 My name is Mustafa Khairallah and today I will be talking about the paper with keys in the rigging paradigm application to commit and mix fit. This is an overview of what we were talking about, I will give an introduction and a timeline of the related work and then I will describe the framework in the paper and how the analysis applies to commit and mix fit. This is an informal summary for non-spaced authenticated encryption, I assume most viewers already know what this is. And basically a non-spaced authenticated encryption or NAE is a scheme which has an encryption part, takes a secret key and a unique nonce and in relation to this secret key and unique nonce takes an associated data which is the public part of the message and plain text which is the secret part of the message, it outputs a ciphertext and a tag. Then the decryption part takes the same secret key, same nonce, same associated data, ciphertext and tag. If the tag is correct it outputs the encrypted message, if the tag is incorrect it outputs an error. And ideally we want the encryption to be able to detect all invalid tags so it would only output the plain text if the query was generated by a legitimate encryption oracle. Well for the encryption oracle we require that the ciphertext and the tag are indistinguishable from random binary strings in the sense that they look random and they leak nothing about the plain text except its length. Now as I said this algorithm takes a secret key and is expected to behave this way when the key is a good key. However there can be weak keys where the algorithm doesn't behave in the way I described. Usually these weak keys are a small part of the overall key space and they have low probability of occurrence so they don't affect the security when we take the average over all possible keys. But if they occur they are usually very easy to detect and the goal of the analysis is to increase the weak key space so much that it affects the security not just when the weak key occurs but in the general setting as we can take the average probability over all keys and in that case the probability of successful attack will be high. Another topic relevant to this paper is multi key adversaries. In the multi key scenario the attacker can target many keys or many users at the same time in order to use his resources more efficiently. We will have different encryption and each using different key and each key can be a weak key or not but since we are targeting many keys at the same time the probability of a weak key occurrence is higher and remember the adversary only wins if he can attack one key he doesn't have to attack all the keys. I give a summary of this work and the related work. In April 2019 the specification of Comet and Mixfeed was published by the NIST with preliminary analysis. And in May 2019 we published an unsubmissive attack on Mixfeed. In August 2019 we published this paper the original version where we identify weak key class for Comet and from there we identify forgery and key recovery attacks on both the single key and multi keys. For Mixfeed we identified a class of weak keys and described forgery attack using this class of weak keys in the general setting. In both cases we communicated our results to the designers and shortly after the designers published security proofs for both schemes. In case of Comet the security proof covers the proposed attacks in the single key setting while in case of Mixfeed the designer proposes an assumption on the size and probability of the weak key classes and also they do not claim non-smissive security. Recently in September 2020 the designers of Comet proposed Comet version 2 to make the key recovery harder and it actually will use one of the proposed tweaks we proposed in this paper. Designers also reported that they received other weak key attacks from Bernstein, Henry and Turham but to the best of our knowledge these attacks are not public yet. More recently in October 2020 Laurent and Pernault studied the weak key classes of Mixfeed showing that they have very high probability of occurrence allowing forgery in the general setting with 44% success probability. So this is the Rekey and Chain framework and the idea is that we have an initialization function which takes non-secret key and associated data then it outputs initial session key and initial vector. Afterwards the initial vector is used as the first chaining value and it goes through a linear function with a plain text block to output a ciphertext block and generate the new chaining value. The chaining value is encrypted using a permutation of the initial key and then this is repeated and after each iteration we apply a permutation to the key and it's critical because we need the key to be unique for every block cipher call. If this permutation has a fixed point then the key will be the same for every block cipher call. As we will see in the attack on Comet this allows us to predict and control what will be the input to the cipher call and we can force it to be an input that we have already observed and this means we can predict the output which allows us to perform forced early attacks. Moreover if the permutation over Z is not a fixed point but the permutation has a short cycle then we can do the same but instead of applying it on one block we apply it on the overall cycle size. So in order to prove that the scheme is secure the designer has to prove that the probability of fixed points or short cycles in such design is very low. Now we show in the paper that using this idea we can attack Cofp and Hyena with forgery attacks with complexity 2 to the 64 however this does not affect the designs as they only claim security up to complexity of 2 to the 58. In case of Comet this allows master key recovery with the same complexity asymptotically again this does not affect the security proof of Comet because Comet assumes the data complexity is only 2 to the 60 in terms of how many blocks. In case of mix feed it allows forgery attacks with Conect and complexity however the messages are relatively large 2 to the power 34 still it's practical and this result of mix feed is a combination of the attack I just described plus the study of the weak key classes by Lorena Amperno in 2020. Let's look at the Comet how it looks like and how our framework applies to it we can see that first we have a key derivation function which takes the nonce and key and outputs initial vector y0 and initial keys at 0 it's noticeable that the initial vector y0 is just k itself this goes through a associated data absorption phase and outputs ya and za which will feed into our framework as the initial key and the initial vector and then it iterates on a similar operation to what I described so we have an ideal cipher and we have a permutation phi and the goal is to find either fixed points for phi or short cycles let's look at the permutation the permutation essentially divides the key into two equal parts each one has size k over 2 then it xors some control bits to the left half and multiplies the output by 2 or in general a generator over a finite field of size 2 to the k over 2 and concatenates the output to the unchanged right part now we can see that if the left part is equal to delta then the output of xor will be 0 and the output of the multiplication will be 0 what's important to notice is that delta itself is equal to 0 for most blocks it's you only used as a domain separation parameter and