chairs and general chairs, they don't get any money, right? So they do this work all for free. They do it for the service to the community. And in order to appreciate and to show the appreciation for the work they do, there used to be a tradition several years ago that the president of the IACR was handing over certificates of appreciation to the general chairs and the program chairs. Then there was a certain gap in this tradition. So I would like today, with this conference, because I think it's a good starting point, to start again with this tradition. So we have the largest CHES conference ever. We have a new journal model that we use. We have a new publication model with, let's say, a record of submissions. We have a record of accepted papers. So I'd like to use this opportunity to restart this tradition. And so I would ask Peter and Ileana to come to the stage. I'll start with Ileana. So I'm not the president of the IACR, but I'm the chair of the steering committee. And so I also feel able to hand over certificates. So I'll do that tonight, on behalf of the IACR, in fact. So the certificate of appreciation reads: the International Association for Cryptologic Research gratefully acknowledges Ileana Buhan for her contribution to the worldwide community on cryptographic hardware and embedded systems through her role as general chair of CHES 2018. So thanks so much for your... So I have another one here. So the International Association for Cryptologic Research gratefully acknowledges Peter Schwabe for his contribution to the worldwide community on cryptographic hardware and embedded systems through his role as general chair of CHES 2018. And as it's not... So this is for the wall. And we also have something to drink. So this is a korenwijn. So I'm told this is a local specialty. So I'm handing over this. So thanks again. So Peter and Ileana, they are responsible for the place, the food. And of course, we also have a program.
And so I'd like to ask the program chairs to come to the stage: Daniel Page and Matthieu Rivain. So we decided, when was it actually? One and a half years ago or something like that, or almost two meanwhile. So we decided to switch to the journal model. So they had already accepted to be PC chairs. At the time of accepting, you didn't know that we changed the model. So they accepted being program chairs and they thought that there would be only one deadline. And then afterwards, at some point, I sent them an email, you know, would you also be willing to do three, and to do a completely new model and then change everything? And I'm very glad that you have been the first PC chairs to do this. I think you did a tremendous job. So we have a very successful number of submissions and accepted papers. So thanks a lot for this excellent job. So I start with Daniel. So you meanwhile know the text probably, but there's a slight change at the end. So the International Association for Cryptologic Research gratefully acknowledges Daniel Page for his contribution to the worldwide community on cryptographic hardware and embedded systems through his role as program chair of CHES 2018. Thanks so much. And we have yet another one. So the International Association for Cryptologic Research gratefully acknowledges Matthieu Rivain for his contribution to the worldwide community on cryptographic hardware and embedded systems through his role as program chair of CHES 2018. And also for the program chairs, something to relax with afterwards when the conference is over, so to have a good glass of wine. And with this, I'm already at the end of this introductory part. So I will hand over actually to the program chairs so that they can tell you what they did as their work, so the number of submissions that they received and the effort they had in getting all the reviews from the PC and sub-reviewers. Okay. So that's it.
As you see, the rump session is professionally handled and we are happy to have such a good start, and we'll continue like that. That's a good start. Okay. So the IACR guidelines say we should actually do two things. They tell us what to do. The first is that we need to present "entertaining statistics". This is a quote. And the second is to present the best paper award. And actually we're not going to do either of those things, it turns out, because we decided to present the best paper award before the best paper presentation on Wednesday morning. And neither material is very funny. I didn't even know what statistics are, actually, let alone entertaining statistics. So that's not going to work out so well either, probably. But maybe that's not such a bad thing. Because, well, Stephanie already took the points here in a way. But this is a special year for CHES. It's the 20th edition. I didn't mention that actually, which is a good landmark. Although that's making me feel quite old now. But also a record-breaking edition in almost every respect. The most important, well, from our perspective, I guess the most important thing was that actually this is the first edition under a new hybrid publication model. And we wanted to spend maybe a little bit longer than normal telling you about how this model looks and how it worked out in the first year, because I think this is important for everyone really. So the move to the new publication model was a decision taken by the CHES steering committee, I guess in 2017, mid-2017 sometime. And essentially, this follows the lead of FSE, who transitioned to the Transactions on Symmetric Cryptology. So we now have all of the publications, or the papers accepted and published at CHES, appear in the TCHES journal. There's a few important differences therefore, versus CHES as was. The first is that this is a gold open access journal.
So the publications are available to everyone almost immediately, in a way, as soon as they're ready. So actually, if you go to the TCHES website, all of the papers are available now, and we're before the conference in actual fact. One important thing to point out here is that actually it's in everyone's collective interest to use the papers published there as the definitive source, because, like it or not, the sort of reputation of the journal essentially depends on this somehow. So we sort of encourage you to do that. The journal is managed by Bochum and in particular Tim, who acts as the managing editor very effectively. The other difference is that the TCHES journal operates four submission deadlines per year. So this means four review processes per year. Although in this first year, we've only used three of those, because getting it started, there was a sort of lead-in to that, obviously. So if CHES happens in year N, actually the TCHES submission process starts in year N minus one, so the previous year. In order to do the work associated with those four review processes, obviously we have reviewers and in particular the TCHES editorial board, who act as the analogy to the CHES program committee, which is led by the co-editors-in-chief, which again is the analogy of the CHES program chairs as was. Other than that, the review processes themselves are relatively the same as they were. There's just four of them. For example, they include a rebuttal phase still. But one major difference is that there's now a richer set of decisions that the editors, and I guess the reviewers, can arrive at. So rather than just accept and reject papers, for instance, we now have the option to have a major revision, which is essentially saying this is an invited resubmission.
