The next paper is titled "Towards Practical Whitebox Cryptography: Optimizing Efficiency and Space Hardness", by Andrey Bogdanov and Takanori Isobe and Elmar Tischhauser, and the talk is given by Andrey.
The presentation, basically, is it possible to contain, probably, the outline of the talk. So, in other words, the adversary has full control. One of the great memories is that in this 30 goals, white-box, 30 implications of white-box, where white-box is a setting, where the adversary can assist this entity with what typically happens. In other terms, for example, in a situation where you don't have also multiple, one idea is also shared that idea a couple of years ago, what have the existing white-box solutions been?
Well, basically, the aim has been to implement DES or AES in this white-box manner, and how do you do that? You would typically mask it with some secret linear and non-linear transforms, and you would basically mask the round transform. The next round, the mask does some operation and then imposes a different mask. In this, you implement a table lookup. Of course, there have been a lot of proposals, basically following a lot of attacks. Attacks are practical. Why? Because, well, you can observe a lot of structure after just one.
Recent, nice results also include a rather generic, was an actual DPA performed on a white-box implementation then at the best paper at CHES national competition, now it's DCA, which is basically kind of DPA with different traces, but it proved to be extremely efficient and there are also differential fault analysis. There was also an ASIACRYPT paper a couple of years ago proposing a white-box cipher, which is dedicated, called ASASA. Basically, it literally consists of five layers, affine, non-linear, affine, non-linear, and people also have been trying to analyze this construction, which is not always very easy to do, but for just five layers, maybe you need at least 12 layers of this construction to make it simple.
So it looks like the underlying problem needs a bit of analysis. We had one dedicated white-box cipher and a lot of limitations of it and ASASA might be secure if increased. It's where we started looking at the problem. Our challenge was to come up with something robust in the white-box setting which would also enjoy...
You remember we have the black-box implementation and the white-box implementation, which are not necessarily the same. Black-box implementation would deal just with the standard security where we want key recovery and the instability from our cipher. In the white-box setting, we want key extraction security such that we cannot extract the original cipher key. We want some kind of incompressibility. I will go back to that, but the intuition is that you have some code, this code in its entirety, to be able to replicate things that compare with, for example, AES. AES is available in clear text. It's just enough to copy 16 bytes. The idea is that your implementation may be bigger, so you choose how much you want to invest. And then you prove that it's infeasible to compute your functionality without copying the entire on top of... Of course, we want compact and fast implementation in the black-box and some efficient implementation in the white-box.
This was our proposal for EES. It's also a table lookup-based thing. It's a dedicated cipher. It's a block cipher, and the idea is very simple. And code is partial AES, relying AES key. You can compute it directly. In the white-box, you don't give this key to the implementation. In the white-box, you compute the partial evaluation of AES and tabulate it. In the black-box, you have a compact way to compute this function in the white-box. You can show that your key extraction security reduces. Then you switch that into some other partial construction that gives you block cipher. That is compact in the black-box and secure against the key extraction in the white-box.
We can also show some space hardness or incompressibility in a relatively strict sense that you need almost the entire table to be able to copy the functionality. There are some instances of that cipher. Those numbers correspond to the size of the code. You can basically pick any numbers here. If you want to invest one megabyte of code, you just pick the parameters such that your table is about one megabyte. It's totally easy to analyze with our standard symmetric techniques like linear differential analysis, which we did, and we picked. I will show you the comparison of performance.
In this ASIACRYPT paper, we propose a more efficient construction, which is instead of being still nested SPN. We don't rely on the security of AES anymore, but we design small block ciphers of our own and we reduce the key extraction security to the key recovery security of those dedicated ciphers. Those ciphers are AES-based. This is the nested SPN construction of something we should call SPN-box. Here you have 10 outer rounds with a full MDS matrix for diffusion. For the S-boxes, you have just a block cipher depending on how much memory you want to invest. In the black box implementation, you would tabulate this small cipher and in the black box implementation you would compute it directly such that it's compact. You can work efficiently with many keys. Those ciphers are heavily AES-based, but not exactly AES, obviously. They use AES S-box and AES MixColumns-based diffusion. The matrices, most of them are involutions for the outer cipher and those are the diffusion matrices for the inner cipher. The underlying S-box is obviously the AES S-box.
