 Hello, and welcome to my talk about the summation truncation hybrid. My name is Aldo Gunsing, and this is a joint work with Bart Menning. So when we look at symmetric cryptographic schemes, we see that a lot of them are using PRPs or pseudo-random functions like AES, for example. But a lot of them only use them in the forward directions, and do not use the invertibility of them. And in a lot of cases, actually using pseudo-random functions or PRFs that do not have the invertibility property are often more secure. So a prominent example of this is counter mode. If we use a PRP, we get a birthday bound security of n over 2 bits. But if we use a PRF instead, we get full n-bit security. So here we, of course, assume that we have a perfect PRF, but it still shows that PRFs are much more suitable to this construction than the PRP is. So we could design a dedicated PRF for these modes. However, we have very little understanding in how to do that well, because we are a lot more used to building primitives based on invertible primitives and not on non-invertible ones. So instead, we could look at the PRP to PRF conversion, where we build a PRF using PRPs as a building block. So the most straightforward way to do this is simply using a PRP directly as a PRF, and this is known as PRP-PRF switch. And we know that a PRP behaves like PRF up to the birthday bound. But if we want beyond birthday bound security, we can also do some more sophisticated stuff like summation or truncation. And it turns out that these constructions also achieve beyond birthday bound security. So when we first look at summation, construction simply takes two calls of PRP and sums them together using an XOR. And this construction achieves the full n-bit security. And we also have the truncation construction. This construction truncates the output, and it keeps the first a-bit of the output, and it discards the other n-bit. So we have some variably, we can choose the construction variably based on our a. And this construction is also used in the wild in, for example, the key derivation function of GCMSIV. And this construction has n minus a of 2-bit security. So the security level depends a bit on how many bits you keep and how many bits you discard. However, the truncation discards some bits that still may contain some variable entropy. So we can look what happens when we reuse those bits using summation. And this leads to the summation truncation hybrid, or SDH. In this construction, we have two consecutive calls to the PRP. And we first apply truncation to them. So we keep the first a-bit of the first call and the first a-bit of the second call. But instead of discarding the other bits, we extra them together to get some extra output W. So this means that we get n minus a extra bits compared to just the truncation construction. But we actually show that this construction has equal security to the truncation construction. So this means that we basically get those extra output bits for free because we do not trade the security for those extra bits. And also in extreme case, we see that it is equal to summation construction when a is equal to zero. So when we do not truncate anything, we just sum everything and this equal to the summation. So now I want to sketch a part of the proof because I think it's a very interesting part and simplifies the construction a lot. So because we're dealing with a hybrid construction of the truncation and the summation parts, it's very complicated to analyze the both parts together. So what we would like to do is that we separate the truncation and the summation parts. So that is what we try to do. And we will apply a lot of transformations to the constructions in order to achieve that. So as a first approach, we might just write the two parts separately. However, this creates a problem because two parts both use the secret PRP. And this means that the constructions do not behave independently, which means that we cannot analyze them separately. So what we would like to do instead is that we re-choose our permutation P' for our summation part. But we want to do it in such a way that we keep the same construction as before. So we cannot just choose it from all possible permutations because that would give a completely new distribution for the outputted values. And as you saw before, we cannot reference our secret value P because that means that we have a dependence between our two constructions. So what we do instead is that we choose from a set of compatible permutations. And this is the set of all permutations that would behave the same as our P under the truncation part. So it is the set of all permutations that would also output our U and V if we put them in the truncation part. And this does keep the same distribution as we do not really care about our specific P but only care about its behavior in the truncation. And as we sample everything uniformly, it doesn't really matter what permutation exactly we choose as they are all equally likely anime. So this actually keeps the construction the same. And it doesn't matter because our definition only depends on U and V and not on our P. We do not have any shared secret and only depends on public values which means that the constructions do behave independently. So we can analyze them individually. So that is what we do now is that we first look at the truncation part. As it is just normal truncation, we can replace it by a random function. And as we know truncation behaves pretty well like a PRP-PRF conversion. So we can do this without too much security loss. And for our summation construction, we see that it doesn't really matter that we have replaced our truncation because our definition only depends on the U and V. And although those are now generated by a random function instead of truncation, our definition is still well defined so we can still look at this construction. So now we will look at the modified summation. So we first modified the construction bit to also have some