Hello everyone, my name is Yaobin Shen. Today our talk is about revisiting the security of DbHtS MACs beyond the birthday bound in the multi-user setting. This is joint work with Lei Wang, Dawu Gu, and Jian Weng. Our talk is divided into four parts. The first one is the background on DbHtS MACs. The second one is the multi-user security results for DbHtS MACs. The third one is our attack on 2kf9. The final one is the conclusion.

Message Authentication Codes (MACs) are one of the symmetric-key primitives that provide integrity and authenticity of messages. A sender and a receiver first share a secret key and then use these algorithms to authenticate messages. There are mainly two ways to build MACs. One is using a block cipher, for example CBC-MAC or PMAC. The second one is using a hash function, for example HMAC and NMAC. Most of these MACs follow the Hash-then-PRF paradigm: a message is first processed by a universal hash function to produce a fixed-length string, say n bits, and this n-bit string is then processed by a fixed-input-length PRF to produce the final tag. One drawback of this paradigm is that when the internal outputs of the hash function collide, the output tags also collide, and this collision usually results in a forgery attack on the construction. The complexity of finding such a collision is 2^{n/2}, which is called the birthday bound, and so this is also called birthday-bound security. But birthday-bound security is not always enough in practice, especially when the MAC is instantiated with lightweight block ciphers such as HIGHT, PRESENT or GIFT, or with the legacy block cipher Triple-DES. These block ciphers have a short block size of 64 bits, so the birthday bound becomes 2^{32}, which is somewhat small and vulnerable in some applications.
For example, Bhargavan and Leurent have demonstrated a practical attack that exploits collisions in short block ciphers to break the security of the TLS and OpenVPN protocols. So to overcome the birthday-bound barrier, a class of MACs has been successively proposed, including SUM-ECBC, PMAC_Plus, 3kf9 and LightMAC_Plus. Interestingly, these MACs follow a similar structure, called Double-block Hash-then-Sum. This structure was abstracted by Datta et al. in 2019. Instead of using an n-bit hash function, these constructions use a 2n-bit hash function: a message is first processed by this 2n-bit hash function to produce two n-bit inputs to the block cipher, and then the two encrypted values are summed to produce the final tag. So the previous attack via internal collisions requires a complexity beyond the birthday bound.

Let's briefly recall the recent results for DbHtS MACs. Datta et al. proved that this generic framework achieves beyond-birthday-bound security, that is q^3/2^{2n}. And Leurent et al. proposed a forgery attack on these MACs with complexity 2^{3n/4}. So there is a gap between the provable bound and the attack complexity. Later, Kim et al. closed this gap and proved a tight security bound for this class of DbHtS MACs, that is q^{4/3}/2^n. At this stage, it seems the story of DbHtS MACs is reasonably complete. However, the above beyond-birthday-bound security only considers a single user, that is, it only considers an adversary attacking a single user. But in practice, the adversary can attack multiple users, distributing its queries among them adaptively as it chooses. This is particularly true for MACs, which are one of the most commonly used cryptographic algorithms in practice. MACs are a core element of real-world security protocols such as SSL, SSH and IPsec, and they have billions of daily active users on major websites.
So the question is how the number of users affects the security of MACs, and more concretely, can DbHtS MACs still achieve beyond-birthday-bound security in the multi-user setting? If we use the standard generic reduction for MACs from single-user security to multi-user security, which simply multiplies the single-user bound by the number of users, then the multi-user security of DbHtS MACs becomes something like uq^3/2^{2n}, or uq^{4/3}/2^n. Here u is the number of users and q is the number of queries. And if the adversary uses one query per user, then the bound becomes q^4/2^{2n}, or q^{7/3}/2^n. Then q is at most 2^{n/2} or 2^{3n/7}, which is still capped at the birthday bound or even worse than the birthday bound. So the security loss of this generic reduction is large, and a direct analysis of the multi-user security of DbHtS MACs is much desired.

Our contributions are mainly the following. We first propose a generic security framework in the multi-user setting for DbHtS MACs. There are two properties of this framework. The first one is that it has good usability: one only needs to prove that the hash part is ε1-regular and ε2-almost universal. Here ε1-regular means that the probability that the hash value equals a given string is small, and ε2-almost universal means that the probability that the hash values of two different strings collide is small. The second property is that it can achieve a high security level beyond the birthday bound. We also show the usability of the framework with applications to key-reduced variants of DbHtS MACs, including 2k-SUM-ECBC, 2k-PMAC_Plus and 2k-LightMAC_Plus, and prove that these MACs can still achieve beyond-birthday-bound security in the multi-user setting.
There is one remaining DbHtS MAC, called 2kf9, but for this one we cannot prove its security. Instead, we find a critical flaw in it. This construction was proved by Datta et al. at FSE 2019 to achieve beyond-birthday-bound security, but unfortunately we find that one query is enough to forge a tag. And we also show a birthday-bound attack on several variants of 2kf9.

This is the main theorem in our paper. Here, for simplicity, we assume H is 1/2^n-regular and 1/2^n-almost universal, and we also omit the small constant factors in all the terms. Here q is the number of MAC queries, p is the number of ideal-cipher queries, n is the block size, and k is the key length. As can be seen in our theorem, this bound is beyond the birthday bound with respect to both q and p, and moreover this bound is independent of the number of users, which can be as large as q. If we compare our bound with the generic reduction, for the generic reduction, that is q^4/2^{2n}, when q reaches the birthday bound 2^{n/2}, it becomes vacuous. While for our bound, when q equals the birthday bound 2^{n/2}, it is still reasonably small. More concretely, for a lightweight block cipher, the block size is 64 bits and the key length can be 128 bits. The birthday bound becomes 2^{32}, so the adversary would need to query 32 GB of data, and yet the terms relating to the local computation of the adversary, which is captured by the number of ideal-cipher queries, become pℓ/2^{160} + qp/2^{192} + p^2/2^{224}, which is small.

This is the security model in our proof. We want to mention here that our proof is done in the ideal cipher model. There are two main reasons why we choose this model.
The first one is that in the multi-user setting, we are particularly concerned with how the local computation of the adversary affects the security bound, which is captured by the number of ideal-cipher queries, and the standard model does not help here. The second one is that in the standard model, we usually model the block cipher as a PRP, which incurs a security loss, and this security loss is problematic in the multi-user setting. To go beyond the birthday bound in the standard model, it requires the key to be longer than n bits, while in the ideal cipher model, using n-bit keys is enough to go beyond the birthday bound for DbHtS MACs.

Let's give an overview of our proof. Our proof relies on the H-coefficient technique. We define two classes of transcripts, called good transcripts and bad transcripts respectively. For bad transcripts, the goal is to guarantee that for each user, at least one of the hash key and the block cipher key is fresh; to guarantee that for queries to the same user, at least one of the two inputs to the block cipher is fresh; and to guarantee that for queries to different users, if the block cipher key collides with other keys, then the input to this block cipher should be fresh. After that, the analysis of the bad events is relatively easy, and we defer the detailed proof to our paper.

We show the usability of our proof framework on three key-reduced variants of DbHtS MACs. As mentioned on the previous slide, we only need to prove that the hash part satisfies two properties, ε1-regular and ε2-almost universal. Here is the figure of 2k-SUM-ECBC. It uses two independent keys for the hash part, and the hash function is the combination of two CBC-MACs. So we simply need to prove that the CBC-MAC in the first part satisfies ε1-regular and ε2-almost universal, and similarly prove that the second part also satisfies ε1-regular and ε2-almost universal.
After that, we can apply our methodology to this construction and obtain beyond-birthday-bound security for this construction in the multi-user setting. This is our result in the paper.

For 2k-LightMAC_Plus, the hash function is a bit more complicated. The hash part is parallelizable, and field multiplication is also used in the second part of the hash function. But again, we can prove that the first part of the hash function satisfies ε1-regular and ε2-almost universal, and similarly that the second part satisfies ε1-regular and ε2-almost universal. But at this stage, we cannot directly apply our theorem to this construction. The caveat here is that the first part and the second part of the hash function use the same key, the yellow one in the figure. But in the theorem it is assumed that these two parts use two independent keys, so we additionally need to analyze the relationship between these two parts, which introduces another term, but it is still beyond the birthday bound. After that, we can apply our main theorem to this construction with this slight modification and obtain beyond-birthday-bound security in the multi-user setting.

We also show the application to 2k-PMAC_Plus. The hash function of 2k-PMAC_Plus is similar to that of 2k-LightMAC_Plus. It is parallelizable, and we also prove that the first part of the hash function satisfies ε1-regular and ε2-almost universal, and similarly that the second part satisfies ε1-regular and ε2-almost universal. Again, the first part and the second part of the hash function use the same key, so we also need to analyze the relationship between these two parts. After that, we can apply our main theorem to this construction with this slight modification, and prove that this construction is beyond-birthday-bound secure in the multi-user setting.

For the remaining key-reduced variant of DbHtS MACs, we cannot prove its security.
This construction was proved to achieve beyond-birthday-bound security in the single-user setting by Datta et al. But we find a simple attack: for any short message M with length less than n bits, which becomes a single block after padding, (M, 0) is always a valid forgery, and this invalidates the beyond-birthday-bound security result of the previous paper. One can check it very quickly for a single-block message: after the encryption by the first block cipher, the first input to the last block cipher and the second input to the last block cipher are the same, so the corresponding output tag will be 0. So this attack succeeds with probability 1, and it only requires one query.

We then try to fix 2kf9. Our first attempt is to use 1-bit domain separation on the last block cipher. This domain separation fixes the most significant bit of one input to be 0 and the most significant bit of the other input to be 1. But we find this domain separation does not work for 2kf9: for any two messages M1 and M2 that are both two-block messages, if the relation shown here holds between them, then the output tags collide, and finding such a pair (x, y) only requires birthday-bound complexity, so we can use this pair to construct a forgery. And if we use a more complicated operation, that is multiplying by 2 before the 1-bit domain separation, we find a similar birthday-bound attack still works; and if we use an even more complicated operation, that is multiplying by a constant in each block, just as in the case of 2k-PMAC_Plus or 2k-LightMAC_Plus, we find a similar birthday-bound attack still works.
The reason behind this flaw is that we can always find a relationship between the first input to the last block cipher and the second input to the last block cipher, that is, if the first inputs collide then the second inputs also collide; finding this collision requires birthday-bound complexity and usually results in a forgery attack. But note that such a relation does not exist in 2k-SUM-ECBC, 2k-PMAC_Plus or 2k-LightMAC_Plus. The reason is that for 2k-SUM-ECBC, the two inputs to the last block ciphers are produced using two independent block cipher keys, so they are independent of each other, and for 2k-PMAC_Plus and 2k-LightMAC_Plus, we can prove that the probability that such a relationship exists is very small.

Here comes our conclusion. We propose a beyond-birthday-bound secure multi-user proof framework for DbHtS MACs and prove that 2k-SUM-ECBC, 2k-PMAC_Plus and 2k-LightMAC_Plus still achieve beyond-birthday-bound security in the multi-user setting, and for the last one, 2kf9, we find a critical flaw in it and also show a birthday-bound attack on several variants of 2kf9. There is some interesting future work. The first one is: can we fix 2kf9 to go beyond the birthday bound? This question seems non-trivial, because as shown in our paper, using simple tricks cannot help 2kf9 to go beyond the birthday bound. The second one is whether we can improve the multi-user security of DbHtS MACs. Note that in the single-user setting DbHtS MACs can achieve 3n/4-bit security, but currently our proof can only achieve 2n/3-bit security, so whether we can improve the security bound of DbHtS MACs in the multi-user setting is an interesting question. Okay, that's all, and thanks for your attention. If you have any questions, you can just send an email to me. Thank you.
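The single-block forgery on 2kf9 that the speaker describes, reproduced as an added worked example (this is editor-written code, not code from the talk or the paper). The talk fixes only the structure: a CBC-style chain under the hash key produces two n-bit values, the last chaining value Σ and the XOR of all chaining values Λ, and the tag is E(Σ) ⊕ E(Λ). Here 3kf9 encrypts Σ and Λ under two independent keys K2, K3, and 2kf9 is modeled as the same construction with K2 reused for both calls; that modeling, the 64-bit block size, the 10* padding and the toy Feistel block cipher built on hashlib.blake2b are all assumptions of this example. The forged pair (M, 0) is produced without any key or oracle access, and the same pair is rejected by 3kf9 because its two finalization calls use independent keys.

```python
"""
Added example (editor's code, not from the talk or the paper): toy 2kf9 / 3kf9
to reproduce the single-block forgery on 2kf9 described in the talk.

Assumptions not fixed by the talk: n = 64-bit blocks, 10* padding, and a keyed
8-round Feistel network over hashlib.blake2b standing in for the block cipher.
2kf9 is modeled as 3kf9 with the finalization key K2 reused for both branches,
which is the structure the talk attacks (same key, same input -> tag 0).
"""
import hashlib
import hmac

N_BYTES = 8            # n = 64-bit block (assumed; the lightweight-cipher setting)
HALF = N_BYTES // 2
ROUNDS = 8


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round_fn(key: bytes, rnd: int, half: bytes) -> bytes:
    # Feistel round function: keyed BLAKE2b, round index mixed in via the salt.
    return hashlib.blake2b(half, digest_size=HALF, key=key,
                           salt=rnd.to_bytes(16, "big")).digest()


def encrypt(key: bytes, block: bytes) -> bytes:
    """Toy 64-bit block cipher (balanced Feistel). It is a permutation for any
    key, which is all the forgery relies on; it is NOT a real cipher."""
    assert len(block) == N_BYTES
    left, right = block[:HALF], block[HALF:]
    for r in range(ROUNDS):
        left, right = right, xor(left, _round_fn(key, r, right))
    return left + right


def pad10(msg: bytes) -> list:
    """10* padding: append 0x80, then zeros up to a block boundary.
    Any message shorter than n bits pads to exactly one block."""
    padded = msg + b"\x80"
    padded += b"\x00" * (-len(padded) % N_BYTES)
    return [padded[i:i + N_BYTES] for i in range(0, len(padded), N_BYTES)]


def f9_hash(k1: bytes, msg: bytes):
    """Double-block hash part of 3kf9/2kf9: y_i = E_K1(y_{i-1} XOR m_i);
    Sigma = y_l (last chaining value), Lambda = y_1 XOR ... XOR y_l."""
    y = bytes(N_BYTES)
    lam = bytes(N_BYTES)
    for block in pad10(msg):
        y = encrypt(k1, xor(y, block))
        lam = xor(lam, y)
    return y, lam


def mac_3kf9(k1: bytes, k2: bytes, k3: bytes, msg: bytes) -> bytes:
    """3kf9: Sigma and Lambda are encrypted under independent keys and summed."""
    sigma, lam = f9_hash(k1, msg)
    return xor(encrypt(k2, sigma), encrypt(k3, lam))


def mac_2kf9(k1: bytes, k2: bytes, msg: bytes) -> bytes:
    """2kf9 (key-reduced, as modeled here): both finalization calls use K2."""
    return mac_3kf9(k1, k2, k2, msg)


def verify(tag_fn, msg: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(tag_fn(msg), tag)


def forge_2kf9(msg: bytes):
    """Adversary side: no key, no oracle query. For a message shorter than n
    bits there is one padded block, so Sigma == Lambda == E_K1(pad(msg)) and
    E_K2(Sigma) XOR E_K2(Lambda) == 0 for every key pair."""
    assert len(msg) < N_BYTES, "attack needs a single padded block"
    return msg, bytes(N_BYTES)


def demo():
    # Constructed keys for the demo; the forgery works for any keys.
    k1 = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
    k2 = bytes.fromhex("101112131415161718191a1b1c1d1e1f")
    k3 = bytes.fromhex("202122232425262728292a2b2c2d2e2f")
    msg, forged_tag = forge_2kf9(b"hi")
    return {
        "forgery_accepted_2kf9": verify(lambda m: mac_2kf9(k1, k2, m), msg, forged_tag),
        "forgery_accepted_3kf9": verify(lambda m: mac_3kf9(k1, k2, k3, m), msg, forged_tag),
        # An n-bit message pads to two blocks: Sigma = y2, Lambda = y1 XOR y2,
        # which differ unless y1 == 0, so the zero tag no longer applies.
        "two_block_tag_is_zero": mac_2kf9(k1, k2, b"exactly8") == bytes(N_BYTES),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running the block shows the zero tag accepted by 2kf9 and rejected by 3kf9 for the same message and keys; the cipher can be swapped for any 64-bit block cipher without changing the outcome, since the flaw lives in the finalization structure rather than in the cipher.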