 Hello, everyone. My name is Daniel Kuisters, and I would like to thank the organizers of Eurocrypt 2021 for giving me the opportunity to present our paper called C-Minion Symmetric Encryption Based on Topholigates Over Large Finite Fields. This is joint work with Kistel Dobroni, Lorenzo Gassi, and Amagini. Now, C-Minion is a cypher defined over large finite fields. And its main motivation is to minimize the number of multiplications. So let me just start by giving an overview of why this optimization goal is important. To this end, consider the problem of multiparty computation. In multiparty computation, there are n-parties p1 up to pn, and each of these parties has an input xi. And the goal is to jointly evaluate a function of these xi called small f. And importantly, there should not be a trusted third party that is involved, but rather the party should communicate amongst each other. And there are some other constraints, namely that each party wants to keep their own input xi secret, and each party learns nothing apart from what can be inferred from the output y. There exist a number of protocols realizing a multiparty computation. And for a subset of these protocols, the following two properties hold. Namely, nonlinear operations are expensive and affine operations are cheap. And by expensive, I mean expensive relative to the affine operation. Examples of such protocols include Yao's garbled circuit protocol with a free extra optimization. And in this protocol, the function f is represented as a Boolean circuit comprised of a number of gates. And these gates are garbled. Now, it doesn't really matter what garbling means, but what is important is that the garbling of an extra gate is cheap because it involves some simple additions. Whereas the garbling of an end gate is expensive because it requires calls to symmetric primitives. And there's the GMW protocol. And again, in this protocol, small f is represented as a Boolean circuit. And the inputs to small f are shared amongst the party. Evaluation of an extra gate involves some local computation, so it's cheap. Whereas the evaluation of an end gate requires communication between the parties, so it's expensive. Suppose now that's P1 up to PN want to compute a symmetric encryption function called E in this case, which depends on a key K and an input X. Now, there are many ways that this E can be implemented. For example, there could be two parties where one party has the key and the other has the input, or maybe the keys are shared. But what is important is that we are now looking at the case that small f equals this E. In traditional symmetric ciphers, design decisions were made based on, say, your laptop as a computing environment. And the gates in your laptop are implemented in CMOS where an extra gate is a two or three times larger than an end gate, which is, I would say, comparable. Whereas in the protocols of the previous slide, the difference between the nonlinear and the linear operations are quite large. But this has led to a class of low multiplicative complexity ciphers where people have really tried to minimize the number of nonlinear operations in particular the multiplications. In the tables that you see here, you see a number of such ciphers in existence. I don't claim that this is an exhaustive list, but it's just to give you an idea of what people have been doing. What these ciphers do not have in common, so maybe what the difference is, is that basically some of these ciphers are defined over bits, whereas others are defined over prime fields. Others are defined over binary fields and some are defined over both. And it turns out because this field is relatively new that designs are not as well understood as these traditional designs. So menu or some of these ciphers at least have been broken by text. But where does Simeon come in? Well, it fits right here. Namely, it's defined over both prime fields and binary fields. And with Simeon, we wanted to give a an entire suite of a building blocks that make up encryption functionality. So that means a mode, a permutation, the round functions that make up this permutation, a key schedule, etc. And we were motivated by permutation-based cryptography, as I will show you later. And it turns out that Simeon is actually quite competitive if the key schedule, which turns out to be quite heavy, can be computed during an offline phase. So, for example, if P is computed by two parties, so in a two-party computation setting where one party computes the key and the other has the input. In the following figure, you see a number of ciphers, including Simeon, and the number of multiplications that they have. So on the x-axis, you see plotted the variable t, which corresponds to the number of elements that should be encrypted, so the number of plaintexts, basically. And on the y-axis is the number of multiplications. And as you can see, Simeon is in blue. Simeon performs quite well. And our closest competitor in terms of minimizing the number of multiplications turns out to be Hades-Mimsi. So how did we achieve such a low multiplication count? Well, in order to explain that, I will go over the building blocks that make up Simeon. But first of all, the mode that we use in Simeon is based on Farfalle. So what you see in this picture is the Farfalle mode. And Farfalle is actually defined over just bits. And there are a number of important takeaways here. Well, first, you see that there are a number of permutations involved, PB, PC, PD, and PE. And many of them can be computed in parallel. So this has a positive impact on, say, the end gate depth of a circuit implementing this mode. And there are also other performance benefits. Then a second important thing is that not all these permutations need to protect against the same attacks. So for example, PC just needs to account for some subset of attacks, whereas PE then accounts for another subset of attacks. And these are properties that will help to minimize the multiplication count. So this is the mode that we are using in Simeon. Like I said, it's based on Farfalle, but we have made a number of changes. And the first change that you see here in the red circle is that we have merged the permutations