 So that's okay. Okay, so thanks for the introduction, Dario. And so this talk is once again a talk about pseudo-random function. And this is a joint work with Michelabbe Data and Fabrice Benhamouda. So pseudo-random function were introduced by Gerard Gaudvasser and Mikali in 1986. And so this is one of the most fundamental primitive in cryptography and probably also one of the simplest. So pseudo-random function is simply a keyed function from a domain D to a range R, which is efficiently computable and which is indistinguishable from a random function from D to R. So the construction by the first construction given by Gerard Gaudvasser et al was very elegant but was a bit inefficient and not very efficient. And in 1997, Naren Grigl proposed the first number of theoretic pseudo-random function based on the DH assumption. And the construction is the following. So you have a key space which is Zp to the N, an input which is a bit string of range N and the range is a cyclic primordial group of order P. And the output of the total-random function with the key A and an input X is simply the exponentization of a random generator to the product of the A i subject X i is equal to one. So to ease the notation a bit, I'm gonna use the following notation. So when I write something into bracket, this means that this is a random generator G raised to the power of what is in the bracket. So if we look a bit more carefully to the Naren Grigl pseudo-random function, what we can see actually is that this is just the evaluation of multivariate polynomials which depends on the input X and on the points which is the key A. So actually, if you look a bit at the construction also, the fact that we can see is that this family of polynomials is a family of independent polynomials. And the other fact is that actually if we look at order construction, so that's the bonnet or construction and also the decorator's construction for instance, then these constructions have also the same kind of structure. So the question we address in this paper is the following. Given a function which is defined as, whose outputs are defined as the evaluation of multivariate polynomials on the key A, then is this function a pseudo-random function if and only if the family of multivariate polynomials is a family of linearly independent multivariate polynomials? A multivariate polynomial, sorry. So this is a question and of course the question is on which assumption do we base the security because this is clearly true in the generic group model so what we want to show is that this is actually true under standard assumption. So this is the question we address and so I'm gonna explain a bit why we are interesting in such kind of equivalence and I'm gonna explain the high-level idea of the proof and after I'm gonna give some application and also show a new algebraic framework for reticule security. Okay, so let's start with the motivations. So the first motivation, which is pretty obvious and which is already what I said almost, is that if we define a function which as I already explained, then this is a pseudo-random function if and only if the family of polynomials which is associated to the outputs of the function is a family of linearly independent polynomials. So for instance, if we look at the narrow angle PRF to prove the security, it's sufficient to just that the corresponding family of polynomials are linearly independent. So this is very, very, very simple, this is just one line. So this is the first motivation but I think the more interesting motivation is the following, this is for reticule security and so reticule security are an extension of the standard security notion, security model, where the adversary is a bit more powerful in the sense that the adversary can not only query the pseudo-random function with adaptive inputs queries but also can modify the key by applying function to the key. And so it was formalized by Bellara and Kono in 2003 and in 2003 they also, in the same papers, they also proved that it's impossible to build pseudo-random function that are secure against an adversary that can apply any function to the key. So the goal in reticule security is the following. We want to build constructions that are secure for the adversary which is the most powerful possible, so for the largest possible classes but we know that it's not possible for any class, for any function. So why is this equivalence is now interesting for proving reticule security for pseudo-random function? If we consider pseudo-random function which is defined as already introduced by a family of multivariate polynomials and if the function that the adversary can apply to the key are also multivariate polynomials, then the outputs of these queries with reticule keys and input chosen by the adversary are just the group element with this critical algorithm is the evaluation of px composed with phi on the key a. And what happens is that this value is indistinguishable from a random group element if and only if the corresponding family of multivariate polynomials is a family of linearly independent multivariate polynomials. Okay, so using this we can prove some new results. I'm gonna go back on this later but we can not only just obtain all the results that was obtained before in reticule security for this kind of pseudo-random function but also we can create new construction for new classes. For instance, the classes where the adversary is able to permute component of the key. Okay, so this was for the motivation and now let's go back to this equivalence. So the first thing I'm gonna show is maybe the most simple way of this equivalence is that for having an pseudo-random function defined as follows, it is necessary that the polynomials are linearly independent. So we can do this by contradiction. This is pretty simple. Let's let us assume that there is a relation between the polynomials that define the output of the pseudo-random function. Then this relation carries on in the real world while it does not in the random world. So this is clearly a necessary condition. So the sense that is maybe more interesting and more surprising is the fact that this is actually a sufficient condition to obtain a pseudo-random function and the standard assumption. So how do we prove this in the paper? We introduce the following new security notion which we call leap security notion which well, leap stands for linearly independent polynomial security. And the this security notion is defined by the two following words. In both worlds, the adversary is able to query an oracle with a linearly independent multivariate polynomials. And in the real world, the adversary gets the group element with discreet algorithm is the evaluation of the multivariate polynomial in A while in the random world, the adversary just gets from the group elements. And so what we prove in the paper is actually that these two words are computationally indistinguishable under standard assumption. So for this talk, I'm gonna focus on the simplest case, I'd say, so I'm gonna assume that the adversary makes linearly independent multivariate polynomial query but the polynomials are multilinear so they are the degree at most one in each determinant. And what I'm gonna prove is that these two words in this case are indistinguishable under the DDH assumption. Okay, so I'm gonna start with a very simple case. I'm gonna assume that the number of the key length is three so there is a three in the terminates and I'm gonna just assume that the adversary makes queries which are monomials so this is actually exactly the family of polynomials which define the