 A small universal deterministic authenticated encryption for the IOT. It's a paper by Superdip Anik, Andrei Bogdanov, Atul Leugs and Elmar Tischhauser, and Superdip will give the talk. Thank you for the introduction. So I'll be talking about this deterministic block cipher-based authenticated encryption mode called Sunday. Block ciphers have traditionally been very, very popular primitives for implementing or constructing authenticated encryption modes. Often it may so happen that block cipher when considered in isolation is ideal for a given environment, but when it is used in a mode of operation, quite often it may so happen that the mode of operation kind of erases the benefits that the block cipher brings in isolation. This is the case with, for example, SIV that requires two independent keys, as in the case of COPA or LMD, that requires internal state size of at least thrice the block size of the underlying block cipher, or the case of EAX, which requires multiple calls to the block cipher before any data can be processed. Another example is this GCMS-IV that was proposed in CCS in 2015, although it achieves quite competitive performance in software on recent Intel-based architectures. The mode employs full multiplication in this 128-bit finite field, which makes it an unattractive proposition for implementation in hardware and resource constrained platforms. Okay, so we propose a mode of operation called Sunday that is efficient with respect to short messages and is competitive with modes like clock and jumbo in this respect. It has a short state size. It is flexible in so much as it offers good performance characteristics over both resource constrained and high-end platforms, and additionally it also provides robustness if the device in which it is implemented does not have sufficient and reliable sources of randomness. So our mode of encryption is completely deterministic. The specifications currently do not explicitly mention a nonce, but if a nonce is required, the first X-bits or so of the associated data can be used for this purpose. So it is a SIV mode optimized for lightweight settings. It uses a single key and a bunch of block cipher calls. The only additional operations that the mode uses are all linear. The first is an XOR, and the second is multiplication by a constant over a finite field. Both of which can be achieved by only XOR gates. It also has a short state size. If the underlying block cipher has block size n, then Sunday also requires a size of n, which is an improvement over some of the recent modes of operations proposed in literature. So our performance is limited by fundamentally the fact that it is a rate-half mode, so that it requires two block cipher calls per message block. Such the ideal use case for our mode of operation is for short messages, for which it achieves competitive performance with respect to other modes of operation. For example, consider a dataset consisting of one block of nonce, AD, and plain text. In such an event, Sunday would require five calls to the underlying block cipher, which would reduce to four if you allow one block cipher call to be pre-computed. So as such, the ideal use case is settings in which there is more cost to the communication rather than computational resources, and settings like repetition of through data or plain text, etc. So this is an algorithmic description of the encryption and decryption. I think it would be much better if I moved to a pictorial representation. So the initial input to the mode of operation is this value called IV, which can take four values depending on whether the associated data or plain text is empty or not. Every block cipher call, the associated data and the message is absorbed by means of an XOR function. The domain separation is provided by these two multiplication operations over the finite field. The multiplication is with the constant two or four depending on whether the final block is complete or not. As can be seen that after absorbing the associated data and plain text, Sunday executes one additional block cipher call and produces the tag for this associated data and message pair, which also serves as a kind of a synthetic IV to this sort of this erosion point here, which also serves as the input synthetic IV to this OFV mode of encryption, OFV type, stream cipher mode of encryption, which produces key stream at this XOR to the message to provide the cipher text, to produce the cipher text. I come to the main security statement of Sunday. So we have shown in the paper that, and in fact, we have proven in the paper that the DAE advantage of Sunday reduces to this huge expression over here, where NE is the total different, total distinct blocks, block cipher calls, and the mode makes at least Q encryption and QV decryption queries, and total length cost of sigma i, sigma p and sigma c. The security has shown up to about the bound. The entire proof is around 10 to 12 pages long, but what I will do in this presentation is give you a broad overview of how we came to get this expression. So step one is quite natural. After replacing the block cipher calls with a uniform random function row, it can be shown that the DAE advantage of Sunday, it can be shown that the DAE advantage of Sunday by using some sort of a triangular inequality, it can be shown that this advantage can be written as a sum of three terms. So this term comes from the PRP-PRF switch, and this is the PRP advantage of the underlying block cipher. And this is the DAE advantage of Sunday when operating on uniform random functions. Although we compute the DAE advantage of Sunday directly, we can also separately argue for the authenticity and confidentiality of the mode. For