The next talk is Cryptanalysis of AES-PRF and Its Dual. The authors are Patrick Derbez, Tetsu Iwata, Ling Sun, Siwei Sun, Yosuke Todo, Haoyang Wang and Meiqin Wang, and Ling will give the talk.

The title of the presentation is Cryptanalysis of AES-PRF and Its Dual. We will start with the background and motivation. Following that, we will give some related preliminaries, and then we will present an overview of our attacks. Then we will look into the attacks on AES-PRF and dual AES-PRF. At last, we will give the summary and conclusion.

As we all know, a pseudorandom permutation is one of the main primitives in symmetric cryptography used to realize security functionalities such as encryption and authentication. It is also the ultimate security goal in the design of block ciphers. Many block ciphers withstanding extensive analysis are regarded as pseudorandom permutations, for example AES. In some modes of operation, the invertibility is unnecessary, and the security will improve if a pseudorandom permutation is replaced with a pseudorandom function. For example, in the CTR encryption mode and the authenticated encryption mode GCM, a highly secure pseudorandom function will ensure security beyond the birthday bound. Given some candidate block ciphers, there are several techniques that enable us to transform a pseudorandom permutation into a pseudorandom function. However, all these techniques endure a considerable efficiency cost. So, to maintain the efficiency, based on the dual of the Encrypted Davies-Meyer structure (EDMD), Mennink and Neves proposed a dedicated design called Fast PRF at the last FSE. Given an iterative block cipher E_K, we denote the first half part of E_K as E_K1; the output of the PRF equals the XOR of these two values. AES-PRF is as efficient as AES. However, the efficiency comes at the cost of provable security: the provable security results of EDMD require the components to be independent permutations, which no longer applies to AES-PRF. So we want to reconsider the security of AES-PRF in our work.
We mainly focus on these open problems. Firstly, in the previous FSE paper, s = 2 is left as an open problem, and we handle it with impossible differential and zero-correlation attacks. Besides, we consider the security of many other variants. We also consider the security of the dual version, which we call dual AES-PRF. The methods used in this paper include impossible differential, zero-correlation, traditional differential cryptanalysis, and meet-in-the-middle attacks.

So this is the structure of AES-PRF. The full encryption of AES is divided into the first s rounds and the last t rounds. The output of AES-PRF is the XOR of the state encrypted by the first s rounds and the state encrypted by s + t rounds. We also consider the security of the counterpart of AES-PRF. The full encryption is also divided into two parts, but the plaintext is used as a feed-forward. Clearly, in these two structures, when s or t equals zero, they are insecure. So in the following discussion, we only focus on the cases where s and t are both greater than zero.

Before we look into the concrete attacks, we give an overview. For the attacks on AES-PRF, when s is lower than or equal to two, we use the impossible differential and zero-correlation methods to launch key-recovery attacks. The main observation is that the second part is a permutation, so that we can construct a trivial impossible differential or a trivial zero-correlation linear approximation for the second part. In the impossible differential attack scenario, a non-zero input difference and a zero output difference constitute a natural contradiction, and we complement this impossible differential by the propagation rule of differences. In the key-recovery phase, given a pair of plaintexts, since the second part is the impossible differential, the output difference here must be equal to the output difference here. So for the first s rounds, we know the input difference and the output difference.
By the property of the S-box, we can recover the key involved in the first s rounds. In the zero-correlation attack, we construct a trivial zero-correlation approximation with zero input difference and zero output mask. Then we guess the subkeys involved in the first s rounds and use the values here and here to compute the value of the zero-correlation statistic. If the value of the statistic is lower than a predetermined threshold, the guess of the key will be rejected. When t is no more than four, we use the zero-correlation method to realize a distinguishing attack. The core observation is to construct an iterative zero-correlation approximation for the second part. So by the propagation rule of linear masks, we know the input mask must be zero, so using only the output value enables us to compute the zero-correlation statistic. When the value of the statistic is lower than a threshold, we will say that we are not faced with AES-PRF. Then, since the best attack results for AES are based on meet-in-the-middle attacks, we also study how these techniques can be applied to AES-PRF. For all variants of AES-PRF reduced to seven rounds, we give meet-in-the-middle attacks.

Since dual AES-PRF is the counterpart of AES-PRF, the attacks are very similar to those for AES-PRF. When t is less than or equal to two, we attempt to use the weakness in the first part to realize key-recovery attacks. After guessing the subkeys involved in the last t rounds, we use the differences of the values here and here to check the contradiction. If a guessed subkey indeed results in a contradiction, we will reject the guessed subkey. When s is no more than four, we use the differential method to launch key-recovery attacks. The main observation is that the second part is a permutation. So when a pair of plaintexts collides at the output, they must collide before the permutation. So we construct an iterative differential for the first s rounds and use the property of the S-box to recover the involved subkeys.
So now let's look into the concrete attacks on AES-PRF. The first attack is the impossible differential attack. First we construct a two-round impossible differential, and since we regard this part as a permutation, the output difference here must be equal to the output difference of the PRF. So we construct structures of plaintexts and save the pairs with output differences of this form. Then we know the output difference here. So for the first two rounds, we know the input difference and the output difference. Then we guess the involved subkeys, the five colored bytes, and forward-propagate to the output of the SubBytes operation. So for these S-boxes, we know the input and output differences, and with the property of the S-box we can obtain partial information on the first subkey. Similarly, we know the input and output differences for the second SubBytes operation, so we can derive partial information on the second subkey. When the first two subkeys are compatible with the key schedule, we will reject them, since this key validates this impossible differential.

The second one is the zero-correlation linear attack. We set the input mask and output mask in this form, and in order to compute the value after two rounds of encryption, we guess the involved subkeys and compute the value here, and then we use the values here and here to compute the zero-correlation statistic. If the value of the statistic is lower than a threshold, we will reject the involved subkeys. Compared to the impossible differential attack, we relax the attack scenario from chosen plaintext to known plaintext, while the complexity increases. We want to note that in these two attacks, we don't restrict the length of the second component, and the attack works as long as this part is a permutation. The second attack is a distinguishing attack based on the zero-correlation method.
The main idea is to construct an iterative zero-correlation approximation here, and then we can use only the value here to construct the zero-correlation statistic. So the key step is the construction of the iterative zero-correlation approximation. To reduce the complexity, we need to maximize the number of non-trivial zero-correlation approximations. So we exhaustively search all the truncated linear masks. For the three-round case, we find that the input mask has at most 11 non-zero bytes, and for the four-round case, the input mask has at most eight bytes. So with these distinguishers, we realize distinguishing attacks for the corresponding primitives.

The last one is the meet-in-the-middle attack. We use the conventional four-round distinguisher: given a δ-set constructed at the first round, the output sequence of 255 differences is fully determined by 25 byte parameters. So the number of possible sequences is reduced from this value to this value, and in the key-recovery attack, we put the four-round distinguisher in the middle of the PRF. The concrete attack is very similar to the attack on AES. In the offline phase, we construct a hash table to store all the sequences here, and in the online phase, we construct structures of plaintexts, select those pairs following this differential pattern, and guess the intermediate states to recover the involved subkeys.

The attacks on dual AES-PRF are very similar to those on AES-PRF. For a given pair, since the first part is an impossible differential, the difference here equals the difference here. So for the last two rounds, we know the input difference and output difference, and using some techniques we can recover the involved subkeys. The zero-correlation attack is similar: we guess the involved subkeys and compute the statistic with the values here and here. The last attack on dual AES-PRF is the differential attack. The main observation is that the second part is a permutation.
So by controlling the difference here, we can control the internal difference. So the key step is to construct an iterative differential for the first four rounds, and the differential we use is illustrated on the right. In the key-recovery attack, after detecting a collision at the output, we know the input difference and output difference. Then we guess the internal differences here and here. With all these known differences, we can derive the input and output differences for all four SubBytes operations. Then, with the property of the S-box, we can derive the involved subkeys, the colored bytes. So this attack reveals a weakness of dual AES-PRF, that is, by controlling the output difference, we can control the internal difference. So now we have finished all the attacks involved in the paper.

This table summarizes all the attack results involved in the paper. Firstly, we improve the previous attack when s equals one. We also find that these two constructions only have one round as security margin. So based on these attacks, we give a comparison between AES-PRF and dual AES-PRF. Firstly, from the feasibility of the differential attack, we know the security of AES-PRF is higher than that of dual AES-PRF, and this is consistent with the discussion in the previous FSE paper on the preference of the EDMD structure over the EDM structure. The second observation is that both of these constructions have only one round as security margin. So it's interesting to consider the choice of the parameters. The balanced case is a natural choice for the design. However, our results indicate that s equals four is potentially more secure, since in this case the security margin increases. So we think it's still interesting to consider the security of the remaining variants. That's all for the presentation. Thank you for your attention.
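The structural point behind the differential attack on dual AES-PRF, and behind the talk's final comparison of the two constructions, is that the last t rounds of the EDM-style dual are a permutation applied to E_s(p) XOR p, so an output collision of two plaintexts forces the internal difference E_s(p) XOR E_s(p') to equal the plaintext difference p XOR p'; the EDMD-style AES-PRF, whose output is E_s(p) XOR E_{s+t}(p), gives no such relation. The script below is an added example and not code from the paper or its authors. It replaces AES with a constructed 16-bit toy SPN (PRESENT S-box, a fixed bit permutation, a made-up key schedule) so that the whole input space can be enumerated offline; the names `aes_prf_like`, `dual_like`, `collision_leak_stats`, `compare` and the master key value are all assumptions of this example. For every output collision of each structure it checks whether the internal difference equals the input difference and reports how often that holds.

```python
"""Toy illustration of why an output collision of an EDM-style (dual AES-PRF)
construction pins down the internal difference, while an EDMD-style (AES-PRF)
construction does not.  Added example, not code from the paper or its authors.
AES is replaced by a constructed 16-bit toy SPN so the input space (2^16) can
be enumerated completely.
"""
from collections import defaultdict

SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]   # PRESENT 4-bit S-box
MASK16 = 0xFFFF


def permute_bits(x):
    """Bit permutation on 16 bits: bit i -> 4*i mod 15, bit 15 fixed (a bijection)."""
    y = 0
    for i in range(16):
        if (x >> i) & 1:
            y |= 1 << ((4 * i) % 15 if i < 15 else 15)
    return y


def sbox_layer(x):
    """Apply the 4-bit S-box to each of the four nibbles of a 16-bit state."""
    return sum(SBOX[(x >> (4 * j)) & 0xF] << (4 * j) for j in range(4))


# Precomputed S-box + bit-permutation layer; a bijection on 16-bit states.
SP_TABLE = [permute_bits(sbox_layer(x)) for x in range(1 << 16)]


def round_keys(master, n):
    """Constructed toy key schedule: rotate the master key and add a round constant."""
    keys, k = [], master & MASK16
    for i in range(n):
        k = ((k << 3) | (k >> 13)) & MASK16
        k ^= (0x9E37 * (i + 1)) & MASK16
        keys.append(k)
    return keys


def encrypt_rounds(x, keys, start, end):
    """Rounds start .. end-1 of the toy SPN: key addition followed by the SP layer."""
    for r in range(start, end):
        x = SP_TABLE[x ^ keys[r]]
    return x


def aes_prf_like(p, keys, s, t):
    """EDMD shape of AES-PRF: E_s(p) XOR E_{s+t}(p)."""
    x = encrypt_rounds(p, keys, 0, s)
    return x ^ encrypt_rounds(x, keys, s, s + t)


def dual_like(p, keys, s, t):
    """EDM shape of dual AES-PRF: the last t rounds applied to E_s(p) XOR p."""
    x = encrypt_rounds(p, keys, 0, s)
    return encrypt_rounds(x ^ p, keys, s, s + t)


def collision_leak_stats(func, keys, s, t):
    """Enumerate every 16-bit input, collect all output collisions (p, p'), and count
    those with E_s(p) ^ E_s(p') == p ^ p'.  Returns (colliding_pairs, leaking_pairs)."""
    internal = [encrypt_rounds(p, keys, 0, s) for p in range(1 << 16)]
    buckets = defaultdict(list)
    for p in range(1 << 16):
        buckets[func(p, keys, s, t)].append(p)
    pairs = leaks = 0
    for plist in buckets.values():
        for i in range(len(plist)):
            for j in range(i + 1, len(plist)):
                a, b = plist[i], plist[j]
                pairs += 1
                if internal[a] ^ internal[b] == a ^ b:
                    leaks += 1
    return pairs, leaks


def compare(master=0x2B7E, s=2, t=2):
    """Run both structures with the same toy round keys and return their statistics."""
    keys = round_keys(master, s + t)
    return {"dual_aes_prf": collision_leak_stats(dual_like, keys, s, t),
            "aes_prf": collision_leak_stats(aes_prf_like, keys, s, t)}


if __name__ == "__main__":
    for name, (pairs, leaks) in compare().items():
        print(f"{name}: {pairs} output collisions, "
              f"{leaks} with internal difference == input difference")
```

For the dual structure every colliding pair leaks its internal difference, independently of the cipher or key, because a permutation maps equal outputs back to equal inputs; for the EDMD structure the internal difference of a colliding pair is unrelated to the plaintext difference, so only a chance fraction of pairs satisfy the relation. This is the sense in which the talk ranks the differential security of AES-PRF above that of its dual.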