We are regurgitating now, this is the cycling. We are good at cycling; the French called us cheats last time because we applied too much technology, but we are winning lots of medals. And Real World Crypto: there has been a little competition between Crypto and Real World Crypto. But we need you for contributed talks, sponsorship and Levchin Prize nominations. So, for those of you who don't understand any of these things, let me explain what's going on. We have contributed talks, so that's the cool thing about Real World Crypto: we vet everybody who talks, so we can guarantee you everyone is a good speaker and is talking about something really interesting. So the PC will invite people to talk at Real World Crypto, and you are able to contribute a talk or suggest a talk, and the deadline for submissions is October 1. Submissions can be full 10-page papers, or short 2-page abstracts, or presentation slides, or just an "I'm cool, can I give a talk?" type thing. We might not really take those ones seriously, but it's very personal; it's very nice to have it written on the website.
If you want to donate a shedload of money, please talk to me or Kenny or Dan Boneh and we will gladly take the money off you, okay? Quicker than you can basically say no. So please give us, we really need your money, I must stress. Otherwise poor academics are going to have to pay reasonable registration fees, and they don't like doing that. So if you're sitting next to an industrialist and you're an academic, get them to get their chequebook out now, right? Okay, but you've got something in it for you as well, because someone has put their hand in their pocket and given a shedload of money to give out as prize money. Every year Real World Crypto hands out two $10,000 prizes, which have been donated by Levchin who, if you don't know, founded PayPal and all sorts of other things. And we give it to people or teams for sustained contributions to real-world crypto or important technical contributions. So we want nominations for 2017. You can go to the website levchinprize.com and you can nominate your favourite person to win the prize, okay? Or someone else, maybe. The previous winners have been Phil Rogaway and the miTLS team, or MyTLS, however you want to pronounce it. But we're looking for more people to give money to. So not only do we take money from you, we give money out to you as well. So a big round of applause for Max Levchin for giving us the money. Okay, and you know it makes sense. You just attend. There's the programme committee. We've got a new member of the programme committee, and one of those people there is not a cryptographer. Vote for who is not the cryptographer. I don't know. Top left? Top right? Who votes top right? Bottom left is not a cryptographer. Ah, bastard.
Bottom right. Okay, someone serious. Anyway, thank you very much. New York. Oh, where? I don't know. Columbia, yeah. Okay, thank you very much.

So we're now going to have a special talk, a real-time rebuttal of a previous rump session talk, by the man who already did his little dance and now he does something.

All right. Well, thank you for giving me this opportunity to speak out of order. So as you know, recently the National Science Foundation has put in a requirement that for a postdoc you need to send a postdoc mentoring plan. And recently I got some extra experience in this. So I'm just going to give you some golden rules about postdoc training. There are not too many. First, ask him to play tennis at 7 o'clock every morning. It's very effective, it's good for your cardio, and otherwise also good for the postdoc. Ask him to publicise text messages sent to him over a private channel. This is kind of to prepare for cryptanalysis. Ask him to give funny rump session talks at the expense of his advisor. That's very much appreciated. Well, last but not least, I think I actually learned this from my own experience: ask him to save food for you during the opening receptions of crypto conferences. That's it. Thank you.

So next up will be Moti Yung, who will be representing Belgium in the ping-pong competition. At the same time, Lily Chen, please get ready.

