[PPT] - Programming the Demirci-Selc uk Meet-in-the-Middle Attack with PowerPoint Presentation

SLIDE 1

Programming the Demirci-Selc ¸uk Meet-in-the-Middle Attack with Constraints

Danping Shi1 Siwei Sun1 Patrick Derbez2 Yosuke Todo3 Bing Sun4 Lei Hu1

1Institute of Information Engineering, Chinese Academy of Sciences, China 2Universit Rennes 1 / IRISA 3NTT Secure Platform Laboratories 4College of Science, National University of Defense Technology,China

ASK2017 2017.12.11

Shi et al. Programming the Demirci-Selc ¸uk Meet-in-the-Middle Attack with Constraints ASK2017 2017.12.11 1 / 22

SLIDE 2

Outlines

1

Introduction

2

Modelling the MITM attack

3

MITM and Impossible differential application in design

4

Conclusion

Shi et al. Programming the Demirci-Selc ¸uk Meet-in-the-Middle Attack with Constraints ASK2017 2017.12.11 2 / 22

SLIDE 3

Introduction

Outline

1

Introduction Searching methods Distinguisher of Demirci-Selc ¸uk MITM Key recovery attack of MITM

2

Modelling the MITM attack

3

MITM and Impossible differential application in design

4

Conclusion

Shi et al. Programming the Demirci-Selc ¸uk Meet-in-the-Middle Attack with Constraints ASK2017 2017.12.11 3 / 22

SLIDE 4

Introduction Searching methods

Automatic Cryptanalysis

Dedicated search MILP ,CP ,SAT,SMT

Shi et al. Programming the Demirci-Selc ¸uk Meet-in-the-Middle Attack with Constraints ASK2017 2017.12.11 3 / 22

SLIDE 5

Introduction Searching methods

Searching methods for MITM

Demirci-Selc ¸uk MITM, FSE 2008. Derbez and Fouque: Dedicated search algorithm Li Lin, Wenling Wu: General model based on MILP

Shi et al. Programming the Demirci-Selc ¸uk Meet-in-the-Middle Attack with Constraints ASK2017 2017.12.11 4 / 22

SLIDE 6

Introduction Distinguisher of Demirci-Selc ¸uk MITM

MITM Distinguisher

E

SLIDE 7

Introduction Distinguisher of Demirci-Selc ¸uk MITM

MITM Distinguisher

E A

δ(A)-set: {P0, P1, . . . , PN−1}

SLIDE 8

Introduction Distinguisher of Demirci-Selc ¸uk MITM

MITM Distinguisher

E A

δ(A)-set: {P0, P1, . . . , PN−1}

B

{C0, C1, . . . , CN−1}

SLIDE 9

Introduction Distinguisher of Demirci-Selc ¸uk MITM

MITM Distinguisher

E A

δ(A)-set: {P0, P1, . . . , PN−1}

B

{C0, C1, . . . , CN−1} ∆E(A, B): {C0[B] ⊕ C1[B], C0[B] ⊕ C2[B], . . . , C0[B] ⊕ CN−1[B]}

Shi et al. Programming the Demirci-Selc ¸uk Meet-in-the-Middle Attack with Constraints ASK2017 2017.12.11 5 / 22

SLIDE 10

Introduction Distinguisher of Demirci-Selc ¸uk MITM

E A B

Shi et al. Programming the Demirci-Selc ¸uk Meet-in-the-Middle Attack with Constraints ASK2017 2017.12.11 6 / 22

SLIDE 11

Introduction Distinguisher of Demirci-Selc ¸uk MITM

Random Cipher: NR E A B

Shi et al. Programming the Demirci-Selc ¸uk Meet-in-the-Middle Attack with Constraints ASK2017 2017.12.11 6 / 22

SLIDE 12

Introduction Distinguisher of Demirci-Selc ¸uk MITM

Random Cipher: NR Block Cipher : NE (save into a hash table) E A B

SLIDE 13

Introduction Distinguisher of Demirci-Selc ¸uk MITM

Random Cipher: NR Block Cipher : NE (save into a hash table) Condition NE < NR

NR NE

E A B

SLIDE 14

Introduction Distinguisher of Demirci-Selc ¸uk MITM

Random Cipher: NR Block Cipher : NE (save into a hash table) Condition NE < NR

NR NE

Distinguisher:(A, B, NE) E A B

Shi et al. Programming the Demirci-Selc ¸uk Meet-in-the-Middle Attack with Constraints ASK2017 2017.12.11 6 / 22

SLIDE 15

Introduction Key recovery attack of MITM

Structure of the attack

a cipher is divided in three keyed permutations:E0, E1, E2 Construct distinguisher (A, B, NE) at E1

A B state0 state0 state2r0 state2(r0+r1) state2(r0+r1+r2)

E0 E1 E2 Shi et al. Programming the Demirci-Selc ¸uk Meet-in-the-Middle Attack with Constraints ASK2017 2017.12.11 7 / 22

SLIDE 16

Modelling the MITM attack

Outline

1

Introduction

2

Modelling the MITM attack Modelling the distinguisher Modelling the Key-Recovery Process

3

MITM and Impossible differential application in design

4

Conclusion

Shi et al. Programming the Demirci-Selc ¸uk Meet-in-the-Middle Attack with Constraints ASK2017 2017.12.11 8 / 22

SLIDE 17

Modelling the MITM attack Modelling the distinguisher

Variables

M X, Y, Z, M X, Y, Z X, Y, Z, W W

state0 state0 state2r0 state2(r0+r1) state2(r0+r1+r2)

E0 E1 E2

Var(X) describe the forward differential Var(Y) describe the backward determination Var(Z) models the relation between Var(X) and Var(Y)

Shi et al. Programming the Demirci-Selc ¸uk Meet-in-the-Middle Attack with Constraints ASK2017 2017.12.11 8 / 22

SLIDE 18

Modelling the MITM attack Modelling the distinguisher

Forward differential

Variables Var(X)

Xr[j] = 0 iff P0

r [j] ⊕ Pi r[j] = 0, ∀i ∈ 1, . . . , N − 1.

x0 x1 x3 x2 x2

=

x0 2x3

≥

x0 + x1 x3

≤

x0 + x1

NL

L

state0 state1

Round 0

NL

L

state2 state3

Round 1

NL

L

state4 state5

Round 2

state6 A

SLIDE 19

Modelling the MITM attack Modelling the distinguisher

Forward differential

Variables Var(X)

Xr[j] = 0 iff P0

r [j] ⊕ Pi r[j] = 0, ∀i ∈ 1, . . . , N − 1.

x0 x1 x3 x2 x2

=

x0 2x3

≥

x0 + x1 x3

≤

x0 + x1

NL

L

state0 state1

Round 0

NL

L

state2 state3

Round 1

NL

L

state4 state5

Round 2

state6 A

SLIDE 20

Modelling the MITM attack Modelling the distinguisher

Forward differential

Variables Var(X)

Xr[j] = 0 iff P0

r [j] ⊕ Pi r[j] = 0, ∀i ∈ 1, . . . , N − 1.

x0 x1 x3 x2 x2

=

x0 2x3

≥

x0 + x1 x3

≤

x0 + x1

NL

L

state0 state1

Round 0

NL

L

state2 state3

Round 1

NL

L

state4 state5

Round 2

state6 A

SLIDE 21

Modelling the MITM attack Modelling the distinguisher

Forward differential

Variables Var(X)

Xr[j] = 0 iff P0

r [j] ⊕ Pi r[j] = 0, ∀i ∈ 1, . . . , N − 1.

x0 x1 x3 x2 x2

=

x0 2x3

≥

x0 + x1 x3

≤

x0 + x1

NL

L

state0 state1

Round 0

NL

L

state2 state3

Round 1

NL

L

state4 state5

Round 2

state6 A

Shi et al. Programming the Demirci-Selc ¸uk Meet-in-the-Middle Attack with Constraints ASK2017 2017.12.11 9 / 22