Here are some graphical representations of claims against incompressibility. Basically, this means that in many settings you have to isolate almost the entire code to be able to copy the functionality.
We define a lot of different notions for how to measure incompressibility both adaptively and non-adaptively and those give you different results. You can also control those with numbers of rounds. I think Pierre will also show something in that direction in his talk.
Okay, then I will finish off with a short implementation study where we compare SPN-box to SPACE but also provide some absolute numbers on our Skylake machine where we make a lot of use of the AES-NI. Basically, in the black box where you don't have to manipulate where you have your key available, you get those numbers in cycles per byte, which is just several dozen. If you remember, AES, before AES-NI was introduced, was somewhere between 10 and 20 cycles per byte. Here we have quite some comparable figures in the white box. We do that now for two platforms for the Skylake and for ARM on Samsung Galaxy S6 note. Here you get the performance numbers which are quite similar. It's also a couple of dozen clock cycles per byte of data processed. Those implementations are conclusions.
We have the SPACE cipher where you can show that its key extraction security reduces to the key recovery of AES. Then you have a more efficient construction that we have presented in this ASIACRYPT paper, SPN-box, where by designing the underlying cipher in a dedicated way, you achieve more efficiency. If you want to compromise on the incompressibility, you can even go down on number of rounds for certain components, and it should get another speed up of some considerable factors, especially for the SPACE cipher. Some related work is the already mentioned Big Key Paper 16, which is only intersecting in the sense of big tables, maybe. Then there is a notion of strong space hardness that they have omitted. Also, white box key derivation in the next talk. So that would include it. Thank you.
Any questions?
I have a quick question about the definition of the incompressibility.
I understand your motivation, but in order to claim that the program cannot be compressed any further, you have to assume that it was optimized completely, that the current implementation of the white box cannot be replaced by any shorter program, but optimizing compilers are going to find all kinds of shortcuts and ways how to reduce slightly the size. Yes. How do you define exactly the notion of incompressible? Because some reduction might always be possible. Yes, some reduction is always possible. Where do you put the line? So I think we can also talk about it in a bit more detail. But here we just... Here we follow a simple combinatorial argument. Table-based. We assume that those tables as such are not compressible. But of course they are. Just a bit. But one could also argue that if you tabulate this partial evaluation and it's quite compressible, then it means that you find a way to attack AES. Otherwise there is probably a distinguisher. In our assumption, for the sake of proofs, it's flat, so it's not compressible anymore. But in reality, there will be some compressible. If I take your program and find the way how to eliminate one instruction, then I've succeeded in the security game. Yes, so that's why our claims are also towards half of the table. Deal with that a bit. T over 2 means that, for example, we have one gigabyte of table to the minus 128 to compute the output, given some input, and half of the table. So that's why we also put our claims a bit.
I have a question regarding the design of this new construction. Here, for instance. Can you shortly explain how does it help us to implement it in a white box scenario? I mean, you designed this in a way that we are able to actually beat everything by lookup tables. What you say is just make this lookup table as s and in. So yeah, we have two types of implementations. Implementation where you don't have to tabulate. This implementation is compact and usually faster.
Then you have the white box implementation. In both implementations you do exactly this, but in the white box implementation you do this, in the white box implementation you become a table lookup. Yeah, okay. Then you don't have any, let's say, encodings here involved. No external or... No external encoding. No external encoding. Well-defined block cipher. And this AK is... Yeah, it's derived from your master key. Okay. And this is the whole of the security is involved in this AK. I mean the secrecy. Yeah, so your underlying key is some 128-bit key. For those ciphers you can expand it to a table which has a size of your choice. Yeah, it's... The overall construction is satisfying the standard requirements for...
Last question. How... I mean you have the AES MixColumns here where I can see how the 8-bit block is possible. Yeah, for the 8-bit block it is... MixColumns is removed. I see. Some metrics. Okay, thank you.