Okay. So this is also a rebuttal. It's a rebuttal to the song that we just heard about believing in q-type assumptions and so on. Yeah. And it's a ping-pong, but a very short ping-pong game. It's about non-interactive commitment, which is essentially a primitive that emulates a public safe. You put something in the safe and then you can open it and everybody knows it's there. And it has to have the property of not "hinding", but hiding and binding. And originally it was done for a bit, or for one value.
But it makes sense to combine it with various data structures and have more complicated commitments. And there are known generalisations and extensions: concise vector commitments, that's like a lot of data committed in small values; an application is outsourced databases with queries. Polynomial commitments, where you kind of commit to a polynomial and then reveal evaluations and so on. And then accumulators, an older construction in which you can accumulate, like a hash, the accumulated results. And in all these areas there are remaining questions, which are about the efficiency and the assumptions. So a lot of the efficient implementations rely on this q-type, non-constant-size assumption, that if you query many times it's still, you know... Anyway, you heard about those beliefs before. So there are remaining questions in these areas, and they kind of look to us a little bit under the same umbrella. So we suggested a generalisation, a functional commitment, of all of them, in order to exploit all these similarities and look at it at a more abstract level, in a way that it will be helpful, and then one solution will lead to answering other questions in the related commitments. And the idea is that revealing, in the functional commitment, does not reveal the value but reveals a function of the value, and the hiding is relative to hiding the potential messages that correspond to pre-images of these values. And we consider, in particular for all these areas, this functionality for linear functions. And we have a construction of functional commitment for linear functions based on composite-order pairings. The commitment size is constant and the key size is linear. It's perfectly hiding. It's computationally binding. And constant-size assumptions, which is the important thing, to make our belief in what we are doing stronger, or the belief we care about, and therefore the results stronger. And it employs the Déjà Q framework for the proof, from Chase and Meiklejohn and us.
And this immediately leads to concise vector commitments with an O(n)-size public key, which was open in this area under these assumptions. When we look at polynomial commitments, we get the first pairing-based polynomial commitment from constant-size assumptions, when we translate this linear commitment to values of polynomials and apply the previous result. And from polynomial commitments we go to accumulators, and we get the first pairing-based construction from static assumptions. So again it strengthens our belief in the construction and relies less on, I mean, weaker assumptions. And we get accumulators that support subset queries; for certain of the data structure games we need subset queries. And it gives an extension to large-universe accumulators: a pairing-based accumulator with short inclusion witnesses, secure from constant-size assumptions again, not q-type. And this last result requires an extension of the Déjà Q framework. So now we have much more belief that you can have these data structures in the various domains based on better assumptions and better efficiency. So thank you very much. It's available on ePrint.

OK. So next up is going to be Lily Chen on behalf of NIST. And David, please get ready.

OK. So now the NIST PQC team holds the torch, the Olympic torch, coming to this room to give an announcement. So what kind of game is this? PQC, post-quantum cryptography. So NIST published a Federal Register notice on August 2, just about two weeks ago. And this announcement is to request public comments on our requirements and evaluation criteria for post-quantum cryptography standardisation. So this time is different. The game rules are a little bit different. So the Federal Register notice only has this request for public comment. The proposed requirements and evaluation criteria are on our website. So it's nist.gov slash pqcrypto. So the deadline is September 16. So OK. This is not a competition, and it's more than a competition.
So why are we saying that? Because in this standardisation the scope is not a single block cipher or a single hash function. This is about digital signatures, key establishment and public-key-based encryption. So in this we have the proposed requirements. I really would like to draw attention to the fact that in these requirements we have security definitions and we have the security strengths. The security strengths are not only the classical security strengths but also the quantum security strengths. So we would just like to know your opinion. So this is the timeline. It's about a seven-year timeline. So by the next Olympic Games we will still be in the middle of this competition, or not-a-competition. So the first step is we want to publish the formal call for proposals. So then, the first step first, we want to know what you think about these requirements. This is like a swimming pool, the swimming game: the water is deep for post-quantum cryptography. So remember the deadline is about one month from today. Thank you.

Thank you very much. So next up will be David, and Yvo, please get ready.

