This rump session is chaired by Brice Minaud and myself. We're very happy to have you here. So before we start the contributed talks, there are a few announcements that we'd like to make. So I think you're all more or less used to this, how it works in a rump session. We have short talks and it's nice if everything goes smoothly from one speaker to another. So to do that, before every presentation there will be a small slide that says, well, what is the presentation that's about to start and what's the next one? You have to look at the bottom of the slide that says the name of the next speaker. If you are the next speaker, please come close to us so that you can quickly get on stage. So that's what it's going to look like. We thought that Napoleon was quite well known in most countries. So it's going to be a slide with something representing Napoleon with the name of the next speaker. So here the next speaker is Yu Sasaki for the PC chairs report and he's already here as you can see. Okay, so, but you cannot speak yet. I'm not done.

Also, you know that one of the most important tasks as a chair is to enforce a time limit because otherwise people would just talk forever. So you all gave us, when you sent your slides you gave us some expected time that you needed and what, I don't know what to do. What should I do? No. Okay, that's how it works. That's not working. I'm afraid we have to consult the rump session. Yeah, thank you. No, I will. So there is an additional rule, do not touch this remote.

So yeah, so we thought that we needed some kind of implement to enforce the time limit and to me the most obvious way was to use a giraffe. We got inspired by this nice XKCD comic. I'll let you read it later. And well, if you want to use a giraffe you need to get a giraffe. So I had some reason to think that Anne had a giraffe so on Monday I asked her, Anne, do you have a giraffe?
She said, yeah, I think I have one but I'm not sure if it's still going to work for the rump session, so let me check. And later that day I got a quite late email saying, oh, I found the giraffe but it might really not be suitable. You might not want to use it. So, and she sent me a picture and so if you, it's not for the faint-hearted so if you're a bit scared you should cover your eyes because that's the picture she sent me. A giraffe that's never going to do any sort of noise again. So then, well, I didn't get, well, Anne also gave me good advice. She said, no, maybe Maria has a giraffe. So, well, Maria, do you have a giraffe, blah, blah, blah. So now we have a giraffe, which is this one, and we also have a small version of the giraffe inside a ball, which is kind of a pocket giraffe. So what's going to happen is that one minute before the time limit, we're going to do this and then, figuratively speaking, if you go over the time, we're going to throw the pocket giraffe. So this giraffe is called Sophie. So I'm going to draw, well, do this. So please actually go over time so that we get a chance to do this.

So now, I'll let Brice present all of the nice prizes that you can see in front of the desk that we're going to offer to the best presentations. Also, another bit of information is that if you're curious about the program of the rump session, it's actually on the website. So if you go to the website, you will see the order of speakers. That might also help people preparing their talks.

So everything appearing in the rump session will appear in this prestigious journal, as you can see here. And further, there will be some prizes. So there will be one prize for the best technical contribution. It is the Prix de l'Académie des Sciences, or the Prize of La Académie of Science. There will be le Prix Racine for the most elegant and elaborate presentation. There will be le Prix, le Métapri, Poincaré Magry-Coupain for the best presentation that offers a prize.
So you can get a prize by giving a presentation. You can also get a prize by listening to presentations and doing what they say. And finally, there will be the prize for the funniest and most entertaining talk, the Prix de finesse. And with that, Napoleon is calling the first speaker. Yu Sasaki.

So as a director gives a report about the FSE this year. So the chairs are Florian and myself. So ToSC is now a journal. So we have four submission deadlines per year and we have a rebuttal and we make a decision after two months of the submission deadline. And all papers are categorized into accept, minor revision, major revision and retract. Well, and we are aiming to get included in terms of ISI, I mean having its citation index in 2020. So 2020 is approaching and the editorial team is trying really hard to get citation index.

Okay, so this is the statistics. So this year we received 140 submissions and some of them are resubmissions after the major revision. So by excluding them, then the number of new submissions is 122. And the number of submissions is increasing as FSE approaches, so it's quite natural. So by the way, so this is the statistics from last year. So last year we received the 170 for submissions and this year it's 142. So like 20% reduction and the number of accepted papers also reduced by 20%. And so this is acceptance rate for issue by issue and the first issue, the acceptance rate is 28%. And the second issue is 32%. The third is 20% and the last one is 24%. And the other is 25%, I mean the total is 25%. And by the way, so this is data from the last FSE and by comparing those two, you can see some good strategy to get your paper accepted. So definitely you should submit to the June deadline as it's the next deadline, so please submit your paper. But actually there is some reason why we have a high acceptance rate in issue two and this is the number of resubmissions after major revision for each issue.
And for the second issue we received the highest number of resubmissions after major revision. And we gave major revision only if we see some potential that the paper can be accepted. So basically resubmission after major revision has a high acceptance rate and that is actually the trick.

And some more comments. So we are aiming citation, getting citation index. So when you write other ISI journals like VCC, JOC, or LNCS, please cite ToSC papers, not from e-print or personal web page. Please cite ToSC papers, that helps us to get citation index. And everything you published has been reviewed. So if you need more than 20 pages and go for a long paper, I mean, even for like supporting material or appendix will be reviewed, everything is reviewed. And we also want SoK papers, meaning systematization of knowledge, but an SoK paper still needs same novelty. I mean, you have to provide the same thing which is known in the previous. So just like collecting previous information is not suitable. Okay, and the slide file may need some minor improvements, but please don't hack the LaTeX file. And we are recommending using a standard bib file, for example, the one maintained by ENS. Okay, I just give that page.

