Events Add an event Speakers Talks Collections
 
Crypto 2020
August 18, 2021, Online, USA
Crypto 2020
Request Q&A
Crypto 2020
From the conference
Crypto 2020
Request Q&A
Video
s-130: Test of Time Award Ceremony + Cryptanalysis 1
Available
In cart
Free
Free
Free
Free
Free
Free
Free
Free
Free
Free
Free
Free
Add to favorites
436
I like 0
I dislike 0
Available
In cart
Free
Free
Free
Free
Free
Free
Free
Free
Free
Free
Free
Free
  • Description
  • Transcript
  • Discussion

About the talk

About speaker

Michel Abdalla
Senior Researcher at CNRS
Share

On YouTube, Michelle, you can start. So Welcome to the jcr test of time award ceremony. I am Isabella, Deja Preston. so first Did just let me give you say a few words about the ISAT test of time Awards. This is Zen a word that has been created recently by Desi are too. And we give, please give in yearly for each one of the main ice Guard, general conferences, mini area, Crypt, crypt, to niasia Crypt, and the goal is to identify papers that have that the papers that have had a lasting impact on the field. A cheat code away is being implemented, not worded a conference

at a year, y for a Sensei a crypto 2020. It's it's it's showing a paper that has been published at crypto 15 years prior and this is actually. I know what that is elected independently of the board. But if you have a separate Committee in which two of the members appointed by the board + 3 + 1, + 3 Program chairs of the year the current year. So in this particular case, so if you would like more information and can just go to aclj.org test of time, but in this particular year, the chair was a professor at

that truck, you're okay Moto. And the other appointed member was eating more who will become picture of the next year's festive time award committee. This 3:00 program chairs were in control from your credit, Daniela mochacho from Cryptid 2020 and she almost died from a script. So at this point I would like to best one to Danielle Machado as the representative for the test of time award committee to actually announce the winners of the of the L word for crypto. Daniela. Sofia. Hello, and that

it work at the paper and that's all building block in. Taiwan is been the standard algorithm for a single since 1995. When it was issued by an Easter that what your daughter, then deployed, the product produced in a 160 beats digested, it requires two to go to 160 operations in The Brute Force, the brain attack and a to do the 80s on stew in a bird egg on these on finding the Brute Force attack. What's up? Daedelus that worker of the Italian one leaves again and humble you. So their worker use the techniques for finding and combining the

near-collision Monday, canceled them all straight to bed. One function could be broken in time less than through a 69 faster than the theoretical left to do, the IT band, and they also has a 2-0 of the times from the Battle of the fans on a 2017, S10, axle Collision sartuche. I wanna wear a demonstrated there in the abuse. Work Market fundamentals, typing in that return, addresses of hash functions to in China. Why am I receiving mattress to 2000? Citation, Circle and nesting light in the mattress

on the market analysis of half the time. So it is with great pleasure that the only house of the test of time selection committee. I present this award to the auditorium China, One that leaves again. And how about you? And I responded like that Mumbai to one of the authors in the audience. If they want to come here. If you were about the at work, I believe there are there. Beautiful. Now, should I stop sharing now? So that yes, okay. Holy Cross and a friend,.

But these are very special price on behalf of all about you home were Lisa and a measure of a c s x to under-appreciation to the evaluation team and the program Committee of a 2020. Toyota and a recognition of our work looking back at the water tower of cool. We are City are very hard to find. Some other hash, she recognized by the International Community, over the past, two years of education. And the mister tree, you can. I have received that many people

whom they took a professor at, you cannot rest area. Do you want to be Don't Mess. Are you interested? You need to process you? Yeah, you and be the man that sees the other research. I would like information that I found us up for Modine. Cryptography is a better day Professor Edition and Leonardo edema, right. Eye feel dirty feet, and the many more contributions. There is a pair of them to understand a watery the security and how to mathematical problems. Are they calling for the information security?

We are studied at Hodge Park machines that you can eat to cure. And the to study you for fighting the community, as haircut is a Honda mathematical problem. I want to do some coke Professor,. You are the other Holy Cross, the other friend for their haircut and a Joy to the World Cup after the announcement. I was a professor of an Uber ride for free because 42 worker at a university as a nice teacher with her for a divorce custody. And yet, he'd seen a 25-yard. Oh, cool. Either. The preliminary study of

matter that timer in China or the, to print out badly as the foremost of which happened to me. Other than that pizza, place de clichy answer, every timer to come here, nearly half a day to buy the computer. Laser printer, all the Family Savings. I also agree with masturbation time cuz it to my family member. I said to my husband for her support for research to my lovely daughter. We are thinking about her at home. Finally. I also stopped at 2 to call laboratory

