 Thanks for the introduction, Gregor. So this is a joint work with Ancanto from Inria in Paris, and colleagues of mine, Virginia, Gregor, and Patrick. And I talk about the white and swap or not construction. So this construction is about building block ciphers. So we will talk about how to build block ciphers. And actually, I want to talk about two parts from our paper. And the first one is, why do we need so many encryption rounds in our block cipher? And you will later see that compared to other block ciphers, we really need a lot of rounds. But I think this is a nice start into the construction and also quite easy to understand argument. So to getting started this should be a good way. And then the second one is that I want to tell you about our arguments against differential crypt analysis, because this really seems to be the strengths of our block cipher. OK, but let's start easy. So what is a block cipher? A block cipher is basically an encryption scheme that takes as an input blocks of n-bit length, the plaintext, and then encrypts these plaintexts under for simplicity, say also n-bit master key. And then we get an output block, the ciphertext C also of n-bit. Now, if you want to encrypt more data than only n-bits, then we need a mode of operation to chain these blocks and to make this all secure. But this is not what I want to talk about. Instead, what I want to talk about is how we can insensiate this black box here. And a very typical approach for this is to have a structure like this, so in a substitution permutation network where we have a round function consisting of a substitution layer consisting of single small S boxes and then combined with a permutation layer, a linear layer, which in this case just shuffles the bits. And then this round function is iterated several times and interleaved with the addition of round keys. And this construction is used in many block ciphers and also well researched and well understood. So we have some feeling for what security with this construction means and what we can get. And I think that we can also get really secure block ciphers from this. But still, there are some problems when we have structures like this. And for example, for differential crypt analysis, there are effects like the differential that appears that makes it hard to really argue about the concrete security against differential crypt analysis and to give really proofs of the security. So we might be interested in looking at other constructions of building block ciphers. And as I already said, the white and swap or not construction is one possibility. And it was published by Tesarro at Asia Crypt four years ago. And it's also an iterated structure. So we have a round function, which is iterated over several rounds. And in this case, the round function looks a bit different, but still quite simple. So what we get is as an input, the state x, which is our n-bit block. And then we apply a Boolean function f on this state. And this Boolean function either outputs 1 or 0. And in the case that it outputs 1, we add the round key to the state. And then output the new state. Or in the case that it outputs 0, we don't add anything. So more formally, we compute the output y as x plus k in the case that fk of x equals 1 and as just x if fk of x equals 0. And the nice thing about this construction is that Tesarro was able to show really strong security property of it, namely that for theta of n rounds, this construction is basically full domain secure. And so whatever full domain secure means, I don't want to go into detail here. Instead, what I want to look at is how we can get from this construction for a practical block cipher. So, OK, believing that this security notion is really nice, we can, from a practitioner's side, say, OK, let's have an implementation of this. But then we have a big problem because we actually don't know what this Boolean function looks like and what the key schedule looks like. So how can we derive the round keys? And also, for an implementator, it's quite hard to implement theta of n rounds. So we have to specify all these things. And that's basically the thing for a theoretical construction versus a practical construction. So this is what we want to do in our talk here. And for this, we have to do some more cryptanalysis and some more observations. So let's start with this and let's have a look again at the encryption function. So again, we get, as an input, the value x. And then in each round, we either add the round key or we don't add the round key. So this, in the end, leads to some binary structure of possible output states. And then for a specific input x and some specific sets of round keys, we get such a path and end up with a cipher text, which is basically the input x plus some linear combinations of the input. And we can also now deduce our first observation from this, namely that when we look at the difference between the cipher text and the plain text, that this x plus y is actually an element contained in the space spent by the round keys. So what does this mean? This has a direct implication on the number of rounds we have to use, because if used less than n rounds, where n is the dimension of the space where the round keys are contained in, then we can give an easy distinguishing attack on this encryption function. Because we can always find an element u in this case, such that the inner product of u and the plain text equals the inner product of u and the cipher text, which we can see when we just plug in here the formula for the encryption and then use the bilinearity of the scalar product. And then this means we have to find an element u such that the inner product of this element and any linear combination of the round keys is 0. And this is basically an element u from the dual space spent by the round keys. And as the space spent by the round keys is not full-dimensional for less than n rounds, this always contains a non-zero element, so we can find such an u. And this also gives us our first rationale for any instance, namely that we have at least iterate n rounds. So meaning that if we have a 128-bit block cipher, we have to iterate 128 rounds at least. And this is quite a lot of rounds, like 10 times more than what we have typically maybe. And it's also beneficial if these round keys are linearly