 Welcome to the presentation that herization of 40 laws with use-resistant message authentication. I am the speaker to Lung Chen. This paper was co-authored with Baixianning and Baixianning. The story of North Space Macalpher to start with work of Weihma at Carter in 1981, where they process the message with universal hash function and the input modes with the function F. And then they export the output of the universal hash function with the output of the function F and to generate the output tag of the construction. Their work is built on the early work of Gilbert, Macbillans and so on in 1974. We can show that if F is a secure PRF, then the resulting construction achieves ambit security. However, there are two concerns about these constructions. The first one is that there are not so many well-analyzed dedicated PRFs in the world. So usually we choose to implement F as a block cycle. In that case, the resulting construction is called the Weihma Carter Superconstruction, which achieves antify-by-two-bit birth and bond security. The second concern is that the construction strictly depends on the input modes. In the case of a single non-superstition, the construction is totally broken. In order to solve the above-mentioned problem, Buhliadi and Saria introduced in 2016 the construction encrypted its Weihma Carter with Davis-Main. They showed that the construction achieves two antify-by-three-bit security in the North's respecting setting and still birth-a-bond security in the case of North with CO-setting. One year later, Brandinghead neighbors showed that EWCDM actually achieved ambit security in the North's respecting setting, that their proof is based on an unverified version of the new theme. Again, one year later, Nata et al. proposed the following construction BWCDM, the deep means for decrypt it. Instead of using an independent key in the second BWCDM, DWCDM uses the inverse of the BWCDM, but it's based on the same key as the first one. Both CWCDM and DWCDM has the property that, in the case of a North-superstition, the security drops through the birth-a-bond. In order to improve the security, Nata et al. introduced the following construction in 2019. This construction is the North-space ferent of EHTM and Minematsu in 2010. In order to improve the security of this construction, Nata et al. introduced a faulty North model, where they call a very faulty, if it's a Mac, ferry that uses the repeated North. What's interesting about the construction is the construction achieves actually something that we call graceful security degradation. That means that in the case of North's repetition, the security of this construction will not immediately drop through the birth-a-bond. However, the construction will drop with the function that depends on the number of faulty queries. So, the authors show that the different construction achieves two Nd5 by three with security if the number of faulty queries is below two to the power Nd5 by three. They later try to improve the security and show that actually this construction achieves three Nd5 by four with security if the number of faulty queries is below two to the power three Nd5 by eight. We see that both EWCDM and this non-spaced EHTM construction uses two block cipher costs and one universal hash function FI. We wonder whether we can build construction with the same cost but achieve a similar or better security. Before we give an answer to this question, we first want to define the security definition that was used in this work. We focus on PRF security, so we define an attack game. At the beginning of the game, one of the two worlds is chosen. The real world on the left side and the ideal world on the right side. The construction oracle in the real world is an oracle section which is fx while the ideal world oracle is a random function. So the Atifesary A makes Q queries to the given oracle and we ask that A will not repeat its queries since by asking the same inputs it will get the same output. And after A's communication with the oracle, it should state which of the two worlds it was given access to. If A cannot do so, then we can deduce that the different cost section is a secure PRF. We will first start with the simple results. We want to build all end-to-end bits PRFs with just using two block cipher calls. The framework shows in the slides we can see there are total Q2 power 6 constructions that can be built. However, many of those are just trivially insecure. The 4 in 4 requirements are needed to guarantee the security of the construction. For example, if A1-1 is not equal to 1, then there are no inputs to the first block cipher. If A3-3 is not equal to 1, then the output of the second block cipher doesn't have influence on the cost section. If the sum of A2-2 and A3-2 must be at least 1, then the output of the first block cipher doesn't have influence on the cost section. Same as before, A2-1 plus A2-2 must be at least 1, because otherwise there are no inputs to the second block cipher. So, keep in mind that we are only interested in beyond-perceptive and secure PRFs. With those information in mind, we are able to drive the following lots of surprisingly results. The only construction that we can build on 2 block cipher costs are the soft permutation construction by Bellalee et al. in 1998, the encrypted Davies-Mayer construction by Kohiadi et Sarai in 2016, and the encrypted Davies-Mayer drill construction by many of the neighbors in 2017. Those are the constructions that we already know in the previous work, and they are actually shown to achieve rapid security. Besides those constructions, there are natural drill variants, which we can obtain by exploring the inputs to the outputs, also achieve the same amount of security. Now, based on those information, we are able to get one step farther and go to the design of North-based MAC algorithms. Now, we try to build MAC algorithms using 2 block cipher costs into