In the last 24 seconds before the official beginning of the long session we can demonstrate that we have the very low quality, appropriate, noise maker to make sure that the speakers stay on time. Can I make a demonstration? And in general we also welcome the audience to help us with clapping to make sure that the speakers stay on time. Now, is it time? It is time. Okay, so welcome to the FSE 2013 rump session. For those of you who have computers, you can see on fse.2013.rump.co.io the schedule. For those of you who don't or just want to pay attention, there's an on deck. If you're listed as on deck you are the next person to talk. And so make sure to come up to the stage so you can quickly jump in and give yourselves. Without further ado, the first speaker will be Bart Preneel, who among his many other jobs is also the president of the International Association for Cryptologic Research. And he's going to tell us about the ISDF.

Anybody hear me? Is it better? Good. So by the way, I'm not even sure that that has a driver's license. We probably don't even have a valid date. This is something to think about over a period of time. Okay. So my name is Bart Preneel. I'm president of the IACR. IACR stands for International Association for Cryptologic Research. It's a non-profit organization registered in the U.S. which has called to pass theory and practice in cryptology. And IACR is run by a board of elected directors and officers. And we are all volunteers, so nobody of us is paid for their time or efforts. And in most cases also we come to the competency events, all of our own expenses, the expenses of our employers. So it's a democracy, so there are elections every year. And in addition to elected board members, there are also several representatives and appointed board members. And representatives in particular of the Asiacrypt, PKC, FSE, CHES and TCC committees, and I also have the pleasure to serve as FSE representative. So I'm representing you also on the board of IACR.
To deliver three flagship conferences, you're probably well familiar with them, four workshops, the Journal of Cryptology and the Newsletter. The Reading Room at Springer Railroad, we'll come back to this. We have an archive of past proceedings. We also have the well-known ePrint archive and the fellows program. So I will not go into all of this in detail, I'll just give you the executive version. If you want the long version of this presentation, I would say come to Eurocrypt, Crypto, Asiacrypt and attend the IACR membership meeting. I only get 15 minutes here, so it's not enough to bring you to all those things. So here you see the board, so we have four officers, which I'm currently serving as vice-president. Martin Statham as secretary, I think there was a stretcher of nine elected directors and we should have Della Tombers and Amal Nisanskaya as the newly elected directors for 2013 for three years while Tom is already serving on the board since the early 80s. So we also have appointees. I will not go into the list, but you can look at the names. The changes are going to be appointed, of course, the general chairs of Eurocrypt, Crypto, Asiacrypt of next year and also we have a new representative of the Asiacrypt Steering Committee, Statham over the top from Stormo Matsumoto. So membership, so by attending FSE, unless you've done special efforts to cross the boxes which we make difficult to find, you become actually a member of the IACR, not for 2030 but for 2014 and so if you attend an IACR event in 2012 you become a member of 2013 and this is quite complex but it's hard to change because of our election rules and some other things. So we keep it like this, if you would still like to become a member of IACR in 2013 you can just go to the website and pay by credit card a fee which is $88 for regular members and $44 for a student. So as you see our membership is about 1600 and we have close to 400 students. So FSE is run by the Steering Committee.
You don't get the full slide but I'll help you decipher it, decipher the challenge for this afternoon. So FSE is quite an old workshop, in fact I'm one of the co-founders in 1993 and in mid-year started actually steering committee and also in I think 1999 or 2000 FSE became an IACR sponsored workshop which essentially means that the financial risk for FSE is taken by the IACR and more or less FSE also follows guidelines easily by the IACR. The Steering Committee used to be at first the permanent committee but now we have people with three year terms and so this is the current composition of the Steering Committee. And so Vincent Rijmen acts as chair and he sent me all your regards and apologies. He couldn't make it here because of his busy teaching schedule I mean the second semester. The last name is Matt Roche who moves to the US. So at this moment I would like to express my thanks to the organizers of this event so the IACR and the FSE Steering Committee is very pleased to be a volunteer to do all the hard work. So first of course we have an organization of such a conference. If you've ever done this you will know it's quite hard work for a long term preparation. I'm quite sure that Thomas has been discussing here and you're a lot with the hotel here. You have to get all our hotels. It's a whole long process. In particular it gets more tight in the last months and especially the last weeks and the stress increases and then of course in the end as you can see everything goes well because it does an excellent job. I also know they have a great team behind them and in the end there's a possibility to rest with those two people and so I would like to take the opportunity to thank Cangua and Thomas Peyrin for their efforts as general co-chair of FSE for making it a great event. So Thomas I think you can start walking already so you'll be here all the time to get your plaque. Two plaques. I hope both are here. So the plaques read: the IACR
gratefully acknowledges Thomas Peyrin and Cangua for his contribution to the worldwide community with role as general co-chair of FSE 2013. Congratulations and again thank you very much for all your efforts. So for Knights and Fairways, for great banquets and great lunches we actually also come for a scientific program and this program is selected by program committee and the hardest work there is being program chair. The program chair has to put together this committee and then has to kind of herd the cats, try to get the reviews in on time, try to get to decisions and then in the end also here has to make sure that the recession and everything is smoothly organized and so I think we can all agree that she did an excellent job and so for this reason also the IACR and the FSE committee want to thank her. The plaque reads: the IACR gratefully acknowledges Shiho Moriai for her contribution to the worldwide community through her role as program chair of FSE 2013. Thank you very much. So time is running quickly. We'll get more details on this later. So FSE 2014 will be in London, in the UK. This is still tentative because there has been no vote yet on the IACR board because the IACR takes financial liability and looks at the proposal. This has not happened yet. The proposal was just approved but you can expect official approval in the following week. Say by the beginning of April it will be an official announcement but at least this is what's being decided by the steering committee and so Christian will update at the end of the session. So who has heard of the IACR reading room? Who has never heard of this? You've all heard of this. We can be brief then. There is good news and bad news. The bad news is it will be stopped. The good news is something better will come in place. But we're still working on this so for now if you want to get access apparently many people in the room know about it so I can be very quick and don't spend too much time on this.
