Hello, I'm Akinori Hosoyamada from NTT Social Informatics Laboratories.This is a study on white box situa AAD mode of white box situa block ciphers.This is a joint work with Takano Lee Sobe and Yosuke Todo and Kanya Suda.This picture illustrates the usual black box model, where we studied the security of cryptographic scheme or cryptographic algorithm.We assume that there is an attacker and there is the black box oracle of the target algorithm.An attacker may make some queries to the oracle and the oracle returns responses.And here the important thing is we assume that the attacker does not have direct access to the implementation of the algorithm.So this is the usual black box model.But in the real world, sometimes we have some problems with the black box model.The problem is that there may exist a kind of malware which enters into a personal computer or server where the cryptographic algorithm is implemented.And this malware may leak some information to the attacker.And in such a situation, results shown in the black box model guarantee no security about the cryptographic algorithm.And white box cryptography is a technique to remedy such a situation.More concretely, white box cryptography is a technique to protect data against attackers who may have full and direct access to implementations of cryptographic algorithms.And there are two major requirements in white box cryptography resistance against key extraction and resistance against code lifting.Here key extraction is an attack to recover the secret key and code lifting is an attack to copy the entire implementation.It is obvious that the resistance against key extraction is mandatory.But the important thing is the resistance against code lifting is also mandatory because if an attacker can copy the entire implementation of the cryptographic algorithm,then that attacker can do any cryptographic operation arbitrarily.So the resistance against code lifting is also mandatory.And next, I'd like to explain about incompressibility.This is a set written notion against code lifting, introduced by De La Ville et al.And roughly speaking, incompressibility formalizes the hardness of compressing cryptographic implementations while keeping functionality.And intuitively, incompressibility implies the hardness for malware to leak useful information.And the good point about incompressibility or its variance is that they are achievable without relying on special secure hardware.And there still exist high demand for software-only solutions in various scenarios like cloud-based payment services.So we also focus on incompressibility.And next, I'd like to explain the motivation of our research.First, there exist secure and efficient incompressible block ciphers in previous works,but there exist no modes of operation to convert such block ciphers into incompressible AEADs.And second, there is no incompressible AE steam achieving both of confidentiality and authenticity without relying on special hardware in the presence of leakage.And so a natural question is, can't we reduce incompressibility like set written notions of an AEAD mode to those of block ciphers?This is a very natural question, but it seems new set written notions are necessary for both of block ciphers and AEADs,because existing set written notions do not seem suitable for reductions from AEADs to block ciphers.And these are our main results.First, we introduced new white box set written notions for AEADs and block ciphers hand-to-hand.And second, we showed that a weak variant of public indifferentiality implies reduction between our new set written notions.And third, we showed that the SIV construction instantiated with a spongy basal PRF and counter mode becomes a white box set write AEAD mode of block ciphers.And fourth, we introduced a new white box set write wild block block cipher, which we use space 25616.And finally, in our paper, we assume that malware can be detected if they consume lots of computational resources or send huge data outside,but we assume nothing about set your hardware.So this is the summary of our results. Please read our paper for more details.