 The title of the next paper is Crypton Isis of VDR, the deosas is a gated woman from the University of Kasselink, VDR. So I'm going to talk about Crypton Isis of YDR. So first, a bit of introduction, I'm going to talk about wide web ciphers. So if you want to use a blog site for an application, most blog sites are available at a block size of 128 bits. Sometimes even smaller for lightweight designs. But maybe you need a larger blog site, maybe because you have a lot of data from a single key and when you reach the square root of your blog site, you start to have problems. Maybe you want a large blog site because you want just some kind of crazy high security and you want a really, really large key. Or maybe a better reason is if you want to design a hash function when you need a really large size because you have, again, a square root problem. So if you look at what's available for wide blog ciphers, you have a few options. So if you want something that's close to a standard, you can just rindle with larger blog sites. So it's not standardized as AES, but it's almost the same, so it's probably good. You can look at some designs used for hash functions design. For instance, Freakish is using the Shafiq Analytics game. It's probably quite good. And another option is to look at specific design, for instance, wide end. That's the one we're going to talk about. So what is wide end? It's a wide blog cipher-based idea. It's been designed by Shino on 950 and presented at FSC four years ago. The main motivation, again, is to build a hash function. But it's still presented as a blog site. So first, let's look at idea. So idea is a blog cipher designed by Lagan in the same 1991. So it's a pretty old design, more than 20 years old. And it's still mostly unbridled. There are some weakly problems, but no real break of idea. So idea is based on this kind of structure. So it's called the line assay structure. It's similar to a five-star design, but kind of different. And you have basically four registers, which are all 16 bits. So that makes a 64-bit block. And then you have this kind of structure. When you first XOR values two by two, you get some inputs. And then you have this lot of computation where you have additions and multiplications. And then the output is, again, XOR somewhere in the output. So you have eight and a half rounds of this. And an important feature is that you mix different operations, which are defined by other various algebraic structures. So they're supposed to be more or less incompatible. You have additions. What are additions? You have a bitwise XOR. And you have a multiplication, multiplicity of 16 plus 1. So this is idea. So what does w-idea look like? Basically, what you do is you have several copies of idea in parallel. So you have w copies here. So this is the first one. Then you have one behind this picture. You have those w copies. And you make them interact. So, of course, if they are completely independent, it's not going to be very good. So you have this M here as an MDS matrix. So it's used to diffuse the values from one idea instance to the other ones. There are mostly two designs, w-idea 4 and w-idea 8, which is a 256-bit block stacker and a 54-bit block stacker. As you look at the computation, it's quite efficient because you can do this using vector instructions, SSC instructions. You can do all the ideas in the same time. Then it's very fast. So that's the design of a w-idea. And the main reason why this was so proposed is that it's kind of expected that it will be about as good as idea because it follows the same kind of philosophies. You still have full diffusion after only one round. And you're still mixing incompatible operations. So now you have one more operation because the MDS matrix is defined over a finite field. So you also have the finite field operation. But it's still a new algebraic structure. So it's still expected to have lots of weird interactions between those structures. It should be very good. If you look at previous analysis, there are two very recent papers looking at w-idea. What they do basically is look at classes of w-keys. So it's known that for the original idea, there are w-keys problems. And for this w-idea, the key schedule has been modified. It was expected that there wouldn't be this issue. But it turns out that there is still a problem with w-keys. And this can be extended to a conditional attack if you turn w-idea into a hash function when you can break the compression function using this. So that's the steps of w-idea. So there are a few problems with w-keys, but more or less so far it seems good. So now I'm going to present our new attack on w-idea. And it's based on truncating differential. So what does it mean? It brings you something like a differential attack. So we look at a pair of plaintexts. And what we try to do is keep a single slice active. So a single idea instance. And we want the difference to not spread to the other one. Because if we can do this, then we just have one idea to look at. It's going to be a lot easier. Of course, the design is supposed to prevent this. So how is it going to work? So if you look at w-idea and you have one active input slice here, so the red values are active. Obviously the first slice is active and the one in the back is very active initially. So everything here will be active. And then you get to these MGS metrics. And MGS metrics will be active because the input is active. And then all the outputs become active because it's MGS. And then all the lines are active and then you get differences everywhere. So it's not very good. Because the input here is active. So now, would it be possible that the input is not active? Of course yes, it's possible. If we set differences here, what we have some probability of this difference is zero