All right, so hello everyone again. We're gonna start with my report, which is on the Crypto 2016 puzzle solution and prizes to selected winners. So if you didn't get your solution in by now, I'm about to reveal the solution. If you don't wanna hear it, run outside for a couple minutes, but let's go through it. So this was the piece of the text that was included in your packet that said use the gifts in your registration packet to determine the real security quotation, and let's talk about what it was that you received. First, you got a T-shirt, and this is the back of the T-shirt, and it has a number of quotations on it, and it has some symbols at the beginning and the end of each quotation. And if you zoom in on that, you saw a little film strip. That was supposed to clue folks that these were somehow film or movie related. Now why are there a bunch of security-themed movie quotes on the back of your T-shirt? Well, because in addition to being general chair of this conference, I'm also president of the board of directors of the Seattle International Film Festival, which is the largest film festival in North America and runs for 25 days in Seattle from late May to mid June, and if you're ever in Seattle, please come to the film festival. So I thought that a film-themed, security-themed puzzle was appropriate, and I should, before I proceed further, acknowledge Josh Benaloh. Josh and I worked on this jointly, and the two of us put this together for all of you to enjoy. So would everyone please kind of thank Josh. Okay. So, there's movie quotes.
There is this thing now called the internet, so you don't have to actually know all these movies in your head, but if you go and look them up or happen to know them, you would find that the movies that these quotes came from often had a security-related theme: The Imitation Game, Ghostbusters (didn't, although it was about containment), Sneakers, Hackers, Inception, Spaceballs, and my personal favorite, Blade Runner, which had to make it into the puzzle. Now the second thing on the shirt was that symbol down in the lower right, which was the picture of the wine bottle highlighting the little round thing in the lower right of the label. And then you got a wine bottle with a custom label on it. This is Backdoor Red, or backdoored wine, and my thanks to Michael Moniz of Liberton Hotels in Toronto who did the graphic design of the label for me as a favor. Again, Josh and I gave a basic design. And if you look at that symbol on the label, it says that, which is a key to understanding how to unlock the puzzle. It's a very simple substitution cipher. You take the key, you take the first letters of the films, and remember there was a hint that "the" is an insignificant, can be an insignificant word, so you didn't look for the T in The Imitation Game, but the I. And when you translate that, you get "theater", which completes "security should not be confused with theater", also a reference back into film. Okay, so that was the puzzle. We got 15 correct submissions. I want to acknowledge everybody on here who got a correct submission and got it in by four o'clock. I particularly want to highlight Shai Halevi's children, Gil and Sharon Halevi, who got a solution. These are in order of submission. So they were the third correct solution submitted and the youngest submitters. Okay? Now, of these 15, I have randomly selected, or Excel's random number generator has randomly selected, three people to win prizes. I have real prizes up here for three of these people.
And with Marshall Ball, Jeremy Jean, and Aaron Traumer, please come up to receive prizes for correctly solving the puzzle. So they are identical. So Aaron, there you go. Congratulations. Marshall, there you go. Congratulations. There you go. And congratulations to all three of you. You're most welcome. I'm glad you enjoyed it. And with that, that concludes my report on the Crypto 2016 puzzle. Thank you, Brian. Thank you, Brian. So I hope the prize winners enjoy their backdoored wine and the number generators that they're getting as prizes. And I'd like to invite Matt Robshaw to take the stage. Next on stage is Bart Preneel. If Bart could get ready. Thank you, Matt. Just to remind people that please come and sit. And if there's too many people standing, there's an additional room in the multimedia pavilion. And if you don't sit down, then the rump session will be stopped by the fire marshals. We really don't want that to happen. So please take a seat or go to the overflow theater. Thank you, Matt. Okay, so good evening. It's traditional to start the rump session with a report from the program chairs behind the scenes on the submission and review process. It's my pleasure to provide that for Crypto 2016. We received a new record. So in the spirit of the Olympic rump session, we have a new record to report: 282 submissions, reduced to 275 after withdrawals. We accepted 70 for the program, which represents roughly a 25% acceptance rate. And here we see the historical acceptance rate over the last 24 years. So we're back to the levels we were seeing before the year 2000. Crypto now is getting up to around about 1,000 reviews. And given that a paper length can be up to 30 pages, that's an enormous amount of reviewing. So we had a very dedicated and hard-working program committee that went through all of this work. So thank you to all of them. We also had 320 external reviewers involved. So many of you will be in this room. Thank you very much for your contributions.
