Can you hear me all right? Yeah, I think it's on. Yeah, I have the pleasure to talk to you about PRF-ODH today. That's a relatively new assumption, and we did a systematic study of this assumption. This is joint work with Marc Fischlin, Felix Günther and Christian Janson. So PRF-ODH is short for pseudorandom function oracle Diffie-Hellman, and as was already mentioned, PRF-ODH is also a variant of the ODH assumption, which was introduced back in 2001 by Abdalla, Bellare and Rogaway. And PRF-ODH appears naturally in the context of Diffie-Hellman-based key exchanges, as we will see in a bit, and it was first introduced in 2012, here at Crypto actually, in the TLS 1.2 security analysis by Jager et al. And since then it has been frequently used in different analyses of key exchange protocols.

Let's dive right into it. So what is this PRF-ODH? So informally, PRF-ODH guarantees that an adversary cannot distinguish a PRF that is keyed with a Diffie-Hellman value from random, even if the adversary knows the Diffie-Hellman shares that went into the key as well as PRF values under related Diffie-Hellman keys. So more precisely, the adversary is asked to distinguish the PRF that is keyed with some g^uv from random, even if it knows g, g^u, g^v and it learns related PRF values under related Diffie-Hellman keys. And this learning of PRF values is modeled by these ODH oracles. So for example, the adversary may query the O_u oracle on some tuple (S, x') and will then receive the PRF keyed under S^u and with label x', and the O_v oracle works just the same, except that the key then is not S^u but S^v. So this models the learning of the related PRF values.

We did a first systematic study of this assumption because, although it's been used quite a bit, there were some open questions. We will see that actually there's been a bunch of PRF-ODH assumptions around, and we established the relationships between those assumptions. Then we asked ourselves the question whether this PRF-ODH actually relates to some more well-studied Diffie-Hellman assumption that we know of, and we answered this question by giving instantiations of PRF-ODH. And our third result is in providing an impossibility result, and basically our impossibility result says that PRF-ODH is most likely not a standard model assumption. And this is especially interesting because initially PRF-ODH was introduced, or was considered, to be standard model, as there is no immediate reference to a random oracle in the definition, and our impossibility result now states that this is most likely not the case.

But before we come to our contributions, I would like to show you how PRF-ODH comes up in Diffie-Hellman-based key exchange. So let's look at a simplified execution of a Diffie-Hellman-based key exchange. We have our server Bob here, and Bob holds a, say, static key g^v. So g^v is Bob's public key and v is the corresponding secret key, and static means that it's a long-term key, so Bob will reuse this key whenever he is talking to clients. So for example, Alice could initiate a key exchange with Bob and send over her public key g^u, will receive g^v from Bob, and then they both derive a session key by first computing the shared Diffie-Hellman value, so g^uv, and then keying a PRF F with this on some label x, which may for example be the transcript of the key exchange or something like that. Okay, and then they have a session key which they can use to encrypt communications. But nothing hinders our adversary from doing the same, right? So our adversary also initiates a key exchange with Bob and derives a k' value which is keyed with g^wv. Now traditional key exchange security asks our adversary to distinguish some session key, say this one, from random. However, we're in the setting where there are related PRF values around, related in the sense that the key that goes into the PRF has a common Diffie-Hellman share with our so-called tested session key, so this k over here. As it turns out, just assuming DDH and PRF security is not enough in this setting, but we find ourselves in the setting of PRF-ODH: our adversary is asked to distinguish a PRF value that is keyed with a Diffie-Hellman value while knowing the Diffie-Hellman shares that went into the computation as well as related PRF values. So this is exactly PRF-ODH as we've seen it before.

Now I already indicated that there are different variants of the PRF-ODH assumption out there, and this is due to the fact that these key shares have a kind of lifespan. So they may be ephemeral, that means whenever a session is initiated this value is generated freshly; or they may be semi-static, that's kind of a medium-lived notion where these keys are reused in a smaller number of sessions; or they're static or long-term and hence used in a large number of sessions. And these lifespans then directly determine how many related values the adversary can learn. So let's look at this in a bit more detail with our example. So we had our key exchange between Alice and Bob, and the resulting session key is supposed to be distinguished by the adversary from random. For the sake of the argument right now, let's assume that both Alice and Bob have static keys, so they reuse these keys whenever they're talking to other parties. So the situation is something like this, right? So on the one side we have the values where Alice is talking to someone and she always uses g^u, and on the other side we have the situation where someone is talking to Bob and Bob always uses g^v. So on both sides we have related PRF values. Yeah, so this is the situation that can come up very easily, and when we talk about the PRF-ODH assumption we model the situation by giving the adversary access to these ODH oracles, so the O_u oracle for the g^u case and the O_v oracle for the g^v case, right? So this models the situation that the adversary can learn these related keys.

Okay, so there are different handshake modes in key exchange, that means the combination of secrets is different across key exchanges. For example, they may combine an ephemeral with a static key or they might combine two ephemeral keys. So we have different variants that appear in the literature depending on which handshake mode they analyzed, and in the literature they all just called them PRF-ODH. And we thought, okay, we kind of want to give a unified definition to capture all these notions, and this notion we termed lr-PRF-ODH, where the l indicates how many queries can be made to the left oracle, which was in our case the O_u oracle, and the r indicates how many queries can be made to the right oracle, which was the O_v oracle. And l and r may take one of three values: either n, which means no queries allowed, so the adversary may learn no related values; s, which means a single query is allowed; and m, which means multiple queries are allowed, where multiple is to be understood as polynomial in the security parameter. So we have this unified notion of lr-PRF-ODH, and if one writes down all the possible combinations of l and r taking either n, s or m, one ends up with these nine different notions. For your navigation we color-coded them.

So here, these notions here in blue, these are the ones where the right oracle is set to n, so there are no queries to the right oracle but queries to the left oracle, so they are one-sided in this notation. And here in yellow we have the ones where only the right oracle may be queried but not the left oracle, and if you mix up blue and yellow you end up with green, and these notions are the ones where both oracles are involved. And up there we have nn-PRF-ODH in orange, which means no query to either oracle is allowed for the adversary. In the literature we've seen only a subpart of this, so these four notions down here. For example, sn-PRF-ODH here was used, so single query to the left oracle, no query to the right oracle, is used when analyzing ephemeral Diffie-Hellman handshakes; both in TLS 1.2 and 1.3 it was used. And if you go down you have mn-PRF-ODH, this is then for static Diffie-Hellman, and also if you analyze... we had some analysis on low-latency key exchange modes, and then you have these kinds where both oracles are in there. So let's look at some examples, one from each level, kind of, and start with sn-PRF-ODH to really get a feel for the definition. So sn-PRF-ODH: single query to the O_u oracle, no query to the O_v oracle. In our key exchange the situation is like this: so we have the session which is supposed to be distinguished, and the adversary learns a single related value. Then mn-PRF-ODH means the adversary learns multiple related values, which we indicate by this arrow here, so this oracle may then be queried multiple times. And if we go to mm-PRF-ODH, actually this is the situation that we've had before, that we have static keys on both sides, so the adversary may learn multiple values from both oracles, right? So we have all these different notions right here, but what are the relations like?

We started off with the trivial implications. So nothing really interesting is here; you simply establish these by restricting the adversary's capabilities in querying the oracles. So for example, if you want to go from mn-PRF-ODH to sn-PRF-ODH, you simply restrict the adversary by not allowing multiple queries to the left oracle but just a single one. So nothing really interesting is happening here. But the question is which of these implications is strict, so which of these notions is strictly stronger than other notions, and for this we were giving separations. Some of the separations we were able to achieve in the standard model, for some we had to rely on the random oracle model. Let's just have a brief look. These are the standard model separations that we were able to achieve, so they're kind of up in the upper part of the picture, and these are the two separations where we had to rely on the random oracle model. And although for some of you it might have been late yesterday, I'm sure you spot, like, I can't hide from you that this picture doesn't look complete, and it isn't, because actually for these two implications here we were not able to give separations. And you might wonder about that, as it looks pretty symmetrical all over. This is because I was hiding something in the definition of PRF-ODH. So we didn't discuss in detail what it looks like, and actually there's an asymmetry in the definition of PRF-ODH: one of the oracles, the left oracle, is given to the adversary at the outset of the game, while the other one is only received with the challenge. And this asymmetry we also have here in our separations, and we were not able yet in this case to achieve the separation, also because a PRF is kind of a memoryless thing, so we would have somehow to find a way to encode information in the PRF that one oracle could exploit but the other one could not. So all other implications are strict except for these two, where we don't know yet whether they are strict.

All right, so let's get to the instantiations. PRF-ODH seems like a strange thing, but somehow it's a Diffie-Hellman assumption, and we wondered how we can instantiate PRF-ODH from more well-known assumptions that we know. And actually in the case of nn-PRF-ODH, so up here where you have no query to either oracle, we were able to instantiate that one in the standard model from DDH and just usual PRF security in a group G. On the other end of the spectrum, we were able to instantiate it from strong Diffie-Hellman in the programmable random oracle model. What do I mean by instantiate, just to make it clear? So if you take a function, for example for the nn-PRF-ODH case, that is PRF secure, and the DDH assumption also holds in the group, then we showed that this F is also nn-PRF-ODH secure, and this is similar for the mn-PRF-ODH instantiation.

This kind of brings us naturally to our impossibility result, which is the last result I want to talk to you about today. We see that up here we have a standard model instantiation, while down here we're in the programmable random oracle model, and our impossibility result now shows that as soon as you give the adversary just a single access to one of the oracles, you will no longer have a standard model algebraic black-box reduction. So as soon as we go from nn-PRF-ODH to sn- or ns-PRF-ODH, we no longer have standard model algebraic black-box reductions. More precisely, the theorem states that if we assume the decisional square Diffie-Hellman problem to be hard, which means to distinguish g^(a^2) from g^b for random a, b given g^a, we assume this to be hard, then we showed that there exists no efficient algebraic black-box reduction from the weakest one-sided PRF-ODH assumption to a DDH-augmented problem. There's something to explain here. So algebraic reductions: most reductions that we know are algebraic; that just means that the reduction knows the representation of group elements and it makes use of them. And DDH-augmented problems are a very wide and general class of cryptographic problems where the adversary is either asked to solve DDH or some abstract and independent hard cryptographic problem, and the adversary can decide on the fly whether it wants to solve DDH or this instance of a general cryptographic problem that it was handed.

This impossibility... so maybe you've noticed I've always said, like, PRF-ODH is likely not to be a standard model assumption. This is because we have restrictions in our impossibility result. So the first restriction, which may allow to bypass the result, is that the decisional square Diffie-Hellman problem is hard. We know that the computational square Diffie-Hellman problem is equivalent to CDH, but it is not clear whether the decisional version follows from DDH. So this is one restriction, and the other one is on the black-box reduction to be algebraic. So the impossibility result may be bypassed, but this is rather challenging to do.

And with that I'd like to summarize what we've learned today. So I hope you've seen that PRF-ODH appears naturally in Diffie-Hellman-based key exchange, and we did a systematic study of this assumption, where we gave a unified definition and then established relations between the different variants, and we gave instantiations of PRF-ODH. Our impossibility result then gave a strong indication that PRF-ODH is not a standard model assumption, somewhat contradicting what we've been thinking before. However, for everyone who's working on key exchange security, I believe, or we believe, PRF-ODH to be very useful because it gets you to simpler, more modular proofs. Usually you have a rather complex reduction to get to Diffie-Hellman or strong Diffie-Hellman in the programmable random oracle model, but by using PRF-ODH this is just a straightforward reduction that makes the proof much easier. And with that I'd like to conclude, and I'm very happy to take any questions you might have. Thank you.
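The lr-PRF-ODH game the talk describes, as an added example that is not code from the talk or from Brendel, Fischlin, Günther and Janson: a challenger hands out g^u, answers O_u queries, then on the adversary's label x* returns g^v together with either F(g^uv, x*) or a random string, and opens O_v only at that point (the asymmetry the speaker mentions). The n/s/m query budgets on the two oracles are enforced, and so is the exclusion of the trivial queries (g^v, x*) and (g^u, x*), which the talk does not spell out but which any version of the game needs. HMAC-SHA256 as the PRF F, the toy Mersenne-prime group, and all names and labels are assumptions of this example; the Alice/Bob/adversary scenario mirrors the key exchange picture from the talk.

```python
import hashlib
import hmac
import secrets

# Constructed toy group: Z_p^* with p = 2^127 - 1 (a Mersenne prime), g = 3.
# Stands in for the talk's group G; not a production parameter choice.
P = 2**127 - 1
G = 3
ELEM_LEN = (P.bit_length() + 7) // 8

# l, r in {n, s, m}: no query, a single query, or polynomially many (None).
QUERY_LIMIT = {"n": 0, "s": 1, "m": None}


def prf(key_elem, label):
    """F(K, x): PRF keyed with group element K on label x; HMAC-SHA256 assumed."""
    return hmac.new(key_elem.to_bytes(ELEM_LEN, "big"), label, hashlib.sha256).digest()


def dh_keygen():
    """Fresh Diffie-Hellman share: secret exponent x and public element g^x."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def honest_key_exchange(transcript=b"Alice|Bob|constructed transcript"):
    """Alice and Bob both derive F(g^uv, X), as in the talk's simplified exchange."""
    u, g_u = dh_keygen()  # Alice's share
    v, g_v = dh_keygen()  # Bob's (static) share
    return prf(pow(g_v, u, P), transcript) == prf(pow(g_u, v, P), transcript)


class PRFODHChallenger:
    """Runs the lr-PRF-ODH game: l bounds queries to O_u, r bounds queries to O_v."""

    def __init__(self, l, r, real=None):
        self.limit_u, self.limit_v = QUERY_LIMIT[l], QUERY_LIMIT[r]
        self.u, self.g_u = dh_keygen()
        self.v, self.g_v = dh_keygen()
        self.real = secrets.randbits(1) == 1 if real is None else real  # hidden bit
        self.label = None  # challenge label x*, set once the adversary commits
        self.queries_u = self.queries_v = 0

    def start(self):
        """Phase 1: the adversary gets g^u and may already query the left oracle O_u."""
        return self.g_u

    def challenge(self, label):
        """Phase 2: adversary commits to x*; gets g^v and y* = F(g^uv, x*) or random."""
        if self.label is not None:
            raise RuntimeError("only one challenge allowed")
        self.label = label
        y = prf(pow(self.g_v, self.u, P), label) if self.real else secrets.token_bytes(32)
        return self.g_v, y

    @staticmethod
    def _check_budget(count, limit, name):
        if limit is not None and count >= limit:
            raise PermissionError(f"{name}: query budget of {limit} exhausted")

    def oracle_u(self, S, label):
        """O_u(S, x') = F(S^u, x'), refusing only the trivial query (g^v, x*)."""
        if (S, label) == (self.g_v, self.label):
            raise PermissionError("O_u: trivial query (g^v, x*) rejected")
        self._check_budget(self.queries_u, self.limit_u, "O_u")
        self.queries_u += 1
        return prf(pow(S, self.u, P), label)

    def oracle_v(self, S, label):
        """O_v(S, x') = F(S^v, x'); opens only with the challenge (the asymmetry)."""
        if self.label is None:
            raise PermissionError("O_v: available only after the challenge")
        if (S, label) == (self.g_u, self.label):
            raise PermissionError("O_v: trivial query (g^u, x*) rejected")
        self._check_budget(self.queries_v, self.limit_v, "O_v")
        self.queries_v += 1
        return prf(pow(S, self.v, P), label)


def related_values_are_consistent():
    """The talk's picture: the adversary runs its own exchange with Bob (share g^u)
    using an exponent w it knows, learns F(g^uw, x') through O_u and can verify it,
    yet that related value says nothing about the challenge y*."""
    ch = PRFODHChallenger("m", "m", real=True)
    g_u = ch.start()
    w, g_w = dh_keygen()
    related = ch.oracle_u(g_w, b"adversary session")
    _, y_star = ch.challenge(b"tested session")
    return related == prf(pow(g_u, w, P), b"adversary session") and related != y_star


def _attempt(call):
    try:
        call()
        return "answered"
    except PermissionError as exc:
        return f"refused: {exc}"


def enforcement_report(l="s", r="n"):
    """Moves the sn-PRF-ODH challenger (the ephemeral-DH variant from the talk:
    one O_u query, no O_v query) answers, and moves it refuses."""
    ch = PRFODHChallenger(l, r)
    ch.start()
    _, g_w = dh_keygen()
    report = {"first_u_query": _attempt(lambda: ch.oracle_u(g_w, b"x1"))}
    g_v, _ = ch.challenge(b"x*")
    report["trivial_u_query"] = _attempt(lambda: ch.oracle_u(g_v, b"x*"))
    report["second_u_query"] = _attempt(lambda: ch.oracle_u(g_w, b"x2"))
    report["any_v_query"] = _attempt(lambda: ch.oracle_v(g_w, b"x3"))
    return report
```

Running `enforcement_report()` shows exactly what the l and r parameters buy the adversary: under sn-PRF-ODH the first left-oracle query is answered, the trivial query on (g^v, x*) is rejected, the second left query runs out of budget, and the right oracle is never available. Switching to `PRFODHChallenger("m", "m")` reproduces the static-static situation from the talk, where both oracles answer polynomially many related-key queries.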