Hi, everyone. I'm Kazuhiko Minematsu from NEC Corporation. In this talk, I'd like to talk about misuse-resistant authenticated encryption that enables fast decryption. The title of my talk is "Fast Decryption: a New Feature of Misuse-Resistant AE". Let me start with a brief introduction of nonce-based AE. This is a symmetric-key encryption for confidentiality and authenticity. Its encryption outputs a ciphertext and a tag, which is used to authenticate the input, and the decryption returns a plaintext if the input to the decryption is authentic. Formally, an input to encryption consists of key K, nonce N, associated data A, and plaintext M. The output is ciphertext C and tag T. The tuple (N, A, C, T) is sent to the receiver. An input to the decryption consists of key K and this tuple, and it returns a plaintext M if the tuple is authentic. Otherwise, it returns an error symbol. For nonce-based AE, the nonce must be unique for each encryption. When it is repeated, a devastating attack can happen. A well-known example is GCM. Even one repetition of a nonce in GCM allows the adversary to recover its sub-key and subsequently a universal forgery. In theory, the solution is easy by using, say, a counter or a random value of sufficient length. But in practice, nonces may repeat due to various reasons, such as wrong configuration or poor random sources, and so on. Hence, an AE scheme that resists potential nonce repeats is desirable. As an answer to this question, Rogaway and Shrimpton proposed SIV. It derives the tag T as a MAC of the total input consisting of AD and plaintext. Here, AD may contain the nonce. The picture of SIV is shown here. Tag T is used as an IV for an IV-based encryption, say, by counter mode. For decryption, it first decrypts C by using this IV and compares IV with the output of the PRF taking the associated data and the decrypted plaintext. SIV maintains security even if nonces repeat, as long as the total input tuple of A, N, and M is unique for each encryption.
From this feature, it is called misuse-resistant AE, or MRAE for short. In fact, MRAE has received significant attention, and most of the known MRAE schemes rely on SIV or its variants, as you can see here for some examples. The security of MRAE can be described by two notions, as in the case of nonce-based AE, namely privacy and authenticity. For privacy, it requires that the encryption output should be random as long as the total inputs are distinct. For authenticity, it requires that non-trivial forgery is hard. SIV fulfills these notions. To consider the essence of SIV, suppose we use a block cipher; then SIV needs a MAC or PRF and an IV-based encryption, and each can be realized by some modes, say, CMAC and counter mode. This means that the rate is one-half for both encryption and decryption. Here, the rate means the number of input blocks that can be processed by one primitive call. We note that rate-one nonce-based AE is indeed possible, for example, using OCB. This means that to build an MRAE by SIV, we have an efficiency gap. To fill the gap, this paper proposes a new scheme called Decryption-Fast SIV, DFV. It is an MRAE scheme that achieves rate one for decryption while preserving the one-half rate for encryption. Here, rate-one decryption means that the decryption of DFV is as fast as plain unauthenticated decryption. Also, rate one-half is necessary to ensure privacy, because we need a two-pass operation. Thus, this implies that DFV is best possible with respect to MRAE. Note that this is for the case of using a block cipher. If we use a different primitive, the resulting rates of DFV will change. Roughly speaking, DFV's decryption rate can be the best possible decryption rate of nonce-based AE using that primitive, and the encryption rate can be the best possible encryption rate of SIV using that primitive. We will consider the case of using a tweakable block cipher later. So let me describe our ideas.
In a nutshell, our idea is to compose a nonce-based AE and a PRF to build an MRAE, assuming the former is rate one. The idea is simple, but to my knowledge, it has never been formally studied. Some close ideas can be found in the literature, but for different purposes, and they were not meant to improve the efficiency of MRAE. We propose three compositions called DFV1, 2, and 3 and prove their black-box security based on the black-box security of the nonce-based AE and the PRF. We also show two concrete schemes based on OCB and ΘCB. The latter is an idealized OCB using a tweakable block cipher. All proofs are rather intuitive, but we will see some pitfalls when we try to optimize the constructions. All right, let me show some strawman schemes. First, we derive IV as in SIV, but feed it to the nonce-based AE rather than the IV-based encryption. This nonce-based AE outputs a tag T, so the encryption output is the tuple of N, IV, A, C, and T. Decryption is just the decryption of the nonce-based AE we use. Here the nonce-based AE does not take associated data, which we call plain NAE or PNAE for short. Actually, this is wrong because the associated data is discarded at the decryption, so it is not authenticated. For the second try, associated data must be verified at decryption, so we use a non-plain nonce-based AE, which is also known as AEAD. Then the AD is now authenticated. But as you can see here, the decryption releases a matching plaintext even if the N is different. So it does not fulfill MRAE security. To get a correct solution, we must reflect the whole input. Then it works. We call this scheme DFV1. Although DFV1 works, A is now processed twice at encryption. This is worse than SIV. To get rid of such inefficiency, we assume that the PRF taking A and M is decomposed into two smaller PRFs, F and G, and A is processed by F independently of M. We let S denote the result of processing A.
And we reuse this S to bring the associated data's information into the plain nonce-based AE. In the end, this problem is closely related to the conversion of a plain nonce-based AE into a nonce-based AE with associated data. In fact, this conversion problem has been studied by Rogaway at CCS 2002. He suggested two options. The first is ciphertext translation, which XORs S into the tag, as you can see on the slide. The second is nonce stitching, which attaches the raw associated data to the nonce, assuming there is some redundant space. The latter can be easily extended to the case of using S, which is a PRF output of the associated data, instead of the associated data itself. Based on these conversions, we propose two schemes. The first, our second scheme, DFV2, uses ciphertext translation, and this slide shows its encryption and decryption. For simplicity, we assume an unverified decryption routine, denoted by UDEC, for the plain nonce-based AE decryption. The decryption receives the tuple (N, C, T), then computes UDEC of N and C, which produces M and U, and finally compares T and U. This assumption holds for most nonce-based AE schemes. The third scheme, DFV3, uses a generalized version of nonce stitching. And yeah, I'll skip here. This slide shows the provable security bounds of all schemes. I'm not going into the details, but this bound tells us that the security is reduced to the underlying NAE security and PRF security. For the proofs of DFV2 and 3, we use the simulation framework proposed by Rogaway in his CCS 2002 paper. There are some remarks. First, the bounds are possibly not tight. For example, if we use OCB as the underlying NAE, the DFV2 bound will have q_d times sigma squared over 2^n. It is a cubic degradation and is inherited from the original ciphertext translation bound. Second, some optimizations of the constructions may look easy, but in fact are not. For instance, consider taking the XOR of S and M when computing the PRF for A and M.
This will improve efficiency as G's input becomes shorter. As a standalone construction, it is fine up to the birthday bound, but the fact that S is also used by the NAE makes the proof intractable. See the paper for more details. Let me move to the concrete instantiations. The first is a block-cipher-based one, which we call OCB-DFV. More specifically, we use PMAC for the PRF and OCB2f for the plain nonce-based authenticated encryption, and the entire structure is based on DFV2. The latter, OCB2f, is a fixed version of the broken OCB2, and we adopt it for simplicity of pseudocode, but in fact OCB3 can be used as well. This scheme achieves a parallel misuse-resistant AE having encryption rate one-half and decryption rate one. This slide shows the bound of OCB-DFV. As I mentioned, if we use the generic bound of DFV2, it will introduce some cubic degradation, while the original OCB and PMAC have only quadratic terms. However, using a dedicated proof that slightly modifies the proof strategy enables a quadratic bound. As a result, OCB-DFV is n/2-bit secure, that is, the standard style of birthday-bound security. It's comparable to OCB. The natural question here is how to achieve stronger beyond-birthday-bound security. There are some possible directions to achieve BBB security, but here we focus on using a TBC. It has an additional input called a tweak in addition to key and message. We assume that both the message block and the tweak are n bits. Our goal is to achieve n-bit security. Then the IV must be at least 2n bits, because of the cubic term with respect to the IV length. To implement the PRF, there is already a nice construction, ZMAC, as it has a 2n-bit output and n-bit security. However, to implement the plain nonce-based AE, the popular ΘCB3 does not work as its nonce is n bits. To overcome this limitation, we develop ΘCBL, where L means a long nonce.
It is a variant of ΘCB3 that has a 2n-bit nonce and accepts a message of up to 2^n blocks, as the original does. The security is n bits. This figure shows the case of three-block encryption of ΘCBL. We note that if we were to use ΘCB with a 2n-bit nonce, the underlying TBC must have a 3n-bit tweak. But we avoid this by introducing the XTX tweak extension. Shorter tweaks generally imply smaller computation, as one can see in the specifications of the SKINNY tweakable block cipher. Hence, ΘCBL can be considered an efficiency improvement over ΘCB, in addition to the extended nonce space. In the same manner as OCB-DFV, we build ΘCB-DFV by using ZMAC for the PRF and ΘCBL for the plain nonce-based AE. Thanks to ZMAC, which processes two input blocks by one call, the encryption rate now becomes two over three, and the decryption rate is one. This slide shows a comparison of our proposals and other SIV-based MRAE schemes. TBC(a, b) denotes a TBC with an a-bit tweak and a b-bit block, and as you can see, OCB-DFV and ΘCB-DFV have an encryption rate identical to the best previous scheme, while achieving decryption rate one. On the downside, because the output contains both the IV and the tag, the bandwidth is increased. To conclude, this work proposed a simple extension and improvement of MRAE constructions by combining the ideas of SIV and rate-1 nonce-based AE. This also implies that studying rate-1 nonce-based AE is also useful for MRAE constructions. There are a number of future directions. Studying the RUP security of DFV is one of them, where RUP means release of unverified plaintext, which is a situation where unverified plaintext might leak in the decryption. We already showed some preliminary results in the paper regarding RUP security, and the implementation of our schemes and benchmarking will also be needed to see the practical benefit of our proposals. Okay, that's it. Thanks for your attention.
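The contrast between SIV decryption and DFV1 decryption described in the talk, as an added toy illustration that is not code from the talk, the paper or NEC. It assumes HMAC-SHA256 as the PRF F and a constructed HMAC-keystream counter mode with an HMAC tag standing in for a real rate-1 nonce-based AE such as OCB; the point is structural (DFV1 decryption never recomputes F over the plaintext, and binds N and A through the AEAD's associated data), not the rate of this toy.

```python
# Toy SIV vs. DFV1 composition (illustration only; constructed primitives).
import hmac, hashlib

F_CALLS = {"n": 0}  # counts invocations of the outer PRF F (the SIV IV/tag function)

def encode(*parts):
    # length-prefix every field so (N, A, M) maps to a unique byte string
    return b"".join(len(p).to_bytes(4, "big") + p for p in parts)

def F(k1, n, a, m):                      # PRF over the whole input, as in SIV
    F_CALLS["n"] += 1
    return hmac.new(k1, encode(n, a, m), hashlib.sha256).digest()

def ctr(k, iv, data):                    # constructed keystream: HMAC(k, iv || counter)
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hmac.new(k, iv + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(x ^ y for x, y in zip(data[i:i + 32], ks))
    return bytes(out)

def nae_enc(k2, nonce, ad, m):           # stand-in nonce-based AE with AD (AEAD)
    c = ctr(k2, nonce, m)
    return c, hmac.new(k2 + b"t", encode(nonce, ad, c), hashlib.sha256).digest()

def nae_dec(k2, nonce, ad, c, t):
    u = hmac.new(k2 + b"t", encode(nonce, ad, c), hashlib.sha256).digest()
    return ctr(k2, nonce, c) if hmac.compare_digest(u, t) else None

def siv_enc(k1, k2, n, a, m):
    iv = F(k1, n, a, m)
    return iv, ctr(k2, iv, m)

def siv_dec(k1, k2, n, a, iv, c):        # must recompute F over the decrypted M
    m = ctr(k2, iv, c)
    return m if hmac.compare_digest(F(k1, n, a, m), iv) else None

def dfv1_enc(k1, k2, n, a, m):
    iv = F(k1, n, a, m)                  # IV derived as in SIV ...
    c, t = nae_enc(k2, iv, encode(n, a), m)  # ... used as the AEAD nonce; AD = (N, A)
    return iv, c, t

def dfv1_dec(k2, n, a, iv, c, t):        # plain AEAD decryption: F is never evaluated
    return nae_dec(k2, iv, encode(n, a), c, t)
```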