Okay, so before the rump session starts, a short announcement about the dinner tomorrow. So I said the buses will leave for six o'clock from Schwedenplatz, which you, if it's explained in your back where this isn't on the web page. And then there will be buses going back from the Heurigen starting from 9:30 regularly till midnight, so you can choose whenever you want to go back. As soon as the bus is full or so, we go just back. Okay, so there will be travel provided to get back home to Vienna.

And Hoeteck, and something else, please do so. We had to promise the venue here that people will not sit, be seated with drinks, and the reason is the floor is very delicate. And if you spill something on the floor it has to be cleaned immediately, and when people sit, then they will throw them over. So we promised them no drinks beyond this line. So please stick to it, and if you spill something, please let someone, one of us, know immediately so we can clean it up. It's like white marble stuff or something and it soaks in red wine especially.

Hoeteck, where are you? Hello. And in principle we could start, so I would like to ask you to take a seat. Can we just start, please?

So welcome to the rump session of this Eurocrypt. I was waiting for my, for my co-chair, apparently got lost. There he is, come on. Big applause to Hoeteck. It's a wonderful co-chair. So you just stay here. So this rump session is for some reason dedicated to Donald Rump, because he wants to make cryptography great again. Unfortunately, for this evening there's not a program on the website yet, so we're working on that to put this online.
However, the list of speakers is on this slide. So this is what we will have: a break in the middle and two sessions, so one before the break, one after the break, and this is the speakers of the first session. So it goes that down and then on that side. So I give you a minute to find, if you present, if you submitted a paper, to find your name on that list. Also you will get a hint right in advance before you are going to speak. All right. Then the first speaker would be Marc Fischlin. Is he around, or is this the second guy that got lost? So always on these slides, on these title slides, you will find, if you're a speaker, your name eventually there on the bottom corner, so get ready. You will be the next one to speak if you find your name there.

All right. Thanks. First, I should thank Bertram and Hoeteck for running the rump session. I was lucky. I asked them last year when they were a little bit drunk, and I told them that it actually accepted. All right, so it's a good tradition to give a small report about the running of the program committee and so on. I would like to focus on one thing only, and this is the number of submissions. So these are the number of submissions to Eurocrypt. You see, in the past years it has been pretty stable at around 200, and this year you see we went up to 274. And this may be correlated to the fact that we now announced to have parallel tracks. And you may wonder why, we started in 2015, why this didn't affect the number of submissions back then. And the reason was that submission is usually half a year earlier, and that was before we even thought about having parallel tracks. Now you may wonder how this is going to continue, where we have an even further increase in the number of submissions. The good news, and this is something I would like to tell you, is we're actually getting help from the outside to keep the number of submissions low. Okay, do you understand what I mean?
Here's what typically happens. You are an author, you submit your paper. If your paper is good and you're lucky, the program committee accepts the paper, and then your name and the title of your paper appears on the list of accepted papers on the web page. So this year we accepted, or it was clear that we will accept, around 60 papers by having parallel tracks, and for some reason this incites people to submit more papers. But in crypto we always have the adversary, and the adversary in our setting actually tries to attack the authors. And this is no joke. Apparently there was a company which, after the list of accepted papers including the authors was out, went through this list, looked up the authors, looked up the contact address and called them on the phone, telling them they are responsible for hotel service, and of course they need the credit card number. Several authors have confirmed that this actually happened.

And then if you look it up on the web, actually that seems to be a new kind of phishing attack which happens all the time. So we're not the only conference which gets under this attack. For example, here's a company which seems to be EHM, which seems to be frequently cited in this context. And since this is the Trump session, actually, and I saw this trustworthy businessman here, I'm just making a Trump. There's nothing to do with the actual content of this presentation. So, and actually they're quite good. They provide all the details, like the dates of the conference, I think even the chair's name if necessary. They have a home page. So this is this company.
I'm not that sure if this is the company which ran the attack for Eurocrypt, but they have a home page, and you see the employees are happy and successful people. But it's obvious if you look closer that there's something wrong with their business. Business. I still need to work on that, I think. Okay. We caught this quite early and we sent out email to the authors, so I don't think much damage was actually done in this case.

But back to the more serious stuff. Why does this help us, in what sense? So if you think about it, these companies will not stop doing this. I mean, that's their business model, so you cannot expect that this goes away. It's unlikely that, if you have a paper accepted, that we will not announce your author name on the list of accepted papers; otherwise you would have to register for conference without knowing what the talks are. If you submit a good paper, it should get in, so there's nothing you can do about this. The only thing which saves you from getting on the phishing attacks is not submitting papers, actually. Okay, so think about this. It will actually help future, future chairs.

Okay, this is my last slide. I always get the waving from the rump session chairs. This is a little bit more serious. If you think about how things develop, it's actually worthwhile to look at the, whoops, to look at the acceptance rates. So you see it has been stable around 20%, and maybe we're going back there slowly. And now you can do the math: typically, if you have two parallel tracks, you can host up to 60, slightly more than 60 papers, and if we reach the 20% again, this means the future chairs will have to cope with around 300, 310 submissions. And in this sense my conclusion is: boy, I'm quite happy, I've done my turn now. All right. Thanks.

Hello everyone.
I am Alptekin Küpçü from Koç University. So let's assume a hypothetical scenario where we have Bernie, Hillary, Raccoon, Mozart and Trump going to enter an election. So they each have done their voter research: if they talk about some topic or do something, then they are going to gain that much voters, let's say. So now they want to optimize their strategies, but they don't want to reveal their individual research outputs. So what are they going to do? They are going to run a secure multi-party computation protocol such that they each get their optimal strategies as output. Of course, the problem is, in general, without honest majority, secure multi-party computation is not fair. So it's possible that one of the parties obtains the output whereas the others don't, which may lead to, actually this arrow should have been at the bottom, which may lead to catastrophic outcomes.

So how do we prove secure multi-party computation secure? We have an ideal world with a trusted party, parties and their inputs, they get their outputs back. And in the real world, we have an adversary controlling some of the parties, let's say up to n minus 1 parties, and then they run this protocol, and we need a simulator that simulates this adversary in the ideal world. As I said, it's impossible without honest majority, so we need a trusted third party called the arbiter. I will skip these for now, but I want to ensure that the ideal trusted party is an ideal entity that doesn't exist; the arbiter is a real entity that exists as a trusted party in the real world.

