Abstracts and slides of invited talks
 Joan Daemen (STMicroelectronics, Belgium)
Permutationbased encryption, authentication and authenticated encryption
slides.
In the last few years, Guido Bertoni, Michaël Peeters, Gilles Van Assche and I have proposed modes for encryption, MAC and authenticated encryption based on fixedwidth permutations by means of the sponge and duplex constructions. Our permutationbased approach is scalable and suitable for highend CPUs as well as resourceconstrained platforms. The latter is illustrated by the small Keccak instances and the sponge functions Quark, Photon and Spongent, all addressing lightweight applications.
The sponge and duplex constructions split the width b of the permutation in a capacity c and a rate r: b = r + c. They process r bits per call to the permutation and their generic security strength level in unkeyed mode is c/2. A desired security strength level of k bits limits the rate to at most b  2k. For keyed modes and bounded data complexity, a security strength level above c/2 can be proven. For MAC computation, encryption and even authenticated encryption with a passive adversary, it comes very close to c. This allows increasing the rate to almost b  k. Moreover, for most use cases the requirements on the underlying permutation can be relaxed, allowing to increase the efficiency even further.
Clearly permutationbased constructions are not new. Concrete examples that are older than the sponge construction include the hash functions Snefru, FFTHash and SMASH, the EvenMansour block cipher construction, stream ciphers Salsa and ChaCha and even PelicanMAC. In my talk I will present our permutationbased approach in this context and will try to convince you that it is quite competitive with block cipher based modes.
 David McGrew (Cisco Systems, USA)
Authenticated Encryption in Practice
slides.
Over the last decade, authenticated encryption has become accepted as
the appropriate way to provide symmetric confidentiality services. It
has been adopted into many standards, though in many cases it is
currently an option that is not typically exercised. This talk
reviews issues that have arisen in the use of authenticated encryption
in practice, and considers the role of authenticated encryption in
cryptographic architectures.

Phillip Rogaway (University of California, Davis, USA)
The Evolution of Authenticated Encryption
slides
Nowhere has the promise of practiceoriented provable security
been more successful than in the area of authenticated encryption.
In this talk I will look back and and survey how the provablesecurity approach has led not just to highassurance blockcipherbased AE schemes, but, also, how it has led to a blossoming of security notions, attacks, design goals, and designs.
 Palash Sarkar
(Indian Statistical Institute, Kolkata, India)
On Some Constructions for Authenticated Encryption with Associated Data
slides
Two approaches to achieving authenticated encryption with associated
data (AEAD) will be considered.
The first approach is to use certain block cipher modes of operations
which make a single pass over the message. For this approach, both
tweakable block cipher based constructions and direct constructions
will be described. Both types of constructions yield families of AEAD
functionalities which offer high efficiency along with other desirable
features such as easy reconfigurability.
In the second approach, a stream cipher supporing an initialisation
vector is used in conjunction with a hash function with provably low
differential probabilities. Several possibilities will be outlined,
both with and without the requirement of authenticating associated
data. This approach gives efficient solutions for stream ciphers which
are either very fast in software or have very low hardware
footprint.
Security of the constructions are derived using the `provable
security' methodology for the singleuser setting. Issues related to
security in the multiuser setting will be briefly mentioned.
Panel discussion: Requirements for Authenticated Encryption
Bart Preneel (moderator)
Panelists are
David McGrew,
Mats Näslund,
Kaisa Nyberg,
Phil Rogaway
The links go to their slides, if provided.
Abstracts and slides of contributed talks
 Title: Stronger Security Guarantees for Authenticated Encryption Schemes
slides
Authors: Alexandra Boldyreva, Jean Paul Degabriele, Kenneth G. Paterson, and Martijn Stam
Affiliations: Georgia Institute of Technology; Royal Holloway, University of London; University of Bristol
We here refer to recent and upcoming research that is relevant to
Authenticated Encryption (AE) schemes
as used in practice. This research leads directly to novel design
criteria for authenticated encryption schemes.
The first piece of research considers the security of symmetric
encryption in the presence of ciphertext
fragmentation, which is a setting that commonly arises in practice.
Recent attacks have shown that provably
secure AE schemes may become insecure when used in this setting. We
propose a theoretical framework
for the analysis of AE schemes in the presence of ciphertext
fragmentation. This framework enables us to
study the relationship between confidentiality, the ability to hide
boundaries between ciphertexts, and the
resistance of schemes to Denial of Service attacks. It also leads to
new designs for AE schemes. The second
piece of research relates to distinguishable decryption failures. Most
security proofs implicitly assume that
an adversary is unable to distinguish distinct failure events that
occur during the decryption of a ciphertext.
Practice has shown that this assumption is not well justified:
implementations often leak information that
allows an adversary to distinguish among decryption failures, either
through error messages or timing, thereby
opening up avenues of attack. Our upcoming work analyses the security
of AE schemes in the setting where
failure events are distinguishable, providing new models and security
relations for this setting. From this work,
we can extract design criteria which protect implementations against
such errorbased side channel attacks.