P small c and P small b into one permutation P capital C. So importantly, we don't need this accumulator stage that we saw in the previous slide. And we just need a single permutation PC. And the goal of this PC is to protect or ensure some protection against higher order differential attacks. So it's actually responsible for making sure that the degree is large. And I should emphasize that PC is called only once and it doesn't really depend on the number of inputs. Then here in the purple circle, you see that we have truncated the output of the permutation PE. And the idea behind this is that an attacker cannot easily then invert the permutation PE because this would involve guessing the part of the output that we have truncated. And this helps, for example, against protection against meat in the middle, meat in the middle style attacks. Then in the orange circle, you see that we have moved the key from the output. So that is to say, it's no longer added to the plain text, but it's moved to the inside of the month. And this prevents bypassing the key addition because an attacker is now no longer easily able to consider just differences which bypass the key addition. And moreover, we have also increased the number of key indeterminates because as we will see, this is something that makes solvers for systems of equations a lot slower because they depend on the number of equations. And in this figure, you see the C minion round function. And it is this round function that is repeated to make up both the permutation PE and the permutation PC, where the difference between the two is in the number of such rounds. An important thing to notice in this round function is that we have used the multiplication. It's our source of non-miniarity. In many of the previous designs, the non-miniarity came from the fact that a single field element was, for example, qubit. So a power map was applied to it. However, a downside of this approach is that it limits the diffusion. And using a multiplication involves different field elements, which is beneficial to the diffusion. And also the multiplication has very good properties in the context of linear and differential cryptanalysis. Next there was the choice for a linear layer. So even though I've said that nonlinear operations are expensive and linear operations are cheap, that does not mean that linear operations are for free. In fact, they can have quite a big of an impact in certain protocol. So we have decided to go for a relatively lightweight linear layer. And one of the important things is that we want to make sure that if we consider just a single field element and consider its univariate degree, that also this univariate degree doubles during each call of the round function. And this is why you see these joints in this little circuit, because they ensure that each field element occurs in many different branches, which make sure that, indeed, the univariate degree is doubled every time. Then there is the addition of a number of round constants. They are there to make sure that any symmetries that are present are removed. And of particular interest is this round constant 4. It turns out that if you look at the linear properties of the round function, and if you do not include this RC4, consider fields of characteristic two, then it's possible to find linear approximations that have a linear potential of one, thereby basically breaking this round function. And more importantly, they can be changed. So we could just attack the entire permutation in that way. But that's why we have included this RC4 round constant. So that's for the round function. In this figure, you see the key schedule. Notice that the number of keys that we need depends on the number of inputs that we want to include. So it makes sense to have an initial secret and then just derive the keys that we need on the flow, on the fly. So we start out with two master keys and an IV and then use these as input to a sponge construction. And what is important to realize here is that the permutations in the sponge construction are the PC permutations and as I have already hinted that before these PC permutations will be quite heavy because they are the ones that need to prevent higher order differential analysis. So, in fact, the key schedule itself is quite a heavy computation. And this is why I said that in order to be competitive, we assume that this key schedule is computed during an offline stage. Now in order to derive the number of rounds that make up both the permutation PC and PE, we have done some security analysis. So first we have looked at differential and linear crypt analysis. Again, the nonlinear component in our round function is the multiplication that which just multiplies to field in field elements with each other. And this multiplication that has very good differential and linear properties, namely, it's max DP is equal to one over Q, where Q is just the cardinality of the field. So if the field is FP, then that would be P and if the field is F2 to the power and then this Q would be to the power and the maximum linear potential is equal to one over Q squared. So from this it follows that as soon as as you have one active multiplication, then differential and linear crypt analysis are no longer a problem. So for a multiplication to be active. Well, that basically means that the input difference is nonzero, or the input mask is nonzero. Why is it another problem? Well, actually our security parameter s is dependent on the field cardinality. So again, as soon as one multiplication becomes active, these attacks are no longer a problem. However, when what I said during the slide about the round function is that we need this RC4 because indeed, without this RC4 it's it's it's possible to bypass this multiplication to make sure that it's never active. And yeah, the point here that I'm trying to make is that many people claim that for these the for this kind of cipher differential linear crypt analysis is not an issue. But you also need to take the linear layer into account. Then let's look at higher order differential attacks. So in a higher order differential attack. The goal is to find a f find subspace of large enough dimension