Again, in the Olympic spirit, we can call out some nation contributions. So there were six countries that provided at least 5% of the submissions: France, US, Israel, China, Japan, and Germany. And this translated through, so 65% of the submissions from these countries alone, translating into 71% of the final accepted submissions in your program. Of course, there's different ways to measure cryptographic productivity. And the gold medal for the best use of available landmass goes to Singapore, with one paper for every 350 square kilometers. So the rump session marks the halfway point of Crypto 2016. So you're probably already thinking about next year and maybe making some submissions. So it's worth doing a little data mining to see what we might learn from this year. So the number of co-authors: I've presented here the acceptance rate for papers, with single-author papers here. You can see it's very hard to get a single-author paper accepted. So congratulations to those that achieve that. And as we add authors, things get progressively better. You get a higher acceptance rate until basically after four it drops off. Probably a little bit too much partying takes place. So it seems that four is a good number for the number of co-authors. You also want to think about your first impressions, the title, because remember, the reviewers are gonna make a bid for your paper to review your paper. So it's probably interesting to look at how you structure your title to the paper. And short and pithy certainly wins the day. So titles that could be characterized as short and pithy had an above average acceptance rate of 30%. Now what's interesting is that you don't wanna get caught in this kind of no man's land of middle-length titles. It turns out if you just keep piling in the words, you can actually move on to something that's not short and not at all pithy. And you'll find you have pretty much the same acceptance rate at the end of the day. So short or long, one or the other.
What about some of the words? Were there any interesting keywords? So the committee liked the following words in the title. So a green thumbs up means papers or submissions with these words in the title had an above average chance of being accepted. So practical, efficient, and cryptanalysis. The money word for Crypto 2016 though was applications. That had a very high acceptance rate. So that's kind of interesting for next year perhaps. On the other side, which were the words that didn't quite capture the program committee's imagination? Well, somewhat controversially for a crypto conference I think, encryption didn't do well, and really quite disturbingly, new didn't do quite so well either. So anyway, hindsight's a wonderful thing and we can construct what would have been an ideal title for Crypto 2016. Oh, I forgot, I'm so sorry. Let me go on. Some people like to punctuate their title. Makes it a bit more interesting, a bit more subtle, a bit more considered. So the committee liked parentheses. I get a little thumbs up there, so above average acceptance rate. The committee went bananas over colons. Colons were very popular. But the question mark, maybe it implies a little indecision or something, for some reason that didn't quite capture the imagination of the program committee. So bringing all this together, we can come up with what would have been the ideal Crypto 2016 title, as I say, with hindsight. And this would have been a good title: "An efficient cryptanalysis, colon. No practical impremises, applications are secure." And it would of course have been by four authors. So I'm the one talking, but Crypto relies on the contributions of many. So a big thank you to John and Brian, my program co-chairs, and Brian, the general chair, pleasure to work with you. The excellent hardworking program committee, all the sub-reviewers, and most importantly everyone who submitted to Crypto 2016. And I hope you enjoy the rump session.
Okay, so next up we have something about Feng Shui by somebody called Bart Preneel, and Nigel Smart, come to the stage please. And could somebody bring me a beer, that would be really appreciated. So the interesting thing to note is that of course everybody knows that Bart is the ex-president of the IACR. So unsurprisingly his favorite discipline is hammer throwing. Well, this is a plug for a USENIX paper, but clearly this title would never have made it to Crypto. So there were in fact way too many authors. And the theme I chose was indeed hammer throw because I was thinking of field hockey, but today actually the Netherlands beat, was beaten by Belgium in field hockey. So I guess Martijn would have rejected my paper if I did. So I didn't take any risks there. So it's a very confusing title where many authors, we each chose a word and then we put it together and somehow it got into USENIX. So what would we really do? Okay, this. We broke RSA in the cloud. So how does it work? We use some very simple ideas and some simple crypto machinery, but very clever software stuff, done mainly by our colleagues at the University of Amsterdam. So we used actually two basic building blocks. One is Rowhammer, and I hope you all know that Kenny is Scottish. So I knew he actually would accept this paper with those beautiful pictures of Scottish people. So Rowhammer is a very cool trick in which you can actually flip bits in DRAM, as a consequence of higher densities in DRAM, by reading repeatedly at adjacent rows. So you never have to write in the memory, you just read a lot, and at some moment you flip bits in the middle row. So now you already understand why there is flip in the title and why there is hammer in the title and why I chose the hammer throw. Okay, so it's a bit tricky to find out actually if you're in the cloud which bits flip. And the practical guys from our team, they spent about 10 minutes of effort to find one bit flip that works.
