 Hello, my name is Grigory Anna and with this video I would like to get you interested in our work, constructing and deconstructing intentional weaknesses in symmetric ciphers. This is joint work with Christoph Bialet, Tim Beiner and Pat Noors and our intentional weaknesses, both overlapping subjects is a long-standing interesting topic and has many dimensions. It's interesting for political reasons, it's actually deployed in many examples and it also is interesting from an academic point of view with dedicated designs or frameworks to construct such backdoors or weaknesses in crypto and an important disclaimer I want to make is that we don't think backdoors are a good thing, we actually think it's very bad and we would like to understand them better in order to be able to prevent them. So in our work, our contribution is two-fold. We are on the one side, we are deconstructing existing intentional weaknesses, namely we explain how the GA1 cipher was backdoored and probably how this has been constructed with the backdoor, which was an open question and on the constructing side we show how to build applicable block surface respectors and we do this in what we think is a more natural way than before. So let's start with the first topic, which is the GA1 algorithm, which is an algorithm which was used in previous versions of GSM to encrypt the data between the mobile phone and the antenna. The last paper shows that this cipher has a very particular weakness, namely two registers jointly only have two to the 40 possible states after the linear initialization process, even so they could have two to the 64 possible states running over all possible keys. So there's a high loss of entropy. And in this picture it is shown how unlikely this constellation of loss of entropy is. So in one out of a million tries the highest entropy loss was nine bits, while GA1 has the entropy loss of 24 bits. So this shows that this is not a property that can happen by bad luck, but it's something that was chosen on purpose. And in the Yucre paper it was unclear how you could do this and this graphic also shows that it's very hard to find this even if you are searching for it and it's just to be expected. And we saw a technique which we believe was the original way to construct these by basically turning around the property and starting with the entropy loss and searching at a particular entropy loss and searching for the LFSRs or more precisely for the characteristic polynomials of the LFSRs in a bit more clever way. The second topic is constructing cyphers with backdoors and in this case tweakable block cyphers and what we do here is we build upon the malicious framework which was presented last crypto 2020 where the idea is to use a particular tweak t0 and hash it and use this to construct using variants of low MC probability one differential and what we do here instead of using pairs of tweaks and constructing probability one differential we use one tweak and make use of invariance and so we show this in two parts one is malicious AS where we make use of a well-known invariant that is normally destroyed by the case giddling and we modify the case giddling and edit tweak very much like in the original malicious way to have a variant of AS where for one tweak you get a very weak cypher and for all the other tweaks you get something which is very secure. You also have a different version for this idea which we call in boomslang and this is more involved it uses a non-linear invariant over two consecutive rounds and I think that's highly non-trivial to detect in the sense that for now you don't have tools to detect this weakness and automatically so please have a look at the paper I think that's an interesting construction and if you want to do so then you can find the paper on e-print already or you are very welcome to contact any of our authors and we are happy to discuss the paper further. Thank you very much for listening