Good afternoon, ladies and gentlemen. I'll be talking today about the nonce-based enhanced hash-then-mask construction, which I've worked on jointly with Mridul Nandi and Avijit Dutta. As we all know, both the receiver and the sender share the same secret key for message authentication codes in the symmetric-key setting. Here, Alice wants to send the message "I accept" to Bob, and Eve is an active adversary who might change the message before it reaches Bob. However, Alice appends a tag T to the message, which she computes using the secret key that she and Bob share, and Bob will only read the message if he can verify the tag using his copy of the key. If Eve still changes the message, then the new message may not match the old tag, and Bob will not read it. In order to carry out a successful forgery, Eve will play a game with Alice and Bob. She will make q_m authentication queries to Alice, and she'll get back the corresponding tags for each message. She will also make q_v verification queries to Bob, and he will respond by telling her whether or not each message-tag pair is valid. If Eve can then make a new and valid message-tag pair that she sends to Bob, then Bob will not know that this message was tampered with, and he will read it. We can see an example of such a forgery on a birthday-bound secure MAC here. So we have ECBC as an example, and this MAC has the expansion property: if the tags for two messages collide, then the tags for any other two messages which have the previous two messages as prefixes will also collide. So Eve can use this property of ECBC and make a successful forgery. If she finds out that the tags for the messages "I accept" and "I reject" are the same, then she can add the phrase "your paper" to her message and carry out a successful forgery, and Bob will read the message. Such collisions can be found with high probability within the birthday bound.
So if it's an n-bit message, then approximately 2^(n/2) queries. However, for smaller message blocks, like, say, 64 bits, which is generally used in lightweight cryptography, this is not sufficient, because, as we can see, ECBC is secure only up to 2^25 queries, and PMAC can be attacked in just 2^18 queries. So this is a serious data constraint, and we need higher security. The Wegman-Carter MAC is a MAC that gives quite a lot better security as compared to ECBC. It uses a nonce input along with the message to compute the tag, and as we can see, it is secure up to approximately 2^54 queries. So that's quite an improvement. However, if the nonce is misused even once, I mean if the nonce is repeated even once, then this construction is completely insecure. So in cases where such repetitions cannot be controlled, for example if the size of the nonce space is small, or if the nonce is reset for some reason, we need at least some security. So we need constructions that not only give beyond-birthday-bound security in the nonce-respecting setting, but also some security in the nonce-misusing setting. For example, the Encrypted Wegman-Carter with Davies-Meyer construction that was proposed by Cogliati and Seurin is a MAC. It is again a nonce-based MAC, and it has beyond-birthday-bound security when the nonce is respected and birthday-bound security when the nonce is misused. The Decrypted Wegman-Carter with Davies-Meyer, which was proposed by Dutta et al., is another construction that has a similar security situation. But again, these two MACs also suffer from birthday-bound security when the nonce is misused. And for similar reasons as in the nonce-respecting setting that I mentioned, we do need beyond-birthday-bound security, at least up to a certain level, even when the nonce is misused.
So we have proposed a construction that not only gives beyond-birthday-bound security when the nonce is respected, but also gives gracefully degrading security when the nonce is misused. This means that just a few instances of nonce misuse would not really cause the security to go down to the birthday bound; maybe after a lot of repetitions are made, but not immediately. For this, we introduce a concept which is similar to multi-collisions in nonces, but slightly weaker than that, which we call faulty nonces. And we use two tools: a theorem on the multi-collision of hash values of messages, and an extended version of mirror theory for which we give a proof, albeit for a weaker bound than the one provided by Patarin. And we also have demonstrated an application of our MAC in an authenticated encryption scheme, which is based on CWC. So this is our construction, which we call nonce-based enhanced hash-then-mask. As we can see, it is very similar to the enhanced hash-then-mask construction proposed by Minematsu. The only differences are that ours is a single-keyed version, it is nonce-based instead of using random salts, and it has domain separation involved. As I have already mentioned, nEHtM is secure roughly up to 2^(n/3) authentication queries and 2^n verification queries when the nonce is respected, and its security degrades gracefully when the nonce is misused. In fact, this degradation is linear. So when the number of faulty nonces, which here we are denoting by μ, becomes pretty much equal to the number of authentication queries q_m, only then does the security fall down to the birthday bound. But if, let's say, a constant number of faulty nonces are present, then it won't affect the security that much. Also, this is the definition of faulty nonces. If we have a query that has a nonce value which is equal to the value of a nonce that has already been queried earlier, then that nonce is called a faulty nonce.
So in this case, all the five nonce values n1, n2, n3, n4, n5 count as a five-multi-collision in nonces. However, if we count faulty nonces, then n1 is not a faulty nonce, since it is a fresh value, whereas n2, n3, n4 and n5 are all faulty nonces. In this case, n1 and n3 do not count as faulty nonces, whereas they're included in multi-collisions. Another difference of faulty nonces from multi-collisions is that this constitutes a two-multi-collision and this constitutes a four-multi-collision, whereas we count all the faulty nonces together, and so n2, n4, n5 and n6 together constitute four faulty nonces. We prove the security of our construction using the expectation method that was introduced by Hoang and Tessaro, and this is a generalization of the H-coefficient technique. And we use the two tools that I have already mentioned. We bound the number of multi-collisions of hash values of messages using a theorem that I shall shortly be presenting, and we also give an extended version of mirror theory for which we provide a partial detailed proof. So our first tool is the multi-collision theorem, which gives a bound on the minimum probability of getting (ξ+1)-multi-collisions in hash values amongst q messages where we have an ε-universal hash function. This theorem can be proved using the union bound and this counting lemma. The statement of this lemma is that if we are given a vertex set of a particular size, and if we construct a graph by adding edges such that the number of edges is more than this value, ⌈q²/(2ξ)⌉, then we will certainly get at least one edge between two vertices in any collection of ξ+1 vertices that we choose. So here, the proof is quite simple. We divide all the q vertices into ξ sub-collections of ⌈q/ξ⌉ vertices each.
The last collection may contain fewer vertices. And we add edges such that each collection becomes a clique and no two vertices in different cliques share any edge. So if we choose one vertex out of each collection, then we have chosen a total of ξ vertices. Since we want to choose ξ+1 vertices, we can choose vertices in any other way also, but that will certainly ensure an edge between two vertices, and even if we choose them in this way, then basically by the pigeonhole principle we definitely have at least one pair of vertices that share an edge. So that's how we prove this lemma. The next tool that we have used is an extended version of mirror theory. So for that, we first define the system of equations induced by an edge-labeled graph. As we can see here, we have a graph that has labels on its edges, and we assume the vertices of the graph to denote the variables of the equations. Whenever a pair of vertices is connected by an edge, it induces the equation in this way: if y1 and y2 are vertices connected by an edge, then we have the equation y1 + y2 = λ_{1,2}. Then we define an injective solution to a system of equations that is induced by a graph in this way to basically be a solution for all these vertices such that the solution is consistent with all the equations. We can extend this concept to involve non-equations as well. For example, the vertices y5 and y6 induce a non-equation, y5 + y6 ≠ λ_{1,3}, and we can extend the definition of injective solutions to include these non-equations also. So it is pretty much clear that there can exist graphs that induce equations and non-equations that only have inconsistent solutions, or that have equations that give redundant information, and such things. So we need to define what good graphs are. This is an example of a good graph.
A good graph cannot have cycles that consist of edges that only induce equations, because such a cycle will either give us an inconsistent solution or it will give us redundant information, depending upon whatever the labels of its edges are. A good graph cannot have paths with edges that induce equations and whose edge labels sum to 0, because then such a path will basically become a cycle and the same problem will occur. A good graph can also not have cycles with exactly one edge inducing a non-equation such that the sum of its edge labels is 0. So here, if λ'_2 were to become 0, then it would force the sum of these two vertices to be equal to λ'_2, whereas this is a non-equation, so I don't want these two to sum to λ'_2. So the two requirements for a graph to be a good graph are that it should have consistent solutions and there should be no redundancy or degeneracy. This can be ensured by these three conditions that we abbreviate to NC, no cycle; NPL, non-zero path label; and NCL, non-zero cycle label. So if G is such a good graph with α vertices, out of which q_m vertices are involved in equations and q_v vertices are involved in non-equations, then the minimum number of injective solutions to the system of equations and non-equations that G induces, we have proved it to be this number. And we can see that this bound is actually weaker than the one provided by Patarin. His result was (2^n)_α / 2^{nq}, and it only involved equations. We're now ready to prove the security of nEHtM. So we do that by bounding the number of injective solutions to the system of equations and non-equations that are obtained respectively through the authentication and verification queries that an adversary makes. And we use the two tools, the multi-collision theorem and mirror theory, for bounding the probabilities of the good and bad transcripts.
So this is how we get the authentication equations and verification non-equations. And we can certainly construct a graph which induces these equations. These are the bad events whose probabilities are bounded by these quantities, and in particular, the event B3 requires use of the multi-collision theorem that we saw earlier. The remaining equations and non-equations can then be bounded using our version of the mirror theory result. Finally, we demonstrate our AE scheme, which is based on the CWC construction. This has beyond-birthday-bound privacy. However, its authenticity is broken on nonce misuse, whereas our construction has beyond-birthday-bound privacy as well as beyond-birthday-bound authenticity, which gracefully degrades on nonce misuse. And to conclude, these are all the things that I have discussed. And thank you. Any questions?

What do you need the domain separation for? Do you need it just for the technical proof, or would there be an attack if you don't have domain separation?

No, actually, we would like to have a single-keyed version of EHtM, and that's where we use the domain separation. It wouldn't affect the proof so much.

Any more questions? Yeah.

So maybe I missed it, but can you say something about the tightness of the bound? Is it clear that they are tight, or?

OK, we had a 2^(n/3), so I'm not sure at the moment. Let me just check. So we use this for the nonce misuse.

I guess just if you know of a matching attack, so if you don't know, it's the...

Oh, OK. So we have a clear birthday-bound attack when the nonce is misused.

Right.

And I'm not so sure about the tightness right now. Maybe I would like to discuss with you.

Yeah, I'd like to discuss with you.

Sorry.

Any more questions? OK, so if not, let's thank the speaker again.

Thank you.
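The faulty-nonce definition and the good-graph conditions (NC, NPL, NCL) from the talk, as an added Python example that is not part of the talk or of the authors' paper: it counts faulty nonces on two constructed nonce sequences modelled on the talk's two examples, checks the three conditions on a small edge-labelled graph, and brute-forces the injective solutions for a tiny n to show that a good graph has some while a bad one has none. Addition of variables is taken as XOR over {0,1}^n; the vertex numbering, labels and graph sizes are my own choices.

```python
from itertools import permutations
# Constructed nonce sequences mirroring the two examples in the talk
ALL_EQUAL = ["a"] * 5                        # n1 = n2 = n3 = n4 = n5
TWO_GROUPS = ["a", "a", "b", "b", "b", "b"]  # n1 = n2 and n3 = n4 = n5 = n6

def faulty_nonces(nonces):
    """Returns (mu, multi-collision sizes): mu counts queries reusing an earlier nonce."""
    seen, mu = set(), 0
    for nonce in nonces:
        mu += nonce in seen
        seen.add(nonce)
    return mu, sorted(c for c in map(nonces.count, set(nonces)) if c > 1)

def eq_potentials(alpha, eq_edges):
    """pot[v] = XOR of labels on the path from v's component root; None if NC fails."""
    adj = {v: [] for v in range(alpha)}
    for u, v, lam in eq_edges:
        adj[u].append((v, lam)); adj[v].append((u, lam))
    comp, pot = {}, {}
    for s in range(alpha):
        if s in comp: continue
        comp[s], pot[s], stack = s, 0, [(s, None)]
        while stack:
            u, parent = stack.pop()
            for v, lam in adj[u]:
                if v == parent: continue
                if v in comp: return None  # second route to v: cycle of equations
                comp[v], pot[v] = s, pot[u] ^ lam
                stack.append((v, u))
    return comp, pot

def is_good_graph(alpha, eq_edges, neq_edges):
    """Conditions NC, NPL and NCL from the talk; returns (ok, reason)."""
    rooted = eq_potentials(alpha, eq_edges)
    if rooted is None: return False, "NC: cycle made only of equation edges"
    comp, pot = rooted
    for u in range(alpha):
        for v in range(u + 1, alpha):  # same component => equation path u..v exists
            if comp[u] == comp[v] and pot[u] == pot[v]:
                return False, "NPL: equation path whose labels XOR to 0"
    for u, v, lam in neq_edges:  # would close a cycle with exactly one non-equation
        if comp[u] == comp[v] and pot[u] ^ pot[v] == lam:
            return False, "NCL: cycle with one non-equation and label sum 0"
    return True, "good"

def count_injective_solutions(alpha, n, eq_edges, neq_edges):
    """Brute force over injective assignments y_i in {0,1}^n (tiny n only)."""
    return sum(1 for ys in permutations(range(1 << n), alpha)
               if all(ys[u] ^ ys[v] == lam for u, v, lam in eq_edges)
               and all(ys[u] ^ ys[v] != lam for u, v, lam in neq_edges))
```

Edges are (u, v, label) triples; equation edges give y_u ⊕ y_v = label and non-equation edges give y_u ⊕ y_v ≠ label.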