So an example of this would be where the reviewers have identified something that they want to champion, but also they've identified some deficiencies, such that it's not ready for publication quite yet. And overall, the ethos is that we're able to take these papers that may have been rejected before and hopefully improve them so that they're subsequently accepted. And I think actually the statistics bear out that that's worked out well. OK, so now a few words on this year's editorial board, or what used to be the program committee. So while selecting and sending invitations for a program committee, we tried to take several criteria into account. Of course, the most important criterion is expertise, to cover all the topics in the range of CHES. But then we also tried to balance and bring diversity. So here are some criteria. So in the end, our program committee was composed of 53 members plus the two of us. And there was a majority coming from Europe. But I guess that's a bias which reflects as well the audience and probably the publications as well. We have also tried to balance academia versus industry. So we have some bias towards academia. We also attempted to balance two other criteria, which are experience and gender. So we tried to promote young people and managed to absorb a third of people who had no experience in an IACR PC before. And I think it worked well. And we also tried to balance gender, and maybe we did a poor job towards that. But it's still an improvement over some previous years and we think we should try to push that forward. So here is some overview of the program. So we have, for the fourth edition I think, a challenge this year that started a few months ago, and you'll have some wrap-up of the challenge later during the session. We had two parallel tutorial sessions on Sunday and two invited presentations, one from academia this morning and another one from industry tomorrow morning. Three poster sessions.
So the first one was just before the rump session and the two next ones will be during the coffee breaks, the morning coffee breaks for the two next days. One rump session, which will start very soon. 15 technical sessions with 47 paper presentations, which make 25 hours of fun, which is a pretty dense program, but hopefully we will make it to Thursday. Okay, so now a few statistics. So first, submissions and accepted papers over all the years since the beginning of CHES. So as it was already said, this year has a new record in terms of number of submissions and accepted papers. So we can also observe that we have a steady acceptance rate around 25% for now more than 10 years. So although we had a new model, we didn't actually try to constrain this acceptance rate, and it naturally keeps to around 25%. So now if you look issue-wise, we were fearing not having enough submissions to the first issue, but actually we received a third of what is a good year for CHES usually. So that was a good start. We got the same number of submissions, more or less, to the second issue, and then it doubled to the third issue. In terms of acceptance rate, it also remained around 25% more or less, and we also had about 20% of major revisions for each issue. Okay, so regarding region-wise statistics, we also see here a strong involvement of Europe in terms of number of submissions, but even more in terms of accepted submissions. If we look at the country-wise submissions, most of the submissions are with affiliations from different countries. Then the leading submitting countries are the US and China, and then the leading publishing countries are European: France, Belgium and Germany. So then if we look at the statistics in terms of number of authors, we see that we have a kind of Gaussian with a mean a bit higher than three authors per submission and per accepted submission.
There doesn't seem to be a bias with the number of authors per submission. And if we look at some other statistics and possible bias, we see that we have about 20% of submissions that are co-authored by at least one PC member, and which achieve a bit higher acceptance rate. And also long papers, although we just received a few, achieve a better acceptance rate. And what is important here is to emphasize that major revisions achieve a very good acceptance rate, so it means it's paying to take into account the remarks from the reviewers and to resubmit your work.

So when Brexit happens I have to find somewhere new to live and probably a new job, therefore. So I decided to become a data scientist, which in my mind at least means sort of just writing Python scripts and saying something interesting about the output. So we tried to fish around for what data sets we could feed into my Python scripts, and yeah, this is kind of the outcome, I guess. The first is, I think I've seen this happen a lot so I guess it's traditional, this is a plot of the submissions over time. And what you can see, well maybe this wasn't obvious, but the majority of the submissions come in the last two days before the deadline. So probably sort of two-thirds of the submissions in the last two days, let's say. So I mean, shame on you for being so disorganized, perhaps. If you look at these three deadlines, the middle of the deadlines falls just after the Christmas vacation, and interestingly the sort of trajectory of the curve there is a little bit steeper. So everyone's enjoying their Christmas vacation and then suddenly they're rushing to submit the papers, perhaps.
