 So this talk is about building secure Macs. So in this work we propose a new Wegman-Carter style Mac, which is called the Ugly Aquanimies for Encrypted Wegman-Carter with Davis Mayer. And this new Mac is based on a XOR universal hash function and a block cipher, and it has the following properties. So first it is quite efficient. It requires only two block cipher codes, one of which can be computed in parallel to the hash function. And it is secure beyond the birthday bound when nonces are not repeated, and it retains security up to the birthday bound when nonces are reused. So as you can see, there are some similarities with what we've done in the previous mode that I presented in the previous talk. And actually it's kind of a follow-up on the SCT mode. So again, the rationale behind that is that we want this new Mac to be very secure when nonces do not repeat, which should be the nominal usage. And we want security not to be completely destroyed when nonces are inadvertently repeated. So the outline of the talk will be as follows. So first I will give some background on Wegman-Carter Macs. Then I will describe the new construction and I will give a very quick sketch of the proof. So first, so what are Macs, message authentication codes? So as usual, we have Alice and Bob who wants to communicate over an insecure channel, which is potentially controlled by the attacker here. And they want to send messages, and they want to detect the attacker and modifies the messages which are transmitted. So what do they do? They share a secret key, K, and they compute some function of the message. And so in this talk, we consider nonce-based Mac, which means that they also include in the computation a value which should not repeat a nonce. And they compute a tag, T, which is transmitted with the message. And so we don't want the adversary to be able to forge tags, which means to compute tags for new messages that it hasn't seen before. So how do we define formally security for this primitive? So we have an adversary which has two oracles, a Mac oracle and a verification oracle. And it can make QM Mac queries to the Mac oracle. And it can make QV verification queries. You can see this as forgery attempts to the verification oracle. And the adversary is successful if one of the verification queries passes. And of course, if this query has not been obtained from the Mac oracle, which would be a trivial win. And we say that the adversary is, so I did in the previous talk, that it is non-respecting if it does not repeat nonces in the Mac oracle. So for verification queries, it can do whatever it wants. But we disallow him to repeat nonces in Mac queries. So one of the oldest ways to build such a primitive is what is called Wegman-Kater-Max, which has been proposed by Wegman and Kater in the previous work by Gidber, Maculance and Sloane. So how does it work? So you use what is called an almost-exhaught universal hash function. So what is it? This is a hash function which a keyed hash function, such that for any two inputs, m and m prime and any value y, the probability when you draw a random key that the draw of the two outputs is equal to y is less than some small value, et cetera. So in other words, it's a small differential probability. So you use such a universal hash function, you hash your message and you simply encrypt it or mask it with a one-dipad. So for each message, you have to use a one-dipad. So the key for this Mac is the hashing key and as many one-dipads as you need to authenticate your messages. So it's not very practical to share a large number of one-dipads. So what we do in practice is that we replace the one-dipad by an absurd random function computed on a nonce. So really the word of the nonce here is to act as an absurd random byte. So what is interesting with this construction is that first, if you really use it with one-dipads, security is information theoretic. So once you replace one-dipads with an absurd random function, security is as good as the security of your absurd random function, but it's still very good if you use a good absurd random function. What is interesting also is that this primitive here can be implemented very efficiently. For example, if you can use polynomial evaluation as in GCM or as in Poly 1305. So as I said, it has information theoretic security, so kind of optimal security, and in particular the bound is given by epsilon times the number of forgery atoms for verification queries plus a term which reflects the security of the absurd random function. So with as many queries as the sum of MAC queries and verification queries. So this is a standard bound for Wegman-Carter-Max. So in principle it's very good, but in practice there are two problems. The first problem is that usually you will implement your absurd random function with a block cipher. In many situations you don't want to implement a MAC or a hash function or something. You just have a block cipher, so the basic idea would be to replace the function here with a block cipher. And the problem is that the nice provable security bound that we had drops to something which is much weaker, namely the burst bound, because of the PRF-PRP switching lemma. So here the PRF advantage of a block cipher because of this PRF-PRP switching lemma will be the number of queries squared over 2 to the n. And this term here will usually dominate this one. So you lose a lot from a provable security point of view when you do this. There is a better bound than this one by Bernstein, but it's still of birth data. So let me mention right now that there is a solution which is to use a beyond burst bound secure PRP to PRF conversion, and I will come back on this later. So this is the first problem. How do you implement your PRF if you only have a block cipher? The second problem is the non-smith use problem. So Wegman-Catermax are actually very brittle in the sense that