Thanks for the intro. So I'm going to talk to you about some of our recent work on functional encryption. This is joint work with Shashank. So we're all playing a crypto Olympic game. So Vinicius, Tom and our friends here, they're all happily competing. We're going and having fun, but then the Donald comes along and he's not happy. He's like, I didn't win. Well, what does the Donald do? Well, he goes on to his favourite messaging platform and complains that everything is rigged against him. So the question is, are the Olympic Games rigged against the Donald, and how can we help the Donald out? Well, one thing we can do is we can audit the records. Let's say all of the competitors take all of their health records and they publish them. We take a random sample of them. We check if there's any suspicious activity going on. Well, as cryptographers we're conscious about privacy.
We don't want to publish all of our health records in the clear. So let's use crypto. Let's encrypt the records. So now what has our problem reduced to? Well, the abstract formulation of our problem can be the following: how do we sample a random record from an encrypted database? This seems like it falls under the general umbrella of functional encryption. So in a functional encryption scheme, secret keys are associated with a function f, and basically, given a ciphertext, or an encryption of a message m, and a secret key for f, you apply the decryption operation and, magic, you get the function evaluated at the message. But the natural question then becomes, what happens if this function is randomized? What if this function takes in some random coins? And especially in our case, if we're trying to audit an encrypted database, we're sampling a random element, and for the integrity of the audit process it is critical that we have good randomness. So what do we do here? Well, first we have to define the notion. In a randomized functional encryption scheme, the decryption function is still going to be a deterministic process. It's going to take a message m, take a secret key for a function f that could take random coins, and the output of the decryption function actually should look like a random draw from the distribution of the function evaluated on the underlying plaintext. Moreover, if we have two messages encrypted and we apply the same decryption function, which the key got to decrypt somehow, and we apply the decryption function, this looks like two independent draws from the function evaluated on the underlying inputs. So we look at this, and the question then becomes, do functional encryption schemes for randomized functionalities exist? If we look at the setting for deterministic functionalities, it's great. We have schemes from public-key encryption all the way up to schemes using multilinear maps and indistinguishability obfuscation.
So a wide variety of constructions based on different kinds of assumptions. The story is much less rosy when we look at functional encryption schemes for randomized functionalities. In fact, we only have one construction in the public-key setting, and that's using this very powerful primitive, obfuscation. Moreover, it only achieves selective security. So the natural question that we want to ask here is, does extending functional encryption to support this richer class of functionalities, namely these randomized functionalities, necessitate that we move to much stronger assumptions such as iO? And the answer that we present in this work is no. In fact, we show a generic compiler that takes any general-purpose functional encryption scheme that works for deterministic functionalities, along with very mild number-theoretic assumptions such as DDH and RSA, and what we produce is actually a general-purpose functional encryption scheme for the full class of randomized functionalities. So I'm going to give you a very high-level overview of the construction, and the starting point of our construction is de-randomisation. We have to produce the randomness from somewhere, because ultimately we're going to use a deterministic functional encryption scheme. Where do we get the randomness from? Well, as cryptographers, we typically resort to pseudorandom functions. So we're going to put a key inside the function and basically evaluate the function using randomness derived from the PRF evaluated on the input. This is all good and all, but unfortunately, if we look at normal functional encryption schemes, the secret keys don't hide the function. In particular, the secret key is not going to hide the PRF key, and the output of the PRF is no longer random if you know what the key is. So this actually doesn't work at all. The natural solution is to secret-share the key. We're going to split the key and give some power to the encryptor.
So now there's part of the key that's built into the functionality, and part of the key supplied by the encryptor itself. If we do this, we get a little closer, but this actually, it turns out, doesn't quite work. In particular, if we get back to our original problem of trying to do an audit, the problem is that the encryptor has way too much control over how he generates the ciphertext. In particular, by influencing the choice of the key and even the random coins used to generate the ciphertext in the underlying functional encryption scheme, he can actually induce very bad distributions, and this actually destroys the security of the scheme. So it turns out that to actually get the full power of our construction, we require a few more tools, and this is where we use the algebraic assumptions. So using DDH and RSA, we use things like NIZK arguments, PRFs secure against related-key attacks, and techniques even from deterministic encryption, and this actually allows us to obtain simulation-secure randomized functional encryption from any simulation-secure deterministic functional encryption. Moreover, the key here is that the security properties of our underlying FE scheme are preserved, so we actually get the first adaptively secure functional encryption scheme for randomized functionalities. Thank you, and our paper is available on ePrint.

Next up, representing the Time Lords, will be Yvo Desmedt.