So you can go to the IACR website, get a talk and then go to Springer and then you have access to all our great content which includes the Journal of Cryptology, all the past FSEs, Cryptos and whatever. So for the last year the IACR board has been working very hard in publications because our publication contract was expiring. Publications are very complex and I don't have time to go into all the elements but there is of course the design and archival. There is a scientific element of having a formal publisher. Most of us have bosses who want us to publish in serious venues and not on pieces of paper or just on the website. There are also some organizations that care a lot about impact factors, indexing and citations. If you don't know what those things are you're a very lucky person. If you do and I guess you know it's very important then you cannot just put papers on the web page when you may actually not be evaluated correctly by someone and say, be in Congress. And something else of course is you want a single source. And so there are also many positions of point of views. You have IACR authors, you have IACR members and then you have the broader community. I mean generally you want to try to make as much information as possible available to the broader community in the IACR authors. It's more or less the thing we have to balance because we believe that broader dissemination is also for the benefit of the authors. On the other hand, we could just put things on our web page but then they probably would not get credit in citations and so on. If there is no formal publisher. So this is more or less the tension we have to deal with. So the good news is that a few months ago we signed a new contract with Springer for four years. And here are the changes. It's important for authors but also for readers. So I'll have three perspectives for authors. One is the official versions of your paper and we'll have the exact official footnotes for that.
One is the Springer version which is the version which is as today available in the Springer's library but access to Springer will go to a login at the IACR site. It will be the difference. When you log in at IACR then you get access to Springer. We hope to put this in place in the next few months. Then there will be the IACR version which is the version which you submit to the proceedings and in fact afterwards you can change it so it looks more like a Springer version. But what you cannot change is the footnote which is specific, different between the Springer version and the IACR version. You will also now be encouraged to upload your paper immediately to ePrint. If you don't do it, we'll do it for you. But we prefer you to do it for technical reasons because Springer doesn't want that all the FSE papers have the same consecutive numbers on ePrint. So you should randomize this a bit. Who is faster on ePrint? That's the case. This is going to introduce a new competition: FSE paper with the lowest ePrint number of that year. So copyright form will allow reuse for thesis pictures. Then if you have later revisions there will also be a footnote which you have to use. To either say this is still copyright IACR or this is more than 25%, you can say this is based on or this is an evolution of it. And of course IACR has no copyright on major revisions. This footnote will be in the new copyright statement. It should be on the website by the end of the month. So as members and conference attendees you'll have access to all IACR copies on Springer. So actually for FSE this is automatic. This also will be the case for FSE for the rest of the conference. But for all the other conferences you will be at the conference website or on Springer's website. We can freely distribute the print PDF. We can also distribute the individual papers. So you have to cut it yourself or hire someone to do this for you or get them one by one at Springer's website.
Don't ask me why but those details are for Springer very important. We didn't complete the development but we discussed weeks and weeks about this. So get the access. So Springer, in fact if you want the paper you go to ePrint. All our papers from 2013 will be on ePrint. It's where you can find all the versions. All our support more versions of a paper or in a more visible way. In the IACR archive you'll get all papers from up to 2000 onwards which are older than two years. The IACR archive will always be two years behind. And then finally Springer's website all IACR papers older than four years will become public for everybody in the whole world. Plus they will open up the whole past. So in fact in the next weeks or months all the whole IACR papers which are at least four years old will be openly available to anybody on Springer's website. If we stop the contract in four years they will lock every whole content back up. So please download, download, download. But if you come to it they will never lock up again. So it's a one-way function. If everything is published after 2013 even if you break the contract it will never go back behind their books. It's not perfect but I think we are way better than we were ten years ago and so it requires some efforts from you and from the IACR so it will take about six months to implement all of these systems but you also will have to do some effort to take into account our new rules. If you have questions come and see. I'm not allowed to put the contract online but I can tell you everything which is in there. So publications opt in for paper proceedings are already currently opt in so you will not get a book anymore unless you pay extra for it. From cryptology I want to encourage you to opt out. So please go to the IACR website if you don't want those pieces of dead wood go there and save the IACR money. In the end you can use this to reduce membership. So this is my one but last slide so I think I will not get the noise to stop me.
So flagship conferences: there was an encouragement to program chairs to accept more papers and if you serve on the committee you should be aware of this and I think you will also see this. I think Asia could be closer to 30-30 something. I think they now more 40-40 something and there is some encouragement to go further. We are also working on a discussion forum on ICR.org. There are new ethical guidelines for authors and reviewers in case you wonder what your rights and duties are and sometimes there are problems, people actually violate these rules and for this reason we have written them down so if you have doubts you can actually go there and look at what we expect from authors and reviewers and as you see here everything is being recorded but of course only with for example supervision and so the new copyright form will also require a license probably to distribute the slides and the video and you will be able to of course reduce this. So if you have further questions about IACR just ask me. I have just one announcement only for local people so I will come back to Singapore in two and a half weeks. I will perform with my band on the Esplanade Thursday 4 April 8 p.m. so you are all warmly invited to come back to Singapore. Thank you.

