If everyone can come in and get settled, we're going to get started here in about 30 seconds. It's really bad with that staircase, people taking their time getting out; I'll give you the full time even so. All right, why don't we get started? So welcome to the first session of technical talks. This is the pseudorandomness session, and we'll have two very nice talks. The first will be by Stefano Tessaro and Peter Gaži; Peter is giving the talk, and I'll let him take it away. Thank you. So good morning, everyone, and welcome to the talk. What I will be telling you about in the next 25 minutes is our recent joint project with Stefano Tessaro, where we looked at how to build pseudo-random number generators and key derivation functions from sponges. So first, let me summarize quickly what our main contribution is. We give the first efficient and provably robust sponge-based PRNG, and the techniques that we use to reach this goal actually turn out to be useful beyond the analysis of PRNGs: they also allow us to propose and analyze a construction of a key derivation function. So let me start by saying what the sponge construction is, the underlying building block that we will be using. The sponge paradigm, due to Bertoni, Daemen, Peeters, and Van Assche, in its simplest form is a way to build hash functions from a fixed invertible permutation on n-bit strings.
So if you have a message that you want to hash with a sponge-based hash function, what you do is parse it into r-bit blocks, and then you start with a state that consists of n zero bits. We will always be looking at this state as having two parts: the upper part, which consists of r bits, and the lower part, which consists of c bits. You take the first block of the message, XOR it into the upper part of the state, and apply the permutation; then you do this for the second block, and so on, until you have processed the whole message. In the end, you truncate the output by throwing away the lower part of the state and keeping only the upper part, and this is the output of your hash function. This is the paradigm underlying the SHA-3 winner Keccak. But sponges go well beyond hashing; I'll just mention message authentication codes, stream ciphers, and authenticated encryption as several further applications. The main building blocks when you are using the sponge paradigm are always these two operations: absorbing data into the state of the sponge, and squeezing data out of the sponge by taking the upper part of the state. Okay, so this was a quick intro to sponges; let's now talk about pseudo-random number generators, which are the objects we are trying to construct. A pseudo-random number generator, as you know, is an algorithm that you can imagine sitting in your operating system, collecting entropy from system events and then producing pseudo-random bits whenever an application asks for them. These objects were formalized in a work by Dodis et al. in 2013 and before, but this is the formalization that we will be using, where the PRNG is seen as having two important procedures: the refresh procedure, which is invoked whenever the PRNG gets some weakly random input.
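As a concrete illustration, the absorb-then-squeeze hashing just described can be sketched in a few lines of Python. Everything here is a toy stand-in: a real sponge such as Keccak uses the Keccak-f permutation and proper padding, while `toy_pi` below is just an invertible rotate-and-XOR chosen for illustration.

```python
R, C = 8, 8          # rate r and capacity c, in bits
N = R + C            # state size n = r + c
MASK = (1 << N) - 1

def toy_pi(state):
    # Toy invertible permutation on N-bit values (rotate, then XOR).
    # NOT cryptographically secure; it only stands in for a real
    # permutation such as Keccak-f.
    state = ((state << 3) | (state >> (N - 3))) & MASK
    return state ^ 0xA5C3

def sponge_hash(blocks):
    """Hash a list of r-bit blocks: XOR each block into the upper
    r bits of the state, permute, and finally squeeze the upper
    part as the digest (the lower c bits are thrown away)."""
    state = 0                 # start from the all-zero state
    for m in blocks:          # absorption phase
        state = toy_pi(state ^ (m << C))
    return state >> C         # truncation: keep only the upper r bits
```

With r = c = 8 the digest is a single byte; real instantiations use far larger rates and capacities.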
These inputs come, let's say, from various system events, and refresh leads to updating the state of the PRNG, so obviously the PRNG is stateful. The other procedure that is important for us is the next procedure, which is used whenever we want to produce these pseudo-random bits, and this again leads to an update of the state of the PRNG. But on top of that, the formalization also considers a procedure called setup that is only invoked at the very beginning of the use of the PRNG, and this procedure produces a random seed that is then given as an input to both the refresh and the next procedures. The reason for this is similar to the situation with extractors, and I will get to it later. Of course, it is very appealing to try to build pseudo-random number generators from sponges, due to the anticipated support, both in software and in hardware, that we expect for Keccak in the future. And indeed, there have been proposals of how to build PRNGs from sponges; namely, the same set of authors that proposed the sponge paradigm also proposed how to use it for building a PRNG. You can see the construction here: basically, the refresh procedure consists of absorbing the weakly random input into the state of the sponge, and the next procedure consists of simply squeezing the sponge. The advantage of this is that it is very simple and elegant, it uses the basic structure of a sponge, and it has already been empirically validated in some further work. But the question we will be looking at now is: what can we say about the provable security of this construction? For that, we first of course need a security notion. Luckily, there is already one, due to Dodis et al., from the same paper that I already told you about; it's called robustness. It's a game-based security notion where we have a two-stage, or two-part, adversary, which consists of a distribution sampler and an attacker.
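The original proposal just mentioned, where refresh absorbs the weakly random input and next squeezes the sponge, can be sketched as follows. As before, `toy_pi` and all parameters are illustrative assumptions, not the designers' concrete instantiation.

```python
R, C = 8, 8               # rate and capacity in bits
N = R + C
MASK = (1 << N) - 1

def toy_pi(s):
    # Toy stand-in for a public invertible permutation.
    return (((s << 5) | (s >> (N - 5))) & MASK) ^ 0x3C96

class BasicSpongePRNG:
    """Sketch of the unseeded sponge PRNG: no setup procedure."""
    def __init__(self):
        self.state = 0

    def refresh(self, block):
        # Absorb: XOR the r-bit input into the upper part, permute.
        self.state = toy_pi(self.state ^ (block << C))

    def next(self):
        # Squeeze: output the upper r bits, then permute the state.
        out = self.state >> C
        self.state = toy_pi(self.state)
        return out
```

Note that because `toy_pi` is public and invertible, anyone holding the state after a call to `next` can invert it and recover the output just produced, which is exactly the forward-secrecy problem discussed in a moment.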
The distribution sampler, which we will denote D, has the task of generating the inputs to the PRNG. So we are assuming that the inputs to the PRNG are also adversarially generated, with the only restriction that we require this distribution sampler to be legitimate, which means that it has to provide truthful estimates of the amount of entropy present in the outputs that serve as inputs to the PRNG. The second stage of the adversary is the attacker, who can actually interact with the PRNG and can ask for a real-or-random challenge. So, in slightly greater detail, let's take a look at the robustness notion. Here is our PRNG with its three procedures, and the game goes as follows. First, we initialize by generating the seed using the setup procedure, initializing the state, and choosing the challenge bit. Then we run the second part of the adversary, the attacker A. The attacker is allowed to query both the refresh and the next procedures of our PRNG. Whenever it queries the refresh procedure, remember that this is the procedure that takes some weakly random inputs; these inputs are generated by the other part of the adversary, the distribution sampler, which we assume to be legitimate in the sense that I told you. But on top of this, A is also allowed to do more: it can compromise the state of the PRNG, either reading the whole state or overwriting it with arbitrary values, and it can also ask for a real-or-random challenge. When it asks for a challenge, it gets either an actual real output of the PRNG or a random bit string. But it only gets a meaningful challenge if enough entropy has been processed by the PRNG since the last state compromise, and this is where the estimates from the legitimate distribution sampler come into play: they are used to evaluate whether enough entropy has been processed already.
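The game just described can be summarized in schematic code. This is a heavily simplified sketch under stated assumptions: entropy accounting is reduced to summing the sampler's estimates against a threshold `GAMMA_STAR`, the PRNG is any object with `state`, `refresh`, and `next`, and a challenge below the threshold is simply refused; all names are illustrative, not from the paper.

```python
import secrets

GAMMA_STAR = 16   # entropy threshold, in bits (illustrative value)

class RobustnessGame:
    """Schematic oracles of the robustness game."""
    def __init__(self, prng):
        self.prng = prng
        self.b = secrets.randbits(1)   # hidden real-or-random bit
        self.entropy = 0               # entropy since last compromise

    def oracle_refresh(self, block, gamma):
        # (block, gamma) is produced by the legitimate sampler D.
        self.prng.refresh(block)
        self.entropy += gamma          # credit the claimed entropy

    def oracle_get_state(self):
        self.entropy = 0               # compromise resets the counter
        return self.prng.state

    def oracle_set_state(self, s):
        self.entropy = 0               # overwriting also counts
        self.prng.state = s

    def oracle_challenge(self, nbits):
        if self.entropy < GAMMA_STAR:  # not enough fresh entropy:
            return None                # no meaningful challenge
        real = self.prng.next()
        return real if self.b == 1 else secrets.randbits(nbits)
```

The adversary wins if it guesses the hidden bit `b` with probability noticeably better than one half.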
Then A is at some point expected to output a single bit representing its guess whether the challenge it got was real or random, and the advantage of this adversary is defined in the usual way for a distinguishing game. So this is the robustness notion due to Dodis et al. Unfortunately, this notion was not around by the time the sponge-based PRNG proposal that I showed you came to exist, and the proposal does not satisfy the notion, for at least two different reasons that I will walk you through now. The first reason is that the construction does not achieve any forward secrecy. Forward secrecy is a property implied by robustness; in very broad terms, it means that a compromise of the PRNG state should not mean a compromise of the previous values output by the PRNG. And this is clearly not true for this construction. Just imagine a simple attack where the attacker asks for a challenge (in the real case, it would get this output), then compromises the state and simply inverts the permutation (remember, this is a public permutation) to check whether the challenge it got was actually real or random. This problem was recognized by the designers who proposed this PRNG, and they also proposed a patch for it, which was to zero out the upper bits of the state after each invocation of the procedure next. However, this proposal was only mentioned in passing and was not analyzed in that paper. The second reason why this construction is not robust is that it is unseeded: it does not contain any setup procedure. Again, you can come up with a simple attack that shows that this violates the robustness of the generator. You can simply consider a distribution sampler that samples uniformly over all inputs that, after processing by the PRNG, result in an output that starts with a zero bit.
This will still be a high-entropy distribution, so it can be a legitimate high-entropy source (it has to have access to the permutation pi), and it makes it trivial for the attacker to distinguish, because it just looks at the first bit. This is an analogue of a very well-known situation with extractors, where the widely accepted solution is seeding, and this is the solution that is also taken in the PRNG world. So knowing this, I can show you our construction, which is called SPRG, and I can also highlight where we differ from the previous construction that I showed you before. The first difference is obviously that we do introduce this setup procedure, which samples a random seed consisting of s sub-seeds, where each of them is an r-bit-long random bit string. Then, in the refresh procedure, we use the seed to whiten the inputs before they are absorbed into the sponge, as you can see here, and we cycle through all the sub-seeds as we go through the inputs. So this is the modification to the refresh procedure. For the next procedure, we implement this upper-state zeroing, and namely we implement it in a repeated fashion: we apply the permutation and zero out the upper part of the state t times, where t is a parameter of the construction, and we also add an additional call to the permutation pi at the beginning of the next procedure. So this is our construction; it is parameterized by the number of these sub-seeds, which we denote s, and the number of repetitions, which we denote t.
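Putting the two modifications together, a hedged sketch of SPRG might look as follows. The exact order of operations in `next` (the extra initial permutation call, then t rounds of zeroing and permuting, then squeezing) follows my reading of the verbal description and may differ in detail from the paper; `toy_pi` is again only a stand-in for the public random permutation.

```python
R, C = 8, 8
N = R + C
MASK = (1 << N) - 1
LOWER = (1 << C) - 1       # mask that zeroes the upper r bits

def toy_pi(s):
    # Toy stand-in for the public random permutation pi.
    return (((s << 5) | (s >> (N - 5))) & MASK) ^ 0x3C96

class SPRG:
    def __init__(self, seed, t):
        self.seed = seed   # s sub-seeds, each an r-bit string (setup)
        self.t = t         # number of zeroing repetitions
        self.i = 0         # cycles through the sub-seeds
        self.state = 0

    def refresh(self, block):
        # Whiten the input with the current sub-seed, then absorb.
        masked = block ^ self.seed[self.i % len(self.seed)]
        self.i += 1
        self.state = toy_pi(self.state ^ (masked << C))

    def next(self):
        self.state = toy_pi(self.state)      # extra initial pi call
        for _ in range(self.t):              # t times: zero the upper
            self.state = toy_pi(self.state & LOWER)  # part, permute
        return self.state >> C               # squeeze r output bits
```

The repeated zeroing is what destroys the information needed to invert back to earlier outputs, restoring forward secrecy.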
The main result of our paper is proving that this construction is indeed robust in the random permutation model. To be able to do that, we first have to adapt the robustness notion to the random permutation model, because it was not formulated in this model, and there is a technical contribution there that turns out to be important. So I will first talk about how to adapt the model, then get to the actual result and briefly sketch the proof. If we want to adapt the robustness notion to the random permutation model, the first and simple part is just considering an oracle that is a uniformly random permutation and is available to everyone. We sample such a permutation at the beginning of the init procedure and then give access to pi to the PRNG and also to both parts of the adversary. This is the easy part, but now a tricky question comes up: what does it mean for the distribution sampler to be legitimate? Remember that before, this meant that the distribution sampler provides honest estimates of the entropy contained in the inputs that it produces for the PRNG; but now there is this huge pool of randomness, the function table of the permutation pi, that is accessible to everyone. So now I will sketch how we define legitimate distribution samplers, ones that can depend on pi, in the presence of a random permutation pi. But to do that, let me set up the comparison by first showing you how pi-independent legitimate samplers were defined in the work of Dodis et al.
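In symbols, the condition I am about to walk through can be written as follows; the notation is reconstructed from the verbal description, so the paper's exact formalization may differ slightly:

```latex
% D outputs triples (I_j, z_j, \gamma_j): the input, some auxiliary
% information, and an entropy estimate. Legitimacy requires, for
% every index i and every value x,
\Pr\bigl[\, I_i = x \;\bigm|\; (I_j)_{j \neq i},\ (z_j)_j,\ (\gamma_j)_j \,\bigr] \;\le\; 2^{-\gamma_i}.
```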
So there, the distribution sampler simply outputs, upon each invocation, a triple, where the last and most important part is the output I_i, which will turn out to be the input for the PRNG; then some auxiliary information; and then an entropy estimate gamma_i that is supposed to estimate the amount of entropy in this input. This happens upon every invocation, and the legitimacy condition is defined as follows. For every index, so for every row in this table, say we look at the index i: we require that the probability that I_i takes some fixed value x, conditioned on all the values highlighted in yellow here (that is, all the other inputs, all the entropy estimates, and all the auxiliary information), is upper bounded by 2 to the minus gamma_i, where gamma_i is the entropy estimate. If this is true for every row in the table, then we say that the distribution sampler is legitimate. This was the definition without the publicly available random permutation oracle; now we have to adapt it to a situation where D actually does have access to pi. How do we do this? We consider D again outputting a triple, which again contains an entropy estimate and some auxiliary information, but apart from that, it also contains a source S, which is an inputless algorithm that is invoked only once, has access to the permutation pi, and outputs the actual random variable I_i that will be used as the input of the PRNG. Again, this happens upon every invocation, and now we need to define the legitimacy condition. It gets a bit more complicated now: we consider another algorithm, let's call it a predictor, that is given all these highlighted values and access to the permutation pi, so it is allowed to derive any values that it can compute from the permutation pi and the highlighted values, and it produces some view v. Then what we require from a legitimate sampler is that, again for every index i, the probability that I_i takes a fixed value x, conditioned on all the yellow-highlighted values, on the view of the predictor, and on the query-response pairs to the permutation pi of all the other sources and of the distribution sampler D itself, is upper bounded by 2 to the minus gamma_i. This is the condition we require from the distribution sampler to call it legitimate in an environment where it can depend on the permutation pi, and this is what we require from D in the definition of robustness in the random permutation model. Okay, so this is how we adapt the robustness notion to the random permutation model, and now we can get to the main contribution, where we show that our SPRG is actually robust in the random permutation model. This is the construction that I already showed you, and the theorem we prove is that SPRG is robust, or rather that the advantage of the adversary is small, as long as this set of inequalities is satisfied, where on the left side you can see the number of queries the adversary asks, or L, which denotes the total length of the inputs given to the PRNG, and on the right side terms that are parameterized by the parameters of the construction: c and r are the parameters of the sponge, s and t are the number of sub-seeds and the number of repetitions respectively, and gamma star is the threshold used to evaluate whether enough entropy has been processed, which is part of the robustness notion, as I told you. I am only stating the bounds informally here; you can find the exact ones in the paper. Okay, I will not talk about the whole proof of this statement; I will just give you a sketch of two building blocks of it that we believe are of independent interest. The first one is a lemma that we call the sponge extraction lemma, because we look at how the sponge can act as an extractor in the random permutation model, in
the sense of the following adaptive extraction game. We consider a legitimate distribution sampler, in the sense that I told you about, that generates a sequence of inputs, and then we consider an attacker that is allowed to choose a subsequence of these inputs without actually seeing them, seeing only the auxiliary information and the entropy estimates; the attacker also chooses an initialization value. Then the chosen inputs are processed using the construction that you can see here, and the adversary gets either the real output produced in this way, or a random string y star, and its goal is of course to figure out which of the two cases happened. We prove that winning this game is difficult as long as a similar set of conditions is satisfied, and additionally as long as the adversary doesn't ask an inverse query to the permutation pi on the value y star that it gets in the ideal experiment. Now, this condition might sound a bit unusual, but there is a good reason why we include it: it allows us to get much better bounds, and in particular it allows us to say something meaningful even if the input is only one block long, which would not be possible without this condition. So on the one hand it allows for better bounds, and on the other hand it will not be a problem for us, because when we use this lemma later in the proof, it turns out that we use it only for a restricted class of adversaries for which we can show that it would be difficult to ask such a query. So this is our sponge extraction lemma. The second part of the proof that I want to briefly sketch is the analysis of the next procedure of the PRNG. Remember that the next procedure looks like this; what we show is that if the state s from which we start has sufficient min-entropy, then the pair consisting of the output of the next procedure and the new state together is indistinguishable from a pair of a random bit string and a random bit string
that starts with a bunch of zeros, also for a distinguisher who is given access to the permutation pi. So this is the result that we get for the procedure next, and now I will just briefly tell you how from this we actually get the full robustness result. We go through two notions that were already given in the paper by Dodis et al., which are recovering security and preserving security. Very briefly: recovering security means that even if the state of the PRNG is completely compromised, if sufficient entropy is given to it in inputs that are protected from the adversary, it can recover full security and start producing random outputs again; and preserving security means that, on the other hand, if the state is perfectly random, then even if the inputs don't contain any randomness, even if they are chosen by the adversary, the PRNG can maintain this random state. We had to adapt these two notions to the random permutation model and show that, also in the random permutation model, these two properties together imply robustness, and this is how we conclude that our PRNG is actually robust. So, to recap, this is our sponge-based PRNG and the main theorem. Let me just spend the last minute telling you about a second construction that we look at in the paper, because it turns out that the tools we developed for the PRNG are also useful here. We look at a key derivation function that is also based on the sponge paradigm: you can see that here comes the weakly random source material, here comes the context variable that identifies the use of the key, and here you get the output, the actual key. We show that this key derivation function is a secure KDF also if the source material is generated adversarially, by a pi-dependent distribution in a similar sense as for the PRNGs, as long as a similar set of conditions is satisfied. So, just to sum up, we give the first
efficient and provably robust sponge-based pseudo-random number generator, and several of the techniques that we use turn out to have applications beyond PRNGs. The ones I would like to highlight are the formalization of pi-dependent distribution samplers and the analysis of the extraction properties of the sponge construction in the random permutation model. So thank you very much, and I'm happy to take questions. So we have time for one or two quick questions. Hello. Okay, this is nice work, thank you for doing this. I wanted to ask: in the standard case where you would use a random number generator, you don't actually have starting randomness that would let you do this seeding. Can you reduce this down to just a computational assumption, or some other assumption? Because obviously, if the distribution sampler doesn't know anything about the hash function you're using, then you can just assume it can't choose values that will all collide. Is there some nice computational assumption or other assumption to analyze that case? Because it would be nice to have that case in your analysis. So yes, this introduction of the seed is more of a theoretical workaround to actually be able to achieve something for distributions that depend on the permutation pi. If you are not assuming the distribution might depend on the permutation pi, then you don't need this seeding. I don't think you can get around the need for the seed if you admit that the distributions might depend on the permutation, and it seems the safer approach to assume that they might depend on it; but if you are willing to assume that they don't, then you are fine without the seeding too, with the same construction. Okay, great. One quick question from the chair, then: can you just use the sponge as a hash function, as a black box, build a PRNG from it, and rely only on the properties of the sponge? Is that not going to be secure? Probably you could do something like that. So one thing is that this is almost
black box, depending on how you see the interfaces of the sponge; you could realize it with absorb and squeeze operations. The second thing is, probably you could do it on top of a hash function, but maybe you would need more calls to the permutation pi, because you would be somewhat bounded by the interface that you have to use to communicate; you would have to hack it into doing what you want, so maybe there would be an efficiency loss. Great, thanks. Why don't we thank Peter again. All right, so on to our second talk.