Title: Lightweight AESBased Authenticated Encryption
Authors: Andrey Bogdanov, Florian Mendel, Francesco Regazzoni and Vincent Rijmen
Affiliations: KU Leuven, Belgium, ALaRI  USI, Switzerland, TU Graz, Austria
In this paper, we propose an Authenticated Lightweight Encryption algorithm coined ALE. The basic operation of ALE is the AES round transformation and the AES128 key schedule. ALE is an online singlepass authenticated encryption algorithm that supports optional associated data. Its security relies on using nonces.
We provide an optimized lowarea implementation of ALE in ASIC hardware and demonstrate that its area is about 2.5 kGE which is almost two times smaller than that of the lightweight implementations for AESOCB and ASC1 using the same lightweight AES engine. At the same time, it is at least 2.5 times more performant than the alternatives by requiring only about 4 AES rounds to both encrypt and authenticate a 128bit data block.

Title: HashCFB
slides
Authors: Christian Forler and David McGrew and Stefan Lucks and Jakob Wenzel
Affiliations: BauhausUniversity Weimar and Cisco Systems, USA
This paper presents a mode of operation for authenticated encryption  with
the very unusual property of employing a hash function as the underlying
primitive, rather than a block cipher, used in so many authenticated
encryption modes. This research has been motivated by the challenge to fit
secure cryptography into constrained devices ~some of these devices have
to use a hash function, anyway, and the challenge is to avoid the usage of
an additional block cipher. Beyond that, our mode has some unique security
features, namely some form of resistance against sidechannel attacks, and a
misuseresistant and failurefriendly authentication.

Title: Suggestions for Hardware Evaluation of Cryptographic Algorithms
slides
Authors: Frank K. Gurkaynak
Affiliations: Microelectronics Design Center, ETH Zurich, Switzerland
Public competitions to determine new cryptographic standards such as the search for AES, SASC, SHA3 have been very successful. Many researchers contribute to such competitions to evaluate different aspects of the candidates among others also the performance of hardware and software implementations. While significant effort has been put into hardware evaluations, somehow the result of these studies could not reliable be tabulated, at least not with the same efficiency as it was done for software evaluations. This paper investigates different shortcomings of current hardware evaluations and proposes changes to future calls, so that the results of hardware evaluators can be combined and compared more reliably.

Title: AEGIS: A Fast Authenticated Encryption Algorithm
slides
Authors: Hongjun Wu, Bart Preneel
Affiliations: Nanyang Technological University, Katholieke Universiteit Leuven
This paper introduces a dedicated authenticated encryption algorithm AEGIS,
which is efficient for protecting internet packets. AEGIS128 uses five AES
round functions to process a 16byte message block (one step); AES256 uses six
AES round functions. On the Intel Sandy Bridge Core i5 processor, the speeds of
AEGIS128, AEGIS256 are around 0.64 cycles/byte (cpb) and 0.71 cpb,
respectively. Our analysis shows that AEGIS offers a very high security level.

Title: Authenticated encryption in civilian space missions: context and requirements
slides
Authors: Ignacio Aguilar Sanchez, Daniel Fischer
Affiliations: European Space Agency
This white paper discusses issues, concerns, constraints and
requirements for future authenticated encryption concepts in the context of
space missions and spacecraft in particular. Following an introduction a
brief description of the approach to securing space missions is given. The
two fundamental security problems in protecting space mission operations
affecting the endtoend radio and data communications between spacecraft and
ground systems are explained. Typical security function implementations in
spacecraft are recalled. Finally, a brief discussion of each of the
identified issues, concerns, constraints and requirements suggested to be
considered for future authenticated encryption is provided.

Title: SipHash: a fast shortinput PRF
slides
Authors: JeanPhilippe Aumasson and Daniel J. Bernstein
Affiliations: NAGRA, Switzerland and University of Illinois at Chicago, IL, USA
SipHash is a family of pseudorandom functions optimized for short
inputs. Target applications include network traffic authentication
and hashtable lookups protected against hashflooding
denialofservice attacks. SipHash is simpler than MACs based on
universal hashing, and faster on short inputs. Compared to dedicated
designs for hashtable lookup, SipHash has welldefined security
goals and competitive performance. For example, SipHash processes a
16byte input with a fresh key in 140 cycles on an AMD FX8150
processor, which is much faster than stateoftheart MACs. We
propose that hash tables switch to SipHash as a hash function.

