Hello everyone, I am Srimanth Bhattacharya and I am going to present our work titled "Luby-Rackoff Backwards with More Users and More Security". This is a joint work with Mridul Nandi. This talk is broadly divided into three parts. I will start by motivating PRFs and their multi-user security. Then I will cover some technical background and state our results, and finally I will give a brief sketch of the proof of one of our main results. The primary motivation of our work comes from the importance of pseudorandom functions. They are quite important cryptographic primitives and are used for quite a lot of cryptographic tasks. Now, a pertinent question is how do we get them? How do we get good PRFs? In the domain of symmetric cryptography, it is known that there are good block ciphers; there are good block cipher constructions which are modeled as pseudorandom permutations. Now, can we use them as PRFs? Can we use a PRP as a PRF? It is known that an n-bit PRF can be distinguished from an n-bit PRP with order of 2^(n/2) queries. This is known as the birthday bound. Now, is it possible to go beyond this birthday bound? That is, is it possible to use PRPs to come up with a construction that requires a large number of queries, ideally order of 2^n many queries, to distinguish it from a pseudorandom function? This question is practically important and theoretically challenging, and it was treated for the first time formally by Bellare and others, and they termed this problem "Luby-Rackoff backwards" because Luby and Rackoff in their seminal work considered the converse problem: they considered the problem of converting PRFs into PRPs. Sum of permutations is a well-known construction in the literature which converts a PRP into a PRF. To describe the construction, let RP be a random permutation on {0,1}^n.
The basic version of the construction, denoted by XORP, takes an input of length n-1, maps it to two distinct inputs to the random permutation, evaluates the random permutation RP at those two inputs and takes the sum of the corresponding outputs. So XORP is a mapping from {0,1}^(n-1) to {0,1}^n. A series of works led to the result that XORP is secure up to order of 2^n many queries; that is, at least order of 2^n many queries are required to distinguish XORP from a pseudorandom function. Now, this simple construction can be generalized in various ways. In XORP[3], the random permutation is queried at 3 distinct points and the output is the sum of the corresponding outputs. So XORP[3] is a mapping from {0,1}^(n-2) to {0,1}^n, and there are a few works that imply that XORP[3] is also secure up to order of 2^n many queries. It can also be generalized into an efficient version, denoted by XORP'[3], which requires 5 calls to the random permutation to produce a 2n-bit output. So it is efficient because it requires one less block cipher call for a 2n-bit output. Now, there is a series of works that shows that this construction is also secure up to order of 2^n many queries. In general one can think of XORP[k] and XORP'[k] for arbitrary values of k. In fact, some of the results that we have cited earlier were derived for general values of k, but in this work our focus will be on the case k equal to 3. This sum of permutations construction has been practically used in CENC, PMAC_Plus and ZMAC. Now, these results look satisfactory because in each case the construction is secure up to order of 2^n many queries. However, consider the case when the construction is used in a multi-user scenario, where each user has an independent copy of the construction and the adversary can query the users, possibly adaptively.
So, if there are u users and the adversary can make q_max many queries per user, then by a standard hybrid argument it can be argued that XORP[k] is secure when the number of users is of the order of 2^(n/2) and the number of queries per user is also of the same order. Now, for the specific case of AES, which has a block length of 128 bits, it can be argued that it is secure when the product u times q_max is of the order 2^96, assuming that the advantage is of the order 1/2^32. Now, with the rapid growth of the internet and other relevant technologies, this margin looks pretty vulnerable. So, a possible fix that comes to mind is increasing the block length of the cipher, but block ciphers like AES, which are widely available, come with a fixed block length. So we cannot increase the block length of the cipher. In such a state, one of our results implies that XORP[3] is secure even when the number of users is of the order 2^n and q_max is also of the same order. This is a substantial improvement over the order of 2^(n/2) bound that we have discussed previously. In the single-user setting this result implies that the adversary's advantage is negligible even after making order of 2^n many queries, and to the best of our knowledge this result is novel in the literature. We have also shown that the efficient version XORP'[3] provides the same level of security. To state our results in more precise terms we require some technical background, and we start with the notion of indistinguishability in the single-user setting. To describe this notion, let Func(n) be the set of all functions from {0,1}^(n-2) to {0,1}^n and Perm(n) be the set of all permutations from {0,1}^n to {0,1}^n. We will restrict our discussion to the construction XORP[3].
So, in the security game the adversary interacts either with the construction XORP[3], when it is constructed using the random permutation RP, or with a random function drawn from the set Func(n). When the adversary queries with an x in {0,1}^(n-2), in the real world it receives the output of the construction XORP[3], and in the ideal world it gets a random element of {0,1}^n, and at the end of the entire interaction it outputs a single bit. We quantify the security of the construction by the advantage of the adversary, which is the absolute difference between the probability that the adversary outputs 1 when it is interacting with the construction and the probability that it outputs 1 when it is interacting with the random function. The probabilities are taken over the randomness in the real and the ideal world and any randomness used by the adversary. Now, since our focus is on information-theoretic security, we assume that the adversary is computationally unbounded. So, without loss of generality, we can assume that it runs with the best coins, so we assume that it is deterministic. The only restriction we place on the adversary is that we restrict it to making q many queries, and without loss of generality we assume that it does not repeat any query, because when it repeats a query it will get back the same reply. Under these conditions, when the transcript in the real world is given by the tuple P_1 to P_q and that in the ideal world is given by the tuple R_1 to R_q, which follow the distributions Pr_P and Pr_R, then the adversary's advantage can be shown to be upper bounded by the statistical distance between these two distributions. Next, u-user indistinguishability. For this, let Func(u, n) be the set of all functions from [u] x {0,1}^(n-2) to {0,1}^n, let RF be a randomly chosen member of this set, and let RP_1 to RP_u be drawn uniformly at random from the set Perm(n).
So, Perm(n) is the set of all permutations over {0,1}^n, and RP_1 to RP_u are independently drawn. In the security game, in the real world we have the construction XORP[3]^u, which is XORP[3] in the multi-user setting where there are u many users, and in the ideal world we have the random function drawn from the set Func(u, n). When the adversary makes a query (i, x), in the real world it receives the output of XORP[3] when the underlying random permutation is RP_i, and in the ideal world it receives a random element of {0,1}^n, and at the end of the entire interaction it outputs a bit. Like in the single-user setting, we quantify the security of the construction by the adversary's advantage, which is the absolute difference between the probabilities when the adversary is interacting with the construction and when it is interacting with the random function. Similar to the single-user setting, the probabilities are taken over the randomness in the real and ideal world as well as any randomness used by the adversary. Here in this multi-user setting we allow A to make q_max many queries to each user. Our assumption was that A makes at most q_max many queries to each user; now we are allowing it to make exactly q_max many queries to each user. So we are giving more advantage to the adversary, and all it will do is that the bound we get will be a worst-case bound. Now the total number of queries is given by q_max times u. We also assume that A's queries to the same user are distinct, because if it repeats a query it will get back the same reply, and we also assume that each user holds an independent copy of the random permutation. So the replies given by each user will be independent.
So, under these conditions, if the real-world transcript is given by P_1 to P_q and the ideal-world transcript is given by R_1 to R_q, then the multi-user PRF advantage of the adversary can be shown to be upper bounded by the statistical distance between these two distributions Pr_P and Pr_R. Now we state our main results formally. Our first result is on the multi-user PRF advantage of the construction XORP[3]; it upper bounds the advantage by the quantity 20 times the square root of (u times q_max), divided by 2^n, when q_max is upper bounded by 2^n / 12. What this result implies is that XORP[3] can be used simultaneously and independently by order of 2^n many users when the adversary is allowed to make order of 2^n many queries per user. In the single-user setting, when we plug in the value u equal to 1, it shows that the adversary's advantage is of the order 1/2^(n/2) even after making order of 2^n many queries. Our second result is on the single-user PRF advantage of the efficient version XORP'[3], and it is upper bounded by this quantity. We have not given a multi-user analysis of this construction, but it can be done in a manner similar to this one, and we would get a similar type of bound as that of the construction XORP[3]. Now, to compare our first result with the one obtained by Wang and Chen recently for the construction XORP[2]: in their case the multi-user PRF advantage is upper bounded by a quantity which is of the order sqrt(n) times q / 2^n, where q is the total number of queries made by the adversary. So our result is a substantial improvement over this one. Also for the efficient version, compare with the one obtained by Cogliati et al. for XORP'[2]: in that case the multi-user PRF advantage is upper bounded by a quantity which is of the order q / 2^n. So in this case also we obtain a substantial improvement.
So, our results justify the title of our work. We have applied our result to counter mode encryption. Without going into technical details, I just state that the multi-user security of counter mode encryption is similar to that of XORP[3] when the encryption scheme is instantiated with a good block cipher. And this can be compared with the parity method encryption proposed by Bellare and others, which achieves a similar level of security but requires additional randomness. The main technique that we have employed in our proofs is the chi-square method. It is a tool for bounding the statistical distance between two joint distributions. In order to describe it, let X^q be a q-tuple of random variables sampled as per this distribution, and Z^q be a q-tuple of random variables sampled as per this distribution. Both tuples take their values over this domain. Now we can define this conditional distribution; X^(i-1) is the tuple X_1 to X_(i-1). These are fixed values. So we have these two conditional distributions. Now we can define their chi-square distance, and then the chi-square method states that the statistical distance between these two joint distributions is upper bounded by this quantity. This is the expected chi-square distance, where the expectation is taken over the random choice of X_1 to X_(i-1). Here x_1 to x_(i-1) are fixed values; now we make them random and sample them as per this distribution, and then we get the expected value of this chi-square distance. This method was introduced in the cryptography literature by Dai and others in 2017, and since then it has been effectively used in quite a few recent works, and in this work also we have found this method to be fairly effective in bounding the statistical distance between joint distributions.
Now I am going to discuss the main steps of the proof of our first result, that is, the multi-user PRF security of XORP[3]. As we discussed earlier, the advantage of the adversary is upper bounded by the statistical distance between these two distributions. So the goal is to upper bound this statistical distance, and there we want to apply the chi-square method. It turns out that there is a certain issue around the adversary's choice of the user of the i-th query, which we denote here by u_i, being adaptive. u_i can potentially depend on all the previous replies and not only on the previous replies given by u_i, and that creates a problem for the application of the chi-square method. So is there a way around this problem? A possible solution lies in reordering the transcripts. So we reorder the transcript P to a transcript S, and we reorder the transcript R to a transcript U. We do it in such a way that the replies given by the same user are clubbed together. In the original transcripts P and R that might not have been the case, but in the reordered or permuted transcripts we ensure that this happens, and that makes it possible for the chi-square method to be applied to the transcripts S and U. So how do we reorder? The transcripts U and S can be thought of as being generated by these two random experiments. For transcript U, the q-tuple is sampled in a with-replacement manner from the set G, which is nothing but the set {0,1}^n. For the random experiment S, what we do is that for each user we sample 3 times q_max many elements in a without-replacement manner from the set {0,1}^n, and then we divide these 3 times q_max many elements into q_max many triples. Then finally, for each l in [q], we take these triples one by one, take their sum and generate the corresponding element of the q-tuple. Now, it is not difficult to see that the transcripts R and U are the same.
Both are q-tuples sampled with replacement from the set {0,1}^n. What we have achieved by reordering P to S is that we have created a transcript where the replies from the same user are grouped together. So the first q_max replies belong to user 1, the second q_max replies belong to user 2, and in this manner the entire transcript is built. Now we make two important observations. The first one is that the distribution of the output is independent of the input in both worlds, that is, for the construction XORP[3] as well as for the random function, and the second one is that the adversary makes the same number of queries to each user. In fact, the second one is an assumption that we have made while defining the notion of multi-user security. What these two facts allow us is, first, that it makes it possible to reorder the transcripts. Secondly, now in the transcript S the user for the i-th query, denoted by u_i, is uniquely determined by the index i. So u_i is equal to that unique j such that i = (j-1) q_max + k, where k is between 1 and q_max. In particular, we have that this conditional probability is exactly equal to this conditional probability: if the user for the i-th query is j, then the probability of S_i given all the previous replies by all the users is exactly equal to the conditional probability of S_i given the previous replies by user j only. This follows because the random permutation sampled by user j for the construction XORP is independent of all the other random permutations sampled by the other users. Now this makes it possible to apply the chi-square method to bound the statistical distance between the distributions corresponding to transcript S and transcript U. Another important thing to notice is that the statistical distance between the original distributions is exactly equal to the statistical distance between the distributions corresponding to the reordered transcripts. This is because reordering, being a permutation, preserves the statistical distance.
So, now it is enough to upper bound the statistical distance corresponding to the reordered transcripts. Now, can we apply the chi-square method to these two distributions? Here we need to ensure that the support of S is contained in the support of U; that is one of the conditions that has to be met in order to apply the chi-square method. How do we ensure that? We ensure that by extending the transcripts S and U to the transcripts X and Y respectively. So S and U become marginals of X and Y. How do we extend them? For each i in [q] we make X_i equal to the triple (T_(i,1), T_(i,2), S_i), where S_i, as we have constructed it, is exactly equal to T_(i,1) + T_(i,2) + T_(i,3), and Y_i equal to (V_(i,1), V_(i,2), U_i). Due to this extension, the collection of V_i's corresponding to each user behaves like a WOR (without replacement) sample. For each user, this collection of V_i's kind of simulates the collection of T_i's. If you remember the random experiment for S, the T_i's are sampled without replacement from the set {0,1}^n. Here it should be noted that V_(i,3) is given by this expression: k takes values from the set {1, 2, 3}, and V_(i,3) is given by V_(i,1) + V_(i,2) + U_i. Now the question is, what are V_(i,1) and V_(i,2)? We have not defined them so far. In order to see what V_(i,1) and V_(i,2) are, let i be given by this expression, so the i-th query is the j-th user's k-th query. So the user for the i-th query is j, and we consider the set of all tuples (v_1, v_2) such that v_1, v_2 and U_i + v_1 + v_2 belong to this set. G is the set {0,1}^n and we are discarding all the V_i's that belong to the j-th user. For the j-th user there have been k-1 queries, because this query is the j-th user's k-th query. So these V_i's correspond to those k-1 queries. We are discarding those V_i's, and we also require that U_i + v_1 + v_2, v_1 and v_2 remain distinct. Now (V_(i,1), V_(i,2)) is sampled from this set.
So, after extension it can be shown that the support of X is exactly equal to the support of Y. That makes it possible to apply the chi-square method to bound the statistical distance between these two distributions. And also, since S and U are marginals of X and Y, we have this relation: the statistical distance between the distributions corresponding to the two transcripts S and U is upper bounded by the statistical distance between the distributions corresponding to the extended transcripts X and Y. Now we are in a position to apply the chi-square method to bound this statistical distance. Next we come to calculating the conditional probabilities under the distributions Pr_X and Pr_Y. Here X_i is this triple. This part is slightly technical, but what I want to highlight is that this conditional probability, which is conditioned on the entire previous history and takes into account the replies from all the users, can be reduced to this conditional probability where the history is limited to only the j-th user. This is possible due to the reordering, and we discussed this reduction while we discussed the reordering of the transcripts. Due to this reduction it is possible to calculate this conditional probability, which is given by this expression. The underlined 3 stands for the falling factorial. Similarly, we can calculate this conditional probability under this distribution, and it turns out to be this quantity. Here this set is the same set eta_i that we discussed on the previous slide. After the conditional probabilities, or the distributions, have been calculated, we can calculate the chi-square distance between the two conditional distributions, and this turns out to be this expression, where c and d are given by these two expressions, and then we calculate the expected value of this chi-square distance, where the expectation is computed under the distribution Pr_X, and it turns out to be this expression.
So, our final task is to compute this expectation. The task of computing the expectation is taken care of by an important lemma which we termed the core lemma in our paper. In order to discuss the lemma, let us denote {0,1}^n by G. The cardinality of G is denoted by capital N, and let V_r be a random r-set in G. Then for each element u in G we define the set of tuples (g_1, g_2) where u + g_1 + g_2 belongs to the random r-set, and we also require that u, g_1, g_2 be distinct. This set is the same set that we discussed while discussing the conditional probability taken under the distribution Pr_Y. Its size is a random variable, since V_r is a random r-set. So the size of this set is a random variable which we denote by N_(u,r). Now, the task of computing the expectation on the last slide boils down to computing this expectation. The first step towards computing this expectation is to compute the expectation of the random variable N_(u,r), which we accomplish using indicator random variables. For the element u we define this set to be the set of all tuples (g_1, g_2) such that they are not equal and both belong to the set G minus {u}, and then we define the indicator random variable corresponding to each such tuple, whose value is 1 if g_1, g_2 and u + g_1 + g_2 all belong to the set V_r and are all distinct (g_1 and g_2 are already distinct, and u is also distinct from g_1 and g_2), and whose value is 0 if this condition is not met. Then the random variable can be expressed as the sum of these indicator random variables, and we can exploit the linearity of expectation to compute this expectation in a straightforward manner. It turns out to be exactly equal to d, this d here, and then this expectation actually turns out to be the variance of this random variable.
So, computing this expectation amounts to computing this variance. Now the question is, how do we compute this variance? To do that, for each tuple (g_1, g_2) we define this set as G_u, where the triple consists of the elements g_1, g_2 and u + g_1 + g_2. Then we observe that the cardinality of the union of two such sets corresponding to two tuples g and g', which may not be distinct, can take three distinct values, 3, 5 and 6, which we denote by w. Now we come to the computation of this variance, where we employ the variance-covariance formula. For the variance part we employ this formula, since I_g is an indicator random variable, and get this expression. For the covariance part we employ this formula and split the sum according to the value of w: for w equal to 3 we get this expression, and when w takes a value in the set {5, 6} we get this expression. From these three expressions we can compute the value of this variance, which is given by this expression, and once this variance is computed we can compute the expectation of the chi-square distance between the two distributions, which is given by this expression, and this finally leads to the upper bound on the statistical distance between these two distributions. This is what we set out to do, and this is the result that we get. To conclude, in this work we have shown strong PRF security of the construction XORP[3]. In the multi-user setting our result implies that XORP[3] can be used simultaneously and independently by order of 2^n many users while the adversary can make order of 2^n many queries per user. In the single-user setting we have shown that the adversary's advantage is negligible, precisely of the order 1/2^(n/2), even after making order of 2^n many queries. For the efficient version XORP'[3] we have shown similar security guarantees.
We have given the proof only for the single-user case, and the multi-user security analysis can be carried out in the same manner as was done for the construction XORP[3]. Thank you for your attention. Finally, I acknowledge the use of slide templates made available by Rafael Vieira Western Merger of IMPA, Brazil, which are available on the Overleaf website.
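The constructions named in the talk, as an added example that is not part of the transcript or of the authors' paper: a toy XORP[k] (k = 2 and k = 3) and XORP'[3] built over a "random permutation" on 8-bit blocks, a multi-user wrapper giving each user its own independent permutation, and the birthday collision distinguisher from the motivation. Assumptions made here: the permutation is a seeded Fisher-Yates shuffle standing in for an ideal random permutation, and the concrete 5-call layout of XORP'[3] (one shared call feeding two triples) is my reading of "5 calls for a 2n-bit output", since the talk does not spell out which calls are shared.

```python
"""Toy sum-of-permutations constructions (added example, not the paper's code).

The 'random permutation' is a lookup table produced by shuffling {0,1}^n with a
seeded PRNG, so the whole domain fits in memory and results are reproducible.
N_BITS is deliberately tiny; it is a model of the information-theoretic setting,
not a usable PRF.
"""
import random

N_BITS = 8              # block length n of the toy permutation
DOMAIN = 1 << N_BITS    # |{0,1}^n|


class CountingPermutation:
    """A random permutation on {0,1}^n that counts how many times it is queried."""

    def __init__(self, seed):
        table = list(range(DOMAIN))
        random.Random(seed).shuffle(table)   # seeded stand-in for an ideal permutation (assumption)
        self._table = table
        self.calls = 0

    def __call__(self, x):
        assert 0 <= x < DOMAIN
        self.calls += 1
        return self._table[x]


def xorp(perm, x, k=3):
    """XORP[k]: input x has n - ceil(log2 k) bits; query perm at the k distinct
    points x || j (j = 0 .. k-1, written on the low tag bits) and XOR the outputs.
    k = 2 gives XORP (n-1 bit input), k = 3 gives XORP[3] (n-2 bit input)."""
    tag_bits = (k - 1).bit_length()
    assert 0 <= x < (1 << (N_BITS - tag_bits)), "input too long for this k"
    out = 0
    for j in range(k):
        out ^= perm((x << tag_bits) | j)
    return out


def xorp_prime3(perm, x):
    """XORP'[3], assumed layout: 5 permutation calls at x || 0 .. x || 4 produce
    two n-bit blocks that share the first call, i.e. one call fewer than running
    XORP[3] twice. x has n-3 bits so that the 5 query points are distinct."""
    assert 0 <= x < (1 << (N_BITS - 3)), "input too long for XORP'[3]"
    y = [perm((x << 3) | j) for j in range(5)]
    block1 = y[0] ^ y[1] ^ y[2]
    block2 = y[0] ^ y[3] ^ y[4]
    return (block1 << N_BITS) | block2          # 2n-bit output


def birthday_distinguisher(oracle, queries):
    """The PRP-vs-PRF distinguisher behind the birthday bound: a permutation never
    repeats an output, a random function does once ~2^(n/2) outputs are seen."""
    seen = set()
    for x in range(queries):
        y = oracle(x)
        if y in seen:
            return "PRF"
        seen.add(y)
    return "PRP"


class MultiUserXORP3:
    """Real world of the multi-user game: u users, each holding an independent
    random permutation; a query is the pair (i, x)."""

    def __init__(self, users, seed=2021):
        self.perms = [CountingPermutation(seed * 1000 + i) for i in range(users)]

    def query(self, i, x):
        return xorp(self.perms[i], x, 3)


if __name__ == "__main__":
    p = CountingPermutation(1)
    print("full-domain queries to a permutation:", birthday_distinguisher(p, DOMAIN))
    q = CountingPermutation(7)
    print("XORP'[3] output bits:", xorp_prime3(q, 3).bit_length(), "calls:", q.calls)
```

Running it with N_BITS = 8 shows the two facts the talk leans on: the birthday test always says "PRP" for a permutation even after querying the whole domain, and XORP'[3] costs 5 calls where two XORP[3] evaluations cost 6. The collision behaviour of XORP[3] itself is the hard part the paper analyses and is not something this toy can settle.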