So one request for the speaker: whenever you are done advance the slides to pass the slide so we have a chance to see who is the next speaker and who is going to be our next guest next. Now the next talk is a new surprise from the chair of FSE and the topic is statistics and best paper award.

Okay I talk about FSE 2 I talk about FSE 2 and I am studying as a statistics and we will have later we will have best paper award ceremony. Okay we have we received 97 submissions from 24 countries.
Now we receive the largest number of submissions from China and the top 5 submission numbers top 5 submission number countries are China, France, Japan, Singapore and Korea. And regarding the number of accepted papers, top 3 countries are France, Belgium and UK. And this graph shows the statistics by country, the number of authors in submitted papers. The top 5 countries are China, France, Korea, Japan and Germany and I think Asian power is coming there. And this graph shows the number of submissions. We open the submission server on October 8 and the deadline was November 12 and that's a timing of one week before the one week before the deadline we only have we receive the less than 10 submissions and that's a timing of 14 hours before the deadline we had only 43 submissions. I was so impatient. During the last 14 hours the number of submissions doubled and finally we received 100 submissions. Thank you very much for your contributions. And I'd like to talk about the time difference for them. Our submission deadline was November 12, 5 o'clock in the afternoon in Japan Standard Time, JST. By the way Japan Standard Time is generated and disseminated by NICT, my organization. And this is an email box at that time. Oh my god, email box during the deadline time. I suffered a DoS attack from the submission server and I received never ending emails notifying re-submission, re-submission, re-submission and even after 5 o'clock I received many re-submission emails and I waited half an hour until the email stopped and the process started. I received other kinds of emails after that, for example: I am from China, when I submitted the submission system this afternoon unfortunately the submission system has been closed because the submission deadline has passed, previously I thought that the submission deadline was Beijing time, I did not notice the time difference. Wow. I received another email saying another email saying I just found out that we couldn't upload the link last version of our
paper and that the website closed, I apparently missed one hour in my time conversion. Wow. I received another email saying that I was expecting the FSE submission still open for this hour and was surprised to find it already closed. And so after I received another email saying I realized now that time zones in Japan and Singapore one hour apart, this is my confusion. And I received: while updating the submission access in the last minutes the server was closed, we greatly appreciate if you kindly remember. So please be careful time difference. Paper reviewing: the paper review was done by 21 PC members and more than 90 external reviewers. Thank you very much. And in total they delivered 37 reviews and each submission was reviewed at least 3 program committee members and submission by program committee members received at least 5 reviews and in total we accepted 31 papers among 97 submissions. The accepted rate was 32 and here two papers were merged into one and the four papers were improved in the process of shepherding. So I'd like to talk about the best papers. The Journal of Cryptology is now soliciting soliciting a few good papers from the top cryptographic companies and with the program committee of FSE selected two papers for Journal of Cryptology solicitation. One paper is On Weak Keys and Forgery Attacks for Polynomial-based MAC Schemes by Gordon Procter and the other paper is Reflection Cryptanalysis of PRINCE-like by Hadi Soleimany, Céline Blondeau, Xiaoli Yu, Wenling Wu, Kaisa Nyberg they sent a young friend one. Congratulations. And I'd like to move on to the FSE two thousands are setting best papers. It goes to On Weak Keys and Forgery Attacks against Polynomial-based MAC Schemes by Gordon Procter and Carlos Cid. Gordon would you come up on the stage. This paper awards: the program committee of FSE 2013 is glad to present the best paper award of the conference to Gordon Procter and Carlos Cid for their contribution titled On Weak Keys and Forgery Attacks against polynomial
based MAC schemes.

