 Hello, my name is Alder Gunsing and this is my presentation about block-cypher-based tree-ashing. So a hash function is a function that mobs maps an input of arbitrary length to a fixed length output. And there are multiple security notions for hash functions. So common one is the notion of collision resistance, which means that it should be difficult to find two different inputs that map to the same output. But there are also stronger notion required. So one is that it should basically behave like a random oracle so that all outputs are uniformly random and also independent from each other. And this notion is formalized as indifferentiability by Maurer and others, and also specified for hashing by Koron and others. And hashing modes are always built on top of a smaller compression function F, which is often assumed to be ideal. However, such ideal compression functions cannot be built directly. So they have to be built on top of another building block. And the common one is a block-cypher. And there's a popular Dave's Maya construction, which transforms a block-cypher to a compression function using a feed-forward. However, this construction is not indifferentiable from an ideal compression function. So we need dedicated analysis using the block-cypher as an assumption. And this is what Damon and others did for hashing, where they tried to find sufficient conditions for such constructions and also some other. However, it turns out that the paper contains an error and also proves some faulty constructions secure, as was pointed out by Samuel Neves. And in an errata, I provide a quick fix by having an additional condition, which requires also sufficient truncation. However, a more slow look reveals that the error is actually some more fundamental about the indifferentiability setting. It's actually a more fundamental flaw that ignores a major part between the interaction between the construction and primitive oracles in the indifferentiability setting. And this same reasoning is actually present in also many other indifferentiability papers. So two others are also based on hashing, and also four are about the sum of permutations. And this is actually also all the papers that are about the indifferentiability of the sum of permutations. But the flawed reasoning does hold in the sequential indifferentiability setting, where the primitive queries have to be made before the construction queries. So the results can be downgraded to this weaker setting, so we still have some positive results. And in the case of hashing, we had the errata that requires sufficient truncation. But this is not that great of a fix as not all modes can apply this. So in this work, we consider three other finalization options. So the first one is truncation again, but then also with some interesting variations. The second one is an enveloped finalization, which is a generalization from enveloped mercredonkart. And the third one is a feedforward. And the major application is the Blake-3, which is a recent block-cypher-based through hashing mode. And that's an interesting, some interesting properties. One is that the extendable output uses a counter. So for the first output block, the counter is equal to zero. For the second one, it sets counter to one and so on. And it turns out that it has an interesting property, namely that if you know a message and a hash output, but not the offset T, that you can actually compute that offset directly or ideally, that would only be possible by brute force. And that's a consequence. You cannot really rely on the accuracy of this offset T, which is not ideal behavior. But in practice, it's not that big of a problem. So that's the end of my presentation. Thank you for your attention.