Hello everyone, my name is Yuting Xiao. My topic today is entitled "Modular Design of Role-Symmetric Authenticated Key Exchange Protocols". This work is a collaboration with Rui Zhang and Hui Ma.

In our work, we focus on a specific type of AKE, namely role-symmetric AKE. In such an AKE, the two parties Alice and Bob send their own messages without waiting for the other side, and upon receiving the message from the other side, each party concludes with a session key or ⊥. There is an adversary between them. It can control the communication channels, corrupt some parties' long-term keys, reveal some real session keys, and reveal some secrets like session states and ephemeral keys. The security goal includes correctness and session key indistinguishability.

In the literature, many security models for AKE have been put forward. The first one is the BR model. It captures the first three attacks. After it, the CK, CK+ and eCK models were proposed to capture the fourth condition. There also exist models improving them to capture perfect forward secrecy. Notice that the CK and CK+ models capture session state reveal queries, while the eCK model captures ephemeral key reveals. They are different. To date, few works compare these models. The only one states that the CK+ and eCK models are incompatible. In fact, the main reason for this is that these models allow different reveals and use matching notions in different ways. Thus, trivial cases arise when changing from one model to another. However, if we put all models into the same setting, there is no need to insist on some minor differences between these models. Thus, we may have a better understanding of these models.

Today, many constructions have been proposed in different models, including efficient concrete protocols like HMQV and NAXOS, and some useful transforms. But there is almost no work considering security in multiple models simultaneously. In their works, a model is fixed first.
Whether their techniques can be reused in another model or not, we had no clear answer before. In this research field, we lack a systematic understanding of the prerequisites for constructing secure AKEs. Both of these two questions motivate us. Our essential goal is to give a better systematic understanding of AKEs, more specifically in the role-symmetric setting. The most important parts of our work are a succinct and comprehensible formulation of the existing models and modular constructions in the existing models. Next, I will introduce the two parts respectively.

In Part 1, I will give an understanding of the system model and the security models. In the system, there exist n parties. Any two can communicate multiple times, and each interaction establishes a session key or ⊥. Taking an execution instance between two parties P_i and P_j as an example, we can give a generic description of role-symmetric AKEs like in this picture. The party P_i takes its own secret key sk_i and the public key of the other party pk_j as input. First, it samples the ephemeral key r_i, then it computes msg_i and s_i using the function F, then it sends out the message msg_i. After receiving the message msg_j from P_j, it computes s_j and s_ij using the function F̄_C. This function can also be split into F̄ and F_C to compute s_j and s_ij respectively. Finally, it derives the session key using the three key materials s_i, s_j, and s_ij. There exist two types of important keys: long-term keys like sk_i and sk_j, and ephemeral keys like r_i and r_j.

Each protocol instance yields two sessions. To identify a session, four variables are used: actor, peer, sent, and recv, to denote the owner, the intended peer, the message sent, and the message received respectively. For example, in such an instance, the session on P_i is identified as (P_i, P_j, msg_i, msg_j), while the session on P_j is identified as (P_j, P_i, msg_j, msg_i).
Accordingly, two notions are also defined here. For any two sessions s and s′, if their owners are the peers of each other and the messages they received are the messages sent by the other, they are called matching sessions of each other. This notion is used to identify two sessions involved in the same protocol execution instance. While for a session s, if the message it received was sent by s′, then s′ is called its origin session. Note that this notion is used to distinguish passive adversaries from active adversaries in a more straightforward manner. You can imagine that a message replay attack is different from a message modification attack in some cases. Here we also notice that the existence of a matching session implies the existence of an origin session, but not vice versa.

Before introducing the security models, we also introduce several important security notions. The first is perfect forward secrecy, PFS. It states that the compromise of the long-term keys of both sides does not affect the secrecy of older session keys. The second is weak perfect forward secrecy, wPFS. It's a weak variant of PFS: the adversary should be passive when the older session keys are generated. The third is key compromise impersonation, KCI. In this attack, the adversary corrupts the long-term key of some party P_i and then tries to authenticate itself as some other party P_j. The last is maximal exposure, MEX. In this attack, the adversary can get keys on both sides, but at most one on each side.

Now we introduce the security models. The adversary may launch active attacks via the Send query on a session and a message. The session responds as the protocol description prescribes. The adversary can also learn some secrets: via a Corrupt query to learn a party's long-term key, via an ephemeral key reveal query to learn a session's ephemeral key, via a session state reveal query to learn a session's intermediates, or via a session key reveal query to learn a session's session key.
Here, the output of the session state reveal query will be specified later. Like other game-based definitions, security is defined via an experiment between the challenger and the adversary, where the adversary can adaptively make the allowed queries and issue a Test query on the target session it chooses. Either the real session key or a random session key is returned. If the adversary correctly guesses the random coin the challenger used and the target session is kept fresh throughout the experiment, the adversary wins. In different models, different queries are allowed. Of course, to exclude trivial success, freshness should be carefully defined. Many details cannot be included in this talk, but they can be found in our paper. Here, we should notice that in the CK and CK+ models, the session state reveal query is allowed, but in the eCK model, only ephemeral key reveal is allowed.

Next, we should clearly define the output of session state reveal to see their differences. Once again, we take one session as an example. Its lifetime can be viewed as four steps, where some intermediates are passed from one to the next. Can all of these be revealed? In particular, in the last two slots, all session key materials are included. Of course, in all models, session state reveal is forbidden on the target session and its matching session to avoid trivial success, but that's all. For other sessions related to the target session, this query is allowed. Then something goes wrong.

Here we give an example. Three execution instances are given here. The adversary replays the messages msg_j* and msg_i* generated in the first two respectively, activating new sessions on P_i and P_j. There are four sessions and they can be identified as in this blue box. Assume the target session of the adversary is this session. According to the definition, its matching session is this one, and its session key is determined by three key materials s_i*, s_j* and s_ij*.
Notice that in these two non-matching sessions, s_j* and s_i* appear. If the adversary issues session state reveal queries on them and additionally reveals the ephemeral key of the target session, it can get s_i* and s_j* and compute s_ij* by itself. Thus, it trivially succeeds. To avoid this, the session state reveal query is shut down in this slot, but we should notice that session state reveal still leaks more than ephemeral key reveal, because besides the ephemeral key r_i, it also leaks s_i.

To make these models more succinct and comprehensible, we formulate them as in these tables. In the models on the left, secret leakages are strictly limited to the target session and its matching session, while in the models on the right, they are limited to the target session and its origin session. This is due to the special case where the origin session exists but the matching session doesn't. The models with the PFS suffix deal with much more complex situations. We also notice that each case in each model can be classified into the security notions we mentioned before. Thus, with such formulations, to achieve security in these models, the key is to achieve all these security goals.

Next, I will introduce the key idea of our modular constructions. Recall the generic description. Here, F_C is used to negotiate a key material from both parties' ephemeral keys. Giving a secure implementation for it is enough to achieve weak PFS. Then we take F and F̄ as a function pair. The paradigm of role-symmetric AKE can thus be described as two times (F, F̄) plus F_C plus KDF. How to securely implement such a function pair becomes our starting point. This motivates us to define a new primitive, KRF. It's a function pair: if the corresponding keys are used, F̄ can recover w from x_1 and the y output by F. Two properties are required for it. The first one is private evaluation, PE: without ek, one cannot generate a pair (x_1, y) such that the output of F̄ is not ⊥.
The second is private recoverability, PR, which means that without rk, one cannot recover w from (x_1, y), even if ek or x_2 has been leaked. According to different cases, this property is divided into PR-LEK and PR-LX. These three properties are important to achieve these security goals.

Take a key exchange protocol to implement F_C. We can get a construction like this. P_i generates a key pair (pk_i, sk_i). Then it takes pk_i as x_1 and r_i as x_2 to compute (y_i, w_i). pk_i and y_i are sent out. Upon receiving pk_j and y_j, it first recovers w_j and computes K from sk_i and pk_j. Finally, it derives the session key from w_i, w_j and K. P_j executes in a similar way. If the key exchange protocol is passively secure, and assuming the KRF has different properties, we obtain AKEs secure in different models, as in this table. The simplified proof strategies of our modular construction can be abstracted as in this table. The details of the proof will not be introduced in this talk, but they can be found in our paper.

Then I will introduce two enhanced versions. In the first one, the key point is that the output y can be used as a public key pk. If so, the basic construction can be improved like this. Here P_i doesn't generate and send pk_i anymore, and P_j doesn't generate and send pk_j anymore. Thus, the computation and communication overheads on both sides decrease. In the second one, a public key pk can be used as the output y, and the computation of w is allowed to be delayed until some x_1 is specified. By this, the basic construction can be improved like this. Here in the first phase, there is no need to compute w_i; its computation is delayed into the second phase, and x_1 is set as the pk_j it received. Note that this enhanced construction requires some differences to the KRF, and it cannot be PE secure, because anyone, including the adversary, can compute a public key. Apart from these modular constructions, we also get some other results.
First, we use these modular constructions to explain some existing protocols in the CK, CK+, eCK and eCK-PFS models. Then according to our results, security in the eCK-PFS model implies security in the CK+-PFS model. Thus, we can get some new constructions in the CK+-PFS model. Next, we also give a new construction according to our results, which is more efficient than directly applying a compiler on a protocol secure in the eCK model. That's all about our results. Thank you for listening.
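As an added example (not from the talk or the paper), the session identifiers, the matching and origin notions, and the replay scenario used to motivate shutting down session state reveal are modelled in Python. The symbolic key materials s(...) and s_c(...), the state-reveal contents and the session names are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Session:
    # Session identifier from the talk: owner, intended peer, message sent, message received.
    actor: str
    peer: str
    sent: str
    recv: str

def is_matching(s, t):
    # Owners are each other's peers and each received exactly what the other sent.
    return s.actor == t.peer and t.actor == s.peer and s.recv == t.sent and t.recv == s.sent
def is_origin(s, t):
    # t is an origin session of s: the message s received was sent by t.
    return s.recv == t.sent
def partners(s, sessions, relation):
    # All sessions standing in `relation` (is_matching or is_origin) to s.
    return [t for t in sessions if t != s and relation(s, t)]

# Assumed symbolic key materials: s(sent) from F, s(recv) from F-bar, s_c from F_C.
def key_materials(s):
    return {f"s({s.sent})", f"s({s.recv})", f"s_c({s.sent},{s.recv})"}

def state_reveal(s):
    # Intermediates a session state reveal hands over in the slots that hold key materials.
    return {f"s({s.sent})", f"s({s.recv})"}

def leaked_via_non_matching_state(target, sessions):
    # Target materials obtainable from state reveals on sessions that every model leaves open.
    protected = {target, *partners(target, sessions, is_matching)}
    leaked = set()
    for t in sessions:
        if t not in protected:
            leaked |= state_reveal(t) & key_materials(target)
    return leaked

def trivial_win(target, sessions, ephemeral_key_revealed):
    # With the target's ephemeral key, the adversary recomputes F_C's output s_c itself.
    got = leaked_via_non_matching_state(target, sessions)
    if ephemeral_key_revealed:
        got = got | {f"s_c({target.sent},{target.recv})"}
    return got == key_materials(target)

# Constructed replay scenario: one honest run plus sessions fed the replayed msg_j* and msg_i*.
TARGET = Session("P_i", "P_j", "msg_i*", "msg_j*")
PARTNER = Session("P_j", "P_i", "msg_j*", "msg_i*")
REPLAY_I = Session("P_i", "P_j", "msg_i'", "msg_j*")
REPLAY_J = Session("P_j", "P_i", "msg_j'", "msg_i*")
SESSIONS = [TARGET, PARTNER, REPLAY_I, REPLAY_J]
```

The replayed sessions have an origin session but no matching session, and state reveals on them hand over s_i* and s_j*, so the target is only fresh if the slot holding those materials is excluded from the reveal.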