Welcome to the presentation on the security of permutation-based tweakable correlation robust hashing. I'm the speaker, Yu Long Chen, and this paper was co-authored with Stefano Tessaro. Secure multiparty computation is one of the hottest topics in cryptography currently. Protocols such as OT extension schemes and garbled circuits make heavy use of symmetric-key primitives. A common denominator in those protocols is a special form of hash function. This type of hash function is often modeled as a random oracle, and is usually used to hash 128-bit strings. Therefore, a SHA-3 hash function is not really the right solution for this problem, since SHA-3 has a state size that is too large, which leads to low performance. Currently, constructions based on fixed-key AES are used to improve performance. However, the problem is that many of the existing protocols use inefficient or sometimes even insecure hash functions. Because several notions are needed for different protocols, we need to design different constructions in order to satisfy the stronger versions of these notions. Before I continue with the solution for this problem, I first want to explain why designing this type of hash function is hard. Keep in mind that what we want here is something called correlation robustness, which I'm going to explain in the next slide. So we are dealing with a hash function here. That means there is no designated secret key input. The only random part is actually XORed with the message input, and there's nothing we can change about that. That means we cannot just obtain this type of hash function by, for example, using a tweakable block cipher. This problem is, however, related to related-key security under XOR. As promised, in this slide I'm going to explain the correlation robustness security notion. In order to do that, I first need to define an attack game. So at the beginning of the game, one of the two worlds is chosen. 
The real world is on the left side and the ideal world on the right side. Here, the adversary A gets query access to a construction oracle. So A is allowed to make q construction queries, where the construction oracle in the real world uses a randomness R and is defined by the hash function H. So we can see that this hash function takes as input w XOR the randomness R. Now in the ideal world, the construction oracle is just an n-to-n-bit random function. A is also allowed to make p primitive queries to each of the primitive oracles. And after its interaction, A should state which of the two worlds it was interacting with. If A cannot do so, then we can deduce that the given construction is a good correlation robust hash function. So an example of a correlation robust hash function was proposed by Guo et al. in 2020. Their construction makes one call to the underlying permutation and is called the MMO construction. The main reason for this name is that it resembles the classical MMO compression function. So we can see that this construction achieves a typical birthday type of security. The next notion that I'm going to explain here is the circular variant of the correlation robustness notion. As before, the adversary gets q construction queries to the construction oracle. This time, in the real world, the construction query takes two inputs, where the second one is a single bit b. We can see that when b is equal to zero, we are actually back in the case of correlation robustness. And in the ideal world, the construction oracle is an (n + 1)-to-n-bit random function. As before, A is allowed to make p primitive queries to each of the primitive oracles. And after the interaction, A should state which of the two worlds it was interacting with. If A cannot do so, then we can deduce that the given construction is a good circular correlation robust hash function. 
Guo et al. also show that the previous MMO construction can be modified such that the resulting construction is also secure against the circular notion. They did it by applying a linear orthomorphism to the input before applying the hash function. So this special function, sigma, needs to satisfy the following property: both sigma(x) and sigma(x) XOR x are permutations. So we can see that by applying this sigma to the input before applying the hash function, we are able to achieve a similar birthday type of security, but this time against the circular correlation robustness notion. The last notion that I want to explain here is the tweakable circular correlation robustness notion, but I'm going to explain the notion in the multi-instance setting. So this time the adversary A makes q construction queries to u construction oracles. This means that the adversary is allowed to make an arbitrary number of construction queries per oracle, as long as the sum of the construction queries made to those u oracles together is equal to q. Each construction oracle uses its own independent randomness R_i. And we can see that each construction oracle now takes an additional input, the tweak T. So as can be seen on the slide, this tweak is actually processed inside the hash function itself. That means that we need a hash function that can handle the additional tweak. Now, in the ideal world, those u construction oracles are u independent (n + t + 1)-to-n-bit random functions. Again, the adversary A is allowed to make p primitive queries to each of the primitive oracles. And after the interaction, A should state which of the two worlds it was interacting with. If A cannot do so, then we can deduce that the given construction is a good tweakable circular correlation robust (TCCR) hash function. An example of a TCCR hash function was given by Guo et al. 
So we can see that this construction makes two calls to the underlying permutation, and it is called the TMMO construction, the tweakable MMO. We see that the construction achieves the same security bounds as the MMO construction before. But because there is one additional tweak input, one extra permutation call is needed in order to handle this tweak input and to achieve the same amount of security as before. However, unfortunately, in follow-up work by the same authors, they show that the TMMO construction doesn't provide enough security when the multi-user setting is considered. In the same work, they propose the following construction, which makes just one call to the underlying ideal cipher. Here, the tweak input serves as the key of the ideal cipher. Hence, the following security bound is achieved. We can see that the security bound depends on a factor b, and b is equal to the number of construction queries per tweak. This number is usually very small in the case of OT extension schemes or garbled circuits. This improvement of the security bound makes the construction suitable for the multi-user setting. However, the problem is that this construction makes a very strong assumption, namely that the underlying block cipher is an ideal cipher. So as explained before, different notions are needed for different protocols and different applications. For example, the general correlation robustness notion is used to prove the security of OT extension protocols. The circular notion is needed to prove the security of the free-XOR technique. And the tweakable notion is used for the malicious setting of OT extension protocols. In this work, we also want to treat the concrete security of OT extension directly, for the first time. And as already shown by Guo et al., by using symmetric-key building blocks we can get a huge performance improvement, which is significant in practice and has a significant impact on the efficiency of MPC. 
I still want to say something about the security of a two-party computation protocol. So a typical two-party hybrid protocol has access to a functionality with three interfaces: a sender S, a receiver R, and an adversary A. We require that at least one of the two parties is uncorrupted. So as before, in the real world the adversary just runs the protocol. Now in the ideal world, it interacts with a simulator S. After the interaction, A should state which of the two worlds it was in. If it cannot do so, then we can deduce that the given protocol is a secure protocol. In our work, we also provide a special OT protocol. The main reason for this is that the hash function designed in this work is only secure for distinct message inputs, at least in the basic case. I will show in one of the following slides that the hash function can also be applied to arbitrary message inputs. But keeping this case in mind, we first want to solve this problem by applying the hash function only to distinct message inputs. Therefore, we present this protocol. So the protocol on this slide is for the corrupted receiver, where in the initial phase the sender samples m pairs of messages while the receiver samples m x-values. I'm not going to explain the protocol in detail, but you can see that here the b-values are generated for the receiver, while based on these b-values we generate the a-values for the sender. The most important thing about this protocol is how the ciphertexts c are generated. So you can see that the ciphertext is equal to the XOR of the plaintext with a special evaluation of the hash function. As we mentioned before, the TCCR hash function is only secure for distinct message inputs. So we solve this problem by using a universal hash function: by using the outputs of the universal hash function as the message inputs of the TCCR hash function, we are able to solve this distinct-input message problem. 
So let's talk a little bit about the security of the protocol. As already mentioned, we focus only on sender security, which is the case of the corrupted receiver, and we restrict ourselves to security in the ideal model. And we can show that the only difference between the real and the ideal world is how these ciphertexts are generated. So in the real world, this is the XOR of the message with the special evaluation of the TCCR hash function. Now in the ideal world, it is just a uniformly random bit string. So we can show that the sender security can be bounded by the TCCR security of the hash function plus a term of q squared times epsilon. In order to satisfy this security, we need to fix a purely random set of tweaks of size n, and hence to choose a universal hash function with a very small epsilon, for example epsilon equal to 1 over 2 to the power n. In that case, the sender security is dominated by the term square root of m times p over 2 to the power n. Now finally to the constructions. So in this work, our main goal is to design hash functions that beat all previous state-of-the-art constructions, both in terms of efficiency and security. We can do that by using public permutations and finite field multiplications. The main reason that we use permutations is that public permutations are much simpler objects than block ciphers. That means the assumption that the underlying permutation is ideal is weaker than the assumption that the underlying block cipher is ideal. Our first contribution, actually our first construction, is the following one-call construction. This construction looks very similar to the MMO construction. Whereas the MMO construction is insecure in the case of the tweakable circular correlation robustness notion, our construction does provide the typical birthday type of security against the TCCR notion. The main reason is that instead of using the input message directly, we use the message multiplied with the tweak T. 
By this small modification, our construction improves on the previous TMMO construction, which is based on two permutation calls. Here we just need one permutation call and one finite field multiplication. I still want to say something about the security bound achieved here. We can see that the first term depends on pq, while the second term only depends on q. The first term can be seen as the probability of a collision between a construction query and a primitive query of the following form. The second, q squared, term is the probability that a collision happens between two construction queries of the following form. Finally, we come to the main contribution of this work, our two-call construction, the feed-forward permutation-permutation construction, also called the FPDP construction. As you can see, this construction looks very similar to the TMMO construction from before. The difference is that TMMO feeds forward the output of the first permutation, while here we feed forward the input. We can see that this small modification leads to a big improvement in the security bound. The second term doesn't really change much, but the first term is improved by a factor of square root of q. Here, the factor b is again the number of construction queries per tweak, which is a very small number for OT extension and garbled circuits. In order to achieve this security, we need to choose the tweaks from a nice combinatorial subset, for example a random subset, as mentioned in the case of the OT extension protocol that we provide. We prove the security for distinct and uniform input messages, but even in the case of arbitrary input messages we are able to get the same amount of security, as long as we replace the input M by the multiplication of the input with the tweak. So by introducing one additional XOR and multiplication, this construction achieves the same security bound for arbitrary input messages. 
So we prove the security both for two independent permutations, that is, for the case where pi1 is independent of pi2, and for the case where pi1 is equal to pi2. For both cases, the construction achieves the security bound shown on this slide. Because of this improvement of square root of q in the first term, the construction is sufficient for the multi-user setting. The main reason is that p is usually a very large number, so the first term will usually be the dominant term, and the improvement of square root of q in that term makes it sufficient for multi-user security. I also want to say something about the technical overview of this construction, so how we can get those security bounds. Instead of looking at how we prove the security, it is better to see how we can break the construction. So this construction can be broken when we can find this type of chain, which is a relation between a construction query, a primitive query to the first permutation and a primitive query to the same permutation that satisfies the following two equations. The construction can also be broken if we can find this type of double chain, which is again a relation between a construction query, a primitive query to the first permutation and a primitive query to the second permutation that satisfies the following two equations. We can also break the construction by finding one of this type of merging chains, which can be seen as a relation between two construction queries and two primitive queries to the first permutation that satisfies the following three equations. The probability that the first two types of chains happen can be bounded by sum-capture theorems, which were presented in previous work. And the probability that the merging chain happens can be bounded by a new type of balls-into-bins lemma, which is presented in this work. 
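To make the constructions described above concrete, here is an added example written for this transcript; it is not code from the paper or its authors. It implements, as I read the talk, the MMO hash, the one-call construction with the message multiplied by the tweak, the TMMO construction (feeding forward the first permutation output), the FPDP construction (feeding forward the input), and the OT ciphertext from the protocol slides, in which a universal hash of the receiver's x-value is fed into the TCCR hash. The exact wiring of each construction, the field GF(2^128) with the polynomial x^128 + x^7 + x^2 + x + 1, the universal hash k * x in that field (an epsilon = 2^-n universal hash, matching the epsilon mentioned in the talk) and the toy SHA-256-based Feistel permutation are all assumptions made for the example; a real deployment would use a fixed-key AES permutation.

```python
import hashlib

N_BITS = 128
MASK = (1 << N_BITS) - 1
HALF_MASK = (1 << 64) - 1
GF_POLY = 0x87  # reduction polynomial x^128 + x^7 + x^2 + x + 1 (assumed choice)


def gf_mul(a: int, b: int) -> int:
    """Multiplication in GF(2^128), polynomial basis, bit-by-bit shift-and-add."""
    r = 0
    for _ in range(N_BITS):
        if b & 1:
            r ^= a
        b >>= 1
        carry = a >> (N_BITS - 1)
        a = (a << 1) & MASK
        if carry:
            a ^= GF_POLY
    return r


class FeistelPermutation:
    """Toy public 128-bit permutation: balanced Feistel with a SHA-256 round
    function (assumed stand-in for a fixed-key block cipher). Inverse is exposed
    because the adversary in the CR games may query pi^-1 as well as pi."""

    def __init__(self, label: bytes, rounds: int = 8):
        self.label = label
        self.rounds = rounds

    def _f(self, i: int, half: int) -> int:
        data = self.label + bytes([i]) + half.to_bytes(8, "big")
        return int.from_bytes(hashlib.sha256(data).digest()[:8], "big")

    def forward(self, x: int) -> int:
        l, r = x >> 64, x & HALF_MASK
        for i in range(self.rounds):
            l, r = r, l ^ self._f(i, r)
        return (l << 64) | r

    def inverse(self, y: int) -> int:
        l, r = y >> 64, y & HALF_MASK
        for i in reversed(range(self.rounds)):
            l, r = r ^ self._f(i, l), l
        return (l << 64) | r


def mmo(pi: FeistelPermutation, R: int, w: int) -> int:
    """One-call MMO hash: pi(w xor R) xor (w xor R). No tweak input."""
    x = w ^ R
    return pi.forward(x) ^ x


def one_call_tccr(pi: FeistelPermutation, R: int, T: int, M: int) -> int:
    """One-call tweakable construction: the message is multiplied by the tweak
    before the MMO-style evaluation (assumed reading of the talk)."""
    x = gf_mul(M, T) ^ R
    return pi.forward(x) ^ x


def tmmo(pi: FeistelPermutation, R: int, T: int, M: int) -> int:
    """Two-call TMMO: the OUTPUT of the first permutation is fed forward."""
    y = pi.forward(M ^ R)
    return pi.forward(y ^ T) ^ y


def fpdp(pi1: FeistelPermutation, pi2: FeistelPermutation, R: int, T: int,
         M: int, multiply_by_tweak: bool = False) -> int:
    """Two-call FPDP: the INPUT x is fed forward around both permutations.
    multiply_by_tweak=True is the variant for arbitrary (non-distinct) messages,
    where M is replaced by M * T before the XOR with R. pi1 may equal pi2."""
    x = (gf_mul(M, T) if multiply_by_tweak else M) ^ R
    return pi2.forward(pi1.forward(x) ^ T) ^ x


def universal_hash(k: int, x: int) -> int:
    """k * x in GF(2^128): distinct x collide only if k = 0, so epsilon = 2^-128."""
    return gf_mul(k, x)


def encrypt_ot_message(pi1, pi2, R: int, T: int, uh_key: int, x: int, m: int) -> int:
    """OT ciphertext as described on the protocol slide: plaintext XOR the TCCR
    hash evaluated on the universal hash of the receiver's x-value."""
    return m ^ fpdp(pi1, pi2, R, T, universal_hash(uh_key, x))


if __name__ == "__main__":
    pi1, pi2 = FeistelPermutation(b"pi1"), FeistelPermutation(b"pi2")
    R, T, m, x, k = 0x0123456789ABCDEF0011223344556677, 0x2A, 0x5555, 99, 7
    c = encrypt_ot_message(pi1, pi2, R, T, k, x, m)
    print(hex(c), c ^ fpdp(pi1, pi2, R, T, universal_hash(k, x)) == m)
```

Two points worth observing when running this: with the multiplied-message constructions, a tweak of zero erases the message entirely (M * 0 = 0), so the tweak set must exclude zero, which is one reason the talk insists on choosing tweaks from a suitable subset; and FPDP with `pi1 is pi2` is the single-permutation case whose security the talk says is proven separately.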
So finally, to conclude: in this work we provide several new results. We present a concrete security treatment of oblivious transfer extension schemes. We also present a one-call TCCR hash function that achieves the typical birthday type of security. We also present a two-call TCCR construction called FPDP, which is our main contribution and which improves the first term of the typical birthday-type security bound by a factor of square root of q. For future research, it will be interesting to look at whether we can improve the second term in the FPDP security bound, for example by improving this term to something like q to the power three divided by 2 to the power 2n. It will also be interesting to try to formalize the notion of the tweak sets used in the FPDP construction. And one extra direction for future work is to extend the FPDP construction to multiple rounds and see how the security increases with the number of rounds. So this is the end of my presentation. I want to thank you for your attention.