Thanks for the introduction and thanks for still being here. So this is joint work with Anne Canteaut, and we're investigating the propagation of linear relations through an S-box. And we provide a new measure for a vectorial function in order to better understand such type of relations.

I will start this talk by giving you an introduction in order to explain what type of properties we're going to look for. Then we introduce the main notion of our paper; we have called this notion (v,w)-linearity, that is, the new measure of linearity for an S-box. And then we will apply this notion to the analysis of 4-bit S-boxes, because these are used in many designs. And finally we will show how this notion can be applied to explain a second-preimage attack that was applied to Hamsi in 2010.

So in this paper we're interested in iterated constructions where the round function is a simple substitution-permutation network and whose nonlinear layer is based on small S-boxes. So ideally, when we iterate the round function several times, after several rounds normally all output bits should be expressed in a nonlinear way in all of the input bits. However, in some attacks it was found that this was not the case. More precisely, it can still happen that some output bits can be expressed as affine functions of some input bits when the rest of the input bits are fixed to some constant value.

So this is of course a weakness for the function, and what quantifies this weakness is the size of the input and the output sets. This is because if we have large sets of input and output bits with such a property, then we will be able to find many affine relations, and these affine relations can probably lead to building a linear system, and its solution can, for example, give a cryptanalysis. This is exactly what was applied in an attack against the hash function Hamsi in 2010, and such type of properties are also used in cube attacks or some derivatives of cube attacks.
So we show next that the number of affine relations that we can find depends on a new linearity measure of the S-box, and we will call this measure (v,w)-linearity. Before introducing the definition of (v,w)-linearity, I will start with an example.

So here you can see the algebraic normal form of the Hamsi S-box. This is just a typical 4-bit S-box, and it's one of the S-boxes used in the cipher Serpent. So you can see it has algebraic degree 3, and all the output bits are expressed in a nonlinear way in the input variables.

Let's see now what happens if we fix all but one variable to some constant value; so here we fix x1, x2, x3 and keep x0. So of course in this case all of the output bits are just affine functions of the only variable that we have.

Let's now see what will happen if we fix, for example, two variables to a constant value; so here we fix x1, x2, we keep x0, x3. So here we see that y1 and y2, these two coordinates, are nonlinear in the input set because we have some terms of degree 2; however, we still have y0 and y3 that are linear in the input variables.

So we almost have one and now we have three variables in extra constant; so here we can see that almost all output bits are nonlinear, but we still have y0 that is linear in the input set that we have chosen.

So these are the properties that we are analysing: given a function, we want to see if there are any spaces in the output, and how many and of what size, in the way that there are some output bits that are still linear in the input variables.
So in order to explain this we'll introduce a notion of (v,w)-linearity. So here is the definition: let S be a vectorial Boolean function with n input bits and output bits. We will say that S is (v,w)-linear if we have two subspaces, one input subspace V of dimension small v and one output subspace W of dimension small w, such that all the components of the function that are defined by W, so this is our component, have degree at most 1 on all the cosets of V.

So if we want to apply this definition to the previous examples, we see that in the case when we had fixed x1, x2 to some constant value the function was (2,2)-linear, because we had an input space of dimension 2, because we have two variables x0 and x3, and we had an output space that was linear on all cosets, and that was the first and the third coordinate. In the same way, for the other example when we had x2, x3 constant, we can see now from the definition that the function is (3,1)-linear for this choice of V and for the first output coordinate.

The first interesting property that was noticed is that the notion of (v,w)-linearity is closely related to a generalization of the Maiorana-McFarland construction for bent functions. I will start also here with an example. So here we can see a Boolean function of four variables and algebraic degree, and let's take maybe this subspace. We can see that f is (2,1)-linear with respect to this input subspace; this we can see because if we fix x3, x4 to a constant then clearly it is linear.

So now if we try to decompose the function and we keep separately the variables and what we have constant, we can see that the function has this form, where here it's just a scalar product. And so in general, from this type of decomposition, we can see that any function that is (v,1)-linear with respect to an input subspace V of dimension small v can be written in this way; so here in the previous example x is just x3, x4 and y is x1, x2. And this form is a generalization of the
Maiorana-McFarland construction for bent functions. This construction has also been generalized by many people to vectorial functions, so we can prove, by using the second argument, that a function is (v,w)-linear for some subspaces V and W if and only if all its components, we write all the components just as a vector that we call S_W, have this form, that is just a generalization of the previous form.

And because of this link with the Maiorana-McFarland construction, we can now use the fact that functions that are equivalent to the Maiorana-McFarland construction can be described by the second-order derivatives. So here we have another proposition that says that a function S is (v,w)-linear if and only if all its second-order derivatives D_α D_β of this function, where alpha and beta are in the input space V, vanish. And this proposition gives us a very nice and easy algorithm that we can use in order to find all the subspaces V, W for which S is (v,w)-linear, and that is what we will use in our practical applications.

Of course, that a function is (v,w)-linear has some consequences on its algebraic degree and on the nonlinearity of the function. So we can prove that for a function that is (v,w)-linear, all its components have degree at most n plus 1 minus v, where v is just the dimension of the input space, and the linearity is bigger than or equal to 2 to this. So we see that if the value of v is big enough, the degree decreases and the linearity increases. For this proposition the converse does not hold in general; that means that if we have a function with this degree and this linearity, it will not mean that the function is (v,w)-linear. But the converse holds for the special case where v is equal to n minus 1 and w is equal to 1.

Next we will analyse the 4-bit S-boxes under the spectrum of this new notion. Why the 4-bit S-boxes? Because they are used in many constructions. And what we call optimal S-boxes is just S-boxes that are optimal against linear and differential
cryptanalysis. So in the paper of 2007, Leander and Poschmann studied this type of functions and proved that up to affine equivalence we have 16 classes of optimal 4-bit balanced S-boxes. So what we did here is to study these 16 classes under the spectrum of (v,w)-linearity.

Here are the results, and I will try to explain this table. In the first column you see the 16 different classes; the G_i's are the representatives of these classes, and we have taken exactly the same G_i's as in the paper of Leander and Poschmann. In the second column we see the number of equivalence of the function, and what is inside is just the number of input subspaces V such that S is (v,w)-linear for some output subspace W.

I will not enter into the details for explaining all this, but we can almost explain all the table, and you can find the results in the paper. However, what is nice to notice is that we have a number of quadratic components. So we can see that functions that have, for example, 0 quadratic components are not (2,3)-linear, and we can explain this theoretically, and they are not (3,w)-linear, we can also explain this. And for functions that have big quadratic components the situation is much worse, and so they are more vulnerable. What is in red here is just the class where the Hamsi S-box belongs.

We will see now an application to the Hamsi hash function; actually we will try to explain an attack that was published in 2010 with the notion of (v,w)-linearity. So the Hamsi hash function was designed by Özgül Küçük in 2008 for the SHA-3 competition, and it was one of the 14 functions that went to the second round of the competition.

So here we can see the compression function of Hamsi-256. We have a small message block that is expanded to 256 bits, then this is concatenated with the chaining value of the same size, and the permutation P applies to the concatenated state. We will concentrate on the permutation P, that is just a simple SPN construction with 3 rounds, which is based on the 4-bit S-box that I have
used as an example.

So in 2010 Thomas Fuhr presented an attack that was at the moment the first attack on the hash function. We will not of course describe the attack here, but the basic idea of it was to find affine relations between some input bits and some output bits of the compression function when the other input bits are fixed to some well-chosen values. Then Fuhr used these affine relations in order to build a linear system; the solutions of the system gave preimages for the compression function, and these were afterwards transformed to second preimages for the hash function.

So here we concentrate on the start of the attack: how did Fuhr find affine relations? The first step was to choose the variables in the beginning of the compression function in such a way that they go linearly through the first round. So this was possible; however, then we had a second and a third round, so we had to go through two nonlinear layers, which of course give some nonlinear relations.

And what Thomas Fuhr did for this case was that he noticed the following two properties of the Hamsi S-box. The first property was that the y0 coordinate had only one nonlinear monomial, of degree 2, so if this monomial was linear, of degree only 1, then also y0. Similarly, the last coordinate has only two nonlinear monomials, so if each of them has degree at most 1, then this also would be the case for y3.

So we can now describe this in terms of (v,w)-linearity. This means that y0 is (3,1)-linear for three different hyperplanes, and y3 is (2,1)-linear for three two-dimensional subspaces V. But as we could see in this table, as the Hamsi S-box lies in this class, there are actually many, many more relations that one can exploit. More precisely, there are 23 subspaces V of dimension 2 such that the S-box is (2,2)-linear, and 3 subspaces V of dimension 2 for which the S-box is (2,3)-linear. So we did an automatic search by using the algorithm that I described in the beginning, and so we could find
all the possible relations to propagate some more relations through the second and third rounds, together with some improvements to the attack. And so what we got is that if we fix nine variables in the beginning we get 13 affine relations, and this is two relations more than in the original attack, and with 10 variables we can have 11 affine relations in the attack of Fuhr.

But what is important here is that we actually see that the attack really seems to have a relation with the quality of the S-box that is used. So what we asked ourselves is what happens if we replace this S-box, keep all the other parameters the same, and try to repeat the attack. And so, for example, for the beginning we chose the S-boxes that are used in the JH hash function, that is one of the finalists, that also uses two different 4-bit S-boxes that have no quadratic components. And then we implemented again the attack with the S-boxes G3 to G7 to G11 to G13 that, following the previous notation, also have no quadratic components. So we repeated the attack, and what happened is the attack was not working anymore, because the number of affine relations was not enough to permit building a linear system.

So coming to the conclusion of this talk: we have introduced a new cryptographic property for vectorial Boolean functions that will probably be used as a new measure of linearity for S-boxes, and we have shown that the success of the first attack against Hamsi depends on the choice of the S-boxes. And here we leave as an open question whether such attacks as the one mounted against Hamsi can be related to other recently proposed attacks that were applied against the cipher. So that's all, thanks very much.

Other questions?

Christina, do you think that ideas a little bit similar to this one could apply to, for example, some ciphers built using feedback-based registers, for building linear attacks, or have you had a look at that?

I didn't have a look at it, but I don't know. Probably the problem is that here, for Hamsi, it works really well because the number of rounds is not big. So I was searching for a block cipher, and until now the response is not positive.

But that's probably OK. Thank you.

Thanks, Christina.

Thank you again.
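
Added example, not part of the talk or of the paper: the second-order-derivative criterion described in the talk, used to find, for every input subspace V, the largest output subspace W for which a 4-bit S-box is (v,w)-linear. The Hamsi S-box table and the convention that bit i of the index is x_i are assumptions (the transcript does not list them), and all function names are made up for this sketch.

```python
from itertools import combinations

# Assumption: Hamsi 4-bit S-box table (same table as Serpent S2), not listed
# in the transcript. Bit i of the index is x_i, bit i of the value is y_i.
HAMSI = [8, 6, 7, 9, 3, 12, 10, 15, 13, 1, 14, 4, 0, 11, 5, 2]
N = 4

def span(basis):
    """All vectors of the F_2-span of `basis`, as a frozenset of ints."""
    vecs = {0}
    for b in basis:
        vecs |= {v ^ b for v in vecs}
    return frozenset(vecs)

def subspaces(dim):
    """Every `dim`-dimensional subspace of F_2^N, each exactly once."""
    found = set()
    for basis in combinations(range(1, 1 << N), dim):
        s = span(basis)
        if len(s) == 1 << dim:      # keep only linearly independent bases
            found.add(s)
    return found

def parity(x):
    return bin(x).count("1") & 1

def max_output_space(sbox, V):
    """Largest W such that sbox is (v,w)-linear with respect to (V, W).

    Criterion from the talk: the output mask lam is in W iff the component
    lam . S has D_a D_b (lam . S)(x) = 0 for all a, b in V and all x.
    """
    derivs = {sbox[x] ^ sbox[x ^ a] ^ sbox[x ^ b] ^ sbox[x ^ a ^ b]
              for a in V for b in V for x in range(1 << N)}
    return frozenset(lam for lam in range(1 << N)
                     if all(parity(lam & d) == 0 for d in derivs))

def profile(sbox):
    """Map (v, w) -> number of v-dim subspaces V whose maximal W has dim w."""
    counts = {}
    for v in range(1, N + 1):
        for V in subspaces(v):
            # W is a subspace, so its size is a power of two
            w = len(max_output_space(sbox, V)).bit_length() - 1
            counts[(v, w)] = counts.get((v, w), 0) + 1
    return counts

if __name__ == "__main__":
    for (v, w), n in sorted(profile(HAMSI).items()):
        print(f"dim V = {v}, maximal dim W = {w}: {n} subspaces")
```

With x1 and x2 fixed (V spanned by the x0 and x3 directions) the maximal W is spanned by y0 and y3, which is the (2,2)-linear case walked through in the talk.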