 Hi. So, on behalf of authors, I am going to present this paper. Mostly, I would say the paper is based on two keywords from the cryptography, nonce and fault analysis. So, they are trying to going out from the nonce barrier and introduce the fault attack when nonce becomes a countermeasure in the fault attacks. That is the overall thing. So, let us start with the nonce. So, yeah, in the sense that when Rogay defined that what is the basic principle of nonce to be used in the cryptography, it says that in every application of the crypto algorithm, the nonce would be unique. But sometimes it is with some terms and condition people, crypto theory people try to utilize it with some non-uniqueness feature for couple of times or sometimes for a chain of messages. So, that is the main thing they try to exploit in the in this area. On the other hand, fault analysis, what I understand that in a execution of the algorithm, you try to inject the fault in a particular place and then you observe the outcome after that fault injection and then analyze with the good result. That is the overall three-step of the fault analysis. So, what happens with this? Basically, if you can inject a fault in a round say n minus 1, that means you can reduce your kept analysis from a n round cypher to some n minus i round of cypher. So, basically you are reducing the number of rounds by injecting fault. That is the motivation. There are different kinds of fault attacks in the extension, but most popularly used attack is the differential fault. So, basically differential means you have a good run of the algorithm and you are playing with the same plain text in the next run and you are injecting the fault in a particular place and then find out the differential of the two run and then analyze, find out the queue. So, this is like this. So, you have the message which is going to be encrypted, getting the C and as an attacker, you reapply the same message and in some round, in some place you inject some fault and then get the fault output, try to correlate the C and C star. This is the overall idea. So, that is what I already said that this basically implies that you are going to kept analyze reduced round entry cypher. So, that is the, then so once you have a nonce in the execution, that means at every execution you are changing your input value. So, that attacker cannot replay with the same input to inject the fault. That is the nonce defined. So, in presence of nonce, theoretically good nonce, your assumption violated. So, fault attack cannot work in that sense. That is the story. So, once you try to replay, you cannot replay because you have some nonce which are different in these two case. So, you cannot encrypt the same message to get some relation. Now, what we can do to go out from the nonce barrier? We can either misuse the nonce, we can bypass the nonce or we can avoid the nonce. The same authors have two different works to one, the first one they presented in Indochip 2014. They say, they basically try to misuse, try to exploit the misuse of nonce. So, the algorithm developed, there are some Ae stands for authenticated encryption. So, there are some authenticated encryption schemes where the inventors defined that you can use the nonce for a few amounts of time, say for 20 messages or 30 messages, you can use the same nonce. So, they try to exploit that misuse basically. That means for executed nonce, you are using the same nonce. That means the same fault attack can be applied there. In the nonce bypass thing, it's another, there are some type of authenticated encryption schemes which says that if your tag does not match at the end, means the ciphertext is not authenticated, means when you are decrypting, then also you can release your output, faulty output. The sense of that algorithm was basically sometimes you have a big message and when you are receiving the big message, you need to store them somewhere to authenticate it. And if you go to store the whole thing, you, a small device may not have those amount of storage to store the whole message. So, these encryption schemes allows you to release the decrypted message before authenticating it. So, they basically, in this work, they try to exploit that unauthenticated message outcome. So, during decryption, you have the nonce, but it will allow you to output the message if it is not authenticated. So, you use the same, apply the same nonce during decryption for consecutive execution and exploit that to find out the correlation. And on the third one, which is going to be present here, this is more generic. There are against some kind of authenticated encryption scheme where people defines that you have a nonce, and nonce is a part of your input message and the rest of the part is, say, a counter, which is incrementing by one by one, and that nonce part will be fixed for a big message, means the message means the whole chunk of message what is going to be encrypted and authenticated at that time. So, they basically, and also you can encrypt those, the full messages with different chunks in parallel execution. Means you have same permutation function, say, AES, you are executing AES for n different times in parallel using different counter value and the same nonce. So, they introduce how to avoid this nonce in this kind of authenticated encryption scheme. So, divide and rule. So, here is their main idea. So, instead of one fault, here they are trying to inject two faults. At the beginning, they try to inject some fault to make the input similar with the other execution. So, technically, in this algorithm, you have a fixed part and the counter value is incrementing. So, in the first place, they try to inject some