OK, welcome to my talk on message authentication revisited, which is joint work with Yevgeniy Dodis, Eike Kiltz, and Daniel Wichs. I think you all know what message authentication means, and the way to achieve it in the secret-key setting is by using message authentication codes. These MACs are fundamental cryptographic primitives defined by a triple of algorithms: a key generation algorithm that simply outputs a secret key; a tagging algorithm that takes the secret key and a message m and outputs a tag φ; and a verification algorithm that takes the message, the tag, and the key, and either accepts or rejects. Of course, if everything was correctly generated, verification should always accept, and we will see the security definition in a minute.

Historically, message authentication codes have not been constructed directly; people just use a pseudorandom function as the message authentication code. If you have a pseudorandom function, you use it to compute the tags, and verification simply checks whether φ really is the output of the PRF on key K and message M. This gives a secure MAC as long as the range of the pseudorandom function is large enough. If you need a larger message domain, you can use one of the domain extension techniques for PRFs, like CBC, HMAC, or a hash-then-encrypt style construction. And to instantiate your pseudorandom function you have several options. You can use one of the standard heuristic secret-key constructions, say AES or SHA. Or maybe you want an algebraic construction, for example the Naor-Reingold PRF based on the DDH assumption, or constructions from LWE that we will see later at this conference. Of course, these algebraic constructions are much less efficient than the standard ones, so why would you use them? Maybe you are crazy about theory and want a provable security guarantee. But more importantly, these algebraic PRFs are zero-knowledge friendly, so it is much easier to come up with correctness proofs, as used for example in e-cash.

OK, so let's see what the state of the art is in constructing such algebraic PRFs. As I mentioned, there is the Naor-Reingold PRF. The important thing here is that the key consists of roughly a linear number of group elements, so the bit length of the key is at least quadratic in the security parameter. Another option is to use an algebraic pseudorandom generator: from DDH you get a very efficient pseudorandom generator, and then you can apply a generic construction like Goldreich-Goldwasser-Micali to get a full-blown PRF. Very nice, very short keys, but you need a linear number of exponentiations in the security parameter. Other PRF constructions have been proposed that have a short key and only one or a constant number of exponentiations, but they rely on rather exotic assumptions; an example is the Dodis-Yampolskiy PRF from the q-DDHI assumption. So, summing up, this is the state of the art for PRFs, and nothing better is actually known for MACs. Every PRF is a MAC but not the other way around, yet to the best of our knowledge nothing better is known for MACs. In particular, prior to our work it was not even known whether there exists, say, a MAC from DDH with constant key size and a constant number of exponentiations. So stay tuned to see such constructions in a few minutes.
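Before moving on, here is a minimal sketch of the PRF-as-MAC approach mentioned at the start. The choice of HMAC-SHA256 as a stand-in for the PRF, and all names, are my own illustrative assumptions, not something from the slides.

```python
import hmac
import hashlib
import os

def keygen() -> bytes:
    # The secret key is just a uniformly random PRF key.
    return os.urandom(32)

def tag(key: bytes, message: bytes) -> bytes:
    # The tag is simply the PRF evaluated on the message;
    # HMAC-SHA256 stands in for the PRF here.
    return hmac.new(key, message, hashlib.sha256).digest()

def verify(key: bytes, message: bytes, t: bytes) -> bool:
    # Canonical verification: recompute the tag and compare.
    return hmac.compare_digest(tag(key, message), t)

# Usage
k = keygen()
t = tag(k, b"pay Bob 10 euros")
assert verify(k, b"pay Bob 10 euros", t)
```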
One motivation for this work was the observation that MACs are actually a much weaker primitive than PRFs, so maybe we can do much better. Why are MACs weaker? One reason is that MACs only have to be unpredictable, whereas PRFs have to be indistinguishable, and we do not know of any efficient generic transformation from unpredictability to indistinguishability. So maybe this gap can be exploited. For example, since we only need unpredictability, perhaps we can start from a search assumption like computational Diffie-Hellman instead of decisional Diffie-Hellman, and you will see such a construction later. Another important difference between PRFs and MACs is that MACs can be probabilistic in general, whereas PRFs are deterministic (or, if you were at the workshop in Bellagio, at least they should always produce the same output on the same input). And if you want to construct a MAC from an assumption like learning parity with noise, which is inherently randomized, with random vectors and random errors, it seems natural to aim for a probabilistic construction where you get this randomness from somewhere.

OK, so now I have told you what the goal of this work is: we will look at direct constructions of MACs, avoiding the detour over pseudorandom functions. I showed you the syntax of a MAC; now let me give you the security definition. We say that a MAC is unforgeable under chosen message and verification queries if no efficient adversary can win the following game: the adversary can make tag queries to the tagging algorithm and verification queries to the verification algorithm, and he wins if at some point he makes a verification query that accepts and that contains a message m which he did not explicitly ask the tagging algorithm before. Quantitatively, t is the size of the adversary, epsilon its advantage, and there are bounds on the number of tag queries and the number of verification queries allowed.

Note that in the analogous notion for signature schemes, unforgeability under chosen message attacks, there are no verification queries, simply because verification is public anyway. And if you have seen definitions for secret-key MACs, you probably have not seen an explicit mention of verification queries either, because for a deterministic MAC with canonical verification, like the PRF-based MAC I showed you before, it does not make much of a difference whether you allow one verification query or many. Deterministic means the tagging algorithm is deterministic; canonical verification means verification just evaluates the tagging algorithm and checks whether the given tag is correct. In that case there is a simple reduction showing that if the MAC is secure against one verification query, it is secure against q_v verification queries, losing only a factor linear in q_v in the advantage. But for probabilistic MACs it makes a huge difference whether verification queries are allowed. You will see natural constructions of MACs that are secure against a single verification query, but where an adversary who can make many verification queries can take a tag, tweak it a little bit, see if it still verifies, and with enough such queries actually recover the key completely.
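To make the security game concrete, here is a minimal sketch of this unforgeability experiment, written around a generic (keygen, tag, verify) triple. The class name and interface are my own illustration, not from the talk.

```python
class UFCMVAGame:
    """Unforgeability under chosen-message and verification attacks:
    the adversary may query a tagging oracle and a verification oracle,
    and it wins if some verification query (m, t) accepts for a message m
    that was never submitted to the tagging oracle."""

    def __init__(self, keygen, tag, verify):
        self.key = keygen()
        self.tag_alg = tag
        self.verify_alg = verify
        self.tagged_messages = set()
        self.won = False

    def tag_query(self, m: bytes) -> bytes:
        self.tagged_messages.add(m)
        return self.tag_alg(self.key, m)

    def verify_query(self, m: bytes, t: bytes) -> bool:
        ok = self.verify_alg(self.key, m, t)
        if ok and m not in self.tagged_messages:
            self.won = True   # a fresh accepting query counts as a forgery
        return ok
```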
So before I come to the results of our paper, let me give you two more simple definitions. If we have a MAC that is unforgeable under chosen message and verification attacks with just one single verification query, so the adversary has only one shot at a forgery, we call it uf-CMA, unforgeable under chosen message attacks. Moreover, we will consider a weakened notion called selective security. Selective CMA or CMVA is defined exactly like unforgeability under chosen message attacks, except that now the adversary has to commit to the message he wants to forge on before making any queries to his oracles, so it is a weaker notion.

And then comes an apparently completely unrelated notion, an indistinguishability notion. We say that a MAC is IND-CMA if it is hard to distinguish the real tagging oracle, which on a query m returns a tag for m under the secret key, from a tagging oracle that simply ignores your input and always returns a tag for some fixed message, say 0. Note first that this notion by itself is completely useless, because a tagging algorithm that always outputs the constant 0 is perfectly indistinguishable in this sense. But the notion becomes interesting in conjunction with the standard unforgeability notion. Also note that if a MAC is both unforgeable and indistinguishable, it has to be inherently probabilistic: if it were deterministic, I could ask for tags of two different messages, and with the real oracle I would get two different answers, while with the other oracle I would get the same answer twice, so I could distinguish.
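Since this indistinguishability property is exactly what the main transformation will rely on, here is a minimal sketch of the IND-CMA game just described; again the interface and names are my own illustration.

```python
import secrets

def ind_cma_game(keygen, tag, adversary) -> bool:
    """The adversary talks to a tagging oracle that is either the real one
    or one that ignores its input and always tags the fixed message 0.
    The MAC is IND-CMA if no efficient adversary guesses the hidden bit
    noticeably better than chance."""
    key = keygen()
    b = secrets.randbits(1)

    def oracle(m: bytes) -> bytes:
        # With b = 1 the oracle tags the queried message,
        # with b = 0 it always tags the fixed message 0.
        return tag(key, m) if b == 1 else tag(key, b"\x00")

    guess = adversary(oracle)
    return guess == b   # True means the adversary won this run
```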
OK, so let's come to the results that we have. We have two batches of results: the first is about transformations, the second about constructions. Our main result about transformations is the following: we give a very efficient, very simple transformation that takes any MAC that is secure without verification queries and that, on top of that, is indistinguishable, and turns it into a MAC satisfying the full-blown notion of unforgeability with verification queries. That is the main result. Two minor observations that we will use, but which are really simple, are that you can use universal hash functions for domain extension if the MAC is IND-CMA, and that if the MAC has a very small message domain, then selective security already implies security in the standard sense, losing a factor exponential in the domain size. These are essentially known things and we will just use them.

OK, let's come to the second batch of results, which is constructions of algebraic MACs. We give some general templates for how to use existing tools and constructions of quite different objects to get algebraic MACs from them. For example, we show that you can start from any CCA-secure public-key encryption scheme, or more concretely from hash proof systems, and get such algebraic MACs. Now, this might seem completely silly: CCA-secure public-key encryption is a hugely powerful object. But even starting from this object, the MAC we get, for example based on DDH, has a constant-size tag and a constant-size secret key, which, as I mentioned before, was not known before. Maybe a bit more interesting, we show constructions based on what are called key-homomorphic weak PRFs, which are trivially implied, for example, by DDH. This gives a very simple construction, with just two exponents in the secret key and two group elements in the tag, and it is secure under DDH; I will show you this construction in a minute. And finally, every signature scheme is a MAC, but using ideas from signature schemes we can get MACs that are much more efficient than the corresponding signature schemes. For example, we get a MAC with a constant-size secret key and a constant-size tag, and what is interesting here is the assumption: it is based on a computational assumption, computational Diffie-Hellman. You will see this in a minute.

OK, I have ten minutes left. Actually, the original motivation for this transformation was a paper by Eike, myself, Cash, and Venturi from last year on efficient authentication from learning problems, where we showed how to construct efficient MACs from the LPN assumption; they were phrased as authentication protocols, but you can view them as MACs that do not allow verification queries. Using the new transformation that we have now, we get a MAC that is only slightly less efficient than the authentication protocol, and it is a full MAC; in particular it gives you, for example, a man-in-the-middle secure protocol. We already had such a transformation in last year's paper, but it was much less efficient, using a pairwise-independent permutation over the entire tag; now we get away with just a pairwise-independent hash function with a very short output, which is much more efficient.

OK, let's come to our main transformation. As I said before, it takes any MAC that is unforgeable but does not allow verification queries, and if on top of that the MAC is indistinguishable, meaning that tags for messages of your choice are indistinguishable from tags for the fixed message 0, then the transformation turns it into a MAC that is unforgeable in the full sense, with verification queries. So what does the transformation do? The key generation algorithm of the transformed MAC runs the key generation of the underlying MAC to get a key k, and moreover we pick a pairwise-independent hash function h, which becomes part of the secret key. To tag a message m in the new construction, we sample a short random string b, concatenate it with m, and compute a tag z on this concatenated message. We output this z as part of the tag, but moreover we also hash z with the pairwise-independent hash function, which has a very short output, and use h(z) to blind the randomness b used in this computation. Verification is the natural thing: XORing with h(z) again recovers b, which gets concatenated with the message, and then we check that the result is consistent with the tag z. And here is the theorem: if the underlying MAC is secure without verification queries and indistinguishable, the whole construction is secure with verification queries.
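Here is a minimal sketch of this transformation, assuming an underlying (keygen, tag, verify) triple such as the HMAC-based one sketched earlier. The parameters B_LEN and P, the toy affine hash (which is only approximately pairwise independent after truncation), and all names are my own illustrative choices, not from the talk.

```python
import os
import secrets

B_LEN = 16               # length of the random string b, in bytes (my choice)
P = 2**1279 - 1          # a Mersenne prime, larger than any tag we will hash

class PairwiseIndependentHash:
    """Toy hash h_{a,c}(z) = ((a*z + c) mod P), truncated to B_LEN bytes.
    Close to pairwise independent as long as tags, read as integers, are below P."""
    def __init__(self):
        self.a = secrets.randbelow(P - 1) + 1
        self.c = secrets.randbelow(P)

    def __call__(self, z: bytes) -> bytes:
        x = int.from_bytes(z, "big")
        assert x < P, "tag too long for this toy hash"
        y = (self.a * x + self.c) % P
        return (y % 2**(8 * B_LEN)).to_bytes(B_LEN, "big")

def xor(x: bytes, y: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(x, y))

def transform(keygen, tag, verify):
    """uf-CMA + IND-CMA  ->  uf-CMVA, following the construction in the talk."""
    def keygen2():
        return (keygen(), PairwiseIndependentHash())

    def tag2(key2, m: bytes):
        k, h = key2
        b = os.urandom(B_LEN)          # short fresh randomness
        z = tag(k, b + m)              # tag the concatenation b || m
        return (z, xor(h(z), b))       # blind b with h(z)

    def verify2(key2, m: bytes, t) -> bool:
        k, h = key2
        z, c = t
        b = xor(h(z), c)               # recover b by XORing with h(z) again
        return verify(k, b + m, z)     # check the underlying tag on b || m

    return keygen2, tag2, verify2
```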
Let me spend a minute giving you an intuition for how the proof works. Assume you have an adversary that is allowed to make verification queries and forges a tag, that is, it makes the verification algorithm accept for a message it has not seen before. Such an adversary can be of two types. We run the adversary and look at the first verification query it makes that accepts. This query can be of two kinds: it can be fresh, in the sense that the input to the underlying verification algorithm has not been used as an input to the tagging algorithm before, or it can be not fresh, meaning this is not the case. Now, if our adversary is of the kind where the first accepting verification query is fresh, we can use it directly to forge the underlying MAC: we simply guess which query this is going to be, look at what it is, and output it as a forgery for the underlying MAC. But it can also be that the adversary only makes accepting verification queries whose inputs are not fresh. In that case this is not actually a forgery for the underlying MAC, even though it is an accepting query for the transformed scheme. Here we use the indistinguishability property: we show that if the tagging algorithm is replaced by one that is independent of its input, say one that always tags the fixed message 0, then for information-theoretic reasons you cannot find collisions on the hash input with the inputs used in earlier tag queries. So if the adversary finds such collisions in the real setting, but cannot find them in the setting where the tagging algorithm is replaced by the other oracle of the indistinguishability game, then we have a distinguisher for the indistinguishability property.

Here are the other two transformations; I do not want to say much about them. The first is a very simple observation that has been made before, I think in the context of IBE and other things: if you have a MAC with a small message domain that is only selectively secure, you also get standard security, losing a factor exponential in the size of the message domain, simply by guessing. Slightly more interesting is domain extension. We know that for a pseudorandom function there is a very simple way to do domain extension: you use a pairwise-independent hash function, or even just an almost universal hash function, a non-cryptographic hash function in particular, to hash the input down, and then apply the PRF. This does not work for MACs in general, because a MAC may leak something about its input, and if it leaks about the input, it leaks something about the hash function; and because the hash function is not cryptographic, you can find collisions once you have its description. But if we add the requirement that the MAC is indistinguishable, this captures exactly what is needed to make the domain extension work, even with a pairwise-independent hash function, as sketched below.
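A minimal generic sketch of this hash-then-MAC domain extension. The helpers hash_keygen and hash_eval stand for sampling and evaluating a function from an (almost) universal family, for instance a polynomial evaluation hash; they and all other names are my own, not from the talk.

```python
def extend_domain(keygen, tag, verify, hash_keygen, hash_eval):
    """Hash-then-MAC domain extension: Tag'(m) = Tag(h(m)).
    The hash key is kept as part of the secret key; as discussed above,
    this is only sound when the underlying MAC is also IND-CMA."""
    def keygen2():
        return (keygen(), hash_keygen())

    def tag2(key2, m: bytes):
        k, hk = key2
        return tag(k, hash_eval(hk, m))      # tag the hashed-down message

    def verify2(key2, m: bytes, t) -> bool:
        k, hk = key2
        return verify(k, hash_eval(hk, m), t)

    return keygen2, tag2, verify2
```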
OK, that's all I want to tell you about the transformations. For the last few minutes of my talk, let me say a few words about the constructions that we have. I will show you two constructions: one from key-homomorphic weak PRFs, and the other from signature schemes. So what is a key-homomorphic PRF? Here is the definition. It is a keyed family of functions which, for one thing, is a weak PRF: for a random key, the function is indistinguishable from a random function if queried on random inputs. So it is a relaxation; it is not a PRF, because a PRF would be indistinguishable on chosen inputs, whereas this only looks random on random inputs, that is, if you get random input-output pairs. And moreover, it is key homomorphic; that is this property here, written with additive notation for the keys and multiplicative notation for the group. Look at it for a second, I will not read it out. Roughly, if you shift the key by some element a, you can compute the corresponding output from a and the output under the original key k, and so on. Maybe the more intuitive way to think about it is this very simple function: if you have a group G where the DDH assumption holds, then the following is a key-homomorphic weak PRF. The key is simply a random exponent k, and the function takes the group element x to x^k. This has all the homomorphic properties, here written multiplicatively, that you would like, and you can actually prove that it is a weak PRF under the DDH assumption. Extremely simple construction.

So how do we get a MAC from such key-homomorphic weak PRFs? Here is the construction. We sample two keys from the key-homomorphic weak PRF. To compute the tag on a message m, we sample a random element x in the domain of the function and output x together with the function evaluated at x under the key k2 plus m times k1, and verification is canonical. This is the instantiation you get with the DDH-based weak PRF I showed you a few seconds ago, and the theorem we have states the following: if F is a key-homomorphic weak PRF, then this MAC is secure, but secure in a very weak sense, only selectively unforgeable under chosen message attacks with no verification queries. But then you throw our generic transformations on top of that, and you get a full-blown MAC.
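Here is a minimal sketch of the DDH instantiation of this MAC. The group parameters are deliberately tiny toy values for illustration (nowhere near secure sizes), messages live in Z_Q, and all names are my own; per the theorem this only gives selective uf-CMA security, with the generic transformations layered on top for the full notion.

```python
import secrets

# Toy group parameters (illustration only): p = 2q + 1 is a safe prime and we
# work in the order-q subgroup of quadratic residues mod p, generated by g = 4.
P, Q, G = 2039, 1019, 4

def keygen():
    # Two random exponents, i.e. two keys of the key-homomorphic
    # weak PRF F_k(x) = x^k.
    return (secrets.randbelow(Q), secrets.randbelow(Q))

def tag(key, m: int):
    k1, k2 = key
    x = pow(G, secrets.randbelow(Q), P)       # a fresh random group element
    sigma = pow(x, (k2 + m * k1) % Q, P)      # F_{k2 + m*k1}(x) = x^(k2 + m*k1)
    return (x, sigma)

def verify(key, m: int, t) -> bool:
    k1, k2 = key
    x, sigma = t
    return sigma == pow(x, (k2 + m * k1) % Q, P)   # canonical verification

# Usage: messages are integers modulo Q.
k = keygen()
t = tag(k, 42)
assert verify(k, 42, t)
```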
So let me come to the last construction, which is based on signatures. Now you could say a signature scheme immediately gives you a MAC: just declare the symmetric secret key to be the public-key/secret-key pair and don't publish anything, and of course you have a MAC this way. But this may be overkill, because a signature scheme used as a MAC still has the public verifiability property: everyone who has the public key can verify a signature, and we don't need that anymore. So the idea is to take signature schemes that are out there and downgrade them, and by downgrading perhaps make them much more efficient; even if the downgrade loses public verifiability, we don't care, we just want a MAC. Here is the construction we get when we apply this idea to Boneh-Boyen signatures. The original Boneh-Boyen signatures live in bilinear groups, but you can downgrade them to plain prime-order groups, simplifying everything one step down. What happens is that suddenly we can't verify publicly anymore, but we don't care, and we get this MAC here. And here is the theorem: this MAC can be proven secure, again only selectively unforgeable under chosen message attacks with no verification queries, under the gap-CDH assumption, that is, assuming CDH is hard in the underlying group even in the presence of a DDH oracle. Maybe you would now like a security proof under the standard CDH assumption. This is possible: we can go from gap-CDH to CDH using the twinning technique of Cash et al. from Eurocrypt '08. This is the scheme you get; instead of roughly three elements the tag has five, because we twin two of the elements, and this scheme is secure under the standard CDH assumption. And in case you weren't here last year, this is the MAC based on LPN; I won't say anything more about it. Thanks for your attention, and I'm happy to take any questions.