 Okay, thank you for introduction. So my name is Yu Suzuki, and this, so actually we had the similar incident as Fast Talk. I mean, my colleague Dan Pin, Siwei and Chaoyun, the way it worked really hard, and they wanted to come here to present the results, but unfortunately they faced some visa issue, and that's the reason I'm presenting the paper. Okay, so this talk is about cryptanalysis on the Morus, and so first I'd like to give overview of our results without mentioning technical details, and the second part is technical details, which is automated thread search, and to do it, we have to sort of send programs, and we propose the way to solve the program, which is particular to the ciphers, which use undergates for the source of non-lineality. And third part, I give some detailed analysis on Morus. Okay, so this slide shows the fundamental knowledge about authenticated encryption. So privacy and authenticity are two basic notions, which is required for secure communication. And previously encryption and MAC are independently computed to provide both privacy and authenticity, and authenticated encryption is only in one approach. So this simplifies the security discussion, this simplifies some issues for implementations, and moreover we can enjoy some higher performance by sharing the computation of MAC and encryption. And from 2014, the community had some competition to select the portfolio of authenticated encryption, so this is called CSER. So the competition started from 2014 with 58 candidates, and most notably, the last round started from March 2018, and the seven candidates were selected for the final round. And this year, six schemes were chosen as a portfolio. Well, this is the list of seven final round candidates, and our tag tag Morus in the center, and this is the six final portfolio. And so you can see that Morus was not chosen, and we guess that our tags affected the decision. Okay, so the Morus has three members depending on the state size and key size, and so the confidentiality depends on the key size, and the integrity is always 128 bits, and the bottom table compares the results of the previous work and this one. Now actually the biggest version of Morus has already been attacked at the Azure Crypt 2018, and the complexity was a two to one five two, so it's a bit high, expensive. Due to this complexity, the tag couldn't be applied to a smaller version of Morus, which claims security up to 128 bits. And in this research, we found linear trails with much higher correlation, which requires only 276 data complexity and a time complexity, and this allows us to attack old versions of Morus. Okay, so I'd like to explain linear through the search. This is the really basics of the linear crypt analysis. So suppose we have an event E, which occurs with probability one over two plus minus epsilon, and we say that this has bias epsilon. And then the correlation is defined as double of the bias, and the weight is it's negative localismic. So let's consider the case of a linear approximation of an operation. And so we consider the probability, so we consider the event that bit A and bit B goes through the AND gates, and let's consider the case that we approximated its output as zero. So the probability is, of course, three over four. So the bias is one over two plus one over four, so the bias is two to the minus two. And the correlation is it's double, so two to the minus one, and so weight is one. And we have piling up lemma, which is quite convenient to calculate the correlation of X over several independent events. And the correlation of two X over events says that the correlation of X over two independent events is just like a multiplication of the correlation of each event, which is quite easy. Okay, so the piling up lemma is very convenient, but in many cases, inputs are dependent. So suppose that we have an equation Y is computed by that equation, including two quadratic terms. And actually the equation is illustrated in the figure. So the question is, can we approximate its output Y to zero with correlation two to the minus two? Well, the implication is, if we approximate the first AND gates to the one with the input X two with correlation two to the minus one, and if we approximate the second AND gates to zero with correlation two to the minus one, then the result will be zero. So if piling up lemma applies, then the correlation that Y is zero can be calculated as two to the minus two. So however, this answer is no, because the piling up lemma only works for independent approximations, and in this case it's dependent. So we need the same tool to deal with dependent AND gates. So we provide an algorithm to evaluate the correlation of any quadratic boolean function, including independent AND gates. Okay, so to that we first introduce the concept of disjoint quadratic form. So the definition is as follows. So let f is a boolean function, quadratic boolean function. And let sigma of f x i denotes the number of quadratic terms involving variable x i, okay? So at term x i, x j, x i and x j of f is a separated quadratic term if sigma for each variable is one. And in particular, f is called disjoint if all its quadratic terms are separate quadratic terms. So the both demonstrate some examples. So let's focus on the right most one which is not a separated quadratic term. So for this example, the variable x two appear involved in two quadratic terms. So this is not separated the quadratic term. And then the example for disjoint quadratic form, each variable appears only once in the quadratic terms. We don't have to consider the impact from linear term. So this is the definition of disjoint quadratic form. And the why we introduce this one because then the correlation can be easily calculated by finding a dilemma because every term is now independent, okay? So now we propose an algorithm that converts any quadratic Boolean function to a disjoint quadratic form. So this shows the basic procedure of the transformation. So let's consider some Boolean function shown above so which contains four quadratic terms. So in the algorithm, we first extract the variable appearing most in quadratic terms. In this example, the variable is x two which appears three times. Okay, so after that, for the term with the smallest index, I mean in this case x one, x two, replace the counterpart of the variable, I mean x one. So that is the index one can disappear from all other variable, all other quadratic terms. So that means we replace x one to x one, x four, or x three, x four. And then by this replacement, other quadratic terms with x two disappears. Okay, so the bottom is the results of the application. We still have like several other variables which appears more than once, but for the index two, the number of occurrences only one. So by just applying this basic procedure iteratively, we can eventually get disjoint quadratic form. So this is the algorithm for this example. So first is applying the basic procedure. So the example is the same as the previous one in the