And we move to the next talk, which is called Efficient Public-Key Distance Bounding Protocol, by Handan Kılınç and Serge Vaudenay. And Handan is giving the talk.

Thank you, everyone. Today, I'm going to present you our new distance-bounding protocol, as you see from the title. First of all, I want to give a quick introduction about distance bounding. So all of the applications that you see on the slide are actually in our daily lives. And the common feature of all of them is that they let us authenticate without contact. Unfortunately, all these applications are vulnerable to relay attacks. I want to explain it with the following scenario. Here we have Butters, our victim. And also we have our adversary, Cartman, here. And Butters has the credit card. And Cartman just comes close to our victim. And then he also has his phone. And we also have Cartman's friend in this firm market, who waits for the signal from Cartman. And after they pair the phone and credit card and also this phone and the payment terminal, Cartman receives a signal from Butters' credit card. And then he just relays it to his friend's phone. And his friend's phone relays it to the payment terminal. And the same happens in the reverse order as well. Like that, in the end, Cartman is able to do payment with Butters' credit card without his permission.

So the most promising solution for this is a distance-bounding protocol. And it was introduced by Brands and Chaum. And it has a very simple idea. We have two parties, verifier and prover. And in distance bounding, the prover authenticates himself and also proves his proximity. And we have two types of distance bounding, public-key distance bounding and symmetric-key distance bounding. In the symmetric case, the verifier and the prover share a secret. And in the public-key case, the prover and the verifier know each other's public key.
And in most of the applications, it is more feasible to use public-key distance bounding because we cannot always assume that the two parties share a secret. However, public-key distance bounding, sorry, public-key crypto has some problems. It is slower than symmetric-key operations. And also, the devices on which we use distance bounding have limited resources. Therefore, it is very important to construct efficient public-key distance bounding. So we want to have fewer public-key operations while preserving the security.

And this is the outline of my presentation. First, I will give formal definitions about public-key distance bounding. Then I will explain our new weak authenticated key agreement model, which we use in our protocol. And then I will describe our constructions, the new protocol, Eff-pkDB, and its private variant. And I will finalize my presentation with a conclusion.

OK, first, let's define what public-key distance bounding is more formally. So we have B. It is a distance bound, which is known by all the algorithms in the protocol. And we have two key generation algorithms, KV and KP. They generate a secret key/public key pair for the verifier and the prover. And also, we have the other algorithms, the verifier algorithm and the prover algorithm. At the end of the execution of the verifier algorithm, the verifier outputs a bit Out_V and the private output PKP. And Out_V means either reject or accept.

Now I will describe the security model of distance bounding. We consider several security issues here. The first one is man-in-the-middle. So what we basically want here is to protect an honest and far-away prover from the adversary. And it is defined with a game. So in the game, we first generate the secret key and public key of the prover and the verifier, and send the public keys to the adversary. And in this scheme, we consider all of the instances of the verifier and the provers.
What I mean by an instance is that it is each new execution of the prover algorithm and the verifier algorithm. For example, it is an instance where the prover algorithm is run when the prover is far away from the verifier, and here is the adversary. And this is another instance where the prover is just close to the verifier, and so on. And among all of these instances, we consider one of them as the distinguished one, under the condition that there is no close and honest prover to the verifier. And at the end of the game, if the distinguished verifier accepts the prover and outputs its public key, then the adversary wins. And if a distance-bounding protocol is man-in-the-middle secure, the success probability of the adversary should be negligible.

And the other security model is distance fraud. In distance fraud, we want to prevent a malicious and far-away prover from authenticating himself. And again, we define it with a game. Here, we first generate the verifier's key and send the public key of the verifier to the adversary. Here, our adversary is the prover. And then the prover just generates his secret key and public key with an arbitrary algorithm. Again, we consider all of the instances of verifier and prover. For example, here, he is far away, and here, he is close, and so on. And among all of them, one of them is the distinguished one, where we look at the output of this distinguished verifier. And in this distinguished one, there shouldn't be any close prover to the verifier. And in the end, if the distinguished verifier accepts the prover, then the adversary wins. And we want the success probability of the adversary in this game to be negligible.

