 Okay, thank you for the introduction. Hash functions based on permutations, what do we essentially mean by this? Well, traditionally, hash functions are based on block ciphers. The idea is that one builds a compression function on a block cipher and then this compression function is iterated. This approach is well established. There are many compression functions following this design, like the Davis-Mayer compression function, the BGV class of functions, and also many widely used hash functions like the ones of the Shah family follow this approach. However, building a compression function from a block cipher has some disadvantages. Most importantly, every new compression function evaluation usually results in a different key input to the block cipher, and hence you need related key security of the block cipher in order to get a secure construction. Additionally, as every new evaluation results in a different key, you need to evaluate the key derivation function every time which results in some efficiency loss. As an alternative, people started to look at compression functions based on fixed key block ciphers or permutations. This indeed gives some efficiency profit, but on the other hand, this also has a disadvantage. Indeed, unlike block ciphers, permutations do not allow for compression. And in particular, it has been proven by black at all that this construction cannot be secure. More detail, black at all proved that if you want to construct a two-and-two-and-one-and bits compression function based on one-and-bit permutation, you can find collisions in at most two queries. This result has been generalized, has been generalized by Rogwein-Steinberger, by Stamm-Steinberger, and actually, if I'm correct, a couple of presentations from now there is another generalization. And what we know by now is that if you want to construct an mn to an rn bits compression function using kn bit permutation calls, you can find collisions in, well, in this many number of queries. This bound is usually known as Stamm's bound due to the second generalization, and it's proven to hold for almost all choices of m, k, and r. In the table, I listed some example values of this bound. The focus in our work is on the simplest type of compression functions, namely those that map two-and-to-one-and-bit. And now the bound states that if you want to get optimal collision security, you need to have at least three permutation calls. And this is the focus of our work. So we look at two-and-to-one-and-bit compression functions, making three calls to an underlying permutation. So the goal is collision resistance. Let me quickly revisit the, explain the model. We consider the ideal permutation model. So this means that we consider permutations to be randomly drawn from the set of all permutations. And then we consider an information theoretic adversary. This adversary has unbounded computational power, and its complexity is then measured by the number of queries the adversary makes to its oracles. And then the goal of the adversary is to find a collision. So a more detailed goal of the adversary is to find queries to the permutations that allow him to construct two input tuples, x1, x2, and x1 prime, x2 prime, that collide. And then the collision security is defined as the maximum success probability over all adversaries. In the work, we also look at pre-image security. In the case of pre-image security, we consider the adversary to be given a range value z. And his goal is to find a pre-image, a pre-image tuple x1, x2. And a pre-image security is then defined as the maximum success probability over all adversaries and over all range values. So let's go back to two-and-to-one-and-compression functions. Several works already appeared in literature. One construction is by Schrimt and Stamm. Schrimt and Stamm looked at the following design. It takes two n-bit inputs, x1, x2, and n-bit output z. And it uses three one-way functions, f1, f2, and f3. And it's proven to be optimally collision secure if TFI's are random one-way functions. By an automated analysis, it has been shown that this result still holds if you replace the one-way functions by permutations with a feed forward. Another construction is by Rogwe and Steinberger, essentially consider this design. It's also a two-and-to-one-and-bit compression function. And at first sight, it looks a bit complicated, but in fact, it's not. So what happens here is that the input to pi1 is a11 times x1 plus a12 times x2, where additional multiplication is done over the finite field of two-to-the-n elements. And the aij's here are constants. And they essentially define this compression function. So for different constants, you have a different function. And Rogwe and Steinberger proved that this construction, that this construction achieves optimal correlation and pre-image security if the aij satisfies some technical independence criterion. And while this is an interesting result, in my opinion, this also rules out some interesting compression functions. In particular, this rules out the functions where all the aij's are binary values, as well as, for instance, the case in the Schrimtens-Stamm compression function. And I really think that this compression function design with binary values is the most interesting type of design. Those are simpler, more intuitive, and they also result in a slight efficiency improvement. And this brings me to our contribution. We essentially look at this design. So we look at the