 Hello everyone, my name is Yobin Sen, a final year PhD student in SATU. Today, our talk is Improved Secret Bounds for Generalized Facetime Networks. This is the joint work with Professor Guo and Professor Wang. They are four parts in our talk. The first one is the introduction to Facetime Networks. The second one is our contribution. The sixth one is our proofs for Generalized Facetime Networks. The first one is our conclusion. Facetime Networks is one of the most popular ways to design a block-side for. They either accept times of a Facetime permutation. A Facetime permutation usually makes a 2MB input to a 2MB output by a MB function, which is also called a long function. This figure is the expression of classical Facetime, which is also called a balanced Facetime, because the left path and right path input has sent a bit length. They are separated to generalize the classical Facetime. By replacing the long function with extending or constructing one, we can obtain the unbalanced Facetime. By alternatively using the expanding and constructing long function, we can obtain the alternating Facetime. By partitioning the input into more than two blocks, we can obtain the type 1, type 2, type 3 Facetails. These three kinds also are multi-light Facetails. The difference among these three types is that they use different number of functions in each round. By replacing the underlying primitive with the tickable block-side for, we can obtain the TBC-based Facetail. Let's take a view of the Generalized Facetail considered in our paper. In our paper, they are total at variant Generalized Facetail. The first one is the unbalanced Facetail. It uses the constructing long function as the constructing long functions. The second one is the unbalanced Facetail. They use the expanding long function. The drawback of the unbalanced Facetail is that we need to resize, we need to resize the left and right path in each round to make it fit to the underlying long functions. The third one is the alternating Facetail. You use the constructing and expanding long function in an alternative manner, so we don't need to resize the left and right half of the input. But we need to use the constructing and expanding long function at the same time. The fourth one is the numeric alternating Facetail. This is also used in some former presuming encryption. From the first to the seventh are three kinds of multiline Facetail. The difference is that they use a different number of functions in each round. For example, for four blocks in blocks, the type one Facetail uses only one function in a single round. The type two Facetail uses two functions in a single round. The type three Facetail uses three functions in a single round. The advantage of this multiline Facetail is that it can expanding the input and output of the underlying long functions. Actually, the input of the block cycle can be much larger than the input to the function. The final one is the type four block cycle-based Facetail. You use the type four block cycle as the underlying long function. So besides the two input, we also need additional check W. There are some important applications of the Facetail. For example, we know that block cycle days use the classical Facetail networks. The block cycle skip jack uses the unbalanced Facetail networks. The bare line Facetail uses the alternating Facetail networks. The card 250cx uses the type one, and the RCCX uses the type two, and the mask uses the type three Facetail networks. For the TPC-based Facetail, it can be used to construct double length checkable block cycle with high security. We now briefly reviewed the probability result for this generalized Facetail. For unbalanced alternating type one, type two, type three Facetail, there are serious words that show they can achieve the bursted bound security. Part of it also proves a beyond bursted bound security for unbalanced Facetail. Home and log-away prove that these Facetails can asymptotically achieve the unbalanced security. More concretely, in our result, they prove that these Facetails are CCH keywords up to two to the n times one minus ifsong queries for an ifsong greater than zero. The drawback of the bounds is that it requires a large number of long to achieve asymptotically unbalanced security. On the other hand, for TPC-based Facetail by Coran et al., three rounds are proved to have nb security, but nb security is not the optional security. The input size to the underlying TPC-based Facetail for is n plus w, which is greater than 2n. So with respect to the input size, nb security is only bursted type. Our contribution is improved previously more concretely for the unbalanced alternating type one, type two, type three Facetail. We improve the coupling analysis of home and log-away. We use a more fine-grained analysis to achieve almost the same security bound with the nearly half number of rounds. This table is the summary of improved bounds for generalized Facetail networks. The first card is the khaki skin. The second set are the previous bound and the number and the corresponding number of rounds. The fourth and fifth is our screen bound and the number of rounds. When the perimeter T is reasonable large, our bound is almost the same as log-away, while we only need a half number of rounds. For TPC-based Facetail, we give the first coupling analysis. By using this technique, we prove that this construction can achieve the true nb obscurity with the enough number of rounds. This table is the comparison between current at all bounds and our bounds. Current at all proof that the round can have nb security and our bounds show that with enough number of rounds, this construction can achieve. The more number of rounds, the more security we have. The third part is our improved proof for this generalized Facetail network. In all our proofs, we use the coupling techniques, so let's have a brief review for this technique. The coupling technique can be used to prove the ncpscurity, and now we can leave the ncpscurity to ccscurity by a composition name. In the ncpscurity, in this thing, where cptd is again, in the real world, the adversary needs to