worker for Shabbat today. Enjoy the benefits of Rikishi, off of everyday drama. Tour remote app stuck at 3. Almost to my tomato. Has it ever connected? And we are also facing more security at any days that they ever before heavy applications of a coffee table for the emerging Technologies, Avicii the original Treaty of Rome Akash Ganga. Shuffle Groove top, all the rappers. Are you at all? Because I never could use a filter. I also cool book, Cartoon Network and a cheat because because

you are the type to tell Rusty under the authority of a community. We are crippled work you in. All these areas have finally all for you and your family to stay safe. If you are not happy with the caliber of collaboration of Versace sister. The property at approximately 3. Thank you so much for such a long. No. With this, I would like to hand over to. Dude, it's who you water and Christian High School, who will be handling the next session. Thank you so much for

participating this test of time Awards. And let's move on to the next question. Thank you. All. so, when you come to me about, We're going to have 60 bucks in this session. And so will be about 10 minutes including that you are and see if you have questions. So what are you? Can find a link on the from the Crypt to 2020 main program web page. And I think we can start a session. So the first talk is about Crypt of the lifted and balanced oil vinegar, signature skin. By Jing tidy.

Joshua Kurtz mix. And I believe so she will not get to talk to start the presentation. So, can y'all see the screen? So Jose Aldo has shown for sufficiently powerful quanta computer in August 8th, August 28th. Now listen, I'm about to a vinegar which is this scheme, but we attacked in the paper was around to Canada designed by Woodlands at all in 2017 Elementary. So multiplayer games are one of the potential around Tooele bounce. In the Multiverse signature, the public

ep, the messages of vectors into the main in the in the rain, in the signature of those Baptists verification. The secret, she is knowledge of how to invert the. Witch musing, means finding free images of the spectrum. App 70s, put Jabet with easy to compute. S s e y w. A w e s Among other findings to U of H e l l v using a list of structure to increase efficiency oil and vinegar private key over a small field unless it's an extension Fields aren't roughly. I love you too. With all the coefficient of both its maps fmt to be

annexed to the prime filled with Thrones is open extension field. F e r. I'm lifting my vacation. We see the public ep0fo. Satie also asked efficient only has to match after we got to the end, we go bowling on music called lifted. So now we're going to start our attack against logs in the Rain from you. Look for second shift some small subset. We choose the fat ass to the BPM + x Prime Quest, Tuesday, the sub doing that to the yard and it's Prime this just some random element. An f2b are to be an image that we're looking for is going to be in the shape of a

time element. So we'll see how that works. L u v public E and F to the except field of that to be, are we rarely slept the differential. It's fine. And we let X bar get in the time that the best way to find a new map. And we use the quotient ring representation of the extension activity are to rewrite the equation. T. Bar is equal to Y and its but that happens is split in attic equation x - 1 * the Y. Now by definition which is taking those symptoms, the band MX Prime, Suspects bar, X

Change, but we'll have plenty of time. Who are random degree. So we can meet like this again just to be that is two components is sum sum of money a polynomial x, 30 x 1 plus a quadratic polynomial on both the minion all over that small field. So we've gained Linnea polynomials for all the powers of tea. But we haven't spread in the car drives around. Best you can salty bars equally. Why I first saw them all those Linnea polynomials and then forgot solution space.

And what type of ability will just lose as many variables. As we have many Apple notes to self. So that's the basic form of the SBA attack. Now, I'm happy about this, is the only works if it's appropriate subfield. We can use the frame disease with l u v. So what we did is we just argued that he respectfully pbar access a random that and we looked at the smallest subfield effort to get the deed, which a random map would more than likely have a solution. And when you did that recorded battery dies in this table, and the appointed thing

to see is that Vee is often much. It's always much smaller than our shows. Probably a success is essentially one every time. So inconvenient in the paper, and I won't go over that too much. And we just approximated the complexity of solving the final quadratic system. And I won't go over this because this is not really quite, as the gays is just solving quadratic systems, but this would be ours. And I'm shooting the complexity. We saw that it was less than this requirement every time. It's a Kelly views, proposed.

and, But finally mentioned that our attack did not work against games, which do not have this lift structure, because it's the original coefficients, the alphas to the random element, the best qbr. Then we would have heard Raonic times for all the different powers of tea and that we won't be getting any efficiency. In conclusion. Aerial view of an interesting development, that you would be the public key size. How's it going? What's new in? This we have found the

competition is based on. Just tell me what your position representation but feel extensions and that's how we feel. Has more potential for development. Sfda lights on lifx. Thank you, and we like to think that. Thanks. Thank you. I did not spot any questions. Post yet in the Forum or in the check, and I'm so maybe I have one free phone and then for later, I'm still have to follow up with them after. What's of course. I'm wondering about whether this is the end of the story and I think some of your Coronavirus.