SLIDE 22

Modelling the MITM attack Modelling the distinguisher

Backward determination

Variables Var(Y)

y0 y1 y3 y2 y2 + y3

≤

2y0 y2 + y3

≥

y0 y1

=

y3

NL

L

state0 state1

Round 0

NL

L

state2 state3

Round 1

NL

L

state4 state5

Round 2

state6 B

SLIDE 23

Modelling the MITM attack Modelling the distinguisher

Backward determination

Variables Var(Y)

y0 y1 y3 y2 y2 + y3

≤

2y0 y2 + y3

≥

y0 y1

=

y3

NL

L

state0 state1

Round 0

NL

L

state2 state3

Round 1

NL

L

state4 state5

Round 2

state6 B

SLIDE 24

Modelling the MITM attack Modelling the distinguisher

Backward determination

Variables Var(Y)

y0 y1 y3 y2 y2 + y3

≤

2y0 y2 + y3

≥

y0 y1

=

y3

NL

L

state0 state1

Round 0

NL

L

state2 state3

Round 1

NL

L

state4 state5

Round 2

state6 B

SLIDE 25

Modelling the MITM attack Modelling the distinguisher

Backward determination

Variables Var(Y)

y0 y1 y3 y2 y2 + y3

≤

2y0 y2 + y3

≥

y0 y1

=

y3

NL

L

state0 state1

Round 0

NL

L

state2 state3

Round 1

NL

L

state4 state5

Round 2

state6 B

Shi et al. Programming the Demirci-Selc ¸uk Meet-in-the-Middle Attack with Constraints ASK2017 2017.12.11 10 / 22

SLIDE 26

Modelling the MITM attack Modelling the distinguisher

Constraints for Var(Z)

Variables Var(Z) describe the relation between Var(X) and Var(Y): Zr[j] = 1 iff Xr[j] = Yr[j] = 1

NL

L

state0 state1

Round 0

NL

L

state2 state3

Round 1

NL

L

state4 state5

Round 2

state6 A B

bjective function: Minimize r0+r1−1

r=r0+1 Z2r

SLIDE 27

Modelling the MITM attack Modelling the distinguisher

Constraints for Var(Z)

Variables Var(Z) describe the relation between Var(X) and Var(Y): Zr[j] = 1 iff Xr[j] = Yr[j] = 1

NL

L

state0 state1

Round 0

NL

L

state2 state3

Round 1

NL

L

state4 state5

Round 2

state6 A B

bjective function: Minimize r0+r1−1

r=r0+1 Z2r

Shi et al. Programming the Demirci-Selc ¸uk Meet-in-the-Middle Attack with Constraints ASK2017 2017.12.11 11 / 22

SLIDE 28

Modelling the MITM attack Modelling the distinguisher

MC =

              

1 1 1 1 1 1 1 1

              

SB,AC AK,SR MC SB,AC AK,SR MC

Round 1 Round 2

SB,AC AK,SR MC SB,AC AK,SR MC

Round 3 Round 4

SB,AC AK,SR MC SB,AC AK,SR MC

Round 5 Round 6

SB,AC AK,SR MC SB,AC AK,SR MC

Round 7 Round 8

SB,AC AK,SR MC SB,AC AK,SR MC

Round 9 Round 10 Round 11

SB,AC AK,SR

SLIDE 29

Modelling the MITM attack Modelling the distinguisher

MC =

              

1 1 1 1 1 1 1 1

              

SB,AC AK,SR MC SB,AC AK,SR MC

Round 1 Round 2

SB,AC AK,SR MC SB,AC AK,SR MC

Round 3 Round 4

SB,AC AK,SR MC SB,AC AK,SR MC

Round 5 Round 6

SB,AC AK,SR MC SB,AC AK,SR MC

Round 7 Round 8

SB,AC AK,SR MC SB,AC AK,SR MC

Round 9 Round 10 Round 11

SB,AC AK,SR

SLIDE 30

Modelling the MITM attack Modelling the distinguisher

MC =

              

1 1 1 1 1 1 1 1

              

SB,AC AK,SR MC SB,AC AK,SR MC

Round 1 Round 2

SB,AC AK,SR MC SB,AC AK,SR MC

Round 3 Round 4

SB,AC AK,SR MC SB,AC AK,SR MC

Round 5 Round 6

SB,AC AK,SR MC SB,AC AK,SR MC

Round 7 Round 8

SB,AC AK,SR MC SB,AC AK,SR MC

Round 9 Round 10 Round 11

SB,AC AK,SR

SLIDE 31

Modelling the MITM attack Modelling the distinguisher

MC =

              

1 1 1 1 1 1 1 1

              

SB,AC AK,SR MC SB,AC AK,SR MC

Round 1 Round 2

SB,AC AK,SR MC SB,AC AK,SR MC

Round 3 Round 4

SB,AC AK,SR MC SB,AC AK,SR MC

Round 5 Round 6

SB,AC AK,SR MC SB,AC AK,SR MC

Round 7 Round 8

SB,AC AK,SR MC SB,AC AK,SR MC

Round 9 Round 10 Round 11

SB,AC AK,SR

SLIDE 32

Modelling the MITM attack Modelling the distinguisher

MC =

              

1 1 1 1 1 1 1 1

              

SB,AC AK,SR MC SB,AC AK,SR MC

Round 1 Round 2

SB,AC AK,SR MC SB,AC AK,SR MC

Round 3 Round 4

SB,AC AK,SR MC SB,AC AK,SR MC

Round 5 Round 6

SB,AC AK,SR MC SB,AC AK,SR MC

Round 7 Round 8

SB,AC AK,SR MC SB,AC AK,SR MC

Round 9 Round 10 Round 11

SB,AC AK,SR

SLIDE 33

Modelling the MITM attack Modelling the distinguisher

MC =

              

1 1 1 1 1 1 1 1

              

SB,AC AK,SR MC SB,AC AK,SR MC

Round 1 Round 2

SB,AC AK,SR MC SB,AC AK,SR MC

Round 3 Round 4

SB,AC AK,SR MC SB,AC AK,SR MC

Round 5 Round 6

SB,AC AK,SR MC SB,AC AK,SR MC

Round 7 Round 8

SB,AC AK,SR MC SB,AC AK,SR MC

Round 9 Round 10 Round 11

SB,AC AK,SR

SLIDE 34

Modelling the MITM attack Modelling the distinguisher

MC =

              

1 1 1 1 1 1 1 1

              

SB,AC AK,SR MC SB,AC AK,SR MC

Round 1 Round 2

SB,AC AK,SR MC SB,AC AK,SR MC

Round 3 Round 4

SB,AC AK,SR MC SB,AC AK,SR MC

Round 5 Round 6

SB,AC AK,SR MC SB,AC AK,SR MC

Round 7 Round 8

SB,AC AK,SR MC SB,AC AK,SR MC

Round 9 Round 10 Round 11

SB,AC AK,SR

SLIDE 35

Modelling the MITM attack Modelling the distinguisher

MC =

              

1 1 1 1 1 1 1 1

              

SB,AC AK,SR MC SB,AC AK,SR MC

Round 1 Round 2

SB,AC AK,SR MC SB,AC AK,SR MC

Round 3 Round 4

SB,AC AK,SR MC SB,AC AK,SR MC

Round 5 Round 6

SB,AC AK,SR MC SB,AC AK,SR MC

Round 7 Round 8

SB,AC AK,SR MC SB,AC AK,SR MC

Round 9 Round 10 Round 11

SB,AC AK,SR

SLIDE 36

Modelling the MITM attack Modelling the distinguisher

MC =

              

1 1 1 1 1 1 1 1

              

SB,AC AK,SR MC SB,AC AK,SR MC

Round 1 Round 2

SB,AC AK,SR MC SB,AC AK,SR MC

Round 3 Round 4

SB,AC AK,SR MC SB,AC AK,SR MC

Round 5 Round 6

SB,AC AK,SR MC SB,AC AK,SR MC

Round 7 Round 8

SB,AC AK,SR MC SB,AC AK,SR MC

Round 9 Round 10 Round 11

SB,AC AK,SR

SLIDE 37

Modelling the MITM attack Modelling the distinguisher

MC =

              

1 1 1 1 1 1 1 1

              

SB,AC AK,SR MC SB,AC AK,SR MC

Round 1 Round 2

SB,AC AK,SR MC SB,AC AK,SR MC

Round 3 Round 4

SB,AC AK,SR MC SB,AC AK,SR MC

Round 5 Round 6

SB,AC AK,SR MC SB,AC AK,SR MC

Round 7 Round 8

SB,AC AK,SR MC SB,AC AK,SR MC

Round 9 Round 10 Round 11

SB,AC AK,SR

Shi et al. Programming the Demirci-Selc ¸uk Meet-in-the-Middle Attack with Constraints ASK2017 2017.12.11 12 / 22