So next Sasaki-san will tell us about fault analysis with coupon collector's trouble.

This is you Sasaki, this is joint work with with Yan and Hikaru and Kazuro are the hardware guys from the university and inside the channel are analysis with coupon collector's program. So first I'd like to introduce what the coupon collector's problem, but I hope it's well known, but anyway for coupons inside the box for each coupon drawing event one random coupon is obtained and after the event you will read the coupon in the box again. So one simple question is how many events are expected to complete. So this is called coupon collector's program but it is well known that the expected value is n log n and this problem can be applied to the fault attack. So what is the motivation, why we apply coupon collector's problem to the fault attack? The motivation is because it is fun but as a by-product the function for the fault injection can be more realistic. So when you inject the fault the noise may occur but we can still recover the key even with a noise. So I'd like to introduce the AES but I think everyone knows so just two notes: key and the big square arms are swapped here and I give the detailed description of that right key in the last round. So this is the concept, differential fault analysis proposed by Phan and Yen and in 2006. So the same correct is again in 256 times, for each time the attacker tries to inject the fault at the beginning of the same round at one byte so he wants to collect all values at one byte so that denoted by 8 is the constant. I think everyone knows the integral property so this old property will be preserved at the last state of the round 9. Then how to recover the key? So the last round is described here, the attacker gets the last round sub-key K10 run byte 1 guess that 4 bytes and decrypt all 256 texts up to here and because all bytes take all these key values so you can recognize the correct key. So the probability that the random choice the random wrong key
will satisfy this property described by this equation which is really 0 so the correct key is recommend. So this is the previous idea and actually the key propose an improvement of the 280 VA so he showed that 256 values are not necessary so collecting only alpha is enough and if you guess the key, if the guess is correct then you will observe alpha decimated values at this state and the probability is not so big. Actually the key shows that the probability is smaller than 2 to the minus 32 for alpha equal to 45, that means the key is reduced to 1. Okay, the previous theory is assumed that unintended fault never occurs but in practice we intended for the byte positions but it may be injected in different byte positions or it may affect several byte positions but still we can recover the key. So that's the idea, this is the idea. So we have 2 parameters, one alpha is the number of these divided by 4 values and the other is n so the total number of text to be analyzed and for the correct guess you will observe at least alpha decimated values due to the correct text and what's the probability of this event? Actually this is equivalent to the coupon collector's problem. So suppose alpha is 256 so now there are 256 coupons, for each for each guess you will apply partial decryption and it will take some value of 256 possibilities so this is draw one coupon and you will repeat this for all texts so draw a coupon in time and if all coupons are completed then the guess is right key candidate otherwise the guess is wrong so you can reduce the key space. And actually we evaluated in a precise way and I only did the details but we obtained some results. Ok so this is the conclusion, so we generalize this 2-way DFS so that the noise for the injection can be extracted and we did the probability estimation with the coupon collector's problem and the paper will appear at Financial Crypto and we are very welcome or any suggestions or comments in the feedback. Thank you for your
attention.

