 Okay, thank you So let's start by recalling our structure of a Python network. So this is a round Python network and Each wire The wire length is n and we will use XI to represent the intermediate values So each value SI is n bit long and they satisfy This relationship here Okay, and we will call it by a round function now recall that Each round is a permutation. No matter whether the round function is or it's not a permutation and The Python network is a two amp bit permutation with input x 0 x 1 and output x 8 x 9 And in this talk, we will assume the round functions are independent random functions And the question is to what extent is such a network like a random permutation So let's take a look at the classic indistinguishability experiment We have a distinguisher and it's interacting with one of the two worlds It's advantage is defined as the difference of the distinguisher outputting one in the two worlds In and we assume the distinguisher is information Theoretic meaning that it has unbounded computational power. It just has a limited number of queries to its oracles in the real world interacts with the phystone network and In the ideal world Interacts with a random permutation and in both worlds it has two side queries to look the oracle so you can query backwards The Seminole Ruby Rack of theorem says for a Python network is Distinguishable from a random permutation. So the advantage is negligible for any distinguisher But in this talk, we will use a stronger notion on In differential ability introduced by Maura, Renner and Hollenstein in 2004 So in this case when we give the distinguisher Access to the round functions so we can query these small round functions as well in the real world However in the ideal world, there is no round function. So we will have to construct a simulator That will behave Try to behave like the round functions so that a distinguisher cannot distinguish between the two worlds and We require the simulator to be efficient and it has oracle access to P so our goal is to construct a simulator and In differential ability means for so many rounds and with such a simulator no distinguisher can distinguish using so many queries So also we require its advantage in the two worlds to be negligible So the first work on Differential ability of Python networks is done by Coran, Tethering and Suran in 2008 So they prove that five round five stone is not indifferenceable and they also proved six round is Indifferenceable from random permutation Then in 2009 Suran gave a simple ten round simulator in his PhD thesis so However in 2011 Holenstein, Kuntler and Tassaro found some flaw in the previous proofs and They showed 14 round five stone is indifferenceable Therefore whether ten round five stone is indifferenceable remains open at this point So concurrent and dependent of our work document so Kat and to rule Van Gogh then Prove that ten round five stone is indifferenceable and Disappeared in this year's Euro crib So our result is eight round five stone is indifferenceable. So We will first Give a natural and simple ten round simulator and from this simulator we will obtain an eight round simulator, which is also natural and simple Well, not that simple actually So the so this is our The comparison of our results So we achieve slightly better security than the previous work But it's still a very enormous advantage for the distinguisher. So not very good balance and Oh, and Q is the number of queries of the distinguisher and N is the wild land Okay, and now let's recall the is in differential beauty experiment So the question here is what can the distinguisher do to distinguish between these two worlds? As we can see in the real world the round functions must be consistent with the permutation in the fisto sense therefore the distinguisher can Well, you can like choose x 0 x 1 and make query all the way to obtain x 8 and x 9 And we will call this a path. So a path consists of x 0 through x 9 this 10 values and You can check if the path is consistent with the permutation like this And it can also start from other positions like from the back and all the way to front or start from the middle and to both sides and it can also go around so you can query through to f1 and Make the permutation query going to x 8 x 9 and then go to To obtain x 5 and see if the value of f5 x 5 is Consistent, but there are a lot of ways to complete a path and Moreover, you can do something more tricky Like you can use the same query in different path and you can also interleave queries in different path to confuse the simulator and So what can the simulator do? The basic strategy is already sampling and preemptive a path completion. So how to complete a path? Suppose it the simulator decides to complete this path So the green queries are already defined and the white ones are not so The simulator can lady sample some of the queries by lady sample we mean it chooses a Random value for the query. So it's randomly selected from all and bit strings and However, at this point the remaining two queries cannot be sampled anymore because the values are actually fixed by the other queries in the path and Generally in each part two queries have to be adapted regardless of how the other queries are defined and Therefore So the simulator has to complete a path early enough so that it has still has room to adapt Because you cannot adapt a query that has already been defined On the other hand, if you choose to complete them part complete too many parts Since when you are completing a part you will make more queries And this may create a out-of-control chain reaction and the simulator may never terminate and So the box in the previous simulator slides in the first First condition so it has no Room to adapt we will see it later So by adapting a path we mean assigning these two queries the values like this So so that you can be consistent with the permutation Okay, so now we start by introducing some 10-round simulator which is the basis of all the subsequent simulators so His simulator preemptively completes a path when one of the two detect zones become filled So it has a middle detect zone which consists of only two rounds meaning that for every pair of X F five and F six Every pair of queries to these two rounds a path should be completed and it also has an outer detect zone a consisting of four rounds So it's for every quadruple of queries to these four rounds that are Compatible with the permutation so not for all quadruple, but only for a small set of them a path should be completed and The position to adapt record that we have to adapt two queries in each path the position to adapt Depends on the last query that that feels a detect zone And we say the query triggers the detect zone so If a path is triggered at x2 or x5 it will be adapted here And if it's triggered at f6 or f9 It's adapted here Moreover if multiple path are triggered They will be completed in a 5-4 order. So the path tactic first will be completed first So let's demonstrate using an example. So say a query is issued here that triggers the outer detect zone of this path and First the query will be lazy sample. It's given a random value and We will adapt here So we will need to sample the other undefined queries in this path So these four queries will be lazy sampled and Moreover the queries to f5 and f6 are in the middle