Hello, everyone. The title of this talk is Algebraic Attacks on Rasta and Dasta Using Low-Degree Equations. This is joint work with Santanu Sarkar, Willi Meier and Takanori Isobe. Recently, there is a trend to design symmetric-key primitives friendly to applications like secure multiparty computation, fully homomorphic encryption, and zero-knowledge proof systems. Rasta is an FHE-friendly design proposed at Crypto 2018. The overall structure is depicted in this figure. Specifically, for r rounds of Rasta, a round function composed of an affine layer and a non-linear layer is iterated r times. Then one more affine layer is applied to the output. Finally, the key is XORed with the output and the keystream z is generated. A notable feature of Rasta is that the affine layers are ever-changing for each plaintext block to be encrypted. In other words, each keystream block z is generated with a different concrete Rasta instance. This is quite different from common symmetric-key designs, where the linear layers, the non-linear layers and the round constants are all fixed. Let me give a brief introduction to the Rasta round function. The affine layer is generated in this way. First, use the plaintext block counter C and a nonce N as the input to an XOF, for example SHAKE256. Second, use the output of the XOF to construct a random full-rank binary matrix M of size n times n and a random n-bit round constant rc for each round. Then the matrix M and the round constant rc form the affine layer A. Different from the affine layer, the non-linear layer of Rasta is fixed, and it is indeed the n-bit χ operation. Note that the 5-bit χ is the one used in the Keccak round function. The designers recommended a set of parameters, that is, the block size n and the number of rounds r for each security level. Indeed, the choice of these parameters is based on the resistance against the linearization attack, which will be detailed later.
In addition, I have to emphasize that the key size is the same as the block size. Therefore, according to this table, it can be found that the key size is much larger than the claimed security level. Focus on the first row of this table: the key size is 327 bits, while the designers only claim 80-bit security. Moreover, it should be noted that there is a limit on the number of plaintext blocks encrypted under each n-bit key. Apart from the above parameters, the designers also propose three aggressive parameter sets where the security level is almost the same as the key size. They are called Agrasta. The same data limit also holds for Agrasta, and no attack could break any of them under such a data limit. Dasta can be viewed as a variant of Rasta. In a word, different from Rasta, which uses ever-changing linear layers, Dasta adopts a deterministic full-rank linear transform matrix A. Dasta was proposed at ToSC 2020. The overall structures of Rasta and Dasta are the same, as shown in this figure, so both of them use the feed-forward operation. The non-linear layer of Dasta is the same as in Rasta, so both of them use the n-bit χ operation. However, the linear layer is redesigned in Dasta. Specifically, the linear layer is now composed of a fixed linear transform A and an ever-changing bit permutation P. The bit permutation P depends on the round number and the plaintext block counter C. Our attack is irrelevant to the details of the permutation P; our attacks work for any bit permutation, so I will not detail the specification of P. There are two main features of Dasta. First, no pseudo-random number generator is used. Second, there is no need to generate random full-rank matrices. The Dasta designers propose the same parameters as Rasta, except the one whose block size is too large, as listed in this table. So Dasta also uses the same data limit as Rasta.
Now I will describe the analysis of Rasta. Note that the same analysis also applies to Dasta, because they are in general the same design. The most challenging problems in analyzing Rasta are listed here. First, it is a moving target. Second, traditional techniques like differential, linear, cube and higher-order differential attacks fail, because they require collecting many plaintext-ciphertext pairs under a fixed encryption instance. This is not the case for Rasta, because each keystream block z is generated with a different concrete instance. Nevertheless, there are also some notable exploitable features. First, the degree of the non-linear operation, the χ operation, is 2, so the degree of the round function is low. Second, the number of rounds is small. Last, there is a feed-forward operation, which implies that a meet-in-the-middle style attack may work. All in all, an algebraic attack seems promising owing to the low degree of the round function and the small number of rounds. The designers are obviously aware of it. Indeed, the choice of the parameters is based on the resistance against the linearization attack. There is no doubt that the linearization attack is the simplest algebraic attack. The procedure is very simple. First, the attacker collects T equations in n variables whose degree is upper bounded by D. Then, if the number of equations is larger than the total number of different monomials of degree at most D formed by the n variables, he renames all monomials of degree larger than 1 as new variables. Finally, the problem is equivalent to solving a system of linear equations where the number of equations is larger than the number of unknowns, which can be easily solved by Gaussian elimination. Obviously, the degree D dominates the time complexity of the linearization attack: the smaller D, the lower the time complexity of the Gaussian elimination and thus of the attack.
Let us see how the designers evaluated the resistance against the linearization attack. The degree of the χ operation is 2 in the forward direction. For r rounds of Rasta, the degree of the keystream z in terms of the key bits is upper bounded by 2^r. Hence, the attacker needs to solve a system of nonlinear equations in n unknowns of degree upper bounded by 2^r. As already said, the degree has a big influence on the time complexity of the attack. Now it is natural to ask whether it is possible to lower the degree to 2^{r-1} by using a meet-in-the-middle style structure. However, is it really possible? Is it really feasible to consider the backward direction? Due to the feed-forward operation, it is easy to observe that the output of the last χ operation can be written as linear expressions in terms of the key bits. In other words, the degree of the output can be treated as 1. In addition, the input of the last χ operation is of degree upper bounded by 2^{r-1}. Although the degree of the output of the last χ is 1, the degree of the inverse of the large-scale χ is rather high; this is a well-known fact. Hence, if we simply consider its inverse, the degree of the equations will be much higher than 2^r, and we benefit nothing from such equations. The time complexity of the attack would only increase, not decrease. Indeed, this is exactly what the designers thought, and hence they directly gave up such a meet-in-the-middle style attack: it is too costly to consider the inverse of the χ operation. This is a summary of what I explained just now. The analysis indicates that we should never consider the full inverse of the χ operation. Then, how should we analyze Rasta? It can be found from our paper that the method we used is surprisingly simple, so I think it is more helpful to explain how we found the simple improved linearization attacks. This was inspired by the study of the 3-bit LowMC S-box, which is defined below.
So the degree is also 2. Then the authors of that paper described how to generate more linearly independent quadratic equations for the 3-bit S-box. The idea is already known from the XL algorithm. Specifically, for the output bit y0 we can multiply both sides of its equation by x1 and by x2, and we get two different quadratic equations, because the only quadratic term in the expression of y0 is x1 x2. Similar strategies can also be applied to the output bits y1 and y2. Moreover, there are two additional quadratic equations generated with a different idea. That is, we consider eliminating the cubic term x0 x1 x2, as shown in the last two equations on this slide; to do so, we have to consider two different output bits. Combined with the inverse of the 3-bit S-box, there are in total 14 linearly independent quadratic equations describing the LowMC S-box. Following a similar procedure, we first list the n quadratic Boolean equations of the n-bit χ operation. Then we can directly derive some quadratic equations by multiplying both sides by proper variables, as shown in the last two equations on this slide. Then we ask ourselves whether there are other ways to generate quadratic equations in other forms. This is a natural question, because we have two additional quadratic equations generated in a different way for the LowMC S-box, so whether we can do the same for the χ operation is worth investigating. Then we observe that we can consider two consecutive output bits of the χ operation. This is also inspired by the way the two additional quadratic equations for the LowMC S-box are generated, where two different output bits have to be considered. By looking into two consecutive output bits of the χ operation, we find a quadratic equation in a quite different form: (x_i + y_i) y_{i+1} = 0. It is different from the quadratic equations on this slide.
In the last two equations on this slide, the input bits of the χ operation are no longer multiplied with each other. What does this equation imply? First, note that x_i is an input bit of the χ operation while y_i is an output bit. Second, note that the expression of x_i is of degree 2^{r-1}, while the degree of the expression of y_i is 1. Hence, although the large-scale χ is not fully inverted, we obtain an equation in terms of the key bits whose degree is upper bounded by 2^{r-1} + 1, which is smaller than 2^r and than the degree of the inverse of χ. By simply using the above quadratic equation, we can greatly reduce the degree of the equations used for the linearization attack on Rasta. As illustrated in this figure, the degree is reduced from 2^r to 2^{r-1} + 1. Note that we do not fully invert the χ operation; instead, we only carefully investigate the relations between certain input bits and output bits. That is why we use a dashed line in this figure. When r is large, this is a great reduction in the algebraic degree. For example, when r = 6, the degree of the equations is reduced from 64 to 33. This equation also implies that the linearization attack is improved by one more round, because attacking r-round Rasta with the new quadratic equation is now equivalent to attacking (r-1)-round Rasta with the trivial linearization attack, which solves a system of nonlinear equations of degree 2^{r-1} + 1 in n variables. Then another question naturally arises: can we find other similar useful equations? If so, how to find them? To answer this question, we should first understand what kind of equations are useful to improve the attack. To do so, we first make a definition of the exploitable equation.
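As an added illustration of the two points above (the identity for two consecutive output bits of χ, and the gap between the trivial linearization attack of degree 2^r and the improved one of degree 2^{r-1} + 1), here is a toy Rasta-style instance in Python. This is my own example, not code from the talk or from the Rasta and Dasta papers. It assumes a toy block size n = 7 and r = 2 rounds, draws the affine layers from a seeded PRNG instead of SHAKE256, represents polynomials in the key bits as sets of monomials over GF(2), and checks the identity (x_i + y_i) y_{i+1} = 0 symbolically before using it in the attack. The function names and the toy key are mine.

```python
import random
from functools import reduce
from operator import xor

ONE = frozenset()                       # the constant monomial 1

def kvar(i):                            # the polynomial consisting of the single key bit k_i
    return frozenset({frozenset({i})})

def const(bit):
    return frozenset({ONE}) if bit else frozenset()

def mul(p, q):                          # product of two polynomials over GF(2)
    acc = set()
    for a in p:
        for b in q:
            acc ^= {a | b}              # k_i^2 = k_i, and equal monomials cancel mod 2
    return frozenset(acc)

def evaluate(p, k):                     # value of p at the concrete key bits k (list of 0/1)
    return sum(all(k[v] for v in m) for m in p) & 1

def chi_sym(x):                         # chi: y_i = x_i + (x_{i+1} + 1) x_{i+2}, indices mod n
    n = len(x)
    return [x[i] ^ mul(x[(i + 1) % n] ^ const(1), x[(i + 2) % n]) for i in range(n)]

def affine_sym(M, c, x):                # affine layer M*x + c on a vector of polynomials
    n = len(x)
    return [reduce(xor, (x[j] for j in range(n) if M[i][j]), const(c[i])) for i in range(n)]

def exploitable_identity_holds(n):      # symbolic check that (x_i + y_i) * y_{i+1} == 0 for n-bit chi
    x = [kvar(i) for i in range(n)]
    y = chi_sym(x)
    return all(mul(x[i] ^ y[i], y[(i + 1) % n]) == frozenset() for i in range(n))

def inv_gf2(M):                         # Gauss-Jordan inverse of a 0/1 matrix over GF(2), None if singular
    n = len(M)
    rows = [sum(M[i][j] << j for j in range(n)) | (1 << (n + i)) for i in range(n)]
    for c in range(n):
        piv = next((r for r in range(c, n) if rows[r] >> c & 1), None)
        if piv is None:
            return None
        rows[c], rows[piv] = rows[piv], rows[c]
        for r in range(n):
            if r != c and rows[r] >> c & 1:
                rows[r] ^= rows[c]
    return [[rows[i] >> (n + j) & 1 for j in range(n)] for i in range(n)]

def random_instance(rng, n, r):         # r+1 random invertible affine layers (toy stand-in for the XOF-derived ones)
    layers = []
    while len(layers) < r + 1:
        M = [[rng.randrange(2) for _ in range(n)] for _ in range(n)]
        if inv_gf2(M) is not None:
            layers.append((M, [rng.randrange(2) for _ in range(n)]))
    return layers

def keystream_sym(layers, n):           # z = A_r(chi(... A_0(k) ...)) + k as polynomials, plus the input of the last chi
    state = [kvar(i) for i in range(n)]
    for M, c in layers[:-1]:
        x_last = affine_sym(M, c, state)
        state = chi_sym(x_last)
    M, c = layers[-1]
    return [p ^ kvar(i) for i, p in enumerate(affine_sym(M, c, state))], x_last

def linearize_solve(eqs, n):            # rename each non-constant monomial as an unknown, then eliminate
    monos = sorted({m for p in eqs for m in p if m != ONE}, key=lambda m: (len(m), sorted(m)))
    col = {m: j for j, m in enumerate(monos)}
    width, pivots = len(monos), {}      # pivots: column -> fully reduced row; bit `width` holds the constant
    for p in eqs:
        row = sum(1 << col[m] for m in p if m != ONE) | ((ONE in p) << width)
        for c, prow in pivots.items():
            if row >> c & 1:
                row ^= prow
        low = row & ((1 << width) - 1)
        if low == 0:
            continue                    # linearly dependent equation
        c = (low & -low).bit_length() - 1
        for pc in pivots:
            if pivots[pc] >> c & 1:
                pivots[pc] ^= row
        pivots[c] = row
    if len(pivots) < width:
        return None                     # not enough independent equations for a unique solution
    key = [pivots[col[frozenset({i})]] >> width & 1 for i in range(n)]
    return key, width + 1, max(len(m) for m in monos)

def attack(n, r, key, num_instances, improved, seed=1):
    rng, eqs = random.Random(seed), []
    for _ in range(num_instances):      # every keystream block comes from a fresh instance
        layers = random_instance(rng, n, r)
        z, x_last = keystream_sym(layers, n)
        z_obs = [evaluate(p, key) for p in z]            # what the attacker observes
        if not improved:                # trivial: z_i(k) + z_obs_i = 0, degree 2^r
            eqs += [z[i] ^ const(z_obs[i]) for i in range(n)]
        else:                           # feed-forward makes y = A_r^{-1}(z + c_r + k) affine in k,
            M, c = layers[-1]           # x_last has degree 2^{r-1}, so (x_i + y_i) y_{i+1} = 0 has degree 2^{r-1} + 1
            y = affine_sym(inv_gf2(M), [0] * n, [kvar(i) ^ const(z_obs[i] ^ c[i]) for i in range(n)])
            eqs += [mul(x_last[i] ^ y[i], y[(i + 1) % n]) for i in range(n)]
    return linearize_solve(eqs, n)
```

Calling attack(7, 2, key, 40, improved=False) and attack(7, 2, key, 40, improved=True) with a constructed 7-bit key recovers the key both ways, but the trivial system contains monomials of degree up to 4 = 2^r (at most 99 unknowns for n = 7), while the improved system, built from (x_i + y_i) y_{i+1} = 0 with y written as the affine function A_r^{-1}(z + c_r + k) of the key, stops at degree 3 = 2^{r-1} + 1 (at most 64 unknowns). On the real parameters it is this same reduction that turns the degree 2^r into 2^{r-1} + 1.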
An exploitable equation is defined as an equation in which the input bits of the χ operation are only allowed to form linear terms or quadratic terms with the output bits. Finding exploitable equations is indeed not that difficult, because we already know the constraint on their form. We use a three-step method. First, we consider a small-scale χ operation, for example n = 7, 9, 11 and 13. Then we use a similar technique to find quadratic equations for the small-scale χ. Finally, we check whether the exploitable equations also hold for the χ operation of any size. The five exploitable equations used in this paper are listed here. Note that Equation 1 has already been widely used in the preimage attack on Keccak. However, it is always interpreted in a different way in that context; in other words, its form has not attracted too much attention. As for Dasta, we find that the attack can be further optimized owing to the use of a deterministic linear layer A. In a word, by considering the output bits of the inverse of the last linear transform A and using Equation 2, we can construct a system of nonlinear equations in terms of the key bits of degree 2^{r-1} rather than 2^{r-1} + 1 from many plaintext-ciphertext pairs. So in a sense, Dasta is weaker than Rasta. This is a summary of our results. First, based on the improvements of the linearization attack, we directly broke two out of three instances of Agrasta. Second, the generic linearization attacks on Rasta and Dasta are improved by one more round for most instances. Third, Dasta is weaker than Rasta, thus invalidating the designers' claim. In conclusion, our analysis sheds new insights into the large-scale χ operation. Moreover, our analysis also sheds new insights into how to analyze Rasta-like primitives. Finally, we significantly improve the linearization attacks on Rasta and Dasta.
Moreover, we believe that it is interesting to further investigate whether it is possible to construct nonlinear equations of lower degree for the Rasta family. If it is feasible, we may even break Rasta and Dasta. That's all. Thank you.