 Thank you for the introduction. So what is this cryptanalysis about? It's a symmetric cryptography, right? So we have a ace and Bob sharing the same key We have an attacker if sitting in the middle that will try to intercept and manipulate Alice's messages in this talk. I won't care about privacy. That is Alice would just send plain text and doesn't care if you can read it, but I care about authentication. That is we don't want if to modify the message Alice is sending and for that what we do in symmetric cryptography, we compute what we call a message authentication code we call it a Mac or a tag and for example, if Alice has a message M, she can simply use a ECBC Mac That is a she takes a message M, padded, split into n bits blocks run it through a CBC like mode using any block ciphers she likes. We assume it's secure and the last the last block of the CBC, I call it Sigma, is again run through the block cipher using a different key and you get the Mac and Alice simply appends the Mac to message that way if Eve tries to modify the message Bob that also has the key can compute the Mac again and verify that it matches the tag he received. If it doesn't match, he simply won't read the message. It doesn't consider the message and and that way you avoid the direct modification of the plain text, but the question we ask is, is this secure, right? Can Eve still do forgeries and modify the tag so that she can still modify the message? To answer this question, traditionally we imagine a security game, right? So we have Eve we give her some power, she can for example ask Alice for any message and get the Mac of this message. She also can send a pair of message and tag to Bob and get the answer whether it's valid or invalid pair and the security game is given QT number of tagging queries and QV number of verification queries. Can Eve forge a valid tag for a message that Alice didn't see? Right, because obviously you can forge a valid pair if you ask for the Mac to Alice. But can she do it and how much queries will it need? If I go back to the case of eCBC, well, we know how to attack it. As long as when you observe you have some property when you have a collision in the Mac for two different message because the block cipher as you know is just a permutation means you have a collision on Sigma that is the internal states and if you have a collision on the whole internal states, whatever suffix you add, you still have a collision in the entire state and therefore the Mac, you can predict that the Mac will still be equal whatever you add as a suffix. So the crypt analysis of eCBC Mac works like this, you look for a pair of message X and Y, such that they collide in the whole internal state and you see it because the Mac are also equal. So you just do like this, you send a lot of message to Alice, you get a lot of Mac for those message and you look for a collision. If I give Qt queries, the number of pairs you get will go like Qt to the square and because you look at a relation on n bits, so that for a random pair you get equal Mac with one chance of a two to the n, so the advantage of if to find a good pair, grow like Qt to the square over two to the n. And when she gets a collision, she just use this expansion property I explained to do a forgery. How should we do it? Imagine she could find that the Mac of the message U must is equal to the Mac of the message, no don't. If Alice sends a can you come back to Bob? Well, she cannot do anything. But she somehow has to work a bit more and convince Alice to send a message with the good prefix she found, so now she sends you must come back. She just keep the suffix come back, modify it with no don't and she knows that the Mac and the tag will stay the same, so just copy back the Mac and Bob is fooled. He received the message and acknowledged it, but it was modified by Alice. That's a forgery. This forgery, therefore, requires around two to the n over two tagging queries and only one direction queries. We say in that case that the scheme we used is not secure beyond bus-day bond, two to the n over two being the bus-day bond. So a natural question we ask is how can we build this kind of deterministic Mac that is secure even when we give more than two to the n over two queries? That's not so easy actually, because as Prenell and Fanot showed in 95, this kind of bus-day bond attacks actually generic to those kind of Mac construction with an n-bit internal state because you get full collision on the internal state after this many queries. So the ID is double the size of the internal state, so that collision won't occur and in this talk I'll particularly look at the double block hashed and sum approach that deals with two n-bit half states and to recover an n-bit Mac at the end, you just sort them towards the two half at the end and you get your Mac. And quite a lot literature on the subject. You have some ECBC, P-Mac Plus, 3KF9, like Mac Plus, CCMSI V2, 1KP Mac Plus and some more. So I'll give an example. Probably the first such construction was approved by Yassida in 2010. It's just a CBC. So you recognize the ECBC and you just use it again with different key and sort the two CBC at the end. So no sigma is not just half states, it's the same sigma as before, and the whole state will be sigma