So this is why we don't use hammer and hammer throw bit flips and you can't completely control the location. Next thing is memory deduplication. So what happens in the cloud, you actually can rent your machines with the cloud providers and actually they try to be efficient. And using this an attacker can actually map the physical memory page of the victim virtual machine to the attacker virtual space. The scenario is that somebody has a cloud instance which you want to attack. So you actually also make a cloud instance and then from your cloud instance you're gonna attack the keys of the other guy. And how do you do it? Based on deduplication, and the Feng Shui part is because we have to neatly arrange memory in a harmonic way to actually get to do it. And this explains the Feng Shui part of the title. So how does it work? Very simple, you have this blue virtual machine, you have the victim, so you do host, you have the victim having his machine, the attacker having his machine, and so each has their own physical memory at the bottom. And so what you do as an attacker is you put content in your virtual machine which likely the attacker will also have. Can be a list of keys that's public, public keys of course, or maybe some other things, in this case the picture. And so what will happen in the cloud is actually that the cloud will want to be efficient. What they will do is they will actually spot duplication, it will save memory and put it together with pointers. The next thing is if you then start flipping bits in your virtual machine using Rowhammer, what will happen in the physical memory, it will be updated and you actually now flip the memory of the victim. Without doing anything, you don't have to violate any of the access control rules of the cloud. You actually go to the software stack with your needle and you flip the bits. So what can you do in practice? Somebody is running OpenSSH in this cloud instance, you start an SSH session with the wrong key, doesn't matter.
What the victim will do is read the authorized keys file with an RSA modulus, you now do your Rowhammer bit flip and you flip a bit of the modulus. There's no longer an RSA modulus, it's now a random integer of 4,000 bits, that turns out to be easy to factor. So the method we use, the elliptic curve factorization method, depends on the second largest prime factor. And there is good statistics about this, we know that on average it's about 20% of the size of the modulus. So, and if you're lucky of course, it's even much smaller. That's it more or less, we used stammer tool, it's the wrong sport I guess, but okay. So, 1024-bit moduli, you can see we can factor almost all of them with 10 bit flips. What we used was about one hour time on a big cluster, 64 gigabyte RAM, then we stopped, we abandoned if we couldn't make that. We got 48 bit, we could do more, a bit less, but we could still get very close to all of them with 30 bit flips, and then with 50 bit flips we got up to 80% of all 4,096-bit moduli. And of course this was tried on real cloud instances, really in the cloud, we made this work in practice. Of course we did warn the cloud providers in advance that they should implement countermeasures against this attack. Similar thing on GPG, you can actually use the APT update mechanism in Debian and Ubuntu. You first modify the sources list, so in fact malware will be downloaded rather than from the real URL. At the moment of the signature checking you actually flip the RSA keys. The trusted GPG file, you factor again until you can forge a signature and now install malware in the victim's machine. Again, you factorize and that's it. So we also extend to Diffie-Hellman. The problem there is that the publicly available software for discrete log is not as good as the others for factoring. So we didn't get as far for Diffie-Hellman as for RSA, but the paper has the technical details. We also discussed mitigations, and if you want to find the paper, it's on there.