So what happened is that Kenny told me and said, well, if you're giving a rump session talk, it has to be about the Olympic Games, and it turned out that just a few days ago, I was talking to my friends from Japan, and they said we should move Crypto to Tokyo, because in four years' time the Olympic Games will be in Tokyo, and then all the people from Crypto can attend the Olympic Games. So I thought, yeah, but there are no Olympic Games in Santa Barbara, so why actually tie the rump session to the Olympic Games?
And then I remembered, there used to be Olympic Games in Santa Barbara, and some of you may remember this. And so the question is, is this a joke, or is this a true story? And I see some people on the front row say, oh yes, we remember this, yes. This is actually a picture of how UCSB used to look, and if you look carefully, you actually see the hall, Anacapa Hall, there in the back, and so that's how it was transformed. Now did any of us see that? No, because when we arrived, all this was demolished. Okay? And so there is an official report; it says official report, you can clearly see that. Let me find the pointer here, yeah, official report, sorry. You see official report; these things are on the battery anyway. So it says UCSB was used to house more than 800 rowing, canoeing and kayaking athletes, et cetera. And UCSB was a complete village in terms of the services provided. And it's amazing. If I were given 20 minutes here, I could give a whole talk, and all the slides that are on there, it's incredible. You see the campus in a way you have never seen, so go there and look at it, it's really incredible. So what the heck is the link to crypto? Soon afterwards, Crypto 1984 took place at UCSB. Now what happened is that Air France was very smart. All the tickets that you tried to buy in Europe to fly to Santa Barbara, Air France had the monopoly on that. The price it cost was the same as flying from Paris to Los Angeles, okay? So if you wanted to fly from LA to here and you bought your ticket in Europe, yeah, it was crazy expensive. And there's a long story; this is just the short version. So yes, it was very interesting coming here and people telling you, oh, you know, just recently the Olympics were here. And yeah, they used to be there. Now it's even more crazy. Do you know that 1984 was that long a time ago? Now you think I made a mistake? Some people in the first row saw it. This is binary: 32. But I think that we should change.
And we as computer scientists should advocate binary anniversaries. Why? So we should switch to binary birthdays, because what happens is that if you switch to binary birthdays, then you have exponentially fast vanishing birthdays. Who remembers, basically, the... yeah, the battle of Waterloo, okay? When, what day was it? And what year? Ah, most people don't remember it. But people remember the end of World War II, yeah. And the next generation, yeah, maybe they will no longer remember it. So depending on the importance, you will remember it. And by having exponentially fast vanishing birthdays, they will automatically become irrelevant, okay? So who will remember the next time? That means in an extra 32 years, 64 years after the event of the Olympic Games. Who will talk about the Olympic Games in Santa Barbara? Maybe nobody. But anyway, Kenny, thanks for this inspiration. I think it was a great time to do it, exactly so many years after the Olympic Games. Talk about it in the next session. Thank you.

Next up is Susan Langford, and Alex, please get ready. Susan?