here. And it's a 16-bit value, so it's only probability of 2 to the minus 16. So it's not even very expensive to get this not to be active. The reason here is that this diffusion with the MGS metrics, it takes a relatively small input. It's only 16-bit of input. So we can't just kill it. We can just assume that this difference will be zero. But when this happens, the MGS metrics is inactive. And then you don't get any diffusions and you stay with a single active size. So that's how we get this truncated differential here. So if we just go through one round of WIDA, the probability is 2 to the minus 16. So we just want to kill one 16-bit value. If we go through the full WIDA, we have 8 times this MGS metrics. So we just pay a probability of 2 to the minus 28. So it's a low probability, but it's not very low. It's actually quite good for large black cybers like that. So that's really the main problem of the design. The input to the MGS metrics is very small, so we can just kill it. Now how do we use this to get an attack? So we have this truncated trait from the full version. And now what we're going to use is what we call the structure of the index. It's a nice trick in order to get the complexity down. So what we do is we take a set of indexes and we use all the possible values for one 16-bit block. So one idea instance would take all possible values for plaintext, and the rest here is fixed to some constants. This defines a set of 2 to the 64 plaintext. When you take any two plaintexts in this set, any pair will give you a candidate for the fragmented differential because all those values here will be inactive. They're the same constants. And here you will have some difference, which is it goes for values. So with only 2 to the 64 plaintexts, you have 2 to the 127 candidates. And then if you do it twice, you expect that you will have one good pair for the full W idea. So basically what you get is a distinguishable complexity to the 65. So that's a pretty strong distinguishable. And because the probability is pretty high, you have some very strong filtering that you will not have any wrong comparison. You don't have to care about this. You can pretty safely assume that it's following the trend. So that's a distinguisher. So we have this derivation distinguishable W idea. Now, can we do something more than this? Of course, what we want to do when we type in WebCypher is a cubic color. But we extend this to a cubic color. Well, actually, yes, we'll be able to do this. And the way we do this is we try to extract information directly from the right here from the differential. We're not going to use partial decryption because this will increase the complexity. So we just take the right pair and then extract the information from that. So how do we do this? We're going to look at how the values are connected inside the Cypher. And we know that if a pair is following the trend, then the input to the NDS matrix is inactive. So we can just express it. So we call this value D, the input of the NDS matrix. It can be expressed as this value in terms of the plaintext value. And what we know is, as soon as we have this D value is equal to D prime. And this gives us some filtering on the key involved in this expression. So we have five keywords involved here. So we will get a filtering of those five keywords. So if you do a simple analysis to expect that if you have five right pairs, you will get a single key candidate. But when we perform some experiments, we've implemented the attack and it turns out that you need actually a little bit more. So we're going to do about eight pairs. So it's a very small increase in complexity. The problem we notice when implementing is that there's one bit of a key that we cannot recover. So the most significant bit of that one, which is here, has a completely linear effect on D. So it will have the same effect on D and on D prime. So when you want D to be equal to D prime, this bit doesn't affect it. So you're not going to recover it. But that's just one bit. So it's not a very big issue. So that's the main idea. We have some filtering on those five keywords. I'm going to do a column here from right. So this filtering, if we look more precisely, it looks like this where this expression for D is expression for D prime. Now, we'd like to do this filtering efficiently. So what we do is we write this a little bit and we take this term, we put it to the right side and this term to the left side and we get this new equation. And this form is much nicer because now you can see that the same here. On the right hand side, you only have Z1, Z2. And when you do this, you can use a kind of method in the middle technique. Now, we're going to compute this F function for all possible choices of Z0, Z2, Z4. This G function for all possible choices of Z1, Z3. We will get two large tables for all your debates and then we just look for matches in the table. And we know that the right key will be one of those matches. And when we do this, the complexity is only 2 to the 48 and 2 to go over 3 different keywords. So we will get a very efficient key recovery at the already. So far, I'm only looking at one slice of ideas so we're only going to recover the key in one slice. But of course we can do the same in each slice. So we use 4 different trays like this and each tray will have one active slice and we will recover the key of a different slice. So we do it 4 times or 8 times so perhaps I feel we are taking and we can just do them one by one and recover the corresponding key one by one and when we do it the total complexity will be 2 types to the 48 and we get the keys in those instances for the first round. Now let's move to the second round. So we can now assume that we know the full key for the first round there are just a few missing bits