Thank you for the introduction. We're going to talk about the iterated random permutation problem. There will be a small application to cascade encryption, so in that sense it is the same as the previous talk, and it is straightforward: basically I'm going to say what the iterated problem is and then basically solve it, and there will be a main theorem and a matching attack. So let's start with a simple question. Assume that you are slightly paranoid and you don't want to use AES as is, so you would like to increase the security in perhaps the simplest way possible, by composing it with itself with the same key. So we are assuming you don't want to actually use more entropy, so it's just a single key, and these are black-box things of course, so you don't need to worry about changing the key schedule and the effect that would have. The simple question I was mentioning is: assuming AES is secure by itself, is this actually secure? You would expect that it is, but can you prove it and have a bound, and actually how tight would that be? First of all, I have to say what I mean by secure. By security we mean the standard definition of strong pseudorandomness: you have a distinguisher that is trying to distinguish your construction from a random permutation, and this adversary is adaptive and also two-sided. Adaptive means every query he makes can depend on the output of previous queries. The adaptive part is actually important, because if the adversary is not adaptive this problem becomes trivial.
It's not interesting. This problem is naturally related to cascade encryption. Cascade encryption is the case where you iterate the cipher but actually use independent keys for each cipher. This case is well studied, and it's really interesting because in this case you can actually amplify the security. This means that the security of the whole construction would actually be better than that of a single block cipher, and this is a really, really interesting topic, and it has actually been proven in several settings, not just information-theoretic but also computational. But what we are interested in here is the case where the key is the same every time, and in this case, as far as I know, there is basically nothing known. Well, you would quite naturally expect that in this setting you can't hope that this is going to increase security, that there will be security amplification, because this would be a bit magical. And indeed there is a simple counterexample: take the function that you iterate, the block cipher, to be just Even-Mansour (you've heard about it yesterday): you take a random permutation and then you XOR in a fixed key on each side. If you do that, then in the square, of course, the middle part here cancels out, and so you end up with the same construction except we have a squared permutation in the middle. Actually, the best attack against the Even-Mansour construction doesn't really use the fact that it's a random permutation in the middle; you don't really need that. So if the inner permutation is random and the best attack is generic, then the same attack would work here, and so the advantage of the adversary would be the same in both cases. So in this case there is no security amplification. So we can't hope to prove security amplification, but what we're going to show is much more modest.
We're just going to show that there is basically no loss, so there is very little loss of security when you do this construction. Heuristically you hope that it's going to counter a lot of attacks, that it's going to make a lot of attacks more difficult, but in the theoretical setting what you can show is that the security loss is very small. So in general here we're going to think of r, the number of rounds, as being constant, N is the size of the message space and q is the number of queries. You can see that basically the security loss is proportional to the portion of the message space that you have queried. The two terms here can be explained very naturally, because when you measure the advantage of the adversary here, you are basically measuring the statistical distance between your block cipher, say, and a random permutation, if you forget the time component. This term is actually the distance between the r-th power of your block cipher and a random permutation, so it's this distance. This distance can be expressed very naturally in terms of this one, since when you have access to E you have access as well to E^r, because you're adaptive: if you want to query E^r, you would query E r times along a chain, and that would give you the answer of E^r. So any adversary who is trying to attack this can be lifted to an adversary who attacks this, at the cost of multiplying the queries by r. So of course this is bounded by this advantage, at the cost of multiplying the number of queries by r. And so if you want to bound this distance, then you have this term here, and then the other term would be the distance between a random permutation and the r-th power of a random permutation, which is the other term that you see here. This is actually what we decided to call the iterated random permutation problem. So basically, how many queries do you need to
distinguish a random permutation from the r-th power of a random permutation? This is a very natural problem. It's perhaps surprising that it wasn't really tackled as is before. It does show up in several places; actually it was asked as an open problem in the Even-Mansour paper by Chen, Seurin and Steinberger at CRYPTO here last year, and it was also studied previously in a few other places. For example, in this paper they try to lower bound it, so they take it from the other side: they present an attack that distinguishes P from P^r. Now, just to give you a little more idea about what this problem is like, you have to think of it as a problem about the cycle structure of the permutation, because actually the names of the points do not matter; all that matters, when you try to compare P to P^r, are the lengths of the cycles. For instance, if you're trying to compare P and P^2, the effect that squaring P has on the lengths of the cycles is that an odd cycle remains the same: if you have an odd cycle and you're making jumps by two in that cycle, you still have a cycle of the same length. Whereas if the cycle has an even length, then it's going to be split into two smaller cycles of equal size. So this is the effect of squaring, and so the problem that we're really asking is: you have these two distributions of cycle lengths, basically, and how many queries do you need to distinguish them? As you could already deduce from what I said before, we show as our main result that the advantage here can be bounded by a simple expression. Again, we consider r to be constant, basically, so this says that it's really hard, as you would expect, to distinguish the r-th power of a random permutation from a random permutation. And actually we also have a matching attack. Matching here is again for constant r: this is proportional to the proportion of the message space you
have queried, and this term as well is negligible. So what we really show here is that the advantage of the best adversary trying to distinguish P from P^r is a Theta of q/N. To make it a little bit more concrete, if you were interested in the case of P versus P^2, as in the simple question I asked at the beginning, then you have bounded this pretty tightly, because you know the advantage of the best adversary is going to be somewhere between one half of q/N and five times q/N. So it's pretty tight. So now, here's the core result. Of course I'm going to give you an idea about how we prove this, because actually the proof is nice. You don't need... maybe it's like a trick of combining elementary results, and, well, I think it's really nice. So the general idea is that we have two games, right: the game where you have access to the permutation and the game where you have access to the r-th power of the permutation. And now we are going to introduce two more games, G_C and G_{C^r}, where C (I forgot to write it) is a permutation with a single cycle, so C is taken from the set of permutations with a single cycle, and C^r is the r-th power of that. So we introduce these two new games, and the idea is that we're going to reduce the question of measuring the distance between P and P^r to the question of measuring the distance between C and C^r. The nice thing about that is that every distance here can be bounded very simply: this is less than q/N, rq/N and rq/N, and you can see from here that we get this term. So let's start with the first term here: how do you get the distance from P, a random permutation, to a permutation with a single cycle?
To see this you have to look at the lazy sampling version of this game. This means that, when you have access to a game that gives you access to a permutation, what the oracle normally does is pick a uniformly random permutation and then give you access to that. But instead of doing that, and equivalently, you can just compute the answer to each query on the fly. So this would mean that, if this is the view of the person who is calling the oracle, and the dots here are the points of the permutation, and assume you have made, say, three queries, which are represented here by the black arrows, and you're querying a new point, then the oracle can compute the answer to that point on the fly simply by picking uniformly at random among the points here, except of course the points that are already answers to other queries. In the end, if the oracle does this, it gives you a uniformly random permutation. Now, if you do the same thing with a single cycle, then it's actually exactly the same, except there is one unique extra point that is forbidden, which is the unique point that would create a cycle if it were the answer to that query. What you can see when you compare these two situations is that the only difference is that there is one extra forbidden point, which means basically that this point has essentially only a chance of 1/N of being picked here, and so naturally the distance is less than q/N. Okay, so we have the first term here. Let's look at this one, and this one can be deduced immediately from the previous one, because it's the same trick we saw before: having access to E gives you access to E^r by multiplying the queries by r, and it's exactly the same here; we'll notice it is simply P and C. So we can bound the distance between C^r and P^r just by multiplying by r, and so we get this other term. And so now we are done with the reduction, right?
We have reduced our problem from P to P^r, but not really reduced, because we just give upper bounds, but still we've reduced this problem to the distributions C and C^r. Now, first of all, recall that C has a single cycle. Suppose that N and r are coprime; then C^r also has a single cycle. Okay, so under that hypothesis C^r is actually the same thing as C, the same distribution, and so in that case the advantage would be zero, and in that case we're already done, right? We already have the bound. In the more general case, C has a single cycle, and if we let d be the GCD of N and r, then C^r has d cycles. And so we are trying to bound the distance between these two things. Well, ideally we would want something that is close to that as a bound. There are several ways to do it, but if you do it right you get that bound, and how do you do that? Well, let's take a single cycle. Then we're going to pick d distinguished points that are at equal distance on that cycle, these red points here, and we're going to redirect these points to form these cycles, like this. So when you see this, this is equal to this, right, and when you see this, this is the same thing as this. And what have we done?
We just redirected d points, and since d is the GCD of N and r, then of course d is less than r, and so we get that this is less than rq/N. There are a few things under the rug here, but really very little, so it's a very natural proof. Of course, as a result of all that, we get what we wanted, which is that the distance here is less than (2r+1) q/N. In the other direction, we mentioned we have a matching attack. Like I said, this was considered already before in a prior article, and what they did is that they counted the number of fixed points, which is natural, since in P^r you will have more fixed points. For example, in P^2, anything in P that was a fixed point is still a fixed point in P^2, but also cycles of length two become fixed points in P^2. Okay, so you have strictly more fixed points on average in P^r, so that's the most natural thing to do, but if you do that you end up with a really not nice expression, because the advantage of that distinguisher is the n-th term in some formal series, so it's not convenient. So what we do instead is another distinguisher that is probably not better but has a really nice expression; it has a closed formula. What we do is that we query along a cycle, along a chain, and if a cycle appears then we guess that we were in P^r, and if it does not then we guess we were in P. So we do q queries along a chain, and then we guess P^r if there is a cycle and otherwise P. The advantage of that distinguisher has this form, and the constant here has a nice expression, and you can lower bound it by one half, and so naturally you get that this is more than q/(2N). That basically concludes my talk.
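The cycle-structure claims above (odd cycles survive squaring, even ones split; C^r has gcd(N, r) cycles) and the chain distinguisher, as an added Python example that is not part of the talk or the paper. It assumes the standard fact that the cycle through a fixed point of a uniformly random permutation has length uniform on 1..N; the helper names are my own.

```python
# Added example, not from the talk: checks its cycle-structure claims and computes the
# exact advantage of the chain distinguisher it describes. Helper names are my own.
from math import gcd

def cycle_lengths(perm):
    """Sorted cycle lengths of a permutation given as a list with perm[x] = P(x)."""
    seen, lengths = [False] * len(perm), []
    for start in range(len(perm)):
        if seen[start]:
            continue
        x, length = start, 0
        while not seen[x]:
            seen[x] = True
            x = perm[x]
            length += 1
        lengths.append(length)
    return sorted(lengths)

def power(perm, r):
    """P^r as a table: start from the identity and apply P r times."""
    out = list(range(len(perm)))
    for _ in range(r):
        out = [perm[y] for y in out]
    return out

def predicted_cycle_lengths(perm, r):
    """Cycle of length L in P -> gcd(L, r) cycles of length L // gcd(L, r) in P^r."""
    lengths = []
    for L in cycle_lengths(perm):
        d = gcd(L, r)
        lengths.extend([L // d] * d)   # odd L survives squaring, even L splits in two
    return sorted(lengths)

def chain_distinguisher(oracle, q, start=0):
    """q queries along a chain from start; answer True ("this is P^r") iff it closes."""
    x = start
    for _ in range(q):
        x = oracle(x)
        if x == start:
            return True
    return False

def chain_advantage(n, r, q):
    """Exact advantage of chain_distinguisher for q <= N: the cycle through start in a
    uniform permutation has length L uniform on 1..N, and in P^r it has length
    L // gcd(L, r); under P itself the chain closes for exactly the q lengths 1..q."""
    closes_under_pr = sum(1 for L in range(1, n + 1) if L // gcd(L, r) <= q)
    return (closes_under_pr - q) / n
```

For r = 2 the exact advantage works out to ceil(q/2)/N, which is the "at least one half of q/N" lower bound from the talk.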
So what we have shown is that you have a really nice bound on the distance between P and P^r, coming from the main theorem and a matching attack, and there is a direct application to cascade encryption with the same key: you can show that if you compose the same block cipher with the same key, then you actually lose very little security. And of course we can think of this as perhaps the relatively easy part of a really hard problem, which would be to show security amplification for composing several block ciphers without increasing the entropy, so using only a single key and maybe some hypothesis on the block cipher or its key schedule. Proving that sort of thing would be a major breakthrough. You can't hope to prove that in the information-theoretic model, since you're not actually increasing the entropy, so you would have to do that in the computational model, and as far as I know there is nothing in that direction. So that's a really interesting question. Thank you for your attention, and if you have any questions