Make make a photo paper on you. Bring me paper. So we have the belt on a pension is SBA. And in that will fit me, trolls, that differential to be all the positive random, right? But for Anastasia instead of like a different show me Rose up, the powers of tea step-by-step, the first stoplight be e to the power 10 temp system and then we looked at like that in the terminant X bar again, and that would put it into. It is a power one, empty Square Taps and we saw

the kids about 1 will be just Linnea and then we did another one that we continue this until we Good at solving equations, but we found out, we were able to break fully half of this midget. Breaking means breaking practice, right? So you really did decapitation ever. All right, we're running out of time and said there was also questioned on the text and said we are when you have time. So we will move on to the next song. Do you want me to do? Electric techniques against symmetric Primitives by Tim bang, bang control.

Thank you. Can you see my screen? Yes. Okay, so well, this word is that on the security of some hash functions, which are optimized for integrity, proof sisters because for some reason to propose Integrity proof system slides that kissed or Oxnard sore, but it's obvious Integrity proof system, use hash functions. And for optimizing performance, this hash functions needs to be designed in such a way that the size of the polynomial relations representing. The

execution phrase is minimized. And so, please call me. Normal relations are expressed over finite fields. And for Visa applications. The best choice for the final details is to use large, find a tails, and also find a field of Earth characteristics, especially Prime feels. So this is something, which is very different from what we have usually into Metro service means that bees hatch from This can be expressed by simple algebraic rotations over large primer over a large fields and Sylvia, same price that you are, of course. Vulnerable. They may be

vulnerable to bring the baby to text. Of course, needs to guarantee that ever has. No other type of attacks for breakfast hash functions in this is that what we did here in this world. So to be more concrete with Pakistan. Some hashtag since optimized for zip kit. Start and especially hash functions defiant in the soccer challenges. Sophie's, hash functions. Where are my father, was a sponge construction and they use as an interpretation to Bargains of Nancy GMC, which is a Faisal Cipher Define overprime field and had this Mincey,

which is an Espeon. And both in both cases versus permutation that typically operate on 12 animals in a field of size, q word askew. Close to choose a 64. So we have two volumes 1, responding to a prime field and one person into a binary Shield. So for gym is a price of a cipher wave 12 branches, each has 100 rounds and the run time. She needs an expanded function which corresponds to the cube melting over you work. You is close to 2264. Paper is to generalize some classical attacks to the case of fields of Earth,

until as an example with eat rats for integral attacks in this, over a binary field after to be an integral tax, use the fact that ass the song, while the values of the images of a function, f of x some 201x berries in the Subspace, whose size exceeds. The degree of the function of the problem is, This does not hold any more if we considered Prime field, but instead what we did is what we found a more general property which holds for any field and which involves the multiplicative Sub Sub sub shells do in

dudes. What if we proved is that if we consider a multiplicative, subgroups, whose size exceeds the rear of the function them, the sum of a g o f. F x is equal to a constant switch. Only depends on a 50. So we use twist relation. For instance, for exhibiting, some integral distinguish reasons. You are some distinct features, Auntie Mame super mutation. So I still can see here for almost all parameters. Used inzer, challenges are some distinguished recover as a number almost over round off of super mutations. And for what is important and interesting

here is vet visits distinguish result. Very flexible Victoza Prime. Find in these challenges or are have a size Q, which is such that Q - 1 is divisible by a large for us too. So, we have many multiplicative, subgroups of the precise because I bet. So, let me know say a few words on a S type of new attacks that we presented that we called algebraically control, differential it. So you ain't hear of this attack, is to find some inputs of the permutation that satisfy a given,

differential characteristic, because we wants to find collisions Forza, hash function, but the problem here is that this finding such input, it. It's very expensive because the cube mapping has very good difference of properties. And especially because we are using we are operating on a very large Financial Field. So, or ID, for finding such inputs instead is to find By solving some other break relations. And this is possible because the round function has a very simple algebraic form and so we can represent the condition of

differential transition as bright equations that are quite easy to Salt. So using that Technique, we were able to find into it which satisfies the differential characteristic of a 40 - 24 round of the permutation. Where is the number of branches of the Fiserv Network? Please can be extended to more rounds in a probabilistic way. And for instance, we can also use the differential characteristic for exhibiting collisions on forty rounds of hash function, and this takes only a few minutes. So to conclude into gives you a favor of what is in the paper. This is

a table at which summarizes some of her attacks on GMC and on had the swimsuits, but Wells are probably the most important. Conclusion of this word is that have no basis or not. The only threat against such a primitive and maybe some of her a text but finding them require some new tools for analyzing symmetric Primitives. Over fields of authority, rests text with their lives. For instance, for Enterprise attacks, but there are still men, you open issues that need to be solved on this topic. Thank you for your intention. Thanks.