All right, I'm here today to talk to you about Derived Unique Key Per Transaction, officially pronounced "duck-put". And I promise you that I will try to make this talk exactly as exciting as watching our duck's favourite Olympic sport, golf. So DUKPT is a symmetric key derivation protocol that was developed for payment terminals. And the idea is that you have perfect forward secrecy in the terminal. When somebody quietly walks away with the terminal from Walmart, they don't steal anything of value. You don't have perfect forward secrecy at the server. You have one key that lets the server talk to up to 10,000 point-of-sale terminals at a time. Now, it was originally developed in the 1980s for single DES. It was then kind of hacked to make it work for triple DES. And now the ANSI X9F6 financial subcommittee is actually trying to clean it up and make it use AES in a secure way.
I'm sure that at this point in the evening all of you really want to go over formulas, right? Yeah, all right. It's a tree-based key derivation scheme. Please read the paper if you care. Again, at the terminal, you keep parts of the tree. You throw away keys as you use them. So what did we change as we modernized this? Well, some of it was just pure cleanup. There was a very lovely 21-bit counter that the programmers just adored. We got rid of that. It's a 32-bit counter, byte-aligned. It's a lovely thing. We also, and this is the most important part and the reason we want people to look at this, cleaned up the key derivation. Our key derivation is now based on the NIST SP 800-108 key derivation technique. We use the counter mode. However, as you can see from the very high-level description I've given you, we do a huge amount of key derivations for every transaction, and every transaction is 8 bytes, 100 bytes max. This is a lot of key derivations. Therefore, instead of using HMAC or even CMAC as the pseudorandom function, we are actually proposing the use of ECB. Now, we understand ECB is not a pseudorandom function. It is a pseudorandom permutation. However, we note that CMAC is also a pseudorandom permutation when your key derivation data is a single block, which is what we are using. So we cannot see any security problem with using ECB in this function, but that is why we come to you and say, please look at this. Have we missed something? Is there something else we could do? This is almost two times faster to do it this way, and when you're talking about 15 key derivations for 8 bytes of data, that's a significant performance impact. So we also have a fun re-keying option, that you could use the last key to send in more keys, because people are encrypting credit cards now. Where we were only encrypting PINs, the life of a PIN pad was very long. With credit cards, it's a lot of transactions.
So, that's another thing we'd like some feedback on: is that a good idea? So, this spec is not quite finished. We will be putting it out on the web as soon as we get our ducks in a row. This is probably going to be a few weeks to a month from now, but no guarantees; you know how standards bodies work. The x9.org website will have a copy of this document. If you're interested and you have any problems, email me and I will tell you where it is, or put you on the list and notify you when we get it out and get it in a place where you can find it. So, thanks.

So, the next speaker will be Alex. His favourite sport is tug-of-war. And Hilarie, please get ready.

So, apparently tug-of-war actually was an Olympic sport back in the day, which I think summarizes multilinear maps very well. So, I'll be presenting, if this thing works, a benchmark on multilinear map applications. This is joint work with a lot of different people. So, first I'll mention that this comes out of the DARPA SafeWare project, which is a program funded by DARPA to study cryptographic program obfuscation and the tools used to develop obfuscation, such as multilinear maps. So, the goal here is to understand the security, improve the runtimes as best we can, and more information can be found here. So, the goal with these benchmarks is to better understand the concrete security of multilinear maps and their applications. So, what's the required effort for the known practical attacks, and what are the security parameter implications of these attacks? So, the mechanism of this benchmark is that we'll release a bunch of challenges and information on how these challenges were created. And the goal of a participant is to recover the secret. And we'll accept any submission that demonstrates recovery, and we'll also rank the submissions by their efficiency and have a leaderboard for the most efficient breaks. So, the first benchmark is order-revealing encryption.
So, the basic idea here is you have a data owner who encrypts a bunch of plaintexts, and any user can compare the plaintexts just using the ciphertexts and shouldn't be able to learn anything else. So, for this benchmark, we'll release 10 ciphertexts and the public parameters used to be able to compare the ciphertexts. And the goal of an attacker is to recover a single plaintext. The second benchmark is obfuscation, in particular point-function obfuscation. So, here a data owner in some sense encrypts a plaintext, and a user can check equality or inequality to that plaintext. So, the benchmark here is an obfuscation of some function f where f(x) equals 1 for all inputs but one. And the goal is to recover the x such that f(x) equals 0. So, in order to win, you have to, of course, satisfy the requirements of the benchmark. You have to break the scheme. You have to make the attack code publicly available to us. We want to build a repository of the known attacks. And we also want to reproduce the attacks on a reference platform so we can get some normalized running time of the break. And we also require that you submit by the end of the year, although that can change depending on how the benchmark is going. And we don't actually know what you'll win now, but it's some type of recognition or award from DARPA, anything from a t-shirt to a plaque to money. We're still deciding that. So, some more details about these two benchmarks. So, the first one is ORE. We consider two multilinear maps: GGHLite, which is based on GGH13, and CLT13. And for GGHLite, we consider a security parameter of 40. And here what we mean is lambda bits of security: it should take an attacker 2 to the lambda clock cycles to break. These schemes have known attacks, so it will be quicker than that. So, yeah, we have GGHLite at 40 bits of security, CLT at 80 bits of security, and the same for the point-function case, when we set the size of the point to the security parameter.
Because these sizes are quite large, I don't expect people to be downloading these from the internet, so I have USB keys available for anyone who's interested. I have, I think, 15 or so, so don't use this as an opportunity to get a free 128-gigabyte USB key, but use it as an opportunity to break these schemes. More details: this is based on a framework that we developed that's going to be published at CCS. It's fully open source if you want to play with it. And the most important slide, because this has a website that has a lot more information, and an email address that you can use to send us questions, comments, concerns, anything, and the entries if you ever break one. And that's it. Thanks.

