Hi, this is Ashwin from the Indian Statistical Institute, Kolkata. The title of my talk is From Combined to Hybrid: Making Feedback-Based AE Even Smaller. This is joint work with Avik Chakraborti, Nilanjan Datta, Snehal Mitragotri and Mridul Nandi. The motivation of this work is quite simple. We want to design a block cipher-based lightweight AEAD with the following properties. We want full rate, so the rate should be 1. We want the state size to be minimal, so apart from the block cipher state, the additional auxiliary state should be as small as possible. And we want that, apart from block cipher invocations, the additional operations like constant multiplication or XORing should be minimal. A typical design choice for these goals is the feedback-based mode, where we first encrypt the nonce to get an initial value, here Y0. Then we absorb the input data, the intermediate output and an auxiliary state to construct the next input. This absorption function is called the feedback function; gamma and rho here are feedback functions. Apart from generating the next input, we can also generate the current output data through this feedback function. So, in the context of a feedback-based mode, the state size comprises two things: the block cipher state and the auxiliary state S. So, here the state size is the size of Y (or X) plus the size of S. Classically, feedback functions were defined for encryption schemes: the plaintext feedback function, where the plaintext is fed as the next input; the ciphertext feedback function, where the ciphertext is fed as the next input; and the output feedback function, where the output is fed as the next input. But as you can easily see, these functions are not secure as they are, that is, not secure as AE modes as they are.
So, for example, if you consider the ciphertext feedback, in this case the adversary can easily forge by fixing the last ciphertext block and changing anything in the intermediate ciphertext; it will get a collision at the last block and hence a forgery. So, we need an additional state; basically, we need an additional n-bit masking state for security as an AE mode. So, the natural question here is: how small can we go in terms of masking state? Suppose we want birthday-bound security, or 2^(n/2) query security; then how small can this masking state be? Chakraborti et al. tackled this question and gave a new feedback function called combined feedback, or COFB, that uses only n/2-bit masking and achieves n/2-bit security. This figure is for the encryption scheme based on COFB. What you do is apply a linear function G over the current output and then XOR the message to get the new input. So there is a combination of both the output and the message to get the next input; that's why the name combined feedback. This reduces the masking state size to n/2 bits, but what about the minimum state? Is this the minimum, or can we go even further? The first contribution of our work is a lower bound on the state size. What we show is that for any rate-1 feedback-based AE mode with an additional state of size tau bits, there exists an adversary that breaks the construction with approximately 2^tau queries. So, in a way, if you have n/2-bit additional state then the most you can have is 2^(n/2) query security. Hence, COFB is optimal in terms of masking state size. Another question is: can we optimize this design of COFB further? A possible area of optimization is the XORing.
So, here you can see that it requires n-bit XORing for ciphertext generation and n-bit XORing for the next input; in total the feedback function requires 2n bits of XOR. So, the question we tackle in this work is: can we go even smaller in terms of the XOR count? We propose to study the hybrid feedback function. What hybrid feedback means is that we give a feedback based on a hybrid of two different feedback functions. For example, we can use plaintext feedback and ciphertext feedback: half of the input is the plaintext and half of the input is the ciphertext. Similarly, you can have output feedback and ciphertext feedback, where half of the input is the output and half is the ciphertext, and similarly one based on plaintext and output. You can see that all these schemes require only n bits of XORing to generate the ciphertext. But of course, these are not secure as they are. And in fact, when you look at the security of these constructions, you can easily see that even if you include any masking, the last two hybrids, that is OFB-CFB and PFB-OFB, are not secure. For example, consider the OFB-CFB mode, where the upper half is the output. Here the ceiling function represents the upper half of the input and the floor function represents the lower half of the input. So, the upper half is simply the output and the lower half is the lower half of the ciphertext. What the adversary can do is fix the lower half of the ciphertext, keep all the ciphertext blocks the same, and change the upper half of the ciphertext at the last block; we get a collision and hence a forgery. So, these two modes are not secure. In the rest of the talk, we will consider the PFB-CFB hybrid. Based on this hybrid function, we define the AE mode called HyENA, which works like this.
So, X0 is simply generated using the nonce with zero padding if required. r is the size of the nonce, and b0, b1 are just used to domain-separate the empty and non-empty associated data cases. This delta value, or masking value, is just the upper part of the initial value Y0. This figure is simply the instantiation of a general feedback-based mode where we have to define this HyFB. A disclaimer here: this version of HyENA is actually slightly different from the NIST lightweight submitted version. It has a different masking in the final associated data block. This modification ensures that the AD and message processing are identical, and as a result it gives better hardware performance. Choice of HyFB functions. Basically, as I said, we'll use the PFB- and CFB-based hybrid. HyFB+ means the hybrid feedback function in the encryption algorithm. There, what we do is first take the upper part of the message. We XOR it with the upper part of the output to get the upper part of the next input, and this is the same as the upper part of the ciphertext. The lower part of the message is XORed with the lower part of the output to get the lower part of the ciphertext, and the lower part of the message is XORed with the current masking value to get the lower part of the input. So, this lower part is kind of the PFB contribution and the upper part is the CFB contribution. You can similarly define the decryption module HyFB-, which is quite symmetrical to the encryption one. Another thing to note here is that the amount of XORing is just 3n/2 bits: each line is just n/2 bits and we have three XORs, so in total 3n/2 bits of XOR, which is less than COFB, which requires 2n bits of XOR. For partial data it's quite similar to the full data case but slightly different. Suppose we only have the upper part of the message, and that too is not full but partial.
What we do is first pad it and then XOR it to the upper part of the output to get the upper part of the input, and truncate as required to get the upper part of the ciphertext. In the lower part there is no message, as we started with just the upper part of the message. So in the lower part what we do is XOR the lower part of the output with one followed by a sufficient number of zeros, and XOR it with the current masking value to get the lower part of the input. A similar method can be used for the decryption algorithm. In terms of security, we show that the AEAD advantage of HyENA is bounded by sigma_e / 2^(n/2) + n (q_e + q_v) / 2^(n/2). So this construction is birthday-bound secure, plus there is a PRP advantage term for the block cipher E_K. Here q_e and sigma_e are the number of queries and the total number of block cipher calls for encryption queries, q_v and sigma_v represent the same for decryption queries, q' is just the sum of all these, and t and t' are the usual time parameters. Okay, let's have a quick look at the proof approach. We prove the result using the H-coefficient technique. Basically, we have a set of views, where a view is simply the set of variables arising from the interaction between an adversary A and its oracle. In the H-coefficient technique we first divide the views into a set of good views and a set of bad views, and we are interested in the probability of realizing a view tau when the adversary is interacting with the real oracle or in the ideal world.
The H-coefficient technique says that if you have the following two conditions: first, in the ideal world the probability of getting a bad view is at most epsilon_bad; and second, for any good view, the probability that it is realized in the real world is at least (1 - epsilon_ratio) times the probability that the same view is realized in the ideal world, or in other words the ratio of the interpolation probabilities between the real and the ideal world is at least 1 - epsilon_ratio; then the AEAD advantage is simply the sum of these two epsilon values, epsilon_bad + epsilon_ratio. Here we'll quickly look into the analysis of epsilon_bad; epsilon_ratio is actually quite simple given the bad views that we define. A quick look at the notation: init represents the initial state, which can be either x_{i,0} or y_{i,0}; is represents an intermediate state, which can be either x_{i,j} or y_{i,j}, where of course j lies between the initial and the final index; and the final state is simply the last input or last output. Plus represents the encryption query and minus represents the forgery query. So, the first bad event that we identify is the collision event over the intermediate states of the encryption queries: any intermediate state in an encryption query collides with another intermediate state, or a final state collides with another final state. In both these cases what you can show is that we have two non-trivial linear equations, one in the upper part of the output of the block cipher and another in the delta values, and since both of them are n/2 bits long we can show that this system of equations holds with about 2^(-n) probability; combined with the number of pairs, sigma_e^2, this probability is bounded by sigma_e^2 / 2^n. A similar bad event is when the initial state collides with some intermediate state.
Now in this case, if the intermediate-state query comes later than the initial-state query, then the analysis is quite similar, because the adversary has no idea how to make these collide; but if the intermediate-state query comes before the initial-state query, then the adversary has the extra ability to fix the nonce. It can fix the nonce to match the upper part as required, and then there is only one non-trivial equation, which is in the delta value and holds with at most about 2^(-n/2) probability. If we assume that the multicollision on the upper part of the ciphertext is less than n, then the number of such pairs is simply n q_e, and this probability is bounded by about n q_e / 2^(n/2) plus the probability that the multicollision is more than n, which is simply sigma_e / 2^(n/2). Another bad event is when the initial state collides with the final state. This is again similar to the previous analysis: if the final-state query comes later, then the bound is simply sigma_e^2 / 2^n, and if it comes earlier, then the bound is n q_e / 2^(n/2) + sigma_e / 2^(n/2). So, these were the cases where only encryption queries were present. Now, what are the bad events involving the decryption query? The first bad event is simply that the intermediate state of a decryption query collides with some intermediate state or a final state of an encryption query. More importantly, what we are interested in is the block x_{i, p_i + 1}, where p_i is the first index where the decryption query differs from the encryption query. Of course, the encryption query should have the same nonce as the decryption query.
Why is this important? Because up to the point where the two queries share the same prefix, all the x_i values will trivially collide. So we start looking from the point where the decryption query differs from the encryption query. Again, the adversary can actually fix the upper part, but there is a non-trivial equation on the delta value in the lower part, which holds with about 1 / 2^(n/2). So, again using the multicollision bound, we can get the bound n q_e / 2^(n/2) + sigma_e / 2^(n/2). Another, and the trickiest, bad event is when an intermediate state in the decryption query collides with the initial state in an encryption query. Now, in this case the adversary can obviously fix the upper part, and there is a non-trivial equation in the delta part, in the lower part, which holds with about 2^(-n/2). Now, the number of pairs is 2^(n/4) q_v, assuming the nonce size is 3n/4, which is true in the case of the HyENA submission to NIST. Because the adversary can fix the upper n/2-bit part, out of the 3n/4 bits of the nonce the n/2-bit part can be fixed freely; the remaining n/4 bits the adversary has to guess, so the adversary has 2^(n/4) many choices for this. When you combine this number with the probability for each such selection, the bound becomes q_v / 2^(n/4), which is bad because we need at least the birthday bound. So, this approach does not provide the desired bound. What we do instead is consider the freshness of successive blocks. Instead of considering just one such collision, we consider successive collisions: we consider a collision at p_i + 1 and then we also consider the collision at p_i + 2.
In this case the adversary can again fix the upper part in both cases, but now there are two non-trivial equations on delta values, so the system of equations holds with about 2^(-n) probability. Again, using the multicollision bound, what we can show is that the probability of this joint event is bounded by n q_v / 2^(3n/4). So, when we combine all these cases we get about sigma_e / 2^(n/2) + n (q_e + q_v) / 2^(n/2). So these were all the bad events. Using the H-coefficient technique, we now just have to bound the ratio of the interpolation probabilities, and this can be easily bounded by q_v / 2^n + 2n sigma_v / 2^(n/2). When we combine the bad and the good analysis, this gives the result using the H-coefficient technique. So, this ends the talk here, and I hope you like the paper. Stay safe. Thank you.
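Added worked example (editor's code, not part of the talk, the paper or the HyENA submission). It illustrates two points made above: the forgery against plain ciphertext feedback, where fixing the last ciphertext block and changing an intermediate one leaves the final block-cipher input unchanged, and the HyFB+/HyFB- hybrid feedback (CFB in the upper half, masked PFB in the lower half) with its 3n/2-bit XOR count. The block cipher is a toy Feistel network over SHA-256 that only stands in for E_K; the tag derivation for the CFB toy (tag = last block-cipher output), the fixed per-message delta, and the omission of AD processing and tag generation in the HyFB chain are simplifications not taken from the talk. Sample key, nonce and message blocks are constructed.

```python
"""Toy script: (1) plain CFB is forgeable with no masking state; (2) HyFB+/HyFB-
hybrid feedback and its XOR count.  Added example, not code from the paper or the
HyENA submission.  The block cipher is a toy Feistel over SHA-256 standing in for
E_K; it carries no security claim of its own."""
import hashlib
from typing import List, Tuple

N = 16           # block size in bytes (n = 128 bits)
HALF = N // 2    # n/2 bits
XOR_BITS = [0]   # instrumentation: bits XORed by xor() since the last reset

def xor(a: bytes, b: bytes) -> bytes:
    assert len(a) == len(b)
    XOR_BITS[0] += 8 * len(a)
    return bytes(x ^ y for x, y in zip(a, b))

def toy_block_cipher(key: bytes, block: bytes) -> bytes:
    """Toy N-byte PRP (4-round Feistel, SHA-256 round function); stands in for E_K."""
    left, right = block[:HALF], block[HALF:]
    for rnd in range(4):
        left, right = right, xor(left, hashlib.sha256(key + bytes([rnd]) + right).digest()[:HALF])
    return left + right

def initial_input(nonce: bytes) -> bytes:
    return nonce + bytes(N - len(nonce))        # X_0: nonce with zero padding

def cfb_encrypt(key: bytes, nonce: bytes, msg: List[bytes]) -> Tuple[List[bytes], bytes]:
    """Plain CFB, no masking: C_i = Y_{i-1} xor M_i, next input X_i = C_i.
    Tag = Y_m, the last block-cipher output (assumed tag derivation)."""
    y, ct = toy_block_cipher(key, initial_input(nonce)), []
    for m in msg:
        c = xor(y, m)
        ct.append(c)
        y = toy_block_cipher(key, c)            # the ciphertext block is fed back as is
    return ct, y

def cfb_verify(key: bytes, nonce: bytes, ct: List[bytes], tag: bytes) -> bool:
    y = toy_block_cipher(key, initial_input(nonce))
    for c in ct:
        y = toy_block_cipher(key, c)
    return y == tag

def cfb_forgery(ct: List[bytes], tag: bytes) -> Tuple[List[bytes], bytes]:
    """The attack from the talk: keep the last ciphertext block, change an
    intermediate one; the last block-cipher input, hence the tag, is unchanged."""
    assert len(ct) >= 2
    forged = list(ct)
    forged[0] = xor(forged[0], bytes([0x80]) + bytes(N - 1))
    return forged, tag

def hyfb_plus(y: bytes, m: bytes, delta: bytes) -> Tuple[bytes, bytes]:
    """HyFB+ as described in the talk. Returns (ciphertext block C, next input X)."""
    y_hi, y_lo, m_hi, m_lo = y[:HALF], y[HALF:], m[:HALF], m[HALF:]
    c_hi = xor(y_hi, m_hi)      # upper half of C and of X (CFB part)
    c_lo = xor(y_lo, m_lo)      # lower half of C
    x_lo = xor(m_lo, delta)     # lower half of X: plaintext masked by delta (PFB part)
    return c_hi + c_lo, c_hi + x_lo

def hyfb_minus(y: bytes, c: bytes, delta: bytes) -> Tuple[bytes, bytes]:
    """HyFB-, the symmetric decryption feedback. Returns (message block M, next input X)."""
    y_hi, y_lo, c_hi, c_lo = y[:HALF], y[HALF:], c[:HALF], c[HALF:]
    m_hi, m_lo = xor(y_hi, c_hi), xor(y_lo, c_lo)
    return m_hi + m_lo, c_hi + xor(m_lo, delta)

def hyfb_xor_bits() -> int:
    """Bits XORed by one HyFB+ call: three n/2-bit XORs = 3n/2 (192 for n = 128),
    versus the 2n = 256 of COFB's two full-block XORs quoted in the talk."""
    XOR_BITS[0] = 0
    hyfb_plus(bytes(N), bytes(N), bytes(HALF))
    return XOR_BITS[0]

def hyfb_chain(key: bytes, nonce: bytes, blocks: List[bytes], decrypt: bool = False) -> List[bytes]:
    """Message-only HyFB chain: Y_0 = E_K(X_0), delta = upper half of Y_0 (as in the
    talk).  The talk does not give how delta evolves per block, so it is kept fixed
    here (simplification); AD processing and tag generation are left out."""
    y = toy_block_cipher(key, initial_input(nonce))
    delta, out = y[:HALF], []
    for blk in blocks:
        o, x = (hyfb_minus if decrypt else hyfb_plus)(y, blk, delta)
        out.append(o)
        y = toy_block_cipher(key, x)
    return out

# Constructed sample inputs: a 96-bit nonce and three full 128-bit message blocks.
KEY = b"toy key, example only"
NONCE = bytes(range(12))
MSG = [b"hybrid feedback!", b"plaintext block2", b"last block, kept"]

def demo() -> dict:
    ct, tag = cfb_encrypt(KEY, NONCE, MSG)
    forged, _ = cfb_forgery(ct, tag)
    return {
        "cfb_valid": cfb_verify(KEY, NONCE, ct, tag),
        "cfb_forgery_accepted": forged != ct and cfb_verify(KEY, NONCE, forged, tag),
        "hyfb_roundtrip": hyfb_chain(KEY, NONCE, hyfb_chain(KEY, NONCE, MSG), decrypt=True) == MSG,
        "hyfb_xor_bits": hyfb_xor_bits(),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running the script shows the CFB toy accepting the tampered ciphertext with the original tag, which is exactly why the talk adds a masking state, and shows that one HyFB+ call XORs 192 bits for n = 128 against COFB's 256. The XOR counter is only instrumentation; in hardware the saving is the missing n/2-bit XOR on the next-input path.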