 ಡಕಗ್ಮಲಿಲ್ sext ස්වතිදුර් මෙදාිකට්තිය්ක්තින් මෙදාින්ටයක්ක්. අපය්තාස් එක්න්ගක් පය්තාවේපක්නිතිය්. eveningshighme neither lonely we submitted this paper to escalip 2021. And it have been published. It has been accepted yet to be published. Okay, so first we start with a short introduction to Like Mac. First of all, Like Mac is a parallelizable construction and it is a block-cypher-based message authentication code also. It was first introduced by Louis and others in 2016 and it was in 2019 it was announced as one of the ISO-IC standard lightweight max. The standardization number is given here. The most important features of this construction are the following. It uses two independent block-cypher keys and it is based on a counter-based encoding. Let us look at this pictorial overview of lightmax. We see that there are two kinds of inputs. These inputs are called initial inputs and this is the final input. For the initial inputs are fed into a block-cypher which is instantiated by the key K and the final one is block-cypher instantiated by the key K prime. The initial inputs are the message are first to add the messages and then we take n minus s bit block and each block is concatenated with a binary encoding and then they are fed into the initial block-cypher ek. Then we collect all the outputs, sort them and the final message block is now sorted with the initial outputs and the final input is fed into the ek prime. For single key lightmax the last one is not ek prime the last one is final block-cypher is just same as the initial block-cypher it is just ek and the l is the number of blocks present in the padded message m. Now the main advantages of the lightmax construction that it is very simple, its construction is very simple it requires a lower amount of memory to be stored so it has a low overhead also and it is also flexible kind of construction we can have lightweight implementation as well as high computing implementation can also be done using the parallel structure. Now let us revisit the schema of the proof of lightmax if we see the construction of the lightmax we can see it as this part we can see that this is a hash part and this is the PRP part we name it as light hash and this light hash is only dependent on the key k this key so this construction can be seen as hash then PRP construction and if we write it in functional expression then this is the functional expression of lightmax depending on the key k and k prime proof of the original lightmax used the hash then PRP structure and it guaranteed that the fresh inputs always give random outputs since the keys are independent but for single key lightmax that is one key lightmax we cannot exploit the above fact because these keys are not independent now they are the same key so we have to try a different way to get the result our contributions in the paper in this paper are twofold first of all we show a security bound of order q square by 2 over n 2 to 2 over n for one key lightmax for certain range of the value of l and secondly we propose a variant of single key lightmax which we denote as lightmax ds ds means domain separation here and we also show that this achieves the security bound of birthday bound order for some range of l so in both cases we have got rid of the l term in the security bound and we get a birthday bound order if we compare these two results with the existing results of these kinds of construction that is PMAC type constructions this table represents a comparative summary these two entries which are colored red here these entries are our contributions so we see that it is certainly achievement, betterment of the existing results for example if we consider the number of block cipher keys it is both of them are single key and if we consider the prf bound both of them are l free bounds for certain range of l okay so this table shows us our contributions in a comparative way this is the inside view of the one key lightmax what does it show if we take any arbitrary initial input xij first we are defining it we are showing it for a message mi okay so for a message mi any xij is fed into this block cipher and we get yij and these all yijs are resolved together with the last block of the padded message and we get yij yij is the final input of this computation and at last we get ti here is the ith tag okay so this represents the input output apples for a message mi okay so what are the bottlenecks for proof proving the security bounds of one key lightmax so this kinds of collision this picture shows two kinds of collisions which are very important to understand the proof the idea behind the proof first of all the first picture this one this picture represents a collision where an initial input of a message is collided with the final input of another message and it is we have denoted it using the red colour circle and similarly this picture represents a kind of collision where an internal output of a message is collided with a final output of another message this kind of collision is denoted by blue circle this kind of the first kind of collision is called icol that is input call collision and the second kind of collision is called o call that is output call we see that for the original lightmax construction there were no issues with icol and o call because this the final block cipher was always different from the initial block cipher so whatever may be the initial whatever may be the status of the icol it doesn't have any impact on the status of the o call that is it may have that for some ia this ia colliding with some j that is this ia it may happen that the icol happens for some iaj tuple o call does not happen for iaj tuple and vice versa but in case of one ke lightmax this never happens because this final block cipher is always same as the initial block cipher so if icol happens then o call must happen so how to