Hello everyone, I am Bishwajit and today I will talk about the security of sponge-type encryption. Since its inception in 2007 by Bertoni et al., the sponge mode has turned out to be a very popular encryption mode. The sponge mode takes a message M and divides it into blocks of size r; we call r the rate. It starts with b bits of zeros, XORs the first message block of r bits with the upper part of the input 0, and then sends the resulting output as the first primitive input. On getting the primitive output, it XORs the upper r bits of the primitive output with the next message block of r bits and sends the resulting b bits to the next primitive call; continuing in this way, the whole message is processed. If the size of M is not divisible by r, then it is made divisible by r by padding it appropriately. After the whole message is absorbed, it continues to call the primitive and takes the appropriate upper parts to generate Z. The popularity of the sponge mode is evident from the fact that the SHA-3 competition had several sponge-based submissions. In fact, JH and Keccak were among the five finalists, where Keccak became the eventual winner. The sponge-based AE is known as the duplex mode. There were more than a dozen submissions in the CAESAR competition based on the sponge. Ascon is also a sponge-type construction and was the winner for the lightweight applications (resource-constrained environments) use case. In the lightweight setting, the sponge is also getting traction, as is evident from the popularity of hash functions such as Quark, PHOTON, SPONGENT, etc.; they are all sponge-based constructions. The AE schemes such as Ascon, Beetle, SpoC are also sponge-based. In fact, the majority of NIST submissions for the lightweight cryptography competition are based on the sponge paradigm. Let b be the size of the permutation, that is the primitive state size, and split it into a c-bit inner state called the capacity and an r-bit outer state, that is the rate.
Then the dominating term in all the existing analyses of duplex authenticated encryptions can be bounded by dt/2^c, where d is the data complexity and t is the time complexity. Now, in the NIST LWC call for submissions, it is mentioned that the primary AEAD version should have data complexity of 2^50 - 1 bytes, that is nearly 2^53 - 1 bits, and time complexity of 2^112. So, to achieve the required security, any traditional duplex-type scheme must have capacity greater than 160 bits. All sponge-based submissions to the NIST LWC standardization process use 192-bit capacity, except CLX, but there is no existing known proof for that scheme. The Beetle mode of AEAD is a sponge-type mode which uses a feedback similar to the COFB mode, that is, the absorption and the squeezing part are similar to the COFB (combined feedback) mode. The existing security results on Beetle got rid of the dt/2^c term. However, the most recent results provided integrity security up to dt < 2^b, when t is much less than the minimum of 2^(c - log r), 2^r and 2^(b/2). So, when c = r = half the state size, then close to (c - log r)-bit security has been achieved. Now, according to the NIST LWC requirements, we require close to 120-bit capacity and 120-bit rate to achieve this security. However, the secondary version of the PHOTON-Beetle submission has a rate of 32, so the existing security does not provide the required result for the secondary version of the PHOTON-Beetle submission. The SpoC mode is also a submission to the NIST lightweight competition, and there is no existing security analysis of the SpoC mode. Now, we construct a general sponge-type encryption mode, which is called the Transform-then-Permute construction.
We show that this Transform-then-Permute construction, or TtP construction, encompasses many constructions such as Beetle, SpoC, duplex, etc. So, let L_E and L_D be linear functions. We define the L_D function in the following manner. With these definitions and some suitable encode function, we look at the TtP feedback function. Here, we call the primitive with the input x_old, and the output is the same as the input of L_E. The L_E output is then XORed with the encoding of m and delta to get the new x_old. The applications of the delta and encode are to secure the construction from prefix-based attacks. Exact definitions can be found in our paper. With this feedback function, we define the Transform-then-Permute AEAD mode as follows. So, on receiving nonce N, associated data A and message M, we first divide the associated data A into blocks A1, A2, A3, ... Similarly, we divide the message M into m many blocks M1 up to Mm. We set K || N as the initial input to the primitive. To that output, we run this L_E function to process the associated data. To that output, we call the primitive again. To the primitive output, we now start processing the message data with the help of the L_E function. After processing all the message blocks, we run the primitive once again and output the top tau bits of the primitive output as the tag. Now, we discuss the security of the TtP mode in the ideal cipher model. The detailed analysis can be found in the paper. Here we concentrate on the bad events due to the decryption queries. So, consider a decryption query (N_i, A_i, C*_i, T*_i). Let this query match up to p_i many blocks with some previous encryption query, so that Y*_{p_i}, and as such X*_{p_i+1}, are known. Now, suppose with the help of primitive queries we can extend this further to know X*_{p'_i+1}, and then make a primitive query to know Y*_{p'_i+1}. Now, consider the following two bad events.
First, p'_i < t_i, where t_i is the total number of associated data and message blocks, and X*_{p'_i+1} is again in the primitive transcript or the encryption transcript. Then we can further extend this chain. We call this a bad event. Another bad event, which we call mBad, occurs as follows. Suppose p'_i = t_i, that is, we reach the end of the chain. Then if the tau upper bits of Y*_{p'_i+1} are equal to T*_i, it is a valid forgery. Now, to bound this mBad, we define a new data structure which we call the multi-chain. We show that the probability of occurrence of mBad is bounded by the adversary's ability to construct these multi-chains. So, let script L be a set of t pairs (u_i, v_i), where u_1, u_2, ..., u_t and v_1, ..., v_t are b-bit values, all u_i's are different and all v_i's are different. It is necessary that u_1, u_2, ..., u_t are all distinct and v_1, ..., v_t are distinct. So, we define the domain of script L as the set {u_1, ..., u_t} and the range of script L as {v_1, ..., v_t}. Now, we define another L, a linear function L from b bits to b bits. So, with this script L and small L, we define a graph with vertices the range of script L, that is v_1 up to v_t, and where there exists an edge of label x from v_i to v_j if and only if L(v_i) XOR x = u_j. To understand it better, consider the points v_0 and v_1. Since L(v_0) XOR x_1 = u_1, and after the primitive call it goes to v_1, we say that there exists a labeled edge from v_0 to v_1. Now, given a k-tuple x = (x_1, ..., x_k), where each x_i is b bits, we say that there exists a labeled walk with label x if there exist v_1, ..., v_{k-1} such that there exists an edge from v_0 to v_1 of label x_1, from v_1 to v_2 of label x_2, and continuing so, from v_{k-1} to v_k of label x_k. We call this labeled walk a v_0 x-labeled walk to v_k, and simply write it as v_0 -x-> v_k.
Now, consider all possible chains v_0^i -x-> v_k^i for a given x. Suppose those walks are w_1, w_2, ..., w_p such that the most significant bits of u_0^i are constant, say some u, for all of w_1, w_2, ..., w_p, and the most significant tau bits of v_k^i are some v, that is, they are also equal. So, given a label x = (x_1, ..., x_k), we define a multi-chain of length k to be all such k-length chains which can be formed with all u's equal and all v's equal. Now, given all the multi-chains for all labels of length k, let w_k denote the maximum size of all possible multi-chains of length k. Notice that if w_1, ..., w_p is a multi-chain, then any subset of w_1, ..., w_p is also a multi-chain. So, we consider the maximum possible size of the set w_1, ..., w_p for a given x, then we check over every possible k-tuple x, and the maximum multi-chain size is denoted by w_k. Now, consider an adversary A which interacts with the permutation π t times. Let script L denote the set of transcripts. So, if it makes a forward query u_1 and gets v_1, then denote the transcript as (u_1, v_1, dir_1), where dir_1 is +. If it makes a backward query v_t and gets u_t, then it is denoted by (u_t, v_t, -), where dir_t is -. Notice that given an L, A can form a chain in the following three ways. It makes only forward queries, starting from (u_0, v_0, +) and adaptively querying up to (u_{k-1}, v_{k-1}, +); then it calculates u_k by applying L to v_{k-1} and XORing with x_k, and then it hopes that (u_k, v_k, +) is in script L. It can make the chain v_0 -x-> v_k in another way, which is the reverse of the forward way, that is, all backward queries: in this case it starts with (u_k, v_k, -), proceeds backwards adaptively to get v_0, and then hopes that (u_0, v_0, -) is in script L. Finally, it can fix some i and make adaptive forward queries starting from (u_0, v_0, +) to get v_{i-1}, and backward queries starting from (u_k, v_k, -) to get u_i, and then it hopes that L(v_{i-1}) XOR u_i = x_i.
So, in these three ways it can form the chain v_0 -x-> v_k. Now, let μ_t denote the maximum of the expected weighted size of all such possible multi-chains that can be found by any adversary. Our next objective is to bound this μ_t. So, we consider the case where L is invertible. In that case, μ_t can be bounded by mcoll(t, 2^τ) + mcoll(t, 2^r) + mcoll'(t^2, 2^b), where mcoll denotes the expectation of the number of multi-collisions. So, this comes from the attacks by the adversary A of this form, and the mcoll' comes from the adversary's ability to make both forward queries and backward queries, and then the expected number of collisions between the sum of the forward and backward queries, that is, the number of possible collisions in the x_i values. In the recent version of our paper, which is uploaded on ePrint, we have shown that we can bound μ_t for the cases where the rank of L is not exactly equal to b, that is, L is not invertible, provided that the transcript script L is collapse-free. So, we define collapse as the event of a collision of L(y_i) and L(y_j) for some distinct i, j where both calls are forward queries, and we say that the set of transcripts script L is collapse-free if the collapse event does not occur. So, in the case when the transcript set is collapse-free, we have that μ_t ≤ mcoll(t, 2^τ) + mcoll(t, 2^r) + mcoll''(t^2, 2^{rank(L)}). This mcoll'' is similar to the mcoll' here; the only difference is that it takes the input rank(L), so that it can find the collision probability in z_{ij}, where z_{ij} = L(π(x_i)) XOR π^{-1}(y_j). So, as in the case of mcoll', z_{ij} was the collision between the XOR of a forward query and a backward query; here the collision is the XOR over the L function of the forward query and the backward query.
So, when rank(L) is close to b, then mcoll'' is closely related to mcoll'. For exact definitions and bounds, please check the latest ePrint version of the paper. Now, with this new multi-chain security game and the bound on μ_t, we go back to the event mBad in the case of our Transform-then-Permute construction. More specifically, for the i-th decryption query, X*_{p_i}, and as such Y*_{p_i}, is known, and hence the upper r bits of X*_{p_i+1} are known due to some common prefix with some earlier encryption query. Then with the help of the primitive transcripts we can extend the chain up to Y*_{m_i+1}, that is, we can complete the chain, and the most significant bits of Y*_{m_i+1} are actually the tag. That is, we have a valid forgery. Clearly the chain from Y*_{p_i+1} to Y*_{m_i+1} with the labels C*_{p_i+1} up to C*_{m_i} belongs to this multi-chain, where the most significant r bits of each u_0^i are equal to the r most significant bits of X*_{p_i+1}. Similarly, the tau most significant bits of each v_k are equal to T*_i, that is, the tag. Hence, we can bound the probability of occurrence of mBad by the ability of the adversary to form such a multi-chain. Now, since this length k can be anywhere between 1 and σ_d, where σ_d is the total number of blocks in the decryption queries, the size of this multi-chain, that is the number of chains in this multi-chain, is bounded by μ_{q_p} σ_d, where q_p is the size of the primitive transcript. Again, notice that if L is invertible, then starting at any v_0 there is exactly one unique chain in this multi-chain. Since the r most significant bits of X*_{p_i+1}, that is the r most significant bits of u_0^i for each i, are known, to get the exact chain we need to guess the least significant c bits of u_0^i.
Hence, we conclude that when L is invertible, the probability of mBad is bounded by μ_{q_p} σ_d / 2^c. When L is non-invertible but the transcript is collapse-free, then the probability of mBad is bounded by the minimum of these two expressions. The detailed calculation of this can be found in the latest version of our ePrint paper. Now, using this bound for the probability of occurrence of mBad, we come to the following upper bound for the AEAD advantage: the AEAD advantage of any adversary A which makes at most q_p many primitive queries, at most q_e many encryption queries with total number of blocks at most σ_e, and q_d many decryption queries with total number of decryption blocks at most σ_d. This is our main result for the AEAD security of the Transform-then-Permute construction in the case where L_E and L_D are both invertible. Using this, it can be seen that when SpoC is viewed as a TtP construction, then L_E is the identity and L_D is defined by the mapping L(x, y) -> (x, (x || 0^{c-r}) XOR y), where x is an r-bit input and y is a c-bit input. As a corollary of our main theorem, we derived the following bounds for both the 64-bit rate version and the 128-bit rate version of SpoC. By plugging in the appropriate values, it can be seen that both versions of SpoC are secure under the NIST prescribed security parameters. Now, when Beetle is viewed as a TtP construction, then we have the following expressions for the L_E and L_D functions, which are all linear, and hence as a corollary of our theorem we derived the following two bounds: this bound for the AEAD security of Beetle in the case when c > r, and this bound for the case when c = r. In the case of PHOTON-Beetle, which is a slight variation of the original Beetle proposal, the rank of L_D is actually equal to b - 1.
So, L_D is not invertible, but it has rank very close to b, and as such we derived the following bounds for the PHOTON-Beetle versions with 128-bit rate and 32-bit rate using the proper bounds. From these bounds, it can be seen that both the 32-bit rate and 128-bit rate versions of PHOTON-Beetle satisfy the NIST prescribed security. In the case of sponge, the rank of the L_D function is actually equal to c, which is much less than the state size b. Hence, our μ estimate does not work in the case of sponge, and hence we keep the security bound of sponge in the following manner, in terms of μ_{q_p}. So, in conclusion, in this talk we got rid of the restrictions on the rate which were required in the previous analysis of Beetle. We gave a new security analysis of SpoC. We gave a sponge-like unified construction which encompasses many schemes such as Beetle, SpoC, and in fact the sponge duplex. A tight security analysis of sponge is still open, since there is no existing analysis of the proper estimate of μ_{q_p}. Thank you. Stay safe.
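As an added illustration of the sponge mode described at the start of the talk (example code written for this page, not the speaker's, the paper's or any NIST submission's code), here is a toy sponge with the state split into an r-bit outer part and a c-bit inner part; the 64-bit state size, r = 16, the pad10*1 padding and the invented ARX permutation are all assumptions for illustration.

```python
# Added illustration, not the speaker's or any submission's code: a toy sponge
# in the shape described in the talk. The b = 64-bit state is split into an
# outer part of r bits (rate, top bits) and an inner part of c = b - r bits
# (capacity). The permutation is an invented 64-bit ARX mixer used only as a
# stand-in for a real primitive; it is a bijection but offers no security.
B_BITS = 64
MASK32 = 0xFFFFFFFF


def _rotl32(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def toy_permutation(state):
    """Invertible mixing of a 64-bit integer (two 32-bit halves, 8 ARX rounds)."""
    a, b = state >> 32, state & MASK32
    for i in range(8):
        a = (a + b) & MASK32                     # each step is reversible given the other half
        b = _rotl32(b, 13) ^ a
        a = _rotl32(a, 7) ^ ((b + i) & MASK32)
    return (a << 32) | b


def pad10star1(msg, r_bytes):
    """Keccak-style pad10*1: append 0x01, zero-fill to a block boundary, set the
    top bit of the last byte. Applied even when len(msg) is already a multiple
    of r, so two messages never share a padded string."""
    padded = bytearray(msg) + b"\x01"
    while len(padded) % r_bytes:
        padded += b"\x00"
    padded[-1] |= 0x80
    return bytes(padded)


def sponge(message, r_bits=16, out_bytes=8, perm=toy_permutation):
    """Absorb `message` r bits at a time into the outer state, then squeeze out_bytes."""
    assert r_bits % 8 == 0 and 0 < r_bits < B_BITS
    r_bytes = r_bits // 8
    shift = B_BITS - r_bits                      # outer r bits sit above the c-bit inner state
    state = 0                                    # start from b bits of zeros
    padded = pad10star1(message, r_bytes)
    for i in range(0, len(padded), r_bytes):
        block = int.from_bytes(padded[i:i + r_bytes], "big")
        state = perm(state ^ (block << shift))   # XOR into the outer part only, then permute
    out = b""
    while len(out) < out_bytes:                  # squeeze: emit the outer r bits, permute, repeat
        out += (state >> shift).to_bytes(r_bytes, "big")
        state = perm(state)
    return out[:out_bytes]
```

The inner c bits are never touched by message blocks and never emitted, which is exactly why the generic bounds in the talk are expressed in terms of the capacity c.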