confidentiality, we can observe that the ciphertext is essentially produced by a stream cipher like OFV mode of operation, and hence confidentiality is intuitively guaranteed if the input to the OFV mode that is the stag over here is unpredictable to the adversary. It's slightly tricky to do so because the associate data and claim text are processed similarly, and the only mode of domain separation are these very, very simple functions that we employ. So a bulk of the security argument goes to prove the fact that this domain separation, however simple, actually works for our purpose. For authenticity, it is important to observe that if an adversary forforges a message ciphertext tag per CT, then what it essentially means is that the MAC of the decryption algorithm when run on C, T outputs the tag T. By definition, C is assumed not to be part of any previous transcript or assumed not to have been output by any previous encryption call. And under such circumstances, it is easy to show that forging is equivalent to finding the preimage or the second preimage of this underlying MAC. Part of the security argument also goes behind proving that it is difficult for the adversary to do so. Now, for ease of representation, what I will do is label some parts of the operation so that it is easier to express. For example, this set of operations from here to here, which produces the key stream, given the message input, we will call ink stream. And this set of sub-operations, which when given T produces the key stream, we will call simply stream. And the encryption algorithm of Sunday which produces the tag and the ciphertext can be shown to be equivalent to applying the ink stream algorithm, producing the key stream, and then applying this chop XOR algorithm which is essentially taking the key stream, chopping it first to make it of same size as plain text and then XORing. Hence the name chop XOR. So the encryption part of Sunday is essentially the composition of these two operations, chop XOR and extreme. And we can similarly describe a deck stream algorithm which proceeds in this roundabout manner. So given an input TC, it first computes stream, produces key stream, then applies chop XOR with the ciphertext to get some message M prime. And then it comes back over here, then it again runs the ink stream algorithm for A comma M prime. And then it looks at the output T prime that it has produced. If T equals to T prime, then the tag has verified in such an event, it releases the output stream T as it releases nothing. So the decryption algorithm is also kind of deck stream composed with this chop XOR algorithm. So given this description of Sunday, we have an encryption algorithm with this chop XOR times extreme and the decryption algorithm which is chop XOR times the extreme. So the next step is to remove this chop XOR from this ink and deck to make things easier. So what we can do is define another adversity, each chop XOR that interacts with either the encryption decryption with the uniform random function or dollar bottom. And for every query that A makes, each chop XOR simply forwards it to its oracle and then chops in XORs with the message of the ciphertext and returns it to A. After doing this, it can be shown that the DE advantage of each chop XOR is more than the advantage of the DE advantage of the actual Sunday mode of encryption on running on uniform random functions. And so we kind of concentrate on proving the bounds on this term. The next step is kind of natural too. So we define two additional routines called stream star and deck of stream star. Stream star simply ignores the OFV mode and outputs completely random values of the required length. And deck stream star does the required bookkeeping. If the input T equals to some TI previously present in the transcript, it outputs stream star of TI. Otherwise, it simply outputs bottom. And by applying triangular inequality, it can be shown that this DE advantage can be written as a sum of this and this. So concentrate on the term at the bottom. So the term at the bottom is the advantage of this adversary when interacting with deck stream star and bottom. So this is essentially, bounding this term is essentially bounding the probability that deck stream star produces non-bottom output. And it has been shown in the paper that this is same as finding the second pre-image of the underlying first 10 bits of dollar, which is basically the MAC algorithm. And so it can be argued that this term is actually bounded by this expression over here where Q is the total encryption and Q is the total number of decryption queries. So we are only left with this term in the expression which we haven't found a bound for yet. And the next part of the paper is dedicated to finding the bound on this advantage. And we have used the edge coefficient technique to bound this advantage term. For those who are familiar with the edge coefficient technique, it involves taking the set of all transcripts and partitioning the set of transcripts into T good and T bad so that certain properties are satisfied. So in order to do so, we will start with a few definitions in order to explain the partition of the transcripts better. So the first step is to convert the transcript from a set of values to a graph. And we do it as follows. So we split the associated data and the message into individual blocks. And after splitting it, we prepend a single bit with every block to indicate whether it is a final block or not. For example, since this is the final block, we prepend the bit one, otherwise we prepend zero. And then we transform this set of values into a set of functions defined as follows. So for every block, for every extended