 Good morning everyone. This is joint work with the Afghani dollars in Siogu and so let's start by so suppose Alice and Bob Go for a trip to New York City and Alice is very excited and Bob still kind of has a hangover from a Party the night before but at some point they walk up to the Museum of Modern Cryptography And Alice is all excited. It's like let's go see some cryptography and Bob's like You know if we have to let's do it. So they they pay an admission fee and they enter the Museum of Modern Cryptography and they come to like this Directory and they see all the all the cool exhibits and Then after staring at it for a while Alice decides, okay I want to see some practical crypto and and Bob agrees so they end up going to the crypto and practice exhibition and They come by a couple of cool things. So the first exhibit they stop that is like the Miracle Damgar construction With the Davis Myers compression function, which is basically you take the top input here You use it as a key for a block cipher and then the lower part here It it's the input to the block cipher But then it's also X or to the output and this is the design paradigm that underlies the shout to hash function so they stared it for a moment and Then they go on to the next item in the exhibit and they come by like the sponge construction Which is so there is a message block is X sort into the top part here and then a permutation is applied to the entire Input and then the next message block is again next sort to the top part and so on and so on and they can read here So somewhere on it on a caption that you know, this is widely used. It's used for collision resistance It's used to build max for PRFs and so on and so on to the random number generation So this is very impressive They stare at it for a moment that they go on they come to like key alternating ciphers, which is a way to abstract AES So in a yes, basically So first the key x or to the message then a permutation is applied then another keys x or then another permutation is applied and of course a special case of this is the well-known evenman source after which is simply like one round of this of this thing here yeah, so they look at it for a moment and Then they go on and they come to like a public key cryptos section and they see like the discrete logarithm problem So that you know, it's like there's an attacker and the challenger the challenger chooses a random exponent applies Computes g to the x sends that to the attacker the attacker tries to find the discrete log so They stare at it for a moment and then Alice is like, but you know, how do you assess security of these things? and Bob has no idea, but he has a you know, he just they get an audio guide So the audio guide says well in some in cryptography in symmetric cryptography What what often happens if you try to derive security bounds for for such primitives is that? You you replace your your your basic primitive by by something ideal so in the case whenever there is a permutation involved usually it's replaced by a public random permutation that is chosen unit from a random from the set of all permutations and That can be queried by everyone in the forward and the backward direction If there is some some block cipher involved like here with Merkel downward It's common to consider the ideal cipher models, which is a block cipher chosen unit from and random from from all block ciphers And again for every key can be queried in the forward and the backward direction So You know and then they just next to this they see this idealized model methodology which which Which claims that you know for natural applications Whatever you prove in the idealized model you you hope that in the standard model You get similar security if you use a good instantiation for your For your idealized primitive So you don't always like everything you see at a museum So here is a here is a toy example How can you so suppose for for for a moment that you know here you can only make forward queries to your random permutation So this model's the smallest like the security of one way permutations in the random permutation model So basically the challenger chooses a random x computes pi of x sends that to y and that the job of the attackers to find Is to find x and So this is super easy to analyze in the random permutation model Right so basically At some point the attack is gonna make a bunch of like forward queries here And you know bad thing that can happen is if at some point the attacker queries the actual x and if he doesn't query the actual x Then he has like he can only guess what what x is in the random permutation model and the probability by a simple Union bound that he queries the the actual x is t divided by n so You know conclusion in the random permutation model Sort of inverting a permutation is secure up to to to n queries to to the permutation Okay, so here's another example. Here's the evenman source cipher So here the attacker is trying to distinguish real from ideal. So in the real world He can make queries to the actual evenman sort construction forward or backward And he can make queries to the underlying primitive forward or backward And of course the same in the ideal world except in the ideal world instead of the construction We have an independent uniform random permutation and the job of the attackers trying to tell the support and again It's in it's not difficult to analyze this So basically there's some bad event that says roughly says that if the attacker makes a primitive query that corresponds to it to a construction query that he made then we give up and otherwise if that doesn't happen he can't tell these two things apart and Again by a simple union bound you can derive this bound here construct number of construction queries times number of primitive queries divided by n So what do you conject or what do we see here? Well in the random permutation model? we conjecture security of evenman sort up to the birthday bound and And Well similarly so for discrete logarithms We can we can use the generic group model to at least rule out generic attacks So the generic group model simply