So, this is joint work with Dmitry Khovratovich from MSR and Gaëtan Leurent from the University of Luxembourg. Let me start with cryptanalysis 101. What do we have when we teach or attend a course, an intro course in cryptography or cryptanalysis? Well, you hear about differential cryptanalysis, you hear about linear cryptanalysis. Why is that? Well, it turned out that these attack vectors are very, very powerful for many applications since the early 90s, and many different variants have been developed. In fact, these attack vectors are taken so seriously that any new design that wants to be taken seriously in turn comes with some kind of security argument, some proof against classes of those attacks. Well, the attack vector that I'm going to talk about today is not of this type. It's a meet-in-the-middle attack. It can be described in a very simple way, at least I have it right here. When looking at a cipher, we have a plaintext as input, a ciphertext as output. And in case we are able to separate the key space in such a way that we can start from the input, compute forward with some part of the key that is independent of another part to compute some value v in the forward direction, and do the same in the backward direction, just vice versa, then we can take advantage of a birthday effect and then potentially filter out key guesses faster than in a brute-force way. So this is nothing new, that's a very old idea, but it was overshadowed by linear attacks and differential attacks in the last 20 years. This is now slowly changing, maybe because of the attack on the lightweight cipher KTANTAN from 2010. So the outline for the next 19 minutes: first I will briefly discuss the setting. We are talking about block cipher analysis here. Then I will review meet-in-the-middle attacks and show where these gaps were in our timeline. Then I will briefly review IDEA, the block cipher.
We will be analyzing it and then describe attacks on round-reduced versions of IDEA and also on full-round IDEA before I conclude and wrap up. So the setting is very simple: we are given a block cipher. The goal is to find a single unknown key. We don't need any related keys, nothing fancy, very simple. Also we only ask for the possibility to choose plaintexts and get ciphertexts back, or maybe the other way around. We don't need any adaptivity here. So in the brute-force attack, if we want to find this unknown key with probability one, then we need to try 2 to the k times if k is the number of bits in our key. And whenever we find an algorithm that can do this faster, then we speak of an attack, cryptographically speaking. So meet-in-the-middle attacks actually are as old as academic cryptography. It started with the work of, basically with the criticism by Diffie and Hellman of the Data Encryption Standard in 97, in 77. They described a simple meet-in-the-middle attack on a version of this when used with two independent keys. A few years later, Merkle and Hellman came up with a variant of this to also attack two-key triple DES in a meet-in-the-middle way. Again a few years later, in 85, Chaum and Evertse were the first to look into the cipher DES and perform such a meet-in-the-middle attack there as well. The thing is, DES has 16 rounds. They only managed to cover six or seven rounds. So there was a long way to go, and especially afterwards, when differential and linear attacks were developed that managed to cover many more rounds. This is probably one of the reasons why this attack vector was overshadowed. Now on the hash function side there were also similar applications. Maybe first Lai and Massey found applications of meet-in-the-middle attacks when it came to finding second preimages in generic iterated constructions.
Then for a long time nothing happened, but in a series of papers from 2008 on, Aoki, Sasaki and others looked into the compression functions of various hash functions and found attacks using this attack vector. Most importantly, probably, the preimage attack on MD5. Even though it's by far not practical, it's not that much faster than brute force actually, but still it is certainly an important step when it comes to cryptanalysis. I give the example of Tiger here as well, that I did with Guo and others, because for Tiger we don't have an efficient collision attack, even though for MD5 we have one, but still this attack vector led to first attacks on Tiger as well, which is a hash function that withstood cryptanalysis for more than 10 years. So then, as mentioned in the beginning already, we started to look into applying this newly found attack vector, rediscovered attack vector if you want, to block ciphers again, and we found a victim, the lightweight cipher KTANTAN, and the meanwhile attacks are already almost down to 2 to the 70, showing that this is something to be taken seriously, but it was still a very simple attack. Recently we introduced this framework around meet-in-the-middle attacks that allows more sophisticated techniques to be applied as well, under the umbrella of biclique attacks. First applied in the hash function setting, SHA-2 and Skein were our first targets, well, reduced versions of them, and more recently we looked at AES as well, and our results last year received some attention because we also had results on the full AES, and now as a follow-up we look at IDEA and have more results on this as well, and this is somewhat the context of my talk. The biclique approach in a single slide: well, it is a formalization of the idea of Aoki and Sasaki, who first found applications in MD5, where they managed to squeeze out more rounds in meet-in-the-middle attacks than was thought to be possible before.
The beauty of this approach is that we can suddenly use tools from differential cryptanalysis in our meet-in-the-middle attacks. We can speak about differential characteristics, trails, we can use neutral bits, rebound techniques, all the things that we developed in recent years when it came to hash cryptanalysis actually, and so far it was mostly used to squeeze out more rounds in our attacks. So let me talk about IDEA. It's a very old block cipher, relatively speaking, designed by Lai and Massey and published in 1991, with a 64-bit block size and 128-bit keys. It's quite widely implemented and receives a lot of cryptanalytic attention, only, if at all, second to the AES or the DES: more than 20 research papers since the early 90s improving results, having results on more and more rounds, but still the best result so far, from Asiacrypt 2009 by Sun and Lai, is a result on the first five rounds. It's not that much faster than brute force, 2 to the 125.5, and needs about a megabyte of data. IDEA has this property that if instead of the first rounds, middle rounds are chosen, then the cipher becomes weaker; that's why in this setting six rounds can be attacked as well. I will keep the talk at the level where we don't need details of the cipher, but I wanted to show you this round transformation anyway, just to give you a brief idea. So this is the input of our round, 64 bits split up into 16-bit words. The operations that are used in IDEA are XOR, modular addition and multiplication modulo 2 to the 16 plus 1. So these are incompatible group operations, and the security is basically drawn from this mix of incompatible operations. And this round is now iterated eight times, and then one last time we have another key addition layer. So far five rounds were the best.
In order to illustrate the power of the biclique concept that we apply for the first time to IDEA, I'm starting with a rather new result that was first announced at the Crypto rump session last year by Biham, Shamir and others, where they also applied this meet-in-the-middle attack vector for up to six middle rounds of IDEA. The illustration is very similar to what we had before. We find some way to separate the key into key spaces such that a small part of the key space is independent of some part of the cipher execution in both directions. Then we just start from a plaintext-ciphertext pair, computing in both directions, and look for a match. This then in turn we use to filter out key guesses. One variant of this approach gives a time complexity of 2 to the 123, so somewhat faster than brute force. It only needs two plaintext-ciphertext pairs. So this was basically state of the art last summer. What we can do now is to immediately add one and a half more rounds without essentially touching the time complexity, with this biclique approach. So we have our rounds one and a half until seven and a half here. That was the part of the cipher that was attacked so far. And it turns out that this biclique construction that we are using can cover the first one and a half rounds. So this gives us basically the same time complexity for the attack. The problem is the data complexity. So after we saw this six-round result it took us only a few hours to come up with this very first huge step towards seven and a half rounds. But then the hard work started, because we were not happy with the fact that the attack suddenly needs huge data. So we were working on trying to reduce it. So why do we have this high data complexity actually? Well, first let me illustrate to you how this biclique helps us in order to squeeze out more rounds. So now in our meet-in-the-middle attack we look for all possibilities of Kf in one direction, or all possibilities of the bits in Kb in the other direction.
Then we look for a match, and let's assume we find a match where this choice was matching with this choice. So what we are now basically facing is the challenge of somewhat connecting our internal states that we somewhat started with, via the plaintext input to the cipher, that we have to match. And this biclique structure allows us to do exactly that. So the problem is that finding such a structure, where we map key, plaintext inputs and internal states in such a way that gives us this property, is highly non-trivial. Actually, if this round behaved anyway random, this structure is highly unlikely to exist at all. But for a small number of rounds, one or two rounds, this is something that can be constructed. The thing is, we need to construct this very efficiently, because this is happening in our inner loop. But there are amortization effects that allow us to do exactly that. So that's why time complexity is essentially untouched. So why do we have this data complexity? Well, the thing is, for all those white parts here, those key bits that are not used in the meet-in-the-middle attack, we need to guess them. And for every guess we need to construct a new biclique. In the concrete attack on this seven-and-a-half-round IDEA, it's about 100 bits. So we need to do this 2 to the 100 times. And this gives us more and more bicliques. But we cover basically, we cannot avoid covering the complete plaintext space for this. This means, that's the reason why we need almost a full codebook for our attack. And that's now where the conceptual contribution comes from. So we extend the biclique framework by something we call narrow bicliques, where we address this problem. The new trick here is that we use the degrees of freedom that we have in this biclique area, such that we can construct internal states that fit together with the concrete key guesses that we have at this very moment, such that certain plaintexts collide on a number of bits.
And the more bits that collide, the lower the data complexity will be. And this is something that resembles collision attacks on hash functions a lot, actually. The difference is that there we don't have a key, and we need to somehow construct pairs that have certain properties. Why we do have a key here is that we have to construct this for every key guess. So whenever we construct this biclique, we know the key, because that's just the one that we are currently guessing. So that's why we draw heavily from tools that we developed earlier in hash analysis. The thing is, I won't go into the details here. This can be very complicated. The details are in the paper, and in order to get more confident in the results that we obtain, we practically verified them. That's something that is pretty important. To give you an idea of the impact of this narrow extension of the biclique framework, I list here a few attacks that we obtained. So an attack for the first five rounds. Five rounds were so far the highest number of rounds that were attackable. We have a time complexity of 2 to the 101.5. That's much faster than everything that existed before. And with this narrow-biclique technique, we reduce the data complexity from something that is close to the full codebook to 2 to the 25. Then with a higher number of rounds, these are all versions of IDEA that haven't been attacked before, the time complexity increases and the data complexity increases as well. This seems intuitive. It's actually a bit of a coincidence, because these are all different attacks with different key space separations and so on. There could also be non-monotone behavior of this kind of complexities. Here I give only those results that minimize time complexity. In the paper, we have more on that. Okay, so we have now seven and a half rounds. That's already pretty close to the full IDEA. IDEA has eight and a half rounds, so one more round to go.
We tried to find attacks that would cover the full IDEA in this way, but we didn't manage. But what we can do, that's something the biclique attack vector allows us to do, is to introduce a more brute-force phase into the attack. And indeed, again designing a new attack with new sets of Kf and Kb and so on, and new methods to construct bicliques, the new bottleneck of the attack then becomes at least the brute-force phase that needs to cover one round, which contributes to the time complexity. The new time complexity is then 2 to the 126, still a bit faster than brute force, but now suddenly we can make a statement about full IDEA for the first time. Put this into the table again. I give now here two variants. Again, it becomes more difficult, but still we can lower the data complexity a bit, to 2 to the 52 for example, and the time complexity is roughly four times faster than brute force in our model. So let me conclude. I think we show two main contributions in this paper. First is a variety of new results on IDEA that seem like a sudden jump in cryptanalysis. It took us almost 20 years to go from one up to five rounds, and suddenly we have attacks on seven and a half rounds, and even full IDEA, if we consider this trick with the brute-force phase as an attack as well. So after our realization that we can immediately gain one and a half rounds with this biclique trick, Biham and others also updated their work, and they now complement our results in a nice way. They consider not only initial rounds but also middle rounds. Sometimes they minimize data complexity, whereas we are minimizing time complexity, so I warmly recommend to study this paper as well if you are interested in the state of the art in IDEA. Secondly, not only do we have all these detailed results, we also add a new tool to the toolbox for cryptanalysis. This is something that will find applications to other ciphers as well.
Something else that I would like to point out is that so far the biclique attacks we saw on AES and on other constructions are all very close to brute force. Here in this paper, for the first time, what we have is actually a demonstration that this is not necessarily the case: we have variants of our attacks that are many million times faster than brute force. And if you ask now what it means for full IDEA, is it broken? Well, if you like to think that AES is broken because of our results of last year, then I'm sorry to say that it's the same for IDEA; it's about the same security that we get, 126 bits. Well, for practical purposes it's a very secure cipher. It's just, our research just showed that we still can make progress with new attack vectors. So last but not least, let me talk a little bit about open problems and future work. Well, the biclique attack vector itself came already from hash cryptanalysis and was applied to cipher cryptanalysis. Now the new tools that we used and developed for this particular result again draw a lot from the know-how that we obtained in hash cryptanalysis and reasoning. So there may well be more techniques around that will find applications to cipher cryptanalysis as well. When it comes to finding new targets for meet-in-the-middle attacks and biclique attacks, there may well be other surprises lurking, not only in here. And last but not least, it seems we are seeing an emergence of a new subdiscipline of cryptanalysis that one could call brute-force-like cryptanalysis. Let's say we want to implement a brute-force attack on a cipher that has a key space that is not too large, let's say 80 bits. So far statements about the cost of such an attack were purely in the realm of implementers, basically. But now with this combination of brute-force-like cryptanalysis and biclique attacks, suddenly cryptanalysis can help there as well and can squeeze out speedups that were simply not possible before with simple implementation tricks.
For ciphers with 128-bit keys or even more, this remains more of an academic discussion, but for key sizes of 80 bits or less this can have very practical impacts actually, and can even save lots of energy in our data centers if you want to find keys in a brute-force way. Ciphers like PRESENT come to mind, or also the 64-bit version of KASUMI is a very interesting target in this respect. With that I'm done. Thanks a lot for your attention. Do we have questions?

Okay, so maybe I could ask: do you see any chances of making it better than brute force? I mean integrating some techniques. I mean, it seems that your conclusion is that biclique attacks are basically smart brute-force attacks.

Well, this is only part of my conclusion really. For reduced versions what we show is that biclique attacks can be many times faster than brute-force search, even a million times faster.

Key schedule you need to.

Exactly. Yeah, less key bits. Yeah, but in some sense IDEA is also resistant against this kind of advanced attacks, because we do need this brute-force phase. We still squeeze out a factor four, which is certainly not negligible, but that's as far as we can go at the moment. But improvements may be possible.

Okay, let's thank, thank Christian again.
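The talk opens with the generic meet-in-the-middle idea and dates it to the Diffie-Hellman observation on double encryption with two independent keys. The following is an added example, not code from the talk or its authors, that carries that observation through in full: a constructed toy 16-bit, 4-round Feistel cipher with an 8-bit key stands in for the block cipher, and the secret keys and known plaintexts are constructed values. Splitting the key space into the independent halves k1 (forward direction) and k2 (backward direction) and matching on the middle value v recovers the key with about 2 times 2^8 single-block evaluations plus a table, where brute force over the joint key needs 2^16 trials; a second plaintext-ciphertext pair filters the false matches that the birthday effect produces.

```python
# Added example: meet-in-the-middle key recovery against double encryption.
# The cipher below is a constructed toy (16-bit block, 8-bit key, 4-round
# Feistel); it exists only so the forward/backward match can be counted.

ROUNDS = 4
MASK8 = 0xFF
KEY_BITS = 8                                 # bits per single-encryption key
BRUTE_FORCE_TRIALS = 1 << (2 * KEY_BITS)     # 2^16 joint (k1, k2) guesses


def _subkeys(key: int) -> list:
    """Toy key schedule: one 8-bit subkey per round derived from the 8-bit key."""
    return [((key * 0x9B) + 0x35 * i) & MASK8 for i in range(ROUNDS)]


def _f(x: int, sk: int) -> int:
    """Toy round function on an 8-bit half: add subkey, rotate, square-mix."""
    x = (x + sk) & MASK8
    x = ((x << 3) | (x >> 5)) & MASK8        # rotate left by 3
    return ((x * x + 0x5A) & MASK8) ^ sk


def encrypt(block: int, key: int) -> int:
    """Encrypt one 16-bit block under an 8-bit key (Feistel network)."""
    left, right = block >> 8, block & MASK8
    for sk in _subkeys(key):
        left, right = right, left ^ _f(right, sk)
    return (left << 8) | right


def decrypt(block: int, key: int) -> int:
    """Inverse of encrypt: undo the Feistel rounds with subkeys in reverse order."""
    left, right = block >> 8, block & MASK8
    for sk in reversed(_subkeys(key)):
        left, right = right ^ _f(left, sk), left
    return (left << 8) | right


def double_encrypt(block: int, k1: int, k2: int) -> int:
    """E_k2(E_k1(p)): double encryption under two independent keys."""
    return encrypt(encrypt(block, k1), k2)


def meet_in_the_middle(pairs):
    """
    Recover (k1, k2) from known plaintext/ciphertext pairs under double_encrypt.

    Forward: tabulate the middle value v = E_k1(p0) for every k1.
    Backward: for every k2 compute D_k2(c0) and look it up in the table.
    Each match on v is a candidate (k1, k2); the remaining pairs filter the
    false matches. Returns the surviving candidates and the number of
    single-block cipher evaluations spent in the match phase.
    """
    (p0, c0), rest = pairs[0], pairs[1:]
    forward = {}
    for k1 in range(1 << KEY_BITS):
        forward.setdefault(encrypt(p0, k1), []).append(k1)
    evaluations = 1 << KEY_BITS

    candidates = []
    for k2 in range(1 << KEY_BITS):
        evaluations += 1
        for k1 in forward.get(decrypt(c0, k2), []):
            if all(double_encrypt(p, k1, k2) == c for p, c in rest):
                candidates.append((k1, k2))
    return candidates, evaluations


def demo():
    """Constructed sample run: secret keys and known plaintexts chosen here."""
    k1, k2 = 0x3C, 0xA7                      # constructed secret keys
    plaintexts = [0x1234, 0xBEEF]            # constructed known plaintexts
    pairs = [(p, double_encrypt(p, k1, k2)) for p in plaintexts]
    found, evaluations = meet_in_the_middle(pairs)
    return (k1, k2) in found, evaluations


if __name__ == "__main__":
    recovered, cost = demo()
    print(f"true key recovered: {recovered}; match-phase evaluations: {cost} "
          f"vs {BRUTE_FORCE_TRIALS} joint-key trials for brute force")
```

The design lesson is the one the talk's history alludes to: cascading a cipher twice with independent keys buys almost no security margin against this attack, which is why key-length decisions and triple constructions, not double encryption, are the standard answer. The memory for the forward table (2^KEY_BITS entries) is the price paid for the time saving, exactly the time/memory shape of the attacks the speaker goes on to describe.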