## Sunday, March 27, 2016

### FSE 2016 and DISC workshop

This is part two of a two-part blog post collaboratively written by Matthias and Ralph.

## FSE 2016

From 20 to 23 March 2016, the 23rd International Conference on Fast Software Encryption (FSE) took place at the Ruhr University Bochum in Bochum, Germany. The conference focuses on fast and secure primitives for symmetric cryptography.

The conference was split into 9 sessions.

### Session 1: Operating Modes

This session was on operating modes; three papers were presented, one of which we summarize here.

The paper "A MAC Mode for Lightweight Block Ciphers" was presented by Atul Luykx. He presented a new MAC mode called LightMAC whose security bound does not degrade with the message length, the aim being to extend the lifetime of a symmetric key: every block-cipher call is fed a distinct counter prefix, so the bound depends on the number of tagged messages rather than on their total length.

### Session 2: Stream-Cipher Cryptanalysis

This session was on stream-cipher cryptanalysis; two papers were presented, one of which we summarize here.

The paper "Cryptanalysis of the Full Spritz Stream Cipher" was presented by Subhadeep Banik. He presented an improved state recovery attack that takes advantage of a special class of states: once such a state is entered, the permutation maps all even values to even values and all odd values to odd values.

### Session 3: Components

This session was on components; three papers were presented, one of which we summarize here.

Siang Meng Sim presented the paper "Lightweight MDS Generalized Circulant Matrices", in which they construct left-circulant MDS matrices of order $\le$ 8.

### Session 4: Side-Channels and Implementations

This session was on side-channels and implementations; three papers were presented, one of which we summarize here.

Pascal Sasdrich presented the paper "White-Box Cryptography in the Gray Box - A Hardware Implementation and its Side Channels". In his talk he presented the first AES white-box implementation in hardware and gave the results of a practical gray-box (side-channel) analysis of it.

### Session 5: Automated Tools for Cryptanalysis

This session was on automated tools for cryptanalysis; three papers were presented, one of which we summarize here.

Vesselin Velichkov presented the paper "Automatic Search for the Best Trails in ARX: Application to Block Cipher Speck", in which they present a new automatic search tool that applies Matsui's branch-and-bound algorithm to ARX constructions and finds optimal trails. They then searched for differential trails in Speck and presented new bounds on the security of Speck against differential cryptanalysis.

### Session 6: Designs

This session was on designs; two papers were presented, one of which we summarize here.

Jeremy Jean presented the paper "Efficient Design Strategies Based on the AES Round Function". In their paper they present cascaded iterations of the AES round function with intermediate XORs, which achieve high performance.

### Invited Talk: On White-Box Cryptography

The invited talk on white-box cryptography was given by Henri Gilbert from ANSSI, France.

### Session 7: Block-Cipher Cryptanalysis

This session was on block-cipher cryptanalysis and the following five papers were presented:

• Bit-Based Division Property and Application to Simon Family
• Algebraic Insights into the Secret Feistel Network
• Integrals go Statistical: Cryptanalysis of Full Skipjack Variants
• Note on Impossible Differential Attacks
• Improved Linear Hull Attack on Round-Reduced Simon with Dynamic Key-guessing Techniques

### Rump Session

The rump session consisted of several short talks of a few minutes each.

Thomas Peyrin presented a new block cipher called Skinny that is built on the TWEAKEY framework. Skinny has an AES-like design and achieves better performance than SIMON and other lightweight designs.

Jeremy Jean presented a website with standardized figures for ciphers in his talk "TikZ for Cryptographers". His aim is that every cryptographer uses these standardized figures in their papers.

Christian Rechberger presented the FHEMPCZK-Cipher Zoo, where one can compare ciphers designed for Fully Homomorphic Encryption (FHE), Multi-Party Computation (MPC) and Zero-Knowledge (ZK) proofs.

### Session 8: Foundations and Theory

This session was on foundations and theory and the following four papers were presented:

• Modeling Random Oracles under Unpredictable Queries
• Practical Order-Revealing Encryption with Limited Leakage
• Strengthening the Known-Key Security Notion for Block Ciphers
• Related-Key Almost Universal Hash Functions: Definitions, Constructions and Applications

### Session 9: Authenticated-Encryption and Hash Function Cryptanalysis

This session was on authenticated-encryption and hash function cryptanalysis and the following three papers were presented:

• Key Recovery Attack against 2.5-round $\pi$-Cipher
• Cryptanalysis of Reduced NORX
• Analysis of the Kupyna-256 Hash Function

Yu Sasaki presented "Cryptanalysis of Reduced NORX", in which they present state and key recovery attacks against a version whose core permutation is reduced to 2 of its 4 rounds.

## DISC workshop

After FSE, the Directions in Symmetric Cryptography (DISC) workshop for PhD students and young post-docs took place at the Ruhr University Bochum.

The workshop was divided into 5 working groups of 5 to 9 participants, who got the opportunity to work together for one and a half days on a specific topic. A further goal was to meet other people working in the same area and to start research collaborations.

### Topic 1: How to design a bad key schedule

The goal of this topic was to approach key schedule design from the opposite direction: can we design a key schedule that looks harmless but has a detrimental effect on the block cipher's security? Is it even possible to hide back doors in the key schedule alone?

### Topic 2: The TWEAKEY framework - New Designs and Cryptanalysis of STK

The TWEAKEY framework was introduced at ASIACRYPT 2014 as a more general design idea for tweak/key (tweakey) scheduling. In this framework, one does not separate key material from tweak material. The authors proposed a specific instance called superposition TWEAKEY (STK), in which the tweakey state is split into p words that all go through the same cell permutation each round, with word i additionally multiplied cell-wise by a distinct constant α_i, and the round subtweakey is the XOR of all p words. They designed three tweakable block ciphers, Joltik-BC, Deoxys-BC and Kiasu-BC, based on this idea. This topic was both about cryptanalysis of the STK construction and about thinking of design alternatives.
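The STK schedule rule, as an added example that is not code from the TWEAKEY or Deoxys authors. The 16-cell words of 4-bit cells, the particular cell permutation `H` and the 4-bit LFSR used as the multiplier are assumptions made for the demo (the real ciphers fix their own); what the code shows is the property the distinct per-word multipliers buy: an exhaustive search over single-cell differences finds that the subtweakey difference can vanish in at most p-1 of any 15 consecutive rounds, so a related-tweakey difference cannot be cancelled for long.

```python
"""Superposition TWEAKEY (STK) subtweakey schedule and its cancellation
bound.  Added example with assumed parameters, not a real cipher's schedule."""
from itertools import product

CELLS = 16   # cells per tweakey word, 4 bits each (assumption for the demo)
PERIOD = 15  # period of the 4-bit LFSR below on nonzero cells


def lfsr4(x: int) -> int:
    """One step of a maximum-length 4-bit LFSR: (x3,x2,x1,x0) -> (x2,x1,x0,x3^x2)."""
    return ((x << 1) & 0xF) | (((x >> 3) ^ (x >> 2)) & 1)


def lfsr_period(x: int) -> int:
    """Steps of lfsr4 needed to bring x back to itself (15 for every x != 0)."""
    y, steps = lfsr4(x), 1
    while y != x:
        y, steps = lfsr4(y), steps + 1
    return steps


# LFSR_POW[j][x] = L^j(x); word j uses alpha_j = L^j (alpha_0 = identity).
LFSR_POW = [list(range(16))]
for _ in range(PERIOD):
    LFSR_POW.append([lfsr4(x) for x in LFSR_POW[-1]])

# Cell permutation h, applied identically to every word each round.
# Hypothetical permutation chosen for this demo.
H = [9, 15, 8, 13, 10, 14, 12, 11, 0, 1, 2, 3, 4, 5, 6, 7]


def stk_schedule(words, rounds):
    """Return STK_0 .. STK_{rounds-1}, each the XOR of the p tweakey words.
    Every round: each word is permuted by h, then word j gets L^j per cell."""
    words = [list(w) for w in words]
    out = []
    for _ in range(rounds):
        stk = [0] * CELLS
        for w in words:
            stk = [s ^ x for s, x in zip(stk, w)]
        out.append(stk)
        words = [[LFSR_POW[j][w[H[c]]] for c in range(CELLS)]
                 for j, w in enumerate(words)]
    return out


def max_cancellations(diff_words, rounds=2 * PERIOD):
    """Largest number of rounds, within any PERIOD consecutive rounds, whose
    subtweakey difference is all zero.  The schedule is linear, so feeding the
    tweakey difference in directly yields the difference of the two schedules."""
    zero = [not any(stk) for stk in stk_schedule(diff_words, rounds)]
    return max(sum(zero[i:i + PERIOD]) for i in range(rounds - PERIOD + 1))


def worst_case_cancellations(p):
    """Exhaust all nonzero differences placed in cell 0 of p tweakey words and
    return the worst number of cancellations per PERIOD rounds.  One period of
    rounds suffices because the cell values repeat with period PERIOD."""
    worst = 0
    for diffs in product(range(16), repeat=p):
        if not any(diffs):
            continue
        words = [[d] + [0] * (CELLS - 1) for d in diffs]
        worst = max(worst, max_cancellations(words, rounds=PERIOD))
    return worst


if __name__ == "__main__":
    for p in (1, 2, 3):
        print(f"p={p}: at most {worst_case_cancellations(p)} cancellations per {PERIOD} rounds")
```

The argument behind the numbers: after r rounds the difference in a cell is Δ_0 ⊕ L^r(Δ_1) ⊕ L^{2r}(Δ_2) ⊕ ..., a polynomial of degree at most p-1 in y = L^r over GF(2^4), so it has at most p-1 roots among the 15 distinct values y takes in one period. With a single tweakey word (p = 1) a nonzero difference never cancels at all.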

### TOPIC 3: Distinguishing block ciphers: Is the attack space covered?

Block cipher cryptanalysis relies to a large degree on the existence of efficient distinguishers. In this topic, we want to discuss and explore possible directions where novel cryptanalytic techniques might be found or alternatively find arguments why new techniques are unlikely to be found.

### TOPIC 4: How reliable are our assumptions in statistical attacks?

In symmetric cryptanalysis, statistical attacks such as differential and linear cryptanalysis, boomerang attacks or differential-linear attacks play an important role in the security evaluation of block ciphers. These attacks inherently rely on various independence or randomization assumptions that are needed to estimate their success probability. Is it possible to determine criteria for when these assumptions hold or fail? Can we sometimes remove the assumptions or substitute them with weaker variants? Can we give heuristic arguments for their validity to increase our confidence in them?

### TOPIC 5: Resistance against cryptanalytic attacks: What can we prove?

Unlike public-key schemes, block ciphers are usually not based on hard problems. To estimate their security, block ciphers are instead evaluated against the range of known attack vectors. From both the designer's and the evaluator's perspective it would be desirable to have proofs against larger classes of attacks. Even finding good heuristic formulas that determine the number of rounds needed for security would be a large step forward. In this topic, we would like to discuss design, evaluation and proof strategies that might help us move towards this goal.