We looked at the earliest submission, which was 12 days before a deadline; that was for issue two. So if that was you, congratulations on being so organized, everyone hates you now. The latest submission was seven seconds before the deadline. So if that was you, congratulations on being so lucky or so brave, I'm not sure which. We also did a word cloud of the titles of the submissions. So I'm not sure there's so much interesting to say about this, but it's sort of reassuring that "hardware" and "attacks" are popular in the submission titles. So this is all the submissions overall. If you look at the submission titles that are accepted, there's not so much change necessarily, but apparently papers about "long papers" are popular. The reason for this is that it's sort of mandated that if you write a long paper, then "long paper" should be in the title of your long paper. This is where I fail to get the job as a data scientist, I would say. And then the last thing we did was a histogram of the number of characters in the reviews and also in the titles of the papers. So the reviews, I think, are interesting, because what you can see on the right-hand side of that plot is that there's a few reviews actually bordering on sort of 10k of plain text. So I mean those reviewers either really loved or really hated that paper that they're reviewing. But I think this is kind of a good thing to say about the effort that some reviewers put into the process, and we should, I think, be thankful for that. The mean is, yeah, around 2k or so. What's interesting about this is that the minimum review length, which was 109 characters, is actually less than the maximum title length of a paper, which was 142 characters. And again, with my new data scientist hat on, I was a bit panicked about this: what was the bug in my Python script? I mean, a 142-character title is impressive, I think. The next obvious step is that you put the whole paper in the title and sort of avoid the page limit somehow. But I looked into this, and actually the reason is that, yeah, this very short review wasn't a negative or bad review in actual fact. They were just so impressed with a major revision, they said this is all fine and everything, it can go through. So in actual fact this isn't the problem, or joke, that it first appears, fortunately for everyone I think. So the last thing to say is that hopefully it's obvious that a huge amount of effort goes into, well, everything that you see and hear at CHES 2018. We wrote a detailed preface to the TCHES 2018 edition that tries to capture everyone involved, most of whom are listed on the slide here. But we'd like to sort of finish off by really saying thanks a lot for all their hard efforts, and hopefully you can give them a round of applause alongside us. I didn't think it would be that loud. So I can now officially and definitely declare the rump session open. Have fun.

Okay, a few words about the rump session. The rump session is the first time that either Daniel or I are chairing a rump session, and we came to realize that this is a very long process. So we had the submission open, the submission site for that, and we received 22 submissions, including some that came in through unofficial channels, side channels, Daniel says. The committee reviewed all of the submissions and we had to decide which ones to accept and which to reject. Fortunately for Americans, we had decided to accept all American submissions. We also accepted all other submissions. So we have 22 presentations today. The presentations are time-limited. Look at the rump session program to know how long your presentation is. If you don't know when you are presenting, now is the time to look. If you run over the time, you will have to compete with a gong. So with this we start the first presentation. Go ahead.

All right, thanks everyone. I'm honored to have been selected from Canada; I guess we've fallen in the Americas, we've made the cut. So I'm going to talk to you about embedded hardware blockchain and concrete security metrics to help you understand this important problem. I'll give you a quick motivation, some background on hardware blockchain, and then look at embedded hardware blockchain and the differences here. So blockchain solves a lot of problems, primarily. If you have money and you need to give it to IBM, they'll take your money for the IBM blockchain platform. If you have voting boost, you can solve that. If you want to go to a thousand-attendee conference, like what is CHES doing here, you can go to the blockchain conference and I'm sure it's great. And you can also do cool stuff like store cryptocurrency on vaults, and you might have a really great one like this AsicVault, so not to be confused with, you know, the more robust vaults maybe that sponsor this conference here, let's say. AsicVault does this great idea: it's a thousand times stronger security. And if you read through it, what you see is they've hardware-accelerated the key derivation function. It's a thousand times faster to do the key derivation, so there's a thousand times better. But you can also do really innovative things: if you pay 10 euros a month, you only get a million rounds of the key derivation; if you pay 15 euros a month, you get three million rounds in the key derivation. So there's a lot of innovative things blockchain is opening up for us here. The Bitfi, another really great wallet, was "unhackable", which didn't work out very well, so you can read that. That's a John McAfee kind of sponsored product, so it's a little interesting to read about. All right, so that's a quick motivation why we want to care about blockchain. So what is blockchain? So blockchain really has two aspects to it. So the first part is the block. So this is your standard concrete masonry unit block, available in this case from Canada, so we're using imperial measurements here. You also have your chain. So this is your standard number four straight-length chain. There's a lot of variations of chain and blocks that you can go through, but this is your basic setup here. How you might use it: so we have a voting system, we need to secure this, this is a big problem, someone could steal it. So if you had a very heavy block, you could chain it to the voting machine and it would be very difficult to steal. So these are really very useful products that you can have here. The interesting thing is, although it's in October, you know, the history is very wrong in this, because everyone credits the initial blockchain release, but in fact several months before that, and you can go back and check this out, this is legit, in May 2008 H. Simpson had an implementation of blockchain used for defensive purposes. So this is the real motivation behind blockchain. It was sort of stolen and popularized later, but this is the real history of it here. All right, so this is full-size blockchain. What about embedded blockchain? So we're talking IoT, automotive, all sorts of stuff like that. We need something smaller, something that we can embed in our product. So this is an example, I have one here, of like an embedded blockchain, right? So this is what you can fit in your product itself. Now we're very lucky, the security aspects of this actually scale very well. So we can use research from existing threat models on full-size blockchain. So you can attack the chain or the block, as you might expect, and there's quite a bit of research. So you have the concrete masonry unit, the CMU. There's a lot of research around what is the compressive strength, how much weight can it hold. There's a problem though, and security people will recognize this: it's done in laboratory conditions, so it doesn't take attackers into consideration. And we have attacks like attacks during transport: so if it's incorrectly transported, unlike in this diagram here, the device is weakened, and when you install it the security level is much lower than you expected. Salt usage is a huge problem, so salt will corrode both the chain, and salt during the curing process of the concrete, or if mixed in with the water, will really weaken the concrete. Also there's new and novel attacks that are rarely considered. So you know, hammer drills, liquid nitrogen, people with access to Home Depot are all new attacks that aren't really rigorously considered in the literature. So yeah, this is just me. I know people here are really into hardware security and I thought I'd bring this kind of field to your attention, because it builds on a body of existing work, you know, started by H. Simpson as I said, and it's been scaled down to the embedded blockchain. There's a lot of work needed on security threats, understanding what these threats are and how we might move forward in the embedded blockchain space. Thank you very much.

