 Good morning everyone, thank you so much for your question. In this talk, I will give a low-data and lexical attack on the GMR-2 cyber use in the satellite through Africa. This is after this talk. First, we will give the background of the GMR-2 cyber. And then we will replace the component of the cyber. And then we will give the low-data and lexical attack. And we will show the experiment without. First, let's see the background. Mobile communication systems have revolutionized the way we interact with each other. And in some special environment, we shoot them, use the satellite based mobile phones for example in the data chip. And what is the GMR? GMR stands for the GU Mobile Regulatory. And GU stands for the GU Stationary Reversed Opportunity. There are two major cyber in the standard. GMR-2 and GMR-1 and GMR-2. Both the two cybers are stream cybers. And they are reconstructed recently. GMR-1 is a stream cyber based on AF5-2 of GSM. And it can be totally broken by cyber tech only attack. And GMR-2 cyber adopted some new design strategies. And based on the read the collision techniques, it can be broken by a new plant-ex attack. In this talk, we will focus on GMR-2 stream cybers. And first, we will study the property of each component and present a new case and a determined attack. And we call it dynamically case and determined attack. Compared with the new results, our attack needs only one frame of the data. That's to say only 15 bytes. And the time capacity is 2 to 28, which is larger than the previous one. Let's go to the second section. Each in GMR-2 data is divided into frames. Identified by the frame number with 22 bits. And each new frame is re-engineered in about every 15 bytes. Totally 128 bits. 120 bits. And the parameters of GMR-2 as follows. The key length is 64 bits. And the eigen length is 22. And the key strength in the frame is 120 bits. This is overview of GMR-2 cyber. S0 to S7 is R registers, H registers. Each one is 8 bits. And the input of the cybers are C, G, K, and S0 to S7. F, F, combined 2 bytes of session key with previous output. The error is the stream of the key stream. There is the key stream and P. At each clock, we output the error and feedback T to F. And also update the registers. C is a counter range from 0 to 7. And G can be either 0 or 1. G, G component is linear function. And H contains two S boxes, which is the S2 and S6 in S. Let's see F component. At the error clock, 8 bytes of session key K0 to K7 are input to the cybers. And the counter number C, counter number C, is the reaction from 0 to 7. T is decided by C. If C is all, then T is 1. And if C is even, then T is 0. The lower side output KC with the... First, according to the value of C, we choose some keys to explore P as input to alpha. And T1, T1 maps 4-bit to 3-bit, which selects the upper output. And T2 maps 3-bit to 3-bit, which determine the rotation. This is the expression of the output. If T is little, they output the least significant 4-bit of KC, X0, P. And if T is 1, they output the most significant 4-bit of KC, X0, P. G component is linear transformation. And we will give the expression later. This is the H component. Here, S2 is the second S-box of S. And S6 is the sixth S-box of S. Initialized... We set C and G to 0. And initialize S with frame number N. And 8-byte keys are written to F. And clock the cypher at a time until that output. In the first 8 clocks, we don't output anything. In the generation mode, for each frame number N, further clock the cypher 15 times and output the key stream. In this expression, the N-air becomes the error spike of the key stream generated after relation with the... Let's see some property of F. If P is low, then we can get the value of R, by the most or least significant 4-bit of KC. Since in the attack, we can know... C is known to us and P... P is some key stream, so it can be known to us. Property of H. In some cases, we can invert S1 and S6. For example, give the row index an output. The column index can be uniquely obtained. This property is the same as the index. Property of G is the key point in our attack. The mix between the input and output of G can be expressed by a well-structured matrix. Note that here, we can write the matrix in a graph matrix, just as this one. Values here are all 0. This value selected the row number of the S-box. This value selected the column number of the S-box. These are 0s, and the final matrix has this part to be A, and this part A, this part B. So, we can write the linear system as... Y as this linear system. Besides this one, we can write another linear system. Let KH denote the most significant four bits of K. And KL denotes the least significant bits of K. And U is defined as the four linear significant bits, X for the four most significant bits. Then we can see X2 is equal to KLX of U. Then this equation can be added to the former linear system. There are five equations in this system. The unit