detect zone So these two queries will trigger more path and these triggered path are in queue and will be dealt with that later and So after this path is completed The simulator dequeues the next path in a queue and starts completing the path so Okay, so this is sounds 10-round simulator and its problem is there is a strategy for the simulator That causes the up. Sorry. There is a strategy for the distinguisher that causes the simulator to always adapt some Already defined query So this is sounds attack against his own simulator, which is quite complicated, but The idea is to so the randomness that Determines this adaptive query is sampled a long time ago before the query is actually sampled the query is adapted therefore Some other path has already used the same randomness and defined this query before so that's the problem basically and So how to fix the simulator? Hohlenstein et al Did this by adding buffer rounds around each adapt zone And moreover they prove that on the buffer rounds are adept are sampled right before the adaptation occurs So as you can see if these two values are newly sampled the values of x4 and x5 Will be Independently random and therefore they are very unlikely to Clyde with some existing query So we will use the same idea here, but instead of adding new rounds we will just use existing rounds as the buffer and If the left adapt zone is used we will call these two rounds the endpoints and if the right adapt zone Is used we call these two rounds the endpoints So there are the rounds around the adapt zone and our goal is to keep endpoints Unsampled until the path is ready to be adapted. So it's the same as Hohlenstein's idea and so In other words, we will require these four queries to remain unsampled until the path is completed Okay, so how to achieve this goal we will use the same example as before so When this query is issued We note that the triggering query of a path is always one of the endpoint queries. So Since this query is an endpoint query and the other endpoint queries are known we cannot complete this path yet So instead of lazy sampling one The triggering query we can only mark it as pending and not sample it and Then we we can issue these three queries and these queries will be Answered using the simulator's own interface just like a normal query from the distinguisher and and So again the query to f6 is in the middle detect zone so it may trigger other path and Since this query is an endpoint query of this newly triggered path and our goal should be Achieved also for this new path so the query to f6 cannot be sampled until the new path is completed and But the old path cannot continue until the query to f6 is Defined therefore the new path should be completed before the old one and this resulting In a life of order so the path detected later is actually completed first So this is the maybe the only difference between the two simulators So after this query is defined We have another the other endpoint query and this query is marked pending as well And we say the path is ready when both endpoint queries are pending So this part is ready to be completed. But why don't we complete it? I mean right away so You may have seen this The query can be the endpoint query of multiple paths And since our goal should be kept for all these parts these two parts should be Adapted at the same time after the query at x5 is defined So this is the batch adaptation idea from a work from Dodis Leo stem and Steinberger so the path that share an endpoint query should be adapted at the same time that's so that's the idea and this so the all these path will form a very nice tree structure and This will make our proof much easier and So This is Summary of our 10 round simulator. It has the same simple structure as the Hans simulator, but we change the convention order to Lifal and we delay the lazy sampling To ensure the freshness of the randomness and know that this is only a conceptual change because one way or another The endpoint queries are sampled randomly But as we have seen in the example this conceptual change actually lead us to the life or order of path completion Okay, and since we have the same structure as the Hans simulator We can use the exact same termination argument. So the outer detect zone cannot be Well, it's very unlikely to be triggered unless the distinguisher has a query the permutation query and so the number the number of path triggered by the author detect zone is at most Q in most executions and The number of queries in these two rounds Are not increased by path triggered by the middle detect zone. So they are only increased by either a distinguisher query whose number is at most Q or Increased by a path that is triggered by the outer detect zone Which which number is also upper bounded by Q and therefore they are at most two Q defined queries in positions five and six So at most for Q squared path can be triggered by the middle detect zone So this is the termination argument of our simulator So how to get down to eight rounds? To do this we have to rearrange the detect and adapt zones So we can see the other detect zone has four rounds, which is obviously very wasteful So we spread it into two other detect zones each consisting of three rounds and This makes triggering a path easier, but this does not ruin our termination argument since it is still hard to trigger the other detect zone without knowing the permutation query and We also have to move our adapt zones. So one of them is moved to The middle which overlaps the middle detect zone and this will create a problem that the adaptive queries are actually very likely to trigger a new path if the middle detect zone is still length two and Well, we don't want this I mean in the 10 round simulator the adapt zone is disjoint with Detect zone so adaptive queries are not triggering any path So to keep this probably we will extend the middle detect zone into two three round middle detect zones and this will prevent That from happening So this is what the simulator looks like The red ones are the adapt zones and the green ones are these detect zones. So as we can see in this graph it's very symmetric and Each position triggers exactly one type of path and moreover We can see here the middle Adapt zone is actually surrounded by two queries and we claim that these two queries will be undefined when these two queries are adapted So this will prevent Well, this will prevent the two adaptive queries to form To fill the middle detect zone of some path Okay, so Summarize of our a round simulator It uses the same life order as the 10 round simulator and it has four detect zones and it uses the same termination argument So what to do next So we only have an attack against five round Faisal and we now we have a proof for eight round Faisal So to close the gap we there are still two rounds And can we do More rounds to improve concrete security as we mentioned our proof achieves very bad security bound and This is because we are aiming at reducing the number of rounds so Can we prove a better bound if we use more rounds or even better prove the birthday bound for saying? 20 round Faisal and more of us we can consider alternative constructions like a soft shuffle Can we prove in differential ability bounds and better bounds for these constructions? Okay, that's it. Thank you. Thank you very much