So thank you very much, Matsui-san. My name is Yosuke Todo from NTT Secure Platform Laboratories. So from now, I explain the integral cryptanalysis on full MISTY1. So first of all, I explain the overview of my talk, but the result is very, very simple. I propose the first theoretical single-key cryptanalysis against MISTY1. MISTY1 was proposed by Matsui in 1997. And this cipher was standardized by many projects: ISO/IEC, NESSIE, CRYPTREC, and RFC 2994. So MISTY1 is one of the most important cryptanalysis targets. So many researchers analyzed this cipher, but there is no attack against full-round MISTY1. But now I can reach the full round, by using a novel technique, a novel integral cryptanalysis. So at Eurocrypt 2015, I proposed a new technique to search for integral characteristics, called the division property. And I applied the division property to generic attacks against Feistel ciphers and SPN ciphers. But in this CRYPTO paper, I applied this technique to the cryptanalysis of MISTY1, and I can reach the full round. So first, I create a new six-round integral characteristic using the division property. The full round of MISTY1 is eight rounds, so I append two rounds in the key recovery step so I can reach the full round. So as a result, the data complexity is two to the 63.58 chosen plaintexts and the time complexity is two to the 121. The second one is the time complexity optimization attack, but unfortunately, this attack has already been improved by Achiya Bar-On in the rump session yesterday. So in this talk, I only focus on the improved integral characteristic. So this is the specification of MISTY1. It has a 64-bit block length and the security level is 128 bits. So as you can see, MISTY1 has a Feistel structure with FL functions, and the recommended parameter is eight rounds with five FL layers. So FL1, 2, 3, 4, 5 is an FL function, and the FL function has this structure.
So the FO function is the round function of MISTY1. Compared with other Feistel ciphers, MISTY1's function is a little complicated because this FO function has a recursive structure. So this is the structure of the FO function. The FO function has a three-round MISTY structure, and the FI function is the F function of the MISTY structure. And additionally, the FI function also has a three-round MISTY structure using a nine-bit S-box S9 and a seven-bit S-box S7. So due to this recursive structure, MISTY1 has provable security against classical differential and linear cryptanalysis. So it may be impossible to analyze the full MISTY1 using classical differential and linear cryptanalysis. So many researchers applied more modern cryptanalysis to MISTY1, for example, impossible differential, higher-order differential and integral cryptanalysis. Especially, higher-order differential and integral cryptanalysis are very, very powerful for MISTY1 because the algebraic degree of S9 and S7 is very small. So this is the history of higher-order differential attacks on MISTY1. In 1999, the 7th-order differential without FL layers was first proposed, and by using this characteristic, five rounds without FL layers were attacked. And in 2004, a new higher-order differential characteristic with FL layers was proposed, and five rounds with four FL layers were attacked. And in 2009, by using a simple extension technique to the plaintext side of the integral characteristic, the 46th-order differential with FL layers was proposed, and this characteristic covers four rounds, and six rounds with four FL layers were attacked. And one year later, by optimizing the key recovery part, seven rounds with four FL layers were attacked. And in 2012, using a heuristic improvement of the 7th-order differential, the 44th-order differential with FL layers was proposed. And in 2015, at FSE this year, Achiya Bar-On optimized the key recovery part, and seven rounds with five FL layers were attacked.
Okay, so how do we reach the full round? As I explained in the preliminaries, the gap between seven and eight rounds is very high because the round function of MISTY1 has a recursive structure. So I think all previous higher-order differential attacks are based on the initial 7th-order differential, this initial one. The 7th-order differential well exploits the low degree of the MISTY S-box, but in more higher-order cryptanalysis, as in this case, the order of the differences is higher, and we have no technique that can exploit such low degree. So this integral characteristic is not optimized. But at Eurocrypt 2015, I proposed a new technique, the division property. So this technique is a new technique to search for integral characteristics. It can well exploit low degree even if the order of the differences is high. So by using this technique, we have found a six-round characteristic. The previous characteristic is four rounds, so it's improved by two rounds. So next I talk about the concept of the division property. We evaluate the propagation of the division property like the differential and the integral. So now let's consider differential cryptanalysis. We evaluate the propagation of the differential characteristic, like delta X to delta Y, and in linear cryptanalysis, gamma X to gamma Y. These two characteristics are very, very important because in impossible differential and zero-correlation linear cryptanalysis, we also use these characteristics. But in integral and higher-order differential cryptanalysis, we can't use these characteristics. So alternatively, we use the integral property. In the integral property, we evaluate a multiset and label it with the all property, balanced property, constant property and unknown property. And by evaluating the propagation of the integral property, we can search for integral characteristics. But these four properties are not sufficient to search for integral characteristics. So I introduced the division property.
