motivation behind devising the Boomeyong attack is to merge the yoyo attack with the boomerang one. So, on the left side, the framework for the yoyo attack is shown whereas on the right side, the framework for the boomerang attack is shown. So, the yoyo attack is more of a deterministic one and it is more related to some patterns instead of actual differences whereas the boomerang attack is a probabilistic one and it is related to actual differences. So, now in the context of boomerang attack, we need to revisit the word swap operation again. So, earlier, we saw the word swap operation as the swap of some words based on some diagonals or inverse diagonals. Now, we can see it in some other ways also. So, here we divide the ciphertext into two parts. The parts that are required to be swapped and the parts that are not required to be swapped.
So, the parts that will be swapped are subscripted by omega s and the parts that are not to be swapped are subscripted by omega l, and these parts, the parts subscripted by omega s, are interchanged between the two ciphertexts and in this way the new ciphertexts are created and the difference between them is beta omega s and beta omega l. So, this operation can be visualized as adding the difference beta omega s to this ciphertext, to these parts, to the parts that are needed to be interchanged, whereas the part beta omega l, that is not added to this part, instead 0 is added to this part. So, basically we can consider this as a combination of S-box switch and ladder switch. So, for these parts we apply here the S-box switch operation and in this way we just interchange the values here and for this part we apply here the ladder switch operation and in this way these parts remain the same and in this way we create the new pairs of ciphertexts. So, in this way we can actually visualize the word swap operation as the combination of ladder switch and S-box switch. Now, this is shown, the difference between the two, not the difference, the similarity between the two word swap operations is shown here in this figure. So, this is the typical word swap operation and here the word swap operation is shown as a combination of S-box switch and ladder switch and these two are essentially the same. Now, in addition to the word swap operation and the yoyo part in the upper part of the trail, in the lower part we try to add the boomerang kind of strategy. So, we start from alpha difference with the pairs of plaintexts P1, P2 and we reach here with probability p and from here for the lower part we add here the delta difference and somehow if we are able to do here the word swap operation. So, we add here such delta differences such that some word swap operation occurs here.
So, in that case we know that this part will satisfy the yoyo game and thus this will occur with probability 1, the alpha dash, and the nu of alpha will be equal to nu of alpha dash. So, in this case we have to pay the probability for this part, we have to pay the probability of p, and for these two trails we have to pay the probability of q square and this will occur deterministically. So, this scheme will increase the probability to p square q, p q square instead of p square q square. So, it is shown here as p square q, this is wrong.

Now, the Boomeyong attack, the technique, the framework that we have developed, we applied it on 5 round AES, 6 round AES and 10 round Pholkos. So, first we have devised the distinguishing attack and then we have extended the attack to mount a key recovery attack and then we have mounted a key recovery attack on 6 round AES and quite similar to the attack on AES we have mounted a key recovery attack on 10 round Pholkos. So, first of all for the distinguishing attack on 5 round AES we have to first identify the upper trail. So, this is our upper trail in the attack for 5 round AES. So, as we can see there are 6 bytes, these are free, and this byte we have marked as red. So, this is a special byte, we will see in the later case why this is a special one, and all these bytes are active bytes. Now, this value occurs with probability 2 to the minus 48 and as shown here there are 4 instances of such occurrences. So, this is one such case and there are 3 other cases. So, in total if any of this occurs, our upper trail, this is the sufficient condition for occurrence of the upper trail. So, the cumulative probability of all this is 2 to the minus 46. Now, we need to devise the lower trail. So, consider here two ciphertexts. So, how are we actually constructing the delta? So, for the lower part, this is our lower trail. So, we have included the MixColumns operation and the last round. Now, how is this delta difference created?
So, as you can see, only this inverse diagonal is active here, other values are 0, and how is this inverse diagonal created? This value, sorry, this value is actually the difference between these two values. In a similar way this value is the difference of this value and this value. So, in this way the delta is created. Now, we add this delta to C1 to obtain C3 and this delta is added to C2 to obtain C4. Now, when this delta is added to C1 this will be the new ciphertext. So, as you can see these are actually this part of this ciphertext and this value comes from this ciphertext. So, essentially this means that we are actually interchanging the inverse diagonal of these two ciphertexts, and what effect does the E1 layer have? So, over the E1 layer, these four bytes are actually only dependent on these four bytes. So, if we are changing these four bytes this essentially means that we are only changing these four bytes in the internal round. So, this is our framework for realizing the word swap operation in the middle. So, as we have seen in the last slide we are interchanging only this inverse diagonal. So, this essentially means that in the internal round we are interchanging only the last column of these two internal states. Now, the case that we have considered is that these six bytes will be inactive in the difference. So, if these are the two states, these six bytes will be equal. Now, that means that if we are changing these two columns, that means that these two bytes will only be changed because these are actually the same values. So, it will have no effect on the difference. So, that means that only these two values will be changed and this means that these two inverse diagonals are changed, that is a very important case for our attack.
So, when these six bytes are equal, at that time the column swap is essentially equivalent to the inverse diagonal swap and this result is actually Theorem 5 and 6 from the paper by Bardeh and Rønjom from Asiacrypt 2019.

So, this is the distinguishing attack on five round AES. So, this is our upper trail. So, we start with such alpha and we expect such beta occurs in the middle with probability 2 to the minus 46 and from the lower part we give here such delta and if this case has occurred in the middle then this case occurs with probability one and at that time the values will be interchanged, that means the word swap will occur in the middle and thus we will get the same pattern, the same zero difference patterns as alpha, in the returned plaintext pairs. So, essentially we take a structure of 2023 plaintexts, we query the encryption oracle using all the plaintexts, we swap diagonals between two ciphertexts and then we query the decryption oracle using the new ciphertexts and we check whether the zero difference patterns for the new plaintexts are equal to the zero difference pattern of alpha or not. If this is the case then we distinguish it as a five round AES.

Now, we extend the distinguishing attack on five round AES to the key recovery one. So, we take only the last part of the attack, the last round of the attack. So, we guess here the key bytes and we try to see, so once the right pair is obtained we know that for the right pair here only one byte will be active. Now, we guess the key for this last column and we check whether this difference transits to this kind of difference or not. If this is the case we identify this as the right key candidate and we repeat this process for all the four diagonals here and for all four columns here and in this way we recover the key for the five round AES.
Now, the attack on five round AES is further extended to convert it into a six round attack on AES and in this attack we prepend a round in the beginning. So, we choose pairs of plaintexts with such kind of differences and with probability 2 to the minus 22 this difference will transit to this kind of difference where only one byte will be active. So, here it means that only one diagonal is active, that means one super S-box is active here. Now, so in this case if we consider here the zero difference pattern, the pattern should be 0, 1, 1, 1. Now, if the five round boomerang attack from here occurs successfully, we expect here this kind of differences, so this super S-box will only be active here. Now, if all the bytes are active here then this full state will be active and we will not be able to retrieve any useful information from here. But if any one of the bytes is inactive here then this pair of states will be useful for us and this occurs with probability 2 to the minus 6.4 and when this occurs here the four bytes will be active in the output states. So, the bytes will actually be related to each other, this should be a part of a diagonal. So, it can be this diagonal, it can be this diagonal, it can be this diagonal, it essentially will not be this diagonal, otherwise we will not be able to recover the key, it will be very problematic for recovering the key if this diagonal is inactive. So, the inactive diagonal should essentially be the diagonal which is not this one. Now, here we retrieve such kind of pairs, but as you can see the pairs which will conform to this property will be such kind of pairs but apart from that there can also be random pairs. So, we will obtain a pool of right pairs and wrong pairs and the right pairs will suggest the right key candidates whereas wrong pairs will suggest the wrong key candidates and the right key candidates.
Now, we have no way to distinguish the right key candidates from the wrong key candidates and for that purpose we have used the notion of signal-to-noise ratio. So, what we do here, we take this difference here and we guess the right key, we guess the key candidate here, and we see whether the 4 to 1 transition occurs or not and we also do the same thing for the returned plaintext pairs and see whether the 4 to 1 transition occurs or not and if on both sides such kind of transition has occurred we consider it as a key candidate. So, if we are guessing for this diagonal, there will be 2 to the 32 key guesses. So, for a key candidate, if both this kind of differential occurs here we increment the counter value for this key candidate and in this way counter values for the 2 to the 32 key candidates are maintained. So, we expect the counter for the right pair will be among the top values and we found out that using the notion of signal-to-noise ratio to detect the right key candidate almost 10 right pairs are required here.

Next we mount the attack on 10 round Pholkos. So, Pholkos is an AES-based tweakable block cipher and its design strategy is quite similar to the AES-based permutation AESQ and in this attack we have considered the 512-bit Pholkos state and the 512-bit Pholkos state can be considered as 4 parallel AES substates which go through 2 rounds of AES operations and after 2 rounds of AES operation, columnwise permutations between the different substates are operated and the 512-bit AES has 20 rounds and we have mounted the attack on Pholkos which is quite similar to the attack on the 6 round AES and using the attack we have been able to mount a 10 round attack on this cipher and again here we have used the notion of signal-to-noise ratio.
So, these are the attacks that have been reported in this work. So, the 5 round attack on AES, 6 round attack on AES and 10 round attack on the Pholkos cipher.

So, finally the concluding remarks here. So, in this work we have devised the generic strategy which has embedded the yoyo within the boomerang and we have shown the way of visualizing the word swap operation as a combination of the S-box switch and the ladder switch and our techniques have successfully mounted attacks on 5 round and 6 round AES and 10 round Pholkos and we have verified the attacks on AES by implementing them on the mini version of AES, that is the 64-bit AES, and we expect that our attacks provide a better understanding of AES and AES-like ciphers. And there is a small corrigendum. So, in our paper we have missed to cite our lemma 1 and lemma 2. So, in our paper the lemma 1 and lemma 2 are actually the special case of theorem 5 and theorem 6 of this paper, the exchange attack paper by Sondre Rønjom and Bardeh, which was published in Asiacrypt 2019. Thank you.
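
Added illustration, not part of the talk or the paper: a small Python check of the two switches on a single AES S-box and of the view of the word swap as "add beta on the swapped words, add 0 on the rest". All function names and the sample ciphertext words are constructed for this example.

```python
def gf_mul(a, b):
    """Multiply in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r

def build_sbox():
    """AES S-box: field inverse (x^254) followed by the affine map."""
    sbox = []
    for x in range(256):
        inv = 1 if x else 0
        for _ in range(254 if x else 0):
            inv = gf_mul(inv, x)
        y = inv
        for s in range(1, 5):
            y ^= ((inv << s) | (inv >> (8 - s))) & 0xFF
        sbox.append(y ^ 0x63)
    return sbox

SBOX = build_sbox()
INV = [0] * 256
for i, v in enumerate(SBOX):
    INV[v] = i

def comes_back(x, a, b):
    """Inputs x and x^a go through S, b is added to both outputs, both are
    inverted: is the returned input difference again a?"""
    return (INV[SBOX[x] ^ b] ^ INV[SBOX[x ^ a] ^ b]) == a

def returning_inputs(a, b):
    """Number of x (out of 256) for which the one-S-box boomerang returns."""
    return sum(comes_back(x, a, b) for x in range(256))

def word_swap(c1, c2, swap):
    """Yoyo word swap: exchange the words indexed by `swap` (omega_s)."""
    n1 = [c2[i] if i in swap else c1[i] for i in range(len(c1))]
    n2 = [c1[i] if i in swap else c2[i] for i in range(len(c1))]
    return n1, n2

def add_switch_difference(c1, c2, swap):
    """Same operation as a difference: beta on the omega_s words (S-box
    switch), 0 on the omega_l words (ladder switch), added to both texts."""
    mask = [(x ^ y) if i in swap else 0 for i, (x, y) in enumerate(zip(c1, c2))]
    return ([x ^ m for x, m in zip(c1, mask)],
            [y ^ m for y, m in zip(c2, mask)])

if __name__ == "__main__":
    a, x = 0x91, 0x3C                      # constructed sample values
    print("ladder switch, b = 0:", returning_inputs(a, 0), "of 256 inputs return")
    print("S-box switch, b = S(x)^S(x^a):", comes_back(x, a, SBOX[x] ^ SBOX[x ^ a]))
    print("other b, best case:", max(returning_inputs(a, b) for b in range(1, 256)))
    c1 = [0x11223344, 0x55667788, 0x99AABBCC, 0xDDEEFF00]   # constructed words
    c2 = [0x0F1E2D3C, 0x4B5A6978, 0x8796A5B4, 0xC3D2E1F0]
    print("swap == switches:", word_swap(c1, c2, {1, 3}) == add_switch_difference(c1, c2, {1, 3}))
```
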