 אני אחי אברון וזה שהתעבור של מהתלבי פרופ' נטן קדר. במקום שלנו נמצא את עתק של מיסטי-1, אז שם קצת קצת על זה. זה קצת סיפר שלו, שבמשטי ובמשטי ב-1997, ובסבירה רקוגנטיינס אינסין. הוא רקוגנטיינסין של יפנית, של פרוונטי נסי פרוונטיינסי, ובסבירה עשיתי, ובסבירה איזו סטנדרטיינסין. הוא הכסומי הכסומי הכסומי שבסבירה עשיתי של 3G סלולר קומוניקציינסין. We will return to it later. The structure of Mr. One is a 8-round fastail structure with 64-bit block and 128-bit key. Its run function is called FO, that is also a 3-round fastail structure. The same is true for the run function of FO. It is also a 3-round fastail structure. Shortly, the run function of Mr. One is a complex function. And if it is not sufficient, the designer added one more function called FL to make the structure even more complex. The FL function is a fine-simple function that applies every 2 rounds, and it uses a whitening layer. Despite of the complex structure, several attacks were published in the last year. In the first round, you can see attacks on reduced variant of the cipher. And in the last two rounds, you can see the first attack on the full Mr. One cipher were published last year by Todo. Todo attacks are integral attacks that uses a new technique Todo-invented called division property. So let's start with integral attacks. Integral attacks uses an integral characteristic. And what is that? It is a prediction that an equation holds. The equation is called a tech equation and it predicts that the sum over some intermediate values equals zero in some bit after i rounds. Such a characteristic is called i-round integral characteristic. And the full name is case-order integral characteristic of i rounds, where k is the log of the number of values examined. Okay. What we do with integral characteristic? So assume you found an integral characteristic start with a set of plain text v which the corresponding intimate values sum to zero after i rounds. You encrypt the relevant plain text and then you guess some key bits so you can check whether they take equation holds. You check if they take equation holds and if it's not, you can discard this key guess. Okay. But how you found an integral characteristic? This is the question. Here Todo came up with nice technique that uses what it's called division property. A division property of a set S is the partition of the space in our case f2 to the power of n to two groups. One is all the use such that the sum of x to the power of u over all x in S equals zero. And the other set is all the other use. Now start with a set of plain text that satisfies the division property and check how the division property changes through the encryption process. If after i rounds the set of good use contain at least one u whose coordinate sum to two or more then you get an integral characteristic of i rounds. Todo applied his technique to misty one and found a six-round integral characteristic start after the first FL layer. This characteristic, integral characteristic is two rounds longer than the previous best known characteristic. And the take equation predicts that the sum of two to the 163 specific values is zero in seven bits of the input to FL7. This means that if you get the relevant ciphertext you need to decrypt just through the last round and FL7 to check whether the take equation holds. And this characteristic is used in todo attacks. We use additional characteristic in our work. The additional characteristic is a modification of todo characteristics. Both characteristics looks the same, but while todo characteristics start at the plain text side, sorry, the modified characteristic starts at the ciphertext side. Looking at the decryption direction, the modified characteristic starts before the last FL layer and ends after the second round. Here is a better picture drawn on the same picture. So both characteristics look the same and the question is what is the advantage of the modified characteristic. We think the answer is one of the weaknesses of Misti-1 design. And the answer is simple. There are common key bits in the first round, and FL1 and FL1. So less key material is needed to guess for checking whether the take equation holds. Okay, but we still have the first round and FL4 function to pass and the first round is a complex function. So let's start simplifying starting with the FL function. The 30-bit FL function can be divided to 16 2-bits function that applied in parallel and they are roughly the same function. This gives us the ability to split the 7-bit take equation into up to 7 1-bit equation. And in addition, some calculation can be moved before FL4 instead of after FL4. This is because FL is a defined function. So the calculation is now before FL4 and we need to deal with FL1. For this, we used, we presented two of the main observations we used. One observation is we can ignore some part of the key. Why? Because we sum over an even number of values, so a key that involved linearly in the take equation is cancelled. Like KO4 and KI41 in the first round. The second observation is like this. Because of the 3-round pastel structure of the misty 1 function, the main calculation can be splitted to separate calculation. For example, calculate the 7 leftmost bits of the output of FL1 given its input can be done like this. Calculate the contribution of the left side and the right side of the input separately and only in the end joining them together. The picture is like this. The left side goes through Fi1 and the right side goes through Fi2 with feed forward. The last result is the result of these two results. Before moving the next section, it's worth to mention that the designer of Kasumi, the successor of Misty 1, made small changes to prevent this weakness. The splitting of FL function in Misty 1 cannot be done in Kasumi due to additional rotation here and here. As for the 3-round pastel structure in Kasumi, the Fi function is 4-round pastel structure. Due to these changes and others, no 5 or more round integral characteristic is currently known in Kasumi and for the section of our results. So in our work, we use several techniques. One of them is partial sum first presented by Parkinson et al in 2000. The main idea is to guess the key material in several steps instead of one big guess. First, you guess some of the key bits, then you partially encrypt the relevant values, and finally, you reduce by some magic the number of values you have to compute before moving the next steps. The next steps are similar. You guess some more key bits, you partially encrypt and reduce the number of values, and so on and so on. A second technique is two-dimensional meeting the middle, first presented by Denouretel in 2012. We performed a meeting the middle attack twice. One, we split the 7-bit attack equation to two equations, a 3-bit equation and a 4-bit equation, and compare their common key bits. This is this second. We modified each equation separately. Instead of checking if a sum of values equals zero, we split the value to two groups and check whether the sum over one group equals the sum over the second group. Adding up all techniques together, we achieve the following result. To recover the 14-9 key bits, we need three things. One is a modified characteristic. Second, we need almost all the code books, and three, a time of two to the 64 that is roughly the time to decrypt the data. The rest of the key can be recovered in two ways. One is just excessive search that increase the time to two to the 79. Last trivial way is to use also total original characteristic for extra filtering. This way, the time decrease under the two to the 17, but all the code book is required. Okay, two summaries. We significantly improved the previous best-known attack on the full misty one cipher by a factor of two to the 37. However, our attack is not a practical attack due to the amount of data that requires. In addition, our attack doesn't work against Kasumi in part because of the changes that made in its design. And that is it. Thank you.