Thank you for the introduction. Welcome to all. I will present some recent results about the decorrelation theory. This is my title: "Resistance against Iterated Attacks by Decorrelation Revisited". It's a joint work with Atefeh Mashatan and Serge Vaudenay.

This is my outline. I will first briefly talk about the decorrelation theory, which is defined in the Luby-Rackoff model. Then I will mention the advantage of an adversary and a distribution matrix of a block cipher, and its link with the advantage of the adversary A. Later I will talk about contributions of the paper, which are solving two open problems. These are necessary conditions for the security of block ciphers and the effects of input distribution on the advantage of the adversary.

As you all know, in asymmetric key cryptography, the security of cryptosystems relies on some hard problems like factorization, discrete logarithm. But this is not almost the case in symmetric key cryptography, especially for block ciphers. It's not an easy task to prove security against existing attacks. It can be done somehow in ad hoc ways, but no one knows what will happen if a new attack is proposed. To fill this gap, Vaudenay proposed the decorrelation theory as a tool for proving security of block ciphers against a wide range of statistical attacks. These attacks can be differential attacks, linear attacks, truncated differential attacks, and their variants. The bit of this theory is that one can even prove the security of the primitives against not yet discovered attacks. Although this theory is not very practical to prove the security of existing ciphers like AES or KASUMI, there are many block ciphers whose security was proven by this theory. For example, DFC, I think they correlate space cipher, not families of block ciphers. The block cipher C and Cray is a Feistel cipher, which is called KFC.

The decorrelation theory is defined in the Luby-Rackoff model.
In this model, the adversary is unlimited in terms of computational power, but it is limited in the number of queries that he makes. When the adversary makes d queries to the oracle, we call this adversary a d-limited adversary.

Let's see how this distinguisher works. There is an oracle omega, which either implements an instance of a random block cipher C or the ideal block cipher C star. This ideal block cipher is a permutation, which is selected uniformly at random over all permutations. There is an adversary A. The adversary makes d queries to the oracle. Then the oracle replies with d outputs. The goal of this adversary is to guess whether or not this block cipher is implemented in the oracle. If the adversary thinks that C is implemented, he outputs one, otherwise zero. When these inputs are chosen at once, we call this adversary non-adaptive.

The success of this distinguisher or this adversary is measured by the advantage, which is defined like this. This is the probability that A thinks that C is implemented in the oracle and probability that A thinks that C star is implemented. When designing a block cipher, our aim is to minimize this advantage for all adversaries, which are limited to some number of queries. If this is the case, we call the block cipher secure. Computing this advantage for a block cipher is not easy, but the decorrelation theory provides some tools for computing the best advantage. The best advantage is the maximum advantage over all limited adversaries.

We compute this advantage by means of d-wise distribution matrices. Basically, if M is the message space, this matrix has size the cardinality of the message space to the power d, and the same here. Each row is indexed by the input tuples, which includes all possible inputs here. Each column is indexed by the output tuples, and we have all possible outputs here.
Each entry, we call it P, is the probability that the corresponding input tuple is mapped to the corresponding output tuple by this block cipher C. And the best advantage of distinguishing between C and C star was proven to be half of the distance between the decorrelation matrix of C and C star. Here we use the L-infinity matrix norm, which is defined here for non-adaptive adversaries. When we look at the definition here, the sum is maximized by the inputs, and these inputs are chosen at once, like our non-adaptive distinguisher. So this is the most suitable norm to compute this best advantage.

Let's move to the iterated distinguisher, which is simply the iteration of the limited non-adaptive distinguisher a number of times. Let's call it n times. Roughly speaking, we have an adversary again, and we have an oracle which implements either C or C star, either cipher. And the adversary sends the inputs to the oracle, and the oracle replies with the outputs. And the adversary picks the test function, and this test function outputs one or zero according to some calculations. And this one round is iterated a number of times. At the end of these iterations, the adversary picks another set, a set we call the acceptance set here. If the output tuple, the outputs of all iterations, we call them t1 up to tn, is in this set, the adversary says that yes, C is implemented in this oracle and outputs one, otherwise zero. The algorithm is given here basically.

And this set of attacks includes many statistical attacks that we know. For example, a linear attack is an iterated attack of order one, because in each iteration, the adversary sends one input, let's say, a plaintext to the oracle and gets the output and computes their mask and iterates this several times. A differential attack is an iterated attack of order two. Here the adversary sends two plaintexts with some difference to the adversary that gets its output.

Let's move to one of the main theorems of this theory.
This theorem proves the upper bound on the advantage of the iterated distinguisher. Here we have an adaptive iterated distinguisher of order d. This means that the adversary sends the inputs to the oracle in each iteration. And there is a block cipher, a random block cipher, a 2d-decorrelated block cipher, such that its distance to the ideal cipher is epsilon. This advantage is bounded by this formula. Here n is the number of queries, m is the cardinality of the message space, and there is here the delta parameter, which is the probability that any two iterations have at least one query in common. This delta is important here because one of the open problems is related to this delta.

And this theorem poses two open problems. The first problem is whether it is possible or not to extend this theorem for a cipher with one less decorrelation degree, 2d-1. But we show that this is not possible by giving a counterexample. The second open problem is the effect of high delta on the advantage. Because in this advantage, if delta is high, the advantage can be high. So we try to show that this extension is possible, but we gave a counterexample such that this is not possible.

Let's first give a three-round Feistel scheme that we created to use our distinguishers. Each f function is a polynomial over a finite field, a polynomial of degree kappa minus one over a finite field with characteristic p. Each coefficient is uniformly distributed over this finite field. We know that these three f functions are perfect or ideal functions. This was proven before. And according to the Luby-Rackoff theorem, this block cipher is kappa-decorrelated with epsilon, which is 2 kappa squared over the cardinality of K.

Let's move to the solution of problem one. Here, we gave a counterexample such that we proposed a block cipher with decorrelation 2d-1. And we broke it by a non-adaptive iterated distinguisher of order d. In this presentation, for the sake of simplicity, we consider d is equal to 2.
We used the previous construction with kappa equal to 3, with Galois field characteristic greater than 2. And we focus on distinguishing the right part of the ciphertext because, by this way, we can also distinguish the block cipher C. Here f can be written as a function of f1 and f2, a composition of f1 and f2, which is a polynomial of degree at most two. Since the attack has two iterations, in each iteration, we have chosen plaintexts such that the right part is zero and the left part is something zero and they are different. When we write f as a polynomial of degree at most two, we are able to recover a1. The adversary sends two inputs to the oracle with the given property that I mentioned before and he gets two outputs. Since the adversary knows two inputs on f here and the input has these two properties, by subtracting one from another, we can easily get a1 here. The point here is that a1 is fixed for f, but it's random for the ideal function. So even with two iterations, we can distinguish f from f star. So we can distinguish C.

Let's move to the solution of problem two. Here we show that high delta, the probability that any different iterations may have common queries, can help the adversary. We gave a counterexample to show this. We proposed a cipher with decorrelation 2d and we broke it by an iterated attack of order one. For the simplest case, we consider d is equal to 1 here, but in the paper there are general cases for both distributions. We use again the previous construction. Here, in order to have high delta, we consider the adversary's choice of plaintext as very small. For the d equal to 1 case, we consider this s as four elements. These elements have right part zero and the left parts are these things and they sum to zero. Since the attack is an iterated attack of order one, in each iteration, the adversary picks a random plaintext from this input set. Here the delta, this probability delta is one part.
Let's first recall the trace of an element in a Galois field, which is the sum beta, beta squared, up to beta to the power 2 to the k minus one. Then we notice a distribution property of f, which is not intuitive. We notice that the sum of all traces here, the trace of f of the x i's, is zero when we consider all elements in this set. This is because of the linearity of the trace, and f is a polynomial, and the characteristic of this field is zero. We notice this implies that in fact there is an even number of f i's such that their trace is equal to one. This is a distinguishing property of f because for the ideal function, this is not the case.

Basically, in the distinguisher, the adversary computes the trace of the right ciphertext in each iteration and at the end of all iterations, he calculates the average of all outputs of the iterations, and what we expect from, we call it t bar, what we expect from this t bar for the f function or for the ideal function. Because of the previous property here, there is an even number of f i's such that their trace is one. We expect that these expected values for f will be around zero, two over four and four over four. But for the ideal function, it will be around every point here. Now, if we pick our distinguishing set around these points, zero, two over four and four over four, with some number of iterations, we can distinguish f from f star with high advantage. According to the advantage complexity, in the paper, I computed that for this case, we need one thousand iterations to distinguish f.

To conclude, we settled two open problems in this theory. We conclude that 2d minus one decorrelation degree is not sufficient for a cipher to resist against a non-adaptive iterated attack of order d. Also, we conclude that if the probability of having a common query between different iterations is high, the advantage of the distinguisher can be high, too. Thank you. Any questions?
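
The trace test from the second counterexample, as an added example that is not part of the talk or the paper: it checks that a random low-degree polynomial f always has an even number of trace-one outputs on a four-element input set summing to zero, and applies the acceptance set around 0, 2/4 and 4/4. Assumptions of this example: the field is GF(2^8) (characteristic 2) with a constructed reduction polynomial, f is modelled directly as a random polynomial of degree at most 2 rather than as the full three-round Feistel scheme, and all function names are hypothetical.

```python
import random

K, MOD = 8, 0x11B   # GF(2^8) with an irreducible polynomial (constructed choice)

def gf_mul(a, b):
    """Multiply two elements of GF(2^K)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a >> K:
            a ^= MOD
        b >>= 1
    return r

def trace(beta):
    """Tr(beta) = beta + beta^2 + ... + beta^(2^(K-1)); the result is 0 or 1."""
    t = 0
    for _ in range(K):
        t ^= beta
        beta = gf_mul(beta, beta)
    return t

def input_set(rng):
    """Four distinct field elements whose sum (XOR) is zero."""
    a, b, c = rng.sample(range(1 << K), 3)
    return [a, b, c, a ^ b ^ c]

def random_poly(rng, degree=2):
    """f: polynomial with uniformly random coefficients (Horner evaluation)."""
    coeffs = [rng.randrange(1 << K) for _ in range(degree + 1)]
    def f(x):
        y = 0
        for c in coeffs:
            y = gf_mul(y, x) ^ c
        return y
    return f

def random_function(rng):
    """Stand-in for the ideal function f*: an independent uniform output per input."""
    table = [rng.randrange(1 << K) for _ in range(1 << K)]
    return lambda x: table[x]

def t_bar(func, s, n, rng):
    """Average of the trace bit over n iterations, one random query from s each."""
    bits = [trace(func(x)) for x in s]
    return sum(rng.choice(bits) for _ in range(n)) / n

def accepts(tb, width=0.1):
    """Acceptance set: t_bar close to 0, 2/4 or 4/4."""
    return min(abs(tb - c) for c in (0.0, 0.5, 1.0)) < width
```

With 1000 iterations the polynomial always lands in the acceptance set, while a random function lands there only when its four trace bits happen to contain an even number of ones, which is about half the time.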