 Hello everyone. My name is Raghavendra Roy. Today I am going to present our work, misuse-free key recovery and distancing attacks on 7 round Scon. This is our joint work with Kaihu, Sumanthu Sarkar and Sivaisan. Here is the outline for today's talk. First I will give overview of the Scon algorithm. Next I will present what we mean by misuse-free attacks. Then I will present some key recovery attacks on 7 round Scon and some new distinguisers. Let's start with the description of Scon. So Scon was designed by Dovryag, Ekshader, Mandik and Sefer in 2014. Basically it was submitted to the Caesar competition and it is one of the winners of the same competition in the lightweight applications category. Also right now it is a finalist or finalist out of the 10 candidates of the on-going NIST lightweight cryptography project. So at a very high level we will look into the Scon. Then it takes as inputs a secret key K, nonce N, associate data A, message M and then it outputs a side vertex C whose length equals the length of the message M and then authenticates intact T. Here the intact T provides the integrity and authenticity for the nonce associate data and message. Now if we look into how the Scon works then it is based on the well-known sponge-to-plex mode of operation. So there are four phases. The first phase is initialization where the state and where the secret key and the nonce are processed by the permutation P A. Then we have the associate data processing, plain text processing where we generate the cybertext and in the end we have the finalizing phase where we generate the authentication intact T. So here if you note that during the initialization and the finalizing phases the number of rounds of the Scon permutations are A while for the other two phases the number of rounds is V. Now based on the amount of data the Scon processes which is actually orbits per call of the permutation and the number of rounds there are two variants of Scon which are Scon 128 and Scon 128 A. The only difference is in the rate R and the number of rounds of P B. Now if we look into the round function of Scon then it consists of three operations. The first one is PC where the round constraint where the 8-bit round constraint is added to the second 64-bit one of the state. Then we have the substitution layer where the Sbox is applied on each of the 64 columns. After that there is a diffusion layer where the rows are where each rows is mixed among themselves. So if we look into the Sbox then the Scon Sbox has a algebraic degree too which is given here and then the linear layer simply consists of the bitwise XR operations and right-side click-sept. So if you see here each word is mixed with its rotated version. So for example Y0 is Y0 XOR with Y0 right-sept Y19 and then again XOR excepted coffee by 28 bits. So the only difference here is for the other words the rotation constants are different. So now let's look into what we mean by misuse free attacks. So before going into that let's see what are the security claims of the Scon designers. So they mentioned that for 120-bit security the number of plain text and associated data blocks that can be processed by a single key is limited to a total of 2 to the power 64 blocks. And the second condition was to ensure that the public nonce should not be repeated for the two encryptions. Otherwise you know the difference of the key streams and then they will be attacked. So nonce should not be repeated. Now given these two conditions we see like what is the attack target in this work. So our attack basically focuses on the initialized interface of the Scon where we take the associated length as 0 and we just work with one block of the plain text block. So the question here is like since there are 12 rounds in the initializing phase. So given the outputs which are cyber text how many rounds out of 12 we can attack and attack in the nonce-respecting setting. So we don't care. So the constant here is the nonce values will not be repeated. Then the second question is are we targeting the key recovery attacks. So that means you are recovering the key words K0 and K1 or just simply distinguishing the outputs which are given by the cyber text. So now we are looking to both mean by misuse free. So if the data complexity of the entire attack is less than 2 to the power 64 basically it fulfills the designer's requirements then we call it as misuse free. Otherwise there could be an attacks Scon which requires more than 2 to the power 64 although they could be generic. But the data complexity is more than 2 to the power 64. So basically they are not satisfying one of the requirement of the designers but still they are generic. Okay so now we look into the existing results existing key recovery attacks on Scon. Then if we so we basically divide the existing results into two categories and some of them are valid where the data complexity is less than 2 to the power 64 and the other where the data complexity is more than 2 to the power 64. So if you see the best attack can be covered till six rounds and it requires data and time 2 to the power 64 although there is an attack on seven rounds with time 2 to the power 103 but the data complexity of this attacks is more than 2 to the power 64. So we ask ourselves whether there is an attack on seven rounds where the designer's requirements are not violated. So that's what we give here. We present an attack on seven round Scon which requires 2 to the power 23 data sorry 2 to the power 23 time and the data is 2 to the power 64 and it's based on the idea of a cube attacks in terms of distinguisors. So till now the best distinguisors can reach up to six rounds and they require 2 to the power 23 data. So we present new distinguisors here starting round four to round seven and all the all of our distinguisors require data which is much less