Hello everyone, this is Supreeta Dalnekar and I shall be speaking on the use of permutations as primitives for constructing message authentication codes, with emphasis on viewing them as compositions of tweakable instances of existing constructions. Let us quickly recall what we mean by symmetric-key-based message authentication codes. Suppose Alice wants to send Bob a message without letting Eve manipulate it. She can do this by adding a tag to her message using a secret key that she shares with Bob, and Bob can verify that the message he received was indeed from Alice using the same key. Since each tag is computed using the corresponding message, if Eve changes the message, the tag may show an error, letting Bob know this message wasn't from Alice. If Alice keeps sending messages to Bob, Eve can try to change each message and see if Bob is fooled by any message-tag pair. Why is beyond-birthday security required? Apart from the fact that the computing power of adversaries is always increasing, the flourishing part that lightweight cryptography now plays in our daily lives necessitates security beyond the birthday bound. Constructions like ECBC and PMAC that were commonly considered secure fail to meet these new requirements, as we can see here. Beyond-birthday-bound security is usually referred to as BBB security for short. In fact, constructions that possess BBB security naturally allow for the processing of a comparatively larger number of blocks without having to change the secret key. This is another advantage of higher security. Let us see how permutation-based MACs differ from block-cipher-based MACs. The main difference, as we can see, is due to the adversary's interaction with the oracles and the oracles provided to the adversary for the interaction.
So, in addition to the authentication and verification oracles, an adversary interacting with a permutation-based MAC also has access to the permutations that are used as primitives in the construction, and these permutations are therefore called public primitives or public permutations for this reason. Due to this, the MAC advantage now also depends upon the outcomes of the adversary's forward and backward queries to the primitives. Thus, a block-cipher-based MAC may not necessarily possess the same security when converted into a permutation-based MAC, and this is the reason why we need to look at the security of such new constructions separately. Let us now examine some existing constructions. The Even-Mansour construction, represented here by the equation π(m ⊕ k1) ⊕ k2, is a construction that was proposed by Even and Mansour in the Journal of Cryptology in June 1997. Cogliati et al. replaced the round keys k1 and k2 by functions f_i of the tweak t, resulting in the tweakable Even-Mansour construction. This construction is also shown as a figure in this slide. The sum of Even-Mansour construction was proposed by Chen, Lambooij and Mennink at Crypto 2019, and it has been called SoEM1, SoEM21 or SoEM22 depending upon the equality of the two keys k1 and k2 and the two permutations π1 and π2. Chen et al. have also provided key-recovery attacks on these constructions in their paper. In particular, their attack on SoEM22, which we can see here, makes around 2^(2n/3) queries to match the inputs to the permutations in the construction with the inputs to the permutations as primitive queries, and verifies the keys by repeatedly checking whether the equation c ⊕ c' = v ⊕ v' ⊕ y ⊕ y' is satisfied, where c and c' are the construction outputs, v and v' are the outputs of the first permutation π1, and y and y' are the outputs of the second permutation π2.
Sum of key-alternating ciphers is another construction that was also proposed by Chen, Lambooij and Mennink in the same paper at Crypto 2019, and this construction has been called SoKAC1, SoKAC21 or SoKAC22, again depending upon the equality of the two keys k1 and k2 and the two permutations π1 and π2. Chen et al. have claimed a birthday-bound attack on SoKAC1 which is supposed to be similar to the attack on SoEM. However, the principle behind the attack on SoEM was the parallel construction, which forced the value of the input of one of the permutations to a particular value when the input of the other was fixed. This is not the case for the sequential construction of SoKAC, which we believe to be secure up to an order of 2^(2n/3) queries, and we provide an attack for this bound. This attack can be seen here. The idea of the attack is to match the input of the first permutation and the output of the second permutation with primitive queries, and to repeatedly check for each key value whether this equation is satisfied, the equation being v ⊕ x ⊕ v' ⊕ x' = 0, where v and v' are the outputs of the first instance of the permutation π, or the primitive permutation, and x and x' are the inputs to the second instance of the permutation π, or the primitive permutation. This is a matching attack on SoKAC21, and it can be found in the work of Nandi published at Eurocrypt 2020. This table describes the structures of several well-known constructions in terms of the primitives they use and other design properties. The first three of these are the constructions that we have proposed in our paper. The first of these is PDMMAC, or the permutation-based Davies-Meyer MAC, which is a construction that accepts only fixed-length message inputs and has a tight security of about 2^(2n/3) queries in the random permutation model.
The second is the nonce-based PDM*MAC, which uses an additional keyed hash allowing for variable-length messages, again with a tight security of 2^(2n/3) query complexity in the nonce-respecting scenario, and the third is 1K-PDM*MAC, which is a single-keyed instance of PDM*MAC that instantiates the hash key by passing the construction key through the primitive permutation. Its security is the same as that of PDM*MAC. A key-recovery attack similar to the one proposed for SoKAC1, of around 2^(2n/3) queries, works on PDM*MAC; it matches the inputs and outputs of the two permutations in the construction with primitive queries and checks whether the equation given on the screen is satisfied for each value. In this equation, the values n and n' are the nonces for different queries of the adversary, v and v' denote the outputs of the permutation π, either in the first instance of the construction or as a primitive, and y and y' denote the outputs of the second instance of the permutation π, used as π^(-1) in the construction, or as a primitive. We now talk about the design rationale that motivated us to design these constructions. So, the DDM construction, or the Decrypted Davies-Meyer construction, is the motivation behind constructing PDMMAC. It can be viewed as a sum of two instances of the tweakable Even-Mansour construction with tweaks 0 and 1, as shown here. The DWCDM construction proposed by Datta et al. is the motivation behind PDM*MAC. This construction can also be viewed as a sum of two instances of the tweakable Even-Mansour construction along with an extra hash input. We now present an idea of the proof of security for PDM*MAC using the H-coefficient technique of Patarin.
We define different types of bad events for this purpose, a few of which are shown in this and the following slides. For any transcript obtained by an adversary interacting with PDM*MAC, we view it as induced by a graph, where the distinct input values of the permutation queried by the adversary make up the vertices of the graph, continuous edges represent the sum of two permutation inputs from authentication queries to, or responses from, the construction, dotted edges represent the sum of two permutation outputs from various queries to the construction, and an edge label function, usually represented as λ, gives the sum of the two permutation outputs. So, there are bad events like B1 and B5, where a collision occurs only amongst construction queries; B8 and B11, where there is a collision between values of authentication or verification queries to the construction and queries to the primitive (the circled vertices represent collisions with primitive query values); and B12 and B13, where collisions occur between permutation inputs of authentication and verification construction queries; in particular, we necessarily require the label sum to be zero for bad events like B13. One can observe from the bad transcript graphs that any good transcript must necessarily be induced by a graph that has no cycle of the equation-inducing edges, no path of equation edges whose labels sum to zero, and no cycle with exactly one non-equation edge whose labels sum to zero. It may perhaps contain some circled edges, which can be easily removed by transferring the relevant authentication queries to primitive queries. What remains is a good graph as defined by Dutta et al. at Eurocrypt 2019, and the result from that paper can be used to bound the total number of solutions to such a graph. However, it only gives an n/2 query bound on the security of PDM*MAC, because of the term c·α in the numerator of the last fraction. Probability results from Datta et al. published at Crypto 2018 can be used to
compute a stronger bound. These two corollaries of those results give the desired bound of order 2^(2n/3) for our construction. The first corollary gives a bound on a sequence of two- or three-tuples of distinct random variables that are drawn without replacement, with restrictions on the sums of two pairs in each tuple. The second corollary uses the previous result to give a stronger bound on the number of solutions allowed by a good graph; since some values are restricted due to collisions with queries to the primitive permutations, this result allows for solutions from a subset of {0,1}^n. In particular, we can compare the terms involving q_v, which is the number of verification queries, in this and the previous result. This allows for the desired security bound of 2^(2n/3) for PDM*MAC. The security of the other two constructions proposed in our paper can similarly be shown to also have a tight bound of order 2^(2n/3). To summarize, we started this discussion with a description of message authentication codes and forgery games, took a look at why we need better-than-birthday-bound security, introduced permutations as primitives for building message authentication codes, and took a look at some existing constructions that do this, like Even-Mansour, tweakable Even-Mansour, the sum of Even-Mansour, the sum of key-alternating ciphers, etc. We then introduced our constructions, that is, PDMMAC and its variants, and gave an idea of how we computed the security bounds using extended mirror theory. Thank you.
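The following is an added worked example and is not part of the talk, nor code from the speaker or from the cited papers. It models the matching check the talk describes for the SoEM22 key-recovery attack (c ⊕ c' = v ⊕ v' ⊕ y ⊕ y', with the key terms cancelling) at a toy block size, and the same "match construction inputs against primitive queries, then filter candidates" pattern is what the talk describes for SoKAC21 and PDM*MAC. Assumptions made here: SoEM22 is taken as F(m) = π1(m ⊕ k1) ⊕ k1 ⊕ π2(m ⊕ k2) ⊕ k2 (two single-key Even-Mansour instances with independent keys and permutations, summed); n = 12 bits; the three query sets of size 2^(2n/3) are chosen in a structured way (one n/3-bit chunk fixed to zero in each) so that a match with the true key is guaranteed rather than merely likely; candidate keys are then filtered by recomputing the construction from the public permutations on a few extra messages. Names such as `recover_keys`, `CountingOracle` and `demo` are this example's own.

```python
"""Toy SoEM22 and the matching-based key recovery described in the talk.

Added illustration only.  Assumptions (not from the talk or papers):
  * SoEM22 is modelled as F(m) = pi1(m ^ k1) ^ k1 ^ pi2(m ^ k2) ^ k2.
  * n = 12 so that 2^(2n/3) = 256 and everything runs in well under a second.
  * The query sets are structured (one n/3-bit chunk zeroed in each) so that
    the true key is guaranteed to be matched with |set| = 2^(2n/3).
Oracles memoize, so the reported counts are numbers of distinct queries.
"""
import random

N = 12                  # toy block size in bits (a multiple of 3 for the chunking below)
T = N // 3              # chunk size; each query set has 2^(2T) = 2^(2n/3) elements


def random_permutation(seed):
    """A public random permutation on n-bit strings, as a lookup table."""
    rng = random.Random(seed)
    table = list(range(1 << N))
    rng.shuffle(table)
    return table


class CountingOracle:
    """Wraps an oracle function, memoizes it, and counts distinct queries."""
    def __init__(self, fn):
        self.fn, self.cache = fn, {}

    def __call__(self, x):
        if x not in self.cache:
            self.cache[x] = self.fn(x)
        return self.cache[x]

    @property
    def queries(self):
        return len(self.cache)


def soem22(pi1, pi2, k1, k2):
    """SoEM22 as assumed above: pi1(m ^ k1) ^ k1 ^ pi2(m ^ k2) ^ k2."""
    return lambda m: pi1[m ^ k1] ^ k1 ^ pi2[m ^ k2] ^ k2


def chunks(a, b, c):
    """Pack three T-bit chunks into one n-bit value (a is the top chunk)."""
    return (a << (2 * T)) | (b << T) | c


def recover_keys(construction, prim1, prim2, check_msgs):
    """Return the set of (k1, k2) pairs consistent with all observed queries."""
    delta = 1 << (N - 1)            # fixed difference used for every query pair
    span = range(1 << T)
    # Structured sets of size 2^(2n/3): messages (0,b,c), pi1 inputs (a,0,c),
    # pi2 inputs (a,b,0).  For the true key, m = (0, k1_b, k2_c) gives
    # m ^ k1 in the pi1 set and m ^ k2 in the pi2 set, so a match always exists.
    msgs = [chunks(0, b, c) for b in span for c in span]
    u_set = [chunks(a, 0, c) for a in span for c in span]
    x_set = [chunks(a, b, 0) for a in span for b in span]
    # c ^ c' for each message pair from the construction oracle ...
    diff_c = {m: construction(m) ^ construction(m ^ delta) for m in msgs}
    # ... and v ^ v', y ^ y' for each input pair from the public permutations.
    diff_v = {u: prim1(u) ^ prim1(u ^ delta) for u in u_set}
    by_diff_y = {}
    for x in x_set:
        by_diff_y.setdefault(prim2(x) ^ prim2(x ^ delta), []).append(x)
    # Matching: c ^ c' == v ^ v' ^ y ^ y' must hold when u = m ^ k1 and x = m ^ k2,
    # because k1 ^ k2 cancels in the difference of two construction outputs.
    candidates = set()
    for m, dc in diff_c.items():
        for u, dv in diff_v.items():
            for x in by_diff_y.get(dc ^ dv, ()):
                candidates.add((m ^ u, m ^ x))
    # Filter candidates by recomputing F from the public permutations on extra messages.
    observed = [(m, construction(m)) for m in check_msgs]
    survivors = set()
    for k1, k2 in candidates:
        if all(prim1(m ^ k1) ^ k1 ^ prim2(m ^ k2) ^ k2 == c for m, c in observed):
            survivors.add((k1, k2))
    return survivors


def demo(seed=1):
    """Run the attack on a seeded toy instance; returns (found, true key, query counts)."""
    rng = random.Random(seed)
    pi1, pi2 = random_permutation(seed), random_permutation(seed + 1)
    k1, k2 = rng.randrange(1 << N), rng.randrange(1 << N)
    construction = CountingOracle(soem22(pi1, pi2, k1, k2))
    prim1, prim2 = CountingOracle(pi1.__getitem__), CountingOracle(pi2.__getitem__)
    check_msgs = [rng.randrange(1 << N) for _ in range(3)]   # constructed filter messages
    found = recover_keys(construction, prim1, prim2, check_msgs)
    return found, (k1, k2), construction.queries, prim1.queries, prim2.queries


if __name__ == "__main__":
    found, true_key, qc, q1, q2 = demo()
    print("recovered", found, "true key", true_key)
    print("distinct queries: construction", qc, "pi1", q1, "pi2", q2)
```

The matching phase uses 2·2^(2n/3) distinct queries to each of the three oracles (512 each here); the candidate-filtering phase adds further primitive queries, and the construction's own key-addition terms never appear in the matching equation, which is why the check works without knowing the keys. Changing N changes the set sizes automatically, as long as N stays a multiple of 3.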