 Okay, the work is titled block cypher-based max beyond the birth data without message language by Yusuke Naito from the Mitsubishi Electric Corporation. Thank you all for the talk. This talk is about design of block cypher-based max. Thus, it uses the birthday box security and the security box message language. So, we will start by explaining the max. The max is the message security that accepts the request key and the bio-range message. And we done the fix-range variable tag that authenticates the input message. And the max is used for integrity check. And many of us have been designed to satisfy PRF security. So, it is indistinguishable between the real-world and higher-world. In the real-world, it is indistinguishable with a max function for a random decay. And in the higher-world, it is indistinguishable with a random function. And after the introduction, it is indistinguishable with a decision-based. So, in this evaluation, the point advantage function is evaluated. This is the initial one in the real-world. This is the quality of the initial one in the higher-world. And regarding the max design, a max basically designed by UDB is printed. And this talk focuses on the block-cypher-based design. And here, the block-cypher is denoted like this. Here is security, and the block-cypher is enemy. So, block-cypher-based max is mainly categorized into two types of max. The first is series-type max. In this max, a block-cypher is intentionally applied. For example, this is e-max. And chapter n is a message block. In this max, a block-cypher is literally like this here. Another type is p-max type max. In this max, a block-cypher is probably applied. So, a block-cypher is e-max. And as we can see, a block-cypher is called powering. And regarding the security proof of the block-cypher-based max, partly, p-block-cypher is assumed to be through random foundation. So, in the security proof, p-block-cypher is replaced with random foundation. Then, for the max fraction using random foundation, that is, in this case, implementation series setting, the advantage function is upper-bounded. So, in this evaluation, these parameters are used. Q is the number of QA's made by distinction. L is the message length. Mark precisely the number of block-cypher poles in one max evaluation. And M is the block-cypher. So, many block-cypher-based max have been designed to satisfy birthday bound security. That means the advantage function is half-bounded by destroy the healthcare sphere of the chain. So, roughly speaking, if bound comes from a distinguishing attack, attack using these three cases. So, here I explain these cases using this sphere. This is P-mark using random foundation. And the first case, almost the original input to P. So, in P-mark case, these inputs are considered. And so, for this case, let's consider this example. This is the two P-mark evaluation. And the first two blocks are these things. And if these into collisions occur, then since the outputs are extra, so these collisions with these collisions on these points. And as a result, this is the solution over the output. So, in the real world, the input collision over the output collision. And, on the other hand, in the ideal world, this is the interaction with the random factor. And the random factor is a one-or-six. So, this project has to occur in the ideal world. So, by using the difference, this is the real and ideal world. So, out of this example, this collision event over the difference. So, for the collision probability, since there are almost LQ inputs here, and these inputs are matched with this random bar L, this is defined by this. So, by the bus analysis for the LQ input, this collision probability is half a value by this point. And for the second case, this case is considered collision in internal states. So, in this period, this function in this point is considered. And collision in this point is over the output collision. So, similar to the first case, using this collision, this collision over the difference. And since there are almost LQ inputs, Q bar here for, by the bus analysis for the LQ inputs, this collision probability is provided by this point. And the last case is random, considered a randomness of the hashtag for this point. And in this case, this value is defined by using a random function. And on the other hand, in the ideal world, the output is defined by a random function. So, by the difference of a random function and a random function, this probability is overburdened by this point. This comes from the periodic switch. So, by combining these overburdened, this one can be obtained. Security bounds usually define the right bound of a key. So, when the security bound reaches some threshold such as this quality, then a key is changed. For example, for the birthday bound, for the case, and the threshold is quality, then this is birthday bound. So, by this equation, when the number of keys reaches this value, then the key is changed. However, by the recent result, we've seen a CCS procedure, which is a strategy to attack. Birthday bound security is not enough. For example, when large amounts of data are processed, in this case, everything is right. So, this value becomes small. Or when large number of connections need to be kept secure. So, in this case, the key is rapidly increased. Or when the drop-side end is small, for example, 64-bit drop-side. So, in this case, this value becomes small. So, in this case, birthday bound security amount calls a probability update. So, this is problematic in security plan itself. So, defining birthday bound security amount is important in substoiling. So far, similar birthday bound amount has been proposed. P amount plus was proposed by Yoshida. It is a variant of P amount, Like PMAQ, it uses double masking here. It appears in PMAQ. Single mask is employed. And PMAQ plus has a two-in-bit internal state here, so double lines. But where in PMAQ, the internal state side is end. And in PMAQ plus, the output is defined by using the extra construction to heat the side part. So, regarding these distribution attacks, since to these two constructions, this question probably can be improved to this quality. And regarding the south case, since a physical randomness of the output term, since to the extra construction or to heat the side part, this quality, since to the extra construction, this quality equals to this quality. So, by