I was the general chair of Asiacrypt last year, so I'm assuming that I was asked to do this as punishment for not warning the organizers how much work it is. But I do want to thank the organizers. They've done a great job, and I think we're all having an excellent time. So the excellent time is, I'm sure, going to continue during this short but very sweet rump session. To the rump session speakers, I hope you remember more or less which order you're speaking in, which is Xavier Boyen, Amir Moradi, Chitchanok Chuengsatiansup, Yongsoo Song, and so on. I can't quite remember the order myself. Anyway, while the speakers are speaking, if you're the next speaker, if you can go up and get your microphone on so that we can keep the slides going around. I've got the slide thing which I'll hand on to the speaker. I've got the clicker, so I'll hand them to the speaker and then bring them back.
Two, two, two, testing. Two, two, two, two, one, two. Do you realize that it's roadies for bands? They can't count past two. It's always one, two, two. What comes next? Two. You happy? That's right. Computer science is a good joke. Computer science roadies count zero, one. So it doesn't test the microphone. Two, two. All right. You guys happy? I can talk louder if necessary.
All right, so there's breaking news. I don't know if any of you realize this, but I've recently learned of a very surprising announcement. Some of you may well be aware that recently Peter Shor announced a quantum algorithm that might potentially kill lattice cryptography. Oded Regev quickly came to the rescue and informed us that, I can't read this, but that there's some security issue and there's nothing to worry about. But just moments ago I saw on Twitter a tweet which you can't read, but that Peter Shor has announced that he's fixed the problem in his preprint, and I'm going to keep you informed with updates on this important situation as the rump session continues. But next we have Xavier Boyen. All right. Sorry? Okay.
I brought the clock. So I am going to talk to you about Human. Human is a state-of-the-art public-key encryption, and this is actually just a hook, although it might well be. So as we know, we all like to do things in cryptography where Alice and Bob will engage in a protocol. The protocol here doesn't matter, but they engage in a protocol, and magically they perform operations and things happen, right? Well, in reality, it's a little bit different. Alice uses a device, Bob uses a device, and the device is going to do everything on their behalf, right? Well, actually not quite, because in reality it's more like this, because the device comes with nice, you know, ugly eyes, and the evil eye and so on, as we all know since 2013, and who knows what Alice and Bob may even have to say about the protocol anymore. So the question is, what do we do about that? Well... Yes? Should I rewind? Yeah, yeah, you have more time, this one doesn't seem to work very well. All right. So just use this one, it's also pretty nice. Okay, you made... Testing. Testing. All right. No, that doesn't work, does it? Can you hear me? All right, so we are trying to... So is that a yes or a no? No. No. I'll try to shout, all right? Hello? Okay, that sounds better. Okay, so we like to do cryptography, and... Okay, maybe like this? If I stick it to my mouth. Okay, so we like to do cryptography in idealized models, Alice and Bob do things, right? In reality they actually use devices to engage in the protocol, and actually we know that the devices actually cannot really be trusted anymore, because they don't really belong to you, they don't do all and exactly what you instruct them to do. So that is the sad reality of computing these days. So what can we do about that? One possibility is to try to do cryptography without the devices, and that sounds a bit difficult, but I am trying, I will be suggesting one way to perhaps attack this problem.
So what I'm proposing is a strong public-key encryption system, because it sounds strong, so it is actually secure, it will be secure under some assumptions at the level that will be needed for cryptography, that is entirely decryptable by a human. Now of course, don't expect miracles, the bandwidth is going to be very slow, and we will need to remember an at least 80-bit key in order to achieve any kind of usable security, because we're talking about public-key cryptography, right? Okay, so how does it work? There are a bunch of little programs that we can run, and the ciphertext will be shown to the user as something like that. I'm going to skip key generation and encryption, but the ciphertext looks like something like that. And so the secret key, I assume that the secret key is here, we have essentially, this is the calendar, but we have days over here, we have months over here, so my secret key is July 4th and December 25th, plus January 1st, we always add that, but how do I decrypt? I find July 4th over here, I find December 25th over here, and I have January 1st, I add all the angles together, and what do I have? So I have a little one to the left, I have a big one to the right, and I have something half like a square, sorry, a right angle to the left. When you add them together, it's about zero. The message would be zero if you get a given angle, and one if you get a given angle. We can also do better, we can do clocks, where now we can encrypt mod 12 or maybe even mod 24, I might put July 4th, July 4th is this guy, December 25th is this guy, and the first is that guy, we'll add the times together, the microphone in my hand is a little difficult. All right, let's try. All right, so we start at 9 o'clock, January 1st. Thank you, Steven.