And we'd like to thank program committees. So we have 45 program committees and like 18 of them are renewed, changed from the last year. So between 30% to 40% are renewed and we are trying to keep the committees as fresh as possible. And we'd like to thank General Chair Jeremy for organizing this nice conference at Paris. And we also thank invited speakers, Gregor, Maria, and John. And we also would like to thank the rump session too. I mean, the rump session is just now started, just now started, but I'm pretty sure this is gonna be very fun. And Jeremy tried hard to collect a lot of sponsorships and I would like to thank sponsors. And I heard that Jeremy is counting the page view from the ToSC web page to the sponsorship web page.
So if you have time, then please visit the ToSC page and like push some link. Then there's gonna be help to get sponsors in the future of this conference. And we'd like to thank managing editor Gregor and the technical support, Shai, and VD review. And we also thank FSE steering committees. And finally, we'd like to thank all the attendees.

Okay, so by the way, now I'd like to announce the best paper award. So this year, we first nominated nine candidates and did a vote by the committees. So each committee can vote for any number of papers except for their submissions. And then we picked the paper which collected the highest number of votes. And the result, the best paper award is given to the paper entitled "Partitions in the S-Box of Streebog and Kuznyechik", a single-author paper by Leo Perrin. So Leo, so can you come up to the stage?

So the next talk is Hommage à Racine by Anne Canteaut. Next speaker, Paul Crowley.

Okay, so first of all, as the chair of the steering committee of FSE, I have an important announcement. So maybe some of you know that the CAESAR competition is over. So we now have a nice portfolio of authenticated encryption schemes. And you also probably know that we now have 57 new lightweight primitives that are our candidates to the next competition. And we think that this is a great achievement for our community. And so within this FSE steering committee, we are considering having a special issue of ToSC, for instance, for all these new designs. And because this is important for our community. So the details now are still under discussion because it's not so easy to handle so many papers. But please, the message is first, if you are a designer, if you are interested or think that it's a good idea, your feedback is welcome. So you know people in the steering committee, so please just give us some feedback.
And the second message is that if you plan to submit the description or something around your next candidates, for instance, please do not submit it to another conference or another journal, just wait a moment and you will get some more details.

Okay, so now is my second contribution, which is a cultural contribution as a chair of the French Symmetric Encryption Conference. And this contribution is related to Racine, which is the French word for root, well, more precisely, root is the English word for Racine. So Jean Racine is actually one of the most famous French writers from the 17th century and he was a great dramatist. He wrote many tragedies. And what most people do not know is that he was also a visionary cryptographer and he was an expert in symmetric crypto. Yes, obviously he was not a TCC guy. Even if it can be argued that some TCC papers are really like tragedies. But Racine is indeed probably the author of what we think is the most famous Alexandrine in the French literature, which mentions a very famous block cipher. Actually, pour qui sont ces serpents qui sifflent sur vos têtes? I don't know if Johann is around, but I'm pretty sure that he will complain and say that Serpent is probably not the best block cipher, it's even not a standard. But I'm afraid I'm not really convinced by the alternative. Pour qui sont ces Rijndaels qui sifflent sur nos têtes? And even with permutation-based cryptography, it's not really convincing. Like pour qui sont ces oudeaux qui sifflent sur nos têtes? It doesn't sound that nice.

Well, but in the following what I would try to do is to make the importance of the French elegance and of Racine accessible to non-native French speakers. So I decided to continue this talk in English. And so I already explained that Racine is the French word for root. And so all of this is about tragedy because maybe you're not aware of that, but roots have a very tragic destiny in our community. They are often underestimated.
Since Monday I could hear many claims like this, that the choice of the root does not matter, that we prefer to use polynomials without roots. And so I think that we really should recognize the suffering of roots in our community. Well, fortunately, there is a trend to improve our situation, which is due to Grover's algorithm, which adds some roots everywhere. But to recognize this tragedy, I would like to emphasize the importance in the diversity of roots. So indeed, there are a lot of different roots. We usually think of primitive roots like alpha. We can also think of beta or gamma or potatoes or carrots. And we don't have to forget, of course, more complex roots like this one. And at this time, at that point, I would like to really thank our general chair, Jeremy Jean, for making us aware of the existence of very complex roots, which are these Chinese artichokes that we have for lunch on Monday. So please join me to thank Jeremy for his amazing contribution to roots. So please, Jeremy, could you come here?

So Jeremy, on the behalf of IACR and of the FSE Steering Committee, I would like to give you this plaque. And so, of course, to thank you for your contribution. I hope you will appreciate this nice carrot color. And I would like also to thank you for this perfect organization. So Jeremy really did an excellent job. And I think everyone here in the room enjoys a very nice banquet that we had yesterday. So thank you for your perfect organization and your hard work.

