The next talk is about zero-correlation attacks on tweakable block ciphers with linear tweakey expansion, authored by Ralph Ankele, Christoph Dobraunig, Jian Guo, Eran Lambooij, Gregor Leander and Yosuke Todo, and Ralph is going to give the talk.

Thanks for the introduction. So this is on zero-correlation attacks on tweakable block ciphers with linear tweakey expansion. Let me start with a quick introduction. So tweakable block ciphers, as we all know, compared to normal, regular block ciphers add an additional tweak value. The tweak value doesn't have to be secret, so it's a publicly available value, but it also gives the attacker the freedom to choose the value and use it in an attack. And the goal is to move the randomization from the mode level to the block cipher level using this tweak.

So how can we construct tweakable block ciphers? So we can construct them from regular block ciphers by using modes, for example AES-GCM, but there are also some dedicated tweakable block ciphers like SKINNY, MANTIS, QARMA and Deoxys. And most of them are built with this TWEAKEY framework introduced in 2014, and basically it's a key-alternating block cipher like this down there, but we also have a tweakey schedule where we update the tweaks.

So our contributions: we analyze several tweakable block ciphers. For QARMA and MANTIS, instead of counting the rounds we count the number of S-box applications that we can attack, so we have an attack on QARMA for 12 S-box applications, for MANTIS also for 12, and for SKINNY we can attack 20 rounds of SKINNY-64-128 and for SKINNY-64-192 we can attack 23 rounds. And for example it's also interesting that, comparing it to impossible differential attacks, our attack actually improves upon impossible differential attacks.

So this is my overview of the talk: so I will give some preliminaries, then I will explain the zero-correlation attacks on tweakable block ciphers, and then I will show some applications to QARMA, MANTIS and SKINNY.

So first a short reminder about how differences and linear masks are propagated inside a cipher. So over an XOR the differences a and b just sum up, but an interesting part for tweakable block ciphers is when the differences are the same, because then they cancel out. Over a branching point they are the same, and over an S-box we can just compute the difference distribution table, and then it holds with a certain probability. For linear masks it's slightly different. So over an XOR the masks are the same, over a branching point they again sum up, and over an S-box we can compute the linear distribution table.

So when we evaluate the security of tweakable block ciphers against differential cryptanalysis, what we can do is basically we can add a difference in the tweak and a difference in the state, and then we can cancel the difference in the first round if they are the same, and basically we get one round for free. If we look at the same thing in linear cryptanalysis, it was shown at FSE 2017 that the tweak doesn't introduce new linear characteristics, so that trick doesn't work. But what was also hinted at in that paper already was that the tweak adds additional restrictions, which can then be used in zero-correlation attacks.

So zero-correlation attacks were first introduced by Bogdanov and Rijmen, and basically for two given masks alpha and beta it exploits a correlation of exactly zero. One of the drawbacks of zero-correlation attacks is that they normally require a huge data complexity. And what we can see down there is basically the zero-correlation attack on four-round AES. So what we do is we have some active masks in the beginning, we go with probability one, we do the same from the bottom, and we see that it doesn't match in the middle and it has a zero correlation.

So then how can we do that for tweakable block ciphers? So for tweakable block ciphers, let's start with a very basic two-round tweakable block cipher. So what we can do again: over the first XOR the masks have to be the same, and also from the other side. And when we then shift the masks into the tweakey schedule, we see that over the branching points they all have to sum up, and they just give some additional restrictions in the tweakey schedule. And what we do in our attacks: we also link the zero-correlation attacks later to integral attacks to reduce the data complexity.

So in our attack we basically take a lot of ciphers from the TWEAKEY framework. So the rationale of the TWEAKEY framework was to treat the tweak and the key the same way; therefore it's called tweakey. And it's basically completely linear, and it generalizes the class of key-alternating ciphers, and it's a framework that can be used to design tweakable block ciphers. One instantiation of that is the STK construction, so instead of just one line with the tweakey you can have several tweakey lines. So it uses a state update function h, which is a permutation, which is applied to each of the tweakey words, and further there is also a multiplication that is different for each tweakey word. And then we have a sub-tweakey extraction function g, which just XORs the tweakey words together, and there are also some round-dependent constants added against slide attacks. And the g function basically reduces my tweakey words to one. The overall goal was to reduce the implementation overhead and also to simplify the security analysis.

So let me shortly introduce a small toy cipher to explain the attacks better. So the round function is the same as AES, so it just has a key addition, then an S-box application, then ShiftRows and then a MixColumns application. And for the tweakey schedule we simply just use the permutation of SKINNY and nothing else, and also, compared to SKINNY, we extract the whole key and not just the first two rows.

So if we look now at zero-correlation attacks on the STK construction with just one tweakey word, what we can do is we fix an input mask and an output mask, and then we can compute something that we call the gamma sequence, which is just the masks in the tweakey schedule. And we do that by forward and backward propagation of the input mask and output mask with probability one. And what we can observe then is: if we have at least one, or at most one, linearly active value in this mask, in this sequence, and we fix the tweak mask also to zero, we get a zero correlation.

How does this look? So in our toy cipher that I showed previously, so compared to the four-round attack on AES, if we have the same round function but now with a tweakey schedule and we do that attack, we get a five-round attack, and basically we shift the property of the zero correlation from the state into the tweakey schedule. And what we can see is that here on the right there is just one active value and all of the other ones are zero, and if we force the tweak mask to be zero, then we get the zero correlation.

If we want to apply that to some ciphers with more tweakey lines, we can basically do a similar thing. What we do is we just have to compute the gamma sequence for all of these tweakey lines, and then we fix the input and output masks, we calculate everything, and then we can obtain a zero correlation when at most p linearly active values are in there, and p is the number of lines we have in the tweakey. So if it's TK2 then we have two active. So how does that look again on our toy cipher? So we have now two tweakey lines and we can have two active values in there, and we can extend the attack to a six-round attack.

So our first application then is QARMA. As it was already introduced before, QARMA looks like this. It's a tweakable block cipher based on the TWEAKEY framework. It's a reflection-like cipher, so the middle part is this reflector. It has some extra rounds in the center that are just keyed, but no tweak is added, and then it just reverses the same round functions from the beginning. So it uses a very lightweight involutory 4-bit S-box, it uses the cell permutation of Midori, and the MixColumns matrix looks like this; it's basically a circulant matrix that's just repeated. And the tweakey schedule consists of a permutation h and a bit-based LFSR.

So if we construct a distinguisher for QARMA, what we can see is: we basically just fix some input masks and an output mask, we iterate that as many rounds as we can get, and then we look in the tweakey schedule, and what we can see is there's just one active value in here. And yeah, what we do is we later translate this zero-correlation distinguisher to an integral distinguisher to reduce the data complexity, and also move it then to a related-tweakey attack. In our key recovery we basically can prepend one round and append three rounds, and what we can see is that in the round after the distinguisher we have two balanced bytes, and we didn't use... So we prepend one round, and that means that we want to have this X0 and X8 balanced at the same time. And to calculate both values we use the meet-in-the-middle technique for integral attacks, so we can evaluate the values independently. And for the attack we use the FFT key recovery technique, and the time complexity is then about 2^66, where we recover 56 bits of the outer keys and 28 bits of the inner key. The data complexity sums up to 2^48.4 and the memory complexity is 2^53. So for more details, please check the paper.

So then we also applied the same attack to MANTIS. MANTIS is quite similar to QARMA. It's also a tweakable block cipher based on the TWEAKEY framework, and it's a reflection cipher. So as a comparison between MANTIS and QARMA: the round function looks slightly different, so the S-box in MANTIS is applied first and then the keys are added, and for QARMA the keys are added first and the S-box is at the end. And also the S-boxes are different and the linear layers are different, but they have the same structure, and because our attack is generic enough, so it doesn't exploit the S-box, we can iterate the round function and basically apply the same attack. So the same attack that holds for QARMA is then also valid for MANTIS.

Then let me show the attack on SKINNY. So SKINNY is also a tweakable block cipher from the TWEAKEY framework. Its round function is similar to AES, so it has an S-box application, then the tweak is added just to the first two rows, so just the first two rows of the tweakey are extracted and then added to the state. The ShiftRows is similar as in AES, and for the MixColumns it uses a binary matrix, and in the tweakey schedule there's an application of a permutation and then an LFSR on the top two rows. Again, it uses a very lightweight 4-bit S-box. It uses AES-like ShiftRows, but it shifts to the right instead of left, and a binary matrix like this one here is applied for MixColumns. For the tweakey schedule the permutation used is like this one here, and there's a bit-based LFSR that is applied to the top two rows, but only in the setting for TK2 and TK3. So with just one tweakey line there is no LFSR.

So for our attacks: we can attack 20 rounds of SKINNY-64-128 in the TK2 setting, where we then use a certain-round distinguisher which has a data complexity of 2^56 plaintexts and uses 2^8 related tweaks, and for the larger version of SKINNY in the TK3 setting we use again 2^56 plaintexts and then 2^12 related tweaks.

So that's the key recovery for SKINNY-64-128: basically we can prepend one round and append six rounds, and again the value in round 14 at the 11th position is then balanced. And what we do is we just see how many state and tweak values are included, and then we can recover parts of the key. And one interesting observation is that the FFT key recovery method is not as efficient, and the reason for that is that just the two topmost rows of the tweakey are added. So therefore we saw that the partial-sum technique is actually more efficient, and we can get more rounds for the attack. And the time complexity is around 2^97, the data complexity is 2^68 and the memory complexity is 2^82.

So for the attack on TK3, what we do is we can prepend one round again and this time append eight rounds, and this time two values in the state are balanced at the same time. Again, we use the meet-in-the-middle technique for integral attacks to evaluate them independently, similar as for QARMA, and yeah, again the partial-sum technique is more efficient than the FFT key recovery technique. And the time complexity is 2^155, the data complexity is 2^73 and the memory complexity is 2^138.

So in conclusion, what we show is a new attack technique for analyzing tweakable block ciphers. We currently have the best attack on QARMA in comparison of number of rounds or S-box applications. So an interesting thing is that the attack is independent of the keyed middle rounds. So if QARMA had even more keyed rounds in the middle, we could just simply ignore them. And for MANTIS and for SKINNY we had some further insights. So we have a lot of time for questions.

Yes, we have. So first I want to give credit to my colleagues. It's QARMA that looks like MANTIS and not MANTIS like QARMA. Second, you just mentioned that the complexity on MANTIS is the same, but are there any optimizations that actually use the simpler linear layer? Or is it really a pure truncated approach, where the rotations play no role at all?

So I think it's quite generic. So we don't use something from the S-box, so it can be just any 4-bit S-box. We also don't really exploit the linear layer, and the linear layer is basically the same in the number of ones and zeros in the matrix. So the only thing we had to do is reshuffle the round function, but that again results in the same thing. And yeah, so the attack just simply applies the same.

So just your attack; most probably other attacks are completely different.

No, I'm just curious: can you actually apply it to non-linear tweakey scheduling, or is there any reason that you chose only the linear expansion?

Yeah, most probably you can, but then the calculation of the masks is most probably a lot more difficult. So the issue is only the complexity part. So most probably it's just how the gamma sequence is calculated, most probably slightly different, but we haven't checked.

Thanks, let's thank the speaker again.
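The gamma-sequence check the speaker describes for the toy cipher (both the one-tweakey-line case and the "at most p active values" rule for p lines), worked through in code. This is an added example written for this page, not code from the talk or the paper. It uses the toy cipher as the talk defines it: an AES-like round (AddTweakey, S-box, ShiftRows, MixColumns) on a 4x4 nibble state, the SKINNY tweakey cell permutation (constant taken from the SKINNY specification) as the only tweakey update, and the whole tweakey added in every round. Everything else is an assumption of this example, not a statement from the talk: the last round of the distinguisher drops MixColumns, MixColumns is MDS, masks are tracked per cell only as zero / active / unknown (so the S-box plays no role, matching the speaker's answer in the Q&A), and the p-line rule is applied literally without reproducing the paper's argument for it. All function names (`zero_correlation_cells`, `max_rounds`, `propagate`, and so on) are hypothetical. Under these assumptions the search recovers the five-round (TK1) and six-round (TK2) figures the talk gives for the toy cipher.

```python
"""Truncated zero-correlation search on the toy cipher from the talk (added example).

Toy cipher as described in the talk: AddTweakey -> SubCells -> ShiftRows -> MixColumns
on a 4x4 nibble state (index 4*row + col), SKINNY's cell permutation as the only
tweakey update, whole tweakey added each round.
Assumptions of this example (not from the talk): last distinguisher round has no
MixColumns; MixColumns is MDS (branch number 5); per-cell truncated tracking.
"""

ZERO, ACTIVE, UNKNOWN = 0, 1, 2

# SKINNY tweakey cell permutation P_T, applied as new[k] = old[PT[k]].
PT = [9, 15, 8, 13, 10, 14, 12, 11, 0, 1, 2, 3, 4, 5, 6, 7]


def idx(r, c):
    return 4 * r + c


def shift_rows(m, inverse=False):
    """AES ShiftRows on cell statuses (row r rotated left by r); masks follow the cells."""
    out = [ZERO] * 16
    for r in range(4):
        for c in range(4):
            src = (c - r) % 4 if inverse else (c + r) % 4
            out[idx(r, c)] = m[idx(r, src)]
    return out


def mix_columns(m):
    """Truncated MDS rule: exactly one ACTIVE cell in a column forces all four outputs
    ACTIVE; two or more ACTIVE (or any UNKNOWN) cells leave every output UNKNOWN.
    The transpose of an MDS matrix is MDS, so the same rule serves backward propagation."""
    out = [ZERO] * 16
    for c in range(4):
        col = [m[idx(r, c)] for r in range(4)]
        n_active = col.count(ACTIVE)
        if UNKNOWN in col or n_active >= 2:
            status = UNKNOWN
        elif n_active == 1:
            status = ACTIVE
        else:
            status = ZERO
        for r in range(4):
            out[idx(r, c)] = status
    return out


def tweakey_labels(rounds):
    """labels[i][k] = index of the original tweakey cell sitting at position k in round i."""
    labels = [list(range(16))]
    for _ in range(rounds - 1):
        prev = labels[-1]
        labels.append([prev[PT[k]] for k in range(16)])
    return labels


def single_cell(pos):
    m = [ZERO] * 16
    m[pos] = ACTIVE
    return m


def propagate(alpha, beta, rounds):
    """Probability-one propagation from both ends. Entry i is the status of the state
    mask at the AddTweakey of round i, which by the XOR rule is also the tweakey mask."""
    fwd, m = [], list(alpha)
    for _ in range(rounds):
        fwd.append(m)
        m = mix_columns(shift_rows(m))                 # SubCells keeps the status
    bwd, m = [None] * rounds, shift_rows(beta, inverse=True)   # last round: no MixColumns
    for i in range(rounds - 1, -1, -1):
        bwd[i] = m
        m = shift_rows(mix_columns(m), inverse=True)
    return fwd, bwd


def combine(a, b):
    """Intersect the two constraints on a cell; None marks a ZERO/ACTIVE contradiction."""
    if a == b or b == UNKNOWN:
        return a
    if a == UNKNOWN:
        return b
    return None


def zero_correlation_cells(alpha_pos, beta_pos, rounds, p=1):
    """Gamma-sequence check from the talk: collect each original tweakey cell's status over
    all rounds; with no UNKNOWN entry and between 1 and p ACTIVE entries, the mask on that
    tweak cell is forced nonzero, so fixing it to zero gives correlation exactly zero.
    Returns (state_contradiction, cells); a state contradiction is the classic,
    tweak-independent zero-correlation case (the four-round AES picture)."""
    fwd, bwd = propagate(single_cell(alpha_pos), single_cell(beta_pos), rounds)
    labels = tweakey_labels(rounds)
    gamma = {cell: [] for cell in range(16)}
    for i in range(rounds):
        for k in range(16):
            s = combine(fwd[i][k], bwd[i][k])
            if s is None:
                return True, set()
            gamma[labels[i][k]].append(s)
    cells = {cell for cell, seq in gamma.items()
             if UNKNOWN not in seq and 1 <= seq.count(ACTIVE) <= p}
    return False, cells


def max_rounds(p, limit=8):
    """Longest tweak-based distinguisher over all single-cell input/output masks."""
    best = 0
    for rounds in range(1, limit + 1):
        for a in range(16):
            for b in range(16):
                contradiction, cells = zero_correlation_cells(a, b, rounds, p)
                if not contradiction and cells:
                    best = rounds
    return best


if __name__ == "__main__":
    print("TK1, 5 rounds, alpha/beta in cell 0:", zero_correlation_cells(0, 0, 5))
    print("longest found: TK1 =", max_rounds(1), "rounds, TK2 =", max_rounds(2), "rounds")
```

For input and output masks in cell 0, five rounds leave eight tweakey cells with exactly one active entry in their gamma sequence and no unknown one; six rounds put two all-active rounds into every sequence, so the one-line rule fails and only the p = 2 rule still succeeds, and from seven rounds on the middle round is unknown from both sides. The same forward/backward pass reports a plain state contradiction at four rounds, which is the tweak-independent case the speaker contrasts with.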