 The second part of the session is entitled with security analysis of prints, so this is the second paper on prints. The authors are Jeremy Zhang, Vivissa Nuclege, Thomas Barreth, Lee Wong, and Swami Kevasta. The talk, let's welcome him. Okay, thanks. Thanks for the introduction. So, we have another paper on prints. And the title is Security Analysis of prints. This joint work is Jeremy Zhang, Vivissa Nuclege, Thomas Barreth, and Lee Wong. Okay, since this slide was introduced before, I'll just go through these pages briefly. This is a library-plot side by public side. It's a group last year. The construction is followed by the FS construction. And the post-watering key is calculated from the group I think we saw in their transformation. Inside the internal box of reference code, there's no schedule. And the value of Q1 is x or directly to the state, together with the long constant for each one. And there are 12 rounds inside, but it follows a symmetric construction, which means the round function for the last six rounds is the inversion of the first six rounds. But the only difference is in the round constants. The round constants are related in such a way. So, for example, the constants in the first round, I saw the constant in the last one is a determinative value, alpha. The value of alpha is like this. And this construction, with a symmetric structure, results in an interesting property which is called alpha reflection property. Which means the decryption is equivalent to some related key. The decryption property. You just write the writing keys and x or the constant to Q1. Then we have the inversion of this, for example. The length of credit plan for prints is only for the single key attack. The complex key problem is to do the 127 minus n, where 2n is the number of data we have. In the original paper, there's no problem for the related key attack. Only a triple, with the key, the signature is given. And we are very interested in how far can we go with the ability to correct the related key work. So, the first result, I can introduce this related key attack on full prints. Here we choose the related key like this. Just the key there are the same. Just x or the constant alpha to Q1. Then we have a very interesting property here. Let P, C and P prime, C prime, be the plain text of text pairs for key and key prime. Then we can have this conclusion. If C, X or P prime, because it's like KDL, XOR, RKDL. Then we can confirm that the value of C prime, X or P is the same value. The proof is same value. This equation, from this you can know the value of Y and X prime is the same. Then from the alpha reflection property, we know the encryption in this direction is equivalent in encryption of this direction. So, we know the value of X and Y prime is also the same. So, we can have the reduction of this equation. With this property, we can have a related key attack on prints like this. First, we just query a lot of random messages, random plain text or several text to this array. We store all the XOR sounds of the plain text and subtext. And for the related key oracle, we do the same thing and store the XOR sound of the plain text and subtext. And then, once we have enough candidates, we expect the calculation between the value of X and Y and each creation on them suggests that if this value is D, then you see I XOR P J prime is a possible candidate for P 0 XOR hierarchy data. Now, how do we determine if this value is correct? We can do it like this. We just choose a random plain text and get the corresponding subtext. Then, we calculate P prime as C XOR D. Then, we get the corresponding C prime using the related key encryption order code. Then, we check if P XOR C prime goes the same thing. If this equation holds, we can know that this is the correct value. Then, we can calculate if we were following this. This is a prediction. So, the complexity before attack is copied like this. First, we need to guess the value of K1. Then, we can do this in the middle of the procedure. So, the total complexity would be 2 to the 96. Our second result is a single-core pattern on Prince code with a chosen alpha. Before introducing the single-core pattern, I want to introduce the relative key window attack on Prince code. First, we need to know that for the Xbox, you'll see Prince, the best input output difference for this probability of 2 to the minus 2. So, we can choose this difference here. Then, we have a one-gram differential class with a very high probability. Because there's no key schedule in Prince code, once we set the key difference here, this one-gram differential class can be created again and again. So, we can construct the boomerang distribution like this. The upper-sixth one, we choose one iterative differential class. And for the bottom one, we choose another. And in the middle, you see it's a new one. You can scale it. Then, the probability for one iterative pass is 2 to the minus 12. Then, for the boomerang distribution, the probability should be 2 to the minus 48. But according to our experiments, actually, we can find a boomerang quartet which is 2 to the 36, that's because of the simplified effects. Then, we can recover the key from what we found, which is a boomerang quartet. But each time, we only recover the position of the key labels at the active position of the difference. So, we can play a little trick here. We can just test different positions in data 1 and data 2. So, we will only need eight boomerang quartets to recover all the 16 key labels you want. So, the comparison will be like this. Then, we want to convert this related key boomerang quartet into a single key quartet in principle. We call the alpha-reflation of the four principles. It's only 16, even simpler. It just acts like the alpha-reflation. Then, we have the decryption of all fours. Then, because in a single key quartet, we have only access to the same, the oracles with the same key. Now, we know that the decryption oracle is equivalent to the related key encryption oracle. Then, we can apply the boomerang attack like this. Every time we need access to the encryption oracle, maybe according to key, we just call this encryption. Once we need the related key encryption oracle, we just call the decryption oracle as long as the key difference is alpha. So, if we can choose the value of alpha, we can convert this related key boomerang attack into a single key factor. But for this attack, we have a few remarks. First of all, the key difference has to be the same in