So what we show is, first of all, these interactions with the real trusted party, the arbiter, must be simulated. Most of the previous works, what they do is they prove via ideal-real simulation that the protocol is secure with aborts, and then they argue that the additional messages will cause fairness. This is problematic.
We need to simulate the whole protocol without any aborts in the ideal world. And indeed we show that otherwise, if you do the first option, simulation and then separately fairness argument, the protocol may be insecure. We also need to ensure in our simulation that we contact the ideal trusted party only when the fairness is guaranteed. So why? Because, let's say our simulator sends the inputs to the ideal party, all the ideal parties will obtain their outputs, but in reality the adversary may choose to abort the protocol. So while the ideal parties obtained their outputs, the real parties didn't obtain any outputs. Is it zero or one? Okay, so skipping. We have optimal asymptotic performance that works for cut-and-choose and zero-knowledge protocols, in malicious and covert settings, for two-party and multi-party protocols. Thank you.

Let me introduce to you our mascot, the raccoon.

Okay, so my name is Roberto and I will be fired after this talk. So when we think about lightweight primitives for memory encryption, of course our first thought goes to PRINCE, the son of Enigma, a shiny example of German technology that has been inspired by Austrian leadership. And where does this inspiration come? Well, from Mozart, of course, because PRINCE, as we know, has the structure of a Mozart testicle. It's an involutory core with several, which is surrounded by somatic layers, wrapped in a thin but opaque kind of brown shirt, which we call the whitening. And it's a really nice cipher, but as everything in the world, there are situations where we cannot use it as it is. So let's move from Austria to the second most dangerous country in the world, which is the States. So suppose you want to do memory encryption, but you cannot do any memory overhead. So you want to use the cipher in ECB mode?
Well, the problem is that you still have traces of her dump after electronic codebook encryption. So another idea could be, well, let's use a Rogaway XEX mode, but you have additional latency in order to derive in a secure way the whitening value for each address. So the idea is, oh, it would be nice if there were a tweakable version of PRINCE. Well, it turns out it's difficult to do it. But after talking to friends in Haifa, then in Bochum, then again in Haifa, I came up with this design.

The lightweight tweakable block cipher QARMA is a three-round Even-Mansour scheme where the permutations are keyed and two are also tweaked, and it's not strictly involutory in the middle, and the whitening key derivation uses an automorphism. So it looks like any other bricklayer substitution-permutation network, but you see there is an additional rail on the outside, which is a simple tweak schedule. But important thing here is what happens in the middle, that changes the FX construction into something different. So let's have a closer look at these.

In order to make attacks like reflection attacks and a lot of other types of cryptanalysis, we use the whitening keys in the middle instead of the core key; that makes finding a characteristic after the XOR impossible. Also, the pseudo-reflector in the middle is not involutory, but it can easily be inverted, and the matrices are quite nice, are a new type of almost-MDS matrices. And in the paper you will see the rationale, and there is also a bit of mathematics. For a minute, okay? So of course, so we want to see the proof in the pudding, and the question is how efficient is it?
Well, QARMA has best-in-class latency in the 64-bit version. So it offers quite a nice security balance, but it is not slower than the competition. There is also a 128-bit version, which is quite nice because, for the claimed security level, which I invite you to challenge, it can offer for instance one third of the latency of AES in half of the area. Good news: QARMA is in the public domain. We did not patent it, and we made sure we did not use other people's IP there, to the best of our knowledge. So have fun.

Right. Hello, right. Can you hear me at the back? Good. Right, so all the speakers have to shout, otherwise everyone at the back chats, because at the back we can't hear anybody. Right. Okay, so there is a long tradition at rump sessions or at Eurocrypts or whatever, in that the long tradition is: we have some jobs. That's it. It's the same bloody thing every time: we have some jobs, right? That's it. That's the, and they're five years. So if you have anyone who's vaguely qualified, warm body, breathing, yeah, knows a bit about whatever: we have some jobs. Next one.

Thank you, Nigel, for making everybody pay attention who went to the membership meeting before. So you heard all this already; Christian scooped me. I just give you a few more details and updates. So, a new publication model for FSE. We're switching to the IACR Transactions on Symmetric Cryptology, with the cool acronym ToSC. So we're gonna publish a conference-journal hybrid in gold open access. There'll be four submission deadlines per year. The review process will take eight weeks, which is faster than any other conference and way faster than most journals. The reviews will not be done by sub-reviewers or sub-sub-reviewers, but by the editorial board members themselves. This is a big difference, I think, also from many conferences.
There will be a rebuttal phase and then a revised final version. There is five possible decisions: accept; accepted minor revision and shepherding; accepted major revision, and you come back within the next two rounds, so you submit after a month or after four months; reject; or strong reject. So our target for the average paper is three and a half months from submission to publication in the journal, which is faster than any conference of the IACR.

What are the goals? Better quality submission: you don't have to rush for the deadline. There was no more deadline in three months. So we don't want half-baked papers. We don't want papers full of typos. If you can't fix it, come back in three months. As I mentioned, the faster turnaround. Hopefully better reviews, which are to some extent sticky, although we may also assign new people if we think issues are contentious. There will be one version of your paper available from day one, nothing with two years and four years and three years, and it's just one gold version of the paper. The cost is zero, and we hope to get an ISI impact factor in three years, which is very important for researchers in Europe and in Asia.

Next deadline is pretty soon, June 1st, so start writing today or tomorrow. There is a new format, which you can find on the IACR website. Thanks to Gaëtan Leurent for providing this. It is slightly more printer-friendly than LNCS. And please don't hack it. I've seen in my life so many LNCS hacks which annoy Springer. Now, if you will hack the format, you will annoy the IACR and your associate board and the steering committee and so on. So please don't hack the format. Just use plain LaTeX with this style file. Some other new things which Christian didn't mention: we have also SoK papers, Systematization of Knowledge, where you can write overviews of things.
This is something we copied from Security and Privacy, and I think CCS also has this. We believe it's very valuable. And then the page limit is 20 pages, but there is more on a page than there is in an LNCS page, so it's about 22, 23 pages, plus references and also maybe source code and test values if you have those. If you happen to write longer papers because they have proofs, you can actually go for a 40-page paper, but then we don't guarantee review in eight weeks; then you may have to wait another round. Of course, you can always try to bribe Maria and myself in some way to still get the fast treatment, or can try to bribe the reviewers. But on average I think for long papers you'll need more time. And as mentioned before, it's a hybrid between a conference and a journal. Also, you are expected to present your paper at FSE, which will be in Tokyo next year, and general chairs are Shiho Moriai and That's what you are. If you want more details, here are the links. Thank you very much for your attention. Have a nice rump session.

