Thanks for the introduction. So I'm Kazuhiko Minematsu from NEC Corporation, and this is joint work with Tetsu Iwata from Nagoya University, Thomas Peyrin from NTU and Yannick Seurin from ANSSI. So let me start with the very basic thing, the MAC function. This is the symmetric-key crypto for tampering detection, and the main component is the MAC function, taking the key and the message, which is of variable length, and producing a tag of fixed length. In the typical usage scenario, the sender computes the tag as the output of the MAC function taking the key and M here, and sends the pair of the message and the tag to Bob. And Bob checks if this pair is correct or not by computing the tag locally and checking if the received tag is consistent with the locally computed tag. And it is known that if the MAC function is a variable-input-length pseudorandom function, this MAC protocol is secure.

So the main component of our construction is a tweakable block cipher, TBC, which is an extension of the ordinary block cipher introduced by Liskov et al. in 2002. And the difference from the ordinary block cipher is that there is an additional input called the tweak, which can be public, and the pair of the key and the tweak specifies the permutation over the message space. In this talk I assume that the message is of n bits and the tweak is always t bits, but here we also implicitly assume that there is an additional small tweak, represented as a small positive integer i, mainly used for domain separation. I mean, we need to produce some independent instances of the TBC, and I write it as shown here when necessary. So how to build a TBC? There are some well-known block cipher modes such as LRW and XEX, and they are relatively efficient because they only require one block cipher call to perform one TBC encryption, but the security is also up to the birthday bound with respect to the block length. 
Therefore, if AES is used, only a data complexity of 2^64 is needed for an attack; we can break it with this complexity. There are some modes that achieve a stronger security guarantee, meaning that beyond-birthday-bound security is possible with some modes, but they are not really efficient, at least not as efficient as XEX or LRW. So the other direction is to design it from scratch, starting from the Hasty Pudding Cipher designed by Schroeppel in 1998. There are many dedicated tweakable block ciphers: Threefish in the Skein hash function, and there are multiple instances of TBCs designed as the main component in CAESAR submissions, and more recent ones, SKINNY and QARMA.

So for the security notion of a TBC, it is indistinguishability from a set of independent uniform random permutations indexed by the tweak, which I also call the tweakable uniform random permutation, TURP, denoted by P̃. And if the adversary here cannot distinguish these two worlds even under a chosen-ciphertext attack, where the tweak is also chosen, it is called a TSPRP. And if it is difficult to distinguish these two worlds, the underlying TBC is called a TPRP, okay?

So let me show several constructions for a MAC using a TBC. The first one is PMAC1, introduced by Rogaway in the proof of PMAC. The scheme is here. As you can see, this is fully parallelizable except for the final one. But the security is also up to the birthday bound with respect to the block size, again. So the maximum advantage in distinguishing PMAC1 from a pseudorandom function is up to this term, where σ denotes the maximum number of total query blocks. Therefore this has n/2-bit security. Another one is PMAC_TBC1k, introduced by Naito in 2015, which is quite similar to PMAC1 but applies a different chaining scheme, having a 2n-bit chaining scheme here. 
So this shows the message hashing part of PMAC_TBC1k, and there is another finalization step, which is essentially a 2n-bit-input pseudorandom function built from the TBC. A new feature of this scheme is that it has beyond-birthday-bound security. That is, it improves the security of PMAC1 to n bits while keeping the same computation cost as PMAC1. Okay? But these TBC-based schemes are not optimally efficient, because they process an n-bit input per TBC call. So in these schemes the internal tweakable block cipher is invoked like this one; however, the tweak of the TBC does not process the message, it is just reserved for the block index. So the simple question here is how to build an optimally efficient TBC-based MAC.

So in this talk I'd like to make two proposals: the first one is ZMAC, and the second one is ZAE. ZMAC is the first optimally efficient TBC-based MAC, namely, it processes an (n+t)-bit input for one TBC call. It is also parallel and has beyond-birthday-bound security. More specifically, the security is of this form, min(n, (n+t)/2), that is, if the tweak length is not smaller than n, it has n-bit security. And ZAE is a byproduct of ZMAC, which is an application of ZMAC to deterministic authenticated encryption, introduced by Rogaway and Shrimpton in 2006. It has better security and better efficiency than the SCT mode of operation presented at CRYPTO 2016. Both use the TBC as the sole primitive, so there are no other components like large-field multiplication, and both are provably secure if the TBC is a TPRP.

So let me explain the structure of ZMAC. This is a simple composition of message hashing and finalization, where the message hashing is called ZHASH and the finalization is called ZFIN. The output of ZHASH is always n+t bits, and ZFIN's output is 2n bits here. 
If we need a short output, we can simply cut the final output of ZFIN. And we provide a unified specification for any t. I mean, t can be equal to n, or larger or smaller than n, okay? This talk will focus on ZHASH, because this is the most innovative part of ZMAC. So to design ZHASH, the first observation is that to achieve optimal efficiency, we somehow need to extend the tweak space of the underlying tweakable block cipher, because otherwise there is no way to incorporate the information of the block index inside this computation of the hash function. And this can be done by a tweak extension scheme called XTX, which was introduced by Iwata and myself in 2015 and is an extension of LRW and XEX. So this is XTX. You can see the G here, which shows the global tweak, which has a space larger than 2^t. And there is a keyed function H_L which takes G and outputs n+t bits here. The first n-bit output is used as a mask to the input and output of the underlying TBC, and the remaining t-bit output is used as the tweak for the internal TBC. And XTX is provably secure if H has a property called partial AXU, pAXU for short. The definition here shows that only the first n-bit part is required to be differentially uniform, and the remaining t-bit part should have a small collision probability. In our case, this global tweak G consists of two parts: the first part is the message information of t bits, and the second one is the block index, represented by a positive integer. And of course the block index is a counter, because we receive the first block, the second block and so on. So with this observation, XTX can be instantiated by using the doubling trick, as popularized by XEX, and optimized by cutting the output mask here, because we do not need decryption in the MAC computation. 
So the resulting tweak extension scheme, which we call XT, uses the H_L defined by this formula, using the two n-bit keys L_l and L_r. Here you can see 2^{i-1}·L_l and 2^{i-1}·L_r, which are successive applications of the field doubling, namely the multiplication by 2 over the field GF(2^n), i-1 times. And if we need 2^i·X, the computation is easy by caching the previous value 2^{i-1}·X, as was done in XEX. For defining a unified specification, we also introduced a variant of the XOR operation, ⊕_t here, which is just a simple XOR operation, but the first argument is chopped or padded before taking the sum when t is not equal to n. So the scheme is here. And we can show that XT is also a secure tweakable block cipher if the underlying tweakable block cipher is a secure tweakable block cipher with a t-bit tweak. More formally, if the underlying TBC is perfect and H is ε-pAXU, then the security advantage is bounded by this quantity, q²·ε/2. And we observe that our H function is 1/2^{n+min(n,t)}-pAXU. Combining these two facts, we get this security bound, which shows that essentially XT has min(n, (n+t)/2)-bit security, which is beyond-birthday-bound security if t is a positive integer. So then, after we get the XT extension, it is easy to apply a PMAC-like single-chain hashing scheme like this one. The message is divided into (n+t)-bit blocks and given to the TBC with the block index, and we get the chaining value as the XOR of all outputs of XT. 
So this is apparently optimally efficient, but the security is only up to the birthday bound, because we can easily detect a collision here, a collision of the XT outputs, using 2^{n/2} queries, fixing the second block and so on and only changing the first block here. So we naturally need a larger chaining value, but if we naively used the 2n-bit chaining scheme adopted by Naito and Yasuda, the scheme would look like this one, but this also does not work, because we can still detect a collision here no matter how large the chaining value is. So the key observation here is to avoid these collision attacks; to get beyond-birthday-bound security, we need to avoid these attacks. The processing of each message block, shown by this box, must be a permutation. And we also need some other technical conditions, but this is the most important observation, and we found that this Feistel-like one-round permutation using only one XT core inside the box actually works. The resulting scheme, which I show as ZHASH in bold font, has a good collision probability. Namely, it is ε-almost universal for ε equal to 4/2^{n+min(n,t)}. So it has a beyond-birthday-bound collision probability.

So based on these observations, the full ZHASH is here. As you can see, each message is divided into (n+t)-bit blocks, and you can see here that this is XT, the tweak extension, using this Ẽ as the underlying TBC. This shows the one-round Feistel-like permutation, and here is the larger chaining having n+t bits, okay. And this is ZHASH. So we need to finalize this value to produce the MAC tag, and ZFIN just simply encrypts U and V, where U and V denote the final output of ZHASH here; U is n bits and V is t bits. And ZFIN encrypts U with tweak V twice to produce each n-bit output, so the scheme is here. 
And the PRF security of ZFIN is easily proved by previous works, because this is essentially a sum of two random permutations. Using a very recent result by Dai, Hoang and Tessaro from this year, ZFIN is proved to have n-bit security; the security bound is shown here. So combining all lemmas, here is the security bound of ZMAC, and this shows that ZMAC is actually min(n, (n+t)/2)-bit secure.

Okay, so in the remaining time, I would like to describe ZAE, deterministic authenticated encryption. As I already described, DAE is a class of authenticated encryption that has some strong security features beyond normal AE. It guarantees the standard nonce-based AE security when the associated data contains a distinct nonce at encryption, but even if the nonce is repeated or there is even no nonce, the best possible DAE security is guaranteed; only the repetition of the plaintext is leaked. From this feature, it is also called misuse-resistant AE. For building ZAE, following the previous works, we follow the generic SIV construction, which requires a PRF taking the associated data and the plaintext M to produce the tag here, and we also need an IV-based encryption taking the tag as an IV to perform the encryption. The scheme is here. We instantiate the PRF by ZMAC with an input encoding for the vector input of A and M, associated data and message. And the IV-based encryption is instantiated by a variant of the encryption mode called IVCTRT introduced by Peyrin and Seurin in 2016. The scheme is like this one. The security proof of ZAE is easy to get from the previous security bound of ZMAC and those of SIV and IVCTRT. The bound is here, which is better than the SCT mode of operation, which has n/2-bit DAE security. So for example, ZAE with tweak length equal to n has n-bit DAE security. 
Okay, for the efficiency of ZAE, I mean how many input bits can be processed by one TBC call inside ZAE, it is n(n+t)/(2n+t). This looks somewhat strange, but this is because the IVCTRT mode of operation processes an n-bit input for one TBC call. And this figure is always better than SCT, whose figure is n/2 bits, because SCT uses PMAC1 for the MAC function. For example, the efficiency of ZAE is 2n/3 bits when t equals n, and when t equals 2n it is 3n/4. We also instantiated ZMAC and ZAE using dedicated existing TBCs, and we chose Deoxys-BC and SKINNY. Deoxys-BC is the TBC in the CAESAR candidate Deoxys, which is essentially AES-based, and AES-NI can be used to have a very fast implementation on modern Intel and AMD platforms. And SKINNY is a lightweight 64- or 128-bit block TBC introduced at CRYPTO last year. We already have the TBC performance with random tweaks, and estimated the performance of ZMAC and ZAE from this performance of the underlying TBC. For example, on Intel Skylake using AES-NI, Deoxys-BC-256 ZMAC runs at 1.61 and ZAE runs at 1.48 cycles per byte, and it shows some 20 to 30 percent gain over the MAC or DAE modes using the same TBC. So see the paper for more details. The performance comparison, I would like to skip.

So in conclusion, in this talk we proposed ZMAC and ZAE, highly secure and fast MAC and DAE based on a TBC. And this shows the power of XEX-like masking. We already saw it in many block cipher modes like PMAC and OCB, but ZMAC shows it is also powerful in TBC modes. As future topics, we would like to consider other applications such as nonce-based AE, and achieving even stronger security notions is also an interesting direction. Okay, thanks for your attention.
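As an added worked example, not code from the talk or from the ZMAC paper, the following Python sketch reconstructs the ZHASH data flow the speaker describes: XT masking with cached field doubling of L_l and L_r, the ⊕_t chop-or-pad XOR, one Feistel-like round with a single core call per (n+t)-bit block, the (n+t)-bit chaining value (U, V), and ZFIN encrypting U under tweak V twice. It assumes n = t = 128, stands in a hash-based PRF for the real TBC (not a permutation, so none of the talk's security claims transfer), omits message padding, and the domain indices and the derivation of L_l and L_r are this example's assumptions rather than the paper's specification.

```python
import hashlib
N_BITS, T_BITS = 128, 128        # block length n and tweak length t (assumed: t = n)
NB, TB = N_BITS // 8, T_BITS // 8

def tbc(key: bytes, dom: int, tweak: bytes, x: bytes) -> bytes:
    """Placeholder for E~_K^{(dom, tweak)}(x): a hash-based PRF stand-in, NOT a real
    tweakable block cipher (it is not even a permutation); it only makes ZHASH run."""
    assert len(x) == NB and len(tweak) == TB
    return hashlib.sha256(key + bytes([dom]) + tweak + x).digest()[:NB]

def double(x: bytes) -> bytes:
    """Field doubling in GF(2^128), i.e. multiplication by 2 (XEX-style mask update)."""
    v = int.from_bytes(x, "big") << 1
    if v >> N_BITS:                      # reduce modulo x^128 + x^7 + x^2 + x + 1
        v = (v ^ 0x87) & ((1 << N_BITS) - 1)
    return v.to_bytes(NB, "big")

xor = lambda a, b: bytes(p ^ q for p, q in zip(a, b))   # XOR of equal-length strings

def xor_t(a_n: bytes, b_t: bytes) -> bytes:
    """a (+)_t b: the n-bit first argument is chopped or zero-padded to t bits first."""
    a_t = a_n[:TB] if TB <= NB else a_n + bytes(TB - NB)
    return xor(a_t, b_t)

def zhash(key: bytes, msg: bytes) -> tuple:
    """ZHASH as described in the talk: (n+t)-bit blocks, XT masks 2^{i-1} L_l / L_r,
    one Feistel-like round per block, (n+t)-bit chaining value (U, V)."""
    blk = NB + TB
    assert msg and len(msg) % blk == 0, "full (n+t)-bit blocks only; padding omitted"
    # mask keys L_l, L_r from the TBC under a separate domain (assumed derivation)
    ll = tbc(key, 9, bytes(TB), bytes(NB))
    lr = tbc(key, 9, bytes([1]) + bytes(TB - 1), bytes(NB))
    u, v = bytes(NB), bytes(TB)
    for i in range(len(msg) // blk):
        xl, xr = msg[i * blk:i * blk + NB], msg[i * blk + NB:(i + 1) * blk]
        xl = xor(xl, ll)                 # n-bit half masked by 2^{i-1} L_l
        xr = xor_t(lr, xr)               # t-bit half, masked, becomes the extended tweak
        cl = tbc(key, 8, xr, xl)         # the single XT core call of this block
        cr = xor_t(cl, xr)               # Feistel-like round: tweak half XORed with output
        u, v = xor(u, cl), xor(v, cr)    # (n+t)-bit chaining
        ll, lr = double(ll), double(lr)  # next block's masks from the cached values
    return u, v

def zfin(key: bytes, u: bytes, v: bytes) -> bytes:
    """ZFIN: encrypt U under tweak V twice (two domains) to get a 2n-bit output."""
    return tbc(key, 10, v, u) + tbc(key, 11, v, u)

def zmac(key: bytes, msg: bytes, taglen: int = 2 * NB) -> bytes:
    u, v = zhash(key, msg)
    return zfin(key, u, v)[:taglen]      # a shorter tag is just a truncation
```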