 So the next speaker is Yuusasaki from NTT. The title of the ox is Cryptanalysis on Merkley-Dumgoth-Based Mac, almost universal forgery and distinguishing H attacks. Thank you for the introduction. So my name is Yuusasaki. And first of all, I'd like to start with such a summary. So in this paper, we present two generic attacks against Merkley-Dumgoth-Based Mac construction, which instantiates a narrow pipe Merkley-Dumgoth hash. So the construction is described in the figure, but I will explain the details later. So we consider two attacks. The first one is distinguishing H. And a previous read, it was believed that the generic attack will cost 2,000 queries. But in this paper, we give the new attack, which only requires the three times of the birthday queries and also birthday order computational complexity. And then we give another attack called almost universal forgery attack. So that's the summary. OK, so first, I'd like to give the background. And then I will explain the generic distinguishing H and almost universal forgery. And finally, I conclude my talk and give each work. So this slide describes a very fundamental concept and which is a message authentication course. So it provides the integrity and the authenticity. The sender and the receiver share the secret key K. Now when the sender sends the message M to the receiver, he also sends the tag, which is computed by the hash function, taking M and K as the input. And then after the receiver receives the M, he computes the tag value by using the received M and shared key K and check the match of the tag and his results. Then he can check the integrity and the authenticity. OK, so in this paper, we analyze hash function based mark. And this is the hash function structure, which is the target of the paper. The first property is the Marker-Dungard domain's extension. So in this framework, the completion function is iteratively applied to compute the hash value. And another property is the nanopipe structure. That means the size of the internal state and the size of the hash value is the same. Now, I'd like to say that most of widely used hash functions fall into this category, like SHA1, SHA2, MD5, like MD, VAR2, whatever, all of them. It's a Marker-Dungard nanopipe structure. So how to construct mark scheme by using hash function? So there is a classic mark construction called the secret prefix mark. The structure is pretty simple. So first, the key, the secret key is processed as a first block. And then the message is computed. But unfortunately, this construction is known to be vulnerable against the forgery attack. So the attack is also called a length extension attack. So in this scheme, the attacker first clearly message M1 and receives the tag. Then once he obtained the internal state value sigma, then for any value of M2, he can compute sigma prime at offline. So the forgery will succeed with only complexity 1. So how to prevent this attack? So one approach is appending the rings of the input message before the message is computed. So the scheme is called length-prepended mark in short LP mark. Actually, this construction prevents the length extension attack. So first, this attacker asks one block message M1 and obtains the corresponding sigma. Then he append another message M2. But in this case, the rings prevent the value becomes different. So the internal state value will change. So this computation is no longer useful. So indeed, the LP mark works very well. And it has the security proof. So LP mark satisfies the prefix-free-ness. Its meaning is any message is not the prefix of other messages. And prefix-free mark was proved to be our secure PRF up to 2 to the n over 2 queries. So this was done by Bellard et al in 1996. OK, then let's consider the attack framework for MAC constructions. I think most popular attack framework is the forgery attack. But considering the distinguisher is also possible. And in this context, we have two frameworks of distinguishing attack. The one is called distinguishing R. In this framework, the attacker aims to distinguish the target construction from the random or local computation. But for distinguishing R, generic attack is known. And the complexity is 2 to the n over 2. So this was discovered by Plainel and Bono shot in 1995. And then we have another distinguishing attack called distinguishing H. So in this framework, so first the domain extension is fixed. Then the attacker tries to distinguish which compression function, feature of H and R, is a random function, is used as a compression function. So previously, it was believed that the generic attack will cost 2 to the n complexity. But it was a folklore. So there is no proof of this folklore. OK, so given this background, what happened before in history, the previous approach tried to find a distinguisher which is faster than the 2 to the n complexity because generic attack was believed to be 2 to the n. So most of them combined the generic birthday attack and dedicated differential crypt analysis. Because the previous attack requires the birthday attack, the number of queries is always bigger than 2 to the n over 2. And because the differential crypt analysis is applied, the attacking through rounds is quite hard. So here is the list of the previously published distinguishing H attack in CLP back. So first, so show one was evaluated, but it was only for reduced rounds, and the query is higher than the birthday complexity. And yeah, shout 2 and write in the family were evaluated. And most of them are for reduced rounds, and the complexity is bigger than 2 to the n over 2. So what I want to do now is stop evaluating each function separately. So I mean, I'd like to propose a generic attack. And here is our results. So we propose a generic distinguishing H attack against LP mark instantiating nanopipe microdanger hash function. So because the attack is generic, the full rounds can be attacked. And the number of queries is three times of the birthday complexity. And this is almost optimal. And this indicates that the folklore for the NB security was incorrect. OK, then I'd like to explain the attack procedure. So here is the basic idea. So first, please assume that an internal collision starting from different rings, prepend strings, can be generated. So first, the attacker queries two block message M1, M2, and obtains the corresponding tag sigma. So for this message, because the block length is 2, the computation starts from here. Then after first block, it will reach the internal collision. And for another message block, it will reach here. So the attacker can obtain the tag sigma. Then next, he queries three block messages. So because the block length is 3, the computation starts from here. And after the first block is computed, it reaches the internal collision. Then if M2 equals to M2 prime, it will be here. And after another M3 prime, he obtains the value of H4, its sigma prime. OK, so now he obtains the value of H3, the value of H4, and this message. So he collects