Title: Heavy Quark for secure AEAD
slides
Authors: JeanPhilippe Aumasson and Simon Knellwolf and Willi Meier
Affiliations: NAGRA, Switzerland and FHNW, Switzerland, and FHNW, Switzerland
Lightweight primitives are generally limited to 80 or 128bit securit
y, because lightweight applications seldom need more than
this. However, nonlig htweight platforms like multimedia
systemsonchip would also greatly benefit fr om a smaller hardware
footprint, as it reduces development and integration costs , and
leaves more circuit area to another component, or to add another
functiona lity. Such systems sometimes need up to 256bit security,
for example to ensure a consistent security level across
primitives. This paper thus breaks with the t radition and proposes a
256bit authenticated encryption scheme with associated data (AEAD),
based on the lightweight design Quark. We create a new Quark instan ce
to use in a custom SpongeWrap mode, offering onepass AEAD supporting
arbitra ry interleaving of encrypted and associated data, as well as a
range of tradeof fs between security and usage limit. More than a new
primitive, this work provid es insights on the scalability of
lightweight designs to higher security levels: our new design cQuark
has internal state of 384 bits, and allows the implement ation of
256bit AEAD with in the order of 4000 GE.

Title: Cryptanalysis of EAXPrime
slides
Authors: Kazuhiko Minematsu, Stefan Lucks, Hiraku Morita, and Tetsu Iwata
Affiliations: NEC corporation (Minematsu), BauhausUniversitat Weimar (Lucks), Nagoya University (Morita and Iwata)
EAX' (EAXprime) is an authenticated encryption (AE) specified by ANSI
C12.22 as a standard security function used for a smart grid. EAX' is
based on EAX, a provably secure AE proposed by Bellare, Rogaway, and
Wagner.
This paper presents simple and efficient forgery attacks, distinguishers,
and message recovery attacks against EAX' using singleblock cleartext
and plaintext.

Title: How Fast Can a TwoPass Mode Go? A Parallel Deterministic Authenticated Encryption Mode for AESNI (Extended Abstract of Work in Progress)
slides
Authors: Kazumaro Aoki, Tetsu Iwata, Kan Yasuda
Affiliations: NTT, Nagoya University
We present a mode of operation for deterministic authenticated
encryption. Our design is entirely blockcipherbased, like SIV
from Eurocrypt 2006. Unlike SIV, however, our mode is fully parallelizable,
both in its authentication and encryption parts. The basic idea is
a combination of PMAC for authentication and the CTR mode for encryption.
Our implementation yields 2.047 cpb for Intel's Sandy Bridge
microarchitecture, which contrasts with 2.900 cpb of the GCM mode in
OpenSSL 1.0.1c.

Title: A DoItAllCipher for RFID: Design Requirements (Extended Abstract)
Authors: MarkkuJuhani O. Saarinen and Daniel Engels
Affiliations: Revere Security, United States of America
Recent years have seen significant progress in the development of
lightweight symmetric cryptoprimitives. The main concern of the
designers of these primitives has been to minimize the number of
gate equivalents (GEs) of the hardware implementation. However,
there are numerous additional requirements that are present in
reallife RFID systems. We give an overview of requirements
emerging or already present in the widely deployed EPCGlobal Gen2
and ISO / IEC 1800063 passive UHF RFID air interface standards.
Lightweight stateful authenticated encryption algorithms seem to
offer the most complete set of features for this purpose. In this
work we give a Gen2focused "lessons learned" overview of the
challenges and related developments in RFID cryptography and
propose what we see as appropriate design criteria for a cipher
(dubbed "DoItAllCipher" or DIAC) for the Internet of Things.
We also comment on the applicability of NSA's new SIMON and
SPECK proposals for this purpose.

Title: An Improved Hardware Implementation of the Grain128a Stream Cipher
slides.
The software
mentioned on the slides can be found at http://web.it.kth.se/~dubrova/fib2gal.html.
Authors: Shohreh Sharif Mansouri and Elena Dubrova
Affiliations: KTH
In this paper we study efficient hardware implementations of the
Grain128a family of stream ciphers. To achieve higher throughput compared to
the standard design, we apply four different techniques in combination:
isolation of the authentication section, FibonaccitoGalois transformation of
the feedback shift registers, multifrequency implementation and internal
pipelining. The combined effects of all these techniques, when a twolevel
pipeline is used, enable an average 52% increase in throughput among all the
ciphers. All techniques are standard cell techniques and are therefore easy to
apply. They introduce an average 9% area penalty and an average 5% power
overhead.