Hello everyone. My name is Raghvendra Rohit. Today I am going to present our work "Diving Deep into the Weak Keys of Round Reduced Ascon". This is joint work with Santanu Sarkar. Here is the outline for today's talk. First I will give a brief description of the Ascon algorithm. Next I will present the problems which we addressed in this work, and then I will show some practical weak key distinguishers for round-reduced Ascon and also show how to construct such a weak key space for Ascon.

So, let's start with Ascon. Ascon was initially submitted to the CAESAR competition in 2014 by Dobraunig, Eichlseder, Mendel and Schläffer. It won that competition, and it is also a finalist of the ongoing NIST lightweight cryptography competition. At a very high level, the Ascon authenticated encryption takes as inputs a secret key K, the public parameters nonce N and associated data A, and a message M. It then outputs a ciphertext C, whose length equals the length of the message, and an authentication tag T. The tag T provides integrity and authenticity for all the inputs.

Now, if we look into how Ascon works, it is based on the well-known duplex sponge construction. There are four phases: initialization, processing of associated data, encryption, and finalization. During the initialization and finalization phases we have the Ascon permutation which runs for a rounds, while for the associated data and plaintext processing we have the same permutation but the number of rounds b is smaller. There are two variants of Ascon, Ascon-128 and Ascon-128a. The only differences between the two variants are the amount of data processed per call of the permutation, which is given by the rate r, and the number of rounds b during the associated data and plaintext processing phases. In Ascon-128 we have b = 6, while in Ascon-128a we have b = 8; the number of rounds during the initialization and finalization phases is always the same, namely a = 12.

Now, if we look into the round function p, it consists of three operations. The first operation is the addition of a round constant: we XOR an 8-bit round constant into the word x2 of the state. Then we apply the non-linear layer, which is the S-box operation applied column-wise to all 64 columns. Then we have the linear layer pL, which diffuses each word within the state. Mathematically, the S-box of Ascon has algebraic degree 2 and is given by this expression, and the linear layer, given here, is simply based on XORs and right cyclic shifts.

So, now let's move to the problems which we addressed and our contributions. Before going into that, we start with the security claims made by the Ascon designers. For 128-bit security they state two conditions: first, the amount of plaintext and associated data that can be protected by a single key is limited to at most 2^64 blocks; second, the nonce should never be repeated for two encryptions. Based on these two conditions, we fix the target which we analyze in this work. Our target is mainly the initialization phase of Ascon. This can be done because we can take the associated data to be empty and encrypt a single plaintext block, and then we can simply work on the initialization phase. Our target is shown here.
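Since everything that follows manipulates this permutation, here is a minimal Python sketch of the round function p just described, written from the public Ascon specification. The function names are mine, and this sketch numbers bits with bit i as the coefficient of 2^i, which is the opposite of the MSB-first numbering used on the slides.

```python
# A minimal sketch of one Ascon round: constant addition pC,
# bitsliced degree-2 S-box pS, and linear layer pL.

MASK = (1 << 64) - 1

def rotr(x, n):
    """Right cyclic shift of a 64-bit word by n positions."""
    return ((x >> n) | (x << (64 - n))) & MASK

def ascon_round(s, c):
    """One round p = pL . pS . pC on the state s = [x0, x1, x2, x3, x4]."""
    x0, x1, x2, x3, x4 = s
    # pC: XOR the 8-bit round constant c into word x2
    x2 ^= c
    # pS: the degree-2 S-box applied to all 64 columns at once (bitsliced)
    x0 ^= x4; x4 ^= x3; x2 ^= x1
    t0 = (~x0) & x1; t1 = (~x1) & x2; t2 = (~x2) & x3
    t3 = (~x3) & x4; t4 = (~x4) & x0
    x0 ^= t1; x1 ^= t2; x2 ^= t3; x3 ^= t4; x4 ^= t0
    x1 ^= x0; x0 ^= x4; x3 ^= x2; x2 = (~x2) & MASK
    # pL: diffuse each word with XORs of two right rotations
    x0 ^= rotr(x0, 19) ^ rotr(x0, 28)
    x1 ^= rotr(x1, 61) ^ rotr(x1, 39)
    x2 ^= rotr(x2,  1) ^ rotr(x2,  6)
    x3 ^= rotr(x3, 10) ^ rotr(x3, 17)
    x4 ^= rotr(x4,  7) ^ rotr(x4, 41)
    return [x0, x1, x2, x3, x4]

def ascon_permutation(s, rounds):
    """First `rounds` rounds of p^12: the round-reduced initialization
    studied in this talk uses constants from the start of the schedule
    (round 0 adds 0xf0)."""
    for r in range(rounds):
        s = ascon_round(s, ((0xF - r) << 4) | r)
    return s
```

The bitsliced form is also the form in which the degree-2 algebraic normal form of the S-box is usually analyzed, which matters for the degree arguments later in the talk.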
So, we have the constant IV, the secret key K and the nonce N loaded into the state; then we apply the round function for r rounds, and then we can take the ciphertext of one block of plaintext. The questions here are the following. First, how many rounds can we attack out of the 12 rounds, where we impose the condition that we are working in the nonce-respecting setting? Second, given the nonce-respecting setting, what are we looking for: key recovery, or do we just want to distinguish the output, which is the ciphertext here? Third, since the designers impose a data complexity of at most 2^64 blocks, are our attacks within this data limit or outside it? This condition was also used in the previous work on misuse-free attacks by RHSS21. There they presented attacks such that the data complexity is at most 2^64; that is why they call them misuse-free attacks.

Okay. Now, if we look into the existing key recovery attacks, most of them are based on differential and cube attacks. The best attack can cover up to seven rounds of Ascon, and it is a cube attack. However, some of them are valid attacks and some are invalid; invalid here means that the data complexity exceeds 2^64. If we require the data complexity to be at most 2^64, the best earlier attack reaches only six rounds. In previous work, RHSS21 gave a key recovery attack on seven rounds using 2^64 data, based on the ideas of cube attacks. There they also posed the question whether there exists an attack on seven rounds with data strictly less than 2^64. One of our major contributions is that we answer this question positively: we present an attack with 2^63 data in this work.

Now, if we look into the available distinguishers for Ascon: for five rounds, the best one has data 2^16, it is based on the division property, and it works for all 2^128 keys. What we show here is that there exist keys for which we can reduce the data complexity. For instance, there are 2^115 keys for which we can distinguish five rounds with 2^13 data. There are also 2^111 keys for which we can reduce this data complexity further, from 2^13 to 2^9. So, compared to the previous five-round distinguishers, we have improved distinguishers for five rounds in this work. Now, if we look into six rounds, the best known distinguisher has data 2^31, again for the full key space. We present three distinguishers here, for different numbers of keys. In the first one the number of keys is 2^104 and the data complexity is 2^24. Then we have another distinguisher with 2^18 data, and we also show that we can reduce the data complexity further to 2^17, but in this case the number of keys reduces to 2^95. Now, if we go to seven rounds, the best known distinguisher requires 2^60 data, and this is not practical.
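All of these distinguishers are statements about the target just described, so here is a hedged sketch of that target as an oracle, reusing ascon_permutation from the earlier sketch. The function name is mine; the IV constant is the Ascon-128 value from the public specification.

```python
# The attack target: r rounds of initialization on (IV, key, nonce),
# observed through the first ciphertext block.

IV_128 = 0x80400C0600000000  # Ascon-128 IV (k=128, rate=64, a=12, b=6)

def first_keystream_word(key, nonce, rounds):
    """Rate word x0 after `rounds` initialization rounds. With empty
    associated data and a one-block message, ciphertext = plaintext XOR
    this word (the key and domain-separation XORs applied after
    initialization do not touch x0), so this is exactly what the
    attacker collects per nonce."""
    k0, k1 = key
    n0, n1 = nonce
    return ascon_permutation([IV_128, k0, k1, n0, n1], rounds)[0]
```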
So, we give our distinguishers: we improve the complexity of the previous distinguisher from 2^60 to 2^46, and then to 2^33, which is practical and can be verified easily. However, the trade-off here is that the number of keys for which such distinguishers work is smaller. For the distinguisher with 2^46 data the number of keys is 2^82, while for the second one the number of keys is 2^63.

Okay, now we look into how we came up with these sorts of distinguishers. Before going into the overall idea, let us first review what kind of distinguisher we are looking at. Let's say we input a nonce n0 and a message m0, and we receive the ciphertext c0. We repeat this for q queries, where the nonces are distinct, obtain the corresponding ciphertexts, and XOR all these ciphertexts together. What we are checking is whether this sum of all the ciphertexts equals 0 with probability 1. This is the distinguisher we are looking at here. Now, if the size of the ciphertext is 64 bits and the Ascon output behaves like a random function, then this probability should be 2^-64, not 1.

If we look at this high-level idea theoretically, it follows the principle of cube attacks. Let me give you an example. We consider a Boolean function f in six variables, which is given here. Here k0, k1, k2 are secret variables and the v's are public variables which we can control. Now, we take the second-order derivative with respect to v0 and v1 and fix v2 to some constant; that means the value of v2 is fixed, and we evaluate f on all possible values of v0 and v1 and sum the outputs. After doing that, we receive a value which equals k0 + k1 + k2. In cube attack terminology, the variables v0 and v1, over which we vary all possible values, form the cube; since we have only two variables here, this is a two-dimensional cube. The fixed v2 is a non-cube variable, and the polynomial obtained after summing over all possible values of v0 and v1, here k0 + k1 + k2, is the superpoly of the cube {v0, v1}. Notice that here the superpoly is linear, so it gives some knowledge about the key bits. There are many automated tools, such as MILP solvers like Gurobi, constraint programming, and SAT/SMT solvers, which can recover information about these superpolys. The problem is that once the algebraic normal form becomes complex, it is difficult to guarantee this sort of information; simply put, these solvers do not finish when you increase the dimension of the cube.

The idea behind cube attacks also goes back to 1994, to Lai, where it was given in the form of higher-order derivatives. The basic idea is that if your Boolean function has degree 2, for example, then its third-order derivative with respect to the public variables is always zero. More generally, if the degree of a Boolean function is t, then any derivative of order t + 1 is zero. In the previous example, the degree with respect to v0, v1, v2 is 2, so if you take the third-order derivative with respect to v0, v1 and v2, that is, sum the values of f over all eight assignments, it always equals zero. So, what is our goal here? Our goal is to reduce the algebraic degree of the Ascon output bits as much as possible.
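The slide's exact six-variable f is not reproduced in this transcript, so here is an illustrative stand-in with the same behaviour, just to make the two facts above executable: the cube {v0, v1} has superpoly k0 + k1 + k2, and every third-order derivative in the public variables vanishes because f has degree 2 in them.

```python
# Toy cube/superpoly demo over GF(2); f is a stand-in, not the slide's f.
from itertools import product

def f(k0, k1, k2, v0, v1, v2):
    # degree 2 in the public variables v0, v1, v2
    return (v0 & v1 & (k0 ^ k1 ^ k2)) ^ (v0 & k0) ^ (v1 & v2) ^ (v2 & k1 & k2)

for key in product((0, 1), repeat=3):
    # 2nd-order derivative w.r.t. v0, v1 (v2 fixed): sum over the 4 cube points
    superpoly = 0
    for v0, v1 in product((0, 1), repeat=2):
        superpoly ^= f(*key, v0, v1, v2=0)
    assert superpoly == key[0] ^ key[1] ^ key[2]
    # 3rd-order derivative w.r.t. v0, v1, v2: always 0 since deg_v(f) = 2
    third = 0
    for v0, v1, v2 in product((0, 1), repeat=3):
        third ^= f(*key, v0, v1, v2)
    assert third == 0
print("superpoly = k0 + k1 + k2 and 3rd-order derivative = 0, for all keys")
```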
Okay, so now we look into how we actually construct these distinguishers. If you remember, the state of Ascon is loaded with these values at the beginning: the word x0 is loaded with a fixed constant, which is given in row 1; in the next two rows we have the 128-bit key; and finally we have the public nonce variables v. Now we have to find some conditions on the v_i, and then find an upper bound on the algebraic degree in terms of the v_i, ensuring that the degree does not grow too fast.

If we look into the S-box output after round 1, we can see that only the i-th bit of the word y2 contains a term that is quadratic in the cube variables, namely v_i * v_{i+64}; the rest have no such quadratic term. So, what RHSS21 proposed was to set each cube variable in word 3 equal to the corresponding one in word 4, and then see how the degree propagates. If we set v_i = v_{i+64} and look again at the S-box output, they found that the i-th bits of y2 and y3 become independent of the cube variable after the S-box, while the other words still depend on the cube variable v_i. Based on this condition, they derived upper bounds on the algebraic degree for up to seven rounds. After seven rounds, their maximum algebraic degree is 59 in the cube variables, and this is still not practical.

So, what we do here is the following. We now know that two words are independent of the cube variables, so we check whether we can make another word independent as well. For that, we introduce an additional condition involving word x1: we set the key bits k_i = 1 + k_{i+64} for the indices 56 to 59, and for the other indices we simply take k_i = k_{i+64}. Now, what is the impact of this additional condition? If you look at how the degree propagates once we add it: after three rounds, without the condition the degree bound was 3; with the condition it becomes 2. After four rounds it is 6, while previously it was 7. Continuing like this, we find that after seven rounds the degree is now 45, so the degree reduces by 14 compared to 59, giving a distinguisher with 2^46 data.

Also, if you look after round two, only the word x3 has quadratic terms. So, if we can somehow ensure that there are no quadratic terms after round two, by putting some additional conditions on x3, then the state is linear in the cube variables at that point. Since the S-box has degree 2, the degree can at most double per round, so after the next five rounds the maximum degree can be 2^5 = 32. Based on this we can create a distinguisher for seven rounds with complexity 2^33, because the maximum degree is at most 32.

Okay, so now let's look at some concrete examples of the distinguishers. We start with an indexing set; here our set starts at 0 and ends at 45. So, we select an indexing set I1 of dimension 46, and corresponding to this set we define a weak key space for seven rounds as follows: for each index i in I1 we set k_i = k_{i+64}. Now, if we count how many keys there are: there are 46 positions where k_i = k_{i+64}, so those pairs can take only 2^46 values, and the remaining 18 index pairs can take arbitrary values, which is 2^(18*2) = 2^36 values. Overall we have 2^82 keys. Now, for each of these keys, we select a cube of the form v0 to v45, as in the sketch below.
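Here is a small sketch of how this weak-key condition can be sampled and plugged into a cube-sum check, building on the oracle from earlier. The helper names are mine, and the bit-index mapping is an assumption: this sketch numbers bits LSB-first, so the talk's MSB-first index i corresponds to bit 63 - i here; in particular the talk's constant positions 56-59 become bits 4-7 (the set bits of the first round constant 0xf0), and I1 = {0, ..., 45} becomes bits 18 to 63. The specific cubes that make the sums vanish are the ones from the paper; the code only reproduces the setup.

```python
# Sampling a key from the weak-key space of an indexing set, plus the
# cube-sum distinguishing check (v_i = v_{i+64} on the nonce words).
import itertools, random

CONST_POS = {4, 5, 6, 7}  # bits of the first round constant 0xf0 in this
                          # LSB-first convention (56-59 on the slides)

def sample_weak_key(index_set):
    """Random (k0, k1) with k_{i+64} tied to k_i for i in index_set:
    complemented on CONST_POS, equal elsewhere; all other bits free."""
    k0 = random.getrandbits(64)   # word x1: key bits k_0 .. k_63
    k1 = random.getrandbits(64)   # word x2: key bits k_64 .. k_127
    for i in index_set:
        bit = ((k0 >> i) & 1) ^ (1 if i in CONST_POS else 0)
        k1 = (k1 & ~(1 << i)) | (bit << i)
    return k0, k1

def cube_sum(key, cube_bits, rounds):
    """XOR of the keystream word over the 2^d cube nonces. Each cube
    variable sits at bit i of BOTH nonce words (v_i = v_{i+64}); all
    other nonce bits are 0. Zero with probability 1 for a weak key and
    a suitable cube; ~2^-64 for a random function."""
    acc = 0
    for bits in itertools.product((0, 1), repeat=len(cube_bits)):
        n = 0
        for b, i in zip(bits, cube_bits):
            n |= b << i
        acc ^= first_keystream_word(key, (n, n), rounds)
    return acc

# The talk's I1 = {0,...,45} corresponds to bits 18..63 here: 2^46 tied
# pairs times 2^36 free bits = 2^82 keys. The full 7-round check needs
# 2^46 queries, so in pure Python one would sanity-check a smaller cube
# against fewer rounds instead.
key = sample_weak_key(range(18, 64))
```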
For each of these keys, the cube sum after seven rounds equals 0. So, this is one example. Now, let's look at another example. Here we decrease the size of the cube from 46 to 33, taking the indexing set I2 = {0, ..., 32}, and we define the weak key space as follows: either for each index i in I2 we set k_i = k_{i+64} = 0, or, taking the union with the other case, for each index i in I2 we set k_i = k_{i+64} = 1. Once we have this condition, the number of keys is easy to count: the constrained block admits only two possibilities, all these pairs equal to 0 or all equal to 1, and the remaining bits can take 2^((64-33)*2) = 2^62 values. So in total we have 2 * 2^62 = 2^63 keys. Remember, these are the conditions which ensure that the word x3 after round 2, which initially was quadratic, becomes linear. Once you put these conditions, that word becomes linear, and over the next five rounds the maximum degree can be 32. That is why we select an indexing set of dimension 33.

These are just examples, and each depends on one particular indexing set, I1 or I2. In general we may have multiple sets, so to define the actual number of keys, we define how to construct such a weak key space for Ascon in general. This is the definition: we fix a round number r and a positive integer d. We say that a key K is a weak key in WK_{r,d} only if the following condition holds: there exists a d-dimensional cube such that, when we compute the algebraic degree after r rounds in all 64 output bits, the degree is at most d - 1. If such a cube exists for a key, we say that the key belongs to the weak key space WK_{r,d}.

So, how do we construct such a set? The first step is to start with an indexing set I of dimension d, which is a subset of the indices 0 to 63. We define WK_I as the set of 128-bit keys which satisfy the following equations: if the index i belongs to {56, 57, 58, 59} we take the complement, k_i = 1 + k_{i+64}; this is because at these positions the round constant bits are added, so we have to take the complement. Otherwise, we take the key bits as equal, k_i = k_{i+64}. This set WK_I is defined for a single indexing set I only. Now, there are 64 choose d such sets, so we define WK_{r,d} as the union over all sets I. Note also that if a key is weak for dimension d, meaning there exists a cube of dimension d such that the algebraic degree is at most d - 1, then it is trivial to see that it is also weak for dimension d + 1. In that case we can take the union over all dimensions starting from d up to 64.

So, now we have these sets, and we have to find out the actual size of WK_{r,d}, where r is the number of rounds and d is some fixed value. If we compute lower bounds for this expression, we find that for r = 5 and d = 30, almost every key is a weak key. For six rounds, if we take d = 24, there are about 2^127 weak keys. For r = 7 there are 2^116.34 weak keys. The d' here refers to the second type of condition, where the key bit pairs are fixed to either 0 or 1. Note that these are only lower bounds.
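The counting behind the single-set sizes can be written down directly; a tiny sketch follows. The function names are mine, and the paper's actual lower bounds on the union over all 64-choose-d sets involve more care than this single-set count, since the sets overlap.

```python
# Single-set weak-key counts behind the two example distinguishers.
from math import comb, log2

def size_equality_type(d):
    """k_i tied to k_{i+64} on d indices: 2^d choices for the tied
    pairs times 2^(2*(64-d)) free bits = 2^(128-d)."""
    return 2 ** (128 - d)

def size_fixed_type(d):
    """(k_i, k_{i+64}) jointly all-0 or all-1 on d indices: 2 choices
    times 2^(2*(64-d)) free bits."""
    return 2 * 2 ** (2 * (64 - d))

print(log2(size_equality_type(46)))  # 82.0 -> the 2^46-data example
print(log2(size_fixed_type(33)))     # 63.0 -> the 2^33-data example
print(log2(comb(64, 30)))            # ~60.5 candidate index sets at d = 30
```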
The exact values do not differ too much from these lower bounds. Okay. So, now we know the size of the weak key space. In our paper we also present attacks, given that a key belongs to this weak key space. We present two attacks. Our first attack requires 2^64 data, 2^74 bits of memory and 2^97 time, and this attack is on 7 rounds. We also present another attack which requires 2^63 data, 2^69 bits of memory and 2^115 time. So, basically our second attack answers the question posed by RHSS21. For more details, I suggest looking into our paper. Also note that the time complexities I mentioned here are worst case, so there is a lot of room to improve these complexities in terms of data, memory and time.

To conclude, what have we achieved in this work? For the first time, we presented distinguishers for Ascon on 7 rounds with practical complexities. We also presented the first key recovery attack which requires less than 2^64 data, namely 2^63. And here is what we tried but did not achieve: we are looking at distinguishers with probability 1. Now, suppose we relax the success probability of the distinguisher to some alpha between 0.5 and 1; then the number of keys should definitely increase, but we did not find a direct way to work this out. So, maybe it is possible to improve the number of keys for 7 rounds and then come up with a new attack. Another question is how we can extend these weak key attacks to the full key space. Also, one important point: as you know, right now there are no 8-round distinguishers for Ascon when it is used in the authenticated encryption mode. So, one could start by asking whether there are any weak key distinguishers for 8 rounds. So, yeah, that's it. Thank you very much for your time. If you need more details, the source code for all our attacks and distinguishers is referenced in our paper, which is also available on ePrint. Thank you very much.