Ok next up if I need an image we will talk about work with CLEFIA-128.

So we try to apply the complementation property, the general complementation property that I talked about yesterday, to the block cipher CLEFIA-128 which is a 4-branch generalized Feistel cipher with 128 bit key. It has 18 rounds and the important thing is the Feistel round: first it has XOR of the sub key followed by some brand transformation meaning we can apply the complementation property if we can find a good differential for the key schedule. Now here we are dealing with 4-branch generalized Feistel cipher meaning the iterative characteristics has 4 rounds instead of 2. So if we take a look at the key schedule we have the master key and then in 12 rounds we produce this intermediate key L and then the sub keys are just output of this and then we have some linear transformation output of the key output then again linear transformation output of the XOR linear transformation output of the XOR and so on. So basically as we need to alternating differences with 4 rounds meaning this output and this output has to be the same the difference and then this output and this output and this output and following output and so on. So actually we have found that among the 2 to the 128 differences there are 2 to the 14 such that this after 2 rounds becomes this and then you can find the difference in the key so you have this, this, this, they are all good for the complementation property. So basically for each of these 2 to the 14 differences in L we have corresponding 2 to the 14 differences in key, we can apply the complementation property. The only problem is of course that here we have 12 rounds of Feistel meaning that no differential but we have 2 to the 14 such differences. Another thing that we have noticed that these 2 to the 14 differences actually can be divided into 2 independent sets, 2 to the 7 and 2 to the 7 differences, so we can so basically we can iterate through these 2 to the 7 and 2 to the 7, if we
take any difference from these two sets it's one of these 2 to the 14 differences meaning go into structures of 2 to the 7 plaintext and corresponding keys and another structure of 2 to the 7 plaintext and corresponding keys, obtain the ciphertext and then we use another property that we just have to find collisions on these 2 sets. So instead of testing 2 to the 14 pairs we only have to find collisions between 2 sets of 2 to the 7 elements which can be done into the 7 time so basically we just save this factor of 2 to the 7 and as a result we get a distinguisher for full round CLEFIA. This is the only distinguisher, it's not a key recovery. We exploit the facts that we have 2 to the 14 for weak keys and we can launch the distinguisher with 2 to the 122.5 encryption and similar data complexity and we can obtain similar results for CLEFIA-256 as well. So again just based on the general complementation property and finding a good differential for the key schedule and few more other tricks we've used. Thank you.

All right, remember that when you're done with your talk you should push the right arrow so that you get to the slide announcing the next speaker. We're very happy to have Takashi Kurokawa who will give us a brief introduction of CRYPTREC activities in Japan.

I'm Takashi Kurokawa, I'm a researcher of NICT and a member of the secretariat of CRYPTREC. In Asiacrypt in 2000 Professor Imai and Dr.
Yamagishi reported about early activity of CRYPTREC here at past. I'd like to talk about recent activities of CRYPTREC. CRYPTREC is the abbreviated name and is a research project in Japan since to aim is CRYPTREC is to contribute to the realisation of the government. CRYPTREC makes a list of secure cryptographic techniques which are examined closely by a lot of experts, domestic and international experts. Organization is divided into two parts: advisory board is run by two ministries, we call Minkan meeting, and several committees and working groups are run by two corporations NICT and IPA. NICT IPA get funded from two ministries of the government. Mention here is the line plot of the meeting count ever had, irregular, it seems irregular but there are several good reasons. And here is the line plot evaluation report written by experts the title but the cost of performance. We have just released new list this March. The list divided in three parts: the government, the candidate, the monitor, three standard categories added. Website in English will be updated. The first list is here, the first list newcomer is KCipher-2. The list is and and the final list is. We would like to thank all the reviewers who helped make the list.

The next speaker is the next speaker is please get ready up there, the next one is about security.

