Hello, I am Avijit Dutta from IAI TCG CREST, and today I am going to present our paper "Permutation-Based EDM: An Inverse-Free Beyond-Birthday-Bound Secure PRF". It is a joint work with Mridul Nandi and Suprita Talnikar. In 1988, Luby and Rackoff in their seminal paper showed how to construct a pseudorandom permutation from pseudorandom functions. Since then, many practical block ciphers, for example Camellia, GOST, etc., have been designed under the Luby-Rackoff framework. However, block ciphers are designed to work on fixed-length strings. Therefore, to process variable-length strings, we generally use different modes of operation, which are built on top of block ciphers. From the security perspective, we seek PRF security from these modes of operation. Therefore, at one extreme, we have a mode of operation which is based on block ciphers, and at the other end, we require its PRF security. To bridge this gap, one can think of building modes of operation out of PRFs instead of block ciphers. But PRFs are rarely available in practice, compared to block ciphers, because building non-invertible round functions, which are iterated over multiple rounds to construct a PRF, is basically harder than designing invertible round functions. Moreover, most of the modes of operation, although they are built on top of block ciphers, never evaluate the block cipher in the inverse direction. Therefore, summarizing the above, we can conclude that a pseudorandom function as a primitive is a better choice over a pseudorandom permutation. In fact, if we instantiate the counter mode of encryption with a PRF instead of a PRP, then it will give optimal security. Nevertheless, due to the PRP-PRF switching lemma, one can argue that the block cipher itself is a good PRF, and hence one can consider the block cipher as a PRF in block cipher-based modes of operation.
But this solution comes at the cost of birthday-bound security, which may not be adequate when the block size of the underlying block cipher is small, for example a 64-bit block cipher. Therefore, we see that we have plenty of practical block ciphers, but we require practical candidates of PRFs that can be used as primitives in modes of operation. We have seen that using block ciphers as the primitive is not always a good solution. Therefore, we need to construct PRFs out of block ciphers with beyond-birthday-bound security. Over the years, many such constructions have been proposed. To start with, the first construction, which we call the sum of permutations construction, is a very popular construction: it is a block cipher-based PRF that takes an n-bit input and gives an n-bit output, which is nothing but the sum of two permutations evaluated at the input x. And it has been shown that this construction achieves optimal security. The other construction, which we call the EDMD construction, is again based on two independent permutations, but it is a sequential construction. This construction was proposed at Crypto 2017 by Mennink and Neves, and they have shown that this construction achieves optimal security. The SUMPIP construction is again a kind of sum of permutations construction, but instead of two independent permutations, it is the sum of a permutation P and its inverse, both evaluated at a point x. So x is an n-bit input, and the sum of the outputs of these permutation calls is the output of the construction, which is y. Again, this construction has been shown to be secure up to 2^{2n/3} queries. At Crypto 2016, Cogliati and Seurin proposed their construction, which we call the Encrypted Davies-Meyer (EDM) construction. This is similar to the EDMD construction, and it is again based on two independent permutations P1 and P2.
This construction has been proven to be secure up to 2^{3n/4} queries. In fact, the single-key variant of the EDM construction achieves 2n/3-bit security, and the single-key EDMD construction also achieves 2n/3-bit security. The other construction, which has recently been proposed by Gunsing and Mennink, is the Summation-Truncation Hybrid. This construction takes an n-bit input and truncates the leftmost a bits of the output of the permutation evaluated at x||0 and x||1. Then it sums the remaining discarded bits, that is, the (n - a)-bit outputs of the permutation evaluated at x||0 and x||1. Eventually, it produces an (n + a)-bit output. This construction has been shown to achieve n minus a by 2 bits of security, where n - a is the number of discarded bits of the permutation P. So the block cipher is basically considered to be the workhorse of symmetric cryptography, and it is a very good primitive for different kinds of modes of operation. But besides that, we have another cryptographic object, which is considered to be as good as the block cipher as a primitive in different types of modes of operation, which we call a permutation or a public permutation. Block ciphers, as a primitive, are designed to be efficient in both directions, whereas public permutations are particularly designed to be fast in the forward direction, but not necessarily in the inverse direction. For example, Keccak, Gimli, SPONGENT, etc. One of the important distinguishing characteristics between the block cipher and the public permutation is that, when we employ a block cipher in a mode of operation, at each invocation of the block cipher the underlying key scheduling algorithm of the block cipher needs to be evaluated.
Whereas for a permutation-based design, we do not need to invoke a key scheduling algorithm, because a permutation does not employ a key scheduling algorithm at all. Moreover, all the block cipher-based PRFs that we know of evaluate the block cipher only in the forward direction. They do not evaluate the block cipher in the inverse direction. So from this perspective, we can say that the block cipher is somehow an over-engineered primitive for those modes of operation that do not invoke the inverse of the block cipher. In those situations, we can think that a public permutation is a better choice over a block cipher as a primitive. So next the question arises: can we design a permutation-based PRF? The use of public permutations has been noted in the design of sponge-type constructions, and sponge-type constructions have had a different motto of designing authenticated encryption and hash functions, because the way the sponge function evaluates, it takes a smaller amount of hardware area, or a smaller state size. However, one can easily tweak the sponge construction to convert it to a PRF. For example, if you just apply a key to the sponge construction, then you get different types of keyed sponge constructions; these and the Farfalle construction are the two prominent examples of permutation-based PRFs. But an inherent drawback of these permutation-based PRFs is that they are of variable length and their security is only up to the birthday bound of the capacity of the underlying permutation. That means the security of the resulting PRF does not exploit the entire state size of the permutation; it is only up to the birthday bound of the capacity part of the permutation. Well, this solution may be adequate enough when the underlying permutation is of moderate size. Say for example, if it is the SHA-3 permutation, which is of 1600 bits, then the solution is enough.
But it is not useful with lightweight permutations, for example PHOTON or SPONGENT. Therefore, can we design a pseudorandom function based on a public permutation that achieves beyond-birthday-bound security? This line of research started with the work of Chen and Mennink, Chen et al., with their popular constructions which we call the Sum of Even-Mansour construction and the Sum of Key Alternating Ciphers. These two constructions were proposed at Crypto 2019. The Sum of Even-Mansour construction takes two independent permutations and two independent n-bit keys, and it just outputs the XOR of the outputs of P1 and P2. This construction achieves a 2n/3-bit security bound, and that bound is essentially tight because they have given a corresponding matching attack. However, if you make these two permutations identical or these two keys identical, then the resulting construction can only give you birthday-bound security. The other construction proposed in the same paper is known as the Sum of Key Alternating Ciphers. The Sum of Key Alternating Ciphers is a somewhat sequential construction. When P1 and P2 are the same or identical, they term it SoKAC1, and when the underlying keys are the same, they term it SoKAC21. It has been shown that SoKAC21 is 2n/3-bit secure and that security bound is tight, and Chen et al. in the same paper have shown that there is a birthday-bound attack on SoKAC1. However, later at Eurocrypt 2020, Nandi has shown a birthday-bound distinguishing attack on SoKAC21, and Chakraborty et al. at FSE 2020 have shown a distinguishing attack on SoKAC1 with query complexity 2^{2n/3}. Most importantly, Chakraborty et al. have pointed out some kind of dispute in the attack algorithm on SoKAC1, and they have shown that the attack still works with 2^{2n/3} query complexity. But again, the bound has not been proven to be tight. So proving the security bound of SoKAC1 up to 2^{2n/3} many queries remains open.
So out of these two constructions, what we have seen is that SoKAC21, where the keys are the same, is a birthday-bound secure construction, fine. So we have only SoKAC1, that means P1 and P2 are identical, and that construction has an attack complexity of 2^{2n/3}, but it has not been proven to be secure up to 2^{2n/3} many queries. Therefore, now we ask the question: can we design a permutation-based pseudorandom function with a single key? To this end, Chakraborty et al. at FSE 2020 have proposed their construction which we call the pDM MAC, and they have shown that this construction achieves a tight 2n/3-bit security bound. One can easily turn this construction into a nonce-based MAC, which they call the pDM* MAC, and that also achieves a similar security bound. However, their construction employs a permutation P and its inverse, and that employs two permutation calls. So in the paper, they have proposed an open problem: can we design a BBB secure PRF with one permutation and two forward calls? Here they have employed a forward call and an inverse call. So what remains open is whether we can design a BBB secure PRF with one permutation but with two forward calls. Here is our construction that actually solves that open problem, which we call the permutation-based Encrypted Davies-Meyer (pEDM) construction. This construction requires two independent n-bit keys, but it is based on a single permutation and it requires only forward calls, no inverse calls, and we have shown a tight 2n/3-bit security bound for this construction. It does not require the inverse of the permutation, and we believe that if we make all the underlying round keys the same, that means if k1 = k2, then this construction will still be a BBB secure PRF, but that may require some stronger variant of some advanced results on sum capture.
Here is a brief comparison chart between different types of permutation-based PRF constructions. The constructions which are highlighted in blue are parallel constructions, and the remaining constructions are sequential constructions. Out of these sequential constructions, we can see that pEDM is one such construction that does not require the inverse call of the permutation, whereas the other constructions, SoKAC1, SoKAC21 or pDM, require it. Say for example SoKAC21: we will set aside SoKAC21 because it actually gives only birthday-bound security. For SoKAC1, it has one permutation and two keys, but it has been shown to have an attack complexity of the order of 2^{2n/3}, and we have not been able to prove the upper bound on the security of this construction. So pEDM is the only such construction till now which achieves a tight security bound of 2^{2n/3} and requires one permutation and two keys. So let us see briefly the rationale of the attack on our construction. The main idea of the attack on our construction is the following: if we make a construction query with, say, x and the output is y, and there are two primitive queries such that the input to the first permutation call collides with the input of one primitive query, and the output of the second permutation call for the construction query collides with the output of another primitive query, then what we will do is that for each key value k1 we will check whether these conditions or equations are satisfied, that means x + u1 = k1 and y + k1 = some v2. So we will construct a set S_{k1} for each k1, and in this set S_{k1} we will keep the record of the triplets (i, j, k) such that x_i + u_j = k1 and y_i + k1 = v_k.
Then for each k1 such that the cardinality of the set S_{k1} is at least 2, we will check whether the following condition holds or not. If it holds, then we say that k1 is a potentially true candidate key, and we add that candidate key to a set which is called K (calligraphic K). Our claim is that if (k1*, k2*) is the pair of true keys, then the probability that k1* belongs to this set K is at least 0.687, which is greater than half, and the probability that the cardinality of K is at least 128 is at most 0.5. We have shown that the time complexity of our attack is of the order of 2^{4n}, so it is not a computationally very efficient attack; it is kind of an information-theoretic attack, and for that information-theoretic attack the number of construction queries that we require is 2^{2n/3 + 1} and the number of primitive queries that we require is 2^{2n/3 + 2}. So we briefly go to the security model and the H-coefficient technique. The H-coefficient technique is a combinatorial tool to bound the distinguishing advantage between two random systems. Here A is an adversary who is interacting with either of two worlds, the real world or the ideal world. The real world is comprised of two oracles, F_K^P and the permutation P, and the ideal world is comprised of again two oracles, a random function and the permutation P. So if the adversary is interacting with the real world, then it can interact with this pair of oracles; similarly, if it interacts with the ideal world, then it will interact with that pair of oracles. Finally, after interacting with the oracles, the adversary has to distinguish whether it has interacted with the real world or the ideal world, and in this way we define the advantage of the adversary A in distinguishing the real world from the ideal world as the difference of these two probabilities. To upper bound this
advantage of the adversary A using the H-coefficient technique, we need to do the following three things. First of all, we need to identify the bad transcripts; then we need to upper bound the probability of bad transcripts in the ideal world; and then, if we take any good transcript, we need to lower bound the ratio of the real to ideal interpolation probability for that good transcript. So what is a transcript? A transcript is nothing but a summary of the interaction between the adversary and the oracles. In order to prove the security of our construction, we require a sum capture lemma. The sum capture lemma is a very old result proposed by Babai in 2002, which roughly says that if A is a random subset of {0,1}^n, then for any B, C, where B and C are again two subsets of {0,1}^n, the cardinality of the set of triplets (a, b, c) in A x B x C such that a = b + c, minus the term |A||B||C| / 2^n, is very small. The version of the sum capture lemma proposed by Chen et al. is just a variant of the original sum capture lemma, and this was used in 2014 in the result of Chen et al. It says that if the random subset A of {0,1}^n arises from the interaction of an adversary with a random permutation P, namely A is the set of x + y where x is the input and y is the output of the interaction, then for any subsets B and C of {0,1}^n, the cardinality of the set of (x + y, b, c) such that x + y = b + c, minus q|B||C| / 2^n, is very small. Now we briefly go to the stage of the security proof where we identify the bad events. The first bad event says that if we have a construction query, say (x, y), such that the input to the first
permutation call collides with the input of a primitive query and the output of the second permutation call collides with the output of any other primitive query. If this happens, then actually the middle part is known to the adversary. Similarly, bad 2 says that if we have two construction queries such that for the first construction query, say (x, y), the input to the first permutation call collides with the input of some primitive query, and the output collides with the output of some other construction query. The third bad event says that if there is a construction query such that the input to the first permutation call collides with the input of some primitive query, then this output is determined, so that will be v, and therefore the input to the second permutation call, that means v + u + k2, again collides with the input of some other primitive query; that means it is a simultaneous collision with the primitive queries. Bad 4 is basically the asymmetric or mirror image of the event bad 3: if there is a construction query (x, y) and the output of the second permutation call collides with the output of some primitive query, then this input is determined, and therefore the output of the first permutation call again collides with the output of some other primitive query. Bad 5 says that, again for two construction queries, the input of the first permutation call collides with the input of some primitive query, and the input to the second permutation call for this construction query (x, y) collides with x', that is, with the input of the first permutation call for the other construction query. Bad 6 is again a mirror image of bad 5, which says that we have two construction queries (x, y) and (x', y') such that the output of the second permutation
call collides with the output of the primitive query, and therefore the output of the first permutation call for the first construction query collides with the output of the second permutation call of the other construction query. Bad 7 says that we have two construction queries such that the input to the first permutation call of the first construction query collides with the input to some primitive query, and for the other construction query, the input to the first permutation call collides with the input to some other primitive query, say u1', and for those two construction queries, the inputs to the second permutation call collide. That means we have these two construction queries (x, y) and (x', y') such that x + k1, which is the input to the first permutation call, collides with the input to some primitive query, which is u1. Similarly, we have the input to the first permutation call for the other construction query, which is x' + k1, that collides with the input of some other primitive query, say u1', and therefore the corresponding input to the second permutation call, which is v1 + u1 + k2, collides with v1' + u1' + k2. Again, bad 8 is just a mirror image of bad 7. So here is bad 9. This says that the number of construction and primitive queries such that the input to the first permutation call collides with the input to some primitive query should not be too large. So if the cardinality of this set is greater than the square root of q, then it is bad. Similarly, bad 10 is the mirror image of bad 9, where the restriction is imposed on the output set. Bad 11 says that the number of colliding queries such that y = y' should not be too large. So if it is greater than the square root of q, then we will call the event bad.
This requires some additional bad events, and these bad events will be required to lower bound the real interpolation probability for good transcripts. The most difficult part of this paper is the analysis of the good transcripts, and we will not go into the details of it, but we will try to give a very high-level overview of the proof technique that we have used here. First of all, we partition the set of transcripts into three sets. The first type is the set of transcripts whose input collides with the input of some primitive query. The second is the set of transcripts whose output collides with the output of some primitive query, and the third is the set of transcripts whose input and output are fresh. The analysis of the first two cases is more or less easy, but the analysis of the third case is the most difficult one. So in order to analyze the third one, we again subdivide it into two parts. We partition this set of transcripts whose input and output are fresh into case A and case B, where case A is the set of transcripts where the input to the second permutation call collides with the input to the first one. That means, say for example we have (x, y) and (x', y'); suppose for the time being we assume that the input and output of these two permutation calls are fresh, but it may so happen that the input to the second permutation call for this construction query collides with the input to the first permutation call of the other query, that means P(x + k1) + k2 + x + k1 collides with x' + k1. If this happens, then we cannot sample the output; the output is determined. In case B we analyze the remaining set of transcripts.
So for the analysis of case A, that means where there is a dependency between the permutation calls, we will count the number of transcripts that satisfy case A, and that will fix t many input-output pairs for the permutation, where t is the number of pairs satisfying this equation. For the analysis of case B, we will identify the intermediate value z, and we will require that this z should be valid; we will count the number of such valid or good sets, and for a fixed good set we will count the number of permutations that realize the given transcript. So to conclude this paper: in this paper we have proposed an inverse-free public permutation-based PRF in a more or less sequential mode, and it achieves a tight security bound roughly of the order of 2^{2n/3} many queries, and we believe that the beyond-birthday-bound security of this construction will remain valid even if the round keys are identical, that means even if k1 = k2. So thank you for listening to this talk, and if you have any query you can send an email to any one of us. Thank you.
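As an added illustration (not part of the talk or of the authors' code), here is a toy Python instantiation of the constructions discussed above: single-call Even-Mansour, SoEM with two permutations, and pEDM as read from the talk's description (first call on x + k1, second call on v + u + k2, output XORed with k1). The 16-bit seeded permutation, the sample keys and the call-counting wrapper are constructed for the example; the SoEM22 formula is my rendering of Chen et al.'s construction. Running it shows the structural point of the talk: pEDM makes two forward calls and no inverse call, and unlike the keyed permutation it behaves like a random function, so its outputs collide at roughly the birthday rate q(q-1)/2^(n+1) rather than never.

```python
import random

N_BITS = 16                       # toy block size; the talk's n is a real permutation width
MASK = (1 << N_BITS) - 1


class CountingPermutation:
    """A random n-bit public permutation from a seeded shuffle, with call counters so a
    reader can confirm which direction each construction actually uses (constructed toy)."""

    def __init__(self, seed: int) -> None:
        table = list(range(1 << N_BITS))
        random.Random(seed).shuffle(table)
        self._fwd = table
        self._inv = [0] * len(table)
        for x, y in enumerate(table):
            self._inv[y] = x
        self.forward_calls = 0
        self.inverse_calls = 0

    def p(self, x: int) -> int:
        self.forward_calls += 1
        return self._fwd[x & MASK]

    def p_inv(self, y: int) -> int:
        self.inverse_calls += 1
        return self._inv[y & MASK]


def even_mansour(P: CountingPermutation, k1: int, k2: int, x: int) -> int:
    """Single-call Even-Mansour P(x + k1) + k2: a keyed permutation, so outputs never collide."""
    return P.p(x ^ k1) ^ k2


def pedm(P: CountingPermutation, k1: int, k2: int, x: int) -> int:
    """pEDM as read from the talk: one permutation, two forward calls, two keys."""
    u = x ^ k1            # input to the first permutation call
    v = P.p(u)            # output of the first call
    w = v ^ u ^ k2        # input to the second call (the talk's v + u + k2)
    return P.p(w) ^ k1    # y, so that y + k1 is the output of the second call


def soem(P1: CountingPermutation, P2: CountingPermutation, k1: int, k2: int, x: int) -> int:
    """SoEM22 (two permutations, two keys), the parallel construction from the comparison chart."""
    return P1.p(x ^ k1) ^ P2.p(x ^ k2) ^ k1 ^ k2


def count_output_collisions(f, q: int) -> int:
    """Query f on the first q inputs and count outputs already seen (birthday collisions)."""
    seen = set()
    collisions = 0
    for x in range(q):
        y = f(x)
        if y in seen:
            collisions += 1
        seen.add(y)
    return collisions


def run_demo(q: int = 1 << 10, seed: int = 2021) -> dict:
    """Compare EM (a PRP) with pEDM (a PRF) on q queries and record the direction of calls."""
    k1, k2 = 0x1F2E, 0x3D4C          # constructed sample keys
    P_em = CountingPermutation(seed)
    P_pedm = CountingPermutation(seed)
    em_coll = count_output_collisions(lambda x: even_mansour(P_em, k1, k2, x), q)
    pedm_coll = count_output_collisions(lambda x: pedm(P_pedm, k1, k2, x), q)
    return {
        "queries": q,
        "em_collisions": em_coll,                      # always 0: a permutation has no collisions
        "pedm_collisions": pedm_coll,                  # close to q(q-1)/2^(n+1) for a PRF
        "expected_prf_collisions": q * (q - 1) / 2 ** (N_BITS + 1),
        "pedm_forward_calls": P_pedm.forward_calls,   # 2 per query
        "pedm_inverse_calls": P_pedm.inverse_calls,   # 0: pEDM never inverts P
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

With the default q = 2^10 and n = 16 the expected number of PRF collisions is about 8, while the Even-Mansour column stays at 0 for every seed; the counters make the inverse-free property of pEDM a checkable fact rather than a reading of the diagram.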