 Today, I'll be talking about new results about reset and differentiability to motivate things, consider the following. Bob goes to Alice saying, look at my great new hash function. Alice is skeptical, as any cryptographer would be. She therefore asked Bob to prove security under a widely believed mathematical assumption, the gold standard of modern cryptography. Bob points out that for much of practical symmetric crypto, the community does not have such proofs, and in particular we don't have any proofs for the Shaw family of hash functions. Alice therefore acquiesces and decides to look at Bob's construction. Let's say that Bob's hash function starts out by building some complex permutation P, and then truncates the output to get a hash function. Alice agrees with Bob that P itself seems like a pretty good permutation. But she points out that the resulting hash function is trivially insecure nevertheless. Basically you can invert the hash function on any output, just by arbitrarily selecting the values for the discarded bits, and then inverting P. This violates one-wayness and also allows for finding collisions. All right, so Bob goes back to the drawing board. Bob proposes first padding the input with several zeros, applying the permutation, and then truncating the output. Now Alice can't find any issues with the hash function. She's willing to accept that P is a fantastic permutation, but still wants to be sure that she didn't just miss some trivial tack on the resulting hash function, so she asked Bob to prove that there's no such trivial tax. And so what Bob does is proposing to use the concept of indifferenceability. So what is indifferenceability? Proposed by Maurer, Renner, and Hollenstein, it's a strengthening of indistinguishability, which is used when trying to build one idealized object from another. In our case, we are willing to accept that P is a good permutation, so we are going to model it as a truly random permutation and its inverse, which is also called an ideal cipher. Our goal is to justify that the resulting instruction, which we will call C, is in some sense as good as an ideal hash function, which are often called random oracles. Indifferenceability is a way to formalize this goal of justifying a construction is as good as a random oracle. Indifferenceability is defined by the picture here. The adversary is given two interfaces. One corresponds to the building block in our case an ideal permutation inverse depict here. The second corresponds to the desired object we're trying to construct in our case a hash function, which is depicted on the bottom here. Indifferenceability then defines two worlds, real and ideal. The real is depicted on the left, where the building block oracle is the ideal cipher and the hash function is set to be the construction, which makes queries to the building block. The real world is given on the right, where the hash function is set to be a truly random oracle. And queries to the cipher are answered via a simulator, which can make queries to the random oracle in order to help it answer the queries. Importantly for this talk, the simulator will be allowed to keep state between the queries. It requires that for every adversary, there exists a simulator that causes these two worlds to be indistinguishable. So indifferenceability can be seen as a form of universal composability for idealized objects, and indeed, now or at all show that indifferenceability composes well. We can construct one indifferenceable object from another indifferenceable object, the final object is affected indifferenceable. And they also show that indifferenceability implies security for what are called single stage games. These are games making up the most of cartography where a single adversary interacts with the challenger. And people call this result the MRH composition theorem. Because of these nice properties of indifferenceability, and because many hash functions are built from lower level building blocks. Proof of indifferenceability have become a popular way to justify that a new construction at least doesn't have trivial attacks, and many popular constructions have indifferenceability proofs, such as Merkel Damguard and the sponge construction. But that I will discuss in a moment in indifferenceability proof shows that the hash function might as well be treated as a random oracle provided we are willing to treat the underlying building block as an ideal object. So what this work is about is exploring a strengthening of indifferenceability called reset indifferenceability, which is needed to overcome a significant limitation in plain indifferenceability. And concretely, as observed by wrist and part shot some and tripped in indifferenceability is insufficient for what are called multi stage games. These are games where they're actually two or more different adversaries, each interacting with the challenger. Importantly, the adversaries are not allowed arbitrary communication between them. Maybe they're fully isolated or perhaps a minimal communication is allowed. Examples of games that are multi stage include deterministic encryption, key dependent message security, leakage resilience and others. As risk and part at all observe the fact that the plane indifferenceability simulator is a lot is allowed state causes problems for indifferenceability and multi stage setting. Since both adversaries will clear the same simulator. And that simulator is keeping states between its queries, the state of the simulator breaks the isolation between the adversaries. And what this means is that the MRH composition theorem actually fails for multi stage games. To remedy this issue, wrist and part at all propose a notion called reset indifferenceability. And this is exactly identical to plane indifferenceability except that the simulator now is required to be stateless. They then prove what I'll call it the RSS composition theorem showing that reset indifferenceability composes an imply security for general potentially multi stage games. The reason that this characterization is tight, namely that if you don't have reset indifferenceability, then there must exist some game where security fails. Unfortunately, reset indifferenceability itself has a major limitation with some part at all proven impossibility which is later refined and strengthened by several follow up works showing that domain extension is impossible under reset indifferenceability. And this is just taking any small domain ideal objects like a small random oracle and constructing a large domain objects such as a as a big random oracle or even a random oracle with an unbounded domain, which is what you would do with Merkle Damguard or the sponge construction. So what this shows is that Merkle Damguard on the sponge construction for