Hi, this is Mridul Nandi from the Indian Statistical Institute, and I will talk about birthday-bound attacks on two recent constructions, EWCDMD and SoKAC21.

Here is the outline of the talk. I will first describe the attack model by which we show our attacks on the constructions. Then I will describe some direct constructions; in particular, we consider compositions of ideal primitives. Then we will show attacks on two existing constructions: EWCDMD, which was accepted at CRYPTO 2017, and SoKAC21, which was published at CRYPTO 2019. Then I will describe where it went wrong, and finally I conclude with some important future work.

So what is the attack model? Every distinguisher has two worlds, the real world and the ideal world. In the real world we actually implement the real constructions that are of concern in our topic. So what it does is compute tags using the keyed functions, the real functions f_k. In the ideal world, on the other hand, the tags which are output are generated randomly. This is what it looks like pictorially: the adversary A is interacting with either the real world or the ideal world, and after that it has to distinguish whether it was interacting with the real world or with the ideal world. For that, the measure of distinguishing is: you consider the event where A outputs one, compute the two probabilities, one in the real world and one in the ideal world, and take the difference between these two probabilities.

Now we move to compositions of ideal primitives. This is the basic paradigm we will consider when we analyze our attacks. Composition is a very simple but useful principle in cryptography. For example, when you design block ciphers or hash functions, you use round functions or round permutations which are composed iteratively. It is also used in designing modes, for example Hash-then-PRF or Hash-then-PRP.
Here we will be interested in compositions of ideal primitives. So what are the ideal primitives we are interested in? We will consider random functions, which will be denoted as gamma, and random permutations, denoted as pi. We also consider two models of the adversary, which are also popularly used: the public model and the secret model. In the public model, the adversary has direct access to the primitive, whereas in the secret model the adversary cannot have direct access to that primitive; however, it can get some information through the modes, because that secret primitive is used to design a mode. As the adversary can observe the output of the modes, it can infer something about the internal primitive which is secret.

The composition of two functions f and g is our main target for analysis, where f and g can be any one of these three primitives: either a secret random function, a public random function, or a secret random permutation. There is no point in considering public random permutations, because mostly we are considering symmetric, efficiently invertible permutations, so one can easily unfold the permutations, and there is no point in considering public permutations.

There are some known easy cases among all possible compositions. You can see there are nine possible compositions. Out of the nine, some are easy-to-analyze cases: if one of them is a secret random permutation, and both are secret, then you can say that the composition will behave like an ideal function or permutation. There are some other compositions which have already been analyzed. For example, if you consider the composition of two secret random permutations, it is not exactly again a secret random permutation, because here I consider the composition of two secret random permutations where both are the same.
So, just as when you have a round permutation you directly use the same round permutation. This case has been analyzed by Minaud et al. in 2015, and they have shown that it has almost n-bit security. There is a similar analysis, but for random functions, by Bhaumik et al. in 2017, and here it has birthday-bound security because of the collision nature of the functions.

In particular, in this talk I will consider a special case, where we have two independent random functions gamma_1 and gamma_2 and we compose them, and we want to see what the PRF security of this composition is. In fact, it is very easy to see that it cannot have beyond-birthday-bound security because of the collision nature of this composition. What do I mean by the collision nature? The composition has a higher chance of collisions compared to a random function, because a collision can happen for the composition if either the first secret random function has a collision or, even if it does not have a collision, the second-layer secret random function could have one. So you can see it has almost double the probability of getting collisions. That can be used to distinguish it from a random function, and a similar attack works for some other simple variants where one of them is a public random function.

Using these principles, we mount birthday-bound attacks on the construction EWCDMD. So what was that construction? It is actually the dual version of EWCDM, proposed by Cogliati et al. in 2016, and this version was proposed by Mennink et al. in 2017. But I just want to note here that this version was not presented at CRYPTO; it was actually presented in the pre-proceedings version. Just after the paper got accepted, I communicated with the authors: I came to see this construction and found some weakness in it.
Later on, the authors communicated with the editors and removed that portion of the design, because it has some problems.

So, coming back to my talk, this is what EWCDM looks like. You see there are two types of inputs: one is nu, which is a nonce, and the other is the hash of the message. The nonce cannot repeat, but the message can repeat, and we have two secret random permutations pi_1 and pi_2. If you look closely, this can actually be viewed as a composition of two random functions; not exactly random functions, but PRFs. You can distinguish them from random functions by a birthday-bound attack, but each is a PRF. How we can view that: in the next slide you can see that the first component is this one and the second component is this one. So this is actually a composition of two PRFs. The attack will be similar to the one for the composition of two true random functions: we compute the tags for different messages, and for 2^(n/2) messages we expect a higher number of collisions compared to a random function. But note that our composition attack works here too; because the components are not true random functions, you have to do slightly more involved calculations to work out the exact collision probability for these constructions, but it is not that different.

Now I come to our next and most interesting composition, which is to first apply a secret random permutation followed by a public random function. Here you note that you don't get higher collisions like before, because the secret random permutation produces distinct inputs for the public random function, and in fact distinct random inputs. So the outputs of the public random function will behave exactly like the outputs of a true random function. But it is a public random function, and we will exploit that feature to have a distinguishing attack.
So what we will do: we first make queries to the public primitive, some x_i's, and the y_i's are the outputs of the public primitive. We make queries to the composition function, and it doesn't matter what the inputs are as long as they are distinct; let's call them 1 to q, all the inputs, and the c_i's are the outputs of the composition. My distinguishing event will be to detect whether there is a match between the y list and the c list: if there exist some i and j such that y_i equals c_j, we return 1, otherwise 0.

So why does this attack work? Let's see how the composition works for the input j. Let's call z_j the internal input; then the final output c_j can be viewed as the public random function output on z_j. We do not know exactly what the value of z_j is, but we have this relation. On the other hand, we have y_i, which is the public random function output on x_i. So x_i is trying to guess the value of z_j: if x_i matches some z_j value, then we have y_i equal to c_j. But even if it doesn't match, there is a chance of equality, because this y_i is random. So even if x_i is not equal to z_j, the outputs can match, because the public random function output is random. That means we have a higher chance of this matching probability compared to the matching probability with a random function. So this will give a distinguishing attack, and this can be applied to our next construction, SoKAC21, proposed by Chen et al. at CRYPTO 2019. It is a very recent construction.

This is the construction SoKAC21. It is basically a block cipher construction. So this is a pseudorandom function construction using public primitives. We have two public primitives pi_1 and pi_2, and here we have one key.
So the 2 and the 1, these parameters, actually depend on how many keys we are using and how many public permutations we are using. So there are different variants, and this is one variant where we use two public primitives and one key. Why is it called sum of KACs? If you look closely at how the construction looks, we have this KAC1, that is a key alternating cipher, also called Even-Mansour. And then we have another Even-Mansour, or KAC, key alternating cipher, but applied to u, which is defined as this. That means we have two key alternating ciphers and we add them. However, it can be rewritten simply like this: if you call this what we have already called KAC1, then SoKAC21 is nothing but the Davies-Meyer function output on KAC1. We do not know the KAC1 value, but pi_2 is a public primitive, so it is a public function on some secret input, which is KAC1.

So what we have done is that we can basically view this again as a composition of two things. One is this one. Our attack does not exploit the public queries to pi_1, so we can safely assume that this is a secret random permutation; and we have a second component which is a public function, basically the Davies-Meyer function. So SoKAC21 is actually the composition of DM, the Davies-Meyer, and the secret random permutation. That means we fall under the second composition category.
So we can actually use the same idea as we showed for the generic case of a secret random permutation followed by a public random function. But here you note that DM, the Davies-Meyer, is not a perfectly random function. Here you do one trick: if you choose the inputs of DM in a without-replacement manner, or close to a without-replacement manner, or exactly a without-replacement manner, the output of DM can be viewed as the sum of two without-replacement samples, which is nothing but the sum of two different random permutations, and it is well known that this is very close to the uniform distribution; that means it is very close to a true random function. So we can use this principle along with the composition attack strategy to get a birthday-bound attack on SoKAC21. Pictorially it looks like this: we basically have to look for collisions between the C list and the Y list.

So now I conclude what we have described. We have described birthday-bound attacks on SoKAC21, but this attack does not work if the final output is masked by a different key. So this is another variant of SoKAC. Beyond-birthday-bound security for such a masked SoKAC is not yet proven, so that would be an interesting open problem. We have described a birthday-bound PRF distinguishing attack for EWCDMD, and the distinguishing attack demonstrated on EWCDMD does not work for EDM, EWCDM, or many other variants of these particular constructions, because these cannot be viewed as a composition of two non-injective functions, which is the main criterion we exploit to get our attack.

Okay, so what are the open problems? Proving beyond-birthday-bound security of some other variants, as I mentioned; and also, we have described the PRF attack, but it does not lead to a MAC attack.
So it would be interesting to see the MAC security of EWCDMD.

Okay. I forgot to talk about why it went wrong, right? So I should mention why it went wrong. Probably the main flaw is mainly that Patarin's mirror theory is not right. But this is not actually the main problem for this problem; I just want to spend some time on it. To me, the flaw is in the review system. For many reasons the reviewers cannot go into the details of the proof: it may be the time constraint, or the reviewers may not be experts in the domain, or maybe due to the non-availability of an expert in that particular domain. As we are running so many papers in the different conferences, we are getting higher and higher chances of getting flawed designs or flawed proofs, and even the proofs can be very complex; that can be another reason for the reviewers not to go into the details of the proofs. But I have seen later, in many cases, that even if the original proof was very complex, later on a simplified proof comes, maybe due to better understanding of the subject. But it may be that the author didn't spend much time on the insight of the proof. So if we spend more time on the construction, on the proof, before it is published, then probably the best or simplest proof can be presented in the beginning, and that actually reduces the chance of having some flaw in the proof. And that is, in my view, the most important future work: how to get rid of these rising concerns. This and other points are actually considered by Neal Koblitz and Alfred Menezes in a recent paper, "Critical Perspectives on Provable Security: Fifteen Years of Another Look Papers".
So I would recommend to all viewers to go through these papers to get the flavor of what the situation is in cryptography, where there are so many papers with so many flaws. We should take some steps, maybe now, to do something to get rid of these rising concerns. Thank you, and be safe.
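As an added example (not part of the talk or the speaker's own code), here is the collision-counting distinguisher on the composition of two independent secret random functions gamma_1 and gamma_2 described in the talk, simulated in Python with a toy output size n = 16; the lazily sampled tables, the query count, and the 1.5x threshold are my choices.

```python
import random

N_BITS = 16              # toy n; real constructions use n = 64 or 128
RANGE = 1 << N_BITS
Q = 8192                 # q = 2^(n/2 + 5) distinct queries, birthday regime


def random_function(rng):
    """Lazily sampled random function {0,1}^n -> {0,1}^n (a secret gamma)."""
    table = {}

    def f(x):
        if x not in table:
            table[x] = rng.randrange(RANGE)
        return table[x]
    return f


def count_collisions(outputs):
    """Number of index pairs i < j with outputs[i] == outputs[j]."""
    counts = {}
    for c in outputs:
        counts[c] = counts.get(c, 0) + 1
    return sum(k * (k - 1) // 2 for k in counts.values())


def expected_collisions():
    """Ideal world: each pair collides w.p. 1/2^n.  Real world: a pair collides
    in gamma_1, or (if not) in gamma_2, so roughly twice as often."""
    pairs = Q * (Q - 1) // 2
    ideal = pairs / RANGE
    real = pairs * (1 / RANGE + (1 - 1 / RANGE) / RANGE)
    return ideal, real


def distinguisher(collisions):
    """Output 1 ('real') when the count is well above the ideal expectation."""
    ideal, _ = expected_collisions()
    return 1 if collisions > 1.5 * ideal else 0


def collisions_in_worlds(seed=1):
    """Return (collisions of gamma_2 o gamma_1, collisions of a single random function)."""
    rng = random.Random(seed)
    g1, g2, ideal = random_function(rng), random_function(rng), random_function(rng)
    messages = range(Q)  # distinct messages; which ones does not matter
    real = count_collisions([g2(g1(m)) for m in messages])
    ideal_c = count_collisions([ideal(m) for m in messages])
    return real, ideal_c
```

Depletion of distinct gamma_1 outputs makes the real-world count a little below the "twice" estimate, but for these parameters it still sits far above the 1.5x threshold while the ideal world sits far below it.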