 Good morning everybody and welcome to the first session of crypto. My name is Bart Brunel and I have the pleasure to share this session. We have five talks on symmetric crypto systems. And the first talk is entitled, an encycling scheme based on a card shuffle by Viet Tong Huang, Ben Morris and Phil Hogaway, and Ben will give the talk. Okay, so in block cipher construction and the related problem of constructing a pseudo random permutation from a pseudo random function, most current methods rely on either variants of FISEL networks or substitution permutation networks. Today I'm going to introduce a new method which we call swap or not for which we can prove stronger security results. So in the talk, first I'll talk about how to construct swap or not and then I'm going to demonstrate its appeal by turning to the problem of constructing a pseudo random permutation from a pseudo random function and show that with swap or not you can prove better bounds than what you can do with FISEL. We have some concrete numbers. If we do 1200 rounds of our cipher, then we can encypher 64 bit strings and give an advantage of less than 10 to the minus 10 even if the adversary queries half the domain. And for social security numbers and credit card numbers, 340 rounds and 500 rounds are enough to make the advantage small even if the number of queries is close to the size of the whole domain. So we're used to seeing security only up to about the square root of the domain size. A nice feature of our cipher is that it works directly on non-binary domains such as credit card numbers and social security numbers. Now the theoretical problem we're going to consider is the problem of constructing a pseudo random permutation from a pseudo random function and this is a problem that's received a lot of attention going back to the famous paper of Luby and Rakoff. Now let me state what's known for encyphering n-bit strings. Luby and Rakoff showed that three rounds of balanced FISEL or four rounds if you want CCA security will give security provided that the number of queries is around the fourth root of the size of the domain. This can be improved to about the square root of the size of the domain. But there's reason to believe that we're not going to be able to prove much better than that for balanced FISEL. For maximally unbalanced FISEL also known as the Thorpe Shuffle, you can improve the exponent to 1 minus epsilon times n. With swap or not, we can get security even if the adversary queries most of the domain. So for this reason, it's a good solution for the format preserving encryption problem which is as follows. Suppose you want to encypher social security numbers or credit card numbers, say their entry is in a database and you want the results to be of the same form, well it's not clear how to do this with something like AES because AES is a permutation but it's a permutation on blocks of 128 bits. It's not clear how to use that to handle these much smaller domains. A good example to consider is the case of social security numbers. So here the size is 10 to the ninth. So that's large enough so that we wouldn't want to have to construct a random permutation using brute force. But the square root, that's the unbalanced FISEL, is only around 30,000 which is not so big. So swap or not provides a good solution to format preserving encryption for these domains of troublesome size. Now our encyphering scheme is based on the card shuffle. So let me say a few words about how you can think of a card shuffle and encyphering scheme as corresponding to one another. So suppose we have a method of shuffling cards. Here I've drawn eight cards. Label the positions as binary numbers going from 0, 0, 0 to 1, 1, 1. Now I do a bunch of shuffles. If the card in position 1, 0, 0 is sent to position 1, 0, 1, then if the message is 0, 1, 0, the encoding is 1, 0, 1. If a card shuffle is going to make a good encyphering scheme then it needs to be what money neural called oblivious which means that you can trace the trajectory of a single card without worrying about what's happening with the other cards. Now here's the swap or not shuffle. At step t choose kt uniformly at random from the set of n-bit strings. Pair each position x with kt x or x and for each pair of positions flip a coin. If the coin lands heads swap the cards at those positions. So notice that kt induces a random matching. Here I've drawn the matching associated with kt equals 1, 0, 0. The way the shuffle works is for each edge in the matching you flip a coin. If the coin lands heads you swap the cards at the endpoints. Here's another way of looking at it. How do we encypher x? Well for each round if the current state is x we're going to pair that with kt x or x. Now choose some canonical representative from the pair say the max. You could use the min, doesn't matter. And call that x hat. Now apply ft to x hat giving a bit b. That's the coin flip. If b equals 1 then we replace x by kt x or x. And we do this for r rounds. How does decryption work? Well notice that each round is its own inverse. So to do decryption you do the same thing except you reverse the order of the rounds. An interesting feature of our cipher is that the result is always of the form x, x-ord with some subset of the ks. But note that it's not linear because this set is chosen nonadaptively in a complicated way. Now some theoretical setup. Suppose you have a random permutation pi and an adversary queries pi and pi inverse then outputs a bit b which is his guess as to whether the permutation is pi or a uniform permutation. His advantage is to find the probability that b is 1 if it's pi minus the probability if it's a uniform permutation. The ncpa advantage is when you limit to adversaries that ask nonadaptive queries and they can only query pi so that they can make only forward queries. With cca advantage there's no such restriction. Well we're going to use a nice theorem of Maurer Piedschak and Renner which says that if you have a cipher with good ncpa advantage if you run that and then you run an independent copy of the inverse then the result has good cca advantage. Now in our context swap or not has the same distribution as its inverse. So this says that we