Hi, welcome to my talk on tight security for key-alternating ciphers with correlated subkeys. I'm Xihu Zhang, and this is joint work with Stefano Tessaro.

A T-round key-alternating cipher (KAC) construction is built on T public permutations, π_1 to π_T, and uses T+1 n-bit subkeys, S_0 to S_T. The KAC has received considerable attention because it captures the design of substitution-permutation networks, with the most prominent example being AES. Previously, the theoretical analysis of key-alternating ciphers relied on two independence assumptions: that the subkeys S_0 to S_T are independent and sampled uniformly at random, and that the round permutations π_1 to π_T are also independent and sampled uniformly at random. After a line of work studying KAC, it was proven that under these two independence assumptions, KAC achieves optimal security, tolerating any adversary that makes at most 2^(nT/(T+1)) queries, counting both the queries to the cipher construction and the queries to the public permutations π_1 to π_T.

However, the independence assumptions are not necessarily realistic for practical cipher constructions. In particular, practical ciphers generate all subkeys from a short master key, and they use a single permutation for every round instead of independent permutations. Currently, the security of KAC without the independence assumptions remains not well understood, and there is still a large gap between the theoretical study of KAC and practical cipher constructions. Bridging this gap turns out to be not easy. Over the last decade, only limited progress has been made towards removing the independence assumptions while maintaining optimal security. The first result was by Dunkelman et al., who considered minimizing the Even-Mansour cipher, which is the one-round case of KAC. They reduced the master key length from 2n bits to n bits. Later, Chen et al. successfully minimized the two-round KAC in both the key length and the number of permutations used.
Then, very recently, the three-round case was addressed by Wu et al. They reduced the number of permutations used by the three-round KAC to a single permutation, under the assumption that all subkeys are independent and uniform. However, for any number of rounds larger than three, nothing was understood in terms of either reducing the master key length or the number of permutations. Practical ciphers have many rounds: for example, AES has at least 10 rounds, and PRESENT has up to 31 rounds.

In this work, we focus on the key schedule. In particular, we make the first step towards reducing the master key length and understanding the security of KAC with correlated subkeys for a large number of rounds, under the assumption that the permutations are independent. We focus on studying linear key schedules over the field F_{2^n}. Our first result provides a (T-1)-wise independent key schedule that saves 2n bits of master key for an arbitrary number of rounds T. We also move one step further by showing a (T-2)-wise independent key schedule that saves 3n bits of master key for KACs with at least eight rounds, while maintaining optimal security. To prove these results, we propose generalizations of the sum-capture theorem by Chen et al. We also improve the subkey dependency requirement in the good-transcript analysis by Hoang and Tessaro from T-wise to (T-2)-wise.

In the rest of the talk, I will first describe the classical KAC analysis framework. The framework is based on transcript analysis, where the transcripts record the behavior of the adversary, and we partition all transcripts into either bad transcripts or good transcripts. We will primarily focus on the bad-transcript analysis, where we first revisit how the sum-capture quantity is used for bad transcripts in the two-round case by Chen et al. Then we propose generalized sum-capture quantities with either one or two constraints and present their upper bounds. For the good-transcript analysis, due to the time limit, I will only provide the lemma statement.
To model the security of KAC, we consider an adversary that tries to distinguish two worlds. In the real world, the adversary has access to the public random permutations π_1 to π_T and to the KAC construction built on those permutations. In the ideal world, the adversary can access the public permutations and, additionally, a random permutation P that is independent of all the permutations. In both worlds, the adversary can query any permutation in both the forward and the backward direction. The security of KAC against an adversary A is defined as the advantage of A in distinguishing these two worlds.

To prove an indistinguishability result, we follow the framework used in previous works and operate at the transcript level. Given an adversary A that interacts with either the real world or the ideal world, we collect all the queries submitted to the cipher construction or to the independent random permutation into a set Q_E, and we collect all the queries to the public random permutation π_i into a set Q_i. Then, we put the query record sets Q_E, Q_1 to Q_T and the randomly sampled master key together as the transcript τ generated by A during the interaction. After defining transcripts, the classical approach is to partition them into bad transcripts and good transcripts. For the bad-transcript analysis, our goal is to upper-bound the probability that the random transcript X_ideal is bad, where X_ideal is generated by the adversary A when interacting in the ideal world. For the good transcripts, we follow the expectation method proposed by Hoang and Tessaro and pick a function g defined over all transcripts. We need g to satisfy two requirements. First, g must be non-negative. Second, for any good transcript τ, the quantity 1 - g(τ) should provide a lower bound on the ratio of the probability of obtaining τ in the real world to the probability of obtaining τ in the ideal world.
Having g satisfy the above two requirements, we further want to pick a good g that gives an optimal upper bound on the expectation of g(X_ideal). The final bound on the adversary's advantage follows directly from summing the two upper bounds together.

Here, we also use the bad-transcript definition from previous works. Any transcript τ can be represented as a layered graph that resembles the construction of KAC. For neighboring layers inside a public permutation π_i, the vertices are connected by edges determined by the query record set Q_i, and the edges between permutations represent the generated subkeys. Now, we move on to identifying the set of transcripts that are very easy to distinguish between the real world and the ideal world. Here, we look at a pair of vertices (x, y) in Q_E, which corresponds to a recorded query from the adversary to the cipher construction. The goal is to check whether the cipher query pair (x, y) is consistent with the underlying permutation queries and the generated subkeys. We start at the cipher input vertex x and move to the rightmost reachable layer from x, giving us a path. From the corresponding cipher output vertex y, we also obtain a path by moving to y's leftmost reachable layer. If it happens that the index of the rightmost reachable layer from x is no less than the index of the leftmost reachable layer from y for some pair (x, y) in Q_E, then such a transcript is easy to distinguish between the real and the ideal world. This is because in the real world, the two paths from x and y must connect into a chain, while in the ideal world, with high probability, the two paths are disjoint, implying that a cipher query is inconsistent with the underlying permutation queries and the generated subkeys. Hence, we call such a transcript a bad transcript. Having defined what a bad transcript is, we move on to reviewing how to derive an upper bound on the probability of obtaining a bad transcript in the ideal world under the independent-subkey assumption.
For a T-round KAC, we can categorize chains into T+1 types, with each type determined by the layer index of the rightmost reachable vertex from x. The solid black arrow denotes that the corresponding subkey connects the two queried input/output tuples, between two public permutations or between a permutation and the cipher construction, while the dotted red arrow denotes the position where the path may fail to connect. We fix a pair (x, y) from the cipher query set Q_E and start from x going rightward and from y going leftward. Each time we sample a subkey edge, it has probability at most q/2^n of hitting a queried tuple of the next permutation. In this case, we have T subkey edges to traverse, and we end up with a probability of (q/2^n)^T. Taking a union bound over all pairs (x, y), we obtain the upper bound q^(T+1)/2^(nT), which matches the optimal concrete security of KAC. However, such an analysis can be performed only when the subkeys are at least T-wise independent and uniform, so we need techniques to go beyond this barrier.

The first step beyond the T-wise independence barrier was proposed by Chen et al. when they studied the two-round KAC. Here we look at the two-round KAC construction, built over two independent random permutations, with all three subkeys being identical to the n-bit master key. In the two-round KAC, there are three types of chains for a bad transcript. Here we focus on the third type, where the cipher query input x can reach the output point v_2 of the second permutation by going through the edges. We want to count how many master keys k can lead to this type of bad chain. In particular, we fix the query records Q_E, Q_1, Q_2. In this case, we say a master key k is bad if the generated subkeys connect some queried cipher input x to some queried input/output pair (u_1, v_1) of permutation π_1, and then to some (u_2, v_2) of permutation π_2.
Given that all subkeys are identical to the master key k, the condition implies that x ⊕ u_1 = v_1 ⊕ u_2. However, it is unwieldy to directly count the number of bad keys. Instead, Chen et al. considered the quantity μ that counts all tuples satisfying x ⊕ u_1 = v_1 ⊕ u_2. Here, μ serves as an upper bound on the number of bad keys, since every bad key has a corresponding tuple satisfying the equality, and this equality is exactly the sum-capture constraint on the tuples. In the quantity μ, we have up to q^3 tuples. However, given the sum-capture constraint, what we would expect is that roughly a 1/2^n fraction of the tuples satisfy the equality. If this is true, then it implies that the probability of getting a bad transcript matches the optimal security upper bound for the two-round KAC.

Our first result can be considered a direct generalization of the result by Chen et al. Here we consider a (T-1)-wise independent key schedule, where the master key can be interpreted as a vector consisting of T-1 field elements of F_{2^n}. The key schedule algorithm directly applies a matrix A to the master key vector and obtains the subkeys, which can also be viewed as a vector of T+1 field elements in F_{2^n}. The requirement we impose on the matrix A is that it must give (T-1)-wise independent and uniform subkeys; or, in other words, any T-1 rows of the matrix A form a submatrix of rank T-1. To perform the bad-transcript analysis for the (T-1)-wise linear key schedule, we can similarly define a sum-capture quantity that counts the tuples that have T subkeys involved. Here the sum-capture quantity contains query records for T-1 permutations and two additional sets, with all of them having size q. The equality constraint involves all T involved subkeys, with the coefficients c_i determined by the key schedule matrix A.
It essentially says that any subset of T-1 subkeys uniquely fixes the remaining subkey. For the defined sum-capture quantity, we show that if the coefficient vector c comes from the (T-1)-wise linear key schedule, then for moderately large q, with high probability, the quantity is upper-bounded by q^(T+1)/2^n, which implies an optimal upper bound on obtaining a bad transcript in the ideal world. The lemma is proved by Fourier analysis.

Our second result studies the (T-2)-wise key schedule, where the master key has been shortened to (T-2)n bits. The key schedule matrix A now has one fewer column, and we require A to give (T-2)-wise independent and uniform subkeys. We still have a sum-capture quantity that gets T subkeys involved; however, now we have two equality constraints. Both constraints are again determined by the key schedule matrix A. Essentially, the constraints say that any subset of T-2 subkeys uniquely fixes the remaining two subkeys. However, the proof for the two-constraint sum-capture quantity turns out to be much more involved, and we were able to prove only a sub-optimal bound consisting of two terms. Using the sum-capture quantity bound, we can derive an upper bound on the probability of obtaining a bad transcript in the ideal world. We can observe that the first term gives optimal security in q for any number of rounds T. However, the second term is the bottleneck, and it implies optimal security only when the KAC has at least eight rounds.

After performing the bad-transcript analysis for the (T-1)-wise and (T-2)-wise key schedules, what is left is the good-transcript analysis. Here we directly state the lemma that applies to both key schedules. The lemma is very similar to the one stated by Hoang and Tessaro, and the optimal bound is still maintained.
The only difference here is that the requirement on subkey dependency has been weakened from T-wise to (T-2)-wise. Finally, by putting both analyses together, we conclude optimal security for both the (T-1)-wise and the (T-2)-wise key schedules.

In conclusion, we studied the security of KAC with independent round permutations and correlated subkeys. We showed that (T-1)-wise key schedules can save 2n bits of the master key, and (T-2)-wise key schedules save 3n bits when the number of rounds T is at least eight. However, there are still many open problems in studying KAC security with reduced independence. One problem that remains open is to minimize the three-round KAC, since our (T-2)-wise key schedule tightness result does not apply to the case T = 3. Another direction is to see whether the tightness result can be extended beyond (T-2)-wise key schedules for any T. For more details, please check out our paper. And that's all for this talk. Thank you.
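The following Python example is added here and is not code from the talk or the paper. It implements a toy T-round KAC over GF(2^8) with a linear key schedule s = A·k, checks the (T-1)-wise independence condition the talk states (every T-1 rows of A have rank T-1) by Gaussian elimination over the field, and evaluates Chen et al.'s two-round sum-capture quantity μ next to the set of bad master keys it upper-bounds. The block size n = 8, the AES field polynomial, the Vandermonde-style choice of A, and the query records are assumptions or constructed inputs chosen for illustration, not values from the paper.

```python
"""Toy T-round key-alternating cipher with a linear key schedule over GF(2^n).
Added illustration, not code from the talk or the paper. Assumed here: n = 8
with the AES field polynomial, a Vandermonde-style schedule matrix A, and
small constructed query records for the sum-capture count."""
import random
from functools import reduce
from itertools import combinations
from operator import xor

N = 8                 # block size in bits (toy value; AES uses n = 128)
POLY = 0x11B          # x^8+x^4+x^3+x+1, the AES polynomial (assumption)
SIZE = 1 << N

def gf_mul(a, b):
    """Multiply in GF(2^N) modulo POLY (shift-and-add)."""
    r = 0
    for _ in range(N):
        r ^= a if b & 1 else 0
        a = (a << 1) ^ (POLY if a & (SIZE >> 1) else 0)   # reduce on overflow
        b >>= 1
    return r

def gf_inv(a):
    """Inverse of a nonzero element via a^(2^N - 2) (square-and-multiply)."""
    result, exp = 1, SIZE - 2
    while exp:
        if exp & 1:
            result = gf_mul(result, a)
        a, exp = gf_mul(a, a), exp >> 1
    return result

def gf_rank(rows):
    """Rank over GF(2^N) of a list of row vectors (Gaussian elimination)."""
    m, rank = [list(r) for r in rows], 0
    for col in range(len(m[0])):
        pivot = next((i for i in range(rank, len(m)) if m[i][col]), None)
        if pivot is None:
            continue
        m[rank], m[pivot] = m[pivot], m[rank]
        inv = gf_inv(m[rank][col])
        m[rank] = [gf_mul(inv, v) for v in m[rank]]          # pivot -> 1
        for i in range(len(m)):
            if i != rank and m[i][col]:
                m[i] = [vi ^ gf_mul(m[i][col], vr) for vi, vr in zip(m[i], m[rank])]
        rank += 1
    return rank

def is_wise_independent(A, w):
    """s = A*k (uniform k) is w-wise independent and uniform iff every w rows of A have rank w."""
    return all(gf_rank(rows) == w for rows in combinations(A, w))

def vandermonde_schedule(T):
    """(T+1) x (T-1) matrix, row i = (1, i, i^2, ..., i^(T-2)): any T-1 rows form a
    Vandermonde matrix on distinct points, so the schedule is (T-1)-wise independent."""
    rows = []
    for a in range(T + 1):
        row = [1]
        for _ in range(T - 2):
            row.append(gf_mul(row[-1], a))
        rows.append(row)
    return rows

def subkeys(A, k):
    """Key schedule: s_j = XOR_i A[j][i] * k_i, giving T+1 subkeys from T-1 field elements."""
    return [reduce(xor, map(gf_mul, row, k), 0) for row in A]

def kac_encrypt(perms, s, x):
    """y = s_T ^ pi_T( ... pi_1(x ^ s_0) ^ s_1 ... ) with T = len(perms)."""
    y = x ^ s[0]
    for j, pi in enumerate(perms, start=1):
        y = pi[y] ^ s[j]
    return y

def sum_capture(X, Q1, Q2):
    """Chen et al.'s mu: #{(x,(u1,v1),(u2,v2)) in X x Q1 x Q2 : x^u1 == v1^u2}.
    Solving for x = u1^v1^u2 and testing membership makes this O(q^2), not q^3."""
    X = set(X)
    return sum(1 for u1, v1 in Q1 for u2, _ in Q2 if u1 ^ v1 ^ u2 in X)

def bad_keys(X, Q1, Q2):
    """Two-round KAC with all subkeys equal to k: k is bad if some x in X chains through
    a recorded (u1,v1) of pi_1 into a recorded (u2,v2) of pi_2, i.e. x^k == u1 and
    v1^k == u2. Every bad key has a witnessing tuple, so len(bad_keys) <= sum_capture."""
    X = set(X)
    return {v1 ^ u2 for u1, v1 in Q1 for u2, _ in Q2 if u1 ^ v1 ^ u2 in X}

# Constructed query records (not real adversary traces): cipher inputs, and
# (input, output) pairs recorded for pi_1 and pi_2.
SAMPLE_X = [0x00, 0x01, 0x02]
SAMPLE_Q1 = [(0x10, 0x20), (0x11, 0x31), (0x12, 0x40)]
SAMPLE_Q2 = [(0x30, 0x05), (0x21, 0x06), (0x55, 0x07)]

if __name__ == "__main__":
    T, rng = 4, random.Random(1)
    A = vandermonde_schedule(T)
    perms = [rng.sample(range(SIZE), SIZE) for _ in range(T)]   # public pi_1..pi_T
    s = subkeys(A, [0x2A, 0x7F, 0x03])    # (T-1)n-bit master key -> T+1 subkeys
    print("(T-1)-wise:", is_wise_independent(A, T - 1), "E(0x42) =", hex(kac_encrypt(perms, s, 0x42)))
    print("mu =", sum_capture(SAMPLE_X, SAMPLE_Q1, SAMPLE_Q2),
          "bad keys:", sorted(bad_keys(SAMPLE_X, SAMPLE_Q1, SAMPLE_Q2)))
```

On the constructed records μ = 2 while only one master key (0x10) is actually bad, which is the slack the talk describes: μ counts every tuple satisfying the equality, so it upper-bounds the number of bad keys without necessarily equalling it. The same Vandermonde matrix is never T-wise independent, since it has only T-1 columns; that is exactly why the talk needs a bad-transcript argument that works below T-wise independence.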