Hello! Today I'm going to tell you something about the research that Christoph Dobraunig, Yann Rotella and I did on the block cipher Pyjamask-96. If you are interested, you can read more about it in our paper, which is titled Algebraic and Higher-Order Differential Cryptanalysis of Pyjamask-96, the title of this presentation.

So what is Pyjamask? Pyjamask is a second-round candidate for the NIST lightweight competition. It is designed by Goudarzi, Jean, Kölbl, Peyrin, Rivain, Sasaki and Sim. Pyjamask consists of two schemes. The first one is Pyjamask-128-AEAD. It's an authenticated encryption scheme based on the block cipher Pyjamask-128. It uses the OCB mode as a mode of operation. The other in the family is Pyjamask-96-AEAD. It is based on the block cipher Pyjamask-96 and it also uses the offset codebook mode. In our research we focused on Pyjamask-96, the block cipher. And what we managed to do was to design a key recovery attack on the full-round Pyjamask-96.

The block cipher Pyjamask-96 works on bit states of 3 rows of length 32. The round function is designed as follows: first you add the round key. The key of Pyjamask-96 has 128 bits. The key schedule is linear, and after each step in the key schedule you get a round key of 128 bits; you discard the last 32, and what remains you add to the Pyjamask state. Then you do a SubBytes layer, where you apply a 3-bit S-box to each column. This S-box has degree 2 and its inverse also has degree 2, and that's important later. After that you do the linear round, which is the MixRows, and it works by applying a circulant binary matrix to each row in the state. And it adds quite some diffusion to the scheme. So you do this 14 times, because Pyjamask-96 has 14 rounds. And after the last round we add one extra round key.

Our attack is based on higher-order derivatives. I will repeat the definition and most important properties.
So we have a function f and an element a in the domain, and then we say the derivative of f with respect to a, which we call delta a of f, is the function that's defined by f of x plus a plus f of x. The interesting property that it has is that you can repeat it as often as you'd like. So if a1 up until ak are linearly independent, you can re-apply the derivative, and it's shown that it's the same as summing, over all vectors v in the space spanned by a1 up until ak, f of x plus v. We call this delta V of f of x. If you have something that's not linearly independent, then this re-applied derivative will give zero.

So if we investigate this multiple derivative, which is actually a higher-order derivative of f, then its degree is bounded by the degree of f minus the dimension of V. So if this dimension of V is large enough, then this will become at most zero or maybe at most negative, and at most negative means that this is just the zero function. So if the degree of V is larger than the degree of f, then the derivative of f with respect to V is zero.

So we can apply this to Pyjamask, but before you can apply it to any function you need to know what the degree of f is, because the dimension of V has to be at least the degree of f. So the degrees of the n-round versions of Pyjamask-96 are bounded by the values in this table. The authors of the original Pyjamask paper already included them, and they used the bounds by Boura, Canteaut and De Cannière. So what we see here is that if we take a vector space or an affine space of dimension 94, then 10 rounds of Pyjamask will give constant values. The inverse of Pyjamask has the same property, and that's because the degrees of 10 rounds of Pyjamask in the forward direction or 10 rounds of Pyjamask in the backward direction are the same, because the only thing where that matters is in the non-linear layers, and that's only the SubBytes layer, and as I mentioned before the S-box has degree two but the inverse of the S-box also has degree two.
So we cannot get to all rounds, so we do something of a meet-in-the-middle attack. We can get 11.5 rounds for this distinguisher. The .5 rounds means a half round, which is actually the linear layers, so the AddRoundKey and the MixRows; because they don't add to the degree, we can just include them in our function. We don't know exactly what this function looks like altogether, and if you want the algebraic normal form expression, that's not doable, but we know that applying this full vector space we will get some constant values.

If we choose this smart enough, then we can go to 11.5 rounds with a vector space of dimension 94, so that's what we're going to do. If we take U to be the space where the first column is zero and everything else can be whatever, then this is a space of dimension 93. Then we take a vector space of dimension one, which is zero in all positions except the first column, and the first column can be any vector except the zero vector, and then we add these two vector spaces to get a vector space of dimension 94. This is one-dimensional, 93-dimensional, the sum is 94, and this is a vector space that helps us in getting constant values after 11 rounds of Pyjamask, and that's because if you apply one round of Pyjamask to this vector space three then the result will also be an affine space, and then you basically have a degree decrease of two, so therefore you can get to 11 rounds.

So now this left part, the solving equations part, I did not discuss yet, so that will be the next thing, because higher than 11.5 rounds with the distinguisher, it's not helping us break the system. So what we do: for each key bit we put a variable, and then we run this together with the corresponding plaintext through the system, and we get equations in the key bits, polynomial equations that we can try to solve. So how do you solve polynomial systems of equations?
The easiest is to linearize the system, and so we need to replace every polynomial with a variable, and then we have a linear system; we can do Gaussian elimination to solve it. If we apply the full codebook, so for all possible ciphertexts we compute the plaintext, and we compute, or actually pre-compute, all the equations that we can for our variable key, we get 448 equations. If we want to be able to solve the system, the number of variables, in our case that would be the number of monomials, should be at most 448, but unfortunately we have way too many monomials at this point. So what can we do?

We need to decrease the number of monomials, and for that we have some tricks. The first one: we try to reduce the monomials by looking more specifically at the S-box. So for instance the first coordinate of the S-box is defined by the first coordinate times the last one plus the middle one, and if you expand these brackets and then reorder the terms, you see that you apply the S-box to p and you add the S-box applied to k, and then you have these two mixed terms.
So if you would write it out, you would see that the number of monomials in this upper equation would be 6, and in the lower one, if we say this will be a new variable and this will be a new variable, we will only have 4. So it's not a very big decrease, but it's still a decrease, and we can do this even further. If we also apply the MixRows and the AddRoundKey layer, then we get this equation: we added the linear layer to these first parts, and we apply the linear layer to this last part, which consists of all mixed terms, and then we add the new round key. So now if we take this part as a new variable and this part as new variables, we get equivalent keys and equivalent plaintext, and we reduce the number of monomials by quite a big amount, and of course, since these are bijective, you can always go back to the results you needed afterwards.

But it's still too many monomials, so at this point there's only one thing you can do, or at least there's one thing that's trivial to do maybe, and that is to do guess and determine. So what we do: we guess some of the round key bits and see if it works. We guess all the bits in the first round key, so that's 96 bits that we guess that are either 0 or 1, and that reduces the number of monomials of the equation to 569, and that's quite close to the 448 but not yet close enough. So what we need to do: we guess four more bits. The specific bits, they're called kappa 1, kappa 13, kappa 25 and kappa 26. If you guess them, so that means you have to guess 100 bits in total, then we are left with 411 monomials, and for computation it introduces a factor 2 to the 100, so it will cost some more time, but we can now solve the system with Gaussian elimination.

Adding all this together, we come to the complexities of our attack. For 14 rounds we have a time complexity of 2 to the 115 and a data complexity of 2 to the 96, so this is the full codebook, and this is less than the exhaustive key search on 128 bits, so therefore technically or theoretically it's a break. Then we also have some reduced rounds. We did the computations of the amount of data you need and the amount of time it will cost, and this is all not very practical, or not practical at all; to get this amount of information or this amount of time, it's too much. But if we take eight or seven rounds it will improve greatly, so this is actually, in time, this is doable; getting this amount of information is still quite hard, but they're both below the birthday bounds, so technically that's quite a relevant attack on these reduced-round versions.

And of course there's always room for some future research. Some easy things to mention, well, they're not easy to research, but if you can do something to improve the attack, it is to give better bounds on the degrees. I think that's quite hard, but if you produce the upper bounds on the degrees you immediately have an improved attack. But more importantly, you can try to attack the AEAD scheme Pyjamask-96. We also tried that, and we got to seven rounds with a huge time complexity and quite a big data complexity, but maybe someone else can do better. Or you can even, if you're feeling very lucky, try attacking the Pyjamask-128 AEAD scheme, to which this attack did not help us at all, so we don't have any results.

So then there's nothing that remains except for thanking you for your attention and hopefully seeing you at the online part of the presentation.
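
The structured input space described in the talk (one column restricted to a one-dimensional space, every other column free) can be checked on a toy cipher with the same round structure; this is an added example, not code from the talk or the paper. The 3x4-bit state, the chi S-box and the rotation-based MixRows are assumptions chosen for illustration, not Pyjamask-96's actual components.

```python
import random

ROWS, COLS = 3, 4   # toy state: 3 rows x 4 columns (assumption; Pyjamask-96 is 3 x 32)
W = COLS - 1        # columns left completely free in the input space

def sbox(x):
    """3-bit chi map: a degree-2 permutation used as a stand-in S-box (assumption)."""
    b = [(x >> i) & 1 for i in range(3)]
    return sum((b[i] ^ ((b[(i + 1) % 3] ^ 1) & b[(i + 2) % 3])) << i for i in range(3))

def sub_bytes(rows):
    """Apply the S-box to every column; bit r of a column comes from row r."""
    out = [0] * ROWS
    for c in range(COLS):
        y = sbox(sum(((rows[r] >> c) & 1) << r for r in range(ROWS)))
        for r in range(ROWS):
            out[r] |= ((y >> r) & 1) << c
    return out

def rot(x, n):
    return ((x << n) | (x >> (COLS - n))) & ((1 << COLS) - 1)

def mix_rows(rows):
    """Invertible circulant binary matrix on each row (constructed, not Pyjamask's)."""
    return [x ^ rot(x, 1) ^ rot(x, 2) for x in rows]

def encrypt(rows, keys):
    """rounds = len(keys) - 1; each round: AddRoundKey, SubBytes, MixRows; final key add."""
    for k in keys[:-1]:
        rows = mix_rows(sub_bytes([s ^ kb for s, kb in zip(rows, k)]))
    return [s ^ kb for s, kb in zip(rows, keys[-1])]

def structured_sum(rounds, seed):
    """XOR of ciphertexts over p + V, where V = U + span(a) has dimension 3*W + 1 = 10."""
    rng = random.Random(seed)
    keys = [[rng.randrange(1 << COLS) for _ in range(ROWS)] for _ in range(rounds + 1)]
    p = [rng.randrange(1 << COLS) for _ in range(ROWS)]
    a = rng.randrange(1, 8)                      # nonzero vector living in column 0 only
    acc = [0] * ROWS
    for u in range(1 << (ROWS * W)):             # U: column 0 zero, the rest arbitrary
        for t in (0, 1):                         # span(a): 0 or a in column 0
            v = [(((u >> (W * r)) & ((1 << W) - 1)) << 1) | (t & (a >> r)) for r in range(ROWS)]
            c = encrypt([pr ^ vr for pr, vr in zip(p, v)], keys)
            acc = [x ^ y for x, y in zip(acc, c)]
    return acc

if __name__ == "__main__":
    # Round 1 maps p + V to another 10-dim affine space; rounds 2-4 have degree <= 8 < 10.
    print(structured_sum(4, seed=1))
```

The generic degree bound alone would only cover three rounds with a 10-dimensional space here (degree at most 8); the fourth round comes from the choice of space, which is the same one-round gain the talk uses to reach 11 rounds.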