can lift from ncpa security to cca security provided that we simply double the number of rounds. So now let me state our concrete bounds. Well I've given the formula here for the advantage. I just did that so you can see that the constants that we get aren't very big. The summary is down below and it says that if the number of queries is at most 1 minus epsilon times the size of the domain then the advantage is small provided that you do at least big O of n rounds. So here's a plot of the best known upper bounds on cca advantage versus the log of the number of queries for various ciphers. Here the domain is 0, 1 to the 64. So on the left we have 4 rounds of balanced feistel and then 6 rounds of balanced feistel. Next it's 8 passes of the Thorpe shuffle where a pass is defined as n rounds or 64 rounds. Then 20 passes of the Thorpe shuffle. And over on the right we have 8 passes of Swap or Not and 20 passes. Now let me give a sketch of the proof. So by the Maurer-Pietzschak and Renner result we can assume a non-adaptive adversary who makes forward queries. Now suppose for simplicity that he queries 0, 1, 2, 3 and so on. It's related to the following game. Do R Swap or Not shuffles. Now turn over the cards labeled 0, 1, 2, 3 and so on. Now before each step the adversary is going to guess at the location of the next card. If he guesses right he wins k dollars if there were k possibilities. But he pays 1 dollar each step to play. So notice that if this were a uniform permutation then it would be a fair game. I claim that if the adversary's expected net winnings is close to 0 then the adversary has small advantage in the sense I defined earlier. So it remains to show that the adversary's expected net winnings is small. Now I claim that this is true even if when we turn over a card we reveal its entire trajectory. So now suppose the adversary has made his guesses for 0, 1 and 2 so I've turned those over. But I've also shown the adversary where those cards were located at each intermediate stage. This is like turning over cards 0, 1 and 2 initially and then leaving those cards face up throughout the whole process. So the face up cards I'll call those uncovered. Now inside the covered cards, those blue numbers, I've written the expected net winnings if the adversary guesses there. So notice initially we know that the card 3 is in the third position. So he wins 4. It's 5 minus the 1 dollar he paid to play and the others are minus 1s. Now what happens after one step? Suppose that the first kt matches position 3 with the top position. So now we don't know if card 3 was swapped or not in that first step. So the expected winnings becomes the average of 4 and minus 1 in position 3 and also in the top position. The other three covered cards are still minus 1s. So let me write wi for the expected winnings if the adversary guesses i. The key variable is the max over iwi. It turns out it's easier to work with the variable I'll call w which is the sum of the squared wi. And I claim that if the number of queries is at most 1 minus epsilon times the size of the domain then the expected value of this thing at time t plus 1 is at most 1 minus epsilon over 2 times the expected value at time t. So we get this nice geometric decay in the expectation. So after sufficiently many rounds it's likely to be very small and hence so is the max. Now say that a covered card is good if it's matched to another covered card. So this situation is not good because we have a covered card that's matched with a zero. So based on what the zero does we know what the covered card does. So it doesn't change the value of wi. When two covered cards are good if the expected winnings are wi and wj then we replace both by the average which I'll call w bar. Now there's an identity that says if you have two numbers then twice this average squared is equal to a half the sum of squares plus the product. But the thing is these cross terms wi, wj have expectation zero. And that's because any covered card is equally likely to be matched with any other covered card and the sum of the wj is zero. So when we're computing expectations we can ignore these cross terms. And we see that good cards we expect to contribute half as much to the sum of squares after one step. So we're called w is the sum of squares. And we know that good cards we expect to contribute half as much to the sum of squares after one step. Not good cards contribute the full amount to the sum of squares after one step. Now if you work it out it follows that the expected sum of squares at time t plus one given the value at time t is the probability of a covered card being good times a half the value at time t plus the probability of being not good times the full value. Now since the probability of being good plus the probability of being not good equals one this is the same as one minus a half the probability of being good times the value at time t. But we're assuming that a proportion at least epsilon of the cards are not queried. Hence a proportion epsilon of the cards are covered which means the probability of being good is at least epsilon. So we get that the expected sum of squares at time t plus one is at most one minus epsilon over two times the value at time t. So this implies that the expectation decays geometrically as I claimed earlier. This completes the proof sketch. So in the last minute I want to talk about first how to use swap or not to construct a confusion diffusion slipper. So far in the talk I've been assuming the random functions are, I've been assuming that the f t are random functions. To make a confusion diffusion slipper we want to use an f t with a smaller description. What we propose in the paper is to specify f t by an n bit string l t and then define f t of x hat as the inner product of l t and x hat. We don't know how many rounds to suggest to make this into a good slipper. We'd love to hear from crypt analysts on this issue. And finally, how to handle a general domain, a non-binary domain. Suppose that the domain is a finite abelian group g, then the slipper works the same as before except now we choose k t uniformly at random from g and we pair each x with k t minus x. Okay, that's my talk. Thank you very much.