Love them. 15 one question from nice land in the checks. And he asks if his methods applied to schemes such as rescue. Well, score for risky to, it's more complicated. We try to do something similar with what it, what is, much more complicated in which is that we have as a successive, layers of ice boxes, are difference refers to apply a letter with the cube mapping. So this is easy and exactly as we would be having all these variants of music, but the problem is that the following layers of

Xboxes uses the inverse of the cube mapping and inverse of the Q mapping. It has a higher degree. So so because we have like this excessive layers of Xboxes with difference as boxes, then we didn't find so far. Any any way to text via switch with the same kind of attacks. What's the moments? Well, to be more concrete at the moment. We we have no, we have found no weakness on Rescue, but it's it's rather difficult to make claims on on the security of of The Cypher. Because as I say it

it's it's uses a lot trying to fields of athenry terroristic and I think we still do not have the right tools for attacking these kind of primitive. A 6 running on that last point. A bit more. So you had sent calitex, as an example of why you made that kind of a mapping to receive divorce. Papers. What kind of problems do you see? What I said, was interesting at a picnic that should could be a pic of her and see if she'll think of is leaner attacks for different in the

context of alpha characteristics. You can think of all this work call not in Dorian Subspace that we could use also multiplicative, subgroups and see how these things can be chained or somewhere. A lot of attacks for, which is a binary case. We are using subfield, soror then we can, we are not able to do that in the case of a prime field. Bet that it, it's interesting to see whether we can use some of her algebra structure like, most a ticket to do that.

That's well. We need some more. Okay, thanks. A lots of friends. I proposed to move on this results on spook, drinking for round. Shuttle, 5:12 to the lights, the authors B bicycle in the mall. Thank you for the introduction. Can you all see my screen? So sorry, just moved this. All right. So spook is one of the 32 remaining proposals in the end is like way cryptography. Standardization efforts. It has attracted features such as resistance against I Channel, 9 oz and low energy. Implementations, it provides authentic encryption

with Associated data, and it uses 32 components which r d s when P mode of operation, a tweaker blockcypher Clyde 128 and the shadow permutation which comes in two versions do either Shadow by 12 or Shadow 38. Say to you summarize artwork with we did is that we found practical distinguishes. So there is one on the full six Dead version of Shadow 5:12, and we have a second one for 384 that only covers five steps instead of 6, and we also found an attack against the Integrity of spook

using a version of Shadow Ridge. He's too. Don't start by providing some details regarding our distinguisher. When so first, we rewrote Shadow as an S&P end using surprise boxes acting on bundles of 128 B. Saudi surprise boxes are very similar. They only differ by a round constant Edition. And between each layer of surprise boxes. We have a linear permutation d. That's operating on the full stacked, Super Shadow 512. We have four bundles, and the dealer updates each bundle

with the exit door of three other bundles. And what this representation allows us to do is that we can very easily study the differences and similarities between the bundles of the more precisely. We can consider a truncated differentials you specify. Whether a difference is zero are not I so now for the actual distinguisher Silver Shadow fights. Well, we can build pair of States, XX Prime that are equal on the last bundle such dead. After encryption. This results in states are

still equal on the last bundle. Now for a random permutation. This would require about 2, ^ 64 fairies and an arcade. We only need 2 ^, 16 Rusty realized on the propagation of three identical States. So what we call I identify what state is a shadow state in, which I burn those are equal in values. And what we observe was that such States could be preserved after one step with some probabilities that our dependence on the around Constance. I'm so in this case, at step, three. We're propagating these three identical State and this distinguisher could be extended

to an extra step. So if we were to add a seven-step to Shadow by 12, we would still have the same properties at no extra cost. I'm very similar observations can be made for shadow 384 so I won't give it to him too. Much details in our paper. If you want to hear, we need to propagate two identical. I said to finish off a quick word on our for tree attacked. So, we target the s1p mode of operation is the last Wednesday is a sponge basemode that uses Shadow. When it's underlined permutation.