set of all compression functions, all two-and-two, one-and-bit compression functions that are solely based on three permutations and XOR operators. So here, the input to pi1 is, for instance, a11 times X1, XOR a12 times X2, where all the aij's are binary values. And we consider this design in two models. The first one is the multi-permutation setting where we assume that the three permutations are all different and randomly distributed. And the other setting is the single permutation setting where the three permutations are assumed to be the same. So we consider, so the main focus in the presentation is on the multi-permutation setting. We consider essentially all of these designs. So those are, we see 14 constants aij's, so two to the power 14 functions, that's quite a lot. But it turns out that there are some similarities among those functions. Indeed, consider, for instance, this design on the one hand. And now on the other hand, we consider a design where the first two rows, the aij's of the first two rows are swapped. So we just swapped the two rows aij's. While these two designs are essentially two different compression functions, from an adversary's perspective, those are not really different. The reason for this is that if the adversary can find a collision for this design, it can just swap X1 and X2 to get a collision for the other design. So while there are a lot of functions to be analyzed, there are some similarities. And this brings me to the definition of equivalence classes for the compression functions. And we say that two functions, F and F prime, are equivalent if for both collision and pre-image security, there is a tight bi-directional security reduction. What this intuitively means is that if F and F prime are equivalent, those are equally secure, and it only suffices to prove one of them secure to get security of the other one. And this definition turns out to be a very powerful trick to reduce the amount of work to be done. And I think this approach is also of independent interest. In the work, we define four security, four equivalence reductions. One is the one you saw on the previous slide, where you swapped the first two rows. The other three are rather similar. One can see there's linear operations on the constants. And we prove that these reductions really work. So the two examples, the example on the previous slide, those two compression functions are indeed equivalent. And in our work, we restrict the equivalence with respect to these four functions only. So let's now go to the main result for the multi-permutation setting. For the multi-permutation setting, we identify the following four functions. F1, F2, F3, and F4. Note that we restart the figures a bit, but there is a one-to-one correspondence between this picture and the one you saw a couple of slides back. And we identify these four functions, and now we prove that if you take any of the two, two power 14 compression functions, so any function, this function achieves optimal collision security if and only if it is equivalent to one of these four functions. So if it's not equivalent to one of the four functions, you can find collisions in less foster than the birthday bound. Additionally, we look at pre-image security, and we prove that there is only one of the four classes, namely the one defined by F2, that achieves optimal pre-image security. And the experts among you may recognize F3, because F3 is essentially the shrimp and stomp compression function with permutations and feed-forwards. And finally, in the table, we see a C here. The C means that there is a small part of the result that's based on a conjecture. I will come back to this conjecture later. So let me explain the ID of the proof. Recall that this is the generic design you're considering, two to the 14 functions. But first note that many of these functions are already trivially insecure. Indeed, consider for instance, the case where all constants, all AIJs are zero. Then you have a constant function, and it's not really hard to get collisions for that function. And this brings me to the definition of a valid compression function. And to this end, we identify eight green sets, well, five horizontal, three vertical, and we say that the compression is valid if in each of the green sets, there is a non-zero element. Suppose this was not the case. So suppose in this set, the first horizontal set, A11, A21, and A31, suppose these three are all zero. That would mean that X1 is never used as input to a permutation, and you can find collisions in a constant number of rounds. So this definition of validity of a compression function is essentially introduced to get rid of all the trivially insecure compression functions. And it suffices to consider valid compression functions only. So it suffices to consider compression functions of this form only. Now in the second part of the proof, using the idea of equivalence classes, we prove that if you take any compression function of this form, this function is either equivalent to a non-valid compression function, in which case we can completely forget about it, or it is equivalent to a function f prime with A11, A12 is one zero, and A21, A22, A23 is zero one zero. So this means that any compression function f is equivalent to some function f prime where the input to pi one is X1, and the input to pi two is X2. And now by the definition of equivalence classes, it suffices to consider such functions only. So this was step two of the