Thank you very much for your attention. Thanks, Bart. Would Jeremiah please come to the stage, and next up we have Nigel Smart. Just let's say there's loads of seats down here for those standing. Oh yeah, thanks Nigel. Please come and sit down, otherwise we'll get shut down. Yeah, come please, if you're standing, please come sit here. We have to, otherwise the rump session will be shut. Right. Okay, whoops, what happened there? What? Just advanced. Oh, there we go. No, what's my talk? Advanced. Advanced. What, what, what? Have you, if you can meet him wrong? Uh-oh. Uh-oh. Uh-oh. Okay, let's, let's, let's go to- No, you're a judge. Let's unwind and we'll have Jeremiah and we'll do something to fix Nigel's talk at some point. Thanks for your understanding, Nigel. Great talk. Great talk. All right, thanks everyone. Like to give you a quick update on the Crypt-Olympic Games, which as you know are taking place right now. And I want to talk about my favorite event, which is password frequency list disclosure. So, there we go. So, some of you may be unfamiliar with this exciting event. So how does it work? Contestants start by collecting a large dataset of user passwords. And then they produce a histogram, which is just a plot of the frequency of the most popular passwords. And finally, the goal is to release a frequency list, which can be obtained by simply removing the passwords and just outputting the associated frequencies. And contestants may perturb these lists to protect user privacy. So, how are contestants judged in these Olympic Games? Well, there's three criteria. The first scoring criterion is dataset size. So, the more users, the better. The second criterion is accuracy. If you can release a frequency list that's more accurate, that's better. And the final criterion is privacy. If you're not giving away user passwords, that's also better.
So, you may think this is a game that I just made up, but I assure you there's a long history of organizations competing in this event. For example, RockYou submitted an entry several years ago with 32 million user passwords. Unfortunately, most of the previous contestants have had to be disqualified due to failure to properly protect user passwords. So, today I want to tell you about a new leading candidate for the gold medal. Yahoo just turned in a very strong performance. They collected a dataset of 70 million user passwords, and they used tools from differential privacy to actually perturb these password frequency lists before they were released. So, I should stress that this dataset's available and it was released with permission. So, let's score this entry. First criterion, accuracy. Well, we can actually compare basic statistics like min-entropy, guessing entropy that you'd get with the sanitized dataset with the same statistics computed on the original dataset. And we actually see that the statistics match in almost every case. With, occasionally, you'll get small variation. And what about privacy? Well, they also had strong scores on the privacy criterion. In particular, they preserved differential privacy with the value, composite value of epsilon equals 0.5. Of course, a single user might participate in multiple different datasets, so you have to scale epsilon appropriately. So, what does this mean? Well, this means we can promise Alice that if we had removed her password from the dataset at the onset, before we ran the differentially private mechanism, the probability of any subset of outcomes doesn't change too much when we exclude her password. So, this means that the probability that Alice gets hacked doesn't change too much, you know, based on whether her password was included or not. Okay, so, password frequency lists have many applications.
The simplest one is just, estimate the total number of users that could be compromised in an online attack where the adversary has beta guesses per user. There's lots of other exciting applications. I hope you'll all search for the dataset. If you just search for Yahoo password frequency corpus, you'll find it. Please play around with it. I hope that it's useful for you and for many of you in your research endeavors. And finally, I'd like to conclude by saying that I hope other organizations will challenge Yahoo for gold. There are other organizations that potentially could collect larger password frequency lists and follow the same pattern and perhaps steal that gold medal from Yahoo. So, thank you. Okay, so Nigel's now going to try again with his second presentation. But Kerry, if you're in the room, please get close to the stage because you might be on sooner than expected. Okay, and please take a seat if you're standing in the back corner. I can see you, okay? I call you on your behavior. Please take a seat, all right? Or leave the auditorium, otherwise we'll get shut down. This one works. Nigel. Okay, this one appears to work, okay? I don't know, there's something wrong with the computer. We're gonna fix. You'll see the other talk later, I've been promised. Okay, so this is about Speed King. You're gonna hear me sing. So if anyone gets the reference there, if I'm just far too old, really. Okay, okay, except, oh, there we go. Okay, I'm not actually going to sing, right? But if, thank you, thank you for the, that's exactly what I want, yeah, thank you. I'm not gonna sing. But if you're interested in MPC, this is the rump session talk for you. So we've got four things to announce. SPDZ is now open source, and I'm gonna give you the link to that. It will be made open source. It's not actually open source yet, but it will be by the end of the week. There's still some tidying up that they've got to do. Okay, but everything's ready to go.