And also, I would like to thank our two editors-in-chief of ToSC, who serve as PC chairs of this conference. So Florian Mendel and Yu Sasaki. So please, you also get the plaque with the nice carrot color. So for people, for PC members, you know that the reviewing process of ToSC is something which is really hard work because we have a pile of new submissions arriving every three months. And so you can think that it is even much harder for Florian and Yu.
And they really handled all these submissions in a very nice way. So thank you, Yu and Florian. Thank you a lot. And so finally, I would like to conclude my cultural contribution on roots by an open question with... Oh, sorry. So this, do you know? And this open question is the following, to be it or not to be it? That is the question. Thank you. Thank you. Thank you.

So, speaker is Yann Rotella. Please welcome Paul Crowley for a $1,000 talk.

Thank you. So I'm on the Android platform security group and tomorrow I'll be talking about how we made encryption fast on the kinds of phones that are low-end phones sold in developing countries. But I'm still not happy because I need to make hashing fast. On an Android device, the operating system is on a read-only partition and we hash that partition with a Merkle tree and every time we read from it, we compare to the hash. And on fast devices, that's fine. But on something like this Broadcom processor, we use SHA-2 and it's just much too slow. It makes the user unhappy. Even if we switch to something faster on this kind of hardware like BLAKE2b, it's still like less than 60 mega seconds, much slower on the underlying hardware. And it makes people unhappy. Now, I could try and design a super fast hashing primitive, but I think people have tried that before and I don't have a great hope of massively improving on the state of the art. So what I want to do is make the problem easier.

So in a hash function, this is one model of how to consider the security of a hash function. We say the attacker learned some key that's maybe the initialization vectors for the cipher. They choose two messages, which are different from each other, and they win if those two messages collide. The attacker has enormous freedom. They can, like every last bit they can line up, they can try every combination until they get it just right. And so these hash functions have to really do a lot of work to be sure of being secure against these kinds of attacks.
And it is too slow for my purposes. Much faster are universal functions. In this model, the attacker chooses two messages which are different from each other and only then do they learn the key K. And they win if the two messages hash to the same value with this key. These are super fast. NH is 1.5 cycles per byte. But I can't use this in Android. What I sign will have to include the key. The attacker gets the key and once you've got the key, it's really easy to generate a collision with a fast universal function. So this isn't going to do for my purposes.

The Goldilocks position is the target collision resistant function. The attacker chooses a message. Only then do they learn the key and then they have to come up with a second message that collides using that key. So this is great for me. We can generate the partition we're gonna put on the device. The last second we choose the key, hash the partition and we sign the key and the root of the partition. And the attacker learns the key but they have to come up with the collision. They don't get to choose the first message before learning the key.

Here's why I'm optimistic about this. This is a diagram that Zooko, one of the designers of BLAKE2b, came up with. And from top to bottom there, you've got a number of different hash functions from MD2 to BLAKE2 and across from left to right is time. And these hash functions turn red as breaks in the collision resistance are found. So like after about 2000, like Tiger and Whirlpool, we start to see hash functions which have stayed collision resistant. But there's a sea of red as hash functions get broken over time. It's clearly a hard problem. Here's the history of second pre-image resistance, which is a problem I think is pretty closely related to the problem of target collision resistance. In all time, only one hash function that Zooko was able to find has ever had a second pre-image attack.
And that's Snefru-2 and the attack was found in 1991, not long after the hash function was proposed. And so this is clearly a much easier problem. And in the past people have done this to kind of hedge against, you know, there's been research into target collision resistance but people have used it to kind of hedge against, you know, is this side secure? Let's just be on the safe side. I want to use it to cut rounds off and build super fast primitives. And so to that end, I'm offering a $1,000 prize from my own pocket just to move this forward. I've got a longer presentation here with some ideas about how you might use this. You can attack my proposal, you can propose new things. You consider quantum resistance because TCRs are useful in hash-based signatures, which are quantum strong signatures. Deadline is the end of the year. And please advance our understanding of fast and hash verification and remember this presentation when judging the prestigious Poincaré-McLeod-Coupleur prize. Thank you so much for your time.

Sorry, no time for questions. So next talk is Subterranean 2.0 by Yann Rotella, next speaker, Antonin Enko.

Yeah, your right is difficult to say. I don't manage myself. So I will not say the word here. So Subterranean dates back from 1992 and it was used lately for a hash function or a stream which was a stream cipher, and by refurbishing the cipher we just took back only the round function and make it a sponge for doing a hash function where we absorb a byte every two rounds and after doing eight rounds of the function, and we also use it as a duplex thing to do an authenticated encryption cipher. But this you all here know about. So let's talk about the round function. So the round function is, so yeah, it's applying on a 257-bit state.
You apply a chi mapping under all states and you have only one round constant which is applied on S0, and after you have theta which takes three bits and bits, so this is written here, and after you have the pi mapping for dispersion which maps the bits at position 12 times i to position i. We don't absorb the message before, we absorb in the round because we delete some gate delay by doing so, and what we do for output the key stream we just take as 12 generates multiplicative subgroups of 256 elements. We can just do 12 to the power of four and now we have a multiplicative subgroup of the multiplicative group of size 64. So we do this is like, yeah, everyone likes multiplicative subgroups. I am sure you like multiplicative subgroups. So that's why we did this and we output the sum of two bits and yeah, why we do this, not because we all like multiplicative subgroups, is that because we are very lazy we also in software implementation just never do the pi application and we put this somehow this pi in both the chi and the theta mapping. So that means we in the software implementation you never do the pi and you change the offsets by for defining chi and for defining theta and that's it. But that's why we took the output of geof64. Thank you.

