 Hello everyone, my name is Bo Xin Zhao and I'm from Tsinghua University. The title of the paper is New Related to NK Bromero and Rectangular Attacks on Deoxys BC including a BDT effect, and the paper joins work with Xiao Yang Dong and Ke Ting Jia. And the presentation consists of four parts that overview of such new related to NK Bromero and the general strategy of carry carry attacks, and for the last, we will give two examples of attacks on Deoxys BC. And the Deoxys BC is designed by Jamie Jin, Yvaka Nikolayka, Thomas Prane, and Yannick Thierry. There are two AEAD modes of Deoxys BC. The Deoxys one is a third-round candidate of the CISA competition. It's a non-respecting mode, and for the Deoxys two is one of the six algorithms in the final CISA portfolio. It's a non-misuse resistant mode. And for the two AEAD modes, the internal primitive adapts Deoxys BC is an AES lack twinkable block cipher. For Deoxys BC dash 256, the twinkies size is 256 bits, and there are 14 rounds. And for the dash 384, the twinkies size is 384 bits, and there are 16 rounds. And for the Deoxys BC, there are four round functions. It adapts the AES round functions that are round twinkies to the internal state, and the sub-bites apply the AES S-box to the 16 bytes separately. And the shift rows, we rotate the four bytes of the JAS row left by row JAP positions, where the row is 0, 1, 2, 3. And the last is these columns that multiplies the internal state file for constant MDS matrix. And for the sub-twinkies, the Deoxys BC dash 256, the STK is obtained by X over TKI1 and TKI2 and RCI. And for the dash 384, the STKI is obtained by X over TKI1, TKI2 and TKI3 and RCI. There the TKI is updated by two liner functions, that the position function h and two liner feedback shifter registers. And for TKI1, it's updated by only the h position function, and for TKI2 and TKI3, they are permutated by the liner feedback shifter register, and then it's h function. There is an overview of the twinkies schedule and encryption process of Deoxys BC dash 384. And for the second part, we choose search new related twinkies Bermuda distinguisher. And in CID80, I propose an efficient MRRP mode to search related twinkies Bermuda distinguisher in CHP17. But they didn't take the deferent of the end of the distinguisher into consideration. So we make two improvements as follows. The first, we generate one or two more rounds of the constraints. And then we limit the number of active S boxes at the end of extra rounds. For the first round, we denote the add-round twinkie is X, XI, X over STKI equals to YI. Since the difference of our XI as TKI is unknown, so we can exclude the three conditions that 001, 01, 0, and 100 using the following three equations. And for the mixed columns, since it's after the sub-byte operations, so if one byte is active, all the four output bytes will be active. We use the following five equations and four equations to constrain that. Where DKI is a dMT variable, that DKI equals to 0 only when all the XI are 0. And for the second X round, since add-round twinkie, the state XI, the difference of the XI will be unknown. So if XI or STKI active, YI must be active, we use the following three equations to constrain that. And since the mixed column is a liner function, and for the last round, we don't consider it, so there is no constraint for it. And at the end of the model, we use YI in equation to limit the active byte. We can test it from 0 to 15. And the BDT is a Brumeron difference table proposed by 1, each at all. The definition of it is that let S be an invertible function from F2N to F2N, and the 003100 is F2N. So the three-dimension table of S, the entry for 003100 is computed by the following equation. For BDD frame, we can consider it as an opposite regression of BDT. We take into account 00, 01, and 00, and we can compute the entry by the following equation. And this is an example. We utilize BDT and BDT frame. It's a two-round Brumeron switch for Deoxys BC256. We can see the entry for 0, 0, 0, 0, 0 in BDT is 2. And the entry for 3, 2, 3, 7, 3, 7 in BDT frame is 2. So the probability of them are all 2 to minus 7. And now we introduce advantage of our new distinguisher. For the Deoxys BC256, if we append the one-round to our nine-round Brumeron distribution, we can see after the subart operation, only nine bytes are active. But if we append one-round to the nine-round Brumeron distribution in CHP17, there are 10 active bytes after subart operation. And for the Deoxys BC384, if we append two-round for our 11-round Brumeron distribution of Deoxys BC384, after the subart of the last round, only 12 bytes will be active. But if we append two-round of the two-round to the 11-round Brumeron distribution in CHP17, all the bytes will be active. And now we will introduce a general strategy of key recovery attack. So here are the notations. We denote the whole encryption algorithm by EF, E-prime, and EB, where EB is the distinguisher and EF and EB is the round prefix at the start, start, and end. And RB is the number of active bytes bits of the input difference of EB. And MB is the number of sub-twinkie bits that need to be guessed in EB. And RFMF is similar to RB and