SLIDE 38

Modelling the MITM attack Modelling the distinguisher Shi et al. Programming the Demirci-Selc ¸uk Meet-in-the-Middle Attack with Constraints ASK2017 2017.12.11 13 / 22

SLIDE 39

Modelling the MITM attack Modelling the distinguisher Shi et al. Programming the Demirci-Selc ¸uk Meet-in-the-Middle Attack with Constraints ASK2017 2017.12.11 13 / 22

SLIDE 40

Modelling the MITM attack Modelling the Key-Recovery Process

New 0-1 variables Var(M) and Var(W)

Var(M): Backward differential

MC−1 =

              

1 1 1 1 1 1 1 1

               Var(W): Forward determination

SB,AC AK,SR MC SB,AC AK,SR MC

Round 0 Round 1

SB,AC AK,SR MC

Round 2 Round3 · · · Distinguisher · · ·

MC SB,AC AK,SR

MC

SB,AC AK,SR

MC

SB,AC AK,SR

MC

SB,AC AK,SR

MC

SLIDE 41

Modelling the MITM attack Modelling the Key-Recovery Process

New 0-1 variables Var(M) and Var(W)

Var(M): Backward differential

MC−1 =

              

1 1 1 1 1 1 1 1

               Var(W): Forward determination

SB,AC AK,SR MC SB,AC AK,SR MC

Round 0 Round 1

SB,AC AK,SR MC

Round 2 Round3 · · · Distinguisher · · ·

MC SB,AC AK,SR

MC

SB,AC AK,SR

MC

SB,AC AK,SR

MC

SB,AC AK,SR

MC

SLIDE 42

Modelling the MITM attack Modelling the Key-Recovery Process

New 0-1 variables Var(M) and Var(W)

Var(M): Backward differential

MC−1 =

              

1 1 1 1 1 1 1 1

               Var(W): Forward determination

SB,AC AK,SR MC SB,AC AK,SR MC

Round 0 Round 1

SB,AC AK,SR MC

Round 2 Round3 · · · Distinguisher · · ·

MC SB,AC AK,SR

MC

SB,AC AK,SR

MC

SB,AC AK,SR

MC

SB,AC AK,SR

MC

SLIDE 43

Modelling the MITM attack Modelling the Key-Recovery Process

New 0-1 variables Var(M) and Var(W)

Var(M): Backward differential

MC−1 =

              

1 1 1 1 1 1 1 1

               Var(W): Forward determination

SB,AC AK,SR MC SB,AC AK,SR MC

Round 0 Round 1

SB,AC AK,SR MC

Round 2 Round3 · · · Distinguisher · · ·

MC SB,AC AK,SR

MC

SB,AC AK,SR

MC

SB,AC AK,SR

MC

SB,AC AK,SR

MC

SLIDE 44

Modelling the MITM attack Modelling the Key-Recovery Process

New 0-1 variables Var(M) and Var(W)

Var(M): Backward differential

MC−1 =

              

1 1 1 1 1 1 1 1

               Var(W): Forward determination

SB,AC AK,SR MC SB,AC AK,SR MC

Round 0 Round 1

SB,AC AK,SR MC

Round 2 Round3 · · · Distinguisher · · ·

MC SB,AC AK,SR

MC

SB,AC AK,SR

MC

SB,AC AK,SR

MC

SB,AC AK,SR

MC Round 14

SLIDE 45

Modelling the MITM attack Modelling the Key-Recovery Process

New 0-1 variables Var(M) and Var(W)

Var(M): Backward differential

MC−1 =

              

1 1 1 1 1 1 1 1

               Var(W): Forward determination

SB,AC AK,SR MC SB,AC AK,SR MC

Round 0 Round 1

SB,AC AK,SR MC

Round 2 Round3 · · · Distinguisher · · ·

MC SB,AC AK,SR

MC

SB,AC AK,SR

MC

SB,AC AK,SR

MC

SB,AC AK,SR

MC Round 14 Round 15

SLIDE 46

Modelling the MITM attack Modelling the Key-Recovery Process

New 0-1 variables Var(M) and Var(W)

Var(M): Backward differential

MC−1 =

              

1 1 1 1 1 1 1 1

               Var(W): Forward determination

SB,AC AK,SR MC SB,AC AK,SR MC

Round 0 Round 1

SB,AC AK,SR MC

Round 2 Round3 · · · Distinguisher · · ·

MC SB,AC AK,SR

MC

SB,AC AK,SR

MC

SB,AC AK,SR

MC

SB,AC AK,SR

MC Round 14 Round 15 Round 16

SLIDE 47

Modelling the MITM attack Modelling the Key-Recovery Process

New 0-1 variables Var(M) and Var(W)

Var(M): Backward differential

MC−1 =

              

1 1 1 1 1 1 1 1

               Var(W): Forward determination

SB,AC AK,SR MC SB,AC AK,SR MC

Round 0 Round 1

SB,AC AK,SR MC

Round 2 Round3 · · · Distinguisher · · ·

MC SB,AC AK,SR

MC

SB,AC AK,SR

MC

SB,AC AK,SR

MC

SB,AC AK,SR

MC Round 14 Round 15 Round 16 Round 17 Shi et al. Programming the Demirci-Selc ¸uk Meet-in-the-Middle Attack with Constraints ASK2017 2017.12.11 14 / 22

SLIDE 48

Modelling the MITM attack Modelling the Key-Recovery Process

Round 5

. . . 11-round Distinguisher . . .

Round 0 SB, LN

≪ 8

SK Round 1 SB, LN

≪ 8

SK Round 2 SB, LN

≪ 8

SK Round 3 SB, LN

≪ 8

SK Round 4 SB, LN

≪ 8

SK Round 21

. . . Distinguisher . . .

Round 16 SB, LN

≪ 8

SK Round 17 SB, LN

≪ 8

SK Round 18 SB, LN

≪ 8

SK Round 19 SB, LN

≪ 8

SK Round 20 SB, LN

≪ 8

SK Round 5

. . . 11-round Distinguisher . . .

Round 0 SB, LN

≪ 8

SK Round 1 SB, LN

≪ 8

SK Round 2 SB, LN

≪ 8

SK Round 3 SB, LN

≪ 8

SK Round 4 SB, LN

≪ 8

SK Round 21

. . . Distinguisher . . .

Round 16 SB, LN

≪ 8

SK Round 17 SB, LN

≪ 8

SK Round 18 SB, LN

≪ 8

SK Round 19 SB, LN

≪ 8

SK Round 20 SB, LN

≪ 8

SK

Shi et al. Programming the Demirci-Selc ¸uk Meet-in-the-Middle Attack with Constraints ASK2017 2017.12.11 15 / 22

