 אוקיי, אז, yes, AS is currently probably the most widely used and best-known all-cryptosystems today. For example, almost 100% of TLS connections are using AES and there are a lot of other devices that use it, and its security has been extensively analyzed for more than 20 years, basically since the AS competition. And it has either 10, 12, or 14-round structure, and this depends on the key size. To date, there is no known attack against full AS that is significantly faster than exhaustive search. So what we do is we try to analyze a reduce on the AS, and I think it is very interesting because this is the best platform that we have to actually analyze what are the remaining security margins that we have, and also there are several lightweight cryptosystems that use four or five-round AS as a basic building block. When we do cryptanalysis, cryptanalysis attacks, we have three main parameters that we want to know. To know what is the time complexity of the attack, how much CPU power do we need, what is the amount of memory that we need to store in order to run our attack, and how much data, or how many different encryptions we need to see in order to break the cypher. To combine those three complexity measures, there is common to use a single number, we call it the total complexity, which is basically the marks of those three parameters. So far in the past 20 years, there are relatively very few techniques that actually led to what we call successful attacks against far from the AS, and all of them hit a specific barrier in a 2 to the 32 complexity measure that we can't do any better than that. Recently, in New York Crypto 2017, RASCIT proposed a new cryptanalysis technique, they call it the multiple of eight attack, and very recently, RASCIT applied a special version of it which is called the mixture differential attack to five round AS. However, again, its complexity was not better than previous attacks, so we are still in the 2 to the 32 barrier. In our work, we were able to break this 20-year-old barrier by a factor of more than 1,000 to get around 2 to the 22 complexity. So, as I'm sure most of you are familiar with, this is the structure of AS, we have 10, 12, or 14 rounds. In each round, we have four operations. The first one is the sub-bite operation, shift rows, mixed column, and add round key. When in the first round, we have an extra add round key operation, and there is no mixed column operation in the last round. And those are the operations. Sub-bite is the only nonlinear property of the AS block cipher. This simply takes a single byte. We have 128-bit state of AS. We can view it as a 4x4 matrix of bytes, and sub-bite simply takes one of each of those bytes separately and use a nonlinear permutation of it. Afterwards, we have the shift rows operation which take each row separately and shift it. The first row stays the same, the second row is shifted by one. This is a cyclic shift. The second row is shifted by two. And the third one, the fourth row, excuse me, is shifted by three. Then we have what's called the mixed column operation. The mixed column operation works on each column separately, and it basically takes all of the different bytes in the column and makes them using linear transformation. And in the end, we need to also add a key material. So each round is its own round key. And what we simply do is we XOR the key value to each byte, to each state byte separately. Okay, so I'll try to explain the notation that was introduced by Grass et al. It's actually a wider application, but this is what we need in order to understand our attack. So we'll also say what is the mixture of AS state pair. So we have two AS states, X and Y, and we want to create a mixture out of them. So we create a mixture ZW. And in this mixture, what we do is basically each byte in Z is either a byte taken from X or taken from Y, and W takes the other byte. In our notation, each time we show a blank box, it means that all four bytes in this specific position in the matrix are equal. And if there is a specific value written, then all bytes that have this specific value are equal. Okay, and as you can see, we take the first column and we mix it between Z and W, and we can do it with each column separately. And for each column, there are seven possible mixtures. Okay, so now we'll try to start to understand how this specific mixture evolved and the structure of it evolves over time and we input it to the AS. So we assume that we have this mixture at the input to some round I of AS. And then we do the sub-byte operation. All of the values are changed, but the structure still remains the same. Then we do the shift rows, so the different values are spread to the anti-diagonal. Then we run the mixed column operation. We simply take this one different byte that we have in each column and spread it over the entire column. Over, we still have the same equality from before, that if we look at any unordered pair of columns from X and Y, it is equal to the unordered pair of the same columns in Z and W. Okay, this is the second one. Then we add the round key. Again, the values are changed, but the structure is preserved. And now we get to the input to run I plus 1. So again, we do the sub-byte operation. All the values change, the structure remains the same. And now that we... Now we can see that although we have equality in the columns, it actually implies more weaker property that when we take all of the values in those four mixtures, they are sum up to zero. For example, if we have two... If the two columns in X and Y are equal to the two columns in Z and W, we sort them, we get zero. And this property is, of course, also correct for each byte separately. So you can see that when we have those blue blocks, then those four values sum up to zero. Okay, so now this is a linear property. And as shift row, mix column and add round key are also linear transformation, this property is preserved to those states. And this brings us to the start of round number 2. So now we have round I plus 2. We have this solve property. And now we're going to make another assumption. This assumption is that by some chance we encountered this fantastic miracle. And in this miracle, the diagonal of X is equal to the diagonal of Y. As there's a lot of random properties going on, this basically happens with probability of 2 to the minus 32. But now we can see that if the diagonal of X is equal to the diagonal of Y and the sum of all the four values are zero, this also implies that the diagonal of Z is also equal to the diagonal of W. And now we continue the evaluation of the states. And we do the sub byte operation. The sub byte is nonlinear, so it breaks the XOR property. But however, the diagonals are still equal. We do the shift rows. Everything returns to a single column. Then we do the mix column. Again, the values are changed. The structure remains. And we add round key. So now we got to round number 3 and we got this specific structure. Then we continue, again, sub byte, shift row. It spreads through the anti-diagonal. And now we're supposed to do the mix column operation. And this mix column operation breaks everything because all of the different values will be spread. However, as we said before, in the last round of AES, there is no mix column operation. So if you're looking at