So, hello back everyone, this is now the last session of today, before the rump session. And this session is about new exciting results on the AES, new cryptanalytic results. So the first paper is called New Yoyo Tricks with AES-based Permutations by Dhiman Saha, Mostafizar Rahman and Goutam Paul, and Mostafizar will give the talk.
Thanks for the introduction. What I have to present today is a joint work with Dhiman Saha and Goutam Paul. It's New Yoyo Tricks with AES-based Permutations. And in this work, we have tried to devise distinguishers for AES-based permutations. For this purpose, we have chosen two AES-based permutations, AES in the known-key setting, and the AES-based permutation AESQ. This is a typical distinguishing setting where a distinguisher D tries to distinguish between a uniform random permutation and a given permutation. So, our distinguisher will work in the adaptive chosen plaintext and ciphertext setting, and the attacks will look quite similar to the boomerang attacks. We will give some difference to the plaintext and will get in the returned pair some difference. So, we choose the two plaintexts with some difference alpha; there are some special ways to choose the alpha, which we will discuss later in the slides. And we use round-reduced ciphers to encrypt them and get a new pair of texts C1, C2 with a given difference beta. And now we use the function MSOF on C1 and C2 to obtain a new pair of ciphertexts C1 dash and C2 dash. And the relation between C1 and C2 dash is that C1 dash, the difference of C1 and C2 dash is equal to the difference of C1 and C2. And C1 dash and C2 dash are decrypted using the round-reduced cipher and a new pair of plaintexts is obtained. Now, we look into the matter where, actually this work is done by Sondre Rønjom et al. in 2017. And they showed that there is a special relation between this alpha and delta.
And they found out that the zero difference pattern between alpha and the delta is equal for two generic SPN rounds. So, for the round-reduced ciphers, they use the two generic SPN rounds. And they showed this result that for two generic SPN rounds, the zero difference pattern of P1 and P2 is equal to the zero difference pattern of P1 dash and P2 dash. And they generalized this work and used this result to find the first key-independent yoyo distinguisher of AES. And also, they implemented this error to find the five-round key recovery attack.
So, how does the MSOF work? We have defined two things there, the MSOF function and the zero difference pattern. MSOF works like this: this is the typical AES super S-box. So, in the upper part of the super S-box, these are the diagonals. And the diagonals are the super S-box parts. So, if we want to implement the super MSOF function on the upper parts, what we'll do is swap according to the diagonals. So, there are four diagonals. And in total, there are 14 combinations of the swapping functions. And if we want to swap in the last layer of the super S-box, we'll swap according to the inverse diagonals. And here also, there are 14 combinations of the swap functions. And this is the example of the swap, how the swap works. There are two AES states. And after the swap, there's only one diagonal swapped between them. And this, the new states became. This is how the swap function works.
And the zero difference pattern is, we just draw two plaintexts and see whether some of the super S-boxes are active or not. If the super S-box is active, we denote it by zero, and otherwise it is one. So for this particular case, the ZDP becomes 0-1-1-1-1. And the weight is the number of inactive super S-boxes in the difference. So the yoyo game basically works with choosing new pairs of plaintexts and ciphertexts. And these are made adaptively. And while making these new pairs of texts, a certain property is kept invariant.
And at the end of the game, we verify whether the property is satisfied or not. So this work is basically done by Sondre Rønjom et al. We exploited their work and further extended the results.
So our target here is the AESQ permutation, which is an AES-based permutation, and the AES in the known-key setting. This is the AESQ permutation, two round. You can see there, there are four AES states. Each of the states goes through two rounds of AES rounds. And after that, there is a permutation. And in the original AESQ, these steps are repeated 10 times. So there are 20 rounds in total. And to implement the SLS work of the yoyo game, we have to first identify the super S-boxes or some other non-linear construction in these results, in these works. So first we have identified the super S-boxes in AESQ. We can see that this is similar to the AES super S-boxes. And there are 16 super S-boxes in this result. So now we can use the SLS, yoyo game on the SLS work in this result directly. And these are the mega S-boxes of AESQ, which were given by the designers themselves. It covers 3.5 rounds. And the super S-boxes also start from the even rounds. And the mega S-boxes also start from the even round. And in the last round, the MixColumns is omitted.
Now the first result, which is the direct implementation of the yoyo result. So first the four mega S-boxes, it starts from round 2. So there are 3.5 rounds. The MixColumns completes the fourth round. And after that, again, the 3.5 rounds of mega S-boxes. So in total, there are eight rounds. And it starts from the even round. That's why it's AESQ 2 to 9. And in this, we can directly implement the result of the yoyo paper. So for extending those results, which are already implemented in the yoyo game, we look further into the super S-boxes themselves.
So like previous, where only the super S-boxes are denoted, whether they are active or inactive, we further look into the super S-boxes themselves and denote whether each of the bytes in the super S-boxes is active or not active. So for the first super S-box, all its bytes are active. So nu square alpha 0 is 0. And see the last super S-box, that is alpha 3. Only one byte is active. So its value is 0, 1, 1, 1.