SLIDE 49

Modelling the MITM attack Modelling the Key-Recovery Process

Key bridging technique

Shift to the left by 29-bit

S S

Shift to the left by 29-bit

S S

Shift to the left by 29-bit

S S

Shift to the left by 29-bit

S S

Shift to the left by 29-bit

S S

Shift to the left by 29-bit

S S

Shift to the left by 29-bit

S S

Shift to the left by 29-bit

S S

Shift to the left by 29-bit

S S

Shift to the left by 29-bit

S S

Shift to the left by 29-bit

S S

Shift to the left by 29-bit

S S

Shift to the left by 29-bit

S S

Shift to the left by 29-bit

S S

Shift to the left by 29-bit

S S

Shift to the left by 29-bit

S S

Shift to the left by 29-bit

S S

Shift to the left by 29-bit

S S

Shift to the left by 29-bit

S S

Round 0 1 Round 0 2 Round 0 3 Round 0 1 4 Round 0 5 Round 0 6 Round 0 7 Round 0 2 8 Round 0 9 Round 0 10 Round 0 11 Round 0 3 12 Round 0 13 Round 0 14 Round 0 15 Round 0 4 16 Round 0 17 Round 0 18 Round 0 19 Round 0 5 20 Round 0 21 Round 0 22 Round 0 23 Round 0 6 24 Round 0 25 Round 0 26 Round 0 27 Round 0 7 28 Round 0 29 Round 0 30 Round 0 31 Round 0 8 32 Round 0 33 Round 0 34 Round 0 35 Round 0 9 36 Round 0 37 Round 0 38 Round 0 39 Round 0 10 40 Round 0 41 Round 0 42 Round 0 43 Round 0 11 44 Round 0 45 Round 0 46 Round 0 47 Round 0 12 48 Round 0 49 Round 0 50 Round 0 51 Round 0 13 52 Round 0 53 Round 0 54 Round 0 55 Round 0 14 56 Round 0 57 Round 0 58 Round 0 59 Round 0 15 60 Round 0 61 Round 0 62 Round 0 63 Round 0 16 64 Round 0 65 Round 0 66 Round 0 67 Round 0 17 68 Round 0 69 Round 0 70 Round 0 71 Round 0 18 72 Round 0 73 Round 0 74 Round 0 75 Round 0 19 76 Round 0 77 Round 0 78 Round 0 79 Round 0 29 Round 1 30 Round 1 31 Round 1 32 Round 1 1 33 Round 1 34 Round 1 35 Round 1 36 Round 1 2 37 Round 1 38 Round 1 39 Round 1 40 Round 1 3 41 Round 1 42 Round 1 43 Round 1 44 Round 1 4 45 Round 1 46 Round 1 47 Round 1 48 Round 1 5 49 Round 1 50 Round 1 51 Round 1 52 Round 1 6 53 Round 1 54 Round 1 55 Round 1 56 Round 1 7 57 Round 1 58 Round 1 59 Round 1 60 Round 1 8 61 Round 1 62 Round 1 63 Round 1 64 Round 1 9 65 Round 1 66 Round 1 67 Round 1 68 Round 1 10 69 Round 1 70 Round 1 71 Round 1 72 Round 1 11 73 Round 1 74 Round 1 75 Round 1 76 Round 1 12 77 Round 1 78 Round 1 79 Round 1 Round 1 13 1 Round 1 2 Round 1 3 Round 1 4 Round 1 14 5 Round 1 6 Round 1 7 Round 1 8 Round 1 15 9 Round 1 10 Round 1 11 Round 1 12 Round 1 16 13 Round 1 14 Round 1 15 Round 1 16 Round 1 17 17 Round 1 18 Round 1 19 Round 1 20 Round 1 18 21 Round 1 22 Round 1 23 Round 1 24 Round 1 19 25 Round 1 26 Round 1 27 Round 1 28 Round 1 58 Round 2 59 Round 2 60 Round 2 61 Round 2 1 62 Round 2 63 Round 2 64 Round 2 65 Round 2 2 66 Round 2 67 Round 2 68 Round 2 69 Round 2 3 70 Round 2 71 Round 2 72 Round 2 73 Round 2 4 74 Round 2 75 Round 2 76 Round 2 77 Round 2 5 78 Round 2 79 Round 2 Round 2 1 Round 2 6 2 Round 2 3 Round 2 4 Round 2 5 Round 2 7 6 Round 2 7 Round 2 8 Round 2 9 Round 2 8 10 Round 2 11 Round 2 12 Round 2 13 Round 2 9 14 Round 2 15 Round 2 16 Round 2 17 Round 2 10 18 Round 2 19 Round 2 20 Round 2 21 Round 2 11 22 Round 2 23 Round 2 24 Round 2 25 Round 2 12 26 Round 2 27 Round 2 28 Round 2 29 Round 2 13 30 Round 2 31 Round 2 32 Round 2 33 Round 2 14 34 Round 2 35 Round 2 36 Round 2 37 Round 2 15 38 Round 2 39 Round 2 40 Round 2 41 Round 2 16 42 Round 2 43 Round 2 44 Round 2 45 Round 2 17 46 Round 2 47 Round 2 48 Round 2 49 Round 2 18 50 Round 2 51 Round 2 52 Round 2 53 Round 2 19 54 Round 2 55 Round 2 56 Round 2 57 Round 2 7 Round 3 8 Round 3 9 Round 3 10 Round 3 1 11 Round 3 12 Round 3 13 Round 3 14 Round 3 2 15 Round 3 16 Round 3 17 Round 3 18 Round 3 3 19 Round 3 20 Round 3 21 Round 3 22 Round 3 4 23 Round 3 24 Round 3 25 Round 3 26 Round 3 5 27 Round 3 28 Round 3 29 Round 3 30 Round 3 6 31 Round 3 32 Round 3 33 Round 3 34 Round 3 7 35 Round 3 36 Round 3 37 Round 3 38 Round 3 8 39 Round 3 40 Round 3 41 Round 3 42 Round 3 9 43 Round 3 44 Round 3 45 Round 3 46 Round 3 10 47 Round 3 48 Round 3 49 Round 3 50 Round 3 11 51 Round 3 52 Round 3 53 Round 3 54 Round 3 12 55 Round 3 56 Round 3 57 Round 3 58 Round 3 13 59 Round 3 60 Round 3 61 Round 3 62 Round 3 14 63 Round 3 64 Round 3 65 Round 3 66 Round 3 15 67 Round 3 68 Round 3 69 Round 3 70 Round 3 16 71 Round 3 72 Round 3 73 Round 3 74 Round 3 17 75 Round 3 76 Round 3 77 Round 3 78 Round 3 18 79 Round 3 Round 3 1 Round 3 2 Round 3 19 3 Round 3 4 Round 3 5 Round 3 6 Round 3 36 Round 4 37 Round 4 38 Round 4 39 Round 4 1 40 Round 4 41 Round 4 42 Round 4 43 Round 4 2 44 Round 4 45 Round 4 46 Round 4 47 Round 4 3 48 Round 4 49 Round 4 50 Round 4 51 Round 4 4 52 Round 4 53 Round 4 54 Round 4 55 Round 4 5 56 Round 4 57 Round 4 58 Round 4 59 Round 4 6 60 Round 4 61 Round 4 62 Round 4 63 Round 4 7 64 Round 4 65 Round 4 66 Round 4 67 Round 4 8 68 Round 4 69 Round 4 70 Round 4 71 Round 4 9 72 Round 4 73 Round 4 74 Round 4 75 Round 4 10 76 Round 4 77 Round 4 78 Round 4 79 Round 4 11 Round 4 1 Round 4 2 Round 4 3 Round 4 12 4 Round 4 5 Round 4 6 Round 4 7 Round 4 13 8 Round 4 9 Round 4 10 Round 4 11 Round 4 14 12 Round 4 13 Round 4 14 Round 4 15 Round 4 15 16 Round 4 17 Round 4 18 Round 4 19 Round 4 16 20 Round 4 21 Round 4 22 Round 4 23 Round 4 17 24 Round 4 25 Round 4 26 Round 4 27 Round 4 18 28 Round 4 29 Round 4 30 Round 4 31 Round 4 19 32 Round 4 33 Round 4 34 Round 4 35 Round 4 65 Round 5 66 Round 5 67 Round 5 68 Round 5 1 69 Round 5 70 Round 5 71 Round 5 72 Round 5 2 73 Round 5 74 Round 5 75 Round 5 76 Round 5 3 77 Round 5 78 Round 5 79 Round 5 Round 5 4 1 Round 5 2 Round 5 3 Round 5 4 Round 5 5 5 Round 5 6 Round 5 7 Round 5 8 Round 5 6 9 Round 5 10 Round 5 11 Round 5 12 Round 5 7 13 Round 5 14 Round 5 15 Round 5 16 Round 5 8 17 Round 5 18 Round 5 19 Round 5 20 Round 5 9 21 Round 5 22 Round 5 23 Round 5 24 Round 5 10 25 Round 5 26 Round 5 27 Round 5 28 Round 5 11 29 Round 5 30 Round 5 31 Round 5 32 Round 5 12 33 Round 5 34 Round 5 35 Round 5 36 Round 5 13 37 Round 5 38 Round 5 39 Round 5 40 Round 5 14 41 Round 5 42 Round 5 43 Round 5 44 Round 5 15 45 Round 5 46 Round 5 47 Round 5 48 Round 5 16 49 Round 5 50 Round 5 51 Round 5 52 Round 5 17 53 Round 5 54 Round 5 55 Round 5 56 Round 5 18 57 Round 5 58 Round 5 59 Round 5 60 Round 5 19 61 Round 5 62 Round 5 63 Round 5 64 Round 5 14 Round 6 15 Round 6 16 Round 6 17 Round 6 1 18 Round 6 19 Round 6 20 