It has a rate of size 256, b, and a capacity of the same size. So cutie pie is four steps of shadow pack 12, which matches aggressive parameters, which was, which were designed by the author's in this book specification. So our first step is going to be a shifted version. So we're going to start at step. And what we're going to do here. Is that, by using the same number three times. We're going to build two different. Same size that the old, the same time, and this has a

probability of success of about 2, ^ - 24. But just to give a quick applying of the attack, but we can do that. We can build two pairs of states that satisfy. A truncated. Director is sick and this allows us to find a collision on the capacity part. Now for the right parts using three queries, we can recover the value of the report after a cr80r one, which we can cancel out. And we had our Collision on the time. I'm so this forgery and our distinguished writers. Let the the authors of spoon to change their design. And as a

result, they proposed to me too. And I think this, this shows that round Constance need to be chosen carefully. I'm so not on mute to prevent any bargain Subspace attacks, but the designers also need to make sure that there cannot be cancelled out in the internal symmetry. Thank you. Thanks for the nice talk. I don't see any immediate questions The Forum. So I have just a refund. What is this new criteria for choosing from from stunts? Can you say there's an exact

rule Define? But in this case, we need to be careful about how they interact with the internal State actually in the horse poop. There was a bad interaction with the dealer sold around Constance. We're pretty sparse and the dealer used had some Set alarm to eat bottles. So that was too much similarity. No, there was a similar attack on Russia free candidates from 10 years ago. Too few differences between constants in the neighboring, competitions, if you've seen that but it sounds like Alan at 4 that were causing a

problem. I haven't seen it, but I will. What happened to talk about cryptanalysis of the crypt? Bi rain. Angela Robinson and Palo Santo. Near me. I'm having trouble dancing with slides. Under View at the top under your menu, You may wish to enter presenter mode if that's an option. Okay. So yeah. Need to see load supposed to be at all and it was submitted to the second postpartum competition. So our tax was resulted in a tweet that made it quite similar to its competitor bike, which is

based on Ultimate leaks out. This week was too big. So describe Lita crab, it's actually pretty similar even before this week to quasi cyclic moderate. It has a private key, which is a sparse binary quasi to Quick Chek Matrix with and 0 blocks. The public key is just the systematic form of the parity, check Matrix for the same code and the blocks are in. The rain is equivalent to 6 with matrices. And if you don't cover any row of this private Matrix out, which is sparse, then you can break the steam. It says the key workout

right now what you need about the unpatch version, bleeder crap, is that this park party check, make her to tell factors into to even scarcer. Major Seas. H&q nuts. What are tactics lights? So basic idea of the attack is to start with the standard information, set decoding attack. And in this attack, you basically are just trying to guess he missed a roll Val. And you can literally solve for the rest. So instead we are clever about how we decide which p b, we're going to gas.

so, The idea of gas with you B. Is that Ellis far? So you're going to try to guess pretty much all zeros. But hopefully you can think of the bits, you guess the information that you want the compliment to that, they contain all the 90 bit of the world end tomorrow. What kind of distributions nonzero, B, you're likely to get, we create a kind of? A structure equivalent to the private key. Instead of being over being a jerk, want to just over and we make a block wall structures,

exactly the same but make the blocks a little less sparse and if the support of the cell Prime Bose model BL batanes the support of albon complement of this Portobello has set, you guess, almost all zeros there and You can recover the kitty. So, honest, I'm just a pack isn't all that good. I will see you later fast and probably pretty good, but the Concrete complexities kind of bad unless you're very clever about how you choose a crime to Crime. So you want a to find a coupon to be not very far. So the probability that they

can transport is high. But if a product is too high weight, then you don't have enough 0bits to gas. so, in order to balance that We want polynomial that don't obey, the usual rule for how polynomial, weights, most usually expect the weight of the product polynomial, to be the product of the way to the field with a lot of consecutive coefficients, like the ones over here on the slide. You're going to be, I'm only adding the weights. And so this results in a much better Plexi for the attack. so,

unfortunately, these information sets are not very flexible is if you're too greedy about it, and if you're greedy as possible you Wiki attack and A Ouija attack can be considered a real Attack. If the probability that something you can recover is chosen by keygens to the money stacks and the problem and the number of operations to recover. It is Hawaii. Find x + y, is less security level. Soartech is most effective when targeting the highest security levels. And when the number of blocks in the

public key is, And so here we have claimed 256, get some security but our X + Y for the two parameters sets that we actually did. The detailed rigorous calculation for was either, or 97 or seller. 110. So, which is significantly less, even if we look at the largest values, been zero in the smallest value Springs. Purity Prime. We're still showing some kind of a Ouija attack here. We just ask them x + y was about ninety, if you look at the category 1 / 4,

