Hi everyone, I'm Haoyang Wang. I'm here to present our CRYPTO paper, the MALICIOUS framework: embedding backdoors into tweakable block ciphers. This is joint work with Thomas Peyrin. When people hear about the backdoor of an encryption system, most of the time it refers to those weaknesses intentionally created at the implementation level, such as protocols for key management and key escrow. Another type of backdoor is a cryptographic backdoor. It is embedded during the design phase of a cryptographic algorithm. However, there are very few known examples of such backdoored algorithms used in reality. Here are two examples. The first one is Dual EC. It is a pseudo-random number generator designed by the NSA. It has been verified by Snowden and many other researchers that it has a backdoor inside. The second example is the two algorithms, Kuznyechik and Streebog, which were selected as Russian standards. Their S-box was proved to have a special structure which was not claimed by the designers, so it might be a backdoor, but this has not been verified yet. In academic research, there are also a limited number of works focusing on this topic. Unfortunately, almost all designs were either broken or cannot provide a solid security proof. In this work, we try to make some progress in this research field. Firstly, we propose the MALICIOUS framework to embed backdoors into tweakable block ciphers. Then, we show that our backdoor is efficient, which means that if you know the backdoor, you can easily recover the secret key used in any communication. We also provide a concrete security bound for our backdoor so that it is difficult for any adversary to recover the backdoor. Lastly, we provide a cipher example called LowMC-M based on this framework and give a security proof of this cipher. Now, I will explain the MALICIOUS framework. This framework uses three essential components. The first one is tweakable block ciphers.
Compared to a block cipher, a tweakable block cipher has an additional input, the tweak, in order to select the permutation computed by the cipher even if the key is fixed. For the usage of the tweak, there is no need to keep the tweak secret, so an attacker could know the exact value of the tweak used in that encryption. Even more, the attacker could have full control of the tweak, so that he can choose whatever value he wants for the tweak. This attack scenario is also called the chosen-tweak scenario. The second component is partial nonlinear layers in block ciphers. When designing a block cipher, one of the most popular methods is the substitution-permutation network. Each SPN round consists of a linear layer and a nonlinear layer operating on the internal state. A partial nonlinear layer is a special case of SPN where the nonlinear layer is only applied to a subpart of the internal state. So for an S-box-based block cipher, a part of the state will bypass the S-boxes in each round and only go through the linear layers, as shown in this picture. For typical ciphers, Zorro is the first block cipher that adopts this structure, but it was broken shortly after its publication. But this doesn't mean this structure is not secure. Later, a family of block ciphers, LowMC, was proposed, where the nonlinear layer size can be set arbitrarily, and this cipher remains secure so far. The last one is extendable-output functions. An XOF is a generalization of a hash function which maps an arbitrary-length input to an arbitrary-length output. An XOF can also be used as a classical hash function by setting the output length fixed. A good XOF has to satisfy security notions such as collision resistance, preimage resistance, and second-preimage resistance. There are not too many XOF algorithms. The typical ones are SHAKE128 and SHAKE256. They are defined in the SHA-3 standard, and later we will use them to build concrete instances. This is the MALICIOUS framework.
It is used to build key-alternating tweakable block ciphers. In each round, a subkey and a subtweak are added to the internal state. The key schedule is not specified and can be any appropriate algorithm. The framework has two special features. The first one is that the round function is composed of a linear layer and a partial nonlinear layer. Secondly, the tweak schedule is selected as an XOF. The concatenation of all the subtweaks is the output of the XOF. One can instantiate the framework with any components he wants, but in order to embed backdoors, some specific steps have to be followed. Till now, you may still wonder what kind of backdoor can be embedded inside this framework. The answer is a related-tweak differential characteristic with probability one. With the knowledge of this in an attack, one can recover the secret key in one second. This picture illustrates the basic pattern of the one-round characteristic. The blocks represent the difference of the internal state. The hatched blocks are known non-zero differences, while the white blocks are zero differences. As we can see, the subtweak difference Δt_{i-1} introduced by the tweak addition operation cancels the difference of a part of the internal state, so that the part going through the subsequent nonlinear layer will have zero difference. Based on this principle, we can extend such a characteristic to enough rounds for an attack. However, this differential characteristic cannot be used by any external entity, because it can only be triggered by a certain tweak pair. We call it the malicious tweak pair, and it should also be kept secret by the cipher designer. Accordingly, the attack using the backdoor is under the chosen-tweak scenario. Now I will explain how to build the backdoor. Firstly, we should choose a pair of tweaks and keep them secret. This is the malicious tweak pair.
Next, for both of the tweaks, compute the subtweaks with the chosen XOF and then simply XOR them to obtain the subtweak differences. The next step is to generate the differential characteristic and the linear layers. Firstly, select a plaintext difference Δp as the input difference of the differential characteristic to be generated, with the requirement that the difference of its nonlinear part should be equal to the difference of the nonlinear part of the first subtweak difference. This is illustrated in the picture on the left side. Then we just need to generate the differential characteristic round by round by selecting an appropriate linear layer for each round, with the requirement that after the linear layer, the difference of the nonlinear part of the state can be neutralized by the next subtweak difference, as shown in the picture on the right side. The remaining components of the cipher, such as the S-boxes and the key addition, don't affect the differential characteristic, and the specification of these components should be determined to ensure the overall cipher security. We also note that it is possible to embed multiple such differential characteristics by just selecting other plaintext differences and adding extra constraints to the linear layers. Now I will explain the backdoor security of the MALICIOUS framework. Firstly, let me introduce the security notion target difference resistance. Its definition is as follows. A hash function H is target difference resistant if it is hard to find two inputs X and Y such that H(X) XOR H(Y) equals Δ, where Δ is a nonzero constant. This notion is similar to the classical collision resistance of a hash function, where Δ equals zero. The complexity is also the same as that of collision resistance, that is, the birthday bound of 2 to the power of n over 2, where n is the length of the hash value. Target difference resistance naturally applies to XOFs, as an XOF is also a kind of hash function.
In terms of SHAKE128, its security strength against this attack is the minimum of n over 2 and 128, and the security strength is doubled for SHAKE256. Now I will show that the backdoor is protected by the XOF. Assume that the embedded differential characteristic is publicly known, that is, the plaintext difference, the internal state differences and the subtweak differences are known. Even then, finding the malicious tweak pair is still difficult. Actually, this task is equivalent to solving the target difference problem of the XOF, as shown in this equation. Given the string of the subtweak differences, the target of the attacker is to solve the equation to find the malicious tweak pair. If the length of the subtweak string is long enough, the complexity can be 2 to the power of 128 for SHAKE128 and 2 to the power of 256 for SHAKE256. Actually, there might exist other backdoors in the framework. Since we did not fix the tweak length, as long as the attacker can find a tweak pair whose output difference is the subtweak differences, it will discover a backdoor, even if this one is not embedded intentionally. Moreover, it is also possible that there is a suitable tweak pair for a randomly given differential characteristic. That is, the subtweak differences can be any given value. All of these tweak pairs imply new backdoors which are not intentionally embedded. However, finding these backdoors is still as hard as finding the originally embedded backdoor. Next, I will explain a concrete instantiation of the MALICIOUS framework, which is named LowMC-M. LowMC-M is a family of tweakable block ciphers derived from the block cipher LowMC. Compared to LowMC, it has an additional tweak addition in each round, and it also uses an optimized representation where the key, the tweak, and the constant are only added to the nonlinear part of the internal state. A single round of LowMC-M is depicted in this picture.
The size of the nonlinear layer s can be set arbitrarily by choosing the number of S-boxes used in the round function. The linear layer is an invertible binary matrix operating on the full state, which is different in each round and can be chosen randomly. But in order to embed a backdoor inside LowMC-M, the linear layer matrices have to be customized following the building steps of the MALICIOUS framework. Lastly, the tweak schedule used in LowMC-M is SHAKE128 or SHAKE256, depending on the expected security of the backdoor. We proposed three security notions to capture the backdoor security in different aspects. Accordingly, we proved that LowMC-M has the following security properties. Firstly, LowMC-M is undetectable. As I explained, an instance of LowMC-M can be generated without any backdoor by choosing the linear layers randomly, or we can generate an instance with a backdoor by designing special linear layers. However, we show in our paper that the attacker cannot detect the distinction between these two kinds of instances. Secondly, the backdoor in LowMC-M is undiscoverable. It is computationally difficult for the attacker to recover the backdoor. This is due to the target difference resistance of the XOF. Lastly, but unfortunately, our backdoor is traceable, since the attack using the backdoor is a chosen-tweak attack and also a chosen-plaintext attack, because this is a differential attack. Once the backdoor is used in an attack, it will reveal the selected tweak values and plaintext values. The entities who know them can try all the combinations of them to recover the backdoor. Without considering the backdoor, the cipher is also secure in the classical black-box model. We proved in our paper that the security of LowMC-M can be reduced to the security of LowMC, and currently, LowMC remains very secure. Since LowMC-M has an additional tweak, we discussed the security in two aspects. The first one is attacks without using the tweak.
Without considering the tweak, LowMC-M is an equivalent representation of LowMC, and there's nothing different if no backdoor is embedded in LowMC-M. Even if a LowMC-M instance is backdoored, we showed that the customized linear layer matrices can be considered as independently and randomly chosen from the view of the attacker. Thus, the attacker cannot utilize the special linear layer matrices to attack the cipher. Secondly, attacks based on the tweak. Since the tweak schedule is an XOF, the attacker can't control its output, so the tweak can't provide any additional advantage for the attacker. For future work, since we only use the framework to build block ciphers, can we build other backdoored cryptographic algorithms such as hash functions and MACs? For the usage of the backdoor, we only apply it to a plain differential attack. Are there any other cryptanalysis techniques that work more efficiently? Lastly, since our backdoor is traceable, how can we make it untraceable so that it can be used powerfully? That's all. Thank you for watching this presentation.
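To make the construction steps in the talk concrete, here is an added toy instance of the framework in Python; it is not code from the paper or from any LowMC-M reference implementation. It assumes a 16-bit state with a 4-bit nonlinear part, PRESENT's 4-bit S-box, SHAKE128 as the tweak schedule, the same subkey in every round (the framework leaves the key schedule unspecified), and constructed tweak and key values; real parameters are far larger. The linear layers are generated round by round so that the subtweak differences of the chosen pair cancel the nonlinear part of the state difference, and the resulting related-tweak characteristic is then checked to hold with probability one for that pair and to fail for an unrelated tweak.

```python
import hashlib
import random
N, S, R = 16, 4, 6                 # state bits, nonlinear-part bits, rounds (toy sizes)
NL = (1 << S) - 1                  # mask of the nonlinear part: the low S bits of the state
SBOX = [0xC, 5, 6, 0xB, 9, 0, 0xA, 0xD, 3, 0xE, 0xF, 8, 4, 7, 1, 2]   # PRESENT 4-bit S-box
def subtweaks(tweak):              # tweak schedule: XOF output cut into R+1 N-bit subtweaks
    out = hashlib.shake_128(tweak).digest((R + 1) * N // 8)
    return [int.from_bytes(out[i * N // 8:(i + 1) * N // 8], "big") for i in range(R + 1)]
def mat_mul(rows, x):              # N x N binary matrix (list of row ints) times an N-bit vector
    return sum(1 << i for i, r in enumerate(rows) if bin(r & x).count("1") & 1)
def invertible(rows):              # Gaussian elimination over GF(2): does the matrix have full rank?
    rows = list(rows)
    for c in range(N):
        piv = next((i for i in range(c, N) if rows[i] >> c & 1), None)
        if piv is None: return False
        rows[c], rows[piv] = rows[piv], rows[c]
        for i in range(N):
            if i != c and rows[i] >> c & 1: rows[i] ^= rows[c]
    return True
def encrypt(key, layers, tweak, p):   # per round: subkey + subtweak, partial S-box layer, linear layer
    t, x = subtweaks(tweak), p
    for i in range(R):
        x ^= key ^ t[i]
        x = (x & ~NL) | SBOX[x & NL]  # only the low S bits pass through S-boxes
        x = mat_mul(layers[i], x)
    return x ^ key ^ t[R]             # final whitening with the subkey and the last subtweak
def embed_backdoor(t0, t1, rng):
    # Choose linear layers so that the tweak pair (t0, t1) triggers a probability-one related-tweak
    # differential; returns (plaintext difference, ciphertext difference, linear layers).
    dt = [a ^ b for a, b in zip(subtweaks(t0), subtweaks(t1))]
    dp = (rng.getrandbits(N) & ~NL) | (dt[0] & NL)    # nonlinear part of dP equals that of dt[0]
    layers, d = [], dp
    for i in range(R):
        d ^= dt[i]                                    # nonlinear part is now zero: S-boxes pass d
        assert d, "degenerate characteristic; choose another tweak pair"
        while True:                                   # random invertible layer whose output has the
            rows = [rng.getrandbits(N) for _ in range(N)]   # nonlinear part that dt[i+1] cancels
            if invertible(rows) and (mat_mul(rows, d) & NL) == (dt[i + 1] & NL): break
        layers.append(rows); d = mat_mul(rows, d)
    return dp, d ^ dt[R], layers
def characteristic_holds(key, layers, t0, t1, dp, dc, rng, trials=200):
    return all(encrypt(key, layers, t0, p) ^ encrypt(key, layers, t1, p ^ dp) == dc
               for p in (rng.getrandbits(N) for _ in range(trials)))
def demo(seed=1):                  # constructed malicious pair (t0, t1), a third tweak, and a key
    rng, key, t0, t1 = random.Random(seed), 0x1234, b"tweak-A", b"tweak-B"
    dp, dc, layers = embed_backdoor(t0, t1, rng)
    return (characteristic_holds(key, layers, t0, t1, dp, dc, rng),
            characteristic_holds(key, layers, t0, b"tweak-C", dp, dc, rng))
```

Recovering the pair `(t0, t1)` from the public characteristic means solving `subtweaks(t0) XOR subtweaks(t1) = dt`, which is exactly the target difference problem on SHAKE128 that the talk's security bound rests on.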