MB. And the S is the expected number of red quarters. And then the RF, beta, gamma, and delta is the difference of the distinguisher. So this is a general related twin-key rectangle attack. We construct Y constructors of two-to-RB plane tests each. For each structure, we require the two-to-RB plane tests by the encryption oracle, either K2, K3, and K4. We can obtain four sets. We denote them L1 to L4. And then we guess two-to-MB position MB bits sub-twinkie involved in EB. And we initialize a list of two-to-MF counters for the MB bits sub-twinkie in EF. And then we can construct two sets, S1, S2. We can see S1 is a set of the elements that M and M-pray can encrypt under K1 and K2 to the difference RF. That is the start of the distinguisher. And the S2 is similar to S1. And we insert S1 into hot table inducted by the N-minus RF bit of the self-suffer test and N-minus RF bit of the self-suffer test C-brim. For each element of S2, we can find the corresponding element in S1 that satisfies CXOR C-bar X0 and C-prim XOR C-prim bar is 0. In the RF bits, we can obtain about Y2-2 and M2-2 to Rb-2 and Rf quotas. We can call the MF bit sub-twinkie by the obtained quotas, and we can denote the time complexity of this step as YB. And then we can select the top two-to-MF-HA hit in the counter to be the candidates. And for the last, we can exhaustively search the remaining K-minus Mb-minus MF unknown key-bats. And for the complexity, the data complexity is 4, 4-multiply, Y-multiply, 2-2, and Rb-trousin's plain test, since it is the related twinkie attack. And the time complexity consists of the trousin's plain test, the key recovery, and the exhaustively search, and the lookups to obtain the quotas. And the memory complexity consists of the trousin's plain test, the volume of the set, the hash table of S1, and the key counter. And the successful probability can be computed as follows, where the S1 is signal-to-noise rate. And then it's general related twinkie boomerang attack. Since we don't append any round in the start, so we choose one structure over two-to-RF self-test each. And for each structure, we call the plain test M for each self-test C under key 1, and then X over R as difference alpha, then call the self-test M frame that C frame. So we can construct one, set L1, and then construct L2 in a similar way. And we insert L1 into the hash table, indexed by the n minus Rb of C frame. And for each element of L2, we can collect M, C, M frame, C frame colliding in the n minus Rf bit, about Y multiplied to 2RF minus n minus Rf quotas. The key recovery process is identical to the related twinkie rectangle attack. And this complexity is 4 multiply Y multiply 2 to Rf, and the time complexity is Y multiply 2 to 3 Rf minus n multiply epsilon encryption, and Y multiply 2 to Rf lookups. And the successful probability is computed as follows, is the same to the rectangle attack. And last, we will introduce the applications on Deoxys BC. This is our view of the related twinkie rectangle attack of 14-round Deoxys BC-384. And I use the general attack. The parameter we choose S equals to 1, and the other parameter Rb, Mb, Rf are all 96, and Mf is 136, and Pq is 2 to minus 61. The process of the attack is as follows. We can choose 2 to 29 structures of 2 to 96 plane test each, and then we guess 96-bit subtrancy involved in EB, and we can get about 2 to 186 quotas. And then we can guess 8-bit subtrancy related to Z, 13, 12, and can deduce 32-bit subtrancy utilizing the probability of mixed columns and different distribution tables as S-box. And then we can check the obtained 32-bit subtrancy using another self-test, self-test file. And here, we can obtain about 2 to 170 quotas. As similar as the last step, we can count all the 136-bit subtrancy involved in EF, and we can choose a proper value for H and exhaustive search the remaining K bits. If we choose H equals to 48, the complexity of data is 2 to 127, and the time complexity is bounded by the carry carry is 2 to 286.2, and the memory complexity is bounded by the K counter, data 2 to 136. The success probability is about 51%. And this is an example attack of 10-round dialysis BC-256. We extend the 2-round after the 8-round distinguisher. And for the parameters, we can choose S is 1, and RF is 70, and MF is 88, and Q is 2 to minus 48.2. And the process of attack is that we choose structures of 2 to 70 to self-test it, and can get about 2 to 100 and 12.4 quotas. And then gets countered 88-bit subtrancy use quotas, and then is the exhaustive research programming. And the data complexity is 2 to 98.4, and the time complexity is 2 to 109.1 and the memory complexity is bounded by the K counter. If we choose H equal to 28, the success probability is about 72%. Here is the summary of the analyzed result of dialysis BC, where the RK denotes reading tune key and all the analyzed RK recovery attack. We can see we give the 10-round attack on dialysis BC-256 in the lower complexity, and give the 11 related tune key RK attack on it for the first time. And for the dialysis BC-384, we give the 12 and 30-round attack for lower complexity, and give the 40-round attack related tune key RK attack for the first time. Thank you.