Hello everyone, my name is Yaobin Shen, a final-year PhD student at SJTU. Today, our talk is on Beyond Birthday-Bound Security: Leveraging the Development of ISO/IEC 9797-1 MACs. This is joint work with Professor Wang. Our talk is divided into four parts. The first one is the introduction of the ISO/IEC 9797-1 standard. The second one is the description of our contributions. The third one is some details about the attacks and the proofs for the patches. The final one is the conclusion.

A Message Authentication Code is a symmetric-key primitive to provide integrity and authenticity of messages between two parties. There are mainly three ways to build a MAC. The first one is block-cipher-based. The second one is universal-hash-function-based. The third one is hash-function-based. For block-cipher-based MACs, there are some examples including CBC-MAC, CMAC, PMAC, and so on. This figure is the illustration of CBC-MAC. It iterates the block cipher to produce the final tag.

Our focus is the ISO/IEC 9797-1 standard. This is the international standard for block-cipher-based MACs. There are two versions of this standard. The older one was published in 1999, and the current one was published in 2011. This standard specifies six different variants of CBC-MACs. It also provides four padding schemes. As you can see in this figure, they all use the CBC-MAC structure. The difference appears at the encryption of the first block or the encryption of the final block. There are four padding schemes. For padding scheme 1, we simply right-pad with several zeros to make the length of the string a positive multiple of n. This padding scheme is insecure because it allows a trivial forgery attack. For padding scheme 2, we need to right-pad with a single one and then several zeros to make the length of the string a positive multiple of n.
For padding scheme 3, we need to put the binary representation of the length of the string in the first block, and then right-pad with several zeros to make the new string a positive multiple of n. For padding scheme 4, if the length of the string is already a positive multiple of n, then we do nothing. Otherwise, we need to right-pad with a single one and several zeros to make the length of the string a positive multiple of n. Padding scheme 4 is only used in MAC Algorithm 5.

As you can see, the six MACs in this standard all share a single-path CBC-MAC structure, and this kind of structure suffers from birthday-bound attacks. So the security of the MACs in this standard is all capped at the birthday bound. However, in practice birthday-bound security is not always enough, especially in resource-constrained environments with lightweight block ciphers such as PRESENT, or in legacy applications such as the financial sector, where Triple-DES is still in use. For these block ciphers, the input size is only 64 bits and the birthday bound becomes 2^32, which is somewhat small. There are also two practical attacks by Bhargavan and Leurent that exploit collisions on short block ciphers to break the security of TLS and OpenVPN.

To achieve a higher security level, that is, beyond the birthday bound, it is written in ISO/IEC 9797-1:2011 that if a MAC algorithm with a higher security level is needed, it is recommended to perform two MAC calculations with independent keys and concatenate the results. This figure is the illustration of the concatenation combiner of two MACs. We simply concatenate the results of two MACs, which is suggested in this international standard.

For our contribution, we present forgery attacks on the concatenation combiner. We show birthday-bound forgery attacks on the concatenation combiner of any two MACs in ISO/IEC 9797-1:2011.
In particular, our attack on the concatenation combiner of two MAC Algorithm 1 with padding 2 only requires three queries. Our attacks thus invalidate the suggestion in ISO/IEC 9797-1:2011; that is, the concatenation combiner cannot be secure beyond the birthday bound. We then look for patches. We revisit the development of ISO/IEC 9797-1. In the older version that was published in 1999, it uses the XOR combiner in MAC Algorithm 5 and MAC Algorithm 6 to potentially go beyond the birthday bound. But unfortunately, Joux et al. proposed a birthday-bound attack on MAC Algorithm 5 with padding 2. On the positive side, Yasuda proved that MAC Algorithm 6 can achieve beyond-birthday-bound security, though it requires six keys. But the provable security analysis for MAC Algorithm 5 is still absent, either with padding 3 or even with padding 2. This figure is the illustration of the XOR combiner in the older version, which simply XORs the two tags to produce a final tag.

For our patches, we revisit the impact of the XOR combiner of two MACs in ISO/IEC 9797-1:2011. Here we only focus on the single-key MACs in this standard. We show that the XOR combiner of two MAC Algorithm 1 is beyond-birthday-bound secure with padding 3. The XOR combiner of two MAC Algorithm 1 is also MAC Algorithm 5 in the older version. We then prove that the XOR combiner of two MAC Algorithm 5 is beyond-birthday-bound secure. We also prove that the XOR combiner of two MAC Algorithm 1 is beyond-birthday-bound secure with padding 2. Note that the concatenation of two MAC Algorithm 1 with padding 2 can be broken with just three queries. This table is the comparison between XMAC1, XMAC5 and other CBC-like MACs with beyond-birthday-bound security. For previous MACs to achieve beyond-birthday-bound security, it requires at least 3 keys, and for XMAC1 and XMAC5, it only requires two keys.

We then describe some details about the attacks and the proofs for our patches. For the attack on the concatenation of two MAC Algorithm 1 with padding 2, it only requires three queries.
Here is the attack procedure. The adversary first queries a single-block message M to the concatenation combiner to obtain the tags T1 and T2. It then queries M XOR T2 to obtain the left half of the concatenation, T3. It makes the third query M XOR T1 to obtain the right half of the concatenation, T4. Finally, the adversary can make a forgery. The forgery message is only two blocks. The first block is M, the second block is M XOR T1 XOR T2. And the forgery tag is T3 and T4. T3 can be obtained from the second query, and T4 is obtained from the third query. This forgery succeeds with probability 1 and it only requires three queries.

For the attack on the concatenation of any two MACs with padding 2 or padding 4, we adopt the multi-collision attack for iterated hash functions by Joux. The main idea of this attack is as follows. If we can find one collision with complexity 2^{n/2}, then we can find 2^t messages colliding to one value with complexity t times 2^{n/2}. This figure illustrates the main idea of the attack. Note that all the paths collide to the same value y_t. For our attack, we first focus on the first path, that is, the left half of the concatenation. By using the multi-collision attack, we can find 2^t messages that collide to the same value T1 on the left half. And with high probability, among these 2^t messages, there also exists a pair of messages that collide to the same value on the right half. We then can use this collision to construct a forgery attack. The complexity of this attack is only the birthday bound.

For the attack on the concatenation of any two MACs with padding 3, we need to consider the impact of the length. Since in padding 3 we need to put the binary representation of the length of the string in the first block and then right-pad it with several zeros, to deal with this issue we append several zeros to each of the 2^t messages so that they all have the same bit length.
And then we use the multi-collision attack to construct a forgery. The following procedure is essentially the same as the case with padding 2 or padding 4.

We also prove that our patch, the XOR combiner, can be beyond-birthday-bound secure. We prove that the XOR combiner of two MAC Algorithm 1 with padding 3 can achieve beyond-birthday-bound security. Here is our theorem. Here q is the number of queries, ℓ is the largest block length, and σ is the total number of blocks. In our proof, we use the game-playing technique. This technique was developed by Bellare and Rogaway. In our case, the adversary needs to distinguish XMAC1 from a random function. We use two games to simulate the target constructions. These two games are syntactically identical until a bad event happens. We then bound the probability of the bad event. By the fundamental lemma of game-playing, the maximum advantage of the adversary can be bounded by the probability that the bad event happens.

Here are some details. For the i-th message M_i, we denote by x and u the last inputs to the block cipher E_{K1} and the block cipher E_{K2}, and by y and w the corresponding outputs of the block ciphers. The bad event is defined when the output tag is distinguishable from a random n-bit string. The tag is produced by the XOR of y and w. The bad event will appear in four cases, according to the freshness of x and u. Case A is defined when both x and u are fresh. Case B is when u is fresh, but x collides with a previous input to the block cipher E_{K1}. Case C is when x is fresh, but u collides with a previous input to the block cipher E_{K2}. Case D is when both x and u collide with previous inputs to the block ciphers. It is easy to analyze the bad event in case A because we can rely on the randomness of y and w. To analyze the bad event in case B, we need to rely on the randomness of w and also the probability of the event that x appears in previous inputs to the block cipher.
To analyze the latter term, we define by FCP the full collision probability. The full collision probability is the probability of the event that, for two messages M_i and M_j, x_i collides with a previous input to the block cipher. We will use the full collision lemma by Bellare et al. For any two prefix-free messages M_i and M_j, the full collision lemma nicely bounds the collision of x with a previous input to the block cipher. Then the collision event that x collides with a previous input to the block cipher E_{K1} can be bounded by summing over the previous i-1 messages. And then the bad event in case B can be bounded by this term. For case C and case D, we also use the full collision lemma, and here are our results. Finally, we sum over the probabilities of the bad event in these four cases to obtain the PRF advantage of the adversary. This is a beyond-birthday bound.

We also prove that the XOR combiner of two MAC Algorithm 5 is beyond-birthday-bound secure. MAC Algorithm 5 is also known as CMAC in the NIST standard. Here is our theorem for XMAC5. This advantage is also a beyond-birthday bound. The proof for XMAC5 is similar to that for XMAC1, except that we need to define additional bad events to include the influence of the masks K1 and K2, which are produced by the block cipher. We also need to define a bad event when M_i is a prefix of M_j. This is to guarantee that the messages are prefix-free.

Finally, here is our conclusion. In this work, we show birthday-bound forgery attacks on the concatenation combiner of any two MACs in ISO/IEC 9797-1:2011. In particular, our attack on the concatenation combiner of two MAC Algorithm 1 with padding 2 only requires three queries. Our attacks invalidate the suggestion in ISO/IEC 9797-1:2011; that is, the concatenation combiner cannot be beyond-birthday-bound secure. We also present patches. We show that our patch, the XOR combiner, can be beyond-birthday-bound secure.
We prove that the XOR combiner of two MAC Algorithm 1 in this standard is beyond-birthday-bound secure with padding 3. We also prove that the XOR combiner of two MAC Algorithm 5 in this standard is beyond-birthday-bound secure. That's all. Thanks for listening.
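The three-query forgery against the concatenation combiner, worked through in code as an added example; this is not code from the talk or from the authors' paper. It builds MAC Algorithm 1 (plain CBC-MAC with padding method 2) over a toy 64-bit Feistel permutation (a stand-in for Triple-DES-sized ciphers, chosen only so the script runs offline; CBC-MAC needs nothing beyond E_K being a permutation), then runs the adversary's three queries and checks that the forged tag verifies. One reading choice is labelled in the code: the forged message is taken as the padded first query followed by the block M XOR T1 XOR T2, so that on each path the CBC chain first reaches T1 (resp. T2) and then re-enters the state of query 2 (resp. query 3). The keys, the one-block message and the names `concat_combiner`, `xor_combiner` and `Oracle` are constructed for this example. The last function applies the same three-query idea to the XOR combiner, where only T1 XOR T2 is visible; its failure is a single strategy failing, not a proof, which is what the talk's theorem supplies.

```python
import hashlib

N = 64                 # block size in bits; Triple-DES-sized, as in the talk's motivation
NB = N // 8            # block size in bytes


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def toy_block_cipher(key: bytes, block: bytes) -> bytes:
    """Toy 64-bit keyed permutation (8-round Feistel, SHA-256 round function).
    CBC-MAC only needs E_K to be a permutation, which a Feistel network is for
    any key. Constructed stand-in so the example runs offline; NOT a secure
    block cipher and not part of the standard or the talk."""
    assert len(block) == NB
    half = NB // 2
    left, right = block[:half], block[half:]
    for rnd in range(8):
        f = hashlib.sha256(key + bytes([rnd]) + right).digest()[:half]
        left, right = right, xor(left, f)
    return left + right


def pad2(msg: bytes) -> bytes:
    """Padding method 2: a single 1 bit, then 0 bits up to a positive multiple of n."""
    padded = msg + b"\x80"
    return padded + bytes((-len(padded)) % NB)


def mac_algorithm_1(key: bytes, msg: bytes) -> bytes:
    """MAC Algorithm 1: plain CBC-MAC, zero IV, no output transformation."""
    state = bytes(NB)
    padded = pad2(msg)
    for i in range(0, len(padded), NB):
        state = toy_block_cipher(key, xor(state, padded[i:i + NB]))
    return state


def concat_combiner(k1: bytes, k2: bytes, msg: bytes) -> bytes:
    """The 2011 suggestion: two independent-key MACs, tags concatenated (2n bits)."""
    return mac_algorithm_1(k1, msg) + mac_algorithm_1(k2, msg)


def xor_combiner(k1: bytes, k2: bytes, msg: bytes) -> bytes:
    """The talk's patch (MAC Algorithm 5 of the 1999 version): tags XORed (n bits)."""
    return xor(mac_algorithm_1(k1, msg), mac_algorithm_1(k2, msg))


class Oracle:
    """Wraps a MAC so we can count queries and check the forgery is a new message."""
    def __init__(self, mac):
        self.mac, self.queried = mac, []

    def __call__(self, msg: bytes) -> bytes:
        self.queried.append(msg)
        return self.mac(msg)


def three_query_forgery_on_concat(oracle: Oracle, m: bytes):
    """The talk's attack for one full block M. Query 1 gives T1||T2; query 2 on
    M xor T2 gives T3 (left half); query 3 on M xor T1 gives T4 (right half).
    Reading choice (see lead-in): the forged message is pad2(M) || (M xor T1 xor T2).
    Left path: CBC-MAC reaches T1 after pad2(M); then T1 xor (M xor T1 xor T2)
    = M xor T2 enters the cipher, so the chain ends exactly as query 2 did.
    The right path mirrors this with T2 and query 3."""
    assert len(m) == NB
    t12 = oracle(m)
    t1, t2 = t12[:NB], t12[NB:]
    t3 = oracle(xor(m, t2))[:NB]
    t4 = oracle(xor(m, t1))[NB:]
    return pad2(m) + xor(xor(m, t1), t2), t3 + t4


def concat_attack_verifies(k1: bytes, k2: bytes, m: bytes) -> bool:
    """True iff three queries yield a fresh message whose forged tag verifies."""
    oracle = Oracle(lambda msg: concat_combiner(k1, k2, msg))
    forged_msg, forged_tag = three_query_forgery_on_concat(oracle, m)
    fresh = forged_msg not in oracle.queried and len(oracle.queried) == 3
    return fresh and concat_combiner(k1, k2, forged_msg) == forged_tag


def same_strategy_on_xor_verifies(k1: bytes, k2: bytes, m: bytes) -> bool:
    """Mimic the attack against the XOR combiner: only T1 xor T2 is visible, so
    the adversary can at best query M xor (T1 xor T2) and reuse the structure.
    The resulting tag does not verify: after pad2(M) the two paths enter
    M xor T2 and M xor T1 respectively, neither of which was ever queried."""
    oracle = Oracle(lambda msg: xor_combiner(k1, k2, msg))
    t = oracle(m)
    t_prime = oracle(xor(m, t))
    forged_msg = pad2(m) + xor(m, t)
    return xor_combiner(k1, k2, forged_msg) == t_prime


if __name__ == "__main__":
    K1, K2 = b"constructed key 1", b"constructed key 2"   # constructed sample keys
    M = bytes(range(NB))                                  # constructed one-block message
    print("concat combiner forged with 3 queries:", concat_attack_verifies(K1, K2, M))
    print("same strategy against XOR combiner:", same_strategy_on_xor_verifies(K1, K2, M))
```

Running the script prints `True` for the concatenation combiner and `False` for the XOR combiner with these constructed keys. The design point worth noticing is what the concatenation leaks: each half of the 2n-bit tag is an independently usable CBC-MAC state, so the length-extension property of plain CBC-MAC can be exploited on each path separately, whereas the XOR hides both states behind their sum.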