handle this kind of collision one straight forward approach is just to avoid this kind of collision icol and o call but get q square l many terms in the in this way in the numerator because the internal the internal input have q l many choices for internal inputs and q many choices for final input so there are q square l many choices for this kind of collisions so here we get a term which is not free of l q square l many terms but the denominator is always 2d per n so we cannot get rid of this l term so this straight forward approach does not work so we have to think in a different way so we have to show in the later slides for the general proof environment for the proof in case of one ke lightmax we will use the famous edge coefficient technique and let us recall that it requires 4 steps first of all we need to define a set of transcripts then we have to define what is that transcript then we have to do good transcript analysis and another part is remain it is called bad transcript analysis all together this comprises the whole proof technique but we will see what we what special kind of thing we do for proving the security bound of one ke lightmax for good transcript analysis we choose our bad events in such a way that we get permutation comparability between the tuples of all inputs and the tuple of all outputs for a good transcript that is the tuple of all inputs means all initial and final inputs so permutation comparability between two tuples means there is a permutation which when applied on the first tuple it gives the second tuple so for this inputs tuple and output tuple we get permutation comparability here by choice of our bad events in case of bad transcript analysis we employ a novel technique due to which we get bounds of q square by 2 to the power n order for any bad event what is the recent sampling strategy it is just we do not sample we do not restrict our sampling for the first in one stage first of all for any given tuple of messages we first sample t that is the tags from the space of n bit strings and z values also z values is sampled imitating the initial outputs of the real constructions so if some two values of the initial initial input are same then their output is also then the z value corresponding to them also sampled as same or if they are different then two different values are sampled for z that is it is kind of lazy sampling on the set of all input initial inputs so we do not impose any condition for this sampling except that it is a without replacement sampling now the second step is crucial it is called the research step and what we do here we identify all the tuple i comma a comma j these tuples are called full collision tuple what is a full collision tuple this is nothing but the i call if for some ia here this collides with some j for the simplicity of notation I am saying ia and j just if for some ia this collides with some j here then ia j is called full collision tuple and for any full collision tuple we reset the z values as we will see in the next slide this is the resetting technique if the collision happens it means x i a is equal z j zore then y ia is sampled as tj tj is already sampled so we just write y i a equals tj and for all other y for all other ia which are not full collision tuple we just rename the z to be y okay so this is the reset technique this is the research sampling or the resetting technique so what was the intuition behind the approach the basic intuition behind the approach that we might get some joint events for the bad events we might get some joint kind of events which will help us to get 2 to the power 2n in the denominator of the bounds okay so whatever l terms in the numerator we can get rid of them exploiting the extra 2 to the power n factor in the denominator so that was the basic intuition behind the reset sampling as an example let us consider one bad event in the proof this event is called bad y1 what is bad y1 here we see that x ia zj that is iaj is a full collision and for the final input of i final input of i is also collided with the initial input of some message okay so this joint event is a bad event which if we if we compute its probability we get qql squared terms in the numerator and 2 to the power 2n in the denominator so that this ratio qql squared by 2 to the power 2n is l free for a suitable range of l the l that we see in the final result that we will see in the final result okay so this is the this thing this kind of thing happens for all other bad okay so this is the final result of 1k lightmap we get here that this this bound is of the q squared 2 to the power 2n order for this range of l okay and this bound is actually l free for this range of l so this is the final result for 1k lightmap and here we are done with the first part of our paper the next part we will see this construction lightmap ds ds means domain separation here the initial inputs are made such that always it begins with a zero the most significant bit of any initial input here is zero and for the final input we fix now we use this fix one function it makes the final input the most significant bit of the final input forcefully to one what fix one does fix one forcefully sets the MSB of the final input to be one so we see that what is the advantage of this construction no initial input can collide with our final input because the MSB of any initial input is zero whereas the MSB of any final input is always one so no retool handle I call indices we see sampling is also not required here because there is no full collision as such here this has an easier proof than the 1k lightmap and it is given in a detailed way in our paper and this is the final advantage that we get for lightmap ds range of L so with this we conclude the second part of the paper also and we thank everyone for listening to the presentation and thank you very much okay