So in the division property, we use the integer k and the propagation of this integer value. So this is the concept of the division property. Assume that the degree of the S-box is at most d. Now the input multiset has the integral property A, so the output is also A. And for input B, the output is U. So this is the propagation of the integral property. But now we know the degree of the S-box is at most d. If we prepare chosen plaintexts such that d plus one bits are active, the output multiset has the balanced property. But the integral property can't treat this useful property. So I believe some useful properties are hidden between A and B. So to exploit these useful properties, we redefine each property by the same statement and reveal the useful properties. So as a preliminary, I introduce a bit product function pi_u. Now we want to evaluate a multiset X, and each element takes an n-bit value. So now we prepare u from the n-bit values, and the behavior of pi_u(x) is: first we choose the bits of x for which the corresponding bits of u are one, and output their AND. So that is pi_u(x). And next we evaluate the parity of pi_u(x) over all elements, namely, we calculate this equation. Next we evaluate whether or not the parity becomes zero. If the parity is zero, the value of u belongs to U zero. Otherwise the value of u belongs to U question. So the division property focuses on this separation between U zero and U question. If all u such that the Hamming weight of u is less than k belong to U zero, we say this multiset X has the division property D^n_k. This is the relationship between the integral and division properties. So now, if the multiset has the integral property A, this multiset also satisfies the division property D^n_n. And if the multiset has the integral property B, this multiset also has the division property D^n_2. The integral property can't treat properties hidden between A and B, so nothing. But in the division property, we can treat such properties using k equal to three, four, five, ..., n minus one.
So finally, I talk about the propagation characteristic of the division property. This is the simplest case, the basic propagation. Let S be an S-box with degree d. The set X is the input multiset and the set Y is the output multiset, so y_i is equal to S(x_i). Now assuming that X has the division property D^n_k, then the output multiset Y has the division property D^n_{k/d}. But if the S-box is a permutation, only in the case that X has the division property D^n_n, the output Y has the division property D^n_n. It's a special case of the propagation. And finally I talk about vectorization. It's a little complicated thing, but it's very important because a practical block cipher doesn't consist of one S-box. Many practical block ciphers consist of several S-boxes, and especially concatenated S-boxes are often used. So let S be a concatenated function that consists of m S-boxes with degree d, like this. In this case, the division property is represented by some vectors, and each vector has m-dimensional elements. So it's very complicated, but the propagation is simple. In the propagation characteristic, we only focus on each element of each vector, and by using the basic propagation, I calculate the output division property. So from now I talk about the new topic in the CRYPTO paper. At Eurocrypt 2015, I focused on secret S-boxes with restricted algebraic degree, but practical block ciphers don't use such secret S-boxes. In many cases there are public S-boxes and a secret key insertion. But since the key XOR is a linear function, we can remove the key XOR when we want to evaluate the propagation of the division property, because the division property does not change against a linear function. So now we can remove the key insertion, so the attacker can know the specification of the S-box. So by exploiting the knowledge of the S-box, we can improve it. So this is the application to the MISTY S-box S7.