a single non-sweepetition can completely break security, especially for polynomial-based hashing. Which means that the hash function here is a polynomial which depends on the message evaluated on the secret key. It's quite easy to see that if you repeat a nonce a single time when computing a Mac, the adversary will be able to compute a polynomial and the key will be a root of this polynomial. So this gives a lot of information to the adversary. And in fact, it has been a recurrent criticism against GCM, this nonce misuse problem. And the solution to this problem is also known, which is just to add an extra PRF call to the output here. And in fact, in this case, it's okay to use, you don't lose security if you encrypt rather than using a PRF. And if you do this, then this nonce misuse problem disappears because in particular, this kind of attack doesn't apply anymore. Okay, so I will now explain the new construction that we proposed. So the goal here, as I explained at the beginning, is to design an efficient Wegman-Carter-like Mac, which is based only on a block cipher, which is secure beyond the burst-debound when nonces are not repeated, and which retains nonce misuse-resistant at least up to the burst-debound. And so if you want to do this with... So the state of our solution to design a Mac with all these properties is to use this construction here that I just explained, which we called encrypted Wegman-Carter, because we have a Wegman-Carter here and an extra call to a block cipher to encrypt this value here to our nonce misuse problem. So you can start from this and simply use what is called a PRP-to-PRF conversion method to implement your pseudo-random function. So what is PRP-to-PRF conversion? Also called in a similar paper, Ljubljarkov-Bakwat. It's simply the question, how do you construct from a block cipher something which is indistinguishable from a random function with ideally up to the end queries? So you can use the block cipher itself, but it's only a secure PRF up to the end of our two queries. So you can use truncation. You can take your block cipher and truncate the output. This works, but you have to start from a very large block cipher to have good bounds. So the standard way to do this is what is called the XOR construction, which has been investigated by Lux and Patara. And you simply compute the encrypt, your input with two different keys, and you XOR the outputs. Or you can also truncate your output and append a zero and one and encrypt with the same key and XOR the outputs. This is called the TrunConstruction, and it has also been investigated by Lux. And these two constructions here have very good security. It's a nearly secure PRF, and it's secure up to two to the end queries, close to two to the end queries. So kind of optimal security for PRP to PRF conversion meta. So if you do this, you start from this encrypted Vekman-Kata construction and you instantiate your pseudo-random functions here using PRP to PRF construction. And your problem is solved. You have a Vekman-Kata Mac, which is beyond the secure when non-seize do not repeat, and which is non-seize resistant, thanks to the outer encryption layer. But only up to the birthday bound. But these requires at least three block cipher calls. And the question is, is it possible to do better? So actually, this kind of design is exactly what we used in the SCT mode that I talked about before. And at this time, we didn't know how to make it more efficient. So we used exactly this sum of two PRP's construction to achieve beyond birthday bound security. So the question is, can we do better than three block cipher calls? And the answer is yes. And this is what we call now the encrypted Vekman-Kata construction with Davis-Mayer. And the simple idea is just to instantiate here this pseudo-random function with what we call the Davis-Mayer construction, which is the easiest way to turn a permutation into a function, which is depicted here. So you just encrypt your nodes and you explore the nodes to the output. So this destroys the ejectivity. It's not a permutation anymore. It's a function. But the problem is that this is not a beyond birthday secure PRF. It's quite easy to see that this construction, this Davis-Mayer construction here, there is a distinguishing attack with birthday complexity. If I give you an hour call and I ask you to distinguish between a purely random function and the Davis-Mayer mode, you just ask queries to your hour call and you explore the input and you look for collisions in these values. And if there is collisions, then it was truly random function. If you don't find collisions, you guess it's a Davis-Mayer construction. So this is not beyond birthday secure. So how could this give beyond birthday security when nodes do not repeat? But in fact, here, this attack here is not... You cannot apply it because of the outer encryption layer. You should try. You really need to do this attack, this distinguishing attack on Davis-Mayer. You really need to have access to the outputs of the Davis-Mayer construction and here you don't have access because of the outer encryption layer. So maybe there is hope that this construction here gives beyond birthday security when nodes do not repeat. And this is actually what we proved. So let me first give you the security result that we proved in the paper. So here N is the block length of the block cipher and it's also the tag length. L-max is the maximal message length in N-bitbox. And what we proved is security up to the important term here that we improve over the basic Legman-Cata is QM to the 3 over 2 to the N. So this means that this is secure up to 2 to the 2N over 3. So you have also this term here, which gives you this term here and up to epsilon minus 1 for the number of verification queries. So epsilon here is the parameter of your universal hash function. So this gives us beyond birthday