And the last security model is distance hijacking. Actually, this is the more generalized version of distance fraud. Here, we want to prevent a far-away and malicious prover from authenticating himself by taking advantage of a close and honest prover.
And again, we define a game for this model. So, we generate the public key and secret key pair of the verifier and the honest prover. The honest prover is represented by P' here, and then we send the public keys to the adversary. Here, the adversary is P. Then the adversary, the prover, generates his secret key/public key pair by an arbitrary algorithm. And as in the previous games, we again consider all the instances. For example, here, the honest prover is close to the verifier and the malicious one is far away. And here, both of them are close, and so on. And among all of them, we consider one of them as the distinguished one, under the condition that there is no close and malicious prover to the verifier. And in the end, if the distinguished verifier accepts the malicious prover, then this prover wins. And as in the previous games, we want the success probability of the adversary to be negligible in this game to have distance hijacking security.

Okay, lastly, I want to define the privacy very briefly. So we use the HPVP model here. And basically what happens here is that we have many provers and an adversary. And the adversary can corrupt any provers, which means that he can learn their secret keys. And at some moment, he just picks two provers and sends them as a challenge. And the challenger simulates one of them. And at the end of the game, if the adversary can recognize who is simulated by the challenger, then he wins. And if a distance-bounding protocol is strong private, the advantage of the adversary in this game should be negligible.

And before proceeding to the next section, I would like to give an overview of our protocol. So in our protocol, what we do is that first the verifier and the prover agree on a secret S by a key agreement protocol. And then they run a symmetric-key distance-bounding protocol with the agreed key S. So the part where we need public-key operations is this key agreement part.
And we wonder what we really need from this key agreement protocol to achieve MiM security, DF security and DH security. When we look at the previous key agreement protocol security models, CK and eCK, and also the protocols here which achieve this level of security, we see that the efficiency actually is not good. Here efficiency shows the number of exponentiations done. And we wonder, do we really need that level of security from this key agreement protocol? And the answer is no. Therefore we define weak authenticated key agreement.

In weak authenticated key agreement, we have only one message, which is sent by party B. And this message is picked from the distribution D. And after receiving this N, they both compute the secret S by running the algorithms A and B. So this is the framework of a one-pass key agreement protocol. And also we define a security model for that by defining a game. And the name of our game is the D-AKA game, decisional authenticated key agreement. Here the challenger first generates the keys for the parties A and B. And then we also have oracle B and oracle A. So oracle B takes as input the secret key and public key of party B. And oracle A takes as input the secret key and public key of party A. And we have these oracles, which run the algorithms B and A. After that, the challenger just sends PKA to oracle B, and oracle B sends N and S0. So N is picked from this distribution and S0 is the output of B. And also he randomly picks a secret S1. Then he just picks a bit b. And then he sends this Sb and PKB and PK to the adversary. So here Sb is either randomly picked or it is generated by the algorithm B. The adversary can access all these oracles, except that he cannot input PKB and N to oracle A. At the end of the game, he outputs a bit b', and if b' equals b, he wins. So if a one-pass key agreement protocol is D-AKA secure, the advantage of the adversary should be negligible in this game.
And also we define D-AKA privacy for a one-pass key agreement protocol. Here we want to protect the privacy of party B. So here the challenger generates the keys for A and B. And we have only oracle A. After that, the challenger sends PKA and also the secret key and public key of party B to the adversary. The adversary also generates a secret key and public key pair for party B and sends them to the challenger. After that, the challenger picks a bit b, picks the message N from the distribution D, and runs the algorithm B, either with the secret key that he generated or with the secret key/public key pair that the adversary generated. And then he sends S, the output of B, to the adversary. The adversary can access oracle A and in the end outputs a bit b'. If b' equals b, then he wins. If a key agreement protocol is D-AKA private, the advantage of the adversary in this game should be negligible. So basically here the adversary knows the secret keys, but he shouldn't be able to distinguish which secret key is used.