We're gonna give you some timings we've achieved. There's gonna be a new conference on MPC, and there's gonna be some jobs, because basically every bloody rump session I have to get up and tell you, there's some jobs. Do you know where the jobs are? Which university? Bristol, yeah, that's kind of right. There we go. Okay, next one, yeah, right. Okay, so it's now open source. Hopefully now, well, it's gonna be in the next couple of days. The documentation is a little shaky. If you want to sign up for announcements and to find out all about it, there's a Google group called spdz at googlegroups.com, and you can visit the webpage, which is really long, just type Bristol SPDZ, and you'll get it into Google. Other search engines are available for Brian. You can use Bing if you want, but Google will do it for you. So that's when you can see me fly. If you're gonna have a party, then you need large numbers of people to come to that party. So we decided we wanted a very large party, so we actually ran, well, Marcel did, he ran a 100-party auction. So this is not sugar beet, because they only had three parties in their auction, and it was only semi-honest when they did it. This is a proper auction with 100 people, fully malicious, and we actually ran. So when people talk about multi-party computation, the record now is running a computation on 100 parties. We hope to be able to push it to 1,000 parties at some point in the next few months. So the goal is now not to make things faster, but to have more people at your party. And we can now do 22,000, 22,000, 20,000, sorry, blocks per second of AES. This is not as good as Yehuda's record, which is going to be presented at CCS, where he could do a million blocks of AES per second, and he's integrated it into a Kerberos system. But this is a system that will work for many parties, whereas Yehuda's thing only works for three. There we go, so we've got some new kind of cool stuff coming up there. And there's a new workshop.
It's going to be, if you go to the website, www.multipartycomputation.com, you know, why else would you choose a different URL from that? It's a bit like Real World Crypto, which you should have already heard about, okay? It's a bit like that thing, in that there's invited talks. There's a contributed talks call that was announced today on the IACR website, and it's going to be held from April 3rd to April 7th in Bristol. It kind of continues on from the event that used to be held every two years in Aarhus, but now we're going to hold it every year and we're going to move around Europe, probably. Oh, I should say that all of my slides have a sort of rowing epitaph, you see, to them, because we're Great Britain, well, we are currently. Um... LAUGHTER And we only excel at Olympic sports where we can apply our Formula One technology. So we're good at cycling, which you would have seen in the Real World Crypto talk, but we're also good at rowing as well, because we could just apply technology to it. Doesn't have to be any good at athletics. So that's why we've got the rowing metaphor in all my slides, you see, because we're very good at that. And of course, rowing's quite good for multi-party computation because you need many people to do a good rowing team. You know, it's amazing. Every year we have this Oxford and Cambridge Boat Race. I'm not quite sure how both of them always get into the final, but there we go. But there's eight in each team. Um... Yeah. And so we... So when you need a team of people to do rowing, you need extra people on your team. And so what I want to say in my last slide is, I've just got paid. Shed loads of cash, right? And so with this shed loads of cash, I want to make a better, bigger rowing team. So if you want to join our rowing team, come and help us spend the money. Talk to some of the postdocs who are here. They will tell you, travel is no objective. And come and work for us. Five years, apply online now. Just come and do it.
Thank you. Thank you, Nigel. So if you'd like to be a galley slave in Bristol for five years... Hey, hey, hey, hey, hey, yeah. We also have postdocs at Royal Holloway. Please come talk to me. And I'd like now to introduce Kerry McKay or McKay. Good Scottish name there, from NIST. Thank you, Kerry. And next up, Marcel. Kerry McKay from NIST, you may have never seen me before because I generally don't like to give these talks, but here I am. So I want to talk to you tonight a little bit about lightweight cryptography and our standardization plans. So you may have heard of us, and we have these standards like AES, SHA-2, SHA-3, but what we're hearing from people is that AES is just too damn tall for the uneven bars. We need something a little bit lighter. So NIST initiated a lightweight crypto project to understand kind of where our standards fall short. So some of you might have come to our first lightweight crypto workshop in July of last year at NIST, and we're gonna hold the second one this October. And what we're looking for is lightweight algorithms for constrained environments and, of course, use cases. So how are we gonna do this is the big question. It's something we've been struggling with. We did just last week put out our draft report, NIST IR 8114, and it's posted for public comment. So after you've had a few drinks, go and look at it tonight. It gives an overview of the project, includes our plan for standardization, which boils down to two essential things. We're gonna recommend primitives based on the application and device profiles, and we're gonna create a portfolio of the lightweight primitives through an open process similar to our 800-38 series for the modes of operation. And the reason that we're doing this is because if we try and do a competition for this, by the time we finish with the standardization, no one's gonna be using that technology anymore. So the profiles are really the key to what we have. Or the key to our plan.
