The paper which he submitted and which was accepted in ToSC 2019, and he proposed the construction of a variant of PMAC. We identified a flaw in the security proof of the construction, and we also posed an equivalent problem which is to be solved in order to settle the claim in the paper. Secondly, we have shown a length-independent security bound for simplified PMAC, or SPMAC, with a weaker notion of security for the hash function. Thirdly, we have proposed a variant of PMAC1, which we name PMAC2, and we show that it achieves length-free security.

To begin with, let us see the comparison table. In the comparative table here we can see that there is something called PMAC3 and something called nPMAC. nPMAC is nothing but the variant of PMAC which we have just mentioned; it is called nPMAC, and PMAC3 is the new variant of PMAC which Naito proposed after we pointed out the flaw in nPMAC. But if we consider the number of masking keys, we see that our construction PMAC2 in this paper is an improvement over PMAC3 and also over PMAC1, because it achieves a length-free security bound and the number of masking keys is minimal here. So this is the table of comparison.

Now this is the pictorial view of the simplified PMAC, or SPMAC. Here the message blocks are XORed with the tau outputs; the tau outputs are just the masking values, so the i-th message block m_i is XORed with the i-th masking value and fed into the block cipher, the permutation pi. After we collect all the outputs of these block ciphers we just XOR them, the last block is also XORed here, and this is fed into the last block cipher pi prime, and we get the tag output. So pi and pi prime are random permutations here and tau is the masking function.

So let us see what the popular PMAC variants are that we get from SPMAC. First of all, the original PMAC is where the Gray-code-based masking is used; next PMAC1, where the power of 2 is used as masking; and in the case of nPMAC, the PMAC construction that Naito proposed, something called two-powering-up masking is used as the masking function. So precisely, mathematically, this is the expression of the masking values: tau_i is just 2 to the power i times pi of 0, and this is the masking for PMAC1. For nPMAC this is the two-powering-up masking, and we see the reason behind the name: this is one power of 2 and this is another power of 2, and these two powers are first multiplied with L1 and L2, fixed values, and then they are XORed to get the final masking values.

So let us come to the analysis of nPMAC. Here the most important claim that Naito has used in the paper is this claim: he claims that these two equations are linearly independent given that the set {a, b} is not equal to the set {c, d}. What are alpha, beta, gamma, delta? Alpha is just 2 to the power a, beta is 2 to the power b, gamma is 2 to the power c and delta is 2 to the power d. So if we consider these two equations, these are linearly independent, as Naito claims, but we show that this claim is wrong. This slide explains why. The condition of linear dependence is equivalent to the condition stated in the green box, but according to Naito, the fact stated in the red box is the equivalent condition of linear dependence. But this is not true; it is true only if c2 is equal to c1. What is c2? Let us just see: this is c1 and this is c2. So if c2 is equal to c1 then Naito's claim is okay, otherwise it is wrong. So now we see that from the green box we get this equation also. Let us just see one more time: from this green box, from the condition of linear dependence, we can arrive at this equation. So we show a counterexample here for the Galois field of order 16. We first define the multiplication by this polynomial, and if we take a, b, c, d as these values, we see that this satisfies this equation; that means these two equations generated by a, b, c, d are linearly dependent. But if we calculate the c2 value and the c1 value, we see that c2 is not equal to c1. So this does not happen, a equal to b equal to c equal to d; we can see directly from here that a is not equal to b or b is not equal to c. Okay, so this is a counterexample to the claim in Naito's paper for nPMAC, as we name it.

So now, what is the equivalent problem that we pose here? We pose that, to resolve the difficulty, what we need to solve in order to fix the error in the proof is to bound the number of (a, b, c, d) such that this happens. Just recall that alpha is nothing but 2 to the power a, beta is nothing but 2 to the power b, gamma is nothing but 2 to the power c and delta is nothing but 2 to the power d. So we have to bound the number of (a, b, c, d) such that this happens, and this is the crux problem of the paper if we want to show the security bound of the construction. This is the crux problem, and this is the equivalent form of the crux problem.

So now let us come to SPMAC. Here we define the concept of a two-wise AXU (almost XOR universal) hash function. How is it defined? First we define an event called A; A is just this event. And then we define another event B. This row is just used for defining the events, and this is the actual definition of two-wise AXU. What it means is that the probability of A, where the probability is calculated over the key K, is less than or equal to epsilon, and the probability of A and B is less than or equal to epsilon squared. So the probability of A is less than or equal to epsilon, and the probability of A and B, this joint event, is less than or equal to epsilon squared, the probability being taken over K. So if the hash function satisfies this equation, then the hash is called an epsilon two-wise AXU hash.

So this is an interesting observation about the security notion we have just defined. We see that, first of all, this is a weaker definition than the four-wise independence of hash functions as Gaži et al. defined in their paper. We easily see that any four-wise independent hash function is epsilon two-wise AXU, where epsilon is 1 over 2 to the power n. So this notion of two-wise AXU is weaker than four-wise independence. But next we show that the converse is not true; that means that there is some function, for example this tau_i, where three powers of two are used (this is actually called the three-powering-up mask and it is used in the PMAC2 paper by Naito), such that this masking function is two-wise AXU but not four-wise independent. So the concept of two-wise AXU is strictly weaker than four-wise independence. What it means, we will see later; in the end we will show what we actually gain. There was previously a result for four-wise independent hash functions that SPMAC achieves a length-free birthday bound; here we show that for two-wise AXU also, that is, for a strictly weaker notion than a four-wise independent hash function, we get a similar bound. So this is an improvement over that result.

So here is a brief schema of the proof for SPMAC. First of all, we define an input collision graph for any two messages m and m'. The set of vertices is just (m, 1) to (m, l_m), together with the elements (m', 1) to (m', l_m'), and an edge is formed between (m, a) and (m', a') if the block cipher inputs in these positions collide; if the block cipher input collides, then an edge is formed between these two vertices. So this is the definition of the edges and the vertices of the graph.

After that we define cross-cancelling masking. When the induced graph is evenly partitioned, the masking for which it happens is called a cross-cancelling masking. Evenly partitioned means that, if you consider the components, every component has even size; then we call the graph evenly partitioned. After that we define a covering collection of edges, which is defined for evenly partitioned graphs, and the main lemma that we prove here actually gives a relation between the cross-cancelling masking and the covering edges: it bounds the cross-cancellation probability by the probability of forming covering edges. Finally we show that the advantage is this, and this is an L-free bound; if we just look a bit deeper and calculate a bit, you see that this is an L-free security bound.

So now for PMAC2: this is the pictorial view of PMAC2. First we get L; L is just the pi output of zero, and L is used in the masking, together with alpha. This alpha value, alpha, is just a primitive element of the field; alpha is multiplied here, in these places in the construction, and after getting all these things done we get the tag output T. So we see that PMAC2 is actually Hash-then-PRP. Why? Because this part can be seen as a hash part and this is a PRP, so the message is fed into the hash part, the output of the hash part is fed into the PRP, and we get the final tag T. So for PMAC2 the problem becomes simpler, because PMAC2 can be dealt with as Hash-then-PRP.

So the proof idea of PMAC2: if we look at the proof idea, first we define a generalization of the cross-cancellation probability for more than two messages; the generalization is defined as theta prime. Similarly, the probability of collision for more than two hash outputs is defined as the coll function, coll of m_1 to m_q. Here we see the most important result: the coll value is less than or equal to the theta prime value plus something, and also, from the Hash-then-PRP result, we can state that the advantage of PMAC2 is less than or equal to coll plus something. So if we consider these two inequalities together, we can see that the advantage depends only on theta prime, so the main task is to bound the theta prime part.

So finally we get that the collision probability is less than or equal to q squared plus sigma by 2, over 2 to the power n, plus mu, where mu is something which depends on the range of l. We see here that mu is q over 2 to the power n/2 if l is less than or equal to 2 to the power n/4, and mu is sigma to the power 1.5 over 2 to the power n if l is greater than 2 to the power n/4 and less than or equal to 2 to the power n minus 2. If we simplify this, we see that the main gist of this inequality is that we get a length-free bound for l less than or equal to 2 to the power n/4, and we also get a length-free bound for l greater than 2 to the power n/4 and less than 2 to the power n minus 2 when sigma is less than 2 to the power 2n/3. So with this extra condition we retain the length-freeness of the security bound for messages of length more than 2 to the power n/4. So this is the final result for PMAC2.

So this is a summary, or conclusion, of all the results that we have in the paper. First of all, we have shown that the proof in Naito's paper is wrong, but we don't know whether any proof exists or not, so it is still an open problem to prove or disprove the security bound as claimed in Naito's paper in ToSC 2019. Secondly, for SPMAC, it had length-free birthday-bound security for four-wise independent hash functions, but in this paper we show a similar result for a weaker notion of security for the hash function, which is called the epsilon two-wise AXU hash function; so this is an improvement in terms of the security notion of the hash function. And lastly, we propose a variant of PMAC1, which we name PMAC2, and we show that it achieves the length-free security bound whenever l, the highest length of the messages, is less than or equal to 2 to the power n/4. So these are all the things that we have done in the paper, and we thank everyone for listening and watching the presentation. Thank you very much.
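As an added illustration that is not part of the talk or of the paper it presents: a Python model of the SPMAC structure described above (masked blocks through pi, outputs XORed together, last block XORed in, final permutation pi') with the PMAC1 masking tau_i = 2^i * pi(0), together with the input-collision-graph edge computation from the proof sketch, evaluated from the proof's point of view where L = pi(0) is known. Everything beyond the talk's own description is an assumption: the field is GF(2^128) with the polynomial x^128 + x^7 + x^2 + x + 1, pi and pi' are stood in for by a toy SHA-256 Feistel permutation (a keyed bijection, not a secure block cipher), an empty or incomplete last block gets 10* padding, only the masked (non-final) blocks are vertices of the graph, and the function names and keys are constructed for this example.

```python
import hashlib

# Added illustration, not the paper's or the talk's code.
BLOCK = 16                 # n = 128 bits
MASK128 = (1 << 128) - 1
REDUCTION = 0x87           # x^128 + x^7 + x^2 + x + 1 (assumed field polynomial)


def gf_double(x: int) -> int:
    """Multiply x by 2 (the element 'x') in GF(2^128)."""
    x <<= 1
    if x >> 128:
        x = (x & MASK128) ^ REDUCTION
    return x


def toy_perm(key: bytes, block: bytes) -> bytes:
    """Toy keyed permutation standing in for pi / pi': a 4-round Feistel
    network with SHA-256 round functions. Bijective for every key, which is
    all the structural demo needs; it is NOT a secure block cipher."""
    assert len(block) == BLOCK
    left, right = block[:8], block[8:]
    for rnd in range(4):
        f = hashlib.sha256(key + bytes([rnd]) + right).digest()[:8]
        left, right = right, bytes(a ^ b for a, b in zip(left, f))
    return left + right


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def pad_blocks(msg: bytes) -> list:
    """Split into 16-byte blocks; an empty or incomplete last block gets
    10* padding (assumption: the talk does not fix the padding rule)."""
    if len(msg) == 0 or len(msg) % BLOCK:
        msg += b"\x80" + b"\x00" * ((-len(msg) - 1) % BLOCK)
    return [msg[i:i + BLOCK] for i in range(0, len(msg), BLOCK)]


def masks(L: int, count: int) -> list:
    """PMAC1 masking: tau_i = 2^i * L for i = 1..count, as 16-byte strings."""
    out, cur = [], L
    for _ in range(count):
        cur = gf_double(cur)
        out.append(cur.to_bytes(BLOCK, "big"))
    return out


def spmac_tag(key_pi: bytes, key_pi2: bytes, msg: bytes) -> bytes:
    """SPMAC: XOR together pi(m_i xor tau_i) for every block but the last,
    XOR in the last block, and pass the sum through pi'."""
    blocks = pad_blocks(msg)
    L = int.from_bytes(toy_perm(key_pi, bytes(BLOCK)), "big")  # L = pi(0)
    sigma = bytes(BLOCK)
    for m_i, tau_i in zip(blocks[:-1], masks(L, len(blocks) - 1)):
        sigma = xor(sigma, toy_perm(key_pi, xor(m_i, tau_i)))
    return toy_perm(key_pi2, xor(sigma, blocks[-1]))


def input_collision_edges(L: int, m: bytes, m2: bytes) -> list:
    """Edges (i, j) of the input collision graph: the block-cipher input
    m_i xor tau_i of message m equals the input m'_j xor tau_j of m'.
    Only the masked blocks are vertices here (assumption)."""
    b1, b2 = pad_blocks(m), pad_blocks(m2)
    in1 = [xor(b, t) for b, t in zip(b1, masks(L, len(b1) - 1))]
    in2 = [xor(b, t) for b, t in zip(b2, masks(L, len(b2) - 1))]
    return [(i + 1, j + 1) for i, x in enumerate(in1)
            for j, y in enumerate(in2) if x == y]


def collision_demo() -> list:
    """Constructed example: with L known (the proof's view), build m' whose
    second masked block hits the block-cipher input of m's first block."""
    key = b"constructed-key-for-pi"
    L = int.from_bytes(toy_perm(key, bytes(BLOCK)), "big")
    tau1, tau2 = masks(L, 2)
    m1, m2, m3 = b"\x01" * BLOCK, b"\x02" * BLOCK, b"\x03" * BLOCK
    m = m1 + m2 + m3
    m_prime = m1 + xor(xor(m1, tau1), tau2) + m3   # m'_2 xor tau_2 == m_1 xor tau_1
    return input_collision_edges(L, m, m_prime)


if __name__ == "__main__":
    k1, k2 = b"constructed-key-for-pi", b"constructed-key-for-pi-prime"
    print(spmac_tag(k1, k2, b"constructed message of a few blocks").hex())
    print(collision_demo())   # contains (1, 1) and (1, 2)
```

The edge list returned by `collision_demo` is exactly the object the proof sketch reasons about: vertex (m, 1) is joined to both (m', 1) and (m', 2), so that component has three vertices and the graph is not evenly partitioned for this pair of messages. Swapping `masks` for a Gray-code or two-powering-up schedule changes only that one function; the tag computation and the graph construction stay the same.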