All right, we start here, we add July 4th, which is about 10:30, now 1.5, over here, which is about 4.5, so I add 4.5, and 1, 2, 3, 8, midnight, so midnight, or noon, whatever, would mean the letter A, like the table, but displayed as part of the visualization, the map, and apologies to all of you in the room, so the X and Z don't make it, we just drop them. Doesn't matter, right? So, we'll have to use that, we can use PIN numbers, four-digit PIN numbers, so my computer, but I'm not too sure, so if the key is 1, 2, 3, 4, but here, so 1,230, 1, 2, 0, 1, 2, 3, 4, it's the digital wedge over here, I will add that to that, and I get, again, in this case, okay, so is this for real? Yes, it is, practical, and if you want the random engines for this, I'm not going to put it in this example, but it's in the paper, or we can use 17s, whatever, and it's lattice-based, oh, I have to bad-use it today, and it's a reduction from an assumption that is halfway between SIS and LWE, it's a bit different from SIS or LWE because we are working with very, very low entropy in the secret, much lower than the systems normally do, so we have to add more noise to compensate for that, but there are no known attacks other than generic, and what you get, humans, we already use that for humans, universally we use remote encryption, authentication, right, and so, long live the revolution, cryptography for the people, strong, public key, one good password to remember, your device does not learn your secret, no deck of cards, no CAPTCHA, no gimmick, and the security is based on an LWE-like assumption, an SIS-like assumption, and the best known attack is meet-in-the-middle, a generic attack, and I also have certain strategies hot at the moment, twice as high as in the old days. Thanks, Xavier.
Is Amir here? You're Amir. So I announced that Peter Shor has fixed his paper. You'll be happy to know that Oded Regev has very quickly... No, no, I can't go far. I do this. Oded Regev has quickly come to the fore.
I don't know if you can read what he says. I don't quite understand it, double TTF. I said it's wrong, it's still wrong. So I'll have more to follow on this in the near future.
Give me the microphone. Still not. Yeah, it's working, I believe. Okay. Probably you don't see much here. Yeah, it's about... You see now? Okay. A couple of you probably know that the SKINNY cipher is out since CRYPTO 2016 this year, and actually we are a pretty large team from Germany, Denmark, France, Japan, and also Singapore. And the specification of the work, the results and updates will all be available on the Google website of SKINNY. And actually what I'm trying to motivate here and say here is about the cryptanalysis of SKINNY. And then we definitely appreciate the extent of analysis which can be done by the community. Some information about SKINNY, very little. It has two versions, let's say two main versions, 64-bit and 128-bit. And then we have three different versions of the block size which is tweakable with the size of, let's say, 64-bit or 128-bit or 256 for the 64-bit version and then also so on for the other version. For example here, SKINNY-64 with 128 has 36 rounds and SKINNY-128 with a tweak of 120 has 40 rounds, which is here. The attacks that we have performed till now reached 18 rounds by the designers. I mean the team could reach up to 18 rounds to perform successful attacks. And then this is actually the point, that we are trying to motivate the extent of analysis on SKINNY by announcing a competition on very reduced versions of SKINNY. Some examples are some categories that we have defined. We have defined five categories. The first we have if you could reach 26 rounds of SKINNY-64-128 or 30 rounds of the other version. I mean I hope that you see here 30 rounds for this version which has 40 rounds in general in the original one and then 26 for the other version which has 36 rounds.