Good evening. My talk is the new secure scalar multiplication algorithms. Nowadays I received one question from my boss: how to obtain a secret key in cryptosystems? Usually I answered my boss: we obtain the secret key by black box attack or side channel attacks. Then my boss asked again: what is the side channel attack? Wow. So I answered her, I explained the side channel attacks through real world scenarios, because my boss does not understand side channel attack scenarios. So sweet melon has special characteristics. The first is the appearance, and the next is sound. This sound is the side channel information. Then my boss understands the side channel attacks. In the side channel attacks there are two categories: the first is the single trace attack and the next is multi-trace attacks. Especially single trace attacks are more practical and powerful than multi-trace attacks against the scalar multiplications. The oldest and well-known attack is the simple power analysis. This analysis is applicable for the binary method, which is the origin of scalar multiplications. The next new two single trace attacks, called collision attack and key bit dependent attacks, are also applied for all other scalar multiplications. ECDSA has been used in various protocols, browsers and crypto libraries and other solutions such as FIDO and blockchains. Our company also has good solutions, the FIDO and blockchains. But ECDSA has had some attack results, because the scalar multiplication is the main operation of ECDSA. My company, our team, already designed the new scalar multiplication. This scalar multiplication is named triple SMTSM. This scalar multiplication already completes the theoretical security analysis and experimental security analysis with Kookmin University and third party security evaluation through the ISPEC conference. This paper will be presented two weeks later in Tokyo. Our scalar multiplication has three main features. First, our scalar multiplication does not use any scalar recoding method. And next, our scalar multiplication only uses the point addition operation, even though all other scalar multiplication algorithms use both addition and doubling operations. Finally, we use only the same size of security parameter, but with some big public parameters. In the ISPEC conference our paper only described the countermeasure for random scalar multiplication algorithms, but now we have prepared an extended paper with a countermeasure for chosen scalar multiplication and an optimization method. That's all, thank you.

Well, good evening everyone. I'm Helena Handschuh from Rambus. I also happen to be the security standing committee chair of an organization called the RISC-V Foundation. This is a very simple call to action. RISC-V, for those of you who don't know it, is a foundation which is a non-profit corporation controlled entirely by its members. It has today over 115 member organizations, that includes companies, universities, but you can also join as an individual, and the goal here is to drive forward the adoption and implementation of the free and open RISC-V instruction set architecture. I repeat, free and open, very important. This was authored, among others, by David Patterson, who you might know as the 2017 Turing Award winner. And so today there's two documents available for everybody to look at and to use and to build processors with: an open source RISC-V instruction set architecture as well as a draft privileged spec. So with the word privileged we're getting a little bit closer to the theme, which is security. And so earlier this year the foundation had the good idea to create a dedicated security standing committee, which means to them security is now very important, and they're looking for people like all of you to join and help us build something secure on top of this. So it includes today already 30-plus members in the security committee. You can read the names here, they're all public on the website. But please keep in mind it's not easy to build secure processors and everything so far has always been proprietary. This is the first time in history that a foundation was created and then we're trying to do it openly. All right, so so far what have we been able to do? Well, we've started by creating two subgroups. One of them is dealing with cryptographic extensions to the instruction set architecture, so looking at things to efficiently run AES or public key cryptography: what do we need to add to those instructions to be able to run faster? And the other one is trusted execution environments. We also collaborate with the privileged architecture spec group, and we look at vector extensions and how to achieve security on top of this. So with the advent of, I'm looking at you, Spectre, Meltdown, Foreshadow, etc., this is the perfect time to join. It's the perfect time to try and do it the right way from the beginning. How to build open source secure processors is the question. The answer, I don't know quite yet, but please help find out. All the RISC-V Foundation adopted specs are open and free, again. And so this is a call to action: please join us, help us make it the right way from the start. And with that, you can read a couple of press releases and announcements on the RISC-V website. I've tried to identify the right color of t-shirt, but I couldn't quite pick between yellow and orange this time, so yeah, it doesn't exactly match the color, but it doesn't matter. Okay, join us, thank you.

Yeah, hello everybody. Eli and I would like to make a short announcement. You already heard that it's the 20th edition of CHES, and next year will be the 10th edition of COSADE, and it will be in Darmstadt. And yeah, I think Ilya, you also want to say something about it. Yeah, so it's the 10th anniversary in Darmstadt. The idea of COSADE is to bring together practitioners and also people from academia, both on the defensive and on the offensive, or attackers and designers if you want to say it like this. So this event is more focused on fault attacks and side channel attacks, so it is, let's say, focused, or more focused compared with the CHES event. It will be in Darmstadt, the same place as the first edition was. The deadline is December 1st, and yes, we will have your submissions reviewed and then we will hopefully have a great event. So thank you.