but yeah, also we have If you're not quite so greedy about making your coefficients in the eh crime, and True Crime, all consecutive to one another then. We can. We can attack pretty much all the key is and it's fairly easy to show that asymptotic Lee. This is better than the standard attack or its equivalent to but probably completely better than some attacks considered by the back where you just, yes, we we think that's the crossover point where it becomes too difficult, a more effective than the standard tack

does happen within the parameters are submitted the category 5. From the attacks even when not attacking you. Thank you. Let's thanks. Thanks rate. My stock identification. Sorry. I don't see anything. In the checks you could have used to raise your hands, featuring install, Michigan to speak directly to the crowd. I have one hell of a question for you, perhaps. So, is there any ldpc skinless? Ldpc scheme, but I mean so you can see West in the in round 3. There

you would replace Matrix chew with an identity Matrix and just mates H have all the way to battle, which is what the leader of Team proposed for their tweet metal work. Are you probably do some kind of rejection sampling but it would be quite difficult as there is Kind of a continual mug of attacks ranging from the extreme wikis to trying to attack all the keys in the average case. You'll be at the advantages of ldtc over mdpc are fairly small bows. Yeah, I miss it's

I don't know. It's not clear that there's I need such a thing. Question. Thank you for the discussion and we move on to the next door. So the next step will be about 6 by 16 ft b, a r Xbox featuring tracks and T-rex the author's, the Hughley Alex vehicle. I do so to Santos, girlfriend, change one, and Lil Will. Thank you. Can you hear me? Okay, so as you work with the rest of the sparkle team. What is this paper about? In the beginning? We had our nearest LifeWay trip to submission Sparkle, where we have hash functions called at and how

contagious is a cold shrimp. All of these algorithms are based on the same family of permutations. For more details on the higher-level, construction site, you refer you to our task paper. Today. I'm going to talk about as it, which is a key component of a sparkle permutations. So one of the goals of this paper was to analyze our in submission. We are also going to use as it to design new block ciphers. So if I'm in love with your ex and the family of blocks, I first called cracks. What

is anisette Suites River in Luxembourg, which actually go through Luxembourg City and the City of Ash where the University of Luxembourg is now located. It's a 64-bit artspace Xbox. So why does it operate on? 64? Bits is a bit unusual because his boxes are usually designed over much smaller spaces. And why is it Arts based, which is also very unusual for both of these characteristics are consequences of our scope statement. So we want your dad's it to be a software oriented. So, very efficient means of which is why we allowed ourselves

to use on the tradition. We wanted it to be efficient on Old microcontrollers, which implied using 32-bit registers. Every sense, if we had used to 16 beat ones, you couldn't have been more, efficient anxiety, to beat ones. We want you two to have strong and well understood cryptographic properties. We wanted to be able to make a very strong claims about its different roles properties, Etc. Which means that even though large what size, we use of 64 bits. We have to rely on techniques that were designed for blockcypher and us as it is round base, and we wanted to have a

very fast diffusion. So To achieve this. We have used different rounds. The rounds that have a similar structure but are different from one another. This is what we ended up with. So on the left, you can see the structure of asset. So, the wrong constant in. This is the same in each of its four rounds with the rotations have different amounts. As you can see. This is to speed up the shooting. So what are the cryptographic properties of jet? So we have looked at all the properties we care about including Isis. So for the differential in Europe, what is

interesting is that has that has properties, that are kind of similar to the Xbox. When you have just one iteration and yes, super is box when you have to either Asians. So you can see the numbers on the screen. We did not stop at the differential oil in your analysis. Of course. We also looked at the property across the Ring of differential trace and offering your house. We could do some experiments given to the block size is not too large and we also looked at in variance with linear and nonlinear, and the

conclusion is that it's fine from a security perspective. Why I said that is at the core of oranges candidates. We also show that it could be used to build a block ciphers. So we have the cracks family of love ciphers and one of its main members is the cracks S10 which has a key size of 128 B and the block size of 64 bits. It's a lightweight block, Cipher is very, very light, this machine software. It's all rather be the lightest. We are aware of and at the other end of the spectrum, we have also designed to hear the T-Rex family of Tweety Bird. Block

ciphers hands dirty. And its main member is T-Rex 72-56. We make my security claims for a query complexity, which is above to the 128 blocks because no one is going to encrypt more than to 3128 blocks with a single master key. When I say that cracks Israelites, this is the full implementation or you can come by to get with work of cracks S10. So what we have here is the key component of Sparkle and it has properties that are both are well understood and good.

