Hi, my name is Mikhail Kudinov, and I'm going to present a joint work with Andreas Hülsing on recovering the tight security proof of SPHINCS+. In the talk, we are going to discuss SPHINCS+, which is a hash-based signature scheme. The scheme was recently chosen by NIST for standardization as a post-quantum alternative for signatures. One of the arguments was that SPHINCS+ is a conservative and safe choice. During the NIST process, a flaw in the proof of security was found, so in this talk, we will focus on recovering the security proof of SPHINCS+.

The problem was in the part that proved WOTS+ security. WOTS+ is a one-time signature scheme that is used as a building block for SPHINCS+. The flaw didn't lead to an attack; there was a non-tight proof that was still applicable. Using that proof would lead to a less efficient scheme, since around 60 bits of security would have been lost for the proposed set of parameters. In SPHINCS+, WOTS+ is used to sign some internal parts of the scheme, so the key observation that helps to fix the proof is that the adversary has no control over those internal parts. So we could prove the security of WOTS+ in a weaker model. This model forces the adversary to make signature queries before he gets the public key. In our work, we get a new proof for the WOTS+ signature scheme and show how to integrate this new proof in the security proof of SPHINCS+. This way, we obtain a new tight proof for SPHINCS+ without changing the scheme. The proof for other parts of SPHINCS+ did not change.

In SPHINCS+, the hashing is done with so-called tweakable hash functions. They take three inputs, a public parameter, a tweak, and a message, and output a digest. The public parameter is a bit string that is a part of the SPHINCS+ public key. This input is the same for every tweakable hash function call in the scheme and helps to obtain multi-user security.
The second input, the tweak, is different for every hash function call in the scheme. Anyone can determine the tweak that is needed for a particular function evaluation, but the main point is that all of the tweaks are different. This can be viewed as a nonce. This is done to mitigate multi-target attacks. We have a lot of hash function calls in SPHINCS+, and if we did all of that with one function, finding a preimage for at least one target would be much easier in this case. Having tweaks allows us to separate these calls from each other.

In our paper, we also update the status of two security properties of the tweakable hash functions. To justify using non-standard properties, one should analyze how hard it would be to break those properties for a random function. We analyze this case against quantum adversaries for multi-target target collision resistance and multi-target undetectability. This is then used to evaluate concrete parameters for the scheme.

Another important thing to look at is how to construct tweakable hash functions from keyed hash functions. SPHINCS+ proposes two constructions, which are presented on this slide, and we analyzed what the requirements for the keyed hash functions are so that the resulting tweakable function will have the needed properties. Since the original SPHINCS+ proof didn't require preimage resistance or undetectability, we complete this part in our paper.

In the full talk, we give a brief explanation of the SPHINCS+ signature scheme and provide more details about the flaw and how we fixed it. We also discuss the analysis of hash function properties and state the possibilities for future research. We will be waiting for you at our talk.
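The following is an added illustration of the tweakable-hash interface described in the talk (public parameter, tweak, message in; digest out), written for this page and not taken from the speakers' paper or the SPHINCS+ reference code. It models the two constructions the talk refers to on the abstract pattern of the SPHINCS+ specification's "simple" variant, H(P || T || M), and "robust" variant, H(P || T || (M xor MGF(P || T))), with SHA-256 as the keyed hash and MGF1 as the mask generator; the block-size padding of the public parameter and the 32-byte address format the real scheme uses for tweaks are simplified away, and the 4-byte counter tweaks are an assumption made for the demo. The helper at the end shows the property the talk stresses: the same message hashed under distinct tweaks yields distinct, unrelated digests, so every call in the scheme is a separate target rather than one shared one.

```python
import hashlib
import math

# Digest length in bytes (SHA-256). In SPHINCS+ the security parameter n
# selects this; the padding of P to the hash block size is omitted here.
N = 32


def keyed_hash(data: bytes) -> bytes:
    """The underlying (keyed) hash function; SHA-256 stands in for it."""
    return hashlib.sha256(data).digest()


def mgf1(seed: bytes, length: int) -> bytes:
    """MGF1 mask generation (RFC 8017 style) built on SHA-256:
    concatenate SHA-256(seed || counter) for counter = 0, 1, ... and truncate."""
    out = b""
    for counter in range(math.ceil(length / N)):
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
    return out[:length]


def th_simple(pub_param: bytes, tweak: bytes, message: bytes) -> bytes:
    """'Simple' construction (assumed form): hash the concatenation P || T || M."""
    return keyed_hash(pub_param + tweak + message)


def th_robust(pub_param: bytes, tweak: bytes, message: bytes) -> bytes:
    """'Robust' construction (assumed form): mask M with MGF1(P || T) before
    hashing, so the hash input depends on P and T even when M is chosen by
    the adversary."""
    mask = mgf1(pub_param + tweak, len(message))
    masked = bytes(m ^ k for m, k in zip(message, mask))
    return keyed_hash(pub_param + tweak + masked)


def tweak_separated_digests(pub_param: bytes, message: bytes, n_calls: int,
                            th=th_simple) -> list:
    """Hash one message under n_calls distinct tweaks (a 4-byte counter stands
    in for the scheme's per-call address). Each result is a separate target."""
    return [th(pub_param, i.to_bytes(4, "big"), message) for i in range(n_calls)]


if __name__ == "__main__":
    # Constructed sample values, not from any real key.
    P = bytes(range(N))          # public parameter, part of the public key
    M = b"\x00" * N              # a message every chain in the scheme might hash
    digests = tweak_separated_digests(P, M, 8)
    print("distinct digests under 8 tweaks:", len(set(digests)))
    print("simple :", th_simple(P, b"\x00" * 4, M).hex())
    print("robust :", th_robust(P, b"\x00" * 4, M).hex())
```

Note that with a single untweaked hash, `tweak_separated_digests` would collapse to eight copies of one value, which is exactly the multi-target situation the tweak is there to prevent: a single preimage would then serve for every call.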