 Thank you for the last introduction. So this is going to be the outline of my talk, so nothing too surprising. And we start with the brief basic definitions of what a block cipher is, because this is a block cipher station. Excuse me. Sorry. Your lap is muted. OK, thanks. And well, yeah. So block cipher is just a family of permutations indexed by a key. And well, usually we want it to be efficient. Otherwise it's not so useful. And it's one of the most basic primitives we can have in crypto and in symmetric key crypto. And we can use a block cipher to do several things. In particular, the most typical would be to encrypt data. And well, as soon as we want to do something with a block cipher, we have to embed it in a mode, because it's really a primitive. You cannot just use it by itself. So you have many modes to do encryption, also message authentication, or MAC. You can do the both together with authenticated encryption. And one of the applications of block cipher that is a bit more relevant for this talk is this one that's using a block cipher to construct a hash function, or more precisely, a compression function that can later be used itself to define a hash function. And if you want to do that, you can use the PGV schemes. And also, if, for instance, the block size of your block cipher is a bit too small, you might want to use a double block construction, such as the Hiloze scheme. What's also nice with the block cipher is that we have a very good understanding of what an ideal block cipher should be. And it's simply that for every different key, I want to draw a random permutation uniformly at random. So this would be what we would have in an ideal case. And then we can evaluate the security of an actual block cipher by seeing if it's easy, for instance, to distinguish if I have an ideal block cipher or my concrete construction. More generally, when we attack, I mean, block ciphers have been around for a long time. So we have many different ways to attack them and also many different models. So the typical models can be distinguished. I mean, the most classical is to have the secret key model where the key input to the cipher is not known to the attacker. And in this case, it's really useful if we want to evaluate all of the, well, encryption capabilities of the block cipher. So if you want to evaluate the strength of the block cipher to encrypt or to authenticate, then that's the kind of model we're going to use. And well, we can distinguish between single key related key attack. I won't really detail. And then we have also a much more generous model, which is the open key model. And in this case, a bit surprisingly, the key is known to the attacker. But it can still be relevant to analyze the security of a block cipher if we use it to build a hash function. Because in this case, that's really what's going to happen. The attacker is really going to know the key. And then, well, we can have known key, chosen key attack. I guess you can understand what it means. And well, because as I said, a known key model or open key model is much more generous to the attacker. We should expect to be able to attack more rounds if we know the key. So for instance, on AES, if we don't know the key in the most classical model, we can only attack seven rounds of AES 128. But if we know the key, then we can have a distinguish around the full cipher. But the initial motivation of this work is that this wasn't really the case on present, which I'm going to present in one slide. So for this cipher, we didn't really know so well how to exploit the additional knowledge of the key to attack more rounds. And that's what I'm going to show now. So present is one of the first successful lightweight block cipher, even though it was 10 years after Misty won, but then. So it was presented in 2007 at chess by Bogdanov and Al. And so it's a 64-bit cipher with the key size of 80 or 128-bits. But the size doesn't matter in this talk. And in 31 rounds of the very simple and elegant round structure, so we just XOR a subkey. Then we have 16 parallel application of a four-bit S-box with the same S-box, but it's just labelled to be able to talk about this bit, for instance. And then we have a permutation which might look a bit ugly, but you can actually see that it's very irregular. And it has a very simple expression. So you just have this function. You iterate it 31 times. And this gives you a cipher. Well, with the key schedule, but I want detail because it's not relevant to do this attack. So it has been analyzed a lot. And it's one of the ciphers for which the most powerful attack seems to be linear kinds of attack. So in particular, multi-dimensional linear attack. And so until last year, the linear attack were the most powerful. But actually, last year, Blondeau and Nuremberg showed that there is a way to express the multi-dimensional linear attack as a truncated differential attack. So it's somehow the same attack, but you can also see it as a truncated differential. And that can be useful, and that's actually what's going to be used in this distinguisher. So this is an overview of the previous attacks on the present. And so you see that the most powerful attack on 80 bits version in this multi-dimensional linear, the same version attack somehow expressed as a truncated differential. And all of this is in a secret key model. And you see that in an open key model, for 80 bits, you can only reach the same number of rounds with the linear attack. And for 128, you can just have two more rounds than for a secret key with also a linear attack. And so what this works shows is that an extension of the truncated differential attack can be used in a non-key model to attack the full cipher, regardless of the key size. So what's exactly a non-key distinguisher? So as I said, it's first a way to evaluate the security of a cipher in mostly hash function scenario. And basically it's just, we have some property and we know that there is a bias when this property happens in the case of the actual cipher compared to the case of an ideal cipher. So we want to exhibit some property and I'm going to show that on this picture. So this is the distinguishing property that is used for this analysis and present. So we have this block cipher and we say that we know the value on these few bits, for instance, and it's fixed for a certain amount of inputs. And we can find a bias in the number of collisions that we have for pairs of such inputs on these inputs, output bits. So basically it's just like a truncated differential. I said that I have the same value, I take a pair of two values. And then if I look at the output of these two values, well, it's more likely that there are zero, that they are equal on these few bits at the output, that if I had something, instead of the block cipher, something drawn at random, like a random mutation. So this is the kind of property that's going to be used for present. And yeah, so if we have a distinguisher of this form, it's quite easy to launch. I mean, it translates quite directly to something that you can do. You just have to pick values fulfilling this input property. Then you just count how many output values fulfill this one and then depending on how many you got, you decide on the threshold and you say, okay, I think I have present or I think I have something random. So yeah, now I'm going to show how this sort of strategy can be applied to present. And it's going to be done in a way that's still relevant to instantiations of compression function using