 Thanks for thanks for my talk is about some new insight on the AES like SPIN ciphers. So first I will give some introduction and then give some preliminaries and then I will give some zero correlation linear cryptanalysis of the AES like SPIN ciphers and then I will give some applications of the application to hash function and to the AES and finally I give a convolution. Block ciphers are among the most important primitive in constructing cryptographic schemes such as authentication schemes and hash functions and among the most famous block ciphers the advanced encryption standard is currently the most interesting candidate to build different schemes such as these ciphers, these schemes in the ongoing CES competitions. Some of them use the AES run function directly and the others maybe use some AES like SPIN ciphers. Although the security of these schemes does not completely depend on the underlying primitives we believe that the security of the run reduced AES could give some new insight to both the design and the cryptanalysis of the authentication encryption algorithms basically there are two settings in cryptanalysis one which is the distinguishing attack and the other is the key recovery attack and for distinguishing attacks the distinguishing properties refers to those properties of a cipher that a random permutation do not have and for key recovery attack the aim of this attack is to recover some run keys of a cipher and usually the attack is supplied once some distinguishing property of a reduced run block cipher has been found for example in differential cryptanalysis we first define some differential characteristic with high probability but for a random permutation this characteristic may not exist and let's see some details of the SPIN like ciphers AES like SPIN ciphers in the design of these ciphers one usually uses the MDS matrix with elements are restricted to low hamming weight in order to reduce the workload of the multiplication over finite field and not only the MDS matrix are always circulate but also they are identical element in each row for example in the AES the first rule of the MDS MDS matrix is 2-3-1-1 and I give a little summary of the known distinguish for the AES although there exists some five-run distinguish for AES 192 and AES 256 the known distinguisher for all version of the AES only covers at most for run for example the impossible differential AES only covers for run and also the integral distinguisher these signatures hold not only in the choosing plant X mode but also in the choosing cipher setting and this is basically because the most of the distinguish are based on the fact that the mixed column is MDS matrix so since the inverse of MDS matrix is also MDS matrix so this property holds on both directions so this is the definition of hamming weight and the correlation of brain function and the vectorial functions so we did it but we will use this notation to denote circular matrix and for the AES like ciphers we always have we also know the wrong function is composed of four parts the first part is add run case and then super byte if the division layer is made up of shift rules and the mixed column there we say the S pin cipher is an AES cipher for the AES the shift rule equal to 0, 1, 2, 3 this means the first rule is we keep the first rule and the second rule left rotated by one byte and the mixed column is circular matrix and in group 2006 2016 we have proved that the longest impossible differential of the AES is for if we do not exploit the detail of the S box so if we want to construct longer impossible differential of zero correlation we should exploit the detail of the S box and also we should exploit the detail of the MDS matrix so this here give an example of the known for example for run impossible or zero correlation linear how of the AES since in the M3 the input to M3 has three non-zero element and output has one only one so the sum of this is four which is contradict with the fact that the branch number of the MDS matrix is five so if the input so if the input mask is like this and the output is only one so this the correlation of this mask should be zero to enhance the performance of a cipher designers usually use identical S box for example in AES the 16 S box that you want are the same and the diffusion layer whose element often have relatively low hamming weight which is not necessarily but often cause some weakness as shown in the following first we will recall a fact that if the input mask to linear function and is A and the output mask of a linear function is B then if the correlation is non-zero then A and B should satisfy that B equals to the transpose of L minus 1 times A and the first in the following we will always ignore the first shift rule since it can be omitted in the capital C's and we assume that the AES like S being cipher satisfy the following conditions the first one is there always exist two elements such that they are two identical element in the transpose of the inverse of the mixed column matrix and without loss of generality the S boxes in the two positions are the same then the creepiness of the following we hope let's see here so not only the input mask of the two S boxes are the same but also the values of the two S boxes are identical so so if the input mask to these two positions are the same and the output mask should be the hemivet of the output mass should be three or four and in most cases it should it always it is always four so