So the title of this presentation is "How to Build Pseudorandom Functions from Public Random Permutations". It's a joint work with Eran Lambooij and Bart Mennink.
So the pseudorandom permutation, or PRP, and the pseudorandom function, PRF, are the two most fundamental primitives in cryptography. In the seminal work of Luby and Rackoff, they introduced a way to design a PRP from PRFs. Their work was actually motivated by the DES block cipher, which consists of an r-round Feistel network. It can be shown that four rounds are sufficient to get birthday bound security. But people soon realized that we actually need the opposite construction, which means we want to build a PRF from PRPs.
In the past years, various approaches for turning a PRP into a PRF were introduced. For example, the Sum of Permutations by Bellare et al. in 1998, the Encrypted Davies-Meyer by Cogliati and Seurin in 2016, and the Encrypted Davies-Meyer Dual by Mennink and Neves in 2017. If you look at those constructions, you will see that all of them only use the block cipher in the forward direction. But a block cipher is usually designed to be efficient both in the forward and in the inverse direction, which actually makes the block cipher an over-engineered primitive for PRF design.
But now, sparked by the SHA-3 competition, which was announced in 2007, with its winner in 2012, and its winner Keccak is a permutation-based hash function. So this actually led to increasing interest in constructions built on public random permutations. Those permutations, unlike block ciphers, are usually very fast in the forward direction but not necessarily very fast in the inverse direction.
Now this should be the complete picture, where we have the PRPs, PRFs, public random permutations, RPs, and public random functions. We already discussed the conversion between PRPs and PRFs.
Now the conversion between the public random permutations and public random functions can actually be done in a similar way. The resulting function is usually keyless and we assume that the underlying primitives are ideal. Then we can prove the security in the indifferentiability framework. So the conversion between RP and RF is done by the indifferentiability of the Sum of Permutations, and the conversion between RF and RP is by the indifferentiability of Feistel networks.
So I think it's quite clear why it's not so interesting to build RPs and RFs from PRPs and PRFs. Which means the only interesting thing is how we can build PRPs and PRFs using RPs and RFs.
So the first case is building a PRP from an RP, which is already considered by the Even-Mansour construction or the key-alternating ciphers. It was introduced in 1991 by Even and Mansour, and then in 2012 the concept of key-alternating ciphers was introduced, which is actually the iterated Even-Mansour cipher. In 2016, Hoang and Tessaro showed the tight security bounds of the key-alternating ciphers.
The next case is the conversion from RF to PRF, which is done by the key-alternating Feistel cipher, which was introduced in 2004 by Gentry and Ramzan, where they combined the idea of the Feistel network with the Even-Mansour construction, and they showed that the resulting construction will be birthday bound secure if we have four rounds of it.
The next problem is the conversion from RF to PRF, which is considered by Gaži and Tessaro. In 2015, they had a similar construction like this, where they can turn an RF into a PRF.
So this makes the only problem which is still open how we can design a pseudorandom function from public random permutations, which is actually the title of this work.
So to formulate the security definitions precisely, we are going to introduce an attack game. At the beginning of the game, one of the two worlds is chosen. So here is the real world, and the ideal world on the right side.
And this adversary A will get q construction queries to the construction oracle, this one and this. And the adversary will also get p primitive oracles to each of the primitive oracles. In the real world, the construction oracle is actually our proposed pseudorandom function, and in the ideal world, it's actually a perfectly random function. Now, the primitive oracles are the same in both worlds. We assume that A never makes the same query, because both worlds will just return the same results when asked the same queries. After communicating with the oracles, A should state which world it was given. If A cannot do so, then we can deduce that the given construction is actually a good pseudorandom function. We see that the advantage of the adversary in distinguishing the two worlds increases if the number of queries that the adversary can ask to the oracles increases.
So, of course, we are going to start by trying to build a pseudorandom function from one public random permutation call. In our work, we actually analyze the general construction where we also use a linear pre-processing function and a linear post-processing function, L1 and L2. And we actually show that we cannot build a pseudorandom function with beyond the birthday bound security with just one single permutation call. Because in our work, we actually analyze all the variants of the linear functions, and for each of the variants, we give an attack to show the scheme can be broken in the birthday bound or even faster.
But here, I'm only going to explain the most general function, where all the inputs, so all those five inputs, have influence on the construction. So the idea is actually, as long as we can find a collision between the input M of the construction oracle, the construction query, so the construction query is in red and the primitive query is in blue.
So as long as we can find a collision between the construction query and the input X of the primitive query, then there will be a relation between the output Y of the primitive query and the output C of the construction query. Then in that case, we can prove that the construction can be distinguished from random in the birthday bound.