Round 6 21 Round 6 2 22 Round 6 23 Round 6 24 Round 6 25 Round 6 3 26 Round 6 27 Round 6 28 Round 6 29 Round 6 4 30 Round 6 31 Round 6 32 Round 6 33 Round 6 5 34 Round 6 35 Round 6 36 Round 6 37 Round 6 6 38 Round 6 39 Round 6 40 Round 6 41 Round 6 7 42 Round 6 43 Round 6 44 Round 6 45 Round 6 8 46 Round 6 47 Round 6 48 Round 6 49 Round 6 9 50 Round 6 51 Round 6 52 Round 6 53 Round 6 10 54 Round 6 55 Round 6 56 Round 6 57 Round 6 11 58 Round 6 59 Round 6 60 Round 6 61 Round 6 12 62 Round 6 63 Round 6 64 Round 6 65 Round 6 13 66 Round 6 67 Round 6 68 Round 6 69 Round 6 14 70 Round 6 71 Round 6 72 Round 6 73 Round 6 15 74 Round 6 75 Round 6 76 Round 6 77 Round 6 16 78 Round 6 79 Round 6 Round 6 1 Round 6 17 2 Round 6 3 Round 6 4 Round 6 5 Round 6 18 6 Round 6 7 Round 6 8 Round 6 9 Round 6 19 10 Round 6 11 Round 6 12 Round 6 13 Round 6 43 Round 7 44 Round 7 45 Round 7 46 Round 7 1 47 Round 7 48 Round 7 49 Round 7 50 Round 7 2 51 Round 7 52 Round 7 53 Round 7 54 Round 7 3 55 Round 7 56 Round 7 57 Round 7 58 Round 7 4 59 Round 7 60 Round 7 61 Round 7 62 Round 7 5 63 Round 7 64 Round 7 65 Round 7 66 Round 7 6 67 Round 7 68 Round 7 69 Round 7 70 Round 7 7 71 Round 7 72 Round 7 73 Round 7 74 Round 7 8 75 Round 7 76 Round 7 77 Round 7 78 Round 7 9 79 Round 7 Round 7 1 Round 7 2 Round 7 10 3 Round 7 4 Round 7 5 Round 7 6 Round 7 11 7 Round 7 8 Round 7 9 Round 7 10 Round 7 12 11 Round 7 12 Round 7 13 Round 7 14 Round 7 13 15 Round 7 16 Round 7 17 Round 7 18 Round 7 14 19 Round 7 20 Round 7 21 Round 7 22 Round 7 15 23 Round 7 24 Round 7 25 Round 7 26 Round 7 16 27 Round 7 28 Round 7 29 Round 7 30 Round 7 17 31 Round 7 32 Round 7 33 Round 7 34 Round 7 18 35 Round 7 36 Round 7 37 Round 7 38 Round 7 19 39 Round 7 40 Round 7 41 Round 7 42 Round 7 72 Round 8 73 Round 8 74 Round 8 75 Round 8 1 76 Round 8 77 Round 8 78 Round 8 79 Round 8 2 Round 8 1 Round 8 2 Round 8 3 Round 8 3 4 Round 8 5 Round 8 6 Round 8 7 Round 8 4 8 Round 8 9 Round 8 10 Round 8 11 Round 8 5 12 Round 8 13 Round 8 14 Round 8 15 Round 8 6 16 Round 8 17 Round 8 18 Round 8 19 Round 8 7 20 Round 8 21 Round 8 22 Round 8 23 Round 8 8 24 Round 8 25 Round 8 26 Round 8 27 Round 8 9 28 Round 8 29 Round 8 30 Round 8 31 Round 8 10 32 Round 8 33 Round 8 34 Round 8 35 Round 8 11 36 Round 8 37 Round 8 38 Round 8 39 Round 8 12 40 Round 8 41 Round 8 42 Round 8 43 Round 8 13 44 Round 8 45 Round 8 46 Round 8 47 Round 8 14 48 Round 8 49 Round 8 50 Round 8 51 Round 8 15 52 Round 8 53 Round 8 54 Round 8 55 Round 8 16 56 Round 8 57 Round 8 58 Round 8 59 Round 8 17 60 Round 8 61 Round 8 62 Round 8 63 Round 8 18 64 Round 8 65 Round 8 66 Round 8 67 Round 8 19 68 Round 8 69 Round 8 70 Round 8 71 Round 8 21 Round 9 22 Round 9 23 Round 9 24 Round 9 1 25 Round 9 26 Round 9 27 Round 9 28 Round 9 2 29 Round 9 30 Round 9 31 Round 9 32 Round 9 3 33 Round 9 34 Round 9 35 Round 9 36 Round 9 4 37 Round 9 38 Round 9 39 Round 9 40 Round 9 5 41 Round 9 42 Round 9 43 Round 9 44 Round 9 6 45 Round 9 46 Round 9 47 Round 9 48 Round 9 7 49 Round 9 50 Round 9 51 Round 9 52 Round 9 8 53 Round 9 54 Round 9 55 Round 9 56 Round 9 9 57 Round 9 58 Round 9 59 Round 9 60 Round 9 10 61 Round 9 62 Round 9 63 Round 9 64 Round 9 11 65 Round 9 66 Round 9 67 Round 9 68 Round 9 12 69 Round 9 70 Round 9 71 Round 9 72 Round 9 13 73 Round 9 74 Round 9 75 Round 9 76 Round 9 14 77 Round 9 78 Round 9 79 Round 9 Round 9 15 1 Round 9 2 Round 9 3 Round 9 4 Round 9 16 5 Round 9 6 Round 9 7 Round 9 8 Round 9 17 9 Round 9 10 Round 9 11 Round 9 12 Round 9 18 13 Round 9 14 Round 9 15 Round 9 16 Round 9 19 17 Round 9 18 Round 9 19 Round 9 20 Round 9 50 Round 10 51 Round 10 52 Round 10 53 Round 10 1 54 Round 10 55 Round 10 56 Round 10 57 Round 10 2 58 Round 10 59 Round 10 60 Round 10 61 Round 10 3 62 Round 10 63 Round 10 64 Round 10 65 Round 10 4 66 Round 10 67 Round 10 68 Round 10 69 Round 10 5 70 Round 10 71 Round 10 72 Round 10 73 Round 10 6 74 Round 10 75 Round 10 76 Round 10 77 Round 10 7 78 Round 10 79 Round 10 Round 10 1 Round 10 8 2 Round 10 3 Round 10 4 Round 10 5 Round 10 9 6 Round 10 7 Round 10 8 Round 10 9 Round 10 10 10 Round 10 11 Round 10 12 Round 10 13 Round 10 11 14 Round 10 15 Round 10 16 Round 10 17 Round 10 12 18 Round 10 19 Round 10 20 Round 10 21 Round 10 13 22 Round 10 23 Round 10 24 Round 10 25 Round 10 14 26 Round 10 27 Round 10 28 Round 10 29 Round 10 15 30 Round 10 31 Round 10 32 Round 10 33 Round 10 16 34 Round 10 35 Round 10 36 Round 10 37 Round 10 17 38 Round 10 39 Round 10 40 Round 10 41 Round 10 18 42 Round 10 43 Round 10 44 Round 10 45 Round 10 19 46 Round 10 47 Round 10 48 Round 10 49 Round 10 79 Round 11 Round 11 1 Round 11 2 Round 11 1 3 Round 11 4 Round 11 5 Round 11 6 Round 11 2 7 Round 11 8 Round 11 9 Round 11 10 Round 11 3 11 Round 11 12 Round 11 13 Round 11 14 Round 11 4 15 Round 11 16 Round 11 17 Round 11 18 Round 11 5 19 Round 11 20 Round 11 21 Round 11 22 Round 11 6 23 Round 11 24 Round 11 25 Round 11 26 Round 11 7 27 Round 11 28 Round 11 29 Round 11 30 Round 11 8 31 Round 11 32 Round 11 33 Round 11 34 Round 11 9 35 Round 11 36 Round 11 37 Round 11 38 Round 11 10 39 Round 11 40 Round 11 41 Round 11 42 Round 11 11 43 Round 11 44 Round 11 45 Round 11 46 Round 11 12 47 Round 11 48 Round 11 49 Round 11 50 Round 11 13 51 Round 11 52 Round 11 53 Round 11 54 Round 11 14 55 Round 11 56 Round 11 57 Round 11 58 Round 11 15 59 Round 11 60 Round 11 61 Round 11 62 Round 11 16 63 Round 11 64 Round 11 65 Round 11 66 Round 11 17 67 Round 11 68 Round 11 69 Round 11 70 Round 11 18 71 Round 11 72 Round 11 73 Round 11 74 Round 11 19 75 Round 11 76 Round 11 77 Round 11 78 Round 11 28 Round 12 29 Round 12 30 Round 12 31 Round 12 1 32 Round 12 33 Round 12 34 Round 12 35 Round 12 2 36 Round 12 37 Round 12 38 Round 12 39 Round 12 3 40 Round 12 41 Round 12 42 Round 12 43 Round 12 4 44 Round 12 45 Round 12 46 Round 12 47 Round 12 5 48 Round 12 49 Round 12 50 Round 12 51 Round 12 6 52 Round 12 53 Round 12 54 Round 12 55 Round 12 7 56 Round 12 57 Round 12 58 Round 12 59 Round 12 8 60 Round 12 61 Round 12 62 Round 12 63 Round 12 9 64 Round 12 65 Round 12 66 Round 12 67 Round 12 10 68 Round 12 69 Round 12 70 Round 12 71 Round 12 11 72 Round 12 73 Round 12 74 Round 12 75 Round 12 12 76 Round 12 77 Round 12 78 Round 12 79 Round 12 13 Round 12 1 Round 12 2 Round 12 3 Round 12 14 4 Round 12 5 Round 12 