Hello. So this about a contest, or listen to it, so maybe you can get some money. So this some work with my colleagues and also with the monsoon who's over here very and also Domingo Hyman. Well, we want systems that can work in practice. So: energy efficiency, small messages, secure, quantum secure. So we have been working on it. We came up with scheme that we believe that is very efficient. Collusion-resistant, is a key pre-distribution scheme. So basically any pair of parties can directly set a key based on identities. We have been working on this for some time. Last year we started the contest; we announced during a NIST workshop on post-quantum. We got results. They are online on this paper. What do people download the challenges, work on it?
Now we have updated some parameters here, and you can join the contest, and to join the contest is very simple: you have to go to that website and, well, there are five challenges, five challenges. You can get some money per challenge if you manage to break it, and you have some security parameters there for him. Oh, that doesn't tell you much. If you have, all the attacks are based on lattices, so if you have alpha 700 you can do it with LLL. For two thousand we estimate root Hermite factor, that one over there; for the second one that would be 1.005. For the was much smaller. So we believe that parameters are very conservative and still are extremely fast. If you want to know more details, then just come on Friday, and thank you for your attention.

Hello, I'm Shashank Singh. I'm going to show one of my work, tower number field sieve variant for the recent, of the recent polynomial selection algorithm. This is a joint work with Palash Sarkar. So there is a beautiful idea in the last year Asiacrypt paper that, using tower number field sieve variant, we can leverage the complexity of large prime case, a large prime field, to the medium prime field. We have just used our polynomial selection algorithm to that idea. In fact the same idea was given by the Kim and Barbulescu in the recent ePrint paper, but they only consider it for the conjugation method. So we consider to the recent paper which I presented in the morning. So this paper is the content of this tower number field sieve variant. Here we have used the new polynomial selection algorithm presented in Eurocrypt 2016. So this gives some, this is the algorithm. I am not going into the detail of the algorithm, but let's see the example, example here.
We can use the tower number field sieve and we get this kind of complexity there. So this complexity in fact subsumes the complexity given by the Kim and Barbulescu paper. So this is the plot. So in this plot this dotted line represents the complexity of the Kim and Barbulescu paper, and this area is the place where we have the new complexity result. So in fact, I think they have missed that our polynomial selection algorithm only applies to the composite extension degree, though this is not correct: it applies to the prime degree extension as well. So if we consider, then we have this new complexity tradeoff, and this is the multi, this is the combined plot for this multiple number field sieve variant and the classical number field sieve, for the tower field number field sieve algorithm. So this is all. Thank you.

So, hello, I, I'm search for the name. I didn't read the instructions. Okay. So the session chair says that if we talk about Mozart we have extra time. Unfortunately, I won't talk about Mozart; I will talk about Wagner. So let's consider the problem that you have a list of bit strings and you have to find four-tuples which XOR to zero. So there are essentially two algorithms that we can use, the first one.
Let's call it the Mozart algorithm. So if you make pairs of bit strings and you compute the XOR, and then you look at collision on the XOR, you get an algorithm which has a given time complexity, which is on the bottom, and a data complexity which is optimal. So the data complexity is optimal, but the time complexity is not so good. There is a better algorithm, which is a Wagner algorithm, which can compute four-tuples of strings with XOR zero, except that it adds some constraints on the solution. So you need a higher data complexity and you have a lower time complexity.

So yesterday there was a presentation by Zhang, Jiao and Wang about faster algorithm for solving LPN, and their method were using the Wagner algorithm. Unfortunately, if you look at the computation, if you look at the computation of the data complexity and the time complexity: for the time complexity it matches the algorithm of Wagner, but for the data complexity it matches the algorithm of Mozart. So you have actually two different algorithms, and you cannot use the data complexity of one and the time complexity of the other. So unfortunately the result, the data, the complexity for this algorithm is not correct.

There are some other strange results in this paper. For instance, at some other point in the paper they have to XOR 10 bytes, so they have to XOR 10 bytes. So if you consider the bit complexity of XORing 10 bytes, you have 80 bit operations. But 80 bit operations for their algorithm is too much, because they have to repeat it two to the 71 times. So instead of multiplying two to the 71 by 80, what they do is that they use a huge table where you can just directly read as an address the 10 bytes and look at the result and get the result for free in one unit of time. Unfortunately, it's not correct, because you still have to consider the time, the complexity of concatenating and the complexity of reading the operations, the complexity of accessing to the table and the complexity of reading. So we corrected, we use some
more precise estimate for the time complexity of some algorithms, and after correction the complexity, that the claim of two to the 74, is corrected to two to the 80. So now they may have some other parameters for which lower complexity, but so far they are still above the limit of two to the 80. And we also announced our results, which are of two to the 78, which have been published on ePrint so far. So I let you with a quote of a famous philosopher, which is here. Thank you very much.

Okay, so I can't continue to talk so he's Eric Miles. I mean so high. So as we've heard, obfuscation is this great tool that can imply a lot of things in crypto; some would even say it's crypto-complete and that it can do anything in crypto. The bad news for us cryptographers is that obfuscation is taking our jobs. As a, you know, American political candidate has said, you know, obfuscation is taking our jobs, and this is because, well, now it's making everything so easy, there's nothing left for us to do. So to combat this we've come up with the Cryptographers Obfuscation Annihilation Patrol, and our mission statement is to make cryptography great again by monitoring developments in obfuscation and generating new technologies to eliminate its threat to cryptographers. We have a two-part program: one is a direct offensive to annihilate the threats of obfuscation, and another one is a covert program where we've inserted double agents to work with the pro-obfuscation people to study obfuscation and leak the developments to us.

All right, so how do we attack obfuscation? Well, obfuscation is built from this thing called multilinear maps that sort of protects it, so we need to attack multilinear maps. Fortunately this has been done to some extent: there's plenty of work showing how to attack multilinear maps. They've weakened the armor, but there's actually been few breaches on actual obfuscation. No one's been able to get through. So we have developed a new class of attacks: annihilation attacks.
These are the first successful attacks on obfuscation. We've actually breached multilinear maps and are attacking obfuscation now, and this work will appear in Crypto. So we've annihilated several obfuscators in the literature. But the threats are still ongoing: we still don't know how to annihilate obfuscation that uses other multilinear maps or particular obfuscation constructions, and even more worrisome is that obfuscation is becoming annihilation-resistant. We've just heard from our spies in the pro-obfuscation community that now we can defend against these attacks. So please join the cause and stop obfuscation to make cryptography great again.