or a multiplicative subgroup of large enough cardinality such that summing over this affine space or this multiplicative subgroup gives the zero value. So basically it's a kind of zero sum distinguisher. And in order to prevent this kind of attack, you want to make sure that the degree of your function representation is quite large, large enough. The main permutation responsible for the degree growth is this POC. And again this POC consists of the composition of the round function and each round function has degree to over at you. In other words, if we want to make sure that our function has degree at least two over s, we need to figure out how many rounds we can linearize and turns out that we can linearize the first two rounds. So from this it immediately follows that if we have s plus two rounds then PC will have degree two to the power s and these higher order differential attacks are no longer a problem. And as people have done in the past in other papers, we also conjecture that if Simeon is secure against higher order differential attacks then automatically it is secure against interpolation attacks as well. Then we have considered group nerve basis attacks. The idea behind a group nerve basis attack is that you represent your cipher as a system of equations, and then the system of equations corresponds to an ideal. And the group nerve basis is a particular kind of generating set for this ideal, from which it is easy to to read off the solutions to your original system of equations. In general this this happens with back substitution. So importantly, the cost of computing a group nerve basis depends on the number of indeterminates in your system of equations, the number of such equations and their degrees. We have considered a number of strategies that we thought were the most promising. The first one was relating the input to the output. And in this strategy the attacker has both PC and PE involved, and you can kind of view them as one big permission permutation where the number of rounds involved is the sum of the number of rounds of PC plus the number of rounds in PE. The idea is that each nonce is input at the start. But you don't know that the two key bits so the two key elements so the two keys are actually the indeterminates. So if we then have two nonce inputs, this means that we have actually two equations in two key indeterminates. And the goal is to pick the number are of such rounds. So we have a group nerve basis computation to be infeasible. So we want. So we have actually a system of equations of degree two to the power r. And then we plug this into the group nerve basis cost and it follows that already by picking for PC, the number s plus six for the number of rounds. That's enough to the part this this kind of attack. This relating the intermediate state to the output. So in this case, only the permutation PE is involved. And here we have an unknown intermediate state, the state actually after applying PC to the nonce and the two key elements. And the goal of the attacker is to recover this unknown intermediate state because from that intermediate state it becomes easy to to break the system. What we have done is conjecture that a different kind of, of modes is, let's say easier to to break than the original mode. So if we can not break the easy mode, then it's also not possible to break the motive we're actually using. So what we are considering here is a mode in which the key addition that is in the middle has been moved to the end again, because that allows us to consider differences. And by considering differences, we can remove this key addition at the end. But what do we do we consider two nonsense. And each nonce leads to an unknown state of three unknown elements. And that gives actually three indeterminates. And because we are considering two nonsense we have six indeterminates. And it turns out that we then have a system of six equations in six indeterminates of degree two to the power minus one to the power r to the power r plus one and two to the power r plus two. And by substituting these numbers into the grubner basis cost equation. We find that if we choose are such that it's at least as plus 37 over 12, then this kind of attack becomes invisible invisible. And that's then the number of runs that we choose for this PE permutation. So this gives the following table where a particular interest is the row in the middle, where we consider a data limit of two to the power s over two elements, where this corresponds to the birthday bound. So for PC we then have a number of rounds equal to two thirds of s plus six. For the PE we have the maximum of six and as possible 37 over 12. And I just wanted to point out that if you for choose for as the number 128 which is a kind of standard security level then the number of rounds for PC is much, much larger than PE. And not is not something that you can neglect because PE is called many different times, depending on the number of output words. So, in this table you see what I showed at the beginning in a graph, but here with concrete numbers. And I would just like to show you the first row that will see minion, where in both it shows you the number of multiplications, which is equal to 14 times t over two plus T plus 89. This 89 follows from the number of permutation sorry the number of rounds of the number of multiplications of the PC permutation, which is called only once. Then for each running function in the mode. One multiplication is performed so that's why we have this T value here. And each PE call has for around 14 multiplications involved, however, you output also two elements. So that's why you have this this 14 times to T over two years. So indeed we think we are quite competitive. Now we have done some preliminary security analysis. However, we believe that maybe more can be done so we encourage you to try and break round produced versions of see me. Moreover, we have a version of see minion in the paper, in which the round sorry the the rolling function is instead of a linear linear to maybe even minimize the multiplications further, and we also encourage you to have a look at that. I would like to conclude this talk and thank you for your attention.