Next is "Boomerang Switch in Multiple Rounds: Application to AES Variants and Deoxys", and the talk is given by Haoyang Wang.

Thank you for the introduction. Hello everyone, I'm Haoyang. The title of this talk is "Boomerang Switch in Multiple Rounds: Application to AES Variants and Deoxys". This is joint work with Thomas Peyrin.

On the background, it's lucky to be the last one, so I can skip this background very quickly. I use the same notation as the last talk. So here is a boomerang: alpha, beta, gamma, delta. The boomerang divides the cipher into two sub-ciphers, and there is one trail for E0 and another one for E1, and the probability can be computed by this. When the boomerang attack was first proposed, the two trails were assumed to be independent. But however, some following work and experiments showed that at the boundary of the two trails there may be some dependencies, and so we have some positive effect or negative effect. For the positive effects, some results show that some active S-boxes at the boundary can be saved, so that we can improve the boomerang distinguisher. So in order to capture this dependency in the boomerang attack, the sandwich attack was proposed, and Em is the part containing the dependent part of the two trails.

Here I will just show the ladder switch and the S-box switch under the sandwich attack. On the left is the ladder switch. The ladder switch happens when ∇0 is equal to zero, which means that here Y3 equals Y1, because if we XOR a zero difference to a value, it doesn't change anything. So on the other side of this boomerang, at this S-box level, it will return with probability one. So for the ladder switch the probability r is one. And then the right part is the S-box switch. The S-box switch happens when ∇0 equals δ1. This is because the difference between Y1 and Y2 is equal to δ1, so if we XOR δ1 to Y1, this means that Y4 equals Y1, and then Y3 equals Y2.
So the pair of values on the other side of the boomerang just exchange positions compared to the previous side, and on the other side the boomerang can return with probability one. So the final probability only counts one side of this boomerang.

Then, in order to provide a systematic evaluation of Em inside the sandwich attack, the BCT was proposed. It focuses on Em when it consists of a single S-box layer. It contains two parameters, here and here, and the entries of the table can be computed by this formula, which I will not explain. The advantage of the BCT is that it can cover the switching effects of the ladder switch, the S-box switch, and incompatibility. For example, incompatibility corresponds to the zero entries of the BCT. Besides, the BCT offers a new switching effect compared to the S-box switch, where ∇0 equals δ1: the BCT does not require the value of δ1, which means that during the boomerang switch there might be some other values of δ1, and that could lead to a higher switching probability.

Now the motivation is similar to the last talk. Can we extend Em to multiple rounds? If yes, can we apply the current switching techniques to evaluate r? First let's determine the number of rounds in Em. Start with the idea of the ladder switch. The idea of the ladder switch is that the round function of a cipher can be divided into two independent parts which can operate in parallel. This figure is an example of AES. As we know, the internal state of AES can be partitioned into two parts up to two rounds. Here we omit the remaining linear layers of the second round because the linear layer has no impact on the boomerang switch. So here we can divide the internal state into the red part and the blue part. Each transformation can operate on these two parts separately, and they have no interaction.
So if the red part is only active in the lower trail and the blue part is only active in the upper trail, we can just assign the red part to be the part of the upper trail and the blue part to be the part of the lower trail. In this way, all active S-boxes can be passed with probability 1.

Then let's extend this idea. Let's recall the procedure of the boomerang. The upper trail is first used in the encryption direction, which is the forward direction, when we encrypt. And the lower trail is used in the backward direction, which is the decryption direction. So in Em, if the forward diffusion of the active cells in the upper trail has no interaction with the backward diffusion of the active cells in the lower trail, a right quartet of Em can be generated with probability 1. Here is a four-round Em of SKINNY with probability 1. Here is the upper trail; it shows the diffusion pattern over four rounds starting from one single cell. And the lower trail is also a four-round backward diffusion starting from one single active cell. These two trails have no overlapping active cells; they have no interactions. So a right quartet of this Em can be generated with probability 1. The reason why SKINNY has more rounds in Em is that it has a slower diffusion layer than AES.

Then we found incompatibility in multiple rounds. Like I said, it is claimed that the BCT can detect incompatibility when its entry is zero. So here is also an example of a two-round Em of AES. These two trails are valid with probability 2 to the power of minus 7. For the first S-box layer, there is only one overlapping S-box, and the BCT entry for this S-box is 2; it's non-zero. For the second S-box layer, there is also only one overlapping S-box, and the BCT entry is also 2, non-zero. So according to the BCT, these two trails should be compatible in the boomerang switch. But however, this is not true.
We found that for the first S-box layer here, the BCT entry and the DDT entry cannot be non-zero simultaneously. This shows that these three values have some correlation in the boomerang switch, in the boomerang attack. So here we summarize some observations on the S-box in the boomerang switch. Here we take δ0, δ1 and ∇0 into consideration. When we fix the values of δ0 and δ1, the choices of ∇0 are limited, and the maximum number of non-trivial values of ∇0 is equal to 2 times (l choose 2) plus 1. And then, of course, when we fix δ0 and ∇0, the choices of δ1 are still limited.

So in order to capture these observations, we propose the boomerang difference table, BDT in short. This is a very simple and straightforward table. It's a combination of the BCT and the DDT, and takes δ0, δ1 and ∇0 into consideration. Although this formula is long, the former part is the BCT and the latter part is the DDT. That's all, and n is the S-box size. Even though we have three parameters in the table, this table is still very manageable, like for 8-bit S-boxes. And the time complexity of the construction is O(2^(2n)), which is exactly the same as for the DDT. We omit the algorithm here; please check the paper for details.

And some properties. Since it is the combination of the DDT and the BCT, we can convert the BDT to the DDT when ∇0 is equal to 0 or equal to δ1, and we can also convert the BDT to the BCT. So in some evaluations, in some cases, we can just use the DDT and the BCT to evaluate the boomerang switch for simplicity. And also, the BDT can detect incompatibility when the corresponding entry is 0. So for example, for the previous example, it can easily detect the incompatibility here.

So I will show an attack on ten-round AES-256. First is the attack model. Our attack is under the related-key attack, in which the adversary can choose a relation between several keys and get an encryption oracle with these keys.
And also there's a special key model, the related-subkey model. Instead of choosing a relation between master keys, the adversary is allowed to choose a relation between subkeys. The advantage is obvious: it is easier to obtain a desired related-subkey difference in a nonlinear key schedule, so that he doesn't have to pay some probability in the key schedule. And its disadvantage is that it requires a complex key access scheme, which means it will be less practical and sometimes even too contrived for academic interest.

So this is our attack. We stick to the related-key attack. Since the key schedule of AES is nonlinear, we use a related-key differential path in the upper trail and a single-key differential path for the lower trail. And for the strategy of constructing the upper trail, we use the local collision like in this figure. First we introduce the difference into the internal state; then after one round, the next key difference cancels out the internal difference. We can repeat this pattern several times to construct the upper trail. And also when constructing the boomerang distinguisher, we apply the boomerang switch in two rounds in mind, in order to gain some benefit. Here is the upper trail: on the left is the upper trail of our attack, and on the right is the lower trail of our attack. The upper trail covers up to round nine; it's nine rounds. And the lower trail covers round eight to round ten. Round ten is used for key recovery, and round eight and round nine are covered by Em.

Okay, then I will explain how to evaluate the two-round Em by the BDT here. The colors here, the red, blue, or the dashed gray, are fixed values; only the green values are random, we don't care what the value is. So first beta, the beta here, beta is a state difference; gamma is a state difference. They are determined by E0 and E1, so they are fixed. So let's first take a look at the first S-box layer here.
So first, there is only one overlapping active S-box, right? For this S-box we fix the value of δ1, so that after ShiftRows and MixColumns the difference of the first column can be cancelled out by the round-key difference, so that at the second S-box layer there are no overlapping S-boxes. After we fix δ1, we can look into the BDT to check which values of ∇0 satisfy that the entry of the BDT is non-zero. After we find the values of ∇0, the switching probability is obtained accordingly. Then for the second S-box layer, even though there are no overlapping S-boxes, we still have to pay the switching probability, because ∇1' is uniquely determined by ∇0. Since ∇0' is zero, due to the relation between the BDT and the DDT, for simplicity we can use the DDT here to evaluate the switching probability of the second S-box layer, like the DDT entry for ∇1' and ∇0'.

So the result of the attack is that we only need two related keys, and with time and data complexity 2^75 we can recover the full key. Compared to the results of existing attacks like this, even though they claim that the time 2^45 is lower, they can only recover 35 subkey bits. So actually, if they want to recover the full key, they will need 2^221. And also their attack model is the related-subkey difference. So compared to them, we have improvements on both the attack model and the complexity.

And also we applied the boomerang switch in multiple rounds and the BDT to full-round AES-192 and Deoxys-BC. We applied them to three current works. The first one is a well-known paper that proposed the first related-key boomerang attack on full-round AES-192. The second one is improved based on the first paper, and its result remains the best attack. And then we applied it to Deoxys-BC at 10 rounds. I will only explain the improvement of the best attack on AES-192.
The idea of the original attack is that they use a similar idea of local collision, and their improvement, based on the first attack on AES-192, is that they optimized the boomerang switch in their boomerang distinguisher. We had already tried our BDT to do a re-evaluation of their boomerang and found no improvement. So then we tried to search for a new upper trail, and we managed to extend the boomerang switch to two rounds. And also there is a similar two-round Em in our improved attack, like here: in the first S-box layer and the second S-box layer we can see there is no overlapping active S-box, and the same here. But this does not mean this boomerang switch is totally free, because here δ1 of this value and ∇1' of this value are fixed. So we still have to use the BDT to evaluate this and this S-box to get the switching probabilities.

And the result: for the best attack we get an improvement, not too high, of 2^1.3, and we re-evaluated the boomerang distinguisher of the first attack, we did not change anything, and we found that their attack should be better, by a factor of 2^4.8. And we also used the BDT to improve Deoxys-BC-256, and the improvement is 2^1.6.

To conclude: the slower the diffusion in a cipher, the more rounds will be impacted by the switching effect. Then we introduced the BDT to easily evaluate the boomerang switch in multiple rounds, and then we proposed an attack on 10-round AES-256 and on full-round AES-192 and Deoxys-BC-256. Thank you.

Thank you. So are there any questions? I have one. Do you think that you could combine your ideas with the ones from the previous presentations in order to improve? Yes, of course. And it might provide better applications. We will try. I think that these can match perfectly. You have started to look at this? Have you started to look at this? Not yet. Okay. Looking forward then. Okay, sure. Thank you.
Thank you. Any other questions? If there are no more questions, then we'll go to lunch, which will be on the first floor, and we'll be back at 2. Thank you. Thank you to all the speakers.
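A worked example added after the talk (not code from the speaker or the paper): it builds the DDT, BCT and BDT of a small S-box and checks the relations the talk states, namely that the BDT collapses to the DDT when ∇0 = 0 or ∇0 = δ1, sums to the BCT over δ1, and exposes (δ0, δ1, ∇0) combinations where the DDT and BCT entries are both non-zero but the switch is impossible. The 4-bit PRESENT S-box is used as a stand-in for the AES S-box so the full table is built in under a second; the S-box choice, function names and the concrete triple in the test are this example's own assumptions.

```python
# Added example: DDT, BCT and BDT of a small S-box; the 4-bit PRESENT S-box stands in for AES's.
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
N = 4                       # S-box size in bits
SIZE = 1 << N
SINV = [0] * SIZE           # inverse S-box, needed for the boomerang (return) condition
for x, y in enumerate(SBOX):
    SINV[y] = x

def boomerang_ok(d0, n0, x):
    # BCT condition: the pair (x, x^d0) returns with input difference d0 after xoring n0 on the output side
    return SINV[SBOX[x] ^ n0] ^ SINV[SBOX[x ^ d0] ^ n0] == d0

def build_tables():
    """Return (DDT, BCT, BDT); BDT is indexed [d0][d1][n0]. Construction cost is O(2^(2n))."""
    ddt = [[0] * SIZE for _ in range(SIZE)]
    bct = [[0] * SIZE for _ in range(SIZE)]
    bdt = [[[0] * SIZE for _ in range(SIZE)] for _ in range(SIZE)]
    for d0 in range(SIZE):
        for x in range(SIZE):
            d1 = SBOX[x] ^ SBOX[x ^ d0]          # output difference of the pair (DDT condition)
            ddt[d0][d1] += 1
            for n0 in range(SIZE):
                if boomerang_ok(d0, n0, x):
                    bct[d0][n0] += 1
                    bdt[d0][d1][n0] += 1         # BDT = DDT condition AND BCT condition
    return ddt, bct, bdt

def check_relations(ddt, bct, bdt):
    """Conversion properties from the talk: BDT -> DDT for n0 in {0, d1}, and BDT -> BCT by summing over d1."""
    for d0 in range(SIZE):
        for d1 in range(SIZE):
            # n0 = 0 is the ladder switch, n0 = d1 the S-box switch: both reduce to the DDT entry
            if bdt[d0][d1][0] != ddt[d0][d1] or bdt[d0][d1][d1] != ddt[d0][d1]:
                return False
        for n0 in range(SIZE):
            # the BCT ignores d1, so it is the BDT summed over all d1
            if sum(bdt[d0][d1][n0] for d1 in range(SIZE)) != bct[d0][n0]:
                return False
    return True

def incompatible_triples(ddt, bct, bdt):
    """(d0, d1, n0) with non-zero DDT and BCT entries but a zero BDT entry: invisible to the BCT alone."""
    return [(d0, d1, n0) for d0 in range(1, SIZE) for d1 in range(1, SIZE)
            for n0 in range(1, SIZE)
            if ddt[d0][d1] and bct[d0][n0] and not bdt[d0][d1][n0]]

def switch_probability(bdt, d0, d1, n0):
    """Probability that one S-box with fixed d0, d1 and n0 passes the boomerang switch."""
    return bdt[d0][d1][n0] / SIZE
```

For this S-box, DDT(1, 0xD) = 4 and BCT(1, 0x9) = 4 are both non-zero, yet BDT(1, 0xD, 0x9) = 0: the kind of incompatibility the talk says the BCT cannot see.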