 The last talk of the session is entitled, Good Analysis of Wrong-Reduced LED, that also are UV Sun Euclid, Lei Wang, and Zhuang Wu. Lei will give us the talk. Let's welcome him. Okay, thank you for the introduction. I'm sorry, thank you for the presentation. And my talk is, Good Analysis of Wrong-Reduced LED, this is John DeWolf with the UV Sun Euclid and the Zhuang Wu. First, I show the outline from my talk. So, first of the beginning, the background, then we give relative script. So, we are following the improvement, we use the applied slide, add the type to our LED, then we show the most important, we talk about this paper, we use a marticulation to improve the previous T-recarb attack. And then we show all the single-visual LED and then we pay attention to different show instead of characteristics. Then we give a conclusion. So, our LED is designed by Gu Laitou at chess 2011. So, yet another reason to thank our general chair. From the title, Lightweight Incorrection Device, so it's a lightweight block cypher. And the block size is 64-bit and the key is mainly 64-bit or 128-bit. And yet, even though the fact that the LED is out for light, interestingly it has conservative security. For example, they pay particular attention to the related K-attack and the two single-visual functions. So, I show the specification. So, this is what the LED look like. So, the blue text, well, acts of the sub-key and go to a public permutation, then acts of the next sub-key, go to the next sub-function and iterate. And here at the end, they produce the sub-tact. So, let's see the case Gu Laitou function is extremely simple. If you denote the master key as K, so in the 6-bit, 6-bit, 4-bit version, K will be used at the round key in each round. For the 128-bit. So, the case bleeds to half K-zero, K-one and they use the K-zero, K-one, out-turn, naked way. Then let's look at the sub-function. It's AS-like. Each sub-function has four rounds and each round we can see is similar to AS-one function. First, you add the round constant, then it goes to the sub-cell and it goes to the K-zero and makes K-one. And each sub-function goes to the round-function in different round constants. And LED64 has eight steps and the 128-bit version has twice steps in total. So, I show the template of previous analysis and then when the designer published the LED, they evaluated the resistance to differential criminal analysis, linear criminal analysis, and then many other criminal analysis. Particularly, they show that they use the Syrvya Zubov criminal analysis to show the single issues on round and reduced LED. And after that, then it's all done, this is the time it's published. Okay, recovery attack on two-step LED. So, we have 664-bit version and the first step of 128-bit version. The attack is the middle and middle criminal analysis. And after that, Mendoly published, Mendoly published the further result at the idea of criminal criminal type and it has recovery attack on four-step LED, 128-bit, 128-bit version. And also really key attack results. Yeah, and there's also one result is to do some general estimation of how we break security analysis on LED. And yet, the backlit is also applied to LED. And this is a security state of LED now and we only focus on the number of attack steps. So, you can see probably the 64-bit version, you can break the steps to single key sighting and also four-step in related key sighting. And the 128-bit version, you can do I mean four-step in single key sighting and the six-step in related key sighting. So, we give our first results. So, we apply the slide-back attack to the LED. So, focus onto this one. So, the previous single key attack on the 128-bit version of the fourth step. So, you can see this slide-back attack is proposed by Duncan Maito and Yolo Kermit in 2005. And you can see Zika and I only focus on here to simplify the story, they focus on the single key, one-step even most of the structure. For this one, for any public permutation E, you will be able to recount the key with the time date period of this time, times data is to the power n, k, the sacred keys and this lock. More is known as tax attack. So, how can we apply this one to LED 128-bit version? You can see. So, first, you guess the k-deer, then from the contact p, you can compute until the middle, I denote it as a p-plane. And then you compute it backward from c to c-plane. Then you peel off the f-zero, f-zero. Then let's look at what we mean. So, now it's for the internal at one, at two, k-zero, you know, so it's a public permutation. I denote it as E. So, now we try to, so now we can recalculate one best line at the time. So, this is exactly how we can apply the slide at the time. So, by applying the slide at the time, so we get, so comparing the previous work, all the time is normal at the time. And for the complexity, now it's like we need 2232 data, comparing the middle of their work, the data complexity is greatly reduced. They need the intact code of the book. And compared with the Isob, Isob and