So we're gonna have profiles that represent classes of devices and applications, and we're gonna build these profiles based on public feedback. So this is just a template from the report. If you want more information about what actually goes in these fields, please look at the report. But in general, we've got a primitive, the physical performance and security characteristics, and also some design goals. But here's the thing. We work at NIST, and we're not actually out in the field using this stuff, but you guys are. So we really need your help in developing these profiles. So we have a list of questions in the draft report that we need your input on. We need your answers. Otherwise, we're just gonna be a bunch of people just in a room making stuff up. We'll try our best to make up something useful, but you actually know what you need, not us. So right now we've got the draft report out. The comments are due by October 31st. And if you are going to be awesome enough to help us out by answering these questions, to help us develop profiles, it would be really great if you could get those to us by October 1st so that we actually have time to draft some profiles to discuss at the workshop, which again is being held on October 17th or 18th, again at NIST. And if you wanna participate in that, the deadline for submissions is September 9th. So if you would like to contact us or get more information or join our mailing list, we have a lightweight email list like the hash forum. There hasn't been much activity on it yet, but hopefully that'll change soon now that the project is picking up. We also have information on the workshop and the project in general. Thank you. Excellent, thank you very much. I've been asked to speak up. Can you hear me at the back okay? Is it good? Yes, excellent. Thank you for one thumbs up at the back. Martyn would like a cup of tea. So if somebody could go fetch Martyn a cup of tea, that'd be great.
And if someone could bring me a bottle of vodka, that would be good too, okay? Okay, and that's to prepare us for Marcel Keller, who's next up. And he's gonna be followed by Joan Daemen. So if Joan Daemen could come to the stage. Thanks Joan, hi Joan. Okay, Marcel. Thank you. So I'm Marcel, I'm one of the slaves. So come talk to me. Please! What I'm gonna talk about today is homeopathic encryption. And I have to say it's essentially a shameless steal from a work-in-progress talk from USENIX. I think it was Eric Wustrow. I hope I don't mis-attribute this. So yeah, come talk to me if that's wrong. Anyway, homeopathic encryption. Of course, it's gonna be round-based because that's how proper encryption schemes work. We start unsurprisingly with a message M and a key K. And there we go. First round: with probability 2 to the minus 12.8, we're gonna assign K to K, otherwise K is K XOR K. We continue with round two. Again, with probability 2 to the minus 12.8, K is equal K, otherwise K equals K XOR K. And this already brings us to round number three. Which says that with probability 2 to the minus 12.8, K is K, otherwise K is K XOR K. And oh, that's already round number four, with probability 2 to the minus 12.8, K equals K. Otherwise we assign K to K XOR K. And now you might be surprised. That's round number five. Probability 2 to the minus 12.8, K equals K, otherwise K equals K XOR K. And let's quickly move to round number six. Probability 2 to the minus 12.8, we assign K to K. Otherwise, that's with probability one minus two to the minus 12.8, we assign K XOR K to K. And then there's my lucky number, round number seven. Probability 2 to the minus 12.8, K equals K, otherwise K, K XOR K. Yes, oh yeah, that's one more. That's now round number eight. Probability, so we flip a very heavily biased coin, essentially in all those rounds, 12.2, probably, oh man. Probability 2 to the minus 12.8, we assign K to K, otherwise K is gonna be K XOR K, K, K.
