Hello everyone, my name is Fukang Liu. The title of this talk is "Cryptanalysis of Full LowMC and LowMC-M with Algebraic Techniques". This is a joint work with Takanori Isobe and Willi Meier.

So what's LowMC? LowMC is a family of block ciphers proposed at Eurocrypt 2015. It is designed to be MPC- and FHE-friendly. The main feature of LowMC is that users have flexible choices for the concrete instances of LowMC. Specifically, they can freely choose the affine layers, the key schedule function, and the number of S-boxes per round. You can see the round function in this figure. Specifically, it first applies an S-box layer where the number of S-boxes is not fixed, so users can freely choose the number of S-boxes per round. Then the affine layer is applied. Similarly, this layer is also not fixed: it is randomly generated, so users can freely choose it. After the affine layer, the key addition is applied, and again the round key is generated by multiplying the master key with a randomly generated binary matrix, so the key schedule function is also not fixed.

The most important application of the LowMC block cipher is the Picnic signature scheme, which was proposed at ACM CCS 2017. The main feature of the Picnic signature scheme is that its security relies on the security of the underlying block cipher LowMC. Specifically, it should be difficult for the attacker to recover the key from a single plaintext-ciphertext pair. Since the proposal of Picnic, there have been several versions. In Picnic2, LowMC with 10 S-boxes per round was adopted. Last year, Picnic3 was proposed, and 4-round LowMC with a full S-box layer was used in Picnic3 as the underlying block cipher. Most importantly, Picnic3 is an alternate third-round candidate in the NIST post-quantum competition. And since the proposal of LowMC, it has received several cryptanalyses.
The higher-order differential attack and the optimized interpolation attack directly pushed LowMC to LowMC v2. However, the difference enumeration attack revealed that some parameters in LowMC v2 were also insecure. So, LowMC v3 was proposed, and the number of secure rounds was recomputed. To understand the security of LowMC in the single-plaintext setting, the guess-and-determine attack was proposed at ToSC 2020. It can only reach 2 out of 4 rounds of LowMC with a full S-box layer. And this parallel work, published at Eurocrypt 2021, is a polynomial-based method to solve a system of high-degree polynomial equations. This method can break 4-round LowMC with a full S-box layer; however, the attack requires a huge memory, so indeed it cannot be faster than a pure brute-force attack. As we have seen, our attacks require negligible memory and only two plaintexts. So, our attacks are much more efficient than a pure brute-force attack.

Our attack is inspired by the difference enumeration attack proposed at ToSC 2018. So let me briefly introduce the difference enumeration attack. It is indeed a meet-in-the-middle attack. The attack procedure can be divided into three steps. Suppose our target is to attack r rounds of LowMC. At the first step, by exploiting the fact that only a few S-boxes are applied per round, the attacker can choose an input difference such that there are no active S-boxes in the first t0 rounds. Then, starting from the t0-th round, he can enumerate the differences forward for t1 rounds and store all reachable state differences. At step 3, starting from the ciphertext side, he can enumerate the differences backwards for r − t0 − t1 rounds to match the stored reachable state differences, just as shown in this figure.
The attack relies on an observation that, for the 3-bit S-box used, the average number of output differences for a uniformly randomly chosen input difference is 3.62. So, you can see from this figure that there must exist a valid differential trail. So, in the attack, it is constrained that there should be on average one valid differential trail left after the matching phase, and this will be exactly the correct differential trail. So, for an attack on parameters (n, k, m, r) with k = n, using two plaintexts to mount an attack with complexity smaller than 2^k, t0, t1 and r have to satisfy such requirements, where n is the state size, k is the key size, m is the number of S-boxes per round, and r is the total number of rounds.

Inspired by the difference enumeration attack, we use an extended attack framework. It can be divided into three steps. In general, the extended attack framework is the same as the original difference enumeration attack framework. At the first step, similarly, we compute a deterministic differential trail for the first r0 rounds. Then, at step two, we use many plaintexts to find a pair of plaintexts such that there are no active S-boxes in the last r3 rounds, as you can see from this figure. After the second step, we now know that in the first r0 rounds and the last r3 rounds there will be no active S-boxes. At step three, we enumerate the differences backwards for r2 rounds. At step four, we compute the difference transitions for the middle r1 rounds by solving equations. So, at step four, we no longer pre-compute the state differences in advance and store them. Instead, we find a difference transition for the middle r1 rounds by solving equations. Our attack relies on some properties of the 3-bit S-box. The specification of the S-box is shown here.
So, x0, x1 and x2 are the three input bits and z0, z1 and z2 are the three output bits. The first observation is that for each valid non-zero difference transition, the inputs conforming to such a difference transition form an affine space of dimension one. In addition, the three output bits become linear in the three input bits. That is, the S-box is freely linearized for a valid non-zero difference transition. For example, if the input difference is 001 and the output difference is 001, it can be derived that x0 must be 0 and x1 must be 0. So, the expressions of the three output bits can be written as z0 = 0, z1 = 0 and z2 = x2. The second important observation is that for each non-zero input difference, its valid output differences form an affine space of dimension two. This property also applies to the inverse of the S-box. Observation one also applies to the inverse of the S-box. For example, if the input difference is 011, the corresponding output differences will satisfy Δz1 + Δz2 = 1. When the output difference is 011, the corresponding valid input differences will satisfy Δx1 + Δx2 = 1.

So, based on the second observation, we can compute the middle r1-round difference transition in the following three steps. At the first step, we introduce some intermediate variables to represent the output difference of each S-box in the middle r1 rounds. So, there will be m times 3l minus 1 intermediate variables. Then, after step three in the extended framework, the input state difference and the output state difference for the middle r1 rounds are already known. So, according to observation two, we can construct m minus 2m equations in these variables.
At step three, we solve the system of equations and get the solutions for the variables. Then, according to the solution, the output difference of each S-box in the middle r1 rounds is known. We can easily check the validity of the difference transition of each S-box according to the differential distribution table. So, to make r1 the largest, we need to ensure that the number of variables is smaller than the number of equations. To make the attack faster than the brute-force attack, we need to ensure that the time complexity to enumerate differences cannot exceed 2^k. So, we have two extra constraints. To make the attack reach as many rounds as possible, that is, to make r1 + r2 the largest, the time complexity to enumerate differences is computed as the maximum of 2^(1.86 m r2) and 2^(m (1.86 r2 + 3 r1 − 2) − m). The details of how to derive such formulas can be found in our paper.

So, compared with the original difference enumeration attack, there are two advantages of using the new strategy to enumerate differences. The first is that the memory complexity is negligible, since there is no need to store all possible reachable state differences anymore. Second, it allows many possible differential trails to exist after the difference enumeration phase, while only one valid differential trail is allowed to exist in the original attack, so we can extend the number of attacked rounds. However, this also naturally causes a problem: how to find the correct differential trail among all the possible differential trails after the difference enumeration. Next, I will discuss our solution to this problem. In a word, we devise an algorithm to efficiently retrieve the key from a randomly given differential trail. So, note that in the extended attack framework, in the last r3 rounds there will be no active S-boxes.
So, to recover the key from a randomly given differential trail, for the last r3 rounds we first introduce some intermediate variables to represent the input of each S-box in these rounds. There will be in total 3 m r3 variables. According to observation 1, once an S-box is active, the S-box is freely linearized, and there are two linear conditions on the three output bits. Supposing all the S-boxes in the middle r1 + r2 rounds are active, from observation 1 we can extract at most 2m(r1 + r2) linear equations in terms of the k-bit key and the 3 m r3 intermediate variables. If the number of equations is larger than the number of variables, we can expect only one solution to the equation system, and according to the solution to the equation system we can get the key value, and the correctness of the key can be easily verified by using the plaintext-ciphertext pair. So, indeed we only need to use b rounds if b satisfies 2mb > k + 3 m r3 and b is smaller than r1 + r2.

So, in the above explanation, we only discuss the case where all the S-boxes in the middle r1 + r2 rounds are active, but it is possible that there will be some inactive S-boxes in these middle rounds. So, what will happen if this happens? One way is to introduce some intermediate variables to represent the input bits of each S-box, just as we did for the last r3 rounds. However, this will not be friendly to computing the time complexity of our attack. So, we instead choose to guess two output bits to linearize an inactive S-box. Then we can find an easy way to bound the time complexity to retrieve the key for a random differential trail, which is given here. So, now we have the time complexity to enumerate differences and the time complexity to retrieve the key for an arbitrary given parameter (n, k, m, r). So, we can compute the maximal number of rounds that can be attacked.
So, from this table, it can be found that we can break one instance of LowMC when the block size n is much larger than the key size k. This indeed benefits from our efficient way to enumerate differences. And from this table, it can be found that we can break seven instances of LowMC-M, and we can analyze many more rounds than the proposed number of rounds.

At last, we will briefly describe our attack on 4-round LowMC with a full S-box layer. The general idea is the same: that is, the way we enumerate the differences and retrieve the key from a differential trail with algebraic techniques. So, the attack procedure can be divided into four steps. First, we choose an output difference for the first round, that is, the output difference of the S-box layer in the first round. We expect that this choice can maximize the number of inactive S-boxes in the second round. Based on some statistical knowledge, we can compute the expectation of the number of inactive S-boxes in the second round. Then, we choose an input difference Δ0 such that Δ0 can propagate to Δ0S. Then, we choose two plaintexts whose difference is Δ0, encrypt them and obtain the ciphertexts. According to the ciphertexts, we can compute the state difference Δ3S. Then, at step three, Δ1 is already known and we enumerate differences from Δ1 to get Δ2. For each Δ2, at step four, we enumerate differences while solving equations to get all possible difference transitions from Δ2 to Δ3S. So, by solving equations, we can always get a possible 4-round differential trail. Then, we use our algebraic techniques to retrieve the key from this differential trail and then check the validity of the key. In a similar way to bound the time complexity to retrieve the key and the time complexity to enumerate differences, we find that 4-round LowMC with a full S-box layer is insecure.
So, you can see from this table that our attacks are much more efficient than the brute-force attack and they require negligible memory. In conclusion, we devised some efficient attacks on LowMC with only two chosen plaintexts and negligible memory. Parameters are required to be secure with two plaintexts in the Picnic security proof, and hence such attacks are meaningful. Second, it's not difficult to observe that our attacks benefit much from some special properties of the 3-bit S-box. However, these properties have not been used before. And at last, making progress in the cryptanalysis of LowMC directly threatens the security of seven instances of LowMC-M, which is a backdoor construction built on LowMC and proposed at CRYPTO 2020. That's all. Thank you.
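The two S-box observations the talk builds on (for a non-zero input difference the valid output differences form an affine space of dimension 2; a valid non-zero transition confines the input to an affine space of dimension 1 on which the S-box is linear) can be checked mechanically. The Python script below is an added example and is not part of the talk or of the authors' code. It implements the 3-bit LowMC S-box from its public algebraic definition, S(x0, x1, x2) = (x0 + x1·x2, x0 + x1 + x0·x2, x0 + x1 + x2 + x0·x1) over GF(2); the packing of x0 into the most significant bit of a 3-bit integer is this example's own encoding choice. From the differential distribution table it recovers the 3.62 average and the 1.86 exponent, the one linear equation satisfied by the output differences of every non-zero input difference (including the 011 example and its inverse-direction counterpart), and for any valid transition the input conditions and linearized output expressions, reproducing the 001 → 001 example (x0 = 0, x1 = 0, z0 = 0, z1 = 0, z2 = x2).

```python
# Added example, not from the talk: check the two LowMC S-box observations.
# Encoding assumption: a 3-bit integer holds x0 in bit 2, x1 in bit 1, x2 in bit 0
# (likewise z0/z1/z2 for outputs); differences use the same packing.
from itertools import product
from math import log2


def sbox(x):
    """LowMC 3-bit S-box on a packed 3-bit integer, from its public algebraic form."""
    x0, x1, x2 = (x >> 2) & 1, (x >> 1) & 1, x & 1
    z0 = x0 ^ (x1 & x2)
    z1 = x0 ^ x1 ^ (x0 & x2)
    z2 = x0 ^ x1 ^ x2 ^ (x0 & x1)
    return (z0 << 2) | (z1 << 1) | z2


SBOX = [sbox(x) for x in range(8)]


def ddt():
    """Differential distribution table: DDT[din][dout] = #{x : S(x) ^ S(x ^ din) == dout}."""
    table = [[0] * 8 for _ in range(8)]
    for x, din in product(range(8), repeat=2):
        table[din][sbox(x) ^ sbox(x ^ din)] += 1
    return table


DDT = ddt()


def output_diff_set(din):
    """Output differences reachable from input difference din."""
    return {dout for dout in range(8) if DDT[din][dout]}


def input_diff_set(dout):
    """Input differences that can produce output difference dout (inverse S-box view)."""
    return {din for din in range(8) if DDT[din][dout]}


def average_output_diffs():
    """Mean number of reachable output differences over a uniformly random input
    difference, zero difference included: (1 + 7 * 4) / 8, the 3.62 quoted in the talk."""
    return sum(len(output_diff_set(din)) for din in range(8)) / 8


def log2_average_output_diffs():
    """log2 of that mean, rounded: the 1.86 per S-box in the enumeration cost 2^(1.86 m r2)."""
    return round(log2(average_output_diffs()), 2)


def is_affine_space(points):
    """A non-empty subset of GF(2)^3 is an affine subspace iff it is closed under a ^ b ^ c."""
    pts = set(points)
    return bool(pts) and all(a ^ b ^ c in pts for a, b, c in product(pts, repeat=3))


def dot(l, v):
    """Inner product of two packed GF(2)^3 vectors."""
    return bin(l & v).count("1") & 1


def _by_weight(l):
    return (bin(l).count("1"), l)


def constant_functionals(points):
    """All non-zero l with a constant c such that <l, p> == c on every point, lowest weight
    first. An affine subspace of dimension d has 2^(3-d) - 1 of them: one for d = 2, three for d = 1."""
    pts = set(points)
    found = []
    for l in sorted(range(1, 8), key=_by_weight):
        values = {dot(l, p) for p in pts}
        if len(values) == 1:
            found.append((l, values.pop()))
    return found


def conforming_inputs(din, dout):
    """Inputs x whose pair (x, x ^ din) follows the transition din -> dout."""
    return {x for x in range(8) if sbox(x) ^ sbox(x ^ din) == dout}


def _lowest_weight_affine(pts, bit):
    """Lowest-weight (l, c) with output bit `bit` of S(x) equal to <l, x> ^ c on all of pts."""
    for l in sorted(range(8), key=_by_weight):
        for c in (0, 1):
            if all(((sbox(x) >> bit) & 1) == dot(l, x) ^ c for x in pts):
                return (l, c)
    return None


def linearize(din, dout):
    """Observation 1: a valid non-zero transition confines the input to an affine space of
    dimension 1 on which every output bit is affine in the input bits.
    Returns (linear conditions on the input bits, affine expressions of (z0, z1, z2))."""
    pts = conforming_inputs(din, dout)
    if din == 0 or not pts:
        raise ValueError("not a valid non-zero difference transition")
    assert len(pts) == 2 and is_affine_space(pts)  # dimension-1 affine space
    return constant_functionals(pts), [_lowest_weight_affine(pts, bit) for bit in (2, 1, 0)]


def affine_str(l, c, names):
    """Render <l, v> ^ c over the given bit names, e.g. 'x2' or 'x0 + x1 + 1'."""
    terms = [n for i, n in enumerate(names) if (l >> (2 - i)) & 1] + (["1"] if c else [])
    return " + ".join(terms) or "0"


if __name__ == "__main__":
    print("S-box:", SBOX, "| avg #output diffs:", average_output_diffs(),
          "| log2:", log2_average_output_diffs())
    for din in range(1, 8):  # observation 2, forward direction
        (l, c), = constant_functionals(output_diff_set(din))
        print(f"din={din:03b}: output differences satisfy {affine_str(l, 0, ['dz0', 'dz1', 'dz2'])} = {c}")
    (l, c), = constant_functionals(input_diff_set(0b011))  # observation 2, inverse direction
    print(f"dout=011: input differences satisfy {affine_str(l, 0, ['dx0', 'dx1', 'dx2'])} = {c}")
    conds, zs = linearize(0b001, 0b001)  # observation 1, the talk's worked example
    print("din=001 -> dout=001 forces", ", ".join(f"{affine_str(l, 0, ['x0', 'x1', 'x2'])} = {c}" for l, c in conds))
    for i, (l, c) in enumerate(zs):
        print(f"  z{i} = {affine_str(l, c, ['x0', 'x1', 'x2'])}")
```

Running the script lists, for every non-zero input difference, the single linear equation its output differences satisfy, and for the 001 → 001 transition the two input conditions and the linearized outputs. Each conforming-input set has exactly two elements, which is why a single valid transition fixes two linear relations on the S-box input and makes the S-box linear on that pair, the property the key-recovery step turns into linear equations in the key bits.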