 Hi, my name is Augustin Barian, and I'm going to present the first part of our work, Crypt analysis of FoxSafers, by Getton Laurent, Nicolas David and myself. The FoxSafers from work was introduced by Henri Van Aal in Azure Crypt 2019. A FoxSafers outputs two safer texts, C0 and C1, out of a single plain text and a key. It forms a family of authenticated block safers, because the second safer text can be interpreted as a Mac. It is efficient for very short messages, as there are a lot of common operations between the computation of C0 and C1. They are constructed from block safers and two cable block safers. There are two instances of this from Mac from now. There is a fork AES derived from AES and fork skinny from skinny. The plain text goes through RI rounds of block safer, then the state is duplicated, and it goes into R0 rounds of block safer to output C0, and R1 rounds of block safers to output C1. Note that TK0 and TK1 are different tweaking material, and TK0 corresponds to the base block safer tweaking material, while TK1 has been derived from the original tweaking material. This framework gives a lot of freedom to the attacker, as there are two safer texts, and actually it needs to be carefully analyzed, and this interested it. The new attacker model is interesting because it gives three articles to the attacker. The first one is the encryption and decryption of the first branch. So this is exactly the same as the base block safer, so it has already been deeply studied, and we will not focus on that in our paper. The second article is the encryption and decryption of the second branch. It differs from the first branch because TK1 is different from TK0. Actually, TK1 can be poorly generated, and our attack on fork skinny exploits a weakness in the generation of TK1. And third, there is the reconstruction query. So out of one safer text TK0 and TK1, we can ask for the corresponding safer text. This reconstruction query is interesting because it consists of error 0 decryption rounds followed by error 1 encryption round, and actually this implies lack of diffusion in the middle round, and our attack on fork AS exploits this fact. To illustrate this, let's look at the propagation of a single byte input difference and two encryption rounds of AS versus one decryption, then one encryption round of AS. So in the first case, with probability 1, we end up with a full active state, whereas with probability 2 to power minus 24, we end up with only one active byte in the second case. So first, I will describe fork AS, and then I will present our new attacks. So as you all probably know, AS is a block cipher introduced by Damon and Richmond in 1999. That's when the AS competition, the round function of AS is composed of four operations, add key, which adds the round key to the state, sub bytes, which applies an S-box on each byte of the state, shifts row, that shifts each row by a certain offset, and mixed column that multiplies each column by a linear and valuable matrix. Kizubisi was designed by Jean and Al and presented in Azure Group 2019. It's a tweakable block cipher derived from AS128 with an extra input, a 64-bit tweak. It has 10 rounds like AS128, but a lower security margin, as most attacks on AS128 can be extended by one run on Kizubisi. The only difference between Kizubisi and AS128 is that the tweak is absorbed to the first two rows of the state at each key addition. So the tweak is controlled by the attacker. So this gives some more freedom to the attacker. 4K yes is based on Kizubisi, with R0 equal R1 equal RI equal 5. So there is no, the branches are exactly half of the cipher. So there is a loss of diffusion, but no more round added. So what are the existing attacks on 4K yes 4 4? Banik and Al in ACNS 2019 proposed a reflection differential. This is a truncated differential which exploits the lack of diffusion in the middle rounds. The total probability of the differential is 2 to the power minus 64. And this means that if you have an active column in input, you end up with only an active column in output was probably 2 to the power minus 64. The structures of 2 to the power 32 plain texts are enough and the attack is very cheap, as 2 to the power 35 encryptions are needed. However, it's not extendable directly to 4K yes. If we add one run at the beginning and one run at the end, the complexity grows too much to be a right attack. So our idea was to do another reflection differential with a lower probability, but to attack only with keys. So we suppose that the key has zero in diagonal bytes of K5 plus K11, so this corresponds to the key in the middle rounds, so that middle rounds pass with probability 1. Also, we generate twin pulse P and P prime so that if P passes the differential, then P prime also, but with a much higher probability as P and P prime has some common inputs at the beginning. And so if the differences in P collapses, then the difference of P prime also. P and P prime are generated from couples of 96-bit vectors U and V, so a single structure can generate pulse pulse seamlessly. We first guess the first byte of K10. And with that guess, the probability of the full differential is 2 to power minus 16 and if P passes the differential, then P prime also, but with a much higher probability 2 to the power minus 13. And this is because it passes all the first rounds with probability 1 if P passes it also. How do we construct this twin pulse? So we build a structure of 96-bit vectors U, then we compute P0U, P1U, P0 prime U, and P1 prime U. We filter the output difference simultaneously and if a pair passes that has the right output difference and if it passes the differential, then because of the last rounds we can deduce some information on the key. And if this information deduced is compatible between P and P prime, we keep the pairs, else we reject them. So this leads to an additional filter. So this attack breaks the 2 to the power 96 keys and the complexity of the attack in data is 2 to the power 74.5. In time is 2 to the power 75 and in memory it's 2 to the power 59.5. We have two more attacks actually. The second one has a different 2 to the power of this. We only suppose that k5 plus k11 has one zero diagonal byte which happens with probability 2 to the power of minus 6. We can perform this attack by rotating the columns thus attacking four times more keys. And in total we can break 2 to the power 124 keys. The probability of the differential of the differential is 2 to