It can be used to do more than just an hour in this candidate. So we have shown how to build block Cipher life with bauxite, for, which is at least a slight, right? Just offered at the stage specs. We can also build the White Street, or block Cipher, which can be nice. If you want to better leverage. Their Vector instructions speakers to be cold outside. First can be used in modes that are easy parlor lights, and you can also be interesting if she wants to spend time with separation. And also you're more than welcome to do so. And before finishing invite you to

watch that talks by piece of paper in his quarters, which is also about dark space Primitives. And with that I finish my talk. Thank you. What's thanks Leah for the net duck? Then I didn't see any questions vintage. So you claim light with us because it makes sense intuitively. Yes. I can. I will try and show them. So you have some more results in an hour. I can you see table 11. So this is a full, the full results, which I need the full version of a paper on it prints. And so we have a sense with the specs of a process that sours Simon, rectangle, Sparks and height, and what's over? There are two

things. Sorry. First given the way as it was built. We don't need any rum drink encryption. We that's why you are so so low compared to the others. And when you look at the code, I wish would be somewhere here. As far as assets, we have Pro secrets are equal to Excedrin and since we don't have a proper even months or so, we had a 128 and will you stay here? Okay, 10K, 10K, one consequence, of course store. So, we are very efficient because of that, we save or so the cost of the course. So

as far as he's concerned, it's not like it's the same. Basically you have the one with radiation at two rotations wants, or it's very similar in that, respect back to the rest of the of a cipher that makes it lighter. There's my two questions in the chat that suppose one from the end. He's asking about money. You could get a baby. Even fewer constant additions. Do you have any idea? Which would be nice because right now on microcontrollers, we have 12 instructions and four of them are constant

editions. What I wouldn't like about using constant Edition sees that then we would have changed of Molly registrants. I got. And then we need to worry about differential attacks where the difference is not exert difference at all, your graduation difference. So it's a protection against that and also as shown by the previous previous previous talk by Paul. You want to have heavier around Constance to prevent because what we have with Princeton said trx250

6, we have four blocks with a huge ass books on each of them, which is just what they haven't spoke. And what happened in Spooky's, that's the wrong Constance were too similar between the blocks. How to prevent attacks. So, by having a heavier use of the wrong Constance, we can have more a difference between the branches of the internal State and just be more conservative for this kind of attacks. But so yeah, it's a measure to ensure difference exists between I mean within the internal state that only internal state is not processed in its first

thing and second thing against the differential attacks for all the difference mother. A different difference. Does another question by 10, but I would like to ask you the other 200. Mystics application to reduce to give away the office of food. Can you talk on Elizabeth and willing buyer? And you can't be seriously and start to presentation? I will talk about automatic verification of depression of characteristics and its application to reduce the game with. So the first

night holding a lightweight cryptography, a competition and Gimli is a second of all candidates. And in addition automatic message to find the facial characteristics become popular in recent years and I treated us independence such an assumption does not hold for a public competition out. There is no one key. So it's natural to question the morality of the differential of turn away. Such a mess. IMDb, we have also learned some lessons from the literature. So some

characteristic of shot to Blake and skin are weird to being consistent and to deal with. To deal with the conditions at Katy, the 13 lb drums are developed. So we wonder whether it is possible to use some of the chefs hours to deal with such a problem. Are we are we are inspired from Mendo at work on Saturday. Correct eristic, so we tried to construct a modo to capture both the different conditions and weather conditions at Tustin Park. I don't be texting me as a Target. The first team leads a second, one candidate.

And second the diffusion of the game. The competition is Aurora slow. So it is a good example to use kiinde to explain such a phenomena. I don't have too much time to describe game day. So we know that. When you folks on the motor on the SD Port Allen from the specification of the SSG box. We can find the Expressions can be divided into 4 * 2 * Alina and a 2019 Impala to time to clean. Your pipes are the different Transitions and the Very conditions are independent. So they're not related. However, now linear expression.

Okay, looks like we lost to come for tonight. Can you give me start? OK. And the defense position on a better transition are related us. Each man in different conditions, were imposed accounts, turn down the volume. So we won't be a gradual relations. So, we first, we can construct a truth table for the top of a zero on a 12-0 208. You and then, these trusts you stable can be described. With this equivalent now linear inequalities simile, simile for the operation. We can also find the equivalent of

the criminal Gina in colleges. Talk about the transition. Is it? Real simple? I don't have so we can skip it and then we can construct the model for the transmission, has the model for the top. One on the top two expressions are on a simple for the tapestry and expressions which introduced to s a v, a n n. A y represent the difference of the components. So we only need two more or such a linear expression. It is also very simple work. The technical The Technicolor contribution of our work is

