 Hello, welcome to my presentation of our paper on the compactness of flashing modes and efficiency beyond multi-trade. This is a joint work with Elena Andriva from TU Vienna and Ornobroi from Klagenfurt. The general outline of the rest of my talk is as follows. I am going to start with one slight description of our result. To describe things in detail, I shall first state our motivation and recall some background results. Then we jump into our results on the two modes that we present, ABR and ABR+. Finally, I am going to briefly discuss some related extensions of our work. Here is the one slide representation of our work. We introduce two hashing modes, ABR and ABR+. Both the modes are based on two-and-two-n-bit compression functions. The parameter of ABR mode matches TAMS bound from crypto 2008. When compared to popular market tree, ABR mode compresses around 50% more messages by making same number of calls to the underlying compression function. In comparison, ABR+, achieves indifferentiability security notion. The only compromise it makes is it compresses one message block less than ABR mode. Our work has both theoretical and practical motivations. Indeed, achieving TAMS bound for general parameters have been an open problem since 2008. From practical perspective, the problem relates to minimizing multiplicative complexity. As more function calls implies increased multiplicative complexity, the natural question is how to compress more messages by making same number of function calls and thus minimizing the multiplicative complexity. Of course, an efficient hash function has other applications as well, like in archiving, proof systems, etc. Let's start from the background. A hash function takes strings of arbitrary length as input and produces strings of fixed length as output. A cryptographic hash function needs to satisfy some security notions. Two primary requirements are the collision resistance and the pre-image resistance. We say an adversary finds a collision in the hash function if it can produce two distinct messages m and m prime such that hm equal to hm prime. That is, the messages are mapped to the same point. We require that it takes approximately 2 to the power n over two many hash evaluations before the adversary can find a collision. Similarly, for pre-image resistance, the adversary is asked to invert the hash function h on any given point. We expect that an adversary needs to make approximately 2 to the power n many hash computations before finding the pre-image. There are notions like second pre-image resistance or target collision resistance analyzed in the literature. However, they are implied by collision resistance. In the last 15 years, indifferentiability from a random oracle have appeared as major security criteria. It says that the adversary should not be able to distinguish the hash function h from a random function from 01 start to 01 end. I would like to point out that indifferentiability from random oracle is indeed a very strong security notion and in particular it subsumes collision resistance and pre-image resistance. The hash functions are designed in two steps. First, one chooses a suitable function f which is a mu bit to n bit function with mu greater than equal to n. The hash function is implemented via a domain extension algorithm or a mode of operation algorithm which on input m iteratively queries the function f as a subroutine with suitable inputs and computes the hash value based on the responses. In the figure, the blocks GIs are the one which decides the input to query the function f. The security argument for the hash function is established via a reduction from f. It is shown that an attack against h can be converted into an attack against f. Often information theoretic arguments are used where f is modeled as an ideal object like a random function or a random permutation. To classical and yet the state-of-the-art examples are Marklet-Umbard and Marklet-Tree. Marklet-Umbard is a cascade construction where the message is pre-processed via applying a padding. For Marklet-Tree, the tree data structure is used to evaluate the hash. The messages are injected at the leaf level, the functions are evaluated level-wise and output of the root node is given as the hash value. Modern hash designs employing Marklet-Umbard or Marklet-Tree often uses padding to ensure the functions are independent. Blake or MD6 are good examples of such padding. In this work, we ask how can we construct the most efficient domain extension algorithm? In concrete terms, we wish to construct a collision-resistant kn to n-bit hash function, yet making minimum number of calls to the underlying 2n to n-bit function f. Of course, we are not the first to ask this question. In Eurocrypt 2005, Black, Koshan and Schimton proved that to construct a 2n to n-bit collision resistant function from n-bit permutations, more than one call to the permutation is necessary. Rogaway and Steinberger generalized this result to show that any kn to ln-bit function from permutations need to make 2k minus l many queries to the n-bit permutations. In 2008, Stam refined the above bound and conjectured that any collision-resistant t plus s to s-bit function from n plus c to n-bit function requires s plus 2t divided by 2n plus 2c minus s calls. In concrete terms, Stam's bound implies to construct 2n to n-bit function from n to n-bit functions, 3 calls are necessary. Similarly, to construct kn to n-bit function from 2n to n-bit functions, 2k minus 1 by 3 many calls are necessary. The only upper bound achieving n by 2 bits of collision security is the Schimton-Stam construction from 2008. The construction is described in the picture. The construction uses 3n to n-bit functions and compresses 2n-bit message to construct n-bit digest. However, the problem is open for