Good evening. Today my presentation topic is "Something that is little can often have great power". The subtitle is "Key bit dependent attack on scalar multiplication using a single trace". As side channel analysis becomes more powerful, various countermeasures to lessen them have been studied. For example, countermeasures to eliminate patterns of data-dependent conditional branches, statistical characteristics according to intermediate values, or interrelationships between data have been studied. However, no countermeasure has been taken into account for the secure design of the key bit check phase, although the private key bits are directly loaded during the check phase. Since the private key bit value is extracted and stored in the variable, the private key can be exposed if the vulnerability is found to exist. To tell the conclusion first: I can extract private key bits using a single trace. Because the power consumption is related to the d_i value, we can distinguish traces of the key bit check phase into two groups depending on the key bit value. We refer to this attack as the key bit dependent attack. We consider binary scalar multiplication algorithms which are resistant against SPA and DPA. In particular, our target algorithms are based on regular algorithms protected by intermediate data randomization. Therefore we suppose that an attacker is obligated to use a single trace rather than use numerous traces. The first experiment platform is a hardware implementation on the SASEBO-GII FPGA board. The second one is a software implementation on an AVR microcontroller. We use power consumption traces and electromagnetic traces. We summarize power consumption properties as follows. Electromagnetic analysis is similar to the power analysis, therefore we describe focusing on the power analysis. In hardware implementations, power consumption in the key bit check phase is associated with the Hamming distance between two consecutive bits d_{i+1} and d_i. For example, when the private key bits are 1 0 0 1 1, power consumption is associated with the Hamming distance 1 0 1 0 between two consecutive bit values. In particular, in hardware implementations of SPA-resistant regular algorithms, the operations are executed in parallel, so the registers to be accessed and the d_i value are determined simultaneously. Hence power consumption when checking the d_i value is also affected by the Hamming distance between the register addresses used in two consecutive loops. Thus, in addition to property one, property three occurs in hardware implementations. This is our experiment result. We attack the Montgomery-López-Dahab ladder algorithm protected by scalar multiplication. Experiment results show that the private key bit can be recovered with over 96 percent success rate using only a single power consumption trace and electromagnetic trace. Second, experiments on software implementation. Our target algorithms are composed based on the key bit check functions of mbed TLS and OpenSSL. Here we distinguish traces into two groups according to the Hamming weight of d_i. As a result, the secret scalar bit can be recovered with over 90-30 percent success rate. Especially if we attack the power consumption trace using the leakage associated with the referenced register addresses, the success rate is 100 percent. Thus we need to apply a countermeasure in this phase. If you have any questions, refer to the following articles. Thanks for your attention.

Hi, some of you might be wondering in the audience: does Frodo fit on an embedded device? Any faults on Dilithium? Does NewHope suffer a cold-boot attack? Do hardware designs of code-based schemes exist? Well, worry no more. May I present PQC Zoo, a website created to store NIST post-quantum candidates with regards to microcontroller designs, hardware designs and side-channel analysis. Here's just an example of the side-channel analysis page, where we store the information where a reader can be further pointed towards. So yeah, as I said, this is the breakdown of the website, so you can just visit this URL and you can find all the information about all the schemes, all the information that has been done so far. So far we have a lot of representations of lattice-based schemes and some based on code-based schemes, and as you can see there's really underrepresented classes here on the other types of post-quantum crypto schemes, I'm looking at nobody in particular. There is more research here that can be submitted to the website, so please feel free. All you need to do to submit to the website is have a GitHub account and essentially do a pull request on the data table, whether it's hardware, software, side-channel analysis. I'll be notified of that and then I can accept the pull request. So if you need any more information, go to the website, there's an about section to follow to actually submit your research, or you can catch me here or send me an email. Thank you.

Okay, so that concludes our first session. Let's take a short break and be here at 9:05.

So I was supposed to have one more co-presenter, but I don't see Emmanuel here, so I guess I will start, unless Emmanuel will come to the stage. Okay, so during this dinner I was telling people that I'm going to announce the CHES CTF award tonight, and they were asking me, okay, but what is the CHES CTF? So many people were surprised, so I'm just gonna briefly remind you what the CHES CTF was about. And in fact we did not have just one challenge, we had two challenges. One was the challenge where we published some traces and people had to capture the flag, and then the ones that captured most flags were the winners. But the other challenge, behind the scenes, was actually a battle between deep learning techniques, that we hear so much about lately, and classic side-channel analysis, and we wanted to find out which of the techniques is more successful in extracting keys. So we had two CTFs and not one. The first CTF was sponsored by Riscure, so the one that is with challenges and having the prize, and we have here the first prize, which would be a Nintendo for the winner. And the second competition, looking at the state of the art between the deep learning versus classic side-channel analysis, is actually sponsored by REASSURE, it's a Horizon 2020 project. And we also have the help of Google, who hosted our traces such that you could download the trace set in a timely manner. So that being said, some quick stats, because we like stats. So there were 58 players that were registered for the CTF. The CTF actually ran for 70 days and we put out there 35 gigabytes of data for you to mine. There were seven rounds to this challenge. We looked at key recovery for both profiled and non-profiled challenges. There were three trace sets, so hardware DES, software AES and an RSA, and you can see how many submissions we had, and how many of these submissions were actually correct submissions. Now here you see that we have submissions for both the classic profiling and deep learning, but in fact we suspect that many of the submissions, many of the flags that were captured, were actually obtained with one technique and then were submitted to both sides, because I think the players thought that they would get double points, but that was not the case. And we suspect that that is the case because the timestamp between the submissions was very, very short, not enough time to run your neural network. So I'm not sure how accurate the distribution between the two columns is. Second, we also used a model for taking the points which was winner takes it all. That means that not only you had to solve the challenges, but to get the points you had to be the first one who submitted the flag. So that was it. So let's see who are the winners of the first competition. So the third place goes to the teams that are known as Coderspace 2018, Idefix, Zodkin and, yeah, a name which is very hard to pronounce. At the time when I made this slide this morning, because I submitted them on time, I did not know who the teams are, so I emailed them and said if you want to have a public recognition, let me know and I will announce it. So I only know about the identity of one team, and that is Idefix, who is actually the Idemia security team that won the third place. So let's give them a big hand. And for the others, if you contact me then I will make sure you get something like this certificate. Okay, now the second place. Actually they were very to the point: they solved two challenges out of the seven challenges. They were very focused, and they submitted a flag for these two challenges, and these were the AES challenges, so they got a total of a thousand and five hundred points. And the team that won this is AGSJWS, but actually the members of the team are here with us, and Mr.