So next speaker is Antonio Meco on exact MEDP MLP for heavy two-round SPNs and next speaker is Christina Boura.

I would like to introduce this report and we define heavy block cipher which satisfies these three properties and typical examples are Khazad and Kuznyechik. And we define two-round differential trail and two-round differential, differential trail as omega and differential as deep. And our goal is to calculate exact MEDP for two-round heavy SPNs. And we can act as shown on this slide but we need upper bounds for non-minimum weight differential. We have a result for two-round Kuznyechik and now we design a dynamic programming algorithm for bounding non-minimum weight differential in two-round SPNs and two-round SPNs and any actual SPNs.
For example, Khazad, and we have exact two-round MEDP on this slide and we have bound on non-minimum weight differential. Thank you very much.

So next speaker is Christina Boura for the FSE 2020 announcement. Next speaker, Gaëtan Leurent on Saturnin.

So hello everyone. So I'm Christina Boura and I'm here to present you, so FSE of next year. So I'm sure you're all enjoying, so this year FSE year is very well organized by Jeremy. And so the question is, where is going to happen? Of course, FSE of next year. So you have a small hint on this picture. So FSE of this next year will be in Athens. So Athens is the capital of Greece. The dates are almost as this year. So it will be in the end of March, so 22 to 26. And why in Greece? Actually, well, this is a very natural place to have FSE because Greeks, especially guys from Sparta, they already know about symmetric cryptography and they used it like centuries before AES was designed.

Okay, some practical information. So the program chairs, as you probably know, are Yu Sasaki and the new co-chair is Gaëtan Leurent. So I will serve as general chair. And the conference will be like three days and a half exactly as this year. So we will end at Thursday on just before noon. There is already a website you can visit with some preliminary information. And so it will be in Athens, but where in Athens? So this will happen in a five-star hotel that is called Royal Olympic Hotel. This hotel is very well situated just in the historical center of Athens. You can get there from the international airport by a direct metro or a bus line. It is very close, for example, to the Acropolis. If you want to visit the Acropolis, it's only 14 minutes if you want to walk. And the negotiated price, if you decide to stay there, it's 130 euros for single and double rooms with breakfast. So if this is a lot, then no problem. There are many other hotels nearby for all possible budgets. Okay, so these are some photos from the hotel.
So this is the room. The main advantage of the conference room is that alcohol is permitted inside for the rump session. But of course, the room is not the most important. The most important is where we're going to have lunches. So all lunches will be served at the rooftop restaurant that has this view to the Acropolis or this one if you are seated from the other side. And this is even if the weather is bad. So no worries about this. And if the weather is good, there is also a swimming pool that can be open for us if the conditions permit it.

Okay, so if you want to come to FSE, you have to probably want, if you want your paper to be presented at FSE 2020, then you still have three deadlines. The deadlines are like this year. So first June, first of December and 23 of November. The tentative fees, it's a little bit like this year. So well, it has to be adjusted, but it will be around 530 US dollars for regular, yeah, for a regular fee. And for students, it will be like half a price as usual. Okay, so that's all. So I hope to see you all in Athens. And if you have any questions or most importantly, if you want to be a sponsor for FSE next year, you can send an email to this address. Thank you very much.

So next speaker is Gaëtan Leurent, Saturnin, and the following speaker is Stefan Kölbl on the WhibOx contest.

Thank you. So I'm going to talk about Saturnin, which is our submission to the NIST competition and hopefully will be published somewhere, maybe in ToSC so that we can go to Athens. So of course, so the NIST is running this competition. They have two main requirements, right? It should be a well-studied algorithm and it should be lightweight. So of course, what did we do? Well, we're designing a new block cipher, obviously, and we're going to have a 56-bit key on state. So why are we doing this? Well, it's because we care about post-quantum security because if you look at our team, we have Maria in the team, so of course, it has to be post-quantum secure.
And we want this in a strong sense, so we want to resist attacks against a superposition query, but we are necessary. So in this Q2 model, and this means we have to be a little bit careful and we need a large state and we need to be careful with the modes of operations. And of course, because we have a new block cipher, we also need to be careful about its security. So we're going to do something that looks very much like the AES because the AES, of course, is the best cipher ever. So if we have something that looks like the AES, it will be like the second best, so I thought it would be good enough.

So of course, the main question, why is it called Saturnin? Well, so we want a lightweight cipher. So what is the standard of light-weightness? Obviously, it's the duck. I mean, I'm sure you've all seen Monty Python and the Holy Grail and we know that if you want to know if something is lightweight, you have to compare it to a duck. So we need a duck name and there's a famous French duck. It looks like this and it's called Saturnin. So yeah, our submission will be called Saturnin.