So our first strategy to extend the yoyo game is the prepend-append strategy. So what we have done, this is the classical yoyo game. And this is the deterministic distinguisher, because nu of beta goes to nu of eta with probability 1. Now to prepend, we have added one round to it. We have prepended some round with probability P. And the same rounds are added at the end of the game with some probability. So alpha to delta now will not be a deterministic distinguisher. It will come with some probability. And we have implemented this for the R9 round, starting from round 1. So what we have done here, for the first part, we have activated only one super S-box. And there are only four bytes. And after the one round, because there are ShiftRows and MixColumns, with probability 2 to the minus 22, the 4-to-1 property will come. And only one super S-box, only one byte will be active in beta. That means one mega S-box gets active in beta. So in eta, there will be one mega S-box active. And that means there are 16 bytes in each mega S-box; with some probability, one of those bytes will be inactive in eta. And which in turn, in delta, makes four bytes inactive. This is an example of this result. There are four bytes in alpha which are active. After the first round, due to the property of MixColumns, one byte gets active with probability 2 to the minus 22. And due to the yoyo game, there is one mega S-box active here. And with some probability, we get one byte inactive in the active mega S-box, which in turn, in the delta, gives us four free bytes.
So our strategy is composing impossible differentials with the yoyo game. For this, we have used the inverted yoyo, like the previous yoyo. We can play the yoyo game in both directions. Here, we'll use the inverted one. So in this, we have first used the inverted yoyo game. And then we have appended a linear layer. And after that, we have appended an S-desk layer. Here, S-desk can be a sub S-box, super S-box, or mega S-box, anything it can be. And after that, we get beta. And we try to impose an impossibility condition on beta based on alpha. And we have applied this result to find the six-round AES distinguisher, and AESQ distinguishers for nine, 10, and 12 rounds.
This is the impossible differential for six-round AES. So here, in the SLS construction, S means on super S-box. So SLS compose the 3.5 rounds on the left side. So 3.5 rounds, and L means they had the MixColumns. And after that, again, 1.5 rounds. In total, it makes six rounds without the last MixColumns. So it starts in alpha, we make one super S-box active. So in gamma, there will be one super S-box active. So that means that in each column, there is one byte active, at least. There will be one byte active. So after MixColumns, all the four bytes will get active in one column, which in turn will activate all the super S-boxes. So in delta, for the AES case, we will never have the case that we get an inactive super S-box. This is the impossibility condition, and this is how the AES six-round distinguisher is devised.
For AESQ, the same thing is done. We have used the previous result of AESQ two to nine. And after appending the linear layer, that is the MMC, the mega MixColumns layer. For 10 rounds, we have appended simply the S-box to extend one round. For the 11 rounds, we have appended the super S-boxes to extend two rounds. And for the 13 rounds, we have appended mega S-boxes to extend four more rounds. And these are all the same conditions, like impossibility conditions.
Now the last one is the bidirectional yoyo game. Here we have used two yoyo games, and those are joined by the linear layer. So this is the first inverted yoyo game. And then we have appended a linear layer, and after that we have used another yoyo game. Now we start from alpha, get the delta, and try to impose an impossible condition on delta based on alpha. We have used the strategy to find distinguishers for eight-round AES and 16-round AESQ. So these are the distinguishers.
So what I mean here, in the AES case, again we start with one super S-box active in alpha, and in eta we get one super S-box active. So there will be one active byte in each column. So after MixColumns, all the four bytes will be active in each column, which in turn makes all the super S-boxes active. So in delta, all the super S-boxes will be active for the AES. So in AES we'll never get an inactive super S-box. In the AESQ case, what do we get? Instead of super S-boxes, we are using mega S-boxes. So in alpha we are activating only one mega S-box, which in turn, in eta, will activate only one mega S-box due to the yoyo game. So in delta, due to the MixColumns, all the four bytes of a column will be active. So this activates all the four mega S-boxes. So in delta, all the four mega S-boxes will be active, and the impossible condition is that in delta, we'll never have an inactive mega S-box.
These are the distinguishers on AESQ, and our work reports the first nine-round distinguishers, starting from round one. We have also reported the eight-round deterministic distinguishers, and all other distinguishers using negligible memory, very. These are the eight-round known-key distinguishers, and again, due to the bidirectional yoyo game, we are using very negligible memory, and these are the distinguishers which are reported in this work.
In total, we have reported eight distinguishers, of which six are related to AESQ, and two are related to AES, and all of the distinguishers are using negligible memory. So we have shown new ways to extend the yoyo game. We have composed classical differentials and impossible differentials with the yoyo game, and also we have composed two yoyo games to show the bidirectional yoyo game. And our technique can be used for the public permutations, and using these techniques, we have so far achieved the best results for AESQ, and we have also shown new known-key distinguishers for AES, and all the practical distinguishers that have been reported in our work have been practically verified. Thank you.
So we have time for some questions. Okay, I have a question. So when you look at AESQ, do you think you could improve its security by modifying the mixing layer where the wire mixing in between the AES rounds? Is it a weakness that you exploit in your attack, or is it optimal? I mean, could you make AESQ stronger by changing this mixing layer?
No, we have not looked into that till now, but we'll certainly look into that.
Okay. Thank you.
Thank you.
Let's thank the speaker again.