 Unfortunately last night my computer broke down, so luckily I had some backup of my slides otherwise I guess I would have had to use a whiteboard here. But hopefully there won't be any glitches. So okay, so and this is joint work with Manuel Barbosa, who is also here in the audience, so if you'd like to come afterwards and talk to any of us about the rebels or just say hi, he's also right. Okay, so let me start with a topic that should be familiar to everyone here in the audience. If you don't know about hash functions you probably should not be here at crypto. So other hash functions are functions that take a long and arbitrary text like this book from the medieval ages and then applies a hash function, applies a function to it and outputs a short and random looking string. So as you know there are many protocols out there that use hash functions, however, provable security for these protocols are not always possible. And one reason for this is that when designers have implemented these protocols they have actually assumed that these hash functions behave like random functions. So what they have assumed is that this hash function here actually behaves like a random function which is more commonly known as a random oracle. And a random oracle is basically a function that outputs independent and uniform outputs on inputs that it gets. And this methodology to design protocols have been very successful. So we can use the random oracle methodology to study the security of public encryption schemes, signature schemes, as far as I know parts of the TLS protocol still use the random oracle, symmetric schemes, etc. So what these random oracles actually model is an ideal hash function. Hash functions just output independent random outputs. So what is this talk about? So in this talk we are giving a random oracle and our task is to build an encryption scheme. So you might say that well surely this is a problem that has been studied in cryptography in the last 40 years, you know, how can we build an encryption scheme from a hash function? Well but the difference in this talk is that as I mentioned a random oracle is an ideal hash function and what we want to do is that we want to inherit all the strengths that are built into this hash function into our encryption scheme. That is we want to build an ideal encryption scheme. Now I told you that an ideal hash function is a random function and that just raises the question what is the appropriate reference object for an ideal encryption scheme? Okay, so with that let me tell you what an authenticated encryption scheme is and here is a syntax for authenticated encryption. It basically consists of three algorithms, a key generation which outputs a key k, an encryption algorithm which takes a key k and nouns n, associate data a, a message m, an expansion parameter tau, and outputs a ciphertext which is tau bits longer than the message. And decryption takes key, nouns, associate data, ciphertext, tau, and outputs message or purp. And the intuitive security properties that we need are confidentiality and authenticity in the sense that nothing about the messages are leaked under a randomly chosen and unknown key and also on authenticity in the sense that an adversary cannot forge new ciphertext without knowing the key. So let me simplify this even further and look at just a very simple version of AE where I have just got rid of the nouns and associate data. So we have key generation, encryption and decryption. And if you think about it for a second you'll see that this is basically a keyed injection. Why injection? Because we want different messages to go to different ciphertexts so we can actually uniquely decrypt these ciphertexts. So it injectively maps messages to ciphertexts. Okay, so what is ideal encryption? So hash functions are just functions and as I told an ideal hash function is a random function. What are ciphers or block ciphers? These are keyed permutations. So what is an ideal cipher? It's a random keyed permutation. Encryption, well we just discussed that it's a keyed injection. So what's an ideal encryption? It's a very easy exercise that you can just fill in randomly. It's a random keyed injection. Okay. And this actually gives rise to a new model of computation. Which is somewhere in between the random oracle model corresponding to random functions and the ideal cipher model corresponding to the random keyed permutation. So it's somewhere in between. Because injections have more structured than functions but less structured than permutations. Okay, so let's go back to this picture. So what is the object that the random keyed injection and then the question becomes how can we go from random functions to random injections? And there's a beautiful framework out there formalizing what it means to go from different systems called indifferenceability. So let me just briefly talk about what the indifferenceability definition says. So indifferenceability basically says that it basically tries to define what it means for a construction c with access to random oracle to be as good as another random system here, an ideal encryption scheme. So one attempt in doing this would be to basically say that the construction with access to the random oracle is indistinguishable from ideal encryption. But you might say that, well, this is not everything that the adversary has access to. The adversary also has access to the underlying random oracle in trying to distinguish these two systems. So we can say that, well, how about we look at this setting. But a minute of thought reveals that this is actually never going to be the case because these are dependent random variables, whereas here you have independent random variables. This is an independently chosen random injection from this random function here. So actually, the approach is wrong. So what we need to do is actually we need to try to define this in terms of simulation based security from the UC framework, et cetera. And it takes 10 minutes, 15 minutes to develop the definition. But it turns out the right definition is that you say that basically this system here, the construction with random oracles, is indistinguishable from ideal encryption. And a simulator which cooks up random oracle values as if they are coming from this ideal encryption scheme. So in terms of pictures, I'm not a big fan of this picture. It appears everywhere. So I thought I'll put it up as well. So the distinguisher gets access to construction random oracle, which goes around the oracle, and here the simulator is going. I think it's kind of confusing that the arrows go in the opposite directions. But the important thing about this definition is that it actually provides a unified attack surface to the adversary in the sense that the adversary can actually control all the inputs to the encryption scheme. So it's not the case that there is a random key chosen and it's not under the control of the adversary. Everything is under the adversarial control. The key denounce the message associate data, et cetera. And I want to emphasize that, oops, that keys can be, for example, chosen in a correlated way or messages could depend on the keys, completely arbitrary correlations, as you would. And that is the power of indifferenceability. So you might say, well, why consider indifferenceability? So there is a fundamental theorem of Mauro Renel Hollenstein from TCC 2004, which won the test of time award a few years ago, showing that if a construction is indifferenceable from an ideal encryption scheme, then this construction is secure in many adversarial environments. So these adversarial environments include the standard AE notion of security or misuse resilient AE security or robust AE security. These are recent notions