Hello everyone. My name is Christian Rechberger, and I'm going to announce the winners of the third and final PRINCE cipher-breaking challenge. So PRINCE is a cipher that we proposed a few years ago together with company code NXP, and the idea of this challenge was to incentivize cryptanalysis to not only go for the most impractical attack with the highest number of rounds but go for really practical attacks. And to give some guidance, we did this, we did this competition. You have two settings: one in the chosen-plaintext setting, where you are given at most to the 20 challenges, and the goal was to find attacks as fast as possible for four, six, eight, ten or the full twelve rounds; and the same for the known-plaintext setting. For prizes we offered Belgian chocolate and beer, and as a request from our esteemed rump session chairs, for this opportunity we changed it to Austrian chocolates, Mozartkugeln, and even had reserved money for really good attacks, up to 15,000 euros in total.

So we had started this competition already in 2014. We had several rounds with several winners, and now it's time to announce the new winners. These were the results before, and there's a number of submissions that were able to beat the currently best result. So on four rounds we have two winners, one by Håvard Raddum and Shahram Rasoolzadeh and the other
one by Lorenzo Grassi and myself. For six rounds we have another paper by Håvard and his students having the best attack. And in the chosen-plaintext setting we also have another paper using meet-in-the-middle attack that beats currently best attacks. And since Håvard is here, I would like to give him a box of Mozartkugeln. So please join me in congratulating Håvard for his very nice results. Thank you. Thank you. Unfortunately, I cannot hand out 15,000 euros. It would have been great. But yeah, that's it. Thank you.

Quick announcement: the program is online now. Next speaker, please. The program of the first session is online now; the program of the second session will follow in three minutes.

All right. All right. Are you happy? Are you ready? I know, I know this has been at the membership meeting already, but who cares about the membership meeting. So I'm gonna make it better. I'm gonna make it so much better. And it's gonna be so much higher. And the important thing on this slide is, you have to know Nobel Prize delay. Anybody knows about Nobel Prize delay? It's the thing that the Nobel Prizes are getting awarded later and later of the discoveries. So that means in a few years' time people just gonna get the Nobel Prize because they don't die. So I want to say about the test-of-time award: yeah, great idea, I had it too. But there should be an upper limit, and I'm saying 20 years, because, you know, RSA, PGP, SSL, TLS, you know, it takes 20 years. So all right.

So what have you got 20 years ago? Eurocrypt 1996, Saragossa, Spain. Great city, crazy, love to see the eyes, amazing. It's great. So number one according to Google Scholar, because we know Google Scholar, right? They're good, right? They know their stuff, right? Google knows everything. They're great. They're neutral, objective. Whoo. So number one, The Exact Security of Digital Signatures: How to Sign with RSA and Rabin, and that is Mozart. Whoo. And Security Proofs for Signature Schemes, Donald J.
Trump. And Designated Verifier Proofs and Their Applications, by raccoon, for whatever reason. And me out. Okay, me not out, because next slide. Whoo-hoo. Kudelski Security, anyone?

Hello, Eurocrypt. Do you want to earn some money? What, already over? No. So I want to remind you about the NORX bug bounty program that's currently running. We have three categories: you can submit bugs for the algorithm; you can submit bugs for security proofs, because everybody loves finding security proofs, bugs in security proofs, from Bart Mennink; and you can find bugs in the source code. But I have to say, you won't get any money for finding bugs in our JavaScript of our website. So you can still submit bugs until the end of this month to this email address, and you can find everything, all informations about this program, on this link here. Thanks. That is from my side.

Good evening, Vienna. I have the bell, so I have unlimited time now. Clearly the formatting wasn't done right, and I have a very, very well thought out title, and not just to get a hilarious acronym. Rumor tells that rump sessions are supposed to have funny talks in them, but real humor takes time and preparation, and rump sessions are normally organized ad hoc on the day, and we have very little prep time. You have 24 hours to get your slides ready and put them out there. Submission is on the day of the rump session, and it's reviewed by the chair only. I have a solution. We create an independent body to oversee all the rump sessions. We appoint chairs for all the conferences, much like the program chairs and the general chairs and the organizing chairs; we will have rump session chairs appointed in advance. We open submissions earlier: everybody can submit when they know they're coming to the conference. We could add peer reviewing for our submissions.
Who doesn't want to hear the jokes before they're told? So the main problem is about rump sessions, but it's not all rump sessions, it's mainly cryptologic rump sessions, and I propose we make some sort of association, even an international association. Maybe we could call it the IACR. And we spared no expense and we developed a logo, by which I mean I spent five minutes in Paint yesterday and did that.

So what will the IACR do for you? It gives the chairs better time to prepare the rump session. Programs will go online before the rump session starts, if one could believe such a thing. It allows you, the speakers, the audience, to prepare your rump session talks, to plan them out. We can have the schedule before the conference even starts. And we're also planning a hostile takeover of the Journal of Cryptology. Sorry, Nigel, I'm gunning for your job now. And we will make Trump sessions, I mean we will make rump sessions great again.