the Cititan, it's work, and we can have the same trade-off for the same data, same time complexity, but we can go even further. We can use more data to reduce the time complexity further. Now we talk about an active result. We applied the work condition. So, let's look at the two-step even ratio. So, this is what, this is, this single key, two-step even ratio. So, the k is a bit long, and the E-zero, E-one can be any public permutations. So, we know that if these three key are different, like P-zero, P-one, P-two, independent, we can recover all these three keys with the complexity to the power n. But now we have further, we have extra information that they are equal, I mean they are the same key. So, the question is, can we recover the key with the complexity less than to the power n? So, we use the extra information. So, these three key are equal. So, we sublate the computation to three parts. So, first we, they input it to P-zero's x. So, k can be computed by P-x or x, and then we compute the middle, and we can also use the x and the y to get key. And for the last part, we can get the key y-x of c. And the way was we recover x for some p. If we know the x for some p, immediately we can recover, we can know the key. So, we combine these equations, we will erase the y, we erase the key, and immediately we get this equation, p, c, and x. If we look into it, the left side is p, the right side, the only part with p and the c is p-x of c. So, we will find a teamwork collision, I mean from the data that, teamwork relation on p-x of c. So, we can see there are t, one text after text, there is x all equal to a collision, maybe not as a constant. So, there we can see the equation changes to, all the right side is only related to x-sign. So, to make it simple, we can denote it as, we can denote it with a t. So, then we can recover some x-sign, one x-sign of this, of one of this one, this one, separate text, right? So, there is a complexity to n divided by t. So, we just try this random values as x, and then you match the g-x, no g-sign public function, you match g-x to one of this one text, one text, if one match, it will give us that x-sign. So, how we applied it to six steps, how we did 128? So, first the same we get p-zero, it will help us p-off at zero, at five. Then the remaining one, you can see that when we got in this part, because we know everything, we get the p-zero, so we denote as e-zero. And the later part, we denote as u-one. So, this is exactly single key, two steps, even on zero. So, we can use just one observation, we can recover p-one, and we fast faster. So, here's the attack. And we would like to mention that, actually this attack is independent of the step function, specific key, and so forth. Ending, step function, this attack can be applied. And now we talk about all distinguishing. So, first let's see the difference, and the characteristic definition we know, about the difference. About the difference, you define the input difference, the output difference, but you just don't know what the input will look like. The input difference, an internal difference, but for characteristic, you already define the difference after each round, each step. So, the designers have analyzed, have analyzed the characteristic of probability on the step function. For one active step function, it means four active AES rounds. So, it was at least 25 IQS blocks. So, the probabilities are bounded by 2 to minus 50. So, this gives the designers the proof of the resistance to differential attacks, but all concerned openly citing. We pay attention to difference, differential in standard of characteristics. Let's see an example. Choose that, LED64. So, you define the input difference. This is the data one on the index, data two on the key, and you define the output density. So, what is the complexity? You get a solution that satisfies solution PT, that satisfies this difference. So, we can do it by leading the middle approach. So, we started here. We generate, we started here a value, and you can see we know the difference. The difference, data one, data two, we know the difference. We compute, like a birthday, birthday pairs. Here we compute back birthday pairs. We match the difference first. After we match the difference, we can adapt to the value of a key, to make the value of the match. So, then after we get the internal value, we can compute the key and we can backward compute to determine the value of the text. So, we just need a birthday bound complexity. We can get the one solution. This will also give us, then this gives us differential multiplication distinguishing. Now, you can see that we can find the minus solutions with a linear increase of the complexity, but the differential multiplication initially, so we are sure about the distinguishing. And we can send this one to fourth type, but we cannot for all the differentials. So, we choose the difference. So, we choose all the difference of the different key in P and in the self-text, all with the same equal difference