Hello everyone, the title of this talk is Weak Keys in Reduced AEGIS and Tiaoxin. This is joint work with Takanori Isobe, Willi Meier and Kosei Sakamoto. This is the overview of this talk. First I will introduce the cryptanalysis of AEGIS, then I will introduce the application to Tiaoxin. Finally, I will make some discussions and draw the conclusions. First, I will briefly introduce the background of AEGIS-128. It belongs to the AEGIS family submitted to the CAESAR competition. In the AEGIS family, there are AEGIS-128, AEGIS-128L and AEGIS-256. The first two target 128-bit security, while the last one targets 256-bit security. Among them, AEGIS-128 has been selected in the final portfolio for high-performance applications in the competition for its novel and efficient design. It's surprising that there was no cryptanalysis of the AEGIS initialization phase during the six-year competition, and there were only two papers targeting its keystream phase, where only AEGIS-256 was shown to be insecure. This makes us wonder whether analyzing the initialization phase is too difficult or this topic is just not interesting. Whatever it is, we think it's meaningful to analyze it because it has been selected as one of the winners of the competition and its design, using the AES round function as the main component, has inspired several ultra-fast symmetric-key primitive designs. This is an illustration of the AEGIS-128 round function. As you can see, the state is divided into five blocks and each block is of size 128 bits. In this figure, A denotes the AES round function with the AddRoundKey operation omitted. The round function slightly differs depending on the round number R. If R is odd, updating X_R^0 will involve K. However, when R is even, updating X_R^0 will involve both K and N, where K and N denote the 128-bit key and the 128-bit nonce respectively. There are in total 10 initialization rounds, and the initial state is defined in this way, where C0 and C1 are both 128-bit constants.
Suppose the target is R initialization rounds. What we can know is only theta, where theta equals X_R^1 + X_R^4 + (X_R^2 & X_R^3). So we cannot know the specific value of each block. What we can know is only theta, which is computed from some combination of the blocks. So how do we analyze the security of such a construction? From its description, it's clear that AEGIS-128 and AES are very similar. So it is inevitable to use some distinguishers for reduced AES to study it. For such distinguishers, we have the four-round integral distinguisher, the five-round multiple-of-8 distinguisher and the five- and six-round yoyo or yoyo-like distinguishers. However, not all of them are friendly to our attacks. The main problem is that what the attacker knows is only theta, not the exact value of each block of the internal state. Obviously, the integral distinguisher is more friendly because we can independently study the integral properties of X_R^1, X_R^4 and X_R^2 & X_R^3. However, if we use the remaining distinguishers, we may be required to study the interactions between them, which will increase the difficulty of the analysis. So we finally chose to use the integral distinguisher to analyze reduced AEGIS-128. The main strategy is to write down and study the integral properties of the expressions of X_R^1, X_R^4 and X_R^2 & X_R^3 in terms of the nonce N and the key K, respectively. So what kind of expressions should we study? The Boolean expressions? Obviously, this is impractical because they are too complex. Considering the nature of the round function, we find it more feasible to write and analyze the expressions by treating a 128-bit word as a unit. This is because the diffusion between different 128-bit blocks is very slow during the round update. As you can see from this figure, the diffusion between the blocks is very slow. With this basic strategy in mind, we first write the expressions after five rounds of updates.
For simplicity, we eliminate the constants and the key variables in the expressions. Note that only X_R^1, X_R^2, X_R^3 and X_R^4 are involved in the calculation of theta. In their expressions, N passes through at most four AES rounds. So there seems to be a chance to find an integral attack on five-round AEGIS-128. However, there are still some problems. First, although N passes through four AES rounds in X_R^4, the way it passes through them is rather complex. So it is unclear whether we will lose the four-round AES integral property for X_R^4. The second and most important obstacle is that we have to study the integral property of X_R^2 & X_R^3. However, the expressions are very complex, and there seems to be little chance that we can find usable integral properties for it. So the problems now become clear: the integral property of X_R^4 and the integral property of X_R^2 & X_R^3. With these problems in mind, we now carefully write and analyze the actual expressions after each round of update. After one round of update, the expressions are listed here; you can see that they are very simple. Note that we always introduce new constant variables C_i to represent the constants derived from K, C0 and C1. After two rounds of update, the expressions are still very simple. However, after three rounds of update, the expressions are somewhat complex. Our critical observation is that we can simplify the expressions by adding proper conditions on K. Specifically, if Equation (1) holds, then we can introduce a new constant variable C9 to represent the whole complex expression. This is because when Equation (1) holds and N only varies in the first diagonal, then A(N) + N + A(K) + C1 is constant. In this way, the expressions after three rounds of update can be simplified as shown here.
In addition, if we further introduce a variable T to represent the expression C0 + A(K) + N, the expressions can be further simplified as shown here. Now the expressions have become much more concise and simpler, which is ideal for us to do some analysis. The benefits of introducing the variable T are obvious. First, it makes the expressions more concise and easier to study. Second, it can invisibly append one round for key recovery, if we can find properties of theta by only studying T rather than N. Appending rounds to a distinguisher for key recovery is common in the cryptanalysis of block ciphers. This is obviously not intuitive for AEGIS due to the construction of the round function. At first glance, we seem to lose its integral property. However, is that true? We can introduce a new variable G to represent the expression. We proved in the paper that when G_0 takes all the 2^8 values and the remaining bytes of G are constant, for each (i, j), the same value of G_{i,j} will appear an even number of times. Specifically, for this state, the same value of each byte will appear an even number of times. Obviously, this property will be preserved through the S-box transformation. Then after the linear transformation, obviously each byte is balanced. In other words, the sum of X_5^4 is zero. Finally, we need to study the integral property of X_5^2 & X_5^3. This is now simple because we only need to study the integral property of this expression. From this figure, we can immediately observe that the last three columns are all balanced. So for five-round AEGIS-128, we have this integral property. By considering the relation between T and N, we also have that when the first diagonal of N takes all the 2^32 possible values, the last three columns of theta are balanced.
Indeed, we can further prove that, in this case, the whole state of theta is balanced. This is mainly because, as shown here, we can prove that these four bytes are also balanced. So based on this distinguisher, we can mount a key recovery attack. Specifically, according to the weak-key condition, we can precompute 2^24 possible values for the first diagonal of K. Then, according to the distinguisher built on T and the relation between T and N, we can recover the first diagonal of K with time complexity 2^32. After recovering the first diagonal of K, we can recover the remaining diagonals independently by checking the condition on K_{i,i} and by checking this condition. After this phase, we will obtain 2^24 possible values for each of the remaining diagonals of K. So there are in total 2^72 possible candidates for the whole K, and therefore the time complexity of the key recovery attack is 2^22 and the data complexity is 2^32. Since the number of weak keys is larger than the time complexity of our attack, we obtain a valid key recovery attack. Due to the time limit, I will only describe the main problems we met when constructing the eight-round integral distinguisher. The role of the weak keys in Tiaoxin is to turn a probabilistic integral distinguisher into a deterministic integral distinguisher. Specifically, for an arbitrary choice of the four constants C0, C1, C2, C3, there will be no deterministic integral property for this one. However, if we add any one of the three conditions, this, this, or this, there will be a deterministic integral property for the sum. So this is why we need to use the weak keys. Then, when analyzing the expressions, we also faced the problem of determining the integral property of this expression.
At first glance, it seems that we may have the integral property because S only passes through four AES rounds. However, if you study it by drawing some figures like this, you will find that you don't know what the actual integral property is. Indeed, we prove that for arbitrary m, it will always be balanced. This is surprising. The main reason why we have such a property is that the same value of this will appear an even number of times when a certain diagonal of S traverses all the 2^32 values. It's interesting to see whether the division property can capture such an integral property. We gave an example in the paper to explain why the conventional bit-based division property cannot capture such a property, where the same value of the whole state appears an even number of times in a multiset. A possible solution is to count the number of division trails, which is a relatively new idea. However, for large m, that also seems impractical because such trails will explode as the number of mixed columns increases. This seems to reveal the importance of proving such an integral property, and this also seems to reveal that there is still some room for the division property on this problem. At last, we draw some conclusions of this talk. First, studying AEGIS and Tiaoxin-like ciphers in the weak-key setting has more potential. Second, for AEGIS-128, we use conditions on the key to simplify the quadratic part of the observable outputs, which can be equivalently viewed as reducing the algebraic degree. For Tiaoxin, we use conditions on the key to turn a probabilistic integral distinguisher into a deterministic distinguisher. However, we had to carefully study the expressions before noticing it. In addition, for Tiaoxin, there seems to be one useless round because we indeed study A(N) rather than N.
Finally, for both AEGIS-128 and Tiaoxin, the key recovery techniques are ad hoc and their feasibility much depends on the dedicated analysis of the expressions. This is not as feasible as the common methods of appending rounds for key recovery. That's all. Thank you.
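Added example, not part of the talk or the authors' code: the four-round integral distinguisher the talk builds on is a property of the AES round function A (SubBytes, ShiftRows, MixColumns, with AddRoundKey omitted, exactly the component AEGIS-128 uses), and its cheapest form can be checked directly. With one byte of the 16-byte state taking all 2^8 values and the other bytes constant, every byte position takes every value exactly once after two applications of A, and the XOR sum of every byte is zero (balanced) after three. The Python below is my own: the S-box is derived from the GF(2^8) inverse and affine map rather than hard-coded, the state is stored column-major, and the filler byte 0x5A and the choice of active byte are constructed sample inputs. The talk's four-round version, with a whole diagonal active and 2^32 texts, is the same phenomenon one round longer.

```python
"""Integral (Square) property of the keyless AES round function A used by AEGIS-128.

Added example. A = MixColumns o ShiftRows o SubBytes, i.e. the AES round with
AddRoundKey omitted, on a 16-byte state stored column-major (index 4*c + r).
The sample set (one active byte, constant filler 0x5A) is constructed here.
"""


def gf_mul(a: int, b: int) -> int:
    """Multiplication in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    r = 0
    for _ in range(8):
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r


def gf_inv(x: int) -> int:
    """Multiplicative inverse computed as x^254; 0 maps to 0 as in the AES S-box."""
    r, base, e = 1, x, 254
    while e:
        if e & 1:
            r = gf_mul(r, base)
        base = gf_mul(base, base)
        e >>= 1
    return r if x else 0


def _affine(b: int) -> int:
    """AES S-box affine map: b ^ rotl(b,1) ^ rotl(b,2) ^ rotl(b,3) ^ rotl(b,4) ^ 0x63."""
    r = 0x63
    for k in range(5):
        r ^= ((b << k) | (b >> (8 - k))) & 0xFF
    return r


SBOX = [_affine(gf_inv(x)) for x in range(256)]


def sub_bytes(s):
    return [SBOX[b] for b in s]


def shift_rows(s):
    # Row r is rotated left by r positions: new[r, c] = old[r, (c + r) % 4].
    return [s[4 * ((c + r) % 4) + r] for c in range(4) for r in range(4)]


def mix_columns(s):
    out = []
    for c in range(4):
        a0, a1, a2, a3 = s[4 * c:4 * c + 4]
        out += [
            gf_mul(a0, 2) ^ gf_mul(a1, 3) ^ a2 ^ a3,
            a0 ^ gf_mul(a1, 2) ^ gf_mul(a2, 3) ^ a3,
            a0 ^ a1 ^ gf_mul(a2, 2) ^ gf_mul(a3, 3),
            gf_mul(a0, 3) ^ a1 ^ a2 ^ gf_mul(a3, 2),
        ]
    return out


def aes_round_a(s):
    """A(x): one AES round without AddRoundKey, as in the AEGIS-128 state update."""
    return mix_columns(shift_rows(sub_bytes(s)))


def integral_set(active_byte=0, filler=0x5A):
    """Constructed sample: the 256 states that differ only in one byte position."""
    states = []
    for v in range(256):
        s = [filler] * 16
        s[active_byte] = v
        states.append(s)
    return states


def apply_rounds(s, rounds):
    for _ in range(rounds):
        s = aes_round_a(s)
    return s


def xor_sum_after(rounds, active_byte=0, filler=0x5A):
    """Byte-wise XOR over all 256 outputs; all zero means every byte is balanced."""
    total = [0] * 16
    for s in integral_set(active_byte, filler):
        total = [t ^ o for t, o in zip(total, apply_rounds(s, rounds))]
    return total


def all_property_after(rounds, active_byte=0, filler=0x5A):
    """True if every byte position takes all 256 values after `rounds` rounds of A."""
    outs = [apply_rounds(s, rounds) for s in integral_set(active_byte, filler)]
    return all(len({o[i] for o in outs}) == 256 for i in range(16))


if __name__ == "__main__":
    print("S-box(0x53) =", hex(SBOX[0x53]))
    print("every byte takes all values after 2 rounds:", all_property_after(2))
    print("XOR sum after 3 rounds:", xor_sum_after(3))
```

The check after one round fails on purpose: only the column holding the active byte is affected, the other twelve bytes are still constant, which is the slow block-to-block diffusion the talk relies on when it writes expressions word by word.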