than 2 to the power 64. So all these distinguisors we found using the division property. Now let's look into the key recovery attacks on seven rounds. Okay so the basic idea for attack is based on the principles of cube attack. So for example consider a Boolean function in six variables so three secret variables and three public variables. Now here if we take the second order derivative with respect to public variables v0 and v1 so that means you are evaluating the Boolean function f over all possible values of v0 and v1 and v2 is constant and then you XOR their values. So this basically gives you the expression which is k0 plus q2 plus one which is known as the superpoly of the cube v0 and v1. Symptoms of cube attack notices v0 v1 is known as the cube and here since we are working on two dimensions so this is a two-dimensional cube and v2 is fixed. So this is a non-cube variable and k0 plus k2 plus k1 is called as a superpoly of cube v0 and v1. So now till now there are many methods which can recover this superpoly and these methods are based on the automated tools like groovy, constant programming, set SMD but the issue here is once the dimension of the cube is large then we don't know any information about the superpoly. So in this work what we do we try to recover this superpoly without the aid of any automated tools or at least we give some theoretical answers for recovering the superpoly. So let's start with the initial state of the Scon. So if you remember the cube variables they are loaded in the word three and word four. So we work with this state configuration where we take the cube variables in word three and in word four we fix all of them to be zero. Now for this state configuration we have the following observation. So for round r if we select 2 to the power r minus 2 to the power r indices i from the set 0 to 63 and corresponding to this indexes it will look the cube monomial and its superpoly of each state bit after r rounds then we can show that this superpoly is entirely determined by these 2 to the power r equivalent qubits which is basically k i 0 plus k i 0 plus 64 or so basically it's like if you look into one column then the superpoly depends on this equivalent qubits where k 0 plus k 64 or k 1 plus 65 or k 2 plus 65 it's like this so over as total 2 to the power r equivalent qubits rather than the original qubits. So similar observation was used for in dms 15 to attack up to second rounds up to six rounds of Scon. So in this work we use the similar observation but with a different technique to attack seven rounds. Okay so what's our goal here so the goal is to recover the superpoly of the 64 dimension cube which v0 times v1 times v63 after seven rounds and the number of the time complexity is be less than 2 to the power 128 seven round Scon calls. So now this goal this is equivalent to recover the superpoly of the cube after the six round Sbox layer this is because we can invert the last linear layer. So for recovering the superpoly we present the technique which is partial polynomial multiplication. So to give a high level idea of our technique we can consider this following example so let's say we have the algebraic normal form of the first column after round one so we have the five bits and so five bits are basically corresponding to five columns and this is the algebraic normal form. Now let's say we are interested in the cube monomials of degree 2 by multiplying some some of these columns. So for example if we multiply the second column with the first column and since k is constant here and we multiply x to 1 0 with x 1 1 0 then this will never give the degree 2 terms so we can simply eliminate x to 1 0 while multiplying. Also note that if we multiply this v0 with this expression then here also the degree is still 1 because v0 is same so the degree does not increase or if you look have a more close look then basically we are interested in these reduced terms. So basically a product of only specific terms will give us two dimensional cubes and not all so like this we don't need any terms from here because they will never contribute to the degree. So we apply this simple idea on seven rounds has gone in two steps to recover the k. So in step one we enumerate all 32 dimensional cubes and their corresponding superpolis after six rounds. Now once we have all these cubes and superpolis then we multiply them using this partial polynomial techniques partial polynomial multiplication techniques and then we recover the superpoly of 64 dimensional cube after seven rounds. Okay so now we have 64 outputs in the after seven rounds so we can recover all one by one so the entire the procedure for recovering superpolis for all 64 bits is exactly same. So we just show the procedure for the procedure for the 0th bit here. Okay so now we write a 0th bit in algebraic novel form then the quadratic terms are shown in red so we are only interested in the quadratic terms here because the other terms can only have degree 16 so if we multiply with another 32 terms then the degree could be 48 and they will never contribute to 64 dimensional cube. So we are only interested in the terms as shown in red so which is equivalent we need to compute the superpoly for this term. So now let's see how we compute this. So first we give an example of the data structure how we arrange the superpolis and their and the cubes. So let's say if we look into this bit then this basically denotes the 32 dimensional cube the poisons of the 32 dimensional cubes and in this array we have the corresponding superpoly. So now we have all the 32 dimensional cubes as well as their corresponding superpolis for x16. Similarly we have all the possible 32 dimensional cubes for this expression for this express and their corresponding superpolis. So basically how much memory is needed here because we have 64 choose 