So the committee: the president will be this lovely fellow over here, who was elected by a fair and biased coin toss. Vice president, who may or may not be a stormtrooper. We have an animal wrangler for reasons unbeknownst to me, and I've been told that an asymptotically negligible number of animals were hurt in the production of these slides. We have a membership secretary; please see him if you want to join, and conveniently he isn't here. And we're setting up steering committees, due to Martyn's great contributions at Martyn the Eurocrypt steering committee chair. And to commend Bertram for his excellent job, we're appointing him as the Crypto rump session steering chair, and eventually I'll be able to spell his name. Asiacrypt committee steering committee chair still open. It could be one of you. Would anybody like to join the committee? I was expecting a more enthusiastic response. Would anybody like to join the committee? There we go: Greg Rose. He's a gentleman. Our industrial agent is Susan Thompson, who's hiding right now, and we got an AV technician from outside.
I hear the guy's really good. And also, I would like to close with a very important announcement: I am Satoshi. Thank you. Good evening, Vienna.
And I believe this ends the first session, and we'll now have a break. Yes? Wait one second. So thank you for the presentation so far. Remember, this is a Trump session. Donald Trump will build a wall around the adversary and will make the adversary pay for it. So there will be a break now for about 30 minutes. Enjoy yourself.
All right, everyone, we'll start in a minute, and if you want to chat, please go over to the next room. Thanks.
Good evening, everybody. So let's start over. This is the schedule of the second session. This is the name. So if you present and you didn't still present, then find out the list here. The schedule of the second session is online now since 30, 30 minutes actually. Yeah, thank you. Oh. Thank you.
Hello again. Can you read it? The only difference, the second letter, that was the fatal error. So we changed it back. And to be serious, here is the round function. It's a Speck-like cipher. We hope that it is compact, it is lightweight, it is good-looking and, we hope, secure. But it's a formula: if you will prove that it's insecure, we'll rename it from after John Nash to Donald Trump. Thank you.
Okay, I've got an important announcement to make, if you could all just listen up for one moment, please. Thank you. If I could have your attention at the back. No? There's one guy here taking notes in the rump session. He must work for NSA, right? He's shaking his head. FSB? GCHQ? Okay. I guess you're all having a good time at the back there. I want to talk about something very important that involves Donald Trump. I want to talk about the Crypto Forum Research Group. Do any of you recognize this?
This is the internet. Okay, it's kind of important. Without this you don't have Facebook, you don't have WhatsApp, you don't have porn sites, you don't have all the things that cryptographers love to do. There are two organizations called IETF and IRTF who are trying to make this thing work. That's their fundamental objective. And within the IRTF there's an organization called CFRG, which stands for Crypto Forum Research Group, and that's where there's lots of interesting cryptography going on that's making the internet more secure. Okay. Here's the charter of the CFRG. It's a lot of words. It basically says we're trying to fix the internet, we're trying to make it more secure, and we need your help. So if you're interested in getting involved in CFRG and making the internet stronger and more secure, then come to the meeting, which is happening this Thursday at 1:30 in the floor below here. We've got lots of interesting presentations and the meeting is open to everybody. So, everybody: you don't have to be a member of any organization, you don't have to be from any particular nationality. You can come along and contribute, and you can also ask me more. And it's very important that you come, otherwise this happens. Okay, if you don't come and help make the internet more secure, the internet is screwed. Okay, thank you very much.
So, how do I secure papers? So you might think our goal is to construct secure crypto primitives. This is not true at all, of course. To be honest, what we really want is to write secure papers that are secure against attacks from reviewers, right? Yeah, so, I mean, it's a systematic study of this, and of course the first thing you have to do is to classify your adversaries.
So a semi-honest reviewer is one that doesn't read the paper. He just reads the abstract, then flips a fair coin to decide whether to accept the paper. Much worse is a malicious reviewer, who constructs a different set of results that's totally different from what's in the paper and claims that because this other set of results is uninteresting, the paper should be rejected. Okay. In between these we have a covert reviewer, who looks, he just looked at, he does look at a paper, constructs a different proof of the main results, and of course because he likes that proof better, understands it better, he claims that the paper will be rejected because the main result has a trivial proof. So that's a classification. Now we go to the model for security. Of course, we want the best possible security, so we go for universal composition. This model was first studied by Mozart, universal composer if ever there was one. He was cool. Of course, what we want is universally composable review security. Here's the definition. So a paper is UC review secure if there's a simulator, so for all venues V, if you feed the simulator the paper and the venue, you get a set of reviews that's indistinguishable from the actual reviews you would have gotten if you had submitted the paper to that venue. Okay, that's a very strong demand, of course. I have a theorem that I proved which says, well, UC review security requires an honest majority of reviewers. Otherwise it doesn't work. Okay, it's now about constructions. This is the next thing. Of course, we think obfuscation solves any problem, right? And I have observed that obfuscation seems to be a very popular method in many papers I've seen. And okay, I'll grant you that obfuscation might confuse a malicious reviewer. It does not work for a semi-honest reviewer, because he doesn't read the paper anyway, right?
So it doesn't work. Makes no difference. So actually I have a much better method: you must submit to a venue with a vast majority of good reviewers, such as the Journal of Cryptology, of course. How do I know? I'm the editor-in-chief, for crying out loud. We have so far used 212 reviewers who put in a lot of hard work, and I'm here to announce the prize for reviewer of the year. Don't worry, it's not a picture of Donald Trump or anything like this. It is, ta-da, Vincent Rijmen, who accepted all... Yes. Yes. Yeah. Is Vincent here? Is Vincent here? No, no, okay, too bad. But he accepted all 9 invitations to review and still on average submitted his reviews 36 days earlier than he was required to do. That's amazing, I think. So yeah, and so having solved the problem of bashing secure papers, thank you. That's what I have.
Hello, everyone. I'm a child and this is joint work with Jian Guo and Ling Song. This totally brought talk about the crime last year or for SHA-3, and Keccak is the winner of SHA-3, and it had 24 rounds, each one has four steps. So χ is the only non-linear operation, and several known attacks are based on the technology of a knowledge of one-round Keccak permutation. We find that two or three rounds Keccak permutation can be also linearized. And we also find the bilinear structure of the Keccak S-box: given two bits of the output, we can set up one linear equation on the input bits, and this theory table there are terrible this, three bits of the output, we can set up two linear equations on the input bits.
So this is very useful for the preimage attack. We also use the linear structure of the Keccak, three Keccak, to improve the zero-sum distinguish dengue soon by two rounds with the same capacity. Our distinguishing either in practice is practical for up to 11 rounds, and for the twelve rounds it is almost practical, the time capacity the two to 165, and we also improve the preimage attack on the Keccak. We can take all the variants of the stress rate for up to three rounds. Our in the military is practical for three, three rounds. Sharks, Sharks one eight four, one two eight. Thank you.