to make it be three here if the input mask is A A 0 0 and we already have these two elements at D so this element should be 0 to make this hold when we need we need the condition that the input mask are the same and also the value to the two S boxes are the same so in this case the two the input mask of this form the output of then the output mask should be of this form and then like as we aware as I have already explained before and this this is a four round zero correlation linear how so in this case if the input is always from the an output or the only one active expected in the output then this correlation should be 0 and since we have established some relationship between a zero correlation linear how and the integral distribution integral distribution we can turn the the zero correlation linear how to an integral one um let for AES like spin cipher if the let delta equals to the difference of two sub bytes of the let delta equals to the two bytes of sub keys and we denote a set like this then the output of five round AES like spin ciphers will have the following property the sum of each byte equals zero but for a random permutation it happens with it can it is not always holding so this can can distinguish a five round AES like cipher from a random permutation so let if the if the if two bytes of the plain text if two bytes of the plain text equals to uh uh to to delta and then uh we denote by t delta f like this uh this is the sum is let me see so the sum is in this set so there are since we already know if if delta equals to the two sub bytes of the keys then the sum is zero and the delta can only be one two three and zero two two to the power n minus one so there always exists a delta such that the sum is zero and for random permutations the property is too low so this we can say that this can distinguish uh uh block cipher from random permutation and we can also give a direct proof of this theorem and we refer for refer to our paper for the details so next we give some applications to the hash schemes since in block cipher we cannot know the value of the key but in the hash scheme we can sometimes we can know that that if if the if the chain value act as the key then we can know the difference of the two bytes so in in the if we consider a hash scheme we cannot to guess the value of the two the difference of the two sub keys so in the hash scheme in the hash scheme the this the value is we can always know this value so if the the different of the two parts of the planet x equals to this value then uh we can determine that the sum of the output can always be there since the whirlpool hash fancy is a special constant of m p hashing scheme so this this result can be generalized to a m p hash hash mode and in this case the subset we does not necessarily form a subspace this is different with uh uh integral attack uh basically in uh integral attack the the subset v is always a subspace of f2 to n and for the let's see the application to the a s and since the the inverse the transpose of the inverse of a s like this e 9 d b and they are we cannot find a two element sub we cannot we cannot find a two equal element so it seems that we cannot construct such distributors for the five-run a s but if we uh we consider the the decryption of the a s then since the matrix 2311 we can find the two elements that are equal so we can construct the distributors for the inverse of a s so like this if the this is the cipher text if the two part of the side text cipher text is equal to the corresponding as a case the the sum of the planet x is always zero just like this but for random permutation it happens with the probability 2 2 minus 120 so this this property can be used to uh for instance when the code book is provided to determine whether it is a s when both the block cipher and the keys are unknown since the a s adopts a circular mds matrix we can get many other different variants of this property by dividing the whole set into different subsets so let's see the conclusion uh distinguishing of the a s like x being structured are covered extensively in this paper and we all these results are based on the two observations so uh the first one is they are two identical elements in the rule of the transpose of the inverse of the matrix and the second one is they are the s boxes are identical and they in the husband mode the where the change in value serves as the secret key in the block cipher we can further remove the constraints on the matrix and s boxes and we apply the new result to the workflow and construct five run integral like distinguishes and although we cannot build a distinguisher in the chosen planet text mode we can construct a five run integral distribution for the a s in the chosen cipher text mode um which is the best distribution for the a s with respect to the number of run it covers so our result shows that despite the key schedule the second margin of the run reduced a s on the chosen planet text deck may be different from that on the chosen cipher text attack and we we also try to apply a key key recovery tag using the new distinguisher and if we can ignore the ignore the complexity of the doing the partial sum then we can attack seven run but in this case the complexity of the of doing the partial sum is too high and someone may think that it cannot be ignored so someone may regard it as a correct or someone may be thinking it's wrong so we can we did not add this route to the paper so that's all thank you