 The title of my talk is New Key Recovery Attacks from Iwamahikura Iwamanzo Cifras, this is the joint work, it's Takano Usobe. We focus on Iwamanzo Cifras in this work, both in 1991. It is known as one of the simplest pro-civil design, which consists of one fixed and public application key, and two reactions before and after application. For EMIT, EMCYPHONE, Iwamahikura Iwamanzo shows the information stability problem that any attack requires at least to the end, where T is a big complexity, which calls the number of queries to the inquisition of Ike, and T is a time complexity, which calls the number of queries to the internal foundation key. And after the proposal, it shows the plane takes attack matching the bound DT equals to the end. Then, Iwamahikura Iwamanzo shows the non-plane takes attack, which requires to do DT, non-plane takes, and to do N minus D times. So, those results imply that the crewed bounds of Iwamanzo Cifras is actually tied. In Europe 2012, Iwamahikura Iwamanzo Cifras generalized EMCYPHONE to multiple rounds. And it is proved to be secure up to the 2M over 3 queries against destination attacks. After the result, several follow-up work regarding dual security have been published. Finally, Iwamahikura Iwamanzo Cifras is secure up to the TN over T plus 1 queries against destination attacks. Also, minimum construction without losing security for EMCYPHONE has been discussed. For one end construction, Iwamahikura Iwamahikura Iwamanzo shows that a single key construction provides exactly the same security of two-round construction, which means 0 equals to K1. For two-round construction, Iwamahikura Iwamanzo Cifras shows two variants of N secured up to the 2M over 3 queries. These two designs are considered to be more, since removing any components from them causes less security. The first one, called 2M1 in this talk, consists of two different permutations P1 and P2, and a single key addition three times. The second one, called 2M2 in this talk, consists of the same permutation P, and it has a single key function 5. We focus on these two designs in this talk. This is a summary of security analysis on 2EM1 and 2 with respect to DD when N equals to 64. This green line shows security bounds for 2M1 and this yellow line, the bounds for 2M2, approved by Chen, as well. The error below these lines are considered to be secure. In the other hand, the generic distinguishing attack was proposed by Kazi in 2013. They showed the distinguishing attack required T2 to N equals to 2M2. The error above this line is considered to be secure against the distinguishable attack. In addition to distinguishing attacks, some key recovery attacks have been proposed as attacks to the Proxyquan LED. The first language proposed are non-printed key recovery attacks on 2EM1, which requires 2 to the 61 line and 2 to the 59 non-printed attacks. Then, you know about the results which require 2 to the 65 and 45 non-printed attacks. Both results require more than 2 to the 32 data because they use a magic point on the full state of the target. This is the best result on 2EM1 so far. There is still a large gap between the global bound and the actual attack. So, the question is, the 2EM1 and 2 are more secure than 1EM with respect to key recovery attacks. So, we propose a chosen plane takes a low time attack. The problem is here. We believe that our result slightly improves the previous result, but it still requires a lot of data. So, we also propose a chosen plane takes a low data attack. It requires much less data. So, we think this is the first result requiring less than 2 to the 32 data, which is the first problem. So, this is the summary of our contributions. So, we propose new key recovery attacks on 2EM1 and 2 based on between the middle attack. This is the first attack requiring less than 2 to the N over 2 data. Many thanks to between the middle plane one. So, actually, our low data attack requires DT equals 2 to the N plus 6. So, the attack for 1EM requires DT equals 2 to the N. So, this problem is close to DT equals 2 to the N. So, it implies that 2EM1 and 2 are not much secure than 1EM at this point. So, let me introduce our basic approach to apply between the middle attack to 2EM1. So, our idea is very simple. So, first, we divide N with K into 2 keys, K0 and K1. K0 is A bit and K1 is N minus A bit. Then, we find 2 key dependent functions, F and G. So, F consists of the permutation P1 and K0 additions before and after the P1. G consists of K1 additions and the encryption block of the K. So, then, we try to mount between the middle attack and this construction. So, hopefully, we can compute X and Y from S to be dependent because both functions F and G do not share key information. However, for matching P2, we need another key information, K0 and K1. So, this seems to be difficult to apply between the middle attack and this design. So, we introduce two new techniques to bypass this. The first idea is called matching with input distributed foundation. For any Y1, if we obtain X0 and V1 without one in K0, the matching is possible. However, for