Hi everyone, my name is Tetsu Iwata and I will present our work on iterative block ciphers from tweakable block ciphers with long tweaks. This is a joint work with Ryota Nakamichi. A block cipher E is a mapping from a key space and an n-bit space into an n-bit space, and n is called the block length. We will write this as n-BC, and if we fix a key K, then E_K is a permutation of n bits. Construction of a secure and efficient block cipher is one of the most important problems in symmetric-key crypto, and in this work we continue studying this problem. More precisely, we are interested in provably secure constructions. A standard security notion is the strong pseudorandom permutation notion, or SPRP notion. In the real world, the adversary has access to the encryption oracle and decryption oracle of a block cipher. And in the ideal world, the adversary has access to a random permutation pi and its inverse permutation. The goal of the adversary is to distinguish the two cases, and we measure the success probability with this advantage function. Luby and Rackoff showed that the four-round Feistel cipher with n-bit pseudorandom functions is a strong pseudorandom permutation. This shows the four-round Feistel cipher, and they showed that for any adversary that makes q queries, the advantage is at most q squared divided by 2 to the n. This is called a birthday bound with respect to the input and output lengths of the underlying primitive. This bound requires q to be smaller than 2 to the n over 2, and it is natural to ask if there is a construction with a better security bound. A beyond-birthday-bound secure construction refers to a block cipher that remains secure even if the number of queries is greater than 2 to the n over 2. Previous analysis showed that if we increase the number of rounds in the Feistel cipher, then the construction has beyond-birthday-bound security.
A different approach of using a tweakable block cipher as a building block to construct a block cipher was initiated by Minematsu. Tweakable block ciphers are a generalization of block ciphers, and they take an additional input called a tweak. So a TBC tilde E has a tweak space T, and if T is the t-bit space, then t is the tweak length. And we will write this as (n, t)-TBC. If we fix a key K and a tweak T, then this becomes a permutation over n bits. TBCs are useful as they can be used to obtain encryption schemes, MACs, and authenticated encryption schemes. There are many constructions of a TBC based on block ciphers, including the LRW1 and LRW2 constructions and the XEX construction. As Minematsu did, we consider the opposite direction of constructing block ciphers from tweakable block ciphers. This makes sense as there are a number of recent proposals of TBCs as a primitive, and some of them are listed here, and we can obtain a block cipher with a large block length. There are several block cipher constructions from TBCs. Minematsu in 2009 constructed a 2n-BC from (n, n)-TBCs and universal hash functions. In 2010, Coron et al. constructed a 2n-BC from (n, n)-TBCs only. And in 2015, Minematsu constructed a dn-BC from (n, τn)-TBCs, where d is τ + 1 and τ is at least 1. In this work, we focus on iterative constructions of block ciphers, namely we focus on fixed-input-length keyed permutations, and we do not consider variable-input-length constructions. Also, we only consider the case that the block length of the obtained block cipher is a multiple of n bits. This shows the construction by Coron et al. This is a 2n-BC and it uses (n, n)-TBCs, where tilde P is the keyed TBC. They showed that with two rounds it has birthday bound security, and with three rounds it has beyond-birthday-bound security. I'd like to remark that they also considered the domain extender for the ideal cipher and presented the analysis in the indifferentiability setting in the ideal cipher model.
They also considered a more general setting of constructing tweakable block ciphers rather than block ciphers. This shows Minematsu's construction. It is a dn-BC and uses an (n, τn)-TBC, where d is τ + 1 and τ is at least 1. So it uses a TBC with long tweaks, and this figure shows the case where the tweak length is 2n bits, which gives a 3n-BC. The middle part has d rounds, and G1 and G2 are keyed permutations that satisfy certain combinatorial requirements. They can be non-cryptographic permutations like pairwise independent permutations, or they can also be cryptographic permutations, and d rounds can be used. Namely, we have d rounds in the middle, and G1 and G2 can also be the d-round construction. So we have d rounds here, d rounds in the middle, and d rounds here. So this gives us a 3d-round construction in total. Minematsu proved that the construction is secure if we use good G1 and G2. This table shows the summary so far. And in this work we have three results. In Theorem 1, we show that the security remains the same even if we reduce the number of rounds by two from Minematsu's construction. In Theorem 2, this l is a parameter between 1 and d − 1. And this shows that if the number of queries is at most 2 to the n, then beyond-birthday-bound security is achieved with as few as d + 1 rounds when l equals 1. And the security exponentially improves by adding rounds up to 2d − 1 rounds. Theorem 3 shows birthday bound security with d rounds, and there is a matching attack. So this bound is tight. Let me illustrate the implication with practical parameters. Assume that we use SKINNY with 128-bit blocks, 256-bit tweaks, and 128-bit keys, or a 384-bit tweakey, with r rounds, and assume that it is perfectly secure. Then we obtain a 384-BC with 128 × r-bit keys. If r is 9, then Minematsu's result shows this bound. And Theorem 1 shows that the bound remains the same with seven rounds.
Theorem 2 shows that we have the same security bound with five rounds, provided that q is at most 2 to the 128. Theorem 2 also shows that with four rounds, this still has beyond-birthday-bound security. And Theorem 3 shows birthday bound security with three rounds. We use Patarin's coefficient-H technique and its refinement by Chen and Steinberger in our security proofs. What we do is to partition all the transcripts that have non-zero probability in the ideal world into good transcripts and bad transcripts. Then we derive epsilon 1 from the ratio of the interpolation probabilities, and epsilon 2 from the upper bound on the probability of having a bad transcript in the ideal world. Then we obtain the upper bound on the advantage function. So let's look at Theorem 1, and when d is 3, we consider seven rounds. We have the first two rounds here, the next three rounds here, and the last two rounds here. We have S1, S2, S3, and S4, and these are internal variables. In the real world, we just compute the answer for a query following this figure, but we also leak these S1 through S4 to the adversary after making all the queries. In the ideal world, we use pi and its inverse to answer a query. So for an encryption query, we use pi to compute a ciphertext, and for a decryption query, we use the inverse of pi to compute a plaintext. To generate S1 through S4, we prepare dummy tweakable block ciphers. S1 and S2 are computed by using tilde P1 and tilde P2, just as in the real world. And we compute S3 and S4 by using tilde P6 and tilde P7. In the ideal world, we define that a transcript is bad if (S1, S2, S3) collides with the previous values of (S1, S2, S3), or if (S2, S3, S4) collides. These collisions cannot happen in the real world because this corresponds to these states and this corresponds to these states.
And since the construction is a permutation, we cannot have a collision. However, these collisions can happen in the ideal world. And we see that the bad event involves randomness of 3n bits. In the general case, we have these 2d − 2 internal variables. And we define that the transcript is bad if we have one of these d − 1 collisions. The bad event involves randomness of dn bits. And so we can show that the probability is at most this one, where 2 to the dn uses the fact that we have randomness of dn bits. We can also derive the lower bound on the ratio between the interpolation probabilities if the transcript is not bad. And we have this final bound from the coefficient-H technique. Now let's do Theorem 2, when d equals 3 and l equals 1. Then we have this four-round construction, and S1 is the only internal variable. In the ideal world, we compute S1 with dummy tilde P1 if the i-th query is an encryption query, and with dummy tilde P4 if the i-th query is a decryption query. So we switch the way to compute S1 depending on the direction of the query. In the ideal world, we define that the transcript is bad if we have one of these three collisions. This one corresponds to these states, this one corresponds to here, and this one corresponds to here. We can check that this one is impossible if the i-th query is an encryption query. And we can also check that the bad event involves randomness of 2n bits. In the general case, I will not describe the details, but the bad event involves randomness of (l + 1)n bits. With this, we obtain this bound on the probability of a bad transcript, where we rely on the condition on the number of queries. Then we can show the lower bound on the ratio between the interpolation probabilities, and we obtain this bound from the coefficient-H technique. Now, Theorem 3: it shows that with d equals 3, it has birthday bound security with three rounds.
In this case, we have this bound on the probability of a bad transcript, where we rely on the condition that q is at most 2 to the n to derive this bound. Then we can show the lower bound on the ratio between the interpolation probabilities, and we obtain this bound from the coefficient-H technique. In this case, there is no internal variable, and the proof is simpler than the other theorems. For the matching attack, we just make encryption queries with distinct M1 and fixed M2 and M3. So we fix M2 and M3, and we have differences in M1. And we see that C1 always takes distinct values in the real world, but it can collide in the ideal world. So there is a simple birthday attack. Now, let me conclude this presentation. We studied the security of iterative block cipher constructions that use tweakable block ciphers with long tweaks, and showed these three results. As open questions, we do not know if the condition on the number of queries can be removed from Theorem 2. The tightness of Theorems 1 and 2 is open, and we think generalization to enciphering schemes is an interesting question. Finally, the analysis in the indifferentiability framework would be interesting. And for this problem, we made some progress in this paper that will be presented at this FSE 2020. So please check it, and this is the end of this presentation. Thank you for watching.
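The iterative dn-BC construction and the Theorem 3 observation on C1, as an added example in Python; this is not code from the talk or from the paper's authors. It assumes the round structure the talk implies: in each round one n-bit block goes through the TBC with the remaining d − 1 blocks as the (d − 1)n-bit tweak, and the blocks rotate, so that the last d round outputs form the ciphertext and the earlier outputs are the internal variables S_i that the proofs release to the adversary. The TBC itself is a constructed stand-in, a four-round Feistel network with HMAC-SHA256 round functions keyed by the round key and the tweak, chosen only so the code runs offline; it is not SKINNY and is not the perfectly secure TBC the talk assumes. Keys and plaintext blocks are constructed sample values.

```python
import hmac
import hashlib

N = 16          # block length n in bytes (n = 128 bits)
HALF = N // 2   # Feistel half size for the stand-in TBC


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key: bytes, rnd: int, tweak: bytes, half: bytes) -> bytes:
    # Toy Feistel round function: HMAC-SHA256 over (round index, tweak, half),
    # truncated to one half. Binding the tweak here is what makes it a TBC.
    return hmac.new(key, bytes([rnd]) + tweak + half, hashlib.sha256).digest()[:HALF]


def tbc_encrypt(key: bytes, tweak: bytes, block: bytes) -> bytes:
    """Stand-in (n, t)-TBC (assumed toy, not SKINNY): 4-round Feistel on n bits,
    keyed by (key, tweak). For a fixed key and tweak it is a permutation."""
    assert len(block) == N
    l, r = block[:HALF], block[HALF:]
    for rnd in range(4):
        l, r = r, _xor(l, _f(key, rnd, tweak, r))
    return l + r


def tbc_decrypt(key: bytes, tweak: bytes, block: bytes) -> bytes:
    assert len(block) == N
    l, r = block[:HALF], block[HALF:]
    for rnd in reversed(range(4)):
        l, r = _xor(r, _f(key, rnd, tweak, l)), l
    return l + r


def round_outputs(round_keys, blocks):
    """Run the r-round iterative construction on d blocks and return the round
    outputs y_1..y_r. Round i encrypts the first block of the state under tilde P_i
    with the other d-1 blocks as the tweak, then rotates (assumed structure)."""
    state = list(blocks)
    outs = []
    for key in round_keys:
        y = tbc_encrypt(key, b"".join(state[1:]), state[0])
        outs.append(y)
        state = state[1:] + [y]
    return outs


def bc_encrypt(round_keys, blocks):
    """dn-BC encryption with r >= d rounds: the ciphertext is the last d round outputs."""
    d = len(blocks)
    assert len(round_keys) >= d
    return round_outputs(round_keys, blocks)[-d:]


def internal_variables(round_keys, blocks):
    """The S_1..S_{r-d} that the proofs leak to the adversary: outputs of rounds 1..r-d.
    For d = 3 and 7 rounds this is S1..S4; for d rounds there is none."""
    d = len(blocks)
    return round_outputs(round_keys, blocks)[:-d]


def bc_decrypt(round_keys, blocks):
    """Undo the rounds in reverse: the last state block is the newest round output."""
    state = list(blocks)
    for key in reversed(round_keys):
        x = tbc_decrypt(key, b"".join(state[:-1]), state[-1])
        state = [x] + state[:-1]
    return state


def first_block_is_injective_in_m1(round_keys, m2, m3, m1_values):
    """Theorem 3 observation for d = 3 and three rounds: with M2, M3 fixed,
    C1 equals S1 = P1^{(M2,M3)}(M1), a fixed-tweak permutation of M1, so distinct
    M1 always give distinct C1 in the real world (while a random permutation
    may collide in C1 after about 2^(n/2) queries)."""
    c1s = [bc_encrypt(round_keys, [m1, m2, m3])[0] for m1 in m1_values]
    return len(set(c1s)) == len(set(m1_values))


# Constructed sample round keys and plaintext blocks (not from the paper).
KEYS7 = [bytes([i]) * N for i in range(1, 8)]   # seven round keys for d = 3
M = [b"block-one-000000", b"block-two-000000", b"block-thr-000000"]

if __name__ == "__main__":
    c = bc_encrypt(KEYS7, M)
    print("ciphertext:", [x.hex() for x in c])
    print("internal S1..S4:", [s.hex() for s in internal_variables(KEYS7, M)])
    print("round trip ok:", bc_decrypt(KEYS7, c) == M)
```

Using `KEYS7[:3]` gives the three-round (d-round) instance of Theorem 3: `internal_variables` is then empty, matching the remark that the proof has no internal variable, and `first_block_is_injective_in_m1` returns True because C1 is just the first-round TBC output under the tweak (M2, M3).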