Thank you. So, next up will be Hilarie Orman. She chose a very specific Olympic discipline, namely the discipline of quilting. So, well, Hilarie?

OK, well, I don't think that quilting is an Olympic event, but this is more about memory than quilting. And I think that the original Greeks at the time of the Olympic Games would, if they could see forward, be very impressed with the athletics right now, but they would be baffled at how bad we are at memorizing anything. I'm a normal computer user. I have a couple of hundred passwords. They're probably even too short by today's standards. I should go back and make them all longer. How in the world can you memorize passwords of that length? Well, we should go back to the way the ancient Greeks did it. They had very good memories. Human memory is excellent; it's just kind of hard to control it. So, if you want to know about memory championships, which I really think should be in the Olympics, this book, Moonwalking with Einstein, explains a lot about it. So, I had an experience here at UCSB. I was looking at the bedspreads in the dorm, which I think are particularly unattractive and I've seen them a million times, and this is what it looks like. But for some reason, when I saw it, I thought it was a beautiful thing, actually.
It's got these squares. It's got these extensions. It illustrates the formula (n + 1)^2 = n^2 + 2n + 1. I mean, it's got all sorts of things going on with it, and I found that the next day I perfectly remembered this unmemorable design. So, I had a way of describing it. There are ways of describing geometric things, but what I came up with on this was: I have a three-square, I've got a five-L, I've got a seven-L, I've got 14 dominoes and a two-square. And I googled this and it turns out that it doesn't correspond to anything on the internet. So, this is a way of generating fairly long passwords. What I like about it is I don't have that character string in my memory. I have not sub-vocalized it at all. What I have is the image, and the image leads to the password. So, I propose this as a possible method for being able to enter into real password memorization, which seems to be with us forever. Can you get enough unique passwords from this? I'm not sure, but it is an exponential problem. I think if you go up to around somewhere under 15 by 15, you probably can get enough tessellations and variations on it, especially if you preserve the diagonal symmetry. I propose that security conferences have password memorization contests so that people can come up with more methods like this.

Next up will be Yu Sasaki. Vladimir, please get ready.