32 cubes and for each of the cubes we have we can have at most 2 to the power 32 monomials and we have 3 ton days state bits. So overall you need around 2 to the power 101 memory. So this is the worst case you know it's just an example. Now how we compute the superpolis for the 7 rounds. So instead of 1 we find the cubes and superpolis of 6 rounds. So what we have we have 64 choose 32 cubes and this is the dimension of the cube due to the power because it's the dimension of the cube. So we evaluate over all possible values of the cube and then now we also can find out the degree of the superpoly is at most 15. So now in one superpoly we can have at most these many monomials. So this means the total time which is needed to compute all the superpolis for 6 rounds and for all these 2 bits is 2 to the power 123.48. Now once we have these superpolis we only need to multiply our very specific polyomials. So for example this is the 32 dimensional cube. Now this cube corresponding to this cube we can get a 64 dimensional cube only by multiplying this cube. For the other cubes the degree is at most less than 63 because there will be some common variables. So now we multiply all of them and we know for each of them the number of monomials is at most this one. So for that we need to access memory. So corresponding to each of the cube we have around 2 to the power 120 to memory access. Now this is just for one bit. So basically we can do this in parallel fashion. So this will require the same amount of time. So now once we have the superpolis and we know that this depends on the equivalent qubits. So for each of the equivalent qubits we compute the superpoly and store in the hash table. So this requires around 2 to the power 70 bits of memory. Now in the online phase corresponding to each cube we compute the cube sum and if it matches with one of the entry in the hash table then this is basically one of the key candidate one of the right key candidate. Now once we opt in this then we do an excessive search on the remaining 64 qubits because we know the keys are equivalent. So from the equivalent keys we compute the original key and then do an excessive key search and this requires around 2 to the power 64 7 round scone calls. So in terms of overall attack complexities we require 2 to the power 64 data memories around 2 to the power 101 plus 2 to the power 70. Now this memory we just do for computing superpoly once this is done we can discard the once we know the superpolis we will discard this. So and also in terms of total time we only need 2 to the power 1237 round scone calls. Now some remarks on this key recovery text. So we know like all these we know that this offline phase is done only for once and there are some other state configurations and there are some optimized syntax which are given in the paper where we can reduce the time complexities and here all the all our assumptions are the worst in worst case. So for example then the total number of cube dimensional cubes the total number of monomials in superpoly and the number of partial polynomial distributions. So there is a high chance that these complexities can be improved. Now let's look into the new distributors. Okay so the idea of new distributors is very basic the only thing is like how we construct them. So here again so basically what we are trying to find is for given initial state we are trying to find some conditions on the non-slip so that the algebraic degree of the outputs in cube variables is at most 63. So now if you look into the existing distributors so in all the former distributors the idea was to linearize the first round because if you look the s-works output of a round one then only the bits in work 2 are quadratic in cube variables. So if you set one of them as constant then the round one becomes linear and after that there is a quadratic growth in the algebraic degree. So basically if the after round one the degree is 1 then after round two is 2 then 4, 8 like this. So that's why the previous distributors can reach up to 6 rounds and the degree is 32 because for 7 rounds the degree becomes 64 and for that you need 2 to the power 65 data. So what we observe here so if we set the cube variables in word 3 and word 4 is equal. So that means after setting cube variables v0 equals v0 in word 3 and 4. So if you see here all the green that last two green rows are equal then we can note that the word 2 and word 3 they becomes independent of the nonce variables. Now using this observation we compute the upper bounds on the algebraic degree by giving improved model for the three subset bit waste division property. So we found that after 7 rounds the degree is at most 59 so that means we can have a 60 dimensional cube whole superpolis are always 0. Also we found another observation that if we choose a 5 dimensional cube like vi, vi plus 8, vi plus 16, vi plus 17, vi plus 24 and vi plus 63 then we found that this cube variables do not multiply with each other after round two. So basically if you choose any 5 out of 6 then we can have a distribution for 4 rounds with 32 nonces. So the previous here was with 2 to the power 7 nonces so this is also an improvement. Okay so now to conclude so in this work we have given the first key recovery attack on second 7 round scone and we did not violate the data limit as well as the non-respecting setting of the design. We also gave the first 7 round distributor in the AED setting which was not known before and improved the existing distinguisers for 4, 5 and 6 rounds. And we have like since our attacks are based on the first case scenarios so we believe that there are a lot of room for improvements in the attack complexities. That's all for the talk and all the source codes for our distinguisers are available in our GitHub page so if you are interested you can have a look. Thank you.