 I start this talk with the outline of what cybertext fragmentation is. Then I'll go on to say how we formulate fragmentation. I'll describe some security notions that we introduce. And then I'll conclude with the comparison of our constructions. So I have to say that here I have made a lot of details about, especially, parts 3 and 4. So I will mostly focus on the motivation for this work and leave the details in the paper. So I'll just give you a small flavor of what we do. So what is cyphertext fragmentation about? So we have the usual setting where Alice and Bob want to communicate securely over a secure channel. So Alice will use an encryption scheme. It will take some messages and encrypt them. Then she will send these cyphertexts over the channel. And the channel now will behave in a different behavior that we normally assume. So it will deliver the cyphertext in a sequence of chunks, which we call cyphertext fragments. And now this imposes some further requirements on Bob. It requires some extra functionality for Bob in order to be able to parse these cyphertext fragments correctly and have correct decryption. So what we assume about the channel is that under normal operation, that is when there is no interference from the adversary, the fragmentation pattern can be arbitrary that is applied by the channel. But the order of the fragments is preserved. This is only for correctness. When we come to define security notions, we relax the second notion. We don't care about the order of the fragments. So the adversary is able to change the patterns he likes. So why is it important and what should we care about cyphertext fragmentation? So this setting emerges in practice. And we have encryption schemes where they have to operate over such channels. And one such example is that of secure network protocols, like SSL and SSH. And the problem is that in cryptographic theory, the security models that we use don't ever capture this. And in ancient years, cyphertext fragmentation has given rise to certain attacks which were able to break certain schemes which were proven secure before. So we have schemes that are proven to be secure, but when used over a fragmented channel, they are no longer secure. And this, of course, has left a gap between theory and practice. So here are two examples of cyphertext fragmentation attacks. So the first case was SSH, where a proof of security was first given by Bellarico and Namprampra in 2004. And yet, in 2009, Albert Patterson and Watson presented a tech that was able to recover plain text from SSH. The second example was an IPsec when configured in Mac than Encrypt using CBC mode encryption. So Mac than Encrypt with CBC mode encryption was first proven secure by Kraftcheck in 2001. A stronger result that built on this result was later given by Maura and Tuckman in 2010. And yet, in the same year, there was an attack by Ken in myself that showed how cyphertext fragmentation can be used to break IPsec in such configurations. So to give you an idea of how cyphertext fragmentation can be abused by an adversary in order to break a scheme, I'll give you an idea of how the SSH attack works. So basically, this is how SSH encrypts a message. It's a bit complicated, but the main thing to notice here is that this packet-length field here, this is how SSH uses to handle cyphertext fragmentation. So encryption is done in an Encrypt and Mac manner. So a Mac is computed over the encoded plain text. Then the plain text is encrypted, and the Mac is appended to the cyphertext. So then the encryption works as follows. As soon as SSH has received a complete block, the first cyphertext block, it will decrypt this block and inspect the packet-length field. Then from this, it will know how much cyphertext it needs to wait for in order to be able to decrypt and verify the Mac. So SSH commonly uses CBC modes for encryption. And when this is done, then the following attack works. So the adversary can intercept a cyphertext and say he wants to recover partial plain text from the cyphertext block CI star. And because in CBC mode, we can swap easily cyphertext around, he can take the cyphertext block and send it as the first block for decryption. So then, as I said before, in decryption, what SSH does, it decrypts this block and it will interpret the first 32 bits of this plain text as the length field. So then, what the adversary does is that it will start sending a sequence of random bytes of cyphertext one by one until eventually it will observe a Mac failure error. Once this happens, it knows that the amount of cyphertext bytes that it has sent corresponds to the value of this length field here. So in this way, the amount of cyphertext bytes that can send leaks the first 32 bits of the plain text block. So this is the main idea behind the SSH attack. So the first work to analyze cyphertext documentation was the first done by Pedersen and Watson in 2010. The main result there was to show that if in SSH we replace CBC mode with a stateful counter mode, then the scheme becomes secure in the presence of cyphertext