Thank you for the introduction. So, block ciphers are a building block for many cryptographic constructions such as hash functions, encryption schemes, MACs, and so on. A block cipher takes as input a key k and another input x and outputs, say, an n-bit output y. Block ciphers are keyed permutations: for each key k, the block cipher induces a permutation. Throughout this talk I will be considering n-bit keys and n-bit inputs and outputs. There are two popular approaches to designing block ciphers. One is the Feistel network; the other, which is the focus of this talk, is key-alternating ciphers. AES, the current block cipher standard, is a key-alternating cipher. Key-alternating ciphers consist of repeated applications of public round permutations, and I will discuss them in more detail in a bit. So, consider the five-round key-alternating cipher that is shown. It is an iterated structure that takes in a master key k, from which we derive round keys k_0 through k_5 as shown in the figure. On an input x we XOR each of these round keys in a particular round and then apply a round permutation that takes an n-bit input and produces an n-bit output. More specifically, for an input x, compute x_1 as x XOR k_0, where k_0 is the 0th round key; then in the first round we compute the output of the round, x_2, as p_1(x_1) XOR k_1, and so on up to round 5, and the output of this 5-round key-alternating cipher is x_6, the output of the 5th round. In this talk we will consider key-alternating ciphers with a trivial key schedule, that is, all the round keys are identical, just k, and we will also consider the round permutations p_1 through p_r to be independent uniform random permutations.
In particular, this is known as the iterated Even-Mansour construction with trivial key schedule, because you can think of it as just an r-round version of the Even-Mansour cipher, which is shown here, with a trivial key schedule. The security of block ciphers is traditionally considered under the notion of indistinguishability. In indistinguishability, in the ideal world the distinguisher D interacts with a random permutation P, to which it can make both forward and backward queries, although I do not depict that explicitly in the picture. In the real world the distinguisher D interacts with the block cipher keyed with a fixed key k that is chosen uniformly from its key space. The security of the IEM, the iterated Even-Mansour construction, can also be studied under indistinguishability. Again, here the distinguisher D in the ideal world interacts with a random permutation P, and in the real world it interacts with the iterated Even-Mansour construction under a fixed key k. Since the round permutations of the iterated Even-Mansour construction are public, we also give the distinguisher D access to these public round permutations, denoted p_1 through p_r. However, one can consider the security of block ciphers under a stronger notion, called indifferentiability, proposed by Maurer, Renner and Holenstein. In this notion one asks whether an r-round block cipher behaves as an ideal cipher under appropriate assumptions on the underlying primitives. So, what is an ideal cipher? An ideal cipher is a block cipher such that for each key k, the block cipher under key k induces a uniform random permutation. This is an idealized notion of a block cipher. And why is this useful? Block ciphers can be used in constructions where the distinguisher has access to the key k. For example, imagine a block-cipher-based hash function; here the distinguisher can actually influence the choice of the key k.
So, for such notions it is useful to consider whether a block cipher can behave as an ideal cipher under appropriate assumptions. Let us look at the definition of indifferentiability, particularly in the context of the iterated Even-Mansour construction. In the rest of the talk, when I say IEM I mean the iterated Even-Mansour construction with the trivial key schedule, that is, all the round keys are identical. In indifferentiability, in the real world the distinguisher D interacts with the iterated Even-Mansour construction, the IEM, and the round permutations p_1 through p_r, which I will collectively denote by P. In the ideal world the distinguisher D interacts with an ideal cipher and an algorithm S, known as a simulator, that simulates these round permutations with access to the ideal cipher. If the distinguisher D cannot tell with high probability which world it is in, whether the real world or the ideal world, then we say that the IEM construction is indifferentiable from an ideal cipher. It is important to note that in order to show this we need to exhibit an efficient simulator S. So, the IEM construction is indifferentiable from an ideal cipher IC if an efficient simulator S exists such that no efficient distinguisher can distinguish between real and ideal with high probability. Note here that the distinguisher D is information-theoretic; in particular this means that it is computationally unbounded, but we restrict the number of queries the distinguisher D can make to its oracles. I would also like to emphasize that the distinguisher D can make both forward and inverse queries to its oracles, to the ideal cipher and to the round permutations. Before I describe how the five-round iterated Even-Mansour cipher is indifferentiable from an ideal cipher, let me mention prior work.
It is known that 12 rounds of the iterated Even-Mansour construction with trivial key schedule are sufficient to build an ideal cipher; this was work by Lampe and Seurin. They also showed that 3 rounds are insufficient in that setting. In this work we show that five rounds are necessary and sufficient. To do this, we give a proof of indifferentiability for the five-round iterated Even-Mansour construction, and we show an attack on the four-round construction. In this talk I will not be able to get into the details of the attack, but I would like to mention that our attack differs from previous attacks in that the oracles are not accessed in sequence. The indifferentiability of IEM has also been considered in another setting, in particular the idealized key derivation setting. What we mean here is that the round keys are derived through a cryptographic primitive which is modeled as an ideal primitive, hence the name idealized key derivation. In that setting it is known that 5 rounds are sufficient to build an ideal cipher from the IEM construction; this was work by Andreeva, Bogdanov, Dodis, Mennink and Steinberger. And in recent work by Guo and Lin it is shown that 3 rounds are in fact necessary and sufficient to build an ideal cipher from the IEM construction with idealized key derivation. So, let us look at the proof of indifferentiability for the five-round IEM construction with trivial key schedule. Recall that there is a distinguisher D that in the ideal world interacts with the ideal cipher IC and an algorithm S that simulates the round permutations with access to the IC, and in the real world D interacts with the IEM construction with the trivial key schedule and the underlying round permutations.
In order to show indifferentiability of the five-round IEM from an ideal cipher, it is sufficient to exhibit an efficient simulator S such that no distinguisher D that is computationally unbounded, but can make only a limited number of queries to its oracles, can distinguish between the real and ideal worlds with high probability. To see how to build a simulator S for such a setting, let us start with a naive simulator strategy. The role of the simulator is to simulate these round permutations. So, consider a naive simulator that, on a query p_i(x_i), meaning that the i-th round permutation p_i is queried on an n-bit input x_i, just returns a uniform n-bit value as its output. That is depicted in this picture: the distinguisher D queries the simulator S on p_i(x_i); the simulator chooses a uniform n-bit value and returns that as p_i(x_i). Let us consider a distinguisher strategy against this naive simulator. What the simulator is doing is just returning a uniform n-bit value on queries it has not seen before. Again, in the real world the distinguisher D interacts with the IEM and the underlying round permutations, and in the ideal world it interacts with the ideal cipher and this naive simulator S that is simulating the round permutations. However, all the distinguisher D can see is that it is interacting with a green box and a blue box; it does not actually know whether the green box and the blue box are the IEM and the round permutations, or the ideal cipher and this naive simulator. So, consider the following distinguishing strategy. The distinguisher D picks an arbitrary n-bit key k and an arbitrary input x, queries the green box on (k, x) and obtains some output y. Then what the distinguisher D does is essentially run the iterated Even-Mansour construction's computation on (k, x) using the outputs provided by the blue box.
In particular, the distinguisher D first computes x_1 as x XOR k; then for i = 1 to 5 it queries the blue box on p_i(x_i), obtains some output p_i(x_i), and computes the IEM's i-th round output using the equation shown here, x_{i+1} = p_i(x_i) XOR k, and so on through the 5 rounds. Then the distinguisher checks whether the x_6 it obtained by performing the IEM computation using the blue box matches the output y of the green box, that is, it checks whether x_6 = y. In the real world, when the distinguisher D is interacting with the IEM construction and its underlying round permutations, this is going to match exactly, because that is precisely how the IEM construction proceeds with its computation. However, in the ideal world, when the distinguisher D is interacting with the ideal cipher and this naive simulator that just returns uniform n-bit outputs on its queries, the equation is not going to hold with high probability. So this is a distinguishing attack against the naive simulator. What can the simulator do to defeat this particular distinguishing strategy? The simulator can try to make the x_6 that the distinguisher D obtains by performing the IEM computation on (k, x) match the ideal cipher's output on (k, x). How can the simulator do that? Notice that the simulator has access to the ideal cipher IC in this setting. So the simulator can query the ideal cipher IC on this input (k, x), learn the output y that the ideal cipher would have returned, and then somehow choose the round permutation outputs it returns to the distinguisher such that the calculation performed by the distinguisher leads to x_6 being equal to y. However, note that the simulator does not know what (k, x) is.
In particular, the simulator does not get to see the interactions between the distinguisher and the ideal cipher. So, how can the simulator learn (k, x)? If the simulator can learn (k, x), then as I mentioned it can query the ideal cipher, obtain y, and choose its round permutation outputs such that the distinguishing strategy no longer works. So, how can the simulator learn (k, x)? To see how, let us unpack the distinguishing strategy step by step. The distinguisher first picked an arbitrary key k and input x, queried IC on (k, x) and obtained y; then it computed x_1 = x XOR k and queried the simulator on p_1(x_1). The bubble on the left just indicates that the simulator notes that it has been queried on p_1(x_1). It still picks a uniform n-bit value y_1, assigns p_1(x_1) = y_1 and returns that to the distinguisher. The distinguisher then computes x_2 as p_1(x_1) XOR k and queries the simulator on p_2(x_2). The simulator again sees that it has been queried on the round permutation p_2 on input x_2, again chooses a uniform n-bit value y_2 as its output, assigns p_2(x_2) = y_2 and returns that to the distinguisher. Then the distinguisher computes x_3 as p_2(x_2) XOR k and queries the simulator on p_3(x_3). At this point, say the simulator stops: it does not immediately pick a uniform n-bit value, and instead checks whether x_1, x_2 and x_3 can be intermediate values of an IEM computation, that is, round inputs of the IEM construction. The simulator can do that by checking whether y_1 XOR x_2, where y_1 = p_1(x_1), equals y_2 XOR x_3, where y_2 = p_2(x_2). This holds exactly, because it follows from the round equation: both values equal the key k that the distinguisher D used to compute the output of the i-th round.
In this manner the simulator can check whether x_1 through x_3 are intermediate values of an IEM computation. This part of the process is known as partial chain detection. Now that the simulator has detected this partial chain comprising x_1 through x_3, what it can do is compute what this k is. The simulator can set k to be p_1(x_1) XOR x_2; notice that the simulator knows all these values, either because it has been queried on them or because it actually set them. Having set k to this value, it then sets x to be x_1 XOR k. Now the simulator has actually learnt the (k, x) the distinguisher used. So what the simulator can now do is take the chain starting at x with key k, query the ideal cipher on (k, x) as I mentioned, learn y, and somehow choose the round permutation outputs p_i(x_i) such that the distinguisher's computation of the IEM on (k, x) matches the ideal cipher's output on (k, x). Let me briefly mention how the simulator can choose these p_i(x_i) such that the equation holds. Again, at this point the distinguisher D has queried the simulator on p_3(x_3), and the simulator has not yet returned the value of p_3(x_3). Say the simulator still chooses a uniform n-bit value y_3 as its output, but does not return it to the distinguisher. Instead it holds it internally, performs the IEM computation to compute x_4, and stops there. Now it sets x_6 = y on its own, computes y_5 = x_6 XOR k just by rearranging the round equation, chooses a uniform n-bit value x_5 as its output for p_5^{-1}(y_5), and stops again at that point. Notice that at this point every value in the chain at p_1, p_2, p_3 and p_5 has been set, apart from p_4. What the simulator can do now is adapt the value of p_4 on input x_4 so that it equals x_5 XOR k, so that it respects the IEM equation the distinguisher would use.
This process is known as preemptive completion: the simulator is preemptively completing the chain so that it can answer the distinguisher's queries in such a way that the distinguisher's IEM computation using the simulator will match the ideal cipher's output on (k, x). So what the simulator should do is detect the chain starting at x with key k and preemptively complete the chain such that x_6 = y. This high-level strategy against that particular distinguishing strategy is in fact the high-level strategy against an arbitrary distinguisher: perform partial chain detection and preemptive completion. Note that the simulator I showed worked against that particular distinguishing strategy, a distinguisher asking the queries x_1 through x_3 in sequence. However, an arbitrary distinguisher can interleave queries and ask whatever it wants. In order to work against an arbitrary distinguisher, the simulator detects all partial chains of length 3, that is, it detects paths comprising any 3 consecutive round permutations. For example, if the simulator is queried on p_3, it checks against all the p_2(x_2) values it has assigned and all the p_1(x_1) values it has assigned and sees whether those form a partial chain. However, if the simulator detects on every set of 3 consecutive round permutations, the simulator's efficiency is affected, and an important part of the indifferentiability proof is to show that the simulator is efficient; this is directly related to the number of partial chains detected. So, let us separate the sets of 3 into two parts: one known as the wraparound chains, which consists of rounds (4, 5, 1) and (5, 1, 2).
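As an added toy model (my code, not the talk's or the paper's), the following Python puts together three things from the talk: the 5-round IEM with trivial key schedule built on lazily sampled random permutations, the sequential distinguisher that recomputes the cipher through the round-permutation oracle and compares with the cipher oracle (which defeats the naive simulator), and a simulator that on a p_3 query performs partial chain detection over its assigned p_1 and p_2 points, recovers (k, x), queries the ideal cipher and preemptively completes the chain by adapting p_4. Assumptions: a 32-bit toy block size, forward queries only to the simulator, and detection only of (1, 2, 3) chains, so the wraparound chains (4, 5, 1) and (5, 1, 2) that the full simulator must also detect are not modelled.

```python
import secrets

N = 32   # toy block size n in bits (constructed; the talk keeps n symbolic)
R = 5    # number of rounds

class LazyPerm:
    """Uniform random permutation on N bits, sampled lazily; set() adapts one point."""
    def __init__(self):
        self.fwd, self.bwd = {}, {}
    def set(self, x, y):
        if x in self.fwd or y in self.bwd:   # bad event; the proof bounds its probability
            raise RuntimeError("adaptation collision")
        self.fwd[x], self.bwd[y] = y, x
    def __call__(self, x):                   # forward query p(x)
        if x not in self.fwd:
            y = secrets.randbelow(1 << N)
            while y in self.bwd:
                y = secrets.randbelow(1 << N)
            self.set(x, y)
        return self.fwd[x]
    def inv(self, y):                        # inverse query p^{-1}(y)
        if y not in self.bwd:
            x = secrets.randbelow(1 << N)
            while x in self.fwd:
                x = secrets.randbelow(1 << N)
            self.set(x, y)
        return self.bwd[y]

def iem_encrypt(perms, k, x):
    """IEM with trivial key schedule: x_1 = x ^ k, x_{i+1} = p_i(x_i) ^ k, output x_{R+1}."""
    v = x ^ k
    for p in perms:
        v = p(v) ^ k
    return v

class IdealCipher:
    """An independent uniform random permutation for every key."""
    def __init__(self):
        self.perms = {}
    def enc(self, k, x):
        return self.perms.setdefault(k, LazyPerm())(x)

class ChainSimulator:
    """Simulator with IC access for the talk's sequential strategy: on a p_3 query it
    looks for a partial chain (x_1, x_2, x_3) among assigned p_1/p_2 points, recovers
    k and x, queries the IC and preemptively completes the chain by adapting p_4.
    Forward queries only; wraparound chains (4,5,1), (5,1,2) are not handled here."""
    def __init__(self, ic):
        self.ic = ic
        self.p = [LazyPerm() for _ in range(R)]   # self.p[i-1] is p_i
    def query(self, i, x):
        if i == 3:
            self.detect_and_complete(x)
        return self.p[i - 1](x)
    def detect_and_complete(self, x3):
        p1, p2, p3, p4, p5 = self.p
        for x2, y2 in list(p2.fwd.items()):
            k = y2 ^ x3                  # candidate key p_2(x_2) ^ x_3
            x1 = p1.bwd.get(x2 ^ k)      # chain iff some x_1 has p_1(x_1) ^ x_2 == k
            if x1 is None or x3 in p3.fwd:
                continue
            y = self.ic.enc(k, x1 ^ k)   # x = x_1 ^ k; learn the IC's answer y
            x4 = p3(x3) ^ k              # pick y_3 = p_3(x_3) now, hold it, step forward
            x5 = p5.inv(y ^ k)           # force x_6 = y: y_5 = y ^ k, x_5 = p_5^{-1}(y_5)
            p4.set(x4, x5 ^ k)           # adapt p_4 so that x_5 = p_4(x_4) ^ k

def sequential_distinguisher(green, blue, k, x):
    """Recompute the IEM on (k, x) through the blue box and compare with the green box."""
    y = green(k, x)
    v = x ^ k
    for i in range(1, R + 1):
        v = blue(i, v) ^ k
    return v == y

def real_world():
    perms = [LazyPerm() for _ in range(R)]
    return (lambda k, x: iem_encrypt(perms, k, x)), (lambda i, v: perms[i - 1](v))

def ideal_world_naive():                 # simulator answers uniformly and ignores the IC
    ic, perms = IdealCipher(), [LazyPerm() for _ in range(R)]
    return ic.enc, (lambda i, v: perms[i - 1](v))

def ideal_world_chain():
    ic = IdealCipher()
    return ic.enc, ChainSimulator(ic).query

if __name__ == "__main__":
    for name, world in [("real", real_world), ("naive", ideal_world_naive), ("chain", ideal_world_chain)]:
        green, blue = world()
        print(name, "check passes:", sequential_distinguisher(green, blue, 0x1234, 0xABCD))
```

Running the script shows the check passing in the real world, failing against the naive simulator (except with probability about 2^-32), and passing again against the chain-detecting simulator; the same simulator instance also handles a second chain under a different key, since detection is performed over every assigned p_2 point.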
These are exactly the chains that wrap around the iterated Even-Mansour construction, and detecting such partial chains requires a query to the ideal cipher, whereas the partial chains that do not wrap around can be detected by the simulator on its own without querying the IC. So, how can we prove the efficiency of the simulator? Let me give a high-level overview of that proof. As I mentioned, the wraparound partial chains require an ideal cipher query. Such ideal cipher queries can in fact be charged to the distinguisher D; I will not go into how, but since the distinguisher D is limited in the number of queries it can make to the ideal cipher, we claim that at most q such chains can be detected using these two sets of 3 consecutive rounds. However, the inner partial chain detections do not require an IC query, so let us see how to bound those. These detections require the queries at rounds 1, 2 and 3 to be defined, and a query at a particular round can be defined only due to a direct distinguisher query, that is, the distinguisher explicitly querying say p_1, or due to preemptive completion by the simulator. The simulator does preemptive completion when it detects partial chains, and there are two categories of partial chain detection as I mentioned: wraparound chains and inner partial chains. So notice that a (1, 2, 3) partial chain can be detected either due to a wraparound partial chain or due to a (3, 4, 5) chain. At this point we have a bound on the number of D queries, just by the assumption that the distinguisher is limited in the number of queries it can make to its oracles, and we have a bound on the number of wraparound chains by the argument I mentioned earlier.
However, we do not have a bound on the (3, 4, 5) chains, and this seems circular, because in order to bound one inner partial chain detection we need to bound another inner partial chain detection. However, something comes to our aid, which is that all of the inner partial chains have round 3 in common. So instead of arguing about the entire set of 3 rounds in a particular partial chain detection, we can just argue about the number of queries that get defined in this particular round, round 3. Again, for a query at round 3 to be defined, it can be due either to a distinguisher query or to preemptive completion of a wraparound chain, and it cannot be due to an inner partial chain. Given that, we argue that a chain detected at (3, 4, 5) can be uniquely mapped either to a p_3 query, for which we have a bound, together with a distinguisher query, or to a pair of p_3 queries. Using this high-level idea we can bound the efficiency of the simulator. So let me conclude: we show that the 5-round iterated Even-Mansour construction with trivial key schedule is indifferentiable from an ideal cipher. To show that, we exhibit an efficient simulator S using the strategy just outlined, such that no efficient distinguisher making at most q queries can distinguish between real and ideal with probability exceeding q^12 / 2^n, where n is the input/output size of the round permutations. Thank you.