 Well, this is my pleasure to give a talk, yoyo tricks with AS. And the others are my former student Sondra Valium, and Nabi Bardi, my present PSD student, and myself, and I will give the talk. And what is yoyo tricks with AS? Well, I will tell you about this one. But first of all, essentially what we do is find a new secret key distinguisher for AS from three to six rounds, and a new one for five rounds. And I will describe the main ideas. In particular, it's very nice the fact that you can distinguish four rounds of AS by two, one pair of plaintext, knowing the subtext, modify it, and you can get the new plaintext. And based on this, you can say AS or random sofa. So this is the fact that you have got substitution, permutation, and that works. It basically will be your secret key distinguisher, and you will play the yoyo game. So, what is the substitution, permutation, and that works? You are quite familiar with this. You have the plaintext, adding a key, and then you take your bits into the AS box, and then you do a permutation in your permutation, or a five permutation, and then you continue adding the key, and you substitute your permutation in AS to this in ten rounds. We work on a distinguisher attack that says when you have a block cipher here, and based on some kind of output, you have to decide is this AS or is this a random cipher. So, the yoyo game is the following. Actually, we call it the yoyo game, but actually this yoyo game has been introduced by Bia Metal against Skidget using a vice block cipher, and they had a question of the duties on the SPL networks and like AS. And this is in a sense the problem we address in this paper. So, what is the yoyo game? In the way you have a pair of plaintext with some property or not the property, you can generate other pairs which has the same property by doing some exchange of words in their ciphertexts. And in the way this is what we are doing. We have like a plaintext, two plaintexts with a certain difference we are usually interested in, but we send the plaintext in and we get the ciphertext. And then based on the ciphertext, we do a new pair that we call the yoyo pair that just interchange the points or the words in these two ciphertexts. And we get a new ciphertext and we ask for the description of this and we get a new pair of plaintexts. And some of the problems are, how do we select these input plaintexts and how do we modify the open ciphertext and how do we decide from the result of this description whether this is AS or a random cipher. And actually yoyo game is that you can go back here and you can do this many times wrong and wrong to get the information. So of course the basic scenario here in this attack is the adaptively chosen cipher plaintext and ciphertext. Because every time we get the ciphertext here as a result of an encryption, we modify it and in our way we go back and modify this and continue until we have the information we need. And of course we will look at the complexity as the merit and show that this improves some of the existing AS distribution of attacks and most of the recovery attacks. In the sense you have like in ASPOS and so in a way the state could see so and works. I mean actually if you look at AS this one is like the first column, I mean like a row. You can consider this as a next column, third column, fourth column. But you can do this in general as a last cipher or as a last cipher. And AS is like a specific case of these two of cipher. So in the sense if you have the state you have an AS box that works on cabinets and then you use this on these cabinets to work and then you get the big AS box which is like a composition of these. And then you have the linear layer or a fine layer. It doesn't have to be linear, it's fine. You're not going to be considered these two situations. And because there is a representation of AS using a super as box. This AS and AS using the super as box and the super of linear layer and AS this corresponds to four columns. And this will correspond similar to six rows. So in a way the distinguishing attack actually works for all ciphers of this type in the first row and also in this situation but then the generic situation in AS is easier than the generic situation. So what is the UU function? Well, if you have two states, alpha and beta, like you play text or ciphertext then you can interchange some bytes. So you make a new state and in position i you select alpha i if this primary vector is more than this i coordinate and beta i are always. So this is what they do. And this has the property that if you add alpha plus beta this would be the same as then the new UU pair. Because I mean both you construct this one here you take the first the first word from alpha or all beta and then if you take the first word in here and then the first word would go in here. What can also happen if you take the second word you can put this in the second word of beta and then the second word here would go in alpha so you just exchange bytes. And you can do this in several different ways. It has also the nice property that if you look at the i's component it is alpha i plus beta i of course the same here because you just exchange them. And if you do the S-box if it will not change because in the i position this will be the S-box of alpha i plus the S-box of beta i here you will just get the S-box of this one this is either alpha i or beta i and this one this is the other one. So you will know that the S-box looks to be linear in the sense of this and of course if you have a linear function here on top of this one you still have this property you can just do by linearity this doesn't need any argument. So one thing this is important is the zero difference pattern of two vectors. So if you have two vectors or I mean one you can look at the vector here and the elements are in doubles and you just define a binary vector which is small with this zero so it's like you indicate the function for this zero for this one. Of course for any permutation you have a trivial property also that if alpha plus beta if you look at this state here if one position is zero then if you do the S-box it will still be zero and two positions in alpha and beta are the same before the S-box it will be the same afterwards because you have a permutation S-box. So what now? This is like the situation we can sum up for two. So I think I have an example of my actually this is an example to go over here, I just missed this slide maybe I'll do this. So in a sense if you have one state vector alpha like this and another beta like this then you look at the vector here every time it's zero you take the beta part and then if it's one you take the alpha part and then you take the beta part and then in the other component you just exchange beta and alpha you just get a complementary. So in