I'd like to talk about our new impossible differential search tool, and this is joint work with my colleague Yosuke Todo. At first, we thought that we had made big results, huge results, like Titanic results, but we have to report some research collision later in the talk. So, impossible differential is a cryptanalysis approach for block ciphers, and at its core, attackers need to find an input difference and an output difference that can't be connected, so an impossible differential propagation. So, how to find such impossible differentials?
The previous work propagates the input difference in the forward direction and, at the same time, propagates the output difference in the backward direction, and tries to find some contradiction in the middle. The approach is called miss-in-the-middle. This approach has several issues to be improved. First, the attackers need to encode some contradicting reasons in advance, which is sometimes difficult. Many of the previous works are S-box-wise analyses; they didn't consider inside the S-box due to some technical difficulties. Attackers need to write code to evaluate the impossible differential, just for evaluating the possible differential, which is time-consuming. So, in this talk, with our tool, we want to solve everything, so the result is very good. First, our search tool can find any contradicting reason, and our tool can look inside the S-box, and we can prove the maximum length of the impossible differential by assuming the environment with some assumptions. The design is universal. I mean, the tool for the impossible differential can change to standard differential or linear with a slight modification. So, the runtime is fast, like one hour per algorithm, so it is very fast, as fast as Usain Bolt. The tool can be applied to many ciphers, so it's as versatile as Kohei Uchimura, and the application results are so strong, as strong as Teddy Riner, and the tool is going to be as legendary as Michael Phelps. So, what's the idea behind it? So, the tool is based on differential/linear bound search with mixed integer linear programming. In the previous bound search, the input to the tool is a cipher's specification, and then the MILP's output is a lower bound on the number of active S-boxes. So, in this search, we additionally specify the input difference and output difference, then run the MILP tool. So, the tool sometimes returns an error, which means the system is infeasible. That means delta-in and delta-out do not have any solution, so they are impossible.
So, by testing all the input and output differences, we can exhaustively search all impossible differentials. And here is the table for the application results, and as you can see, the number of impossible differential distinguishers was improved for many ciphers. In particular, we could analyse ciphers with 8-bit S-boxes. And we can prove the maximum length of impossible differentials. I don't go into the details there. I don't explain the technical details, but I just wanted to say a lot of ciphers are evaluated here. But then some tragedy occurred. So, we started this research from May 28, and the research proceeded at a good pace. But on July 11, a paper appeared on ePrint. The title is "New Automatic Search Tool for Impossible Differentials", from a Chinese team. So, this is a collision on the research topic. Actually, I read the paper, and this is a very good paper, so I recommend everyone to read it. But I just wanted to make a comparison. So, the two researches use exactly the same idea and the same basics. They have several of their own advantages. For example, the ePrint paper extends the tool to ARX, or zero-correlation analysis, and they found some impossible distinguishers on the HIGHT block cipher. Well, we have strong applications, and we propose some techniques to analyze it with the S-box. So, in conclusion, actually I can see some research collision, but the impact seems not so big. So, I hope that the two research groups have good futures, and I hope such a happy end for our Titanic story. Thank you for your attention.

I'm not sure whether iceberg hitting is really an Olympic discipline, but... So, next up will be Vladimir Soukharev. After that, Adi, please get ready for the very last talk. So, this will be the penultimate one. Vladimir, please.

Hello everyone. Just a quick pre-story.
I prepared my slides before the submission was actually due, and then all of a sudden I read that there is supposed to be an Olympic theme, and I started thinking about it. Well, what should I do? And I realized our founder, Taher Elgamal, has actually taken care of it, because if you look at our logo, it has two of the Olympic rings. So, I was set there. And so, now we can go to actual crypto here. So, some challenges that we can sort of see nowadays: one of them is vulnerability due to the lack of diversification. So, one attack can be widely devastating if, you know, there's a lot of systems that are working on the same... using the same cryptosystems. It's easier for adversaries to concentrate on one scheme. So, fewer schemes, more concentration for adversaries per scheme. And so, just the natural higher probability of being attacked. So, what is the solution? Well, we use cryptographic agility. So, easily changeable cryptography, custom cryptography, and then combination of cryptography, so we can construct schemes and make them unique for each big organization or even a country. Another threat that is coming up, of course, is going to be quantum attacks. And as we know, all asymmetric crypto that is currently being standardized is going to be broken. And what is safely encrypted today will be broken successfully tomorrow using quantum computers. And if we need long-living secrets, then we're in trouble. And the future, I mean, is fairly near, maybe 15, 20 years. And the solution, of course, is post-quantum cryptography. And there are different approaches. But at some point it was said that ECC is gone. But no, it's not actually gone. If we use isogeny-based supersingular elliptic curves, then ECC survives. And we can reuse a lot of libraries and use them for our future implementations of isogeny-based cryptosystems. All right? Thank you.

Thank you.
Now, time for the very last talk of this rump session, which apparently is a discipline which has something to do with smart and something to do with screwing. So I'm worried a little bit. Adi, please, go ahead.