sub-values big U and big V. So the first block outputs the small U as the first A bits of its output and the big U as the remaining bits. And the second goal first outputs a small V than the big V. And because we choose our permutation from all the ones that were compatible, we do know that the first goal outputs the small U as its first bits and the second goal outputs the small V as its first bits. But the big U and the big V still can be multiple choices so we do have some distribution on those. And we will take a look at what those distributions are. So first we look at U and it turns out it has just uniform distribution because it doesn't have any restrictions and everything is uniformly sampled. It has a uniform distribution as well. However for the big V it depends. If our small V is different from our small U, it also doesn't have any restrictions so it's also just uniformly sampled from all possible values. However if our small V is equal to our small U, we do have a restriction as it cannot be equal to our big U as that would mean that we have a collision in the output of our PRP and that is not possible. So in that case it cannot be equal to our big U but that is also the only restriction. So it is still uniformly sampled but not from all values but from all possible values except for our big U. So now I give an alternative description for this construction but we want to get rid of that complicated set of all compatible permutations because it is difficult to reason about. So now I will base construction on a family of permutations. So instead of choosing just one random permutation, we choose a whole family of random permutations and we use our small U and our small V as the index for choosing what permutation we want to have. And it turns out that this also gives the same distribution as the previous one so that we are actually looking at the same construction under a different lens. Because if we first look at our big U, we see that it's just the output of some randomly chosen permutation so its distribution is also uniform from all possible values. But for our big V, again it depends. If our small V is different from our small U, we are dealing with a new random permutation so our V is also uniformly random chosen from all possible values. However, if our small V is equal to our small U, we are dealing with the same permutation which means that our big V cannot be equal to our big U but has to be different. But again, it doesn't have any further restrictions so it is still uniformly sampled from all possible values except for our big U. So we might as well look at this construction. And if we reapply the summation part, we can see that this is actually a generalization of summation as we're just dealing with a family of permutations instead of a single one. So we can actually prove that it is secure by modifying the proof of the normal summation. So we still have to do a bit of work in modifying the proof and making sure that it works. But it is a lot easier because we're just dealing with one construction. This definition isn't that complicated instead of the hybrid construction that we had in the beginning where we have two different parts that are not independent and that makes analyzing very difficult. So we do still have to do some work but it is way easier. For those interesting in it, the proof uses the Chi-square technique which is more often used for proving these kinds of stuff because it is a statistical tool to do that. So now I want to compare the summation hybrid to the summation and truncation. So on the left we have a graph with the security plotted against its efficiency. So the security is denoted in bits, ranging from n over 2 which applies for the normal parity bound up to the full security n. And the efficiency is denoted in the rate. This is the number of input bits needed for an output bit on average. So lower the rate, the more efficient the construction is. When we first look at the summation, we see that it has the full security of n bits. And its rate is 2. That's because we need two blocks, two calls to the PRP to get one block of output. And for the truncation, we see that its security varies because we have our variable a that we can choose. And if we do not discard anything and just keep all the outputs, we are in the bottom left, which is just a normal PRP-PRF conversion. So it has the birthday bound security and its rate is 1. That's very efficient. And if we discard more and more bits, our security level increases, but our efficiency decreases even more. So theoretically, it will get arbitrarily close to the full n bits security, but it will take a long time and it's not that efficient. And if we look at the summation truncation hybrid, we see that it has the same security as the truncation construction, but because we have some extra output bits for free without compromising the security, we see that it's always on the left of truncation. So it is way more efficient. And here we also see that again, it starts in a normal PRP-PRF conversion, and it draws a nice line up to the summation, because in the other extreme case, it is equal to the summation, so it has also the same place in the graph. So concluding, we've seen that a lot of symmetric graphic constructions use PRFs basically. But building PRFs is not conventional and block ciphers are more commonly built. So we might as well take a look at PRP to PRF conversions. One such established conversion is truncation. However, it discards some valuable PRP outputs that still contain some entropy. So we may want to look at reusing it using summation and turns out that we can do that without any security rules, leading to the SDH construction. And for future work, it might also be interesting to generalize the SDH construction and look at multiple calls at the same time. So now we just look at two calls, but you might might be possible to look at more than that at the same time. So that's the end of my talk. Thank you for your attention.