 I'm going to talk about the crypt analysis of print cipher. It's a new kind of attack which we call the inward and subspace attack, and I'll hope to explain why. So this is joint work with Mohammed, Huda and Eric, and we're all from DTU in Denmark. So this is an outline of the talk. I'm first going to introduce, briefly explain what this print cipher is, then explain the attack, and then also outline some relations to other types of attack. In this case, to truncate the differential attack. So this inward and subspace attack implies a strange behavior of print cipher to some more standard attacks. And then at the end, conclude. So print cipher is a lightweight SPN block cipher which was proposed at chess last year, and the idea is to take advantage of a, not of a key, of a fixed key, so the fixed is missing there. Otherwise, it's not very innovative, maybe. And it's also in the chess paper, it was shown that it seems that the print cipher is resistant against the standard attacks, like mainly linear and differential attacks. And so far, there have been attacks on reduced round versions of the cipher. So this is how print cipher, one round of print cipher 48 looks like. There are two versions, print cipher 48 and print cipher 96, but I'm going to focus on print cipher 48 only in the talk. So it's a 48-bit block cipher with 48 rounds and an 80-bit key. And the point is that the main point is that this 80-bit key is the same in each round. So the round functions are identical, including the key up to a round constant. So what happens is that first the state is, where's this laser pointer? So first, the state is exored with a 48-bit exo key. Then the bits are permuted, the 48 bits are permuted according to this present-like permutation. And then six bits are exored with a round constant, which is different for each round, of course. And then to get some more, to get more than, to enlarge the key space to more than 48 bits, some more parts of the cipher have to be key-dependent. And for print cipher, what it's done is that before three bits enter this three-bit S-box, S here, each three bits are permuted in a key-dependent way. And so there are in total six permutations of three bits, but only four are allowed for print cipher. So this is how print cipher works, and this is repeated for 48 rounds. So in the talk, but not in the paper, I'm going to focus on a more simple version, a simplified version of the cipher. It has to make things more clear. So it's not block size of 48 bit, but 24. I am going to fix the permutation key to make things easier, and I'm going to modify the S-box. So it's a completely different algorithm I'm going to show you. But the point is that the kind of the attack takes over to the original. The ideas of the attack take over to the original cipher. So I start with explaining what this modified S-box is. So the modified S-box is a property that it has many fixed points. So S of 0, 0, 0 gets mapped to 0, 0, 0. S of 0, 0, 1 is 0, 0, 1. S of 0, 1, 0 is 0, 1, 0. And S of 1, 0, 0 is 1, 0, 0. And the point is that this can be, it's convenient to rewrite this in the following way, saying that S of 0, 0 star, where star is arbitrary, as a 0, 1 gets mapped to 0, 0 star. And similar things for the other bit positions. And the important remark is that the original S-box fulfills something which is very similar to this. Okay, so this is a picture of the simplified version. 24 bits. First thing is XOR with a 24-bit key. So then there is a permutation which is also very similar to the permutation of the original print cipher 48. And then there is again a round constant, as in the original cipher. And then instead of these red key-dependent P permutations, I now fix one permutation. And then you have this modified S-box applied. And then you repeat this. So how does the attack work? So the first observation is that we're going to look at these 8 bits. So I highlighted 8 bits in this linear part there. And the point is that those 8 bits get mapped to the same set of 8 bits by the linear layer. So this is kind of, if you want, an invariant subspace for the linear layer of the cipher. So this alone is certainly not a problem. For most of the ciphers, I guess you would find the invariant subspaces for the linear part of an SP network. So the main question is how does this relate to... So what happens with this invariant subspace when it goes through the S-box layer? And for this, we are going to fix some bits in the plaintext, but also in the XOR key. And because we have to fix some bits in the XOR key to certain values, that already implies that this attack is not going to work for all keys. But it's going to work only for a certain fraction of keys. These will be weak keys, if you want. So this is the simplified version again. And now I'm going to fix these 8 bits to 0 in the plaintext. And I'm also going to fix the same 8 bits, the same position to 0 in the XOR key. So this implies, of course, is that I have those zeros at the inputs to the S-box. And then for all the other bits, I don't really care, so there can be anything in the plaintext. And there can also be anything in the key. And then I get... look at what happens to these. The important remark here is that when it comes to XORing the round constant, here I have only stars. I have only values which I don't really care about. And this is not changed by XORing the round constant. So this is the state before the S-box layer. And now recalling the special property of this modified S-box, saying that 00 star gets mapped to 00 star and so on, means that I can, with probability 1, so far everything happens with probability 1. I get this at the end of one round. So I start by a plaintext where I fix some bits and then after one round I have again some bits fixed to 0. And the main point then is that those things are actually the same. And because they are the same and the round keys are all the same, this property iterates over any number of rounds, basically. So this means if certain key bits are 0, and I fix certain bits in the plaintext to 0, then I get also 0 bits in the ciphertext. So as I said, the round constants do not really help because no bit is fixed where the round constants are XORed and it works for the whole cipher. Something very similar happens for print cipher 48. So here is actually the kind of similar property that holds for the original S-box. So instead of having all things fixed to 0, one has to fix some bits to 0, some bits to 1 in the plaintext and also some bits to 0 and some bits to 1 in the XOR key, but more or