distinguishers and attacks on round-reduced AES, and the author is Lorenzo Grassi, and he will give the talk. Okay, so thanks for the introduction. I would like to start this presentation about mixture differential cryptanalysis with the motivation for this work. So at Eurocrypt two years ago, we proposed the first secret-key distinguisher for five rounds of AES, which is based on the multiple-of-eight property and is independent of the secret key, of the details of the MixColumns matrix and of the details of the S-box. However, we didn't propose any attack in that paper, and it was not clear at all if it is possible to exploit this property in order to set up a key recovery attack on six or even more rounds of AES. So as I'm going to show, it seems quite hard to exploit this distinguisher for a key recovery attack. However, we can pose a different question. So can we reformulate this property in a different way such that we can exploit this observation in order to set up a key recovery attack? And the answer to this question is yes, and the possible answer is mixture differential cryptanalysis, which I'm going to present. So the presentation is organized in the following way. So just one slide about AES, I guess everyone knows it. And then I briefly recall the multiple-of-eight property. The main part of this presentation is about the mixture differential distinguisher, why it works, a proof of the distinguisher. In the fourth part, I'm going to show how to exploit this distinguisher to set up a key recovery attack. And I will conclude with some concluding remarks. So what about AES? Well, AES is based on the SPN construction. It works on a text of 16 bytes, which are organized in a four times four matrix. The key size can be 16, 24 or 32 bytes, and the number of rounds is 10 to 14. The round is composed of three steps. We have an S-box layer, so this is the non-linear operation in the round. It works independently on each byte.
And then we have two linear operations, the ShiftRows, which works independently on each row, and the MixColumns, which works independently on each column. So what about the multiple-of-eight property? So let's consider five rounds of AES without the final MixColumns operation. So if the final MixColumns operation is omitted, we can just swap it with the final addition. So it's a linear operation, we can always do that. And then we take a set of 2^32 chosen plaintexts with one active diagonal. So this means that the texts are equal in the second, the third and the fourth diagonals, and different in the first one. And we consider the corresponding ciphertexts after five rounds. And we can prove that the number of different pairs of ciphertexts which are equal in one fixed anti-diagonal is always a multiple of eight with probability one. And this is independent of the secret key, of the details of the S-box and of the details of the MixColumns matrix. Actually, we have a much stronger result. So we can start with more than a single active diagonal. So we can also have two or three active diagonals in input. And we can also consider the difference in more than a single anti-diagonal in output. We think that to collect and to formally describe all these results, it could be useful to use the subspace trail notation. So this means to consider plaintexts in the same coset of a diagonal subspace D and to count the number of different pairs of ciphertexts which belong to the same coset of another subspace M. So here the indices i and j are the sizes of these subspaces. So what happens now if we try to extend this distinguisher into a key recovery attack? For example, we can consider six rounds of AES. We can have plaintexts in the same coset of D and the corresponding ciphertexts after six rounds. Well, potentially we can guess the final key. We can just partially encrypt and check if the multiple-of-eight property holds or not.
If not, then the guessed key is wrong and we can filter the wrong keys. However, we have a problem. And the problem is that if we partially decrypt, in order to check this property, we have to guess the entire key, because this property involves the full state. So that is not a problem for AES-192 or 256 because, I mean, this attack is still more competitive than brute force, but, I mean, it's not so competitive. But obviously it's a problem for AES-128 because that's a brute force attack. So what can we do with this multiple-of-eight property? So is there a way to reformulate this property in a different way such that we can exploit it to set up a key recovery attack? The answer is yes. And it's based on the way in which this multiple-of-eight property holds. So the idea is quite simple. We have a pair of plaintexts P1 and P2 and we consider the corresponding ciphertexts after five rounds. So assume that they belong to the subspace M, or assume that they are equal in some anti-diagonal. So we know that there exist other pairs of texts, Q1 and Q2, such that the corresponding ciphertexts have the same property. But the crucial point here is that the pair P1 and P2 and the pair Q1 and Q2 are not independent, in the sense that the generating variables of P1 and P2 are in some way related to the generating variables of Q1 and Q2. So what is the idea? Instead of limiting ourselves to counting the number of collisions and checking that this is a multiple of eight, we can actually check if the relation between these variables holds or not. So basically we are going to exploit a much stronger property. But on the other hand, we can use this distinguisher in order to set up a key recovery attack. Just to note here, this distinguisher works only on a smaller number of rounds. So we can set it up for up to four rounds of AES. So in more detail, let's consider two plaintexts, P1 and P2, in the same coset of a column space C0.
So this means that the two plaintexts differ only in the first column. And let's say that x, y, z, and w are the generating variables of P1 and of P2. And for the moment, we also assume that the generating variables are different. So x1 is different from x2 and so on. So there is the following. So given P1 and P2 as before, we can prove that the corresponding ciphertexts after four rounds are in the same coset of M, or if you want, are equal in some anti-diagonal, if and only if there exist other pairs of plaintexts for which the corresponding ciphertexts have the same property. So they also belong to the same coset of M. But the crucial point here is that we know these plaintexts, and these plaintexts are simply given by swapping the generating variables of P1 and P2. For example, in the first one, we swap the first variable, in the second one, the second, and so on. So we are going to mix the variables, and we are using a property which involves differences. So hence the name mixture differential cryptanalysis. So what happens if one variable is equal for P1 and P2? Then we can repeat the same strategy as before, but now we can simply replace w with omega, where omega can take any possible value. So we can swap, we can mix the variables which are different, and we can replace the variable which is equal with any possible value. And the same again if two variables are equal for P1 and P2. Now, why does this property hold? So the proof of this property is quite close to the one that we gave at Eurocrypt two years ago. But in the following, I'm going to use the super S-box notation. So first of all, we have a property on four rounds and we want to reduce this property to two rounds of AES. To do this, we use a truncated differential for two rounds of AES which holds with probability one. So the idea is that if two texts are in the same coset of D, then after two rounds, they are in the same coset of M with probability one. So for the following, it's not important to know the details of this space.
Just believe me that if we have this property on four rounds, we can just work on the first two rounds by replacing M with D. You can find all the details in the paper. So given P1 and P2, I'm going to prove the following. So if the corresponding ciphertexts after two rounds are in the same coset of D, or if you want, equal in some diagonal, then there are other pairs of plaintexts for which the corresponding ciphertexts after two rounds have the same property. And these pairs of plaintexts are generated as before. Now what is the idea? It is very simple. So if we consider the plaintexts as before and we prove that this equality holds, then the previous result follows immediately. This is easy to check. So assume that these two ciphertexts are in the same coset of D. Then if this equality holds, then also these two ciphertexts are in the same coset of D. So very easy. We have just to check that, we have just to verify this equality. And to do this, we exploit the super S-box notation, which was introduced by the designers of AES. It's defined as the S-box concatenated with the MixColumns, the key addition and the S-box again. So the S-box works independently on each byte. The super S-box works independently on each column. It's still a non-linear operation obviously, but it works independently on each column. And two rounds of AES can be written in this way. So we have the ShiftRows, then the super S-box and then some linear stuff. So by simple computation, we have this equality. We can just rewrite this in this way using the super S-box notation, where the plaintexts, big P1, are defined in this way. So we apply the ShiftRows to the previous plaintexts. So what happens if we apply the ShiftRows? Remember P1 and P2 are two texts in a column space. So the variables are in the first column. But now if you apply the ShiftRows, the variables are mapped into different columns. So each one of these columns depends on a different and independent variable. So that is very easy.
So each column of these texts depends on different and independent variables. The super S-box works independently on each column. The XOR sum is commutative. So if we take this sum and we just swap, we just mix the columns of P1 and P2, for example, like in this case, then the equality doesn't change. And so the result follows immediately. For example, in this case, if w is equal for P1 and P2, then the sum is zero. And so we can understand that this sum is independent of the value of w. Okay, so we have this property. How can we set up a distinguisher on four rounds of AES? Well, consider P1 and P2 as before and assume that the corresponding ciphertexts are in the same coset of M. So they are equal in 4 - j anti-diagonals. Now we can generate other pairs of plaintexts by just mixing, swapping the generating variables of P1 and P2. And we know that for four rounds of AES, the corresponding ciphertexts are in the same coset of M with probability one. For a random permutation, the same event happens with much smaller probability. This is independent of the secret key, of the details of the S-box and of the MixColumns matrix. So we can easily distinguish the two cases. Just to have a comparison, we have other distinguishers on four rounds of AES. So the one that I just proposed requires 2^17 chosen plaintexts or ciphertexts, it can also be set up in the decryption direction. The cost is approximately 2^17 encryptions. So if you compare to the impossible differential, then the data cost is a little smaller, but the complexity is much higher. And if you compare to the integral distinguisher, then the data cost is much higher, but the complexity, it depends on the cost of an XOR, can be smaller. And just for completeness, there is also another distinguisher which was proposed two years ago, the yoyo distinguisher, which requires just four chosen plaintexts and four adaptive chosen ciphertexts. Okay, so we have a distinguisher.
Now let's try to set up a key recovery attack on five rounds of AES. It is very simple. Just try to extend the distinguisher by one round at the beginning. So we start with pairs of plaintexts of this form, so with one active diagonal, and we simply compute one round of encryption. So we have after one round texts like this, so potentially we can repeat the same distinguisher as before, but the problem now is that these generating variables depend on the secret key. So we cannot work anymore independently of the secret key, but we can exploit this property to set up a key recovery attack. So that is very easy. We just guess the key in the first round, and then we use the distinguisher on the next four rounds to filter the wrong keys, where we remember that the mixture differential property holds only for the secret key, so we can exploit this information. So in more detail, let's consider 2^32 chosen plaintexts with one active diagonal, and let's find a pair of plaintexts, P and P', such that the corresponding ciphertexts after five rounds are in the same coset of M, or if you want, equal in 4 - j anti-diagonals. So the idea is to guess part of the key, for example, the first diagonal, to partially encrypt P and P' with respect to the guessed key, to swap the generating variables of P and P', so we generate new texts Q and Q', then we partially decrypt with respect to the guessed key, and then we ask for the corresponding ciphertexts after five rounds with respect to the secret key. Now, we know that if the guessed key is equal to the secret key, then we know that these two ciphertexts are in the same coset of M. So if this is not the case, then we can just filter the wrong keys, so we know that the guessed key is wrong. And the point here is that when we encrypt, or when we decrypt using a wrong guessed key, basically we generate random texts, so there is no relation between these Q and Q' and these two texts, and so we cannot expect that the mixture differential property holds.
So what about this attack? So if you set up this attack in this trivial way, so this is what I did, the cost is approximately three times 2^32 chosen plaintexts, and basically the same amount of computation. At Crypto 2018, so last year, Bar-On, Dunkelman, Keller, and Adi Shamir, I hope I didn't forget anyone, proposed an improved version of this attack, which requires just 2^22.25 chosen plaintexts and basically the same amount of encryptions. And as you can observe, this attack is one of the best ones among all the attacks on five rounds of AES, and the data is still competitive. Moreover, they also propose a way to extend this attack to seven rounds of AES-192, and they propose attacks with practical amounts of data and memory. That's very nice. So to conclude this talk, we started with the multiple-of-eight property and we found a way to translate it into a more, into a simpler and more convenient distinguisher that can be exploited to set up key recovery attacks. Obviously the work is not finished. There are many, many open problems. For example, what happens if we apply this distinguisher to tweakable AES-like ciphers? So can we exploit the freedom of the tweak, or can we work in the related-tweak mode in order to break more rounds? What about AES-PRF or ForkAES? So does this attack work also against these schemes? Other problems, what about if we try to extend this distinguisher? So for example, what happens if we try to combine this distinguisher with a boomerang attack? Or what about an impossible mixture differential? So until now we exploited a property which holds with probability one, but potentially we can also work with a property which holds with probability zero. I started to look into this direction. You can find some results in this ePrint paper, but at the moment they are not competitive at all. So it's great to work on this topic. And I also would like to conclude with this message.
So I would like to send a positive message to the community, and the positive message is just keep an open mind. So when we proposed the multiple-of-eight property, actually we didn't know any possible application of this distinguisher. So we didn't know if it was just of theoretical interest or if it was possible to set up any practical application, so any key recovery attack, with this distinguisher. But now the situation is completely different. So after just two years, we saw that this theoretical property can also lead to practical attacks. So we have new distinguishers, new attacks, which are the one that I just proposed and the one that was proposed at Crypto last year. We have new directions of research. So for example, the next talk is still about this topic, and we have also some unpublished results. So the message that I would like to send is the following. So it's very important to work with known techniques. It's very important to try to break ciphers using known techniques, but I think it's also important to try to consider completely new ideas, completely new ideas of cryptanalysis. It's true that at the beginning maybe they are not as competitive as other techniques in the literature, but maybe after a few years they can lead to very strong results. So just keep an open mind. That's all from my side. Any comment or question?
So we have plenty of time for questions. Nobody in the audience? Okay, I just have a small question. I think your technique looks very similar to the yoyo attack that we saw in the previous slide. Can you comment a little bit on that? How is it different and similar?
So they are very similar because we swap columns or variables. The difference is that we don't need adaptive chosen ciphertexts or adaptive chosen plaintexts. In the yoyo game you have to work with adaptive chosen ciphertexts, so that's the advantage.
Okay, thank you.
Okay, you're welcome.
Other questions in the audience? No, still no. Okay, so let's thank the speaker again. Thanks.
Thank you.
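The two-round identity at the heart of the talk (P1 and P2 differ only in the first column; swapping their generating variables, or giving an equal variable any value, leaves the XOR of the two-round outputs unchanged), as an added example that is not code from the talk or the paper: it builds the real AES S-box, ShiftRows and MixColumns, and checks the identity under constructed round keys, since the relation is key-independent and the key schedule is irrelevant to it. All function names (gf_mul, two_rounds, mix_pair, mixture_holds) and the column-major state layout are this example's own conventions.

```python
# Added example (not from the talk): two-round core of the mixture property on real AES rounds.
def gf_mul(a, b):
    """Multiply two bytes in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1."""
    r = 0
    for _ in range(8):
        if b & 1:
            r ^= a
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return r

def _sbox_entry(x):
    inv = 1
    for _ in range(254):            # x^254 is the inverse in GF(2^8); 0 maps to 0
        inv = gf_mul(inv, x)
    s = inv
    for i in range(1, 5):           # affine layer of the AES S-box
        s ^= ((inv << i) | (inv >> (8 - i))) & 0xFF
    return s ^ 0x63

SBOX = [_sbox_entry(x) for x in range(256)]
# State: 16 bytes in column-major order, byte (row r, column c) at index r + 4*c.
def sub_bytes(s): return [SBOX[b] for b in s]
def shift_rows(s): return [s[r + 4 * ((c + r) % 4)] for c in range(4) for r in range(4)]
def xor(a, b): return [x ^ y for x, y in zip(a, b)]

def mix_columns(s):
    out = []
    for c in range(4):
        a = s[4 * c:4 * c + 4]
        for r in range(4):
            out.append(gf_mul(2, a[r]) ^ gf_mul(3, a[(r + 1) % 4]) ^ a[(r + 2) % 4] ^ a[(r + 3) % 4])
    return out

def two_rounds(p, keys):
    """Whitening key followed by two full AES rounds; keys = [k0, k1, k2], 16 bytes each (constructed)."""
    s = xor(p, keys[0])
    for k in keys[1:3]:
        s = xor(mix_columns(shift_rows(sub_bytes(s))), k)
    return s

def mix_pair(p1, p2, swap=(), replace=None):
    """Q1, Q2 from P1, P2 (differing only in column 0, indices 0..3): swap the generating
    variables listed in `swap`; overwrite rows in `replace` (equal in P1 and P2) with any value."""
    q1, q2 = list(p1), list(p2)
    for r in swap:
        q1[r], q2[r] = p2[r], p1[r]
    for r, v in (replace or {}).items():
        q1[r] = q2[r] = v
    return q1, q2

def mixture_holds(p1, p2, keys, swap=(), replace=None):
    # True iff R^2(P1) xor R^2(P2) == R^2(Q1) xor R^2(Q2): the super S-box argument says always.
    q1, q2 = mix_pair(p1, p2, swap, replace)
    return xor(two_rounds(p1, keys), two_rounds(p2, keys)) == xor(two_rounds(q1, keys), two_rounds(q2, keys))
```

The identity holds because after ShiftRows each swapped variable sits alone in its column and the super S-box acts column-wise, so it breaks (with overwhelming probability) as soon as a swapped byte shares its post-ShiftRows column with another differing byte, for instance a pair that also differs at row 1 of column 1. The four-round distinguisher follows from this two-round identity because, as the talk states, the last two rounds send a coset of D to a coset of M with probability one.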