Something is screwed up. Going back. Okay. This is joint work with Eyal Ronen and Achi-Or Weingarten. And as you know, one of the hottest buzzwords today is the Internet of Things. And if you look at which Internet of Things have been selling reasonably well, smart lights, and especially the smart lights made by Philips, are the biggest sellers. I've been trying to find out exactly how many smart lights Philips has sold. I couldn't find any reliable figures, but I assume that they sold at least hundreds of thousands of them so far in the last three years. Okay. So this is the Philips Hue system. And of course, Philips is one of the world's largest corporations and they employ thousands of engineers. That's a hint to the number that solves the puzzle in the title. And we decided to test the actual security of the system. So I'll give you a crash course of one minute about what's involved. Each installed light that you screw into the socket is connected to a central controller wirelessly using a protocol which is very important in IoT. That's probably one of the main protocols that will be in use. It's called ZigBee. And the ZigBee Light Link, ZLL, which by the way in Israel means dead, that's a different story, is enabling the controller to send instructions to the smart light. The light controller itself is connected to your secure home office WiFi network, or you can also connect it through a wire, and you use your smartphone in order to issue instructions. You can ask each light to turn on or off, or to increase or decrease the intensity, or change the color, etc. Very nice and convenient system. Now how about the security?
It uses all kinds of clever cryptographic schemes, looks solid. In particular, the way you initialize it and associate it with a particular controller is to bring the controller to within 10 to 20 centimeters from the smart light; otherwise, from further away, it's not supposed to obey any instructions. This is only initially. After it has been paired together with the controller, you can move the controller to a different room and still control the smart light. So they have this proximity test, and of course you can try to overcome it from far away by using a very strong signal, because the signal decays quadratically; once you get to 100 meters away there's no chance that you'll have enough power in order to overcome this proximity test. But as we heard yesterday in the invited talk by Brian Sniffen, implementers will skip all imaginable checks, and we actually found an amazing bug. It may be the first zero-day bug. Do I hear anyone wanting to buy zero-day bugs here? No. One million bitcoins. So what did we do? We bought a very cheap ZigBee evaluation kit. It costs a few dollars and it weighs only a few grams. Here you can see somebody holding the evaluation kit, and this is the computer science department at the Weizmann Institute, and we are actually having fun taking over all the smart lights in the computer science building. But this was not fair enough. We wanted the harder challenge, so we went to one of the most famous buildings in Israel. This is a building which has the highest concentration of cyber security companies in Israel, maybe in the world. It has the RSA company, EMC, Oracle. The Israeli CERT, by the way, is just next door. They are responsible for cyber security protecting the whole of Israel. So what we did was to use a quadcopter. We tied our attack kit, which weighs only a few grams, underneath, and we started our attack from 400 meters away, and the next movie will show you what we did. So watch carefully.
As soon as you see lights in that building starting to flicker, it means that we are taking over all the lights in that building. And let's run the movie. You will start by having a view of the drone on the ground, then later on we will switch to the view of the drone's camera. We are taking off and we are hundreds of meters away from that building, about 400 meters away, and you will see that some of the lights will start flickering already. We are flying along the railway line, approaching this building, and the lights are all obeying our instructions, and if you look very carefully, those of you who know Morse code will immediately realise that this is... S-O-S. We are being hijacked. All the lights in that building are doing this. Okay, I thought about bringing the drone here and flying over Santa Barbara. I have no idea how many smart lights, Philips smart lights, are installed by Santa Barbara residents, but within a couple of hours I could probably disable all of them just by flying the drone around. We informed Philips about it and they confirmed that the bug is real and they thanked us, and now they are scratching their heads about how to fix the problem with this huge number of installed devices. So this is a warning sign about the security of IoT devices. Thank you.

Thank you very much. So that concludes the rump session, but I would like to take this opportunity to thank various people. So first of all the speakers for, I think, contributing some very excellent talks and very funny ones as well. Secondly, the people at the front and at the back from the AV systems for their excellent help with making sure that everything went smoothly. Brian LaMacchia, the general chair, for setting out also the extra room. And then Jo-Wen for getting me some tea. And I'd like to thank Martin for being such an excellent senior vice presidential Olympic rump session committee member. Thank you. I'd like to thank you as well.
And we'll be looking for new rump session chairs next year because we're done. Thanks a lot. Hope you had a good time. See you next year. Thank you.