Hello everybody. ASK, the third Asia workshop on symmetric cryptography, will take place in Shandong Weihai of China. The time of the conference is August 20,000 to 29,000 of eastern China is famous for it's only one hour fly from Beijing to Weihai. Conference place is international exchange center of Shandong University in Weihai. This workshop is a closed workshop, we limited the workshop included two parts, the invited talks and group discussions. The subject include block ciphers, hash functions, improvements for researchers from Asia but we also welcome Asia. The suggestion of this workshop is a completely free limited type of statement for play activities may be available
for people using welcome to

we were asked actually some month or so ago by Jean-Francois Beaumasson to present some slides on the password hashing competition so Tanja will be presenting those slides. Jean-Francois Beaumasson wasn't able to come. Actually it was after that we were asked to run the rump session but we decided to present the slides anyway.

So there is going to be not only the competition but then in October this morning we just had a hashing competition so what's the difference? So when you look at this there are three requirements when you look or when you get all the meaning in if you turn the volume back up then it's much more reasonable. Okay so there are three requirements whether the hash should be secure, fast and better than any 5 inch or 1, 2 and so on so the illustration there is going to be a fast hash function. Now if you look at what password hashing needs then slightly overstating it, it wants to have a secure and slow and better than the 5 inch or 2 inch and some password hashing functions which you know from bcrypt, scrypt and PBKDF2. So there is a difference that here it should be slow because well you want the attacker who is doing a brute force attack on you. So if you go to passwordhashing.net and you find all the details about the password hashing competition. So here you see in way too small a font some details about what you submit and why this competition matters such as well it's important to get the poor state of password protection and web services, passwords are too often stored in the clear and so on. So if you look at latest security we just say LinkedIn all passwords leaked which is then easy to brute force. So what the competition asks for is the one password hashing for web services such as LinkedIn, they also would like to have key information for folder subscription, then also pin hashing for other films. If you go on the web page they have a quite impressive list of lots of people, some of our community, some are more practical
people, some are government employees, some are in the industry of password hashing schemes. So the engineering challenge is to design something which is costly to evaluate for attackers. Sure you still want to run this on a mobile phone but you want to stop an attacker with a GPU phone from doing it quickly or if he has FPGA so you want something which is like memory country, you want to have a big state in the middle. And it's a theoretical challenge then if you're rather into proving things then prove lower bounds on password hashing. There are some associated events so there is a conference in Las Vegas on passwords so one of them is the tech one that's in July and then there's no one in December more academic. So that's it.