independent, because otherwise we could just extend this distinguishing attack easily. And we also have a second rationale, but this is a bit harder to explain, and I want to cover some more interesting stuff. So I hope you just believe me when I say that, for this Boolean function, we also have to have it depend on basically all of the bits of the state. And that this probability here should hold for any input difference of this Boolean function. So assuming these two rationals, what we have for any instance of the white and silver knot construction that a secure instance has to fulfill is that we have to have at least n iterations of the round function. And this round function has to depend on basically all bits. And also this probability here, which basically implies that this Boolean function should be bent because these bent functions then fulfill this probability with equality. And this is also why we call this B zone, because it's bent, white and silver knot instance. Not so nice thing about this is that iterating at least n rounds for a round function that depends on all bits will be slow in practice anyway. So no matter how much you will optimize this, I will bet that the resulting implementation will be quite slow compared to other designs. But OK, there should be an advantage. Otherwise, I guess I won't be standing here. And the advantage is the security for differential crypt analysis. So let's have a look at this. And I also want to start basically here. So what is differential crypt analysis about? Gattin already told a bit about it. But for block ciphers, we have a look at the parallel encryption of two plaintext p and p prime. And these two differ by an input difference alpha. And then we are interested in the probability that this alpha propagates through the encryption function to an output difference beta. And if we found a pair of alpha and beta that propagates with a good enough probability, we can then use this for a distinguishing attack. Now the question is, how can we do this in practice? Because just looking at this black box encryption again makes it really hard to compute the probability for this. So what we typically do is we look at the inner workings of such a construction. And then we can, for example, follow such an SPN construction, we are then interested in, for example, that this bit in the input difference goes to this bit in the output difference. And we are looking for the probability that this transition happens. But in general, this is quite easy to quite hard to compute. So what we do instead, what we can do instead is just look at one single differential trail and then compute the probability of this trail here by just computing the transition probabilities over the single components of the round function. And then under some standard assumptions, we can, for the probability, we can multiply them to get the overall probability of this differential trail. And then for the overall probability that this bit goes to this bit here, so that's what we want to compute, actually. We then have to sum over all the possible differential trails that are possible in this structure. So we get the sum over all these theta's for the probability of this trail theta. And now this is what is called a differential in differential cryptanalysis. And the main problem here is that this sum tends to grow really huge. So there are a lot of possible differential trails that we have to encounter to really get a tight estimate on the probability of a differential. And this is where it's getting really hard to get tight estimates on the probability. So now what we want to do is we want to see what the situation with Bison is here. So we first look at one round of encryption for Bison. And there we can give the probabilities with these three cases here. And to understand these three cases, we have to again look at how one round of encryption look like. And remember that this is just the input x plus the Boolean function of x times k. So if this Boolean function outputs one, then we add the k. And if it's output zero, we don't add anything. And then we have also an input with a difference alpha. And this means for the output difference, basically this x here cancels out. And we just have as possible output differences as alpha. And alpha plus k, where this plus k depends on the output of the Boolean function. And this also means that if we are looking for the probability of a different transition other than these possible ones, then we get these zero probability here. And to understand the other two cases, we have to remember the properties of these Boolean functions. The first one here I did not yet tell you about, but we need this probability for being able to decrypt again. So for being able to decrypt, we need that fk of x and fk of x plus k actually outputting the same value. So this means that the kernel of this Boolean function contains zero and the key k. And now if we plug in for alpha k here, then we can see that these two Boolean functions output the same value. So they cancel out. And we just get k as an output difference. And this also does not depend anymore on the input x. So we get this transition with probability 1 here. And we get the same probability when this alpha is actually zero because then these two again cancel out as they compute on the same value. And this does not depend on x anymore. And then for this last case I did not yet covered, let's remember this probability property we have for this Boolean function. And this basically translates to the propagation of this differential. So it's somewhat easy to understand the run-round case. Now let's have a look at more rounds where the problems should show up. And there we can also, for the differences, we can also get some binary tree-like transitions as for the encryption. So in each round, we can either have to the difference either the round key can be added or it cannot be added. And then we have always these two possible branches. And in the end we get this binary tree-like structure. And then for this example where we assume that alpha equals k1 plus k2, we see that in this case here when we go for the right branch, then the second right branch is not possible anymore because in this case, we would have that from a non-zero input difference, we would here have a zero output difference. And