 on state-separating proofs of reduction methodology for real-world protocols. Oh wow, thanks for reading out the title. So, that's a more serious talk. So, sometimes I suffer. So this talk is about easing my suffering. So more in detail. Key exchange researchers more generally sometimes suffer. And so this is a self-help talk for key exchange researchers. So I want to share my experience as a key exchange researcher and tell you a little bit of how I hope to overcome some of the obstacles of key exchange researchers. So once upon a time, I was a PhD student and I worked on key exchange. And at night, when I wrote proofs, I suffered. Because there were tons of work. Because key exchange protocols were super, super complicated, especially real-world protocols like TLS. They had many, so the proofs, many see me in these simple steps. But once I had done the proof, I wasn't even sure it's right. So it was not possible for me to verify where it's right. It was not human verifiable. So one of the worst proofs that I proved was that Larago and key exchange protocols are composable with symmetric key protocols. So those are actually very simple. So you have a key exchange protocol that outputs symmetric keys that look random. And then you use them in an application protocol that is secure with random keys. So this should be straightforward, even without using universal composability. So what I was really concerned about is the theorem seems very simple. So why is the proof so hard? So I tried to see the aspect where I tried the nice things. My colleague tried the nice things. And each time the proof looked really, really happy. So one of the difficulties is that there's state between the key exchange and the application protocol, namely the keys. And this is a multi-session and multi-instance game. So in more detail, how do we prove things? So we would prove things by saying, okay, replace those key real keys with random keys and then reduce the security of the application protocol when you use random keys here. And so in each of these steps, you have to maintain lists in the reduction, pass on keys to the right sessions, etc. It's boring. Yeah, it's boring, but it's very complicated, and you have to do it. And in this religious step, you also have to do it, so it's very annoying. So the first idea is to say, okay, if we share state between those packages, maybe we can move the state to a key package and have the shared state in the one-year version. And then you have rules to specify those packages. So then you get the reduction automatically. So the idea is that when you reduce to the application protocol, this is your reduction automatically. And so the idea is to define operators that allow you to come to those packages. So one is a regular operator that allows you to parallel composition, and if they use a package in a circle or a rotor, and this allows you to do proofs in a very simple way. So then we define some algebraic rules, which, so for example, for the hybrid argument, you can plug in an ID, and this is still the same package, and now you can do a hybrid proof in a very simple way. So this becomes your reduction to the simple assumption. So let's start from the beginning. You want to swap out this package 0 to 1. We do this by moving this package here, this is the reduction, then we can reduce to this single session assumption, and then we can move it back. And this is automatic, and what doesn't need to do anything for it. So this is just some example. So those simple steps, they're a little work, they're precise, they're human, they're very viable, and so a little bit of the notation. So Mike Roosevelt uses some of those ideas, and especially a very similar notation, in the draft of his book, The Joy of Cryptography, which is very, very nice, and he has been using this in his undergraduate classes for many years. So I think this makes this type of notation very usable for making complicated proofs as simple as possible, and I think it's a very useful thing. So our hope that we can use this method to prove TLS 103, to use this method for material reductions, to make key exchange tables readable again, and most of all to suffer less, and to hopefully understand more. So my request and my suggestion is that if you suffer from writing seemingly good simple proof steps or from making them accessible to readers, check whether our notation can help, and if you have the same struggle in teaching, check whether Mike's book can help you. So many of those conceptual ideas are, of course, new. Some of them are from the universal composability framework, some of them are from the random system, some are from Crypto, constructive Crypto, some are from the METLS work by Mike's research in New York, Paris, some are from PyCode, and we put those ideas together with a focus on proofs. We're not trying to find the right model, we're just trying to simplify proofs as much as we can. So it's now in the different states of writing proofs, the reduction methodology for real particles and maybe help you too. Thank you.