Or the other category if you reach 28 rounds and 24 rounds on this side. For each of them we have defined some bounds for the number of rounds of the reduced version. And then if you could actually get to the first category you get five presents, from each country. Of course we will decide what you get. But you will get one present up. It's much better. One present from Germany, one from Denmark, one from Japan, France and one from Singapore. And for each of the other categories that you reach we reduce one of the presents. Of course you can decide from which countries you want to have the present. Good. Some rules. The designer team will decide about the best attacks submitted after the deadline. But the main criteria are actually the final complexity, computation, data complexity, memory complexity and application to the SKINNY variations or variants and also novelty and then the model of the attack and so on. We try to somehow consider any type of attack but of course it's not possible. For instance we are not sure about whether we are going to consider biclique attacks as an accelerated brute force or not. But we should decide about this later; if the attack is very sophisticated and the result is very good, why not. But if it's going to reduce the complexity by half a bit or a bit less than half a bit we are not actually currently sure that we can consider the biclique attacks. We for sure consider single-key and related-key attacks. Related-software attacks will not be qualified, and also it should be known that the tweak is also allowed for up to 64 bits for SKINNY-64-128 for example. But in this case the security is bounded to 2 to the k where k is the key size. Of course the attacks from the SKINNY document which we have already published on the website count as already existing attacks and of course they cannot be qualified, and if some attacks are similar of course the first one which is submitted has the priority.
Of course government agencies can also participate in the competition. Of course the designers of those two popular lightweight block ciphers are actually pushed somehow. They have also been allowed to participate in the competition. And the last slide is that we have already started. This is the second announcement of this competition. We have already four papers on ePrint about SKINNY since CRYPTO this year and then it seems that the maximum number of rounds that could be reached up to now is 22 rounds. We are actually happy about this because it's better than what we have already considered, and the deadline for the submission is 1st of March 2017, which allows us actually to have the final results and announcement at the next FSE. The attacks should be submitted to this email address. Of course this email address is available to each of the SKINNY authors as well, and it should be considered that in submissions you state which countries you want to get the gift from, if of course your attack qualifies for one of these categories. Okay that was all. Thank you. Thank you.
Thanks Amir. I'm very pleased with this. This is a name I can pronounce. The next talk is by Chitchanok Chueng... Damn! Chitchanok Chuengsatiansup herself. Here's your thing. Is it working? No. I can't hold it. Is it working? I'm kind of shy being in front of a lot of people also. I prefer standing here. Is it okay? Okay. I would say my name again. My name is Chitchanok Chuengsatiansup. And quite close. Well thank you for your attempt. And this is joint work with Dan Bernstein and Tanja Lange. First I would like to show you a timeline of the speed of scalar multiplication and in this case I focus on single scalar multiplication. That's in, for example, key exchange. And blue dots here show scalar multiplication using double-base chains and black dots are for single-base chains. And around 2007 and 2008 here the speed around... Well, either single base or double base has about the same speed.
But later on there was an improvement to single-base scalar multiplication and the scalar multiplication cost dropped to only 1,950. And at Asiacrypt 2014 there was a paper presenting optimal... near-optimal chains using double base. And in that case they didn't consider precomputation. So the set here is for precomputation and the cost of using double base is not that good. But I have a new result which speeds up scalar multiplication using double-base chains. And I also have a new result for single base as well by using a different set of precomputation. And I obtained this result by using new tripling formulas and also a DAG, or directed acyclic graph, search for the optimal chain. So the method is as follows. We propose new... with our faster point tripling formulas, and these formulas are for twisted Edwards curves. And we reduce one squaring. So from the previous cost using nine field multiplications and four field squarings we reduce to only nine field multiplications and three field squarings. And for information about these formulas you can find them on the website Explicit-Formulas Database. And we also improve the way of how to find the chain for representing the scalar. And instead of using a tree we use a graph, specifically we use a directed acyclic graph, and we also speed up by working, instead of working with a full-size scalar, we work with residue classes. And at each step. So in the previous algorithm they just factor out all twos and threes and so they're trying to really reduce the number of additions, but in our algorithm we do the opposite. We always perform an addition. But I will tell you later why by doing so at the end we can improve the overall performance of scalar multiplication. So I would like to show you this picture because it's kind of cool. So instead of using a tree we use a graph and we actually use a three-dimensional graph and here is an example of the graph for finding a chain for representing the number 17. And now I would like to say something about the extra addition.