the power minus 137 and the probability of the second pair passing the differential is the first pair passes is 2 to the power minus 34. So the final complexity in time is 2 to the power 114 which is enough. Our final attack has no hypothesis on k5 plus k11. We have to add an intermediate filter because the output filter and the compatible key information filter are not enough. The probability of the differential is 2 to the power minus 144 and the probability of the second pair passing it is 2 to the power minus 41. Eventually the complexity in time is 2 to the power 125. So to conclude with 4KES, 4KES is based on KSUBC which is already less secure than AES128 and the difference in security between the 4KES55 and KSUBC is even higher because of this reconstruction query. So the FoxCypher authors should be aware of that. We now move on to another section focused on FoxKiney cryptanalysis. FoxKiney is based on this block cypher skinny which is an SPN cypher inspired by the AES and first introduced in crypto 2016. Its internal state is represented by a 4Y4 matrix which is either 64 or 128 bits. There are three different versions of FoxKiney, FoxKiney NN, FoxKiney N2N, and FoxKiney N3N. All the dispersion differs from the size of the 2G material compared to the internal states. The round function of skinny describes as follows. First there is a subset operation, we apply an xbox of each of the 16 cells. Then there is an add constant operation where we add a constant to the internal state. Then there is an add run tweaking where we add tweaking material to the 2 first row of the internal state. Then shift flow operation like in AES and a mixed color operation which is described by the circuit in the picture over there. Regarding the tweaking schedule, first there is an extraction operation that consists in extracting the 2 first row and transferring it to a round function. Then there is a permutation which is applied to each of the 16 cells and then an LFSR, something to apply to 2 first row. Something to remark regarding the permutation that it globally swapped the 2 first row and the 2 bottom rows. Hence if we place ourselves in the related tweaking and we choose one precise cell in which we put some difference, its difference, this difference will be extracted and transferred to the round function every 2 rounds. Forkskine is a block cipher built on skine. There are different versions of it and today we will be interested in building an attack forkskine 128 to 156 that have initial round equal to 21 and fork round equal to 27. The number of fork rounds is greater than the number of initial round 2 weekend reconstruction queries. Forkskine has been submitted to the NIST and still ends in round 2. If you want to build a crypt analysis for forkskine we will first look at some skinny crypt analysis and especially at skinny end-to-end crypt analysis. So we look at some previous work from Sadecki from the in-task paper that built a related tweaking attack using impossible differential and that achieved 23 rounds. This attack uses some property of the tweaking schedule and in particular some property of the LFSR which is that the LFSR to its power 15 has some fixed point indeed there is some delta about the LFSR to its power 15 of delta is equal to itself. So this actually has some consequences which is that in the end-to-end scenario the tweaking material will cancel itself every 30 rounds. So at some precise round the tweaking material can sell itself because delta plus LFSR of delta is equal to zero. The round before is also blank because there is no difference introduced because it's every two rounds and the one after the cancellation will also be zero. Hence three consecutive rounds no difference will be introduced in the interval state. But in the case of fork cipher we can actually do more than three consecutive rounds because we have some unique thing happening when we cipher from P to C1 which is called the tweaking jump. Indeed when we look at the queries from P to C1 the tweaking schedule will actually do some rounds that will be skipped. If we look at the picture here the rounds achieved in TK0 that we get data in blue will be skipped. Hence if we have some odd number of rounds for C0 we can actually have two consecutive blank rounds because the blue part will be skipped. But in the case of end to end skinny end to end with 27 jumping rounds jump of 27 rounds what we can do is have six consecutive blank rounds and this is how we achieve it. Just before the fork the forking point we put our three blank rounds from that was described in the previous work. Then we have our 27 jump and we will have actually once again the three blank rounds. And this is because the tweaking schedule is have a period of 30. So in the end we obtain six blank rounds and with this we have everything we need to build our attack on fork skinny. So we'll target 148, 156. Place ourselves between P and C1 where it's a tweaking jump. Use a reduced version with R0 still equal to 27 like in the next submission and it will reduce for R, I and R1. Our attack would be mostly the same as in previous work but this time we will have three more blank rounds due to the tweaking jump hence our attack would be three rounds longer. This is our impossible pattern. As we can see we have three blank rounds before the forking point and then three blank rounds after the forking point. The rest of the impossible pattern is based and built from previous work. Like in the characteristic we have our 18 round screen whisher and then we have three rounds before and five rounds after. And the decoration of this is basically based on previous work. The characteristic is an adaptation of previous work. So then these conclusions are about fork skinny. So we have our attack at the chief 26 round and then when we have 256 bits of key and when we have 128 bits of key and 120 bits of tweak we have we build an attack in the paper on 24 rounds. As a conclusion we can say that the design of fork scythe allows the attacker to mount attacks using three types of queries. The first one from P to CS0 corresponds to the underlying sector therefore there is no security leak. When the attacker uses queries from P to C1 there is the tweak jump hence there is security leak because there is an expected tweaky schedule behavior. And when we are asking queries from cypher to cypher there also is security leak because there is a lack of diffusion. Thank you for your attention.