each component you have other alpha or beta you can just do this as you like but you keep the sum and you also keep this if you do the S-box of this, plus S-box of this it's the same as S-box of this, plus S-box of this so then the situation is pretty what do you do here? alpha plus beta. So this is a state and you make a union there for alpha and beta so alpha prime is this one and beta prime is just the one so if you take alpha i component here you take the other form alpha here you take the beta component there and these are those and this means the following that alpha plus beta is equal to the sum of the area there that was the previous slide if you compute as so alpha plus as so beta it's still equal to the sum here if you do the linear part here you still by linearity the next stage you know if you take the S-box here then things will not be equal anymore but the zero set will be the same since this sum of these are the same it means that if two of these are equal then they will be equal in the same position there so the zero set of this one as the last one will be the same as this one because you have to be poor in the air and then if this is zero then this is zero and the S-box will preserve this and this means that if you take a yoyo pair alpha and make a yoyo pair and do as and as the set of zero positions in these two will be the same and can you use this for crypto analysis of as and as not really but you can do it by doing this upside down so what is your situation applying the yoyo pair property you take a plain text p0 and p1 and actually we wouldn't make sure there's a lot of zeros here so these have a lot of components which are the same then you do the as and as and you get down to a side attack so if somebody touch you this then you make a yoyo pair and then based on this yoyo pair you ask for a plain text pair and what is the situation when these two are yoyo pair so if you do as and as but as is and as it goes for any as any as so it works this way and this way so it means that the zero set of this is equal to the zero set of this one so in any as if you have a cycle like this one if you put a lot of zeros in the two plain text you select a lot of zeros in position and maybe one or two not zero it means that if you ask for this one you modify and you get this one then these will have the same zeros for a random cycle that's extremely unlikely and that means you can distinguish it so it's a very very elegant the very simple idea for some reason has not really been you can extend this to the as and as in a certain sense if you have an as and as and as and as cycle and if you look at the D2 as and as and as you know that if you stop with some P0 and P1 and you have a zero set at this stage of the as and as the zero set is the same as there because the as doesn't affect this one then you can get the cycle text and you can make the u-peer and even if you don't know the zero set of this one when you stop you know that when you do as in words and in words as in words the equation at this stage you will have the same zero set and then you can go back here again and you can make a new u-peer and go down here as and as and you will have the same zero set here you can go down here make a new u-peer and you will have the same zero set in the middle so if you have a situation where you have selected plainface which has a certain zero set here even if you don't know what they are you might want something by selecting many pairs and then you can construct a lot of pairs with the same probability no other use it on as that you know what it looks like we have there four basic constructions in the row there are sub-bites shift row, mix column and add key so if you want to do this thing we use our four rows as if you write down four rows as it looks something like this maybe yeah for instance you can interchange the shift row and shift part and because you are interested in differences add key doesn't really matter so it means that this will look like I mean add key and this doesn't really matter either because if you know the difference before here you this doesn't matter and the shift row and in a way so you can start here and this is the as and as with these values on the columns of as and as state so in a way this is the situation so in a way you just have to look at this situation so when you stop because so what do you do? well you select the two plate text so that they look like this with input here in a way it means they have to be like the diagonal because of the shift row but I don't I don't care about these things so they are zero in in all these all these 96 bits and non-zero in here and then if you do as and as you get the cycle and then you will stop the European and then you go back and then you have to compare values as exactly the same 6 69 0 bits if not this is a random cycle otherwise it's as so the probability that this way is true to the minus 96 so this is basically zero this is always and what you have to do is almost nothing just there so you can do this thing with your for five round of as in a similar way you can write it as like a four rows part and then you can have like an extra operation in front no matter if you move something before and after so this stuff it survives so in a sense if you have a plain text here so then you can do the survive so you select the pair of plain text which is only non-zero in the first column and then you do the survive but not change the situation and then you do the mix columns and in this case these three are already in the same so the difference will still be zero but you may assume that you have all the situation that you have zero two zero bytes in your first column after the mix column this course wants to go away so you actually know how often this will happen so if you select the probability of this is like 4 over t times 2 to the minus 16 essentially so this will be like 2 to the 13 is the probability that you will have this situation so if you have 2 to the 13 of these pairs you will expect this to happen so and then after shift row you you get I mean you still you will still this row so you have two columns with your zero so the zero set the zero and then you have this so you go down to the subtext there and then if you maybe do your pair here you go up again here and you know that there will be two zeroes here because of this zero pattern will be preserved and in this case after the shift row you will have two zeroes in each column and and then because of the mix column you will have at most one zero here because the rate is five or it could happen that both of these bytes are zero when they come from here so this has a probability like 2 to the 11 yeah I think yeah so 2 to the 11 here so in a sense if you have like a if you have like a so if you have like a random random