Why the algorithm does not always completely factor out two and three. Is it really useful to consider an addition at every single step? Of course the answer is yes. For example the number 28. If we always factor out two and three then first we would factor out four and then we would be left with seven, and the chain would be two times three plus one. And in this case I show the cost here, and the total cost for completely factoring out would be 44.6. But if we consider an extra addition at the beginning the cost is only 43.4. And you may wonder, because of the extra addition at each step, is it really useful for the computation of generating the chain? Even though the evaluation is better, for generating the chain is it really better? And we answer this by using residue classes. Like I said previously, instead of computing on the full scalar we compute on residue classes. For example in this case we want to find a chain for 1357 which is 11 bits. But we don't work with those 11 bits. We do modulo two squared times three squared. So the number that we work with is 25 which is only five bits. And you can imagine if we have a 56-bit integer we modulo something and we work on a smaller, much smaller number. And here is the graph for 25, and to compute the whole full number we just repeatedly compute the subgraph. For example in this case we compute the first subgraph and move to the next subgraph and so on until we really find the whole chain to represent that number. And I would like to show you the result. And the result that I show here I separate into the cases of using precomputation and no precomputation. And comparison also between using double-base chains and single-base chains. And this is the result for single scalar multiplication. And I highlighted in blue our new result. And I also would like to say that our algorithm can extend to computation of double scalar multiplication. For example, computation in signature verification.
And in this table we compare to the previous result of using a tree and also using single base with sliding window. And ours is our new result, rectangular-based directed acyclic graph. And as you can see we really reduce the cost of scalar multiplication a lot. So thank you very much.
Song, Song, here. Okay, so I've also just learned there is a further update in the ongoing battle between giants. And Peter Shor has in fact just updated his arXiv paper. The title has now changed to "A total break of Regev's learning with errors". And the abstract is a bit strange. He's accusing Oded Regev of being so smart he never makes any errors. And if you do learning with errors and you don't make any errors then it's not secure. So we can only hope that Peter Shor's mental health will improve very soon. Okay. So now Yongsoo Song is going to tell us about Lizard.
Okay. Hi everyone, good evening. My name is Yongsoo Song and I'm from Korea. South Korea. Yeah, please don't be confused with North Korea. We don't have nuclear weapons and we don't urge you. Can you hear me? Everyone can hear me? Okay. And everyone can see me? Right. Yeah. This talk is about post-quantum practical PKE. And it's a brief summarization of the invited talk that was given by program chair Jung Hee Cheon at the Post-Quantum Asia Forum in South Korea. And I believe that all of you have seen these kinds of slides hundreds of times so I skipped the definition of the learning with errors problem, but I just want to point out that lattice cryptography is a very strong candidate for post-quantum cryptography because of its powerful security. We have something called the worst-case-to-average-case reductions and yeah, its speed is very fast, but the problem is its size. Okay. So the first construction was done by Regev in 2005 by combining learning with errors and the leftover hash lemma.
So the public key is just many, many, many instances of the learning with errors problem and we just compute the subset sum of many random subsets of instances, so we just sample a binary string R. But the problem is that to use the leftover hash lemma the M should be very large to achieve enough entropy for randomization, so the next try was done by the combination of LWE and LWE again. That means based on this public information we make the encryption by the same subset sum but additionally we add some error, E prime and E double prime. Then this ciphertext forms again a learning with errors sample together with the public information so we can reduce the number of samples R a little, but still we have some problem with Gaussian sampling, because in this case the encryption process requires discrete Gaussian sampling and it is comparably expensive, like you need a long random binary string for example, or it cannot be written in very few lines of code. So our approach is here, so the name is Lizard because we can cut the tail of a lizard, that means after adding many LWE instances, instead of adding more error we just cut the least significant bits. So for example here the modulus q has 9 bits for example but the resulting polynomial has 7 bits for its modulus. So maybe I should talk about the security of this scheme, but this scheme is based on the learning with rounding problem, that is, instead of adding error we just remove the least significant bits, so one LWR sample is something like this. But for a long time we didn't have any efficient reduction, but recently, in a paper that will be published in TCC, the learning with rounding problem is no easier than the LWE problem when the modulus is large or the number of samples is small, and the second result is exactly the one we need, so we just publish a very small number of samples. So to sum up, our scheme is based on both LWE and LWR, but thanks to the reduction we only need the learning with errors problem, and we analyzed the security of the scheme following the framework of some nice post-quantum cryptography research including Frodo and NewHope for key exchange, and we extended their analysis to the learning with rounding problem. You can convert our scheme into the IND-CCA version in the quantum random oracle model by a modified Fujisaki-Okamoto conversion. Okay, so this is our implementation result. Because we are not so professional at coding, this is not so optimized, so this implementation result is still improving, but it's already so fast, super fast, for example encryption just takes 0.002 millisecond, it means 7 microseconds, for 128 bits of quantum security. And for more information please refer to this, and thank you for your attention.