So of course, the next step is to try to build pseudorandom functions with two permutation calls. Instead of directly building a pseudorandom function from random permutations, a natural way is, of course, to first design a PRP from RPs, and then the next step is to build the PRF from PRPs. So for example, we can first use the RPs to build the Even-Mansour constructions and then turn the Even-Mansour constructions into a PRF using, for example, the Sum of Permutations.
But the problem is, we know that the Sum of Permutations is optimally secure as long as the underlying block ciphers are secure. But the Even-Mansour construction is only birthday bound secure, which means if we just plug the Even-Mansour constructions into the Sum of Permutations, then the resulting PRF will only be birthday bound secure. Of course, we can use two rounds of the Even-Mansour construction, because two-round Even-Mansour is 2n/3 bits secure. Then the resulting PRF will also be beyond birthday bound secure with the same security. But then the resulting construction will be twice as expensive as before, because here we need four permutation calls to get 2n/3 bits security. Which means we need a dedicated security proof.
So the main contribution of this work is the introduction and the security analysis of the Sum of Even-Mansour construction. We look at all the different variants of the Sum of Even-Mansour construction and prove their security. So the first variant is Sum of Even-Mansour with two identical permutations and one single key.
So I think it's quite clear why this thing cannot work, because we have the same y here, and then those just cancel out, and the c will always be the same, which is equal to the unused key.
So the second construction is when we use the same permutation but with two different keys. However, in this case we can prove that it is actually only secure up to the birthday bound. The attack idea is actually very simple. If we have this construction, then in the birthday bound queries we can find two construction queries, m and m star, where m and m star will collide. So as long as this equation happens, then we can show that the output c is equal to the output c star. Then again we can distinguish the construction from random.
So the third construction is where we use two independent permutations and one single key. In this case we can again show that it can be broken in the birthday bound, because the idea is to find a collision of the input m of the construction query with the two inputs x of the two primitive queries. So as long as this happens, then we can find the relation between the output y1 of the first primitive query, the output y2 of the second primitive query, and the output c of the construction query. Then again, with this relation, we can prove that the real construction can be distinguished from the ideal world construction.
So now the last variant is the Sum of Even-Mansour construction using two independent permutations and two independent keys. This construction is the only construction that we can prove to be secure beyond the birthday bound. Here we have 2n/3 bits security, and we also provide an attack to show the tightness of this security bound. So the idea of the attack is actually, as long as we can find a collision between the input m of the construction query and the input u of the first primitive query, and at the same time this input m should also collide with the input x of the second primitive query.
So as long as we can find these two, then we can prove that we can distinguish the real world construction from the ideal world construction. So of course those equations happen in 2n/3 queries.
So the security proof of this construction is actually performed with Patarin's H-coefficient technique. It's a little bit too complex to explain the proof in detail here, but the idea of the proof is the first iteration of Patarin's mirror theory. However, here the adversary A has query access to the underlying primitives, the two underlying primitives. So this makes the counting more difficult, but anyway, the resulting construction will have 2n/3 bits security.
So in this work we consider the problem of designing a pseudorandom function from public random permutations by introducing the Sum of Even-Mansour construction. In the previous version of this work, in one of our side results, we actually introduced another construction which has the same security bound, but it was removed after the observation by Mridul Nandi, because we made a very stupid mistake in the proof. But yeah, this is just a side result; the main contribution of this work is the Sum of Even-Mansour construction.
So the conclusion. In this work we first show that there cannot be beyond birthday bound secure PRFs using one single permutation call. Then we propose the PRF Sum of Even-Mansour construction, and we show that the construction can only be birthday bound secure if we use one key, or two permutation calls but with the same permutation. And we also prove that the same construction can be 2n/3 bits secure as long as we use two independent keys and two independent permutation calls.
So for the future, it will be interesting to study if we can get the same security by using just one key or two permutation calls to the same query, and if there will be a construction with the same security built using one key and two permutations, and two permutation calls to the same permutation. And it will also be interesting to study the security of the Sum of Even-Mansour construction but with multiple Even-Mansour, so then we can see if the security increases with the number of permutation calls. So this is the end of my presentation. Thank you for your attention.
Are there any questions? Thank you. Then I would have one, please. Namely, I guess this is not in your paper, but can you remind me, or us, about the best construction with beyond birthday bound security with only one permutation, like if you can make multiple calls?
You can make, as long as you can, you mean you make multiple calls but to the same permutation?
Yes, there's only one permutation that you have.
Yeah, I think, but what about the keys? Can we use multiple keys?
Yes.
In that case I'm actually not really sure, because I think the sum of permutations and the sum of multiple permutations can be very efficient, because you can evaluate the permutations at the same time. Yeah, but I'm not sure, if we just use one permutation, what the security bound will be. So yeah, I'm not really sure about that.
Thank you. Any more questions? Okay, then I guess we all go and enjoy these chocolates and coffee that they announced. Thank you.