Okay, thanks for the introduction. I'm going to talk about this heavy hammer that Stefano was talking about, and so we've seen a bit already, but I will nevertheless introduce it in my own terminology. Two basic primitives in symmetric crypto are pseudorandom permutations, like block ciphers, and pseudorandom functions, and historically it is a topic in symmetric crypto to relate these two primitives. This dates back to the Luby-Rackoff construction, the Feistel networks, which use a PRF and design a PRP on top of this. However, if you look at it, it makes more sense to do it the other way around, because people know how to build a PRP and don't know how to natively build an efficient PRF. So in this work we look at the other way around, and a very famous construction in this direction was the one that Stefano showed two slides ago: the sum of permutations, or the XOR of permutations. So, quickly going over it: we have two block cipher calls, calling it with a secret key, P1 and P2. The input goes into both and the outputs get XORed. The scheme dates back to Bellare et al. in 1998, and various results, including the one from two slides back (I didn't add it, I'm sorry), prove optimal security of the scheme. There's many applications. There is also a variant with a single-key primitive which uses one block cipher evaluation, and the input gets just prepended with a bit to do the domain separation. And at CRYPTO last year, Cogliati and Seurin introduced Encrypted Davies-Meyer, and Encrypted Davies-Meyer also uses two block cipher calls with a secret key, P1 and P2. The input value goes into the first block cipher call, and then it gets fed forward over the first call, and then the resulting value gets encrypted again. Cogliati and Seurin proved security up to 2^(2n/3) queries and conjectured that this construction is in fact optimally secure. And they actually had EDM as a side result.
Namely, they focused on Encrypted Wegman-Carter with Davies-Meyer, conveniently abbreviated to EWCDM, and essentially it's a nonce-based MAC function. It gets as its input the nonce; the nonce goes through EDM, and in the middle you XOR a universal hash function evaluated on the message. And also this MAC function was proven secure up to 2^(2n/3) and conjectured to be optimally secure. And in this work we prove optimal security, up to some small loss. More in detail, we prove that Encrypted Davies-Meyer and Encrypted Davies-Meyer Dual are secure up to 2^n divided by... so 2^n divided by a small logarithmic loss. In addition, we look at Encrypted Davies-Meyer (so forget about the dashed line) and we thought, well, it makes more sense to do the feed-forward over the second block cipher call. So if you look at the dual, so this is what we call Encrypted Davies-Meyer Dual: it's the same construction, but then the feed-forward goes over the second block cipher call. We proved that Encrypted Davies-Meyer Dual, which is equally efficient, is optimally secure, and those are the main contributions of our work. In an earlier version we also had a dual of the MAC function, but Mridul found, pointed out, that we made a very stupid mistake in the proof, so we removed that scheme. Sort of a footnote, but the main focus is Encrypted Davies-Meyer and Encrypted Davies-Meyer Dual, and the backbone of the analysis is that this heavy hammer is mirror theory, and I think mirror theory is a very powerful approach to achieving optimal security. At a high level the idea is essentially a combinatorial problem. So suppose we have, in this case, r unknowns. So this beautiful P, a gothic P, denotes r distinct unknowns: we know that they're distinct, but they are unknown, and we have q equations over these r unknowns of this form, so P_{a_i} + P_{b_i} = λ_i, and the lambdas are of course known. So we have r unknowns and q
equations, and there is some implicit surjection, so if for instance φ(a_1) = φ(a_2), these are the same unknowns. So there is an implicit surjection here, but essentially the problem is: we have q equations over r unknowns, and the goal is to derive a lower bound on the number of solutions to the unknowns such that they are all distinct. It's a very combinatorial problem, right? But it has many applications, and Patarin derived an extremely powerful lower bound on this number of solutions. But for some reason it has remained unnoticed in the field of crypto for a long time. So it was introduced back in 2003, and it has been used in some articles, but not many. And to give you an impression of how unknown it has remained since the introduction 14 years ago, I added a list of all results that use Patarin's mirror theory. So it starts of course with the original publication; it was still a suboptimal bound in 2003. Later Patarin used it in 2004; Patarin used it in 2005 for optimal security; next, Patarin and Montreuil used it in 2005; Patarin used it in 2008; Patarin used it in 2008 again; Patarin in 2010; Patarin used it for the sum of permutations, a concrete bound, finally; Patarin used it in 2010 for the Feistel construction. I guess you see the pattern, right? Patarin used it in 2013 for the sum of permutations, an improved bound. Ah yes, Cogliati, Lampe and Patarin used it to prove the sum of multiple permutations. So what's next: Volte, Nachef and Marrière used it in the beginning of the previous year for a Feistel network. So this is the first article that does not include Patarin, but some people among you may recognize these names.
So it's close co-authors and students of Patarin. So only in the end of last year we applied it, so that's Damian and I; we are not, we don't have any relation with Patarin. And we found out that this result actually proved optimal security of the CENC encryption scheme from 2006. In fact, the result from 2005 proved that CENC of 2006 was optimally secure, and it has remained rather unknown even though it is a powerful technique. And I'm going to explain the technique to you at a high level. And to think about the technique, to get the intuition, it makes sense to think of the system of equations as a graph. So recall we have r unknowns and q equations, and we can visualize this in terms of a graph. So this graph consists of r nodes and q edges. In this case, for instance, P_{a_1} + P_{b_1} = λ_1; this means that we add this edge labeled by λ_1 into this graph. In this case also P_{a_1} = P_{a_2}, which effectively means that φ(a_1) = φ(a_2). So we can transform the system of q equations with r unknowns into a graph with r nodes and q edges, and now we're going to lower bound the number of solutions. But let's first look at three silly examples, three toy examples. And the first one is rather simple. We have three equations and two unknowns; three unknowns and two equations, I'm sorry: P_A + P_B = λ_1, P_B + P_C = λ_2. We have this nice graph associated with it, and now we're going to lower bound the number of solutions to the unknowns. But it's obvious that if λ_1 = 0, for instance, then the first equation reads P_A = P_B, and that's impossible; that's a contradiction because the unknowns should be distinct. So in this case we have zero solutions, and we call the scheme degenerate. Also if λ_2 = 0 it is degenerate. If λ_1 = λ_2, we can sum the two equations and we see that P_A should be equal to P_C, which is also a contradiction. And in either of these cases,
we call the scheme degenerate. Briefly looking forward, degeneracy means that there is a path in this graph of which the sum of the labels is zero. Now suppose it's not degenerate, so the λ_i's are nonzero and they aren't the same. Now we're just going to fix some solutions. So we first fix... well, the unknowns are n-bit values; you have 2^n possible choices for P_A. But once P_A is fixed, this fixes P_B, because P_B = λ_1 XOR P_A, and P_B is of course different from P_A because λ_1 is nonzero. This in turn fixes P_C, because P_C = λ_2 + P_B. So in total we have 2^n solutions to the system. A more complicated example is this one; it is actually more complicated even though it looks simpler. We have two equations and four unknowns, so P_A + P_B = λ_1, P_C + P_D = λ_2. Again we have degeneracy if λ_1 or λ_2 is 0, for the same reason as before. So suppose we have different nonzero λ_1 and λ_2. Again we're just going to count the number of solutions. You have 2^n possible choices for P_A; this fixes P_A and it hence fixes P_B. But now the question is: how many choices do we have for P_C and P_D?
Well, we require that P_C is not equal to P_A and P_B, because unknowns are distinct. P_D, which is defined as λ_2 + P_C, should also be unequal to P_A and P_B. Essentially this means that we have at least 2^n - 4 choices for P_C, and the total number of solutions is at least 2^n times (2^n - 4). Could be more, but we have at least this, and this is how the lower bound technique works. The third example is when we have a circle. So we have three equations, three unknowns, and we have a beautiful circle. For simplicity assume we have non-degeneracy, so the λ_i's are nonzero, λ_i is not equal to λ_j. Suppose now that λ_1 + λ_2 + λ_3 is not equal to 0. In this case, if we sum the three equations we see that we should actually have λ_1 + λ_2 + λ_3 = 0. So if this is the case we have zero solutions, and we say that the scheme contains a circle, for obvious reasons, because it contains a circle. And if the lambdas sum to zero, we don't have a contradiction, but essentially we have a redundant equation. We can get rid of the last equation without loss of generality and we're back at example 1. And this is a little bit the technique behind mirror theory, and more generally we see two types of problems. So problem one is when there is a circle of size at least two; problem two is when there is a degeneracy, meaning that there is a path of length at least one of which the labels sum to zero. And Patarin now proves the following powerful result. He proves that if the system of equations is circle-free and non-degenerate, then the number of solutions to the unknowns is at least 2^n falling factorial r divided by 2^{nq}. So to be clear, this 2^n with a subscript r means 2^n (2^n - 1)(2^n - 2) ... (2^n - r + 1), divided by 2^{nq}, where q is the number of equations and r the unknowns. And that's what Patarin proved, provided that the maximum tree size
ξ satisfies (ξ - 1)^2 times r is at most 2^n divided by the magical number 67. So that's a technical condition for the proof. And to see the power of this mirror theory, let's look at the sum of permutations, and I will focus on the single permutation variant. So we have one permutation with the domain separation in front of it, and consider an adversary that gets a transcript consisting of q evaluations of the scheme. Every evaluation kind of defines two inputs to the permutation, right? So we have x_i goes to P(0 || x_i) and P(1 || x_i), and if you define these values as P_{a_i} and P_{b_i}, every tuple, every query that the attacker makes corresponds to an equation. So we have q equations of this form, P_{a_i} + P_{b_i} = y_i. By design we have 2q unknowns, because the inputs to the permutation are always different. So we have 2q unknowns and q equations. If you draw the graph, you just have a few lines. So this is essentially the graph: q queries, they are disconnected. It's clear that the scheme has no circle, so there is no circle in the picture.
It is non-degenerate provided that there is no path of which the labels sum to zero; essentially this means that this is non-degenerate as long as the y_i's are not equal to zero for all i. In addition, the maximum tree size is 2, and if you apply the mirror theory, we see that if 2q is at most 2^n divided by 67, we have at least 2^n falling factorial 2q divided by 2^{nq} solutions to the unknowns. That's the mirror theory. The question now is how to use this. I will quickly go over it because of time. It's a very simple approach using the H-coefficient technique, and the H-coefficient technique consists of looking at all possible transcripts, so everything the attacker can see, all possible transcripts, and dividing these transcripts into good ones and bad ones. And then the goal is, for good ones, to prove that the probability that you get a good transcript for the real construction divided by the probability that you get a bad... that transcript in the ideal construction is close to one, and then the security bound is upper bounded by this epsilon plus the probability that you actually get a bad transcript in the random world. So this is a very famous proof technique. In our case we say that a transcript is bad if the corresponding graph is degenerate, because in that case we cannot apply the mirror theory. So saying that the transcript is bad if the graph is degenerate means that the transcript is bad if there is a y that is zero, and recall, if you go back to the construction quickly, y can never be zero in this case, so it makes sense: in the random world y can be zero, in the real world it cannot be zero. The probability that you get a bad transcript is about q over 2^n. And then for the analysis of good transcripts, what it boils down to, I'll quickly go over it, it's a bit technical, but essentially what it means is you have to compute the number of permutations that fit a certain transcript.
So given the transcript, derive a lower bound on the number of permutations that fit this transcript. And this is what mirror theory does, because here we see the bound from the mirror theory. This is the number of solutions; the probability that you get any of these solutions is this term times the probability that you get one of these. For the random one you just get 2^{nq}, and if you do the math you will find epsilon is zero and you get q over 2^n security. And that's how the mirror theory works for the sum of permutations. This is not my proof; this was all from Patarin. And but now Encrypted Davies-Meyer. Encrypted Davies-Meyer is different because it's sequential; it's not a sum of permutations, right? Well, if you look at it a bit closer, it is. Because if the attacker gets the transcript and if you fix the transcript, it boils down to a computation of the number of permutations that fit the transcript. Now look at the picture. So the x goes, that's fed forward to the middle; we just put it from the top, it's the same scheme, right? But if the transcript is fixed, the arrows in the scheme don't matter that much anymore, so we are just going to swap the arrows for P2. So EDM, Encrypted Davies-Meyer, is essentially a sum of permutations in the middle, and now we can apply the mirror theory. In more detail: if you have one query, it corresponds to two evaluations, namely P1(x_i), which I define as P_{a_i}, and P2^{-1}(y_i), which I define as P_{b_i}, and then we have a system of q equations of the form P_{a_i} + P_{b_i} = x_i. It is a bit different from the mirror theory for the sum of permutations, because in this case the y values can collide. So the x values are always unique, the y values can collide, and this means that the P_{b_i}'s may collide. If you now draw the graph, you don't have just edges; well, you also have edges, but the edges can collide. So here the P_{a_i}'s, they correspond to the input to the first permutation.
Those are always distinct, but we could have collisions at the y side. So in this case we have various trees. This is a tree with ξ_1 edges, so this means you have a ξ_1-fold collision on the y. So this is how, intuitively, the graph looks like now. Again we're going to apply the mirror theory, but now with a small relaxation, because we use different permutations. It is circle-free, right? It's obviously circle-free; you can see it from the picture. It is non-degenerate, and I need to note here that we use different permutations. So if for instance x_1 is zero, it doesn't matter, because we use different permutations. But if you have a path of length two of which the labels sum to zero, then you have a problem. But the x's are all distinct, so you never have a problem. The maximum tree size is ξ + 1 provided there is no (ξ + 1)-fold collision in the y value. And then you apply Patarin's mirror theory, and you find that if ξ^2 times q is at most 2^n divided by 67, you have at most this number of solutions to the unknowns. And I'm going to make a shortcut to the conclusion, and we find that the security of Encrypted Davies-Meyer is at most q over 2^n, which comes from the loss using the relaxation of the mirror theory, plus (q choose ξ + 1) divided by 2^{nξ}, which is the probability that you have a multi-collision, and hence a violation of the tree size. And that's the technique used for Encrypted Davies-Meyer.
You can do the same thing for Encrypted Wegman-Carter with Davies-Meyer. And so recall that in Encrypted Wegman-Carter with Davies-Meyer the nonce is always unique, but you have a message of which the hash value goes in here. And so we again swap the arrows; we have a sum of permutations in the middle; two evaluations, so the x_i goes to P_{a_i}, y_i goes to P_{b_i}, and we have a system of q equations of the form P_{a_i} + P_{b_i} = ... and in this case we get ν_i + H(m_i). So as before, the x's are... the nonces are unique. Then this should be ν and this should be t. The nonces are always unique, the t's could collide, but in addition these values could collide. So the graph now looks essentially the same, but you have a problem if you have degeneracy. Again, we have no circle. The degeneracy happens if you have two edges in the same graph with the same label. So if in the same tree you have two edges with the same label, you have a problem, and this corresponds essentially to the remaining term, because this one we saw for Encrypted Davies-Meyer, this one we saw for Encrypted Davies-Meyer. This is the probability that within one tree you get two of the same labels, so (q choose 2) times epsilon, where epsilon is the quality of the universal hash function, divided by 2^n. Now for Encrypted Davies-Meyer Dual, we can also prove it using mirror theory, but we did it in a simpler way, and the proof is essentially by picture; it's really a simple proof. Because this is Encrypted Davies-Meyer, we can redraw it; this is the same scheme. So instead of doing the feed-forward here, we do the feed-forward from the beginning, but permuted. It's the same picture.
It is a different picture, but the same scheme. But the permutations P1 and P2 are independent random permutations, so why don't we just replace this by a random permutation, say P3? These are probabilistically equivalent, and this is the sum of permutations, which is optimally secure. So Encrypted Davies-Meyer Dual is at least as secure as the sum of permutations, and we get optimal security, which is better security than Encrypted Davies-Meyer. I quickly want to go to future research, and one interesting question is what happens if the permutations are the same. For Encrypted Davies-Meyer and Encrypted Wegman-Carter with Davies-Meyer the trick doesn't work anymore, because the trick we used in the proof is that we invert P2; so the trick is that we keep P1 as it is but we invert P2. But if the permutations are the same, you cannot just invert one, and the trick really fails, and we don't see any way to prove it. For EDMD we also don't see a way to prove it, because there is a difficulty that looks like there could be some issues, some kind of sliding issues, but a bit more advanced, if the permutations are the same. And nevertheless, we don't see any attacks, so we expect that these schemes achieve optimal security or asymptotically optimal security. To conclude, I think mirror theory is a very powerful technique, and I don't think it's better or worse than the chi-squared technique.
It's different; both have their advantages and disadvantages. It allows for proving optimal security or almost optimal security for various constructions. And interesting questions are the single-key variants, a dual of Encrypted Davies-Meyer and Encrypted Wegman-Carter with Davies-Meyer. I think this is also interesting because of what we saw for EDM versus EDMD: EDM and EDMD, the schemes are equally efficient, but Encrypted Davies-Meyer Dual is way more secure, or it's a bit more secure, and maybe the same could happen for the MAC functions. And I expect there should be plenty of further applications for mirror theory. And that concludes my presentation. Thank you.
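Added example, not code from the talk or from the paper it presents: a small Python toolkit for the mirror-theory setting the speaker describes. A system is written as a list of equations (a, b, lam) meaning P[a] XOR P[b] = lam over r distinct n-bit unknowns P[0..r-1] (the "+" in the talk is XOR, and the implicit surjection is applied by indexing unknowns directly; both are conventions assumed here). `analyse` builds the graph with r nodes and one edge per equation and reports whether it contains a circle, whether a circle's labels sum to zero (redundant) or not (contradiction), whether it is degenerate (a path whose labels XOR to zero), and the maximum tree size ξ. `count_solutions` brute-forces the exact number of distinct-valued solutions for tiny n, `mirror_bound` evaluates the lower bound 2^n_(r) / 2^(nq) as quoted in the talk, and `edm_system` maps an EDM transcript of (x_i, y_i) pairs to the tree-shaped system described for Encrypted Davies-Meyer (one fresh unknown per x_i, shared unknowns for colliding y_i). The three toy systems are the talk's examples with constructed label values; the technical condition (ξ-1)^2 r ≤ 2^n/67 is not met at n = 4, so the comparison with the bound is illustrative only.

```python
from itertools import permutations
from math import prod


def analyse(r, equations):
    """Classify the graph of a system: r nodes (the unknowns), one edge per
    equation (a, b, lam) meaning P[a] ^ P[b] == lam.

    Returns a dict:
      circle     - some equations close a circle (a cycle in the graph)
      consistent - False if a circle's labels do not XOR to zero (no solutions)
      degenerate - some path of length >= 1 has labels XORing to zero
      xi         - maximum tree size: unknowns in the largest component
    """
    parent = list(range(r))   # union-find forest over the unknowns
    pot = [0] * r             # pot[v]: label of the edge v -> parent[v]

    def find(v):
        # Root of v and the XOR of labels on the path v -> root,
        # which equals P[v] ^ P[root] for any solution.
        acc = 0
        while parent[v] != v:
            acc ^= pot[v]
            v = parent[v]
        return v, acc

    circle, consistent = False, True
    for a, b, lam in equations:
        ra, pa = find(a)
        rb, pb = find(b)
        if ra == rb:                  # a and b already connected: closes a circle
            circle = True
            if pa ^ pb != lam:        # labels around the circle do not sum to zero
                consistent = False
            continue                  # otherwise the equation is redundant; drop it
        parent[rb] = ra               # hang b's tree under a's root so that
        pot[rb] = pa ^ pb ^ lam       # P[a] ^ P[b] == lam holds along the path

    comps = {}
    for v in range(r):
        root, p = find(v)
        comps.setdefault(root, []).append(p)
    # Two nodes of one tree with equal potential are joined by a zero-sum path;
    # this also catches a single edge with lam == 0.
    degenerate = any(len(ps) != len(set(ps)) for ps in comps.values())
    xi = max(len(ps) for ps in comps.values())
    return {"circle": circle, "consistent": consistent,
            "degenerate": degenerate, "xi": xi}


def count_solutions(n, r, equations):
    """Exact number of injective assignments of n-bit values to the r unknowns
    satisfying every equation (brute force; only sensible for n <= 4, r <= 5)."""
    return sum(1 for P in permutations(range(1 << n), r)
               if all(P[a] ^ P[b] == lam for a, b, lam in equations))


def mirror_bound(n, r, q):
    """Patarin's lower bound 2^n_(r) / 2^(nq) as quoted in the talk, for a
    circle-free, non-degenerate system of q equations in r distinct unknowns."""
    falling = prod((1 << n) - i for i in range(r))
    return falling / (1 << (n * q))


def condition_holds(n, r, xi):
    """Technical condition from the talk: (xi - 1)^2 * r <= 2^n / 67."""
    return (xi - 1) ** 2 * r <= (1 << n) / 67


def edm_system(transcript):
    """Map an EDM transcript [(x_i, y_i)] to a system as in the talk:
    P_{a_i} = P1(x_i) is a fresh unknown per query (the x_i are distinct),
    P_{b_i} = P2^{-1}(y_i) is shared by queries whose y_i collide, label x_i."""
    q, ys, equations = len(transcript), {}, []
    for i, (x, y) in enumerate(transcript):
        b = ys.setdefault(y, q + len(ys))
        equations.append((i, b, x))
    return q + len(ys), equations


def report(n, r, equations):
    """Analysis plus exact count and bound, for checking count >= bound."""
    info = analyse(r, equations)
    info["solutions"] = count_solutions(n, r, equations)
    info["bound"] = mirror_bound(n, r, len(equations))
    info["condition"] = condition_holds(n, r, info["xi"])
    return info


# Constructed toy systems; unknowns are indexed 0=A, 1=B, 2=C, 3=D.
EX1 = (3, [(0, 1, 1), (1, 2, 2)])                       # path A-B-C, 2^n solutions
EX1_DEGEN = (3, [(0, 1, 1), (1, 2, 1)])                 # lambda_1 == lambda_2 -> A == C
EX2 = (4, [(0, 1, 1), (2, 3, 2)])                       # two disjoint edges
EX3_REDUNDANT = (3, [(0, 1, 1), (1, 2, 2), (2, 0, 3)])  # circle, 1^2^3 == 0
EX3_CONTRA = (3, [(0, 1, 1), (1, 2, 2), (2, 0, 4)])     # circle, 1^2^4 != 0

if __name__ == "__main__":
    for name, sysdef in [("EX1", EX1), ("EX1_DEGEN", EX1_DEGEN), ("EX2", EX2),
                         ("EX3_REDUNDANT", EX3_REDUNDANT), ("EX3_CONTRA", EX3_CONTRA)]:
        print(name, report(4, *sysdef))
    # constructed EDM transcript with a 2-fold collision on y: tree of size 3
    print("EDM", analyse(*edm_system([(1, 7), (2, 7), (3, 9)])))
```

Running it at n = 4 reproduces the talk's counts: the path example has exactly 16 = 2^n solutions, the two-edge example has 16 * 12 = 2^n (2^n - 4) solutions, the λ_1 = λ_2 and contradictory-circle variants have none, and the redundant circle collapses to the path case. The EDM transcript with two queries sharing a y value yields one tree with ξ + 1 = 3 unknowns and no degeneracy, since the labels are the distinct x values.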