Werner Schindler will actually get the the second prize and now the winner of the challenge and of this Nintendo Switch is the team that solved actually seven of six of the seven challenges they oh oh no no they submitted the the first flag for four out of these six challenges and they got a total of three thousand points and the winner is the hot eight team and for them the prize will be I will hand the prize over to Mr. Matias Wagner who will then hand it over to them yeah thanks guys so this was my former team when they were still working in an XP but they all moved on for some unfortunate reasons and this is really huge and I I love that team I wish they would come back but maybe they will at some point so I will pass this on at some point but only when they come back thanks so much so this is the winner's board and then for the second competition we had I told you that there is a competition between deep learning versus classic SCA well at this point in time the jury is still out of who the winner is we will publish so the the dataset that was used for this competition will be public for you all to try out and it would be great if you let us know which one of them works for you so with this yeah this was the chess 2018 this is it before we proceed with the program this was found in the catering room so whoever this belongs to come find us it's right here on the podium good evening Hi I'm Sung Hyun Jin studying in Korea University this time I will talk about simple-sized channel analysis on program play quantum key distribution system this suggests that we need to consider side channel analysis even in quantum secure system to exchange the key secret key securely through an insecure channel we use key exchange protocol such as DPR man or elliptic curve DPR man of course if you can snatching ciphertext in this channel to prevent it from this snatching action QKD is ongoing active research area the security of QKD is rising in quantum physics through the 
fundamental theory of quantum physics physics if you can no longer snatching or if it's drop the quantum channel between Alice and Bob QKD can guarantee whether someone is if it's dropping the channel or not this may seem unreal or too theoretical but recent advance made QKD to live out of the lab the DARPA project or Tokyo QKD network experiment shown QKD has been performed in distance over 100 kilometer more recently China has launched the mission to create the QKD channel between China and Austria however also QKD is quantum secure we always need to consider other weak point like side channel analysis in the QKD system the QKD equipment is mainly implemented in FPGA the timing side channel analysis had already performed on PAP site so the constant time QKD is proposed program play QKD system is another form of QKD implementation that prevent timing attack as we all know we only need to know 1 bit 0 and 1 in the C-Cricky to simplify the beach have two kinds of basis two beach two basis means that we need to know four kinds of stage as in the table to implement this four kinds of 0 and 1 we give four kinds of voltage to a photon which depending on different voltage this means leakage we had an offer to check the vulnerability in the QKD system from professor of in Korea University as expected we had to obtain four different trace that directly to four different type of qubit to some of we also need to consider side channel analysis even even in QKD thank you it's a short announcement for the hiring at IoTeX IoTeX is a very young blockchain startup with a core team located at Silicon Valley United States and multiple small task forces currently distributed globally those small task forces are being added into the core team and distributed manner more like how blockchain works we are currently building the next generation blockchain platform for the IoTeX applications and to power large scale and decentralized IoTeX applications we're currently hiring the software 
engineers and the cryptography engineers it's a unique opportunity to use all of your knowledge in cryptography distributed system and the game theory to build something which has significant impact for people's life please check our website IoTeX.io for more information if you are interested in our projects and would like to take that adventure with us if you have any questions please do arrest me to hello at IoTeX.io thank you very much good evening this is a short announcement of the ECC 2018 ECC 2018 the 22nd workshop on additive cryptography will be held on November 19th to 21st at Osaka Japan the second largest city in Japan the ECC is the world of cryptography and related areas since the first ECC workshop ECC has broadened its scope beyond additive cryptography and now covers a wide range of areas within modern cryptography and the ECC workshop have invited presentations only presentations tend to give an overview of emerging or established areas of modern cryptography often combined with new research findings the ECC workshop is accompanied by a two-day autumn school on additive cryptography for graduated students involved in this area the school will take place on November 19th and 18th just before the main workshop and here is the list of the great speakers for the workshop and the school and the presentation title is announced and the details of the workshop is shown at the URL the first one is about the generic ECC workshop and the last one is the ECC for this year and the registration is now open and the early board of registration is applied until October 9th thank you okay so this is also a very short one and Peter submitted it and put me on stage but okay so what he meant is like if you're up for even more great talks good food a nice company and above all very smooth organization you should come to our summer school next June which is not 20th but 6th edition so I guess we are doing pretty fine and the challenge here is to click very quickly on 
this link and to find out who's speaking there and what's going on thanks okay I'll start with a small disclaimer I'm going to show some things that are quite ridiculous but everything is real so my talk is about the Tesla Model S and specifically the Tesla Model S keyfob as you can see it looks quite simple we have the entire PCB on the left and an X-ray picture on the right there's a simple microcontroller that communicates with a transponder that stores a key so what we found is that they actually are using a 40 bit cipher that accepts a 40 bit challenge and returns a 24 bit response there's also no they also have no mutual authentication in their authentication protocol so we built a small 5.4 terabyte lookup table that allows us to recover the cryptography key in 2 seconds this is what the proof of concept hardware looks like so it's a simple power bank Raspberry Pi, a Proximal 3D low frequency stuff and your stick want to do high frequency stuff so we tested our attack on Tesla Model S but we also found out that the system was actually developed by Pectron which also made systems for McLaren, Karma and Triumph if you happen to have a McLaren please let me know so we first notified Tesla about one year ago and from June onwards this year they are actually using new keyfobs and they introduced some software updates that people that own a Model S can enable to help stop the attack and Elon Musk improves so if you would like some more information we have a blog post up on our website I will be doing the poster sessions from now on you can check us out on Twitter there's an article on Wired and if you happen to have a Tesla Model S I would be happy to show your live demo now we have a small video okay so I'm John Kelsey I'm going to give you an update on what we're doing at NIST so lightweight crypto standardization you can see we've got a plan to standardize some lightweight crypto algorithms we made a call for proposals that finally came out so you can go look 