the group is represented by a random injection Which is a labeling function that simply assigns a random label to every possible discrete log and There is a group operation oracle that allows you to give to two labels and then you get back the label that corresponds to the to the group operation applied to the Things that are inside these two labels So if you look at discrete logarithms in the generic group model again There's a well-known result by Victor Schup that says Roughly what happens in here is that the attacker computes like degree one polynomials in some indeterminate x and the bad thing That can happen is like if to this that two polynomials collide at the actual x that you choose So you again get like security up to the birthday bound Even for discrete logarithms in the generic group model So after a while Bob wakes up from his hangover and asks the question. Well, what what happens with like pre-processing attacks? And so it's a good point In practice, of course, often the security parameter is fixed and you know dedicated attacker may perform some pre-computation To speed up its online attack And this we can capture by simply considering an unbounded like first stage attacker That you know does whatever it wants, but then it gives like as bits of advice to the main attacker That then tries to break whatever primitive in question And this kind of models non-uniformity. So here is a well-known Pre-processing attack is by helmet. It allows you to invert permutation. So what do you do? It's like, you know suppose the for simplicity the permutation is just a single cycle, so you you You go around the cycle in the pre-processing and you store like points at distance like and divided by s for some space parameter s and then these points you leak as advice and then when you get the actual challenge Here why you just simply apply the permutation until you hit one of those points Then you go to the preceding point you keep applying your permutation until you get back to the original y and the value immediately Before is the value that you're looking for so What is the what is the space complexity of this attack? Well, it's like it's s because we will leak roughly as points The time complexity is t because we have to do at most like n divided by s Steps so if you choose s and t to be squared of n This is an attack that runs in square root of n and like inverts your Invert your permutation except that in the random permutation model we conjectured security up to n queries So there seems to be some kind of mismatch here Similarly, there are a bunch of other pre-processing or many other pre-processing attacks so there we can break discrete logarithms with a better advantage than conjectured in the random permit sorry generic group model and also the this Similar thing holds for the even mature cypher. So it seems that our beautiful idealized models methodology is on fire, but luckily As in Bob they run into the curator of the museum who had some experience with this in the random oracle model so the curator In had like the following idea for the random oracle model, which now we generalize to like these other idealized models is that This you know standard format of a security game is simply extended by this this Pre-processing attacker here with who sees the entire function table and then based on the entire function table can simply compute some S bits of advice and leak this to the main attacker And now we can hope to update our idealized models methodology to say that if we prove something in this auxiliary input model then this corresponds to security in the standard model against Pre-processing attacks again assuming that you know you instantiate your ideal primitive with something something good so For example our toy example run one way permutations here now now you can see that it becomes really hard to analyze it However, because as soon as you like see the leakage value conditioned on this leakage value whatever it is in general the distribution of your of your idealized primitive becomes like Pretty messy and you don't know what is the distribution of the coordinates? How do the coordinates depend on each other so it seems really hard to to analyze this So Let's see what happened in the random oracle model with this with this setting So again, so under the arc curator he introduced what is known as the pre sampling technique Which we'll talk about in a moment And the pre sampling technique is is generally easy to analyze and allows to derive bound in this bounds in this model And it's generic, which means like you can apply to almost any application But unfortunately the bounds that come out are usually a little loose and also Yes, like limited applicability to two settings where you have additional computational Hardness assumptions. So not so long ago. There was a paper by You've got any Seattle and Jonathan where they used genera travisans compression paradigm to to analyze like specific primitives in in this auxiliary input model and So the thing is it's application specific So for every application you need to come up with a completely new proof And it's also generally kind of tricky to to make these compression proofs work But the the upside here is of course the the proofs are usually tight Maybe okay, also here. It's you it's not clear how you can apply this to like stuff with computational assumptions So recently Together with John Steinberger we came up with an improved pre pre sampling that you know it retains like easy generic Properties of the original one, but it also yields tight bounds in the random oracle model and also it's applicable to computational stuff All right, so what is the history in the? random permutation models Stefano like sort of extended Unruh's technique to the random permutation model But of course the bounds are still loose and then there is known compression results for example for for one-way permutations But again, it's application specific and hard And so in this paper we extend the pre sampling technique to improve pre sampling techniques to the random permutation model and to the ideal Cypher model and we