long messages actually can't be reset indifferenceable, which is in contrast to the plane indifferenceability setting where we have such proofs. Now the strong impossibility seems to have basically led to indifference to reset indifferenceability being abandoned and there have been a few subsequent works in the area. So the starting point for this work is two observations. First, we observe that domain extension is not always necessary. For example, sometimes we use random oracles for deriving the coins for a public encryption scheme. As an example, consider building CCA secure encryption using the Fujisaki Okamoto transform, or building deterministic encryption from general public key encryption. The terministic encryption example is more relevant to us since it's a multi-stage game and we need and therefore need reset indifferenceability. If our messages are a fixed size, then we actually don't necessarily care about domain extension as long as the building block we're starting from has a sufficiently large domain. So for example, if we are building our hash function from a random permutation, say using the sponge construction, we might be interested in the reset indifferenceability for very small messages. Secondly, we observe that basically nothing is known about reset indifferenceability beyond the impossibilities. Prior work didn't even establish the possibility of domain shrinkage, building a small random oracle from a big one. This might seem crazy because it seems intuitively obvious that we should be able to just pad the input to get a smaller domain. But it was not clear that this was possible. And in fact, some work has even demonstrated some barriers to doing this and has left it as an explicit open problem. Another question is whether we can build small random oracles from ideal ciphers. In particular, is the sponge construction for sufficiently small messages reset indifferenceability. This wouldn't contradict the domain extension impossibility since the domain remains small. And finally, what about the other direction can we build ideal ciphers from random oracles. This finally leads us to our work where we give several new results for reset indifferenceability. First, we try to shed more light on what can be ascertained from the techniques of prior work. And concretely, we show that the prior possibility is actually extraordinarily strong. The impossibility for domain extension actually holds even if you let the simulator have an unbounded number of queries. On the other hand, we prove a general theorem showing how to achieve indifferenceability for unbounded simulators for a variety of tasks, including domain shrinkage ideal ciphers random oracles. Sorry, ideal ciphers for random oracles and vice versa. And indifferenceability with an unbounded simulator is rather useless on its own. The unbounded simulator would would break pretty much any application. But what these two results together shows that domain extension is really quite different from other natural goals you might want to achieve. So there, the impossibility of domain extension really doesn't seem to apply elsewhere, and there may be hope as hope of achieving these other tasks. Or alternatively, if we wanted to actually prove these tasks impossible, it would seem to require branding ideas. Next, we move on to our actual meaningful results. First, we prove that domain shrinkage is in fact possible to reset indifferenceability using the obvious padding construction, the difficulty is going to be in actually proving that this works. Then we investigate the natural approach to building a random oracle from a random permutation by padding the input and truncating the output. This can also be seen as the sponge construction for a single message block. We show that as long as the input and output size of the derived hash function satisfy a certain constraint that this actually does give a reset indifferenceable hash function. So what are the, what is the constraint. Basically we need that the input size of the hash function plus the output size of the hash function can't exceed the block size of the ideal cipher. Now, you may look at this restriction on the input and output size and it may seem unexpected, but we show that this is actually the right answer and it's actually inherent for this particular construction. If we have the sum of input and output size exceed the block size of the permutation, then there's actually an explicit attack breaking the reset indifferenceability of the construction. Now note that this is in contrast to the plain indifference ability setting, where the padding and truncating just need to each be independently larger than the security parameter. We show that all of our results lift the quantum setting for the purposes of this talk I won't discuss this too much, but basically stateful simulation techniques are particularly challenging in the quantum setting where a stateless simulation is much easier though still often non trivial. So reset indifference ability is particularly amenable to lifting the quantum. The point is that even if you don't care about reset indifference ability and all you care about is plain indifference ability. In the quantum setting it was previously open to construct a random oracle from an ideal cipher in the quantum setting. What this work shows is that by going through reset indifference ability we actually are able to achieve such a result, and in a way that is pretty accessible without knowing too much about quantum, because all of our results lift straightforwardly to the quantum setting. I'll note that there's a concurrent and independent work that also proves that ideal ciphers imply random oracles in the quantum setting, and in particular this work proves the quantum indifference ability of the full sponge construction, however the work uses completely different more sophisticated quantum techniques. So due to lack of time I won't talk about all the results, but I want to discuss what could be seen as the main results which is building a reset indifference oracle from an ideal cipher. And in order to motivate our proof, I'll actually give the lower bound, since it'll actually sort of hint at our solution. So suppose we are trying to build a random oracle from an ideal cipher by padding the input and truncating the output, and suppose the input size and output size sum together to be more than the block length. Our goal is to show that this is not reset indifference ability. The way we do this is we actually just give an explicit adversary, which is pretty simple. The adversary first queries the hash function. The hash function oracle on a random input x. Here I'm depicting what happens in the real world where the hash function is instantiated with the ideal cipher. In