one universal hash function evaluation. We see the framework in the slides that we evaluate the message using universal hash function and puts the output of the universal hash function, and the outputs can be explored at any moment of the construction. There are in total two to power nine constructions that can be built. However, as before, many of those constructions are trivially insecure. Besides the previously mentioned four conditions, we also required that at least one of those B values must be one, because otherwise, the outputs of the universal hash is not explored through the construction. So after our analysis, it seems that there are in total ten interesting constructions left. There are five of those are based on EDM, three are based on SOP, and two of those are based on EDM. In these slides, I will show you the tree of those ten constructions, where the trees are the special Rehman-Carter constructions that are based on SOP, EDM, and EDMD respectively. As mentioned before, Rehman-Carter constructions have NB security in the case of mouse respecting setting, but they're totally broken in the case of single mouse reuse. So what remains over are the seven constructions where four are based on EDM, two are based on SOP, and the last one is based on EDMD. We will first start with the constructions based on EDM. Those two constructions based on EDM are EWCDM and a ferrant of EWCDM. We can show that those two constructions achieve three edified by four bit security in mouse respecting setting. And this time, we can prove the security with a complete verifiable proof. Unfortunately, the constructions do not enjoy risk for security degradation. That means that in the case of a single mouse repetition, the security of the constructions drops to NB by two bit per se. The following two constructions based on EDM, which is much more interesting because they achieve three NB by four bit security as long as the number of four dequeries is below two to power NB by two, which actually means that the constructions do enjoy risk for security degradation. The following two constructions based on SOP are the NB ferrants of EHDM and the ferrants of this. We can show that those constructions achieve three NB by four bit security as long as the number of four dequeries is below two to power three NB by eight. The both also enjoy risk for security degradation. The last construction is one based on EDMB. This is a very special construction since the output of the first block cipher is not known because of this reason it makes the outputs of the second block cipher also unknown since the output of the second block cipher is equal to the XOR of the output of the first block cipher with an output tweak T and to only know the value of T. Because of those reasons it makes it impossible to apply currently known techniques such as MEO theory to prove the beyond birth about security of the construction in the most respected setting. That's the reason why we will leave it for as an open question for the future research. I still want to say something about our security analysis. In this work we use the BATRAS MEO and BATRAS H coefficient technique. The technique is actually formalized in the slide I'm not going to explain in detail but I just want to say in this work we use the BATRAS MEO theory to obtain this epsilon and we can apply BATRAS MEO theory by transforming the query transcripts into a transcript graph where the graph should satisfy the following properties. The first one is that the graph shouldn't contain any circles and the graph shouldn't contain any cerebral path labels while using up of two major properties we are able to define the bad events and then we can multiply the probability that the bad events happen in the ideal world. In the following slides you see a table that summarizes the four and ten constructions and we can see that the most interesting one are the six constructions with three and defined by four of its security. The first two constructions based on EDM, let's B2 and B3 constructions and for the previous work we already know that those constructions can be optimal and bit secure. The main reason that we only have three and five by four of its security is because of the limitation of the MEO theory so we hope that the security of those two constructions can be improved in the future using an improved version of MEO theory or by using some other stronger proof theory. The other four constructions are the most interesting ones since they all enjoy wasteful security degradation. Those constructions are and also show in this slide where the first two are based on EDM and are serial constructions and related to actually parallel constructions based on SOP. Those four constructions all achieve three and five by four bit security. We are not aware whether this three and five by four bit security is tight or not. That's because of the presence of the alternating and alternating paths of longer length in the transcript graph. So I would just leave it as an open question for the future research. For conclusion in this work we perform an exhaustive search of all PRFs that can be built by two bulk type of cars. Based on this result we perform an exhaustive search for MAC algorithms that can be built by one universal hash fibrations and two bulk type of cars. After that we perform a beyond-perceive bond PRF security analysis of the constructions in the 40 nodes model. For the future, as already mentioned before, it will be very interesting to look at the tightness of the security bond. One of the research topics that can be done is to prove the beyond-perceive bond security of that smack algorithm that was based on EDM-D in the North Swiss MacBase. Since our analysis was done for the PRF security on me, it will also be very interesting to look at the MAC security of the given constructions. So this is the end of my presentation. I want to thank you for your attention.