Now, how do we design our cipher? Well, we had a bit of a hint. According to Kepler in Mysterium Cosmographicum, the planet Saturn is associated to the cube. So of course, our cipher will be a cube. So the state looks like this. So a cube and we're going to do a bit-slice operation. So we have nice components like this. If you look at the MDS matrix, maybe you recognize it from one of the talks yesterday about lightweight MDS matrices. So those are all very good components and when we combine them, we have this very nice picture. I'm sure you can understand very easily what's happening. The nice thing is we have MDS matrices so you can have bounds on the number of active S-boxes for one round. And then if you look at two rounds, we have super boxes. So we have five to the square active boxes. And then if you look at eight rounds, we have meta boxes with even more active boxes.
So everything is very nice. Of course, this picture is a little bit hard to read because it's a 2D picture, but we have a 3D cipher. So that's not optimal. So I also have a 3D picture. I'm not sure if you can see it very well. Maybe when the slides will be online, it will be easier. But yeah, this is maybe the first time we have a 3D picture in the slides of a rump session conference. So thank you.

So next is Stefan Kölbl on the WhibOx Contest, edition two. And the following speaker is Tomer Ashur on efficient symmetric.

Yeah, thank you. I would like to bring your attention to another competition which is the WhibOx Contest. So this is the official capture the flag for CHES 2019. So if you're not familiar with the previous edition, the goal is here. You can be both designer of challenges but also break challenges. You can upload a C implementation of AES-128 which embeds the key. So you should maybe not put it just in the plain. And other people can then break these challenges. And the longer your challenge survives, the more points you get. So this already started last Friday. So you can join from now. So if you have any ideas, feel free to submit immediately. And the competition will end shortly before CHES and whoever gets the most points up to this point will win.

For those of you who know about the previous contest, we added a few new rules and changed the scoring a little bit to make it more exciting. So this time you will also get bonus points for inverting some ciphertext. So for every challenge submitted, you can request through an API some ciphertext. And if you manage to invert them, you will get points. And also we will score this time if you provide more efficient white-box implementations. So if you need less code size, if you can compute faster, you will get the highest score more quickly. So there are already quite a few people registered. So this is a bit outdated.
So here it says there's this one challenge which is still open, but it got broken last night, I think. So too late for you, but I'm sure there's gonna be more challenges coming in the next days. Yeah, you can find all the information on the contest on this website. There will also be a workshop co-located with Eurocrypt about the white box in general. So if you're attending Eurocrypt, this might also be interesting for you. Otherwise I hope a lot of people will participate. Thank you.

So please, all speakers, I'd like to remind you to advance the slide to the next one so that we get the chance to see the Napoleon picture. Thank you. So this is now Tomer Ashur on efficient symmetric primitives for advanced cryptographic protocols, a marvelous contribution. Our next speaker is Lorenzo Grassi on the Hades design.

Okay, so I don't have much time. I'll need to be super efficient given the amount of information I want to put in my presentation. I'm Tomer Ashur from COSIC. If you don't know me, I don't care. My, I'm presenting what we call efficient symmetric primitives for advanced cryptographic protocols or just a marvelous contribution. And the background for this is that the Ethereum Foundation, the organization behind the Ethereum cryptocurrency, is considering adding a zero knowledge mechanism into their engine. And this company, StarkWare, it's a startup in Israel, contacted us in COSIC to help them build a hash function efficient for their product. Promoting zero knowledge STARKs. And well, after a few months of work, we came up with the hash function Jarvis.

So the idea behind Jarvis is that we start from the AES, the best cipher ever invented, which is already quite efficient for STARKs, but it has a state of 16 bytes, which means that every operation you perform, you need to perform 16 times. Instead, you can work with a large state element and an affine polynomial after that.
And then just the AES just immediately becomes Jarvis because you don't need to shift rows and mix columns anymore. But, well, so we put that online and a few weeks later some of our colleagues published an attack against this algorithm. So Jarvis was hit. Now, just to say that we actually have some different, we don't necessarily agree with this attack. We have some reservations, like every other designer ever. Marcus will present their attack later today. I'm sure he will be super honest about it. I'm not kidding here. And we're actually talking about where we disagree.

But when we found out about this attack, we were already in the middle of developing something even better than Jarvis and you're the first ones to see that. Vision. Vision is similar to Jarvis, only that the state is now composed of M state elements. M is expected to be a small number, like two or three. And then you can adjust the size of each element. And similar to AES, we defend against differential and linear attacks. And then you compose an affine layer, which is an affine linearized sparse polynomial that is efficient to compute in zero knowledge. And this is a round. It's composed of two steps. So in the first step, we use the inverse of that polynomial and in the second step, we use directly that polynomial. And we mix the elements using the MDS matrix. Yeah, so that gives a high algebraic degree. And that's very STARK friendly.

Vision works for binary fields. One thing we noticed for Jarvis when we published that is that although we stressed everywhere that it only works for binary fields and we don't claim any security for prime fields, people were sending us emails asking, but how do you use it for prime fields? So instead of just publishing something that they'll be misusing, we decided to also design another cipher in a prime field flavor, that's Rescue. Now there are no good affine linearized sparse polynomials.
So instead, we use a power mapping for the nonlinear part and we alternate between using the power map directly and the inverse of that power map. The MDS part works the same. And those two designs, in addition to being wonderful, secure and great, also lend themselves pretty well to sponge constructions because you can have, let's say, two elements. You designate one as the rate, the other as the capacity, or you can have three state elements and then two rate parts and one capacity part or the other way around. And that's the team. Siemen Dhooghe, Abdelrahaman Aly, Eli Ben-Sasson and Alan Szepieniec. Thank you.

