Hello, I'm going to talk about our work entitled New Conditional Cube Attack on Keccak Keyed Modes. I'm Zheng Li. This is a joint work with Xiaoyang Dong, Wenquan Bi, Keting Jia, Xiaoyun Wang, and Willi Meier. There are three parts. At first, I will introduce Keccak keyed modes and their cryptanalysis results. Then comes related works. At last, I will introduce our works.

Keccak is the original design of SHA-3. It is in the sponge construction. Sponge construction absorbs key and message after the Keccak internal permutation. Then it squeezes the output, like tag and ciphertext. Keccak keyed modes include KMAC and so on. Keccak internal permutation is exactly Keccak-p permutation. The states can be represented in a three-dimension state. In one state, there are several slices. The 1600-bit state has 64 slices, and each slice includes 5 bits multiplied by 5 bits. There are several rounds. Each round is the same. The round function has 5 operations. χ operation is the unique nonlinear operation. We can see only the neighboring bits multiply with each other.

Here are cryptanalysis results of Keccak keyed modes. We have reduced the time complexity of the same round attack. For Ketje Sr, we have reduced the time complexity of 7 rounds attack from 2 to the 90 to 2 to the 70.

Then related works, cube attack. The encryption can be represented in a polynomial f. In f, there are public variables and secret variables. The key bits are the secret variables. Among the public variables, we select s of them. So T is the product of the s variables. f can be represented as T multiplied with superpoly P plus Q, so in Q there is no monomial that can be divisible by T. So we compute the cube sum. The cube sum of f equals superpoly P.

Conditional cube attack. They introduce bit conditions to conditional cube variables, so their propagation is controlled. There are two types of cube variables. For the conditional ones, in the first round, their propagation can be controlled by some conditions.
After the second round, they do not multiply with each other. For ordinary ones, after the first round, they do not multiply with each other. After the second round, they do not multiply with any conditional cube variable. Here is a simplified theorem. For N plus 1 plus 2 round Keccak sponge function, if there is one conditional cube variable and kill ordinary ones, so the product of them, the term will not appear in the output polynomial of Keccak sponge function.

To search for cube variables, MILP method is used. Well, for θ operation, we can see each bit as the sum of two columns. When the parity of a column remains constant, the variables in the column do not propagate through θ operation. It is also called CP-kernel property. According to the constraints, to satisfy the values in this table, MILP method is used to search for cube variables with the least key bit conditions. As we know, once the dimension of cube variables is determined, the least key bit conditions can be represented as the lowest time complexity.

And last, I will introduce our works. Here is a summary of conditional cube attacks on Keccak-MAC-512. In this figure, the red two lanes mean key bits, the blue bits are the padding bits, so the last white ones are free to be selected as cube variables. With different methods, different rounds can be detected. A greedy algorithm can reach five-round attack. MILP methods can reach six rounds. By the previous methods, there are not enough ordinary cube variables to perform seven attacks. In our attack, we have applied new techniques so we can reach seven-round attacks.

On Keccak-MAC-512, let's introduce the model of key-recovery attack. As new bit conditions are introduced, the conditions are related to key bits. As in the previous method, in the first round, all the variables do not multiply with each other. And then if the conditions are satisfied, in the output of the second round, there is no v0vi.
If the key bits in the bit conditions are guessed correctly, then the 64-dimension product will not appear. If the key bits are guessed wrong, the output degree will reach 64.

In our model, in the first round v0v1 is the unique quadratic term. This is different from the previous one. So in the following, we will control the diffusion of the quadratic term v0v1. If the conditions are satisfied, v0v1 will not multiply with others. In the output of the second round, there is no cubic term. After the seventh round, if the key bits in the conditions are guessed right, the output degree will not reach 65. If the key bits are wrong, the output degree will reach 65. And v0v1 is the kernel quadratic term.

Let's explain the kernel meaning. The generation of kernel quadratic term is in χ operation of the first round. We can see the black bits mean v0, the gray bits mean v1. The bits with black slashes mean v0v1, the product. We can see v0v1 are in the same column. It is exactly the input of θ operation in the second round. So kernel quadratic term is that in one column, according to CP-kernel property, they will not diffuse.

Here is a comparison of diffusion patterns. On the left side, we can see the diffusion of the conditional cube variable v0. The diffusion is like two bits in the input, two bits in the output of the first round, and 22 bits after θ operation in the second round. On the right side, in the input, black ones mean v0, gray ones mean v1. In the output of the first round, the two bits mean v0v1, the product. As they satisfy the CP-kernel property, after θ operation in the second round, there are still two bits containing v0v1. So the pattern is six bits in the input, two bits in the output of the first round, and two bits in the output of θ operation in the second round.
We also use the MILP method to search the variables. The white parts are the free spaces for us to search for cube variables. The objective function is to minimize the sum of weight. It is to get cube variables with the least key bit conditions. To get independent cube variables, so f and e should be manners by MILP's solution of the problem. The minimum of objective function is one. It means the number of bit conditions related to key is one.

Key-recovery attack on seven-round Keccak-MAC-512. If the key bits are guessed correctly, the product disappears. So the cube sums over the 65-dimension cube are zero. If the key bits are guessed wrong, the product appears. Cube sums are non-zero. Thus, if cube sums of the output of seven rounds over the 65-dimension cube are zero, the key guess is conjectured to be right. If the cube sums are non-zero, the key guess is wrong.

We compute the time complexity. So the 128 key bits are in two halves. The first 62 bits are recovered by the cube testers in order. And the last 64 bits are traversed to be recovered. So the whole time complexity is 2 to the 72.

There are also other applications like seven-round attack on Ketje Sr version 1 and version 2, and nine-round attack on KMAC256. About the practical attacks: six rounds on Ketje Sr version 1 and version 2 can be attacked. They are practical. The source code is online. That's all. Thank you for your attention.
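
The cube-sum key test described in the talk, as an added example that is not part of the talk or the authors' code. It uses the real χ row map, but the two-round function `toy_two_rounds`, its bit shuffle and the variable placement are constructed for illustration and are not Keccak.

```python
from itertools import product

def chi_row(a):
    """Keccak chi on one 5-bit row: a[i] ^= (~a[i+1]) & a[i+2]."""
    return [a[i] ^ ((a[(i + 1) % 5] ^ 1) & a[(i + 2) % 5]) for i in range(5)]

def toy_two_rounds(key_bit, m, v0, u):
    """Constructed 2-round toy (assumption, not Keccak): chi, bit shuffle, chi.

    v0 is the conditional cube variable, u an ordinary one, m a public bit.
    The bit condition is key_bit ^ m == 0.
    """
    a = [0, v0, key_bit ^ m, 0, u]      # v0 sits next to the condition bit
    b = chi_row(a)                      # b[0] = (v0^1)(k^m): v0 spreads only if k != m
    e = [b[3], b[0], b[2], b[1], b[4]]  # toy linear layer: b[0] now neighbours a bit holding u
    return chi_row(e)[0]                # single observed output bit

def cube_sum(oracle, dim):
    """XOR the oracle output over all 2^dim assignments of the cube variables."""
    acc = 0
    for bits in product((0, 1), repeat=dim):
        acc ^= oracle(*bits)
    return acc

def recover_key(key):
    """Recover key bits in order: the guess m with a zero cube sum is right."""
    recovered = []
    for k in key:  # k stays hidden inside the oracle; only outputs are used
        zero = [m for m in (0, 1)
                if cube_sum(lambda v0, u: toy_two_rounds(k, m, v0, u), 2) == 0]
        recovered.append(zero[0])
    return recovered

if __name__ == "__main__":
    secret = [1, 0, 1, 1]               # constructed sample key
    print(recover_key(secret))
```

When the guess is right the product v0·u never forms, so the 2-dimension cube sum is zero; a wrong guess leaves v0·u in the output bit and the cube sum is one.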