fault in the counter, which is going to be incremented for every message. So, that counter will make, will basically, by fault, will make the input with some another instance of the same algorithm. And in the second place, they inject the second fault as you have in the fault, means somewhere in the round. So, here is the more idea in the pictorized. So, let's say the parallel encryptions. So, counter value AX, X plus I up to X plus n and rest of the parts of this input are same nonce, using the same nonce or some domain parameter. This part are same. So, what you can, and then, then parallel you are using the same permutation function, say, yes, or any other cyber algorithm to find out, to generate the final output. Sometimes the output can be truncated. So, what they are doing, in the first case, they are placing a fault here, injecting a fault here, means at the counter values. So, injecting this fault in this counter value means that they try to inject in a particular byte, say, so that byte transfers this whole part to some other execution of this chain. So, that they can find out the relationship between, say, this one X plus I transfers to X, that means this guy, this part and this part will be the same. The input is same. And in the second fault, they basically inject the fault here as per standard fault analysis algorithm, and then tries to relate the internal state, and finally, they get the internal differential fault analysis. That's the overall idea. So, as the case study, they pick the algorithm, which is the pick algorithm. It is a candidate in the CISAR competition in second round, but this is going to end out in third round. So, due here is nothing to say. So, main idea is this parallelizable and counter mode, what I explained before already. And then here is one story that this went out. The algorithm is no longer in the CISAR competition. Another thing, nothing to say here. So, here is overall the relationship between what I explained the parallelized encryption versus this exact algorithm. So, here all these inputs C, this counterpart is only changed from every instance. Rest of the inputs are same. N stands for non-case transpose key, some key, et cetera. D is some domain parameters. So, only this counter value are changing. And then encryption happened in the cases that basically you have the plain text extra with the part of the cipher text, part of the encrypted value, and then generated the C and the rest of the blocks will go down for the authentication part and then finally authentication tag is generated here. Here is the idea about how that epic algorithm constructed. It's basically 512 bit states. So, basically you have four AES blocks put in four parallel session and then they have 20 rounds instead of 10 rounds of AES. And every two rounds, they alter the columns in each other. So, that is basically the algorithm how it works. So, you have four AES blocks, let's say now, and after two rounds, one and two, after two rounds, these columns are suppled around others. So, that way the algorithm is defined. Here is little bit detailed about how they define the distinguisher, how they're playing the internal differential. So, as I explained, basically they're trying to inject the fault at the counter first and then try to find out that the change of that counter matches with one which particular column of this AES execution and then trying to find out the distinguisher to perform the fault analysis. So, basically equalize and differentiate what I already explained. So, basically they inject fault, equalize it J say or any other J and then trying to differentiate here. Here is more detail about that. Interested people can go and read the from the paper. So, basically here main idea is sometimes you can say that when you are injecting the fault at the first place, then how do you guarantee that the faulted input is matched with one of the other branch of that. So, they ensure that the counter is going to be changed from 1, 2 to 55. So, the main requirement of this attack is that you need to have at least a message which is 255 block of AES. So, if they inject a fault in the byte, that means that byte, faulty byte will map in one of the value from 1 to 55, what is already in the chain. So, that can be used as the fault free execution and then they will use their one as the faulty execution and then try to find out the distinct ways and co-relation. That's the story. These are much more detailed. I do not want to go. And then finally, they have shown some experimental results on a big different versions. A peak 64 indicates the 64-bit key, 80, 84-bit key and 128-bit keys. And after their analysis, they shown that if you have a 255 blocks of message encryption and you can implement this fault attack injector fault in round 17 or round 16 kind of place, then the complexity or the state space reduced from 64-bit 2 power 64 to 2 power 16.14. And in this case, 2 power 50 only. And this is estimated because this amount of round they cannot perform in their environment yet. So, that is the estimation based on these two results. Here is their experimental data, little bit more detail. So, here is the conclusion. So, overall main thing is the execution with counter-based modes where you have some nonce. Nonce plays a role to counteract against the differential fault attack. But they shown that if nonce is misused or nonce can be avoided, then counter type of execution or parallel execution are attacked by the fault analysis. Here is the author. He is unfit now. So, very enthusiastic guy, but unfortunately after getting all arrangements, he cannot make it. So, I'm going to present that. That's all. Thank you. Thank you very much.