Hi everyone, I'm the second author, from Shandong University. This work is called the Bai Zhenzhen Jiananilin. We propose a new approach to reliable tweakable block ciphers. First, we cut a block cipher into three chunks, and then we add the tweak twice between these chunks. See this example. If we have a block cipher with n1 + n2 + n3 rounds, as in this picture, we will cut it into three chunks with n1 rounds, n2 rounds, and n3 rounds. By this, we have two gaps, and then we absorb the tweak into the two gaps between the three chunks. There is no tweak schedule function here; we just absorb the original tweak, so it will be efficient. Let's see this picture. The method can be viewed as an operation mode with three computations, Pi1, Pi2, and Pi3. We call this mode Tweak-and-Tweak (TNT) because it can be seen as tweaking the computation twice: tweak, and then tweak. The mode is, as we prove, beyond-birthday-bound secure, up to 2^{2n/3} queries. This might be the most efficient tweaking method, because there is no tweak schedule function, as we mentioned before. Then, with AES, we propose an instance named TNT-AES. See this picture. In this instance, the three computations are instantiated by 6-round AES functions. Its performance, as we evaluate, is one of the best in both hardware and software. And also, as I think, I mean in general, this is probably the best. Let's see the details. My talk will follow this outline. Let's first recall and look at the tweakable block cipher. A tweakable block cipher has three inputs and one output: the first one is the key K, the second one is the tweak T, the third one is the plaintext X, and the fourth one is the output Y. By using λ different tweaks, we will have λ different block ciphers from such a single tweakable block cipher. So this is the function of the tweakable block cipher. About the motivation of the tweakable block cipher, it comes from the needs of some modes of operation.
Because some modes want to have multiple block cipher instances. For example, let's see this figure. This picture is the famous ECB encryption mode, and we know it is bad. It is insecure because it preserves the plaintext pattern. For example, in these L message blocks, if M1 equals M2, then the ciphertext block C1 equals the ciphertext block C2, and we could notice this relation from the ciphertext. But if the L different message blocks are encrypted by L different block ciphers E1, E2, ..., EL, rather than a single block cipher E, then it would be secure: even if M1 equals M2, we cannot expect C1 equals C2, because they are encrypted by two different block ciphers. But of course, we cannot have so many ciphers in practice to instantiate such a mode. But if we have a tweakable block cipher, we can use L different tweak inputs, tweak value 1, tweak value 2, ..., tweak value L, as the tweak input to the tweakable block cipher to get L different block ciphers, as we mentioned. So we could instantiate such a mode, such an ECB mode. Actually, this ECB mode variant is the core of the AE modes ΘCB3 or OCB. AE, authenticated encryption, is not our topic, so we won't talk too much about this; please just check the references. We now recall the notions of birthday and beyond-birthday security. When we are using a block cipher or tweakable block cipher with n-bit block size, birthday-bound security means the cryptosystem is secure up to 2^{n/2} queries or 2^{n/2} complexity. Typically, this means the mode, maybe the tweakable block cipher mode or the encryption mode or some other cryptosystem mode, is secure when the number of processed data blocks is less than 2^{n/2}. This is not a huge number. When we are using older block ciphers with 64-bit blocks, for example Triple-DES or something like this, the mode can only process less than 2^32 blocks, and this is actually practically vulnerable.
See this reference. Even when we are using AES with 128-bit blocks, birthday-bound security means less data can be securely processed and more frequent key updates are needed. For the detailed discussion, we refer to the CCS paper for reference. So tweakable block ciphers are necessary, and beyond-birthday-bound security is desirable. So, how can we have tweakable block ciphers? The first method is the modular approach. We use modes of operation to turn classical block ciphers into tweakable block ciphers. This method is good because we have a better understanding of its security by mathematical reduction. The shortage is that the result is usually less efficient than well-designed algorithms. Actually, such claims apply to not only tweakable block ciphers but also AE and other systems in general. So, for this approach, we already have these modes. For birthday security, we have LRW1, LRW2, XEX, and others. And for beyond-birthday secure modes, we have cascaded LRW2 and some others. We will see them later. Here, we don't spend so much time on this approach. Another method to have tweakable block ciphers is just to design block ciphers with a tweak input. This is what we call the dedicated approach. For this, we have some early designs such as Mercy and others. And later, there is an important development, the TWEAKEY framework at Asiacrypt 2014. See this picture of the TWEAKEY framework. In brief, this framework regards the tweak and the key as of equal role in the computation and calls them the tweakey. This tweakey K is scheduled by some function into round keys; we call this schedule function the tweakey schedule function. The tweakey will be derived into several subtweakeys, and the subtweakeys are then used as round keys in key-alternating ciphers. Or maybe you could use them as round keys in Feistel ciphers, depending on the context.
So if well designed, this can be very efficient, giving a secure tweakable block cipher or a secure block cipher in the related-key setting. We refer to the reference for the details. On the downside, security is only guaranteed by comprehensive cryptanalytic results. There is no reliable provable result. So the TWEAKEY framework gives rise to a number of instances such as Deoxys-BC, SKINNY, and so on. On the other hand, let's have more words on this TWEAKEY framework. Since the tweakey affects the execution, it affects the computation of the tweakey schedule function. If we retweak, or if we change the tweak, the tweakey schedule function will be executed again. So retweaking costs something. Maybe not so much; maybe the tweakey schedule function is efficient, but still retweaking costs something. And we ask if we could have an even simpler retweaking method. This was one of the main motivations of this work. So from now on, we talk about our contributions. As we mentioned before, our main contribution is a new approach to dedicated tweakable block ciphers; see this figure again. In the first step, we cut an iterative block cipher into three chunks. In the second step, we add the tweak twice between the chunks. So we have a very efficient tweaking method without any tweak schedule function. About the gain of this method: first of all, this seems the most efficient tweaking method, simply because we have no tweak schedule function. So unsurprisingly, our instance algorithm achieves the best performance in the retweaking scenario. And here we remark that actually retweaking is necessary in many modes, many scenarios. And second, our method is partly supported by a security reduction. So security might be more reliable than a totally dedicated block cipher design. Actually, this is a proven approach from Eurocrypt 2015. We could view the method as: we prove security for the TNT mode,
and then we instantiate the mode with scaled-down primitives or round-reduced block ciphers. So it enjoys partial provable security support and also this efficiency. Consider the construction, I mean the third one. We could idealize the three chunks as three independent permutations Pi1, Pi2, and Pi3. By this, we have the idealized TNT mode of operation. This new mode can be viewed as cascading LRW1. For this, it is necessary to recall the context. LRW1 is given in the initial tweakable block cipher paper. It adds the tweak between two permutations Pi1 and Pi2. Now consider that we cascade two such constructions; then the two middle permutations Pi2 and Pi1' can be merged into a single one, Pi2. By this, we have TNT. So TNT is actually the cascaded LRW1 mode. As for the security, the LRW1 tweakable block cipher mode is only CPA secure up to the birthday bound, 2^{n/2} queries, and both the birthday bound and CPA security are tight and cannot be improved. I mean, LRW1 is not CCA secure. So the question is: is TNT, or cascaded LRW1, secure in the CCA setting and up to beyond-birthday security bounds? As a main contribution, we show it is the case: TNT, or cascaded LRW1, is beyond-birthday secure. As a first step, recall the security goal for a tweakable block cipher mode: the goal is to establish indistinguishability from a tweakable random permutation Pi. You could view the tweakable random permutation Pi as multiple independent random permutations, just as you can view a tweakable block cipher as multiple block ciphers indexed by the tweak.
For beyond-birthday security, to establish such a result we have to show that when the distinguisher D makes q queries to either the TNT mode or the tweakable random permutation, the difference shown in this equation is small enough, at such a small level as q^{1.5}/2^n. We have to show such a result. To prove it, we use the recent chi-squared method. We prove an intermediate result, as this one: technically, it means that conditioned on the first l−1 queries and responses Q_{l−1} = ((T_1, X_1, Y_1), ..., (T_{l−1}, X_{l−1}, Y_{l−1})), the following two probabilities, to obtain a certain new query and response from the TNT mode and from the tweakable random permutation, are at such a small level, meaning l/2^{2n} or q/2^{2n}; they are of the same level, with such a small bound. By the core lemma of the chi-squared method, the final bound would be the desired q^{1.5}/2^n. Here we don't have time for the details; please see our paper.

But for our analysis of this result, to reach the bound, we analyze each query in the system in turn. We first consider the case of the l-th query being a forward query, meaning we query the TNT mode with (T_l, X_l), and we consider the probability of obtaining a response Y_l. We further consider several cases. The first case is that the plaintext X_l is not new, meaning it has appeared in the past l−1 queries, and also the response Y_l is not new, meaning it has appeared in the past l−1 query responses. In this case we could show an upper bound on the conditional probability of (1 + 4l/2^n) · 1/(2^n − l), and we could also show a lower bound on the probability of (1 − 2l/2^n) · 1/(2^n − μ_l), where μ_l is a parameter of the system. With this, in the ideal world, when you are interacting
with the tweakable random permutation, the probability is always 1/(2^n − μ_l). So with this we could have such an upper bound on the difference: it is 8l/2^{2n}. So this is the first case. The second case is that the plaintext X_l is not new, it appeared in the past queries, but the response Y_l is new, meaning it did not appear in the past responses. We use a similar analysis, we use some combinatorial results, and we could obtain a similar bound on the difference. Then the third case means the plaintext is new but the response is not new, and we use a similar analysis. And finally, the last case: both the plaintext X_l and the response Y_l are new, and we use the same analysis. Please see our paper for the details of the analysis. For backward queries the analysis is similar by symmetry and gives the same bound. So with this bound we could have the bound on the difference and obtain the matching bound.

Now we could have a comparison with existing modes. As mentioned, TNT can be seen as the cascaded LRW1 mode, and of course the most relevant references are LRW2 and cascaded LRW2. So we'll see the picture at the bottom of this page. LRW2 uses a single random permutation Pi1, but it uses an almost-XOR-universal hash function to hash the tweak, and they take the digest of the tweak as something like whitening keys used at the two sides of the permutation. LRW2 can also be cascaded; see the right part of the figure at the bottom. But this needs more hashing, because almost-XOR-universal hashing could be built from field multiplications, but this might be costly, especially in the retweaking setting, because if you change the tweak you have to run the hash again. So this could be a disadvantage. Here is a comparison of TNT and existing modes regarding security and cost; we refer to our paper for details. The most promising advantage of TNT is that there is no tweak schedule
function, as we mentioned, so it is particularly efficient in retweaking settings. We finally put forward our instance. You may think of the situation as: we first extend AES-128 from the original 10 rounds to 18 rounds, then divide it into three chunks of an equal number of rounds, meaning 6, 6, 6 AES rounds, and then we add the tweaks between the three chunks. By this, the security analysis and all the implementations can be based on previous works on AES. We have made some preliminary analysis in the open-tweak or chosen-tweak setting; we considered differential attacks, linear attacks, impossible differential attacks, and so on, and we found no shortcut key-recovery attack on TNT-AES. We then evaluated the performance. It should be noted that here we consider the retweaking setting, and so we consider both plaintexts and tweaks as data. We obtained this software comparison with the TWEAKEY framework instances SKINNY, Deoxys, and so on. It can be seen that TNT-AES is competitive in the software performance setting. We also evaluated hardware performance. For hardware performance, we estimate with minimizing area as the optimization target, on the basis of a state-of-the-art result of GIN. About the hardware performance, we have this comparison. From this table it can be seen that when the tweak has to be stored locally, the hardware performance of TNT-AES is slightly inferior; but on the other hand, if the tweak does not need to be stored locally, the hardware performance of TNT-AES can be superior.

Now it is time to conclude. It is important to discuss potential applications of our new tweaking method. The question is: cascaded LRW2 uses almost-XOR-universal hashing, and as we mentioned it might be costly, but at the same time such a hash function supports arbitrary-length tweaks, and it might be promising; TNT just supports n-bit tweaks, and this could be bad. But we should note that n-bit tweaks are already enough for many applications. For example, there are many beyond-birthday-bound secure tweakable-block-cipher-based MACs,
e.g. the tuning-by-tweak mode and the MAC of Cogliati et al., and for such MACs the n-bit tweak of the tweakable block cipher TNT will already be enough. It is also sufficient for beyond-birthday-bound secure variable-input-length domain extenders, or something like this. Double-length block ciphers are also possible, for instantiating different schemes. And also, it can be used to instantiate ΘCB and OTR to obtain beyond-birthday-bound secure variants of OCB and OTR; the performance and the security remain to be verified for the last application case. As a final note, we have proven the security lower bound 2^{2n/3}, and the achievable security upper bound is 2^n, so there remains a gap. This is an open question; we refer to our paper for detailed discussion. It's over. Thank you for your attention.
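As an added illustration (not code from the talk or the TNT paper): a toy Python model of the TNT mode described above, with the three AES chunks replaced by constructed random 8-bit permutations. It shows the tweak XORed into the two gaps with no schedule function, the same function rewritten as two cascaded LRW1 calls with the middle permutations merged, and the ECB pattern leak that per-block tweaks remove. All names and the 8-bit block size are assumptions for the toy.

```python
import random

N_BITS = 8                  # toy block size; TNT-AES in the talk uses n = 128
MASK = (1 << N_BITS) - 1

def random_permutation(seed):
    """Model one idealised chunk Pi_i as a random permutation on n-bit blocks
    (constructed toy stand-in for 6 AES rounds). Returns (forward, inverse) tables."""
    table = list(range(1 << N_BITS))
    random.Random(seed).shuffle(table)
    inverse = [0] * len(table)
    for x, y in enumerate(table):
        inverse[y] = x
    return table, inverse

PI1, PI1_INV = random_permutation(1)
PI2, PI2_INV = random_permutation(2)
PI3, PI3_INV = random_permutation(3)
IDENTITY = list(range(1 << N_BITS))

def lrw1_encrypt(tweak, x, p_a, p_b):
    """LRW1 building block: p_b(p_a(x) XOR T). Birthday-bound, CPA-only secure."""
    return p_b[p_a[x] ^ (tweak & MASK)]

def tnt_encrypt(tweak, x):
    """TNT: Pi3(Pi2(Pi1(x) XOR T) XOR T). The tweak is XORed in twice, in the two
    gaps between the chunks; there is no tweak schedule function at all."""
    tweak &= MASK
    y = PI2[PI1[x] ^ tweak]     # first tweak
    return PI3[y ^ tweak]       # second tweak

def tnt_decrypt(tweak, y):
    """Inverse: undo the chunks in reverse order, XORing the same tweak back in."""
    tweak &= MASK
    x = PI3_INV[y] ^ tweak
    return PI1_INV[PI2_INV[x] ^ tweak]

def tnt_as_cascaded_lrw1(tweak, x):
    """Same function written as two cascaded LRW1 calls: the inner LRW1's Pi2 and
    the outer LRW1's Pi1' merge into one permutation, so the outer uses the identity."""
    inner = lrw1_encrypt(tweak, x, PI1, PI2)
    return lrw1_encrypt(tweak, inner, IDENTITY, PI3)

def ecb_pattern_leaks(blocks, tweak_per_block):
    """ECB with one fixed tweak leaks M_i == M_j through C_i == C_j; giving block i
    the tweak i (the ThetaCB/OCB core) uses a different cipher per block instead."""
    cts = [tnt_encrypt(i if tweak_per_block else 0, m) for i, m in enumerate(blocks)]
    return any(blocks[i] == blocks[j] and cts[i] == cts[j]
               for i in range(len(cts)) for j in range(i + 1, len(cts)))
```

Calling `ecb_pattern_leaks([0x41, 0x41, 0x42, 0x41], False)` reproduces the ECB leak from the talk's figure; with `True` each repeated block goes through a differently tweaked cipher.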