So welcome to the first session of this afternoon. This is a session on provable security. We'll have three talks in this session. The first talk is "Attacks and Security Proofs of EAX-Prime", and the paper is by Kazuhiko Minematsu, Stefan Lucks, Hiraku Morita, and Tetsu Iwata.

Thanks for the introduction. This is joint work with Stefan Lucks, Hiraku Morita, and Tetsu Iwata. The topic is authenticated encryption. It is a symmetric-key function that combines authentication and encryption, and it protects the plaintext from unauthorized use and prevents forgery attacks. Actually, as we discussed in the invited talk, it has been widely used in practice: we have many protocols operating on the internet, and many examples of storage and mobile and satellite communication using AE. In this talk, I'd like to study the security of EAX-Prime (EAX'), which is an AE mode based on the standard block cipher AES. It is defined in ANSI C12.22, which is designed as a communication protocol for the smart grid and smart meters. The same specification also appears in several other standards, and finally it was proposed to NIST in 2011 for inclusion in a Special Publication. We already see some real products implementing ANSI C12.22: some smart meters and their management systems. As the name suggests, EAX' is derived from the EAX mode of operation, which was developed by Bellare, Rogaway, and Wagner at FSE 2004. The original EAX has a proof of security based on the standard assumption on the underlying block cipher. EAX' is a modified version of EAX, and the designers of EAX' claim that there are some optimizations to reduce the number of block cipher calls and the memory consumption. However, there is no published formal security analysis to date.
In this talk, I'd like to show that the security of EAX' is sharply separated with respect to the length of an input variable called the cleartext. The first result is that when the cleartext is only one block, i.e. at most 128 bits in the standard setting, we can mount effective attacks to perform forgery and plaintext distinguishing, and even plaintext recovery in some special scenario. On the positive side, we also show that when the cleartext is more than one block, more than 128 bits, EAX' recovers the proof of security based on the standard assumption on the underlying block cipher.

The original EAX encryption is shown here. As you can see, there are three input variables: N is the nonce, M is the plaintext, and H is the header. The global structure is encryption plus authentication, where the encryption is performed by counter mode and the authentication is done by CMAC. There are three CMAC variants, CMAC 0, CMAC 1, and CMAC 2, and to generate these variants the CMAC is tweaked. In the case of EAX', the structure is here. Now there are only two input variables. The nonce N is renamed to the cleartext, which combines the nonce and the header, so it must be unique and it conveys some header information. There are also some other differences. For example, the counter mode is renamed to the CTR' mode encryption; in this mode, some bits of the initial counter value are set to 0 to suppress carry propagation in the implementation. And the most important thing is that there are only two variants of the tweaked CMAC, with a different method of tweaking. The tweaked CMAC of EAX' has two versions, CMAC-D and CMAC-Q, and they are actually slightly more efficient than the original version of tweaked CMAC in EAX.
However, this makes our attacks possible. Let me briefly describe the original CMAC, which is a NIST standard. It is CBC-MAC with additional masking of the last block using the values 2L or 4L, where L is the encryption of the all-zero n-bit block, 2L is the doubling of L in GF(2^n), and 4L is L doubled twice. They are used here, depending on the length of the last block. In the case of EAX, the tweaking method is quite simple. We need three variants, so we prepare three n-bit tweak values, namely the n-bit encodings of 0, 1, and 2, and the tweak is prepended to the message before computing CMAC. So it looks like this, and you can see that this value can be precomputed and used as an initial masking value. For EAX', the tweaking method is different, and we only need two variants. The tweaks are called D and Q, where D means 2L and Q means 4L, and we use these values as the initial masking depending on the tweak. As you can see, D means 2L and Q means 4L, so the set of initial masking values and the set of final masking values are the same. This makes it easier to mount some attacks, and allows us to distinguish the D and Q functions from independent functions. If the input is only one block, for example CMAC-D accepting an input block of n bits, then the initial masking and the final masking values are the same, so they cancel, and the output is E_K(M1). In the case of CMAC-Q with an input shorter than n bits, it applies some padding, and the initial masking and the final masking values are again the same, so they cancel, and the output is the encryption of the padded input. So by choosing M1 and M2 to satisfy this condition, the two outputs are the same, which would be quite unlikely if these two functions were independent PRFs. Based on this fact, we can mount various attacks. The first is a forgery attack, which is quite simple.
We first prepare N and C satisfying this relationship, just as in the previous example, and set the fake tag to the all-zero value. I forgot to mention that there is a final tag truncation to 32 bits, so the tag is 32 bits of zeros. If we mount this attack, these values are the same, so they cancel, and the tag is always all zero, so the query is always accepted as valid. This attack requires no encryption query, so it is quite practical. As a result, the decryption oracle is forced to output a random-looking plaintext; even if it is random, whether or not it fits the real protocol, it is accepted as valid. This may give rise to speculation about further possible attacks. We can also consider some variants of the attack having different lengths for N and C. For the distinguishing attack, the situation is almost the same. We first perform one encryption query with an n-bit cleartext and the empty string as the plaintext, and then check whether the tag in the response is the all-zero value or not. This attack is again almost always successful, unless the random oracle accidentally returns the same all-zero value. We can extend this attack slightly, even if the message is not empty but has a quite short length. Finally, the attack can be extended to plaintext recovery in some restricted scenario. It is the scenario where Alice and Bob share the secret key, and the adversary taps the encrypted communication and gets (N*, C*, T*). We assume that the adversary can ask any other triplet (N, C, T) to Bob, seeing him as a decryption oracle. So here we target the encrypted message, and the goal is to find some partial information of M*. If N* is n bits and C* is shorter than n bits, then we first do the forgery attack described before with these values and the all-zero tag. As I described, the forgery attack is always successful.
The decryption oracle returns the plaintext, which allows us to derive the keystream used for this cleartext value. As this cleartext value is used in the wiretapped communication, we can recover M* by computing this formula, taking the XOR sum. I would like to mention that even if C* has more than n bits, not shorter than n bits, this attack still recovers the first n bits of M*, the length of the C used in the attack, which means that in effect at most one block, the first block of M*, can be recovered. And this attack always works. So these are the attacks we found.

A natural question might be whether these attacks are applicable to the real protocol, to real devices operating ANSI C12.22. Unfortunately, we have no clear answer for now. We searched some of the documents, but found no clear answer. In fact, I asked my company's engineers whether we have some ANSI C12.22 devices using this protocol, but unfortunately my company has no such product. What matters is whether the cleartext length is checked in any way, and whether ANSI C12.22 allows a one-block cleartext at all, for both encryption and decryption queries; the encryption query is the essential thing.

Another natural question is whether EAX' is secure if the cleartext is always more than n bits. In the following, I'd like to show that this is true. The problem setting is here, which is quite standard: the adversary can query the encryption oracle and the decryption oracle. The important thing is that in both queries the cleartext has to be at least two blocks, meaning it is always more than n bits. Any encryption queries are allowed, provided the cleartext is unique, which means nonce-respecting, but we have no limitation on the decryption queries. So any cleartext used in an encryption query can be used in a decryption query.
The security notion is here, which is again quite standard. We consider two standard security notions: privacy, meaning that the ciphertext has to be indistinguishable from random, and authenticity, meaning that no successful forgery is found. The results are here. We obtain the security bounds, and these bounds consider the maximum advantage of the adversary when the internal block cipher is a random permutation. The final term is parameterized by tau, the tag length in bits, and in EAX' tau is 32. As you can see, these bounds are quite standard-looking, birthday bounds with respect to the amount of queries used by the adversary on the block cipher. The proof strategy is here. First, we redefine EAX' as a mode of OMAC-extension, which is a pair of functions denoted OMAC-e[0] and OMAC-e[1]. We then prove that OMAC-e is indistinguishable from a pair of independent random functions, which is the most technical part. The final step is proving the security of EAX' with a perfect OMAC-extension, i.e. a pair of random functions. The overall proof follows the original EAX proof by Bellare, Rogaway, and Wagner, with some extensions taken from the OMAC proof by Iwata and Kurosawa. OMAC-e[0] is here, which uses an n-bit random permutation and an additional random masking value U. It computes the CMAC-D tweaked version and the keystream computation of CTR', which is here, and the important thing is that the input is always more than n bits. OMAC-e[1] computes CMAC-Q, but again we use the same masking value U as in OMAC-e[0]. It is easy to observe that this function pair OMAC-e can simulate EAX' for both encryption and decryption.
As you can see, this U value does not appear in the original EAX' computation, but in the tag computation we only need the sum of this value and this value, so U is always canceled, so it is not a problem. I would like to mention that this use of U is missing in the current pre-proceedings version of the proof, so it contains a bug. We have already fixed it, so the forthcoming proceedings version will contain the corrected proof. Then we need to prove that the OMAC-extension is indistinguishable from a pair of random functions. To do this, we introduce some helper random variables which are always canceled in the real computation of the OMAC-extension, and decompose it into a set of ten functions, Q1 to Q10, which involve the helper random variables in their computation. We then prove that these functions are indistinguishable from a set of random functions, even if they are independently accessed. This is a proof technique that appears in the OMAC proof. The final step is here, which is quite standard, and I skip it.

Finally, we have to discuss how to fix the flaw of EAX'. To do so, we do not want to change the algorithm of EAX', as there are already deployed working modules. The first method, the simplest, is to prepend an n-bit constant to the cleartext and use it as the new cleartext. The second method is to use two block cipher keys, K and K'. E_K is used for cleartexts of more than one block, and otherwise we use E_K', which prevents the attack. These two keys should basically be independent, but if we pay enough attention to avoid related-key attacks, K' could be generated from K XORed with some constant. The third method, which is almost the same as the second, is to use a tweakable block cipher using an additional independent n-bit key L. E_K is used for cleartexts of more than one block,
and in the other case we use E_K masked with L, as shown here, which prevents the attack. Each method has its own drawbacks with respect to efficiency and security, so it is hard to determine which is the best in all situations; it may depend on the real protocol.

I would like to finish my talk with the lessons learned from this study. First, a seemingly small change can result in fatal consequences. I guess this is a repeated problem in real-world cryptography, but here it is again. The second point is that CMAC is one PRF, so generating multiple PRFs from one CMAC function is sometimes dangerous and we need care; in that respect, the original EAX's tweaking method is a simple and secure one. The third point is that the cleartext length check is an important security rule: our proof shows that this length check is sufficient for a secure implementation of EAX', which might be a useful guide for security. That's the end of my talk. Thank you.

Thanks very much. Any questions or comments?

Is it possible to define some general properties of the tweaking methods for CMAC?

Yes, it may be possible, but we would first have to define which class of tweaking methods we consider, and then define, within that class, what properties are required of the masking values. So it is possible, perhaps as future work.

Okay, if not, let's thank the speaker again.
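The following is an added example, not code from the talk, the paper, or the ANSI C12.22 specification. It models the parts of EAX' that the attacks touch (the D/Q tweaked CMAC, CTR', the 32-bit tag) and runs the forgery, the distinguishing attack, and the plaintext-recovery attack against a one-block cleartext. Assumptions made here: the tag is the first 32 bits of CMAC'_D(N) XOR CMAC'_Q(C); CTR' is modelled by clearing two fixed counter bits (the positions chosen are an assumption and are irrelevant to the attacks, which only need encryption and decryption to agree); strings are byte strings, so the recovery attack's C' = unpad(N*) needs N* to end in 0x80 followed by zero bytes, whereas with the standard's bit-level CMAC padding any nonzero N* can be written as C'||1||0*; AES-128 is used when the `cryptography` package is installed, otherwise a clearly marked toy permutation stands in, since the collision holds for any block cipher E_K.

```python
"""EAX' one-block-cleartext attacks (constructed example, not the paper's code)."""
import hashlib

N_BYTES = 16                 # n = 128 bits
TAG_BYTES = 4                # tau = 32 bits, as in EAX'
MASK_128 = (1 << 128) - 1


def xor(a, b):
    # XOR truncated to the shorter operand.
    return bytes(x ^ y for x, y in zip(a, b))


def double(block):
    # Multiplication by x in GF(2^128) with the CMAC polynomial x^128+x^7+x^2+x+1.
    v = int.from_bytes(block, "big") << 1
    if v >> 128:
        v ^= 0x87
    return (v & MASK_128).to_bytes(N_BYTES, "big")


def pad(m):
    # CMAC 10* padding of a partial block, at byte granularity here.
    return m + b"\x80" + bytes(N_BYTES - len(m) - 1)


def unpad(block):
    # Inverse of pad(): the block must end in 0x80 followed by zero bytes.
    stripped = block.rstrip(b"\x00")
    if not stripped or stripped[-1] != 0x80:
        raise ValueError("cleartext is not a byte-level padding of a shorter string")
    return stripped[:-1]


try:
    # AES-128 if the third-party `cryptography` package is available.
    from cryptography.hazmat.backends import default_backend
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

    def block_encrypt(key, block):
        enc = Cipher(algorithms.AES(key), modes.ECB(), backend=default_backend()).encryptor()
        return enc.update(block) + enc.finalize()
except ImportError:
    # Hypothetical stand-in: a 4-round Feistel keyed permutation (NOT a secure
    # cipher). The attacks are structural and do not depend on which E_K is used.
    def block_encrypt(key, block):
        left, right = block[:8], block[8:]
        for rnd in range(4):
            left, right = right, xor(left, hashlib.sha256(key + bytes([rnd]) + right).digest()[:8])
        return left + right


def cmac_prime(key, tweak, msg):
    """EAX' tweaked CMAC: the tweak mask (D = 2L or Q = 4L) is XORed into the first
    block, and the plain CMAC final mask (D if the last block is full, Q if padded)
    into the last one. Both mask sets are {2L, 4L}; that is the flaw."""
    L = block_encrypt(key, bytes(N_BYTES))
    D = double(L)
    Q = double(D)
    first_mask = D if tweak == "D" else Q
    if msg and len(msg) % N_BYTES == 0:
        blocks = [msg[i:i + N_BYTES] for i in range(0, len(msg), N_BYTES)]
        last_mask = D
    else:
        full = len(msg) - len(msg) % N_BYTES
        blocks = [msg[i:i + N_BYTES] for i in range(0, full, N_BYTES)] + [pad(msg[full:])]
        last_mask = Q
    y = bytes(N_BYTES)
    for i, block in enumerate(blocks):
        x = xor(y, block)
        if i == 0:
            x = xor(x, first_mask)
        if i == len(blocks) - 1:
            x = xor(x, last_mask)
        y = block_encrypt(key, x)
    return y


def ctr_prime_keystream(key, nmac, length):
    # CTR' keystream from the cleartext MAC; two counter bits are cleared to model
    # the carry suppression (bit positions are an assumption of this example).
    ctr = int.from_bytes(nmac, "big") & ~((1 << 31) | (1 << 63))
    nblocks = (length + N_BYTES - 1) // N_BYTES
    ks = b"".join(block_encrypt(key, ((ctr + i) & MASK_128).to_bytes(N_BYTES, "big"))
                  for i in range(nblocks))
    return ks[:length]


def eax_prime_encrypt(key, cleartext, plaintext):
    nmac = cmac_prime(key, "D", cleartext)
    ciphertext = xor(plaintext, ctr_prime_keystream(key, nmac, len(plaintext)))
    tag = xor(nmac, cmac_prime(key, "Q", ciphertext))[:TAG_BYTES]
    return ciphertext, tag


def eax_prime_decrypt(key, cleartext, ciphertext, tag):
    # Returns the plaintext, or None when the 32-bit tag does not verify.
    nmac = cmac_prime(key, "D", cleartext)
    if xor(nmac, cmac_prime(key, "Q", ciphertext))[:TAG_BYTES] != tag:
        return None
    return xor(ciphertext, ctr_prime_keystream(key, nmac, len(ciphertext)))


# The three attacks; none of them uses the key.

def forge(short_ciphertext):
    """Zero encryption queries: N = pad(C) is one full block, so CMAC'_D(N) = E_K(N)
    = CMAC'_Q(C), the two cancel, and the tag 0^32 is always accepted."""
    assert 0 < len(short_ciphertext) < N_BYTES
    return pad(short_ciphertext), short_ciphertext, bytes(TAG_BYTES)


def distinguish(encrypt_oracle):
    """One query with a one-block cleartext and empty plaintext: real EAX' returns
    tag 0^32, an ideal AE would only do so with probability 2^-32."""
    _, tag = encrypt_oracle(pad(b""), b"")
    return tag == bytes(TAG_BYTES)


def recover_plaintext(decrypt_oracle, n_star, c_star):
    """Intercepted (N*, C*, T*) with |N*| = n: submit (N*, C' = unpad(N*), 0^32).
    It is accepted, M' = C' xor KS exposes the keystream KS of the intercepted
    message, and C* xor KS is M* (up to one block)."""
    c_prime = unpad(n_star)
    m_prime = decrypt_oracle(n_star, c_prime, bytes(TAG_BYTES))
    assert m_prime is not None, "forgery unexpectedly rejected"
    return xor(c_star, xor(c_prime, m_prime))


def demo():
    key = bytes(range(16))                     # constructed demo key
    ok_forge = eax_prime_decrypt(key, *forge(b"\x11\x22\x33")) is not None
    ok_dist = distinguish(lambda n, m: eax_prime_encrypt(key, n, m))
    n_star = b"\xde\xad\xbe\xef\x01\x02\x03\x04\x80" + bytes(7)   # constructed cleartext
    c_star, _ = eax_prime_encrypt(key, n_star, b"meter=42")
    recovered = recover_plaintext(lambda n, c, t: eax_prime_decrypt(key, n, c, t), n_star, c_star)
    return ok_forge, ok_dist, recovered


if __name__ == "__main__":
    print(demo())
```

Replacing `cmac_prime` with the EAX-style tweak (prepend an n-bit constant 0/1/2 and run plain CMAC) makes all three attacks fail, since the one-block input then becomes two blocks and the first and last masks no longer meet on the same block; that is exactly the length separation the talk describes.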