Okay. And also we propose a one-pass key agreement protocol which is D-AKA secure and D-AKA private. We call it Nonce-DH. In Nonce-DH we have public parameters, a prime-order group and its generator g. And the parties pick their secret keys from Z_q, and the public key is just g to the secret key. After that, party B picks a message from L-bit strings and sends it to party A, and then they compute this function H. So if you look at the inputs of the function H, you will see that they are equal. And we prove that this protocol, Nonce-DH, is D-AKA secure and D-AKA private in the random oracle model, assuming that the Gap Diffie-Hellman problem is hard. And so now we can look at the previous pay protocols and our protocol. As you see, we are much more efficient. We only need one exponentiation. We have weaker security, but it's not a problem. It is enough for our purposes, because our main purpose is to construct a secure distance-bounding protocol.

Okay. Now I can explain what our protocol is.
The first one is Eff-pkDB. Here the prover just picks N from the distribution D and sends N and his public key to the verifier. And then the verifier and the prover generate the secret S using the algorithms A and B. After that, they run a symmetric distance-bounding protocol using this S that they generated. And after that, the verifier just outputs his message, which is either reject or accept. And we prove that Eff-pkDB is MiM secure, DF secure and DH secure under the conditions that you see here, the bold ones. For example, when we look at MiM security, we need symDB to be one-time MiM secure. And we want the key agreement protocol to be D-AKA secure. So what I mean by one-time MiM secure is that it is enough to have security, MiM security, even, how can I explain? So if we run symDB one time, it is secure. So if we run it a second time, it is not secure anymore, which is a weaker security notion than normal MiM security. So basically, from a weaker distance-bounding protocol, symDB, we can construct full MiM security.

This is the private variant, which is very simple. Here the prover's public key has two parts, PKV1 and PKV2. So here, as usual, the prover generates N and encrypts this N with his public key, with the public key of the verifier, and sends it to the verifier. And then the verifier decrypts and learns the messages, then they generate the secret S and run a symmetric-key distance-bounding protocol with this S. Here PKP is the private output of the verifier. And we prove that the private variant of Eff-pkDB is strong private in the HPVP model if the key agreement protocol is D-AKA private and the cryptosystem is IND-CCA secure.

So I gave you a framework for our protocol. What I said is that we first need to use the key agreement protocol and then run a symmetric-key distance bounding. So this is an instance of our framework for Eff-pkDB. So for the key agreement protocol we can use Nonce-DH; the pink part is Nonce-DH, which I explained already.
And then for the symmetric-key distance bounding we can use OTDB, which is a one-time secure distance-bounding protocol. And how does it work? Here first the verifier picks a nonce and sends it to the prover. After that, they XOR the secret S and the nonce and get A. And then the challenge phase begins. In the challenge phase, the verifier sends the bit c_i, which is the challenge, and starts the timer. After receiving it, the prover computes the response like that and sends the response to the verifier, and the verifier stops the timer. After N rounds like that, the verifier checks if all the responses arrived on time, by checking if the round-trip time is less than 2B or not, and checks if all the responses are correct. So if everything is okay, the verifier accepts the prover and outputs his message.

And I want to conclude my presentation by comparing our distance-bounding protocol with the previous ones. So here you see columns for security, privacy and the public-key operations needed to compute this distance-bounding protocol, as the number of computations required. So for example, when we look at HPO and our private variant of Eff-pkDB, we have stronger security and stronger privacy, and we need fewer operations on the prover side. And the security of PrivDB is the same as our private variant of Eff-pkDB, and we are slightly more efficient than it. And also we have one more advantage over PrivDB, which is that we also have a non-private variant, Eff-pkDB. Like that, since not all applications require privacy, in this case it is feasible to use Eff-pkDB instead of the private variant of Eff-pkDB.

And this is the end of my presentation, and I would like to conclude my presentation with an announcement. So our lab is searching for postdocs. We are at EPFL. So if you want to apply for it, or if you know someone who wants to apply, this is the contact. Thank you for your attention.

We have time for one question.
Just, did you consider removing the gap assumption using the twin Diffie-Hellman trick?

Sorry, I didn't hear it.

Did you consider removing the gap assumption from your protocol using the computational Diffie-Hellman assumption, for example?

We couldn't prove it with computational Diffie-Hellman. If it's right, it didn't work.

Even with the Cash-Kiltz-Shoup technique?

We didn't try that one.

Okay, let's thank Handan again.