at our web page and find the call for proposals and all sorts of other information and you can also subscribe to the mailing list if you're interested threshold crypto so this is an area that we've not had standards in before and we're looking at doing standards so we have a draft NIST NIST is basically NIST speak for a white paper so we have basically a white paper on threshold schemes for crypto and we'd like public comments so if you have thoughts about this, it's an area of interest of yours let us know what you think there's also a workshop in March and so you can see all the contact information here the PQC stuff is continuing apace you can see kind of where we are we're going to have the conference collocated with crypto so it's a good excuse if you're interested in either of those to come to both this is already the comment period has just closed on this this is our plans to basically to get rid of triple devs as much as possible if you have strong feelings about this though we will still read your comments so if you're in an industry where getting rid of triple devs FIPS approval for triple devs is going to utterly screw you and then please let us know so we can take you into account and you can see with the email address for that 890B it's come out as of the beginning of this year the final version we've found some bugs and we're in the process of correcting them this is something new that we're able to do now is issue a corrected version with Arata that's not something where you could revise the whole document but if you found like a typo and a formula you can fix it and so I'm also giving a talk about the NIST BC on Thursday so if you're interested come listen to me and you can hear more about 90B the NIST beacon is now switched over to a new format we've got two organizations Universidade de Santiago I think is the not Chile and in Metro which is the Brazilian sort of Brazilian version of NIST or maybe if you're Brazilian you think NIST is the American 
version of them so we're planning to follow our protocol or our format and there's a NISTR coming soon that will describe the new format and you can find this at this URL also FIPS 186 a digital signature standard this is under revision soon it will be going out for public comment so if you're interested in this you probably are digital signatures matter for pretty much everybody this is a good, when this comes out fairly soon it'll be good to get your comments in and one of the interesting things here is moving the elliptic curves to their own document rather than having them as part of the signature standard even though they get used for other things and that's it, thanks a lot my name is Christof and this is a serious talk so I won't be funny at all and if I'm funny then it's an incident and I want to apologize for that this talk is about CIFA statistically ineffective for the text so suppose you want to protect simple block CIFA call against implementation attacks what do you do you mask this stuff against certain attacks and then you add some error detection capabilities like multiple execution of this stuff and see if the right thing comes out and then you end up with this piece so but it turns out with the CIFA you can attack this piece using single faults per execution of this stuff and what's also cool about CIFA is that the effort of the attack typically does not increase with the protection order or the degree of redundancy so what is CIFA it's the union of statistical fault attacks and ineffective fault attacks and basically there exist two papers one of them which contains the basic is actually the last session of chess conference and the paper which explains why this stuff also works on mask implementation appears at Asia Crypt so if you are thinking okay it might be hard and it might be quite special location to fault in order to mount the CIFA then I have good news so principle for this certain implementation of mask AS in software it turns out if 
it can stack a pie to zero or always set a pie to zero then around 70% of the instructions are susceptible to an attack I also have to point out that we do not exploit any weakness in this implementation or that this implementation is not weak the reason why we have chosen this specific implementation of mask AS is that there are not many mask implementations out there which are publicly accessible and good and useful so probably people should change that and if you think always setting a pie to zero is a quite hard task to do what you can also do is for instance flip on pit not having successful attack or set one pit to zero or always randomize one pit or flip a whole pie or set one pie to zero or randomize one pie or in skip an instruction so how does this thing work I do not have time to tell you so if you want to know this then you have to read the paper to talk. Thank you very much so let's go back in time so anybody knows this kind of computer TRS-80 so would you use that still now probably not maybe for fun but the crypto of that time what is that what would you use in 1978 for crypto Das would you use Das now but the banks are still using Das so you want to be in that crowd you want to investigate Das maybe not so let's go make a jump in time we go to 98 anybody remember that kind of computer I had one like that compact 98 what would be the crypto then I was still Das but there was something new coming up in 98 AES contest so there was a lot of evolution but you see it's still it's not quite modern it's like some old stuff but we do a lot of investigations on AES let's make another jump in time we go to 2008 what happened in 2008 it was the start of the Châtres competition a lot of evolution and we got to also a different model we're not looking at PCs anymore we're now looking at other devices this thing, this blackberry that was really hot that was like this thing to have you know that was the start of permutation based crypto but would you investigate 