response to x, the adversary gets a value called the product. The adversary also queries the permutation oracle on input x concatenated with zero, getting a string in response that we will parse as w concatenated with Z. And only it takes this w concatenated queries the p inverse oracle to get what we will call x prime cat y prime. The adversary then just simply checks that w equals w prime x equals x prime and y prime equals zero outputting one, if and only if all of these checks pass and otherwise up with zero. It will probably be clear that in the real world depicted here, the all of the checks will pass. And so the probability that the adversary outputs one is one. So to give just a little intuition for what the adversary is doing, basically the checks for x equals x prime and y prime equals zero are just needed to make sure that p and p inverse are indeed inverses of each other. Any simulator when we move to the ideal world isn't cheating us by setting a permutation oracle to be something trivial. And then the check that w equals w prime is just to make sure that the hash function oracle and the permutation oracle are consistent with each other. Okay, so why does the adversary break reset and differentiability. Well, let's consider moving to the ideal world where the hash function is a random oracle and the permutation oracles are being simulated by the simulator. Since we are in the reset in differentiability setting the two queries of the permutation oracle and its inverse are answered independently. And I'll call the algorithms that are used to answer them SIMP and SIMP inverse. The first thing to notice is that SIMP inverse is given w and must produce x, but w is a random oracle output and access the corresponding preimage. So it seems that SIMP inverse must be inverting h on w remember all that simply and simply inverse can do is query the oracle age. And since SIM must be query efficient. This would violate the known one wayness of random oracles. Now this doesn't quite work as a proof the sense SIMP inverse is also given the Z as an input, and Z could be side information which helps it invert h. Remember after all that Z was produced by SIMP. And simply actually got x as an input. And in fact depend on x. Therefore in order to justify that there's a problem, and that this attack actually works and need to be more careful. So to finish the proof. Basically what we're going to do is use SIMP inverse to construct an inverter for the random oracle h. And then just guess as a random Z and runs SIMP inverse forwarding all queries to age. Finally it outputs whatever SIMP inverse outputs. If Z is the correct value that would have been outputted by SIMP. And then we know that SIMP inverse must succeed. As in we know that x prime must equal x because this happens in the real world with probability one, it must therefore also happen in the ideal world. Condition on Z being correct. The Z is just random the probability it is correct is just one over the number of Z's, and that is equal to one half raised to the size of the block minus the size of the output. On the other hand we can bound the probability of success by the known one wayness of random oracles for any algorithm making Q queries, combining these together then gives us a lower bound on the number of queries. shown here. Notice that if the input and output sizes, some to somewhat larger than the block size, this quantity will be exponential implying an inefficient simulator, and therefore contradicting and differentiability. This gives a theorem. Now let's turn to our positive result. And the negative result actually strongly hints at how to prove reset indifference building in this case. Basically, the, the reason that the negative result didn't extend to all input and output sizes is because this Z value could encode information about X. So, to turn this into a positive result that's exactly what we're going to do. So we're going to have SMP have access to a, we're going to pretend for the moment that SMP has access to an ideal permutations inverse which will denote I and I inverse. Now, importantly, while this is going to actually be shared between P and P inverse SMP and SMP inverse. It's immutable and it cannot be used to store state adaptively. So what is SMP going to do, it's going to set P to be I of X, and it'll set the, this, the W value to be H of X, which it actually just gets by carrying the random article. And then the inverse then which also we're going to pretend knows I and I inverse just uses I to decode what what access and output X without having to break any one wayness of the random oracle. Now there are some lingering issues here. The most obvious problem is how to actually simulate I without having any state at all. You know, at least it's not sort of adaptive states, but it is still states and we can't have any state if we're going to do reset a different ability. And basically we show how to overcome this issue by using the randomness and H itself in order to simulate the random permutation and its inverse. And this requires care in order to make sure that I and I, I, I inverse and H, don't share any correlations that could be detected by the adversary. The other issue is, well, we basically only explained how to handle the queries made by our particular tack, we need to handle queries for all attacks. And in particular, we need to define what SMP does on inputs that don't have the form x and cat zero. And we show how to do this by additionally having more ideal ciphers and their inverses that SMP and SMP inverse have access to. So this concludes the overview of our work. And I briefly wanted to discuss some open questions. The main open question is that we were unable to answer whether you can build a recent indifferential ideal cipher from a random or if you could do this and this would prove the equivalence of ideal ciphers and small domain random intervals, somewhat mirroring what's known in the plane and differentiability setting. Another interesting question is whether there is a way to more efficiently construct a random oracle from an ideal cipher. Our the pattern truncate construction we use will lose much of the domain of the ideal cipher in order to achieve reset indifferentiality. And while we prove this is inherent to the particular construction maybe there's a better construction out there that doesn't suffer from such a limitation. The final question is to explore other indifferentiality results which don't involve domain extension, and see if they can be proved in the reset indifferentiality setting. As this one example would be indifferential encryption, both in the secret key and public key setting, which I've been explored in a couple recent works. With that, I conclude my talk. Thank you for listening.