The conference was split into 9 sessions.
Session 1: Operating Modes
This session was on operating modes and the following three papers were presented:
- New Bounds for Keyed Sponges with Extendable Output: Independence between Capacity and Message Length
Session 2: Stream-Cipher Cryptanalysis
The paper "Cryptanalysis of the Full Spritz Stream Cipher" was presented by Subhadeep Banik, who described an improved state recovery attack that takes advantage of a special state: once it is entered, all even values in the permutation are mapped to even values and all odd values to odd values.
Session 3: Components
- Lightweight MDS Generalized Circulant Matrices
- On the Construction of Lightweight Circulant Involutory MDS Matrices
- Optimizing S-box Implementations for Several Criteria using SAT Solvers
Session 4: Side-Channels and Implementations
- Verifiable side-channel security of cryptographic implementations: constant-time MEE-CBC
- White-Box Cryptography in the Gray Box - A Hardware Implementation and its Side Channels
- Detecting flawed masking schemes with leakage detection tests
- There is Wisdom in Harnessing the Strengths of your Enemy: Customized Encoding to Thwart Side-Channel Attacks
Session 5: Automated Tools for Cryptanalysis
- Automatic Search for Key-Bridging Technique: Applications to LBlock and TWINE
- MILP-Based Automatic Search Algorithms for Differential and Linear Trails for Speck
- Automatic Search for the Best Trails in ARX: Application to Block Cipher Speck
Session 6: Designs
- Stream ciphers: A Practical Solution for Efficient Homomorphic-Ciphertext Compression
- Efficient Design Strategies Based on the AES Round Function
Invited Talk: On White-Box Cryptography
Session 7: Block-Cipher Cryptanalysis
- Bit-Based Division Property and Application to Simon Family
- Algebraic Insights into the Secret Feistel Network
- Integrals go Statistical: Cryptanalysis of Full Skipjack Variants
- Note on Impossible Differential Attacks
- Improved Linear Hull Attack on Round-Reduced Simon with Dynamic Key-guessing Techniques
Christian Rechberger presented the FHEMPCZK-Cipher Zoo, where one could compare ciphers for Fully Homomorphic Encryption (FHE), Multi-Party Computation (MPC) and Zero Knowledge (ZK).
Session 8: Foundations and Theory
This session was on foundations and theory and the following four papers were presented:
- Modeling Random Oracles under Unpredictable Queries
- Practical Order-Revealing Encryption with Limited Leakage
- Strengthening the Known-Key Security Notion for Block Ciphers
- Related-Key Almost Universal Hash Functions: Definitions, Constructions and Applications
Session 9: Authenticated-Encryption and Hash Function Cryptanalysis
This session was on authenticated-encryption and hash function cryptanalysis and the following three papers were presented:
- Key Recovery Attack against 2.5-round $\pi$-Cipher
- Cryptanalysis of Reduced NORX
- Analysis of the Kupyna-256 Hash Function
After FSE, the Directions in Symmetric Cryptography (DISC) workshop for PhD students and young post-docs took place at the Ruhr University Bochum.
The workshop was divided into 5 working groups of 5 to 9 participants, who got the opportunity to work together for one and a half days on a specific topic. Furthermore, the goal was to meet other people who are working in the same area and to build some research collaborations.
Topic 1: How to design a bad key schedule
The goal of this topic was to approach key schedule design from the opposite direction: Can we design a key schedule -- seemingly harmless -- that has a detrimental effect on the block cipher's security? Is it even possible to hide back doors in the key schedule only?
Topic 2: The TWEAKEY framework - New Designs and Cryptanalysis of STK
The TWEAKEY framework was introduced at ASIACRYPT 2014 as a more general design idea for tweak/key (tweakey) scheduling. In this framework, one does not separate between key and tweak material. The authors proposed a specific instance called superposition TWEAKEY (STK) and designed three tweakable block ciphers, Joltik-BC, Deoxys-BC and Kiasu-BC, based on this idea. This topic was both about cryptanalysis of the STK construction and about thinking through design alternatives.
Topic 3: Distinguishing block ciphers: Is the attack space covered?
Block cipher cryptanalysis relies to a large degree on the existence of efficient distinguishers. In this topic, we want to discuss and explore possible directions where novel cryptanalytic techniques might be found or alternatively find arguments why new techniques are unlikely to be found.
Topic 4: How reliable are our assumptions in statistical attacks?
In symmetric cryptanalysis, statistical attacks such as differential and linear cryptanalysis, boomerang attacks or differential-linear attacks play an important role in the security evaluation of block ciphers. These attacks inherently rely on varying independence or randomization assumptions that are necessary to estimate their success probability. Is it possible to determine criteria for when these assumptions will fail or hold? Can we sometimes remove the assumptions or substitute them with weaker variants? Can we give heuristic arguments for their validity to increase our faith in them?
Topic 5: Resistance against cryptanalytic attacks: What can we prove?
Unlike algorithms in public-key schemes, block ciphers are usually not based on hard problems. To estimate their security, block ciphers are instead evaluated against the range of known attack vectors. From both the designers' and the evaluators' perspective, it would be desirable to have proofs against larger classes of attacks. Even finding good heuristic formulas that determine the number of rounds needed for security would be a large step forward. In this topic, we would like to discuss design, evaluation and proof strategies that might help us to move towards this goal.