And the next talk is on generalized nonlinear invariant attacks and a new design criterion for round constants, by Wei Yong-Juan, Ye Tao, Wu Wenling, and Enes Pasalic. And the talk will be given by somebody else, namely by René Rodríguez.

Well, thanks for the introduction. Thanks to the organizers for giving me the opportunity to give this talk tonight, today. I'm Enes's PhD student, and, well, they decided to send me to give this talk, and let's see what happens. Okay, so first of all, the title is "Generalized Nonlinear Invariant Attack and a New Design Criterion for Round Constants". Well, we have seen so far two different works on these invariants, and nice presentations by Gregor Leander and Christof Beierle. And we'll give, well, we'll see. I'll explain it to you. This is the summary of the talk. First, a quick overview of the talk, because, well, we now know a bit about these invariants. And then I'll talk about these generalized nonlinear invariants. After that, the concept of closed-loop invariants, and some conclusions.

Well, the overview. As already pointed out by Leander, this attack was introduced by Todo, Leander and Sasaki in 2016 at Asiacrypt. And, well, the core idea is considering an n-bit block cipher whose encryption function is E_K. And you're looking for a nonlinear Boolean function g such that this relation holds, which means that you're looking for symmetries in the block cipher. Okay, we call this g a nonlinear invariant. And when fixing a key, we're looking for an invariant. So those keys which admit this kind of invariant are called weak keys. And why are they important? Because commonly they induce distinguishing attacks on block ciphers, especially on lightweight block ciphers, because these lightweight block ciphers are designed specifically with a simple key scheduling algorithm. So these lightweight block ciphers are susceptible to this kind of cryptanalysis. And, well, this is an example of a nonlinear function, defined like this.
And the point here is that with the addition of the key, and after that the round constants, in certain cases you can have this relation, for instance, and you'll have an invariant. But in some cases, well, it doesn't work that well. And we'll see how to use this to generalize these invariants. Okay, there are some vulnerable lightweight block ciphers, already mentioned before. And this is PRINTcipher, iSCREAM, Robin, Zorro, Midori64, iSCREAM, SCREAM, Midori64 again. And, well, it's kind of vulnerable, this Midori64. And Simpira, Haraka, and Orcs, and different other works that probably I'm missing here. And after that, Beierle, Canteaut, Leander, and Rotella proved in 2017, well, they studied certain structural properties of the linear layer to protect the block cipher against this kind of attack. And, well, this is the main theorem of the work. And it says that if you have an invariant of the permutation layer, the substitution layer, and of the linear part, then the linear structures, the space of the linear structures, must be a subspace invariant under L, and it has to contain all the differences of the round keys. So this is a really nice characterization, well, it's not a characterization, but it's a really nice condition to protect the cipher. And, well, also this W_L(D) is the minimal invariant subspace containing D. So as the linear structure space is invariant under L and it contains all the differences, then this set must be contained in the linear structures of an invariant. So, as mentioned before, if we have a large dimension of this space, then the only possible invariants will be trivial. Okay, I think this is the result.
And in some other cases, when you have the differences, the difference of the total space with respect to this space, they found certain structures of the S-layer which allow you to protect the ciphers again, using certain cosets and so on, and they prove that those three lightweight ciphers are resistant against this kind of invariant attack. Okay, so these nonlinear invariant attacks can lead not only to a distinguishing attack, but you can also have different kinds of attacks under different scenarios or different modes of operation, and it depends exactly on the cipher and the mode. And two natural questions arising here are whether there are more attacks similar to this, and how we can protect the ciphers against them. Just a moment ago, my brother, well, presented a work in which there is a unified framework to probably protect the ciphers.

Okay, the goal of the paper is to provide a useful generalization of these invariants, and of course, as Gregor mentioned before, this generalization has to be useful, because you need to have a target, something to attack, because otherwise they are just theoretical contributions, and that's the main goal of the paper, to provide these generalizations and to give some targets. So the main idea is pretty straightforward. It's the same idea. You look for a nonlinear Boolean function, but you also look for a pair, a pair of vectors, for which this equation has to hold. And it's like you're just looking for an invariant, not of the whole encryption algorithm, but of linear shifts of the encryption algorithm. So those are called generalized nonlinear invariants, and we denote the set of those invariants by U_F^{a1,a2}, and, aha, oh, I think I can use this, okay. So in the attacks performed by Gregor Leander, you have to have a certain relation with the round constants in the linear part of the invariants in order to extend the attack to the whole cipher, but here.
So here, in the generalized nonlinear invariant attack, you also need to have certain, under certain circumstances you can apply the attack, and those are the circumstances that you need in order to perform the attack. So I won't explain this too much, and here is the proof. How can you extend it to the whole cipher? So you just do some technical details here, which I'll skip. But the main idea is the same as before. Just this allows you, the linear relation with this allows you to expand and to go forward to the next round, and under the key assumption, the weak-key scenario, you can extend to the whole cipher and then recover, well, recover this equation for the plaintext and the ciphertext, and you can perform a distinguishing attack. Okay, this is the second case, and it's pretty much the same. And after that, you can perform a distinguishing attack using these generalized nonlinear invariants, and, well, just, aha, it's important, well, at the end.

So the standard procedure is as follows. You're looking for invariants of the whole round, but the complexity of looking for those invariants is really hard. It's impossible if anything grows bigger. So the main point is to find invariants for the components of the round function. For instance, you start with an invariant for the S-box, and then you extend it to the S-box layer, and then under certain circumstances you can extend it to an invariant of the L layer, and then you can perform, then you have an invariant of the S-layer and then you have an invariant for the whole round. And, well, this is one technical property that you have, that in the paper of Leander, in the classic invariant attack, you have this property. If L can be viewed as an orthogonal matrix in the degree, and you have a quadratic nonlinear invariant, then you can extend it to an invariant of the linear layer.
So with these generalized nonlinear invariants, as their name suggests, indeed you can have this also for this kind of invariant. So you can extend them to the S-box layer in the same fashion as the classic ones, and also if the, we are here working with an SPN network under this assumption, and if the linear layer, well, the linear function, is an orthogonal matrix, then under the assumption of quadratic invariants, the generalized nonlinear invariants can also be extended to the whole round function. And, well, the natural question is, are generalized invariants useful? And in the paper they proved that they lead to an efficient distinguishing attack on iSCREAM, obviously under the weak-key assumption, and those weak keys are different from the works before. That's the important thing, because otherwise they're just classical invariants. But here, the point is that generalized nonlinear invariants are just translates of standard invariants. So in order to protect the block cipher, you need also to extinguish all the invariants of the translations of the S-box. I mean, obviously under certain circumstances you can perform this attack, and those additional vectors that add up to the invariants can be helpful to perform this distinguishing attack, even though the classical attack depends on the linear part, and, well, here those constants can be helpful for eliminating this impact. And, well, this is the first part of the talk.

Now, the second part of the talk is another generalization of these invariants, and, well, of course, I'll explain to you why they're useful also. And as mentioned before, in the paper of, I will call it BCLR to save time, the question is whether this criterion is optimal. Well, it turns out that a large dimension of this W_L(D) could prevent some invariant attacks, regardless of the S-layer, when the dimension is large enough. But here we're going to sketch why this is not optimal. So we consider the following set.
We're taking two Boolean functions which satisfy this. It's like an invariant, but alternating. So you need that g1 and g2 satisfy this, and g2 and g1 are constant across the input and the output. So it's a really straightforward generalization of the classical invariants, and we can prove that they form a linear subspace. And also for every invariant, every standard invariant, this is trivial, the (g, g), the diagonal, is in this subspace, and, of course, you also have the invariant and its complement here in the same space. Those are pretty trivial results, but this is the important fact, that usually you have more elements in this CLI than those induced by standard invariants. So you can have more than this diagonal and this complement thing.

So as a proof of the efficiency of this CLI as an invariant attack, the authors of the paper provided a slightly modified version of Midori64. And I'll explain to you a little bit quickly how Midori64 works, and it uses an SPN structure, so it uses an S-box layer, a linear layer, and adding constants, round constants, and the key schedule. Well, we'll go through it in a second. We perform here, in the S layer, we perform a SubCell, which is a permutation, and this is a ShuffleCell, and then a MixColumn, which is part of the linear layer, and then adding the constants, and, well, this is more or less the structure of Midori. And the variant of Midori, it's the same round function, just the key schedule is a bit modified. This is just the selection of round constants, it's a bit different. Well, you just need to satisfy this property, and the other round constants can be selected randomly. So it's just a bit modified version of Midori64. Okay, so by using computer simulations, they found that those two functions are a closed-loop invariant for Midori64, for this version of Midori64, and using the same ideas as before, we can extend them to a closed-loop invariant of the whole cipher.
And the important thing is that they can be used to perform a distinguishing attack on this variant of Midori64. Well, here, even though the degree of g1 is 2 and the degree of g2 is 1, we can still do something; it's not that restrictive here in the CLI attack. So this gives rise to a distinguishing attack, as mentioned, even though we have the dimension of this W_L(D) large, which means that the criterion of BCLR is not optimal at all, I mean, under this new framework of attacks. So here's a bit of explanation why: these, the round keys, repeat just every second round, and you can prove that this has dimension 64. So I have to mention that the round constants are selected, not just like some random constants and that's it, they're selected properly to avoid obvious weaknesses of the cipher. So this is the main conclusion, that it appears that this criterion is not optimal. And one strong or strict design criterion is this one, but it's a really strong criterion, because you just need to make sure that every round constant is selected outside the linear structures of all the closed-loop invariants. Well, even though probably we can relax this criterion a bit, we need to work more on it. And using computer simulations, one can verify that PRESENT and PRINCE, LBlock, all of them are resistant against this kind of attack.

So to finish the talk, because I'm running out of time, in the paper they introduced these two new frameworks of generalized invariant attacks, and the work of Beyne, Beyne proposed a unified study within the framework of correlation matrices, and, well, this gives more structure to the classical invariants, and also the previous talk of Beierle showed a nice proposal to study the actual mathematical nature of these invariants in the framework of linear approximations. And what we could ask is if we can plug this generalization into these frameworks, and how to employ this structure to avoid attacks.
And, well, there are a lot of open questions here, and we need to further generalize these concepts and to give a deeper theoretical analysis. And, well, thank you. Do you have some questions for me?

Maybe I have a quick question. So you mentioned that there were some results on the security of certain tweakable block ciphers, like SKINNY or MANTIS, that they are resistant to the other attacks. Did you have a look at how your criterion applies to tweakable block ciphers, and whether you can find anything there?

Well, so you mean here, in the paper, these block ciphers, right? Those three. You mean this criterion applied to those? It's hard to say, because the criterion is like a really strong criterion. So it's just like, the straightforward thing to do is just avoid linear structures. Why? Because we want to avoid slide attacks or linear cryptanalysis, so just avoid them. So I couldn't say anything more about those specific cases. Okay, then thanks again. Thank you.
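The component-level search the talk sketches (find invariants of one S-box, see whether they survive the constants added after it, and the closed-loop variant), as an added Python example that is not part of the talk, the paper, or any slide. Everything here is constructed for illustration: the 4-bit S-box is built to have the quadratic invariant g(x) = x0·x1 ⊕ x2 and is not any cipher's S-box; the translate x ↦ S(x ⊕ a1) ⊕ a2 and the closed-loop condition g1(S(x)) ⊕ g2(x) = c1, g2(S(x)) ⊕ g1(x) = c2 are my reading of the definitions the slides show, not formulas quoted from the page. The example covers both halves of the talk: the generalized invariants (invariants of a translated S-box) and the round-constant criterion (a constant added after the S-box keeps g invariant only when it lies in the linear structures of g), and it also shows that the closed-loop set can be strictly larger than the pairs induced by classical invariants.

```python
"""Brute-force invariant search on a 4-bit S-box: classical nonlinear invariants,
invariants of a translated S-box, closed-loop invariant pairs, and the check that a
round constant must lie in the invariant's linear structures to be survivable.
All S-boxes below are constructed for illustration, not taken from a real cipher."""

N_BITS = 4
SIZE = 1 << N_BITS      # 16 inputs
N_FUNCS = 1 << SIZE     # 65536 Boolean functions on 4 bits
ONES = N_FUNCS - 1      # truth table of the constant-1 function

# A Boolean function g is a 16-bit truth table: bit x of tt is g(x); x0 is the LSB of x.


def evaluate(tt, x):
    return (tt >> x) & 1


def truth_table(func):
    return sum(func(x) << x for x in range(SIZE))


def compose(tt, sbox):
    """Truth table of x -> g(S(x))."""
    return sum(evaluate(tt, sbox[x]) << x for x in range(SIZE))


def is_constant(tt):
    return tt == 0 or tt == ONES


def is_invariant(tt, sbox):
    """Classical nonlinear invariant: g(S(x)) ^ g(x) is the same for every x."""
    return is_constant(compose(tt, sbox) ^ tt)


def nonlinear_invariants(sbox):
    """Every truth table with g(S(x)) ^ g(x) constant; exhaustive over 2^16 candidates."""
    return [tt for tt in range(N_FUNCS) if is_invariant(tt, sbox)]


def translated(sbox, a1, a2):
    """The shifted map x -> S(x ^ a1) ^ a2.  Assumption: invariants of such
    translates are what the generalized attack searches for, (a1, a2) being the
    extra vector pair; a2 alone also models a round constant added after the S-box."""
    return [sbox[x ^ a1] ^ a2 for x in range(SIZE)]


def closed_loop_invariants(sbox):
    """Pairs (g1, g2) with g1(S(x)) ^ g2(x) constant and g2(S(x)) ^ g1(x) constant
    (my reading of the alternating condition).  Given g1, the first condition
    leaves only two candidates for g2, so this is 2 * 2^16 checks, not 2^32."""
    comp = [compose(tt, sbox) for tt in range(N_FUNCS)]
    pairs = []
    for g1 in range(N_FUNCS):
        for g2 in (comp[g1], comp[g1] ^ ONES):
            if is_constant(comp[g2] ^ g1):
                pairs.append((g1, g2))
    return pairs


def anf_monomials(tt):
    """Moebius transform: monomials (bitmask of variables) with ANF coefficient 1."""
    c = [evaluate(tt, x) for x in range(SIZE)]
    for i in range(N_BITS):
        for x in range(SIZE):
            if x & (1 << i):
                c[x] ^= c[x ^ (1 << i)]
    return {m for m in range(SIZE) if c[m]}


def degree(tt):
    """Algebraic degree: 0 for constants, 1 for affine, >= 2 for nonlinear."""
    return max((bin(m).count("1") for m in anf_monomials(tt)), default=0)


def linear_structures(tt):
    """Vectors a with g(x ^ a) ^ g(x) constant.  A constant c keeps g invariant
    through x -> x ^ c exactly when c is one of these."""
    return [a for a in range(SIZE)
            if is_constant(truth_table(lambda x: evaluate(tt, x ^ a)) ^ tt)]


def sbox_preserving(tt):
    """Constructed S-box with invariant g: rotate each level set {x : g(x) = v} in
    sorted order, so g(S(x)) = g(x) by construction.  Not any cipher's S-box."""
    sbox = [None] * SIZE
    for v in (0, 1):
        level = [x for x in range(SIZE) if evaluate(tt, x) == v]
        for i, x in enumerate(level):
            sbox[x] = level[(i + 1) % len(level)]
    return sbox


# g(x) = x0*x1 ^ x2: quadratic, so the S-box preserving it has a genuinely
# nonlinear (not merely affine) invariant.
G = truth_table(lambda x: ((x & 1) & ((x >> 1) & 1)) ^ ((x >> 2) & 1))
SBOX = sbox_preserving(G)


if __name__ == "__main__":
    inv = nonlinear_invariants(SBOX)
    print(len(inv), "classical invariants; g found:", G in inv, "with degree", degree(G))
    print("linear structures of g:", linear_structures(G))
    for rc in (0x4, 0x1):
        print("round constant", hex(rc), "keeps g invariant:",
              is_invariant(G, translated(SBOX, 0, rc)))
    cli = closed_loop_invariants(SBOX)
    print(len(cli), "closed-loop pairs;", 2 * len(inv), "of them induced by (g, g) and (g, g^1)")
```

The constant 0x4 flips x2, which only complements g, so g stays invariant through the constant addition; 0x1 flips x0, which is not a linear structure of g, so the invariant dies at that step, which is exactly what the design criterion at the end of the talk asks the round-constant selection to guarantee. Running the closed-loop search on the trivial map x ↦ x ⊕ 1 instead of SBOX gives 131072 pairs against only 512 classical invariants, a small concrete instance of the CLI set being larger than the pairs the classical invariants induce.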