Hello everyone, welcome to this session on automatic analysis. The first talk is on exhausting the Demirci-Selçuk meet-in-the-middle attack against reduced-round AES. It is work by Patrick Derbez and Pierre-Alain Fouque, and Patrick is giving the talk.

Thank you for the introduction. This first talk is about the attack of Demirci and Selçuk, which is at the core of the best known attacks on some reduced versions of the AES. The point is to show how to mount many variants of the original attack, and also how to find the best ones among them. I will begin with a description of the AES, then I will explain the original attack of Demirci and Selçuk together with its improvements. After that I will present our new improvements, and finally I will combine them with the differential enumeration technique and describe the new attacks on 8 rounds.

So let us begin with the description of the AES. The competition to select it began in 1997, and the cipher Rijndael, designed by Daemen and Rijmen, won it three years later. It is an iterative block cipher based on a substitution-permutation network. It was standardised with a block size of 128 bits and three different key sizes, and the number of rounds depends on the key size. In the AES, each 16-byte block is represented as a 4x4 matrix of bytes, where each byte is seen as an element of the finite field F_256. One AES round is composed of four simple operations applied successively to the state matrix. The first one is the SubBytes operation, which applies the same non-linear S-box to each byte of the state matrix. Then there is the ShiftRows operation, which cyclically shifts the rows. Then there is the MixColumns operation, which multiplies the state matrix by a constant MDS matrix. Finally there is the AddRoundKey operation, which performs the XOR between the state matrix and the sub-key.
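The MixColumns step just described can be made concrete with a short sketch (a toy illustration, not part of the talk): multiply one column of the state by the constant MDS matrix over GF(2^8), using the AES reduction polynomial x^8 + x^4 + x^3 + x + 1.

```python
def xtime(b):
    """Multiply a field element by x (i.e. by 0x02) in GF(2^8)."""
    b <<= 1
    if b & 0x100:
        b ^= 0x11B  # reduce modulo the AES polynomial x^8+x^4+x^3+x+1
    return b & 0xFF

def gmul(a, b):
    """Multiply two elements of GF(2^8)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = xtime(a)
        b >>= 1
    return r

# The constant MDS matrix of MixColumns.
MC = [[2, 3, 1, 1],
      [1, 2, 3, 1],
      [1, 1, 2, 3],
      [3, 1, 1, 2]]

def mix_column(col):
    """Apply the MixColumns matrix to one 4-byte column of the state."""
    return [gmul(MC[i][0], col[0]) ^ gmul(MC[i][1], col[1])
            ^ gmul(MC[i][2], col[2]) ^ gmul(MC[i][3], col[3])
            for i in range(4)]

# Known test vector from FIPS-197:
print(mix_column([0xDB, 0x13, 0x53, 0x45]))  # [0x8E, 0x4D, 0xA1, 0xBC]
```

The test vector is the standard one from FIPS-197, so the sketch can be checked against the specification directly.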
In some cases we are interested in swapping the order of the last two operations, and in that case we will denote the sub-key used in the AddRoundKey operation by u; it is related to the original sub-key k by a linear relation. In the following I will use some notation: I denote by X the state just before SubBytes and by Z the state just after ShiftRows.

The AES was successfully designed to be resistant against linear and differential cryptanalysis, and the main concern was about its simple algebraic structure. But it seems that attacks based on SAT solvers or Gröbner basis algorithms are still far from breaking it. So finally, one could say that the AES was broken for the first time by related-key attacks on the 192- and 256-bit versions, and more recently, in the single-key model, by biclique attacks on the three versions. But in the first case the model is not very realistic, and in the second case the gain is very marginal.

So let us now talk about the attack of Demirci and Selçuk. First I have to introduce the definition of a δ-set, which is a set of 256 AES states such that one byte is active and the other ones are constant. At FSE 2008, Demirci and Selçuk described a four-round property for the AES which is stated as follows: if we apply four AES rounds to a δ-set, then for each of the 16 bytes of the final state, the ordered sequence of 256 values of that byte is fully determined by only 25 byte parameters. As a consequence, the number of possible sequences is negligible compared to the number of theoretically possible ones. The proof of this property is very simple. Let us consider the encryption of a δ-set, where there is no difference in the white bytes, and assume that we want to build the sequence of 256 values of the circled byte. Then we just have to guess the values of the black bytes for one message and propagate the differences from the first state to the last one.
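The δ-set definition is easy to state in code (a minimal sketch, not from the talk): 256 states in which one chosen byte takes every value while the 15 others stay constant.

```python
def delta_set(base, active=0):
    """Build a δ-set from a 16-byte base state: the active byte takes
    all 256 values while the 15 other bytes stay constant."""
    states = []
    for v in range(256):
        s = list(base)
        s[active] = v
        states.append(s)
    return states

base = [0x00] * 16
ds = delta_set(base, active=0)
print(len(ds))                              # 256 states
print(len({s[0] for s in ds}))              # active byte takes all 256 values
print(all(s[1:] == base[1:] for s in ds))   # True: other bytes constant
```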
Indeed, as we consider a δ-set, we already know all the differences in the first state. Then, by linearity, we can compute all the differences in the second one. So we will know the values of the black bytes for all messages, and we can apply the S-box to each of them. Finally, as the other differences are null, we will know all the differences in the third state. We can apply the same technique to obtain the sequence of values of the circled byte.

Demirci and Selçuk first used this property to mount an attack on 7 rounds of the AES-256, which runs as follows. First there is an offline phase, where we compute all the possible sequences and store them in a hash table. Then, in the online phase, we begin by asking for a structure such that the main diagonal is active and the other bytes are constant, and we choose one of the messages. Then we guess the values of its grey bytes and propagate the differences from Z1 to the plaintext P in order to identify and order a δ-set. Then we guess the values of the black bytes for the chosen message, and we propagate the differences from the ciphertext to the black bytes of X5 to compute the sequence of values and check whether it belongs to the table. If it belongs to the table, we know with probability very close to 1 that the guessed values were right, and if it does not belong to the table, then we know with probability 1 that at least one guessed value was wrong. The parameters of the online and offline phases are state bytes that we will denote by B_on and B_off. If the sub-keys used in the AddRoundKey operations were independent, then the complexities of this attack would be exponential in the sizes of the sets B_on and B_off. In that case the memory complexity would be too high to apply this attack to the 128- and 192-bit versions, but the time complexity is low enough to mount an attack on 8 rounds of the AES-256 by just guessing the last sub-key and applying the 7-round attack.
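The offline-table / online-check structure of the attack can be illustrated with a toy example (this is a stand-in, not AES, and `toy_f` is a made-up function): offline, enumerate every sequence a small parameterised function can produce and store them in a table; online, a guess is kept only if the sequence it predicts appears in the table.

```python
def toy_f(param, x):
    # Hypothetical stand-in for "four AES rounds on a δ-set":
    # any deterministic map of (parameter, position) -> byte works here.
    return (x * param + param * param) % 251

# Offline phase: 256 parameter values -> at most 256 possible sequences,
# negligible compared to the 251^8 theoretically possible ones.
table = {tuple(toy_f(p, x) for x in range(8)) for p in range(256)}

# Online phase: check whether an observed sequence is reachable.
good = tuple(toy_f(42, x) for x in range(8))       # produced by a real parameter
bad = tuple((x * 7 + 3) % 251 for x in range(8))   # junk sequence, no parameter fits
print(good in table)  # True  -> the guessed values may be right
print(bad in table)   # False -> at least one guessed value was wrong
```

The point mirrors the talk: because the number of reachable sequences is tiny compared to the number of possible ones, a table lookup filters wrong guesses with probability essentially 1.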
But in the AES the sub-keys are not independent, so, as the bytes of B_off and the bytes of B_on are related by the AES equations, they may assume fewer values than expected. Indeed, they lead to the knowledge of some sub-key bytes that may be related by the key-schedule equations. We denote these sub-key bytes by K_off and K_on.

The basic attack of Demirci and Selçuk has been improved. The first improvement is to consider sequences of differences instead of sequences of values, which allows us to remove one byte from B_on or from B_off. Then it is also possible to store unordered sequences instead of ordered sequences, and that mainly allows us to remove one byte from B_on which was used only to order the δ-sets. Finally, we can apply a classical data/time/memory trade-off by storing in the hash table only a fraction of the possible sequences. In exchange, we have to redo the attack many times to compensate for the probability of failure, and this increases both the data and the time complexity. However, it is possible to save some data in this trade-off by noticing that the structure used in this attack contains many δ-sets, around 2^24 of them.

To summarize this first part: the basic attack of Demirci and Selçuk requires a huge memory and a relatively small time complexity. We can balance these complexities by applying the classical data/time/memory trade-off, for instance to apply the 7-round attack to the AES-192, but it increases the data and time complexities: for instance, on 7 rounds the data complexity will be approximately 2^70 chosen plaintexts. So our first goal was to find how to reduce the data complexity. First we noticed that Demirci and Selçuk order the δ-set according to the value of the active byte of Z1, but in fact it is unnecessary to know the value of that byte in the offline phase: we just have to know the differences in that byte.
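The data/time/memory trade-off just described can be simulated on a toy scale (an illustration with made-up sizes, not the attack's real parameters): keep only a fraction of the precomputed table, and in exchange the online phase must try more δ-sets, on average 1/fraction of them, before hitting a stored entry.

```python
import random

random.seed(1)
FULL = list(range(2**16))       # stand-in for the full set of possible sequences
FRACTION = 1 / 16
stored = set(random.sample(FULL, int(len(FULL) * FRACTION)))  # smaller memory

# Simulate: how many attempts until the observed sequence is one we stored?
trials = []
for _ in range(2000):
    n = 1
    while random.choice(FULL) not in stored:
        n += 1
    trials.append(n)
mean_attempts = sum(trials) / len(trials)
print(mean_attempts)  # close to 1/FRACTION = 16 attempts on average
```

This is the cost the talk mentions: storing a 2^-n fraction of the table multiplies the number of online repetitions, and hence the data and time, by roughly 2^n.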
As a consequence we remove one byte from B_off, and it does not change the number of sequences built in the offline phase. On the other hand, we can now reuse each δ-set 256 times in the data/time/memory trade-off, which saves some data complexity.

Then we noticed that Demirci and Selçuk only consider simple cases where the δ-set has one active byte and where the check is performed on one byte of X6 or on one byte of Z5. But in fact the meeting in the middle is performed between those two states, and more precisely between five bytes of the same column of these two states, because there is a linear relation between the differences in those states. The idea is then to consider different linear combinations, and to do that we use the fact that the matrix used in the MixColumns operation is an MDS matrix. As a consequence, we know that minimal equations between those two states involve exactly five bytes of the same column, and the converse is true: if we choose five bytes of the same column, then there is a linear equation between them. So in fact, in the offline phase we compute the part of these equations that involves the bytes of Z5, and in the online phase we compute the part that involves the bytes of X6. Thus we can consider different attacks, like this one or this one. Basically, we can trade some bytes of B_off against bytes of B_on without increasing the data complexity and without randomizing the attack. This idea may also be applied to the δ-set: instead of considering sets of 256 AES states such that one byte is active and the other ones are constant, we consider sets of 256 AES states such that exactly five bytes, spread over these two states, are active. But in that case it will affect the size of the structure needed in the attack, and thereby the data complexity; moreover, the bytes of Z1 must be guessed despite the use of unordered sequences.
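The MDS property used here can be checked concretely (a small sketch, not from the talk; the column values are random stand-ins for the differences): each row of the MixColumns matrix, and each row of its inverse, gives a linear relation over GF(2^8) involving exactly five bytes of one column, one byte on one side of the transition and four on the other.

```python
import random

def xtime(b):
    b <<= 1
    return (b ^ 0x11B) & 0xFF if b & 0x100 else b

def gmul(a, b):
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = xtime(a)
        b >>= 1
    return r

MC  = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]
IMC = [[14, 11, 13, 9], [9, 14, 11, 13], [13, 9, 14, 11], [11, 13, 9, 14]]

def apply_matrix(m, col):
    return [gmul(m[i][0], col[0]) ^ gmul(m[i][1], col[1])
            ^ gmul(m[i][2], col[2]) ^ gmul(m[i][3], col[3]) for i in range(4)]

dz = [random.randrange(256) for _ in range(4)]  # difference in a column of Z5
dx = apply_matrix(MC, dz)                       # difference in that column of X6

# Five-byte relation from row 0 of MC: dx[0] = 2*dz[0] ^ 3*dz[1] ^ dz[2] ^ dz[3]
print(dx[0] == gmul(2, dz[0]) ^ gmul(3, dz[1]) ^ dz[2] ^ dz[3])  # True

# Five-byte relation from row 0 of the inverse matrix:
# dz[0] = 14*dx[0] ^ 11*dx[1] ^ 13*dx[2] ^ 9*dx[3]
print(dz[0] == gmul(14, dx[0]) ^ gmul(11, dx[1])
      ^ gmul(13, dx[2]) ^ gmul(9, dx[3]))  # True
```

These two relations are the extreme cases (one output plus four inputs, or one input plus four outputs); any other split of five bytes across the same column also yields one linear relation, which is what lets the attack trade bytes of B_off against bytes of B_on.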
That allows us to mount new variants of the original attack: once we have chosen the middle equation for the offline phase, we can mount approximately 2^16 variants, but the number of sets B_off and B_on to study is a little bit smaller. Then, to compare the corresponding attacks, we have to answer two related questions: how many values can the state bytes assume, and how fast can we enumerate them? This is not an easy task because S-boxes are involved in the key schedule, so we used the tool I developed two years ago in a joint work with Charles Bouillaguet and Pierre-Alain Fouque, which solves a problem very close to ours. Basically, this tool takes as input a system of equations E in variables X involving some S-boxes, so an AES-like system of equations, and it returns an optimal algorithm to enumerate all the solutions of this system with predictable time and memory complexities. Of course, the returned algorithm is optimal only among a particular class of solvers. We made a new tool from the previous one: now the tool also takes as input a subset Y of the set of variables X, and it returns a list of optimal algorithms to enumerate all the possible values of Y according to the system of equations. Basically, the idea is to apply the previous tool to each subset between Y and X, but in fact, by using a good pruning strategy, the number of subsets to consider is often one or two. The complexity of this tool is exponential in the number of input S-boxes, as was the case for the previous tool, so it is much faster to apply it to K_off, K_on and the key-schedule equations instead of B_off, B_on and the AES equations. Thanks to it, we have been able to exhaust all cases for all key sizes, with and without the last MixColumns, and for instance here you can see the results for 7 rounds of the AES-192: this table gives the log_256 of the data complexity as a function of the number of guesses to perform in the offline phase and in the online phase.
As you can see, whatever the complexity we want to reach, all the best attacks require only 2^32 chosen plaintexts, as much as the original attack of Demirci and Selçuk. You can also see that we found new attacks with smaller data complexity; in fact, we found competitive results in the very low data complexity setting, for instance attacks up to 8 rounds of the AES-256 that need only 256 chosen plaintexts.

Let us now talk about the differential enumeration technique, which was introduced by Dunkelman, Keller and Shamir as an alternative to the classical data/time/memory trade-off. But they did not realize how powerful this technique was, so we recently improved their results in a joint work with Jérémy Jean, and we obtained the best known attacks on 7, 8 and 9 rounds. But as you can see, the complexities of the 8-round attacks are not balanced, so we can do better. Let us consider this variant of the attack of Demirci and Selçuk, where the bytes of B_on are in grey and the bytes of B_off are in black, and now let us consider a pair that follows this differential. In that case, the possible values for the bytes of B_on and the bytes of B_off are very restricted. In fact, if we guess the differences in the circled bytes, then we will know all the differences before and after the S-box for each of the black bytes, so we can deduce their values, and as a consequence there are at most 2^128 values instead of 2^192 values for the bytes of B_off. So it is a nice improvement, but now, in the online phase, we have to focus on finding a pair that follows this differential. We begin by asking for a structure such that the diagonal is active and the other bytes are constant, and then we look for pairs that may follow the differential, or in other words that have no difference in the white bytes of Z7.
Then, for each of these pairs, we have to find the possible values of the bytes of B_on. This is done essentially by guessing the differences in the circled bytes, because in that case we will know the differences before and after the S-box for each of the grey bytes, and so we can deduce their values; but the real procedure is a little bit more complicated, since we have to take care of the relations between the grey bytes. Once we have obtained the values of the grey bytes, we can identify a δ-set that contains the pair, compute the sequence and check whether it belongs to the table. Then we restart this procedure until a match occurs, or in other words until the structures contain a pair that follows the differential. As before, we have been able to exhaust all cases, and for instance on 8 rounds the best results are here: we save approximately a factor 2^32 on the overall complexity for the 192-bit version, and a similar factor for the 256-bit version. It is also possible to save some data in this attack by performing many attacks in parallel, or in other words by looking for many differentials in parallel, without increasing the overall complexity. There is some limitation on the cases we have been able to try: in fact, we only tried cases where the bytes of B_on, the bytes of B_off and the active bytes of the pair are aligned, because otherwise the number of cases to handle may become huge and the complexity of our tool tends to explode.

To conclude this talk: in this paper we have generalized the attack of Demirci and Selçuk, we have been able to find many new attacks that need a small data complexity, and we also found the best known attacks on 8 rounds for the AES-192 and the AES-256, and these results were found in an automatic way. Furthermore, this attack is somewhat generic and may be applied to many other ciphers; for instance, we applied it to SQUARE, and the results will probably be in the full version.
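The key step here, that knowing the difference before and after the S-box essentially pins down the value, can be checked directly (a self-contained sketch, not from the talk; the S-box is generated from its GF(2^8) definition rather than hard-coded):

```python
def xtime(b):
    b <<= 1
    return (b ^ 0x11B) & 0xFF if b & 0x100 else b

def gmul(a, b):
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = xtime(a)
        b >>= 1
    return r

def ginv(a):
    """Inverse in GF(2^8) by brute force (0 maps to 0 by convention)."""
    if a == 0:
        return 0
    return next(b for b in range(1, 256) if gmul(a, b) == 1)

def affine(b):
    """The affine transformation of the AES S-box."""
    r = 0
    for i in range(8):
        bit = ((b >> i) ^ (b >> ((i + 4) % 8)) ^ (b >> ((i + 5) % 8))
               ^ (b >> ((i + 6) % 8)) ^ (b >> ((i + 7) % 8))) & 1
        r |= bit << i
    return r ^ 0x63

SBOX = [affine(ginv(x)) for x in range(256)]
print(hex(SBOX[0x53]))  # 0xed, the example from FIPS-197

def solutions(din, dout):
    """Values x with S(x) ^ S(x ^ din) == dout."""
    return [x for x in range(256) if SBOX[x] ^ SBOX[x ^ din] == dout]

# For a fixed input difference, summed over all output differences there are
# exactly 256 solutions, so about one per (din, dout) pair on average, and
# each individual pair admits 0, 2 or 4 values.
print(sum(len(solutions(1, d)) for d in range(256)))  # 256
print(sorted({len(solutions(1, d)) for d in range(1, 256)}))  # [0, 2, 4]
```

This is why guessing the differences in the circled bytes lets the attacker deduce the values of the grey and black bytes: each known input/output difference pair of an S-box leaves roughly one candidate value.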
So thank you for your attention. Are there any questions? [Question:] Patrick, do you think that this tool could be adapted to find some distinguishers on hash functions? [Answer:] I don't think so. For now I am trying to extend it to other ciphers, like TWINE in fact, which is a little bit different from the AES, but for distinguishers I don't think so. Thank you very much. Let's thank the speaker again.