fragmentation. However, the security notion, their work basically is mostly focused on SSH. And the notion is closely tied to SSH in that it assumes that the cyphertext is formatted for SSH. So their notion only applies for SSH. And also, at first glance, cyphertext fragmentation might show some resemblance to something which is another area, which is called online encryption. But we emphasize that the two are very distinct and disjoint. So the contribution of our work is the following. We start by giving a syntax, a new syntax for an encryption scheme that works over cyphertext over fragmented channels. We also introduce security notions. We then provide generic constructions of fragmented schemes that meet our security notions from normal atomic schemes. We then formalize other security goals that practical schemes normally try to achieve as well. And we call these boundary hiding and robustness against fragmentation-related denial of service attacks. And then finally, we present a scheme, a construction that achieves all three of our security notions. So in order to cater for fragmentation, we have to redefine the syntax of an encryption scheme. So we define a fragmented symmetric encryption scheme as a triple of our algorithms. As usual, we have the key generation algorithm, which outputs a key and an initial encryption state, sigma 0, and an initial encryption state, tau 0. Then encryption works as usual with a slight difference. Now it takes a message and a state, an encryption state, and it outputs a cyphertext and an updated state. And the encryption algorithm can be probabilistic, stateful, or both. And if we want to model a stateless scheme, we just let the state be the empty string. Then for the encryption, now the main difference is in the encryption actually, the encryption algorithm. So the encryption algorithm now takes a cyphertext fragment. It takes a decryption state. It will output a string m and the updated decryption state. And now the decryption state is required to be deterministic. And in order to cater for fragmentation, it inherently has to be stateful. And the output is actually a string now over the following alphabet, which is the union of the binary alphabet, the set of error symbols, sigma, or S-perp, and a special symbol here that we call the end-of-message symbol. The symbol will be used to indicate boundaries between messages. So now we also have to define correctness. So we define correctness formula in the paper, but here I will explain to you pictorially. So we require that for any message vector, so any vector of messages, in this case, three messages, if we encrypt these separately and then join the cyphertext, concatenate the cyphertext, and for any string that we can append at the end, and then apply an arbitrary fragmentation pattern to give us a sequence of cyphertext fragments, if we send the cyphertext fragments to the encryption algorithm one by one and we get the outputs, the requirement is that the concatenation of these outputs, M1 prime to M5 prime, is prefixed with the encoding of the original message vector. And the encoding is this one here. So it's a concatenation of the message vector separated with the special end-of-message symbol. So that is correctness. So you see that already it's a bit more complex to define correctness. So there's more challenges in the security notions as well. So our starting point for defining security now was the notion in the CFCA, introduced by Bilaliko and Namprempre. This is basically an extension, a stronger variant of NCCA, that additionally protects against three-player attacks and out of order delivery attacks. So we extend this notion to cater for cyphertext fragmentation. And we call this new notion in the CFCFA, where CFA sends for chosen fragment attack. And we then provide a generic construction for transforming the atomic scheme into a fragmented scheme. And this construction makes use of a prefix free encoding. And if the atomic scheme that we start from is in the CFCA, then the resulting construction, the resulting scheme is in the CFCFA. So basically this construction shows that it's not so hard to achieve security under chosen, to achieve security in the fragmented setting. But this is not the end of the story, because if you go back and look at this stage, we find that the design of SSH we're actually trying to achieve more than just confidentiality. And we identify two further goals that SSH tries to achieve. We call the first one boundary hiding, and the second one is robustness against fragmentation-related denial of service attacks. And now things get more interesting, because meeting such security goals without compromising confidentiality is more difficult. An example, if one looks at the details of the SSH attack, one finds that, for example, the counter-measure that SSH introduces to get boundary hiding is what actually makes the SSH attack possible. So because SSH tries to achieve boundary hiding, that's how it was a confidentiality. And actually the counter-measure that SSH takes to limit the denial of service