So the next slide, Takeshi Koshiba. I think you only have one slide. Okay, my name is Takeshi Koshiba and I'm from Saitama, Japan. So this is just an announcement of the next ICITS. So ICITS 2017, the 10th Conference on Information Theoretic Security. So the conference will be held in Hong Kong just before the next Asiacrypt, so any result on information theoretic security is welcome for submission; also practical results using information theoretic techniques are welcome. So the plan is around June, this is just tentative, but the tentative so the organizing by Kinichun and the program by Junji Shikata. We are looking forward to your submission and joining the next ICITS.
Christophe Petit. Okay, I don't have an update on Shor's algorithm I'm afraid, okay, so but we do have a lattice-based spring school coming up in Oxford so I hope everybody here will be able to attend. The schedule will be March 24 to 27. We are especially targeting PhD students and early career researchers so please send us your students, it's actually free for students. The location is amazing, it's the Mathematical Institute, University of Oxford, Andrew Wiles Building, and yes you might come across him. We have an early registration deadline December 15 so hurry up. We've booked some rooms in a nice college so if you want
to take advantage of this you should register now and yeah, that's our website. Thanks very much.
Christophe. More news, the plot thickens. Oded Regev has now put up another blog post. He has revisited Peter Shor's famous 1994 paper. He's realized that this paper relies fundamentally on the QFT. He's realized this is a quite false theorem and he's concluded that factoring and discrete logs are in fact okay, they're still secure. So that's good news. So we'll get on to our... wait, well, that's right, it's all good. Anyway, so our final talk in the rump session is these two guys.
I will start with it. So it's good news maybe that Shor's algorithm, well, actually no, we rely on Shor's algorithm, but still. Well, yesterday we had an interesting discussion, we came up with a nice result with you, we're able somehow to attack a variant of LWE in a quantum model. So what this variant looks like exactly, so it's LWE one point, okay. So this LWE variant is LWE in medium characteristic. So maybe it's not so well known. Well, you start with your classical LWE parameters, you have the dimension, and importantly the prime modulus is p, which we will also call the characteristic in this context. Then we get the volume q equals p to the n, and medium characteristic is when these two numbers p and q are related with this nice exponential relation. And so in this specific case for LWE we're able to somehow save the LDA Shor quantum LWE algorithm recently discussed. And the thing is, unfortunately, well, we also have a few more nice results about this, but we needed quite a lot more than the 10 slides limit for this rump session, so not so much more, but then we hope that Steven didn't cut too many things. So first, how do we solve this variant of LWE? So we start with the rather elementary fact, well known at least to the lattice community, that if you take a Gaussian, well, you can add a point at infinity and this gives you a group law. So, well, you get your Gaussian, two points, then you trace, well, you get a line through them, it cuts the Gaussian
through another point, then you reflect back with the y axis and this gives you the addition. So now because we have this point at infinity then the Gaussian cycles, and because it cycles then, well, we can use Shor's algorithm on this cycle to find the order, the secret order of the cycle, and basically that's the intuition behind our algorithm and it will solve basically LWE in this context. So we have some technical arguments too, unfortunately only the last slide remains, but I think that it's quite obvious what was behind. So the last part of our fundamental lemma, we have this nice, so first we start, we take the real part of this nice expression where in particular, oh, this pointer is not so nice, I'm not sure I can jump, but see, so we have the secret with the estimate of the error that is taken to be 2.7, not so, well, a rough estimate of e, and this we can upper bound by this double sum over F1, not too complex, and this we can also show that it's less than 2 pi r where r is the radius of the fundamental circle of the lattice. So this solved the problem and actually we even get a very immediate corollary that it works for Gaussian varieties of higher genus, so we have here a hyperelliptic function of genus 3 and actually we can still attack this system. So now we'll let Jerome tell you about more exciting developments of these techniques.