So next speaker is Lorenzo Grassi on Hades, which is a strategy for MPC, SNARKs, STARKs, Picnic. And the following speaker is a merge of two speakers, Letov Bayerin on Sparkle.

Okay, so thanks. So I would like to give a brief presentation about a competitor of the design proposed by Tomer. And applications of these designs are many, for example, secure multi-party computation, zero knowledge, signature schemes and so on that require primitives from symmetric crypto. And where the performance of this application depends on the performance of this symmetric crypto. In particular, the major cost is due to non-linear operations. So what we try to do is to try to reduce the number of non-linear operations. A possible way to do this is to move from SPN to partial SPN. But I mean, it's not very nice because some strategy, for example, the wide trail strategy doesn't work for partial SPN ciphers. So you have to think about new strategies and in general they are very complicated. So we are quite lazy. So what we did is just to mix SPN and partial SPN and we obtained the Hades strategy where some rounds have a full S-box layer, the middle rounds have just one S-box per round and then we have again rounds with a full S-box layer. So in this way, we can, for example, reuse again the wide trail strategy.
So for example, this Hades strategy, we have just rounds with full S-box layer, big MDS matrix, and then again rounds with partial S-box layer and rounds again with full S-box layer. And this cipher can be implemented both in F_p and in F_{2^n}. So I'm not an expert, but many people in this group work on applications. So just let me give some results about practical applications. For example, what about the signature? Well, using this design, we can obtain results that are better than LowMC, which is submitted to NIST. For example, we can have a smaller signature size, 700 bit versus 1,000 and it's much, much faster. So factor 10. For MPC, the best schemes for this application are MiMC and the Legendre PRF, and we can have similar results using this strategy. And we also work on SNARK and STARK applications. So for example, we can improve the results that were obtained using the Pedersen hash using SNARKs. And for STARKs, well, the competitor, we are now a competitor. What about Jarvis and Friday? This design is a little less competitive, but it seems that they are broken. Thanks.

So now are the Sparkle permutations by Letov Bayram, and the next speaker is Stefan Kölbl again on the third SKINNY.

Thank you. So our quantum superposition collapsed, so it's either me or Christoph, and it turns out to be me. I'm going to talk about briefly our NIST submission, which is called Sparkle. So the city of Paris was kind enough to stage a bit of advertisement for us yesterday. When you arrive by boat close to the Eiffel Tower, it sparkled to advertise our algorithm, which was pretty kind of the city. So Sparkle is a family of SPARX-like permutations, hence their name. So we have an ARX-box. Think of it like an AES super S-box that operates on 64 bits using ARX operations. And we have a linear layer, which is built like a Feistel network, just like in SPARX. And this gives us a nice SPN structure.
So although it's ARX-based, it's also much easier to study than other ARX-based algorithms. Much like in Ascon, we have two versions, a slim one, which we use during absorptions, and a big one, which we use just before squeezing. Our goal, although this is the French Symmetric Encryption Conference, I think for historical reasons, this used to be referred to as the fast software encryption conference, so we thought it was relevant to introduce it here. With these Sparkle permutations, we built two families of algorithms, hash functions called Esch, it's a city in Luxembourg with a nice coat of arms, and we use them to build the Schwaemm authenticated encryption algorithms, using the Beetle mode. There is more information on this webpage, and we also have a mailing list, and I'm also very curious to see what happens if we spend too long on stage, so I'm going to wait for a bit. 20 seconds, that's going to be a hard one. Questions, do you have a question? Any questions for? Yeah, that's not a very good question, so I'd rather have another one. Now you are going to have to ask me riddle, we are not security-proof people, I can tell you about the design process, but unfortunately...

Okay, I'm sorry, you'll have to take the question online, please. So next up is Stefan Kölbl on the third SKINNY cryptanalysis competition, and the following speaker is going to be Markus Schofnegger on Algebraic.