situation you would just pass better you have if you have at least two zeroes here that's not possible for the AS situation for this row but for a random situation this will happen after 2 to the 11 tests so you make a lot of pair in pair then you test each of them and you test and you test whether you have two zeroes here in this case you go to the next pair otherwise you maybe do your pair and you just test this and as soon as you get two zeroes here you go to the next possible pair and in this case you will get rid of if this is a random cycle you will get rid of all possibilities by testing about 2 to the 11 for each of these what would this be like 2 to the 13 possibilities so in a sense this would give like the complexity of 2 to the 25 if this is AS this is crazy there that you can expect means that when you go around here you have at most one zero here so this pair will and in the right you need 2 to the 40 pairs to find something so you can actually use this to find one of these as a pair so that is just select so many pairs and every time you get two zeroes here you throw away the pair and you continue to get rid of all 2 to the 13 pair if it's AS this you have a pair that will survive in a sense so in the right this is the 5 and this is like the complexity 2 to the 25 so many pairs you need to find like the right pair here and so many for eliminating and then you can do similar for the 6 of AS then you do the sorry then you do the similar situation for 6 rows it's same as this for using the super AS box and then you can make something for different pairs here and you can do as part and you can hope for this pattern here and you can compute the probability of this pattern and then you follow this and because of the the mix the color of this non-zero verse will be 5 this is actually from the proof this is just not some AS box but this is also true for the super AS box in this case and then you continue here and you can do and making this type of or your your pairs and actually if you just have one of these one it means that when you got up here you have 3-zero-zero and so all of these colors has to be non-zero so the probability of a zero column if you have a zero column here you can just have it the way but this will not happen for the AS case because you have already 3 so in a sense the complexity for this attack is 2132 added to chosen ciphertext so this is the third complexity for STIS you can also do it for STIS but this is not a complete source but not very much STIS attack has not been implemented but all the others attack have been and actually one of the referees implemented it that way so in a way this is like the situation you can also have like a 4 4 on key recovery attack and and this is slightly slightly different so you select pairs of plaintext so are identical in 3 order worlds as usual first world it looks like this one in one of them and the first column in the other one is like this for some load see and then the eye runs through everything and you can do some partial encryption because no biology for the key before if you do this calculation you can show that there actually are two possibilities there are two possible solutions two of these plaintext the eye will have a zero in the third position so this means that if you look at this one you start with something here and then you do the zeroes in these positions and we have at least one zero here in one of these to do 28 and if you have this situation it means that this will give you a zero column there and because of the SLS there is the same zero set here a zero column here and after this one you have a zero in each of them and actually you can test all possible keys in the first column and then you can test you can ask for this one and you can test whether this will give a zero column here and you can do this for like 5 pairs to make sure since you have 224 possible keys that you are looking for that you don't know that you know why you need to relate it to the keys so it means that if you do this you can get a tag that meets the complexity of 2 to the 11 over 3 so in the way this is like 2 to the 8 pairs of plaintext so that 2 to the 8 times 2 and then you do it for 5 5 pairs here and you just test this one and this will work and you can see that key distinguishable so for 3 rows the yo-yo right there is 3 adaptively chosen subtext and 2 actuals so it's better than the previous one if you do it for 4 actually 3 rows I didn't do but we also did we slide this in about 4 rows it cannot be much simpler than a 4 but it's better than you do there for the 5 rows you have this one which is better than the previous one and the 6 rows is like this one and this didn't really exist I think 5 rows is quite you may be lost a year or two and if you look at the person for the 5 rows we only did the 5 rows we had the data 2 to 11 like this one and the computation corresponds to 2 to 1 5 row encryptions and then the memory is quite small so in a way these are simple techniques give a surprisingly improvement of 4 rows we're still struggling to improve on the yo-6 rows that would be nice to do but of course you cannot be into a record in the first paper so there are probably a lot of people that can improve on this thing but the idea is really I mean I like that idea the main idea comes from my student he was a smart student he did his thesis on stream cycle but with some block cycle he has good ideas and I think this is pretty much my talk so this is what I did I did 2 to 6 rows and if you do all the records on the 3, 4, 5 and 6 rows then you need a key to go over the 5 rows and all of that improves the record and of course it shows a lot of normal problems that's it this is what I wanted to say that simple things can improve the text so thank you I'm not sure about your notation when you are 4x4 matrix says when you have white it means zero difference when you have gray it means definitely non-zero or it could be anything it could be anything it could also be some zero but no door look it depends on that one question have you considered any application to the key recovery of ideas of this not yet if you are looking you can use the same see your technique maybe it needs to be modified it's still interesting to do and we also would like to of course the 6 rows would be nice to improve because that is so simple and stupid I mean it's very naive but it works so maybe a more sophisticated will give an improvement and of course beyond 6 will be really nice to improve because it's amazingly valuable for firms in the lower 3 to 6 rows do you consider the first positive probability the first a success probability you have discovered a random permutation as the AES standard 6 around AES what's the probability of that I mean if you look at the paper you can see what it's what's there one question