So I'm sorry to bother you with the mathematical details, but we are going to need a bit more computation here, so we need to prove a simple but useful inequality, so we give a simple proof. So this is totally correct by the way. So we need first a short lemma, which is that one fourth is a strictly positive number. So why is it true? First it is positive because it is a square, of course, it is the square of one half, and then there is a small technical lemma which is, so since this is the cardinality of a field this is not zero, so this is invertible, so one fourth is also not zero, so since it is greater than zero and not zero this is a strictly positive
number. We know that this proof is not constructive but it is enough for us. So since one fourth is positive, one fourth squared is also positive and so on, so we can sum these geometric series and the sum is one third, which is therefore also a positive number, which is the lemma that we needed, so one third is a strictly positive number. So why is this a very useful lemma? Well, actually from this we can derive the Goldbach theorem. So the Goldbach theorem, sorry, but now it is a theorem, is that any even integer is the sum of two primes. So up to now the best result was this, which is that every even number is the sum of at most six primes. Now we take this, we divide by three, this means that one third of every even number is the sum of at most one third of six primes, but now, this was the longest step in the whole proof, but one third of six is two, or more precisely factorial two, and this means that the probability for an even number of being the sum of two primes is greater than one third. So at least we won in one third of all cases, but it is not a big problem because if we did not win we can prove, so I am going to show you the proof, we can rewind the proof and using a forking lemma we can always suppose that we are in a case where this is true. So basically this is always the case and we just proved the Goldbach theorem. So now why does the forking lemma work? Steven, no, not again. Okay, so I think there is a lot of stuff missing, so we, okay, I am going to skip this, but we just solved the TWE problem in any dimension, so I can, ah, we do not even have the definition of TWE, that is too bad. So the teaching with errors problem, which is a variant of LWE that we solve, so we put together all these terms that, promise, we will be on the crypto mailing list, we send them to Regev and Shor, so we can prove this. Basically the easy case is where n is an even number, so then we can write it as the sum of two prime numbers and we just saw in the slide that we missed that the theorem is true for
a prime number and we can decompose, so this is true for an even number. And now there is a much harder case where n is an odd number, and then there is a trick: in probabilistic polynomial time we can find an even number that is greater than n, and then we simply embed the problem into an even-case problem which is solvable, and therefore the theorem is always true. And we have some quite exciting conclusions. I am going to give the microphone back to Pierre for the end.
Okay, so now, well, unfortunately because Steven removed some of the facts you only have the main result, but I think that's enough for you, and also, well, we'll see what we get next. Okay, well, great, we have at least the first half of the summary. So, well, we first started by solving learning with errors in the medium characteristic case and this allowed, through some connection, to prove the Goldbach strong theorem, and back to TWE, this allows us to solve it for both even and odd primes and actually any natural number. And actually we think that this is a major result for computer science and mathematics, not only for this century but probably the two and three following centuries as well. And the thing that's nice is that actually this very, very nice important reasoning can be summarized in a single slide using in particular notation from slide number 278 that we didn't see, so, well, that's not important, I think you can see. So this next slide is, okay, it was cut too, that's too bad, but the thing that's important, you need to remember that TWE, as we showed, implies P equals NP, and so we just solved this major problem and we're now quite happy. Thank you.
So thank you, so this is almost the end of the rump session. So I think the next task on the menu is to decide who's the winner of the best rump session talk. So I think we should have some applause for Xavier Boyen and his visual cryptography, so that was the first talk, okay. And then vote number two is for Amir Moradi with the SKINNY analysis competition, for her talk on double-base chains, number
four, I do have some very serious concerns about whether animal ethics approval was obtained for this research, cutting off the tails of lizards. But I think conference announcements are really unlikely to win the competition, but anyway thank you to Takeshi Koshiba and to Christophe Petit. And the final talk, applause if you think this was the best talk, to Pierre Cartman and Jerome van Voet. If you didn't think I manipulated the election... but I think the rump session winners this year are Pierre and Jerome. I have no prize for you, but I do have one last late announcement. I believe that Peter Shor has uploaded a new paper on arXiv, it's entitled "Bad directions in cryptography". He's been revising the famous 1976 paper of Diffie and Hellman. I'll read it to you: I've been evaluating its predictions in the present culture. It turns out that Alice and Bob are not really friends, they're just on Facebook. They don't actually like each other and they're mostly sending pictures of cats. Cryptography is not necessary. At the end of the rump session there is still one prize to be awarded, which is to the best organizer of the rump session.