Hello, everyone, and thanks for the introduction. In this talk, I'm going to talk about cryptanalysis of LowMC for some special instances. This is the outline of the presentation. First, I introduce LowMC, our motivation, and also the previous works. Then I'll present our new technique, and after that I discuss how the proposed method can be utilized to recover the key. And finally, I conclude. So, as we know, for most applications, standard ciphers like AES are suitable and efficient. But for a range of new applications, these ciphers are suboptimal. Actually, in these applications, nonlinear operations cost much more than linear operations. For example, we can mention applications like multi-party computation, fully homomorphic encryption, zero-knowledge proofs like SNARKs and STARKs, and very recently, some quantum-resistant signatures. So the main goal of the primitives used in these applications is to minimize the number of ANDs and multiplications. Examples of such designs include LowMC, Kreyvium, FLIP, MiMC, and very recently Rasta, which was proposed at the last CRYPTO. LowMC was proposed at Eurocrypt 2015, and it actually creates suitable instances for a wide range of applications. For example, two submissions in the second round of the NIST competition for post-quantum cryptography use LowMC as their primitive. The round function is an SPN, but with a bit of a tweak. The designers chose to use a partial nonlinear layer. It means that the nonlinear layer doesn't apply to the whole state; it only applies to a part of the state. And also, the S-box size is as small as possible: it's a 3-bit S-box with algebraic degree 2. And these choices, of course, can make the cipher vulnerable to statistical attacks. So to provide reasonable security against statistical cryptanalysis, the designers chose the linear layers as binary invertible matrices that are generated independently and also randomly.
And at the end of the round, we also have the key addition, where the round keys are generated by other matrices. The binary matrices are multiplied with the master key, and then the subkeys are generated. With respect to the number of rounds, for the number of rounds provided by the designers in their work, they study a lot of techniques and different cryptanalyses. And based on the given block size, the allowable data complexity, and the number of S-boxes per round, which we denote by m, they present a formula for the number of rounds. And they show that if we consider this number of rounds, then the cipher is secure against these kinds of cryptanalysis. During the process of the design, Profitovich and Lowend proposed an update to the formula for computing the number of rounds to be secure against the Pumbrang attack. And in 2016, we had another paper on higher-order differentials, which led to the second version of the formula for the number of rounds. And in this work, we present a new cryptanalysis for some special instances of LowMC, which leads to a new formula for the number of rounds. And it's important to note that LowMC version 3 is actually utilized in different schemes. For example, the signature scheme Picnic, or some group signature scheme proposed by Dan Boneh and others. They use LowMC, so it's widely used in different applications. Our work is inspired by previous techniques, so let me quickly remind you of the basic idea from the previous works. Meet-in-the-middle cryptanalysis is a well-known cryptanalysis that, at least in the basic scenario, requires a very limited amount of data. And also, actually, it's independent of the inner components; it's somehow a structural attack. However, it's not applicable to a cipher like LowMC, because the key schedule is strong enough and the subkeys and round keys are generated based on the whole key. Another attack is differential cryptanalysis. It's a flexible method that can be applied to a variety of ciphers.
But the designers of LowMC provide a lower bound on the number of active S-boxes, and then differential cryptanalysis is not applicable to the cipher. Another idea, which was proposed by Demirci and Selçuk in 2009 to apply to AES, was a kind of combination of the truncated differential method and the meet-in-the-middle method. In truncated differentials, instead of looking at just one input difference and output difference, we consider a set of input differences and a set of output differences. They combined these ideas to somehow take advantage of the positive properties of both attacks. However, the application of this kind of method is challenging on LowMC, because the linear layer of LowMC is very strong: it's a bit-oriented matrix, and you cannot really find an efficient truncated differential characteristic for a few rounds of the cipher. So what we aim to do in this work is to somehow exploit these well-known techniques, take advantage of their positive properties, and then overcome the limitations such that they can be applicable to LowMC. So let me first give an overview of our technique. We divide the cipher into three parts, namely R1, R2, and R3. For the first part of the cipher, we aim to find a differential characteristic with input difference Δin such that this characteristic holds with probability 1. So if we have a deterministic differential characteristic, the idea is that, independent of the value of the unknown key, we can predict the difference at the output of the R1 rounds. Then we ask the oracle to provide us the corresponding ciphertexts of the plaintexts P and P′, such that the difference between P and P′ is Δin. For the second and third parts of the cipher, instead of looking for a differential or truncated differential characteristic with high probability, we aim to find all of the reachable output differences after R2 rounds.
So we compute all of the reachable differences here from ΔR1, and we save all of them in a list. And we do the same for the third part, from the ciphertexts and in the backward direction, and we compute all of the reachable differences from here to here. And in a meet-in-the-middle approach, we can compare the two sets and find the common values in both sets. And if this value is unique, then it means that we could find the value of the difference in the middle of the cipher, independent of the unknown key. And of course, if it's a unique value, then we can do the same thing for the other rounds and obtain all of the internal differences of the cipher. So let's go to the details. For the first part, to have a deterministic differential characteristic, we need all of these S-boxes to be passive. Each round has m S-boxes, and each S-box has three bits, so for R rounds we have 3·m·R filter conditions. So if we consider the block length of LowMC to be b, then we expect to have 2^(b − 3mR) deterministic differential characteristics. So to have a deterministic differential characteristic, it's enough to consider R1 as approximately b/3m. For the second and third parts of the method, we need to somehow estimate the number of reachable differences. We compute the reachable differences more precisely in our paper, but here I prefer not to go into the details and just give an overview. So if we consider only one S-box and we fix the input difference, then the output difference of the LowMC S-box can take at most 2^2 different values. And if we consider all rounds of the cipher with the assumption that all of the S-boxes are active, then each round has m S-boxes. So if we consider all R rounds, then in total we have m·R S-boxes. So in total we have at most 2^(2·m·R) different values.
So the time complexity for computing all of the reachable differences and creating the list is 2^(2mR2) for the second part, and similarly for the third part. And of course, it should be less than 2^k, because we want to have an attack faster than exhaustive search. Another limitation is to avoid wrong collisions. To avoid wrong collisions, the number of rounds in the second and third parts should be less than this value. So of course we cannot get around this inequality, because it's the time complexity and we want to have an attack faster than exhaustive search. But the question is, how can we manage this inequality? How can we solve this problem? Because if we have more than one collision in the middle of the cipher, then it's somehow challenging. The idea is simple yet very effective. We move from differential to polytopic characteristics, which were for the first time proposed by Tiessen at Eurocrypt 2014. Instead of considering one difference and the propagation of one difference, we consider d-differences, a tuple of differences. And similarly, we can also estimate the number of differences reachable in the middle of the cipher. So for one S-box of LowMC, we have at most 2^3 different values at the output of the S-box. And if we consider R rounds, each round has m S-boxes, so in total we have m·R active S-boxes in the worst case. So at most we have 2^(3·m·R) different values for the differences. And now, to avoid any wrong collision, it's enough to consider the dimension d larger than this value. So we can simply manage this by actually increasing the dimension d of the d-differences. So far, we have discussed finding and obtaining the internal differences of the cipher without computing the key. Now it's important to understand how it affects the security of the cipher.
We want to know, if we know the internal differences in the middle of the cipher, whether we can actually retrieve the key efficiently, and how we can obtain the key efficiently. So let me remind you of the well-known definition for S-boxes. We call an S-box δ-uniform if, for a specific input difference α and a specific output difference β, the number of x that satisfy this equation is less than or equal to δ. For example, the LowMC S-box is 2^2-uniform. So in general, if the S-box is 2^x-uniform, and if we assume that in the last round all of the m S-boxes are active, then we have 2^(mx) different solutions for given input and output differences of the last round. And each of these solutions leads to a specific value for the state before the S-box and after the S-box, and each of them can lead to a unique subkey. And of course, if we use more pairs, then we can retrieve the last round key. But the key point here is that we cannot retrieve the whole subkey at the end of the cipher, because the nonlinear layer is partial. So to be able to continue this way for the other subkeys, we need to present this equivalent representation of LowMC. So this is the structure of LowMC, and if you look at the last two operations, both of them are linear. So we can simply swap them and consider an equivalent subkey instead of the original subkey. And again, if you look at this key addition and this key addition, as the nonlinear layer is partial, we can combine this part and this part together like this, and then again we consider an equivalent subkey for the round before the last round. And of course we can continue this way, and finally we have this kind of representation for LowMC. So if we can retrieve this value for the last round of the cipher, then we can simply peel off one round and again apply the method to retrieve the subkeys for the other rounds.
These are the results of our attack. For example, if you look at this instance, the key length is 256, the number of rounds is 158, the allowable data is 16, the number of S-boxes is one, and the block size is 128. And the time complexity of the attack is at most 2^165, which is notably faster than 2^256. The key point here is that, in our formulation, we have found that if the block size is larger than the key size, then it's better to use conventional differential characteristics; it means differences with dimension d = 1, like conventional differentials. And when the block size and key size are equal, then dimension two is the best choice. And of course, when the block size is much smaller than the key size, then we can increase the dimension d of the d-differences. For example, we consider d = 4, and then we can avoid any wrong collision in the middle of the cipher. So all of the instances we could attack have the same structure, say property, that the number of S-boxes in each round is very limited, for example one or five. So it's only applicable to low-data instances, and also the allowable data is very limited. So it's only applicable to low-data instances of LowMC, but it's a very important class of the LowMC family of ciphers, because it's already used in some post-quantum signatures, and so it's a very important class of LowMC. So to conclude, we propose a new representation for block ciphers with a partial nonlinear layer. The representation that I just introduced can be applicable to any SPN cipher with a partial nonlinear layer. And we provide new insight into the security evaluation of LowMC and also block ciphers with a partial nonlinear layer. And our results are the best results for some versions of LowMC, which led to a new number of rounds for them. Thank you very much.

Any questions? So, have you tried these techniques on other partial SPN ciphers?
Yeah, so for example, if we consider Zorro, then it's also applicable to Zorro or other ciphers, but compared to other attacks on Zorro, our results are not better. But the point is that our attack is applicable to Zorro independent of the linear layer. So if we change the linear layer, of course differential and linear attacks cannot be applied, or at least it can be challenging to apply them to Zorro or similar ciphers, but our work is independent of the linear layer and the inner properties of the cipher. But yeah, it's not better than the previously known attacks. Okay, thank you. But naturally it's applicable. Okay, thank you. Thank you. Thank you.
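The S-box counting and the meet-in-the-middle over reachable differences that the talk describes, as an added worked example in Python. This is not code from the talk, the paper or the LowMC designers: only the 3-bit S-box is LowMC's, while the 8-bit block, the single S-box per round, the random linear layers and round keys, and the round split R1 = 2, R2 = R3 = 1 are constructed toy values chosen so that every reachable difference can be enumerated. `demo()` finds a probability-1 input difference by solving the 3·m·R1 linear conditions on the S-box inputs, enumerates the forward set from ΔR1 and the backward set from the ciphertext difference, and intersects them; the DDT shows that a fixed nonzero input difference reaches 4 = 2^2 output differences, each produced by 2 values of x.

```python
# Toy model of the talk's meet-in-the-middle over reachable differences. Added example, not
# code from the talk or the LowMC designers: only the 3-bit S-box is LowMC's; the linear
# layers are random invertible GF(2) matrices built from a fixed seed, and B, M and the
# round split are assumed toy values, small enough to enumerate every reachable difference.
import functools, itertools, operator, random

B, M = 8, 1  # assumed toy block size and number of S-boxes per round

def lowmc_sbox(x):
    """LowMC S-box S(a,b,c) = (a+bc, a+b+ac, a+b+c+ab); a is the top bit of x."""
    a, b, c = x >> 2 & 1, x >> 1 & 1, x & 1
    return (a ^ b & c) << 2 | (a ^ b ^ a & c) << 1 | (a ^ b ^ c ^ a & b)

SBOX = [lowmc_sbox(x) for x in range(8)]
# DDT[din][dout] = number of x with S(x) ^ S(x ^ din) == dout, i.e. key candidates per S-box
DDT = [[sum(SBOX[x] ^ SBOX[x ^ i] == o for x in range(8)) for o in range(8)] for i in range(8)]
OUT_DIFFS = [[o for o in range(8) if DDT[i][o]] for i in range(8)]  # forward: at most 2^2 each
IN_DIFFS = [[i for i in range(8) if DDT[i][o]] for o in range(8)]   # backward propagation

def apply(rows, x):  # y = rows * x over GF(2); rows[i] is the bitmask of matrix row i
    return sum((bin(r & x).count("1") & 1) << i for i, r in enumerate(rows))

def compose(left, right):  # rows of the matrix product left * right
    return [functools.reduce(operator.xor, [c for j, c in enumerate(right) if l >> j & 1], 0)
            for l in left]

def random_invertible(rng, n, ops=80):
    """Random invertible matrix as a product of row xors, returned together with its inverse."""
    steps = [(rng.randrange(n), rng.randrange(n)) for _ in range(ops)]
    steps = [(i, j) for i, j in steps if i != j]
    fwd, inv = [1 << i for i in range(n)], [1 << i for i in range(n)]
    for i, j in steps:
        fwd[i] ^= fwd[j]
    for i, j in reversed(steps):  # E_1 ... E_k applied to I inverts E_k ... E_1
        inv[i] ^= inv[j]
    return fwd, inv

def gf2_nullspace(rows, n):
    """Basis of {x : r . x = 0 for every row r}, keeping rows in reduced echelon form."""
    pivots, reduced = [], []
    for r in rows:
        for p, q in zip(pivots, reduced):
            if r >> p & 1:
                r ^= q
        if r:
            p = r.bit_length() - 1
            reduced = [q ^ r if q >> p & 1 else q for q in reduced]
            pivots.append(p)
            reduced.append(r)
    def vec(f):  # basis vector for free column f: x_f = 1, pivot bits copy column f
        return 1 << f | sum(1 << p for p, q in zip(pivots, reduced) if q >> f & 1)
    return [vec(f) for f in range(n) if f not in pivots]

def sbox_layer(x):  # partial nonlinear layer: S-boxes on the low 3*M bits, identity elsewhere
    for i in range(M):
        x = x & ~(7 << 3 * i) | SBOX[x >> 3 * i & 7] << 3 * i
    return x

def encrypt(x, layers, keys):  # toy PSPN round: S-box layer, linear layer, round-key addition
    for (fwd, _), k in zip(layers, keys):
        x = apply(fwd, sbox_layer(x)) ^ k
    return x

def layer_diffs(d, table):  # every difference the S-box layer can map d to (OUT_/IN_DIFFS)
    high = d >> 3 * M << 3 * M
    for combo in itertools.product(*(table[d >> 3 * i & 7] for i in range(M))):
        yield high | sum(v << 3 * i for i, v in enumerate(combo))

def forward_diffs(delta, layers):  # all differences reachable after these rounds from delta
    cur = {delta}
    for fwd, _ in layers:
        cur = {apply(fwd, e) for d in cur for e in layer_diffs(d, OUT_DIFFS)}
    return cur

def backward_diffs(delta, layers):  # all input differences of these rounds that can give delta
    cur = {delta}
    for _, inv in reversed(layers):
        cur = {e for d in cur for e in layer_diffs(apply(inv, d), IN_DIFFS)}
    return cur

def passive_input_diffs(layers, r1):
    """Basis of input differences that keep every S-box of the first r1 rounds passive."""
    conds, acc = [], [1 << i for i in range(B)]  # acc = L_{r-1} ... L_1, identity at first
    for fwd, _ in layers[:r1]:
        conds += acc[:3 * M]  # S-box input bits of this round must have zero difference
        acc = compose(fwd, acc)
    return gf2_nullspace(conds, B)

def demo(seed=1, r1=2, r2=1, r3=1):
    """Recover the state difference after round r1+r2 without knowing the key."""
    rng = random.Random(seed)
    layers = [random_invertible(rng, B) for _ in range(r1 + r2 + r3)]
    keys = [rng.randrange(1 << B) for _ in layers]  # constructed toy round keys
    delta_in = passive_input_diffs(layers, r1)[0]
    p = rng.randrange(1 << B)
    c0, c1 = encrypt(p, layers, keys), encrypt(p ^ delta_in, layers, keys)
    (delta_r1,) = forward_diffs(delta_in, layers[:r1])  # probability-1 part: a single value
    cands = forward_diffs(delta_r1, layers[r1:r1 + r2]) & backward_diffs(c0 ^ c1, layers[r1 + r2:])
    truth = encrypt(p, layers[:r1 + r2], keys) ^ encrypt(p ^ delta_in, layers[:r1 + r2], keys)
    return delta_in, cands, truth  # truth uses the key only to check the key-free result
```

With an 8-bit block the forward and backward sets hold at most 4 differences each, so the intersection returned by `demo()` always contains the true middle difference but may also contain a wrong collision; that is the 2^(2m(R2+R3)) versus 2^b tension the talk resolves by moving to d-differences. Round keys never enter the difference computation, only the final consistency check.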