general parameters. In particular, we did not know whether to construct kn to n-bit function from 2n to n-bit functions 2k minus 1 by 3 many calls are sufficient to achieve collision resistance. And to put matters in perspective, we recall that the mercury makes k minus 1 many calls. We show that, yes, indeed such constructions exist. We present an augmented binary tree, ABR hashing mode, which compresses kn-bit message to n-bit digest by making 2k minus 1 by 3 calls to the underline 2n to n-bit functions and achieve n by 2 bit of collision resistance. Compared to Markley tree, this gives almost 50 percent improvement as 50 percent more messages can be compressed. We also present a simple modification of ABR tree that we call ABR plus mode that can achieve indifferentiability from random oracle by making the same 2k minus 1 by 3 calls to the underline functions. The only difference is that in case of ABR plus, we compress one block less. The ABR tree is shown in the picture. Starting with the tree, at each non-lift function call, an additional message block is zored with both the input. Like Schindt and Stam, one previous chaining value is feed forward and zored with the output. I am going to present an overview of the collision resistance output. The main difficulty is in handling the fact that the adversary may query the functions adaptively. For example, the adversary may make some queries to the root say and later make queries at the lower level and try to match with the previous query input. The core idea is to define a bad event if such match happens too many times. We derive an upper bound on the expected number of such match and apply Markov inequality. In more detail, the crucial parameter of our analysis is the notion of the load of a node in the transcript. It is the number of computable messages in the transcript with queries to all the nodes in the subtree of that node. The idea is conditioned on some bad events, the collision probability can be derived in terms of load square by 2 to the n. The main technical task is to find the correct bad events such that the derivation works and the load is suitably bounded. We identify two bad events. The first one happens when a query to a function increases the load of that function by k to the power l for some suitably chosen k that here l is the height of the tree. The second one happens when a query to a lower level function say f j minus d b prime increases the load of a function f j b by k to the power l here the function j minus d b prime is in the subtree of j b. What we could prove is that the collision probability of each of the small blocks conditioned on the bad events not happening can be bounded by k to the power 2 l times q square by 2 to the n. We can also bound the bad events individually. For the first one one can imply a previously known technique however for the second one we need our markup track. The ABR plus mode is shown in the picture. Compared to ABR mode the additional message block is not sought at the leaf level. The general idea is that a collision resistant preimage aware function when composed with independent random function gives indifference stability from random work. So in case of ABR plus we take two ABR trees and then envelope them with an independent random function to compute the ABR plus hash value. Now this idea of indifference stability is analogous to the well-known principle that collision resistance followed by PRF gives us a PRF. The same idea works here. The collision resistance of the ABR modes ensure that the query to the root are all fresh and as the root function in itself is a random function the arguments go through. Now I am going to talk about certain corollaries of our result that may not be very apparent. To start with consider the direct extension of shimtan stamp construction in the 2N2N bit setting. Here the function compresses five message blocks with three calls to the function F. This construction in particular has a simpler collision resistance argument. Here it is sufficient to consider level wise adversely. The reason is that the messages are injected that are injected at the leaf node does not affect the transcript as the probabilities are calculated over the randomness of the function F as well as the each of these function F rise are random functions. Thus there are broadly two cases to consider collision at the leaf node and collision at the final output condition done no collision at the leaf nodes. The probability for the collision of the leaf node can be individually bounded by q square by 2 to the N whereas for the third condition we give a new counting argument where we prove for the collision probability condition done no collision at the leaf can be bounded by N square q square by 2 to the N. Once the collision probability is settled then like the previous case we get an intermediate indifferentiability result. We take 2 5N to N betabier construction and add an independent random function as envelope. Like previous case we can argue that the preimage aware collision resistance followed by random function gives indifferentiability. These constructions give an intermediate relatively easier to prove collision resistant hash function where the additional messages are injected at alternate levels. For the proof of this we need to recursively apply our indifferentiability result with the composition theorem. To conclude we presented new design principles for tree hash with almost 50% more efficiency than market tree. This is the first general parameter construction towards achieving stamp spot. Interestingly we get an almost optimal efficiency with indifferentiability from random molecules as well. A natural open problem is to achieve stamp's bound for double length hash functions. This concludes my presentation, thank you.