The second talk is entitled "On the Wrong Key Randomisation and Key Equivalence Hypotheses in Matsui's Algorithm 2". It is joint work by Andrey Bogdanov and Elmar Tischhauser, from the Technical University of Denmark and the Catholic University of Leuven, and Andrey will give the talk.

Hello everybody. I will be talking about linear cryptanalysis and, more importantly, about the crucial assumptions one has to make when one wants to estimate the complexity of linear cryptanalysis. More specifically, I will be talking about Matsui's Algorithm 2 and the assumptions behind its complexity estimation. It is joint work with Elmar.

I will start with a very brief overview of what linear cryptanalysis is about, mainly to fix some notation. We have a keyed function with some plaintext and ciphertext, and we have masks on the inputs and outputs of this function. This gives us a linear approximation, and we can compute the probability that the linear approximation holds. Usually in linear cryptanalysis we deal with something like a bias or a correlation value: the correlation is basically two times the probability of the linear approximation holding, minus one, and half of that is what is called the bias.

In Matsui's Algorithm 2, we try to peel off some rounds, maybe at the end of the cipher and also at the beginning of the cipher, and by guessing a partial key and using many inputs and outputs we are able to distinguish the right guess of the partial key from the wrong ones. For the right key we want the counter that counts how many times the linear approximation is actually fulfilled to deviate significantly from N/2, where N is our data complexity, the number of inputs and outputs. So, once again: for each of the candidate keys, for each of our guesses of the partial key, we maintain a counter which we increment whenever the linear approximation is satisfied, and it basically follows a binomial distribution. We expect the counter for the right key to somehow stick out.

To formalise this a bit more, Selçuk proposed the notion of advantage. Suppose we want the counter for the right key to be among the top 2^r counters in our list after we have run our test, and that we guess m bits of the last-round key (the guess can also be in the first round, but let's say for the moment it is in the last round). Then the advantage a is defined as m minus r, which corresponds to the number of key bits gained.

Selçuk then proposed a formula for the estimation of the success probability of the attack, which combines the data complexity, the bias or correlation, and the advantage. All combined, this usually gives you a nice curve for your complexity. But it is based on several essential assumptions. First of all, all the counters are independent. Secondly, and this is exactly the point we will be drilling into here, for wrong key guesses the bias of the approximation has to be zero; in other words, the approximation for wrong key guesses is unbiased. This can be formulated as the standard wrong key randomisation hypothesis, which basically says that whatever the wrong key value is, the linear approximation is unbiased. And of course we know from very early results by O'Connor that this is not true: over the wrong keys the bias is actually normally distributed with mean zero and some non-zero variance, which is fairly small, but we will see that it matters depending on how large the data complexity is. And basically you can see that this holds pretty tightly for concrete ciphers.
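As a concrete reference point, here is a minimal Python sketch of Selçuk's success-probability estimate, assuming its usual form P_S = Φ(2√N·|ε| − Φ⁻¹(1 − 2^(−a−1))) with bias ε, data complexity N and advantage a; the function name and the example numbers are illustrative and not taken from the talk.

```python
# Minimal sketch of Selcuk's success-probability estimate for Matsui's
# Algorithm 2 under the standard wrong-key randomisation hypothesis:
#   P_S = Phi( 2*sqrt(N)*|eps| - Phi^{-1}(1 - 2^{-a-1}) )
from math import sqrt
from scipy.stats import norm

def success_probability(bias, data_complexity, advantage_bits):
    """bias            : |p - 1/2| of the linear approximation (epsilon)
       data_complexity : number N of known plaintext/ciphertext pairs
       advantage_bits  : advantage a, i.e. right key ranked in the top 2^(m-a)"""
    threshold = norm.ppf(1.0 - 2.0 ** (-advantage_bits - 1))
    return norm.cdf(2.0 * sqrt(data_complexity) * abs(bias) - threshold)

# Example (illustrative values): bias 2^-11, N = 2^26 texts, 16-bit advantage.
print(success_probability(2.0 ** -11, 2.0 ** 26, 16))
```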
We checked SmallPresent with a small block size, and here you can see the sampled correlation values over quite a few wrong keys. It is almost never exactly unbiased.

What Selçuk assumes is basically this distribution of the correlation or bias for the wrong keys: it is centred around zero, and the variance of this normal distribution is 1/N, where N is your data complexity. This is because you get some noise from the fact that you are not using the full codebook; when you estimate a correlation or bias value from N samples you get some sampling noise, and this variance corresponds to exactly that noise. For the right key, the centre will instead be the correlation value you have estimated and that you exploit.

What Selçuk's model misses is that for different wrong keys the correlation itself varies, so this distribution is actually a bit wider, and we can easily bring that into the model by just increasing the variance. This can be translated into an adjusted wrong key randomisation hypothesis, which says that the bias for the wrong keys is itself distributed rather than being exactly zero, so that there is an additional variance term compared to Selçuk's model. And it can make a difference, as we will see now.

Let's consider this graph. It is for SmallPresent with a 20-bit block size, so that we are still able to compute the exact correlations and bias values and so on. Here it is important to see that the curve with the pluses is our exact experiment, so it is what you expect in real life. If you take Selçuk's approximation you get this blue curve; if you take our adjusted estimate you get this red one. As for the axes: here we have the advantage in bits, so the number of key bits actually gained, and here you have the data complexity. What this basically says is that up to some value of the data complexity and the advantage, Selçuk's estimate is absolutely fine and follows the experiment pretty tightly. But after some point, when the advantage grows and the data complexity increases, there is a significant discrepancy between the experiment and that estimate.

For instance, say you claim you have an attack with data complexity close to the full codebook, and that you can extract something like 16 bits, and this is important for your attack. If you use Selçuk's approximation you would say that you can still do that, but as the experiments and our estimate show, it is actually no longer possible. So the idea is that once your data complexity grows and you want to extract more key bits from your attack, the picture can become different.

That was the first part, about the wrong keys. Now we switch to the right keys. For the right keys, the standard key equivalence hypothesis is that your approximation has exactly the same value of the bias for all right keys. Maybe this is somewhat trivialised, but it is what many analyses are implicitly using. And we know that this is actually not true: for instance, for key-alternating ciphers we have an exact formula for the dependency between the key value and the bias. What it basically says is that if you consider all the linear characteristics that contribute some absolute bias to the bias of the entire linear approximation, the signs of those contributions actually depend on the key; the signs will be opposite for different key values. Here the linear characteristic is the concatenation of your intermediate linear masks, and the sign depends on its inner product with the expanded key.
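Written out, the two modelling points from this part of the talk look roughly as follows; the exact normalisations, in particular the 2^(−n) term for an n-bit block, are my reading of the argument rather than formulas quoted from the slides.

```latex
% Adjusted wrong-key randomisation (sketch): the empirical correlation
% \hat{c} measured from N texts for a wrong key guess is modelled as
\hat{c}_{\mathrm{wrong}} \sim \mathcal{N}\!\left(0,\ \frac{1}{N} + 2^{-n}\right)
% instead of Selcuk's \mathcal{N}(0, 1/N); the extra 2^{-n} is the variance
% of the true wrong-key correlation over the keys.

% Key-alternating hull (sketch): the correlation of the approximation (u,v)
% under key K is a signed sum over all trails \theta from u to v,
c_{u,v}(K) \;=\; \sum_{\theta:\, u \to v} (-1)^{\, d_\theta \oplus \langle \theta, \bar{K} \rangle}\, \lvert c_\theta \rvert ,
% where \bar{K} is the expanded key (the concatenation of the round keys)
% and d_\theta is a key-independent sign bit of the trail \theta.
```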
Okay, so now the question arises for this estimation: what do we take for C0, the bias for the right key? Which value for the right key corresponds to the correlation we will actually be using for the complexity estimation of the attack? Our proposal is to treat the linear hull statistically, so either estimate it for some randomly chosen keys, or average over the keys if you can do that. What we do here is to split the linear hull into two parts. One part is the so-called signal, where we have some dominant characteristics that we consider explicitly, and the other part is the rest. We evaluate the signal part exactly for some values of the right key, and we account for the remaining part of the linear hull in a statistical manner.

And this can actually make a difference. You can see quite a few curves here, but what is important is to see where the reality is: exactly here, at those crosses. That is the exact experiment we are aiming at. Now, suppose you use the estimate for just one value of C0, that is, the bias value for one fixed key. Say you take a cipher and you want to estimate what your bias will be for the right key; what you would do in such a scenario is take one key, for instance the all-zero key, expand it, and estimate your C0 for that. You might then get a curve like this one, for just one fixed key, which is quite far from the reality. The next approximation to the reality is obtained by averaging the signal, the dominant characteristics, over many keys of the cipher, for ciphers such as PRESENT or AES, and then we get this curve, which is closer to the reality. And if we additionally take the rest of the hull into account, then we get something which is closer still. So that is about the significance of accounting for the dominant characteristics in the hull, if you have them, and for the rest of the hull in a statistical manner.

Okay, which brings me to my conclusions. We have revisited the assumptions behind the complexity estimation for Matsui's Algorithm 2, and we basically draw two conclusions. First, there is more noise than previously assumed, due to the overly optimistic wrong key randomisation hypothesis that was used before. Second, it is also important to take the linear hull into account when you are estimating the bias value for the right key. We have procedures in the paper for how to actually estimate the success probability and complexity of an attack using those adjusted hypotheses. This is especially relevant if you want to attack the highest number of rounds you can and extract the highest number of key bits you can, so where the data complexity is highest; but, as so often in cryptanalysis, that is exactly where you want to stretch things as far as possible, so we think it is interesting at this point. Thank you so much.

Thank you very much.
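As a worked illustration of the signal/noise procedure described in the talk, here is a rough Python sketch of sampling the right-key correlation. The block size, the dominant-trail correlations, the independent random trail signs, and the Gaussian model for the rest of the hull are all simplifying assumptions for illustration, not values from the paper.

```python
# Rough sketch: sample the right-key correlation as "signal" (a few dominant
# trails with key-dependent signs) plus "noise" (the rest of the hull,
# modelled statistically). All concrete values are placeholders; drawing the
# trail signs independently ignores key-schedule structure in a real cipher.
import random

BLOCK_SIZE = 20                                   # toy block size, SmallPresent-style
SIGNAL_TRAILS = [2.0 ** -8, 2.0 ** -9, 2.0 ** -9, 2.0 ** -10]  # placeholder |c_theta| values

def sample_right_key_correlation(rng):
    # Signal: each dominant trail contributes |c_theta| with a key-dependent sign.
    signal = sum(rng.choice((-1.0, 1.0)) * c for c in SIGNAL_TRAILS)
    # Noise: the non-enumerated rest of the hull, modelled as Gaussian with
    # standard deviation 2^(-n/2) over the keys (an assumption).
    noise = rng.gauss(0.0, 2.0 ** (-BLOCK_SIZE / 2))
    return signal + noise

rng = random.Random(2013)
samples = [sample_right_key_correlation(rng) for _ in range(10000)]
print("average squared correlation over sampled keys:",
      sum(c * c for c in samples) / len(samples))
```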