 Hello everybody, my name is Itai and I would like to tell you about my paper on the streaming indistinguishability of a random permutation and a random function. So I will start with the classical problem. An adversary tries to distinguish a random permutation from a random function. And the permutation and the function think of them as having input and input domain of size n. And the adversary has a budget of q queries. So it's kind of querying the permutation or function oracle getting back answers and he's trying to decide whether is interacting with the random permutation oracle or a random function oracle. And the switching and lemma says that the adversary has advantage which is bounded by q squared divided by n. And this is basically how it's written formally. And this switching lemma is is important in cryptography because it allows us to establish some concrete security bounds for crypto systems. Basically up to what is known as the birthday bound q equals the square root n because that's when the advantage is roughly constant. And in particular it allows us to establish security of some modes of operations like the counter mode. And this switching lemma is basically tight and how do you show it? You show it by a matching algorithm. So a matching algorithm is basically an attack. So how do you distinguish between a random permutation and a function with q queries basically you store the answers and then you try to find the collision among the answers. So if there is a collision, if you gather enough elements, then you're likely to find a collision if you're interacting with the function. So that's how you distinguish. However, this algorithm that I showed you requires q bits of memory. An interesting question would be what happens if your memory is restricted. It turns out that you can actually achieve about the same advantage with restricted memory by running some cycle detection algorithm. And the cycle, such cycle detection algorithms typically require a very small amount of memory and they achieve basically the same advantage. However, such algorithms require adaptive queries to the AuraCon. And what if you cannot issue adaptive queries? For example, you just eavesropping to communication. In particular, what if your memory is restricted to s bits and you're given just a stream of q elements that are produced from either a random function or a random permutation. What happens in this case? So you can think about it in the following way. So you're just getting replies from the oracle which correspond either to a random function stream or a random permutation stream. And you have a limited amount of memory and you're trying to distinguish. And this problem was first considered by Jager and Tessaro at Eurocrypt 2019. And what they proved is what I'm going to call a streaming switching lemma, which states that an adversary with s bits of memory and access to a stream of q elements that are drawn either from a random permutation or a random function has a distinguishing advantage, which is bounded by the q times s divided by n and square root of that. This is actually kind of useful because it allows you to obtain better security bounds against memory restricted adversaries for some modes of operation. Okay, for example, if you consider AS based counter mode, then you can actually prove based on the security of the AS and the streaming switching lemma, you can actually prove that if the memory of the algorithm is limited then counter mode is secure beyond the birthday bell. And you do this by essentially applying the streaming switching lemma and the details of how you actually do this can be found in the JT19 paper. However, this lemma has two limitations. The first limitation is that its proof is based on some unproven combinatorial conjecture. And the second limitation is that this bound is actually not tight when q times s is smaller than m. And so just as an example, assume that you have basically s equals q, meaning that you can roughly store all the q responses, all the q elements of the stream. Then what you expect to get is essentially the original switching lemma, q squared divided by n because you essentially have no restriction on the memory. However, this bound, if you plug in here q times s, you get the square root here. So it seems like it shouldn't be there. So what I do in this work, basically I overcome these limitations. These limitations and I prove a new switching lemma where the bound on the advantage is q times s divided by n and this bound is actually tied up to this logarithmic factors. And how do you show that it is tight? Well, you consider an attack. And the attack is actually trivial, kind of very simple. So you assume you have a memory of s bits, maybe a bit more than what you do is actually store, say, the first s elements in the stream. And then you try to look for a collision between your memory and the stream. And so that's the attack. And if you analyze it, then you see that this is roughly the advantage that you get. And this shows that this bound is tight up to logarithmic factors. Another kind of way to see that, not to see, but maybe to an intuition of why this bound is tight is that when you plug in s equals q, here you get roughly the original switching lemma. So this is kind of what you expect. Okay, so in the remainder of the talk, I'm going to discuss on how I prove this switching lemma. And I'm going to use a classical technique. I'm going to reduce the streaming problem from a communication complexity or CC problem. Okay, and this is done using kind of a generic framework. So I'll explain roughly how this framework works. So Alison, Bob are trying to solve some communication complexity problem, and they are given access to some streaming algorithm. So the way they do it is as follows, Alice has her input, Bob has his input, and they kind of view their concatenated inputs as a stream. And now Alice simulates the streaming algorithm on her input and passes its state to Bob, which continues the simulation and then outputs the results. And now how many bits have to be communicated? Well, because the state of the algorithm is bounded by aspects, then Alice basically has to communicate aspects. This shows you that the streaming algorithm with the memory of s gives a one way communication protocol with communication cost of s and the same distinguishing advantage. However, the way it is actually used almost all of the time is to obtain lower bounds on streaming. And this statement is actually equivalent to the following statement, the lower bound on the cost of the communication protocol. So if the communication protocol is hard, this gives you a lower bound on the memory of the streaming algorithm. So this means also that the kind of the streaming problem is hard. You have to use a lot of memory. Okay, so now we'll kind of go back to our problem of distinguishing a random permutation stream from a random function stream. So let's kind of try to use just the framework that I presented to solve this problem. So here's an attempt. So each player is going to get half of the elements of the stream chosen either from a random permutation or a random function. And they're going to kind of try to distinguish between these two cases. However, it turns out that this reduction is useless because the communication problem is easy. Why it is easy because, well, I think for example that if the stream contains more than square and elements then the players can trivially distinguish between a random permutation and a random function without any communication. Just by looking for example locally for collision. Okay, why is that because the players are have unlimited resources. They have unlimited time and unlimited space and the only way that we're charging them is just by their communication. So kind of a