Improved Security Bound of LightMAC_Plus and Its Single-Key Variant

Abstract

A number of blockcipher-based Message Authentication Codes (MACs) have been designed to have birthday-bound security. However, birthday-bound security becomes unreliable, when a block size is small, when large amounts of data are processed, or when a large number of connections need to be kept secure. Hence designing a MAC that has beyond-birthday-bound security without message length is an important research topic. \(\mathtt {LightMAC\_Plus}\) and \(\mathtt {LightMAC\_Plus2}\) proposed by Naito (ASIACRYPT 2017) are blockcipher-based MACs with such security: security up to roughly \(2^{2n/3}\) and \(2^{rn/(r+1)}\) (tagging or verification) queries, respectively, where \(n\) is the block size of the underlying blockcipher and \(r\) is the parameter of \(\mathtt {LightMAC\_Plus2}\). \(\mathtt {LightMAC\_Plus}\) and \(\mathtt {LightMAC\_Plus2}\) are counter-based MACs: in the hashing phases, for each message block of \(n-m\) bits (\(m\) is the counter size), a blockcipher is called once, and then in the finalization phases, it is called twice and \(r+2\) times, respectively. Regarding the key sizes, \(\mathtt {LightMAC\_Plus}\) and \(\mathtt {LightMAC\_Plus2}\) have 3 and \(r+3\) blockcipher keys, respectively. Hence, enhancing the MAC-security (i.e., increasing \(r\)), the key size is increased and the efficiency is degraded.

In this paper, we improve the analysis of the MAC-security of \(\mathtt {LightMAC\_Plus}\). The improved bound is roughly \(q_t^2q_v/2^{2n}\), where \(q_t\) is the number of tagging queries and \(q_v\) is the number of verification queries (or forgery attempts). Hence, if \(q_v\ll q_t\) (e.g., the number of forgery attempts is restricted by a system) or \(q_t\ll q_v\) (e.g., a sender does not send a message frequently), then \(\mathtt {LightMAC\_Plus}\) becomes a highly secure MAC without the increase of the key size or the efficiency degradation. For example, consider the case where \(q_v\ll q_t\): if \(q_v\le 2^{n/2}\) then it is a secure MAC up to roughly \(2^{3n/4}\) tagging queries, if \(q_v\le 2^{n/3}\) then it is a secure MAC up to roughly \(2^{5n/6}\) tagging queries, etc. We next present \(\mathtt {LightMAC\_Plus1k}\), a single key variant of \(\mathtt {LightMAC\_Plus}\). We prove that it achieves the same level of security as \(\mathtt {LightMAC\_Plus}\), i.e., the MAC-bound is roughly \(q_t^2q_v/2^{2n}\). (Note that in order to reduce the key size, the domain separation technique is used, by which there is a 4-bit security degradation from \(\mathtt {LightMAC\_Plus}\) to \(\mathtt {LightMAC\_Plus1k}\).)

Appendices

A Proof of Lemma 1

Let \(M^\alpha ,M^\beta \in \mathcal {M}\) be two distinct messages. In the following proof, the length in blocks of \(M^\alpha \) resp. \(M^\beta \) is denoted by \(l_\alpha \) resp. \(l_\beta \). Values corresponding with \(M^\alpha \) resp. \(M^\beta \) are denoted by the superscript symbol of \(\alpha \) resp. \(\beta \). Without loss of generality, assume that \(l_\alpha \le l_\beta \). \(\mathtt {LHash\_Plus}[P](M^{\alpha }) = \mathtt {LHash\_Plus}[P](M^{\beta })\) implies that

$$\begin{aligned}&S_1^\alpha = S_1^{\beta } \text{ and } S_2^\alpha = S_2^{\beta } \Leftrightarrow \nonumber \\&\underbrace{ \bigoplus _{i=1}^{l_\alpha } C^\alpha _i \oplus \bigoplus _{i=1}^{l_\beta } C^\beta _i }_{A_{9,1}} = 0^n \text{ and } \underbrace{ \bigoplus _{i=1}^{l_\alpha } 2^{l_\alpha -i} \cdot C^\alpha _i \oplus \bigoplus _{i=1}^{l_\beta } 2^{l_\beta -i} \cdot C^\beta _i }_{A_{9,2}} = 0^n. \end{aligned}$$

(9)

We consider the following three cases.