6 Round 12 7 Round 12 15 8 Round 12 9 Round 12 10 Round 12 11 Round 12 16 12 Round 12 13 Round 12 14 Round 12 15 Round 12 17 16 Round 12 17 Round 12 18 Round 12 19 Round 12 18 20 Round 12 21 Round 12 22 Round 12 23 Round 12 19 24 Round 12 25 Round 12 26 Round 12 27 Round 12 57 Round 13 58 Round 13 59 Round 13 60 Round 13 1 61 Round 13 62 Round 13 63 Round 13 64 Round 13 2 65 Round 13 66 Round 13 67 Round 13 68 Round 13 3 69 Round 13 70 Round 13 71 Round 13 72 Round 13 4 73 Round 13 74 Round 13 75 Round 13 76 Round 13 5 77 Round 13 78 Round 13 79 Round 13 Round 13 6 1 Round 13 2 Round 13 3 Round 13 4 Round 13 7 5 Round 13 6 Round 13 7 Round 13 8 Round 13 8 9 Round 13 10 Round 13 11 Round 13 12 Round 13 9 13 Round 13 14 Round 13 15 Round 13 16 Round 13 10 17 Round 13 18 Round 13 19 Round 13 20 Round 13 11 21 Round 13 22 Round 13 23 Round 13 24 Round 13 12 25 Round 13 26 Round 13 27 Round 13 28 Round 13 13 29 Round 13 30 Round 13 31 Round 13 32 Round 13 14 33 Round 13 34 Round 13 35 Round 13 36 Round 13 15 37 Round 13 38 Round 13 39 Round 13 40 Round 13 16 41 Round 13 42 Round 13 43 Round 13 44 Round 13 17 45 Round 13 46 Round 13 47 Round 13 48 Round 13 18 49 Round 13 50 Round 13 51 Round 13 52 Round 13 19 53 Round 13 54 Round 13 55 Round 13 56 Round 13 6 Round 14 7 Round 14 8 Round 14 9 Round 14 1 10 Round 14 11 Round 14 12 Round 14 13 Round 14 2 14 Round 14 15 Round 14 16 Round 14 17 Round 14 3 18 Round 14 19 Round 14 20 Round 14 21 Round 14 4 22 Round 14 23 Round 14 24 Round 14 25 Round 14 5 26 Round 14 27 Round 14 28 Round 14 29 Round 14 6 30 Round 14 31 Round 14 32 Round 14 33 Round 14 7 34 Round 14 35 Round 14 36 Round 14 37 Round 14 8 38 Round 14 39 Round 14 40 Round 14 41 Round 14 9 42 Round 14 43 Round 14 44 Round 14 45 Round 14 10 46 Round 14 47 Round 14 48 Round 14 49 Round 14 11 50 Round 14 51 Round 14 52 Round 14 53 Round 14 12 54 Round 14 55 Round 14 56 Round 14 57 Round 14 13 58 Round 14 59 Round 14 60 Round 14 61 Round 14 14 62 Round 14 63 Round 14 64 Round 14 65 Round 14 15 66 Round 14 67 Round 14 68 Round 14 69 Round 14 16 70 Round 14 71 Round 14 72 Round 14 73 Round 14 17 74 Round 14 75 Round 14 76 Round 14 77 Round 14 18 78 Round 14 79 Round 14 Round 14 1 Round 14 19 2 Round 14 3 Round 14 4 Round 14 5 Round 14 35 Round 15 36 Round 15 37 Round 15 38 Round 15 1 39 Round 15 40 Round 15 41 Round 15 42 Round 15 2 43 Round 15 44 Round 15 45 Round 15 46 Round 15 3 47 Round 15 48 Round 15 49 Round 15 50 Round 15 4 51 Round 15 52 Round 15 53 Round 15 54 Round 15 5 55 Round 15 56 Round 15 57 Round 15 58 Round 15 6 59 Round 15 60 Round 15 61 Round 15 62 Round 15 7 63 Round 15 64 Round 15 65 Round 15 66 Round 15 8 67 Round 15 68 Round 15 69 Round 15 70 Round 15 9 71 Round 15 72 Round 15 73 Round 15 74 Round 15 10 75 Round 15 76 Round 15 77 Round 15 78 Round 15 11 79 Round 15 Round 15 1 Round 15 2 Round 15 12 3 Round 15 4 Round 15 5 Round 15 6 Round 15 13 7 Round 15 8 Round 15 9 Round 15 10 Round 15 14 11 Round 15 12 Round 15 13 Round 15 14 Round 15 15 15 Round 15 16 Round 15 17 Round 15 18 Round 15 16 19 Round 15 20 Round 15 21 Round 15 22 Round 15 17 23 Round 15 24 Round 15 25 Round 15 26 Round 15 18 27 Round 15 28 Round 15 29 Round 15 30 Round 15 19 31 Round 15 32 Round 15 33 Round 15 34 Round 15 64 Round 16 65 Round 16 66 Round 16 67 Round 16 1 68 Round 16 69 Round 16 70 Round 16 71 Round 16 2 72 Round 16 73 Round 16 74 Round 16 75 Round 16 3 76 Round 16 77 Round 16 78 Round 16 79 Round 16 4 Round 16 1 Round 16 2 Round 16 3 Round 16 5 4 Round 16 5 Round 16 6 Round 16 7 Round 16 6 8 Round 16 9 Round 16 10 Round 16 11 Round 16 7 12 Round 16 13 Round 16 14 Round 16 15 Round 16 8 16 Round 16 17 Round 16 18 Round 16 19 Round 16 9 20 Round 16 21 Round 16 22 Round 16 23 Round 16 10 24 Round 16 25 Round 16 26 Round 16 27 Round 16 11 28 Round 16 29 Round 16 30 Round 16 31 Round 16 12 32 Round 16 33 Round 16 34 Round 16 35 Round 16 13 36 Round 16 37 Round 16 38 Round 16 39 Round 16 14 40 Round 16 41 Round 16 42 Round 16 43 Round 16 15 44 Round 16 45 Round 16 46 Round 16 47 Round 16 16 48 Round 16 49 Round 16 50 Round 16 51 Round 16 17 52 Round 16 53 Round 16 54 Round 16 55 Round 16 18 56 Round 16 57 Round 16 58 Round 16 59 Round 16 19 60 Round 16 61 Round 16 62 Round 16 63 Round 16 13 Round 17 14 Round 17 15 Round 17 16 Round 17 1 17 Round 17 18 Round 17 19 Round 17 20 Round 17 2 21 Round 17 22 Round 17 23 Round 17 24 Round 17 3 25 Round 17 26 Round 17 27 Round 17 28 Round 17 4 29 Round 17 30 Round 17 31 Round 17 32 Round 17 5 33 Round 17 34 Round 17 35 Round 17 36 Round 17 6 37 Round 17 38 Round 17 39 Round 17 40 Round 17 7 41 Round 17 42 Round 17 43 Round 17 44 Round 17 8 45 Round 17 46 Round 17 47 Round 17 48 Round 17 9 49 Round 17 50 Round 17 51 Round 17 52 Round 17 10 53 Round 17 54 Round 17 55 Round 17 56 Round 17 11 57 Round 17 58 Round 17 59 Round 17 60 Round 17 12 61 Round 17 62 Round 17 63 Round 17 64 Round 17 13 65 Round 17 66 Round 17 67 Round 17 68 Round 17 14 69 Round 17 70 Round 17 71 Round 17 72 Round 17 15 73 Round 17 74 Round 17 75 Round 17 76 Round 17 16 77 Round 17 78 Round 17 79 Round 17 Round 17 17 1 Round 17 2 Round 17 3 Round 17 4 Round 17 18 5 Round 17 6 Round 17 7 Round 17 8 Round 17 19 9 Round 17 10 Round 17 11 Round 17 12 Round 17 42 Round 18 43 Round 18 44 Round 18 45 Round 18 1 46 Round 18 47 Round 18 48 Round 18 49 Round 18 2 50 Round 18 51 Round 18 52 Round 18 53 Round 18 3 54 Round 18 55 Round 18 56 Round 18 57 Round 18 4 58 Round 18 59 Round 18 60 Round 18 61 Round 18 5 62 Round 18 63 Round 18 64 Round 18 65 Round 18 6 66 Round 18 67 Round 18 68 Round 18 69 Round 18 7 70 Round 18 71 Round 18 72 Round 18 73 Round 18 8 74 Round 18 75 Round 18 76 Round 18 77 Round 18 9 78 Round 18 79 Round 18 Round 18 1 Round 18 10 2 Round 18 3 Round 18 4 Round 18 5 Round 18 11 6 Round 18 7 Round 18 8 Round 18 9 Round 18 12 10 Round 18 11 Round 18 12 Round 18 13 Round 18 13 14 Round 18 15 Round 18 16 Round 18 17 Round 18 14 18 Round 18 19 Round 18 20 Round 18 21 Round 18 15 22 Round 18 23 Round 18 24 Round 18 25 Round 18 16 26 Round 18 27 Round 18 28 Round 18 29 Round 18 17 30 Round 18 31 Round 18 32 Round 18 33 Round 18 18 34 Round 18 35 Round 18 36 Round 18 37 Round 18 19 38 Round 18 39 Round 18 40 Round 18 41 Round 18 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19

