Hello, this is Byeonghak, and I'm going to talk about the tight PRF security of Double-block Hash-then-Sum MACs. This is joint work with Seongkwang and my advisor, Jooyoung. Let's start with the introduction.

A message authentication code, MAC, is a symmetric-key algorithm that protects the integrity of a message. If Alice wants to send a message to Bob, and also wants to make sure that the message hasn't been modified, Alice and Bob first share a secret key K by a secure key exchange protocol. Before sending the message, Alice computes the tag T by applying the MAC to the shared key K and the message M. Then she sends the message and tag pair to Bob. To ensure integrity, Bob verifies the received tag by recomputing the tag value using his copy of the key. If there is an active attacker who intercepts the message and modifies it, then the new tag may not match the original tag. So Bob can notice that the message was not sent by Alice and reject the message. To capture this situation, a MAC should have unforgeability to be secure. If a MAC has unforgeability, it is infeasible to generate a new valid message and tag pair even after looking at a sufficient number of valid samples.

We also use another security notion called PRF security. To be PRF secure, the MAC should be infeasible to distinguish from a random variable-input-length function. Since we can prove that a secure variable-input-length PRF also has unforgeability, PRF security is a stronger security notion than unforgeability. Therefore, if we want to prove the security of a MAC algorithm, it is enough to prove that the algorithm is actually a secure PRF. To precisely formulate the PRF security of a function, we are going to introduce the distinguishing game. In this game, the adversary interacts with either the real world or the ideal world. The real world comprises the MAC function, while the ideal world comprises a random variable-input-length function named F.
The adversary tries to distinguish the two worlds by making q queries with lengths of at most ℓ blocks. At the end of the game, the adversary should determine the interacting world from the transcript, which is the record of queries and answers. The distinguishing advantage of the adversary is defined as the probability of correctly determining the interacting world minus 1/2. The 1/2 corresponds to the probability of winning by simple random guessing.

There are a lot of proposed MACs with security proofs, but most of them only provide birthday-bound security. However, in some cases we need beyond-birthday-bound security. For example, in lightweight cryptography, we are likely to use block ciphers with a smaller block size such as 64 bits or 80 bits. However, when we use these small block sizes, birthday-bound security becomes insufficient. In the table, you can see that if we use a 64-bit block size, the number of allowed queries for ECBC is up to 2^25, while the number of allowed queries for PMAC is 2^18. These are too small to use in practice, so beyond-birthday-bound (BBB) security is needed.

Fortunately, there are some MACs that provide BBB security. ZMAC, ZMAC+, HaT and HaK are MACs based on tweakable block ciphers or ideal ciphers. They all have n-bit security, where n denotes the block size, but this high security is achieved by using stronger primitives. However, for block cipher-based MACs, it seems hard to achieve BBB security, since any UHF-then-PRF style construction with an n-bit internal state provides only birthday-bound security. To settle this problem, there was an idea to use a double-size state, and later this idea was abstracted into the Double-block Hash-then-Sum (DbHtS) paradigm. SUM-ECBC, 3kf9, PMAC_Plus and LightMAC_Plus are MACs based on this idea, and their security has been proved up to 2^{2n/3} queries. Now, let us see the construction of DbHtS MACs briefly.
SUM-ECBC, which is the sum of two independent instances of ECBC, was proposed by Yasuda at CT-RSA 2010. As far as we know, it is the first provably BBB-secure MAC algorithm. In the next year, Yasuda proposed another BBB-secure MAC called PMAC_Plus. PMAC_Plus is based on the PMAC algorithm, and it has merit in its performance since it is parallelizable and also a rate-1 algorithm. Later, there were studies to make efficient BBB-secure MACs. Zhang et al. proposed 3kf9, which is a combination of 3GPP-MAC and ECBC. 3kf9 is the only rate-1 algorithm which provides BBB security without using any field operation. Finally, Naito proposed LightMAC_Plus, which is a variant of LightMAC. LightMAC_Plus is not a rate-1 algorithm since it embeds counters in the message, but it achieves message-length-independent security.

Recall that all of these DbHtS MACs are proven to have 2n/3-bit security. On the other side, Leurent et al. suggested generic attacks on all of these DbHtS MACs with 2^{3n/4} queries. The core idea of the attack was to exploit the difference between the XOR of permutations, XoP, and an ideal 2n-bit function. In the following system of equations, let us assume that the hashed messages collide if they have the same color. Then all of the unknowns appear exactly twice and cancel each other out, so we can derive a new condition: the sum of the tag values should be equal to 0. This property is a significant difference from the ideal function. So the generic attack could be done by making this specific form of hash collisions within 2^{3n/4} queries. Now you can see that there exists a gap between the best known attacks and their provable security.

Now let us move on to the contribution of our study. In this study, we proved 3n/4-bit security of all the DbHtS MACs, and thus closed the gap between the generic attacks and provable security. Since we have a unified security framework, one can identify the required properties of the underlying hash functions.
You can see the simplified security bounds in the table, and if we consider the maximum length of each message as a constant value, all the DbHtS MACs are secure up to 2^{3n/4} queries. Note that for PMAC_Plus and 3kf9, the new bound does not always dominate the old bound, especially for long messages. Here is the graph representing the upper bounds on the distinguishing advantage for PMAC and PMAC_Plus. The left one is the graph for a 64-bit block size, and the right one is that for a 128-bit block size. As you can see in the graph, our new bound improves the security of PMAC_Plus for short messages.

Let us give a brief overview of our security proof. This is the main lemma of the H-coefficient technique. If the probability of having a bad transcript is small, and the difference between the ideal world and the real world is negligible when there is no bad transcript, the H-coefficient lemma says that the distinguishing advantage is also negligible. I will not cover this precisely, but the important point is that we should define a proper set of bad transcripts and upper bound two values, ε_bad and ε_ratio. Also, the probability of getting a transcript in the real world is the most challenging one in the proof.

Let us start with the proof steps. For the first step, we represent the transcript by a graph. As you can see in the figure, each query (U, V, T) is mapped into an edge which connects the vertices x and y. The vertex x represents P(U), and the vertex y represents Q(V). Also, we let each edge have the label T, which represents the XOR of x and y. Since each query makes an affine equation between the two variables P(U) and Q(V), namely T = P(U) ⊕ Q(V), the transcript graph can be viewed as another representation of the system of affine equations made by the adversary's queries. Note that since we target beyond-birthday-bound security, there exist hash collisions between messages, so the edges might be connected to each other. The next step is to identify the bad graphs.
Some of the transcript graphs might lead to a contradiction by themselves. If the graph contains a cycle, then the system of equations can be inconsistent. Here, you can see that the system is inconsistent if T is not equal to T'. If the graph contains a path of even length whose label sum is equal to 0, one will get the equality of two different unknowns, like Q(V) and Q(V'), in the system of equations. But this leads to a contradiction, because for permutations, different inputs should be mapped to different outputs. This type of bad graph condition is sometimes called degeneracy. Also, although a cycle with degeneracy does not lead to a contradiction, to keep things simple we still identify this as a kind of bad case. One can also note that the generic attack on the DbHtS MACs used cycles of length four.

The third step is to upper bound the probability of obtaining bad graphs. Instead of finding the probability of having cycles or degeneracy, we define the following five bad events. Bad1 is the event of having a length-2 cycle, and Bad2 and Bad3 are the events of having a length-2 degeneracy. Bad4 is the event of having a length-4 degeneracy in one direction. And finally, Bad5 is the event of having a length-4 trail, not only a degeneracy, in the other direction. So without Bad5, there cannot exist a length-4 cycle, and also no trails of length five or longer. As a result, without the events Bad1 and Bad5, there cannot exist cycles, and without Bad2 to Bad5, there cannot exist even-length paths with zero label sum. So after we find the probabilities of these bad events, we can upper bound the value ε_bad.

The last remaining step is to upper bound ε_ratio. Here, we apply Patarin's mirror theory, which evaluates the number of solutions of an affine system, and this is identical to finding the probability of getting a transcript in the real world.
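To make the two algebraic facts above concrete, the 4-cycle cancellation that the generic attack exploits and the even-length-path degeneracy that is impossible in the real world, here is an added example that is not part of the talk or the paper. It models the DbHtS finalization T = P(U) ⊕ Q(V) with two toy 16-bit permutations (shuffled lookup tables standing in for a block cipher under a secret key) and an ideal random function; the hash layer is not modelled, so U and V are chosen directly, which is what the attacker effectively controls once the required hash collisions have been found. The names RealWorld, IdealWorld, four_cycle_label_sum, length2_path_label_sum and distinguish are this example's own.

```python
import random

N_BITS = 16                 # toy block size n; the talk's constructions use n = 64 or 128


def random_permutation(seed: int) -> list:
    """Model a secret n-bit permutation (a block cipher under a fixed key) as a
    shuffled lookup table. Constructed for this example; not a real cipher."""
    table = list(range(1 << N_BITS))
    random.Random(seed).shuffle(table)
    return table


class RealWorld:
    """DbHtS finalization: T = P(U) xor Q(V) for a 2n-bit hash output (U, V).
    The hash is not modelled; the caller chooses U and V directly."""

    def __init__(self, seed_p: int, seed_q: int):
        self.P = random_permutation(seed_p)
        self.Q = random_permutation(seed_q)

    def tag(self, u: int, v: int) -> int:
        return self.P[u] ^ self.Q[v]


class IdealWorld:
    """A random function F: {0,1}^{2n} -> {0,1}^n, sampled lazily per query."""

    def __init__(self, seed: int):
        self.rng = random.Random(seed)
        self.memo = {}

    def tag(self, u: int, v: int) -> int:
        if (u, v) not in self.memo:
            self.memo[(u, v)] = self.rng.getrandbits(N_BITS)
        return self.memo[(u, v)]


def four_cycle_label_sum(world, u1: int, u2: int, v1: int, v2: int) -> int:
    """Label sum around the 4-cycle (u1,v1)-(u1,v2)-(u2,v2)-(u2,v1) of the
    transcript graph. In the real world each unknown P(u_i), Q(v_j) appears
    exactly twice, so the XOR is always 0; in the ideal world it is 0 only
    with probability 2^-n."""
    t = [world.tag(u1, v1), world.tag(u1, v2), world.tag(u2, v2), world.tag(u2, v1)]
    return t[0] ^ t[1] ^ t[2] ^ t[3]


def length2_path_label_sum(world, u: int, v1: int, v2: int) -> int:
    """Label sum of the even-length path (u,v1)-(u,v2): T1 xor T2 = Q(v1) xor Q(v2).
    A zero sum with v1 != v2 would force Q(v1) = Q(v2), impossible for a
    permutation; this is the degeneracy bad event, which the ideal world can
    produce but the real world never can."""
    return world.tag(u, v1) ^ world.tag(u, v2)


def degeneracy_found(world, u: int, v_values) -> bool:
    """Return True if some length-2 path (u,v)-(u,v^1) has label sum 0."""
    return any(length2_path_label_sum(world, u, v, v ^ 1) == 0 for v in v_values)


def distinguish(world, trials: int = 8, seed: int = 0) -> str:
    """Generic distinguisher: answer 'real' if every random 4-cycle has label
    sum 0, otherwise 'ideal'. Against DbHtS it is always right; against a
    random function it errs with probability 2^(-n * trials)."""
    rng = random.Random(seed)
    for _ in range(trials):
        u1, u2 = rng.sample(range(1 << N_BITS), 2)
        v1, v2 = rng.sample(range(1 << N_BITS), 2)
        if four_cycle_label_sum(world, u1, u2, v1, v2) != 0:
            return "ideal"
    return "real"


if __name__ == "__main__":
    real, ideal = RealWorld(1, 2), IdealWorld(3)
    print("real world  ->", distinguish(real))
    print("ideal world ->", distinguish(ideal))
    evens = range(0, 1 << N_BITS, 2)
    print("degeneracy in real world:", degeneracy_found(real, 7, evens))
    print("degeneracy in ideal world:", degeneracy_found(ideal, 7, evens))
```

The example only shows why the 4-cycle label sum is a distinguishing signature; the cost of the actual attack comes from forcing the required hash collisions (U1 = U2 on one side, V1 = V2 on the other) through the hash layer, which is what takes about 2^{3n/4} queries.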
However, we could not apply the plain mirror theory, since the plain mirror theory can be applied only when the maximum component size is bounded. In Double-block Hash-then-Sum, the expected maximum component size is too large, so a refinement of the mirror theory is required. Our refined mirror theory allows arbitrary component sizes, but the ratio of the number of connected edges to the number of all edges should be bounded.

This is a brief history of the applications of Patarin's mirror theory. After the first version of the mirror theory was suggested in 2010, many variants of the mirror theory have been proposed and applied to various constructions. Here, we want to emphasize that this is the first refinement of the mirror theory that allows components of arbitrary size and can be used to prove 3n/4-bit security. We also note that there is concurrent work by Ashwin Jha and Mridul Nandi.

Finally, after applying the H-coefficient lemma, we can obtain the bound on the adversary's distinguishing advantage. Here are our two major results. One is the security of Double-block Hash-then-Sum MACs with two independent universal hash functions F and G. The security of PolyMAC and SUM-ECBC can be obtained from this bound. Also, when F and G are not independent, as in PMAC_Plus or 3kf9, a dedicated analysis is required. The most challenging one was the security of PMAC_Plus, and here you can see the simplified result, where ε is the sum of all the non-dominating terms.

In conclusion, we proved tight security bounds for Double-block Hash-then-Sum MACs, including PolyMAC, SUM-ECBC, 3kf9, PMAC_Plus and LightMAC_Plus. All of them are PRF secure up to 2^{3n/4} queries. Also, all the security bounds are tight in terms of the threshold number of queries.
For future work, it will be interesting to find better security bounds considering the influence of the message length ℓ, especially for PMAC_Plus and 3kf9, or to find the tight security of key-reduced variants of Double-block Hash-then-Sum MACs. This is the end of the presentation, and thank you for listening.