only four round AES, this is the structure that we get after four rounds. So what we basically get here is a distinguishing because if we start from a mixture structure, we'll get with probability 2 to the minus 32, we'll get this structure in the end. If AES was a real random permutation, we've gotten this structure with probability 2 to the minus 64. So this allows us to distinguish between AES and random permutation, but we're more interested in recovering keys. So the basic idea that Rassi has shown is that we proceed those four rounds with an extra round before them. What we do is we take this input structure and where all of the values remain the same except for the values on the diagonal, and then we encrypt all possible values of A, B, C, and D. What we get as an input to run one is this structure. And this is actually all of the values in the first column here are a simple permutation of the diagonal of the state input to AES, and they only depend on four specific key bytes. And this actually gives us all of the possible mixtures that we can have on the first column. So we try to follow the original Rassi attack. Basically what we do, we look for a single good ciphertext pair where we have equality on the anti-diagonal, and then what we do is we retrieve the plaintext because we encrypt all of the possible values where the plaintext of X and Y. And then what we do is simply iterate over all possible two to the 32 key bytes, and we do a partial encryption of X and Y. And we get this structure. Now what we do is we choose one possible matrix after the possible seven, and create the mixture of Z and W. Then we go back, we use the same key that we used before to partly decrypt Z and W and get a plaintext suggestion. As we have all of the possible encryption of this structure, we can find what is the ciphertext that we get from Z and W. And what we do now is simply check this equality condition. If the anti-diagonal is equal in this case, then we get the right key and we finish. Otherwise we discard this key and keep on iterating. So this is a new type of attack. However, we still have the same previous complexity that we had before of two to the 32, and we want to improve it. So we had several ideas on how to improve the original attack. The first idea is that we can reduce the amount of data that we need. So we pay with extra time complexity. So this is not really good. Then what we do is we switch the order of operation inside the attack algorithm. This help us reduce the time complexity even further to two to the 33, but we're still worse than the previous attacks. And then what we see is that we can use some small pre-computed tables to further improve our attack, and this is already the best currently known attack. But then we can add a smarter selection of the input structure that allows us to get to the 22 and improve it by a factor of 1,000. So I'll try to expand those ideas. So the first idea that we have is that, in Rusty attack, we get all of the possible good metrics that we have on this specific one column structure. But we only need one good mixture in order to retrieve the key. And we can do the calculation, and we'll see that with 2 to the 33 data, we get a lot of possibly good pairs. And if we use only 2 to the 24 data, we can still get enough 2 to the 15 good pairs, which have equality on the anti-diagonal, and this gives us at least one good mixture with very high probability. So we can reduce the data complexity. However, it means that we have 2 to the 15 different good pairs that we need to iterate over them in order to find the one good pair that gives us the good mixture. And this takes time. So we have now 2 to the 47 because we have the original 2 to the 32 complexity times 2 to the 15. And basically what we get is just a time data trade-off, not a real improvement, and this is actually not a very good time data trade-off, because we increase the time by a factor of 2 to the 15 and only improve the data complexity by 2 to the 8. The second idea that we add is that we actually can change the order of operation. And because the basic observation is that if we have a mixture after the first run, then again the sum of all values is zero. This again is true to each byte separately. And for each byte, there is only one key byte that will give us this zero sum after we do the S-box operation. So we can find a suggestion for each of the four key bytes separately. This is, of course, much more efficient than trying to hold 2 to the 32 together. And then after we have the four key byte suggestions, we take them all and we actually do the partial encryption and we check if we get a mixture or not. Okay, and again, this is not good enough because for each key byte we need to have 2 to the 8 S-box application in order to get the right key byte. And this still gives us too much time complexity. Okay, so the third idea is that instead of doing this 2 to the 8 operation, we can use a pre-computed table. The details are not really important, but basically we can optimize it to a really, really small table of 2 to the 21 table of 4 byte values and a pre-computation takes about 2 to the 24 S-box application and this is all negligible compared to the entire attack. And by using this pre-computation we can remove this 2 to the 8 factor. Okay, so now we got 2 to the 24 data and 2 to the 29 time complexity, but again we want to do a little bit better. And what we see is that now we only need part of the input structure. We don't need to go over the entire diagonal. And instead of just picking random values out of the possible 232, we use a specific structure and we actually keep at least 1 byte content. And this actually boosts the probability of getting a good mixture by factor of 2 to the 8 and this allows us to use less data accurately 2 to the 22.25 data. Okay. Due to the very, very low complexity of the attack we were able to experimentally verify our attack and actually run quite a lot of simulation and to get the real distribution of probabilities of key recovery. And we did it to different amounts of data and quite a lot of keys and we got the whole key recovery probability matrix. We also tried to extend our attack and we were able to extend this up to 7-round AS and in 7-round AS so it's not there, right slide, but okay. 7-round AS we actually get an improvement in a specific regime that we call the particle data and memory regime in which we assume that it's much harder to get a lot of data and a lot of memory than extra time complexity. So we want the data and memory complexity to be something that we find reasonable even today however the time complexity is still not very fast but the best that we can have. Okay. So to summarize we were able to break a 20-year-old attack complexity barrier on 5-round AS and we proved it by a factor of more than 1,000. We also obtained and improved what we call particle data and memory attack on 7-round AS and what we ask ourselves now is it possible to extend this new attack technique to larger versions of AS which we were not able to do before and can we take the result of this attack and this distribution properties and try to use them to attack this new light-water crypto schemes that use this reduced-round AS as a component. And that's it. We'll be able to take questions. Thank you.