Hi everyone, I'm Shahram Rasoolzadeh from Radboud University of Nijmegen in the Netherlands. In this video, I'm going to talk about our paper named Weak Tweak-Keys for the CRAFT Block Cipher. This work is done together with my PhD supervisor, Gregor Leander, from Ruhr University of Bochum in Germany.

First, I will talk about the CRAFT block cipher itself, how it is designed and how it works. The cipher was designed by our group in Bochum and we presented it at FSE 2019. The main motivation and goal in designing this new cipher was to present a cipher that is efficient when it is implemented together with fault detection or fault correction countermeasures. However, there were other secondary goals. We wanted the cipher to support decryption on top of encryption with a small overhead. Also, we wanted it to be a tweakable block cipher and to be as lightweight as possible. We came up with the CRAFT block cipher, whose name is crafted from this phrase: efficient protection against fault attacks. Its block and tweak sizes are both 64 bits and the key size is 128 bits. About its security, we claimed a 120-bit security level in the related-tweak model.

Its general structure is a substitution-permutation network. It has 32 rounds, of which the first 31 rounds are identical up to key and constant additions. The last round is all linear and does not add any security to the cipher. The reason for it being there is to make it possible to have the same structure for decryption as the one for encryption. The internal state of the cipher is shown by a four-by-four matrix of nibbles and its overall structure is very similar to the one in the SKINNY and Midori block ciphers. But there is a big difference here, and that is that all the round operations used in CRAFT are involutive operations. In more detail, there are five operations in each round. Starting with an input state shown by this figure, the first operation is MixColumns, in which a binary matrix is multiplied with each column.
Then there is a round constant addition, in which only a 4-bit and a 3-bit value are absorbed into the fourth and fifth nibbles of the state. It is followed by AddRoundTweakey, in which, depending on the round index, one of the four tweakeys is absorbed into the whole state. The fourth operation is PermuteNibbles, which uses a permutation P to change the position of the nibbles in the state. The last and only non-linear operation is the S-box layer, in which an involutive S-box is applied to each of the nibbles. Note that in the last round, only the first three operations are included.

About the tweakey schedule, it is a tweakey-iterating one. It builds four tweakeys and, depending on the remainder of the round index modulo four, uses one of them. Precisely, it splits the 128-bit key into two 64-bit keys, K0 and K1. K0 will be used in the rounds with an even index and K1 in the rounds with an odd index. By XORing the tweak itself to each of these keys, the first two tweakeys are produced. Then, using a circulant permutation Q, it changes the position of the tweak nibbles, and by XORing this modified tweak to each of the keys, it computes the two other tweakeys. Altogether, this structure of CRAFT makes it possible for decryption with this cipher to be the same as encryption, up to a modification of the tweakeys and the round constants. It just needs to reverse the order of the round constants and also modify the tweakeys with the equation shown here.

Now, we explain how to get the weak tweak-key structure of the CRAFT cipher. We start by explaining two properties of its round operations. The first one is about the MixColumns operation. In the MixColumns operation, for the j-th column of the state, we have this equation. It means that only a linear combination of the second and third nibbles is absorbed into the zeroth and first nibbles.
Extending this to all of the columns of the state, and considering x' as the upper half of the input state and x'' as the bottom half, in the output of the MixColumns operation x'' stays unchanged and a linear mapping of x'' is absorbed into x'. We showed this linear mapping on x'' by MC'.

The second property is about the PermuteNibbles operation. As previously shown, in this operation, the upper half of the state in the input goes to the bottom half in the output and the bottom half in the input goes to the upper half in the output. We separate this operation into PN' and PN'', and since PN itself is an involutive operation, PN' is the inverse of PN''.

Using these two properties, it is possible to represent the round function of CRAFT, and for this purpose we also separate both the AddRoundTweakey and S-box operations into two parts, where each part works on half of the state. Here, in this figure, we depict two consecutive rounds of CRAFT. The left branch shows the upper half of the state and the right branch shows the bottom half. It starts with MixColumns, then AddRoundConstants, then AddRoundTweakey, which is separated into two parts, then the S-box layer, which is again separated into two parts, and then PermuteNibbles. It is possible to bring the SB' and PN' and switch their position, and also here SB' and PN'. Moreover, it is possible to bring these SB' and PN' from here, the end of the left branch, to the beginning of the right branch in the next round, as shown in this figure. Again, these two operations can be moved inside the bridging branch and also after the bridge point, like this. We bring these two operations to here and also here. As I said, we can switch the position of these two operations, and by switching the position of these two operations, since PN' and PN'' are inverses of each other, we can remove them just by modifying this tweakey addition. We denote this modified tweakey by TK'''.
This is a new representation of the CRAFT round function, which is very similar to a Feistel network. The only difference is that in a Feistel network, the right branch transits to the left branch of the next round without any changes. In our case, this transition goes through a key-dependent SB' layer for CRAFT, but in the case of a Feistel network it should be the identity function. However, due to SB' being involutive, this key-dependent SB' layer will be the same as the identity function if and only if the value of TK''' is 0. Then for a round with these tweakey values, we will have this round function, and if all the rounds have the same kind of tweakey value, the cipher will follow the Feistel network structure. Therefore, for the current tweakey schedule of CRAFT with the proposed Q permutation, the 128-bit key must be one of the 2 to the 88 weak keys, and for each weak key there are exactly 2 to the 8 weak tweaks.

We should emphasize that the Q permutation plays an important role here in determining the sizes of the sets of weak keys and weak tweaks. In the paper, we showed that depending on the Q permutation, the size of the key set can vary from 2 to the 68 to 2 to the 96. We recall that the only criterion for the current Q permutation was to be a circulant permutation. From those 15 factorial circulant permutations satisfying this condition, only 1000 were taken randomly, and the one with maximum resistance against related-tweak differentials was chosen as the Q permutation. In this paper, we showed that the Q permutation could also be chosen in a way that minimizes the size of the weak-key set.

There is another observation on the tweakey structure of CRAFT. It is well known that we can bring the round tweakey from here to the input of the bridging branch.
Since the round tweakeys used in CRAFT iterate over every four rounds, in the round functions in the right figure the equivalent tweakeys will iterate over eight rounds, and these equivalent tweakeys will be as shown in these equations. As you see, the first and the last equivalent tweakeys are both zero and the two middle ones depend only on the tweak values. This new representation and the weak tweak-key structure of the cipher can be applied in different types of attacks to evaluate its security. But in this paper, we only did it for differential analysis, and now I'm going to talk about the details.

We started by counting the minimum number of active S-boxes in differential trails. For this, we used the MILP tool introduced by Sun et al. at ASIACRYPT 2014 to find all the differential patterns with the minimum number of active S-boxes. And here are the results. The numbers in the first row are for the original CRAFT and the numbers in the second row are for the weak tweak-key structure of the cipher. As you see, almost all of the numbers for the weak tweak-key structure are half of the ones for the original cipher. Note that this tool does not consider the S-box used in the cipher and only considers the transitions within the linear layer.

Then, using these differential patterns with the minimum number of active S-boxes for each number of rounds, we used the tool introduced by Maria Eichlseder, Gregor Leander, and me at INDOCRYPT 2020 to find the differentials with the highest EDP value. Precisely, for all individual input and output differential values, this tool sums the EDP of all differential trails within the given activity pattern. Therefore, the EDP value written by this tool will be lower than its exact value. In the table, we report the maximum value of the EDP of these differentials. Note that the values are given as logarithms to base 2.
As you see, we could find 19-round differentials with an EDP slightly better than 2 to the minus 64, but it was not possible to find any for 20 rounds or more.

For the next step of our analysis, we tried to make the weak tweak-key sets larger. For this goal, we used the simple relation that for an inactive keyed S-box, we do not necessarily need the tweakey value to be 0, because for any tweakey value, if the input difference to this keyed S-box is 0, the output difference will also be 0. For example, here we show one of the four 18-round differential patterns with the minimum number of active S-boxes. And also, the one differential pattern that includes a differential with the highest reported EDP value. Here we only need to fix the round tweakey nibbles that correspond to the active keyed S-boxes, and we show these nibbles in blue. Those tweakey nibbles are listed here, and since the round tweakeys iterate after four rounds, all of these equations can be simplified to this short list. Satisfying these equations requires that the 128-bit key be one of the 2 to the 112 weak keys, and the tweak be one of the 2 to the 48 weak tweaks. But there are three extra conditions between key and tweak nibbles, so there are exactly 2 to the 36 weak tweaks for each weak key value.

Until this point, we have discussed single-tweak differences. To use related tweaks in the weak-key structure of CRAFT, we need to make sure that in the keyed S-boxes, the tweakey differences are all equal to 0. Using this condition on all the rounds, we need the differences in the nibbles listed here to be 0. Therefore, 2 nibbles of the tweak, namely the nibbles with index 2 and 5, are free to have non-zero differences.

The second attack presented in this paper is based on the 21-round differentials with index RT0. Using these differentials, we could do a key recovery attack on 26 rounds of the cipher.
The differentials used in this attack have an EDP of about 2 to the minus 61, and we extend them by 4 rounds on the plaintext side and 1 round on the ciphertext side for key recovery. The attack works for 2 to the 108 weak keys and 2 to the 52 weak tweaks. But there are 3 extra conditions between key and tweak nibbles, which means 2 to the 40 weak tweaks for each weak key value. The complexity of this attack is about 2 to the 105 encryptions and 2 to the 73 chosen-tweak plaintext-ciphertext samples of data, and it needs 2 to the 60 blocks of memory.

To summarize this paper, first we presented an equivalent representation of the CRAFT block cipher, then we showed how to turn this representation into a weak tweak-key structure that follows the Feistel network. And then we analyzed this structure against differential attacks. We presented 23-round single-tweak and 26-round related-tweak differential attacks in the weak-key scenario. And as far as we know, they are the best attacks against CRAFT, defining best as covering the highest number of rounds. We emphasize that these attacks do not overcome the security claim of the cipher. Thank you for watching this video.
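
An added sketch (not from the talk or the paper's code) that checks the two round-operation properties and the identity condition on the keyed S-box layer described above. The MixColumns relations, the permutation P and the S-box are taken from the public CRAFT specification rather than from this transcript; the row-major nibble indexing and the S-box, tweakey nibble, S-box form of the key-dependent layer are assumptions.

```python
import random

# Constants as given in the public CRAFT specification (not in the transcript).
SBOX = [0xC, 0xA, 0xD, 0x3, 0xE, 0xB, 0xF, 0x7,
        0x8, 0x9, 0x1, 0x5, 0x0, 0x2, 0x4, 0x6]
P = [15, 12, 13, 14, 10, 9, 8, 11, 6, 5, 4, 7, 1, 2, 3, 0]

def mix_columns(s):
    """State is 16 nibbles, index 4*row + col (assumed layout)."""
    o = list(s)
    for j in range(4):
        o[j] ^= s[8 + j] ^ s[12 + j]   # row 0 absorbs rows 2 and 3
        o[4 + j] ^= s[12 + j]          # row 1 absorbs row 3
    return o

def mc_prime(low):
    """Linear map MC' of the bottom half that is XORed into the upper half."""
    return [low[j] ^ low[4 + j] for j in range(4)] + low[4:]

def permute_nibbles(s):
    return [s[P[i]] for i in range(16)]

def mix_columns_splits(trials=100, seed=1):
    """Property 1: bottom half unchanged, upper half ^= MC'(bottom); MC involutive."""
    rng = random.Random(seed)
    for _ in range(trials):
        s = [rng.randrange(16) for _ in range(16)]
        up, low, out = s[:8], s[8:], mix_columns(s)
        expected_up = [a ^ b for a, b in zip(up, mc_prime(low))]
        if out[8:] != low or out[:8] != expected_up or mix_columns(out) != s:
            return False
    return True

def permute_nibbles_swaps_halves():
    """Property 2: PN sends each half to the other half and is an involution."""
    s = list(range(16))
    out = permute_nibbles(s)
    swaps = all(v >= 8 for v in out[:8]) and all(v < 8 for v in out[8:])
    return swaps and permute_nibbles(out) == s

def identity_tweakeys():
    """Tweakey nibbles t for which x -> S(S(x) ^ t) is the identity map."""
    return [t for t in range(16)
            if all(SBOX[SBOX[x] ^ t] == x for x in range(16))]

if __name__ == "__main__":
    print(mix_columns_splits(), permute_nibbles_swaps_halves(), identity_tweakeys())
```

Only the zero nibble makes the keyed double S-box the identity, which is the per-nibble condition behind the weak tweak-key sets.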