### Cryptanalysis of Kravatte and NORX v2.0

In this talk we will describe key-recovery attacks on early versions of two permutation-based cryptographic functions, NORX and Kravatte. NORX is an authenticated encryption algorithm that was selected for the third round of the CAESAR competition, whereas Kravatte is a pseudo-random function defined as an instantiation of the Farfalle construction with a reduced version of the Keccak permutation.

Both cryptanalyses rely on the transposition of previously known properties of their main internal component into an attack against the full algorithm. NORX uses a permutation with strong symmetries, while Kravatte relies on a permutation with a low algebraic degree. In both cases these properties enable an adversary to recover the secret key faster than exhaustive search.

### Key-Recovery Attacks on Keccak-based Constructions

Keccak was selected as the Secure Hash Algorithm-3 (SHA-3) of NIST in 2012. Apart from the keyless hash function, Keccak can be used under keyed modes, such as message authentication codes, stream ciphers, etc. What's more, the Keccak permutation or its variant has been employed in many designs, such as authenticated encryptions Keyak, Ketje and the pseudorandom function Kravatte. This talk gives an overview of key-recovery attacks on reduced versions of Keccak-based constructions and presents some recent results obtained with automatic tools.

### On Ascon and Isap

This talk is about two permutation-based authenticated encryption schemes. The first one is Ascon, a finalist of CAESAR, and the second one is Isap, a scheme focusing on protection against DPA. We give insight into their designs, also covering resistance against side-channel attacks.

### Trail Bound Techniques in Primitives with Weak Alignment

In this talk we will present a method to efficiently scan the space of high-probability differential trails in bit-oriented ciphers. We will see how this technique can be applied to Keccak-f permutations, for which we are able to scan the space of trails with weight per round of 15. As a result, we provide new and improved bounds for the minimum weight of its differential trails on 3, 4, 5 and 6 rounds.

### Choosing Round Constants in Lightweight Block Ciphers and Cryptographic Permutations

Invariant attacks on cryptographic permutations (resp. block ciphers) exploit the existence of a non-trivial partition of the input space that is preserved under the particular permutation. Several lightweight schemes were already broken with those kind of attacks. In this talk, we discuss the impact of the choice of the round constants on the applicability of invariant attacks and explain a simple way how a designer can choose the round constants in order to guarantee resistance against a large class of invariant attacks.

We also discuss how the invariant factors of the linear layer have a major impact on the resistance against those attacks. Most notably, if the number of invariant factors of the linear layer is small (e.g., if its minimal polynomial has a high degree), we can easily find round constants which guarantee the resistance against a large class of invariant attacks, independently of the choice of the S-box layer.

### Gimli: A Cross-Platform Permutation

Gimli is a 384-bit permutation designed to achieve high security with high performance across a broad range of platforms, including 64-bit Intel/AMD server CPUs, 64-bit and 32-bit ARM smartphone CPUs, 32-bit ARM microcontrollers, 8-bit AVR microcontrollers, FPGAs, ASICs without side-channel protection, and ASICs with side-channel protection.

In this talk we will present the Gimli permutation, from its design and goals. We will also briefly demonstrate how Gimli assembly code has been optimize to run efficiently on cortex-M4 and some other implementations tricks on other platforms.

### On Xoodoo

In this talk, we present Xoodoo, a 384-bit permutation similar to Keccak-p but with the dimension of Gimli. We apply the unit-based tree search for bounding the weight of differential and linear trails to Xoodoo. We show the bounds obtained on Xoodoo and explain how the definition of units differs from those in Keccak-p. Finally, we conclude with applications of Xoodoo and how the bounds are useful in them.

### Provable Security of the Sponge: from Indifferentiability to Full-State

Absorption

The Sponge construction and its derivatives are so-called modes of operation for a cryptographic permutation. I.e., they implement high-level cryptographic algorithms, such as hash functions, message authentication codes, or authentication encryption schemes using the given permutation as a black-box. The security of such modular algorithms then depends on two main ingredients: the security of the used permutation, and the security of the mode itself. The analysis of the latter usually consists in mathematically proving that, whenever used with a secure permutations, the likelihood that an attacker can successfully disrupt the mode in question is upper-bounded by a "very small" function of his/her resources, so-called security bound.

This is also the topic of this talk. We first motivate and explain the basic concepts of the toolbox of provable security. Then, we take an excursion through the results on the security of various variants of the Sponge, focusing on the evolution of the security bounds and giving intuition on the security proofs whenever possible. We start with the original keyless Sponge construction for cryptographic hashing, and finish with the recent Full-state Keyed Sponge and Full-state Keyed Duplex constructions.

### Modern Session Encryption

Today, SSL/TLS is the de-facto standard for encrypting communication. While its last version (1.3) is soon to be released, new actors in the field are introducing more modern and better designed protocols. This talk is about the past, the present and the future of session encryption. We will see how TLS led the way, how the Noise protocol framework allowed the standardization of more modern and targeted protocols and how the duplex construction helped change the status quo.