Hello everyone, my name is Fukang Liu. The title of this talk is Cube-Based Cryptanalysis of Subterranean-SAE. This is joint work with Takanori Isobe and Willi Meier. As we know, NIST is now holding a lightweight cryptography competition, and 32 candidates have been selected for the second round. Therefore, it is necessary to understand the security of these candidates. Our target is Subterranean-SAE. It is the AEAD scheme based on Subterranean 2.0. Subterranean 2.0 is designed by Joan Daemen et al. All three designers are listed here. Our analytical results are summarized in this table. As can be seen from it, in the nonce-misuse setting, we can break Subterranean-SAE in practical time. In the nonce-respecting setting, when the number of blank rounds is reduced from 8 to 4, we can achieve a faster key recovery attack and a practical distinguishing attack.

So what is Subterranean-SAE? The input of Subterranean-SAE is composed of four parts: a 128-bit key, a 128-bit nonce, the associated data, and the message. The output is composed of the ciphertext and a 128-bit tag. The overall structure of Subterranean-SAE can be illustrated in this figure. It can be divided into seven steps. At step one, the key will be absorbed. At step two, the nonce will be absorbed, and then eight blank rounds follow. At step four, the associated data will be absorbed, and at step five, the message will be encrypted. Then again, eight blank rounds follow. Finally, the 128-bit tag will be generated. As can be seen from this figure, when processing each 32-bit block, only one round of the permutation R is applied, which is very different from many sponge-based constructions. So what is R? The one-round permutation R works on a state of size 257 bits. It is composed of four operations: chi, iota, theta, and pi. The chi operation is the only nonlinear operation, and it is the same as that used in the Keccak round function. The iota operation is the constant addition operation.
The theta operation is used to diffuse the state bits, and the pi operation is used to reorder the state bits. Different from many sponge-based constructions, when injecting the input into the state, the injected positions are not consecutive. For example, the first bit of the input is injected at position 1, and the second bit of the input is injected at position 176. Similarly, when extracting the state bits from the whole state, the extracted part is not a consecutive part of the state. Instead, each output bit is the sum of two state bits. Therefore, 64 state bits will be involved in the calculation of the 32 output bits, and these 64 state bits are not located in consecutive positions.

Our attack scenarios can be divided into two types. The first is in the nonce-misuse setting. This is because the designers wrote in the document that it may require a non-trivial effort to recover the secret state in the nonce-misuse setting. The second attack scenario is in the nonce-respecting setting, by reducing the number of blank rounds. The reason is that the blank rounds in Subterranean-SAE are used to separate the controllable input and output, and the designers chose eight blank rounds.

Before introducing our attacks, let us recall some simple properties of the chi function. If x_{i+1} = 1 or x_{i+2} = 0, then y_i will be linear in x_i. If x_{i+2} = 1, then y_i will be linear in x_i and x_{i+1}. If x_{i+1} = 0, y_i will be linear in x_i and x_{i+2}. In summary, if only one of x_i, x_{i+1}, x_{i+2} is set as a variable, we have the following simple observations. First, if x_i is set as a variable, y_i must be linear in this variable. Second, if x_{i+1} is set as a variable, y_i is linear in it only if x_{i+2} = 1; otherwise y_i is constant. Third, if x_{i+2} is set as a variable, y_i is linear in it only if x_{i+1} = 0; otherwise y_i is constant.
So now let me introduce how to break Subterranean-SAE in the nonce-misuse setting based on the above simple properties of the chi function. The nonce-misuse setting is that the same nonce and key can be used to encrypt different messages. The main idea of our attack is to choose a difference in the message blocks and trace its propagation, then recover the secret state bits from the propagation observed in the ciphertext. We will propose four types of conditional cube testers.

For the type-1 conditional cube tester, we will recover some state bits next to the injected positions. Specifically, we can choose two variables v0 and v1. v0 is selected at s0 and v1 is selected at s1. If a specified bit condition on s0 does not hold, after one round permutation, v0 will be next to v1. And therefore, after one more round permutation, the quadratic term v0·v1 will appear in a certain output bit. However, if the specified condition holds, the propagation is prevented and the quadratic term will not appear in any output bits. This is a concrete example of the type-1 conditional cube tester. We can choose a cube variable v0 at s0[4]. If propagation 2 holds, after one round permutation, position 21 will contain the variable v0. Therefore, if we choose a variable v1 at s1[22], after one more round permutation, the quadratic term v0·v1 will appear at an output bit. These are the parameters for the type-1 conditional cube tester.

For the type-2 conditional cube tester, we again recover some state bits next to the injected positions. Different from the type-1 conditional cube tester, we choose two variables in s1. Similarly, if the bit condition on s0 does not hold, after one round permutation, v0 will be next to v1, and after one more round permutation, the quadratic term v0·v1 will appear. After one more round permutation, the cubic term v0·v1·v2 will appear at a certain output bit.
However, if the specified condition on s0 holds, the propagation is prevented from the very beginning, so the cubic term will not appear at any output bits. So we can directly recover one state bit based on the cube sum of v3. We only use two parameters for the type-2 conditional cube tester.

For the type-3 conditional cube tester, we again use it to recover more state bits next to the injected positions. However, different from the type-1 and type-2 conditional cube testers, the cube variables are set at s0 and s2 rather than s0 and s1. Again, if a specified condition on s0 does not hold, after two round permutations, v0 will be next to v1. Then after one more round permutation, the quadratic term v0·v1 will appear in a certain output bit of v3. However, if the specified condition on s0 holds, the propagation will be prevented at the very beginning and the quadratic term will not appear. So according to the cube sum of v3, we can directly recover some secret state bits of s0. A concrete example of the type-3 conditional cube tester is illustrated here. Specifically, when propagation 3 holds, after one round permutation, the three positions 107, 171, 192 will contain the variable v0. Then after one more round permutation, it will propagate to the positions next to 15 and 17. So if we choose a variable v1 at s2[15], after one more round permutation, if propagation 3 holds, there must be a quadratic term in certain output bits. However, if propagation 3 does not hold, the quadratic term will never appear in any output bits. So we can also recover some state bits using the type-3 conditional cube tester, and these are the parameters.

According to the previous three types of conditional cube testers, we can only recover the state bits next to the injected positions. However, there are only 32 injected positions. In other words, we can recover at most 64 state bits.
That is too few to recover the whole state in practical time. So we need to come up with a new type of conditional cube tester to recover the state bits not next to the injected positions. This is our type-4 conditional cube tester. Different from the previous three types of conditional cube testers, we will recover the state bits in s1 rather than in s0. And similar to the type-3 conditional cube tester, the variables are selected at s0 and s2. If a specified condition on s1 does not hold, after two round permutations, v0 will be next to v1. And therefore, after one more round permutation, the quadratic term v0·v1 will appear in a certain output bit. However, if the specified condition on s1 does not hold, after two round permutations, v0 will never be next to v1. So the quadratic term will never appear in any output bits. So based on the cube sum of v3, we can directly recover some secret state bits of s1. These are the parameters for the type-4 conditional cube tester. Obviously, we can recover many more state bits using the type-4 conditional cube tester.

Now let me describe how to recover the whole state using our four types of conditional cube testers. First, we send an encryption query and obtain the corresponding ciphertext and the tag. The goal is to recover the secret states ms1, ms2, and ms3. As the first step, we can treat ms0, ms1, ms2 as s0, s1, s2 respectively. Then we can recover 43 secret bits of ms1 using the type-4 conditional cube tester. At step four, we treat ms1, ms2, ms3 as s0, s1, s2 respectively, and the first message block is kept the same as that in the first query. Then we use the four types of conditional cube testers to recover 53 extra secret bits of ms1 and 43 secret bits of ms2. Repeating the similar idea for two more steps, we can recover 111 secret bits of each of ms1, ms2, ms3.
And according to the ciphertext, we can also know 16 linear equations in ms1, ms2, ms3 respectively. So how do we recover the remaining unknown state bits? Our method is to use an algebraic method. We can treat the 146 unknown state bits in ms1 as variables. Then according to the ciphertext, we can know 16 linear Boolean equations in these variables. And according to ms2, we can construct 127 quadratic Boolean equations in these variables. By carefully investigating the relations between ms3 and ms2, we can also construct 51 quadratic Boolean equations in these variables. So in total, we have 194 equations in terms of the 146 variables. By guessing 16 variables, there will be 130 variables and a total number of 54 possible quadratic terms. Therefore, we can solve such a quadratic Boolean equation system with time complexity 2^16, which is very practical. Once the whole state is recovered, we can reverse the whole encryption phase. In this way, with a similar algebraic method, we can recover the secret key with time complexity 2^35.

Now let us move to the attacks in the nonce-respecting setting. For the key recovery attack, our main idea is to use the degree of freedom of the nonce. Then we try to construct similar conditional cube testers to recover some state bits of s1. In this way, we then construct a quadratic Boolean equation system in the secret key bits and solve such a quadratic Boolean equation system with the guess-and-determine and linearization techniques. Specifically, we will choose 65 cube variables. If a specified condition holds, then the cube sum for the first ciphertext block must be 0. However, if the condition does not hold, the cube sum of the first ciphertext block will never be 0. In this way, we can recover 22 secret state bits. Then we can recover the whole state, and then we can recover the whole key with time complexity 2^122.
For the distinguishing attack in the nonce-respecting setting, we can carefully choose 4 cube variables in N2 and 29 cube variables in N3. In this way, we can know that the cube sum for the first ciphertext block must be 0. So, in summary, we can break Subterranean-SAE in the nonce-misuse setting with practical time complexity. In the nonce-respecting setting, when the number of blank rounds is reduced from 8 to 4, we can achieve a faster key recovery attack and a practical distinguishing attack with time complexity 2^33. That's all. Thank you.
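The chi observations and the conditional cube tester principle from the talk, as an added example that is not code from the talk or from the Subterranean designers: a chi-only toy on a constructed 16-bit ring (no iota, theta or pi, so the 257-bit state and the talk's positions such as s0[4] and s1[22] are not reproduced), where a two-round tester reads one state bit off a two-variable cube sum.

```python
from itertools import product

# Toy state: a 16-bit ring with chi only (constructed). Subterranean-SAE's real
# round has a 257-bit state plus iota, theta and pi, which are not modelled here.
N = 16


def chi(x):
    """Keccak-style chi: y_i = x_i ^ ((x_{i+1} ^ 1) & x_{i+2}), indices mod N."""
    return [x[i] ^ ((x[(i + 1) % N] ^ 1) & x[(i + 2) % N]) for i in range(N)]


def cube_sum(f, base, var_pos, out_pos):
    """XOR f(x)[out_pos] over all 2^k assignments of cube variables at var_pos.

    Each variable is XORed onto the constant part of the state, so the sum equals
    the coefficient of the product of those variables in the ANF of the output
    bit: 1 means the monomial is present, 0 means it is absent.
    """
    total = 0
    for bits in product((0, 1), repeat=len(var_pos)):
        x = list(base)
        for p, b in zip(var_pos, bits):
            x[p] ^= b
        total ^= f(x)[out_pos]
    return total


def single_var_effect(base, var_pos, out_pos):
    """After one chi, is y[out_pos] 'linear' in a variable at var_pos or 'constant'?"""
    return "linear" if cube_sum(chi, base, [var_pos], out_pos) else "constant"


def two_round_tester(base, i):
    """Two-round conditional cube tester on the toy, in the spirit of the type-1 tester.

    v0 sits at x_i and v1 at x_{i-3}. After the first chi, v0 reaches y_{i-2}
    only if x_{i-1} = 0 (observation 3); only then does the second chi multiply
    v0 and v1 into z_{i-4}. So the cube sum of z_{i-4} over (v0, v1) is 1 exactly
    when x_{i-1} = 0, and reading it off recovers that state bit.
    Returns (cube_sum, true condition bit x_{i-1}, recovered bit).
    """
    s = cube_sum(lambda x: chi(chi(x)), base, [i, (i - 3) % N], (i - 4) % N)
    return s, base[(i - 1) % N], s ^ 1


if __name__ == "__main__":
    base = [0] * N
    base[7] = 1  # condition bit x_{i-1} for i = 8 set to 1: no quadratic term
    print(two_round_tester(base, 8))  # (0, 1, 1)
```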