less the same thing happens. You again get a one-round iterative property for these weak keys with probability 1. Yes. So it's a probability 1 distinguisher for the whole cipher for the weak keys. Around 2 to the 50, I think it's actually 2 to the 51 of 2 to the 52, but yeah, might be a bit wrong, but around this, 2 to the 50 out of these 2 to the 80 keys a week and something similar happens for print cipher 96. And so to give a bit of an abstraction of this attack, what happens is that you have a round function where you can identify a subspace U and the constant D so that this round function maps this subspace or this coset of the subspace to a coset, to a different coset of the same subspace. And then if the key is such that it's in a certain coset again, it follows that the round function, including a final XOR in this notation here, maps a coset of a certain subspace to itself. And this is exactly what happens for print cipher 48 and this is where the name comes from. It's an invariant subspace. So next thing I would like to talk about is a relation to truncated differential attack. Actually again to simplify things, I'm not going to talk about truncated differentials but only classical differential characteristics. So what we normally see is when we talk about the probabilities of characteristics is that if I have an R-round differential characteristic, now it's a one-round iterative thing so I have a different alpha going to a different alpha and so on, with probability P for one round, then one can show that if you assume independent round keys that the average probability taken the average of all keys is P to the R. So the probabilities multiply along these characteristics. And also what one often assumes is that all keys behave similarly. So for a fixed key, you also get a probability which is very close to P to the R. And as it turns out, this is a print cipher behaves very differently in this respect for some differences, for some differential characteristics. So to explain this a bit easier to make things even more easy, I'm going to consider only a two-round characteristic. So I have a different alpha and it should go to a different alpha and it should go to a different alpha. And I have a round function. I also ignore the whitening keys if you want. So I have a round function R that I apply. I'm going to X or a key in the middle and then apply the same round function again. And then this set A, you can think of this set A as the set of all good pairs. Of all good pairs, fulfilling the one-round characteristic alpha goes to alpha. So if you want to compute the probability for this two-round characteristic, what has to happen is that if you have a good pair here, you apply the round function to the good pair and X or the key, and then this has to be again a good pair. So it means the probability for this two-round characteristic is the size of the set A, a round function applied to A, X or the key, and then the intersection with the set A itself. And then you have to scale by two to the end. So this is the probability for a two-round characteristic for the given key K. So in the picture, this means that you have to look at the intersection of the set A with the set R of A plus K. And for different keys, this intersection can look differently. So what happens now for print cipher is that you can define the difference alpha such that the set of good pairs is actually the set which is invariant under the round function. So that means that A is actually in a fine subspace U plus D and that if you apply the round function to the set, you get U plus C, so a coset of the same subspace. And then if you look at this formula for computing the probability for the two-round characteristic, you get that you have to intersect this coset of the subspace U with this coset, the subspace U. And now this is different because you have two cosets of the same subspace, there are only two possibilities how they intersect. So either the intersection is empty, so they are disjoint, or they are the same. And this means that it kind of already indicates that something strange can happen here. And actually you can show that there exists an R-round differential characteristic such that the probability is either 2 to the minus 16 for any number of rounds or zero. Depending on if the key is weak or not, you either get the probability to the minus 16 if the key is weak or probability zero if the key is not weak. So this is coming back to what I started with in this section. So here probabilities do not multiply, so it's independent of the number of rounds and they are very key dependent. So depending on the key, the probability is very different. So to conclude, so this invariant subspace attack, it identifies weak keys for the full Prince Iphone 48 and Prince Iphone 96. I didn't talk about this, it's in the paper. And I also mentioned this strange behavior for some differential actually truncated characteristics. And there's in the paper, but I don't have time to talk about this. There's a similar observation for linear attacks. And we're also again, Prince Iphone, some linear approximations don't behave as you would expect them to behave. So future work is to generalize the attack. Another open problem is that so far this is only distinguished. So if you have a weak key, you can easily identify that you have one of those 2 to the 50 something keys, but finding the correct one out of these 2 to the 50 is still not, we still don't know how to do this. And another thing which I think is interesting to explain, this strange behavior of the linear attacks directly. I think this would be nice to be able to do this. And that's all I had to say. Thanks. We have plenty of time for questions. Any questions? Yeah, the paper of whom? Okay, I'll have a look. I will ask you a question. Did you look at any other lightweight encryption schemes looking for similar properties? Yes, we were looking for similar things, but I mean this property that this S-Box has, this thing, this one, this is unlikely to happen for larger S-Boxes. So it's really the point that for 3-bit S-Boxes, any strange things might happen. I mean we looked at present a bit as a natural similar thing, but there we couldn't find something. And also, I mean one thing that you kind of need would be nice for the attack at least is to have constant round keys, because then it iterates. So we looked at Nokion as an example, but we tried kind of basic things. So we cannot say that it doesn't apply, but we were not able to apply it. Okay, so let's thank the speaker again.