this is not possible for permutation. So basically these two transitions here collapses into one with probability one. OK, now what can we understand from this picture where the most important observation basically is that if we fix any input difference alpha and any output difference beta, then we have only one path through this possible differences. So this means that for any differential alpha goes to beta, there's actually the sum over these probabilities of all these thetas is actually only one differential trail, only one possible theta here. So there's some collapses into only one possible pass. And this means that we don't have actually such a big branching effect that we have for SPNs, which I think quite nice. So this just makes it much more easier to give tight bounds on this differential then. OK, I still did not tell you how this Boolean functions actually has to look like and what the key schedule is and so on. So now let's have a look at the concrete species of this boson instance. And to fulfill rational one, what we basically do is we need actually three n rounds, which is due to some algebraic analysis I want to talk about later. And then these round keys, the key schedule is basically an LFSR where the round keys are states of this LFSR. And this has the nice property that n-consecutive states of any LFSR are linearly independent and also clocking an LFSR is quite cheap in software and in hardware. So that's, I think, easily implementable. And then to avoid structural attacks, we also add some round constants. And then for the rational two, so what Boolean functions and what Boolean function do we use? We actually pick the simplest bent function that is known. And this is just the function that splits its input into two halves and then compute the inner product of these two halves. And yeah, using bent functions is, I think, nice because these functions are really well studied and well understood. And the not-so-nice thing about this is that bent functions does not exist for every n. And this means that we cannot also insensiate our block cipher for every block size n. OK, now to answer the first question of my talk, how would an implementation of this cipher look like? I now told you about this inner working, this inner building blocks of our cipher. We can now implement it and compare it and to what should we compare it, I guess, to AES because to what else. So and beware, I told you this is going to be slow. So for IES, you can get implementations with less than one cycle per byte. And for Bison, our implementation roughly needs 4,000 times more cycles. So this is quite slow, I guess. I should say that this implementation is not also really optimized. But I guess it's also hard to do optimizations for a factor of 4,000. So due to this many rounds, it will be hard to get an implementation that is competitive to other ciphers. OK, I told you about other crypt analysis we did. So we covered linear crypt analysis, where we had to fall back to the standard approach to bound the correlation of a linear trail. And this is basically safe for more than n rounds. Invariants I take are also safe for n rounds. And zero correlation and impossible differentials are basically also ruled out. And the most interesting part here is this algebraic degree, because we were able to show that in contrast to SPNs, where the algebraic degree basically grows exponentially in the white and swap or not construction, the algebraic degree grows only linearly in the number of rounds. And this is somewhat bad. And for this, we did a conservative estimate that we need 3n rounds to be secure against algebraic attacks. OK, to conclude the talk, we gave a first instance of the white and swap or not construction. And I think we get really good results against differential crypt analysis. And I think it would be really interesting to find a construction that leads to similar good results against linear crypt analysis, being the basically second big attack on block ciphers. And our analysis of the algebraic degree also revealed that this white and swap or not construction is quite similar to maximally unbalanced feistal networks. So it might also be interesting to look at the differential properties of this maximally unbalanced feistal networks. And maybe we can find a similar good argument for this construction. OK, thank you for your attention. And I'm happy to answer questions. Thank you, Friedrich. Any questions? I'll give you the microphone. It's probably my misunderstanding, but you defined a particular F, which is the product of the first half times the second half. And you said that it shouldn't depend on whether you added the key or did not add the key. And they are incompatible. So you have to add more restrictions. Yeah, that's a good observation. I did this to simplify the talk and make it easier to understand. Of course, I have backup slides on this. So this construction looks a bit more involved. And it's basically, so what I give you was this Boolean function here. And this property I told you before is achieved by this function phi here. So this allows us to decrypt then. And we constructed a phi such that this bent function properties basically translate to the round function. I see. I want to suggest a variant, which would not require the condition that f of x and f of x plus k should be the same. If you think about a general function, when you decrypt, it doesn't allow you to uniquely decrypt. But you get a kind of backward binary tree of possibilities. But many of the paths are actually going to lead to contradictions very quickly. So the backward tree is actually going to have only order n possible plaintext. So the decryption from a ciphertext going backwards will have only a very small number of possible plaintext, not a unique one. So you might choose among them by having some redundancy in the plaintext. And then it's interesting to see if you can use this observation to eliminate this particular condition, which complicates. Yeah. Yeah, might be interesting. Actually, I think this condition is not so complicated. It's also just that we took the theoretical construct and then did an instance of this. So it would also be then we should also then look into the theoretical security properties of this variant. More questions? No, then let's sync free again.