attack, W1, W2, V1, V2, U are all known to us. From the system, we can find that given a value of X, we can determine the value of Y. If you give the value of Y, we can determine the value of X. And Y1 selects the following index of the xbox, and Y2 selects the row index. This equation is essential in our class. Besides, we find that some output, some bit of output only related to some, to only a part of into the bits. For example, the four bits, these four bits, only related to KC, X, or P. So in the attack, we can to determine the value of, to determine the value in here, we can only guess the value of KC, X, or P. It has no relation with these values. Now, we will give the load data from the last attack. In the traditional guess and determine attack, the guess and determine part of the internal state are known. In Korea, before applying the attack, for example, if we guess the value of K1, we can determine the value of K2, or K3. However, in our attack, which we call dynamical, guess and determine, we will dynamically guess and determine. For example, if we guess K1, in some case, we will determine K2, and in some case, we will determine K3. In some other, maybe we could modify it for anything. Let's see how these three components interact with each other. Since P and S0 must be known to us, we can analyze the cyber at the C plus H slot. In the key-stream generation phase, this is the RU1. If C is the odd number and a given value, for KH, K is the most significant 4-bit of K. If C equals to 1 alpha, then using the theory of linear consistent testing, we can determine KL together with the value of B, N, and C plus H. This is to say, if we guess 4-bit of K, we will determine another 4-bit of K. It is similar with RU1. If we guess K2, 1 alpha, and KH, then we will determine KL. If we guess only 4-bit of K, and we will determine another 4-bit of K, then RU3 can be shown from this equation. Given a guess the value of KC, if 2, 1 alpha is not equal to C, then K2, 1 alpha can be determined by key-streams. From this rule, we can see that if we guess 8-bit of K, we will determine another 8-bit of K. This is the last rule in our time. Given the guess value for KC and K2, 1 alpha, we can determine whether these guess values are RU or right. This is because if KC and K2 are unknown, that is to say the input here. According to the process of our example, we can check whether the output is this value or not. If these values are not equal, the guess value must be wrong. The attack procedure follows. First we capture a frame of key-stream. Altogether they are 15 bucks. Then we can apply the guess and the measurement attack on 8 to the 14th clock. The first 8-bit of V is used to update the registers. First we define an indexed gamma and initialize with gamma with an empty set. The numbers in gamma are the same as the index for the session key. For example, if we have no K0, then 0 is the element in gamma. Then analyze the cycle to the C plus 8th clock sequential. The process is a little boring. I think if someone is interested in this, you can see the full version in our paper. Let's see the complexity analysis. Data of our attack is only 15 bytes. The first bytes are used for verification and the last 7 bytes are used for guessing and determining. First we use the last 7 bytes for guessing and determining. Then we will get some possible value for K. We use the first 8 bytes to verify if these guessed values are right or wrong. The time complexity is as follows, just as we analyzed before. When guessing 8 bits, we will determine 8 bits. If we guess 4 bits, we will determine 4 bits. In this attack, we will get at most 32 bits of the session key. To estimate the complexity exactly, it is very difficult. We show this by an experiment result. In about 2 to 28 exhaustive search, let's see the experiment result. This is our result. We do the experiment 1000 times. We can see that the exhaustive bit is about 28. Most of them are here and only a little to 29. The experiment is done in a non-optimized realization. I think the result can be done better if we adopt some optimizers. The session keys can be recovered in about 700 seconds on average. Totally 580 seconds for using the candidate. In this phase, we should solve the equation. The time is more than in the second phase. In about 120 seconds for exhaustive search, we perform a separate analysis of the GMR2 cyber. We propose the dynamic S and the determinant structure. The design of GMR2 cyber is far from the standard watches 3 cyber. I think we should be careful when you do the setup. Thank you. We have questions for you. You will choose the daily complexity from 5 to 6 frames to 1 frame. Do we have some practical scenario in mind? This is good to have, but this is important. With 1 frame, can you do a practical attack that could not do the 5 or 6 frames? In the practical attack, maybe we could not get so much data. Any other question? Not that. Thank you.