that we chat with independently contract, has three components. So when company is used to describe the weather conditions when,, when is used to describe the relations between the difference and the value, the second or coming and is used to describe the relations between the Spanish. And so this way about companion, order linear inequalities. We can construct a model chapter in both the different Transitions, and a very conditions. Richard Hughes Automotive detective contradictions. So give me a specified. Differential characteristic, Silverado representing, a different outfits

representing the values is that such a system is invisible. We can find the kievan Rus aristocracy is invalid. If this'll work out put a solution for this inquiry system. We can find a conforming rarest benefit from a Moto Diva, a specified. Differential characteristics of the whole system is only in terms of the rebels representing the battery. So we only the only need to focus on the Valentine's Edition. I just the one by the transition. On the 2nd of benefit is that we can use it to find a compatible,

differential characteristics for the dance part of the clean generating to Patricia Frost. Arrested. We applied Indiana Furniture to existing racial characteristics of India inconsistent. We also use our mother to search for a very different approach eristic so you can find it here. So this is the available, differential tractor racing and azzy sister company values and responded in about 4 hours on standard PC. So I am also Ty. The conditions implied

in the refrigerator. After it's the probability of this is not, it is not reasonable to call number of the conditions of the different, transitions, all around and not independent. So our Master to calculate the probability of this is too numerous to all the solutions for this if I should Kraft arrested. So we used some sophisticated techniques to Auto Solutions in traffic. So I basically something your Technique stuff from the middle technique and the some properties of the S&P products. And I finally,

we can find the differential probability is 2 to the - 127.5. On the weekend. So we can convert the screen into a clean, waste time complexity and complex speech to to the 62 to 64. Stop when we won't tell why we need to chat later probability in this way. This is because the different translations of around and not independent. So we cannot simply counts the number of conditions. We also wonder why the dependencies influenced. I think there are three points first. There's no launch a second, the

diffusion of water beach and 3rd. Nice pricings of bsp box is also Rising postal company all of them together or we can know the dependency. So we can find the dependency or wrongs the dependency or rats. Cannot be ignored for the Kim D communication. So in conclusion, so the risk for different refractory. Okay, I think the connection is lost again. Send a message and thank you for the tokens. I think we're running. How to do time. So if you have questions, please continue to do it.

How do you sync? Two Wii. Now will close this session and thank you for waiting. Stave off conclusion, slide, so I think we finished the check now. I just think about that text, okay. Thank you for the next session. Does two of the three past papers, actually, cryptanalysis paper. So you maybe have an announcement about the next session? Black session is indeed. The best Paperwhite session will have to shorten the brake to make up the time. So we will start it in 5 minutes. Take the

five minute break and we'll start think everybody. We're done recording. Thank you.

Cackle comments for the website

Buy this talk

Access to the talk “s-130: Test of Time Award Ceremony + Cryptanalysis 1”
Available
In cart
Free
Free
Free
Free
Free
Free
Free
Free
Free
Free
Free
Free

Ticket

Get access to all videos “Crypto 2020”
Available
In cart
Free
Free
Free
Free
Free
Free
Free
Free
Free
Free
Free
Free
Ticket

Interested in topic “Cryptocurrency”?

You might be interested in videos from this event

September 15 - 17, 2021
Denver, CO
16
58.73 K
dao , governance, investing, nft, token

Similar talks

Matthew Jagielski
Google at Northeastern University
+ 1 speaker
Available
In cart
Free
Free
Free
Free
Free
Free
Free
Free
Free
Free
Free
Free
Available
In cart
Free
Free
Free
Free
Free
Free
Free
Free
Free
Free
Free
Free
Srinath Setty
Principal Researcher at Microsoft Research
Available
In cart
Free
Free
Free
Free
Free
Free
Free
Free
Free
Free
Free
Free
Available
In cart
Free
Free
Free
Free
Free
Free
Free
Free
Free
Free
Free
Free
Erica Blum
PhD student at University of Maryland
+ 2 speakers
Julian Loss
University of Maryland
+ 2 speakers
Available
In cart
Free
Free
Free
Free
Free
Free
Free
Free
Free
Free
Free
Free
Available
In cart
Free
Free
Free
Free
Free
Free
Free
Free
Free
Free
Free
Free

Buy this video

Video
Access to the talk “s-130: Test of Time Award Ceremony + Cryptanalysis 1”
Available
In cart
Free
Free
Free
Free
Free
Free
Free
Free
Free
Free
Free
Free

Conference Cast

With ConferenceCast.tv, you get access to our library of the world's best conference talks.

Conference Cast
945 conferences
37654 speakers
14367 hours of content