these problems, the other problems of the advantage function can be improved by this. So, the next one is a write map by Luce Edel. It is a counter-based, it has a counter-based construction. So, in each short side part, counter is directly in these two hours. So, regarding these distribution attacks, for the first case, by the presence of counter, no issue, no heat distortion, because in each loop, it heats by inputting. So, as a result, this quality becomes zero. And another problem, we are saying as PMAQ, because the internal state side is end-width, which is equal to PMAQ, and it could be defined by using the input side. So, this bound is the upper one. For the chance in this bound, is the recipient B. It sounds to the presence of counter. So, the last map is FD. T is the parameter of this map. This map proposed by it has extra construction of the right map. So, in this map, right map is called D-time here, and D-outputs are XORs. So, regarding the distribution attacks, it's near to the right map, thanks to the presence of counter, this quality is zero. And, regarding the second case, since the internal state side is end-width, so, the quality in the internal state is improved to this quality. And for the health test, the output is defined by the extra construction of T, T cross-cycle. So, this construction ensures this input upper bound. So, by the upper bound, this upper bound can be obtained. So, we can see this message very quickly. And, increasing the parameter T, this bound is improved. So, this is comparison. Or, in this same map, this line shows the speed bound. And, this line shows the number of grades, where the speed bound equal to constant. And, this line shows the right bound over T under this setting. So, the threshold in this quality, and 64 bits of cyber is used. And, this issue can make 2900 grades per second, and not the message length is overriding. The last three points come from a three-study-view setting. So, we can see that using FD, pre-made T updates can be avoided. However, there is a program of FD that is the FCC, and besides, it depends on the parameter D. So, in FD, right mark is called D-cycle. So, for each message log, log-cyclic is called D-time, and the key-cyclic is 2 times D. So, increasing the parameter, the security level is increased. But, the FCC is increased, and the key-cyclic is increased. So, for this program, first, I consider the improvement of FD4. In this case, the parameter D is 2. So, I propose right mark plus that has better FTC and shorter key-cyclic than FD2 by keeping the same level of security of FD2 for different right mark graph in combination of right mark here and right mark, P mark, right here. So, this name is in combination of P mark. So, we can see for each message log-cyclic is called 1. On the other hand, log-cyclic is called 2 for the FCC is increased, and the key-cyclic of right mark plus is here and here, and pair of the key-cyclic of FD4 for the key-cyclic also increased. And we now need to keep the same attack similar to right mark by the presence of counter, the version where it comes there, this is the Internet-based site is 2A so, the quality in Internet-based here becomes this quality. And regarding the sound test, this is the randomness of the output but thanks to the extra construction of 2D, etc. this quality becomes this quality. So, other than that this upper bound can be opened which is same as F2. So, in this case the parameter T is 2 so the next step is to consider the improvement to the version of FD where the T is equal to greater than C. So, in this case I propose right mark plus 2 that has better efficiency and shorter size than FD quality being the same level of activity as FD. So, for the efficiency of right mark plus 2 right mark plus 2 is designed so that for each method row both side one is called 1 so, this is still the right mark plus so, I employ the same construction as the right mark plus here and regarding the security level as I explained before the security goal is the same level of security but the security afterness is about greater. So, in this case we need to suppose that we are using machine attacks and regarding the security similar to right mark plus this security is called this quality we both come here and the other side clearly and regarding the third case which is the randomness of the output time and so in order to achieve the same level of security as FD I employ the same construction as FD that means that it's a construction or T, T are both side one. So, this construction will ensure this one however, there is a gap between this output and this output this is 2MH and DMH So, in order to use these without we need to combine we need to combine we need to new construction that combines output and this input So, this is new mark construction and since this construction we can use these without and without this above one can be obtained from this above one and note that this above one is satisfied when T is equal to or less than same Okay, this is last slide Today I propose 2MH right mark plus and right mark plus This right should be D-bound this right should be the number of queries D-bound becomes constant and this right should be the number of block cycle for each message block and this right should be D-side So, right mark plus is the input value of F2 and as you can see it's achieved the same level of security as F2 and the efficiency and the D-side are improved like this and then I propose right mark plus 2 which is the input value of F2 where F2 is equal to or greater than 3 and as you can see right mark plus 2 achieve the same level of security as F2 and the efficiency and the D-side are improved Okay, that's all, thank you very much This right mark plus 2 is the kind of sponge The last mark you propose is the kind of sponge It looks like there is not solving a squeezing phase This is different from the one from Fluxon The one from Fluxon has an egalitarian foundation In other words, if Fluxon has a heart for maybe if Fluxon he might know cannot it be mapped to a sponge construction? Cannot Cannot be mapped to a sponge construction? Represented, please If Fluxon can be not be replaced, can be shown, can be represented by a sponge construction? Sponge is not parallelizable This is purely parallelizable Can I get the marker from you? Okay, thank you very much for the question Everybody is hungry? Thank you so much