I will give a brief background about authenticated encryption and the specification of the ELmD algorithm. As we all know, in cryptography encryption provides confidentiality, and due to other needs, other notions have appeared, like message authentication, which provides data origin authentication. And in many applications, with encryption, most of the time we also need message authentication. We cannot think of them separately. Here, on one hand we have encryption, which provides confidentiality; on the other hand we have message authentication, which provides authenticity. And in the middle we need an algorithm which achieves both confidentiality and authenticity. Authenticated encryption schemes were proposed, but many of them have security flaws and maybe implementation flaws. Because of this, the crypto community came together to announce the CAESAR competition, which is short for Competition for Authenticated Encryption: Security, Applicability and Robustness. The aim is to identify a portfolio of authenticated ciphers that offer advantages over AES-GCM, the authenticated mode of AES, and are suitable for widespread adoption. Now the competition is in the third round, and the announcement of the winner will be in 2017, expected next year. Submissions are categorized according to the base algorithm: block cipher, stream cipher and others, and our target cipher is block cipher based. ELmD was proposed by Datta and Nandi for the CAESAR competition; now it's a third-round CAESAR candidate. Its processing method is the Encrypt-Linear-mix-Decrypt (EMD) paradigm. It also processes associated data. It is online, which means that a ciphertext block depends only on the previous plaintext blocks, and it is parallelizable. In order to mix the branches in the algorithm, the rho function is defined. It takes two inputs X and T and outputs Y and T'. Y is equal to X XOR 3T.
T is updated to T' = X XOR 2T, and the multiplication here is done in a Galois field. Now the padding rules: let the message have l blocks, and the last block can be incomplete. In the submitted version, if the last block is incomplete there is 10* padding; otherwise we keep it. And there is an extra message block, M_{l+1}, which is for tag generation; it is the XOR of all previous message blocks. But later they provided a modified version in order to increase the security. Here, they added all previous messages to the padded l-th block, and M_{l+1} will again be the l-th block. Okay. Parameters of ELmD. As I said, it's block-cipher based, and AES-128 is used with either six or ten rounds. Also, there is a provision for intermediate tags in order to speed up the encryption and verification. Also, there is an internal mask parameter L, which is secret in the algorithm. It is generated by encryption of zero: if it is ten rounds, it's just one encryption; if it is six-round AES, it is encrypted twice. In order to generate the initial value for the encryption and decryption algorithms, the associated data is processed. The first associated data block is the public number, which is unique for each encryption, so the first associated data block always exists. And the others will be D1 up to Dd. And again there will be padding if it is incomplete. The processing is here. There is a zero at the beginning, and the zero is masked with 3L; L is the internal mask we generated before. This is AES with six rounds or ten rounds, depending on the choice. And the output is mixed with the rho function. And this continues until all the associated data is finished, in order to generate the initial value. Here there is one difference: if the last block is incomplete, the masking rule changes. This is important in our attacks. Encryption function. This is, in fact, the encryption itself. This will be IV.
And the message will be M1, M2, up to Ml. This is the padded message. The first message block is masked and encrypted, and the resulting value is mixed with the rho function. And then there is decryption here, decryption with six or ten rounds of AES; it's either 6-6 or 10-10. And there is masking again in order to generate the ciphertext. It is the same until the last block. For the last block, there is a one-bit difference here. Also, the same as with the associated data: if the last block is incomplete, M_l*, the masking rule is different in the last two blocks. The other blocks are the same. For decryption, first the IV is generated in the same way, and the encryption function is reversed in order to generate the messages. But the plaintexts are released only if the last two plaintext blocks are equal; otherwise nothing is released. For the security claims, the authors claim that for confidentiality and integrity there is 62-bit security. But for key recovery attacks, without providing any proof, they said that the algorithm has 128-bit security. And we disprove this claim by providing a successful attack on ELmD-661, only one version. First, we need to recover the internal state L. Let me remind you, L was generated either by encrypting zero twice, or by encrypting zero once if it is ten rounds. As we see from the algorithm, it is used to mask associated data, plaintexts and ciphertexts. By making a collision search on ciphertexts, we can deduce this internal state L. And this L helps to make forgery and key recovery attacks on the cipher. We use the different masking, I mean the rule that the masking is different if the associated data has a different length. Here we get, for a fixed D0, two sets of messages, (alpha, M) and (beta, M); alpha and beta are the associated data here, M is the message, and we have the same message in both. And alpha is an incomplete block and beta is a complete block. So there are differences in the masking here.
We search for a collision on the first ciphertext blocks. If we have a collision, we go back and we see that these messages are equal; we have a collision here, so the IVs are equal. Since the D0 are chosen to be the same, we have the same internal value here. So everything is equal up to here. So this equality means that the masked values of the associated data are equal. So we have this equality. Since we know D1 and D1', and we don't know L, we can compute L here, with birthday complexity. Now that we know L, there are several forgery attacks we can make, but I will just give one example. First, assume that we have a target message. We want to find its ciphertext and tag. It has D0 and D, and this D can be any length, and the message M. First we query associated data D0 and we query a message; after masking, their values are equal. I mean, the encryption of this masked D0 and the encryption of the masked message are equal. So here we have IV, and we have another, the same value, here. After the rho function we have 2IV here. So what we have, due to the structure of the algorithm, is that the encryption of this masked ciphertext is equal to 2IV. So what are we going to do with this? We can make the internal state here zero by choosing this ciphertext as associated data. So we have IV here, zero comes here, 2IV, and we have zero. And if we choose D2 as D0, and these are the arranged masking values, so if you don't think of the masks, these D2 are equal and we have the same IV here. So if we query the oracle with different associated data, with D and the message M, we will get the ciphertext and tag, which is also valid for this target message. Also, we exploit two types of plaintext pairs for AES. In the algorithm we can generate mu-multiplicative pairs for AES.
This is: for any plaintext and for any constant mu in the Galois field, we can find another plaintext P2 whose encryption is mu times the encryption of P1. We can generate this from the algorithm. Also we can have one-difference pairs, which means that we can have two plaintexts whose encryptions differ in the least significant bit. And by using these two, in the algorithm we can query any ciphertext to the decryption mode of the AES cipher; in fact we can find any plaintext given a ciphertext. First we find 2-multiplicative pairs, which means that for any plaintext R1, we find another plaintext satisfying this property. Here again, as in the forgery attack, we use this plaintext whose encryption is 2IV. Then we again use this to make the IV to the encryption function zero. So we take two messages whose masked values are the same: here the same encryption of R1, the same encryption of R1, so we have two times the encryption of R1. So if we go backward, this masked ciphertext, we call it R2, and the encryption of R2 is two times the encryption of R1. And by using this pair, we can also make it for any constant. Assume that we have a pair P1 and R2; they are 2-multiplicative. And we have a 190-block encryption and each plaintext, now since we know L, I will just start from after the mask, in order not to be confused. We have mu_1, and P1 or R2 in every block. Here this means that if we have P1, this is the encryption of P1; if we have R2, this is two times the encryption of P1. And here there will be mu_1 times the encryption of P1, here mu_2 times the encryption of P1. And due to the rho function, we have 2 mu_1 times the encryption of P1, mu_2 times the encryption of P1. Until here we have mu_2 times the encryption of P1. In the last block we choose the message P1. And here we have the encryption of P2, which is the masked ciphertext, which will be mu_2 times the encryption of P1. So here we can generate this. We have these pairs.
Also we can generate a one-difference pair. As I said before, their encryptions differ in the least significant bit. Assume that we have two 2-multiplicative pairs. One is used here; you can use the same one as well. One is to make IV zero. And the other will be for the messages: B, we have 2B, and 2B makes this zero. So the last message, this is the tag generation phase, will be the encryption of P1 and P2. This is M3. And the encryption, we say it's R1. The encryption of R1 comes here due to this zero. And the encryption of R2, this is the masked ciphertext, will differ in the least significant bit. So we can also find it here. Now, how can we query the encryption oracle of AES inside ELmD? First we take a pair; we get a pair whose encryptions differ in one bit. And we obtain a plaintext R3 for R1 satisfying this property, because this is mu. And for every R1 we can find such a plaintext. So we query the oracle by choosing associated data making IV zero; we can do this, we did it before. And for the first message we have R3, and for the second message we have R2. Here we have the encryption of R3. Since this is zero, this comes here. And there will be the encryption of R2. And after the rho function we have 3 times the encryption of R3 and the encryption of R1, which, due to this equality, is the encryption of R1. And we know that their XOR is one. So we have a plaintext, since there is an inverse, we have a plaintext whose encryption is one. So by again using mu-multiplicative pairs, by picking the ciphertext mu, we can find a plaintext whose encryption is mu. So in this way we can query the decryption oracle of AES. And the complexity is that of generating mu-multiplicative pairs, which is around 2^8 AES operations. So now we have chosen-plaintext and chosen-ciphertext queries.
So we can make an attack on six-round AES. We chose two attacks: one is the partial-sum attack and the other one is just the meet-in-the-middle attack. In the partial-sum attack the time complexity is 2^44 and the data complexity is 34. But the total time complexity will be dominated by finding the internal state L, which is a collision search. So this is around 2^65, this key recovery attack on ELmD. But this attack was chosen-plaintext; we have chosen-ciphertext, but it's not hard to adapt the attack to chosen ciphertext because of the AES structure. We also proposed a meet-in-the-middle attack with less data complexity but a bit bigger time complexity; the total complexity is around 2^66. As far as we know, there is only one analysis of ELmD, which was proposed by Zhang and Wu, in terms of both authenticity and privacy. For authenticity they provide successful forgeries, but for privacy they attack a reduced version of ELmD; in fact they use four-round AES inside the cipher, and they consider L as the encryption of zero with four rounds. But the complexity of the attack is 2^123, which is huge. But if you consider this, you can make a meet-in-the-middle attack to find the key, so you don't need to [inaudible] this. Also this 4-4 is not in the proposal of ELmD. So to conclude, our attack was the first cryptanalysis of full-round ELmD, and we disproved the security claim such that we reduced the security of one version, the 6-6 version of ELmD, from 128 to 65 bits. And we are expecting that they should remove this version from the proposal. Thank you for your attention. Any questions?

Audience: [partly inaudible] In the second round ... it is now COLM. So what do you see in the security of COLM?

Speaker: Yeah, in fact COLM is a mix of ELmD and COPA.
Here, in this attack, we in fact exploit the structure of the encrypt-then-decrypt case. But for COLM there is encrypt-then-encrypt. Also they consider AES with only ten rounds, so this attack does not apply.
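The rho mixing function described in the talk, written out as an added example (this is not code from the talk or from the ELmD designers): Y = X XOR 3T, T' = X XOR 2T, with 2 and 3 as constants of GF(2^128). The reduction polynomial x^128 + x^7 + x^2 + x + 1 is an assumption, as is the chaining helper `mix_chain`; the inverse shows why the mixing layer is invertible, and the checks in the comments are the identities the talk relies on (t = 0 passes the input through, input equal to the chaining value gives 2IV).

```python
# Added example, not code from the talk or from the ELmD designers: the ELmD
# mixing function rho over GF(2^128), Y = X xor 3T, T' = X xor 2T, and its
# inverse. Assumption: the field is GF(2)[x]/(x^128 + x^7 + x^2 + x + 1), the
# reduction polynomial commonly used for 128-bit doubling.

MASK128 = (1 << 128) - 1
REDUCTION = 0x87  # low bits of x^128 + x^7 + x^2 + x + 1 (assumed polynomial)


def gf_double(a: int) -> int:
    """Multiply a 128-bit field element by x (the constant '2')."""
    doubled = (a << 1) & MASK128
    if a >> 127:  # the top bit fell off: reduce modulo the field polynomial
        doubled ^= REDUCTION
    return doubled


def gf_triple(a: int) -> int:
    """Multiply by x + 1 (the constant '3'): 3T = 2T xor T."""
    return gf_double(a) ^ a


def rho(x: int, t: int) -> tuple[int, int]:
    """One mixing step: returns (Y, T') with Y = X xor 3T and T' = X xor 2T.
    With t == 0 the block passes through unchanged (Y == T' == X); with
    x == t the output is 2t, which is the '2IV' value used in the forgery."""
    return x ^ gf_triple(t), x ^ gf_double(t)


def rho_inverse(y: int, t_next: int) -> tuple[int, int]:
    """Recover (X, T) from rho's outputs: Y xor T' = 3T xor 2T = T, so
    T is exposed directly, and then X = Y xor 3T."""
    t = y ^ t_next
    return y ^ gf_triple(t), t


def mix_chain(block_values: list[int], t0: int = 0) -> tuple[list[int], int]:
    """Hypothetical helper: chain rho over consecutive block values (the
    outputs of the encrypt layer) starting from chaining value t0.
    Returns the list of Y values and the final chaining value T."""
    ys, t = [], t0
    for x in block_values:
        y, t = rho(x, t)
        ys.append(y)
    return ys, t
```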