Thank you for the introduction, IK, and thank you to everyone for being here. Today I'm going to be talking about a new definitional framework called public-seed pseudorandom permutations. This is joint work with Stefano Tessaro at UCSB.

The traditional approach to building cryptographic schemes, more so in symmetric cryptography, is to base them on generic building blocks. These blocks are block ciphers like AES or hash functions like SHA-3, and this paradigm has been very successful in practice. Hence applied cryptographers have recently started asking the following question: does there exist a simple building block that suffices for all of symmetric cryptography? The recent trend has been to use a seedless permutation as the basic building block. To cite a few examples, there are constructions of hash functions like Keccak, a variant of which is the SHA-3 standard, of authenticated encryption schemes, of PRFs, and of compression functions that use this permutation pi as their core primitive. Why? This permutation pi is nothing but an efficiently computable, efficiently invertible one-to-one function. These permutations have recently seen a lot of applications, and prominent cryptographers like Joan Daemen have even gone on to call them the Swiss Army knives of cryptography.

These permutations arise in practice in one of two forms. One is via ad hoc constructions which are designed to withstand cryptanalysis; this is the approach taken in constructions like Keccak or NORX. Another is to use an existing block cipher like AES and fix its key to, say, zero. This approach has been used to construct faster hash functions and even fast garbling schemes. So permutations are great in practice, but what about their theoretical foundations? In theory, for a permutation-based construction C, we ideally want to prove a theorem like this: if pi satisfies some security notion X, then C of pi satisfies some security notion Y.
So the question is: what is the notion X that suffices to prove something non-trivial, like collision resistance, for permutation-based constructions like Keccak? Sadly, there are no known standard-model proofs for permutation-based constructions. The only known approach is hence to use the random permutation model, where pi is modeled as a random permutation and the adversary is given only oracle access to both pi and pi inverse. However, random permutations are ideal objects and they cannot even be instantiated. Moreover, random permutation model proofs only give security against generic attacks, where we hope that the adversary is not going to exploit implementation-specific vulnerabilities. This is in stark contrast to the case of hash functions, where, even though the random oracle model is popular, we have a sound understanding of what standard-model assumptions or properties good hash functions can satisfy. When we come to permutations, we do not know of any such properties.

So the question therefore is: what kind of hardness can you expect from a permutation? Note that we cannot expect one-wayness, compression, or even pseudorandomness from a permutation. So in this work we propose the first plausible standard-model security assumption that you can make on permutations, and show that this assumption is useful. More concretely, we give a new definitional framework called public-seed pseudorandom permutations, or PSPRPs for short. In addition, we address two fundamental questions that any new framework like ours should address: first, can we have PSPRPs at all, and second, are they even useful? Note that our definitions are just a conceptual contribution, and they can be easily adapted from the UCE framework for seeded hash functions. However, proving that this notion of PSPRP makes sense and is useful is what we show in this work, and that is where our main technical contributions lie.
So before moving forward, I want to give you a teaser of how we resolve these two fundamental questions. We show in the paper that PSPRP implies a lot of applications. We recover a few of these applications by constructing UCE hash functions, which are known to imply them from previous work. In particular, we construct UCEs via existing practical constructions like sponges. We also investigate what applications can be directly instantiated from PSPRPs, and for that we study efficient garbling from fixed-key block ciphers. And UCEs via the Feistel construction also imply PSPRPs, giving some validity to the existence of PSPRPs.

Okay, so the plan of my talk is to give the PSPRP notion first, then give constructions of PSPRPs and discuss a few of its applications, and finally I'll conclude with a few, in fact many, open questions.

Okay, so the first observation is the same as in the complexity-theoretic analysis of hash functions, which is that we need to extend any primitive to have a seed in order to define non-trivial security notions. So now our basic object is going to be a P which is a tuple of three algorithms, gen, pi and pi inverse, all of them efficient, such that gen takes in a security parameter and outputs a seed. Pi is the forward evaluation algorithm that takes in an input x and a seed s and outputs y. Pi inverse is the backward evaluation algorithm. And I'm going to just write pi with the seed s as pi_s throughout the talk.

So when the seed is kept secret, the traditional security notion that we all know of is that of a pseudorandom permutation, where an efficient distinguisher cannot distinguish whether it's been given access to a permutation P under a seed s or to a random permutation and its inverse. But here the seed is kept secret. If you give the seed to the distinguisher, the notion of PRP completely breaks down. So informally, the way we define security in the public-seed case, which is what we care about, is that we tear the distinguisher into two stages.
The first-stage adversary still plays the PRP game, that is, with oracle access to one of these oracles, and the seed is kept secret; the second-stage adversary learns the seed but has no oracle access, and we allow some information flow between these two stages. This paradigm for defining security was first seen in the UCE framework for seeded hash functions. So UCE is a two-stage security notion for hash functions where the first-stage adversary, called the source, is given access to a hash function or to a truly random function. The source makes multiple queries to its oracle and outputs a leakage to the second-stage adversary, which we are going to call a distinguisher, which in addition, as promised, is going to learn the seed S and output a bit b. And UCE expects that these two worlds be indistinguishable.

To define PSPRP security we are going to adopt the same paradigm, except that now the source is going to get access to a seeded permutation, and hence we need to take care of both forward and backward queries; respectively, in the other world it's going to get access to a random permutation rho and its inverse. The second stage proceeds as before: D gets the leakage and the seed and outputs a bit b. We say that P is PSPRP-secure if for all efficient sources and distinguishers these two worlds are indistinguishable.

Unfortunately, we cannot have security against all sources and distinguishers, because there exists this source that makes a forward query on 0^n, a fixed input, to its oracle, gets the response y, and sets it as leakage; and now the distinguisher, getting this leakage and the seed, is going to output one if and only if y is the image of 0^n under pi_s. So in the left case it's always going to output one; in the right case, why, because this rho is going to be a uniformly random string independent of the seed, so it's going to output one with probability at most 1/2^n.
Therefore S and D can distinguish these two worlds, and we cannot have PSPRP security against all sources. So to define non-trivial security notions we need to restrict sources. So now we say P is PSPRP[calligraphic S]-secure if for all sources in this class calligraphic S and all distinguishers these two worlds are indistinguishable. Okay, so that's our definition.

In particular, in this work we are going to introduce two source classes, which are adapted from the UCE framework: one of unpredictable sources and one of reset-secure sources. Both of these restrictions capture, in some way, that the distinguisher cannot predict the queries made by the source, which is what in the previous case led to the attack, because the distinguisher knew that the source was querying on 0^n. Moreover, the set of unpredictable sources, as you can see, is a subset of the reset-secure sources, and hence PSPRP for reset sources is the stronger assumption.

Okay, so let me define unpredictability first. A source having access to a random permutation rho and its inverse is said to be unpredictable if a predictor A, given the leakage from the source and access to rho and rho inverse, cannot predict any queries made by the source or its inverse, which is what is captured by this game. Moreover, if A is computationally unbounded or computationally bounded, we get two different notions, statistical unpredictability and computational unpredictability, where statistical unpredictability is clearly the stronger restriction. Moreover, we can show, via a technique by Brzuska, Farshim and Mittelbach, that the computational notion of PSPRP security does not make sense if iO exists. So for the rest of the talk I'm only going to focus on PSPRP security for statistically unpredictable sources.
Next, reset security. It's a two-stage, indistinguishability-based notion where in the first world the source and the reset adversary interact with the same random permutation rho and rho inverse, and in the other case the source and the reset adversary interact with independent random permutations rho and rho one. And we say that S is reset-secure if these two worlds are indistinguishable in the eyes of R. And as before, there are going to be two notions, when R is bounded and unbounded, and since computationally unpredictable sources are a subset of computationally reset-secure sources, the computational notion does not make sense, and hence for the rest of the talk I'm going to focus on PSPRP security for statistically reset-secure sources.

So just to recap, if I have lost you on the way: we have defined two new assumptions on permutations, called PSPRP for reset sources and PSPRP for unpredictable sources, where reset security is the stronger notion, or stronger assumption. These are in fact mirror images of the UCE notions for reset-secure sources and unpredictable sources, and these UCE notions have played a central role in UCE theory, and a lot of applications have followed from them. So a natural question is: can these two also play a central role? And in fact they do, and that is what we are going to show next.

So, constructions and applications. We come back to the two fundamental questions that I was talking about. We've defined PSPRP security. Can we have them, and are they even useful? To address the first question we are going to give constructions of PSPRPs from UCEs, and also we are going to give heuristic constructions which we validate in ideal models. To answer the second question we are going to construct UCEs, which will allow us to recover all applications of the UCE framework now from PSPRPs, and as a direct application we're going to study garbling from fixed-key block ciphers.
And in particular I'm going to start with these two, because these reductions between PSPRPs and UCEs have a common technical denominator, which is a new restricted notion of indifferentiability called CP-sequential indifferentiability. So indifferentiability in the traditional sense, for this special case, considers a construction C that uses a random permutation RP as its primitive, and we want C to behave like a random oracle, and we want this in a setting where the adversary can make queries to the construction as well as to the primitive. However, this does not make sense because there is no primitive on the right-hand side. So indifferentiability asks that there exists a simulator that makes these two worlds indistinguishable. So this is the traditional notion. We restrict the notion even further by asking the adversary to make all its construction queries first and then move on to primitive queries, and this notion we define as CP-sequential indifferentiability. We say that a construction C is CP-sequentially indifferentiable from a random oracle if these two worlds are indistinguishable. Clearly full indifferentiability implies CP-sequential indifferentiability, and if you consider the reverse ordering, where you allow the adversary to query the primitive first and then query the construction later, that notion is called sequential indifferentiability, which is incomparable to our work.

So now let's address the question of how you construct UCEs from PSPRPs. Why this new notion that we have defined? So if you are given a construction C that uses a random permutation which is CP-sequentially indifferentiable from a random oracle, and if you instantiate this permutation with a PSPRP, what you get is this construction C^P which is UCE reset-secure. This is what we prove. A similar result was proved by the UCE authors in a follow-up paper, but they required full indifferentiability for this to go through, and they stated it only for UCE domain extension.
As an immediate corollary of our work, every permutation-based indifferentiable hash function now would be a good way to transform a PSPRP into a UCE, and one such construction is the sponge construction, which is the basis of the SHA-3 standard. A result by Bertoni et al. already establishes the indifferentiability of this construction, and hence as a corollary you get that sponge is CP-sequentially indifferentiable from a random oracle, and hence if you instantiate this rho with a PSPRP you get that sponge is now a UCE. This is great because it validates the entire sponge paradigm for UCE applications.

But since we are relying on CP-sequential indifferentiability, we ask if simpler constructions exist, and we show that indeed there is this construction called Chop, which takes in an n-bit input, passes it through the permutation rho, and outputs an r-bit output. We show that this construction is CP-sequentially indifferentiable from a random function; however, this is not completely indifferentiable. If you instantiate rho with pi_s now, which is a PSPRP, what you get is that Chop is a UCE for reset sources. However, there is more to this construction: this construction has a special property, as we show in the paper, that allows us to get UCE for unpredictable sources from PSPRP for unpredictable sources, which is the weaker assumption. However, we are getting something weaker in terms of UCEs, but that also suffices for a lot of applications, as shown by BHK. So Chop is a fixed-input-length function; to get a variable-input-length UCE you can use domain extension techniques from previous works.
So now the second question, which is constructing UCEs from PSPRPs. A similar reduction follows: if you are given a random-oracle-based construction C which is CP-sequentially indifferentiable from a random permutation, and if you instantiate this random oracle by a UCE for reset sources, what you get is a PSPRP for reset sources. Okay, and an immediate corollary is that if you have a hash-function-based indifferentiable permutation, it's a good way to transform a UCE into a PSPRP, and one such construction is that of Feistel. There is a long-standing line of work on Feistel which establishes full indifferentiability. The state of the art is that we know eight rounds suffice for full indifferentiability. So eight rounds suffice to transform a UCE into a PSPRP; therefore PSPRPs now exist in the standard model if UCEs do, which is great. But since we are relying only on CP-sequential indifferentiability for this transformation, we ask if a round number lower than eight suffices, and we show in this work that five is indeed sufficient, because CP-sequential indifferentiability can be achieved at five rounds already. So if you have a UCE for reset sources and pass it through a five-round Feistel, what you get is a PSPRP for reset sources. Okay, our five-round proof is the most technically involved result of the paper; however, I'm not going to go into the details because I think I'm running out of time. Our simulator also relies on chain completion techniques from previous works, and it heavily exploits the query ordering, in the sense that the adversary does not query the construction after making its primitive queries, and we have to, in the process, introduce new chain completion techniques to get away with the low round number. And there is this open question: do four rounds suffice for transforming a UCE into a PSPRP?

Okay, we showed PSPRPs can go through Feistel, but that's not how you would want to come up with an instantiation in practice. In practice you may want to work with a block cipher, and a natural way to get a PSPRP from a block cipher is to use the key of the block cipher as the seed. We show that this is a good way to get a PSPRP in the ideal cipher model. Another primitive is to start with the Keccak permutation. These permutations are very efficient in practice, but they don't have a seed, so we say that if you extend these permutations to have a seed via the Even-Mansour construction, then that's a good way to get a PSPRP, and we validate this in the random permutation model. Note that we are validating everything in ideal models because we do not have standard-model assumptions on block ciphers and permutations.

As a direct application, we study the application of garbling, which is known to have applications as far as multi-party computation. We study fast garbling from BHKR, which only makes calls to fixed-key block ciphers and hence is very fast, but they have a proof in the random permutation model. We show that if you replace the fixed-key block cipher with a PSPRP for a random seed, what you get is secure garbling in the standard model. So we port that proof from the random permutation model to the standard model, and this shows that PSPRPs are useful beyond just recovering applications of the UCE framework.

Okay, so finally, concluding: we introduce the notion of PSPRPs, which is the framework that introduces the first standard-model assumption on permutations. We discuss constructions of PSPRPs and their applications. There are a few open questions in this area. One is: can PSPRPs enable other applications like PRNGs, authenticated encryption? Another one is to resolve the round complexity of Feistel for PSPRPs; we show that five is sufficient, we don't know if four works. Public-seed pseudorandomness is a general paradigm which allows us to get PSPRPs and UCEs as special cases; this is the paradigm that we define in the paper, and as a special case one can now consider a public-seed ideal cipher, but we do not know if it has any applications. And finally, we realize that PSPRPs are a strong notion, so simpler assumptions on permutations that maybe allow you to prove collision resistance of the SHA-3 hash function is another open question. Thank you.

Okay, any question or comment? Okay, there is one question in the back.

So should we call UCEs public-seed PRPs now?

So they are public-seed hash functions, yes, they are public-seed PRFs, exactly. So you're already getting familiar with that notion. Thank you.
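The two-stage PSPRP game, the 0^n attack that rules out security against all sources, and the unpredictability (predictor) game from the talk, as an added toy simulation on an 8-bit domain. This is example code written for this page, not code from the paper or its authors. The seeded permutation is an Even-Mansour-style whitening of a fixed public permutation, in the spirit of the seeding the talk suggests for Keccak-style permutations; the public permutation, the RNG seeds, the source and predictor strategies, and all function names other than the talk's gen / pi / pi inverse triple are constructed for this example. The last two experiments go slightly beyond the talk: a source that queries a random point but leaks the full output is still predictable, since the predictor can invert the leakage with rho inverse, whereas leaking only r bits of the output (Chop-style truncation) drops this one-guess predictor's success to about 2^-(n-r).

```python
import random

N_BITS = 8
DOMAIN = 1 << N_BITS

def _perm_pair(rng):
    """A random permutation on DOMAIN and its inverse, as lookup tables."""
    table = list(range(DOMAIN))
    rng.shuffle(table)
    inv = [0] * DOMAIN
    for x, y in enumerate(table):
        inv[y] = x
    return table, inv

# Fixed public permutation P standing in for an unkeyed permutation such as
# Keccak-f; built from a constructed RNG seed so the example is reproducible.
_P, _P_INV = _perm_pair(random.Random(0xC0FFEE))

def gen(rng):
    """Seed generation: two n-bit whitening keys (Even-Mansour-style seeding)."""
    return (rng.randrange(DOMAIN), rng.randrange(DOMAIN))

def pi(seed, x):
    """Forward evaluation pi_s(x) = P(x xor k1) xor k2."""
    k1, k2 = seed
    return _P[x ^ k1] ^ k2

def pi_inv(seed, y):
    k1, k2 = seed
    return _P_INV[y ^ k2] ^ k1

def psprp_game(source, distinguisher, world, rng):
    """World 0: source talks to pi_s / pi_s^-1 with the seed hidden.  World 1: a
    fresh random rho / rho^-1.  D then gets leakage and seed, but no oracle."""
    seed = gen(rng)
    if world == 0:
        fwd, bwd = (lambda x: pi(seed, x)), (lambda y: pi_inv(seed, y))
    else:
        rho, rho_inv = _perm_pair(rng)
        fwd, bwd = rho.__getitem__, rho_inv.__getitem__
    return distinguisher(source(fwd, bwd, rng), seed)

def psprp_advantage(source, distinguisher, trials, rng):
    # Estimate |Pr[D -> 1 in world 0] - Pr[D -> 1 in world 1]|.
    ones = [0, 0]
    for world in (0, 1):
        for _ in range(trials):
            ones[world] += psprp_game(source, distinguisher, world, rng)
    return abs(ones[0] - ones[1]) / trials

# The attack from the talk: query the fixed point 0^n and leak the answer; the
# distinguisher, knowing the seed, checks whether the leakage equals pi_s(0^n).
def fixed_query_source(fwd, bwd, rng):
    return fwd(0)
def fixed_query_distinguisher(leakage, seed):
    return int(leakage == pi(seed, 0))

def predictor_game(source, predictor, rng):
    """Source talks to random rho; predictor gets leakage plus rho / rho^-1 and
    wins if it names a queried point (forward input or backward output)."""
    rho, rho_inv = _perm_pair(rng)
    queried = set()
    def fwd(x):
        queried.add(x)
        return rho[x]
    def bwd(y):
        queried.add(rho_inv[y])
        return rho_inv[y]
    leakage = source(fwd, bwd, rng)
    return int(predictor(leakage, rho.__getitem__, rho_inv.__getitem__) in queried)

def predictor_win_rate(source, predictor, trials, rng):
    return sum(predictor_game(source, predictor, rng) for _ in range(trials)) / trials

# Querying a random point but leaking the full output is still predictable: the
# predictor simply inverts the leakage with rho^-1.
def random_query_source(fwd, bwd, rng):
    return fwd(rng.randrange(DOMAIN))
def invert_predictor(leakage, fwd, bwd):
    return bwd(leakage)

# Leaking only the top r bits (Chop-style truncation) leaves 2^(n-r) outputs that
# match the leakage; a one-guess predictor wins with probability about 2^-(n-r).
CHOP_BITS = 4
def chop_source(fwd, bwd, rng):
    return fwd(rng.randrange(DOMAIN)) >> (N_BITS - CHOP_BITS)
def chop_predictor(leakage, fwd, bwd):
    return bwd(leakage << (N_BITS - CHOP_BITS))  # the candidate with low bits zero

def run_demo(trials=2000, rng_seed=1):
    # Runs the four experiments with a constructed RNG seed and returns the rates.
    rng = random.Random(rng_seed)
    return {
        "fixed_query_advantage": psprp_advantage(fixed_query_source, fixed_query_distinguisher, trials, rng),
        "predict_fixed_query": predictor_win_rate(fixed_query_source, lambda l, f, b: 0, trials, rng),
        "predict_full_leak": predictor_win_rate(random_query_source, invert_predictor, trials, rng),
        "predict_chopped_leak": predictor_win_rate(chop_source, chop_predictor, trials, rng),
    }

if __name__ == "__main__":
    for name, rate in run_demo().items():
        print(f"{name}: {rate:.3f}")
```

Running `run_demo()` gives a fixed-query advantage close to 1 (the distinguisher is right in world 0 always and wrong in world 1 only when the random rho happens to agree with pi_s on 0^n, probability 1/2^n), predictor win rates of exactly 1 for the fixed-query source and for the full-leak random-query source, and a rate near 1/16 for the chopped leak. The toy domain is far too small for the truncated leakage to be a meaningful security margin; the point is only to make the source restriction and the role of backward oracle access concrete.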