Shi et al. Programming the Demirci-Selc ¸uk Meet-in-the-Middle Attack with Constraints ASK2017 2017.12.11 16 / 22

SLIDE 50

Modelling the MITM attack Modelling the Key-Recovery Process

Key bridging technique

Shift to the left by 29-bit

S S

Shift to the left by 29-bit

S S

Shift to the left by 29-bit

S S

Shift to the left by 29-bit

S S

Shift to the left by 29-bit

S S

Shift to the left by 29-bit

S S

Shift to the left by 29-bit

S S S S

Round 0 1 Round 0 2 Round 0 3 Round 0 1 4 Round 0 5 Round 0 6 Round 0 7 Round 0 2 8 Round 0 9 Round 0 10 Round 0 11 Round 0 3 12 Round 0 13 Round 0 14 Round 0 15 Round 0 4 16 Round 0 17 Round 0 18 Round 0 19 Round 0 5 20 Round 0 21 Round 0 22 Round 0 23 Round 0 6 24 Round 0 25 Round 0 26 Round 0 27 Round 0 7 28 Round 0 29 Round 0 30 Round 0 31 Round 0 8 32 Round 0 33 Round 0 34 Round 0 35 Round 0 9 36 Round 0 37 Round 0 38 Round 0 39 Round 0 10 40 Round 0 41 Round 0 42 Round 0 43 Round 0 11 44 Round 0 45 Round 0 46 Round 0 47 Round 0 12 48 Round 0 49 Round 0 50 Round 0 51 Round 0 13 52 Round 0 53 Round 0 54 Round 0 55 Round 0 14 56 Round 0 57 Round 0 58 Round 0 59 Round 0 15 60 Round 0 61 Round 0 62 Round 0 63 Round 0 16 64 Round 0 65 Round 0 66 Round 0 67 Round 0 Round 0 Round 0 Round 0 Round 0 Round 0 Round 0 Round 0 Round 0 Round 0 Round 0 Round 0 Round 0 29 Round 1 30 Round 1 31 Round 1 32 Round 1 1 33 Round 1 34 Round 1 35 Round 1 36 Round 1 2 37 Round 1 38 Round 1 39 Round 1 40 Round 1 3 41 Round 1 42 Round 1 43 Round 1 44 Round 1 4 45 Round 1 46 Round 1 47 Round 1 48 Round 1 5 49 Round 1 50 Round 1 51 Round 1 52 Round 1 6 53 Round 1 54 Round 1 55 Round 1 56 Round 1 7 57 Round 1 58 Round 1 59 Round 1 60 Round 1 8 61 Round 1 62 Round 1 63 Round 1 64 Round 1 9 65 Round 1 66 Round 1 67 Round 1 68 Round 1 10 69 Round 1 70 Round 1 71 Round 1 72 Round 1 11 73 Round 1 74 Round 1 75 Round 1 76 Round 1 12 77 Round 1 78 Round 1 79 Round 1 Round 1 13 1 Round 1 2 Round 1 3 Round 1 4 Round 1 14 5 Round 1 6 Round 1 7 Round 1 8 Round 1 15 9 Round 1 10 Round 1 11 Round 1 12 Round 1 16 13 Round 1 14 Round 1 15 Round 1 16 Round 1 Round 1 Round 1 Round 1 Round 1 Round 1 Round 1 Round 1 Round 1 Round 1 Round 1 Round 1 Round 1 58 Round 2 59 Round 2 60 Round 2 61 Round 2 1 62 Round 2 63 Round 2 64 Round 2 65 Round 2 2 66 Round 2 67 Round 2 68 Round 2 69 Round 2 3 70 Round 2 71 Round 2 72 Round 2 73 Round 2 4 74 Round 2 75 Round 2 76 Round 2 77 Round 2 5 78 Round 2 79 Round 2 Round 2 1 Round 2 6 2 Round 2 3 Round 2 4 Round 2 5 Round 2 7 6 Round 2 7 Round 2 8 Round 2 9 Round 2 8 10 Round 2 11 Round 2 12 Round 2 13 Round 2 9 14 Round 2 15 Round 2 16 Round 2 17 Round 2 10 18 Round 2 19 Round 2 20 Round 2 21 Round 2 11 22 Round 2 23 Round 2 24 Round 2 25 Round 2 12 26 Round 2 27 Round 2 28 Round 2 29 Round 2 13 30 Round 2 31 Round 2 32 Round 2 33 Round 2 14 34 Round 2 35 Round 2 36 Round 2 37 Round 2 15 38 Round 2 39 Round 2 40 Round 2 41 Round 2 16 42 Round 2 43 Round 2 44 Round 2 45 Round 2 Round 2 Round 2 Round 2 Round 2 Round 2 Round 2 Round 2 Round 2 Round 2 Round 2 Round 2 Round 2 7 Round 3 8 Round 3 9 Round 3 10 Round 3 1 11 Round 3 12 Round 3 13 Round 3 14 Round 3 2 15 Round 3 16 Round 3 17 Round 3 18 Round 3 3 19 Round 3 20 Round 3 21 Round 3 22 Round 3 4 23 Round 3 24 Round 3 25 Round 3 26 Round 3 5 27 Round 3 28 Round 3 29 Round 3 30 Round 3 6 31 Round 3 32 Round 3 33 Round 3 34 Round 3 7 35 Round 3 36 Round 3 37 Round 3 38 Round 3 8 39 Round 3 40 Round 3 41 Round 3 42 Round 3 9 43 Round 3 44 Round 3 45 Round 3 46 Round 3 10 47 Round 3 48 Round 3 49 Round 3 50 Round 3 11 51 Round 3 52 Round 3 53 Round 3 54 Round 3 12 55 Round 3 56 Round 3 57 Round 3 58 Round 3 13 59 Round 3 60 Round 3 61 Round 3 62 Round 3 14 63 Round 3 64 Round 3 65 Round 3 66 Round 3 15 67 Round 3 68 Round 3 69 Round 3 70 Round 3 16 71 Round 3 72 Round 3 73 Round 3 74 Round 3 Round 3 Round 3 Round 3 Round 3 Round 3 Round 3 Round 3 Round 3 Round 3 Round 3 Round 3 Round 3 36 Round 4 37 Round 4 38 Round 4 39 Round 4 1 40 Round 4 41 Round 4 42 Round 4 43 Round 4 2 44 Round 4 45 Round 4 46 Round 4 47 Round 4 3 48 Round 4 49 Round 4 50 Round 4 51 Round 4 4 52 Round 4 53 Round 4 54 Round 4 55 Round 4 5 56 Round 4 57 Round 4 58 Round 4 59 Round 4 6 60 Round 4 61 Round 4 62 Round 4 63 Round 4 7 64 Round 4 65 Round 4 66 Round 4 67 Round 4 8 68 Round 4 69 Round 4 70 Round 4 71 Round 4 9 72 Round 4 73 Round 4 74 Round 4 75 Round 4 10 76 Round 4 77 Round 4 78 Round 4 79 Round 4 11 Round 4 1 Round 4 2 Round 4 3 Round 4 12 4 Round 4 5 Round 4 6 Round 4 7 Round 4 13 8 Round 4 9 Round 4 10 Round 4 11 Round 4 14 12 Round 4 13 Round 4 14 Round 4 15 Round 4 15 16 Round 4 17 Round 4 18 Round 4 19 Round 4 16 20 Round 4 21 Round 4 22 Round 4 23 Round 4 Round 4 Round 4 Round 4 Round 4 Round 4 Round 4 Round 4 Round 4 Round 4 Round 4 Round 4 Round 4 65 Round 5 66 Round 5 67 Round 5 68 Round 5 1 69 Round 5 70 Round 5 71 Round 5 72 Round 5 2 73 Round 5 74 Round 5 75 Round 5 76 Round 5 3 77 Round 5 78 Round 5 79 Round 5 Round 5 4 1 Round 5 2 Round 5 3 Round 5 4 Round 5 5 5 Round 5 6 Round 5 7 Round 5 8 Round 5 6 9 Round 5 10 Round 5 11 Round 5 12 Round 5 7 13 Round 5 14 Round 5 15 Round 5 16 Round 5 8 17 Round 5 18 Round 5 19 Round 5 20 Round 5 9 21 Round 5 22 Round 5 23 Round 5 24 Round 5 10 25 Round 5 26 Round 5 27 Round 5 28 Round 5 11 29 Round 5 30 Round 5 31 Round 5 32 Round 5 12 33 Round 5 34 Round 5 35 Round 5 36 Round 5 13 37 Round 5 38 Round 5 39 Round 5 40 Round 5 14 41 Round 5 42 Round 5 43 Round 5 44 Round 5 15 45 Round 5 46 Round 5 47 Round 5 48 Round 5 16 49 Round 5 50 Round 5 51 Round 5 52 Round 5 Round 5 Round 5 Round 5 Round 5 Round 5 Round 5 Round 5 Round 5 Round 5 Round 5 Round 5 Round 5 14 Round 6 15 Round 6 16 Round 6 17 Round 6 1 18 Round 6 19 Round 6 20 Round 6 21 Round 6 2 22 Round 6 23 Round 6 24 Round 6 25 Round 6 3 26 Round 6 27 Round 6 28 Round 6 29 Round 6 4 30 Round 6 31 Round 6 32 Round 6 33 Round 6 5 34 Round 6 35 Round 6 36 Round 6 37 Round 6 6 38 Round 6 39 Round 6 40 Round 6 41 Round 6 7 42 Round 6 43 Round 6 44 Round 6 45 Round 6 8 46 Round 6 47 Round 6 48 Round 6 49 Round 6 9 50 Round 6 51 Round 6 52 Round 6 53 Round 6 10 54 Round 6 55 Round 6 56 Round 6 57 Round 6 11 58 Round 6 59 Round 6 60 Round 6 61 Round 6 12 62 Round 6 63 Round 6 64 Round 6 65 Round 6 13 66 Round 6 67 Round 6 68 Round 6 69 Round 6 14 70 Round 6 71 Round 6 72 Round 6 73 Round 6 15 74 Round 6 75 Round 6 76 Round 6 77 Round 6 16 78 Round 6 79 Round 6 Round 6 1 Round 6 Round 6 Round 6 Round 6 Round 6 Round 6 Round 6 Round 6 Round 6 Round 6 Round 6 Round 6 Round 6 43 Round 7 44 Round 7 45 Round 7 46 Round 7 1 47 Round 7 48 Round 7 49 Round 7 50 Round 7 2 51 Round 7 52 Round 7 53 Round 7 54 Round 7 3 55 Round 7 56 Round 7 57 Round 7 58 Round 7 4 59 Round 7 60 Round 7 61 Round 7 62 Round 7 5 63 Round 7 64 Round 7 65 Round 7 66 Round 7 6 67 Round 7 68 Round 7 69 Round 7 70 Round 7 7 71 Round 7 72 Round 7 73 Round 7 74 Round 7 8 75 Round 7 76 Round 7 77 Round 7 78 Round 7 9 79 Round 7 Round 7 1 Round 7 2 Round 7 10 3 Round 7 4 Round 7 5 Round 7 6 Round 7 11 7 Round 7 8 Round 7 9 Round 7 10 Round 7 12 11 Round 7 12 Round 7 13 Round 7 14 Round 7 13 15 Round 7 16 Round 7 17 Round 7 18 Round 7 14 19 Round 7 20 Round 7 21 Round 7 22 Round 7 15 23 Round 7 24 Round 7 25 Round 7 26 Round 7 16 27 Round 7 28 Round 7 29 Round 7 30 Round 7 Round 7 Round 7 Round 7 Round 7 Round 7 Round 7 Round 7 Round 7 Round 7 Round 7 Round 7 Round 7