Good evening, everyone. So recently, with Martin and Shi, we published this paper on ePrint, and we're kind of proud to announce it was accepted to Crypto. There's also a concurrent work presenting the same results. So the impact of the paper is like, we break those not very important stuff. But we got some feedback that our paper was kind of, you know, spreading some fear about NTRU, because it's called overstretched, attacking overstretched NTRU assumption, and we were asked: why is NTRU in the title? Why don't you use the DSPR name? Are you just being mongering? So we're very sorry for everyone who feels that way. Our intent was very different. We didn't really mean to discredit; we really meant to credit. We think that NTRU were very pioneers in lattice-based cryptography, and they anticipated many of the series that we have today. For example, NTRU scheme kind of inspired FHE, and some people called it the gen, the gen through scheme. And we don't really have interest in discrediting NTRU; I'm kind of using it in another scheme, BLISS. My conclusion is that NTRU assumption is quite powerful, both for theory and practice. It has passed the test of time; it's kind of around for 20 years. So we can deem it secure, unless you overstretch it. Thank you.
Hello, Eurocrypt. You guys hear me out there? Yeah, it's here.
All right. So I'm here to talk about how we're gonna make crypto great again through the real world, in Real World Crypto in particular. So I have to announce that we're gonna be in New York City again, one of the best cities in the world. Thank you. Thank you. We'll be at Columbia University, January 4th through 6. Now this is not ideal world crypto. This is real-world crypto, and we have to deal with all sorts of real annoying issues, like the fact that seven cryptographers cannot figure out how to get HTTPS working on their website. It's a painful, painful situation. Thank you. Thank you. All right, so New York is awesome. There's lots of reasons to come there, one of which is the great tourism opportunities. You can go check out all sorts of great venues. It is open to the public. You don't have to worry about the cold weather. We have a plan. We have a plan for this. Okay. And it's going... All right, a little more seriously: Real World Crypto is about bringing industry and academia together. We have about 50-50 industry and academic talks. We invite people, we also accept submissions, and it'll be open in the fall. It is a very exciting place to be, to hear and to give talks about cryptography. Just to give you a sense of who comes and how many people. I'm not going to count raccoons here, I'm not going to play that card, but you can see the attendance at Eurocrypt and Crypto and the attendance at Real World Crypto. And the reason for this is that we get a lot of industry people to come. Okay, lots of industry people, and they're very excited to hear about the latest in what's happening. Also, I know I'm losing the crowd in the back. Come back, come back.
I'm talking about money now. Okay, $10,000 to each of the two awards that go out for the Levchin Prize. Max Levchin was very great to donate this money. Last year the winners were Phil Rogaway and the miTLS team, not Mozart. Okay, and you can nominate people for this prize, so go to the website. We also have lots of industry engagement in terms of sponsorship, and this is the obligatory asking you to find more sponsors for us, or come tell us if you're interested in sponsoring or know someone who would be. So in summary, let's make cryptography great again, particularly in the real world. Please go nominate for Levchin. Please nominate speakers that you think would be good. Submit talks and help us get sponsors. Thank you very much and see you in January next year.
All right, again, if you wish to chat, please go to the next room over so that we can hear our speakers. All right, now we have our first invited talk of the evening. Could we please have a big round of applause for Jens to bravely volunteer to do this. Ladies and gentlemen, in score.
Thank you. Okay. So as you can see, this is a fortress, right? We're trying to attack it, and this is how cryptanalysis usually works. So there's a lot of E&M's, E&M's, E&M's, M&M's and these kind of things, and that all goes into the scheme somehow. And then there's a sieve mode, so we're doing a sieving, so clearly this is about RSA factorization. I'll quickly jump through and tell you about the attack results.
Okay, so we have excellent performance here against breaking RSA. So there's a lot of copies, because it seems to be easier to batch break RSA. So we build a non-uniform Turing machine. The reason we do that is we do a lot of pre-processing, right? So we develop a circuit that could attack RSA, and as you can see, the complexity of these attacks goes down with time in the number of queries that we make. So one example where this is used is in dentistry. So this is a really real-world crypto. So if you want to have dentistry done and you have problems with your teeth, you can use this tool here. You break RSA encryption, you find out the secret mechanisms behind dentistry, and that's how it works out. So we use this camera here to take a photo of the teeth, and then I don't know what the eagle is about. Okay, so here we have the curve again. It's the same curve, as you can see. It still goes down and down and down and down, just like this presentation here. But there's a difference here, right? Because now we're working in the ideal model, right? There's an ideal T, okay, and that's a realistic T, right? And of course we're aiming for the ideal T. We want the curve to go up there to the ideal T, and for that, the only thing that can save us at this point, and me at this point, is to use indistinguishability obfuscation. So that's what we're going to do. We're going to obfuscate the two circuits. So there's an ideal T, there's the realistic T, we obfuscate both of them, now they're indistinguishable, right? And that will bring the curve up again, right? So how does indistinguishability obfuscation work, right? I mean, the first thing is you can create a branching program. So you can go from one box to the next one, and you have multiple layers of this circuit that you're trying to obfuscate. So for depth five circuits, we can do it.
We can do it for greater depth as well: depth six, depth seven. Actually, we can do it for any constant depth circuit. It does however get very problematic when we get into logarithmic sized circuits. There the obfuscation mechanism doesn't work. The path is too long, because we've been drinking too much at this reception and will go off of the chart somewhere. So the question now with this circuit model here is whether it is actually possible to get full security, right? Is that feasible or not, right? And the problem here is that you need to spend at least linear time, because you have to go through every single box. You have to obfuscate every single circuit. But we have a technique for this: we write everything in a list. We basically do a brute force attack, right? So we take, let's say, J going from zero up to capital N, and we do the same operation every step. So the advantage is that it's a very, very simple algorithm. Anybody could come up with this and write it in this programming language. I realize this is not C or Python, but it's pseudocode, and that's also a respectable programming language for cryptographers to use. So with that in mind, thank you.
Ladies and gentlemen, can we thank Jens again?
No preparation, hadn't seen a single slide yet. A big round of applause for Jens.
Ladies and gentlemen, this is the talk about oblivious transfer from any non-trivial elastic noisy channel. So we all know oblivious transfer, so I can skip that, or at least most, a lot of do. So elastic noisy channel: it's a channel where, if the receiver is honest, he could hear this loudly, and if he's malicious he hears much, much louder, because he has a much, much bigger antenna. So then this question: when he has a bigger antenna, can we still have a protocol that's secure even if we want a receiver that speaks very... that the receiver can hear very softly and the dishonest receiver can hear very loudly? Well, there is a very nice result that was shown at I yesterday that shows that in some cases it's possible, and this is a very nice result. And what we've done is we've extended this result to show that it's always possible, as long as there's some upper limit on how well he can hear. So this is the nice colorful slide, and sorry for being as loud as Trump.
