The conference was split into 9 sessions.
Session 1: Operating Modes
This session was on operating modes and the following three papers were presented:
- New Bounds for Keyed Sponges with Extendable Output: Independence between Capacity and Message Length
The paper "A MAC Mode for Lightweight Block Ciphers" was presented by Atul Luykx, where he presented a new MAC mode called LightMAC that focuses on extending the lifetime of a symmetric key.
Session 2: Stream-Cipher Cryptanalysis
This session was on stream-cipher cryptanalysis and the following two papers were presented:
The paper "Cryptanalysis of the Full Spritz Stream Cipher" was presented by Subhadeep Banik, where he presented an improved state recovery attack that takes advantage of a special state: once it is entered, all even values in the permutation are mapped to even values and all odd values to odd values.
Session 3: Components
This session was on components and the following three papers were presented:
- Lightweight MDS Generalized Circulant Matrices
- On the Construction of Lightweight Circulant Involutory MDS Matrices
- Optimizing S-box Implementations for Several Criteria using SAT Solvers
Siang Meng Sim presented the paper "Lightweight MDS Generalized Circulant Matrices", where they showed left-circulant MDS matrices of order $\le$ 8.
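As an added illustration of what the MDS property means for such a matrix (example code written for this report, not from the paper): the check below builds a left-circulant matrix over GF(2^4), using the constructed modulus x^4 + x + 1, and tests the defining MDS condition that every square submatrix is non-singular.

```python
# Added example (not from the paper): MDS test for left-circulant matrices over GF(2^4).
from itertools import combinations

GF_BITS, GF_POLY = 4, 0x13  # GF(2^4) with modulus x^4 + x + 1, a constructed choice

def gf_mul(a, b):
    """Multiply two elements of GF(2^GF_BITS) modulo GF_POLY."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a >> GF_BITS:
            a ^= GF_POLY
        b >>= 1
    return r

def gf_inv(a):
    """Multiplicative inverse by exhaustive search (the field has only 16 elements)."""
    return next(x for x in range(1, 1 << GF_BITS) if gf_mul(a, x) == 1)

def left_circulant(first_row):
    """Row i of a left-circulant matrix is the first row rotated left by i positions."""
    n = len(first_row)
    return [[first_row[(i + j) % n] for j in range(n)] for i in range(n)]

def is_singular(m):
    """Gaussian elimination over GF(2^GF_BITS); True if some column has no pivot."""
    m, n = [row[:] for row in m], len(m)
    for col in range(n):
        pivot = next((r for r in range(col, n) if m[r][col]), None)
        if pivot is None:
            return True
        m[col], m[pivot] = m[pivot], m[col]
        inv = gf_inv(m[col][col])
        for r in range(col + 1, n):
            if m[r][col]:  # row_r -= (m[r][col] / pivot) * row_col; '-' is XOR in char 2
                f = gf_mul(m[r][col], inv)
                m[r] = [x ^ gf_mul(f, y) for x, y in zip(m[r], m[col])]
    return False

def is_mds(m):
    """MDS iff every k x k submatrix, for every k, is non-singular."""
    n = len(m)
    return not any(
        is_singular([[m[r][c] for c in cols] for r in rows])
        for k in range(1, n + 1)
        for rows in combinations(range(n), k)
        for cols in combinations(range(n), k))

# is_mds(left_circulant([1, 2, 6])) -> True; is_mds(left_circulant([1, 2, 3])) -> False
```

The first row (1, 2, 3) fails because 1 ^ 2 ^ 3 = 0 makes the full 3 x 3 determinant vanish, even though every entry and every 2 x 2 minor is non-zero.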
Session 4: Side-Channels and Implementations
This session was on side-channels and implementations and the following three papers were presented:
- Verifiable side-channel security of cryptographic implementations: constant-time MEE-CBC
- White-Box Cryptography in the Gray Box - A Hardware Implementation and its Side Channels
- Detecting flawed masking schemes with leakage detection tests
- There is Wisdom in Harnessing the Strengths of your Enemy: Customized Encoding to Thwart Side-Channel Attacks
Pascal Sasdrich presented the paper "White-Box Cryptography in the Gray Box - A Hardware Implementation and its Side Channels". In his talk he presented the first AES white-box implementation in hardware and provided results of a practical gray-box (side-channel) analysis.
Session 5: Automated Tools for Cryptanalysis
This session was on automated tools for cryptanalysis and the following three papers were presented:
- Automatic Search for Key-Bridging Technique: Applications to LBlock and TWINE
- MILP-Based Automatic Search Algorithms for Differential and Linear Trails for Speck
- Automatic Search for the Best Trails in ARX: Application to Block Cipher Speck
Vesselin Velichkov presented the paper "Automatic Search for the Best Trails in ARX: Application to Block Cipher Speck", where they present a new automatic search tool that applies Matsui's algorithm with optimal results. They then searched for differential trails in Speck and presented new bounds on the security of Speck with regard to differential cryptanalysis.
Session 6: Designs
This session was on designs and the following two papers were presented:
- Stream ciphers: A Practical Solution for Efficient Homomorphic-Ciphertext Compression
- Efficient Design Strategies Based on the AES Round Function
Jeremy Jean presented the paper "Efficient Design Strategies Based on the AES Round Function". In their paper they present cascaded iterations of the AES round function together with intermediate XORs, which achieves high performance.
Invited Talk: On White-Box Cryptography
The invited talk on white-box cryptography was given by Henri Gilbert from ANSSI, France.
Session 7: Block-Cipher Cryptanalysis
This session was on block-cipher cryptanalysis and the following five papers were presented:
- Bit-Based Division Property and Application to Simon Family
- Algebraic Insights into the Secret Feistel Network
- Integrals go Statistical: Cryptanalysis of Full Skipjack Variants
- Note on Impossible Differential Attacks
- Improved Linear Hull Attack on Round-Reduced Simon with Dynamic Key-guessing Techniques
The rump session consisted of several short talks of a few minutes each.
Thomas Peyrin presented a new block cipher called Skinny that is based on the TWEAKEY framework. Skinny has an AES-like design and achieves better performance than SIMON and other lightweight designs.
Jeremy Jean presented a website with standardized figures for ciphers in his talk about TikZ for Cryptographers. His aim is that every cryptographer uses these standardized figures in their papers.
Christian Rechberger presented the FHEMPCZK-Cipher Zoo, where one can compare ciphers for Fully Homomorphic Encryption (FHE), Multi-Party Computation (MPC) and Zero Knowledge (ZK).
Session 8: Foundations and Theory
This session was on foundations and theory and the following four papers were presented:
- Modeling Random Oracles under Unpredictable Queries
- Practical Order-Revealing Encryption with Limited Leakage
- Strengthening the Known-Key Security Notion for Block Ciphers
- Related-Key Almost Universal Hash Functions: Definitions, Constructions and Applications
Session 9: Authenticated-Encryption and Hash Function Cryptanalysis
This session was on authenticated-encryption and hash function cryptanalysis and the following three papers were presented:
- Key Recovery Attack against 2.5-round $\pi$-Cipher
- Cryptanalysis of Reduced NORX
- Analysis of the Kupyna-256 Hash Function
Yu Sasaki presented the paper "Cryptanalysis of Reduced NORX", where they present state and key recovery attacks on the core permutation reduced to 2 out of 4 rounds.
After FSE, the Directions in Symmetric Cryptography (DISC) workshop for PhD students and young post-docs took place at the Ruhr University Bochum.
The workshop was divided into 5 working groups of 5 to 9 participants, who got the opportunity to work together for one and a half days on a specific topic. Furthermore, the goal was to meet other people working in the same area and to build research collaborations.
Topic 1: How to design a bad key schedule
The goal of this topic was to approach key schedule design from the opposite direction: Can we design a key schedule -- seemingly harmless -- that has a detrimental effect on the block cipher's security? Is it even possible to hide back doors in the key schedule only?
Topic 2: The TWEAKEY framework - New Designs and Cryptanalysis of STK
The TWEAKEY framework was introduced at ASIACRYPT 2014 as a more general design idea for tweak/key (tweakey) scheduling. In this framework, one does not need to separate between key and tweak material. The authors proposed a specific instance called superposition TWEAKEY (STK) and designed three tweakable block ciphers, Joltik-BC, Deoxys-BC and Kiasu-BC, based on this idea. This topic was both about cryptanalysis of the STK construction and about thinking through design alternatives.
Topic 3: Distinguishing block ciphers: Is the attack space covered?
Block cipher cryptanalysis relies to a large degree on the existence of efficient distinguishers. In this topic, we want to discuss and explore possible directions where novel cryptanalytic techniques might be found, or alternatively find arguments why new techniques are unlikely to be found.
Topic 4: How reliable are our assumptions in statistical attacks?
In symmetric cryptanalysis, statistical attacks such as differential and linear cryptanalysis, boomerang attacks or differential-linear attacks play an important role in the security evaluation of block ciphers. These attacks inherently rely on various independence or randomization assumptions that are necessary to estimate their success probability. Is it possible to determine criteria for when these assumptions will fail or hold? Can we sometimes remove the assumptions or substitute them with weaker variants? Can we give heuristic arguments for their validity to increase our faith in them?
Topic 5: Resistance against cryptanalytic attacks: What can we prove?
Unlike algorithms in public-key schemes, block ciphers are usually not based on hard problems. To estimate their security, block ciphers are instead evaluated against the range of known attack vectors. From both the designers' and the evaluators' perspective it would be desirable to have proofs against larger classes of attacks. Even finding good heuristic formulas that determine the number of rounds needed for security would be a large step forward. In this topic, we would like to discuss design, evaluation and proof strategies that might help us move towards this goal.