Hello everyone. My name is Paul Huynh and I'm going to be presenting some cryptanalysis results on Spook. This was a joint work with Patrick Derbez, Virginie Lallemand, María Naya-Plasencia, Léo Perrin, and André Schrottenloher.

All right, so Spook is an authenticated encryption scheme with associated data that was submitted to the NIST lightweight crypto competition, and it is currently part of the 32 candidates that made it to the second round. It was designed to achieve both resistance against side-channel analysis and low-energy implementations. It has three sub-components: the sponge one-pass mode of operation, S1P; a tweakable block cipher, Clyde-128; and the Shadow permutation, which comes in a 512-bit version and another one of 384 bits. In the Spook specification, the security analysis of the mode of operation used, S1P, relies on the assumption that the permutations are random and that they provide collision resistance. Now it turns out that we were able to challenge this assumption by exhibiting distinguishers for the permutations, which we then later used to find a practical collision on 128 bits of the output. And in doing so, we also solved the first mathematical cryptanalysis challenge on the permutation that was proposed by the designers.

So what exactly did we do? Well, first we found practical distinguishers, one on the full six-step version of Shadow-512 and another one on a step-reduced version of Shadow-384 that covers step 1 to step 5 instead of step 0 to 5, so five steps instead of six. We also found an attack against the integrity of Spook reduced to steps 2 to 5, so that makes four steps. Now all the analyses are practical, they have been tested, and the source code is available online.

Okay, so let's talk about Shadow first. Shadow combines bundles. Now a bundle is a 4x32 array of bits, so 128 bits in total. And if you combine four of them, you get a Shadow state for Shadow-512. For the smaller version, Shadow-384, you only need three of them.
So that's for a Shadow state. Now let's talk about the encryption part. Both versions iterate six steps. Now one step is made of two rounds, round A and round B. And in between those rounds, there are some round constant additions. So here's one step for Shadow-512. Shadow-384 is exactly the same except for the D-box layer, which I'll show very soon. So round A first applies a 4-bit S-box on each column of each bundle. Then the L-box transforms the first two rows and the last two rows of each bundle. Round B starts with the same layer as round A but has a different linear layer that we're going to denote by D. And the purpose of D is to provide diffusion between the bundles of the state. To be more precise, each bit of each bundle is modified by the application of a near-MDS matrix. And between those rounds, some constants are added. They are generated using an LFSR and are added to column i of bundle i. So that's one step. And for a complete Shadow, you need six of them.

Now let's have a look at the only component that differs between the two versions of Shadow, which is the D layer. So D is the only diffusion layer between the bundles. So for Shadow-512, D is actually an involution. So for each bit of each bundle, the value is updated by XORing the same bit of the three other bundles. That's not the case for Shadow-384, which is part of the reason why our distinguisher doesn't cover the full version.

So looking at this D layer, we wanted to see if there was a way to exploit the similarity between the functions applied on each bundle. And for that, we used truncated differentials, which are a variant of differentials in which only a portion of the difference is fixed, while the other part is undetermined. So for instance, if we start with two Shadow states that are equal on the last bundle, but we have no information whatsoever on the first three, then actually some properties are still kept after encryption.
And more precisely, the first three bundles turn out to be equal if we invert the D layer. So here the zero symbol denotes that the two bundles are identical, and the star symbol means that the difference between the bundles is not determined.

So in order to study the differences and similarities in the bundles, one thing we can do is rewrite Shadow using super S-boxes. So here's a Shadow step, like I've already shown. And what we can do is regroup the first four operations of the step: the S layer, the linear layer L of round A, the constant addition that is done on different positions for each super S-box, and the S layer of round B. So we're going to consider all these operations as one super S-box, let's call it σ0. And obviously we can do the same thing for the three other bundles. And now for the D-box application layer, we can also see it as one big linear permutation layer that's operating on the full state, just like that. So what we have now is an SPN structure with four 128-bit super S-boxes and a linear permutation layer D. The round constant addition after round B is not represented here, but it is implicitly considered.

So now with this new representation, what we can do is, for instance, consider two Shadow states that are equal on the last three bundles. Well, after the super S-boxes, we know that the last three bundles are still equal. Then after the D-box, since each bundle is updated with the XOR of the three other bundles, we know that the first bundles are equal.

Now in the following, I will present some of the properties that we exploited in our analysis. So one interesting observation is that even though the bundles go through different S-boxes, super S-boxes, because of the round constants, it's possible to have a Shadow state with four equal bundles that is transformed into a Shadow state of the same form at the output of a step.
So that's something that we call i-identical states, whenever we have i bundles that are equal. Let's see what happens when we start with a four-identical state. How can we end up with another four-identical state at the end of the step? So here are our four bundles and they are equal, and whenever one difference is introduced, it will be highlighted in color. So here's our initial state. After the S-box layer, the bundles are still equal. Same thing after the L-box layer. Now we're going to add the first constants. So let's call them C. So C is added to column i of bundle i. So we've introduced four different values at column i of bundle i. Then we apply the S layer of round B. So now the values are changed but the positions are the same. We still have four different values. Now the D layer is going to spread those differences to the other bundles. And finally, if we add the round constant, let's call it C', then we have a total of eight different values. So what we can see here is that if we want the input state and the output state to be equal, then this highlighted equation needs to be satisfied. Now this happens with some probabilities that are round-dependent, and that's because the S-box transitions need to, well, exist. So for instance, what we can see here is that starting from a four-identical state, we can only recover another four-identical state at the end of steps two and three. And that's because for the other steps, the transitions don't exist. This also works for three-identical states or two-identical states. And the choice of the positions of the bundles that are identical doesn't matter. As long as the positions are the same in the input and in the output, the probabilities are valid.

All right, so now that we've seen this interesting property, I'm going to talk about our distinguisher.
So for Shadow-512, we can exhibit pairs of states (X, X') with a zero difference in the last bundle such that the states after encryption are equal on the first three bundles after inverting D. So generating such pairs for a random permutation would require about 2^64 queries. But in our case, we only need 2^16 calls to the permutation. So this distinguisher is based on two properties. First, there's a probability-one truncated differential, and two, there's the propagation of three-identical states.

So what we're going to do is that we're going to start at step two. And what we need is that the first three super S-boxes transition from a difference α to a difference β, just like that. Now we're going to go backward. If we invert D on the input of step two, then for each bundle, we need to XOR the three other bundles. So we have (0, 0, 0, α). Then we invert the super S-box. So we have something of the form (0, 0, 0, ?), with a difference that we don't know. And then we do the same thing with step zero. So in the end, the pattern propagates with probability one through step one, then step zero. And the input difference of step zero equals zero on the third bundle, as expected.

All right, so now going forward, we need something a bit stronger this time. We need to propagate three-identical states. So this will be represented in the red dotted rectangles. So we must ensure that at the end of step two, the two output messages are three-identical. Now in step three, we want to keep this three-identical property. And as we've seen before, this has a probability equal to 2^-9. Now next, for step four, we need the differences to be the same after the first three S-boxes. And this has a probability equal to 2^-7.245. And I'll explain that in a bit.
And once this condition is fulfilled, then we automatically have a difference of the form (*, *, *, 0) at the end of step five.

All right, so a bit of detail. So first, for step two, how do we build the right pair for step two? Well, on the first three bundles, we need the same differences before the super S-boxes and the same differences after the super S-boxes. But there's actually more to that. We also need the states to be three-identical. So how can we do that? How are we going to choose α? Well, the first thing we can notice is that the impact of the constant additions is limited to the S-boxes with indices in zero, one, two and three, so the first four indices. Now a second observation is that bits with indices 22 and 23 in each of the four input words of a super S-box have no influence on the output bits with indices in zero, one, two, three. And this stems from the L-box there. So we can define a vector space ∇ such that for every α in ∇, the XOR of σ(X) and σ(X XOR α) equals zero on the last four bits. This means that if we add the round constants right after the super S-boxes, then they will cancel out in the difference. And so the states can be equal, identical. So that's how we construct the pair for step two.

Now step three, like I said, is simply a matter of propagating a three-identical state, and that has a probability of 2^-9. Now for step four, well, we aim for a difference of the form (0, 0, 0, δ) at the end of the step. So by writing the corresponding equations, what we find is that these four equalities need to be satisfied, and each of them has a probability of 2^-2.415. And once that is fulfilled, then we automatically have the required difference of the form (*, *, *, 0) at the end of step five. So in total, we have a probability of 2^-16.245.

To summarize, first we are going to select a difference α in ∇.
Then we can select a state that is three-identical, that is going to be the state at the end of step two. Then we can invert step two to obtain the input of step two. And from that input, we are going to create a pair of states such that the difference is (α, α, α, 0). And if we go backwards to step zero, then we obtain a pair of Shadow states with a zero difference in the last bundle. And this pair satisfies the differential trail with a high probability, that is higher than 2^-16. So that's it for the six-step distinguisher. Now if we were to add two extra rounds to the complete version of Shadow to create a seven-step version, then the distinguisher would actually extend to that seventh step at no extra cost.

Now real quick, I will just show you the Shadow-384 case. And as I said previously, the distinguisher works from step one to step five. It could also extend to an extra seventh step, and in that case it would be a shifted version of the full Shadow-384. But the reason why we cannot cover step zero is because of D and the round constants. So the middle rounds of the attack cannot be moved, and that's because of the round constants, because we need to be able to cancel out the constants to propagate some identical states. But because of the D layer, we had to use a different path that only has two active bundles at each round, which leads to two unknown differences at the beginning of step one, and that gives no info on round zero. I'm not going to go into more details, but it's very similar to what we've done previously, and more details are available in our paper.

So now we're going to enter the final part of this talk, which is focused on forgeries. So our attack targets Spook in what are called its aggressive parameters, which were introduced by the designers as an interesting target for cryptanalysis. And these parameters specify 12 rounds for Clyde-128 and four steps for Shadow-512.
So our attack considers the Shadow permutation, but restricted to rounds two to five. So it's a shifted version. And what we're going to do is that we're going to build two different plaintexts that yield the same tag, using the same nonce three times. So we will be in the nonce-misuse scenario, but it is allowed by the security game considered by the authors.

So here is S1P. S1P is a sponge-based mode of authenticated encryption with associated data that uses Shadow as its underlying permutation. It has a rate of size 256 bits and a capacity of the same size, so 256 bits. Bundles zero and one are the rate part and bundles two and three are the capacity part. And we can't see the capacity part in our attack setting. So for the sake of simplicity, we're going to consider a version of S1P without associated data. And we are only going to consider two-block messages, so four bundles, M0 and M1. Pi is going to be the Shadow permutation reduced to steps two to five. Initialize is a procedure combining Pi and the Clyde block cipher to produce a 512-bit state from a nonce and a secret key K. And Finalize is a procedure that produces an authentication tag of 128 bits from a 512-bit state.

So here is the differential trail that we are going to use. And I won't go into the details, but it's very similar to what I've shown you before. In this case, we only need to propagate two-identical states, and the probability equals 2^-24.83. So what do we have? So we have this property for Pi. And basically this allows us to find a collision on the capacity part of the states after applying Pi. But we still need a collision on the rate part as well. Because if we want two different plaintexts to yield the same tag, then we need to generate two messages (M0, M1) and (M'0, M'1) that yield a zero difference after Pi. So we're going to need three queries to do so.
So the first one will allow us to recover the value of the rate part after Initialize. Since the nonce is reused, this value stays the same for the remainder of the attack. And to recover this value, we are going to encrypt a two-block message, so four bundles, that is equal to (0, 0, 0, 0). And the first block of the ciphertext, C0, will give us the two-bundle rate value after Initialize. So we're going to denote it (X1, Y1). Now that we know the value of the rate after Initialize, we can generate two pairs of rate bundles, (X'1, Y'1) and (X''1, Y''1), that satisfy the truncated trail that we found in our distinguisher.

Now we need to know the value of the rate after Pi. That way, by choosing the right second block of the plaintext, we can cancel it out and find a collision on the tag. But first let's recover that difference. So we're going to encrypt two messages built from the pair that satisfies the trail, XORed with the Initialize value that we've recovered. And each time the second part of the ciphertext, C1, will give us the value of the rate after Pi. So we're going to denote this value by (C'2, C'3) and (C''2, C''3). Now that we know the value of the rate parts after Pi, well, we can cancel it by injecting the previous ciphertext that we found into the second block of a plaintext. And this will cancel out the rate parts after Pi. And so with a probability equal to about 2^-24, the internal states before Finalize are equal, which means that we have a collision on the tag.

So that's the end of my presentation. To summarize, I have presented two practical distinguishers: one on the 6-step version of Shadow-512, and one on a step-reduced version of Shadow-384, or the full version but shifted. And that some forgeries are possible with a four-step Shadow for the S1P mode of operation in the nonce-misuse scenario.
As a consequence of our work, the authors have proposed a second version of Spook called Spook v2, which includes a new matrix, which is MDS this time, for efficiency. The round constants of Shadow have been changed for efficiency as well. And there's currently a second mathematical cryptanalysis challenge ongoing, so feel free to go to their website and have a look. Finally, I think our work defines a new criterion for choosing the round constants, in a way that they do not only prevent invariant subspace attacks, but they also need to be chosen carefully in such a way that their effect cannot be cancelled out in the internal symmetries. So thank you for your attention, and if you have any questions, I guess I'll see you at the end.
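As an added example (my own code, not the talk's or the Spook designers' implementation), the following Python models the super S-box view of a Shadow-512 step and checks the two probability-one facts used in the distinguisher: that D is an involution, and that a pair with difference (α, α, α, 0) at the input of step 2 always comes back to a difference of the form (*, *, *, 0) at the input of step 0 when steps 1 and 0 are inverted. The D layer follows the talk's description exactly (every bundle is replaced by the XOR of the three other bundles). The super S-boxes σ_i are hypothetical stand-in bijections (a small Feistel with made-up per-bundle constants), because the real S-box, L-box and round constants are not given here; for the same reason the probabilistic part of the trail (the i-identical propagation, the 2^-9 and 2^-7.245 transitions) is not modelled.

```python
"""Toy model of the Shadow-512 step structure in the super S-box view.
Added example; not the Spook designers' code and not the paper's code.
The D layer is exactly as described in the talk.  The super S-boxes are
hypothetical stand-in bijections, NOT Shadow's real S-box/L-box/constants."""
import random

MASK64 = (1 << 64) - 1
NB = 4  # bundles per Shadow-512 state; a bundle is 128 bits (a 4x32 bit array)

# Hypothetical per-bundle constants (assumption) standing in for the round
# constants that make each super S-box sigma_i a different function.
SIGMA_CONSTS = [
    (0x9E3779B97F4A7C15, 0xC2B2AE3D27D4EB4F),
    (0xD6E8FEB86659FD93, 0x165667B19E3779F9),
    (0xA0761D6478BD642F, 0xE7037ED1A0B428DB),
    (0x8EBC6AF09C88C6E3, 0x589965CC75374CC3),
]


def _round_fn(half, k):
    """Non-linear round function of the stand-in Feistel super S-box."""
    x = (half * 0x9E3779B97F4A7C15 + k) & MASK64
    x ^= x >> 29
    return ((x << 17) | (x >> 47)) & MASK64


def super_sbox(i, bundle):
    """Stand-in sigma_i: 3-round Feistel over the two 64-bit halves of a bundle.
    A Feistel network is a bijection by construction, which is all the
    truncated-differential argument needs from a super S-box."""
    left, right = bundle >> 64, bundle & MASK64
    k0, k1 = SIGMA_CONSTS[i]
    for r in range(3):
        left, right = right, left ^ _round_fn(right, k0 + r * k1)
    return (left << 64) | right


def inv_super_sbox(i, bundle):
    """Inverse of super_sbox: undo the Feistel rounds in reverse order."""
    left, right = bundle >> 64, bundle & MASK64
    k0, k1 = SIGMA_CONSTS[i]
    for r in reversed(range(3)):
        left, right = right ^ _round_fn(left, k0 + r * k1), left
    return (left << 64) | right


def d_layer(state):
    """Shadow-512 D layer as described in the talk: bundle i becomes the XOR of
    the three other bundles (XOR of all four, then XOR out the bundle itself)."""
    total = 0
    for b in state:
        total ^= b
    return [total ^ b for b in state]


def step(state):
    """One step in the super S-box view: sigma_i on bundle i, then D."""
    return d_layer([super_sbox(i, b) for i, b in enumerate(state)])


def inv_step(state):
    """Inverse step.  D is an involution, so its inverse is D itself."""
    return [inv_super_sbox(i, b) for i, b in enumerate(d_layer(state))]


def diff_pattern(x, y):
    """Truncated difference between two states: 0 if the bundles are equal,
    '*' if they differ (the talk's zero / star notation)."""
    return tuple(0 if a == b else "*" for a, b in zip(x, y))


def random_state(rng):
    return [rng.getrandbits(128) for _ in range(NB)]


def d_is_involution(trials=200, seed=1):
    """Check D(D(s)) == s on random states."""
    rng = random.Random(seed)
    return all(d_layer(d_layer(s)) == s for s in (random_state(rng) for _ in range(trials)))


def backward_trace(x, y):
    """Patterns seen while inverting step 1 then step 0 from the input of step 2:
    input of step 2, after D^-1, after sigma^-1 (= input of step 1),
    after D^-1, after sigma^-1 (= input of step 0)."""
    trace = [diff_pattern(x, y)]
    for _ in range(2):
        x, y = d_layer(x), d_layer(y)
        trace.append(diff_pattern(x, y))
        x = [inv_super_sbox(i, b) for i, b in enumerate(x)]
        y = [inv_super_sbox(i, b) for i, b in enumerate(y)]
        trace.append(diff_pattern(x, y))
    return tuple(trace)


def backward_truncated_trail(trials=200, seed=2):
    """Pairs with difference (alpha, alpha, alpha, 0) at the input of step 2.
    Returns the set of distinct backward traces; the probability-one claim is
    that only one trace occurs and it ends with bundle 3 equal: (*, *, *, 0)."""
    rng = random.Random(seed)
    seen = set()
    for _ in range(trials):
        x = random_state(rng)
        alpha = rng.getrandbits(128) or 1  # constructed non-zero difference
        y = [x[0] ^ alpha, x[1] ^ alpha, x[2] ^ alpha, x[3]]
        seen.add(backward_trace(x, y))
    return seen


def forward_three_equal(trials=200, seed=3):
    """Pairs equal on the last three bundles: after the super S-boxes they stay
    equal, and after D the first bundle (XOR of the other three) is equal too,
    so the pattern after one step is (0, *, *, *)."""
    rng = random.Random(seed)
    seen = set()
    for _ in range(trials):
        x = random_state(rng)
        y = [x[0] ^ (rng.getrandbits(128) or 1)] + x[1:]
        seen.add(diff_pattern(step(x), step(y)))
    return seen


if __name__ == "__main__":
    print("D involution:", d_is_involution())
    print("backward traces:", backward_truncated_trail())
    print("forward (alpha,0,0,0):", forward_three_equal())
```

The backward trace reproduces the talk's sequence: (*, *, *, 0) at the input of step 2 becomes (0, 0, 0, *) after D^-1, stays (0, 0, 0, *) through σ^-1, becomes (*, *, *, 0) after the second D^-1, and remains (*, *, *, 0) at the input of step 0, regardless of the choice of α or of the state, which is what "probability one" means here. Note that the argument only uses that σ_i is a bundle-wise bijection and that D is the XOR-of-the-others map; it does not depend on the details of the stand-in σ_i, which is why replacing them with the real Shadow super S-boxes would not change the outcome of these two checks.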