1. 1.

   \(\Big ( l_\alpha = l_\beta \Big ) \wedge \Big ( \exists a \in [l_\alpha ] \text{ s.t. } B_{a}^\alpha \ne B_{a}^\beta \Big ) \wedge \Big ( \forall i \in [l_\alpha ] \backslash \{a\}: B_{i}^\alpha = B_{i}^\beta \Big )\).

2. 2.

   \(\Big ( l_\alpha = l_\beta \Big ) \wedge \Big ( \exists a_1,a_2 \in [l_\alpha ] \text{ s.t. } B_{a_1}^\alpha \ne B_{a_1}^\beta \wedge B_{a_2}^\alpha \ne B_{a_2}^\beta \Big )\)

3. 3.

   \(\Big (l_\alpha \ne l_\beta \Big )\)

The first case is that there is just one position a where the inputs are distinct. The second case is that there are at least two positions \(a_1,a_2\) where the inputs are distinct. For each case, we upper-bound the probability that (9) is satisfied.

• The first case is considered: \(\exists a \in [l_\alpha ] \text{ s.t. } B_{a}^\alpha \ne B_{a}^\beta \) and \(\forall i \in [l_\alpha ] \backslash \{a\}: B_{i}^\alpha = B_{i}^\beta \). Since \(B_{a}^\alpha \ne B_{a}^\beta \Rightarrow C_a^\alpha \ne C_a^\beta \) and \(B_{i}^\alpha = B_{i}^\beta \Rightarrow C_{i}^\alpha = C_{i}^\beta \), \(A_{9,1} \ne 0^n\) and \(A_{9,2} \ne 0^n\). Hence, the probability that (9) is satisfied is 0.

• The second case is considered: \(\exists a_1,a_2,\ldots ,a_j \in [l_\alpha ]\) with \(j \ge 2\) s.t. \(\forall i \in [j]:B_{a_i}^\alpha \ne B_{a_i}^\beta \). Note that \(B_{a_i}^\alpha \ne B_{a_i}^\beta \Rightarrow C_{a_i}^\alpha \ne C_{a_i}^\beta \). Eliminating the same outputs between \(\{C^\alpha _i: 1 \le i \le l_\alpha \}\) and \(\{C^\beta _i: 1 \le i \le l_\beta \}\), we have

  $$\begin{aligned} A_{9,1} = \bigoplus _{i=1}^{j} \Big ( C^\alpha _{a_i} \oplus C^\beta _{a_i} \Big ) \text{ and } A_{9,2} = \bigoplus _{i=1}^{j} 2^{l_\alpha - a_i} \cdot \Big ( C^\alpha _{a_i} \oplus C^\beta _{a_i} \Big ) . \end{aligned}$$

  Since in \(A_{9,1}\) and \(A_{9,2}\) there are at most \(l_\alpha + l_\beta \) outputs, the numbers of possibilities for \(C^\alpha _{a_1}\) and \(C^\alpha _{a_2}\) are at least \(2^n- (l_\alpha + l_\beta -2)\) and \(2^n- (l_\alpha + l_\beta -1)\), respectively. Fixing other outputs, the equations in (9) provide a unique solution for \(C^\alpha _{a_1}\) and \(C^\alpha _{a_2}\). As a result, the probability that (9) is satisfied is at most \(1/(2^n- (l_\alpha + l_\beta -2))(2^n- (l_\alpha + l_\beta -1))\).

