Hello, my name is Yeongmin Lee. I am going to talk about improved security analysis for nonce-based enhanced Hash-then-Mask MACs. This is joint work with Wonseok Choi, Byeonghak Lee, and my advisor, Jooyoung Lee. Let's start with the introduction. As everyone knows, a MAC is a symmetric-key algorithm that generates a tag for assuring the authenticity of a message. For example, Alice and Bob share a secret key at the beginning of communication. Alice computes the tag of a message and sends it to Bob. Bob also computes the tag of the given message. Then Bob regards the given message as valid if the two tags are the same. We call a MAC nonce-based if the MAC receives a unique value, a nonce, along with the message. What is MAC security? Assume that an adversary Eve can intercept and manipulate the message. Then the new message and tag pair may not be consistent with the MAC algorithm, so Bob can notice that the message was not sent by Alice. To capture this situation, a MAC should have unforgeability to be secure. If a MAC has unforgeability, it is infeasible to generate a new valid message and tag pair. This possibility is modeled as a forging game. In the forging game, the adversary can ask Alice for a valid tag of a message M, which is called an authentication query, and can ask Bob whether (M', T') is valid or not, which is called a verification query. The forging advantage is defined as the probability that the adversary forges. To evaluate an upper bound on the forging advantage, one can consider the following distinguishing game. The distinguisher interacts with either the real world or the ideal world. The real world comprises the MAC function, and the ideal world comprises a random variable-input-length function for authentication queries and a function which always returns reject for verification queries. Then the distinguisher tries to distinguish the two worlds by making q authentication queries and v verification queries.
While making verification queries, if the distinguisher can generate a valid message and tag pair, it can easily distinguish the two worlds. Therefore, the forging advantage is always less than or equal to the distinguishing advantage. The distinguishing advantage of the adversary is defined as the probability of correctly identifying the interacting world minus a half, which is the probability of winning by simple random guessing. There are two security notions for nonce-based MACs. One is the nonce-respecting setting, in which a nonce can be asked only once in authentication queries. The other is the nonce-misuse setting, in which nonces can be repeated. Before discussing the construction we proved, let's briefly introduce well-known nonce-based MAC constructions. First, the most famous construction is the Wegman-Carter MAC, which uses an almost XOR-universal hash function and a random function. Because of the nonce input, the Wegman-Carter MAC enjoys full security as long as nonces are not repeated. Later, Shoup replaced the random function with a random permutation, which can be instantiated with DES or AES. However, using a random permutation instead of a random function degrades the security to the birthday bound. In many cases, the birthday bound is enough. But both constructions are vulnerable when a single nonce is repeated, since the repeated nonce reveals the XOR value of two hashed messages. To redeem the weakness of those constructions, one can use one more encryption to encrypt the output value. The resulting construction is called Encrypted Wegman-Carter-Shoup, and it is secure up to the birthday bound in both the nonce-respecting and nonce-misuse settings. In the nonce-misuse setting, the Wegman-Carter construction is still fully secure, since we assume F_K is a fully random function. Hence, we may expect that if we replace E_K with a more secure PRF, the security bound could be improved in the nonce-misuse setting.
With this idea, at CRYPTO 2016, Cogliati and Seurin proposed a new construction called Encrypted Wegman-Carter with Davies-Meyer, or briefly EWCDM. The only change is adding the nonce in the middle of the construction. However, this modification significantly improved the security bound. As a result, it is secure beyond the birthday bound when nonces are not repeated. In addition, this construction remains secure up to the birthday bound in the case of nonce misuse. At CRYPTO 2018, Datta et al. proposed another variant of the Wegman-Carter MAC called Decrypted Wegman-Carter with Davies-Meyer, or DWCDM. Again, the change from EWCDM seems small, but this change makes DWCDM use only a single block cipher key K. The hash key K_H can also be derived from the block cipher E_K by encrypting a constant. Hence, DWCDM can be regarded as a beyond-birthday-bound secure MAC with a single key. Let me summarize the previous pages. This table shows the security bounds of the nonce-based MACs we discussed. You can see that this line of research has continued very recently, and not surprisingly, improvement of nonce-based MACs is still continuing. One of the main issues in the nonce-misuse setting is that, ideally, security should degrade gracefully in case nonces are repeated. So let me introduce another nonce-based MAC construction with graceful degradation in the nonce-misuse model. The nonce-based Enhanced Hash-then-Mask MAC, nEHtM, is the construction in this slide. It was proposed by Dutta et al. at EUROCRYPT 2019. nEHtM seems to have a similar security bound to EWCDM or DWCDM, but it actually has better security, since it achieves graceful degradation in the nonce-misuse model. When we consider graceful degradation, we denote by μ the number of repeated nonces, which are also called faulty nonces. The originally proposed security bound is shown like this. The graph shows the threshold number of authentication queries according to the number of faulty nonces.
Up to 2^{n/3} faulty nonces, one can observe that the security bound holds up to 2^{n/3} authentication queries, and then it degrades gracefully. The security bound of nEHtM was obtained via mirror theory. Mirror theory was proposed by Patarin in 2010; it evaluates the number of solutions of an affine system. Mirror theory sometimes regards a system of equations as a graph by identifying each equation with an edge and each unknown with a vertex. Generally, an affine system identified with an arbitrary graph may have a contradiction. Therefore, we define a property called nice, which guarantees no contradiction; then it becomes possible to count the number of solutions. We will talk about this theory more specifically in the overview of the proof. nEHtM has been shown to be secure up to 2^{n/3} authentication queries. However, there is no known matching attack. Actually, we will show that nEHtM has a better security bound. Then why did the first proof only show the 2^{n/3} bound? Here are two bottlenecks of the proof. The first bottleneck comes from a limitation of mirror theory. The mirror theory used in the previous proof assumed the following condition, which relates the maximum component size ξ_max and the number of equations q. When q increases, it is natural that ξ_max would increase together. Thus, we can easily expect that q would be bounded far from 2^n under this condition. The second bottleneck comes from estimating the condition for a nice graph. To obtain a better security bound, we need to estimate the probability of having a nice graph more carefully than before, and this is sometimes the most challenging work in our whole proof. We organized the improvements of mirror theory in a table on this slide. In this work, we improved mirror theory to relax the condition on component size and to include non-equations. As a result, we enjoy a higher security bound.
The red line is the new security bound of nEHtM. As you can see, our new bound improves the security of nEHtM for any number of faulty nonces up to 2^{n/2}. Let's introduce a brief overview of our security proof. At first, we replace the block cipher E_K by a random permutation π. This adds a negligible advantage up to the pseudorandomness of the block cipher. Next, we assume that the hash key K_H is revealed to the adversary at the end of the interaction, so the adversary can calculate the intermediate value X, which is the XOR of the hashed message and the nonce. Since the adversary is free to ignore this additional information, this does not decrease the advantage. The difference made by this setting is presented as red-colored variables and lines in the figure. We use the expectation method, which can be viewed as a generalization of Patarin's H-coefficient technique, to upper bound the distinguishing advantage. Let T_id and T_re be the probability distributions of a transcript τ in the ideal world and the real world, respectively. Then, informally, the expectation method tells us that if the probability of having a bad transcript is small in the ideal world, and the ratio of the real-world and ideal-world probabilities is expected to be close to one, then one cannot distinguish the two worlds. I will not cover this precisely, but the important part is to define a proper set of bad transcripts and then find the corresponding epsilon ratio. Also, the probability of getting a good transcript in the real world is the most challenging part of the proof. To find the probability of getting a transcript in the real world, we construct a system of equations and count the number of solutions of the system. Let's first focus on authentication queries. Since we have the hash key, we know all the inputs to the permutation π. Then, as you can see here, each output of π can be viewed as an unknown, and each query generates an equation in two unknowns.
Through this process, one can find the corresponding system of equations and non-equations from a transcript. To easily represent the system, we visualize it by a transcript graph G. Each unknown in the system becomes a vertex, and each equation and non-equation becomes an edge. More precisely, authentication queries are represented by solid edges, and verification queries are represented by dashed edges. Note that if there are faulty nonces or hash collisions, edges become connected to each other. The figure shows an example transcript graph which represents two authentication queries and two verification queries. The next step is to define the bad transcripts. Some transcript graphs might lead to a contradiction. Let's denote by G= the partial graph of G consisting of the vertex set V and the set of solid edges. If G= contains a cycle, then the system of equations may become inconsistent. And if G= contains a path whose label sum is equal to 0, one will get the equality of two different unknowns, which is a contradiction, because different inputs should be mapped to different outputs through a permutation. Although a cycle in G= with label sum 0 does not give a contradiction, for simplicity we identify this as a bad case. Finally, if G contains a cycle with exactly one dashed edge whose label sum is 0, one will derive both an equality and a non-equality for the same equation. Now let's look at the detailed bad events. Bad1 holds if either Bad1a or Bad1b holds. Bad1a is the event of having a cycle, and Bad1b is the event of having a trail of length four. Since our graph is always bipartite, a cycle should have even length, and G= is always acyclic without Bad1. Bad2 holds if at least one of Bad2a to Bad2e holds. Each sub-event represents a different shape of path with zero label sum, and without Bad2, we can avoid paths of zero label sum in G=.
Finally, Bad3 holds if either Bad3a or Bad3b holds. Each represents a different case of having a cycle in G with exactly one dashed edge whose label sum is 0. To sum up, without Bad1, Bad2, and Bad3, the graph has no contradiction. And the probability of getting a bad transcript is very small, as you can see in the inequality. What is left is to analyze good transcripts by applying mirror theory. For a good transcript, one can observe that the partial graph G= consists of three groups of components. G3 is the group of components that contain a trail of length three, so there should be both faulty nonces and hash collisions. G2 is the group of components that contain a trail of length two, so each component has either faulty nonces or hash collisions. Therefore, we figure out that the number of components in G3 is much smaller than that in G2, and the number of components in G2 is much smaller than that in G1. So to get a sharp estimation of the epsilon ratio, we try to make a specialized mirror theory that uses the previous observation. And here is our result. Therefore, we could find a sufficiently sharp estimation of the epsilon ratio. Finally, after applying the expectation method, we get the security bound of nEHtM. The equation is quite complicated; the important part is the dominant term. Here is the conclusion. We proved the 3n/4-bit security of nEHtM using specialized mirror theory. The security bound degrades gracefully when μ is less than 2^{n/2} in the nonce-misuse setting. There is some future work. I said we proved the security bound; however, there is no matching attack, so the security could be better than that. Another interesting problem is constructing an authenticated encryption scheme with a high security bound based on this analysis. Thank you for listening. If you have any questions, please send them to me at the following email.
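The transcript graph and the three contradiction patterns from the talk (a cycle in G=, a zero-label-sum path in G=, and a cycle in G with exactly one dashed edge whose label sum is 0) can be made concrete in a short program. The Python below is an added example, not the authors' code or the paper's proof material. It assumes a toy instantiation of nEHtM: n = 16, a seeded random permutation π standing in for E_K (the first step of the proof), a polynomial hash over GF(2^15) as H_Kh, and permutation inputs 0||N and 1||(N ⊕ H_Kh(M)); all keys, nonces and messages are constructed. The graph is built with the hash key revealed, as the proof allows at the end of the interaction. The bad-event check is a weighted union-find over the solid edges: every vertex gets a potential, the XOR of the labels on the path to its component root, so two vertices of one component with equal potential are joined by a zero-sum path, and a dashed edge inside one component whose label equals the XOR of the two potentials is the one-dashed zero-sum cycle.

```python
# nEHtM in the idealized model of the proof, with the transcript graph and bad-event
# checks from the talk.  Added example, not the authors' code; all parameters are
# constructed: n = 16-bit blocks, a seeded random permutation pi replaces E_K, H_Kh is
# a polynomial hash over GF(2^15), permutation inputs are 0||N and 1||X, X = N xor H_Kh(M).
import random
N_BITS = 16
HALF = N_BITS - 1            # nonce and hash length, n - 1 bits
IRRED = (1 << HALF) | 0b11   # x^15 + x + 1, irreducible over GF(2)

def gf_mul(a, b):            # multiply in GF(2^15) modulo x^15 + x + 1
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> HALF:
            a ^= IRRED
    return r

def poly_hash(kh, msg):      # almost-XOR-universal polynomial hash of msg's blocks (Horner form)
    h = 0
    for block in msg:
        h = gf_mul(h ^ block, kh)
    return h

def make_permutation(seed):  # random permutation of {0,1}^n standing in for E_K
    table = list(range(1 << N_BITS))
    random.Random(seed).shuffle(table)
    return table

def nehtm_inputs(kh, nonce, msg):   # the query's two permutation inputs 0||N and 1||X
    return nonce, (1 << HALF) | (nonce ^ poly_hash(kh, msg))

def nehtm_tag(pi, kh, nonce, msg):  # tag = pi(0||N) xor pi(1||X)
    u, v = nehtm_inputs(kh, nonce, msg)
    return pi[u] ^ pi[v]

def transcript_graph(kh, auth, verif):
    """Edges (u, v, label, solid): solid = authentication query (an equation between two
    unknown pi outputs), dashed = verification query (a non-equation)."""
    edges = [nehtm_inputs(kh, n, m) + (t, True) for n, m, t in auth]
    return edges + [nehtm_inputs(kh, n, m) + (t, False) for n, m, t in verif]

def bad_events(edges):
    """Find a cycle in G=, a path in G= with zero label sum (it forces P(u) = P(v)), and
    a cycle in G with exactly one dashed edge and zero label sum (equation vs non-equation)."""
    parent, phi = {}, {}   # union-find over G=; phi[v] = xor of labels from v to its root
    def find(v):
        if parent.setdefault(v, v) == v:  # new or root vertex
            phi.setdefault(v, 0)
            return v
        root = find(parent[v])
        phi[v] ^= phi[parent[v]]          # path compression keeps phi relative to the root
        parent[v] = root
        return root
    found = {"cycle_in_G=": [], "zero_sum_path": [], "one_dashed_zero_cycle": []}
    for u, v, t, _ in [e for e in edges if e[3]]:          # solid edges only
        ru, rv = find(u), find(v)
        if ru == rv:                      # u and v already joined by solid edges
            found["cycle_in_G="].append((u, v, t))
        else:
            parent[ru] = rv
            phi[ru] = phi[u] ^ t ^ phi[v]  # preserves P(u) ^ P(v) == t
    seen = {}
    for v in list(parent):
        key = (find(v), phi[v])           # same component and same potential
        if key in seen:                   # => the solid path between them sums to 0
            found["zero_sum_path"].append((seen[key], v))
        seen.setdefault(key, v)
    for u, v, t, _ in [e for e in edges if not e[3]]:      # dashed edges only
        if find(u) == find(v) and phi[u] ^ phi[v] == t:    # solid path forces the forbidden value
            found["one_dashed_zero_cycle"].append((u, v, t))
    return found

def consistent_with(pi, edges):    # does the real pi satisfy every equation and non-equation?
    return all((pi[u] ^ pi[v] == t) == solid for u, v, t, solid in edges)

def real_world_transcript(pi, kh, seed, q=40, v=8, pool_size=10):
    """Constructed real-world queries: nonces from a small pool are reused (faulty
    nonces); verification tags are deliberately wrong, so they are rejected."""
    rng = random.Random(seed)
    pool = [rng.randrange(1 << HALF) for _ in range(pool_size)]
    queries = lambda k: [(pool[i % pool_size], [rng.randrange(1 << HALF) for _ in range(3)])
                         for i in range(k)]
    auth = [(n, m, nehtm_tag(pi, kh, n, m)) for n, m in queries(q)]
    verif = [(n, m, nehtm_tag(pi, kh, n, m) ^ rng.randrange(1, 1 << N_BITS)) for n, m in queries(v)]
    return auth, verif

def contradiction_examples(pi, kh, n1=0x0123, m1=(1, 2, 3), m2=(4, 5, 6)):
    """Three constructed transcripts, one per bad pattern.  n2 is chosen with Kh in hand
    (the view the proof grants after the game) so that X(n2, m2) == X(n1, m1) and
    X(n2, m1) == X(n1, m2): two faulty nonces plus X-collisions, a G3-shaped component."""
    n2 = n1 ^ poly_hash(kh, m1) ^ poly_hash(kh, m2)
    square = [(n, m, nehtm_tag(pi, kh, n, m)) for n, m in ((n1, m1), (n1, m2), (n2, m2), (n2, m1))]
    forced = square[0][2] ^ square[1][2] ^ square[2][2]   # value the first three equations impose on (0||n2, 1||X2)
    return {"cycle": transcript_graph(kh, square, []),                                # 4-cycle in G=
            "zero_sum": transcript_graph(kh, [(n1, m1, 0x1234), (n1, m2, 0x1234)], []),  # ideal-world tags collide
            "one_dashed": transcript_graph(kh, square[:3], [(n2, m1, forced)])}        # rejected yet forced valid
```

`real_world_transcript` shows that even with every nonce reused, a real-world transcript never exhibits a zero-sum path or a one-dashed zero-sum cycle: the first would force two outputs of π to coincide, the second would mean a rejected query was actually valid. `contradiction_examples` builds, with the hash key in hand, the three patterns the proof only has to bound in the ideal world. Note that the 4-cycle is consistent with the real π (its label sum is 0 automatically), which is why the talk treats cycles with zero label sum as bad only for simplicity, whereas the other two transcripts cannot arise in the real world at all.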