each Y1, the number of candidates of X0 and V1 is about 2 to the A. This means we need to compute 2 to the N computation to calculate X0 and V1 from Y1. But if we can fix some input of P2 like X0, we can fix X0. We can prepare the computation table of P2 with Western 2 to the N computation because the input space of P2 is reduced to 2 to the N minus A. So, the next problem is how to fix such X0. So, we use another technique called partial invariable pair. The partial invariable pair is a pair of input X and a puzzle of Y1. Since that Y1 is not affected by K, in other words, Y1 is unchanged for all K. We can find such partial invariable pairs by root for such. It requires about 2 to the B to the A computation. It is clear that the required computation rapidly evolves by the parameter A. So, A must be small. So, now we can have a fixed X0 and a pre-configuration table of P2. We can do matching here. Then, so, between the middle of attack, it is successfully mounted onto the N1. So, let me introduce our basic data to you. In open space, first, we find the partial invariable pair SX0 of FK0. And make a pre-configuration table of P1. Then, we make a pre-configuration table of P2 by using the fixed X0. Now, we have fixed X0 and pre-configuration table of P2 and P1. In online space, first, we get K1 and compute Y by using the function G with some trace to the encryption record. Then, compute B from Y by using the pre-configuration table of P2. Finally, we check if X1 prime equals V1 plus K1 is in the pre-configuration table of P1. If we can find such X1 prime, the corresponding K0 and K1 must have to be a candidate of the correct key. So, this is the complexity analysis. The first step requires B to the A to the A P1 computations and the 2 to the A box memory. Step 2 requires 2 to the N minus A P2 computations and the 2 to the N minus A box memory. In online space, steps 1 to 3 are expected to be divided into 2 to the N minus A times. So, this requires 2 to the N minus A memory accesses and 2 to the N minus A chosen prime text. So, here is a summary of a variation for basic attack on our basic attack on 2 to the A1. For example, in the case of N equals 64, we need 2 to the 60 prime and 2 to the 60 data. It is cross to the 2 to the 64, which is required by the post-attack. Our attack does not seem to be much efficient than the post-attack. So, we propose further improvement. The first is a low-data attack. The main idea to reduce the data complexity is that we fix mobiles or different things like this. So, it is possible by using a gradient of star state S for each K1L, if it is K1L, we choose S1L so that K1L plus S1L is awesome. By dynamically computing partial invariable pairs in the matching phase. Then, the number of pairs to the N control of EK, which is the data complexity, is reduced to the N minus A minus D, because the space of prime text is reduced to N minus A minus D. So, this is a summary of a variation of our long time attack on 2 to the N1. For example, in the 64 case, we need only 2 to the 8 data. Suppose for the case N equals 128, the gradient is still 2 to the 8. We also propose a time-optimized star. The main idea to reduce the time complexity is that we fix some result between it. By using the derivative freedom of star state S. So, we can fix more Cp's here. Then, the number of pairs to the international permutation P, which is time complexity, is reduced to 2 to the N minus A minus D. So, here is a summary of a variation of our time-optimized attack on 2 to the 1. So, our time-optimized attack can reduce some time complexity, but it is a slightly improved strategy. So, we propose a new category of attacks on minimal design of two round even ones or side first. Our attacks are based on between the middle attack. So, to apply between the middle attack to round even ones or side first, we introduce two new techniques. We also show two optimizations with respect to the data complexity and the time complexity. In particular, our loaded attack requires DT equals to the N plus 6. So, we need 2 to the A, chosen characteristics, and 2 to the N minus 2 optimizations for any N. It implies that 2 E.M. 1 and 2 is not much secure than 1 E.M. at this point. And our attack is a part of that, requiring respect to the N minus, N over 2 data. Thank you for your attention. This attack applies to the general even ones or side first. Generalize? Yes, general even ones or side first. We try it so we can apply our attack to three round even ones or side first, but they use an identity culture. Any single three round construction, we can post it, we can attack. But, maybe, general construction has a different key. Even for the two round. The general two round is not so secure. But, two round even ones or side first, with identity culture is good to be secure. And the same security is two round even master with two or three different keys. More questions? Maybe I didn't follow, but we are your work. We are your attack work, but if the limitations are the same. For the N1? If not, send a speaker and all other speakers in message.