Hi everyone, my name is Tetsu Iwata and I will present our work on ZOCB and ZOTR. This is a joint work with Zhenzhen Bao, Jian Guo, and Kazuhiko Minematsu.

This is an overview. We will present ZOCB and ZOTR. These are nonce-based authenticated encryption schemes with associated data, and they use a tweakable block cipher as the underlying primitive. They fully utilize the input of the TBC to process a plaintext and associated data. This property is often called full absorption, and they reduce the number of primitive calls of ΘCB3 and OTR. We will see that they have a unique design feature: an authentication tag is independent of a part of the AD.

This is the outline of this presentation. We start with the background, and we will present our schemes ZOCB and ZOTR. Then we will discuss instantiation and implementation. In the instantiation, we will propose a tweakable block cipher called TAES. And then we will conclude.

So let's start with the background. This talk is about nonce-based authenticated encryption with associated data, or AEAD. This is used for privacy and authenticity of plaintexts and for authenticity of associated data, or AD. So the encryption takes a nonce N, AD A, and the plaintext M as input, and returns a ciphertext C and a tag T. The decryption takes N, A, C, and T as input, and returns the plaintext M or the reject symbol.

There are various design approaches. There are dedicated designs. One can design based on a block cipher, a tweakable block cipher, a cryptographic permutation, or a pseudorandom function. We are interested in the design based on a tweakable block cipher. Now, ΘCB3 is probably the most well-known AEAD scheme based on a tweakable block cipher. It was not proposed as a standalone AEAD mode of tweakable block ciphers, but it was introduced as an abstraction of OCB3 for its security proof. But it is employed in many proposals for its strong features. For instance, it has a strong provable security result.
And it is fully parallelizable, meaning that all the tweakable block cipher calls can be made in parallel. So let's see how it works. E_K is a tweakable block cipher, and it takes a counter and the nonce as the tweak input. S is the checksum of the plaintext, and there is a separate process for AD. This authentication value is XORed in here to produce the final tag. So we see that the process for the plaintext and that for the AD are separated. The question we ask is whether we can efficiently integrate these processes. This is a natural question, because it was explored for sponge-based and pseudorandom-function-based schemes.

The i-th plaintext block in ΘCB3 is processed in this way. The natural idea is to use the tweak input to process the i-th AD block in this way, to fully utilize the input of the tweakable block cipher and to achieve full absorption. However, if we do this, there is no place to maintain a counter, and we lose the dependency on the nonce. To overcome these issues, we rely on masks for the counter and nonce, as in this figure. Alpha and beta are obtained by encrypting the nonce, and the counter is realized with a doubling operation. Now this can be abstracted like this figure, where this big tweakable block cipher E tilde takes a nonce, a counter, and the i-th AD block as the tweak input.

With this big tweakable block cipher E tilde, we can design an AEAD scheme that we call IZOCB. E tilde takes a nonce, a counter, and the AD block as the tweak input, and we also have domain separation. This illustrates the case for a plaintext of three blocks and AD of less than three blocks. S is the checksum, which is the XOR of all the plaintext blocks. We see that there is no separate process for AD. We hope that IZOCB is secure, and in fact, the privacy is fine from the uniqueness of the nonce and counter. However, for authenticity, we see that this S only depends on the plaintext, and the tag is independent of A1 and A2.
So changing A1 and A2 doesn't contribute to the tag. So at first glance, it doesn't seem to provide authenticity. However, when we decrypt N, A, C, and T, the computed tag that is compared with the received tag depends on the entire AD. For instance, when we decrypt C1 by using A1, this M1 depends on A1, and we see that the checksum also depends on A1. We can make a similar observation for the other blocks, and we can in fact show that IZOCB works, and it provides authenticity.

ZOCB is obtained from IZOCB by instantiating the big tweakable block cipher E tilde with a tweakable block cipher E. Then we obtain ZOCB. Alpha is used as the input and output masks, and beta is used as the input mask for the tweak. They are obtained by encrypting the nonce, and we keep doubling the masks in order to realize the counter. This illustrates the case for a plaintext of three blocks and AD of less than three blocks. We see that there is no separate process for AD, and the process of AD is fully integrated into the process of the plaintext. But if the AD is long and cannot be absorbed into the process of the plaintext, then we will need a separate process for it.

About the provable security results, we follow the standard security notions of nonce-based AEAD schemes. For privacy, we consider indistinguishability from random bits under chosen plaintext attacks. For authenticity, we consider unforgeability under chosen ciphertext attacks. In both cases, we consider nonce-respecting adversaries only. So let's assume that we use a tweakable block cipher with t-bit tweaks and n-bit blocks. Then we can prove these theorems on privacy and authenticity. We will not explain the details of the parameters here, but these results show that ZOCB has full n-bit security when the tweak length is at least the block length.

Let's move on to ZOTR. OTR is an AEAD scheme based on a block cipher with all the features of OCB3.
And it does not use the decryption of the block cipher, by making use of a two-round Feistel network. This OTR, written in a nice font, is the TBC-based counterpart of OTR. It has a separate process for AD, and it makes the same number of primitive calls as ΘCB3. We can integrate the process of AD into the process of the plaintext. This figure describes IZOTR. I will not explain the details, but it uses a two-round Feistel network with the large tweakable block cipher E tilde. A1 is here, A2 is here, A3 is here, and so on. We see that the process of AD is integrated into the process of the plaintext. This figure shows ZOTR, which is obtained from IZOTR by instantiating the big tweakable block cipher E tilde with a tweakable block cipher E. The instantiation is slightly simpler than the case of ZOCB, because the decryption of the tweakable block cipher is not involved. The provable security result is similar to the result for ZOCB. We can prove these theorems, which say that ZOTR also has full n-bit security when the tweak length is at least the block length.

Now let me compare ZOCB and ZOTR to the most relevant schemes. This column shows the primitive, and this column shows the number of primitive calls. This shows whether the inverse of the primitive is needed, and this shows the parallelizability. The number of primitive calls is for an-bit AD and mn-bit plaintext, where we assume that the block length is the same as the tweak length, and we ignore the constant number of primitive calls. We see that in ZOCB and ZOTR, we can entirely remove the primitive calls needed to process the AD if a is less than m. Even if a is greater than m, we can reduce the number of primitive calls. The number of primitive calls was not reduced without cost. The use of a mask requires a doubling operation, the tweak doesn't behave like a counter, and updating the tweak can add a computational cost. So if the AD is short, then ZOCB and ZOTR can be slower if the cost for doubling is larger than the efficiency gain.
In order to see the practical efficiency gain, we instantiate and implement ZOCB and ZOTR. So we will present our instantiation and implementation results. For instantiation, we propose tweakable AES, or TAES, which is a tweakable block cipher with a 128-bit block, 128-bit keys, and 128-bit tweaks. This is obtained from AES-256, where the concatenation of the key and tweak is used as the AES-256 key. We have AES-256 here, where it takes a 256-bit key as the input, and we place the TAES key in the first part of the AES-256 key. The remaining part is used as the tweak, so that the key is used as the whitening key. This is a simple tweakable block cipher, and we claim 128-bit security of TAES in the single-key setting. We remark that the previous related-key attacks against AES-256 cannot be directly applied, and we use TAES as the underlying primitive.

So this is one of our implementation results, showing results of ΘCB3 and ZOCB, where TAES is used as the underlying TBC, and we used this Skylake family of CPU in our implementation. This graph shows the absolute speed of ZOCB in cycles per byte; this axis shows the length of the AD, and this axis shows the length of the plaintext. From the graph, we can see that in the fastest case, ZOCB reaches a speed of about 1.46 cycles per byte. This graph shows the ratio of the speed between ZOCB and TAES-ΘCB3. The blue area here shows the area where ZOCB is faster than TAES-ΘCB3, and we see that if the input length is long and the plaintext length is longer than the AD length, then ZOCB performs better than TAES-ΘCB3. These graphs show the results of ΘCB3 and ZOTR, where we again use TAES as the underlying TBC, and this time we use this Haswell family of CPU in our implementation. This graph shows the absolute speed of ZOTR, and in the fastest case, ZOTR reaches a speed of about 2.33 cycles per byte.
From this graph, we have a similar observation to before, meaning that if the input length is long and the plaintext length is longer than the AD length, then ZOTR performs better than TAES-ΘCB3. We also used SKINNY as the underlying TBC, and implemented SKINNY-ZOCB, SKINNY-ZOTR, and SKINNY-ΘCB3. The source code, raw data, and the graphs are all available from this URL.

The observation we make here is that for short input data, where the AD length is at most about 500 bytes, or the AD length is less than 12% of the plaintext length, ZOCB and ZOTR do not perform better than TAES-ΘCB3. On the other hand, if the AD length is long enough and the AD length is longer than 12% of the plaintext length, then ZOCB and ZOTR are faster than TAES-ΘCB3. With sufficiently long input, with the AD length longer than 12% of the plaintext length, the performance gain is about 40%, meaning that they are about 1.7 times faster than TAES-ΘCB3. Similar observations hold if we use SKINNY as the underlying TBC.

Now let me conclude. In this work, we designed ZOCB and ZOTR, and they reduce the number of primitive calls of ΘCB3 and OTR. We presented provable security results and software implementation results. As future directions and open questions, designing a dedicated tweakable block cipher with a large tweak space and with efficient tweak update is useful in many applications, including ZOCB and ZOTR. A detailed security analysis of TAES remains open. We think applying the design approach here to other TBC-based constructions would be interesting, including tweakable enciphering schemes, robust AE schemes, or online AE schemes. This is the end of this presentation, and thank you for watching.
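As an added illustration (not code from the talk or from the paper) of the design feature described above: an IZOCB-style mode in which the big TBC E tilde takes (nonce, counter, AD block) as its tweak, the tag is computed from the plaintext checksum S only, and decrypting under altered AD changes the recovered plaintext blocks and therefore the recomputed tag. The TBC is a constructed toy (a 4-round Feistel network with HMAC-SHA256 as the round function), and the 32-byte block, the tweak encoding, the zero padding of AD blocks and the domain-separation byte are assumptions of this example, not the paper's ZOCB specification.

```python
import hmac, hashlib

BLOCK, HALF = 32, 16   # toy block size in bytes (assumption of this example)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

# Constructed toy TBC standing in for the big E tilde: a 4-round Feistel whose
# round function is HMAC-SHA256 keyed by K over (round index || tweak || half block).
# It is invertible, which IZOCB needs because decryption uses the TBC inverse.
def _round(key, tweak, i, half):
    return hmac.new(key, bytes([i]) + tweak + half, hashlib.sha256).digest()[:HALF]

def tbc_enc(key, tweak, x):
    l, r = x[:HALF], x[HALF:]
    for i in range(4):
        l, r = r, xor(l, _round(key, tweak, i, r))
    return l + r

def tbc_dec(key, tweak, y):
    l, r = y[:HALF], y[HALF:]
    for i in reversed(range(4)):
        l, r = xor(r, _round(key, tweak, i, l)), l
    return l + r

def make_tweak(nonce, ctr, ad_block, domain):
    # nonce || counter || AD block (zero-padded, at most BLOCK bytes) || domain byte
    return nonce + ctr.to_bytes(4, "big") + ad_block.ljust(BLOCK, b"\0") + bytes([domain])

def encrypt(key, nonce, ad_blocks, msg_blocks):
    # short-AD case of the talk: each AD block rides in the tweak of one plaintext block
    ad = ad_blocks + [b""] * (len(msg_blocks) - len(ad_blocks))
    checksum, c = bytes(BLOCK), []
    for i, (a, m) in enumerate(zip(ad, msg_blocks), 1):
        c.append(tbc_enc(key, make_tweak(nonce, i, a, 0), m))
        checksum = xor(checksum, m)   # S = XOR of plaintext blocks only, no AD
    return c, tbc_enc(key, make_tweak(nonce, len(msg_blocks) + 1, b"", 1), checksum)

def decrypt(key, nonce, ad_blocks, c_blocks, tag):
    ad = ad_blocks + [b""] * (len(c_blocks) - len(ad_blocks))
    checksum, m = bytes(BLOCK), []
    for i, (a, cb) in enumerate(zip(ad, c_blocks), 1):
        m.append(tbc_dec(key, make_tweak(nonce, i, a, 0), cb))   # M_i depends on A_i
        checksum = xor(checksum, m[-1])
    expected = tbc_enc(key, make_tweak(nonce, len(c_blocks) + 1, b"", 1), checksum)
    return m if hmac.compare_digest(expected, tag) else None

def demo(key=b"k" * 32, nonce=b"n" * 12):   # constructed sample key and nonce
    msg = [bytes([i]) * BLOCK for i in (1, 2, 3)]
    c1, t1 = encrypt(key, nonce, [b"A1", b"A2"], msg)
    c2, t2 = encrypt(key, nonce, [b"X1", b"X2"], msg)
    # same tag for different AD, different ciphertext, wrong AD rejected at decryption
    return (t1 == t2, c1 != c2, decrypt(key, nonce, [b"A1", b"A2"], c1, t1) == msg,
            decrypt(key, nonce, [b"X1", b"X2"], c1, t1) is None)
```

demo() returns (True, True, True, True): the encryption-side tag ignores the AD, yet a receiver supplying different AD recovers different plaintext blocks, so its recomputed tag mismatches and the ciphertext is rejected.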