Hello, this is Byeonghak, and I'm going to talk about "Toward a Fully Secure Authenticated Encryption Scheme from a Pseudorandom Permutation." This is joint work with Wonseok, Yeongmin, and Jooyoung.

Let's start with the introduction. As everyone knows, authenticated encryption is a symmetric algorithm that protects both integrity and confidentiality at once. If Alice wants to send a message with associated data to Bob securely, Alice computes a ciphertext and a tag using authenticated encryption, then sends them to Bob. Bob tries to decrypt the message from the given associated data, ciphertext, and tag. If the given ciphertext and tag pair is valid, Bob gets the correct decryption; otherwise Bob gets the failure symbol ⊥.

Using a nonce is a common way to guarantee the variability of the ciphertext, and we call such schemes nonce-based authenticated encryption, or NAE for short. In NAE, security is guaranteed only if a nonce is never repeated. For example, Galois/Counter Mode, or GCM, leaks its hash key as soon as a single nonce is used twice. However, it might be challenging to keep nonces unique, for example in a stateless device where good-quality randomness is not available. Therefore, there are AE designs achieving nonce-misuse resistance, called misuse-resistant AE, or MRAE. MRAE guarantees security even if a nonce is repeated.

I will introduce two constructions that motivated this work. Nonce-based Enhanced Hash-then-Mask, or nEHtM, is a message authentication code proposed by Dutta, Nandi, and Talnikar in 2019. It provides beyond-birthday-bound security; more precisely, it is secure up to 2^{3n/4} authentication queries. Also, its security gracefully degrades in the nonce-misuse setting. In detail, the security of nEHtM can be represented as a function of the number of queries with repeated nonces.
AES-GCM-SIV is a recently proposed misuse-resistant AE, which is secure up to 2^n queries in the nonce-respecting setting and up to 2^{n/2} queries in the nonce-misuse setting. It can be seen as a variant of GCM-SIV, and the core difference is the use of nonce-based key derivation. AES-GCM-SIV uses a KDF to generate independent keys for each different nonce, and it achieves full security in the ideal cipher model while losing some efficiency to key derivation and key scheduling.

In this research, we tried to construct a block-cipher-based AE which provides full n-bit security. We also wanted nonce-misuse resistance with graceful security degradation. Finally, we targeted rate 1/2 and parallelizability, which are the basic properties needed for efficient computation.

Let's talk about our contribution: the Synthetic Counter with Masking mode, SCM. SCM can be seen as another variant of GCM-SIV, and it follows the SIV structure proposed by Peyrin and Seurin in 2017. To encrypt a given message, SCM first encrypts the nonce and generates three nonce-based masks, Δ, Δ', and Δ''. Then it computes the tag in a similar way to nEHtM, together with Δ''. In the encryption phase, it first computes the synthetic counters from a linear combination of the tag and Δ. At the end, it encrypts the synthetic counters, then adds Δ' to get the keystream.

SCM is the first block-cipher-based, rate-1/2, parallelizable MRAE with n-bit security in terms of query complexity. It also provides graceful security degradation in the nonce-misuse setting.

Now we will talk about the security of SCM. To give a formal security proof, we use a distinguishing game. In this game, the adversary interacts with either the real world or the ideal world. The real world comprises the AE encryption and decryption oracles, while the ideal world comprises a random function and a reject function.
The adversary tries to distinguish the two worlds by making q encryption queries and v decryption queries, with lengths of at most ℓ blocks. Note that σ denotes the total number of query blocks. The distinguishing advantage of the adversary is defined as the probability of correctly determining which world it interacts with, minus one half, which is the probability of winning by simple random guessing.

And this is our main lemma, the expectation method. Informally, the expectation method says that if the probability of a bad transcript in the ideal world is negligible, and the ideal world and the real world have a negligible difference on good transcripts, one cannot distinguish the ideal world from the real world. I will not cover this precisely, but the important point is that we should define a proper set of bad transcripts, then upper bound the two values, ε_bad and ε_ratio.

And here is our result on the security of SCM. Since the resulting theorem is quite complex, let me briefly introduce it. In the result, μ counts the number of faulty nonces in encryption queries. Note that the adversary can freely choose nonces in the decryption queries. If we focus on the nonce-respecting model, or μ = 0 in other words, the advantage can be upper bounded by a term of the form qℓ²/2^{2n}. Also, in the faulty-nonce model, that is, if μ is larger than zero, the security gracefully falls to the birthday bound, as you can see in the graph.

Here is the comparison of SCM with existing AE modes. You can see that SCM outperforms previous block-cipher-based AE modes and is also comparable to tweakable-block-cipher-based or ideal-cipher-based modes. ZAE is the exceptional case since it has rate 2/3, but I want to emphasize that the tweak input in ZAE is random, which degrades the overall efficiency, and also ZAE needs to use a 2n-bit tag, which is twice the common tag length. This is the result of experiments done on the Skylake architecture, which supports PCLMULQDQ, AVX, and AES-NI hardware acceleration.
Also, according to our experiments, SCM is slightly faster than AES-GCM-SIV in both the short-message and long-message cases. This is because key scheduling can be precomputed in SCM. One might be concerned about its large key size, but we can reduce it by using a key derivation function at initialization time.

Now I will introduce the core ideas of the security proof. Since the ciphertext should look random, when constructing a pseudorandom-permutation-based AE we need to construct a pseudorandom function from the pseudorandom permutation, and use it to generate a random string. However, if we use a naive PRP-to-PRF conversion, the security cannot go beyond the birthday bound. Therefore, in this research, we decided to use the XOR of permutations, or XORP for short. As you can see in the figure, XORP encrypts w different inputs and then computes w-1 outputs by XORing them. There are some recent results showing that the outputs of XORP are almost random. Therefore, we can construct a secure PRF with only one additional PRP call using XORP.

Although there have been many studies on XORP, two of the results are the most outstanding. One is Patarin's mirror theory. Mirror theory is a theory to bound the number of solutions to a certain system of equations and non-equations. It provides optimal security when w = 2, and in this research we use a slightly modified version of the mirror theory from the paper by Choi et al. The other is the χ² method, which was proposed by Dai et al. at Crypto 2017. The χ² method is a recent technique to prove the PRF security of XORP-like constructions, and in this paper we use a generalized version of Bhattacharya and Nandi's result.

I will introduce how the security of SCM can be derived from the randomness of XORP. Let us first focus on the mask generation. In the mask generation function, we directly apply the XORP structure, so we can consider Δ, Δ', and Δ'' as truly random strings.
Note that the number of queries to this structure is equal to the number of distinct nonces in the authenticated encryption, and w is equal to 4 at this moment.

The next step is to compute the tag. To ease the proof, we reveal the hash key at the end of the distinguishing game, so all inputs to the block ciphers are known. Let X_i be the input to the block cipher in the i-th query. In nonce-respecting queries, the tags T_i are truly random since the Δ'' are also truly random. However, in faulty-nonce queries, Δ'' is no longer random, since two queries must share the same Δ' if their nonces are the same. Therefore, instead of using the randomness of Δ'', one can compute the difference between the block cipher outputs, which can be seen as an output of the XORP construction. Then, after applying the result on the pseudorandomness of XORP outputs, we can also conclude that all tags are generated randomly in faulty-nonce queries.

The final step is keystream generation. Similar to before, we reveal Δ at the end of the game, so all inputs to the block ciphers are known. Then one can compute the difference between two block cipher outputs that share the same nonce. Therefore, we can use the randomness of XORP outputs for this construction as well. So we can conclude that the keystream variables are all generated at random. Together with the expectation method, we get the theorem, which gives the security bound of SCM.

This is our conclusion. In this research, we proposed SCM, the Synthetic Counter with Masking mode, which is an almost fully secure MRAE. SCM enjoys graceful security degradation in the faulty-nonce model, and it provides full security in the nonce-respecting model in terms of the threshold number of queries. Also, SCM has efficiency comparable to AES-GCM-SIV. Here are the references. This is the end of the slides, and thank you for listening.
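As an added example (not code from the talk or the SCM paper), the following Python script contrasts the naive PRP-to-PRF conversion with the XORP construction the talk relies on. It stands in a seeded random permutation on 16-bit blocks for the block cipher (an assumption chosen so the statistics appear after a few thousand queries): the naive conversion never produces a colliding pair, which is exactly what a birthday-bound distinguisher waits for, while the XORP outputs collide about as often as a truly random function's. The function names and the toy block size are the example's own.

```python
"""XOR of permutations (XORP) versus a naive PRP-to-PRF conversion.

Added example, not code from the talk or the SCM paper. The block cipher is
replaced by a random permutation on 16-bit blocks built with a seeded shuffle
(an assumption for visibility), so the birthday statistics show up offline.
"""
import random
from collections import Counter

N_BITS = 16                # toy block size (assumption); AES would give n = 128
BLOCKS = 1 << N_BITS


def make_random_permutation(seed):
    """A random permutation on n-bit blocks, standing in for the PRP."""
    rng = random.Random(seed)
    table = list(range(BLOCKS))
    rng.shuffle(table)
    return table


def xorp(perm, x, w):
    """XORP[w]: encrypt w domain-separated inputs and return the w-1 XOR outputs.

    Output j (1 <= j < w) is P(j||x) xor P(0||x): the branch index j occupies the
    top bits of the block and x the remaining bits, so the w calls never repeat
    an input (CENC-style XORP).
    """
    sep_bits = max(1, (w - 1).bit_length())
    if not 0 <= x < 1 << (N_BITS - sep_bits):
        raise ValueError("x does not fit beside the branch index")
    base = perm[x]                      # branch 0: top bits are zero
    return [perm[(j << (N_BITS - sep_bits)) | x] ^ base for j in range(1, w)]


def count_collisions(values):
    """Number of colliding pairs; zero for any injective map."""
    return sum(c * (c - 1) // 2 for c in Counter(values).values())


def naive_prp_collisions(perm, q):
    """Use the PRP directly as a PRF over q distinct inputs.

    A permutation never collides, so a distinguisher that waits for a collision
    among about 2^(n/2) outputs separates it from a random function: this is why
    the naive conversion cannot be secure beyond the birthday bound.
    """
    return count_collisions(perm[x] for x in range(q))


def xorp_collisions(perm, q, w=2):
    """Collisions among the first XORP[w] output over q distinct inputs."""
    return count_collisions(xorp(perm, x, w)[0] for x in range(q))


def random_function_collisions(seed, q):
    """Baseline: a truly random n-bit function over q inputs (about q^2 / 2^(n+1) pairs)."""
    rng = random.Random(seed)
    return count_collisions(rng.randrange(BLOCKS) for _ in range(q))


if __name__ == "__main__":
    perm = make_random_permutation(2021)
    q = 2048                            # roughly 2^(n/2) / 4 queries
    print("naive PRP as PRF :", naive_prp_collisions(perm, q), "collisions")
    print("XORP[2]          :", xorp_collisions(perm, q, 2), "collisions")
    print("random function  :", random_function_collisions(7, q), "collisions")
```

Running it prints the three collision counts: zero for the permutation used directly, and a few dozen each for XORP[2] and the random-function baseline. The one structural trace XORP[2] keeps is that its output is never zero, since two distinct permutation inputs cannot map to the same block; that is the kind of deviation the mirror theory and χ² analyses mentioned above bound.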