like I said earlier but we're just going to guess that so it's not a problem. Now we can go up to the MDS metrics and now we know the full input of these MDS metrics. So we can just compute the effect of the metrics just compute the output and then we can go back to a single active slice. For the first round we do the slices one by one then we get the full input of the MDS compute the output and now we can again look at the slices one by one. So when we look the first slice again here there is one key Z5 that we don't know yet so again we guess it and when we guess this one it's here after one round and then we can just attack the second round and we know the full input of the second round and we can just use the same attack as earlier. So now complexity will be 2 to the 64 because we have one more key to guess. So we can write the full up over again it's relatively simple so for the first round we just have to iterate over K1, K3 then the keys will be 2 to K4 we build two tables, we look for matches then we go to the second round with a few more loops because we have to guess the missing bits then we have to guess K5 and then we do the same kind of algorithm. So in the end we get the full keys for the first two rounds then we look at the key derivation we know that the master key is just the 10 meters keys, we can get it and then we have the full key and we have a full key recovery. So if we do a more accurate complexity analysis we can actually reduce the complexity a little bit what I explained so far will give you this complexity 10 times 2 to 64 plus W we can reduce it a little bit and actually what turns out is that the bottleneck is just finding the right pairs so it's the first step we have to find pairs which follow the track then the actual complexity of extracting the key from both pairs will be smaller than finding the pairs So how do we find the pairs? The simplest way is just to build the big cash table we put all the pairs in then we just look for collisions basically this is nice and efficient this gives you a very small time complexity the problem is you need a very large memory and you're going to need this in random access memory because we make this in random accesses and so this time complexity is almost practical but memory of 2 to 64 is not really practical that's the end of the problem so we can look at other options for this step another simple option is instead of putting this in the hash table we just store it on this this will be probably more practical because a disk of a hard drive of size 2 to 64 is probably easier it's not yet possible to get one we'll probably get one before we can get a RAM memory of this size another option is to use some kind of time memory trade basically this is a condition search so there are very good time memory trade that you can use for this then you get this kind of trade off if you reduce the memory by faculty you're talking about the time going back to you so the basic message is that this attack is almost practical so it makes sense to look at how you would implement a really good thing so that's the retrieve recovery attack it's a very nice complexity and we can also look at other applications of the truncating trade we're going to look at hash collisions because like I said earlier WIDA was designed mostly to build a hash function so how do you build a hash function? well, you use Davis layer so this means that the previous chaining value is used on the plaintext then you repeat it and you XOR the plaintext on the side and the message is used so if you want to use our truncated differential trade you want to add just a single instance active so we need to have two chaining values which are almost colliding so we need a 448 bit collision so this would be a bit expensive but it's still cheaper than making a full collision so it's good we can assume that we have one such pair of chaining values when we get this what we can do is just take a random message block and compute the output of the black-cylinder and with some probability this random message block when you take voice two chaining values this is going to follow the path and then you get the same pattern so this probability is 2-28 so you have to pay this and then when you go for a feed forward you have this difference and this difference so with some probability they're going to cancel out again and then you have to pay 2-2-64 for this to be expensive but it's still cheaper than a full collision attack what you get is a very very simple collision algorithm so the first thing is to find a collision in 448 bits and then you just iterate in front of the messages so it's very very nice and simple collision pattern what's really funny is that it's completely independent of the message extension collision attack and hash function you don't even look at the message extension on the block-cylinder so that's a bit surprising and you can easily extend it if you want to use a chosen prefix if you want to use meaningful messages that's very easy to conclude my talk what we did in this work was look at complicated differential trace for a WIDA and it turns out that we can add very very efficient complicated trace because the diffusion across the instances, in case it's NTS matrix the problem is that the input of the SES matrix is just too small just that 16-bit input of the diffusion that's not just too small you can easily give it now thanks to this we get two different attacks the first one, the key recovery which is actually a very strong key recovery because the 70 is a 71 for block-cylinder which is supposed to have a security of 512 or even to the 1024 and the second application is hash collisions and we get four collisions in the hash functions for a person of 2 to the 24 instead of 2 to the 26 so thank you for your attention