block, delta, comma x, where delta is a bit and x is from an element of the block size. So we define f of delta x as simply an xor if it is a non-final block. And we multiply with a constant and xor if it is a final block and it is complete slash incomplete. And so you can see that every transcript can be written as a sequence of functions. For example, if associated data and the message are both non-empty, then we can convert this transcript into a sequence of functions given by i of a comma m, which starts with the initial IV and lists the set of functions one by one. And any constant values in the sequence should be simply interpreted as a constant function. So given this set of functions x1 to xl, we can then define the sequence rho hat of x, which ultimately applies the uniform random function rho and elements of this sequence. And it is not very difficult to see that the Sunday algorithm is the encryption of the Sunday algorithm is essentially the stream hat algorithm applied on rho hat of i of a of m. And now the converting the transcript to a graph is very natural if you follow simple rules of prefix. For input messages or input functions that have a common prefix, we just make sure that if they have the same prefix, then they follow the same path from the root to the leaf. So we can define two such graphs. One in which the nodes are simply the values. We can define a similar graph in which the values are converted into function sequences. Under most conditions, the graphs are isomorphic, though not always. I'll come to the situation when they are not isomorphic. And of course the output key stream produced by the algorithm is expressed by these yellow nodes. They exist as independent unconnected nodes in the graph. So when we are implementing this as a function, it is easy to see that these edges represent calls to uniform random function. And each query to Sunday or each row of the transcript is essentially application of all the functions starting from the root node to the leaf node. And this being so, we can also label each of the nodes by these labels chi0, chi1. So a label would be defined as the intermediate value applied after applying the function f that is written inside the node. For example, chi0 would be applying the uniform random function IV, then applying the function fA0 and the output that you get. We can use that as a label to that node. Okay, so now we will define the partition of the transcripts. So we define the set of bad transcripts to be the transcripts that force the events one or two to occur. These are the events that allow the adversary to construct trivial fortresses. So the first bad event is if one of the key stream blocks has value equal to one of the four IV values that the mode starts with. And the second bad event is a collision between the key stream blocks themselves. So since this having been defined, we now concentrate on the set of transcripts in which these two events do not occur. So there are two more events of interest, the first of which we will call a structural collision. So this happens if two values, when two blocks, when they are converted into functions, when two unequal values, when they are converted into functions, they map the same function. Yeah. Okay. So the main part is that such a structural collision will never occur in Sunday when mapping from delta x to f of delta x is essentially injected. So this is the thing that we do not have to worry about in this mode of encryption. And the final level of interest is a row collision in which the labels of two nodes collide, which may occur due to randomness induced because of applying the uniform random functions represented by the edges. So in the paper we use graph theoretic arguments to prove or rather to bound the probability that collision occurs between the labels. And once we do that, the application of the edge coefficient technique is straightforward. So we can prove that the only term that was left behind, we can prove that this advantage bounds is bounded by this expression over here. And now since we have all the necessary terms, we can add all of them to get the bound in term one. So very quickly we do a brief overview of performance. So we implemented the modes in both a resource, both a low-end MV8 platform and also on an Intel CPU for message lengths from I think four 228 blocks. We found that on high-end architectures 3% slower than two passes of CBC and on the low-end architectures, the difference was around 7%. For all processes in general, for short messages it was only 11% worse than for longer messages. However, the performance penalty is far greater for modes like COFB, which were designed to be single pass. And for this we have a significant penalty for both low-end and high-end platforms. So this is a tabulation of the software performance. One minute maximum. So this is on both the high-end and low-end platforms. For ASIC, we kind of tweaked the doubling by replacing it with eight doublings on a smaller field, which we found very nicely fits into this byte-wise AS architecture and does not cause any problems to the security because this mapping from delta x to f of delta x is still injective. We implemented it on using this bytes-wise serial AS architecture and also nibble-wise present architecture and both architectures it compares very favorably with the existing modes that also make use of this byte-wise serial AS architecture. And that's it. Thank you. Okay, thank you. So if there are any questions, I would encourage you to ask them afterwards. But if there is a very important question, you can still ask it. We can make an exception. Okay, no one wants to ask a question. So let's say thanks, SuperDeep again.