present. So I'm going to show the distinguisher on the cipher, but if I want to distinguish present in that Davis Major mode or Hirose mode, then I can still use the same basically unchanged distinguisher. And so this distinguisher is going to use, as I said before, the truncated differential version of the multidimensional linear attack. And the reason is that this is, well, in single key, in secret key, it's one of the most powerful attacks. And the truncated differential expression is easier to handle somehow. But then, well, we have this, we need to find a way to extend it to the full cipher and we cannot do it in so obvious ways as just saying I'm going to extend the distinguisher itself because then most likely the bias will be too small. So we have to find a way to connect it to extend to two more rounds. And this is going to be done with the mid-in-the-middle technique. So this is the figure, the overview of the whole distinguisher. This is using the existing truncated differential distinguisher and because it cannot reach the full cipher in itself, we extend with the mid-in-the-middle layer before. So we know from this distinguisher that it has some requirements on the input to be able to launch the differential. Then we know that there is some bias on some output bits and we want some distinguishing property on the input of our whole plain text, which is going to be the same basically. And so the mid-in-the-middle layers is here to find good text that have this input requirement and this output requirement which is then the input for the differential distinguisher. Okay, so just a few more words about this truncated differential, especially how good it is. So I won't detail too much, especially I would refer to the, I think don't remember your crypt or crypt, well, the Blondon Nuremberg paper about this link between multidimensional, linear and truncated differential. And it's going to have just one S-box at the input with no differences. And then we know that we can observe some bias on one of these S-boxes at the output. They will have no difference with the slightly higher probability than for a random permutation. And this slightly higher probability is centered on two to the minus four plus two to the minus 62.77. And for random permutation, you would expect something that's centered on two to the minus four. So this is for 24 rounds. So this is going to, from this knowledge, we can define the threshold that will tell us, okay, I think I have presented, I think I have something else. So yeah, so now the meeting the middle layer. So as I said, we have some input and output constraints on the texts we want to have. And we want to be able to, I mean, we cannot just choose randomly some plain text verifying this condition and hoping that by chance that we also have this condition after seven rounds, because then it would be too costly. So we just want an efficient way to enumerate all of the plain text that have this condition at round zero and round seven. And it's quite nice to do that with the meeting the middle on present because we only want to do this for quite limited number of rounds, that is seven. And we can explore the rather slow diffusion of present. So for this few many of rounds, it's quite efficient to do this sort of technique because as you can see, if we just draw the bits that are influenced after two rounds from just four input bits, well, it's not the full block, there are not too many of them and the structure is also quite regular. So we can explore the fact that these bit don't influence too much, too many of them after a few rounds. And then we're going to do something like this. So we will just start with plain text fulfilling the condition we have on this input. And we will guess partially part of the state using the knowledge of the key. That's why it's a non key distinguisher. We cannot do this technique if we don't know the key. And we're going to compute partially a state after two rounds forward. We do the same, we have also a condition backwards. So we set the condition we have, we compute partially one round and a half. And then gradually we're going to filter out the text that don't jointly verify both of the conditions. And to do this, we use four groups of S-boxes. So we can use the regular structure of the present permutation to do these sort of things. And so we have four groups of four S-boxes for the forward and backwards computations. And so we have group zero, one, two, three. And first, okay, so this is just an example of the one group forward, one group backward. And then the matching in the middle is going to be somehow classical thing. We just start with the same group forward and backward and we're going to match the tables and we're going to filter the candidates that don't, I mean, we have a condition on the matching and the candidate that don't fulfill this condition are just thrown away. And then once we have merged these TF, for instance, TF zero and TB zero tables, we do that for all of the four tables and then we're going to merge them two by two. And at each merging, we're going to decrease the number of candidates, but we only keep the candidate that are still valid. And at the end, we know that we have something that fulfills the whole conditions. So the cost, well, if we do this, we can expect to have about two to the 56 messages that verify the input and output condition. And this is essentially optimal because we have four-bit constraints on the input, four-bit constraint on the output, the block size is 64 bits. So this is what we would expect. And this allows to define two to the 111 pairs that we can use as input to the truncated differential distinguisher. And the whole meeting in the middle phase takes about two to the 56 encryption. So this is, we don't lose too much actually because the amortized cost of having one plaintext input is just one because we pay two to the 56, but we also have two to the 56 plaintext. So it's not too bad in that respect. And then we can know the properties from the differential distinguisher. If we have, so this is the probability of success after that many rounds, depending if we have these two to the 111 pairs or if we think that we're slightly less lucky that we're less a bit led than this, this is also the probability for two to the 109. And so you can see that for 31 runs you get a probability that's not exactly 50%. So there is a small advantage. You can still distinguish. So this is the main result with two to the 56 encryptions. We get a distinguisher with success probability 50.5%. So this is the end of my talk, nearly. So I presented a non-key distinguisher on present, on the full present, which is the first search distinguisher. And it can be applied also on the block cipher when used as a compression function. And so if you're considering building a hash function based on present, and if you care about distinguishers on the hash function, then, well, you should take this result into account. So there may be way to extend this work. So maybe the attack can be simplified or the complexity can be improved. Maybe a student of Addy can help. And also, well, this is a non-key distinguisher. There is another model which is chosen key. In this case, the key is not only known by the attacker, he can entirely choose it. So it is also natural to wonder if you can use this extra knowledge to improve the attack by being even more generous to yourself. So thank you for your attention. And if you have questions, I will do my best to answer them.