of security for authenticated encryption. But it goes well beyond these. It includes, for example, KDM security, where you can choose messages dependent of the keys, leakage resilience, where you can maybe obtain some leakage about the key, RKA security where keys could be correlated with each other, committing encryption. This is a notion which we saw in the previous talk, where the encryption should be basically collision resistant, deduplication schemes, et cetera. However, more is true in the sense that you can actually consider combined models where you, for example, have a supermodel where you combine RKA security and KDM security and you ask, is it the case that my ideal encryption scheme is secure in this model? And actually unforeseen security models, security models that we have not yet thought about, as long as they fall under this umbrella of gains which are called single stage. These are gains where there is a central adversary which basically orchestrates the attack on the ideal encryption scheme. So in the paper we give a slight extension of this composition result which contains the KDM and RKA for practical use cases. Okay, so you might ask, are there any authenticated encryption schemes out there? So we went in and we looked at some of the schemes out there in the literature. So we started with a paper of Lamper, Rogovay and Schripturm from 2014, which basically look at different ways to combine an encryption and a PRF to build an authenticated encryption scheme. For example, here this one is encrypt and MAC because you encrypt the message and then you kind of pass it to the PRF. So here's MAC and encrypt, you MAC and then you encrypt that, roughly speaking. And here's the synthetic IV model where you synthetically generate this IV from nonce message and associated date. So what we actually show in the paper is that none of these are indifferenceable, except A8, that all of these fall under indifference ability attack. And let me just give you an idea of what this is, a very simple observation about this one. So in this construction, by the way, there's a typo here, I should say. I could not change it because my laptop is not working anymore. So if you look at the construction, you see that this key L here only affects the tag T here. It does not affect the ciphertyx. So it's written the other way around here. However, if you consider an ideal encryption scheme, which is a totally random injection, then all inputs are going to affect all outputs. And then you can use that feature to actually differentiate these two. And if you try to practically interpret that, this actually can be interpreted as a related key attack on the scheme. So in the paper, we actually give a general template for composition of various schemes. And we show that if a scheme falls under this template, then you can attack it via two different differentiators. Details are in the paper. So it's just to simplify the analysis for all these schemes. What about the specific scheme? So we also looked at OCB, deoxys, which is a Caesar candidate, AEZ, which was a Caesar candidate. And these schemes also fall to differentiability attacks. And some of these are not surprising because these schemes are not supposed to be misused resilient. So they are not going to be indifferentiable either. But some of them are supposed to be misused resilient and be attacked with more specific attacks. So the conclusion of that part of the talk is that here's indifferentious, brutally stabbing the Caesar candidate. So I need indifferentiable schemes out there, you might just still ask. Well, we went back to what else? The five-still construction from the 70s. So here is the five-still construction, which takes a left and right part of the message and processes it to random oracles, as it is written here. So what do we know about this construction? Well, it was shown that at some point that five rounds of five-still are necessary to get a random-keet injection. Five rounds are not sufficient to get a random-keet injection. You can attack five rounds and six rounds onwards is actually secure. But then a bug was found in this proof and the number of rounds went all the way up to 14, then it was reduced to 10, and then to eight by many clever people, some of whom are on the audience. And one of which here is chairing the session. So what we show for injections is that if you just replace the left part with zeros, you just put some zeros there and you just put the message in the right part of the buyer. Then three rounds of five-still are necessary and sufficient to build random-keet injections. So in terms of the picture for injection, it looks something like this. Let me also mention that these proofs for permutations go for 80, 100 pages, whereas the proof for injection only goes for 13 game hops. So if you're interested in learning about indifferentiability, maybe you can look at the paper and try to see. So the bounds that we achieved, the actual concrete bounds for security that we achieve are also much better than the bounds for permutation. So it's like a birthday bound. Okay, so that actually gives us an offline authenticated encryption. And in the paper, we also study online authenticated encryption. So what's an online encryption or maybe streaming encryption? It's where we need to process these messages as they arrive. So we don't want to wait for the movie to end and then start watching it. We want to watch the movie as the packets arrive. So you can actually take this intuition and then tries to formalize it. And then you can take the syntax of a normal online authenticated encryption and then consider a random online authenticated encryption. Which then gives rise to the reference object for ideal online authenticated encryption. And what we show in the paper that chaining up an AEAD will indifferentiably turn it on. In the sense that you can, for example, start with your key and nonce, hash it to get some state value. And feed that state value to your hash function with the incoming associate data, pass it to the encryption as the key. Encrypt the message with this key, get your ciphertext. Then again, prepare a summary of everything so far by hashing everything and putting into state and then chaining onwards again. So we can show that this construction actually gives an ideal online authenticated encryption. So let me end by saying a couple of words about efficiency. So the final result of our paper is actually a negative result, which shows that any indifferentiable construction of a WN bit random injection from an N bit permutation must place 2W-2 queries to the random permutation. So it basically gives a lower bound on the number of queries that the construction should make to the underlying random permutation. And to prove this, we basically combine techniques used for lower bounds for collision resistant that Paul mentioned in his slide. With lower bounds for pseudo random generators from the work of Gennara and Treveson. So as far as I know, correct me if I'm wrong, this is the first indifferentiability lower bound that I know out there. But our final construction actually makes 3W queries because it has three random oracles. And then this leaves a gap that do we actually have does the lower bound extend all the way up to three, just under three? Or is it the case that we can have a more efficient construction coming down all the way to two queries? So it would be nice to resolve questions like this. I liked it. Okay, so that concludes the talk. So basically the talk was about a new way of viewing authenticated encryption as a random keyed injection. And this was motivated by the indifferentiability composition theorem, which gives security in all single stage environments. Thank you.