Hello everybody. So, we are all the new code breakers. Okay, so six years ago there was a meeting in Luxembourg about do a face for the 80 years of David Kahn, and we did it, and the idea was to have a volume of LNCS, Springer, putting together a lot of papers about that. So at Crypto 2011 I did a call for that, and the result is the following volume about the new codebreakers. By the way, if you don't know, an anagram of the new codebreakers is the new record heroes. They are speaking about us. So here is the volume. So maybe you don't understand the cover, and I will explain. Maybe there it's an encrypted form of Mozart. There maybe it's a stylized raccoon, why not. And the volume we edit together, I have 73 authors, and in the room here there are about eight authors, so it's from the community. The most downloaded paper at the moment is post-quantum cryptography, state of the art. So it's about 2000 download.
So it seems that the subject is very important, and I have a prize for you: one volume, time to, to Springer matter. I have only one or to share it. So if need, I need to set a challenge. The question will be: the author, the next drawing, and you send me an email to address there, and the first one, I know there are delays for several and so on, is the rules, we sent to me. I was thinking to send me an email about the inventor of Bitcoin, Satoshi. Maybe you don't know that they are six and I wanted to know one from you, but I think that is difficult. I am not joking. And so the question is: send me an email about the author of that drawing about David Kahn, and the prize is the volume from Springer. Is finished. Thank you very much.
Does anyone want to participate in a little quiz show? We have a quiz and we need participants. Do we have any volunteers, ladies and gentlemen? Anybody? Come on up, come on up. Come on. We need more, we need one more person. We have one more. Oh, we can do, come on. We still need one person. There we go. Ladies and gentlemen, we have our contestants. I need to remind you: no drinks in the seating area. All right, I will now hand you over to our quiz master for the evening, ladies and gentlemen.
Is there a prize for the quiz?
Yes, there's a prize, if I can find it. Anyways, all right. So the first game is this one: name these acronyms. I'm gonna give you acronyms from the crypto, like, there's a ton of acronyms at times, and now I'm gonna test your knowledge. Okay, so the first acronym is BA. First I should have asked the participants' names to present them.
So: I'm Remy. I'm Florian. I'm sure for a. Nice to meet you.
So number two, number two: BA. I hope you all agree. I hope at least half plus one agree. It is Byzantine agreement. I'm gonna go faster. TRE. TRE, quickly. TRE has something to do with quickness. Time, time release encryption. I'm sorry.
No points for this round. To appear today, so, or in this session, so the sessions that have been so far, actually, today. The first one is TT. It's been in a talk today. Traders? Traitor tracing. We'll switch to the second game. It's called the periodic table and crypto. This one has both an accurate... Actually, these ones are both a cryptographic primitive and a chemical element. Can you name both of them? The first one is FE. Correct: iron and functional encryption. The next one is GE. Yes, that is correct. The first one is good. And that is correct again. Germanium. And the final one. Hey, I'm damn, you know. And that is correct: Arthur Merlin. And not in the quiz. Well done. No, no participants. Thank you for listening.
All right. So, ladies, gentlemen and cryptographers, I'm gonna tell you about the USB sticks that you all received when you were at the reception. So of course the USB sticks do have the proceedings on them, as is expected and as no one ever looks and reads. But there is also a bootable partition. There's also an OS on your USB sticks, and getting those two things to work at the same time was a huge pain in the butt, okay? So I hope you all appreciate it. Please do look at the proceedings for once. It took a lot of work to get that to work on Mac and Linux and Windows, and definitely special thanks to Björn and Patrik for helping. Okay, so first thing: because we actually wanted this extra partition, we kind of had to sacrifice for security a little bit, so that it actually auto-mounts and everything works nicely. In other words, we went for appeal, because appeal trumps soundness. Yes. All right, so the point of the sticks and the point of the distribution, the OS, is for you guys to play with it. And important: if you like it, it's not production quality. Okay, it's not like as secure as it could be. And so if you like it and you want to use it, make your own, okay? It's not that difficult. So what's this OS? All right, Tails.
Well, Tails. Okay, a little more seriously: it's an OS and it provides, so the goal of this distribution, it's a Linux distribution, and the goal is to provide easy-to-use, strong privacy and anonymity tools. Okay. So it's Linux, but don't worry, no command prompt needed. For all the fun stuff, everything is pre-configured and equipped with nice setup wizards for you guys to try. It's all, you know, clicky pointy kind of stuff. And yeah, so what are some of the features of this OS? Well, okay, it leaves no trace. So what do we mean here? When you boot this thing, it mounts the USB stick in read-only mode. It doesn't touch the local hard drive on the computer. Okay, and afterwards, if it's working correctly, it wipes memory so that there's no cold boot attacks and things like that. All right. It also has an option if you actually want to store data: then there's a wizard that lets you set up an encrypted partition. And for those of you who've tried to do that, it's not always that easy, but in this case it's super easy. All right, it's like just two clicks. And so, right, so it does full disk, and it does disk encryption for that partition. It also has Tor, Tor Browser, all pre-configured, ready to go. PGP integrated with the email client. If you want to generate keys, it's stored on the persistent partition, so also encrypted. There's an app for doing integrity checks, so you can compute all your favorite hash functions of files. Password managing. Bitcoin wallet. This one's pretty cool, I didn't know about this: document metadata anonymizer. So in your Word files or PDF files, these programs leave a lot of metadata lying around which you don't actually see in the document. So these things anonymize that. Collaborative document editing. Lots of other stuff. So basically, try it. It's recommended by some pretty serious people who care about privacy, not recommended by the NSA, and by Mozart.
So, yeah.
So welcome the second guest for the PowerPoint karaoke. Let me explain in some words what a PowerPoint karaoke is. So our two candidates, Martijn some the second, are given six slides which are randomly taken from presentations from past IACR conferences from the last five years. A big thank you to the anonymous contributors of these slides. I hope it's okay to steal the slides for the show. I hand over to Martijn here. Six slides to present.
Thank you. So we start with this slide, and I can't see it from here, so I'm going to join you, because I noticed that the audio over here is shit anyway. So if I yell while I'm sort of standing in the middle of you, you might be able to hear it. So the first idea that we have here is that we have controllable malleable soft software encryption. Oh, this is very convenient. Yes, and there's a teddy bear and a robot and a little devil, and the little devil is actually the good guy, and the robot is also good, but the bear is cheating on the robot. So any questions so far? No, thank you. No questions here? Questions here? And are these guys, are they serious? Are they serious? Yes, they are serious. So we will continue with transformation. So you've all seen the Transformers movies. So they were going to go up next, and one of the things that will happen in the Transformers movies, if you pay attention, is that there is a client and a cloud and a key, and that leads then eventually to lower bounding the probability of good transcripts, which is a major challenge. And if you want to know more about this, I really urge you to come to the session on indifferentiability tomorrow, where John Rand will give an excellent talk and he will explain these sort of techniques in much more detail. And then you will see this, probably. Yeah, so that's it.
Good evening, everyone. I'm Weiqiang. I'm coming from ENS de Lyon. I'm going to describe an improved reduction from BDD to uSVP.