conclusion from this, from this is that if we want the communication complexity problem to be hard then the joint distributions of Alice and Bob's input should have the same marginals. Essentially this means that Alice and Bob's would have the same local view and both of these distributions otherwise they can just distinguish locally without any communication. However, this restriction is kind of impossible in our problem of distinguishing a random permutation and random function because there's just no way to divide the output such that this restriction holds. And this is a problem and we're going to try to get around it. And the way we try to do it is by a hybrid argument. So what we're going to try to do is to consider intermediate hybrid distributions between random permutation and a random function and we're going to prove that distinguishing between neighboring hybrid distribution is hard and we're going to do it by a reduction from communication complexity. So let's see a first attempt at that. So in this attempt we're going to define Q hybrid games. And game I is going to be defined as follows so you have a stream of length Q and the first Q minus I elements are going to be chosen without replacement meaning from a random permutation. The remaining ones are going to be chosen from a random function. That's the first distribution and the second distribution. So you kind of consider consider a shorter prefix by one element here chosen from a random permutation and the remaining elements are going to be chosen from a random function. So the only difference here is here is this element. So this is a valid attempt. Unfortunately, it does not, if you kind of do the calculation, it does not give you a tight bound on the problem that we want to solve. Essentially, this is because there are Q hybrids and the distinguishing advantage that you get for each such game is as not as small as we want. If you want to think of an algorithm like with small memory that can distinguish between these two cases with reasonable probability, then think of just storing kind of the first bits of each element. Here, not sorry, not storing but storing a majority among the first beats, the first bits of these elements and comparing to the bit here. So this actually gives you a decent distinguishing advantage. And this means that this problem is not as hard as we wish it would. So we're going to try a different approach. The approach will be actually to break the stream into halves. So we'll denote the sequence by the first half of the sequence by X's the first the second half of the sequence by Y's. So the first distribution naturally will be a random permutation. Okay, so that's the first distribution that will consider in the in the game. And the first intermediate hybrid is going to be defined as follows. So the first half of the stream is going to be chosen from a random permutation. The second half of the stream is going to be chosen from a random permutation. However, these permutations will be independent. What does this mean basically the, for example, X1 cannot be equal to X2 because they are chosen from the same permutation and similarly Y1 cannot be equal to Y2. However, for example, X1 could be equal to Y2 because these permutations are independent. And the reduction from communication complexity basically is what you would imagine Alice gets the first half of the sequence Bob gets the second half and they want to decide whether they have the say that their inputs are drawn from the same or from independent permutations. And note that now the marginals are identical because basically the local locally in both of these cases each player just gets a q half elements drawn from a random permutation. Okay, so I'm going to call this problem a permutation dependence or p depth. In short, this is just an ad hoc problem that I just defined. And as I said, Alice and Bob just want to distinguish if their inputs were drawn from the same or random permutation and what the way we're going to use this is basically by a reduction to streaming using the framework that I've shown. So basically, there was basically nothing special about this reduction now. Okay, so I've defined the speed of problem but the question is, is the speed of problem really hard. Remember, we want hard communication problem. So is it really hard. So it turns out that it is hard and this is shown. I show this in the paper by a reduction from classical communication problem. Called this jointness, which has been studied for many, many years. And in this problem, each player, Alice and Bob receives a set of size M, and they want to decide where their sets are intersect or are this joint. And I use what I use as a as a problem is a theorem that states that this problem is basically hard in the sense that if Alice and Bob communicates the sea beds, then their advantages bounded by C divided by N. So this is what what I'm going to use. And how do I use it. Well, what I show is basically reduction that converts this jointness instance to an instance of PDEP. I'm not going to really discuss the parameters that everything is obviously proved in formally in a formal way in the paper. So what you get by applying this, this reduction and using the previous theorem about the hardness of the this jointness problem is you get that the advantage maximum advantage and solving the PDEP problem is q times s divided by N. Okay, so let's zoom out and see where we are. Let's zoom a random permutation to a random function. And now what we have is where we started with the stream of a random permutation and we've broken it into two independent paths. Okay, so how can you continue. Well, natural approach would be to kind of try to continue recursively now that we've broken the dependency between the two halves. We're going to consider each one of these two halves and we're going to break them into quarters. We're going to consider another instance kind of the PDEP communication problem here and here, and so forth. And finally in the last level, what do we have? Well, we have basically q elements that are divided into q independent permutations. We've broken the dependency between all the elements. So what we get is a random function and this is what we want. The advantage, so it turns out that the advantage advantage advantage at each level is bounded by q times s divided by N. I've shown you this for this level. It turns out that for each level, the advantage is bounded in a similar way. So if you sum up all the advantages, you get this log q factor because you have a log q levels. This essentially sums up the summary of the proof. Of course, more details are in the paper. So let me conclude. So I've approved the new streaming switching demo. And the bound that I get is this, which is essentially typed up to polylaborate with factors. And what I've used is a reduction from communication complexity to streaming, which uses a somewhat unconventional hybrid argument. So why is this somewhat unconventional? Because standard streaming problems are usually defined in a worst case setting, meaning that you're actually free to choose the hard distribution for the communication complexity problem. However, in our setting, and this is kind of a standard setting in cryptography, the streams are fixed. So we're not free to choose them. This is kind of why we have to define these hybrids in order to get around this difficulty. Of course, in the future, it would be kind of interesting to try to see whether similar hybrid arguments are applicable to more problems in cryptography and maybe in other domains. And the paper also prove some extension of this, this problem to multi pass algorithms. Okay, so details are found in the paper, and I encourage you to take a look. Okay, so that would be all. I thank you very much for your attention.