 Yes we can hear you. Just a second so that you appear on the screen. Great. You're sharing your screen so everything's good. Okay so the floor is yours. Thank you. Okay thank you Pasco for the introduction. So every day when we read emails browse Facebook or have a talk with colleagues via Zoom. Our security is insured by authenticated encryption or AE, a tool that delivers both privacy and authenticity. The conception of AE emerged in the year 2000 as a way to add authenticity to classical encryption and it then quickly moved from theory to practice. Since then there have been a number of efforts in strengthening the original notion such as unique nonce AE or misuse resistant AE. These efforts have led into widely used schemes in the TOS IPsec and many other network protocols. Still despite the huge volume on AE works, essentially everything still falls under the umbrella of privacy and authenticity and have been a long helped believe that these notions are enough for practical purposes. Surprisingly in a recent attack known as the partitioning oracle attack, land, grubs and distant past shatter this common belief. They demonstrate a break of standard encryption in the context of password based encryption. So in this setting the adversary tries to exploit a server as an execution oracle to recover passwords. Strangely the attack has nothing to do with authenticity or privacy of the encryption scheme. Instead the adversary tries to find some form of multi-collisions on the server text of passwords in a dictionary. If we can find an S-way multi-collision it can speed up by a factor of S compared to a brute force attack and for standard encryption schemes S can be as big as thousands making the attack practical. So the partitioning oracle attack demonstrate that in contrary to common belief privacy and authenticity are not enough and it's not the only place where things go wrong. Consider Facebook message franking. So Alice and Bob have an encrypted conversation via Facebook messenger. Now thanks to you and inclusion Facebook doesn't know your key anymore. Still it allows you to report abuse but you have to send the decryption key for verification. Unfortunately there's a way to practice mechanism by sending a fake key and associated data. It can turn Alice's deny message into a malicious one and she would be wrongly penalized for that. Again this has nothing to do with privacy or authenticity because the adversary Bob in this case knows the key. Instead what we need here is a new notion known as committing security. In formal latest means that the server type should be a commitment of the key and for some applications such as message franking you want to commit the message as well. Although committing security is new it captures what practitioners intuitively think about encryption schemes. Unfortunately this intuition is not supported by any standard day schemes yet it is urgently demanded by many applications such as subscribe with Google or the OPEC password based exchange. There have been a couple of works on formalizing committing security but if you look closely anybody speak a slightly different dialects. Some wants to commit just the key. Some wants to commit everything. Some work deals with the old-fashioned probabilistic AI. Some deals with the standard the unique nonce AI. Although even defies a new type of AI with a different syntax there's currently a lack of a unified systematic treatment for committing security and partly because of this current solutions are somewhat frustrating. Earlier schemes tend to be pretty slow as slow as hashing the message. Recent schemes are faster but you consume more bandwidth than necessary say two additional blocks per message. In addition why unique nonce AI schemes like GCM receive a lot of attention from both industry and academia. There has been no effort in fixing misuse resistant AI schemes like AES, TCMS, IP. Since this work we give a systematic treatment for committing notions and based on that we build direct transforms UTC and RTC for unique nonce and misuse resistant AI. The UTC transform is a generalization of a prior work by Albertini at all but it allows a more efficient instantiation. Now while UTC and RTC works generically they still demand one additional block per cybertext and overhead for small messages is still large. To bridge the performance gap we view committing variants of a CCM and AES-TCM-SIB. Compared to the original schemes these variants introduce very tiny changes there's no subject expansion and the overhead is very little. Moreover let me mention that prior work on committing security only provide analysis in a single user setting. In contrast here we provide strong multi-user analysis for all schemes in our paper. Now let me give you a visual comparison on the performance of our unique nonce schemes CUC1 and UTC with a prior work of Albertini at all that is deployed on Amazon cloud. Now as illustrated by the picture our schemes are a lot more efficient than the prior work and for CUC1 the overhead is negligible even for small messages and the same trend continues for our misuse resistant schemes. Now in today's talk I'll introduce the framework of committing notions and I'll show you how to achieve that in the context of CCM. But before we get into that let me begin by briefly reviewing the syntax of AES schemes. So syntactically an AES scheme consists of an encryption algorithm and a decryption one both deterministic. Encryption text as input of key K, a message M, a nonce N to produce a cell taxi. Conversely decryption text the key a cell text the nonce to produce either a message M or a symbol integrating invalidity. They also take an additional argument known as associated data or AD. It is a string that for some reason cannot be encrypted but still should be authenticated. For example if you encrypt neural packages then you cannot encrypt the headers because routers need to see that to move to the next hop. So in that context your message would be the payload and your AD would be the headers. In practice the AD is often short. For example happy headers at most 60 bytes. Now let me give you an overview on the committing definitions. It turns out that there's no one size three all notion but a hierarchy of definitions. At the bottom we have the commit once notion that commits just the key K and that's enough for the partitioning protocol attack. At the very top we have the commit for a notion that commits every for all the four components in a couple KNAM and that is demanded by message franking. In between we define an intermediate notion commit three that commits the three components KNA. Now it turns out that the commit three and commit four notions are equivalent. In formally once you can commit KNA the message M is automatically committed thanks to the correctness of the description but there's a definitional separation between commit one and commit three and this matters not just for security but also for efficiency because it turns out that the top two notions require hashing the AD but the bottom one doesn't. Luckily in practice AD is short so we can realize commit for security in a cheaper way than hashing the message and the AD as many