So yeah, well, previously I announced the competition starting, now I'm announcing a competition ending, which is the third SKINNY cryptanalysis competition.
So I think you already heard a lot about SKINNY, there were a lot of papers dealing with it, and it's a lightweight tweakable block cipher, received quite a lot of cryptanalysis, and we also had a SKINNY competition, I think since three years, every year at FSE we announced the competition and ended the competition, and extended the competition, and if you're interested in the previous competition, just go to the website, there's a lot of information on that. But for the third competition, we wanted to do something a little bit different, so before it was always like, okay, if you break that many rounds, you will get one present, if you break that many rounds, you get two presents, if you break a lot of rounds, you get five presents. This time we wanted to do something a bit more practical, so we provided a set of plaintext ciphertexts, which you could download on the SKINNY website, and your goal was to extract the key from this, so it was in both cases, we had a SKINNY-64 and SKINNY-128 with 128 bit key, and you should send us the key. So this is the timeline of the competition and basically everything happened in last April from the submission point of view, but a lot of people also worked afterwards. So on 4th of April, at 12 o'clock, exactly 12 o'clock, so Virginie broke the five-round version of SKINNY-64, but then I think just a few hours later, maybe she noticed that she missed breaking the four rounds. I'm not sure, maybe she can comment on it.
And very quickly after just one day, we got another contender who started working on the SKINNY-128, and then it kind of started a little race, so catching up on the five rounds, okay, we had to do six rounds, okay, then I also do six rounds, seven rounds, seven rounds for 128, but then finally the SKINNY-128 got a bit ahead, maybe, I don't know if it was around the Easter, and then the other SKINNY-64 people were on holiday, and we continue, and you can see the time spent gets a bit longer, but for SKINNY-128, nothing happened anymore, and the best result we got was then 12 rounds for SKINNY-64, at the end of April. So we would like to announce now who are the winners of this, which are Patrick Derbez and Virginie Lallemand, who broke the SKINNY-64 challenge for 12 rounds, so I would like to join them for getting their prize, and all give them a round of applause. So I hope we go over time, also. No, Dorian this time. Just for explanation, for those who are not familiar with our procedure, the authors of SKINNY are from five different countries, and we always bring prizes from everywhere. So we have prizes from Japan, prizes from Singapore, prizes from Denmark, France, Germany, so a lot of nice things for you to enjoy. Yeah, you still have to stay, but it's a bit of a spoiler, but you have to stay. And for SKINNY-128, Aleksei Udovenko is the winner. He broke 10 rounds of SKINNY-128. Unfortunately, he's not here today because he's preparing for his PhD defense. But nonetheless, we would like to thank him for his participation and his nice results. Also, if you're interested, for both these competitions, both authors provided us a short report explaining, and it's quite interesting. And we also had the competition for the most interesting cryptanalysis. So we would also like to award the most interesting cryptanalysis to Patrick, no, Patrick Derbez and Virginie Lallemand, who provided, from our point of view, the most interesting cryptanalysis.
So the interesting thing was with the challenge we gave, there was some bias in the plaintext, which was quite interesting to see if this makes a difference for the text and how you can exploit it. And they showed a very nice truncated differential attack. Also, it needed quite a lot of operations. So maybe it's not only Bitcoin wasting a lot of computations. Also, the SKINNY computation quite used some electricity for your university, I guess. So please thank them again for their nice results. And we would like to thank all the participants, also the people who tried to break things and didn't succeed. And if you want, you can still submit the results and we will put them on the website. Thank you.

Thank you, even though you were a bit over time. So next talk is Algebraic Cryptanalysis of Jarvis and Friday by Markus Schofnegger. And the next speaker is Gaëtan Leurent, again on the Shaxit.

Thanks. So it seems I have three minutes to convince you all that this attack does indeed work. Four, oh, I have four minutes, so even better. So it's joint work, basically. First about the design. So Jarvis is a block cipher. Friday is a hash function using this block cipher. Both primitives were proposed by Tomer and Siemen recently, so last year. Their goal is efficiency in the STARK setting and some security arguments are borrowed from the best cipher out there again. So the structure is very similar to another cipher, which is MiMC, which you can see on the left side. And the right side shows the Jarvis round function. So basically we have the inversion S-box and then two affine polynomials of degree four. And also similar to the AES, 10 to 14 rounds. The attack idea is very simple. We exploit two facts. First, both polynomials have a very low degree, so this is good for the Gröbner basis. And the second fact is that for all non-zero x, we can basically say that if y equals the inverse of x, then y times x equals one, which is a degree two function.
And the procedure is then to describe a round from both sides, and basically we connect both parts at the S-box. Then we compute the Gröbner basis and we try to solve for the unknown variables, which include the keys. So the resulting equation system then includes intermediate variables for every second round. So this is after another optimization we've done. And we also exploit the fact that every round key is a linear function of the master key, so we only need one variable for the keys. And the resulting system has then r/2 equations of degree 32 in r/2 variables and to be secreted against this kind of attack. So these are just preliminary results and the full results plus a practical verification will hopefully be published soon, yeah. Thanks.

And so the final and last talk of this rump session is the Shaxit by Gaëtan Leurent, next speaker is no one.