It's a joint work with Shi Bai and Damien Stehlé. BDD is a variant of CVP where we're promising that the distance of the target and the lattice is within some bound distance, and the uSVP is solving SVP problem where we are promising that the first, that's a gap between the first two minimum. In 2009, Lyubashevsky and Micciancio present the first reduction from BDD to uSVP. In that reduction they reduce BDD 1 over 2 gamma to uSVP gamma, and then later on Mingjie Liu describe, improve this reduction to reduce from a smaller alpha, and then more recently, in 2015, this alpha is getting even smaller. Finally, in this year we found a way to decrease alpha to a square 2 gamma. To be more clear, you can see the graph here: the up is Drillier, the pink Drillier is our, it's our research, and it's going to appear in ICALP 2016. To start from Lyubashevsky and Micciancio 2009, they reduce the BDD 1 over 2 gamma to uSVP gamma with Kannan's embedding, and we improve this reduction combined with Khot's sparsification, like, on lattice to make it even closer. Now BDD and uSVP, that's only a 3 x square 2 room between BDD and uSVP. So we also know that there's a reverse reduction from uSVP gamma to BDD 1 over gamma, so what we can improve is that, that's a uSVP 1 over gamma to BDD 1 over square 2 gamma. So our conjecture is that with some parameter BDD and uSVP is computationally identical, and this parameter, we also conjecture, is that BDD 1 over square 2 gamma is equal to uSVP gamma. So we need your help to complete this, this rocker, to combine these two problems together. Thank you. Thank you very much.
All right, listen, people. This talk is about solving a problem that you have, so you better pay attention, because it's an important problem. Esteemed professor Jens Groth and kind of, okay, superficial guy, me, will roleplay it for you. So let's get started. Jens, what do you do?
Well, I'm a cryptographer.
That's super interesting. Like, please, Jens, do tell me more.
Sure. I solve hard mathematical problems.
Okay, so you see the problem, right? So we put together this demonstration to show how to get through and explain what it is that you do without boring people too much. Okay, so let's try again.
I study group theory.
That is so interesting. I'm super interested in that as well. So Jens, in your research, what is a group?
Well, every group has an identity.
Yeah, I can totally relate to that. But Jens, do you think that there is no friction whatsoever in a group?
Well, there's always a negative element.
Yeah, indeed, like Rachel, and actually Rachel and Chad, like, whenever kind of they are together, they're always trash talking everybody else at the brunch meeting, right? So every Sunday we meet for brunch and they're just like nagging everybody, complaining about everybody. But they're still kind of part of the group, aren't they, Jens?
Sure, if you combine two elements, they stay in the group.
Wow, this is so insightful, Jens. Indeed, I can see how this result generalizes, because when Chad and Peter got married, you know, Chad and Peter from our brunch group, they would still come to brunch every Sunday. There was no problem. But you know what is a problem in groups, is Anna, because Anna moved to the other end of the town and she doesn't attend the group meetings anymore. Do you have anything to say about that, Jens?
Well, we call groups where members commute abelian.
That is so helpful. I mean, realistically, at this point your conversation partner thinks, like, that's awfully specific, right? So we have group theory for commuting groups, but hey, it's academia. They study all kinds of nitty-gritty details, right? So that's fine. So Jens, that really was helpful and that relates a lot to my life, but like, so what is your focus? What do you care about most in your research?
Well, I focus on studying secret powers in groups.
Yeah, I can totally relate to that, because Ashley, right, whenever we make lunch plans, we're always ending up going to a restaurant she wants, every single time. So Jens, can you tell me anything about these members with secret powers?
Oh, it's hard to say anything about secret powers, as evidenced by Diffie and Hellman.
Okay, that is really helpful, that this is a really hard problem. Thanks, kind of, that science clarifies that Clark Kent, distinguishing him as Superman, is a hard problem. So, but anything else kind of you focus? I mean, like, now I'm really hooked on your research and I want to know so much more.
Well, right now I'm very interested in groups with hidden order.
Yeah, did you know that Mozart was a Freemason? All right. So Jens, what is the hottest result on groups in your research?
Oh, there was a cool thing I discovered this morning. You can construct a general purpose indistinguishability obfuscation for all polynomial size circuits from constant degree graded encoding schemes in the plain model, assuming the existence of a subexponentially secure pseudorandom generator computable by constant degree arithmetic circuits, or equivalently in NC0, and the subexponential hardness of the learning with errors problem.
Hi, another commercial. I'm not gonna trump the previous one. This is a book that appeared recently. Let me see how this goes. So here's a book. If I convince you, you can buy it downstairs at the Springer table at a reduced rate. Table of contents. It has technical sections where I go into great detail for some systems, but it's not a handbook in that I talk about everything. A special feature is many historical chapters. Cryptography is unique in science in having such a universal appeal, secrecy, communication. It has a rich history, and you find that in many examples that have not appeared elsewhere in this text. There's a lot of illustrations.
I'll show you two technical ones, which you probably know: the AES flow, and this is a pseudorandom generator, physical hardware generator, that I really like and is one of the very few that are certified to be true. Here is something that will look like crypto to you. It's not to Egyptologists in general; they can read hieroglyphs. But this is hieroglyphic writing that was encrypted at the time, so then the Egyptian scribes, and today Egyptian cryptologists still fight over the hidden meaning of these symbols. This is a picture I took at Bletchley Park a while ago. Colossus is often called the first computer. The book was published in December last year and this is the statistics I got in March. I was dumbfounded. 7,700 downloads in just three months is rather incredible. My suspicion is that these are not 7,700 downloads, but that when you download the whole book, 25 chapters, then you're counted as 25 downloads. But still, this is a very satisfactory number. And my very last slide is the explanation, is one of the explanations for this: the book is made for students, in that in, in many, for many protocols.
I give in great detail the foundations, in order for the instructor to be able to say, well, go and look it up in the book, because that's my experience: if you tell the students go look it up in the literature, it's good for the bright graduate students, but not for your everyday student. And a long discussion with Springer led to a totally amazing price: $30. And you can chase any raccoon away with this book.
Okay, so hi everyone. So this is a joint work with Hoeteck, our chair, and my fellow PhD students Florian, Rafael, who are right there. Say hi, guys. So this paper will appear at Crypto this year. So the problem that we focus on is the fact that when homomorphically evaluating a function F, the output ciphertext leaks information about this function. This is what we want to avoid. In fact, our goal is circuit privacy, which means that we want to hide the function F. This problem has already been studied in previous works, but our work is the first one to simultaneously rely just on standard LWE, achieve polynomial hardness, multi-hop evaluation and circuit privacy. And it is almost for free, because we basically take the GSW encryption scheme with subsequent improvements and we add a small noise. So the difference is that we have a new approach, which means that we analyze the noise distribution carefully instead of just giving a bound on its norm. So this is a glimpse at our core lemma. So we take the error in the output ciphertext, we sum a polynomial noise, and we claim that this is indistinguishable from a fresh Gaussian term. This means that V is hidden and F is hidden. And I would like to stress that we have two sources of randomness: one is from the randomized G^-1 algorithm and the other one is from the additive noise y. So this is what I had for you. The paper is on ePrint if you want to have a look. Thank you for your attention and good night, everyone.
So this is the end of our rump session this year. Come on, come on, guys. So thanks to my co-chair, lovely co-chair. Please applause. Even more applause to our technician. He's sitting there very humbly in the corner. This is Philix Soya from the Ruhr-Uni Bochum team, and he is a lover of raccoons, apparently. So the two of us, I do thank all the speakers, in particular our performers today of the karaoke. Enjoy your time. Have a good night.