Hi, I am Avijit Dutta, a postdoctoral researcher at the Institute for Advancing Intelligence, TCG CREST, Kolkata. Today I am here to present our work, Release of Unverified Plaintext: Tight Unified Model and Application to ANYDAE. It is joint work with Donghoon, Nilanjan, Bart, Mridul, Somitra and Ferdinand.

The outline of the talk is as follows. We will begin with the definition of AE and its security notions. Then we will talk about release-of-unverified-plaintext (RUP) security. After that I will explain the INT-RUP attack on SUNDAE, then the INT-RUP secure variant of SUNDAE which we call MONDAE, then a generic INT-RUP secure design which we call ANYDAE, and finally its optimal instantiation, which we call TuesDAE.

In any symmetric cryptographic scheme we basically look for two things: data privacy and data integrity. Data privacy is ensured by a secure encryption scheme and data integrity by a MAC scheme. If we want to ensure both simultaneously, an AE scheme provides the two together: an authenticated encryption scheme provides data privacy as well as data integrity.

Broadly, there are two types of authenticated encryption scheme: stateful and stateless. In a stateful AE we generally use a nonce, or a random or arbitrary IV, as the state of the algorithm, and a stateful authenticated encryption algorithm is a pair of algorithms, encryption and decryption. The encryption algorithm takes a message M, associated data A and some kind of state, which we call a nonce and denote N, and produces the ciphertext C, which is transmitted to the receiving end.
At the receiving end, upon receiving the ciphertext C, the receiver decrypts it using a decryption algorithm which again takes the associated data A, the received ciphertext C and the same state N, and produces either a message or some garbage. For a stateless authenticated encryption scheme we do not require any state or nonce.

As you can see from this slide, this is communicated between two parties, but in between there is a malicious adversary who can listen to the traffic in the network, and this adversary can potentially change the ciphertext to some new ciphertext.

So when do we call an authenticated encryption scheme secure? There are two requirements, or two security notions, for an authenticated encryption scheme. One is the privacy requirement, in other words the IND-CPA requirement. In the IND-CPA game the adversary is given access to an oracle, either in the real world or in the ideal world. In the real world the adversary is given access to the actual encryption function, and in the ideal world to a random function. The adversary does not know which oracle it is interacting with. It can make queries to the oracle and gets back the corresponding responses. After making a finite number of queries, the adversary has to tell whether it has interacted with the encryption function, the oracle of the real world, or with the random function, the oracle of the ideal world.
If the adversary cannot distinguish between these two scenarios, then we say the authenticated encryption scheme is secure: for a secure authenticated encryption scheme this distinguishing advantage should be negligible.

The other requirement for a secure authenticated encryption scheme is the integrity requirement, in other words INT-CTXT. In the INT-CTXT game the adversary is given access to the encryption and the decryption oracle and can make queries to both. After making a finite number of queries the adversary has to produce a non-trivial triplet, namely a nonce, associated data A* and a ciphertext C*, such that the tuple is valid in the sense that upon decryption it gives a valid message M*. If the adversary cannot produce such a non-trivial tuple, then we say the authenticated encryption scheme is secure: for a secure authenticated encryption scheme this forging advantage should be negligible. In summary, an authenticated encryption scheme is secure in the conventional sense if it achieves both IND-CPA security and INT-CTXT security.

Now, you might have noticed that in a conventional authenticated encryption scheme, when the ciphertext reaches the decryption end, decryption produces the plaintext, and the whole plaintext needs to be stored in some buffer so that it can be verified. So for a valid decryption the entire plaintext needs to be stored at the decryption end, but this is sometimes not possible when you are dealing with resource-constrained devices.
In that scenario you are not given access to much storage space, so you might have to release plaintext blocks before you can store the entire plaintext. In a conventional AE scheme the plaintext blocks can be released only after successful verification at the receiver's end, but the buffer size at the receiving end might be limited, so it might not be able to hold the entire plaintext at once; in that case the receiver might have to release plaintext before verification, and that situation might give rise to an attack on the authenticated encryption scheme. For example, in this slide Alice sends five blocks of ciphertext to the receiver Bob, but Bob only has storage for three blocks at a time. So Bob has to release some plaintext blocks before the entire verification is done.

In that situation we need a different security model for authenticated encryption, which we call the RUP security model, or release of unverified plaintext security model. In this model the encryption algorithm remains as it is, but the decryption algorithm is split into two parts: the core decryption algorithm, which takes the nonce, the associated data and the ciphertext C and produces some message M, and the verification algorithm, which takes the nonce, the associated data and the ciphertext and returns either accept or reject; accordingly the decryption algorithm outputs whether it accepts the ciphertext or not.

This RUP security model was formalized by Andreeva et al. at Asiacrypt 2014, and that paper introduces two kinds of security notion: the PA1 and PA2 notions, and the INT-RUP notion.
In the PA1 notion the adversary is given access to a pair of oracles, either in the real world or in the ideal world. The real world consists of the encryption and the decryption algorithm, and the ideal world of the encryption algorithm and a simulator. The simulator is basically a probabilistic polynomial-time algorithm whose main task is to simulate the decryption behaviour of the real world. In the PA1 notion the simulator has additional access to the encryption history. What is the encryption history? When the adversary makes queries to the encryption oracle of the ideal world, that query-response pattern is accessible to the simulator; that is, the simulator gets to see the queries and responses of the adversary while it interacts with the encryption algorithm of the ideal world. In the PA2 notion the simulator does not have access to the encryption history. From this you can probably see that the PA2 notion is a stronger notion than PA1.

We say that an authenticated encryption scheme is RUP secure, or release-of-unverified-plaintext secure, if it achieves IND-CPA security, PA1 security and INT-RUP security.

Following this work there have been different variants of the RUP security model. Hoang et al. introduced the robust authenticated encryption notion at Eurocrypt 2015. It covers the nonce-misuse notion and bridges the gap between authenticated encryption and SPRP security through a ciphertext-expansion parameter; the AEZ algorithm follows the robust authenticated encryption notion. In the same paper they also introduced the PA2 notion.
In fact they consider a variant of robust authenticated encryption in which decryption leakage is allowed, and a simulator simulates the decryption leakage without having access to the query history. Note that this is a stronger model than PA1, where the simulator sees the communication between the adversary and the encryption oracle.

At IMACC 2015 Barwell et al. proposed the subtle authenticated encryption notion, which is basically a refinement of the robust authenticated encryption notion for nonce-based AE. It covers several types of security definition by varying the choice of decryption oracle in the ideal world.

At Crypto 2017 Ashur et al. introduced the RUPAE notion, RUP authenticated encryption. It basically focuses on nonce-based AE, and it says that an authenticated encryption scheme is RUPAE secure if it is PA1 secure as well as INT-RUP secure, with the ideal-world decryption being a random function.

It is well known that encode-then-SPRP achieves robust authenticated encryption and RUPAE security. But such a construction is two-pass in both the encryption and the decryption algorithm, and these security notions hold for nonce-based AE: when the nonce is misused, the security is void. So this requires a security model in the RUP scenario which allows two things: nonce misuse, and a single-pass decryption feature.

To this end we have proposed our security notion, which we call the AERUP security notion. In this notion the adversary is given access to a triplet of oracles, in either the real world or the ideal world. The real world consists of a triplet of algorithms: the encryption algorithm, the decryption algorithm and the verification algorithm.
The ideal counterparts of these algorithms are a random function, denoted $, the simulator S, and the reject oracle. We have shown that if a scheme is AE secure in the conventional sense, as well as PA1 secure and INT-RUP secure, then that scheme is AERUP secure. These security notions are equivalent because it is bidirectional: if you can prove that a scheme is AERUP secure, that means the scheme gives you AE security, PA1 security, as well as INT-RUP security.

Now, at FSE 2019 Banik et al. proposed a deterministic authenticated encryption scheme which they call SUNDAE. It is basically a MAC-then-encrypt scheme, where the MAC part is a CBC-type algorithm and the encryption part is designed using the OFB mode. It is a deterministic authenticated encryption scheme and makes a total of a + 2m + 1 block cipher calls, where a is the number of associated data blocks and m the number of message blocks. It is one of the authenticated encryption candidates in the recent NIST lightweight cryptography competition. This scheme is particularly efficient for processing short messages, and its state size is as small as the block size: it is a block cipher based authenticated encryption scheme and its state size is essentially the state size of the block cipher, which is n bits. It offers good implementation characteristics on both lightweight and high-performance platforms.

But the bad news is that the scheme is not RUP secure. I mean, you cannot use this scheme if you are dealing with a small amount of storage space at the decryption end. It is not RUP secure and we have shown an INT-RUP attack on this scheme. What is the attack? The adversary first makes a decryption query with empty associated data.
The tag is T1, where T1 is 110^{n-2}, together with an arbitrary ciphertext block C11, and it obtains M11. How does this decryption query help the adversary gain any knowledge? By making this decryption query, the adversary learns the encryption output of 110^{n-2}, which is nothing but the sum (XOR) of the message block and the ciphertext block, M11 ⊕ C11.

Now the adversary makes another decryption query, again with empty associated data, with a tag T2 and an arbitrary ciphertext block C21, where T2 is set to the sum of the first message block, the first ciphertext block and the first associated data block A1, that is, M11 ⊕ C11 ⊕ A1. It obtains some message block M21. Using this query the adversary learns the second output of the block cipher, which is nothing but E_K(E_K(110^{n-2}) ⊕ A1): the encryption of 110^{n-2} followed by another encryption layer. This is nothing but M21 ⊕ C21, the current message block plus the ciphertext block.

The adversary makes another decryption query, again with empty associated data, with a new tag T3 and an arbitrary ciphertext block C31, but now the tag T3 is set analogously to T2 with a new associated data block A'1 in place of A1, that is, M11 ⊕ C11 ⊕ A'1, and it obtains a new plaintext block M31. By this the adversary again learns the output at the same point, but now with a different associated data block.
Now the adversary makes an encryption query where the first associated data block is set to A'1 and the second associated data block to A2 ⊕ δ, where δ = M21 ⊕ C21 ⊕ M31 ⊕ C31, followed by some arbitrary associated data blocks, and some message M; it obtains ciphertext blocks and a tag T. Now the adversary forges with the associated data A, the tag T obtained as a result of the encryption query, and the ciphertext C. This shows that SUNDAE is not an INT-RUP secure authenticated encryption scheme.

Now we will show that if we make a slight change to the construction of SUNDAE, we get an INT-RUP secure variant, which we call MONDAE. Let us first investigate the reason an INT-RUP attack can be mounted on SUNDAE. The main reason is that the adversary can learn the encryption output of the tag for any value of the tag, which the adversary can choose by himself or herself. So the question is: can we make a small change to the construction and make it RUP secure? One possible answer is to just invoke another block cipher before the encryption starts, but that costs one extra block cipher call. Instead, what we have done is introduce a fix1 function. What is the fix1 function? It takes an n-bit value, chops off the last bit of that n-bit value and appends the bit 1. If we introduce the fix1 function before T goes to the next block cipher in the encryption phase, then we get a RUP secure design, which we call MONDAE.
The construction of MONDAE is exactly the same as the SUNDAE construction, except that there is a fix1 function in between the tag generation and the encryption phase.

Apart from this, we have also observed that we can generalize this design. We have come up with a new generic RUP secure design which we call ANYDAE. Here we need a format function which takes the associated data and the message and produces a sequence of blocks, where a block is an n-bit binary string: B1, δ1, up to B_{l-1}, δ_{l-1}. It produces l many blocks, and δ1 to δ_{l-1} are n-bit strings. We need a function ρ1 which takes a block B_i and a value δ_i and gives an n-bit value, and two other functions ρ2 and ρ3, which are n-bit to n-bit functions. Now we need certain assumptions on the format function and on ρ1, ρ2 and ρ3 to make the scheme secure. Is ANYDAE secure for any choice of format, ρ1, ρ2 and ρ3? Certainly not; we need some assumptions on these functions.

Let F1 be the set of first-block outputs of the format function. Suppose the format function is injective and prefix-free, ρ1 is ε1-differential uniform and γ1-regular, ρ2 is γ2-regular and ρ3 is γ3-regular, F1 is disjoint from the range of ρ2, and the cardinality of F1 intersected with the range of ρ3 is ω. Then the AERUP advantage of ANYDAE can be bounded by σ²/2^n + ω·σ·γ3 + q_d/2^n, where q_d is the number of decryption queries.

Let me now clarify what differential uniform and regular functions are.
As you can see, ρ1 takes two n-bit strings. Take any δ and δ' and any y, and consider the probability, over a random choice of B, that ρ1(B, δ) ⊕ ρ1(B, δ') = y. If this probability is negligible, we say ρ1 is ε1-differential uniform. And what is a regular function? We say ρ1 is regular if, for any choice of δ and any y, the probability over a random choice of B that ρ1(B, δ) = y is negligible. This definition is more or less similar to the AXU probability of a hash function or the regular probability of a hash function, but there the probability was defined over the randomness of the underlying key space K. Here ρ1 is a deterministic function, and we calculate the probability over the randomness of the block B. That is the security result on the advantage of ANYDAE.

Now it is pretty clear that our scheme MONDAE is an instantiation of ANYDAE where ρ2 is the fix1 function. We have also proposed another concrete authenticated encryption scheme which is RUP secure, which we call TuesDAE. It is an n-bit state deterministic authenticated encryption scheme and is basically an optimal instantiation of ANYDAE. We have shown that MONDAE and TuesDAE are INT-RUP secure. But TuesDAE, unlike MONDAE, makes an optimal number of block cipher calls, and this optimality comes at the cost of some additional multiplexers, which could slightly increase the hardware area.
In the design of TuesDAE we essentially consider many cases, and depending on the case there are different choices, which introduces multiplexers when you implement it in hardware, and that may increase the hardware area. That is it. If you have any further queries you can drop a mail to any one of us and we will try to answer. Thank you.
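Editorial example added after the talk (this is not code from the talk, nor from the SUNDAE or ANYDAE authors). The script implements a simplified SUNDAE-style deterministic AE over a toy 128-bit Feistel permutation, exposes the RUP decryption oracle (plaintext released without tag verification), and runs the three-decryption-query INT-RUP forgery the talk describes; it then repeats the same queries against the MONDAE variant, where fix1 sits between the tag and the OFB phase, so the first query no longer yields E_K(110^{n-2}) and the forgery fails. Assumptions that are the example's own and not from the talk: the toy block cipher, full n-bit blocks only (no padding), doubling in GF(2^128) as the domain separation on the final block of the AD and of the message, and all function and variable names.

```python
"""INT-RUP attack on a SUNDAE-style DAE, and the MONDAE fix1 tweak that stops it.
Editorial example: the toy cipher and the simplified SUNDAE structure are assumptions."""
import hashlib
import os

N = 16  # block size in bytes (n = 128 bits)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def double(x: bytes) -> bytes:
    """Multiply by 2 in GF(2^128) (reduction polynomial x^128 + x^7 + x^2 + x + 1)."""
    v = int.from_bytes(x, "big") << 1
    if v >> 128:
        v ^= (1 << 128) | 0x87
    return v.to_bytes(N, "big")


def block_cipher(key: bytes, x: bytes) -> bytes:
    """Toy keyed permutation (8-round Feistel, SHA-256 round function).
    Any PRP would do: the attack uses only the scheme's structure, not the cipher's."""
    l, r = x[:8], x[8:]
    for i in range(8):
        l, r = r, xor(l, hashlib.sha256(key + bytes([i]) + r).digest()[:8])
    return l + r


def fix1(t: bytes) -> bytes:
    """MONDAE's fix1: force the last bit of the tag to 1 before the OFB phase.
    Every initial MAC block is b1 b2 0^{n-2}, i.e. ends in 0, so the OFB input
    can never coincide with an initial block."""
    return t[:-1] + bytes([t[-1] | 1])


def identity(t: bytes) -> bytes:
    return t  # SUNDAE: the tag goes straight into the OFB phase


def mac(key, ad, msg):
    """CBC-style MAC: E_K(b1 b2 0^{n-2}), then AD blocks, then message blocks;
    the last block of each part is doubled for domain separation (full blocks only)."""
    b1, b2 = int(bool(ad)), int(bool(msg))
    v = block_cipher(key, bytes([(b1 << 7) | (b2 << 6)]) + bytes(N - 1))
    for part in (ad, msg):
        for i, blk in enumerate(part):
            x = xor(v, blk)
            v = block_cipher(key, double(x) if i == len(part) - 1 else x)
    return v


def encrypt(key, ad, msg, rho2=identity):
    """MAC-then-encrypt: tag T = MAC(A, M); OFB keystream seeded with rho2(T)."""
    t = mac(key, ad, msg)
    ks, ct = rho2(t), []
    for m in msg:
        ks = block_cipher(key, ks)
        ct.append(xor(m, ks))
    return ct, t


def rup_decrypt(key, tag, ct, rho2=identity):
    """RUP decryption oracle: releases the OFB plaintext without verifying the tag."""
    ks, msg = rho2(tag), []
    for c in ct:
        ks = block_cipher(key, ks)
        msg.append(xor(c, ks))
    return msg


def verify(key, ad, ct, tag, rho2=identity):
    return mac(key, ad, rup_decrypt(key, tag, ct, rho2)) == tag


def honest_roundtrip(key, rho2=identity):
    ad, msg = [os.urandom(N), os.urandom(N)], [os.urandom(N), os.urandom(N)]
    ct, tag = encrypt(key, ad, msg, rho2)
    return rup_decrypt(key, tag, ct, rho2) == msg and verify(key, ad, ct, tag, rho2)


def int_rup_attack(key, rho2=identity):
    """The talk's INT-RUP attack: three decryption queries with empty AD, one encryption
    query, then a forgery. Returns (forged AD, ciphertext, tag, whether it verifies)."""
    c = os.urandom(N)                     # arbitrary ciphertext block reused in all queries
    t1 = bytes([0xC0]) + bytes(N - 1)     # T1 = 1 1 0^{n-2}: initial block for non-empty A and M
    x = xor(rup_decrypt(key, t1, [c], rho2)[0], c)            # M11 xor C11 = E_K(T1) under SUNDAE
    a1, a1p, a2, a3 = (os.urandom(N) for _ in range(4))
    v = xor(rup_decrypt(key, xor(x, a1), [c], rho2)[0], c)    # M21 xor C21 = E_K(E_K(T1) xor A1)
    vp = xor(rup_decrypt(key, xor(x, a1p), [c], rho2)[0], c)  # M31 xor C31 = E_K(E_K(T1) xor A1')
    delta = xor(v, vp)
    # Encryption query on AD' = (A1', A2 xor delta, A3): after block 2 its MAC state
    # equals that of AD = (A1, A2, A3), so tag and keystream carry over to the forgery.
    ct, tag = encrypt(key, [a1p, xor(a2, delta), a3], [os.urandom(N), os.urandom(N)], rho2)
    forged_ad = [a1, a2, a3]
    return forged_ad, ct, tag, verify(key, forged_ad, ct, tag, rho2)


if __name__ == "__main__":
    k = os.urandom(N)
    print("SUNDAE forgery verifies:", int_rup_attack(k)[3])        # True
    print("MONDAE forgery verifies:", int_rup_attack(k, fix1)[3])  # False
```

The third AD block is there so that A2 is not the final (doubled) block; with that, the compensation δ is independent of how the last-block domain separation is applied. Under MONDAE the three decryption queries only ever reveal E_K of values whose last bit is 1, which never matches a valid initial block, so the chain the attack needs cannot be started.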