Welcome to our presentation of Highly Secure Nonce-Based MACs from the Sum of Tweakable Block Ciphers. This is joint work by Wonseok Choi, ByeongHak Lee and Jooyoung Lee from KAIST in South Korea, Akiko Inoue and Kazuhiko Minematsu from NEC, and Yusuke Naito from Mitsubishi Electric.

Message authentication codes (MACs) are symmetric-key algorithms that provide authenticity for messages. For this purpose, high efficiency, high security and nonce-misuse resistance are desirable. High efficiency, of course, reduces the computational effort. High security guarantees allow designers to lower the primitive size. Moreover, if nonces are present, they are an easy and effective means to extend the security guarantees. However, nonces may repeat accidentally during use, so the study of the security degradation when nonces repeat becomes important.

The combination of universal hashing with a few calls to a block cipher to produce a pseudorandom output is well known for its high efficiency. Examples of this construction are the well-known Hash-then-PRF construction and the Wegman-Carter-Shoup MAC. Tweakable block ciphers are also well suited for achieving these goals. Even small tweaks already help designers to achieve independence of the different permutations used in the scheme, which allows clean designs with easy domain separation. Larger tweaks can additionally be used to process more message input or to take the nonce for higher security.

At FSE 2017, Cogliati et al. presented four elegant nonce-based MACs from universal hashing and a single block cipher call. Two of the constructions possessed high security and employed a tweakable block cipher with an n-bit tweak. These were called Nonce-as-Tweak (NaT) and Hash-as-Tweak (HaT). NaT simply used the message hash as the input to the block cipher call and the nonce as the tweak.
Therefore, it achieved optimal security if no nonce repeated. However, its security degenerated to n/2 bits when nonces repeated up to 2^{n/2} times. On the other hand, HaT was stateless and deterministic. It replaced the nonce by a second independent hash of the message and therefore provided (n+t)/2-bit security independent of nonces. Nevertheless, it also did not have any security benefit from the use of nonces.

NaT and HaT pose the interesting research question of how one could strengthen them with minimal changes. Our goal was optimal security for nonce-respecting adversaries and as high a security as possible if nonces repeat. We wanted to extend the security of NaT when nonces are ignored. For HaT, our goal was higher security guarantees when nonces are respected.

We identified a few design principles that helped us on our way. In general, n-bit tags limit the security of a MAC to n bits, since the adversary can always simply guess the tag. Moreover, the sum of independent permutations is well known to provide up to n bits of security, so this construction would help us. When nonces are respected, using the nonce as a tweak in a TBC helps, since it transforms a tweakable block cipher into a PRF. When nonces repeat, on the other hand, there will be hash collisions after 2^{n/2} queries for an ideal single hash. Moreover, given two parameters, the nonce and the message, both of them must be input to the hash function. Finally, in many cases, the tweak size will not be larger than the block size. Since we need two hashes to overcome the birthday bound from collisions of a single hash, we also need two tweakable block cipher calls to process the hashes and the nonce. In conclusion, we propose two constructions for our purpose: NaT2 and extended HaT. Both are variants of the Double-block Hash-then-Sum construction.
However, we have a nonce that can be used to extend the security. Our first instance is NaT2. It sums two instances of NaT under independent keys; the nonce is therefore used as the tweak input to both tweakable block cipher calls. As a result, NaT2 preserves the optimal security of NaT when nonces are respected.

We can illustrate this as follows. The light curves represent the security of NaT and the bold curves that of our construction. For simplicity, we assume ideal primitives, a tweak size equal to the block size, and n = 64, just as an example. When nonces are respected, the security of both constructions is roughly identical and limited by the number of verification queries. In the middle, there are a few nonce-repeating queries, in the order of the square root of the total number of authentication queries. Then our construction provides n instead of 2n/3 bits of security, and even higher security for fewer verification queries. When finally all MAC queries use the same nonce, our construction still provides 2n/3-bit security, compared to n/2 for NaT. Moreover, given at most 2^{n/2} verification queries, we showed even a bound of 3n/4-bit security.

Our second proposal is called extended HaT. It adds the result of processing the nonce with an independent tweakable block cipher call to HaT. Furthermore, it hashes the concatenation of the nonce and the message instead of only the message. For general tweak lengths, our construction is stronger than HaT whenever nonces are not always misused, that is, whenever u is smaller than q. For HaT, the bound is limited by 2^{(n+t)/2} queries and does not profit from nonces at all. The security of extended HaT depends on the number of nonce-repeating MAC queries and on the number of verification queries. For 2^n verification queries, it also provides n-bit security.
For fewer verification queries, its security exceeds that of the original HaT construction. When the number of nonce-repeating MAC queries grows, our construction slowly approaches the original HaT. This means it still preserves HaT's original security but has benefits if the nonce does not repeat too often.

Our constructions both need more operations than the original NaT and HaT designs. Both need two tweakable block cipher calls instead of one; note that the second call may be performed in parallel to the first. NaT2 additionally needs twice the number of operations in the hash functions compared to the original NaT. Extended HaT additionally needs to process the nonce in the hash functions. Nevertheless, as we showed before, we believe our constructions are close to the minimum number of computations necessary to achieve our design goals.

In the following, we provide a few preliminaries for our security analysis. We define MAC security as the distinguishing advantage of telling apart two worlds. The real world consists of two oracles that wrap the real authentication and verification algorithms. The oracles of the ideal world always return random tags and always return the reject symbol, respectively. The adversary can ask at most q nonce-respecting and u nonce-repeating queries to the authentication oracle and at most v queries to the verification oracle.

The proof of NaT2 builds on Patarin's mirror theory. We also build upon the extension of mirror theory by Kim et al., whose work added inequalities to Patarin's theory. Our work extends theirs to show a 3n/4-bit security bound instead of 2n/3. Moreover, we employ the expectation method, a generalization of Patarin's H-coefficient technique. Mirror theory tries to derive a lower bound on the number of solutions of a system of equations. Such a system models all outputs from the sum of independent permutations.
Here, the equalities represent the authentication queries. Since an adversary shall also not be able to forge, the inequalities of such a system represent the relations that must not hold so that the worlds remain indistinguishable. These relations between values can also be represented as a transcript graph. The nodes are the outputs of the two independent permutations, collected into sets. The edges connect outputs, and a trail is a sequence of edges. Each edge carries a label consisting of a value that relates its two endpoints and a sign indicating whether it is an equality or an inequality. The sum of all edge-label values of a trail is defined as the label of the trail. Nice graphs will later represent a good transcript without bad events. We call a transcript graph nice if it is cycle-free, non-degenerate (that is, the sum of labels along a trail is not zero), and if two vertices connected by an equality edge are not simultaneously connected by an inequality edge. Given a nice graph, the extended mirror theory allows us to lower-bound the number of solutions for a random choice of variable assignments. In detail, the graph is decomposed into components of at least two edges, single-edge trails, and isolated vertices. In conclusion, the paper arrives at a bound in the order of q^4 / 2^{3n}. The details of the proof of that theorem can be found in our paper.

Let us come to the security analysis of NaT2. For both constructions, we use the H-coefficient method, and in particular the expectation method. This means we introduce a number of bad events and upper-bound the probability that they occur. Then, we consider the expectation of the ratio between the real- and ideal-world probabilities of transcripts that have no bad events. In the following, we study bad events where the distinguisher wins whenever they occur. For the bound on good transcripts, we make use of nice transcript graphs.
The graph is used to model the outputs of the permutations and their relations. In particular, the edges model the solutions under a fixed nonce value w. We consider four sets of bad events. First, collisions between nonce-repeating MAC queries, for example simultaneous collisions in both hash outputs or so-called alternating hash collisions. In sum, we arrive at the following bounds for those events, where we make use of a lemma by Nandi et al. for alternating hash collisions. Second, we consider partial collisions between nonce-repeating MAC queries where the tag is involved and obtain a second bound on those; the factor 2^n there results because we are in the ideal world, where two tags collide with probability 2^{-n}. Third, we consider collisions between nonce-repeating MAC queries and verification queries. Finally, we introduce a parameter L and upper-bound the probability that too many partial collisions occur in either U or V, that is, in the hash values. For good transcripts, we can now apply the mirror-theory bound from before to the ratio of the real- and ideal-world probabilities of nice transcript graphs. The proof details are a little involved, and we refer the interested reader to our paper. Finally, choosing an appropriate value of the parameter L, we arrive at the useful bound that we have already seen in the diagrams before.

A few quick notes on the analysis of extended HaT. This analysis was a little easier than that of NaT2 but still needed careful attention. We follow a similar strategy by applying the H-coefficient technique. We could split it into two proofs: one for the case where nonces are respected all the time and one for the case where they are not. For the former, we could apply a simpler proof for the Wegman-Carter-Shoup construction and arrived at a bound that upper-bounds the probability that A forges and the probability of a simultaneous collision in both hashes.
Under nonce misuse, we considered six bad events in total: collisions between MAC queries, collisions between a MAC query and a verification query in the hashes or the tag, and an upper bound on the event that too many values v occur. Therefore, we arrived at the following bound, which is in the order of n-bit security, assuming ideal hashing and ideal primitives, of course. The good transcripts could then be bounded by taking mostly the number of verification queries into account and adding this to our previously derived bound for bad transcripts. In total, instantiating the maximal number of collisions for a value v with a practical and appropriate value, we arrive at the following bound.

In summary, we proposed two highly secure nonce-based MACs. They took NaT and HaT by Cogliati et al. as a baseline and introduced conceptually simple changes. They possess almost full security in the nonce-respecting model and beyond-birthday-bound security in the nonce-repeating model. Neither NaT nor HaT could achieve both properties simultaneously. When nonces are respected, the security levels of our constructions are comparable to those of NaT and HaT, respectively. Moreover, for repeated nonces, the bounds of our constructions can be strictly stronger. NaT2 improves it from n/2 to 2n/3 bits, and even to 3n/4 bits if not too many verification queries are asked. Extended HaT can extend the security from (n+t)/2 to n bits. Future work could study the security of the constructions in the ideal-cipher model, search for matching distinguishers, or consider further mixed constructions. That was it. We thank you and are looking forward to your questions.
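The NaT and NaT2 constructions described in the talk, as an added example that is not code from the paper or its authors: it assumes a polynomial AXU hash over GF(2^64) for the hash H_L and a toy SHA-256-based Feistel network standing in for the ideal tweakable block cipher (both are assumptions of this example, and the keys and message are constructed sample values).

```python
import hashlib
import hmac

MASK, GF_POLY = (1 << 64) - 1, (1 << 64) | 0x1B  # x^64 + x^4 + x^3 + x + 1, irreducible over GF(2)

def gf_mul(a, b):
    """Carry-less multiplication in GF(2^64) reduced by GF_POLY."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> 64:
            a ^= GF_POLY
    return r & MASK

def poly_hash(hash_key, msg):
    """Polynomial AXU hash H_L(M) over 8-byte blocks plus a length block."""
    blocks = [int.from_bytes(msg[i:i + 8].ljust(8, b"\0"), "big")
              for i in range(0, len(msg), 8)] + [len(msg) & MASK]
    acc = 0
    for blk in blocks:
        acc = gf_mul(acc ^ blk, hash_key)
    return acc

def tbc_encrypt(key, tweak, block):
    """Toy TBC (assumption of this example, not for production): 4-round Feistel
    on 32-bit halves, round functions from SHA-256 keyed by (key, tweak, round)."""
    left, right = block >> 32, block & 0xFFFFFFFF
    for rnd in range(4):
        d = hashlib.sha256(key + tweak + bytes([rnd]) + right.to_bytes(4, "big")).digest()
        left, right = right, left ^ int.from_bytes(d[:4], "big")
    return (left << 32) | right

def nat_tag(key, hash_key, nonce, msg):
    """NaT: the nonce is the tweak, the message hash is the block input."""
    return tbc_encrypt(key, nonce, poly_hash(hash_key, msg))

def nat2_tag(keys, nonce, msg):
    """NaT2: XOR of two NaT instances under independent keys, same nonce tweak."""
    (k1, l1), (k2, l2) = keys
    return nat_tag(k1, l1, nonce, msg) ^ nat_tag(k2, l2, nonce, msg)

def nat2_verify(keys, nonce, msg, tag):
    expected = nat2_tag(keys, nonce, msg).to_bytes(8, "big")  # constant-time compare
    return hmac.compare_digest(expected, tag.to_bytes(8, "big"))

KEYS = ((b"k1" * 8, 0x0123456789ABCDEF), (b"k2" * 8, 0xFEDCBA9876543210))  # constructed
NONCE, MSG = b"\x00" * 7 + b"\x01", b"transfer 100 to account 42"            # constructed
```

Each NaT instance uses its own cipher key and hash key, so the two hash values and the two permutation outputs are independent, which is the sum-of-permutations structure the NaT2 bound relies on.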