Let's start with the first talk. It will be about the collision security of Tandem-DM in the ideal cipher model. The paper is by Jooyoung Lee, Martijn Stam, and John Steinberger, and the speaker will be Jooyoung Lee.

In this talk, I'm going to present a new collision security proof of the Tandem-DM compression function in the ideal cipher model. This is joint work with Martijn Stam and John Steinberger. And this is the Tandem-DM compression function. Here, each wire carries n-bit information. So this compression function compresses an n-bit message block by making two calls to the underlying block cipher using two n-bit keys. And this is a very old construction, proposed by Lai and Massey in 1992 at the Eurocrypt workshop. However, its security proof has been elusive for many years, for about 20 years, until the first attempt was given at FSE 2009. And the next year, its extension was proposed at the ProvSec workshop. However, in this paper, we exhibited flaws in the prior collision resistance proofs. And we also presented a novel security proof for the collision resistance of the Tandem-DM compression function in the ideal cipher model. However, in this talk, we are going to focus only on our proof technique rather than discussing the flaws of the prior proofs in detail. And we also note that our work was motivated mostly by historical interest rather than practical interest. Now our security proof is given in the ideal cipher model. So let me briefly introduce this model. In this model, an adversary is allowed two types of oracle query, an encryption query and a decryption query. And each oracle is usually simulated by lazy sampling. So in this example, the first query is an encryption query with a key K1 and the plaintext X1. And this type of query is also called a forward query. And once this oracle receives this query, its response is chosen uniformly at random from the set of n-bit strings.
Here, each key is associated with its range and domain. They are all initialized as empty sets. And once this value is sampled, it is added to this range, so later the same point is not sampled again. This is because each key has to define a distinct permutation in a block cipher. And then Y1 is returned to the adversary. Then the adversary records a triple that consists of the plaintext, the key, and the ciphertext. And the second query is a backward query, a decryption query. These are called backward queries. And its response is sampled in a similar way. And the third query is a forward query again. In this way, after making a certain number of oracle queries, say q queries, the adversary records a set of q query-response pairs. This set is called the query history. And the query history determines every evaluation of a block-cipher-based compression function. Then how does this query history determine a valid evaluation of the Tandem-DM compression function? If we have two queries of this form, where B and L and R have been shifted left twice, then the first query can be placed at the top position, and the second query can be placed at the bottom position, forming a valid evaluation of Tandem-DM that maps A, B, and L to A plus R concatenated with B plus S. Now what is the goal of an adversary? The goal of a collision-finding adversary is to find four queries satisfying these conditions. If the adversary is able to find such queries in its query history at the end of the attack, then the first query can be placed at the TL position (TL represents top left), the second query can be placed at the bottom left position, the third query can be placed at the top right position, and the fourth query can be placed at the bottom right position, forming two valid evaluations of Tandem-DM that collide. And here A, B, L are different from A prime, B prime, L prime. So we have a collision.
So the predicate Coll(Q) is said to be true if and only if such queries exist in the query history, by definition. So the probability of this predicate is exactly the same as the collision-finding advantage of an adversary. So we want to bound this probability. Actually, we want this probability to be small; we want to prove this probability is small. By the way, the four queries forming a collision might not necessarily be distinct. As an example, if we have only two queries of this form, then this query can be placed at the TL position and the BL position, and the second query placed at both the TL position and the BL position. And as long as A and B are different, we have a collision. So here, the TL and BL queries are the same, and the TL and BL queries are the same. So in this way, actually, we can classify this predicate into three types according to the equality relations between the four queries. And in this talk, we are going to focus only on the first case, where all the queries are different, because this case can be regarded as the hardest and the most general case. So how can we upper bound the probability of this predicate? We use a case analysis. A general framework is to first upper bound the probability that the i-th query completes a collision as the last query. And then we can take a union bound by summing these upper bounds over all possible q queries. And if these upper bounds are independent of each query, then we can just multiply by q. So we want to upper bound the probability of Coll_i. Now we use case analysis. By left-right symmetry, we can assume the last query is placed at either the TL position or the BL position. And we again distinguish two cases, when the last query is obtained by a backward query and when the last query is obtained by a forward query. So we have four cases, and then we can take a union bound again. So the probability of this predicate is upper bounded by the sum of the probabilities of these cases.
And again, we are going to focus on the first two cases, where the last query is placed at the TL position, because the other cases, where the last query is placed at the BL position, can be analyzed in a similar way as the first two cases by rotating these diagrams 180 degrees. Now we look at the first case, where the last query is placed at the TL position and obtained by a backward query. Now at the point when the last query is made, it is placed at the TL position. And since this query is backward, the values B, L, and R are fixed. And there is a unique query in the query history to be placed at the bottom left position. So B and L and R uniquely determine the triple to be placed in this position, and B plus S. Now we want to count the number of queries, the number of triples, to be placed in this position. Any query to be placed here should have the XOR output of B plus S. And the number of queries satisfying this equality is small, say at most alpha, except with a small probability. So here we are excluding a bad event that this block cipher has a multi-collision with multiplicity greater than alpha. So this probability is given as a function of alpha, and later we will optimize this parameter. Now once each of such BR queries is given, this query uniquely determines the triple to be placed at the TL position, and uniquely determines A prime plus R prime. Now actually we wanted to restrict, we wanted to upper bound the number of possible responses here. And in order for a collision to occur, its response should be the same as A prime plus R prime plus R, so that these two values are the same. So the probability of case one is bounded by alpha/(2^n - q), except with the bad event of a multi-collision with multiplicity greater than alpha that we described at this step. So we have this upper bound. And now we look at the second case, where the last query is placed at the top left position and is obtained by a forward query.
Here we distinguish two cases again. In the first sub-case, the BR query is obtained by a backward query. And in the second sub-case, the BR query is obtained by a forward query. And this is a new and unusual element of our analysis, because in a typical analysis we don't care whether the queries already contained in the query history were obtained by a forward query or a backward query. Now we want to count the number of queries to be placed here. And each query to be placed here should have a response of B. And the number of backward queries whose answer is B is small, say at most alpha, except with a small probability, because B is the response of a query, and a response of an oracle query is always chosen randomly. So in this case, each of such queries uniquely determines the response of R. So the probability of this sub-case is upper bounded by alpha/(2^n - q), except with the bad event that we described in the second step. Now we look at the second sub-case, where the BR query is obtained by a forward query. And as before, at the point when the last query is made, A, B, and R are fixed because the TR query is forward. Now we want to upper bound the number of forward queries whose input value is B. But in this case, it is hard to probabilistically restrict this number, because B is the input block, so the adversary is able to take control of the input block. So actually we want to eliminate this case. And we can eliminate this case by slightly modifying our adversary. And this is our main idea. And the modified adversary is simple. So let me describe how this modified adversary behaves. This modified adversary, A prime, runs the original adversary as a subroutine and records its own query history, Q prime. And then whenever A makes a forward query, an encryption of B under the key L and R, the modified adversary makes the same query and an additional query, a decryption of R under the key B and L.
And when A makes a backward query, a decryption of R under the key B and L, then A prime makes the same query and an additional query, an encryption of B under the key L and R. Then what are the properties of this modified adversary? First of all, whenever A makes a query, A prime makes at most one additional query. So if A makes q queries, then A prime makes at most 2q queries. Furthermore, the query history of the original adversary is contained in the history of the modified adversary. So obviously, the collision-finding advantage of the original adversary is upper bounded by the modified adversary's collision-finding advantage. And the most important observation is that if A prime obtains the BL position of a certain evaluation by a forward query, then A prime will immediately make an additional backward query and place it at the top left position. In other words, if the TL position of a certain evaluation is obtained by a forward query after the BL position is determined, then the BL query should have been obtained by a backward query. So this means our modified adversary does not create the second sub-case that was harder to analyze. So this is our main result. This factor is the probability of the bad event, and this is the probability of collision-finding. And here, q is replaced by 2q. And here, we observe that this factor is a decreasing function in terms of alpha, and this factor is increasing as a function of alpha. So here, we have to optimize alpha in order to obtain the best bound. And as an asymptotic result, the Tandem-DM compression function turns out to be collision-resistant up to the birthday bound, ignoring log factors, by using alpha equal to n over log n. And for a typical parameter, say when n is 128, we could prove the Tandem-DM compression function is collision-resistant up to 2^120 query complexity with threshold probability 1/2 by using alpha equal to 16.
And as a final remark, we obtained the same result using a typical analysis without these kinds of tricks, such as modifying the adversary. But in this case, the analysis becomes much longer than the proof we described here. And the first-style proof, you can find in the full version of this paper. And this is the end of my talk. Thank you. Any questions?

So let's thank the speaker again.
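An added Python model of the setting the talk describes, not code from the paper or its authors: a lazily sampled ideal cipher that records a query history with each query's direction, the Tandem-DM evaluation E_{B||L}(A) = R, E_{L||R}(B) = S, the wrapper adversary A' that issues one companion query per query of A, and a check that the eliminated sub-case (a forward TL query whose bottom partner was already obtained by a forward query) never appears in A''s history. The block width N = 8 and the random adversary are constructed for illustration.

```python
import random

N = 8   # block width in bits (constructed: tiny so the demo runs instantly)
class IdealCipher:
    """Lazily sampled ideal cipher: each 2n-bit key (k1, k2) is an independent random permutation."""
    def __init__(self, seed=1):     # history: (key, plaintext, ciphertext, direction) per freshly sampled point
        self.rng, self.enc, self.dec, self.history = random.Random(seed), {}, {}, []
    def _query(self, key, v, direction):
        fwd, inv = self.enc.setdefault(key, {}), self.dec.setdefault(key, {})
        have, other = (fwd, inv) if direction == "fwd" else (inv, fwd)
        if v not in have:           # sample uniformly outside the range (or domain) already fixed for this key
            w = self.rng.choice([u for u in range(1 << N) if u not in other])
            have[v], other[w] = w, v
            self.history.append((key, v, w, "fwd") if direction == "fwd" else (key, w, v, "bwd"))
        return have[v]
    def E(self, key, x): return self._query(key, x, "fwd")   # forward (encryption) query
    def D(self, key, y): return self._query(key, y, "bwd")   # backward (decryption) query

def tandem_dm(ic, a, b, l):         # top R = E_{B||L}(A), bottom S = E_{L||R}(B); output (A xor R, B xor S)
    r = ic.E((b, l), a)
    return a ^ r, b ^ ic.E((l, r), b)

class ModifiedAdversaryOracle:
    """A' from the talk: relays each query of A plus one companion query, so at most 2q queries in total."""
    def __init__(self, ic): self.ic = ic
    def E(self, key, x):            # A asks E_{L||R}(B); A' also asks D_{B||L}(R), the top query of that evaluation
        s = self.ic.E(key, x)
        self.ic.D((x, key[0]), key[1])
        return s
    def D(self, key, y):            # A asks D_{B||L}(R); A' also asks E_{L||R}(B), the bottom query
        a = self.ic.D(key, y)
        self.ic.E((key[1], y), key[0])
        return a

def has_forward_top_after_forward_bottom(history):
    """The sub-case A' eliminates: a forward top query E_{B||L}(A)=R whose bottom partner E_{L||R}(B) was already obtained forward."""
    seen = {}                       # (key, plaintext) -> direction in which that point was obtained
    for key, x, y, d in history:
        b, l = key
        if d == "fwd" and seen.get(((l, y), b)) == "fwd":
            return True
        seen[(key, x)] = d
    return False

def run_random_adversary(oracle, q, seed=7):
    """Constructed adversary A: q random forward/backward queries on n-bit keys and blocks."""
    rng = random.Random(seed)
    for _ in range(q):
        key, v = (rng.randrange(1 << N), rng.randrange(1 << N)), rng.randrange(1 << N)
        (oracle.E if rng.random() < 0.5 else oracle.D)(key, v)
```

Running `run_random_adversary(ModifiedAdversaryOracle(ic), q)` leaves `ic.history` with at most 2q entries and the eliminated sub-case absent, whichever queries A chose, because every forward bottom query is immediately followed by the backward query fixing its top partner.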