proof. Now we already drastically reduce the amount of functions to be analyzed from two to the power 14 to slightly less than 256. Those are still quite some functions. Now in the third part of the proof, we derive four generic attacks. We derive four generic attacks. The first one, for instance, states that if A31 and A33 are zero, or A34 and A32 and A34 are zero, you can find collisions in at most two to the n over four queries. The other three statements are rather similar. I will not go in more detail. But while each of these attacks only turns out to cover a handful of applied to a handful of functions, it turns out that together they cover almost all functions. In fact, it turns out that there are only four functions that are resistant to these four attacks. And those are f one, f two, f three, and f four. So what the result so far means is that if you take any compression function, this function is optimally collision skewer only if it is equivalent to one of these four functions. So f is collision skewer only if it is equivalent to one of these four functions. This is a picture which contains all of them. What now of course remains is the if relation and the pre-image security. And this is really the hardest and most technical part of the proof. And I will not go into further detail, I will just mention the results. So for collision resistance, we prove that f one, f two, f three, and f four are indeed optimally collision secure up to two to the n over two queries in the limit. Then for pre-image security, we prove that f two achieves pre-image resistance up to two to the two n over three queries which is optimal due to the bound of Rogvain Steinberger from Eurocrypt 2008. Finally for f one, f three, and f four, we prove tight two to the n over two pre-image security. So I already mentioned that a part of the result is based on a conjecture. Let me quickly explain this conjecture. This is the variant of the conjecture for Q is at most two to the n over two. Suppose you're given a set capital Z of Q random n bit elements. And then your goal is to find two sets capital X and capital Y that maximize the number of tuples X, Y, Z satisfying X, X, or Y equals Z. Then the conjecture states that there are at most about Q log Q such tuples X, Y, Z except with a very small probability. And while it's not immediately clear, this conjecture is highly related to the area of extremal graph theory. And in fact, it turns out to show some similarities with a conjecture from 1951. In the full version of the paper, I give a detailed heuristic why this argument is likely, why this conjecture is likely to hold. And I also compare it to this 1951 conjecture. So this was it about the multi permutation setting. Now for the single permutation setting, we prove the following result. So we consider this design in a single permutation setting where the three permutations are the same. And we prove that for any compression function of this form, collisions can be found in at most two to the two n over five queries. In other words, there does not exist any compression function of this form that achieves optimal collision security. In the paper, we also generalize this to a construction where we have constant inputs extra to the permutations. So where the input to the permutation, the first permutation is a11 times x1, xor a12 times x2, xor b1 for a constant b1. And we prove that the result still holds for this generalized design. So that does not exist any compression function of this form that achieves optimal collision security. Note that this also rules out the customary approach of constructing three different permutations from a single one, where you use a constant as extra xor input to the permutation. So this was the main result for the multi permutation setting. To conclude, what we essentially did is we gave a complete classification of all two n to one n bit compression functions that are solely based on three permutations and xor operators. And the main part, the basis of the work is essentially the definition of equivalence classes. This definition turned out to reduce the amount of work to be done. And in fact, for instance, for the multi permutation setting, we analyzed two to the power of 14 functions. And with relatively little work, we proved 216 of them secure, optimally collision secure, and 48 of which we additionally proved optimally pre-image secure. And also for the single permutation setting with relatively little work, we proved an impossibility result. We proved that there does not exist any optimally collision secure compression function of the form you saw in the previous slide. The work leaves some interesting directions for some interesting future research directions. The first of them is to generalize this result. We can generalize it to larger compression functions with more inputs, more outputs, with more primitive calls. We can generalize it to a compression function that is based on two permutations rather than three or one, two different permutations rather than three or one. We can generalize it to compression functions with one-way functions, although the equivalence reductions then get a little bit harder. Another research direction is to reconsider the negative result in a single permutation setting to either generalize this or to come up with a positive result, for instance, if you use four permutation calls. And this final open problem is of course proving the conjecture. So thank you for your attention.