the top and bottom parts, because it's the same value of alpha. And with this constraint, the endpoint probability for the boomerang quartet counts 2 to the minus 40. And also, we can choose the position of the active nipples since it's determined by the constant. Thus, we can recover only one nipple of the key, but we will only need two boomerang quartets to recover this nipple. With this kind of attack, this kind of attack can apply for about 240 possible values for alpha. In the last talk, the authors introduced a class of weak constants. And here, we introduce another class of weak alphas. But it's worth mentioning that the alpha chosen by the design is not in these weak values, but it is set without. It's another single key attack. For prints, it's a slightly lower bound. With this attack, we just exploit the possibility with two linear relations that hold this probability well. First, relations coming from the half-assed construction. You know, the difference in k0 and the plane text can be cancelled by itself again without any difference of l or delta in the suffer text. This probability holds this probability well. And for the other linear relation, it has come from the alpha reflection probability. And it's written like this. So with these two equations that holds this probability well, what can we do? It's very interesting that we can use only one offline computation to test four keys at the same time. Yes, of course, this is a long-contact suffer text pair. Then we can just randomly choose a value of k0, k1. And we calculate offline to get the value of c prime. If c prime is not related to c, we know and we said there's a difference to delta. Then we will have another three equations which holds this probability well from the first equation. We know that this key equates c into a value of p, x0, some non-linear value. So we know this key equates our suffer text into a wrong context. So this key must be wrong. And for the other two equations, if this value delta is not equal to p and this value delta is not equal to c, we know these two keys are also not correct. So what we're doing here is just one offline computation to test four keys at the same time. But since some of the keys are not controlled by the class, so sometimes we will hit the keys that were already tested before. On average, the complexity is like this. There's two to the nth variance or two to the nth delta. The complexity for this attack is two to the 126.47 minus delta, which is slightly lower than the claimed value. And this complexity looks like the backlit attack, but our attack is different from the backlit attack because in the backlit attack, the number of tested keys is now reduced and only the computations reduced. But here in our attack, we can actually reduce the number of keys we tested. That's the difference. Okay, we have another integral attack on the sixth one. The idea is similar as the original square attack. We just have a four-round integral attack that will result in a binary system here. We just get some specific key labels to calculate backward from the cybertext to check if this binary system is satisfied. At last, we introduce some time-memory data tradeoffs. Because four to nine blocks separate, we have only a time-memory tradeoff. We only have a time-memory tradeoff using Hellman's paper. But for this high-fast construction, we have a very interesting equation, is that let the A-P be the input and output value of the principle. Then we can have a very interesting equation, is that this equation? On the right side of the equation, this value, the value of the right side can be calculated offline. We just choose the value of A and guess the value of K, then we get the value of B. So for some value of A and all the possible values of K1, we can calculate and store all these values into a lookup table. For the known context and surface pairs, we can calculate this on the left side and lookup into the table. Once we have a match, we have a suggested key. So with this algorithm, this tradeoff has an equation that has data times memory, where N is the size of the key space. And the pre-computation is only 2 to the 1 to the 8 minus D. It's less than the Hellman's table tradeoff. But here the times always square with N and the memory is always bigger than this one. So we want to introduce more tradeoff to make this time the time-computing tunable. So we will build another Hellman's table for principle. For the Hellman's tradeoff, the equations like this, T and square plus N square. And the tables are built for some given context. With this, no, they will give you tables. And once we know the surface text, we can use this table to find the value of K1. Then when we combine the Hellman's table and work like this, we just choose a set of values A and then for each of the values, we build the Hellman's table for principle. Then when we have a plain text text here, we just choose one value of A and then get the value of the key 0 just by calculating the actual sum of them. Then we will have the value of the post-whiting key. Then we have the value of B. Then we can use the Hellman's table to find the value of K1. With this algorithm, this tradeoff equation becomes T and this square equals N to the 25, 2.5. And our tradeoff is better than Hellman's tradeoff when the data is more than N to the 1,4. Because here we only use the table for principle which whose key size is only half of the principle. If we can store everything, if we have enough memory, we can just store everything in a single table. And then this tradeoff comes a bit better. Okay, that's the summary of all the doubts in a paper we just provide some a bunch of third party analysis of the new block-side reference and hope all the doubts will improve our understanding of this new block-side. Okay, that's it. Is there any question for Swann? Very nice work. I have a comment on another question. So your attack on single-key prints full with 12 runs is to contradict not only our claim, but also our proof. So we have a generic... What seems to have happened is that actually we misinterpreted our own proof and in fact instead of claiming 2 to the N minus 1 security, we should have claimed 2 to the N minus 2. And I think that everything would be fine. Yeah, actually this new block we can also have a proof just by following our algorithm to evaluate the complex thing with this attack. So we have improved this problem a little bit. Is there any more questions? No, let's thank Swann again.