Hello, I am Avijit Dutta and today I am going to present the work "Minimizing the Two-Round Tweakable Even-Mansour Cipher". So it is about designing a tweakable block cipher. I will begin this talk with a brief background on tweakable block ciphers. Then I will talk about the contribution of this paper. Following that I will discuss a brief roadmap of the security proof of this construction, and finally I will conclude the talk.

A tweakable block cipher is a variant of a block cipher in which the primitive takes a message M, a key K and also a public value called the tweak T, and this tweak is perhaps controlled by an adversary. Like a block cipher, a tweakable block cipher also processes fixed-size data. Moreover, for each pair of key K and tweak T, the function E_K^T is a permutation over {0,1}^n, and for each key K, E_K is a family of permutations over {0,1}^n. So in the case of a block cipher, if you fix the key K, then E_K is a function from {0,1}^n to {0,1}^n and that is a bijective function. But in the case of a tweakable block cipher, if you fix the key K, then E_K is a family of permutations over {0,1}^n, and that family is indexed by the tweak T. The application of tweakable block ciphers was first observed in the Hasty Pudding cipher, the Mercy cipher and the Threefish cipher; they identified the need for this tweak for introducing variability in their design specifications, and they called the tweak a spice or a randomizer. They also included a basic security notion of the primitive, but without giving any formal proof. In fact, the formal treatment, or the formalization, of tweakable block ciphers was done by Liskov, Rivest and Wagner in 2002. So any design of a tweakable block cipher should be as efficient as possible, and changing the tweak should be less costly than changing the key.
If you change the key, then that invokes a key scheduling algorithm, and invoking the key scheduling algorithm is a costly operation. So you need to keep in mind while designing a tweakable block cipher that the tweak change may occur frequently, and a tweak change should cost less than changing the key. And the security of this tweakable block cipher should hold even if the adversary has the power to control the tweak, and each fixed setting of the tweak T gives rise to an independent family of block ciphers. So for each tweak it should give you an independent family of block ciphers. Note that the tweak is not meant to be kept secret. So the key is the only part that provides the uncertainty to the cipher. The purpose of the tweak is to provide variability in the cipher, but it does not provide any additional uncertainty or any additional secrecy.

In order to model the security notion of a tweakable block cipher, we consider an adversary A that has access to some oracle: the tweakable block cipher in the real world and a tweakable random permutation in the ideal world. So the adversary is given access to either of these oracles; the adversary does not know which, and it is only allowed to make queries to this oracle. The adversary makes a query with a tweak T and a message M, and it gets back some response. If, after making a finite number of queries, the adversary is not able to distinguish whether it has interacted with the tweakable block cipher or with the tweakable random permutation, then we will say that the tweakable block cipher is a secure tweakable block cipher. In particular, we will say that the tweakable block cipher is a tweakable pseudo-random permutation.
Moreover, if the adversary additionally has access to the inverse function of the tweakable block cipher and again fails to distinguish between these two scenarios, then we will say that the tweakable block cipher is a secure tweakable pseudo-random permutation.

The first secure design of a tweakable block cipher was the LRW1 construction. This was proposed, again, by Liskov, Rivest and Wagner in 2002, in which the construction was built out of a block cipher. They invoke two block cipher calls, where the tweak T is masked with the input message M, and it gives you the ciphertext C. This construction was shown to be secure up to 2^(n/2) queries, where the assumption is that the block cipher is a secure block cipher, that is, a secure pseudo-random permutation, and this security bound is tight because you can mount a birthday attack with the same query complexity. In order to mitigate the double block cipher call in the LRW1 construction, they also proposed another construction, which they call the LRW2 construction, in which the tweak is processed through some function which we call a hash function, and the output of the hash function is masked with the message M to provide the input of the block cipher E, and then the output of the block cipher is again masked with the hash output of T to generate the ciphertext C. Again this construction was shown to be secure up to 2^(n/2) queries, but here the assumption is that E is a secure block cipher and at the same time the hash function H should be an almost universal hash function. So there have been a couple of examples which are shown to be birthday-bound secure tweakable block ciphers. These are, for example, the XEX (XOR-encrypt-XOR) construction proposed by Rogaway at Asiacrypt 2004, and the improved security analysis of XEX and the LRW construction was done by Minematsu at SAC 2006.
There have been a couple of other examples of tweakable block ciphers which give beyond-birthday-bound security, for example the ENR construction by Minematsu, or the CLRW2 construction, a cascade of LRW constructions, by Landecker et al. There have been other constructions by Mennink, like the F1 and F2 constructions proposed at FSE 2015. So all these constructions are built out of a block cipher. So the natural question arises: can we design a tweakable block cipher using some lower-level primitive, or in other words, can we open the hood and design a tweakable block cipher from scratch? That is, not depending on a block cipher, but using some lower-level primitive, because a block cipher is a rich structure, right? So can we design a tweakable block cipher from some primitive that is not that rich? Perhaps a tweakable block cipher can be designed from any public permutation.

To answer the question, let us see whether there is any way to construct a block cipher out of some public permutation. This question was answered by Even and Mansour. They proposed the Even-Mansour cipher, in which the input x is masked with a key K1 to generate the input of the permutation P, and the output of the permutation is again masked with another independent n-bit key K2 to generate the ciphertext. The security of this construction was shown to be birthday-bound security. And even if you consider the same key, where K1 and K2 are the same, again the resulting construction can be shown to have birthday-bound security. This construction was generalized to yield the iterated Even-Mansour cipher, where you have r many random permutations and r+1 many independent random keys, and you just iterate the Even-Mansour cipher r many times and generate the ciphertext C.
The security of this construction was shown to be rn/(r+1)-bit security, and this security bound is tight. This was shown by Chen and Steinberger at Eurocrypt 2014. The only assumptions of these constructions are that the permutations P_i are independent and the round keys K_i have to be independent. Moreover, a follow-up work on this construction was done by Chen et al. at Crypto 2014, where they considered a two-round iterated Even-Mansour cipher, but this time they considered the same permutation. And they considered an n-bit master key from which they derived three round keys, but those round keys are not considered to be independent. So they used a good key scheduling function to derive the round keys from an n-bit master key.

So now let us ask: can we tweak the design of the IEM, or iterated Even-Mansour cipher, to make the resulting construction tweakable? That is, can we somehow incorporate the tweak T into this iterated Even-Mansour construction? A natural approach is to apply a function f on the key K and the tweak T, and the output of the function is masked into the internal state of the cipher. This idea was already considered by Jean et al. at Asiacrypt 2014 in their TWEAKEY framework setting, where the tweak and the key were unified. But until now there has been no kind of strategy to prove the security of such constructions where tweak and key are unified. So now let us instantiate the function f whose outputs are masked into the internal state. Let us first take a simple example: what if I take all the functions to just be an XOR of the key K and the tweak T? If all the f_i(K, T) are simply an XOR of the key K and the tweak T, then irrespective of the number of rounds, the security of this construction actually boils down to birthday-bound security.
This was shown by Cogliati and Seurin at Eurocrypt 2015, and independently Farshim and Procter showed this result in their FSE 2015 paper. Moreover, a trivial observation is that if you take this key scheduling function to be only the XOR of the key and the tweak T, then the one-round and two-round constructions are not secure. Then Cogliati et al. at Crypto 2015 came up with a construction which they call the Tweakable Even-Mansour cipher, in which they used a two-round iterated Even-Mansour cipher, but this time a hash function is used to process the tweak T. So the hash value of the tweak T is masked with the input x to generate the input for the first permutation call, and then the output is again masked with H1(T) xor H2(T), where H1 and H2 are two independent hash functions. The resulting state becomes the input of the second permutation call, and finally the output of the second permutation call is masked with H2(T) to generate the ciphertext y. So here the assumptions are that P1 and P2 are two independent random permutations, and the hash functions H1 and H2 are two independent hash functions; moreover, they have to be almost XOR-universal hash functions. This construction provides security up to query complexity 2^(2n/3), and they have also shown that if you cascade these constructions for r many rounds, where you take independent instances of the permutations and all the hash functions are independent, then that gives you rn/(r+2)-bit security. So naturally a couple of open problems come up: can we analyze these constructions with a single permutation, can we reduce the independence of the hash functions, and can we avoid the non-linear tweak and key mixing? In the same year, Cogliati and Seurin answered the question, in particular the third question: can we avoid the non-linear tweak and key mixing?
They have shown that yes, you can: if you take 2n-bit keys and an n-bit tweak, then you just alternately mask the key and the tweak, and if you do that, then with four independent n-bit permutations you can show beyond-birthday-bound security of the resulting construction. So it provides security up to query complexity 2^(2n/3), but the only limitation is that the permutations have to be independent and you need 2n-bit keys. Again a couple of open problems came up: can we reduce the number of permutations, not the number of rounds, and can we analyze it with an n-bit key and an n-bit tweak? So instead of having a 2n-bit key, can we analyze the constructions if we only take an n-bit key?

So now our contributions come. What have we done in this paper? We have in particular answered the questions posed by Cogliati et al. in the Crypto paper. We are using the Tweakable Even-Mansour cipher, but in this case, instead of having independent permutations P1 and P2, we are making it a single permutation. We still need two independent almost XOR-universal hash functions, but we only need a single n-bit permutation, and that is a natural approach to designing a tweakable block cipher, if you see, because we actually use the same permutation and that permutation is rotated over the rounds. And we have shown that if you use this construction, I mean if you make the two permutations identical, then the security bound does not degrade at all; in particular, it provides a similar level of security. And a trivial observation is that if your hash functions are the same, or identical, if H1 equals H2, then that clearly leads to a birthday-bound attack.
Then again, the hash function is a non-linear mixing, because a trivial hash function which is a secure almost universal hash function is a multiplicative hash function, right? But that multiplicative hash function is a non-linear mix of the key and the tweak T. So can we avoid a non-linear mixing? So again we answered the question posed in Cogliati and Seurin's Asiacrypt paper: can we reduce the number of permutations, or can we reduce the number of keys? We have shown that yes, we can reduce the number of permutations, but not the number of keys. In particular, our construction takes two n-bit random permutations P1 and P2, two n-bit keys and an n-bit tweak. Again, if you use this construction, then you are not degrading the security of the construction. It provides a similar level of security, so it gives you 2^(2n/3) security. And again, the open problems for these two constructions are: can we use an n-bit key and an n-bit tweak, and can we make all the permutations identical? That is still open.

So now let us quickly go to the proof structure of this construction. We prove the security of these constructions in the random permutation model. In the random permutation model, the adversary is given access to the oracle: in the real world it is given access to the real oracle, and in the ideal world it is given access to the ideal oracle. But in addition to the access to this oracle, the adversary is also given access to the internal primitive of the construction; in particular, if it is a permutation-based construction, then the adversary is given access to the underlying permutation P and also its inverse P^-1.
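As an added worked example (not code from the talk or the paper), here is the single-permutation two-round Tweakable Even-Mansour construction described above in Python, with the two almost XOR-universal hashes instantiated as multiplication in GF(2^32) by two independent keys; the 32-bit Feistel permutation standing in for P, its constants, the field polynomial choice and the tweak-zero check are assumptions of this example. It also shows the trivial observation above that H1 = H2 makes the middle mask vanish.

```python
# Constructed example of the single-permutation two-round tweakable
# Even-Mansour (TEM) cipher from the talk: one public n-bit permutation P and
# two independent almost-XOR-universal (AXU) hashes H1, H2 of the tweak.
# The Feistel permutation and all constants are stand-ins for this example.
MASK = (1 << 32) - 1
HALF = 0xFFFF
GF_POLY = (1 << 32) | 0x8D  # x^32 + x^7 + x^3 + x^2 + 1, irreducible: GF(2^32)
ROUND_CONSTS = (0x1234, 0x9E37, 0x79B9, 0xC0DE)  # public, unkeyed

def gf_mul(a: int, b: int) -> int:
    """Multiply two elements of GF(2^32) by shift-and-reduce."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> 32:
            a ^= GF_POLY
    return r

def axu_hash(key: int, tweak: int) -> int:
    """H_k(t) = k * t in GF(2^32); for t != t' and any c, Pr_k[H_k(t) ^ H_k(t') = c] = 2^-32."""
    return gf_mul(key & MASK, tweak & MASK)

def _round_f(right: int, const: int) -> int:
    """Public Feistel round function; it need not be invertible."""
    return ((right * 0x9E3779B1) ^ (const << 5) ^ (right >> 3)) & HALF

def public_perm(x: int) -> int:
    """Toy public permutation P: a 4-round unkeyed Feistel on 16-bit halves."""
    left, right = (x >> 16) & HALF, x & HALF
    for c in ROUND_CONSTS:
        left, right = right, left ^ _round_f(right, c)
    return (left << 16) | right

def public_perm_inv(y: int) -> int:
    """P^-1; in the random permutation model the adversary may query both."""
    left, right = (y >> 16) & HALF, y & HALF
    for c in reversed(ROUND_CONSTS):
        left, right = right ^ _round_f(left, c), left
    return (left << 16) | right

def tweak_masks(k1: int, k2: int, tweak: int) -> tuple:
    """(H1(T), H2(T)). Tweak 0 is rejected: k * 0 = 0 for every key, so
    under tweak 0 the cipher would degrade to the keyless P(P(x))."""
    if not 0 < tweak <= MASK:
        raise ValueError("tweak must be a nonzero n-bit value")
    return axu_hash(k1, tweak), axu_hash(k2, tweak)

def middle_mask(k1: int, k2: int, tweak: int) -> int:
    """Mask between the two P calls, H1(T) ^ H2(T). With identical hashes (k1 == k2)
    it is always 0: the case the talk notes only reaches the birthday bound."""
    h1, h2 = tweak_masks(k1, k2, tweak)
    return h1 ^ h2

def tem_encrypt(k1: int, k2: int, tweak: int, x: int) -> int:
    """y = P(P(x ^ H1(T)) ^ H1(T) ^ H2(T)) ^ H2(T); a tweak change costs no key schedule."""
    h1, h2 = tweak_masks(k1, k2, tweak)
    return public_perm(public_perm(x ^ h1) ^ h1 ^ h2) ^ h2

def tem_decrypt(k1: int, k2: int, tweak: int, y: int) -> int:
    """Inverse of tem_encrypt: undo the masks and P in reverse order."""
    h1, h2 = tweak_masks(k1, k2, tweak)
    return public_perm_inv(public_perm_inv(y ^ h2) ^ h1 ^ h2) ^ h1
```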
So the distinguisher is allowed to make oracle queries to the oracles, but in addition to that it is also allowed to make forward or inverse queries to the internal primitives. This model is basically a resemblance of the ideal cipher model or the random oracle model, but those models are not relevant to our context. So we have proved the security of these constructions in the random permutation model. And in order to prove the security of this construction, the H-coefficient technique comes as a handy tool. In this technique the adversary interacts either with the real oracle or with the ideal oracle, and after the interaction is over we collect the queries and responses in a transcript tau, we partition the set of all transcripts into good and bad transcripts, and then we compute the ratio of the real to ideal interpolation probability for a good transcript. The H-coefficient technique says that if, for any good transcript tau, the ratio of the real to ideal interpolation probability is very close to 1, modulo some negligible error term which we call epsilon_1, and if the probability that a transcript belongs to the bad transcript set is negligible, which we denote as epsilon_2, then the distinguishing advantage of the adversary in distinguishing the real from the ideal can be upper bounded by epsilon_1 + epsilon_2. Then the question comes: in order to apply the H-coefficient technique in the security proof of our constructions, how do we characterize the bad events? If you apply the H-coefficient technique in order to prove the security of any symmetric cryptosystem, then you need to identify three things.
First of all, you need to identify the bad events; then you need to upper bound the bad events in the ideal world; and third, if you take any good transcript, then you need to lower bound the ratio of the real to ideal interpolation probability. Those are the three things. So let us take the first step of characterizing bad events for our constructions. The main idea of characterizing bad events is, first, to avoid two-fold collisions, and second, to identify the events for which, finally, we are not getting any randomness of P. To avoid two-fold collisions, you can consider the case that if you have a construction query, say (T, x), whose input to the permutation P collides with some internal primitive query, then the output is determined, and if the determined output again determines the input of the second permutation call, then you are losing the game, because in that case you are not getting the output of the construction as random, right? Similarly, if there are two construction queries, say (T, x) and (T', x'), which collide at the input of the permutation P, then the outputs of the permutation also collide, but again if that collision makes a collision at the input of the second permutation call, then again you are not supposed to get randomness in the output of the construction, right? In particular, there are 14 more cases of bad events. If you are interested you can see our ePrint paper. The basic idea of the bad events is to capture the cases where the randomness of P vanishes, and if these bad events do not happen, then for each construction query it is ensured that for at least one permutation call its input and output are fresh. After characterizing all the bad events,
when we upper bound the bad events individually, the bad probability that we get is negligible provided the number of construction queries q is up to 2^(2n/3) and the number of primitive queries p is up to 2^(2n/3). And if the bad events do not happen, then we calculate the ratio of the real to ideal interpolation probability, and in that case we have shown that the ratio is very close to 1 modulo the error term, which is qp^2/2^n + pq^2/2^n, and this is negligible if the number of queries is less than 2^(2n/3), where that includes both the construction queries and the primitive queries. The core of this paper is the analysis of the good probability, and that is a very hard combinatorial problem which is not possible to explain in these slides.

So now we conclude. In this paper we have shown how to design a tweakable block cipher from scratch, and we need to reduce the amount of independence as much as possible; our construction proposes a single-permutation variant of the tweakable Even-Mansour ciphers that are already in the literature, and reducing the independence does not degrade the security. That is the main thing that we have shown. It is important to push this design beyond 2n/3-bit security, that is, can we push the security bound beyond 2^(2n/3), can we improve the security bound of these constructions to, for example, 2^(3n/4) or 2^(4n/5), something like that. So that is the end of my talk. If you have any queries you can drop me an email at avirocks.dutta13 at theregimal.com. Thank you.