## FSE 2016

The conference was split into 9 sessions.

### Session 1: Operating Modes

This session was on operating modes and the following three papers were presented:

### Session 2: Stream-Cipher Cryptanalysis

Subhadeep Banik presented the paper "Cryptanalysis of the Full Spritz Stream Cipher", which gives an improved state recovery attack. The attack takes advantage of a special state: once it is entered, all even values in the permutation are mapped to even values and all odd values to odd values.

### Session 3: Components

- Lightweight MDS Generalized Circulant Matrices
- On the Construction of Lightweight Circulant Involutory MDS Matrices
- Optimizing S-box Implementations for Several Criteria using SAT Solvers

### Session 4: Side-Channels and Implementations

- Verifiable side-channel security of cryptographic implementations: constant-time MEE-CBC
- White-Box Cryptography in the Gray Box - A Hardware Implementation and its Side Channels
- Detecting flawed masking schemes with leakage detection tests
- There is Wisdom in Harnessing the Strengths of your Enemy: Customized Encoding to Thwart Side-Channel Attacks

### Session 5: Automated Tools for Cryptanalysis

- Automatic Search for Key-Bridging Technique: Applications to LBlock and TWINE
- MILP-Based Automatic Search Algorithms for Differential and Linear Trails for Speck
- Automatic Search for the Best Trails in ARX: Application to Block Cipher Speck

### Session 6: Designs

- Stream ciphers: A Practical Solution for Efficient Homomorphic-Ciphertext Compression
- Efficient Design Strategies Based on the AES Round Function

### Invited Talk: On White-Box Cryptography

### Session 7: Block-Cipher Cryptanalysis

- Bit-Based Division Property and Application to Simon Family
- Algebraic Insights into the Secret Feistel Network
- Integrals go Statistical: Cryptanalysis of Full Skipjack Variants
- Note on Impossible Differential Attacks
- Improved Linear Hull Attack on Round-Reduced Simon with Dynamic Key-guessing Techniques

### Rump Session

Christian Rechberger presented the FHEMPCZK-Cipher Zoo, where one could compare ciphers for Fully Homomorphic Encryption (FHE), Multi-Party Computation (MPC) and Zero Knowledge (ZK).

### Session 8: Foundations and Theory

This session was on foundations and theory and the following four papers were presented:

- Modeling Random Oracles under Unpredictable Queries
- Practical Order-Revealing Encryption with Limited Leakage
- Strengthening the Known-Key Security Notion for Block Ciphers
- Related-Key Almost Universal Hash Functions: Definitions, Constructions and Applications

### Session 9: Authenticated-Encryption and Hash Function Cryptanalysis

This session was on authenticated-encryption and hash function cryptanalysis and the following three papers were presented:

- Key Recovery Attack against 2.5-round $\pi$-Cipher
- Cryptanalysis of Reduced NORX
- Analysis of the Kupyna-256 Hash Function

## DISC workshop

After FSE, the Directions in Symmetric Cryptography (DISC) workshop for PhD students and young post-docs took place at the Ruhr University Bochum.

The workshop was divided into 5 working groups of 5 to 9 participants, who got the opportunity to work together for one and a half days on a specific topic. A further goal was to meet other people working in the same area and to build research collaborations.

### Topic 1: How to design a bad key schedule

The goal of this topic was to approach key schedule design from the opposite direction: Can we design a key schedule -- seemingly harmless -- that has a detrimental effect on the block cipher's security? Is it even possible to hide back doors in the key schedule only?

### Topic 2: The TWEAKEY framework - New Designs and Cryptanalysis of STK

The TWEAKEY framework was introduced at ASIACRYPT 2014 as a more general design idea for tweak/key (tweakey) scheduling. In this framework, one does not need to separate between key and tweak material. The authors proposed a specific instance called superposition TWEAKEY (STK) and designed three tweakable block ciphers, Joltik-BC, Deoxys-BC and Kiasu-BC, based on this idea. This topic was both about cryptanalysis of the STK construction and thinking about design alternatives.

### Topic 3: Distinguishing block ciphers: Is the attack space covered?

Block cipher cryptanalysis relies to a large degree on the existence of efficient distinguishers. In this topic, we want to discuss and explore possible directions where novel cryptanalytic techniques might be found, or alternatively find arguments why new techniques are unlikely to be found.

### Topic 4: How reliable are our assumptions in statistical attacks?

In symmetric cryptanalysis, statistical attacks such as differential and linear cryptanalysis, boomerang attacks or differential-linear attacks play an important role in the security evaluation of block ciphers. These attacks inherently rely on varying independence or randomization assumptions that are necessary to estimate their success probability. Is it possible to determine criteria for when these assumptions will fail or hold? Can we sometimes remove the assumptions or substitute them with weaker variants? Can we give heuristic arguments for their validity to increase our faith in them?

### Topic 5: Resistance against cryptanalytic attacks: What can we prove?

Unlike algorithms in public-key schemes, block ciphers are usually not based on hard problems. To estimate the security, block ciphers are instead evaluated against the range of known attack vectors. From both the designers' and the evaluators' perspective, it would be desirable to have proofs against larger classes of attacks. Even finding good heuristic formulas that determine the number of rounds needed for security would be a large step forward. In this topic, we would like to discuss design, evaluation and proof strategies that might help us to move towards this goal.