Hi, I am Avijit Dutta, and I am going to present our work "Improved Security Bound of EWCDM and DWCDM". It is a joint work with Nilanjan Datta and Kushankur Dutta; we are all from the Institute for Advancing Intelligence, TCG CREST. This paper mainly studies different kinds of nonce-based MAC constructions. Therefore, we begin our talk with the popular nonce-based MAC construction known as the Wegman-Carter MAC. The Wegman-Carter MAC was proposed by Wegman and Carter. This MAC takes the message M, which is hashed through a hash function H_{K_h}, and the hash value is then randomly masked to generate the tag. To generate the random string, we apply a pseudo-random function on a distinct nonce. This MAC gives an optimal security bound. In particular, when all the nonces are distinct across different queries, it achieves an ε·q_v security bound, where ε is the almost-XOR-universal probability of the underlying hash function, and q_v is the number of verification attempts that an adversary can make. However, an inherent drawback of this construction is that if a nonce is reused even once, then the construction does not give any security. So the security of this construction is completely lost in the nonce-misuse scenario. To solve this problem, one natural solution was to encrypt the output of the Wegman-Carter MAC, and the resulting construction is known as the encrypted Wegman-Carter MAC. The security bound of this encrypted Wegman-Carter MAC is as good as that of Wegman-Carter. In particular, it gives the optimal security bound in the nonce-respecting setting, and additionally it gives beyond-birthday-bound security in the nonce-misuse setting. However, a pseudo-random function is rarely available in practice. Therefore, one can think of replacing this pseudo-random function with a pseudo-random permutation. Now, if you replace this pseudo-random function with a pseudo-random permutation, then the resulting construction will not give adequate security.
In particular, if you replace this F_K with a block cipher E_K, then in the nonce-respecting setting the security of the resulting construction drops down to the birthday bound. Because if you replace F_K with E_K, then an adversary can make q many queries where all the nonces in these queries are distinct and the message is the same. Therefore, all the q inputs to the second block cipher call will be distinct, and as a result all the tags that it obtains will also be distinct. Therefore, these q distinct tags can be distinguished from uniform random tags if the adversary can make at least 2^{n/2} queries. Therefore, the PRF security of the construction only gives birthday-bound security. As a possible remedy, one can think of instantiating this pseudo-random function with the popular sum of pseudo-random permutations, and we know that the sum of pseudo-random permutations is a very good PRF; in particular, it gives the optimal security bound. So if you replace the pseudo-random function F_K with the sum-of-PRPs construction, then the resulting construction gives the optimal security bound. But this construction requires three block cipher calls. Therefore we ask: can we reduce the number of block cipher calls? To answer this question, at CRYPTO 2016 Cogliati and Seurin proposed their construction, known as the Encrypted Wegman-Carter with Davies-Meyer (EWCDM) construction, in which the pseudo-random function of the EWC MAC is instantiated by the keyed Davies-Meyer construction as follows. This MAC gives 2n/3-bit MAC security in the nonce-respecting setting and n/2-bit security in the nonce-misuse setting. In this paper, Cogliati and Seurin conjectured that their construction is secure even if the adversary can make up to 2^n many queries in the nonce-respecting setting.
They also conjectured that if the two block cipher keys become identical, the construction still retains the same security in the nonce-respecting setting. That means that the single-keyed EWCDM construction retains 2n/3-bit security in the nonce-respecting setting. At CRYPTO 2017, Mennink and Neves proved the optimal PRF security of the EWCDM construction in the nonce-respecting setting. However, their security proof essentially relied on Patarin's general mirror theory technique, and the proof of the general mirror theory result by Patarin for the 2^n bound is still a matter of debate. In DCC 2018, Cogliati and Seurin acknowledged that proving the security of single-keyed EWCDM is very hard. Therefore we ask: can we design a nonce-based BBB-secure MAC with a single block cipher? At CRYPTO 2018, Datta et al. proposed their construction, known as Decrypted Wegman-Carter with Davies-Meyer (DWCDM). In this construction, notice that the second block cipher call of EWCDM is now replaced with the inverse of E_K. Therefore the construction essentially boils down to having a single block cipher key. The authors proved that their construction is 2n/3-bit MAC secure in the nonce-respecting setting and n/2-bit MAC secure in the nonce-misuse setting. However, their construction can only take 2n/3-bit nonces. That means the nonce space of the DWCDM construction was restricted to only 2^{2n/3} many possibilities. Moreover, the security proof of the construction essentially relied on a couple of assumptions on the underlying hash function. In particular, the underlying hash function needs to be 2^{-n}-regular, 2^{-n}-3-way regular, and 2^{-n}-almost-XOR-universal. In this paper, we ask: can we improve the security bounds of EWCDM and DWCDM? Because till now, what we have seen is that these two constructions are only about 2n/3-bit secure in the nonce-respecting setting.
Therefore, we study whether it is possible to improve the security bounds of these two constructions. To obtain the improved security bounds of these two constructions, we first discuss the extended mirror theory technique. In the extended mirror theory technique, we deal with a system of equations and non-equations. On the left-hand side of this figure, we can see a system of bivariate affine equations, and on the right-hand side there is a system of bivariate affine non-equations, and this system of equations and non-equations is defined over some number of variables. The goal of extended mirror theory is to lower bound the number of solutions to the system of equations and non-equations such that all the variables are distinct. We can view the system of equations and non-equations in terms of a graph, where we represent the set of variables as a set of vertices; that means all the variables are cast to a set of vertices. If two variables are associated with an equation, say p1 + p2 = λ, then we put a solid red edge, which is labelled and undirected, between the corresponding two vertices. Similarly, if two variables are associated with a non-equation, say p1 + p2 ≠ λ', then we put a dashed blue edge, which is also labelled and undirected, between the corresponding two vertices. So, for example, if we have an equation p1 + p2 = λ, then we put a solid red edge between the corresponding vertices v1 and v2 with label λ, and if we have a non-equation p1 + p2 ≠ λ', then we put a dashed blue edge between v1 and v2 with the corresponding label λ'.
As an example, we can see that we have a system of equations with p1 + p2 = λ1, and as a result we put a solid red edge between the vertices v1 and v2 with the corresponding label λ1, and we have another equation p1 + p3 = λ2, so we put another edge between the vertices v1 and v3 with the corresponding label λ2. Similarly, we may have a system of equations and non-equations, say p1 + p2 = λ1, and therefore we put an edge between vertices v1 and v2 with the label λ1. We have an equation p3 + p4 = λ2, therefore we put an edge between v3 and v4 with the label λ2, and we have a non-equation p2 + p3 ≠ λ3, and therefore we put an edge between the vertices v2 and v3, which is a dashed blue edge with the corresponding label λ3. So in this way we can cast a system of equations and non-equations to an equivalent graph. We say that a graph is bad if it satisfies any of the following three conditions. The conditions are: if the graph contains a cycle; if you take any path in the graph, say P, and sum up the labels of the edges involved in the path, and the sum is zero, then we say the graph is bad; and finally, if there is a cycle in the graph, say C, that involves exactly one non-equation edge (we denote this non-equation edge with a blue dashed edge). So if the cycle involves a non-equation edge, say e, then we consider the graph to be bad only if the label of that non-equation edge equals the sum of the labels of the path P, where P is basically C minus e. So C is the cycle and e is the non-equation edge. So if you consider the path P = C − e, take the sum of the labels of the edges involved in the path P, and that sum is assigned as the label of the non-equation edge, then we call the graph bad.
In this paper we have shown the extended mirror theory result for two types of graphs. The first type is a general graph and the second type is a bipartite graph. We have shown that for a fixed good general graph, the number of solutions to the associated system of equations and non-equations is at least (2^n)_s / 2^{n·q_m} times (1 minus some error term), where s is the number of vertices and q_m is the total number of edges. Here q_c is the total number of edges of the subgraph of the graph G which is generated by removing only the non-equation edges from G; so the generated subgraph, say G', is obtained from the graph G by deleting only the non-equation edges. Similarly, we have shown the following extended mirror theory result for a bipartite graph: for a fixed good bipartite graph, the number of solutions to the associated system of equations and non-equations is at least (2^n)_{s_L} · (2^n)_{s_R} / 2^{n·q_m} times (1 minus some error term), where s_L is the number of vertices of the left partition, s_R is the number of vertices of the right partition of the bipartite graph, and q_m is the total number of edges. Similarly, q_c is the number of edges of the subgraph generated from the graph G by deleting the non-equation edges, and here obviously q_v is the total number of non-equation edges present in the graph G. Now we briefly discuss what the H-coefficient technique is. The H-coefficient technique is a very powerful combinatorial tool which is used to bound the distinguishing advantage between two random systems.
So here we are assuming that these two random systems are basically these two algorithms, the signing algorithm and the verification algorithm, which are present in the real world, and in the ideal world we have two random systems, where the first one is a random function and the second one is the reject symbol, or ⊥ oracle. So here is an adversary, and the adversary interacts with the pair of oracles either in the real world or in the ideal world. If the adversary is interacting with the real world, then it has access to the signing oracle and the verification oracle; these two oracles are keyed oracles and the adversary does not have access to the key. If the adversary is interacting with the ideal world, then it is actually interacting with the random oracle and the ⊥ oracle. So if the adversary is interacting with the real world and it queries with the message m, then the signing oracle returns the corresponding tag, and if it interacts with the verification oracle, then the verification oracle says yes or no depending on whether the message-tag pair is valid or not.
In contrast, if it is interacting with the ideal world and it queries the random oracle with, say, message m, then the random oracle randomly samples the tag, and if it interacts with the ⊥ oracle with, say, a message-tag pair (m, t), then the ⊥ oracle always returns ⊥. The distinguishing advantage of this adversary A in distinguishing the real world from the ideal world is defined as follows, and to upper bound this advantage using the H-coefficient technique one needs to do the following three things: first, identify the bad transcripts; then upper bound the probability of the bad transcripts in the ideal world; and then, fixing a good transcript, lower bound the ratio of the real to ideal interpolation probability for that good transcript. In detail, we denote by X_re the probability distribution of the transcript induced in the real world, by X_id the probability distribution of the transcript in the ideal world, and by V the set denoted as the disjoint union of the two sets GoodT and BadT. So BadT is the set of all bad transcripts and GoodT is the set of all good transcripts. What is a transcript? A transcript is basically the summary of the interaction between the adversary and the oracle. Having defined this, we now state the main theorem of the H-coefficient technique, which says that if there exists a positive real number ε_ratio such that the ratio of the interpolation probabilities in the real world and the ideal world is lower bounded by 1 − ε_ratio, and there exists another positive real number ε_bad such that the probability that X_id belongs to the set of bad transcripts is upper bounded by ε_bad,
then we can upper bound the advantage of distinguishing these two random systems, real and ideal, by the sum of the two quantities ε_ratio and ε_bad. Okay, now using this H-coefficient technique we will prove the security bound of EWCDM. One can cast the evaluation of EWCDM to a system of equations and non-equations. In particular, we have this system of q_m many MAC equations and q_v many verification equations, and one can naturally cast this system of equations and non-equations to a corresponding graph, where λ_i is basically the sum of the nonce and the hash value of the message; similarly, λ'_i is the sum of the nonce and the hash value of the message, where N'_i and M'_i are the queried nonce and message in the verification query. Okay, now after this interaction is over, the transcript is generated, and we then partition this transcript into two sets, the bad set and the good set. We say that the transcript is bad if you take any two queries such that their t values collide and their λ values collide. Look at this equation: if you cast this equation in terms of a graph, then we will not get any cycle, because these nonces N1 and N2 are all distinct, right? So if you take any two equations and for these two equations their t values match and the corresponding λ values match, then since P1 is a permutation the nonce values must also match; but since we are proving this security in the nonce-respecting setting, this situation cannot arise in the real world. So this situation can only occur in the ideal world, and therefore that event distinguishes it from the random system, or from the ideal world. Therefore we take this event to be bad. Number two is that once we cast these equations in terms of a graph, it basically leads to different components, and we bound the size of the components.
In particular, we say that if the size of a generated component is at least q_m^{2/3}, then we call the transcript bad. And finally, if we have a forgery attempt such that the corresponding nonce and the tag collide and also the hash value collides, that means suppose an adversary queries with, say, N', T' and M' such that N' matches some previous query nonce, T' matches the corresponding obtained tag, and eventually the hash value of the message queried with the message M' has also collided; if these three things happen, then we say that the transcript is bad. So if the transcript is not bad, that means we have a good transcript, and if we have a good transcript then we can also generate a graph, and that graph will be a good graph. One can easily identify that the structure of a good graph will be something like this: it will be acyclic and the size of the components will be at most q_m^{2/3}, and therefore we can apply the mirror theory for this good graph; obviously one should note that these graphs are actually bipartite graphs. Therefore we can apply the mirror theory for bipartite graphs to lower bound the real interpolation probability. Next we come to the overview of the security proof of DWCDM. As we have written down the MAC equations and the verification equations for EWCDM, we can similarly write down the MAC equations and the verification equations for DWCDM. So again we have q_m many MAC equations and q_v many verification equations, and one can cast this system of MAC equations and verification equations in terms of a graph. Again we identify the bad graphs and the good graphs. We say that the graph is bad if any of the following conditions is satisfied.
The first condition says: if the component size of the MAC graph is at least 5; if it contains a cycle; if it contains a path of length 3 such that the label sum is 0; or if there is an edge in the MAC graph with label 0. There are some additional bad events. For example, if the MAC graph contains a cycle that includes a dashed blue edge. There are other additional bad events: for example, if we take two MAC queries such that their tags collide and their λ values also collide, or their nonces and tags collide and their λ values collide; the number of pairs of MAC queries such that their n values or their tag values collide is at least q_m^{2/3}; or there is a MAC query such that the tag is 0. If none of these bad events happen, then the corresponding transcript is good, and if you cast this transcript in terms of a graph, then we land up with these good graphs, and therefore we can apply the mirror theory for general graphs to lower bound the real interpolation probability for such good graphs. Next we look at some glimpses of bounding the bad events. First we bound the event that there is a component of size at least 5. If we have a component of size at least 5, then we have these many possibilities, and we have shown that the bound of this event is of the form (a power of q_m) / 2^{3n/4}, where q_m is the total number of edges of the corresponding graph. The second event is bounding a cycle in the MAC graph. In order to bound a cycle in the MAC graph we have these four possibilities. We will not have a cycle of length 5 because we have already bounded the event that the component size is at least 5; so if we have a component of size 5, that actually reduces to the first event, and we have shown that the bound of this event is the maximum of these.
The third event is bounding the MAC graph having a path of length 3 with label sum 0. We have these two possibilities, and for that again we have our desired bound. Next, bounding the MAC graph that contains a cycle which includes a dashed blue edge: that means we have a cycle, but that cycle includes exactly one non-equation edge, or dashed blue edge, and in this case we have categorized it into three steps. First, bounding self-loops and parallel edges: for a self-loop we have one possibility, and for bounding parallel edges we have the following two possibilities, and for each of these cases we have seen that the bound is in our desired range. Next we bound the triangles. For triangles we have the following three possibilities, and for each of them we have shown that the bound is again in our desired range; in particular, the bound is the maximum of q_v · ε_{3reg} and q_m / 2^{5n/4}. Finally we have the case of bounding the squares, because again we are essentially bounding the MAC graph which contains a cycle that includes a dashed blue edge. So we have this structure of a square, and we have the following three possibilities, and for that we have shown that the bound we have obtained is in our desired range. Note that we will not go beyond this, because if we go beyond this then that actually reduces to the possibility of a component of size at least 5. Okay, so finally we want to make a remark on how our proof is different from the original DWCDM proof. In the original DWCDM proof, the authors considered the system of equations as a graph in a different terminology: they represented a vertex as an equation, and they put an edge between two vertices if the corresponding equations share a variable.
But in our setting, what we have done is that we represent a vertex as a variable in the corresponding system of equations and non-equations, and we put an edge between two vertices if these two variables are associated by an equation. So if we cast their representation in terms of our terminology, then the corresponding bad events that were generated in the original DWCDM proof are the following: the induced graph contains a cycle; any component in the induced graph contains a path of length at least 3; and the induced graph contains a cycle that includes a non-equation edge. Whereas in our bad events, the induced graph contains a cycle, but the second condition is different: we are actually allowing a path of length at least 3 but not beyond 4. So here we are actually allowing that the path can be of length 3 or more than 3, but it should not go beyond 4. Moreover, the induced graph contains a cycle that includes a non-equation edge. Okay, so to conclude this talk, we have shown the 3n/4-bit security of EWCDM and DWCDM. In fact, the optimal security of these two constructions can be proven if you use the general result of Patarin's mirror theory, but again the correctness of the general result of mirror theory is not established yet. The proof of the optimal security of DWCDM requires the underlying hash to be KY's regular. So for EWCDM, if you want to prove the optimal security of EWCDM, then the almost-XOR-universal property of the underlying hash function is sufficient. But if you want to prove the optimal security of DWCDM, then you require this assumption that the underlying hash function should be KY's regular. And finally, one can improve the security bound of 1k-DWCDM from 2n/3 bits to 3n/4 bits using the same technique that we have employed in this paper. Thank you for listening to this talk, and if you have any query you can directly send an email to any one of us. Thank you.
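The graph casting used throughout the talk, as an added worked example that is not the authors' code or part of the paper: the "plus" in p1 + p2 = λ is XOR over n-bit strings, vertices are variables, solid edges are equations and dashed edges are non-equations. The badness check below implements the three conditions from the talk over the equation subgraph G' (in a cycle-free G' the label sum of the unique path between two vertices is the XOR of their potentials), a brute-force counter gives the exact number of distinct-valued solutions so it can be compared with the main term (2^n)_s / 2^{n·q_m} of the general-graph bound (with q_m taken here as the number of equation edges and the error factor ignored), and dwcdm_toy shows how DWCDM queries produce exactly such edges via P(N) ⊕ P(T) = N ⊕ H(M). The permutation, the hash and the sample queries are constructed for the demo; the toy hash is not an AXU hash and the 4-bit width is far too small for anything but illustration.

```python
"""Casting a system of bivariate XOR equations and non-equations to a graph,
checking the three badness conditions, and brute-forcing the solution count
that extended mirror theory lower-bounds (toy sizes only)."""
from collections import defaultdict
from itertools import permutations
import random


class XorSystem:
    """Vertices are variables; an edge (u, v, label) is an equation p_u ^ p_v == label
    (solid edge) or a non-equation p_u ^ p_v != label (dashed edge)."""

    def __init__(self):
        self.eq = []   # solid edges: the MAC equations
        self.neq = []  # dashed edges: the verification non-equations

    def equation(self, u, v, lam):
        self.eq.append((u, v, lam))

    def non_equation(self, u, v, lam):
        self.neq.append((u, v, lam))

    def vertices(self):
        return {x for u, v, _ in self.eq + self.neq for x in (u, v)}

    def _potentials(self):
        """DFS over the equation subgraph G' only. pot[v] is the XOR of the labels on
        the tree path from the component root to v, so for u, v in one tree component
        the label sum of their unique path is pot[u] ^ pot[v]. Edge ids make parallel
        edges and self-loops count as cycles."""
        adj = defaultdict(list)
        for idx, (u, v, lam) in enumerate(self.eq):
            adj[u].append((v, lam, idx))
            adj[v].append((u, lam, idx))
        comp, pot, has_cycle = {}, {}, False
        for root in sorted(self.vertices()):
            if root in comp:
                continue
            comp[root], pot[root] = root, 0
            stack = [(root, -1)]
            while stack:
                x, via = stack.pop()
                for y, lam, idx in adj[x]:
                    if idx == via:
                        continue
                    if y in comp:          # second way to reach y: a cycle in G'
                        has_cycle = True
                        continue
                    comp[y], pot[y] = root, pot[x] ^ lam
                    stack.append((y, idx))
        return has_cycle, comp, pot

    def is_bad(self):
        """Returns (bad?, reason) for the three conditions of the talk."""
        has_cycle, comp, pot = self._potentials()
        if has_cycle:
            return True, "cycle among equation edges"
        seen = {}  # (component, potential) -> vertex
        for v in comp:
            key = (comp[v], pot[v])
            if key in seen:  # an equation path with label sum 0 forces p_v == p_seen
                return True, f"path {seen[key]}..{v} has label sum 0"
            seen[key] = v
        for u, v, lam in self.neq:  # cycle = dashed edge + equation path, same label
            if comp[u] == comp[v] and (pot[u] ^ pot[v]) == lam:
                return True, f"non-equation {u}^{v}!={lam} closes a bad cycle"
        return False, "good"

    def count_solutions(self, n):
        """Exact number of assignments of pairwise distinct n-bit values satisfying
        every equation and non-equation (exponential; toy n and few variables only)."""
        names = sorted(self.vertices())
        count = 0
        for vals in permutations(range(2 ** n), len(names)):
            p = dict(zip(names, vals))
            if all(p[u] ^ p[v] == lam for u, v, lam in self.eq) and \
               all(p[u] ^ p[v] != lam for u, v, lam in self.neq):
                count += 1
        return count


def mirror_main_term(n, s, q_m):
    """(2^n)_s / 2^{n*q_m}: leading term of the general-graph bound for s vertices
    and q_m equation edges (the error factor 1 - eps is not computed here)."""
    falling = 1
    for i in range(s):
        falling *= 2 ** n - i
    return falling / 2 ** (n * q_m)


def example_from_talk(lam1=1, lam2=2, lam3=4):
    """p1^p2 = lam1, p3^p4 = lam2, p2^p3 != lam3: the three-edge example of the talk."""
    system = XorSystem()
    system.equation("p1", "p2", lam1)
    system.equation("p3", "p4", lam2)
    system.non_equation("p2", "p3", lam3)
    return system


def dwcdm_toy(n, queries, seed=7):
    """Toy DWCDM: a random n-bit permutation P stands in for E_K and a constructed
    (insecure) keyed hash for H. Tag T = P^{-1}(P(N) ^ N ^ H(M)), hence
    P(N) ^ P(T) = N ^ H(M) = lam: each MAC query is the edge (N, T, lam)."""
    rng = random.Random(seed)
    perm = list(range(2 ** n))
    rng.shuffle(perm)
    inv = {y: x for x, y in enumerate(perm)}
    kh = rng.randrange(1, 2 ** n)

    def h(msg):  # toy hash for the demo only, not an AXU hash
        acc = 0
        for b in msg:
            acc = (acc * kh + b) % 2 ** n
        return acc

    system, tags = XorSystem(), []
    for nonce, msg in queries:
        lam = nonce ^ h(msg)
        tag = inv[perm[nonce] ^ lam]
        tags.append(tag)
        system.equation(nonce, tag, lam)
    # the real permutation is one solution of the cast system by construction
    consistent = all(perm[u] ^ perm[v] == lam for u, v, lam in system.eq)
    return tags, system, consistent


if __name__ == "__main__":
    s = example_from_talk()
    print(s.is_bad(), s.count_solutions(4), mirror_main_term(4, 4, 2))
    print(dwcdm_toy(4, [(0, b"a"), (1, b"bc"), (2, b"a")])[::2])
```

For the talk's example with labels 1, 2 and 4 over 4-bit values, the graph is good, the brute-force count is 176, and the main term (2^4)_4 / 2^{4·2} is about 170.6, so the count sits within a few percent of the bound's leading term. Changing λ3 so that it equals λ1 ⊕ λ2 shows the non-equation becoming redundant, and building a triangle of equations, a two-edge path with equal labels, or a dashed edge whose label equals the path sum triggers each of the three bad conditions in turn.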