current solutions. Now let me describe the definitions in more details. So here the adversary needs to produce two tuples K1 N1 A1 M1 and K2 N2 A2 M2. Its goal is to produce a collision while we equip these tuples. Now to avoid trivial wins the commit one notion requires that the keys be distinct. Commit for is more relaxed it requires that the two tuples are different. Now here the adversary wants to produce a collision we can sterilize the definition a little bit requiring that the adversary needs to produce an S-way multi collision instead of a mere collision but now let's take a step backward and think about that notion it seems that somehow the sterilization is redundant in fact if the adversary cannot produce a collision surely it cannot produce a multi collision so the special definition already implies the general one so why bother to sterilize so it turns out that the sterilization gives us a trade-off for resisting auditioning Oracle attack. Now let's say that you if there's no collision whatsoever then our schemes can only deliver the standard birthday bow in committing security but if your applications can tolerate a little speed up in the password guessing then we can deliver much better security say 96-bit security now remember that there are two main notions commit for a commit one once you commit just the key the other ones you commit everything now it turns out that once you can commit the key it's easy to commit everything else and we achieve that via a genetic transform chemical hash then encrypts in particular here we have a base A scheme that is commit one secure and we want to leverage it somehow to come to obtain commit for security now remember that commit form is that you need to commit k and a once you can do that the message m is automatically committed so our first step is to hash k and a to derive a synthetic key we then use that synthetic key to include the message m not because the base A scheme commits the synthetic key so the cell attacks is a commitment of k and a if the hash function is collision resistant and as a result the overall construction has commit for security now let me stress that here the ad is processed only once because in the encryption we encrypt with an empty ad so the hash the encrypt transform has no cell text expansion and actually its overhead is optimal remember that commit for demands hashing the ad whereas commit one doesn't so here the hashing cost of k and a is somehow unavoidable security wise if the hash function is a good pf then the transform preserves both unique nonce and misuse resistant security for the a scheme and as i mentioned earlier if the hash function is collision resistant then the transform promotes commit to one security to commit for so now we have a nice way to obtain commit for if we know how to get commit one so now what's left is to see how to get commit one in a clean way and i will show you how to do that in the context of gcm so remember that commit one means that you need to commit the key somehow so the intuition is that you need to hash the key probably with something else and then include the image in the same text but how long should the hash output be the conventions would tell you that you need something like 256-bit output to prevent offline attacks why here we don't want an adversary to spend a lot of pre-computation to get a collision and then attack the committing security with anybody with constant cost per user but if you look at the applications of committing security more closely then typically one key is random sample and that rules out the offline attacks so actually here you only need 128-bit output moreover here you only deal with a very short input the key k so you actually don't need a fully flashed cryptographic hash function to now paper we instead use the davis mayer construction on a yes davis mayer is known to provide good collision resistance in the idl cipher motor and in our work we show that it continues to provide good multi collision resistance even better that's the best you can hope for from a one-to-date-bit output hash function so you have a good way to hash the key but how would you include the hash image without expanding the same text in order to answer that question let me now give you a bird eyes view of gcm so remember that gcm is basically encrypt and match so here the inclusion scheme is counter mode and the map follows the catwalkman paradigm in particular in the map you first use a universal hash function known as ch to process the seven x car c and the ad and you then use a one-time path to increase the ch output to derive tactic now let's zoom in the markers just a little bit further and the one-time path is produced by making a call to the block cipher so in our scheme chc1 instead of using a one-time path we directly use the block cipher to include the chs output it is also a very common variant of the catwalkman it has authenticity but itself doesn't have committing security to make it committing we add an extra xr turning the block cipher code into davis maya construction another tactic becomes a commitment of the key k as a result the commits one security of cuc1 can be reduced to the multi collision resistance of the davis maya construction for unique non-security cuc1 retains the security of gcm actually for short tax the situation is even better gcm is known to be very poor if the tax is short but cuc1 does that and it's an issue so even if the applications don't need committing security there may be a good reason to switch from gcm to cuc1 summing up given urgent demands from many applications we believe that it's time to upgrade encryption standards to committing ones the variance in our work allows us to do that with tiny changes there would be no server tech expansion and nowhere is little and the transition for astc cms ivy is particularly attractive because the scheme is new there's not much legacy issue and what you need here is just an extra xr thank you for listening to my talk and i'm happy to take questions now vietong yes no no i'm just asking in the room if there are questions for you so i'm like okay yeah good all right uh germy blocky Purdue University uh so uh you mentioned uh that you don't need 256 bit uh hash outputs for 128 bit security i was curious uh is this inherent if we require s equals one or is this just a feature that we can exploit when the number of multi collisions is larger than larger than two okay so uh for the actually for the base case where s is two namely a mere automated collision then we can only provide birthday bow security but if you look at the base schemes gcm or so they only provide birthday bow so in the basic setting where s is two then you have birthday by security but as i visualize in the slides let me see where it is here do you see the screen so if you allow a bigger x say at is far so then you have 96 bit of security and the bigger the s is uh the better security about you have okay okay so um i guess if we want no speed up though in password guessing we still have to go back to 256 bits um if if you want uh one today bit security then probably so okay but yeah okay thanks any other questions if not then uh let's thank uh viet Tong again