• The third case is considered. Without loss of generality, assume that \(l_\alpha < l_\beta \). Eliminating the same outputs between \(\{C^\alpha _i: 1 \le i \le l_\alpha \}\) and \(\{C^\beta _i: 1 \le i \le l_\beta \}\), we have

  $$\begin{aligned} A_{9,1} = \bigoplus _{i=1}^{u} C^\alpha _{a_i} \oplus \bigoplus _{i=1}^{v} C^\beta _{b_i} , \end{aligned}$$

  where \(a_1,\ldots ,a_u \in [l_\alpha ]\) and \(b_1,\ldots ,b_v \in [l_\beta ]\). By \(l_\alpha < l_\beta \), \(l_\beta \in \{b_1,\ldots ,b_v\}\) and \(l_\beta \ne 1\). Note that \(C^\beta _{l_\beta }\) remains in \(A_{9,1}\). Since in \(A_{9,1}\) and \(A_{9,2}\) there are at most \(l_\alpha + l_\beta \) outputs, the numbers of possibilities for \(C^\beta _{1}\) and \(C^\beta _{l_\beta }\) are at least \(2^n- (l_\alpha + l_\beta -2)\) and \(2^n- (l_\alpha + l_\beta -1)\), respectively. Fixing other outputs, the equations in (9) provide a unique solution for \(C^\beta _{1}\) and \(C^\beta _{l_\beta }\). As a result, the probability that (9) is satisfied is at most \(1/(2^n- (l_\alpha + l_\beta -2))(2^n- (l_\alpha + l_\beta -1))\).

The above upper-bounds give

$$\begin{aligned} \mathrm {Pr}\left[ \mathtt {LHash\_Plus}[P](M^{\alpha }) = \mathtt {LHash\_Plus}[P](M^{\beta })\right]&\le \frac{1}{(2^n-(l_\alpha + l_\beta ))^2} \\&\le \frac{1}{(2^n-2\ell )^2} . \end{aligned}$$

B Proof of Lemma 2

Let \(M^\alpha ,M^\beta , M^\gamma \in \mathcal {M}\) be three distinct messages. In the following proof, for \(\delta \in \{\alpha ,\beta ,\gamma \}\), the length in blocks of \(M^\delta \) is denoted by \(l_\delta \), and values corresponding with \(M^\delta \) are denoted by the superscript symbol of \(\delta \). Note that \(S_1^\alpha = S_1^{\beta } \wedge S_2^\alpha = S_2^{\gamma }\), which implies

$$\begin{aligned} \underbrace{ \bigoplus _{i=1}^{l_\alpha } C_i^\alpha \oplus \bigoplus _{i=1}^{l_{\beta }} C_i^{\beta } }_{A_{10,1}} = 0^n \text{ and } \underbrace{ \bigoplus _{i=1}^{l_\alpha } 2^{l_\alpha -i} \cdot C_i^\alpha \oplus \bigoplus _{i=1}^{l_{\gamma } } 2^{l_{\gamma }-i} \cdot C_i^{\gamma } }_{A_{10,2}} = 0^{n}. \end{aligned}$$

(10)

Since \(M^{\alpha }, M^{\beta }\) and \(M^{\gamma }\) are distinct, there are at least two distinct outputs \(C^{\alpha ,\beta }\) and \(C^{\alpha ,\gamma }\) where \(C^{\alpha ,\beta }\) appears in \(A_{10,1}\) and \(C^{\alpha ,\gamma }\) appears in \(A_{10,2}\). Fixing other outputs in \(A_{10,1}\) and \(A_{10,2}\), the equations in (10) provide a unique solution for \(C^{\alpha ,\beta }\) and \(C^{\alpha ,\gamma }\). Since there are at most \(l_\alpha +l_{\beta }\) outputs in \(A_{10,1}\), the number of possibilities for \(C^{\alpha ,\beta }\) is at least \(2^n-(l_\alpha +l_{\beta }-1)\). Since there are at most \(l_\alpha +l_{\gamma }\) outputs in \(A_{10,2}\), the number of possibilities for \(C^{\alpha ,\gamma }\) is at least \(2^n-(l_\alpha +l_{\gamma }-1)\). Hence, the probability that (10) is satisfied is at most

$$\begin{aligned} \frac{1}{(2^n-(l_\alpha +l_{\beta }-1))(2^n-(l_\alpha +l_{\gamma }-1))} \le \frac{1}{(2^n-2\ell )^2}. \end{aligned}$$