Okay, so thanks for the introduction. So this presentation is about a new property of five rounds of AES. So AES is probably the most widely studied and used block cipher. So far, properties which are independent of the secret key are known only for up to four rounds of AES. So in this paper, we propose the first property which is independent of the secret key for up to five rounds of AES. So the presentation is organized as follows. In the next slides, I present this new property and I show how it can be exploited to set up a new secret-key distinguisher for up to five rounds of AES. In the second part, I will give a formal description of this property. So I will reformulate it using the subspace notation which was recently introduced at FSE 2017. And then we use this notation to give an idea of the proof of this property. And finally, I conclude with some open problems. So I guess everyone knows AES, I will just recall a few details. So AES is a block cipher which is based on a design principle known as substitution-permutation network. It works on a block size of 16 bytes which are organized in a four times four matrix. And it uses a key size of 16, 24 or 32 bytes. So depending on the key size, the number of rounds is 10, 12 or 14. Each round is composed of four operations: an S-box, a ShiftRows, a MixColumns and an AddRoundKey operation. So the S-box is the only non-linear operation. Each byte is replaced by another one according to this S-box function, which is derived from the multiplicative inverse in GF(2^8). ShiftRows and MixColumns are linear operations. ShiftRows simply maps diagonals to columns. And then each column is multiplied by a four times four matrix. And finally, we have the AddRoundKey operation. So we simply add the key. So for completeness, there is also an initial AddRoundKey operation, and usually the final MixColumns is omitted. I would like also to recall the definition of a secret-key distinguisher.
So a secret-key distinguisher is one of the weakest cryptographic attacks. So there are two oracles. One simulates the block cipher for which the cryptographic key has been chosen at random, and the other oracle simulates a truly random permutation. The goal of the attacker is to distinguish these two oracles, so to decide which oracle is the truly random permutation and which oracle is the cipher. Secret-key distinguishers are important for two reasons. First, because they provide a theoretical limitation about the security of a block cipher. So a block cipher must look like a pseudo-random permutation. And second, because they are usually the starting point for key recovery attacks. So what about AES? As I said, up to four rounds of AES, there are secret-key distinguishers that are independent of the secret key. In particular, they exploit the following properties: truncated differential, zero sum and impossible differential. So these properties are independent of the secret key. I briefly recall the properties on four rounds, so zero sum and impossible differential. The idea is to start with a set of 2^32 chosen plaintexts with one active diagonal. So an active byte is a byte that can assume any possible value, and the other 12 bytes are constant. So impossible differential was proposed for AES 17 years ago. So for each pair of plaintexts in this set, it is possible to prove that the corresponding ciphertexts cannot be equal in any of the four anti-diagonals. So for simplicity, I assume that the final MixColumns is omitted. And zero sum was proposed in 1997. So if we start with this set of plaintexts, then the sum of the corresponding ciphertexts after four rounds is equal to zero. Now the question is, okay, if we start with the same set of plaintexts, is there any property that is independent of the secret key after five rounds of AES? So before presenting our property, I would like to recall briefly the state of the art in this area.
So any key recovery attack can be used as a secret-key distinguisher, but this is obviously not independent of the secret key, because in this case, part of the key or even the entire key, if you think of brute force, must be known in order to distinguish the block cipher from the random permutation. So what about AES? The most recent result about five rounds of AES was proposed at Crypto last year. It is a zero-sum distinguisher with these properties. It depends on only one byte of the key, not all. It is independent of the S-box, but not of the MixColumns matrix. So it exploits the fact that two elements of each column of the MixColumns matrix are identical. And finally, it requires the full codebook. So our property is the following. Assume for the moment that the final MixColumns is omitted. We consider a set of 2^32 chosen plaintexts with one active diagonal, so the same as before. And we consider the number of different pairs of ciphertexts which are equal in one fixed anti-diagonal. It is possible to prove that this number is always a multiple of eight, independent of the secret key, of the details of the S-box and of the MixColumns matrix. So a similar property also holds in the case in which the final MixColumns is not omitted, and also in the decryption direction, so using chosen ciphertexts instead of plaintexts. I will give a formal statement in the following. So assume for the moment that this property is true; I will give a proof in the final part of this presentation. So how can we use it to distinguish AES from a random permutation? Well, it is very simple. We start with this set of 2^32 chosen plaintexts. We count the number of pairs of ciphertexts which are equal in one fixed anti-diagonal. If this number is not a multiple of eight, then we can deduce that the permutation is a random permutation.
So if you want to distinguish five-round AES from a random permutation with probability of success higher than 99.5%, we need 2^32 chosen plaintexts and a computational cost of approximately 2^32 table lookups. So if you are interested in the implementation, you can find it at the following link. So this is the property. I would like now to reformulate it using the subspace notation. So the subspace notation was proposed at FSE 2017. I don't recall all the details, I only recall some information that is useful for the following. So for AES, it is possible to define several subspaces, for example, the column space, the diagonal space, and so on. I only focus on the diagonal space, the inverse diagonal space, and the mixed space. So the diagonal space is defined as the space of all the matrices which are given by linear combinations of these four matrices, where E_{j,i} is the matrix with all the elements equal to zero except for the one in row j and column i. So this is an example for D_0, where we have all the matrices with all the elements equal to zero except for the ones in the first diagonal. So for the following, what does it mean that two elements belong to the same coset of a diagonal space D_i? So two elements belong to the same coset of a diagonal space D_i, which is defined in this way, if and only if their difference belongs to the subspace D_i, which means by definition that the two texts are equal in each byte except for the ones in the i-th diagonal. So this is an example for the subspace D_0. The inverse diagonal space is defined as the linear combination of these four matrices. So this is an example for ID_0, where all the bytes are equal to zero except for the ones in the first anti-diagonal. And finally, the mixed space is defined as the MixColumns applied to the inverse diagonal space. So all these subspaces have dimension four, but we can also define subspaces of higher dimension using this simple formula.
What is important to remember for the following is that each coset of a diagonal space is mapped into a coset of a mixed space after two rounds. Or equivalently, if we start with two texts in the same coset of a diagonal space, then they belong to the same coset of a mixed space after two rounds with probability one. So we can use this notation to reformulate this property. So consider plaintexts in the same coset of a diagonal space D_i, and count the number of different pairs of ciphertexts that belong to the same coset of a mixed space after five rounds. So this number is a multiple of eight. If the final MixColumns is omitted, you can simply replace the mixed space with the inverse diagonal space, and the same property also holds in the decryption direction, so using ciphertexts in the same coset of a mixed space and counting the number of pairs of plaintexts that belong to the same coset of a diagonal space. Now in this final part, I would like to give the idea of the proof of this property. So we have just seen that each coset of a diagonal space is mapped into a coset of a mixed space after two rounds. Or equivalently, if two elements belong to the same coset of a diagonal space, then they belong to the same coset of a mixed space after two rounds. So we have a property on five rounds. The idea is to prove another property, an equivalent property, on a single round. So we start with plaintexts in the same coset of a diagonal space, but this coset is mapped into a coset of a mixed space after two rounds. So the idea is to work only on the last three rounds. And equivalently, if you count the number of pairs of ciphertexts that belong to the same coset of a mixed space, this is equivalent to the number of pairs of texts that belong to the same coset of a diagonal space two rounds before. So instead of working on five rounds, we can work on a single round, so on the middle round.
So the property that we are going to prove is the following. So we consider texts in the same coset of a mixed space, we consider the ciphertexts after one round, and we prove that the number of different pairs of ciphertexts that belong to the same coset of a diagonal space after one round is a multiple of eight. So for simplicity, I only consider the case of the mixed space M_0. The proof is completely equivalent for the other cases. So we have two plaintexts in this coset of M_0, let's say, so by definition there exist eight variables such that the two plaintexts can be rewritten in this way. So for the following, I say that P1 is generated by x1, y1, z1 and w1 and P2 by the corresponding four variables. So the idea of the proof is the following. If we are given a pair of plaintexts, and if the corresponding ciphertexts belong to the same coset of a diagonal space after one round, we prove that there are other pairs of plaintexts for which the ciphertexts have the same property. And in particular, we study the following cases. So the case in which the pair of plaintexts has three equal variables, the case in which they have only two equal variables, and so on. So the first case is very simple. If three variables are equal, then the two plaintexts cannot belong to the same coset of a diagonal space after one round, with probability one. So for the following, we need to consider the case in which at least two variables are different. So consider the case in which two variables are different, so we have P1 and P2 defined in this way, where z and w are equal. It is possible to prove that P1 and P2 belong to the same coset of a diagonal space after one round if P̂1 and P̂2 have the same property, where P̂1 and P̂2 are defined in this way. So P̂1 is defined by x1 and y2, and P̂2 by x2 and y1. So the idea is to consider a different combination of the generating variables.
And to show this, it is sufficient to prove that the difference between P1 and P2 is equal to the difference between P̂1 and P̂2 after one round. So this is an example for the byte (0, 0). What is important to observe is that this difference is independent of z and w. So actually we have a stronger result. So if we have P1 and P2 as before, it is possible to prove that they belong to the same coset of a diagonal space after one round if and only if P̂1 and P̂2 have the same property, where in this case z and w can take any possible values. So if we consider only the pairs of plaintexts with two equal generating variables, then the number of collisions is a multiple of 2^17. So we have a factor 2 due to this different combination of the generating variables, and a factor 2^16 due to the fact that z and w can take any possible values. So a small observation: P1 and P2, defined in this way, can belong to the same coset of a diagonal space after one round if and only if the cardinality of J is at least three. The proof for the other case is equivalent. So we have in this case P1 and P2 with only one equal generating variable. So they belong to the same coset of a diagonal space after one round if and only if P̂1 and P̂2 have the same property, where P̂1 and P̂2 are defined in this way, so by this combination, where w can take any possible value. So in this case, the number of collisions is a multiple of 2^10. So we have a factor 2^8 due to the fact that w can take any possible value, and a factor 4 due to the different combination of the generating variables. So P1 and P2 defined in this way can belong to the same coset of a diagonal space after one round if and only if the cardinality of J is at least 2. And finally, the final case is equivalent. So we have P1 and P2 with no equal generating variables.
Again, they belong to the same coset of a diagonal space after one round if and only if P̂1 and P̂2 have the same property, where P̂1 and P̂2 are generated by this combination of variables. So we can simply collect all these results, and it is very simple to observe that, independent of the cardinality of J, the number of collisions is always a multiple of 8. An equivalent proof also holds for the other initial spaces. So to conclude, this is the first five-round secret-key distinguisher for AES which is independent of the secret key. We would like to give some open problems. So the first is to set up a six-round secret-key distinguisher for AES which is independent of the secret key, or, if you want, to improve this five-round secret-key distinguisher, so to propose other five-round secret-key distinguishers which are faster, or which require a smaller number of plaintexts or ciphertexts. The second problem is to set up a key recovery attack that exploits this five-round secret-key distinguisher, or a modified version of it. Remember that usually a secret-key distinguisher is a starting point for key recovery attacks. And the final problem is to apply similar distinguishers to other constructions or to known-key distinguishers, or to construct known-key distinguishers. So that's all. Thanks for your attention.

So we have some time for questions. Yes?

Thank you. So have you considered the probabilistic frontier here, basically? Can you do six, seven rounds if you admit something which works for, like, 1% of the keys?

Not yet. It's for future work.

Thanks. More questions? I have one. Do you have any directions you plan to follow in order to extend it into a key recovery attack?

We are planning to use this distinguisher in order to set up key recovery attacks, so it's a work in progress.

OK. And can you give some clues on how to do it?

Not yet. Maybe it's too early. Sorry.
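The two probability-one facts that carry the argument in the talk can be checked directly on the AES round function: the subspace trail that maps a coset of the diagonal space D_0 into a coset of the mixed space M_0 after two rounds, and the first case of the middle-round proof, where two texts of one coset of M_0 whose generating variables x, y, z, w differ in exactly one place never land in the same coset of any diagonal space D_j after one round. The script below is an added example and is not code from the talk, the paper or its authors; the AES primitives are written from the public FIPS-197 specification, the function names and the random sampling are this example's own, and the round keys are random bytes rather than key-schedule output (legitimate here, since both statements are independent of the key). The multiple-of-eight count itself needs the full 2^32-element coset and is not run here.

```python
# Added example (not the talk's or the paper's code): AES round primitives written from
# the public FIPS-197 specification, plus randomized checks of two key-independent
# statements from the talk. Round keys are random bytes instead of key-schedule output.
import random

def gf_mul(a, b):
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    r = 0
    for _ in range(8):
        if b & 1:
            r ^= a
        a = ((a << 1) ^ (0x1B if a & 0x80 else 0)) & 0xFF
        b >>= 1
    return r

def _gen_sbox():
    """AES S-box: multiplicative inverse (0 -> 0) followed by the affine map."""
    rotl = lambda x, s: ((x << s) | (x >> (8 - s))) & 0xFF
    sbox = []
    for a in range(256):
        inv = 1
        for _ in range(254):            # a^254 = a^-1 for a != 0, and 0^254 = 0
            inv = gf_mul(inv, a)
        sbox.append(inv ^ rotl(inv, 1) ^ rotl(inv, 2) ^ rotl(inv, 3) ^ rotl(inv, 4) ^ 0x63)
    return sbox

SBOX = _gen_sbox()

# A state is a list of 16 bytes in column-major order: byte (row r, column c) is at 4*c + r.
def sub_bytes(s):
    return [SBOX[b] for b in s]

def xor(a, b):
    return [x ^ y for x, y in zip(a, b)]

def shift_rows(s):
    """Row r is rotated left by r positions."""
    return [s[4 * ((c + r) % 4) + r] for c in range(4) for r in range(4)]

def mix_columns(s, inverse=False):
    """Multiply each column by the (inverse) MixColumns circulant matrix."""
    coeffs = [14, 11, 13, 9] if inverse else [2, 3, 1, 1]
    out = []
    for c in range(4):
        col = s[4 * c:4 * c + 4]
        for i in range(4):
            v = 0
            for j in range(4):
                v ^= gf_mul(coeffs[(j - i) % 4], col[j])
            out.append(v)
    return out

def aes_round(s, k):
    """One full round: AddRoundKey(MixColumns(ShiftRows(SubBytes(s))))."""
    return xor(mix_columns(shift_rows(sub_bytes(s))), k)

def diag_positions(i, anti=False):
    """Byte indices spanning D_i (bytes (r, r+i)) or, with anti=True, ID_i (bytes (r, i-r))."""
    return [4 * ((i - r if anti else r + i) % 4) + r for r in range(4)]

def in_span(x, positions):
    """True iff x is zero in every byte outside `positions`."""
    return all(x[idx] == 0 for idx in range(16) if idx not in positions)

def same_coset_D(c1, c2, i):
    return in_span(xor(c1, c2), diag_positions(i))

def same_coset_M(c1, c2, i):
    # M_i = MixColumns(ID_i): undo MixColumns on the difference and test it against ID_i
    return in_span(mix_columns(xor(c1, c2), inverse=True), diag_positions(i, anti=True))

def two_round_trail_holds(rng):
    """Two texts of one coset of D_0 lie in one coset of M_0 after two full rounds."""
    p1 = [rng.randrange(256) for _ in range(16)]
    p2 = list(p1)
    for idx in diag_positions(0):                    # randomize only the active diagonal
        p2[idx] = rng.randrange(256)
    for _ in range(2):
        k = [rng.randrange(256) for _ in range(16)]
        p1, p2 = aes_round(p1, k), aes_round(p2, k)
    return same_coset_M(p1, p2, 0)

def single_variable_pair_never_collides(rng):
    """First case of the middle-round proof: two texts of one coset of M_0 whose generating
    variables (x, y, z, w) differ in exactly one place never share a coset of any D_j after one round."""
    base = [rng.randrange(256) for _ in range(16)]   # coset representative
    var1 = [rng.randrange(256) for _ in range(4)]
    var2 = list(var1)
    var2[rng.randrange(4)] ^= rng.randrange(1, 256)  # change exactly one variable
    def element(var):                                # base + MixColumns(x, y, z, w placed on ID_0)
        v = [0] * 16
        for val, idx in zip(var, diag_positions(0, anti=True)):
            v[idx] = val
        return xor(mix_columns(v), base)
    k = [rng.randrange(256) for _ in range(16)]
    c1, c2 = aes_round(element(var1), k), aes_round(element(var2), k)
    return not any(same_coset_D(c1, c2, j) for j in range(4))

def check(trials=200, seed=1):
    """Run both checks `trials` times with fresh random texts and round keys."""
    rng = random.Random(seed)
    return (all(two_round_trail_holds(rng) for _ in range(trials)),
            all(single_variable_pair_never_collides(rng) for _ in range(trials)))
```

Calling `check()` returns `(True, True)`: every sampled pair confirms both statements, whatever the random round keys, which is exactly the key independence the talk relies on. Changing `diag_positions(0)` in `two_round_trail_holds` to a different diagonal while still testing against M_0 makes the first check fail immediately, which is a useful sanity check that the test is not vacuous.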