Thank you. So I am Martin Ågren of Lund University and I'll be presenting our paper on the distribution of linear biases. More specifically, I will be going through three different examples of what can happen inside block ciphers in terms of linear cryptanalysis. This is joint work with Mohamed Ahmed Abdelraheem, Peter Beelen and Gregor Leander at DTU.

So the outline of my talk is as follows. First the general setting, which is block ciphers and linear cryptanalysis, and then the problem as we see it with the state of the art in terms of knowledge about what happens here, how block ciphers behave. Then three different examples, ranging from a toy cipher to a real-world block cipher proposal. Each of these examples tells us something about block ciphers and linear cryptanalysis that we hope can improve our knowledge about this problem. Then finally I will conclude the talk.

So first of all, the general framework that we will be considering here. So we have block ciphers. We just fix the random unknown key and consider the function F, so it's a permutation over n bits. Now we study this function F using linear approximations. So these brackets here are used to denote the canonical inner product, meaning we take the input to the function, the x, and we take a bit string alpha, and then when we multiply this together, well, we simply pick bits from x as specified by alpha and we add them together and get a new bit. We do the same with the output f(x) using a bit mask beta, and then we have this equation saying that alpha times x is equal to beta times f(x). Now obviously, if this is a half-decent block cipher, this won't happen with probability one but with some probability one half plus an epsilon, and this is the bias of this approximation. It's useful also to talk about the correlation, which is simply twice the bias. So the general idea is that the designer of the block cipher wants to make sure that all these biases for all these possible alphas and betas are small, while the attacker wants to find some alpha and beta where there is a large bias. And what is small and large? It depends on several things, so I'll just talk about small and large, and that should be sufficient for this talk.

So a block cipher typically is constructed using a round function which we apply r times. And what can we then say about linear approximations? Well, we can consider a trail, meaning that when we go from alpha on the input to beta on the output, we pass through several intermediate states where we have intermediate bit masks, and for each such possible choice of intermediate bit masks we say that we have a trail. There are typically a large number of trails going from alpha to beta, and the correlation of such a trail we define simply as the product of the correlations of the individual round functions. What's nice about this definition of the correlation of a trail is that then the correlation of the linear approximation is simply the sum over all trails of the correlations of each trail. Now a block cipher not only typically looks like this, but also like this: so we have linear round key additions in between each of these rounds, and then we update this slide slightly, namely the correlation of a trail is the product, as previously, of the correlations, but we then flip the sign; we choose the sign depending on the particular key that we are using, and then this summation formula is updated accordingly. So we add together all these correlations of the trails, but with changed signs depending on the key, and this is usually referred to as the linear hull equation.

So what about the problem that I told you about: what do we know and what do we not know about how this behaves? So what we can do is we can bound the correlation of a single trail. That's usually very straightforward: we just count the S-boxes, basically, or study how much non-linearity is introduced here at the minimum. What we cannot do is bound the correlation for a linear approximation, that is, when we sum all of these trails together in a key-dependent way. What happens? Do they cancel out to zero, more or less, or do they somehow magically all get the same sign contribution, so it becomes this huge number? Well, we don't really know. There is clearly a distribution: when we pick a key we get some bias, but what does this distribution look like?

So the first and sort of obvious solution to this is, well, basically ignore the whole problem. Just deal with single trails: we find the trail that has the largest correlation, and then when we sum over all the trails we assume that basically all other trails add up to zero, so we just get basically the contribution from the largest trail. And this might work in a sense, but we don't really know if it's correct. We can model the situation somehow, for example assuming that all of these trails are independent. So this sum of trails is a sum of a lot of independent stuff, and that's usually easy to handle, so we might reach some conclusion there. If we are even more advanced, we might perform simulations to somehow verify those results of this modeling. This is usually difficult in a computational sense, so one studies a smaller-state version of the block cipher, and then of course the question is: these simulation results, are they at all valid when we consider the actual block cipher with a larger state? So on the, let's say, to-do list of the community is to develop a reasonable framework for studying this, and we claim that it hasn't been done before. It's difficult, sure, and we also think that, well, we didn't really try very hard so far.

So then we will give the contribution here, which is three different examples of what can happen inside a block cipher in this sense of the correlations. First of all, we'll give a counterexample to an earlier result, and then two other examples. All in all, we believe that this gives an idea of what you can and cannot hope to prove in this situation, and hopefully this will serve as inspiration for future work.

So, the examples. First of all the cube cipher, which is just a toy cipher, but it does tell us something interesting. There is a result by Daemen and Rijmen saying that if we have an n-bit block cipher with independent round keys, a huge number of non-zero trails, and all of those trails have the same absolute correlation, so all of those correlations are just plus or minus some constant, then when we pick a key, well, what bias do we get, what distribution is there? And the theorem says that the bias distribution tends to a normal distribution as we increase n. So for a large enough block size the distribution will look sufficiently much like a normal distribution, namely, if we plot the bias against the number of keys, most of the keys will provide a bias centered, let's say, around zero; then there will be some keys that give a larger bias in absolute terms, but there will be this normal distribution. Which sort of makes sense when we have this summation formula with a huge number of variables which have the same absolute value, and we assumed independence in the keys. So it's basically a sum of independent variables, right? And we get this Gaussian.

So, however, let's look at the cube cipher, where each round function is a cubing in a finite field and there are only two rounds. So this is clearly a toy cipher. There is a lot of structure here. It's subject to various attacks, but it has independent round keys, it has a huge number of non-zero trails, and they all have the same absolute correlation. So still, while this is a toy cipher, it should behave according to the theorem. But it doesn't. While the theorem suggests this nice bell curve, what we get is this very, let's say, discrete distribution of just five distinct values for the correlation, for all values of n. So no matter how much we increase the block size, the distribution will look like this, which is not a normal distribution. So there is something wrong in that theory for sure.

Now the next two examples deal with the key scheduling, that is, how you pick your round keys. One common analysis is: well, assume independent round keys, do some modeling, for example getting this Gaussian on the previous slide, and then you replace your independent round keys with dependent keys coming from some key schedule, and then the question is how valid is your analysis? I will be presenting two examples of what can happen when you have clearly dependent round keys, but still, so you replace these independent round keys with dependent round keys.

First of all PRESENT, which is a well-known block cipher. If you are familiar with it, it looks like this; if you're not familiar, you don't need to look at this at all. We just note that there are round functions, round keys, the usual stuff, and the distribution is close to normal. So this is what the distribution looks like for 17 rounds of PRESENT. It's a nice Gaussian. That's good. Now what we do is we replace all of these round keys, which are usually non-linearly related, with a constant round key, and just to get rid of some trivial attacks we introduce round counters. So we have a constant round key and some round counters, and then what happens to the bias distribution? We get this red curve, which is sort of flatter and wider, that is, it has a larger variance. So in particular, if we study a large bias, so far to the right here, while with the original key scheduling we have virtually no keys yielding this large bias, now there is actually a substantial fraction of keys that has such a large bias, meaning this cipher is less secure. We need more round functions, we need more computations; basically we get worse efficiency. So clearly here the key schedule influences the behavior in terms of linear cryptanalysis, the conclusion being that this PRESENT with constant round keys is not secure, or not as secure as the original PRESENT. It's worth noting that the hash function SPONGENT, which is sort of based on PRESENT, does not have this S-box, so this does not give any attack or anything on SPONGENT. Indeed, this is the very reason that SPONGENT has another S-box. But more rounds help: with more rounds we squeeze together this distribution, the variance becomes smaller. So everything still works given sufficiently many rounds.

So then for the third example, where the number of rounds will turn out to be, well, it's not a parameter; basically, we will not be able to fix things using more rounds. This is PRINTcipher, and again, if you're not familiar with it, don't look too much at the details. We'll just note that last year at CRYPTO, Leander and friends presented an invariant subspace attack. This means that we consider a subspace, or actually a coset of a subspace, and if the input to the round function is in this coset then the output of the round function will also be in this coset. Now this is not affected by round counters or anything, so this holds for all rounds, meaning that if the plaintext is in this coset then so is the ciphertext, and this happens for some keys, which we call weak keys. Now this is clearly bad because it gives a distinguisher: you just try a few plaintexts and ciphertexts and then you know if you have this type of key. But let's see. Okay, so yeah, this extends to the entire PRINTcipher.

So let's see what happens to the distribution of linear biases. So this is a plot of it. We have, well, the bias against the number of keys, where we go through all different keys here, and it looks sort of like a Gaussian, but there is also some small bubble out to the left. Looking closer at this, this is another Gaussian, which is much smaller, and it turns out that these two distinct Gaussians correspond to the weak keys and the non-weak keys. So for the good keys we have a bias centered at around zero; everything is working as it should, and the way it matches the independence analysis pretty nicely. But when we have these weak keys, we have another, smaller bubble out to the left with a large bias. So this bias is actually large enough to break PRINTcipher in this cryptanalysis sense, so that's still not good.

We'll try to explain that, and we do that by turning to the correlation matrix. Now this is a concept introduced by Daemen and friends. So you make this huge matrix where you take all possible alphas and all possible betas, so you derive all possible correlations, and then you put them in a matrix in a structured way, and this is a nice tool to analyze these functions. In particular, it turns out that when you have an invariant subspace like this, then what happens is that in this correlation matrix there appears an eigenvector with eigenvalue one, and a very nice structure of the eigenvector. The eigenvalue one essentially means that we have a non-zero limit of this matrix to the power r, that is, applying r rounds of this cipher. So this is basically trail clustering; everything is adding up. The eigenvector is a constant times this plus-minus pattern, and this gives the matrix power limit as a constant times a very nice plus-minus-one pattern. There is really only one way you can pick this constant, and this eigenvector analysis suggests that all these biases, when you increase the number of rounds, will tend to plus or minus two to the minus sixteen. And actually that is what happens for the full PRINTcipher. It turns out that we have these large biases, plus or minus two to the minus sixteen, which is way too large for PRINTcipher. So that's pretty bad. But we were also able to show that there is actually an equivalence here. So the good thing here is that if you do not have an invariant subspace, which, let's say, a good pseudorandom function shouldn't, then you do not have this kind of trail clustering; then you do not have this eigenvector with this eigenvalue where everything just adds up to these large biases. Clearly other things can certainly go wrong, so if you don't have an invariant subspace, it's not a promise that everything is perfectly fine.

To conclude this talk: we saw that, well, assessing security against linear cryptanalysis is sort of tricky. There's a lot of hand-waving. You make a lot of assumptions, derive your conclusions, and then you don't bother about the assumptions anyway; you introduce dependency and so on, and what happens is an open question. At least we managed to show that an old theorem is not entirely correct. New results, or new attempts to describe what happens with this distribution, need to somehow deal with the cube cipher, either by describing what happens there or by somehow removing the cube cipher from the context of the theorem. It is a toy cipher and it's, well, it's not really interesting, so if you exclude it entirely from the theorem, you might be able to say useful things still. Now, with identical round keys bad things happen, so one lesson here might be: don't use identical round keys. So then the question still is, how dependent keys can you use? Do you need non-linearity? How much non-linearity do you need? And so on. And there are, yeah, in short, a lot of things to do still about linear cryptanalysis. Thank you.

Thank you very much.
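As an added example (not part of the talk or the paper), the linear hull equation and the key-dependent bias distribution described in the talk, worked out for a constructed two-round toy cipher built around the PRESENT S-box: every trail alpha -> gamma -> beta has correlation equal to the product of the two S-box correlations, its sign is flipped by the round-key bits the masks select, and summing the signed trails over all 16 intermediate masks gives exactly the correlation measured from the cipher, for every one of the 2^12 keys. The toy cipher, its three 4-bit round keys and the mask values are assumptions of this example.

```python
from collections import Counter
from fractions import Fraction
from itertools import product

# PRESENT's 4-bit S-box; the 2-round toy cipher with three 4-bit round keys
# built around it below is constructed for this example.
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
N = 4                       # block size in bits
MASKS = range(1 << N)       # every possible bit mask alpha, beta, gamma

def parity(v):
    """Canonical inner product reduced to one bit: XOR of the bits a mask selects."""
    return bin(v).count("1") & 1

def correlation(func, alpha, beta):
    """Correlation (twice the bias) of <alpha, x> = <beta, func(x)> over all inputs."""
    agree = sum(parity(alpha & x) == parity(beta & func(x)) for x in MASKS)
    return Fraction(2 * agree - (1 << N), 1 << N)

# Single-round correlations c_S(alpha, beta) of the S-box, tabulated once.
C_S = [[correlation(SBOX.__getitem__, a, b) for b in MASKS] for a in MASKS]

def cipher(x, key):
    """Toy cipher: key addition, S-box, key addition, S-box, key addition."""
    k0, k1, k2 = key
    return SBOX[SBOX[x ^ k0] ^ k1] ^ k2

def hull_correlation(alpha, beta, key):
    """Linear hull equation: sum over every trail alpha -> gamma -> beta of the
    product of its round correlations, sign flipped by the key bits the masks select."""
    k0, k1, k2 = key
    total = Fraction(0)
    for gamma in MASKS:
        sign = -1 if parity(alpha & k0) ^ parity(gamma & k1) ^ parity(beta & k2) else 1
        total += sign * C_S[alpha][gamma] * C_S[gamma][beta]
    return total

def hull_matches_direct(alpha, beta):
    """True if the hull equation agrees with the correlation measured from the cipher for every key."""
    return all(hull_correlation(alpha, beta, k) == correlation(lambda x: cipher(x, k), alpha, beta)
               for k in product(MASKS, repeat=3))

def correlation_distribution(alpha, beta):
    """How many of the 2^12 keys yield each correlation value for one approximation."""
    return Counter(hull_correlation(alpha, beta, k) for k in product(MASKS, repeat=3))

if __name__ == "__main__":
    print(sorted(correlation_distribution(0x8, 0x8).items()))
```

The distribution printed for one approximation is the toy analogue of the histograms in the talk: a handful of discrete correlation values with their key counts, symmetric around zero because flipping a last-round key bit selected by beta negates every trail at once.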