and theta. Indeed, you have two n-bit internal states. So in our paper we asked the question many of those schemes they are proven secure when QT is less than 2 to the n over 3. But what happens really when you give more power to the attacker? What happens when QT is more than 2 to the 2n over 3? Are there actual attacks? If you can do something, is it just the limitation of the proof techniques? And our results is a generic approach that leads to an attack on all the schemes I cited before using one verification queries and in the order of 2 to the 3n over 4, tagging queries. And all these approach work where we look for a reaction of this kind. So remember for a CBC we looked for a pair of message xy so that sigma x equals sigma y. Now we look for quadruple of messages x, y, z, t such that it follows the relation r. So sigma x equals sigma y, we keep that, but also theta y equals theta z, sigma z equals sigma t and theta t equals theta x. Why? Because this directly implies that the mark of x, y, z, t with sum to zero. Oh, that happens. Well, if you look at double hatched in some schemes, you kind of, you can always write the mark like this, some transformation of sigma x, XOR, some transformation of theta x, and same for mark of y, mark of t, mark of z. And if you have the relation r, like sigma x equals sigma y, then the transformation of sigma x will be equal to the transformation of sigma y. Same for transformation of theta y, transformation of theta z. And you get this kind of alternating path of length four. And when summing all the marks together, the value will coincide each other two by two and you'll get zero. That's for all the schemes, it works like that. You will really look like this relation r, find the quadruple to attack the schemes. And that's not over. When you choose your message carefully, x, y, z and t, you can find redundancy in this relation, so that three of the relation implies the fourth one. So that would mean r is only a three and bit condition on the quadruple. So now you can understand why we have this complexity. Indeed, if we give Qt queries to the attacker, the number of quadruples will grow like Qt to the four. And therefore, we'll need to get two to the three n quadruples to have one that respects r with good probability, that means we need to give the attacker two to the three n over four queries to be able to find such a quadruple. So that's a bit generic, but maybe you want an example. I'll show you how we actually attack some eCVC with this approach. So first the message, how do I choose them? I choose two block messages, x and z will start with a block of zero, y and t will start with a block of one and then a block of any value, respectively x, y's identity. If I plug this message to the relation r, well, I just get this. Left and right, I've got the same block cipher, so I can remove it in the equation. And then I get a three n bit relation. You immediately see here that the redundancy, if you sum all the line, you get that the sum of x, y and t is equal to the sum of x, y and t, which is always true. And so you indeed get a three n bit relation for the relation r. So are we done? Not yet. We actually have to find this quadruple, right? For, as we know, the relation r will imply that the max is equal to zero. So that's the way to detect it. In the case of eCBC, if you look at, in the sum of CBC, if you look at the relation, you can also observe the first equation, right? So that's x, y and t sum to zero. But actually that's not enough, right? You will have around two to three n quadruples and that's only a two n bit filter. So you expect two to the n quadruple to pass this filter and not respect r anyway. So that's the problem. And actually that's the part that is less generic. You have to look at the relation r to find how to amplify the filter. And for CBC, it's pretty straightforward. If you look at the relation r, you see you can add one to x, y and t. And it still respects the relation, right? You should have no, you should have no change. That means we have some related solution. If x, y and t respect r, then xr1 or xr1 also respect r. In particular, that means that for a good solution, you have those max that must sum to zero. So that's another filter. Now you get three n bit filters. And now I can explain, I can show you the full algorithm to find a good quadruple. So first step, you do the queries. You build a list of size two, three, three and over four. You do it like this. You put, you append x, max of zero x and the max of zero xr1. And same for y, z and t. Second step, you find three entries, you find one entry in each list. So that's the four entries sum to zero under full three n bits. You should do that. You see that it will respect the full filter and you have found a good quadruple. What's the complexity? Well, the first step will cost you the queries. So you have to use in order of two, three and over four queries and as much memory to start the list. And the step two is about solving what we call the for XOR problem. And how much does it cost? I memorized it's still two, three and over four. But at the time, it's the square of that. So it's two, three and over two. That's how most of our attacks work. And you may think it's a lot like two, three and over