attacks makes the attack even more efficient. So you see here that there's an opposing conflict here going on, where all these security notions are pulling in different directions. So the first goal was boundary hiding. So in 13 Committee, normally we know that it is inevitable that the Cypher test will leak the message length. However, in practice it's a real problem. So we normally don't try to meet this goal, because we think we know it's impossible, or we consider it impossible. But in practice it's a real problem. And because the theoretical community hasn't provided any sound theoretically correct, theoretically sound way of protecting against this, what is normally done in practice is that people and practical schemes use heuristic techniques. And later there has been some work, which looked at these schemes in order to protect against traffic analysis. Of course the problem here is that leaking the length does give rise to traffic analysis attacks. That's why this is a problem in practice. And as we saw earlier, SSH tries to encrypt the length field. This does not by itself conceal the message length, but it does conceal Cypher text boundaries. So informally we define boundary hiding that given a computation of Cypher text, no adversary can determine what the Cypher text boundaries lie. And now immediately we can notice a conflict, because in the correctness requirement, intuitively you can see that the encryption algorithm needs to be able to determine where the Cypher text boundaries are in order to encrypt correctly. And now we want to be able to hide the Cypher text boundaries from the adversaries. So the only way we can accommodate these two is to make the Cypher text boundaries evident only to someone who knows the secret key. So with this intuition in mind, we can then go back and extend our original construction and replace the prefix free encodings scheme with a keyed prefix free encodings or a family of prefix free encodings if you want. And this gives us boundary hiding in the passive case. Then the notion can be extended to the active setting by giving the adversary access to an encryption oracle. But this is more challenging to achieve. And the only construction we have that achieves this is the interim construction, which I will mention at the end. Then if we all goes back and looks at the SSH standard, one finds a paragraph where it's described that certain or SSH standard warns against certain denial of service attacks. Basically, the idea is that an adversary can intercept a Cypher text, manipulate the length field, say by flipping the most significant bit of this length field, to change it into a huge value. So now a Cypher text, so that will be the first Cypher text. And when it's received by the encryption algorithm, it will interpret this as a fragment of a huge Cypher text. And then what happens is that every subsequent Cypher text is received will be interpreted as a fragment of this huge Cypher text. So look at a situation where Cypher texts are being fed into the encryption algorithm, and no message is coming out of the encryption algorithm. And the user experiences this as a connection hang. And the way SSH has, the only way SSH has to mitigate this attack is to limit the maximum message length. Now such denial of services attacks are not specific to SSH, but arise in general when we consider Cypher text fragmentation in general. And the way we define the denial of security against the denial of service is the following. We say that a scheme is end of secure. If no adversary can produce an unbit long sequence of Cypher text fragments, that was not previously output by the encryption algorithm, such that the encryption algorithm returns the empty string throughout. So now we can compare the constructions. So we have SSH CBC, which was the original mode used by SSH. Then we have SSH CTR, which was proved secure by Paterson and Watson. PF is the prefix reconstruction that we introduced first. KPF is the keyed variant of it, which also achieves boundary hiding in the passive case. And then we have InterMAC. And you see that InterMAC is able to achieve all of our four security notions. And in particular, you can note that InterMAC can achieve end of security without limiting the maximum message length to be N. So it can be achieved end of security for N smaller than the maximum size of the message. So I think I went very fast actually, so I left a lot of details out. You can have a look at the paper for more details. So final to conclude, in our work, we provide a general framework for analyzing security in the presence of Cypher text fragmentation. Then we describe practical constructions and use using standard primitives, showing that security in the presence of Cypher text fragmentation can be achieved using standard assumptions and both efficiently. However, InterMAC still incurs some overhead when compared to state-of-the-art authenticated encryption schemes. So there is still room for improvement there. And a full version of our paper will be available soon on E-print. Thank you very much.