Oh yeah, that's round number nine. Yeah, I think we have to go to 10, 12, 14, AES style. Two to the minus 12.8, we assign K to K, otherwise K XOR K, K, K. 10, oh yeah, that's one more. You're gonna be surprised. Two to the minus 12.8, K equals K, otherwise K equals K XOR K. And oh yeah, finalize, ciphertext is gonna be C equals M XOR K. So that's the scheme. Let's talk about implementation. So we, as you might have seen, heavily rely on fast random number generation. And of course, like I know there are CHES people here, so you're really concerned about, you know, embedded systems, hardware, maybe there's no fast random number generation. I can assure you, I don't have time for this, but there's a slight tweak to the algorithm that makes this algorithm much more efficient on restricted systems. And last but not least, also very important, the design encourages constant time implementation. So if you do if statements on either the message or the key, like you're really doing it wrong. Last but not least, there's also special properties. So we had a thought about this and we're really sure about the fact that quantum attacks are really no better than classical attacks on this one. So that's like for the post-quantum community probably. And on the other hand, like for the fancy pants community, of course it's also fully homomorphic. And now here's a nugget for the more, I would say like policy oriented community. We think, we strongly believe that this one is particularly suitable for compliance and marketing because it's encrypted after all, right? And this already concludes my talk. Thank you very much. Thanks Marcel, hilarious as ever. And next up, we have a talk called KangarooTwelve by Joan Daemen, and if Brian would like to come to the stage, that would be great. Joan, take it away. Yeah, good evening. This is a more serious talk, I'm afraid. It's a joint work with the Keccak team and Ronnie, so I call it Ronnie. I choose a sport, so it's a kangaroo.
What does a kangaroo do? It boxes, but I don't know if it's an Olympic discipline. Maybe it has been. Haven't seen any boxing, but okay. Our kangaroo boxes, and I think you will need it. So what is this, basically? Hashing based on Keccak-p, a bit like SHA-3, a bit like the SHAKE functions, but then more efficient. So what we did is we did the exercise to bring Keccak more down to where it should be, if you look at the safety margin, and we also tried to exploit parallelism. So first, the safety margin. So if you look at the state of cryptanalysis up to now, the best attack, the best collision attack against Keccak, is five rounds. And the best published, there may be some distinguishing stuff, but the best attack is five rounds. But it has 24 rounds. So we basically have more than four, a factor of four more rounds than we really need. So in Keyak, we already took that into account and we reduced the number of rounds to half, to 12. So let's do also the hashing with 12 rounds. So we reduced from 24 rounds to 12 rounds, and that still gives us a factor of two safety margin. So then, if we look at modern CPUs, we see more and more these SIMD instructions going broader and broader. So we have a lot of parallelism that we can do, and there are also many CPUs with many cores, and we would like to exploit that parallelism. But then the sponge, basically, is a serial mode. So we introduce a kind of tree hash structure, and that's basically what we did. So this is the structure of KangarooTwelve. So these blue blocks, they are basically the input blocks of the message. So we split our message into 8192-byte blocks and we can do them in parallel. So you see there those vertical bars, those are all inputs to Keccak, so to a Keccak version with 12 rounds, and we can do them in parallel. And then we append the chaining values to the first block, this S0, and that's also one call.
So each of these arrows represents a call to the underlying hash function, which is Keccak with 12 rounds, and the whole thing is a tree hash mode. So you see also there these chaining values; that's some more hashing you have to do, but it's compensated by the parallelism. So if you look at these symbols, 110 and so on, that's in fact padding and frame bits that comply with the Sakura mode. So if you do it this way, you get a provable reduction of security to the security of the underlying hash function. So what does this give us? Something went wrong with the slide, but okay. Yeah, there was a kangaroo there. So on the Haswell and Skylake, for short messages you reach about something below, around four, between four and five cycles per byte, but for long inputs you can really exploit this parallelism. So for instance, for the Haswell you get down to 1.44, for Skylake 1.22 cycles per byte, so there you exploit a four-wide parallelism, and on this new CPU, Knights Landing, basically you can get down to 0.74 cycles per byte. So we put the paper on the IACR ePrint, and you can find the code that has achieved these results in the Keccak Code Package that's made public. Thank you, that's it.