data. So, what we do is by this one, the difference here, the input difference to f0 becomes the difference becomes 0. So, this is passive. And the last one, the output difference here f3 is 0. So, we know here the input difference to f3 is also 0 and we know the input difference to f1 is data, the output of f2, the output difference is also data. So, we can again apply the meeting the middle approach. So, we first here, we determine the value of key under the internal state, we backward compute, you'll see the probability is 1. So, again and it's a differential marked collision of fourth type. And we can apply it to the eighth type LED of LED128 version. So, actually we randomly set the value to key k1 and we also set the difference on the key k1 is 0. So, then you can see this one is computation in the LED, you can regard it and it's not a public computation. So, I denote it as a DI. So, by this notation you can see so, the eighth type becomes exactly this one the same. So, we apply the same attack to get a distinguisher. Also, notice that we just set a random value of k1. So, maybe if we load the freedom I mean by choosing the value of k1 we can do better. So, before that so, I give a definition, we will propose a distinguisher, it's random difference distinguisher. We make this simple by just show what we exactly will do on LED128. So, we for a given or real random difference data. So, we set the data key here equals this data and the data key 1 is 0 and we try to find the solution so, what is the complexity to find the solution? For the idea case, yeah, I need to for the can we do better? So, we show a distinguisher on 10 steps of LED128. So, this is the difference propagation. So, because the difference will be canceled so, the first of two step function will be passive so, there's no difference and the last of two will be also be passive and as we set here so, we make here the output difference about cancel. So, we will get another two passive step function in the middle. So, how we attack it? So, this is the procedure. First we focus on the two active step function. So, we try to find the solutions on them. By doing this, we exploit the freedom of P1. After this phase the value of P1 is determined. So, this one actually we do the middle independently and then we try to, then we merge these two parts by finding collisions on K1. So, in the end, we want to get a set, we will get a set of K1, XI, YI for this side, they all have the same K1 and one part of K1 XI follow the step differential on F2F3 and K1YI will satisfy the differential on F6F7. So, then in the phase two that we exploit the freedom of K0 we will link one solution here to one solution there. So, in the end, we will get a solution from F2 until F7. So, how we do it? So, actually this attack you can see that we want to we have many the XI YI. So, we try to link one XI to one YI. Actually, this we know P1 so it's the single P1 step even on zero. So, the attack will be very similar with the K we cover attack on this one. So, here I will skip the details and then after we get the solution from F2 and the F7 then we just backward compute to get the blue attack the pink then we get one solution. So, this is the complexity you can see how complexity is smaller than to do the idea case. So, maybe I mean maybe we can see that 10 step LED one understanding is a denominator and I would like to say that this attack is also here is active to the specific specification of that function. So, it would be right you can see the generic attack and then finally goes to the conclusion so the security state of all it is updating. So, we improved the single extended the single P attack on 120 interview version from four to six step and we also extended the attack starting distinguishes. So, thank you for your attention. Any question? In the five attacks which is different to the key difference and the separate difference is in the five side here. In this attack or? Yeah, the telegram. Ah, yeah. Well, we need it you can see that by setting the equal of a peel of like a false pass because the first two and the last two will be passive so I don't know because they are we cannot attack because they are not making their way. I want to point out can you go with the last slide? So, this is chosen key distinguisher. It's not a real distinguisher for the side friend the secret king was chosen here. So, that's why maybe we can see the knowledge though we don't know the formal definition of idol and the knowledge. Any more question? I have a question when we designed the cyber we were very constructive about the security. Yeah, yeah. So, for real use we had to take care of the speed so we may trade or do some trade between the security and speed So, if you were the designer how many rounds will you choose? I don't know increasing the amount of practice the license will become worse so you don't care about the license as much as possible yeah, as much as possible if there is no question let's thank all the speakers of the session.