previous slide. And so we get the second one with variable y. And after we get it, then the second process is check if the variable for non-IDTT substitution means the variable for y one appears multiple times. And in this example, y one appears actually twice. So the answer is yes, so we have to go to step. And if this is no, then we just can go back to step one and just like iterate the analysis. Okay, so in step three, we apply basic procedure for the non-IDT substitution terms, substitution variables. So I mean, in the example in the middle, we try to reduce the number of index one to one by doing the same approach. So after the second application, the number of terms with index one is only once. So we still have Z five twice in two different quadratic terms. So we have to iterate the basic procedure for Z five later. But after several more iterations, we eventually get disjoint quadratic form. Okay, so by using this algorithm, we combine it with MIRP approach and then we get some good linear trail on Morris. Okay, so first I try to introduce the overall structure of Morris authenticated encryption scheme. So it has a stream-cyphal-like structure. So first the state is initialized by some key and some nones and some constant and some initialization process run. And then we also observe some associated data if there exists and then step is updated. Okay, so then we have some updated state and if in each step we extract some key bits by using the function D and then the extra message to produce the corresponding ciphertext. Then the message is used to update the internal state and then this process is repeated until all message blocks are encrypted. Okay, well, then F is a step-up data function, right? Looks like this picture. So I don't get into the details but the important thing is step-up data function consists of just XOR and AND gates and rotation which is easy to model in a mixed-engine linear program. Okay, so this is the overall structure. So the approach is linearly approximate this encryption process only by using ciphertext. So in the first thing to do is approximate ciphertext bits in the first block to some internal state. So I mean lambda zero is linearly approximate to gamma zero. And then similarly, lambda one is approximated to gamma one and so on. Well, we also need to make some approximation for step-up data function. So alpha zero is approximated to some beta zero and alpha one is approximated to beta one and so on. Okay, so because all operations are simple, this can be modeled by mixed-engine linear programming very easily but to be a valid linear trail, we need to set some conditions. The first one is the input, I mean the state after the initialization must be all inactive. And the last state which is denoted by alpha K must be also inactive. And the sum of the internal state must be some like a valid. But by just like imposing those conditions, we can model the transformation by mixed-engine linear programming. Okay, so this is a rough sketch of the searching procedure. So first is the preparation phase. So we needed to fix the target number of blocks first. Of course, we can try several choices of K. And then we model the step-function and the key stream generation by mixed-engine linear programming and by setting some conditions mentioned before. Okay, so after I make the model, the phase one is to solve mixed-engine linear programming to find the trail with minimum number of active undergates, okay? So this just minimizes the number of active gates because it involves some dependent undergates. It doesn't really mean that the results are like best. So after that in the phase two, for each solution of MyLP, we calculate the correlation by transforming the system to disjoint quadratic form. And this allows us to evaluate the correlation of the entire structure. Okay, so the next two slides are somewhat like for expert which knows the previous results. I mean, how the discovered linear trail look different from the previous one. Well, again, don't explain the details, but the idea is in the linear trail, we pass approximated ciphertext bits to some bits in the second state, second internal state. And then the bit of second internal state is approximated to the fourth internal state. Okay, but the approach here, I mean the trail here is exactly the same as the previous one. The new one is in the next slide. So after we get the bits of S4, yeah, here, after we get the bits of S4, we approximate that bits to XOR sum of three bits of the internal state. Then this XOR sum of three bits is approximated to the ciphertext bit. So after we reach one bit of S4, we only need just two approximations. This is really short compared to the previous one. That's the reason why our trail has much higher correlation. So here is again the summary of the attack results. So our trail has correlation two to the minus 38, which only requires data complexity two to the 76. And the span shows the number of blocks we need to complete the linear trail. So the previous one requires five message blocks that we can build our trail only by using four message blocks. Okay, so the information below is about the verification process. So we tried to verify our trail. And so there is a smaller version of Morris proposed by the previous work called the mini Morris. So this is like a shrink version. And yeah, because the state is small, we can experimentally bit by the correlation. And so we checked the correlation. And the theoretically suggested correlation is two to the minus eight. And our verification confirms that the correlation is two to the minus seven point eight for mini Morris 640 and two to the minus eight point 15 for bigger version of the mini Morris, so which is quite close. And we also did some verification of the real Morris, but due to the high complexity, we can't do the experiment. So we separated the trail by fragments, separate fragments and bit by the correlation of the fragments one by one. And it worked very well. Okay, so I'd like to give the concluding remarks. So we did automated linear trail search on Morris. And we showed that we showed new algorithm to convert a quadratic boolean function to the disjoint quadratic form. And the searching procedure is combined with MLP-based automatic search. And as a result, we broke security cream of all versions of the Morris. And so one open program is, so our algorithm is now taking the input as quadratic boolean functions. So the open program is extending this conversion to deal with boolean functions with a degree higher than two. Yeah, that's about it. Thank you for your attention. Thank you very much. Is there any questions? Thanks, you for the next work. So quadratic S-boxes are becoming quite popular in the Ketchup-Key layer, UMC, Raster and so on. Can you imagine implications to those constructions as well? Yes, I think it should work, but we didn't try to apply it to the Ketchup. But in general, yeah, the conversion should work. Thank you. Any more questions? Okay, then let's thank the author again.