get like easy generic and Tried proofs and again, it's you can apply to two applications that rely on additional hardness assumptions And maybe it's worth pointing out that for like stuff for symmetric primitives So like sha one S or sure two sure three and and even mature and so on there were no like at least the best of our knowledge No known non uniform bounds. So no bounds that account for pre processing It's so here same thing in the generic group model at Eurycryptus here Corian Gibson Kogan that Showed how you can drive tight bounds using compression proofs And again also it turns out this pre sampling thing you can use it in the generic group model and you get again the The advantages of the of the pre sampling All right, so I've been talking about it So what is it so it basically is two steps So first you analyze something that in a much simpler model which we which is called the bit fixing model And then you use a generic connection between the bit fixing model and the auxiliary input model to derive your final back So here's the bit fixing model So instead of like leaking the entire function table to the first stage attacker What you do is you allow the first stage attacker to preset your idealized primitive So in this case, they're the random permutation at a bunch of coordinates So without collisions, so there's still a permutation But then you choose their main that the rest of the permutation Uniformly at random from all the permutations there that are consistent with the prefix coordinates But note that there is no leakage So the pre fixing is the only thing that we're allowed to do here and the same you can do for ideal cypress and generic groups And then there is this magic connection between the two worlds that That we show that so if if something has like epsilon security in this bit fixing model then it has epsilon prime security in the auxiliary input model and what you pay is this additive error of ST divided by the size of the list So now And the same connection holds for the other idealized models So as an example, we can go back to even Munser So this time only do the real world So, you know like this this first stage attacker He doesn't like he'd simply preset some points of the permutation So the permutation is twice here So it doesn't matter where but so these are the prefix coordinates and then he leaks some leakage But the leakage is not only going to depend on the points that are prefixed It's not going to depend on the rest of the permutation So what you can do is basically can repeat your original analysis and extend the bad event To incorporate stuff that that is in this list Okay, and when you do that you you get a new bound So this is like sort of the original bound here And then this is the bound that corresponds to the extended bad event Which is simply that one of the construction queries interferes with the the prefixed coordinates here so now what you can do is you take the bound in the bit fixing model and You use the generic theorem to and you get this error st divided by p and now you can choose p So that you know this part back here gets is minimized So in this case this would be the appropriate p and if you insert it this this is gonna be your final bound Okay, so and then similar things you can do for our here's our toy example the one way permutations So again, you prefix coordinates and you extend the bad event to like include these these prefix coordinates And you get a new you get a new bound And then here since this is an so-called unpredictability application We have a second version of of Of the pre sampling that says you basically only lose a factor of two Provided you choose p to be at least s times t. So in our case Okay, this should say this should say our p. I'm not ggm, but otherwise. So this was our bound here So if we said p equals to st, then we basically lose a factor of two so asymptotically it's the same and this will be our final bound and It matches a the compression base proof that was known before All right So the same you can do for discrete logarithms You update bad event you get a new bound You said p equals to st you get the final bound and this also matches the compression base proof that was known before Okay Okay, so let me sum up the balance that we have so The we analyze Some basic applications that like one way perpetrations even mature even like something as trivial as The ideal cipher used as a block cipher has never been analyzed with non-uniform bounds So this and we do this But then we also have like more complicated things. So we analyze show one and chat, too So we have Merkel down guard with Davis Myers and the sponges and we analyze them whether with respect to their collision resistance Whether they're good PRFs and max and so on and we look at a bunch of Primitives in the generic group model such as discrete logarithms Computational if you helmet and so on and so on and like For here, for example, all the bounds that we derived with the simple pre sampling method matched the more like involved bounds that or the bounds that you get by more involved proofs using Using a compression the compression techniques and then just to illustrate like That it also applies to two two applications that rely on additional hardness assumption We we analyze something that's called the full domain permutation encryption And and and derived bounds there as well So here may be some things that are interesting to Find out in the future. So for I listed two of our favorite applications One is the evenman source cipher So we we only know how to prove a bound of square root st Square over n and the best attack gets like st square divided by n So there is there's like a challenge of getting rid of the square root here and Similarly for decisional diffie helmet It's also still open. So this like the best bound That one can arrive with square root st square over n But the best attack only achieves st square divided by n okay, and Other things like we analyzed even when sir, but it would be interesting to have like non uniform bounds for like a full key Alternating ciphers and see what one can get there