Thank you. Thank you. So I'd just like to emphasize that no kangaroos were harmed in the making of that talk. We just don't like kangaroos. And here comes Brian.

Okay, I'm back for something special. So for what we're calling the charity auction, or a long jump for charity. So for the purposes of this talk, I am representing Great Britain and their team in the long jump, for reasons that'll become apparent in a moment, for as long as Great Britain still exists. Iran thanks me for taking you down a walk on Cinema Lane. I'm now gonna take you a walk down IACR lane. In particular, I wanna go back 25 years to Eurocrypt 1991. Who knows where Eurocrypt 1991 was held? Okay, Kenny, go ahead. Brighton, in the United Kingdom, my first ever Eurocrypt. It was your first Eurocrypt.
It was my first Eurocrypt as well. And it was here at the University of Brighton in the UK, and who was the general chair? It was Andy Clark, that's right. And what was the Eurocrypt 1991 special beverage that everyone got? Beer. In particular, something that looked like this. It was Eurocrypt 91 Celebration Ale. And it was my memory of this beer that Andy did that caused me to think about doing a custom label for something, which is why we have a wine bottle here with a nice custom label, because I kinda grew up from beer to wine. Now, I accepted to be general chair two years ago, and about six months after that I was cleaning out an old box in the back of my closet that had been there probably since graduate school days, that I had moved from a bunch of places to places and had never seen the light of day, and I found this little cardboard box here from Harvey and Sons. And when I opened it up, I found inside one unopened original bottle of Eurocrypt 91 Celebration Ale. Best before end of date July 91, okay? It was in April. So I thought, what should we do with this bottle, since it's a special occasion and it's 25 years, and I thought the thing we should do was to have a charity auction to benefit the National Museum of Computing at Bletchley Park. Now, so I am about to auction this off for charity. Open your wallets up. Why the National Museum of Computing? Well, because Andy's a director and trustee of that and it's his favorite charity; he's trying to bring it back. So I thought a way that we could honor Andy and Eurocrypt 91 was to auction this bottle off. So someone here who bids high enough is going to get to walk home with this bottle tonight, or make me drink it if they pay me enough. And I polled my fellow members of the board of directors, and they have pledged, along with me, to match the donation that is made by the winning bid tonight, if the clicker will advance. So we will get a 27-times multiplier on whatever this goes for, that will all go to charity, okay?
With some limits, so that people don't get too crazy, okay? So what I would like to do right now is open the bidding for this bottle of beer, and since it's 25 years old, I thought I'd open the bidding at 25 cents. Does someone offer 25 cents? 10 dollars. Okay, I've got a bid of 10 dollars. I've got a bid back there, how much? 20 dollars, 100 dollars over here. And I'm gonna hold you to this, thank you very much. Yeah! Wow, fantastic. All right, I've got a bid of 100 dollars for a Eurocrypt 91 Celebration Ale. How much? 200 dollars, I've got 200 in the back. I will offer, he's bid 200, 250, I've got 250. Do I hear 300 in the back? How about 275? Come on, it's for charity. Two, come on, 275. All right, I've got 250 over here. Anyone else? Come on, somebody wants to go a little bit higher, right? It's for charity. 256, I've got 256, all right, all right. All right, 256, it's 512 to you. Or maybe I'll let you go to 384. 384, I've got 384 over here, fantastic, okay. Tom, 384 back to you. No, you're out, you're tapped out. Too many bids, huh? Okay, I have 384 dollars over here, bid for this bottle. Don't you bid dollars? Good, good, we'll be here all night. 384, anyone else? Anyone want to top it? 400, four and some other weird number added onto it. 512, all right, I'm gonna take that 384 dollar bid and I'm gonna let it go once, twice. Last chance, folks, sold for 384 dollars. I think we have raised, well, a lot of money tonight for the National Museum of Computing. Please meet me afterwards, we're about to go to the break, and we will discuss how to make sure that everybody gets tax deductions appropriately for a donation, okay? Thank you all. Again, I believe this is the first break. Yeah, so we'll see you all at 20:45 for something special involving vegetables, okay? 20:45.