So generally, a seven-bit bijective S-box with degree three has the following division properties. For example, if the input multiset has D_6, the output is D_2 because six over three is equal to two. But only for the MISTY S-box S7, it is D_4 from D_6. So generally, as k is small, the multiset is near to balanced, but here the multiset has the division property D_4 from D_6, and it means the speed to approach balanced is slow. So it's very important. So finally I talk about the cryptanalysis of full MISTY1. Using the propagation characteristic of the division property, I create a path search algorithm, implement it using C++, and create a new integral characteristic. The method is: first I create a propagation characteristic table for S9 and S7, and next, using these tables, I create the table for the FI function. Next I create the table for the FO function, and next create the table for the FL function, and by assembling all these tables, we create a path search algorithm. But because of the limitation of time, I only explain the propagation for the FI function, and this figure is the FI function. The FI function has a three-round MISTY structure with S9 and S7. Since the bit lengths of each S-box are different, it uses zero-extended XOR and truncated XOR. So to evaluate the propagation, we use a new representation for the FI function, named the 7-2-7 format. This is the 7-2-7 format of the FI function. By using this format, we can simply represent zero-extended XOR and truncated XOR. So this is a zero-extended XOR and this is a truncated XOR. So by using this circuit, we evaluate the propagation characteristic of the division property. So first of all, I remove the round key because it does not change the division property. Next, assume X1 has the division property (4, 2, 6).
So since the first seven bits and the second two bits are concatenated, X2 has the division property (6, 6) because four plus two is equal to six. Next, X2 has (6, 6). So since S9 is applied, X3 has (3, 6), from six over two is equal to three. Next, X3 has (3, 6). So since the first nine bits are split into two bits and seven bits, X4 has (0, 3, 6), (1, 2, 6), (2, 1, 6). But we don't care about (3, 0, 6) because the first line is at most two bits, so we can't choose three bits from a two-bit space. So now X4 has this division property. The next operation is the second seven bits XORed with the last seven bits. The division and the rotation. So the division property of X5 is calculated from (0, 3, 6) to like this, (1, 2, 6) to like this, (2, 1, 6) to like this. And then next, S7 is applied. So first we calculate the propagation for S7 using the propagation characteristic table, and only apply it to the first element because it's the first element. And next, we remove redundant vectors. Using this evaluation, we create a propagation characteristic table like this. So it's a characteristic table from the division property D^{7,2,7}_{k1,k2,k3}. By using a similar technique, we create the propagation characteristic table for the FO function using the 7-2-7-7-2-7 format, and for the FL function using the 7-2-7-7-2-7 format. And by assembling all these tables, we create a path search for the entire MISTY1. Finally, we create this algorithm using C++, and we get the six-round integral characteristic with two to the 63 chosen plaintexts. This means that the first bit of the first seven bits is constant and the other 63 bits are active. Then this first seven-bit value is balanced. So the next part is key recovery. Now the integral characteristic covers six rounds, so it's only two rounds of key recovery.
So I want to evaluate this balanced value from the ciphertext, and I guess the round key and evaluate this balance. The partial sum technique is useful for this evaluation. And so I did the full-round cryptanalysis. Yes, so the last topic is Bar-On's optimization. In yesterday's rump session, this new improving technique was proposed. So I summarized the difference between my key recovery technique and Bar-On's technique. First of all, there is no improvement of the integral characteristic. Namely, it uses the same six-round characteristic. So the improvement is only the key recovery part, but in the key recovery part, Bar-On uses a more intelligent technique. For example, for the setting, I use CPA, but Bar-On uses CCA and then CPA. And for the key recovery, I only use partial sum, but Bar-On uses partial sum and the meet-in-the-middle technique. And as a result, the data complexity optimization attack is the same result, but the time complexity is dramatically reduced to two to the 69.5, but this cryptanalysis uses the full codebook, two to the 64 chosen plaintexts, so it is a full-codebook cryptanalysis. Finally, I conclude my talk. I propose a cryptanalysis against full MISTY1. The division property proposes the existence of the characteristic that covers six rounds with two FL layers. In following work, Achiya Bar-On optimized the key recovery part. And so now, the security level of MISTY1 is reduced to about two to the 70. But I leave an open problem: how to analyze the full MISTY1 with a more practical number of texts? So thank you very much. Thank you.