that kind of stuff would you do research on that or use that maybe yes maybe no but that's the modern age do you want to know what this crypto looks like in that age well then you come to this workshop that will take place and I think it's about a month from now in Milano Italy so it's a day on permutation based crypto and we have a number of speakers so you will recognize Christoph de Bruyne who just spoke just before me but there's a lot of experts speaking about it and I invite you to visit the website and subscribe, it's cheap and it's very educational thank you my name is Diego Aranha until recently I lived in Brazil and I work at Alhus University in Denmark so there was like an upgrade yeah thank you I have friends in the audience so I don't want to turn this into alcoholic anonymous style meeting but I have to admit that for the past six years I've been as likely obsessed about the insecurity of Brazilian voting machines so the reason for that is 140 million voters use these machines every two years and they have been in production for more than two decades and this is a paperless voting machine so there are no meaningful ways to verify that the results are correct so at CHAS 2012 I gave a short talk at the Rump session about how we hack these machines for the first time so we essentially had to only do this across the codebase so we actually broke the vote shuffling mechanism to break ballot secrecy of course and then after running this we found this right and the time stamp there was printed in an official document that's kept for five years for transparency reasons so last year we did it again this time we tried something slightly more sophisticated it was this and then we found a cryptographic key that allowed us after a few escalation with other vulnerabilities to manipulate the voting software so this was the key we found the key protecting the file system so we could actually tell to modify the voting software to tell the voters to vote for that radar 
which could be a great present to Brazil I think so I think the punchline in this is for all governments and voting system vendors out there elections are not really a playground for your crappy software get your shit together, thank you hi everyone I'm going to present today a magical parallel variant of SIDH which is a post quantum candidate and the idea is to have a parallel version of it so we present here a variant of the super singular SIDH protocol the variant will be run by three characters instead of Alice above we will have Hermione instead of Alice and Ron and Harry instead of Bob they learn the Curbaberto spell that transforms an elliptic curve into magical stones into another curve so this is the way that it works first instead of selecting a prime as usual we will select one prime that has Hermione in one side and Harry and Ron in the other side so the way that it works is the following we have three bases instead of two bases one for Hermione, one for Harry and one for Ron and then Hermione works as Alice will compute the isogenic from the base elliptic curve E0 and then Ron will work out the SIDH protocol from his side and will carry out the point of Harry then Harry will take from the isogenic computed by Ron and we will have this second isogenic and then they need to exchange so Harry sends on all to Hermione Hermione does the same and then Hermione ends her work and computes this elliptic curve then Ron works again and then Harry and finally they met here running this variant of the SIDH protocol we got a modest but noticeable acceleration factor of about 10% in the best case and sometimes we lose but this variant is really nice for parallel implementations so if you happen to have more than one core say two cores or even better three cores then you get an acceleration of up to 1.67 acceleration factor so this is an on-working work and we are looking for new combinations of primes for more Montgomery-friendly primes and to optimize the 
single-core version of this proposal thank you Hi everyone so in 2017 we organized this white box crypto competition called white box and we it was actually a tremendous event 200 competitors like nearly 100 submissions so challenge programs were submitted we had nearly 900 breaks and so it was co-organized with crypto experts so we developed the submission server the server was hosted by TUE and it was sponsored by eCrypt CSA and we thought it was a tremendous event so let's go for our second edition what we would like to do would be to run an edition of white box so again it will be about AES 128 with no external encodings and there will still be this dual system of points with strawberry points that you can accumulate as long as you are not broken and banana points strawberries being converted into bananas whenever the challenge is broken we would like to put some limitations on the code size and execution time and so on but there were some kind of feedback from the community on the rules like at some point 50 megabytes for the sea source other challenge was too small for some people was too large for some others one second of execution as a limit was either too slow or too fast for some people so the Slack forum so you can go there for your own opinions about what the limitations should be and so the tentative timeline should be so it should last for about 6 months in 2019 so starting beginning of February maybe and end of August but the main problem is that we are looking for a volunteer or a group of volunteers who would like who would be willing to actually host the submission server so the submission server was developed by crypto experts it's totally open source you can find it on github and we would like also to apply a few improvements so that the second edition runs more smoothly compared to the first one so if anyone is willing to do that please contact me on my email address thanks good evening I'm the last one so I guess I have no time limit so I've 
did some work with a lot of cool people which I will not enumerate because I don't have so much time but they're very cool and skillful so we've been working on the cryptanalytical algorithm for lattices and we've made some progress so just the core idea is that sieving used to be thought of as a black box function you give a lattice basis you get a short vector and then you insert it in the vector and then you restart at the next position the core idea we have is to view it as a stateful machine where a lot of information is kept inside and can be reused from one sieve to the next basically recycling a lot of information to amortize the cost we have been working on implementation it will be made open source we have several sieving side it's highly optimized it's parallelized so for designing high level algorithm we made an interface in python that make your life a bit easier and with it we've been able to break new challenges we're about 400 time fasters in the previous algorithms so stay tuned for a paper an open source implementation and maybe more records especially LWA challenges for what do you care here at chess maybe you need to worry about this base candidate because of this the answer is not so much thank you ok so that concludes the ramp session let's thank the speakers again and I hereby declare the ramp session over