Thank you. So this is a joint work with Thomas Peyrin. Just before I begin, I would like to make some comment about the previous talk about hash functions. I'd like to point out that MD2, MD4 and MD5 are broken by pre-image attack, just. So the point of this talk is about SHA-1 and yeah, basically we've been trying to get rid of SHA-1 for a while now. Yeah, really, we wanted to get out, right? So in terms of cryptanalysis, it's been broken since 2005. It was the first theoretical attack, it's been improved, and it was implemented in practice quite recently. And yeah, basically cryptographers have spoken, broken means broken, SHA-1 must go, right? So there's been several attempts at withdrawal agreements to get rid of SHA-1. So the first one was in 2006 and this said basically we must switch to SHA-2 before 2010. Yeah, that didn't really work. Next attempt was in 2011 and people from CAs and browsers, they said, well, SHA-256 is not widely implemented enough so we can still use SHA-1, but really we should think about moving out. So yeah, still not very strong statement.
In 2014 we had a real plan and the idea was that in 2017 SHA-1 should go away from certificates. They considered moving the deadline earlier but that didn't happen. Then finally in 2017, beginning of the year, now all modern browsers actually reject SHA-1 certificates. So good, right? That's done. Well, actually no. If you look at what's happening today, well, SHA-1 certificates still exist. You can still buy them actually. Some CAs will happily sell you a SHA-1 certificate and they're used in several contexts. And interestingly, even though browsers now reject them, if you go to other software like a mail client, like the mail application in Windows 10, it's perfectly fine with a SHA-1 certificate and some servers are still using them. Like this server from one of the departments in computer science of TU Darmstadt, yeah, they have a SHA-1 certificate and it's still valid and if you connect with a mail client from Windows 10, you get no warning and everything goes fine. So yeah, there are still some SHA-1 certificates around and it's not just certificates. If you look in TLS, for instance, in the handshake of TLS, you need the hash function and SHA-1 is still quite widely used there. About 5% of the websites and they have some nice examples. Springer uses SHA-1. Oh, there should have been a second one. Yeah, it's here. Parliament.uk also uses SHA-1 for a nice example. So yeah, so we need to negotiate new standards but turns out it's quite complicated when you try to get rid of something that used to be there for a long time and yeah, you have our legacy issues, you need a transition period, you need to make up a plan, you need to negotiate, you extend the deadline, yeah. So yeah, nobody knew this would be so complicated, right? So I suggest maybe we should get some help from people who are experts in getting rid of stuff. So like this is a nice timetable. I think we should make a similar plan like several phases, several options and so on.
It's all very simple. I'm sure we can get rid of SHA-1 with a plan like this. I mean, yeah, just go to the exit, right? It's easy and yeah, just keep moving and yeah, you will go forward, right? It's not, yeah, so we came up with a different plan and basically it seems that users don't care much about collision attacks. I mean, yeah, we have had collision attacks on SHA-1 for 15 years and it's still there. So let's try to do something else. Let's try to do chosen-prefix collisions and in practice, chosen-prefix collisions are much more important. You can break a lot more stuff. In practice, you can break certificates, you can break the handshake in TLS. And so the idea is to follow the MD5 model that was applied a few years ago and there was some really nice work by Marc Stevens and others doing a chosen-prefix collision on MD5 and this really helped kick MD5 out. So the plan is to do the same with SHA-1 and so we have the first step in this direction. We have a nice paper that will be presented at Eurocrypt and we have an attack with complexity between two to the 67 and 69. And so we estimate it will be something like 67.3 and the previous best result was two to the 77. So that's the nice improvement. So of course we need some last minute negotiation before the actual exit. So there's something good that came out of the cryptocurrency bubble. There are actually lots of cheap GPUs that you can rent now because yeah, they're not using them anymore, right? It's not worth it. So you could actually run this computation, this two to the 67 something. It will cost you about 500,000 euros. So that's about the price of a one bedroom apartment in Paris. So it's not that much, right? Or maybe something more familiar to you. It's about the price of four grants for PhD students. You can choose four students or one SHA-1 chosen-prefix collision. So that's the current state. We're trying to look forward to the future relationship with SHA-1.
So we have some few extra ideas and we think we can bring it down a little bit and it should be below the cost of a single PhD student. And hopefully we are trying to implement this soon. Well, as soon as we can. Thank you.

Sorry, but PhD students don't come. They don't need homes.

Thank you, guys. And thanks all of the speakers of the session again. So please don't go because now we have the cérémonie des prix. We just need a few minutes together with Brice to decide who gets what. Hopefully it won't take more than an hour. And especially if you gave a talk, please stick around and you can come and look at all of those marvelous prizes that some of you will get.

Okay, so we are now ready to offer the prizes. So we will describe what those are. So we'll start, which one? Okay, in order. Okay, so this prize is for the prix de l'Académie des sciences. 700 grams of fine Beaufort des alpages from, so it's cheese. And this prize is awarded to, let me check. Brice will announce the winners. Thank you. And also, which is quite unfortunate, really. Even though I have to disagree with the fact that collisions don't matter if they're not chosen prefix. Thank you. Some people don't agree. Yeah, he keeps the prize. Maybe I get a small bite, I know. Next prize. Le prix Racine for the most elegant presentation which is this box of macarons is awarded to. For homage to Racine. Congratulations. So the méta-prix, so how many of you actually got the joke of Poincaré de Magritte-Couperin? Don't be ashamed. One, Roberto, okay. Ah, well, that's good enough. So for this prize, we have awarded this recording of some chosen pièces de clavecin by François Couperin. So François Couperin is a French composer born in 1668, died in 1733. So I will read the different pieces that you can have. So first, the troisième prélude from L'Art de toucher le clavecin. Then from the second livre de pièces de clavecin, La Ménetou, Les Petits Âges, La Basque, La Chazé, Les Amusemens.
From L'Art de toucher le clavecin, le septième prélude. From the second livre de pièces de clavecin, again: Les Moissonneurs, Les Langueurs-Tendres, Le Gazouillement, La Bersan, Les Baricades Mistérieuses, Les Bergeries, La Commère, Le Moucheron. And from the premier livre de pièces de clavecin, La Ténébreuse (allemande), la première courante, la seconde courante, La Lugubre (sarabande), la gavotte, La Favorite (chaconne à deux temps). All of those are played by Aurélien Delage. And this prize is awarded to Paul Crowley. Congratulations. So the last prize is Le prix de finesse for, well, to be honest, we had a hard time awarding it. Maybe we thought we should drink the bottle ourselves, but that would not be very nice. So this is a bottle of a fine Crozes-Hermitage, wine from the Rhône Valley. And this prize is awarded to, for being the first to try to see what would happen if we went over time. Not really. Congratulations.

So that's it for the rump session. We hope you enjoyed it. And see you tomorrow for the last day of the conference.