all the information for the last block. That means he can easily check the function is H or something else. OK, so if this assumption is satisfied, then we can easily detect which of H or R is instantiated. So how to detect the internal collision? Only with queries of different length. So the attacker wants to find the collision between these two. But unfortunately, he can't see the value here. So the idea is after he obtains the sigma, he computes the second message block at offline. So this is offline simulation. Because there is no secret information here, he can do this very easily. So here is the exact attack procedure. So first, the attacker fix the value of the second message block, so M2 prime to a randomly chosen value. Anybody with OK. Then he prepares two to the N over two different message for the first message block. And queries these messages and obtain the corresponding sigma. And at offline, he simulates the value after the second message block. And he stores the results in the memory. OK, in the next step, he prepares two to the N over two different two block messages in one prime and the M2 prime. The M2 prime is always fixed value. OK, so now he can check the collision between this value and the sigma prime. So if the collision occurs, then it may suggest internal collision here, or it is just collision in the second block. So the attacker's goal is obtaining only internal collision. So to eliminate the noise, for step 4, for the matched M1 and M1 prime, he checks the match with different teams of prime. Then only the internal collision can be obtained. OK, so this is the evaluation of the attack. So if the step 4 succeeds, then H is the target hash function. And step 1 is just fixing the message. So of course, the complexity is negligible. And step 2 is also query the birthday message. So that means the query complexity is 2 to the N over 2. And he does the offline computation 2 to the N over 2 times. In a straightforward way, he also needs the memory to store 2 to the N over 2 values. Then step 3 is quite simple. It's just a query of 2 to the N over 2 two block messages. So the complexity is just double of the 2 to the N over 2. And the step 4 is just checking. So it's negligible. In total, the complexity is like this. So everything is in the order of the birthday complexity. And please note, if you use the memoryless meeting the middle attack for step 2 and for step 3, then the attack can be memoryless. So this can be negligible with only a small additional cost for query and complexity. OK, so it is our generated distinguishing H attack. So if also something in your attack is applied, so why don't you consider a much stronger attack? And actually, we did it. And the attack is almost universal for jewelry attack. So the concept of almost universal for jewelry attack was introduced by a dunkle metal in the last year. In this framework, the first attacker will do some pre-computation or pre-query. After that, a target message is randomly given. And so this is an interesting point. Then the attacker can modify the one block of the given message. So the attack target is almost the given message, but one block is modified. OK, then the perform the for jewelry attack and the modified target. So this is the framework. But in these people, we a little bit lose the restriction. So in our attack, the first log 2L blocks are replaced. And L is the size of the message. OK, then let's consider the attack on the LP mark. So according to this step, so first we want to do some pre-computation. But the problem is we don't know the target message, especially target message length. So length prep end value is not determined yet. So which pre-computation can you do? That's the problem. So the idea is generate a modified collision, starting from various length prep end values. So this message block maps this internal state to y and this internal state to y and this internal state to y. So if the given message is one block, then if you replace the message block with x, then you know that the target is y. And similarly, if the given message is 8 block and if you replace the first message block with x, then you know that the internal state would be y. So due to the modified collision with the different length prep end values, you can have some length prediction, length adjustment facility. But unfortunately, generating modified collision is very inefficient. So the idea is using the diamond structure, which was originally proposed by Kelsey and the Conan for a Harding attack. Then in the birthday order, the modified collision, starting from eight different values, can be constructed. But because of the tree structure, we needed to replace the first log L block instead of one block. And this slide shows the potential applications of this kind of structure, the diamond structure. The application is some connecting problem, finding the connection problem. So you want to find the message which starts from one training value and hopefully reach some of the pre-computed structure. But you can't determine the total message length until you find the connection. Because in this part, the modification can be applied for various message lengths. Such structure can be useful for connection problem of multi-targets with various message lengths. So one application is a long message attack. Until you find the connection, you can say the total message length. Another application is a Harding attack and which finds the connection from this value or any of the node in the construction. So until you know the depth of the node, which is connected, you can determine the total message length. So the diamond structure would be useful. OK, so I conclude my talk and I give some future work. So in this paper, we propose a generic distinction H attack and LP mark. And the complexity is just order of the birthday complexity. So the NB2 security folklore is incorrect. And we showed a more cryptanalysis called almost a universal luxury on LP mark. Then finally, I will give some future research directions. So one direction is finding a new problem on MAC in which a generic attack costs between 2 to the N over 2 and 2 to the N. So like almost a universal luxury attack, you may be able to find some new problem on the MAC security, which would be interesting. So another future work is finding a new application of a differential with probability higher than 2 to the minus N. So previously, it was believed that as soon as a differential with probability slightly better than 2 to the minus N is found, then it can be converted to distinguish attack on MAC construction. Because we have some applications, so finding these problems would be nice. But in this paper, we showed that this conversion does not work. So the distinguish attack combated in such a way is worse than the generic attack. So finding the new application, so if we have this, so what can be done? So finding such problem is maybe interesting problem. That's about it. Thank you for your attention.