Today I will talk about DASTA, which proposes an alternative linear layer for RASTA. This is joint work together with Gregor Leander.

An open question in research is the minimal number of AND operations a cipher needs to still ensure security. There are two different metrics. One is the AND depth: you consider the cipher as a circuit, look at the longest path and count the number of AND gates on it. So, for example, in the picture on the right we have an AND depth of three. The other metric is the number of ANDs per bit: you count the total number of AND operations in the circuit and divide by the block length. One cipher which performs very well in both metrics is the family of stream ciphers RASTA. It has a very low AND depth and a number of ANDs per encrypted bit between four and six.

There are many applications where these AND counts matter. One example is the fully homomorphic encryption scheme BGV. It comes with a large ciphertext expansion, and AND operations are much more expensive than XOR operations in this scheme. One scenario would be the following. You encrypt your data on your own PC symmetrically to prevent the ciphertext expansion; just the key under which your data is encrypted has to be encrypted under FHE, and usually your data is much larger than the key. Then you send both to the server. The server first performs an FHE encryption of your data. But to actually work on your data, the symmetric encryption has to be undone, and therefore the server performs a symmetric decryption under FHE. Because AND operations are much more expensive in this scheme, RASTA would be a good choice in this scenario. Another application is, for example, multi-party computation or masking, which is important for side-channel resistance.

Let's start with the structure of RASTA. The initial state is the key, and one round consists of two parts.
First we have an affine mapping, and this is randomly generated by an extendable-output function (XOF) which takes as input a nonce and a block counter. This XOF could be, for example, SHAKE256. What is also important is that the generation of the affine layer is public, so the evaluation of the XOF does not count towards the AND metric. If we look at the previous client-server example: if the server executes RASTA, it does not have to evaluate the XOF under FHE. The second part of one round is the non-linear layer, the chi function, which is a generalization of the chi function of Keccak. Note that this function has weak diffusion properties: one output bit depends on only three input bits. In the end we have one more affine layer, and the key is XORed again into the state.

Now we have a table of the different versions of RASTA. We have four to six rounds, and that's also why we have an AND depth between four and six, because the chi layer consists of just one AND operation per bit.

Our motivation for DASTA was that we were curious whether we can create a design which follows a deterministic approach and does not need the XOF: first because of security arguments which no longer rely on an XOF, and second because of performance improvements. If we want to get rid of the XOF, that also means we have to design an alternative for this affine layer. In DASTA the affine layer is now determined just by a counter, and that also means that we need to think about a set of affine layers.

Let's first have a look at what is not a good idea for this deterministic affine layer. In this example all affine layers are the identity. We take a look at one key bit and which bits of the state are influenced by this key bit. Obviously, after the application of the first affine layer nothing happens. After the first application of the chi layer, three bits of the state are involved. After the next affine layer, again nothing happens.
And after the application of the next chi layer one more bit is involved. So after a few rounds, in the end there are still many bits of the state which do not depend on this key bit. The generalization of this threat is non-trivial subspace trails. In the paper we showed that there exist no subspace trails over all rounds for all versions of DASTA, and we decided to split the affine layer into two parts for DASTA: we have chosen the set of affine layers as compositions of a variable bit permutation and a fixed linear layer L. We showed in the paper a technique to prove the absence of subspace trails for a fixed L, and this is invariant over all bit permutations; that's also one reason why we decided to split into these two parts.

Now we focus on the bit permutation layer and start again with an example of what should not happen. We look at the beginning of the generation of a keystream block. On the left side, in the first step, the key is permuted with P0, and in the second block the key is permuted with the bit permutation P1, which differs in just two positions. So if the first two key bits are equal, the state after the bit permutation is also still equal, and since the bit permutation is the only variable part in one round, we have a 50% chance that the state is still equal in both blocks after one round. That is something which should not happen, and especially it should not happen for all rounds. What we are looking for is the probability p that two bit permutations P0 and P1 map an x to the same value, and that's the same as the probability of a fixed point for the difference of these two bit permutations. To compute this probability we have to look at the number of cycles of the underlying permutation pi; we showed that in Lemma 1 in the paper. You see that if you have a low number of cycles, which means that M is low, then we also have a low probability that our value is mapped to itself.
Finally, we chose for DASTA the set of affine layers as the i-th power of a bit permutation P composed with a fixed linear layer L, and this leads to many advantages in the security analysis. We saw on the previous slide that for computing the probability of collisions for the bit permutations we have to compute the difference of those, and the difference of bit permutations which are powers of P is again a power of P, so that simplifies the analysis. L is constructed from a BCH code so that we obtain a large branch number, and this large branch number ensures good diffusion properties and a very low probability for linear trails. The details of this analysis are in the paper. P has many co-prime cycles, and choosing this number of cycles is a trade-off between the order of P and the probability of collisions.

We implemented the keystream generation for RASTA and DASTA for the 80- and 120-bit security levels, and the block sizes are the same for both ciphers. The block size is basically a trade-off between AND and XOR operations: the higher the block size, the fewer rounds we need, and the number of rounds is equal to the number of ANDs per bit, while the number of XOR operations is quadratic in the block size. So if we have a small block size we have fewer XOR operations, but we need more AND operations. DASTA performs about 200 to 400 times better, and that's basically because computing the bit permutation is much more efficient than evaluating the XOF plus constructing the matrix. If we look, for example, at the first version of RASTA with the smallest block size of 219, there we have six rounds, which means seven affine layers, and these seven affine layers in total already consist of over 300,000 bits which have to be computed pseudo-randomly by the XOF, just for encrypting in the end 219 bits with the cipher.
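The collision probability from Lemma 1 and the powers-of-P structure, as an added Python example (not code from the talk or the paper): a bit vector x is a fixed point of a permutation pi exactly when x is constant on every cycle of pi, so Pr[pi(x) = x] = 2^(M - n) for a permutation with M cycles on n bits. The example checks this against brute force for the two-permutations-differing-in-two-positions case from the talk, and then, for a P built from co-prime cycle lengths, finds which power k gives the worst collision probability between blocks i and i+k (their difference is P^k). The cycle lengths 3, 5, 7 and the 8-bit toy size are constructed choices, not DASTA parameters.

```python
import math
from itertools import product


def cycles(perm):
    """Decompose a permutation, given as a list mapping i -> perm[i], into cycles."""
    n = len(perm)
    seen = [False] * n
    result = []
    for start in range(n):
        if seen[start]:
            continue
        cyc, i = [], start
        while not seen[i]:
            seen[i] = True
            cyc.append(i)
            i = perm[i]
        result.append(cyc)
    return result


def inverse(perm):
    inv = [0] * len(perm)
    for i, p in enumerate(perm):
        inv[p] = i
    return inv


def compose(p, q):
    """Apply q first, then p: (p o q)[i] = p[q[i]]."""
    return [p[q[i]] for i in range(len(q))]


def power(perm, k):
    result = list(range(len(perm)))
    for _ in range(k):
        result = compose(perm, result)
    return result


def permute_bits(perm, x):
    """Bit permutation on a bit tuple: input bit i moves to position perm[i]."""
    y = [0] * len(perm)
    for i, b in enumerate(x):
        y[perm[i]] = b
    return tuple(y)


def fixed_point_probability(perm):
    """Pr_x[pi(x) = x]: x is fixed iff it is constant on each cycle of pi,
    so 2^M of the 2^n inputs are fixed points when pi has M cycles."""
    return 2.0 ** (len(cycles(perm)) - len(perm))


def brute_force_fixed_point_probability(perm):
    """Same probability by enumerating all 2^n inputs (small n only)."""
    n = len(perm)
    hits = sum(1 for x in product((0, 1), repeat=n) if permute_bits(perm, x) == x)
    return hits / 2 ** n


def collision_probability(p0, p1):
    """Pr_x[P0(x) = P1(x)], i.e. x is a fixed point of the difference P0^-1 o P1."""
    return fixed_point_probability(compose(inverse(p0), p1))


def perm_from_cycles(cycle_lengths):
    """Constructed P with disjoint cycles of the given lengths on n = sum(lengths) bits."""
    perm, start = [], 0
    for c in cycle_lengths:
        perm.extend(start + (j + 1) % c for j in range(c))
        start += c
    return perm


def cycles_of_power(cycle_lengths, k):
    """P^k splits a cycle of length c into gcd(c, k) cycles of length c / gcd(c, k)."""
    return sum(math.gcd(c, k) for c in cycle_lengths)


def worst_case_power_collision(cycle_lengths):
    """Blocks i and i+k use P^i and P^(i+k); their difference is P^k, so the
    collision probability is 2^(cycles(P^k) - n). Return the worst k in
    1..order(P)-1 together with that probability."""
    n = sum(cycle_lengths)
    order = math.lcm(*cycle_lengths)
    worst_k = max(range(1, order), key=lambda k: cycles_of_power(cycle_lengths, k))
    return worst_k, 2.0 ** (cycles_of_power(cycle_lengths, worst_k) - n)


if __name__ == "__main__":
    # The talk's bad example: P1 differs from P0 only in two positions.
    n = 8
    p0 = list(range(n))
    p1 = list(range(n))
    p1[0], p1[1] = 1, 0
    print("two permutations differing in two positions:",
          collision_probability(p0, p1), brute_force_fixed_point_probability(compose(inverse(p0), p1)))
    # Constructed P with co-prime cycle lengths 3, 5, 7 (order 105 on 15 bits).
    lengths = [3, 5, 7]
    k, pr = worst_case_power_collision(lengths)
    print(f"worst block distance k={k}: collision probability {pr}")
    print("generic distance k=1:", fixed_point_probability(perm_from_cycles(lengths)))
```

The worst distance is the one where k shares as many factors as possible with the cycle lengths, because each shared factor multiplies the number of cycles of P^k; more and longer co-prime cycles raise the order of P (more distinct affine layers before repeating) but also create more such unlucky distances, which is the trade-off mentioned above.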
That shows that this XOF leads to a really large overhead. But since on a normal PC the metric that an AND operation is more expensive than an XOR operation does not hold, the comparison is not completely fair. As mentioned in the beginning with the example of hybrid encryption, this scenario on the normal PC is also important, but more significant is the comparison in the FHE setting; therefore we implemented both ciphers in HElib. Remember that just the application of the affine layers and the chi function has to be done under FHE, but not the evaluation of the XOF, and since FHE in general is really slow, the evaluation of the XOF is now negligible. RASTA needs uniformly drawn affine layers for its security arguments, but for DASTA the security arguments are different, and this allows us to reuse some bit permutations within the generation of one keystream block. This reuse leads to some performance improvement in the FHE evaluation, while for RASTA every affine layer is different because it is generated pseudo-randomly. This advantage of reusing affine layers leads to 15 to 20 percent faster encryption in HElib for DASTA.

We see a couple of further research directions. The block sizes in RASTA are chosen very conservatively, and we just took the same ones for DASTA, but maybe they can be reduced by taking our improved security analysis into account. For the linear layer we used BCH codes, which we found most straightforward, but other code choices could also be interesting. And finally, a more structured linear layer could be considered, which could lead to better security arguments and also to performance improvements.

Let's do a quick recap of what we changed from RASTA to design DASTA. First, we replaced the nonce and block counter together with the XOF of RASTA by just the block counter, to create a deterministic approach. The affine layer is now split into two parts.
First we have the variable bit permutation determined by the block counter, and the second part of the affine layer is a fixed linear layer. The linear layer is chosen so that the branch number is large, and the bit permutations are chosen in such a way that the probability of collisions is low. Thank you for your attention.