it only affects transitional blocks so the beginning of the absorption phase of the associated data or the beginning of the encryption phase or the beginning of the tag generation phase so if at the beginning of one phase we have the left part is equal to delta and this leads output to be equal to 0 and over all the next blocks of that phase delta will be 0 and as we can see this will lead to a fixed point over the left half and since the right half is unchanged then it's a total fixed point now the number of fixed points is 2 to the k over 2 and this is how it looks like probability is 2 to the minus k over 2 and the probability of successful forgery for the attack is q over 2 to the k over 2 how the forgery operates is that we start to use a message with two blocks and we assume that the key is weak so all the block cipher calls use the same key what we do is that we convert this to a single block message because of the properties of the linear function we can control the input to the cipher call to be this one instead of this one and if that is actually weak this succeeds with probability 1 if that is not weak the key afterwards will be different but since we don't know z and that is selected randomly we can assume that once in every 2 to the power 64 queries it will be weak and this leads to forgery with to the power 64 complexity what's important about comet is that its initialization function can be then used to recover k itself here's how the initialization function works first we take n encrypted under k to get z then we encrypt k under z to get iv and if the forgery succeeds it means our prediction for the internal state was correct so we know iv we know also that that belongs to the wiki class which has size of 264 in offline complications the adversary can apply to the bar 64 decryptions and get to the bar 64 candidates 4k then the adversary can take this to the bar 64 candidates 4k and encrypts n under all of them to get to the bar 64 candidates for that however for every candidate of k we know what should be the value of that so for most of them this will lead to a contradiction and we can see that we need to satisfy this equation and under the wrong key assumption this equation has probability to the minus 128 since we are doing to the bar 64 queries with very high probability we will not be able to find a wrong key that satisfies this equation and only the correct key will satisfy it which will lead to key recovery and this has complexity 2 times to the bar 64 of line cipher codes to sum up we described first an existential forgery attack against comet with complexity to the bar 65 encryptions and to the bar 64 decryptions in terms of number of blocks then we extended by adding to the bar 65 cipher calls to convert it into a full master key recovery now we move on to the multi key domain and we can see because that is selected at random we can assume that the initialization function is converted to a random oracle that outputs that and this random oracle does not really depend on the master key k so if we target many users we can assume that one of them will have a weak key at some point and we can forge against that one so we try a forgery against all of them and when one succeeds we can recover the key of that one it's important to see that in the multi key domain the attacker doesn't have to attack all the keys he only have to attack one key so we see that the per user complexity skills by a factor mu however the overall complexity is fixed and in terms of the next competition this means that one in every about half million users is vulnerable as we can see in this visualization how to fix comet a cheap fix is to change the size of the finite field so instead of having k over two it can keep be k minus c where c is small and actually a similar fix was adopted in comet version 2 recently as I described earlier we move on now to mix feed mix feed is a similar mode very similar it's analysis is based on tweakable block cipher so we have a tweakable block cipher which takes secret key and nunce and a block index then the feedback part is very similar the details of the function are a bit different you can refer to the paper to see how it operates but we skip it here for simplicity another difference is that the control bits are added to the state and not to the key but again this has no effect on the attack here is that we call block cipher used it essentially takes n k how about skin and for block i it operates a permutation row i times over kn essentially in reality what will happen is that we will operate the permutation once at block one and take the output and then operate it again at block two and so on and the permutation itself consists of 11 rounds of this round function sub words is the sub words function of a yes so essentially if you're familiar with a yes this is basically just one round of the key schedule of a yes and mix feed applies 11 times the rationale behind this is because mix feed is built using a yes then this operation is already computed inside a yes and we can take its output and directly use it inside the mode now if we look at how this round function operates when we unroll it many times we can see that after four rounds all the initial inputs go back to their original locations and there is a feedback function which is different for every location and if we have this feedback function equal to zero it means we have found a fixed point over these many rounds of course what we want is that we want to find a fixed point over a multiple of 11 rounds such that it presents a short cycle for the mix feed modes we have found 20 such cycles and the cycle length is this number shown here which means we have found 20 times this number we keys for mix feed and I just here show some examples of representative candidates of these cycles all the cycles we found are presented in the paper in response to this the designers gave an assumption such that for any secret key chosen at random the probability that k has a period of l is at most l over 2 to the n over 2 now our results do not contradict this assumption but they show that there was a gap in the analysis and this led Laurent and Pernault to do a follow-up work where they characterize the cycle structure of the AES key schedule in more details and apply it for the 11 round case they showed that this cycle length which is about 2 to 34 has a probability 44 percent this means that we can practically implement forgery against mix feed with single message of size about 220 gigabyte and they have done practical experiments with success probability 41 percent which is very close to their theoretical result and using the attack in this paper plus the results on the AES key schedule this disproves the assumption provided by the designers and shows that mix feed is not secure in practice when the messages can be of size 2 to the power 34 and higher to conclude we showed that Comet v1 satisfies the NIST requirements for data complexity but the margin is very small and it allows key recovery in this small margin and when we move to the multi-key setting the margin is even smaller Comet version 2 however which was recently proposed has sufficient margin to throw out these attacks mix feed offers no integrity for messages longer than to the power 34 blocks finally i would like to thank Laurent and Pernault as they identified an overflow block in the cycle lens in the original version of the paper