security when nodes do not repeat and when nodes can be repeated, then we get back to birthday bound, classical birthday bound for Legman-Cata-max. So now let me sketch quickly how we proved this result. So first you can observe that we cannot start by replacing the database-mayor-construction here by a random function, right? Because if we do this, the addition will have a birthday bound which appears directly. So what we really need to do is to consider the PRF security of this part here. So forget for now about the hash of the message and consider just what happens to the nodes. So it is first encrypted but you first apply the database-mayor-construction and then you encrypt it. And what we need to do in the proof is to analyze the PRF security of this construction. So actually we call this construction here the encrypted database-mayor-construction because we have a database-mayor and we encrypt it. And what we prove actually in the paper, a large part of the proof is to prove that this is a PRP to PRF construction. So to the best of my knowledge it has never been considered before but I think it's interesting to have. And so a large part is to prove that this is secure. So we prove that this is secure due to the two and over three queries. And for this we use the hash coefficients technique that was mentioned in the first talk in this session. So I will not enter into the details but so this technique considers the transcript of the attack. So we have another cell which makes queries to an oracle and we consider the transcript of this attack and we have to separate the transcript between good and bad transcript. So in our proof a bad transcript will be a transcript which has too many collisions in the output. And actually it's quite easy that collisions are slightly more likely for the Davis-Mayer construction than for a random function. So in a second part of the proof we need to show that actually it's not too less likely than for a random function. So what we need to do is simply a counterargument for lower bounding the number of pair of permutations in the C prime piece again that yield a given good transcript. So I don't have time to enter into the details but it's just quite a simple counterargument. And doing this we prove security up to two and over three queries. So actually I'm not sure about what is the exact security of this construction. If we try to find an attack I can't see any attack which uses less than two to the end queries. In fact, if you look at all you could... I mean the statistics of the outputs of Davis-Mayer seems quite close to the statistics of a random function. And once you encrypt it you just simply cannot make the standard attack on Davis-Mayer and basically you cannot do much more. So maybe it's secure up to two to the end queries but we don't have a proof yet. Another problem now... This was just for the non-spot of the construction but we do have now to handle also the message part. And the problem is that the message and the encrypted Davis-Mayer construction are kind of intermingled which means that we cannot use the PRF security of this part and use it in a black box way to prove the security of the entire match. And actually this is what makes the security proof a bit painful. Actually the PRF security is quite easy to prove but once you need to take into account this message here it becomes a bit of a mess. And the full proof needs to handle in particular the verification queries directly but usually for Begman-Cater's Mac you can first kind of prove that the tags are random and then build on this to prove that verification queries will always fail. Here you cannot exactly do this because of this in the middle of the construction. And in fact to do this we recast the forgery... The easiest way is to recast the forgery experiment as a distinguishing experiment between the real oracles and a pair of oracles where the first one is always completely random and the second one is always reject. So actually we prove a bit more that it seems to be easier at least using the hash coefficients technique. So again we use the hash coefficients technique to prove the full result. So time to conclude. So we propose this new construction which is the interesting feature of this construction is that the auto encryption layer here turns that to be twice useful. First this is this encryption layer here which provides burst-debound non-special resistance and this is also this encryption layer here which provides non-respecting beyond burst-debound security when combined with this cheap feed-forward of the nonce. So maybe there is a lesson to learn here which is usually when you have a construction which is non-special resistance maybe you don't have to work too much to make it beyond burst-desecure when non-ceases do not repeat. Not sure it's a general rule but at least we have seen two examples this morning. And a final observation is that if you have an existing Wegman-Cattermark implementation which is just this part without the feed-forward this new construction is easy to implement in a black-backed way from your implementation you just have to XOR your nonce and re-encrypt it and that's it. And to finish some open problems so as I said we only prove security up to 2 to the 2n over 3 mac queries we don't have any matching attacks so maybe the security is even better than that. Another interesting problem is what happens if you use the same key for the two black cipher calls here. So for now we have analyzed only the security of the PRF which turns out to be also 2 to the 2n over 3 but we have problems with the message part for now. So the Mac is secure when you use the same keys here. And finally something which in practice is often used is what happens if you truncate your tag here what is the effect on security we haven't investigated this for now. That's it, thank you for listening. Thank you very much.