Hi everyone, my name is Tetsu Iwata, and I will present our work on beyond-birthday-bound secure cryptographic permutations from ideal ciphers with long keys. This is joint work with Ryota Nakamichi. This talk is about cryptographic permutations, or CPs. A CP is a non-keyed public permutation that is designed to behave like a public random permutation. It is the core primitive of permutation-based crypto: it is used in sponge constructions, and it is used as a primitive to construct hash functions, encryption schemes, message authentication codes, and authenticated encryption schemes. We write n-CP for a cryptographic permutation over n bits, so an n-CP is just a permutation with an n-bit input and an n-bit output. We want secure and efficient constructions, and in practice we have many proposals of dedicated designs as the primitive: the permutation of SHA-3, the 384-bit permutation Gimli, and many others. In this work we are interested in provably secure designs. There are constructions by Coron et al. and by Guo and Lin, and both constructions use ideal ciphers. An ideal cipher is an ideally secure block cipher: an ideal cipher P is a mapping from k-bit keys and n-bit plaintexts to n-bit ciphertexts, and if we fix the key K, then P_K is a random permutation over n bits. We write this as a (k, n)-IC, but we are more interested in the case where the key length is κn bits for some κ ≥ 1, as in this figure, which has κ lines of n bits as the key. This is the construction of Coron et al.: it is a 2n-CP that uses (n, n)-ICs. The ideal ciphers are used in an unkeyed way, because the key input is simply one of the inputs of the construction, and the entire construction is a non-keyed permutation. The security was analyzed in the indifferentiability framework of Maurer et al., and it was shown that with two rounds the construction is insecure, and with three rounds the construction has birthday-bound security, where q is the number of queries.
We can also consider the more general case of a domain extender for the ideal cipher, where the construction takes a k-bit key as input, which is used as part of the key input of the ideal ciphers. That construction is a keyed permutation, but in this work we focus on constructing a cryptographic permutation, so we consider the case k = 0. This is the construction of Guo and Lin: it is a dn-CP that uses (κn, n)-ICs. So there are κ lines here, and d = κ + 1. Here we consider ideal ciphers with long keys. The security was analyzed in the indifferentiability framework, and it was shown that with 2d-2 rounds the construction is insecure, and with 2d-1 rounds the construction has birthday-bound security. Again, they also consider the domain extender, but in this work we focus on constructing a cryptographic permutation. This table summarizes the previous results, including those of Guo and Lin, and in both results q has to be at most 2^{n/2}; this is called birthday-bound security. The question we ask in this work is whether we have a construction with stronger security, namely a construction with beyond-birthday-bound security. In this work we show it for 2n-CPs: by adding two more rounds to the construction of Coron et al., we have full n-bit security. In the general case of 2d+2l-1 rounds, where l is a parameter between 1 and d-1, we have these security bounds, but we need the assumption that q is at most 2^n. These two results are special cases of this general case, because this one corresponds to these parameters and this one corresponds to the case l = 1.
As far as we know, our result is the first cryptographic permutation that is built from n-bit ideal ciphers and has a full n-bit indifferentiability security bound. Now let me present the implications with practical parameters. We fix n = 128. If we have an (n, n)-IC, this parameter corresponds to AES-128 for instance, we obtain a 256-bit CP, and we have 128-bit security with five rounds. If we start from a (2n, n)-IC, AES-256 could be an example, we obtain a 384-bit CP, and we have 128-bit security with seven rounds. With nine rounds we have a stronger security bound, but we still need the assumption that q is at most 2^128. If we start from a (3n, n)-IC, like SKINNY-128-384, we obtain a 512-bit CP, and we have these security bounds. We remark that the block ciphers have to be somehow tweaked so that we have independent ideal ciphers, and we would also like to remark that we are not proposing these instantiations; we use them only to illustrate the practical parameters. They are not efficient, and for instance it is known that AES-256 does not behave like an ideal cipher. Here let me clarify the relation to previous work. Minematsu and I analyzed the related construction in this figure, which is very similar to the construction we study in this work. In the previous work the primitive is a keyed tweakable block cipher, so the adversary does not have access to the primitive, and the security was analyzed in the indistinguishability framework. In this paper the primitive is an ideal cipher, so the adversary has oracle access to it, and we analyze the security in the indifferentiability framework of Maurer et al. In the real world, the adversary has a construction oracle and primitive oracles. The adversary can make construction queries and primitive queries, and the construction oracle also makes primitive queries. In the ideal world, the adversary has oracle access to a random permutation and to the simulator.
The goal of the simulator is to mimic the primitive oracles, and the simulator can make queries to the random permutation oracle. The goal of the adversary is to distinguish the two worlds, and we measure its success probability with this advantage function. We say that the construction Φ is (q_c, q_p, ε)-indifferentiable from a random permutation if there exists a simulator S such that for any adversary A the advantage is at most ε, where the adversary makes at most q_c construction queries and at most q_p primitive queries. We use Patarin's coefficient H technique and its refinement by Chen and Steinberger in our security proof. We partition all the transcripts that have non-zero probability in the ideal world into good transcripts and bad transcripts. We then compute ε_1 from the ratio of the interpolation probabilities of a good transcript, and ε_2 from an upper bound on the probability of having a bad transcript in the ideal world, and we obtain the upper bound on the advantage. Now I would like to present an overview of our security proof. We use the example of d = 3 and l = 1, in which case we consider a seven-round construction. Here is the seven-round construction, and we also have seven ideal ciphers as the primitive oracles. Our approach is to give all the internal variables of the construction to the adversary through primitive queries, and we force the adversary to make a primitive query immediately after a construction query. We show the theorem against adversaries that make these extra primitive queries, and during the proof we formalize the concepts of upper and lower queries to complete the proof. Let us first see how we define the oracles in the real world. Assume that the adversary makes a primitive query (+, P_4, x_{4,5,6}), where x_{4,5,6} is shorthand for (x_4, x_5, x_6), so the adversary is requesting the value of x_7. We compute x_3, x_2, and x_1 with the backward direction of P_3, P_2, and P_1.
We also compute x_7 to x_10 with the forward direction of P_4 to P_7, and we give everything to the adversary. Here is another example, where the adversary makes a primitive query (+, P_1, x_{1,2,3}), requesting the value of x_4, but we compute all the values x_4 to x_10 and give all of them to the adversary. If the adversary makes a construction query (+, x_{1,2,3}), meaning that the adversary is requesting the value of x_{8,9,10}, the construction oracle makes this primitive query and returns x_{8,9,10}, which is part of the answer to the primitive query. Right after this, the adversary makes this primitive query. This is how we define the oracles in the real world. Next, let us see how we define the oracles in the ideal world. Assume that the adversary makes a primitive query (+, P_4, x_{4,5,6}), requesting the value of x_7, and we have to define a simulator that simulates the primitive oracles. Here we compute x_3, x_2, and x_1 with the backward direction of P_3, P_2, and P_1, and we also compute x_7 with P_4 in the forward direction. Now the simulator makes a query to the random permutation to compute x_{8,9,10}, and returns everything to the adversary. We say that a primitive query is an upper query if it contains one of these values, regardless of the query direction. For those queries the simulation is similar to this case, where we use the forward direction of the random permutation to compute x_{8,9,10}. On the other hand, we say that a primitive query is a lower query if it contains one of these values, regardless of the query direction. For those queries the simulator uses the backward direction of the random permutation to compute x_{1,2,3}. Now a transcript can be summarized as all the values x_1 to x_10 from the first query to the last query. In the real world, we see that these inequalities hold, because this corresponds to the input, this corresponds to the state here, this corresponds to here, and so on, and because the construction is a permutation, these collisions are impossible.
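The construction and the real-world oracle described above, as an added Python model that is not code from the paper or its authors. Each P_i is a lazily sampled ideal cipher rather than a real block cipher; the wiring (x_i is the plaintext of P_i and x_{i+1}, ..., x_{i+d-1} form its (d-1)n-bit key, so that P_4 on (x_4, x_5, x_6) yields x_7 and P_3 run backward on the same words yields x_3) is my reading of the figure and is an assumption, and the names rounds, cp_forward, cp_inverse and primitive_query are mine.

```python
import random

class IdealCipher:
    """Lazily sampled ideal cipher on n-bit blocks: each key selects an
    independent random permutation, sampled on demand (no real block cipher)."""
    def __init__(self, n, seed):
        self.n, self.rng = n, random.Random(seed)  # seed only for reproducibility
        self.fwd, self.bwd = {}, {}                 # (key, x) -> y, (key, y) -> x
    def _query(self, key, v, table, other):
        # table: direction being asked; other: reverse table (keeps a permutation)
        if (key, v) not in table:
            w = self.rng.getrandbits(self.n)
            while (key, w) in other:                # resample on a collision
                w = self.rng.getrandbits(self.n)
            table[(key, v)], other[(key, w)] = w, v
        return table[(key, v)]
    def enc(self, key, x):
        return self._query(key, x, self.fwd, self.bwd)
    def dec(self, key, y):
        return self._query(key, y, self.bwd, self.fwd)

def rounds(d, l):
    """Rounds of the general construction, 2d + 2l - 1 with 1 <= l <= d - 1."""
    return 2 * d + 2 * l - 1

def cp_forward(ics, d, words):
    """Round i (0-based) sets x_{i+d} = P_i(key = x_{i+1}..x_{i+d-1}, plaintext = x_i).
    Returns every internal word x_0..x_{r+d-1}; the last d words are the output."""
    s = list(words)
    for i, p in enumerate(ics):
        s.append(p.enc(tuple(s[i + 1:i + d]), s[i]))
    return s

def cp_inverse(ics, d, words):
    """Inverse: recover x_i by decrypting x_{i+d} under key x_{i+1}..x_{i+d-1}."""
    s = list(words)
    for i in reversed(range(len(ics))):
        s.insert(0, ics[i].dec(tuple(s[:d - 1]), s[d - 1]))
    return s

def primitive_query(ics, d, i, words):
    """Real-world oracle of the proof: a query to P_i (0-based) on its d input words
    is answered with all internal words (P_{i-1}..P_0 backward, P_i..P_{r-1} forward)."""
    s = list(words)
    for j in range(i - 1, -1, -1):
        s.insert(0, ics[j].dec(tuple(s[:d - 1]), s[d - 1]))
    for j in range(i, len(ics)):
        s.append(ics[j].enc(tuple(s[j + 1:j + d]), s[j]))
    return s
```

With d = 3 and l = 1 this gives the seven-round 3n-bit construction of the proof overview; a query to the fourth cipher on (x_4, x_5, x_6) returns the same ten words that a construction query on (x_1, x_2, x_3) would produce internally.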
However, in the ideal world we may have these blue collisions if the i-th query is an upper query, and we may have these red collisions if the i-th query is a lower query. So we define the transcript to be bad if we have one of these collisions. We will not discuss the general case, but these are the high-level ideas of our proof, and with all these definitions of the simulator and the bad transcripts we can complete the security proof. We can show that the upper bound on the probability of having a bad transcript is given by this, where we use this assumption to derive the bound. We can also show the lower bound on the ratio of the interpolation probabilities for any good transcript, and we obtain the final bound from the coefficient H technique. Now let me conclude this presentation. In this work we showed that with 2d+2l-1 rounds we have this security bound, provided that the number of queries is at most 2^n. There are several open questions. The tightness is not known: for instance, we do not know if there is an attack with 2^n queries against the 2n-bit construction with five rounds. We also do not know if the condition on the number of queries can be removed, and the tightness of the number of rounds is also not known: for instance, we do not know the security of the 2n-bit construction with four rounds. Finally, this paper and the previous results assume independent ideal ciphers, and the security of the construction obtained from one ideal cipher is left as an open question. This is the end of this presentation, and thank you for your attention.