choose qmg at the beginning, and then you can query this match to obtain the corresponding outputs. In the idea world, the only difference is that the block cycle is now replaced with a random implementation, and so the outputs are simply simple as random without a specimen from the set. For convenience, we need to use another idea world. In the idea world, we replace the input with q, a value that I need for the sample at the random without a specimen from the set. And we also replace the random permutation with the block cycle, and the eq is the permutation. So in the idea world, the outputs are also needed for the sample at the random without a specimen from the set. So this idea world is exactly the same, the output exactly the same as the previous idea world. And to distinguish the advantages, the adversary can distinguish the idea world from the idea world. We need to define q intermediate again. In the idea world, the first analog inputs are chosen by the adversary, while the remaining q-allows are picked only for the algorithm from the set. So by using hybrid arguments, the NCPH security is obtained by summing over the gap between these q-walls. Here, mu0 is the distribution of the outputs in the idea world. Mu0 is the distribution of outputs in the else world. Muq is the distribution of outputs in the real world. And we need to use the coupling technique to bound the distance between the two neighboring walls. A coupling of mu and nu is the distribution of lambda on the space, such that the marginal distribution of lambda is mu and nu. So we will use the coupling demo to bound the distance between the mu0 and mu0 plus 1. Let mu and nu be two probability distribution on the final event space, and that variable x, y be a coupling of mu and nu. Then the distance between mu and nu is bounded by the probability that the x0 equals to y. The proof of this lemma can be found in previous paper. We now briefly discuss our intuition between the improved security bounds. In Hong Kong log-away's proof, they use every two b1 to guarantee in each coupling trail the probability that the coupling trail is very small. But we discover that every b1 is already enough to achieve these papers. The only thing that we need to do is just analyze the first b1. Since the output of the b1 is already somewhat rated greater than an accretion free, so we can reduce the number of r1 in the usual coupling trail in the coupling energies. But to achieve this, we need to analyze more fine grains in the internal accretion, because to be wrong, it is very easy to analyze the internal accretion. But for the reduced r1, it becomes more complicated. So we need a more fine grain analysis of internal accretion. Here is our lemma. We prove that the conditional probability here can be nicely bounded. Here L is the number of queries this has made to the cycle before the coupling. By using a similar idea, we can improve the security bounds for alternating type 1, type 2, type 3, phase tails. And for the TBC-based phase tails, we need to define two bad events. Here, we only discussed the crucial point in our proof. For the more detail, we refer to our papers. We need to define two bad events. The first one is happened when the output of the eye ticker representation collide with previous output. And also when the output of the eye plus 1 permutation collide with previous output. The first bad event involves the first blood cycle and the second blood cycle. For the second beta event, similarly, the beta event happens when the output of the eye ticker representation collide with previous output in the first cycle. And the output of the eye plus ticker profile collide with previous output in the second cycle. We learn a couple according to four subcases when the none of the beta event happens. There is some intuition. As you can see, both the BI and DI are collision-free. Then the output of the eye plus 1 permutation is the resin stream. And this also holds for the second cycle. So if these two are collision-free, we can assign the B, L plus 1 to the DI plus 1. And for the remaining three cases, we can also discuss because there are some differences, but they are all distributed in the same space. There is a detailed discussion in our paper. At this stage, we need to bound the probability of the beta event. If the beta event does not happen, then we can couple successfully. To bound the beta event, we need to define for sub-event, that is the number of tricks. The number of repeated tricks is no greater than the stretch-hole C. And the intuition is that when the number of repeated tricks is small, then the output for the tick-ball presentation under this trick will be ready. Here is our result. When the number of repeated tricks is small than C, if defined as the stretch-hole C, then we can obtain the probability of the beta event is smaller than this 10. By using exactly the same procedure, we can prove that the second event is also bounded by this 10. For our conclusion, we surely improved the security bound for generalized phase-tails. For unbanned alternating type 1, type 2, and type 3 phase-tails, we improved the coupling analysis of Hong and Workaway. We used a more fine-grained internal collision analysis to achieve the asymptotic optimal bound with nearly half number of bounds. And for a TBC-based phase-tail, we give the first coupling analysis, and we prove that this construction can achieve the two-MBA security with enough number of wrongs. The coupling technique is useful to analyze many wrong phase-tails, but usually the bound obtained by this technique is not very tight, so our future work is to give a tighter analysis for the coupling technique, or maybe if we can do it fine, the coupling technique will be better. And the second future work is to consider a small number of wrongs, since, not unsurprisingly, the coupling technique needs to cause many wrongs to achieve the optimal security. So maybe we can use a lot of methods, such as chi-square method or the popular edge coefficient technique to achieve the same square bound with much smaller number of wrongs. So that's it. And thank you for your listening.