Hello, this is Ashwin and I will present the talk on how to build optimally secure PRFs using block ciphers. This is a joint work with Benoît Cogliati and Mridul Nandi. In this work, we propose a new paradigm to build block-cipher-based PRFs with optimal security.

In the talk, I will talk about PRFs: basically, I will give you a quick revisit of the definition and security notion of a PRF, and I will give some examples of block-cipher-based PRFs and an existing method to achieve optimal n-bit security, where n is the block size of the block cipher. Then I'll give you the new paradigm, Hash-then-modified-Benes, instantiated with a PMAC+-like hash function (the instantiation is called mPMAC+), and similarly I will instantiate it with a LightMAC+-like hash and call it mLightMAC+. Finally, in the paper we also give some refinements. I won't talk about the refinements in the talk, but I will just mention them here.

Okay. Pseudorandom functions are simply a collection of functions from {0,1}* to {0,1}^n, indexed by a key K from {0,1}^k. The security goal of a pseudorandom function is simply that the function should behave as an independent uniform random function for an independently sampled secret key K. One of the most important applications of PRFs is message authentication codes, which are symmetric-key primitives that achieve integrity and authenticity. It's well known that any good PRF is a good MAC, at least a good deterministic MAC. So basically any PRF, you can apply it as a message authentication code. So how do we define the security?
We define the security using this indistinguishability game. In this game, you have two different worlds, the real world and the ideal world, and there is an adversary A that interacts with the keyed function F_K in the real world and with a uniform random function in the ideal world. It can make q many queries and get q many outputs, and after that it returns a single bit as its output. We define the advantage of the adversary as the probability that it returns one when it is in the real world minus the probability that it returns one in the ideal world.

Some examples of block-cipher-based PRFs include PMAC, which is one of the most popular MAC constructions. This construction is by Black and Rogaway. PMAC is a parallelizable MAC where the message blocks are first masked with a masking value which is generated by the Gray code multiplied by the encryption of zero, for each position. So position one is multiplied by the Gray code for one, position two is multiplied by the Gray code for two, and so on. Then this masked value is encrypted, and finally we accumulate all these values into a hash value, which is encrypted again to get the final output. It has been shown that PMAC is secure as long as this term q²·l_max is much less than 2^n, where q is the number of queries and l_max is the maximum permissible message length, so it's the maximum number of blocks that you can query. There is an implicit assumption in all these constructions that l_max is much less than 2^(n/2). You can see that this construction has at most birthday security; in fact, this is not even birthday security in terms of the number of queries, but we can consider it birthday secure when you consider the total number of all the query blocks.

Then there is LightMAC by Luykx et al., which is a refinement of PMAC in terms of a cleaner security bound. So in LightMAC, instead of masking,
what we do is we encode the message block along with counter values which are dependent upon the position. For the first position we encode it with the counter value one, for the second position we encode it with the counter value two, and so on. Then we do the same processing as done in PMAC: we encrypt the values and then we sum them together to get a hash value, which is again encrypted to get the output. LightMAC has been shown to be secure as long as q is at most 2^(n/2).

A popular example of beyond-birthday security is PMAC+, which is again an extension of PMAC. How it is extended is that we add another hash layer here, which is a linear combination based on multiplication by 2. So the first output is multiplied by 2^l and the last output is multiplied by 2^0, or rather the first output is multiplied by 2^(l−1) and the last output is multiplied by 2^0, and they are summed together. These final two sums are encrypted and the outputs are summed to get the final output of PMAC+. PMAC+ is shown to be secure as long as, basically, the number of queries is at most 2^(3n/4), assuming that the length is some constant value.

Similarly, LightMAC has been extended to LightMAC+ by Naito. This construction is again similar to PMAC+: you do the same kind of linear-combination-based accumulation in the lower layer, and then we encrypt and sum to get the final output. LightMAC+, as in the case of LightMAC, has a very clean security bound, so we have the condition that the construction is secure as long as q is at most 2^(3n/4).

Most of the PRF constructions are actually based on this classical paradigm called the Hash-then-PRF paradigm. This is very classical.
We are building a variable-input-length PRF where we have two components: a hash function H, which is required to be universal (universal means that the outputs should collide with very low probability given that the inputs are distinct, under the assumption that this key K is chosen uniformly at random), and a finalization function F which is a fixed-input-length PRF. What has been shown is that this construction is secure up to hash collision, so the security is bounded by the universal property of the hash function H. That is, for optimal security you must have 2n bits of hash output; this part should be 2n bits long because, using the birthday-bound argument, what you have is that if you have 2n bits of hash output then the number of queries is bounded by 2^n, so you can go till 2^n if you have at least 2n bits of hash output. And because the hash output is now increased, we need an F function which is kind of domain extending, so we need a length-doubling PRF at the input end, so we need a 2n-bit PRF in finalization.

Let's see some examples of fixed-input-length contracting PRFs. The first example that I will give is a truncation of the five-round Feistel. A five-round Feistel is actually a secure PRP as long as q is much less than 2^n. What you can do is you can actually truncate the last call, and if we release this T value then we can again show that this truncation of the five-round Feistel is secure as a PRF as long as q is much less than 2^n. Basically, we want a block-cipher-based construction.
So we have to replace these F_{K_i} functions with some block-cipher-based construction. If you directly replace them with the block cipher, then actually this security result does not hold as of now; there is no result on the five-round Feistel with the block cipher that proves it to be optimally secure or n-bit secure. So what we can do at best is we can replace them with an XOR of permutations, so that the resulting construction will again be a PRF. But in that case we have to apply four pairs of independent permutations, and that will result in eight calls to the block cipher.

Instead of that, what we can use is another set of transformations called the butterfly transformation. But the problem with the butterfly transformation is that it's secure in the KPA setting, so the inputs L and R are assumed to be chosen uniformly at random; they are not in the hands of the adversary.

Okay, just a point about the notation here. If from L to X there is an arrow and there is an edge, and if F1 is a label, then that means that this is F1 of L mapping to this XOR. So basically X is F1(L) + R and Y is F3(L) + R; sorry, X is F1(L) + F2(R) and Y is F3(L) + F4(R). Okay, so, based on this butterfly transformation.
We get the Benes transformation, which is just two layers of the butterfly transformation. This construction has been shown to be secure as long as q is much less than 2^n, and here we have no assumptions on L and R, so basically the adversary has complete control over L and R. Again, these F_i functions are PRFs, so we can replace them by XOR of independent permutations, which will result in 16 block cipher calls. But because we need just the S output, we can drop the four calls pertaining to F7 and F8; still, we'll need at least 12 calls here.

Another modification of the Benes construction is the modified Benes, where we drop F2 and F3 in the upper layer, so instead of F2 and F3 we have identity functions here. But this construction is only secure as long as q is much less than 2^(n(1−ε)) for any ε which is greater than zero. So we have the control over ε; we can choose some small ε, but still it won't be optimally secure, so we'll still have something less than 2^n. When we replace it with block ciphers (here I've ignored the other part of the output because we are more interested in 2n-to-n-bit functions), so basically if we replace the functions with the block ciphers, then the security has been shown to be up to 2^(3n/4) when all these block ciphers are keyed independently. But there is no result on n-bit security or close to n-bit security for this block-cipher-based construction. In fact, there is a non-trivial bottleneck in the proof of optimal security, which has been discussed in several papers, in fact in our paper.
We have discussed this, so I won't go into the details here, but you can look into the paper to get an idea about the bottleneck.

Okay, now I'll present our main contribution of this paper, which is the Hash-then-modified-Benes paradigm. What we do is we apply a preprocessing layer here, the hash functions, on the message to get the fixed inputs L and R of the modified Benes. So this lower layer is the modified Benes and in the upper layer we apply a preprocessing; we add a hash preprocessing layer before mBenes to get this Hash-then-mBenes. This "-f" notation is because we only use functions here, we only use random functions here, so this is the random-function flavor of HtmB. Similarly, we have a permutation-based construction where we replace the upper-layer functions directly with permutations, so π1 and π2 replace Γ1 and Γ2, and in the lower layer we use sum of permutations to replace the random functions Γ3 and Γ4. Another refinement gives us HtmB-p2, which simply replaces π3 + π4 by π3 and π5 + π6 by π4. So this is kind of a mirror image of HtmB-f, where Γ1, Γ2, Γ3, Γ4 are replaced with π1, π2, π3 and π4. As we'll show, these constructions avoid the previous bottleneck, as was present in the case of mBenes, and they actually achieve security close to 2^n, with some restrictions on the queries.

Okay, just a note on the security notion required from the hash function. Basically, we define a new notion of universality for hash functions that we call diblock ACU³ (DbACU³). So a hash function H is DbACU³ if, for every q-tuple of queries x^q, the probability that two hash outputs collide is bounded by ε2, and, for any single lane H1 or H2, the probability that the number of colliding pairs is more than q
is bounded by ε1. So we bound both the universal property of the hash function, basically the joint universal property over the q-tuple, as well as the number of colliding pairs for the individual lanes. A simple example of this hash function is a combination of two independently keyed hash functions H1 and H2, and what you can show is that if H1 and H2 are ε-almost universal hash functions, then H is (qε, q²ε²)-DbACU³. This result is actually quite simple to observe and comes directly from Markov's inequality.

Okay, let's have a quick look into the proof approach. The core idea is to avoid any circular relation between the x_i's and y_i's after the modified butterfly. Basically, what we mean by the circular relation is that there is a system of equations in S, right, and what we want is that the rank of this system of equations should either be full, or, if it is low, then the probability of getting certain kinds of trivial equalities should be small. So, let's see how this circular relation is defined.
Basically, the system of equations for S is defined like this: each s_i value is defined as π3(x_i) + π4(y_i), where the x_i's and y_i's are defined like this. As I said, we want either the rank to be q, because if the rank is q then we know that S has a unique solution, and this solution will hold with very low probability because each equation will give some non-trivial condition on these Γ functions. When the rank is less than q, we know that there exists a minimal set of indices i_1 to i_k such that the sum of the x_{i_j} is equal to 0 and the sum of the y_{i_j} is equal to 0. What this actually shows is that all these x_{i_j} values and y_{i_j} values appear an even number of times.

So, let's see how this circular relation is defined for this rank less than q. Basically, what we do is we reorder the queries pertaining to this minimal set of indices i_1 to i_k such that x_{i_1} = x_{i_2}, y_{i_2} = y_{i_3}, x_{i_3} = x_{i_4}, and so on, x_{i_{k−1}} = x_{i_k}. So there is an alternate shift between the equalities, and finally what we have is that the last output, the y_{i_k} value, collides with y_{i_1}, because the sum of all the y values is zero. So basically what we want is to bound the probability of such events, or in other words, we want to bound the probability of getting such cycles.

There are three possible cases. The first case is that all k equations are independent, which is actually quite easy because we have k many indices here and we have k independent equations, so the probability is bounded by q^k / 2^(kn). The second case is that all k equations are independent except for the last one. In this case, because the last one is dependent on the previous equations,
we must have H2(M_{i_k}) = H2(M_{i_j}) and H2(M_{i_1}) = H2(M_{i_{j'}}) for some j and j'. Now, using the DbACU³ property, this probability can be bounded by q^(k−2) / 2^((k−1)n). The denominator should be easy to verify, because among the k equations you know that only one equation is dependent, so if you remove that then you have k−1 independent equations, which will give you the denominator. About the numerator: basically the DbACU³ property shows you that there can be at most q many choices for the (i_k, i_j) pair and q many choices for the (i_1, i_{j'}) pair; in other words, these four indices can be chosen in q² ways, and apart from these four, the k−4 indices can be chosen in q^(k−4) ways. So in total they can be chosen in at most q^(k−2) ways. This gives you this probability.

The third case is actually a generalization of the second case, where this last independent equation can occur earlier than the last equation of the cycle. So there exists a sub-trail of length k' less than k where the equations are independent except for the last one. Again, in this case the analysis is similar to the second case and the probability is bounded by q^(k'−1) / 2^((k'−1)n). When you combine all these things, you get a bound of the order of q² / 2^(2n) with appropriate bounds for ε2 and ε1. The informal theorem is something like this: the advantage is bounded by q² / 2^(2n), assuming ε2 and ε1 are of the same order, and it can be easily verified that this is less than one for q less than 2^n.

Okay, a very quick look at the proof of HtmB-p1. Basically, we have made two changes.
We have replaced the Γ1, Γ2 functions with the π1 and π2 permutations, and in the lower layer we use sum of permutations. The sum of permutations can be replaced with independent functions Γ3 and Γ4 using the bound on the PRF security of sum of permutations by Dai et al. And in the upper layer, actually, the proof approach will be exactly similar; there will just be a slight change in the probability distribution due to the change from random function to random permutation. But otherwise the proof approach is exactly similar, and what we get is a bound like this. The security order is still similar: we get security in the order of q^1.5 / 2^(1.5n).

About HtmB-p2, the overall strategy of the proof is similar, but now we need a lower bound on the number of pairs of permutations π3 and π4 that will satisfy the system of equations. The first step is again to bound the probability of getting some bad x_i and y_i values using the randomness of the hashing key; this is exactly similar to the previous case. Then the second step is to handle the remaining cases. What are the remaining cases? The remaining cases pertain to the mirror theory results. The mirror theory result fixes three conditions. The first one is that there are no alternating cycles. Basically, if you remember, we discussed a circular relation that x_{i_1} = x_{i_2}, y_{i_2} = y_{i_3}, and so on, so there was a cycle earlier; that kind of cycle is not allowed.
So basically we can reuse the same analysis as before. The second is no alternating trails such that the corresponding s_i's XOR to zero; again, a similar analysis will satisfy this condition as well. And the third, the number of blocks of equations involving more than ξ+1 variables, should be bounded as well, and what you can show is that this can again be bounded using the same analysis as used for the alternating cycles case. So ultimately, if you don't have these three conditions, then mirror theory says that you have a very good number of solutions, and when we plug in these solutions, we get the result for HtmB-p2 as well.

In terms of instantiations, we instantiate the Hash-then-modified-Benes with the mPMAC+-like hash function. If you remember the mPMAC+ construction, this is the hash function for mPMAC+, except for one small change: here we drop one block cipher call. This block cipher call can be dropped because the hash requirement is quite relaxed in the case of HtmB; we just need the universal property on the full hash and a bound on the number of colliding pairs on the individual layers. But in the case of PMAC+, there is another requirement, something called cover-free, which requires this extra block cipher call here. So we can actually save one block cipher call here. Basically, if you apply HtmB-p2, then you have four calls in the finalization, but we save one call here.
So effectively we need only three calls. In comparison to PMAC+, we need only one extra call in mPMAC+. The result that we prove for this hash function is that this is a good DbACU³ hash function, given that you consider the security bound in terms of σ, where σ is the total number of all query blocks across all queries. Similarly, we define a LightMAC+-based instantiation, where the hash function is called LightHash; again we can drop the block cipher call, and what we have shown is that this construction is again a good DbACU³.

In terms of the summary, our contributions are like this. We present a novel method of constructing VIL PRFs, with three different instances based on both functions and permutations. All three instances achieve optimal security, well, up to a certain restriction on the number of queries in some cases. We instantiate them with the LightMAC+- and PMAC+-based hash functions, and we derive relevant bounds for LightHash and PHash that, when you combine them with the bounds for HtmB, actually imply almost 2^n block security. Additionally, in the paper we have shown some variants of HtmB with a reduced number of keys. For example, for HtmB-f we have reduced the number of keys from 4 to 1; for HtmB-p1 we have reduced the number of keys from 6 to 3 keys; and for HtmB-p2 we have reduced from 4 keys to 2 keys.

Finally, I'll discuss two open problems. The first one is: can we further reduce the number of keys in the case of HtmB-p1 and HtmB-p2? Basically, the problem here is the type of results that we have for sum of permutations and the mirror theory.
All these results don't consider, I mean, in terms of when you go for the optimal security, they don't consider the case where the permutation is already sampled on some points. So when you consider the single-key case, there will be a point where we have to consider results on mirror theory where the permutation is already sampled on some points, so there are already some input-output restrictions, and based on these additional constraints we have to get a similar mirror theory result. We don't yet know how this can be done, but I mean this can be an interesting future work.

Another direction can be to reduce the number of permutation calls. With this work, we have shown that with one extra call we can actually get n-bit security as compared to PMAC+. For PMAC+, we have l+2 many calls, where l is the number of blocks in the message, and for mPMAC+ we have made just one extra call, so mPMAC+ requires just l+3 calls, and it achieves n-bit security as compared to 3n/4-bit security for PMAC+. So it could be interesting to see whether you can actually reduce the number of calls to l+2, or whether this is actually the lower bound. So this can be another interesting problem to explore.

With this, I will end the talk. Thank you for your attention. Thank you very much.
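The following is an added illustration of the rank argument from the proof-approach part of the talk; it is not code from the speaker or the paper. The talk describes the lower-layer system s_i = π3(x_i) + π4(y_i) and says that whenever its rank drops below q there is a minimal set of queries whose x and y values each occur an even number of times, which can be reordered into an alternating cycle x_{i1} = x_{i2}, y_{i2} = y_{i3}, ..., y_{ik} = y_{i1}. The example makes that concrete by reading each query as an edge between the vertex x_i and the vertex y_i of a bipartite graph: a minimal dependent set is a cycle of that graph, walking the cycle yields the alternating ordering, and the system has full rank exactly when the graph is a forest. The (x_i, y_i) values are small constructed integers standing in for n-bit values; the function names are this example's own.

```python
"""Alternating cycles behind the rank of the system s_i = pi3(x_i) xor pi4(y_i).

Constructed illustration (not from the paper): query i is an edge between the
vertices ('x', x_i) and ('y', y_i) of a bipartite multigraph.  A minimal set of
linearly dependent equations is a cycle of that graph; the system has rank q,
hence a unique solution for every choice of the s_i, iff the graph is a forest.
"""
from collections import Counter, defaultdict


def _build_graph(pairs):
    adj = defaultdict(list)  # vertex -> list of (neighbour, query index)
    for i, (x, y) in enumerate(pairs):
        adj[("x", x)].append((("y", y), i))
        adj[("y", y)].append((("x", x), i))
    return adj


def _path_to_root(parent, v):
    """[(vertex, edge used to reach it), ...] from v up to the root of its DFS tree."""
    path = []
    while v is not None:
        pv, e = parent[v]
        path.append((v, e))
        v = pv
    return path


def find_alternating_cycle(pairs):
    """Return query indices [i1, ..., ik] with x_{i1}=x_{i2}, y_{i2}=y_{i3}, ...,
    y_{ik}=y_{i1}, or None when the system of equations has full rank."""
    adj = _build_graph(pairs)
    parent = {}  # vertex -> (parent vertex, edge into this vertex)
    for root in adj:
        if root in parent:
            continue
        parent[root] = (None, None)
        stack = [root]
        while stack:
            u = stack.pop()
            for v, e in adj[u]:
                if e == parent[u][1]:
                    continue  # the tree edge we arrived through
                if v not in parent:
                    parent[v] = (u, e)
                    stack.append(v)
                    continue
                # Non-tree edge e = (u, v): the tree path u -> lca -> v plus e is a cycle.
                down = _path_to_root(parent, v)
                pos_v = {vert: k for k, (vert, _) in enumerate(down)}
                u_side = []
                for vert, edge in _path_to_root(parent, u):
                    if vert in pos_v:
                        lca_depth = pos_v[vert]
                        break
                    u_side.append(edge)
                v_side = [edge for _, edge in down[:lca_depth]]
                cycle = u_side[::-1] + [e] + v_side
                # Rotate so the first two queries share their x value, as in the talk.
                if pairs[cycle[0]][0] != pairs[cycle[1]][0]:
                    cycle = cycle[1:] + cycle[:1]
                return cycle
    return None


def is_minimal_dependent(pairs, idxs):
    """The talk's characterisation: every x value and every y value among the
    selected queries occurs an even number of times (so their XORs vanish)."""
    xs = Counter(pairs[i][0] for i in idxs)
    ys = Counter(pairs[i][1] for i in idxs)
    return all(c % 2 == 0 for c in xs.values()) and all(c % 2 == 0 for c in ys.values())


def alternates(pairs, cycle):
    """Check the ordering x_{i1}=x_{i2}, y_{i2}=y_{i3}, ..., y_{ik}=y_{i1}."""
    k = len(cycle)
    if k % 2:
        return False
    for j in range(k):
        coord = 0 if j % 2 == 0 else 1  # even steps share x, odd steps share y
        if pairs[cycle[j]][coord] != pairs[cycle[(j + 1) % k]][coord]:
            return False
    return True


def gf2_rank(pairs):
    """Rank over GF(2) of the q x (|X|+|Y|) matrix whose row i selects the two
    unknowns pi3(x_i) and pi4(y_i); rank q means S has a unique solution."""
    col = {}
    for x, y in pairs:
        col.setdefault(("x", x), len(col))
        col.setdefault(("y", y), len(col))
    basis = {}  # pivot bit -> reduced row
    for x, y in pairs:
        row = (1 << col[("x", x)]) | (1 << col[("y", y)])
        while row:
            pivot = row.bit_length() - 1
            if pivot not in basis:
                basis[pivot] = row
                break
            row ^= basis[pivot]
    return len(basis)


# Constructed sample of q = 8 queries (x_i, y_i) leaving the upper layer.
# Queries 0..5 close a 6-cycle; queries 6 and 7 hang off the graph without closing one.
CYCLIC = [(1, 10), (1, 20), (2, 20), (2, 30), (3, 30), (3, 10), (4, 40), (5, 10)]
ACYCLIC = [(1, 10), (1, 20), (2, 20), (3, 30)]  # a forest: full rank, no cycle
REPEATED = [(7, 7), (7, 7)]  # two queries with identical (x, y): the shortest cycle, k = 2

if __name__ == "__main__":
    for name, pairs in (("CYCLIC", CYCLIC), ("ACYCLIC", ACYCLIC), ("REPEATED", REPEATED)):
        cyc = find_alternating_cycle(pairs)
        print(name, "rank", gf2_rank(pairs), "of", len(pairs), "cycle", cyc)
```

The rank drop equals the number of independent cycles, so in the constructed `CYCLIC` sample the 8 equations have rank 7 and the only cycle is the one over queries 0 to 5; the talk's three cases then bound the probability that the hash layer produces such a cycle at all.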