Shi et al. Programming the Demirci-Selc ¸uk Meet-in-the-Middle Attack with Constraints ASK2017 2017.12.11 16 / 22

SLIDE 51

MITM and Impossible differential application in design

Outline

1

Introduction

2

Modelling the MITM attack

3

MITM and Impossible differential application in design Results of Lblock Results of TWINE

4

Conclusion

Shi et al. Programming the Demirci-Selc ¸uk Meet-in-the-Middle Attack with Constraints ASK2017 2017.12.11 17 / 22

SLIDE 52

MITM and Impossible differential application in design Results of Lblock

LBlock

SB, LN

≪ 8

SK0

8! = 40320 variants ciphers against MITM and ID

SLIDE 53

MITM and Impossible differential application in design Results of Lblock

LBlock

SB, LN

≪ 8

SK0

8! = 40320 variants ciphers against MITM and ID

Shi et al. Programming the Demirci-Selc ¸uk Meet-in-the-Middle Attack with Constraints ASK2017 2017.12.11 17 / 22

SLIDE 54

MITM and Impossible differential application in design Results of Lblock

Results of LBlock

All exist 14-round ID distinguisher 32 permutations are good: no 15-round ID distinguisher strong against the MITM Distinguisher

Shi et al. Programming the Demirci-Selc ¸uk Meet-in-the-Middle Attack with Constraints ASK2017 2017.12.11 18 / 22

SLIDE 55

MITM and Impossible differential application in design Results of TWINE

TWINE

TWINE Cipher:

RK RK RK RK RK RK RK RK

Enumeration: 22 · 8!

SLIDE 56

MITM and Impossible differential application in design Results of TWINE

TWINE

TWINE Cipher:

RK RK RK RK RK RK RK RK

Enumeration: 22 · 8!

Shi et al. Programming the Demirci-Selc ¸uk Meet-in-the-Middle Attack with Constraints ASK2017 2017.12.11 19 / 22

SLIDE 57

MITM and Impossible differential application in design Results of TWINE

Results of TWINE

144 permutations: no 15-round ID Distinguisher. 84 permutations are good in the view of MITM. 12 permutations are best: no 11-round MITM distinguisher

Shi et al. Programming the Demirci-Selc ¸uk Meet-in-the-Middle Attack with Constraints ASK2017 2017.12.11 20 / 22

SLIDE 58

Conclusion

Outline

1

Introduction

2

Modelling the MITM attack

3

MITM and Impossible differential application in design

4

Conclusion

Shi et al. Programming the Demirci-Selc ¸uk Meet-in-the-Middle Attack with Constraints ASK2017 2017.12.11 21 / 22

SLIDE 59

Conclusion

Conclusion modelling the MITM attack ID and MITM for variants cipher of LBlock and TWINE Future Work Differential enumaraion Key Bridging

Shi et al. Programming the Demirci-Selc ¸uk Meet-in-the-Middle Attack with Constraints ASK2017 2017.12.11 21 / 22

SLIDE 60

Conclusion

Thanks for your attention.

Shi et al. Programming the Demirci-Selc ¸uk Meet-in-the-Middle Attack with Constraints ASK2017 2017.12.11 22 / 22