So I'm going to present to you me a very recent some very recent results from last week that Virginia, Lebanon and I have found. So the main result is a full-round cryptanalysis on KLEIN-64. KLEIN, it's a lightweight block cipher that was presented at RFIDSec in 2011 by Gong, Nikova and Law. It has a 64 bit state and it can have a key size of 64, 80 or 96 depending on the version and depending on the version the number of rounds performed is 12, 16 or 20. So those rounds are formed by four operations. The first operation is a key addition, this key is added by XOR and each time we add a different sub key that is generated by key schedule that has an important property that we have exploited in the past and that has had been previously pointed out in another paper, that's the lower nibbles of the key not mixed by computer. Next the other operation performed in one round is the SubNibbles operation which means that four-bit S-boxes are applied in the state, that means that there are 16 SubNibbles boxes in total. Then we'll have a rotation of the nibbles which rotates the state of 16 bits to the left and in the end we'll have a MixNibbles operation, 32 bits of states on one side and 32 bits on the other and it applies one mixed column to each side. So as you can see the
first, the three first operations are nibble-wise. We said that the key can be completely separated into parts when we compute it through the key schedule, and the only operation that makes both parts interfere is the MixNibbles one. This is the main property that had already been exploited in the analyses so far. There was a paper in Inscrypt 2011 that proposed an attack on 7 rounds of the 64 version and on influence of the 80 key bit version. On another trip to 2011 we presented an attack that worked for 8 rounds of the 64 key version. And recently on ePrint (we classified it in another category, as it is not really an attack but it's an accelerated exhaustive search of the key) and that it supplies some 12 rounds, so on the cipher, an accelerated exhaustive search that it is, and allows to recover the key a bit faster than just doing it two to the 64 times. So our new results permit to recover the key on the full KLEIN without needing to perform an exhaustive search on all the bits of it, and we also provide the two results for the other two versions. So how were the attacks worked? First we had a look at the differential pattern in the print 2011, and there, first we have a distinguisher and then we exploit this distinguisher in order to recover some key bits. Also we use some neutral bits for the distinguisher to be more efficient. And we have a look at that, and we do not need neutral bits anymore, and we do not even need to find first a distinguisher before performing the attack. So the main idea is going to be that we can push the path further and we will get the lower nibbles of the key. As we said before, once we know the lower nibbles of the key at one step we can compute the lower bits of all the keys, and then for each step that we want to undo we have to get some more information bits that are going to be compensated by the conditions of the differential path, and that way we can compute many rounds backwards without increasing the number of people that are passing the rounds. So when we
arrive at the first round we have to put values and differences, and this means that we will have no collision for filtering out the complexity of this first attack. This is the path when we arrive at the 11 rounds; I do not have time to go into the details. And we also found out that this can be improved if we relax the differential path and we allow to have differences in each of us in the beginning, so this way we can use structures to reduce a lot the data complexity and also have a negligible memory. So this is the result that we obtained in the three versions. So in KLEIN we improved four rounds the previous attack, so it works on the full round. In KLEIN-80 we can attack 14 rounds, which improves 6 rounds the previous attack, and we also provide the first results in KLEIN-96, which work on 15 rounds out of the 20. Thank you.
Push the right arrow. Right arrow. OK, next up there is going to be the input feed authenticated encryption modes, and the presenter will be meeting.
Thank you for your introduction. The most important one: I'm Li Tingjuan from China. Here I'm going to use our newly designed AEM mode and feed it. Our motivation is that we have observed, in the current one-pass and block-cipher-based AEM modes, in their decryption process they all have to make an investment with the block cipher. So our target is to design such one-pass, we welcome the block cipher a bit more than, without calling the investment current of block cipher. Our method is that, in design, we feed our inputs to block cipher to a lot of back about to block cipher, so to get the inputs to block cipher in decryption we just use other calls to other block cipher and they will get the current; we will see that later. We have turned to two different modes, R4 and R4 similarly. This is the future for our R4. It's a non-space device, so to increase the message we need a nonce, a message, a single key, and in decryption we first increase the zero block to get a single value
and then use U and a nonce, you get another single value, and by U and U we get long enough single mask, the I, and use this single mask, we mask them to the different message blocks and then put to the block cipher, that they put to this block cipher for R2 here, then we get a ciphertext. It's a long, it is that it's only one pass in single key, and in decryption it can be done in a very long way; there is a way to calling the end of software key. And it also keeps the ciphertext, the ciphertext learns; I mean that the ciphertext C1, C2 and C1, their total length is equal to the length of a nonce plus the length of all messages. Unfortunately the current we online, that is, we have to first message block the total length just in the beginning. I need you to figure in the design that we give a new method to combine the privacy and the authenticity protection together, that is, the ciphertext C1 protect the privacy for message 1, C2 for M2, and for the also protection the ciphertext C2 protect M1. And similarly in decryption we do not need the inverse, and unfortunately we have in a sequential way. And watch it that we do not need the SPRP; only PRP is enough to control the security after the first bound, and generally I need to use the conversion function because we do not need the inverse query. We also have another model, that is, feeding the inverse back forward to the output. It is achieved both online and then put them together. Unfortunately in decryption we have to do it in a universal way. The model is still in adjusting and I like your comments. Thank you.
Push the key. OK, we have a zero minute slot for Christian Rechberger announcing something about postdoc positions, and postdoc and PhD positions, and we have a real announcement from Christian Rechberger together with Carlos Cid on the next FSE.
Hi everyone, my name is Christian Rechberger and I would like to talk about FSE 2014 and answer the question that some of you might have had: where do we go next year? So it is going to be London, and I will be
together with Carlos Cid. What's up: the title of FSE 2014 could have been cryptic with dinosaurs, and I would like to explain why. So first of all, it will be the first week of March. The venue will be the National History Museum in London, and Carlos and I will be both general chairs and program chairs. In London, it's a very exciting city and it's extremely easy to reach. It has five airports, and if you don't want to fly directly you could even fly to some European country like France or Belgium, the Netherlands, is still very convenient and efficient training, so that's rather safe some costs for sure. The venue, that's where the dinosaurs come into the game. It's going to be the National History Museum. It's the nice central location in London, closer to Heichbach. In addition to having our conference facilities there, during the couple of breaks we will be able to enjoy the skeletons. We will provide you with a number of good things, we hope. It's, but for the time being this is a good search edition and you are about the immediate approximate. So far so good. I hope to see all of you next year in London. Thank you.