narangal pseudonym function. And then we can see the evaluation of these polynomials, these monomials as a path through a binary tree where the root of the tree is a random generator and if xi is equal to i at level i, you go on the right and you raise the generator to ai and if xi is equal to zero, you don't change the value so you do this for each level and at the end you get the leaves which corresponds to the evaluation of all the monomials. Okay, so for instance for monomial t1 times t3 you go on the left, on the right at the beginning because xi is equal to one, on the left and on the right. Okay, so what I'm gonna show, what I want to show is that the leaves are indistinguishable from random group elements. So this is once again exactly what is done in the proof of security of narangal. So what we are going to do is we do some hybrid proof and we are going to change the level of this tree by random group elements. So the first level, the root and the first level are clearly indistinguishable from random value because the generator is random and a1 is random so I'm gonna put in orange the values which are random and in green which are the value which are computed as correctly. And so now we want to change the second level of the tree. So we get three values which are already completely random. The generator, the a2 and alpha and the only value which is not random is the last one which is alpha times a2 and this is actually exactly saying that this is indistinguishable from a random value is just the dh assumption. So clearly the second level is also indistinguishable from random and for the last level we do once again the same thing but now we have three dh tuple, beta times a3, alpha times a3 and gamma times a3 and this indistinguishable under the dh assumption using the random self-reducibility. So this perfectly works. So what we just show is that these evaluation of monomials are indistinguishable from random group elements under the dh assumption. So how do we use this to prove the general case? If we, to simulate a multinational polynomial now we just expand this multinational polynomial by just expand everything and we replace all the monomials by the corresponding monomial and this is indistinguishable under the dh assumption from the computation where everything is random and because the polynomial queried by the adversary are linearly independent the value are indistinguishable from true random value. So this works perfectly. The problem is that to expand and compute the polynomial, to simulate the polynomials, you have to simulate up to two to the n monomials because you have to put up to two to the n monomials for melting in our polynomials and then you get an exponential time reduction. So this is not how we do in the paper but I don't have the time to explain how do we do in the paper. The main idea is to be lazy, we use lazy simulation and I think this is the most interesting part of the paper but I don't have the time to present it. So what I just explained is that these two words are indistinguishable under the dh assumption if the polynomials queried are multiliner and actually in the paper we prove a bit more than this. We prove that much more than this actually. The polynomials don't have to be a multiliner, they can be any degree and we also prove this if the key is not only just a vector in zp to the n but a vector also of matrices which allows us to end the cases of pseudo-random function such that the d-in-based pseudo-random function or the k-in-based pseudo-random function. And once again we get a polynomial time proof. Okay, so what about the application of this statement? So once again we get the basic application to show very simple proofs for pseudo-random function and we get the application to prove the related key security for pseudo-random function. But so the equivalence I've written here is actually a very strong, the condition that px composed with phi is a family of finale independent polynomials is actually a very strong condition. Why is that? If we look for instance at the following very simple class of function where the adversary is able to add any constant to any component of the key and if we consider the narrow angle to the random function then this condition is actually not true. There is a relation with for instance just three queries. So actually this condition allows us to prove security for very simple classes but not for not so complicated classes already. So the idea to overcome this issue is to use the same kind of idea that was used by Blair and Cash in 2010 and the idea is that actually this pseudo-random function for this kind of classes is actually secure if the adversary is unique input meaning that if the adversary is not able to query twice the same input x even with different key deriving function then this construction is already secure. So the solution to build a retickey security to build a retickey secure pseudo-random function is to force the adversary to be unique input. So how do we do this? The interest shown to do this is the following instead of compute when the adversary queries an input x instead of computing the outputs using this input x we use a new input which is computed as the h value of a collision resistant hash function whose inputs are the key a and the input x and what does this change? The thing is that if the adversary makes a new input so is there the function change or the input change? So is there the key change or the input change so a or x will change? And so the output of the hash function will be different. So the values which are outputs are always computed using a different input. So the thing is that if we use directly this construction it's not really clear how to prove anything because a is not known so we don't really know how to compute the hash values because we don't know a. So this was already something that has been overcome in the paper about Bellar and Cache in 2010 and the idea was to use something called the key fingerprint which is a set of inputs such that the output of the observable function uniquely define the key but here we can do something which is much more simple instead of using the key a as input of the hash function what we can do is use the group elements with discreet logarithm are the component of the key so the group element with discreet logarithm is a one until the group element with discreet logarithm is a n and the thing which is really nice is that actually using this we can reduce the security directly to the leap security notion which is the new security we have introduced. So the proof is actually very simple. If we want to simulate a query to give to the adversary we just query all the polynomials t1 and tn to get the input of the hash function we compute the hash value then we query the polynomial corresponding to the output of the function and what happens now is that these outputs are indistinguishable from random outputs if and only if the corresponding polynomials are linearly independent but now the family is much smaller because the inputs are always distinct and this is actually very simple to design sort of random function which are now rated key secure using this framework. So let me conclude with this. So in this paper we define a new algebraic framework for pseudo-random function and for rated key secure pseudo-random function and it has the properties to unify most of the existing number of heuristic based constructions and it simplifies a lot the proof for pseudo-random function but also and especially for rated key security and using this we are able to design new construction and we obtain