Can I use this one? Yeah, okay, thank you. So, I'm going to talk about GCM. Galois/Counter Mode is an authenticated encryption mode for 128-bit block ciphers designed by McGrew and Viega in 2004. It was selected as the NIST recommended authenticated encryption mode in 2007, and it is widely used in practice. So, this is an overview of the encryption algorithm of GCM. It takes a block cipher key K, a nonce N, associated data A, and a plaintext M as inputs, and outputs a ciphertext C and a tag T. It uses a block cipher E_K whose block size is n bits, which is 128. So, we first compute the initial counter value for the counter mode, which is N concatenated with a constant when the nonce length is 96 bits. Otherwise, we use this GHASH function to obtain the initial counter value, where GHASH is a universal hash function and L is a key, which is the encryption of the zero bits, and this epsilon is an empty string. Then we use counter mode to generate the key stream, which is XORed with the plaintext to obtain the ciphertext. Then we compute the GHASH value for this A and C and take the XOR of these two values to obtain the tag.

So, the designers proved the security of GCM. They analyzed privacy and authenticity against chosen ciphertext attacks. This is their privacy bound, and it roughly says that ciphertexts of GCM are indistinguishable from random strings. This is their authenticity bound, and it roughly says that GCM is unforgeable. There have been several attacks. Ferguson showed that forgery attacks are possible when the tag is short. Joux showed key recovery attacks on GCM by reusing nonces, and showed forgery attacks on the draft NIST version of GCM. Handschuh and Preneel pointed out that there is a weak key in GCM, and Saarinen pointed out that there are many weak keys in GCM. Still, it is widely considered that the provable security results of GCM are sound,
in the sense that these attacks do not contradict the claimed security bounds, and that no flaw in the proofs has been identified. So some of these attacks show the tightness of the security bounds, and others are outside the security model, for instance when a nonce is reused.

Now I'd like to consider an equation over GF(2^128) defined by this irreducible polynomial, which is the one used in GCM. The multiplicative identity element is 8 followed by zero bits. And this is the equation: U L^2 XOR V L XOR 1 = U' L^2 XOR V L, where U, U' and V are these sparse constants, where we see 2 here, 6 here and 4 here. And I'm interested in the number of solutions of this equation. It is very easy to see that this equation has at most two solutions, because the degree of this polynomial is two.

Now I'd like to introduce the increment function used in GCM. It takes a 128-bit string X || Y, where X is 96 bits and Y is 32 bits. The most significant 96 bits are not changed, and we increment the least significant 32 bits by one modulo 2^32. So for example, the increment of 1 is 2. And I replace this "XOR 1" by this increment function and ask the same question. I'd like to note that the left-hand side may not be a degree-two polynomial over GF(2^128). This is not as simple as the previous one, but we can verify that these are the solutions, and there are 32 solutions.

Now I'd like to explain why this observation is relevant. So in analyzing the security of GCM, we have to consider a counter collision. Suppose that we have two nonces, N and N', which are not 96 bits. Then we use GHASH to obtain the initial counter values. These strings are XORed with a plaintext to obtain a ciphertext, and these strings are XORed with another plaintext to obtain a ciphertext. And a counter collision is a bad event.
So for example, if we have a collision between I_1 and I'_1, then the XOR of the two ciphertexts is identical to the XOR of the two plaintexts. So if this happens, information about the plaintexts is leaked. So we need to show that the probability of a counter collision for R, N and N' is small. And this is the event that the R-fold application of the increment function to GHASH(N) is equal to GHASH(N').

So I'd like to explain the details of GHASH. It's a universal hash function. We first pad with zero bits so that the input becomes a multiple of n bits. Then we concatenate an n-bit representation of the length of N, and we break it into blocks. The GHASH value is the result of evaluating this polynomial. So for instance, if N is this one, which is 72 bits, then it is padded with zero bits and multiplied with L^2, XORed with 48 times L, where 48 in hex is 72. So this is U L^2 XOR V L that we have seen before. Similarly, if N' is this value, then the hash value of N' is U' L^2 XOR V L.

So as I mentioned, we have to show that the probability of a counter collision is small. And there is a lemma in the original paper saying that the probability of the collision is at most the maximum of d and d' divided by 2^n, where d is the degree of GHASH(N) and d' is the degree of GHASH(N'). It covers a general case, but if we substitute the parameters, then the lemma says that this equation has at most two solutions. But we have seen that this equation has 32 solutions. So this lemma is not correct. And this is an important lemma that is used in both the privacy proof and the authenticity proof, so both proofs contain a flaw.

I'd like to introduce one more observation regarding this concrete example. We have seen that this equation A has 32 solutions. If we increment once more, then this B has 31 solutions. If we increment twice more, then this C has 30 solutions.
And if we don't increment, then this D has one solution. And these 94 solutions are all distinct, meaning that the probability of the event A or B or C or D is at least 94 / 2^128. This observation can be translated into a distinguishing attack on GCM-Rand, which is GCM where we use a random function instead of the block cipher, by simply observing whether the event implied by the event on the previous slide occurs in the ciphertexts. And we can show that the privacy advantage is at least 94 / 2^128. This attack does not contradict the overall privacy bound, but it invalidates a part of it. So this is the original security bound, and the second term corresponds to the privacy advantage of GCM-Rand. If we substitute the parameters, then it says that this advantage is at most 80 / 2^128.

So I have several remarks. The attack does not break GCM, because our attack does not contradict the overall privacy bound and it invalidates only a part of it. I'd also like to remark that the attack also invalidates a part of the authenticity proof. The success probability of the attack is small, so the practical implication of the attack is limited. And the attack does not work if the nonce length is restricted to 96 bits, and this is actually required or recommended by many standards.

Now I'd like to see if we can repair the proofs without modifying the original specification. For this we have to derive an upper bound on the probability of a counter collision, and for this I will introduce a combinatorial problem. Then I will discuss the relation to the proofs and approaches to solve the problem. And finally I will present our new privacy and authenticity bounds. So this is the problem. Let Y_R be the set of (Y + R mod 2^32) XOR Y, where Y is in the set of 32-bit strings. And we set alpha_R to be the cardinality of Y_R.
And the problem is to determine alpha_max, which is the maximum value of alpha_R where R is between 0 and 2^32 - 1. So we have the Y value here, and Y + R mod 2^32 here, and we are interested in the XOR difference of these two values. This alpha_R is the number of possible nonzero XOR differences of these two values when Y ranges over the set of 32-bit strings.

Now I would like to recall that a counter collision is this event. And if we can replace this left-hand side by GHASH(N) XOR C for some constant C, then we can derive the upper bound on the probability, because this one becomes this one, and this is a polynomial over GF(2^128). But this constant C depends on the values of R and GHASH. And if we think of this Y as the least significant 32 bits of this GHASH(N), then this alpha_R represents the number of possibilities for C. And for each C, we know the number of solutions of this equation. So as a new version of Lemma 3, we can show the lemma which says that, for each R, the probability is at most alpha_R times the maximum degree divided by 2^n. And if we can derive the maximum value alpha_max, then for any R, the probability is at most alpha_max times the maximum degree divided by 2^n.

So there are several possible approaches to solve the problem. One example is to make use of tools for the analysis of functions called S-functions, developed by Mouha et al. and by Leurent. So there are approaches, and our solution is to show a recursive formula to compute the value of alpha_R. So in the paper, we have shown this recursive formula. I will not explain the details, but this result can be used to efficiently compute alpha_R. Based on this result, we can draw a graph showing the relation between R and alpha_R. And we see that the maximum value is slightly less than 2^22, and the actual value is about 3.5 million.
And the equality is achieved when R is one of these four values. And this is our new version of Lemma 3. For any R, the probability of a counter collision is at most 2^22 times the maximum degree divided by 2^n. And we can use this result to obtain this new privacy theorem. This is essentially the same as the original privacy bound, but we are dealing with chosen plaintext attacks instead of chosen ciphertext attacks. And the main difference is that we have this 2^22 here. We have also shown that if the nonce length is restricted to 96 bits, then GCM has a stronger security bound. This is our new authenticity theorem. This is again essentially the same as the original authenticity bound, and the main difference is that we have this constant here. And again, if the nonce length is restricted to 96 bits, then we have this stronger security bound.

To conclude, we have shown that Lemma 3 is not correct, and the probability of a counter collision is higher than claimed. We showed that the proofs can be repaired. We presented a new version of Lemma 3, a new privacy theorem, and a new authenticity theorem. Our bounds are worse than the original bounds, but GCM maintains its provable security. And we have also shown that it has better bounds if the nonce length is restricted to 96 bits. And the open question is whether we can improve our security bounds. Thank you very much. Thank you. Any questions?
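As an added example (my own code, not the speaker's slides or the paper's recursive formula), the combinatorial problem from the talk worked out in Python: alpha_R is counted by following the carries of Y + R instead of enumerating Y, the count is checked against brute force for small word sizes, and the bound alpha_max < 2^22 falls out as a Fibonacci number. The four maximizing 32-bit R values in the demo are my derivation from that carry argument, assumed rather than quoted from the slides.

```python
from fractions import Fraction


def alpha_bruteforce(r, w=32):
    """|{ ((Y + R) mod 2^w) XOR Y : Y a w-bit string }| by enumeration (small w only)."""
    mask = (1 << w) - 1
    return len({((y + r) & mask) ^ y for y in range(1 << w)})


def alpha(r, w=32):
    """The same count in w steps, via the carries of the addition.

    Let c_i be the carry into bit i of S = (Y + R) mod 2^w, with c_0 = 0.
    Since s_i = y_i ^ r_i ^ c_i, the difference D = S ^ Y equals R ^ C, so
    distinct D correspond exactly to distinct carry vectors (c_1..c_{w-1});
    the carry out of the top bit is lost.  c_{i+1} = maj(y_i, r_i, c_i): when
    r_i == c_i the next carry is forced to r_i, otherwise y_i chooses it.
    a0 / a1 count the distinct carry prefixes whose current carry is 0 / 1.
    """
    a0, a1 = 1, 0                    # before bit 0 the only prefix has c_0 = 0
    for i in range(w - 1):           # bits 0..w-2 fix c_1..c_{w-1}
        if (r >> i) & 1:
            a0, a1 = a0, a0 + a1     # carry-0 prefixes branch, carry-1 ones stay 1
        else:
            a0, a1 = a0 + a1, a1     # carry-1 prefixes branch, carry-0 ones stay 0
    return a0 + a1


def alpha_max(w):
    """Exhaustive maximum of alpha_R over all w-bit R (small w only)."""
    return max(alpha(r, w) for r in range(1 << w))


def fib(n):
    """Fibonacci numbers with fib(1) = fib(2) = 1."""
    a, b = 0, 1
    for _ in range(n):
        a, b = b, a + b
    return a


def counter_collision_bound(r, max_degree, n=128, w=32):
    """alpha_R * max(d, d') / 2^n, the per-R form of the repaired Lemma 3."""
    return Fraction(alpha(r, w) * max_degree, 2 ** n)


if __name__ == "__main__":
    # Each step adds at most the larger of a0, a1, so alpha_R <= fib(w + 1);
    # equality needs r_0 = 1, strictly alternating bits 1..w-2 (either phase)
    # and a free top bit: four 32-bit values, each giving fib(33) = 3524578 < 2^22.
    for r in (0x55555555, 0xD5555555, 0x2AAAAAAB, 0xAAAAAAAB):
        print(hex(r), alpha(r))      # 3524578 each
    print(alpha(1))                  # 32 candidate constants for a single increment
```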