Hi, I'm Sogol Mazaheri and I'm presenting the paper "Towards Defeating Backdoored Random Oracles: Indifferentiability with Bounded Adaptivity". This is joint work with Yevgeniy Dodis, Pooya Farshim and Stefano Tessaro. Thanks for tuning in and I hope you enjoy the talk. A cryptographic hash function is quite simply a function which takes an arbitrary input and computes a usually shorter output. From a good hash function, we often expect security properties such as one-wayness, collision resistance, or maybe that the outputs look random. Hash functions are very useful and versatile. They are used in realizing many applications such as message authentication, key derivation, protecting passwords, providing proofs of work, and so on. But now imagine a scenario where no hash function can really be trusted. They may all have weaknesses that we're not aware of yet, or, what is worse, they may secretly be backdoored. In other words, suppose all hash functions are designed in a way that they can be covertly broken by their malicious designers, a big-brother adversary. So this threat is modeled by backdoored random oracles, or BROs, a model which was recently introduced by Bauer, Farshim, and myself in a paper called "Combiners for Backdoored Random Oracles". Our new results in this paper also rely on the BRO model. So let me tell you a little bit more about it first. In the BRO model, a hash function is basically a random oracle, which means a perfectly random function. But to capture backdoors, we assume that such a hash function, H, is designed by a malicious authority together with another interface, which is an adversarial interface called the backdoor oracle. This backdoor oracle can be queried on functions f, and it returns the output of f on the entire description of the hash function H. In the BRO model, the adversaries have adaptive and unrestricted access to both of these interfaces. So the adversary can query the random oracle H, and also its backdoor oracle BD_H.
Let's take a closer look at this backdoor oracle to see how it can be used to break the hash function. Well, it can be used, for instance, to compute collisions, where the adversary can hardcode some value y in the query and have the backdoor oracle find some preimage for it. The adversary can even ask for a special kind of preimage, for instance one that starts with a bunch of zeros. But now, if we don't want to make any kind of assumption about the type of backdoor capabilities that the adversary has, we can pessimistically assume that this backdoor oracle can be queried on basically any function f, upon which it would output f of the entire hash function table H. But then we have a problem on our hands, namely that no security is going to be possible if all we have is a hash function that is backdoored in such a very strong sense. It was observed in the 2018 paper that security can be re-established by combining backdoored hash functions. So suppose we don't have just one backdoored random oracle, H, but also a second one, G, which is backdoored, but independently from H. The original paper included an analysis of the XOR combiner, which simply computes H(x) XOR G(x) on any input x. There, the security of the XOR combiner was analyzed in a setting where adversaries have access to not just one of the backdoor oracles, but actually to both of the backdoor oracles. A bit more precisely, what the original paper proved for the XOR combiner was that it is one-way, pseudorandom, and also conjecturally collision-resistant, even against adversaries that can access both backdoor oracles. Just to give you an idea about their proofs, for one-wayness, it turns out that finding a preimage under the combiner is as hard as solving the set intersection problem. We know that the set intersection problem is hard, meaning that it has a high communication complexity for large random sets. So we obtain that the XOR combiner is one-way.
Now, coming to the contributions of our paper here: what if we want security that goes beyond one-wayness, pseudorandomness, and collision resistance? So we take a different and more general path and ask the following question. Can the combination of two BROs, for instance with the XOR combiner, actually behave like a backdoor-free random oracle? What we strive for here is the notion of indifferentiability, which could actually imply other single-stage games such as one-wayness, pseudorandomness, and collision resistance. Let me give a more precise definition of indifferentiability. We ultimately want our combiner to look like a backdoor-free random oracle, but in the real setting the adversary of course has access to the underlying honest interfaces, and not just that, but also to the backdoor oracles. So on the right-hand side, clearly we're missing some interfaces. Indifferentiability therefore requires the existence of a simulator such that, with the help of the random oracle RO, the simulator can simulate the extra interfaces for the adversary. The goal for us was then to show the existence of a simulator such that the adversary's interaction with the interfaces on the left-hand side looks like an interaction with the interfaces on the right-hand side. Achieving this goal, however, is very challenging, and we could only prove this with some restriction on the adaptivity of the queries that the adversary is allowed to make, namely as long as the adversary's queries do not switch back and forth between the backdoor oracles more than a logarithmic number of times, logarithmic in the size of the inputs to the combiner. An important observation that we made was that this restriction still captures the setting where the adversary makes, in the very beginning, one query to the backdoor oracle of H and another to the backdoor oracle of G, which can also be understood as independent auxiliary input about the two BROs.
This means that the XOR combiner is indifferentiable with independent auxiliary input. I skip details here and refer you to the paper for our definition and results for auxiliary-input indifferentiability. OK, now let's look at the proof of indifferentiability of XOR with bounded adaptivity and see what our simulator looks like. Let's start simple and consider simulating H for now, without the backdoor oracle. Simulating G is analogous. On the left-hand side, on an input x, the outputs of the underlying hash functions are simply given as H(x) and G(x). The combiner's output is of course consistent with them: its output on x is H(x) XOR G(x). On the right-hand side the situation is a bit more complex, and we have to actively ensure this kind of consistency with the random oracle. If the simulated H returns some value y on x, and the random oracle, which is simply a random function, returns RO(x), then the simulated G on input x has to be set to y XOR RO(x) in order to ensure consistency with the hash function H and the random oracle RO. In other words, in the lists of assignments that define the simulated H and the simulated G, images are lazily sampled in a way that aligned values are always fixed. If, say, H(8) is set to some value y, then G(8) is immediately set to y XOR RO(8). Let's take a look at simulating the backdoor oracle for H now. The case of G is again analogous. The real backdoor oracle on the left can simply output f(H) on input a function f. How does the simulation work? Very roughly speaking, this is how. A function H is first sampled in a way that it is consistent with past queries, and then the queried function f is computed on the entire hash function H. Then the simulator basically needs to figure out which points in H are effectively revealed to the adversary because of this backdoor response. Then all such points (x, y) are fixed in H, and also for G they are set to y XOR RO(x).
Then we update the distribution of H given the backdoor response, in order to be able to answer future backdoor queries. So it remains to figure out which points are revealed and how to update the distribution of H. So consider again the long list of assignments in each simulated hash function. We rely on a lemma which tells us that the i-th backdoor response f(H) leaks a lot of information only about a limited number of points in H. This tells us that the min-entropy of a bunch of points drops by a lot, and the simulator has to fix, say, p_i points, which we do for H, and then for G we XOR the images of H with those of the random oracle RO. But another thing that the lemma tells us is that a little bit of information is also leaked through the backdoor response about the rest of H. So the rest of H is not completely unknown. Notice the light blue color in the remaining cells. More formally, we have that the min-entropy of the remaining cells, the light blue ones, and basically any combination of them, drops by some delta_i compared to the full entropy, which is the length of such images. This property is referred to as (1 - delta_i)-density of a distribution. And it is important that we don't just assume that these points are uniformly random instead of (1 - delta_i)-dense, since future backdoor queries can potentially see the entire hash function and would notice a change. This lemma that we used is a refined variant of an existing lemma from communication complexity by Göös et al. The number of points that need to be fixed after a backdoor query is potentially very large; they can even be exponentially many, especially if the starting distribution is (1 - delta_i)-dense and not uniform, which may already be the case after the first backdoor query. So let me emphasize that improving this lemma could considerably improve our security bounds. So, as I mentioned, we get indifferentiability with bounded adaptivity, and I'm going to give an intuition of why that is.
Suppose a bunch of backdoor queries are made and this is the distribution of the simulated H that we ended up with. Now we want to fix the same points for G, but notice that the distribution of G may not be uniform. So when we fix these points for G by setting them to the image H(x) XOR RO(x), we are setting p_i new points to uniformly random in a distribution that is not uniformly random; it is (1 - delta_{i-1})-dense. And roughly speaking, each time we do this, it adds to the advantage of the adversary some term p_i times delta_{i-1}, which is the distance of p_i dense points from uniform. And of course we want the advantage to be small to get security, and with the inequality that you see here on the right side between the deltas and the p_i's (the values of capital A and B are not important here), after solving some system of linear equations, and on the other side assuming a non-trivial number of queries that the simulator is allowed to make, which of course has to be smaller than N, the size of the entire domain of the random oracles, we end up getting bounded adaptivity. So overall this is again the theorem that we obtain for XOR, which shows the existence of a simulator such that the real setting on the left and the simulated setting on the right are indistinguishable to those adversaries that make up to a logarithmic number of switches between the backdoor oracles. To summarize the talk, we studied the question of providing random oracle indifferentiability by means of combiners in a world where all hash functions are covertly backdoored. We provide positive results in the backdoored random oracle model, and in particular proved indifferentiability of XOR with respect to adversaries with logarithmic adaptivity when combining two backdoored random oracles. What we also have in the paper is a study of a different, improved combiner of three backdoored random oracles.
This combiner is a 2-out-of-3-source extractor and can interestingly tolerate up to a linear number of switches between the backdoor oracles. So this shows that the type of combiner and also the number of available BROs can have a significant effect on the security we get in this setting. Also, since auxiliary input is captured by a single initial backdoor query, indifferentiability in the BRO model implies indifferentiability with independent auxiliary input. I refer you to the paper for definitions and feasibility results for XOR and also a salted variant. An obvious open question is then to study unbounded adaptivity. This could potentially be achieved by improving the lemma that I talked about, such that the simulator would fix considerably fewer points, or maybe by considering different kinds of combiners. Thank you very much for listening.
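The following toy model is an added illustration of the objects in the talk and is not code from the speaker or the paper. It materialises two backdoored random oracles over a tiny 6-bit domain (an assumption chosen so that whole tables fit in memory), shows the one-query preimage attack on a lone BRO, the XOR combiner, and the simulator's lazy-sampling rule that H(x) XOR G(x) must equal RO(x) at every point, including points fixed because a backdoor response revealed them. One deliberate simplification, not in the paper: in place of the density lemma that decides which points a response f(H) "effectively reveals", the simulator here records which table cells f actually reads and fixes exactly those; the paper's f is an arbitrary function of the whole table, so no such read set exists there and the lemma is needed.

```python
import random
from typing import Callable, Dict, List, Set

N_BITS = 6                 # toy size (assumption): 2**6 = 64 domain points, 6-bit outputs
SIZE = 1 << N_BITS


class LazyRO:
    """A plain, backdoor-free random oracle, sampled lazily on demand."""
    def __init__(self, rng: random.Random):
        self.rng, self.table = rng, {}

    def __call__(self, x: int) -> int:
        if x not in self.table:
            self.table[x] = self.rng.getrandbits(N_BITS)
        return self.table[x]


class BRO:
    """Backdoored random oracle: a random table plus BD(f) = f(entire table)."""
    def __init__(self, rng: random.Random):
        self.table: List[int] = [rng.getrandbits(N_BITS) for _ in range(SIZE)]

    def __call__(self, x: int) -> int:
        return self.table[x]

    def backdoor(self, f: Callable) -> object:
        return f(list(self.table))       # the adversary's f sees the whole function


def preimage_query(y: int) -> Callable:
    """The adversary's f: hardcode y and have the backdoor oracle return a preimage of it."""
    return lambda t: next((x for x, v in enumerate(t) if v == y), None)


def xor_combiner(h: Callable[[int], int], g: Callable[[int], int]) -> Callable[[int], int]:
    return lambda x: h(x) ^ g(x)


class RecordingTable:
    """Table view handed to f by the simulator; records which cells f actually reads."""
    def __init__(self, table: List[int]):
        self._t, self.read = table, set()   # type: List[int], Set[int]

    def __getitem__(self, x: int) -> int:
        self.read.add(x)
        return self._t[x]

    def __iter__(self):
        for x in range(len(self._t)):
            yield self[x]


class XorSimulator:
    """Simulates H, G, BD_H, BD_G from RO alone, keeping H(x) ^ G(x) == RO(x) at all times."""
    def __init__(self, ro: LazyRO, rng: random.Random):
        self.ro, self.rng = ro, rng
        self.H: Dict[int, int] = {}
        self.G: Dict[int, int] = {}

    def _fix(self, own: Dict[int, int], other: Dict[int, int], x: int, y: int) -> None:
        own[x] = y
        other[x] = y ^ self.ro(x)          # the aligned value is fixed immediately

    def query_h(self, x: int) -> int:
        if x not in self.H:
            self._fix(self.H, self.G, x, self.rng.getrandbits(N_BITS))
        return self.H[x]

    def query_g(self, x: int) -> int:
        if x not in self.G:
            self._fix(self.G, self.H, x, self.rng.getrandbits(N_BITS))
        return self.G[x]

    def _backdoor(self, own: Dict[int, int], other: Dict[int, int], f: Callable) -> object:
        # 1. sample a full table consistent with every point fixed so far
        table = [own[x] if x in own else self.rng.getrandbits(N_BITS) for x in range(SIZE)]
        rec = RecordingTable(table)
        out = f(rec)                        # 2. evaluate f on the whole sampled table
        # 3. toy stand-in for the paper's density lemma (assumption): every cell f read
        #    counts as revealed, so fix it here and align the partner oracle with RO
        for x in rec.read:
            self._fix(own, other, x, table[x])
        return out

    def backdoor_h(self, f: Callable) -> object:
        return self._backdoor(self.H, self.G, f)

    def backdoor_g(self, f: Callable) -> object:
        return self._backdoor(self.G, self.H, f)


def simulated_world_consistent(sim: XorSimulator) -> bool:
    """The invariant the simulator must keep: H ^ G equals RO on the entire domain."""
    return all(sim.query_h(x) ^ sim.query_g(x) == sim.ro(x) for x in range(SIZE))


def demo(seed: int = 7) -> dict:
    rng = random.Random(seed)
    h, g = BRO(rng), BRO(rng)               # real world: two independently backdoored ROs
    combiner = xor_combiner(h, g)
    y = h(5)
    x = h.backdoor(preimage_query(y))       # one backdoor query inverts a lone BRO
    sim = XorSimulator(LazyRO(rng), rng)    # ideal world: RO plus the simulator
    sim.query_h(3)
    sim.query_g(9)
    t = sim.ro(17) ^ sim.query_g(17)        # the value the simulated H is now committed to at 17
    x2 = sim.backdoor_h(preimage_query(t))  # a later backdoor query must agree with that commitment
    return {"single_bro_inverted": h(x) == y,
            "real_combiner_consistent": all(combiner(i) == h(i) ^ g(i) for i in range(SIZE)),
            "sim_backdoor_consistent": x2 is not None and sim.query_h(x2) == t,
            "sim_invariant": simulated_world_consistent(sim)}
```

Running demo() exercises both worlds: the real side shows why a single BRO offers no one-wayness at all, and the simulated side shows the bookkeeping from the talk, where every point that a backdoor answer pins down in H is immediately mirrored in G as H(x) XOR RO(x) so that later honest or backdoor queries cannot catch the simulator out.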