Hi everyone, I'm Joseph, and I'm going to talk to you about joint work with Stefano Tessaro in which we provide techniques for giving concrete security bounds for expected-time adversaries in information-theoretic settings, and apply these techniques to proving the soundness of proof systems.

Let's start by recalling the purpose of concrete security. Broadly speaking, we define security notions via advantage functions, which map a scheme Π and an adversary A to a number between 0 and 1, representing how successful A is at breaking the security of Π. In the typical asymptotic formalism, security is a binary property: schemes and attackers are parameterized by a security parameter λ, and a scheme is considered secure if all polynomial-time attackers have negligible advantage. A limitation of this formalism is that it does not provide any guidance or guarantees when we actually need to instantiate a scheme, thereby fixing the security parameter. This limitation is addressed by adopting a concrete security formalism. Here a scheme is fixed, and we quantitatively bound the advantage of attackers as a function of the resources they use. Thus, by estimating the resources we expect an attacker to have access to, we gain a more precise understanding of how secure a scheme is.

So in concrete security, we give precise trade-offs between an attacker's resources and how successful it is. We refer to the resources needed to achieve advantage around 1 as the security level of the scheme. The most commonly considered resource is the worst-case computation time of the attacker. As an example, consider the collision resistance of a hash function modeled as a random oracle with output length n. Standard analysis tells us that the advantage of any attacker is bounded by q^2/2^n, where q is an upper bound on the number of oracle queries the attacker makes.

In this work, we consider the question of whether we can prove bounds when instead we know the average-case behavior of the attacker. This is a natural measure, which commonly arises in cryptanalysis and in certain types of security proofs based on simulators or extractors. Unfortunately, many of our common analysis techniques fail in this setting. However, one might note that we can fairly generically derive results using Markov's inequality. For any cutoff q, we bound the advantage of A by the probability that it makes more than q queries plus the advantage it achieves with at most q queries. Then we apply Markov's inequality to the former term and optimize over all choices of q to obtain a bound of (μ^2/2^n)^(1/3), the cube root of the expected runtime squared over 2^n.

On the positive side, this is a very generic proof technique, which can be applied in pretty much any information-theoretic setting. It suffices for asymptotic analysis, and it preserves the security level: whether we measure worst-case or average-case runtime, a runtime of 2^(n/2) marks the security level. This raises the question, however, of whether this bound is tight, and in particular, is the cube root really necessary? What we'll show in our work is that, no, this is not tight, and the correct bound has a square root instead. While this does not change the security level of the scheme in isolation, it can change the security level when the scheme is used within some higher-level protocol. So our goal in this work is to generically extend existing analyses for information-theoretic settings with tight bounds to the expected-time setting.
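To spell out that Markov argument in symbols (this is just the calculation described above, with μ denoting the expected number of queries and constant factors kept loose):

```latex
% Split on whether the attacker makes more than q queries, for any cutoff q:
\mathsf{Adv}(A) \;\le\; \Pr[Q > q] + \epsilon(q)
            \;\le\; \frac{\mu}{q} + \frac{q^2}{2^n}.
% Choosing q = (\mu \cdot 2^n)^{1/3} balances the two terms, giving
\mathsf{Adv}(A) \;\le\; 2\left(\frac{\mu^2}{2^n}\right)^{1/3}.
```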
Roughly speaking, the form we expect our bounds to take is the following: if in the worst-case setting we had a bound of q^d/N, where d and N are some constants, then in the expected-time setting we get a bound of the same form using the expected runtime μ instead of the worst-case runtime, except now the whole expression is taken to the d-th root, giving (μ^d/N)^(1/d). What we'll show are generic proof techniques that apply when the original proof had one of a few particular forms, and this again suffices for asymptotic analysis and preserves the security level.

Now, when we ask ourselves whether this new bound is tight, is the d-th root correct? The answer is yes. In particular, we can show tightness of the bound by giving explicit attacks. Let's assume we have a matching attack for the worst-case bound, meaning an adversary B with advantage around 1 and worst-case runtime N^(1/d). Then for any expected runtime μ, we can construct an adversary matching our expected-time advantage bound. This adversary just flips a coin whose probability of heads is (μ^d/N)^(1/d) = μ/N^(1/d). If it obtains tails, the adversary aborts and gives up. Otherwise, if it gets heads, the adversary runs the attack B. (I'll show a small sketch of this attack in a moment.) If we analyze this attack, we see that its expected runtime is the probability of heads times the runtime of B, which is just μ, and its advantage is the probability of heads times the advantage of B, which gives us (μ^d/N)^(1/d), as desired, establishing that our upper bound is tight. In particular, if we apply this in the collision-resistance setting we were talking about, we know that we can get constant advantage using 2^(n/2) queries, so this gives us a tight attack of our form that matches the bound (μ^2/2^n)^(1/2).

Taking a step back, our contributions in this work are twofold. First, we provide generic techniques for bounding the advantage of adversaries based on their expected runtime. To do so, we extend two typical techniques used in the worst-case setting to the expected-time setting. These are bad-flag analysis for identical-until-bad games, and pointwise proximity, which is a special case of the H-coefficient method. For both of these, our techniques transform the bounds in the way we've been discussing, adding the d-th root. Some applications we show for this include the collision resistance and PRF security of a random oracle, discrete-log security in the generic group model, the typical PRP-PRF switching lemma, and the security of key-alternating ciphers. Then, using our tools, we show a more interesting application by applying them to the soundness of proof systems. In particular, we'll be looking at proof systems which were proven secure using the forking lemma framework of Bootle et al. for multi-round public-coin protocols. As a special case of this, our results give the first quantitative bound on the soundness of the Bulletproofs proof system.

I'll tackle these contributions one at a time, starting with our bad-flag analysis. There have been various formalizations of this, including by Bellare-Rogaway, Maurer, and Shoup. What we'll be thinking of is two games, G0 and G1. An adversary interacts with one of the two games and tries to figure out which game it is interacting with by outputting a bit b, guessing the identity of the game.
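Here is that coin-flipping adversary written out as a minimal sketch; the worst-case attack B and its interface are hypothetical stand-ins, since the argument is generic:

```python
import random

# Sketch of the coin-flipping adversary from the tightness argument above.
# `B` is a hypothetical worst-case attack with advantage ~1 and runtime N**(1/d).
def expected_time_adversary(B, mu, N, d):
    p_heads = min(1.0, mu / N ** (1 / d))  # equals (mu**d / N)**(1/d)
    if random.random() >= p_heads:
        return None  # tails: abort immediately, doing essentially no work
    return B()       # heads: run the full worst-case attack B

# Expected runtime: p_heads * N**(1/d) = mu.
# Advantage:        p_heads * Adv(B) ~ (mu**d / N)**(1/d).
```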
Now suppose that both of these games store a variable called bad, and their behaviors differ only after bad has been set to true. In this case, we consider the games to be so-called identical-until-bad, and we can apply the fundamental lemma, which tells us that the probabilities that A outputs 1 in the two games can differ by at most the probability that bad gets set to true. This gives us the following process for analyzing security notions: first, we rewrite the corresponding games to be identical-until-bad; then we bound the probability that an attacker can cause bad to be set to true by some function ε of its worst-case runtime; and then we apply the fundamental lemma to obtain our result.

As an example, consider the switching lemma. Here, G0 returns uniformly random values sampled without replacement, while G1 samples these values with replacement. Applying this process, we first need to rewrite the games, which we can do as follows. The games sample a value y at random every time they need to respond to a query from the attacker; then, if y was already returned for an earlier query, the flag bad is set to true, and in this case, only in G0, a fresh y is sampled that has not been previously sampled. Then the games return whatever value y they've sampled. It's fairly straightforward to see that this representation does indeed capture the two games we want and that they're identical-until-bad. For bounding the probability of bad, we can use standard analysis to bound it by roughly q^2/N, where N is the size of the range being sampled from. Applying the fundamental lemma then gives us the standard switching lemma.

Now, what if we try to extend this to the expected-time setting? The first issue we run into is that the expected runtime might differ between the two games, so it's not even clear what we should be bounding things in terms of. What will typically be the case is that one of the two games corresponds to a real world, where execution actually happens in practice, and the other is an ideal world. What this means is that what we really want is a bound in terms of the runtime in the real world, because that's the world the attacker will actually run in. Even after having decided this, we run into the issue that the simple worst-case techniques we typically use in this step, such as union bounding over all the queries the attacker makes, now fail, because the number of queries it might make is variable.

The tool we provide starts with a somewhat technical assumption about the probability of bad. In particular, we think of bounding the conditional probability of bad being set, conditioned on the attacker, when interacting with game G1, making exactly q queries. If we can bound this conditional probability by q^d/N, then we're able to show that the overall probability of bad is bounded by something of the form we desire. In particular, we show this for both values of b, meaning in terms of the expected runtime in either of the two games. This covers the fact that G1 will in some situations be the real world we care about, and in other situations the ideal world; either way, we obtain a bound on the advantage in terms of the runtime in either game, using this somewhat technical assumption about behavior in G1.

The proof of this result consists mainly of somewhat technical calculations. I won't go through them in detail, but I'll discuss, at a high level, the main steps that we take.
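Before walking through those steps, here is a minimal sketch of the identical-until-bad rewrite from the switching-lemma example above; the range size N and the query interface are illustrative choices of mine, not fixed in the talk:

```python
import random

# Identical-until-bad rewrite of the switching-lemma games.
# G0 samples without replacement (a random injection), G1 with replacement.
N = 2 ** 16  # illustrative range size

class Game:
    def __init__(self, is_G0):
        self.is_G0 = is_G0
        self.seen = set()
        self.bad = False

    def query(self):
        y = random.randrange(N)
        if y in self.seen:
            self.bad = True  # from here on the two games may diverge
            if self.is_G0:   # only G0 resamples, avoiding the collision
                y = random.choice([v for v in range(N) if v not in self.seen])
        self.seen.add(y)
        return y
```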
First, we use Markov's inequality to limit the runtime. Because of what we do in the rest of the proof, we get to cut the runtime off at a better value than in our more generic use of Markov's inequality earlier. Next, we use our technical assumption together with this Markov bound to show that the probability of bad is at most roughly the expected value of the runtime raised to the d, divided by N. Next, to be able to cover both G0 and G1, we use our technical assumption again, together with the identical-until-bad property, to show that the expected values of Q1^d and Q0^d, that is, the d-th powers of the query counts in the two games, cannot differ by too much. Finally, we perform further technical calculations to massage this bound into the d-th-root form we wanted.

Now, this raises the question of how easy it is to establish the somewhat technical assumption we need in order to apply our results in different settings. We give some example applications, including the collision resistance and PRF security of a random oracle, and discrete-log security in the generic group model. The core trick in all of these applications is to rewrite the game G1 so that the view of the attacker is independent of whether bad has occurred. This rewriting allows us to use the various simple techniques from worst-case analysis to obtain the bound on the conditional probability of bad that our technical assumption requires.

That completes my discussion of the bad-flag analysis. Now we'll move on to our pointwise proximity result. Pointwise proximity is a special case of the H-coefficient technique. Here, again, we think of an attacker that interacts with one of two different games, G0 and G1, but in the H-coefficient technique we really hone in on the transcripts generated by these interactions. A transcript consists of the first query made by the attacker, followed by the response, then another query and another response, and so on. We separate these transcripts into two sets, a good set and a bad set, where these sets are defined in terms of the probabilities that transcripts are generated in the different games. In particular, by this probability I mean: if we fix the sequence of queries made by the attacker to match the transcript, what is the probability of the specified transcript in G1 or G0, respectively? The good set consists of those transcripts for which the ratio of this probability in G1 to that in G0 is at least 1 − ε(q), for some function ε, where q is the worst-case number of queries the attacker makes. The bad set consists of all other transcripts, and we need to show that the overall probability that a bad transcript is generated is bounded by some function δ. If these conditions hold, then we automatically obtain the result that the difference in the probabilities that the attacker outputs 1 when interacting with the two games is at most ε + δ. Pointwise proximity is a simplified special case of this in which all transcripts are good; in this case, a bound on the ratio of the transcript probabilities in the two games gives us a bound of just ε on the difference between the probabilities that 1 is output in the two games.
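Written out, the statement just described takes the following form, with p_{G_b}(τ) denoting the probability of transcript τ in game G_b once the attacker's queries are fixed:

```latex
% H-coefficient method: partition transcripts into good and bad sets.
\tau \in \mathcal{T}_{\mathrm{good}} \;\Longleftrightarrow\;
  \frac{p_{G_1}(\tau)}{p_{G_0}(\tau)} \;\ge\; 1 - \epsilon(q).
% If additionally \Pr[\tau \in \mathcal{T}_{\mathrm{bad}}] \le \delta, then
\bigl|\Pr[A^{G_1} \Rightarrow 1] - \Pr[A^{G_0} \Rightarrow 1]\bigr|
  \;\le\; \epsilon(q) + \delta.
% Pointwise proximity: \mathcal{T}_{\mathrm{bad}} = \emptyset, so the bound is \epsilon(q).
```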
Applications of this which have been shown in other works include the typical switching lemma, as well as the security of key-alternating ciphers and of the XOR cascade. When we move to the expected-time setting, we show a similar pointwise proximity result. Here, for our assumption, we assume that ε has the particular form q^d/N. If this holds for all transcripts, what we showed in our work is that we automatically obtain a bound on the difference in probabilities that 1 is output in the two games, of the form we expect. What this means is that worst-case analyses immediately carry over, without any additional analysis, as long as the ε bound used previously for pointwise proximity was of this q^d/N form. The proof of this result, again, is mainly technical calculations. At a high level, it combines the standard technique for proving that the H-coefficient method works with the expected-time bad-flag analysis techniques we were discussing earlier.

Now, finally, our last contribution was applying our expected-time results to obtain concrete security bounds for the soundness of proof systems. Here, we think of a prover interacting with a verifier, where both parties are given a statement to be proven and some public parameters, while the prover is additionally given a witness that the statement falls in some a priori specified language. After the interaction, the verifier outputs a decision bit indicating whether it believes that the statement was indeed in the language. The typical properties one considers for proof systems are soundness, completeness, and zero knowledge. Our focus is exclusively on soundness, which asks whether the verifier can be convinced of false statements. For the systems we care about, soundness is proved via a proof-of-knowledge property, namely that for any cheating prover P, there exists a witness extractor A of comparable efficiency, such that the probability that the prover convinces the verifier of a statement is comparable to the probability that A can find a witness for that statement. Here, we implicitly think of the statement as having been sampled according to some a priori specified distribution.

Our results obtain concrete bounds for the soundness of systems proved secure using the paradigm of Bootle et al. This paradigm is based on a forking lemma for multi-round public-coin protocols. Our techniques are useful here because the paradigm makes use of a witness extractor for which one only has expected-time guarantees. Moreover, in the process of our analysis, we introduce a new definitional framework, which helps to modularize and clarify the underlying proof.

Let's start by discussing forking lemmas. They were originally introduced for analyzing three-message public-coin protocols, that is, sigma protocols, where the prover sends a message m, the verifier responds with a challenge c, and then the prover provides a response r. These often satisfy a special-soundness property, which states that a witness can be extracted from two accepting transcripts with the same initial message but different challenges. Momentarily, it will be useful to think of these transcripts as having a tree structure, where the root node is labeled by the initial message, and the children are labeled by the subsequent challenges and responses.
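As a concrete illustration of special soundness, here is the extraction step for Schnorr's protocol, the canonical example (the talk doesn't fix a protocol; this choice, and the transcript encoding, are mine):

```python
# Special soundness for Schnorr's protocol: transcripts are (m, c, r) with
# m = g^k, and acceptance means g^r == m * X^c, where X = g^w is the statement.
def extract_witness(q, t1, t2):
    """Recover the witness w from two accepting transcripts that share the
    initial message but have different challenges. q is the group order."""
    (m1, c1, r1), (m2, c2, r2) = t1, t2
    assert m1 == m2 and c1 != c2
    # Dividing the two verification equations gives g^(r1-r2) = X^(c1-c2),
    # so w = (r1 - r2) / (c1 - c2) mod q.
    return (r1 - r2) * pow(c1 - c2, -1, q) % q
```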
Given such a protocol, there's a standard, traditional extraction technique for finding a witness from a cheating prover, which was originally used by Pointcheval and Stern. Here, the algorithm A runs the protocol once, obtaining a first transcript; then it rewinds the protocol to before the verifier has sent its challenge, and reruns it to obtain a second transcript with a new challenge and response. The forking lemma, as originally shown, establishes a square-root relationship between the probability that A succeeds in obtaining a witness and the probability that the cheating prover succeeds in convincing the verifier. This square root arises because we need both transcripts to be accepting. It's further straightforward to show that the runtime of this algorithm A is essentially just the time needed to run the protocol twice.

Now, if we try to generalize this to multi-round protocols, we instead assume that the witness can be extracted from a larger tree of transcripts of size N, where each path down the tree corresponds to a transcript of an interaction, and the height of the tree is the number of rounds in the protocol. The generalization of the typical worst-case extractor would then need to rewind N times, hoping that all of the transcripts it finds are accepting. This significantly degrades the success probability, since there are now so many transcripts that all need to be accepting.

To address this, Bootle et al. consider a new expected-time extractor. It succeeds with roughly the same probability that the cheating prover does, and in expectation has a runtime comparable to the worst-case algorithm's. Looking at it in the three-message setting, to see it more clearly: this extractor runs through the protocol once. If it gets a rejecting transcript, it just gives up. If it gets an accepting transcript, it continually runs the protocol over and over with the same initial message until it gets a second accepting transcript. Hence it always obtains a complete transcript tree whenever the first transcript it looked at was accepting, which is what gives us that the advantage of the cheating prover and the probability of algorithm A finding a witness are roughly equal. And the expected-runtime guarantee we get is that, in expectation, it takes approximately two executions of the protocol for this algorithm to find its tree.

Here, we can clearly see that we're looking at an expected-runtime algorithm, and our techniques are applicable to it in two different ways. First, something I've somewhat hand-waved away here is that we need to analyze the probability that challenges get repeated across different transcripts, which would make the extraction of a witness fail. Additionally, the protocols we looked at may actually be arguments of knowledge rather than proofs of knowledge, which corresponds to the fact that sometimes, rather than being able to extract a witness from our transcript tree, our algorithms will extract something that breaks an underlying problem assumed to be hard; say, the algorithm finds the discrete logarithm of some public parameter.
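To recap the expected-time extractor just described, here is a sketch of its control flow in the three-message case; the run_protocol oracle is a hypothetical stand-in for the rewinding access discussed next:

```python
# Sketch of the expected-time extraction strategy in the three-message case.
# `run_protocol(rewind=False)` is a hypothetical oracle standing in for one
# interaction of the cheating prover with the verifier; rewind=True means:
# reuse the same initial message but let the verifier pick a fresh challenge.
def expected_time_extract(run_protocol):
    first = run_protocol()
    if not first.accepting:
        return None          # rejecting first run: give up immediately
    while True:              # otherwise rewind until a second accepting run
        second = run_protocol(rewind=True)
        if second.accepting:
            # The analysis separately bounds the chance that the two
            # challenges collide, which would make extraction fail.
            return (first, second)

# If the prover convinces the verifier with probability eps, the first run is
# accepting with probability eps and the rewind loop then needs ~1/eps tries,
# so the expected number of protocol runs is 1 + eps * (1/eps) ~= 2.
```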
We introduce the notion of predicate-extended emulation, which is a generalization of witness-extended emulation, originally introduced by Lindell. This property consists of two different notions. The first is emulation. For emulation, we consider two worlds. In the first world, the attacker is given a transcript from a single interaction of a cheating prover with the true verifier. In the second, the transcript given to the attacker is instead chosen by an emulator. This emulator is given oracle access to the cheating prover interacting with the verifier, and this oracle allows it to rewind the interaction whenever it wants and then continue running from those points. The goal of the attacker is to distinguish which of these two worlds its transcript came from.

Predicate extension is now a single game in which we run the emulator with the same access we saw before, and the emulator outputs, in addition to the transcript, some auxiliary string aux. The game is parameterized by some predicate Π, and the attacker is successful, meaning the emulator has failed, if the transcript is accepting but the predicate rejects the auxiliary information. In isolation, either of these two properties is trivial to achieve; the goal is to achieve both simultaneously. As a specific example, for witness-extended emulation the predicate checks whether aux is a valid witness for the statement being proven. If we have emulation security, this implies that the transcript must be accepting with essentially the same probability as the success probability of the cheating prover; combining this with predicate extension, here witness extension, then implies that, with essentially the same probability, the output string aux is a valid witness.

The proof in the Bootle et al. framework then consists roughly of three steps. First, tree extraction: there is a generic expected-time technique for extracting a tree of transcripts given this oracle access to the cheating prover and verifier. We can express the properties we want of the tree as a predicate Π_tree, which checks that each path of the tree is accepting and that there are no collisions among the challenges at different branches of the tree. Next, in the extraction step, there needs to be some extractor which, given such a tree, can extract a witness for the statement. If the system is an argument rather than a proof of knowledge, this extractor may sometimes instead extract some string y satisfying a different property. We can express this by saying that whenever the tree satisfies the predicate Π_tree, the aux output by the extractor must satisfy one of two predicates: the first checking for a valid witness, the second checking for a break of some computational hardness property. Finally, the third step of the proof is simply to observe that, generically, witness-extended emulation, which follows from tree emulation and extraction of the form we discussed, implies soundness. Steps one and three are generic steps which work for any proof system; step two is specific to the proof system, namely that such an extractor exists.
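As a rough sketch of the predicate-extended extraction game described above (the emulator and predicate interfaces here are hypothetical simplifications of the formal definitions):

```python
# Minimal sketch of the predicate-extension game. `emulator` gets rewinding
# oracle access and returns a transcript plus an auxiliary string; `predicate`
# is the parameter Pi of the game. All names are illustrative stand-ins.
def predicate_extension_game(emulator, prover_verifier_oracle, predicate):
    transcript, aux = emulator(prover_verifier_oracle)
    # The emulator fails (the attacker wins) when it produces an accepting
    # transcript whose auxiliary information the predicate rejects.
    return transcript.accepting and not predicate(aux)

# For witness-extended emulation, predicate(aux) checks that aux is a valid
# witness; for the tree-extraction step it is Pi_tree, checking accepting
# paths and the absence of challenge collisions.
```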
Breaking down these steps more formally, steps one and two consist of a forking lemma, in our framing of it, which says that if there is an extractor mapping Π_tree to Π_wit or Π* for some predicate Π*, then there is an expected-time emulator which has perfect emulation security and whose probability of failing to extract a witness is bounded by the probability of extracting a break of Π*, plus a term of 5μN/√(2^p). The latter term bounds the probability of a collision in our tree of transcripts, and it is here that we applied our expected-time analysis techniques. Then, step three, that witness-extended emulation implies soundness, is just a generic statement which can be proven, bounding the soundness in terms of these other terms.

These steps give concrete security bounds for protocols which follow the Bootle et al. framework, in particular Bulletproofs, Hyrax, and Supersonic, to give some examples. We gave a more concrete bound for Bulletproofs, in which the predicate Π* checks for discrete logarithms of the public parameters in the aux string. We can then apply our expected-time bound for discrete logarithms in the generic group model to get a concrete bound of q times m cubed over the square root of the group size, where q is the number of generic-group queries made by the cheating prover, and m is the number of multiplication gates in the circuit. Taking somewhat typical parameters for the group and a modest circuit size, what we obtain is a security level of about 2^64 local computations of the group operation, which is not as high as we would necessarily hope it to be. This raises the question of whether the bound can be improved using a different proof flow, perhaps giving a better dependence on the size of the circuit. A partial answer was given by Ghoshal and Tessaro in a recent ePrint paper, where they did their analysis directly in the algebraic group model, as opposed to our analysis, which first did a standard-model analysis and then applied a generic-group bound; they obtained a better bound on the security of Bulletproofs.
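To see where that figure comes from, here is the back-of-the-envelope arithmetic; the 256-bit group and the circuit size of about 2^21 multiplication gates are assumptions of mine, chosen to roughly reproduce the number quoted above:

```python
import math

# Security level implied by the Bulletproofs bound q * m^3 / sqrt(|G|):
# advantage ~1 is reached when q ~= sqrt(group_size) / m^3.
group_size = 2 ** 256   # assumed: a typical 256-bit group
m = 2 ** 21             # assumed: ~2 million multiplication gates

security_level = math.sqrt(group_size) / m ** 3
print(f"security level ~ 2^{math.log2(security_level):.0f} group operations")
# With these assumed parameters this prints roughly 2^65, on the order of
# the 2^64 figure quoted in the talk.
```

With that, I've reached the end of my talk. Thank you for your attention, and have a nice day.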