two. It's more than two to the n computation. Yes, it's a lot. So we thought, how could we optimize this? And that's less and less generic. This, we have found a way to optimize time complexity. That's only applies to some SBC and GC MSI V2. But I will show you the intuition of how we can also optimize this complexity. Actually, I used one as a related solution in the previous slide, but you can obviously generalize this for constant C. So you get all, lots of related solutions for every value C. That means you get this equation, the mark that's on for zero, for any C with a good quadruple X, Y and Z. So we just do that. We take a lot of those equations and we sum them. Sum them for C equals zero, one, two, three, up to the three and over seven. So now I have a good, I have a big, big ZOR. It's only ZORs inside, total commutes. So I can just distribute the big ZOR. And if I look carefully at like the first one, the sum for all C of max zero X XOR C, well, actually C taking all possible value in the list, significant bits, will mean that only the four N over seven bits of X, Y and Z will be meaningful for this computation. In, in particular, you can see that for this to be true, that these, those bits just must respect three times this. That is a 12N over seven bits relationship for this to be true. So we do just that. We build our lists, just taking only the most significant bits and do like before, we do, you, you compute the big, big ZORs max and you, to increase the filter, you again add some constants, obviously not one because it will be eaten in the C now, but you add a constant and you increase the filter and now you, you, you, you, you, you do the same for four lists and now you only need lists of size to the train over seven because you look for a smaller relationship. And in that case, the four XOR problem will take again the, the, the, the square of that and that's two to the six N over seven time. However, to have one entry in the list, now I have to do two to the three N over seven queries, one for each C. So that will also take two to the six N over seven queries. If you compare what we had before to the two to the three N over two time to the three N over four queries, let's use less time, but more queries. We have a trade-off. Okay. So imagine you use the method you want and you found a quadruple. I've yet to show you how you can do forgeries using those quadruples. Well, it works quite the same way as the simple CBCs. For a good reason, the sigmas and the titas, they're actually like simple CBCs, internal states. So in particular, you still have this expansion property that if the sigmas are equal, you add the same suffix, you keep the sigmas equal. And R is just a relation, it's just a collection of equalities between sigmas and titas. So if, so we have actually this kind of the same expansion property for the sum of CBC, that is, if we have X, Y, and T that satisfies R, then adding the same suffix to X, Y, Z, and T will still get your quadruple that satisfies R. And in particular, you'll know the MAC works out to zero. So you forge in the same way, kind of. You imagine if you could find that the message you should please help, you must, and please never, short prefix. She found that the MAC belongs to the same, the quadruple that respects the relation R. And now she's again asking Alice to encrypt some messages, but Alice agrees to send those messages. So Tel-Bob should come back, she said you should come back, and what does Ev do? Well, nothing yet. She cannot forge right away because it's a relation on the four, but she remembers the tag she saw, and she continues. Please help Tel-Bob to come back. Okay, she agrees to send that, and she remembers too. And now, at the third one, when Alice sent you must come back, now she can, she knows because it shows the same suffix again and again, come back messages. And she knows that if you add the same suffix to the four messages, it will respect the relation R. So the tag, the tag will have to sum to zero. So you just compute t4, that is the sum of the three tags she saw, and she replaced the prefix by the last one. And now she could spoof, please never come back to Bob, Bob verified the tag, she found it's right, and it's been filled. That's a forgery. So when you find a quadruple, you easily do forgeries. So that's it. Most of our tags, like the first one I explained, using 2D3N over four queries and 2D3N over two time. I also showed a variant that works for some MSV2 using 2D6N over seven queries and time. Additionally, we also found that the scheme 1KF9, which was already withdrawn because there was a problem with the proof, is actually subject to a birthday bond attack. So we could show it's not a birthday bond scheme. And also, we have recent results on the circuit of flight mile plus by Naito. That is just simply proved wrong by your attacks because it provides a counter example to the results. So that's all the scheme we attacked, the time, the query complexity. Remember, I told you most of those schemes are proven secure when Qt is less than 2D3N over three. And all results show that they are not secure when Qt is greater than 2D3N over four. So that remains an open question. What happens when Qt is between 2D3N over three and 2D3N over four? Thank you.