
1 Introduction

A MAC (Message Authentication Code) is a fundamental symmetric-key primitive that produces a tag to authenticate a message. MACs are often realized by using a blockcipher so that they become secure PRFs (Pseudo-Random Functions) under the standard assumption that the underlying keyed blockciphers are pseudo-random permutations. Hence, in security proofs, the keyed blockciphers are replaced with random permutations. The advantage of PRF-security is commonly measured in terms of the following parameters: \(n\) the block length, q the total number of tagging queries, \(\ell \) the maximum message length (in blocks) of each query and \(\sigma \) the total message length (in blocks) of all queries. Many blockcipher-based MACs are provided with the so-called birthday security. The basic birthday bound looks like \(O(\ell ^2q^2/2^n)\) or \(O(\sigma ^2/2^n)\).

Blockcipher-based MACs are mainly categorized into CBC-type MACs and PMAC-type ones. These MACs are constructed from two functions: a hash function and a finalization function, where the hash function produces a fixed length hash value from an arbitrary length message and the finalization function produces a tag from the hash value. CBC-type MACs [2, 8, 15, 20, 30, 31] use hash functions that iterate a keyed blockcipher. The PRF-security bound becomes the birthday one due to collisions in the chaining values. PMAC-type MACs [9, 33] use hash functions that call a keyed blockcipher in parallel. The following figure shows the structure of PMAC1, where \(E_K\) is a keyed blockcipher (\(K\) is a secret key), \(M_1,M_2,M_3\) and \(M_4\) are \(n\)-bit message blocks and multiplications are performed over the multiplication subgroup of \(GF(2^n)\). For colliding inputs to the keyed blockcipher, the outputs are canceled out before the finalization function. Hence, the collision might trigger a distinguishing attack. By the birthday analysis for the input collision, the PRF-security bound becomes the birthday one.

[Figure: structure of PMAC1]

MACs with Beyond the Birthday Bound Security. The birthday bound security may not be enough for blockciphers with short block sizes such as Triple-DES and lightweight blockciphers, as mentioned in [7]. Hence, designing a MAC with beyond the birthday bound (BBB) security is an important research topic in MAC design. Such MACs contribute not only to blockciphers with short block sizes but also to the longevity of 128-bit blockciphers.

Yasuda proposed a CBC-type MAC, called SUM-ECBC [36], and a PMAC-type one, called \(\mathtt {PMAC}\_\mathtt {Plus}\) [37]. He proved that the PRF-security bounds become \(O(\ell ^3q^3/2^{2n})\). Later, Zhang et al. proposed a CBC-type MAC, called 3kf9 [40] that is more efficient than SUM-ECBC. These hash functions have a double length (\(2n\) bit) internal state and produce a \(2n\)-bit value. These finalization functions have the xor of two keyed blockciphers that generates a tag from a \(2n\)-bit hash value. By the double length internal state, the influences of \(\ell \) and q on the bounds are weakened.

Yasuda designed a PMAC-type MAC, called PMAC with Parity [38], with the aim of weakening the influence of \(\ell \). He proved that the PRF-security bound becomes \(O(q^2/2^n+\ell q\sigma /2^{2n})\). Later, Zhang proposed a PMAC-type MAC with better efficiency, called PMACX [41]. Luykx et al. proposed a PMAC-type MAC, called LightMAC [25]. LightMAC is the counter-based construction that is used in the XOR MAC [1] and the protected counter sum [6]. LightMAC can be seen as a counter-based PMAC in which \((i)_m\Vert M_i\) is input to the i-th keyed blockcipher call, where \((i)_m\) is the \(m\)-bit binary representation of i and \(M_i\) is the i-th message block of \(n-m\) bits. By the presence of counters, the input collision can be avoided, and hence the influence of \(\ell \) can be removed completely. They proved that the PRF-security bound becomes \(O(q^2/2^n)\), namely, LightMAC is a secure PRF up to \(O(2^{n/2})\) tagging queries.

Recently, Iwata and Minematsu proposed MACs with beyond the \(O(2^{n/2})\)-security, called \(\mathsf {F}_t\) [16]. \(\mathsf {F}_t\) is based on \(t\) keyed hash functions \(H_{L_1},\ldots ,H_{L_t}\) and \(t\) keyed blockciphers \(E_{K_1},\ldots ,E_{K_t}\), where \(L_1,\ldots ,L_t\) are hash keys. For a message M, the tag is defined as \(\mathsf {F}_t(M)=\bigoplus _{i=1}^tE_{K_i}(S_i)\) where \(S_i = H_{L_i}(M)\). They proved that the PRF-security bound becomes \(O(q^{t+1} \cdot \epsilon ^t)\) as long as the keyed hash functions are \(\epsilon \)-almost universal. They pointed out that the hash function of LightMAC is an \(O(1/2^n)\)-almost universal hash function, and adopting it as the keyed hash functions, the PRF-security bound becomes \(O(q^{t+1}/2^{tn})\). Namely, it is a secure PRF up to \(O(2^{tn/(t+1)})\) tagging queries.

Why BBB-Security Without Message Length? We explain the importance of achieving BBB-security without message length. Here we consider the following example: the block length \(n=64\), the message length \(2^{15}\) bits (4 Kbytes), and the threshold \(1/2^{20}\) (a key is changed when the security bound equals the threshold). The message length is the case of the HTTPS connection given in [7] and the threshold is given in [25]. We define the counter size as \(m=n/3\) (rounded to the nearest multiple of 8) (in this case, \(n=64\) and \(m=24\)). Putting these parameters into the security bounds of \(\mathtt {PMAC}\_\mathtt {Plus}\) (\(O(\ell ^3q^3/2^{2n})\)), LightMAC (\(O(q^2/2^n)\)), and \(\mathsf {F}_t\) using LightMAC (\(O(q^{t+1}/2^{tn})\)), a key is changed after the numbers of tagging queries given in Table 1 (line “Queries”). Then, we consider the case that 2900 tagging queries of message length 4 Kbytes per second can be made. This example is the case of the HTTPS connection given in [7]. In this case, a key is changed after the times given in Table 1 (line “Times”). Note that the security bound of \(\mathtt {PMAC}\_\mathtt {Plus}\) depends on the message length, so increasing the length decreases the time. As shown in Table 1, \(\mathtt {PMAC}\_\mathtt {Plus}\) and LightMAC require rekeying within a day, whereas \(\mathsf {F}_t\) does not require such frequent rekeying.

Table 1. The numbers of tagging queries after which a key is changed, and the corresponding times.
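The rekeying argument above can be reproduced with a few lines of exact arithmetic. The following Python block is an added example, not part of the paper: it takes each \(O(\cdot )\) bound with the hidden constant set to 1 (an assumption; the paper's Table 1 may use different constants), plugs in \(n=64\), \(m=24\), 4 Kbyte messages, the \(1/2^{20}\) threshold and 2900 queries per second, and solves for the largest query count \(q\) for which the bound stays below the threshold. The message length in blocks is \(\ell = 512\) for \(\mathtt {PMAC}\_\mathtt {Plus}\) (\(n\)-bit blocks) and 820 for the counter-based schemes (\((n-m)\)-bit blocks); the function and variable names are the example's own.

```python
from fractions import Fraction
from math import ceil

# Parameters of the worked example in the text (constructed to match the stated values).
N_BITS = 64                       # block length n
M_BITS = 24                       # counter size m = n/3, rounded to a multiple of 8
MSG_BITS = 2**15                  # one message of 4 Kbytes
THRESHOLD = Fraction(1, 2**20)    # rekey when the security bound reaches this value
QUERIES_PER_SECOND = 2900         # the HTTPS rate used in the text

# Message length ell in blocks: n-bit blocks for PMAC_Plus, (n-m)-bit blocks for the
# counter-based schemes (the counter occupies m bits of each blockcipher input).
ELL_PMAC_PLUS = ceil(MSG_BITS / N_BITS)              # 512
ELL_COUNTER = ceil(MSG_BITS / (N_BITS - M_BITS))     # 820

# The O(.) bounds of the text with the hidden constant taken as 1 (assumption).
def bound_pmac_plus(q, n=N_BITS, ell=ELL_PMAC_PLUS):
    return Fraction(ell**3 * q**3, 2**(2 * n))

def bound_lightmac(q, n=N_BITS):
    return Fraction(q**2, 2**n)

def bound_ft(q, t, n=N_BITS):
    return Fraction(q**(t + 1), 2**(t * n))

def counter_fits(ell=ELL_COUNTER, m=M_BITS):
    """Counter-based schemes need ell <= 2^m - 1 so that no counter value repeats."""
    return ell <= 2**m - 1

def queries_before_rekey(bound, threshold=THRESHOLD):
    """Largest q with bound(q) <= threshold (bound is non-decreasing in q).
    Exact integer binary search, so the answers are exact rather than float estimates."""
    lo, hi = 0, 1
    while bound(hi) <= threshold:
        hi *= 2
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if bound(mid) <= threshold:
            lo = mid
        else:
            hi = mid
    return lo

def seconds_before_rekey(q, rate=QUERIES_PER_SECOND):
    return q / rate

def rekey_table():
    """Queries and seconds until the bound reaches the threshold, per scheme."""
    bounds = {
        "PMAC_Plus": bound_pmac_plus,
        "LightMAC": bound_lightmac,
        "F_2[LightMAC]": lambda q: bound_ft(q, 2),
        "F_3[LightMAC]": lambda q: bound_ft(q, 3),
    }
    table = {}
    for name, b in bounds.items():
        q = queries_before_rekey(b)
        table[name] = (q, seconds_before_rekey(q))
    return table

if __name__ == "__main__":
    for name, (q, secs) in rekey_table().items():
        print(f"{name:14s} queries={q:>15d}  time={secs / 3600:12.1f} h")
```

With these constants LightMAC reaches the threshold after \(2^{22}\) queries (about 24 minutes at 2900 queries per second), \(\mathtt {PMAC}\_\mathtt {Plus}\) after \(2^{27}\) (about 13 hours), while \(\mathsf {F}_2\) lasts \(2^{36}\) queries, which is several months at the same rate; the ordering matches the discussion in the text.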

Question. As mentioned above, achieving BBB-security without message length is important for blockciphers with short block sizes, and \(\mathsf {F}_t\) using LightMAC achieves such security. However, it is inefficient because for each input block \((i)_m\Vert M_i\) it requires \(t\) blockcipher calls. It is roughly \(t\) times slower than LightMAC. Therefore, the main question of this paper is: can we design more efficient MACs than \(\mathsf {F}_t\) while keeping \(O(2^{tn/(t+1)})\)-security?

Our Results. Firstly, we focus on designing a MAC that is more efficient than \(\mathsf {F}_2\) and achieves \(O(2^{2n/3})\)-security. Following the research direction from PMAC to LightMAC, it is natural to consider a counter-based \(\mathtt {PMAC}\_\mathtt {Plus}\). We call the resultant scheme “\(\mathtt {LightMAC\_Plus}\)”. Regarding the efficiency, \(\mathtt {LightMAC\_Plus}\) requires roughly one blockcipher call for each input block \((i)_m\Vert M_i\), while \(\mathsf {F}_2\) requires two blockcipher calls. Hence, \(\mathtt {LightMAC\_Plus}\) is more efficient than \(\mathsf {F}_2\). Regarding the PRF-security, by the presence of counters, the influence of \(\ell \) can be removed. We prove that the PRF-security bound becomes \(O(q^3/2^{2n})\), namely, \(\mathtt {LightMAC\_Plus}\) is a secure PRF up to \(O(2^{2n/3})\) queries.

Next, we focus on designing a MAC that is more efficient than \(\mathsf {F}_t\) and achieves \(O(2^{tn/(t+1)})\)-security, where \(t \ge 3\). Regarding the hash function, we also use that of \(\mathtt {LightMAC\_Plus}\). Hence, this hash function is roughly \(t\) times faster than that of \(\mathsf {F}_t\). In order to ensure the randomness of tags, we use the xor of \(t\) keyed blockciphers. However, there is a gap between the output length of the hash function (\(2n\) bit) and the input length of the xor function (\(tn\) bit). Therefore, we propose a new construction that links a \(2n\)-bit output to a \(tn\)-bit input. We call the resultant scheme “\(\mathtt {LightMAC\_Plus2}\)”, and prove that if \(t\le 7\), then the PRF-security bound becomes \(O(q^{t+1}/2^{tn} + q^2/2^{2n})\), namely, it is a secure PRF up to \(O(2^{tn/(t+1)})\) tagging queries. In the proof of \(\mathtt {LightMAC\_Plus2}\), we generalize the hash function to an \(\epsilon \)-almost universal one, and prove that if \(t\le 7\), then the PRF-security bound is \(O(q^{t+1}/2^{tn} + \epsilon )\). We prove that the counter-based hash function is \(O(q^2/2^{2n})\)-almost universal, which offers the PRF-security bound \(O(q^{t+1}/2^{tn} + q^2/2^{2n})\).

Table 2. Comparison of our MACs and other BBB-secure MACs. Column “# bits/BCs” refers to the number of bits of input message processed per blockcipher call. Column “# BCs in FF” refers to the number of blockcipher calls in a finalization function. \(\mathsf {F}_t\) uses the hash function of LightMAC. \(\mathtt {LightMAC\_Plus2}\) has the condition \(t\le 7\).

Finally, in Table 2, we compare our MACs with BBB-secure MACs \(\mathtt {PMAC}\_\mathtt {Plus}\), LightMAC, and \(\mathsf {F}_t\). These MACs are PMAC-type ones, and thus parallelizable. We note that the PRF-security bound of \(\mathtt {LightMAC\_Plus2}\) is satisfied when \(t\le 7\). Proving the PRF-security with \(t> 7\) is left as an open problem.

Related Works. The PRF-security bounds of CBC-type MACs and PMAC-type MACs were improved to \(O(\ell q^2/2^n)\) [3, 27] and \(O(\sigma q/2^n)\) [29]. Luykx et al. studied the influence of \(\ell \) in the PMAC’s bound [24]. They showed that PMAC with Gray code [9] may not achieve the PRF-security bound of \(O(q^2/2^n)\). Gaži et al. [14] showed that there exists an attack on PMAC with Gray code with the probability of \(\mathrm {\Omega }(\ell q^2/2^n)\), and instead proved that PMAC with 4-wise independent masks achieves the PRF-security bound of \(O(q^2/2^n)\), where the input masks are defined by using 4 random values. Dodis and Steinberger [12] proposed a secure MAC from unpredictable keyed blockciphers with beyond the birthday bound security. Note that the security bound of their MAC includes the message length. Several randomized MACs achieve beyond the birthday bound security [18, 19, 26]. These require a random value for each query, while our MACs are deterministic, namely, no random value is required.

Several compression function-based MACs achieve BBB security e.g., [13, 21, 35, 39]. Naito [28], List and Nandi [22], and Iwata et al. [17] proposed tweakable blockcipher-based MACs with BBB security. These MACs also employ the counter-based \(\mathtt {PMAC}\_\mathtt {Plus}\)-style construction, where a counter is input as tweak. Namely, in the security proofs, the power of a tweakable blockcipher is used (distinct tweaks offer distinct random permutations). On the other hand, our MACs do not change the permutation in the hash function for each message block and the permutations in the finalization function. Peyrin and Seurin proposed a nonce-based and tweakable blockcipher-based MAC with BBB security [32]. Several Wegman-Carter-type MACs with BBB security were proposed e.g., [10, 11, 34]. These MACs use a random value or a nonce, whereas our MACs do not require either of them.

Organization. In Sect. 2, we give notations and the definition of PRF-security. In Sect. 3, we give the description of \(\mathtt {LightMAC\_Plus}\) and the PRF-security bound. In Sect. 4, we give the proof of the PRF-security. In Sect. 5, we give the description of \(\mathtt {LightMAC\_Plus2}\) and the PRF-security bound. In Sect. 6, we give the proof of the PRF-security. Finally, in Sect. 7, we improve the efficiency of the hash function of \(\mathtt {LightMAC\_Plus2}\).

2 Preliminaries

Notation. Let \(\{0,1\}^*\) be the set of all bit strings. For a non-negative integer \(n\), let \(\{0,1\}^n\) be the set of all \(n\)-bit strings, and \(0^n\) the string of \(n\) zero bits. For a positive integer i, \([i]: = \{1,2,\ldots ,i\}\). For non-negative integers \(i,m\) with \(i < 2^m\), \((i)_m\) denotes the \(m\)-bit binary representation of i. For a finite set X, \(x \xleftarrow {\$}X\) means that an element is randomly drawn from X and is assigned to x. For a positive integer \(n\), \(\mathsf {Perm}(n)\) denotes the set of all permutations: \(\{0,1\}^n\rightarrow \{0,1\}^n\) and \(\mathsf {Func}(n)\) denotes the set of all functions: \(\{0,1\}^*\rightarrow \{0,1\}^n\). For sets X and Y, \(X \leftarrow Y\) means that Y is assigned to X. For a bit string x and a set X, |x| and |X| denote the bit length of x and the number of elements in X, respectively. \(X^s\) denotes the s-ary Cartesian power of X for a set X and a positive integer s.

Let \(GF(2^n)\) be the field with \(2^n\) points and \(GF(2^n)^*\) the multiplication subgroup of \(GF(2^n)\), which contains \(2^n-1\) points. We interchangeably think of a point a in \(GF(2^n)\) in any of the following ways: as an \(n\)-bit string \(a_{n-1}\cdots a_1a_0 \in \{0,1\}^n\) and as a formal polynomial \(a_{n-1} \mathtt {x}^{n-1} + \cdots + a_1 \mathtt {x}+ a_0 \in GF(2^n)\). Hence we need to fix an irreducible polynomial \(a(\mathtt {x}) = \mathtt {x}^n+ a_{n-1} \mathtt {x}^{n-1} + \cdots +a_1 \mathtt {x}+ a_0\). This paper uses an irreducible polynomial with the property that the element \(2=\mathtt {x}\) generates the entire multiplication group \(GF(2^n)^*\) of order \(2^n-1\). Examples of irreducible polynomials for \(n= 64\) and \(n=128\) are given in [33]: \(a(\mathtt {x}) = \mathtt {x}^{64}+\mathtt {x}^4+\mathtt {x}^3+\mathtt {x}+1\) and \(a(\mathtt {x}) = \mathtt {x}^{128}+\mathtt {x}^7+\mathtt {x}^2+\mathtt {x}+1\), respectively.
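The two facts used above, multiplication by \(2=\mathtt {x}\) in \(GF(2^n)\) and the claim that 2 generates the whole group \(GF(2^n)^*\), can be checked directly. The Python block below is an added example and not the paper's code: it represents field elements as Python integers (bit i holds the coefficient of \(\mathtt {x}^i\)), reduces by the two polynomials from [33], and tests primitivity of 2 by the standard criterion that \(2^{2^n-1}=1\) while \(2^{(2^n-1)/p}\ne 1\) for every prime \(p\) dividing \(2^n-1\). The prime factorizations of \(2^{64}-1\) and \(2^{128}-1\) are known values supplied by the example, not taken from the page.

```python
from math import prod

# Irreducible polynomials from [33] encoded as integers (bit i <-> x^i):
# n = 64:  x^64 + x^4 + x^3 + x + 1,   n = 128: x^128 + x^7 + x^2 + x + 1.
POLY = {64: (1 << 64) | 0b11011, 128: (1 << 128) | 0b10000111}

# Prime factorizations of the group orders 2^n - 1 (known values, supplied here).
ORDER_FACTORS = {
    64: [3, 5, 17, 257, 641, 65537, 6700417],
    128: [3, 5, 17, 257, 641, 65537, 6700417, 274177, 67280421310721],
}

def gf_double(a, n):
    """a * 2 = a * x in GF(2^n): shift left, reduce when the x^n term appears."""
    a <<= 1
    if a >> n:
        a ^= POLY[n]
    return a

def gf_mul(a, b, n):
    """Carry-less shift-and-add multiplication with reduction after every step."""
    r = 0
    for _ in range(n):
        if b & 1:
            r ^= a
        b >>= 1
        a = gf_double(a, n)
    return r

def gf_pow(a, e, n):
    """Square-and-multiply exponentiation in GF(2^n)."""
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a, n)
        a = gf_mul(a, a, n)
        e >>= 1
    return r

def two_generates_group(n):
    """True iff 2 = x has order exactly 2^n - 1, i.e. generates GF(2^n)^*."""
    order = (1 << n) - 1
    assert prod(ORDER_FACTORS[n]) == order, "factorization table is wrong"
    if gf_pow(2, order, n) != 1:          # fails only if the polynomial is reducible
        return False
    return all(gf_pow(2, order // p, n) != 1 for p in ORDER_FACTORS[n])

def doubling_mask(l, i, n):
    """The coefficient 2^(l-i) that weights C_i in the hash value S_2 of LightMAC_Plus."""
    return gf_pow(2, l - i, n)

if __name__ == "__main__":
    for n in (64, 128):
        print(n, "2 generates GF(2^n)^*:", two_generates_group(n))
```

Because every doubling is reduced immediately, `gf_double` is the same constant-size operation (one shift, one conditional xor) that the hash function of Sect. 3 performs once per message block; `gf_mul` and `gf_pow` are only needed for the primitivity check.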

PRF-Security. We focus on the information-theoretic model, namely, all keyed blockciphers are assumed to be random permutations, where a random permutation is defined as \(P\xleftarrow {\$}\mathsf {Perm}(n)\). Throughout this paper, a distinguisher \(\mathcal {D}\) is a computationally unbounded algorithm. It is given query access to an oracle \(\mathcal {O}\), denoted by \(\mathcal {D}^\mathcal {O}\). Its complexity is solely measured by the number of queries made to its oracles. Let \(F[\mathbf {P}]\) be a function using s permutations \(\mathbf {P}= (P^{(1)},\ldots ,P^{(s)})\).

The PRF-security of \(F[\mathbf {P}]\) is defined in terms of indistinguishability between the real and ideal worlds. In the real world, \(\mathcal {D}\) has query access to \(F[\mathbf {P}]\) for \(\mathbf {P}\xleftarrow {\$}\mathsf {Perm}(n)^s\). In the ideal world, it has query access to a random function \(\mathcal {R}\), where a random function is defined as \(\mathcal {R}\xleftarrow {\$}\mathsf {Func}(n)\). After interacting with an oracle \(\mathcal {O}\), \(\mathcal {D}\) outputs \(y \in \{0,1\}\). This event is denoted by \(\mathcal {D}^\mathcal {O}\Rightarrow y\). The advantage function is defined as

$$\begin{aligned} \mathbf {Adv}^{\mathsf {prf}}_{F[\mathbf {P}]}(\mathcal {D}) = \Pr \left[ \mathbf {P}\xleftarrow {\$}\mathsf {Perm}(n)^s; \mathcal {D}^{F[\mathbf {P}]} \Rightarrow 1 \right] - \Pr \left[ \mathcal {R}\xleftarrow {\$}\mathsf {Func}(n); \mathcal {D}^{\mathcal {R}} \Rightarrow 1 \right] . \end{aligned}$$

Note that the probabilities are taken over \(\mathbf {P}, \mathcal {R}\) and \(\mathcal {D}\).

3 \(\mathtt {LightMAC\_Plus}\)

3.1 Construction

Let \(\{E_K\}_{K\in \mathcal {K}} \subseteq \mathsf {Perm}(n)\) be a family of \(n\)-bit permutations (or a blockcipher) indexed by the key space \(\mathcal {K}\), where \(k > 0\) is the key length. Let \(m\) be the counter size with \(m< n\). Let \(K,K_1,K_2 \in \mathcal {K}\) be three keys for \(E\). For a message M, the response of \(\mathtt {LightMAC\_Plus}[E_K, E_{K_1}, E_{K_2}]\) is defined by Algorithm 1. Figure 1 illustrates the subroutine \(\mathsf {Hash}[E_{K}]\). Here, \(M\Vert 10^*\) means that a 1 bit is first appended to M, and if the bit length of \(M\Vert 1\) is not a multiple of \(n-m\) bits, then the minimum number of zeros is appended to \(M\Vert 1\) so that the bit length becomes a multiple of \(n- m\) bits. Note that \(M\Vert 10^*= M_1\Vert M_2\Vert \cdots \Vert M_l\) and \(\forall i \in [l]: |M_i|=n-m\). By the counter size \(m\) and the padding value \(10^*\), the maximum message length is at most \((2^{m}-1) \times (n-m)-1\) bits.

Fig. 1. \(\mathtt {LightMAC\_Plus}\) where \(P:=E_K\), \(P_1:=E_{K_1}\) and \(P_2:=E_{K_2}\).

[Algorithm 1: \(\mathtt {LightMAC\_Plus}\); listing not reproduced]
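As a concrete reading of Algorithm 1 and Fig. 1, the following Python block is an added example (not the paper's own code) that implements \(\mathtt {LightMAC\_Plus}\) end to end: the \(10^*\) padding into \((n-m)\)-bit blocks, the counter-prefixed inputs \((i)_m\Vert M_i\), the two hash values \(S_1=\bigoplus _i C_i\) and \(S_2=\bigoplus _i 2^{l-i}\cdot C_i\) (accumulated in Horner form, doubling \(S_2\) before each xor), and the finalization \(T=E_{K_1}(S_1)\oplus E_{K_2}(S_2)\). It assumes \(n=64\), \(m=24\) (the counter size used in the introduction's example) and the \(GF(2^{64})\) polynomial of Sect. 2. Since the standard library has no blockcipher, `toy_blockcipher` is a stand-in keyed permutation built as a Feistel network over SHA-256; it is an assumption of the example, not a recommendation, and any real \(n\)-bit blockcipher could be substituted.

```python
import hashlib
import hmac

N = 64                        # block length n in bits
M = 24                        # counter size m (n/3 rounded to a multiple of 8)
B = N - M                     # message block size n - m = 40 bits
POLY64 = (1 << 64) | 0b11011  # x^64 + x^4 + x^3 + x + 1, the polynomial of Sect. 2

def toy_blockcipher(key, x):
    """Stand-in for E_K on 64-bit blocks (assumption of this example, not a real cipher):
    an 8-round Feistel network whose round function is SHA-256 keyed by `key`.
    Feistel rounds are invertible, so this is a permutation on {0,1}^64."""
    left, right = x >> 32, x & 0xFFFFFFFF
    for r in range(8):
        f = hashlib.sha256(key + bytes([r]) + right.to_bytes(4, "big")).digest()
        left, right = right, left ^ int.from_bytes(f[:4], "big")
    return (left << 32) | right

def gf_double(a):
    """Multiplication by 2 = x in GF(2^64)."""
    a <<= 1
    return a ^ POLY64 if a >> N else a

def pad_10star(msg):
    """M || 10*: append a 1 bit, then the fewest 0 bits so the length is a multiple
    of n - m; return the (n - m)-bit blocks M_1, ..., M_l as integers."""
    bits = (int.from_bytes(msg, "big") << 1) | 1
    nbits = len(msg) * 8 + 1
    pad = (-nbits) % B
    bits <<= pad
    nbits += pad
    l = nbits // B
    return [(bits >> (B * (l - 1 - i))) & ((1 << B) - 1) for i in range(l)]

def hash_plus(key, msg):
    """Hash[E_K]: B_i = (i)_m || M_i, C_i = E_K(B_i),
    S_1 = xor_i C_i and S_2 = xor_i 2^(l-i) . C_i (computed in Horner form)."""
    blocks = pad_10star(msg)
    if len(blocks) > (1 << M) - 1:
        raise ValueError("message exceeds 2^m - 1 blocks; a counter would repeat")
    s1 = s2 = 0
    for i, m_i in enumerate(blocks, start=1):
        b_i = (i << B) | m_i              # the n-bit input (i)_m || M_i
        c_i = toy_blockcipher(key, b_i)
        s1 ^= c_i
        s2 = gf_double(s2) ^ c_i          # after l steps equals xor_i 2^(l-i) . C_i
    return s1, s2

def lightmac_plus(k, k1, k2, msg):
    """Tag T = E_{K1}(S_1) xor E_{K2}(S_2) over the 2n-bit hash value (S_1, S_2)."""
    s1, s2 = hash_plus(k, msg)
    t = toy_blockcipher(k1, s1) ^ toy_blockcipher(k2, s2)
    return t.to_bytes(N // 8, "big")

def verify(k, k1, k2, msg, tag):
    """Verifier side: recompute and compare in constant time."""
    return hmac.compare_digest(lightmac_plus(k, k1, k2, msg), tag)

if __name__ == "__main__":
    # Constructed demo keys; a deployment derives three independent keys K, K_1, K_2.
    k, k1, k2 = b"\x01" * 16, b"\x02" * 16, b"\x03" * 16
    msg = b"LightMAC_Plus demo message"
    tag = lightmac_plus(k, k1, k2, msg)
    print(tag.hex(), verify(k, k1, k2, msg, tag), verify(k, k1, k2, msg + b"!", tag))
```

Two details worth noting: the length check in `hash_plus` enforces the \((2^m-1)\) block limit stated above, because a repeated counter would reintroduce exactly the input collisions the construction is designed to avoid; and two one-block messages that differ in \(M_1\) can never share \((S_1,S_2)\), which is the first case of Lemma 1 in Sect. 4 made concrete.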

3.2 Security

We prove the PRF-security of \(\mathtt {LightMAC\_Plus}\) in the information-theoretic model, namely, \(E_{K},E_{K_1}\) and \(E_{K_2}\) are replaced with random permutations \(P,P_1\) and \(P_2\), respectively. The upper-bound of the PRF-security advantage is given below, and the security proof is given in Sect. 4.

Theorem 1

Let \(\mathcal {D}\) be a distinguisher making q tagging queries. Then we have

$$\begin{aligned} \mathbf {Adv}^{\mathsf {prf}}_{\mathtt {LightMAC\_Plus}[P,P_1,P_2]}(\mathcal {D}) \le \frac{2q^2}{2^{2n}} + \frac{4 q^3}{2^{2n}} . \end{aligned}$$

4 Proof of Theorem 1

Let \(F=\mathtt {LightMAC\_Plus}\). In this section, we upper-bound the PRF-advantage

$$\begin{aligned} \mathbf {Adv}^{\mathsf {prf}}_{F[P,P_1,P_2]}(\mathcal {D}) =&\mathrm {Pr}[(P,P_1,P_2) \xleftarrow {\$}\mathsf {Perm}(n)^3; \mathcal {D}^{F[P,P_1,P_2]} \Rightarrow 1] \\&- \mathrm {Pr}[\mathcal {R}\xleftarrow {\$}\mathsf {Func}(n); \mathcal {D}^{\mathcal {R}} \Rightarrow 1] . \end{aligned}$$

Without loss of generality, we assume that \(\mathcal {D}\) is deterministic and makes no repeated query.

In this proof, we use the following notations. For \(\alpha \in [q]\), values defined at the \(\alpha \)-th query are denoted with the superscript \(\alpha \), such as \(B_i^\alpha ,C_i^\alpha ,S_i^\alpha \), etc., and the message length \(l\) at the \(\alpha \)-th query is denoted by \(l_\alpha \). For \(\alpha \in [q]\) and \(j \in [2]\), \(\mathsf {Dom}P_j^\alpha := \bigcup _{\delta =1}^{\alpha } \{S_j^\delta \}\), \(\mathsf {Rng}P_j^{\alpha }:=\bigcup _{\delta =1}^{\alpha } \{T_j^\delta \}\) and \(\overline{\mathsf {Rng}P_j^{\alpha }} := \{0,1\}^n\backslash \mathsf {Rng}P_j^{\alpha }\).

4.1 Proof Strategy

This proof largely depends on the so-called game-playing technique [4, 5]. In this proof, the random permutation \(P\) used in \(\mathsf {Hash}\) is defined before starting the game, whereas the other random permutations \(P_1\) and \(P_2\) are realized by lazy sampling. Before starting the game, for \(i \in [2]\), no response of \(P_i\) is defined, that is, \(\forall S_i \in \{0,1\}^n: P_i(S_i)=\perp \). When \(P_i(S_i^\alpha )\) becomes necessary, if \(P_i(S_i^\alpha )=\perp \) (or \(S_i^\alpha \not \in \mathsf {Dom}P_i^{\alpha -1}\)), then it is defined as \(P_i(S_i^\alpha ) \xleftarrow {\$}\overline{\mathsf {Rng}P^{\alpha -1}_i}\), and otherwise, \(P_i(S_i^\alpha )\) is not updated.

The main game is given in Fig. 2, where there are three sub-cases (see lines 2–4 in Fig. 2) and these procedures are defined in Fig. 3. The analysis of Case C is based on the proofs of the \(\mathrm {sum}^2\) construction by Lucks [23] and SUM-ECBC by Yasuda [36]. We say a set \(\mathsf {Fair}^\alpha \subseteq (\{0,1\}^n)^2\) is fair if for each \(T \in \{0,1\}^n\),

$$\begin{aligned} \left| \{ (T_1,T_2) \in \mathsf {Fair}^\alpha \left| \right. T_1 \oplus T_2 = T \} \right| = \frac{\left| \mathsf {Fair}^\alpha \right| }{2^{n}} . \end{aligned}$$

Let \(L^\alpha = \overline{\mathsf {Rng}P_1^{\alpha -1}} \times \overline{\mathsf {Rng}P_2^{\alpha -1}}\). Lucks pointed out that at the \(\alpha \)-th query, there exists a set \(W \subset L^\alpha \) of size at most \((\alpha -1)^2\) such that \(L^\alpha \backslash W\) is fair. In Case C, the fair set is defined as \(\mathsf {Fair}^\alpha := L^\alpha \backslash W\). Hence, the \(\alpha \)-th output (\(T^\alpha = T_1^\alpha \oplus T_2^\alpha \)) is uniformly random over \(\{0,1\}^n\) as long as \((T_1^\alpha ,T_2^\alpha ) \in \mathsf {Fair}^\alpha \). See Lemma 2 of [23] or [36] for explicit constructions of fair sets.

Fig. 2. Main game.

Fig. 3. Case A, Case B and Case C.

Let \(\textsf {bad}= \mathsf {bad}_\mathsf {A}\vee \mathsf {bad}_\mathsf {B}\vee \mathsf {bad}_\mathsf {C}\). By the fundamental lemma of game-playing [4, 5], we have

$$\begin{aligned} \mathbf {Adv}^{\mathsf {prf}}_{F[P,P_1,P_2]}(\mathcal {D}) \le \mathrm {Pr}[\textsf {bad}] \le \mathrm {Pr}[ \mathsf {bad}_\mathsf {A}] + \mathrm {Pr}[ \mathsf {bad}_\mathsf {B}] + \mathrm {Pr}[\mathsf {bad}_\mathsf {C}] . \end{aligned}$$
(1)

Hereafter, we upper-bound \(\mathrm {Pr}[ \mathsf {bad}_\mathsf {A}]\), \(\mathrm {Pr}[ \mathsf {bad}_\mathsf {B}]\) and \(\mathrm {Pr}[\mathsf {bad}_\mathsf {C}]\).

4.2 Upper-Bound of \(\mathrm {Pr}[ \mathsf {bad}_\mathsf {A}]\)

First we define the following event:

$$\begin{aligned} \mathsf {coll}\Leftrightarrow \exists \alpha , \beta \in [q] \text{ with } \alpha \ne \beta \text{ s.t. } (S_1^\alpha ,S_2^\alpha ) = (S_1^{\beta },S_2^{\beta }). \end{aligned}$$

Then we have

$$\begin{aligned} \mathrm {Pr}[\mathsf {bad}_\mathsf {A}] \le \mathrm {Pr}[\mathsf {coll}] + \mathrm {Pr}[\mathsf {bad}_\mathsf {A}|\lnot \mathsf {coll}] . \end{aligned}$$

By Propositions 1 and 2, we have

$$\begin{aligned} \mathrm {Pr}[\mathsf {bad}_\mathsf {A}] \le \frac{2q^2}{2^{2n}} + \frac{\frac{4}{3} q^3}{2^{2n}} . \end{aligned}$$
(2)

Proposition 1

\(\mathrm {Pr}[\mathsf {coll}] \le \frac{2q^2}{2^{2n}}\).

Proof

Lemma 1 shows the upper-bound of the probability that for two distinct messages \(M^{\alpha } , M^{\beta } \in \{0,1\}^*\), \(\mathsf {Hash}[P](M^{\alpha }) = \mathsf {Hash}[P](M^{\beta })\), which is at most \(4/2^{2n}\). The sum of the upper-bounds over all pairs of messages gives

$$\begin{aligned} \mathrm {Pr}[\mathsf {coll}] \le \left( {\begin{array}{c}q\\ 2\end{array}}\right) \cdot \frac{4}{2^{2n}} \le \frac{2q^2}{2^{2n}} . \end{aligned}$$

   \(\square \)

Lemma 1

For two distinct messages \(M^{\alpha } , M^{\beta } \in \{0,1\}^*\), the probability that \(\mathsf {Hash}[P](M^{\alpha }) = \mathsf {Hash}[P](M^{\beta })\) is at most \(4/2^{2n}\).

Proof

Without loss of generality, we assume that \(l_\alpha \le l_\beta \). \(\mathsf {Hash}[P](M^{\alpha }) = \mathsf {Hash}[P](M^{\beta })\) implies that

$$\begin{aligned}&S_1^\alpha = S_1^{\beta } \text{ and } S_2^\alpha = S_2^{\beta } \Leftrightarrow \nonumber \\&\underbrace{ \bigoplus _{i=1}^{l_\alpha } C^\alpha _i \oplus \bigoplus _{i=1}^{l_\beta } C^\beta _i }_{A_{3,1}} = 0^n \text{ and } \underbrace{ \bigoplus _{i=1}^{l_\alpha } 2^{l_\alpha -i} \cdot C^\alpha _i \oplus \bigoplus _{i=1}^{l_\beta } 2^{l_\beta -i} \cdot C^\beta _i }_{A_{3,2}}= 0^n. \end{aligned}$$
(3)

We consider the following three cases.

  1. \(\Big ( l_\alpha = l_\beta \Big ) \wedge \Big ( \exists a \in [l_\alpha ] \text{ s.t. } B_{a}^\alpha \ne B_{a}^\beta \Big ) \wedge \Big ( \forall i \in [l_\alpha ] \backslash \{a\}: B_{i}^\alpha = B_{i}^\beta \Big )\).

  2. \(\Big ( l_\alpha = l_\beta \Big ) \wedge \Big ( \exists a_1,a_2 \in [l_\alpha ] \text{ with } a_1 \ne a_2 \text{ s.t. } B_{a_1}^\alpha \ne B_{a_1}^\beta \wedge B_{a_2}^\alpha \ne B_{a_2}^\beta \Big )\).

  3. \( \Big (l_\alpha \ne l_\beta \Big )\).

The first case is that there is just one position a where the inputs are distinct, whereas the second case is that there are at least two positions \(a_1,a_2\) where the inputs are distinct. For each case, we upper-bound the probability that (3) is satisfied.

  • Consider the first case: \(\exists a \in [l_\alpha ] \text{ s.t. } B_{a}^\alpha \ne B_{a}^\beta \) and \(\forall i \in [l_\alpha ] \backslash \{a\}: B_{i}^\alpha = B_{i}^\beta \). Since \(P\) is a permutation, \(B_{a}^\alpha \ne B_{a}^\beta \Rightarrow C_a^\alpha \ne C_a^\beta \) and \(B_{i}^\alpha = B_{i}^\beta \Rightarrow C_{i}^\alpha = C_{i}^\beta \), so all terms except the \(a\)-th cancel and \(A_{3,1} \ne 0^n\) and \(A_{3,2} \ne 0^n\). Hence, the probability that (3) is satisfied is 0.

  • Consider the second case: \(\exists a_1,a_2,\ldots ,a_j \in [l_\alpha ]\) with \(j \ge 2\) s.t. \(\forall i \in [j]:B_{a_i}^\alpha \ne B_{a_i}^\beta \). Note that \(B_{a_i}^\alpha \ne B_{a_i}^\beta \Rightarrow C_{a_i}^\alpha \ne C_{a_i}^\beta \). Eliminating the same outputs between \(\{C^\alpha _i: 1 \le i \le l_\alpha \}\) and \(\{C^\beta _i: 1 \le i \le l_\beta \}\), we have

    $$\begin{aligned} A_{3,1} = \bigoplus _{i=1}^{j} \Big ( C^\alpha _{a_i} \oplus C^\beta _{a_i} \Big ) \text{ and } A_{3,2} = \bigoplus _{i=1}^{j} 2^{l_\alpha - a_i} \cdot \Big ( C^\alpha _{a_i} \oplus C^\beta _{a_i} \Big ) . \end{aligned}$$

    Since in \(A_{3,1}\) and \(A_{3,2}\) there are at most \(l_\alpha + l_\beta \) outputs, the numbers of possibilities for \(C^\alpha _{a_1}\) and \(C^\alpha _{a_2}\) are at least \(2^n- (l_\alpha + l_\beta -2)\) and \(2^n- (l_\alpha + l_\beta -1)\), respectively. Fixing other outputs, the equations in (3) provide a unique solution for \(C^\alpha _{a_1}\) and \(C^\alpha _{a_2}\). As a result, the probability that (3) is satisfied is at most \(1/(2^n- (l_\alpha + l_\beta -2))(2^n- (l_\alpha + l_\beta -1))\).

  • Consider the third case. Without loss of generality, assume that \(l_\alpha < l_\beta \). Eliminating the same outputs between \(\{C^\alpha _i: 1 \le i \le l_\alpha \}\) and \(\{C^\beta _i: 1 \le i \le l_\beta \}\), we have

    $$\begin{aligned} A_{3,1} = \bigoplus _{i=1}^{u} C^\alpha _{a_i} \oplus \bigoplus _{i=1}^{v} C^\beta _{b_i} , \end{aligned}$$

    where \(a_1,\ldots ,a_u \in [l_\alpha ]\) and \(b_1,\ldots ,b_v \in [l_\beta ]\). By \(l_\alpha < l_\beta \), \(l_\beta \in \{b_1,\ldots ,b_v\}\) and \(l_\beta \ne 1\). Since in \(A_{3,1}\) and \(A_{3,2}\) there are at most \(l_\alpha + l_\beta \) outputs, the numbers of possibilities for \(C^\beta _{1}\) and \(C^\beta _{l_\beta }\) are at least \(2^n- (l_\alpha + l_\beta -2)\) and \(2^n- (l_\alpha + l_\beta -1)\), respectively. Fixing other outputs, the equations in (3) provide a unique solution for \(C^\beta _{1}\) and \(C^\beta _{l_\beta }\). As a result, the probability that (3) is satisfied is at most \(1/(2^n- (l_\alpha + l_\beta -2))(2^n- (l_\alpha + l_\beta -1))\).

The above upper-bounds give

$$\begin{aligned} \mathrm {Pr}\left[ \mathsf {Hash}[P](M^{\alpha }) = \mathsf {Hash}[P](M^{\beta })\right] \le \frac{1}{(2^n-(l_\alpha + l_\beta ))^2} \le \frac{4}{2^{2n}} , \end{aligned}$$

assuming \(l_\alpha + l_\beta \le 2^{n-1}\).

   \(\square \)

Proposition 2

\(\mathrm {Pr}[\mathsf {bad}_\mathsf {A}|\lnot \mathsf {coll}] \le \frac{\frac{4}{3} q^3}{2^{2n}}\).

Proof

First, fix \(\alpha \in [q]\) and \(\beta ,\gamma \in [\alpha -1]\) with \(\beta \ne \gamma \) (from the condition \(\lnot \mathsf {coll}\)), and upper-bound the probability that \(S_1^\alpha = S_1^{\beta } \wedge S_2^\alpha = S_2^{\gamma }\), which implies

$$\begin{aligned} \underbrace{ \bigoplus _{i=1}^{l_\alpha - 1} C_i^\alpha \oplus \bigoplus _{i=1}^{l_{\beta } - 1} C_i^{\beta } }_{A_{4,1}} = 0^n \text{ and } \underbrace{ \bigoplus _{i=1}^{l_\alpha - 1} 2^{l_\alpha -i} \cdot C_i^\alpha \oplus \bigoplus _{i=1}^{l_{\gamma } - 1} 2^{l_{\gamma }-i} \cdot C_i^{\gamma } }_{A_{4,2}} = 0^{n}. \end{aligned}$$
(4)

Since \(M^{\alpha }, M^{\beta }\) and \(M^{\gamma }\) are distinct, there are at least two distinct outputs \(C^{\alpha ,\beta }\) and \(C^{\alpha ,\gamma }\) where \(C^{\alpha ,\beta }\) appears in \(A_{4,1}\) and \(C^{\alpha ,\gamma }\) appears in \(A_{4,2}\). Fixing other outputs in \(A_{4,1}\) and \(A_{4,2}\), the equations in (4) provide a unique solution for \(C^{\alpha ,\beta }\) and \(C^{\alpha ,\gamma }\). Since there are at most \(l_\alpha +l_{\beta }\) outputs in \(A_{4,1}\), the number of possibilities for \(C^{\alpha ,\beta }\) is at least \(2^n-(l_\alpha +l_{\beta }-1)\). Since there are at most \(l_\alpha +l_{\gamma }\) outputs in \(A_{4,2}\), the number of possibilities for \(C^{\alpha ,\gamma }\) is at least \(2^n-(l_\alpha +l_{\gamma }-1)\). Hence, the probability that (4) is satisfied is at most

$$\begin{aligned} \frac{1}{(2^n-(l_\alpha +l_{\beta }-1))(2^n-(l_\alpha +l_{\gamma }-1))} \le \frac{4}{2^{2n}} , \end{aligned}$$

assuming \(l_\alpha +l_{\beta }-1 \le 2^{n-1}\) and \(l_\alpha +l_{\gamma }-1 \le 2^{n-1}\).

Finally, summing over the indices \(\alpha ,\beta \), and \(\gamma \) gives

$$\begin{aligned} \mathrm {Pr}[\mathsf {bad}_\mathsf {A}|\lnot \mathsf {coll}] \le&\sum _{\alpha =1}^q \left( \sum _{\beta ,\gamma \in [1,\alpha -1] \text{ s.t. } \beta \ne \gamma } \frac{4}{2^{2n}} \right) \le \sum _{\alpha =1}^q \frac{4 (\alpha -1)^2}{2^{2n}} = \sum _{\alpha =1}^{q-1} \frac{4 \alpha ^2}{2^{2n}}\nonumber \\ \le \,&\frac{4}{2^{2n}} \times \frac{q (q - 1)(2q-1)}{6} \le \frac{\frac{4}{3} q^3}{2^{2n}} . \end{aligned}$$

   \(\square \)

4.3 Upper-Bound of \(\mathrm {Pr}[\mathsf {bad}_\mathsf {B}]\)

First, fix \(\alpha \in [q]\) and \(j\in [2]\), and upper-bound the probability that \(\mathcal {D}\) sets \(\mathsf {bad}_\mathsf {B}\) at the \(\alpha \)-th query, namely, \(S^\alpha _{j} \in \mathsf {Dom}P_j^{\alpha -1}\), \(S_{j+1}^\alpha \not \in \mathsf {Dom}P_{j+1}^{\alpha -1}\), and \(T_{j+1}^\alpha \in \mathsf {Rng}P^{\alpha -1}_{j+1}\). Note that if \(j=2\) then \({j+1}\) is regarded as 1.

  • Regarding \(S_{j}^\alpha \in \mathsf {Dom}P_{j}^{\alpha -1}\), fix \(\beta \in [\alpha -1]\) and consider the case that \(S_{j}^\alpha = S_{j}^\beta \). Since \(M^{\alpha } \ne M^{\beta }\), there is an output \(C^{\alpha ,\beta }\) in \(\{C_1^\alpha ,\ldots ,C_{l_\alpha }^\alpha , C_1^\beta , \ldots , C_{l_\beta }^\beta \}\) that is distinct from the other outputs. Fixing the other outputs, \(S^\alpha _{j} = S^\beta _{j}\) provides a unique solution for \(C^{\alpha ,\beta }\). There are at least \(2^n- (l_\alpha +l_\beta -1)\) possibilities for \(C^{\alpha ,\beta }\). Hence, the probability that \(S^\alpha _{j} \in \mathsf {Dom}P_{j}^{\alpha -1}\) is at most \(|\mathsf {Dom}P_{j}^{\alpha -1}| \times 1/(2^n- (l_\alpha +l_\beta -1)) \le 2(\alpha -1)/2^n\), assuming \(l_\alpha + l_\beta - 1 \le 2^{n-1}\).

  • Regarding \(T_{j+1}^\alpha \in \mathsf {Rng}P_{j+1}^{\alpha -1}\), \(T_{j+1}^\alpha \) is randomly drawn from \(\{0,1\}^n\) after \(S_{j}^\alpha \in \mathsf {Dom}P_{j}^{\alpha -1}\) and \(S_{j+1}^\alpha \not \in \mathsf {Dom}P_{j+1}^{\alpha -1}\) are satisfied. In this case, \(T_{j+1}^\alpha \) is defined independently of \(S^\alpha _{j}\) and \(S_{j+1}^\alpha \). Since \(|\mathsf {Rng}P_{j+1}^{\alpha -1}| \le \alpha -1\), the probability that \(T_{j+1}^\alpha \in \mathsf {Rng}P_{j+1}^{\alpha -1}\) is at most \((\alpha -1)/2^n\).

Hence, the probability that \(\mathcal {D}\) sets \(\mathsf {bad}_\mathsf {B}\) at the \(\alpha \)-th query is upper-bounded by the product of the above probabilities, which is \(\frac{2(\alpha -1)^2}{2^{2n}}\).

Finally, summing over the indices \(\alpha \) and j gives

$$\begin{aligned} \mathrm {Pr}[\mathsf {bad}_\mathsf {B}] \le&\sum _{\alpha = 1}^q \sum _{j=1}^2 \frac{2(\alpha -1)^2}{2^{2n}} \le \frac{\frac{4}{3} q^3}{2^{2n}} . \end{aligned}$$
(5)

4.4 Upper-Bound of \(\mathrm {Pr}[\mathsf {bad}_\mathsf {C}]\)

For each \(\alpha \in [q]\), since \(\left| \overline{\mathsf {Rng}P_1^{\alpha -1}} \times \overline{\mathsf {Rng}P_2^{\alpha -1}} \backslash \mathsf {Fair}^\alpha \right| \le (\alpha -1)^2\), the probability that \((T_1^\alpha , T_2^\alpha ) \not \in \mathsf {Fair}^\alpha \) is at most

$$\begin{aligned} \frac{(\alpha -1)^2}{(2^n- (\alpha -1))^2} \le \frac{4(\alpha -1)^2}{2^{2n}} , \end{aligned}$$

assuming \(\alpha -1 \le 2^{n-1}\). Hence, we have

$$\begin{aligned} \mathrm {Pr}[\mathsf {bad}_\mathsf {C}] \le \sum _{\alpha =1}^q \frac{4(\alpha -1)^2}{2^{2n}} = \sum _{\alpha =1}^{q-1} \frac{4\alpha ^2}{2^{2n}} \le \frac{\frac{4}{3}q^3}{2^{2n}} . \end{aligned}$$
(6)

4.5 Conclusion of Proof

Putting (2), (5) and (6) into (1) gives

$$\begin{aligned} \mathbf {Adv}^{\mathsf {prf}}_{F[P,P_1,P_2]}(\mathcal {D}) \le \frac{2q^2}{2^{2n}} + \frac{\frac{4}{3} \cdot q^3}{2^{2n}} + \frac{\frac{4}{3}q^3}{2^{2n}} + \frac{\frac{4}{3}q^3}{2^{2n}} \le \frac{2q^2}{2^{2n}} + \frac{4 q^3}{2^{2n}} . \end{aligned}$$

5 \(\mathtt {LightMAC\_Plus2}\)

5.1 Construction

Let \(\mathcal {K}\), \(\mathcal {K}_H\) and \(\mathsf {Dom}H\) be three non-empty sets. Let \(\{E_K\}_{K\in \mathcal {K}} \subset \mathsf {Perm}(n)\) be a family of \(n\)-bit permutations (or a blockcipher) indexed by key space \(\mathcal {K}\). Let \(\{H_{K_H}\}_{K_H \in \mathcal {K}_H}\) be a family of hash functions: \(\mathsf {Dom}H\rightarrow \{0,1\}^{2n}\) indexed by key space \(\mathcal {K}_H\). Let \(m\) be the counter size with \(m< n\). Let \(K_{0,1},K_{0,2},K_1,\ldots ,K_t\in \mathcal {K}\) be the \(E\)’s keys and \(K_H \in \mathcal {K}_H\) the hash key. For a message M, the response of \(\mathtt {LightMAC\_Plus2}[H_{K_H}, E_{K_{0,1}}, E_{K_{0,2}}, E_{K_1},\ldots , E_{K_t}]\) is defined by Algorithm 2, where \(|S_1|=n\) and \(|S_2|=n\). The finalization function is illustrated in Fig. 4.

[Algorithm 2 (figure c): not reproduced on this page.]

Fig. 4. Finalization function of \(\mathtt {LightMAC\_Plus2}\), where \(P_{0,1} := E_{K_{0,1}},P_{0,2} := E_{K_{0,2}},P_1 := E_{K_1}, \ldots ,P_t:= E_{K_t}\).

5.2 Almost Universal Hash Function

In the security proof, we assume that the hash function \(H\) is an almost universal (AU) hash function. The definition is given below.

Definition 1

Let \(\epsilon >0\). \(H\) is an \(\epsilon \)-AU hash function if for any two distinct messages \(M,M' \in \mathsf {Dom}H\), \(\Pr [K_H \xleftarrow {\$}\mathcal {K}_H; H_{K_H}(M) = H_{K_H}(M')] \le \epsilon \).

5.3 Security

We prove the PRF-security of \(\mathtt {LightMAC\_Plus2}\) in the information-theoretic model, where permutations \(E_{K_{0,1}},E_{K_{0,2}},E_{K_1},\ldots ,E_{K_{t-1}}\) and \(E_{K_t}\) are replaced with random permutations \(P_{0,1},P_{0,2},P_1,\ldots ,P_{t-1}\) and \(P_t\), respectively, and \(H\) is assumed to be an \(\epsilon \)-AU hash function, where a key is drawn as \(K_H \xleftarrow {\$}\mathcal {K}_H\). The upper-bound of the PRF-security advantage is given below, and the security proof is given in Sect. 6.

Theorem 2

Assume that \(t\le 7\). Let \(H\) be an \(\epsilon \)-AU hash function. Let \(\mathcal {D}\) be a distinguisher making q tagging queries. Then we have

Define the hash function as \(H_{K_H}:= \mathsf {Hash}[P]\) (given in Algorithm 1). By Lemma 1, \(\mathsf {Hash}\) is a \(4/2^{2n}\)-AU hash function, where \(\mathcal {K}_H = \mathsf {Perm}(n)\) and \(K_H=P\). Hence, combining Lemma 1 and Theorem 2, the following corollary is obtained.

Corollary 1

Let \(H_{K_H}:= \mathsf {Hash}[P]\). Then we have

6 Proof of Theorem 2

Assume that \(t\le 7\). Let \(F=\mathtt {LightMAC\_Plus2}\) and \(\mathbf {P}= (P_{0,1},P_{0,2},P_1,\ldots ,P_t)\). In this section, we upper-bound the PRF-advantage

$$\begin{aligned} \mathbf {Adv}^{\mathsf {prf}}_{F[H_{K_H},\mathbf {P}]}(\mathcal {D}) =&\mathrm {Pr}[\mathbf {P}\xleftarrow {\$}\mathsf {Perm}(n)^{t+2}; K_H \xleftarrow {\$}\mathcal {K}_H; \mathcal {D}^{F[H_{K_H},\mathbf {P}]} \Rightarrow 1] \\&- \mathrm {Pr}[\mathcal {R}\xleftarrow {\$}\mathsf {Func}(n); \mathcal {D}^{\mathcal {R}} \Rightarrow 1] . \end{aligned}$$

Without loss of generality, we assume that \(\mathcal {D}\) is deterministic and makes no repeated query.

In this proof, we use the following notations. For \(\alpha \in [q]\), values defined at the \(\alpha \)-th query are denoted by using the superscript of \(\alpha \) such as \(B_i^\alpha ,C_i^\alpha ,S_i^\alpha \), etc., and the message length \(l\) at the \(\alpha \)-th query is denoted by \(l_\alpha \). For \(\alpha \in [q]\) and \(j \in [t]\), \(\mathsf {Dom}P_j^\alpha := \bigcup _{\delta =1}^{\alpha } \{X_j^\delta \}\), \(\mathsf {Rng}P_j^{\alpha }:=\bigcup _{\delta =1}^{\alpha } \{Y_j^\delta \}\) and \(\overline{\mathsf {Rng}P_j^{\alpha }} := \{0,1\}^n\backslash \mathsf {Rng}P_j^{\alpha }\).

Fig. 5. Main Game.

Fig. 6. Case A, Case B and Case C.

6.1 Proof Strategy

This proof uses the same strategy as in the proof of Theorem 1 (given in Subsect. 4.1). In this proof, random permutations \(P_{0,1}\) and \(P_{0,2}\) are defined before starting the game, whereas other random permutations are realized by lazy sampling. The main game is given in Fig. 5, where there are three sub-cases defined by inputs to random permutations \(X_1^\alpha ,\ldots ,X_t^\alpha \) (See lines 4–6 in Fig. 5). The sub-cases are given in Fig. 6. Note that for \(i \in [t]\), “\(X^\alpha _i\) is new” means that \(X^\alpha _i \not \in \mathsf {Dom}P_i^{\alpha -1}\), and “\(X^\alpha _i\) is not new” means that \(X^\alpha _i \in \mathsf {Dom}P_i^{\alpha -1}\).

As is the case with the proof of Theorem 1, Case C uses a fair set for the xor of s random permutations with \(s \ge 2\). For s random permutations \(P_{a_1},\ldots ,P_{a_s}\) at the \(\alpha \)-th query, we say a set \(\mathsf {Fair}^\alpha \subseteq (\{0,1\}^n)^s\) is fair if for each \(T \in \{0,1\}^n\),

$$\begin{aligned} \left| \left\{ (Y_{a_1},Y_{a_2},\ldots ,Y_{a_s}) \in \mathsf {Fair}^\alpha \left| \bigoplus _{i \in [s]} Y_{a_i} = T \right\} \right. \right| = \frac{\left| \mathsf {Fair}^\alpha \right| }{2^n}. \end{aligned}$$

Let \(L^\alpha := \overline{\mathsf {Rng}P_{a_1}^{\alpha -1}} \times \overline{\mathsf {Rng}P_{a_2}^{\alpha -1}} \times \cdots \times \overline{\mathsf {Rng}P_{a_s}^{\alpha -1}}\). Lucks [23] pointed out that when s is even, there exists a set \(W \subset L^\alpha \) of size at most \((\alpha -1)^s\) such that \(L^\alpha \backslash W\) is fair, and when s is odd, there exists a set \(W' \subset (\{0,1\}^n)^s\) of size at most \((\alpha -1)^s\) with \(W' \cap L^\alpha =\emptyset \) such that \(W' \cup L^\alpha \) is fair. See Lemma 2 of [23] or [36] for explicit constructions of fair sets. In Case C, the fair set is defined as \(\mathsf {Fair}^\alpha := L^\alpha \backslash W\) when s is even; \(\mathsf {Fair}^\alpha := L^\alpha \cup W'\) when s is odd.

Let \(\textsf {bad}= \mathsf {bad}_\mathsf {A}\vee \mathsf {bad}_\mathsf {B}\vee \mathsf {bad}_\mathsf {C}\). Then by the fundamental lemma of game-playing [4, 5], we have

$$\begin{aligned} \mathbf {Adv}^{\mathsf {prf}}_{F[\mathbf {P}]}(\mathcal {D}) \le \mathrm {Pr}[\textsf {bad}] \le \mathrm {Pr}[ \mathsf {bad}_\mathsf {A}] + \mathrm {Pr}[ \mathsf {bad}_\mathsf {B}] + \mathrm {Pr}[\mathsf {bad}_\mathsf {C}] . \end{aligned}$$
(7)

Hereafter, we upper-bound \(\mathrm {Pr}[ \mathsf {bad}_\mathsf {A}]\), \(\mathrm {Pr}[ \mathsf {bad}_\mathsf {B}]\) and \(\mathrm {Pr}[\mathsf {bad}_\mathsf {C}]\).

6.2 Upper-Bound of \(\mathrm {Pr}[\mathsf {bad}_\mathsf {A}]\)

First we define the following event:

$$\begin{aligned} \mathsf {coll}\Leftrightarrow \exists \alpha , \beta \in [q] \text{ with } \alpha \ne \beta \text{ s.t. } (S_1^\alpha ,S_2^\alpha ) = (S_1^{\beta },S_2^{\beta }). \end{aligned}$$

Then we have

$$\begin{aligned} \mathrm {Pr}[\mathsf {bad}_\mathsf {A}] \le \mathrm {Pr}[\mathsf {coll}] + \mathrm {Pr}[\mathsf {bad}_\mathsf {A}|\lnot \mathsf {coll}] . \end{aligned}$$

Regarding \(\mathrm {Pr}[\mathsf {coll}]\), since \(H\) is an \(\epsilon \)-AU hash function, the sum of \(\epsilon \) for all combinations of message pairs gives

$$\begin{aligned} \mathrm {Pr}[\mathsf {coll}] \le \left( {\begin{array}{c}q\\ 2\end{array}}\right) \cdot \epsilon \le 0.5 q^2 \epsilon . \end{aligned}$$

Regarding \(\mathrm {Pr}[\mathsf {bad}_\mathsf {A}|\lnot \mathsf {coll}]\), for \(\alpha \in [q]\), Lemma 2 gives the upper-bound of the probability that all of \(X_1^\alpha ,\ldots ,X_t^\alpha \) are not new, which is \(\left( \frac{\alpha -1}{2^n-q}\right) ^t\). Then, we run the index \(\alpha \) to get

$$\begin{aligned} \mathrm {Pr}[\mathsf {bad}_\mathsf {A}|\lnot \mathsf {coll}] \le \sum _{\alpha =1}^{q} \left( \frac{\alpha -1}{2^n-q} \right) ^t= \sum _{\alpha =1}^{q-1} \left( \frac{\alpha }{2^n-q} \right) ^t. \end{aligned}$$

Finally we have

$$\begin{aligned} \mathrm {Pr}[\mathsf {bad}_\mathsf {A}] \le 0.5 q^2 \epsilon + \sum _{\alpha =1}^{q-1} \left( \frac{\alpha }{2^n-q} \right) ^t. \end{aligned}$$
(8)

Lemma 2

Assume that \(\mathsf {coll}\) does not occur. Fix \(\alpha \in [q]\), \(s \le t\) and \(a_1,a_2,\ldots ,a_s \in [t]\) such that \(a_1,a_2,\ldots ,a_s\) are distinct. Then the probability that \(\forall i \in [s]\): \(X_{a_i}^\alpha \) is not new, that is, \(\exists \beta _{i} \in [\alpha -1]\) s.t. \(X_{a_i}^\alpha = X_{a_i}^{\beta _{i}}\) is at most \(\left( \frac{\alpha -1}{2^n-q}\right) ^s\).

Proof

First, fix \(\beta _1,\ldots ,\beta _s \in [\alpha -1]\), and upper-bound the probability that

$$\begin{aligned} \underbrace{\forall i \in [s]: X_{a_i}^\alpha \oplus X_{a_i}^{\beta _i}}_{A_9} =0^n. \end{aligned}$$
(9)

By Lemma 3, we have only to consider the case where \(\beta _1,\ldots ,\beta _{s}\) are distinct. Thus if \(\alpha \le s\), then this probability is 0. In the following, we consider the case: \(\alpha > s\). Note that \(A_9\) is defined as

$$\begin{aligned} X_{a_i}^\alpha \oplus X_{a_i}^{\beta _i} =&\left( R_1^\alpha \oplus 2^{a_i-1} \cdot R_2^\alpha \right) \oplus \left( R_1^{\beta _i} \oplus 2^{a_i-1} \cdot R_2^{\beta _i} \right) \\ =&\left( R_1^\alpha \oplus R_1^{\beta _i} \right) \oplus 2^{a_i-1} \cdot \left( R_2^\alpha \oplus R_2^{\beta _i} \right) , \end{aligned}$$

where \(R_1^\alpha = P_{0,1}(S_1^\alpha )\), \(R_2^\alpha = P_{0,2}(S_2^\alpha )\), \(R_1^{\beta _i} = P_{0,1}(S_1^{\beta _i})\) and \(R_2^{\beta _i} = P_{0,2}(S_2^{\beta _i})\). Then, the number of independent random variables in \(\{R_1^{\alpha },R_1^{\beta _1}, \ldots , R_1^{\beta _s}, R_2^{\alpha },R_2^{\beta _1}\), \(\ldots , R_2^{\beta _s}\}\) that appear in \(A_9\) is counted. Note that \(\{R_1^{\alpha },R_1^{\beta _1}, \ldots , R_1^{\beta _s}\}\) are independently defined from \(\{R_2^{\alpha },R_2^{\beta _1}, \ldots , R_2^{\beta _s}\}\).

First, the number of independent random variables in \(\{R_1^{\beta _1},\ldots ,R_1^{\beta _s}\}\) and \(\{R_2^{\beta _1},\ldots ,R_2^{\beta _s}\}\) is counted. By \(\lnot \mathsf {coll}\), for all \(i,j \in [s]\) with \(i \ne j\), \((S_1^{\beta _i},S_2^{\beta _i}) \ne (S_1^{\beta _j},S_2^{\beta _j})\), that is, \((R_1^{\beta _i},R_2^{\beta _i}) \ne (R_1^{\beta _j},R_2^{\beta _j})\). Note that if there are \(z_1\) (resp., \(z_2\)) independent random variables in \(\{R_1^{\beta _1},\ldots ,R_1^{\beta _s}\}\) (resp., \(\{R_2^{\beta _1},\ldots ,R_2^{\beta _s}\}\)), then the number of distinct pairs for \((R_1,R_2)\) is \(z_1 \cdot z_2\) and the number of distinct random variables is \(z_1+z_2\). If (\(z_1 \le 2 \wedge z_2 \le 2\)) or (\(z_1 = 1 \wedge z_2 \le 4\)), then \(z_1 \cdot z_2 \le z_1 + z_2\), and if \(z_1 = 2\) and \(z_2 = 3\), then \(z_1 + z_2 = 5 < z_1 \cdot z_2 = 6\). Since \(s \le z_1 \cdot z_2\), the sum of the numbers of independent random variables in \(\{R_1^{\beta _1},\ldots ,R_1^{\beta _s}\}\) and in \(\{R_2^{\beta _1},\ldots ,R_2^{\beta _s}\}\) is at least \(\min \{5,s\}\).

By Lemma 4, we have only to consider the case that \(\forall i \in [s]: R_1^\alpha \ne R_1^{\beta _i}\) and \(R_2^\alpha \ne R_2^{\beta _i}\), so \(R_1^\alpha \) and \(R_2^\alpha \) contribute two further independent random variables. Hence, the number of independent random variables in \(A_9\) is at least \(\min \{5,s\} + 2\). By \(s \le t\le 7\), we have \(s \le \min \{5,s\} + 2\), so there are at least s independent random variables in \(A_9\).

Fixing the other outputs in \(A_9\) except for the s outputs, the equations in (9) provide a unique solution for the s outputs. The number of possibilities for each of the s outputs is at least \(2^n-s\). Hence, the probability that (9) is satisfied is at most \((1/(2^n-s))^s\).

Finally, the probability that \(\forall i \in [s]: \exists \beta _i \in [\alpha -1]\) s.t. \(X_{a_i}^\alpha = X_{a_i}^{\beta _i}\) is at most

$$\begin{aligned} (\alpha -1)^s \cdot \left( \frac{1}{2^n-s} \right) ^s \le \left( \frac{\alpha -1}{2^n-q} \right) ^s . \end{aligned}$$

   \(\square \)

Lemma 3

Assume that \(\mathsf {coll}\) does not occur. For \(\alpha , \beta \in [q]\) with \(\alpha \ne \beta \), if there exists \(j \in [t]\) such that \(X^\alpha _j = X^\beta _j\), then for all \(i \in [t] \backslash \{j\}\), \(X_i^\alpha \ne X_i^\beta \).

Proof

Assume that \(X^\alpha _j = X^\beta _j\), which implies

$$\begin{aligned} X^\alpha _j = X^\beta _j \Leftrightarrow R_1^\alpha \oplus R_1^{\beta } = 2^{j-1} \cdot \left( R_2^\alpha \oplus R_2^{\beta } \right) . \end{aligned}$$

By \(\lnot \mathsf {coll}\), \(R_1^\alpha \oplus R_1^\beta \ne 0^n\) and \(R_2^\alpha \oplus R_2^\beta \ne 0^n\). Then, for any \(i \in [t] \backslash \{j\}\)

$$\begin{aligned} X^\alpha _i \oplus X^\beta _i =&\left( R^\alpha _1 \oplus R^\beta _1 \right) \oplus 2^{i-1} \cdot \left( R_2^\alpha \oplus R_2^{\beta } \right) \\ =&\left( 2^{j-1} \oplus 2^{i-1} \right) \cdot \left( R_2^\alpha \oplus R_2^{\beta } \right) \ne 0^n, \end{aligned}$$

namely, \(X^\alpha _i \ne X^\beta _i\).

   \(\square \)

Lemma 4

For \(\alpha ,\beta \in [q]\) with \(\alpha \ne \beta \), if \((R^\alpha _1 \ne R^\beta _1 \wedge R^\alpha _2 = R^\beta _2)\) or \((R^\alpha _1 = R^\beta _1 \wedge R^\alpha _2 \ne R^\beta _2)\), then for all \(i \in [t]\), \(X_i^\alpha \ne X_i^\beta \).

Proof

Let \(\alpha ,\beta \in [q]\) with \(\alpha \ne \beta \). If \(R^\alpha _1 \ne R^\beta _1 \wedge R^\alpha _2 = R^\beta _2\), then for any \(i \in [t]\),

$$\begin{aligned} X_i^\alpha \oplus X_i^\beta = \left( R_1^\alpha \oplus 2^{i-1} \cdot R_2^\alpha \right) \oplus \left( R_1^\beta \oplus 2^{i-1} \cdot R_2^\beta \right) = R_1^\alpha \oplus R_1^\beta \ne 0^n. \end{aligned}$$

If \(R^\alpha _1 = R^\beta _1 \wedge R^\alpha _2 \ne R^\beta _2\), then for any \(i \in [t]\),

$$\begin{aligned} X_i^\alpha \oplus X_i^\beta = \left( R_1^\alpha \oplus 2^{i-1} \cdot R_2^\alpha \right) \oplus \left( R_1^\beta \oplus 2^{i-1} \cdot R_2^\beta \right) = 2^{i-1} \cdot \left( R_2^\alpha \oplus R_2^\beta \right) \ne 0^n. \end{aligned}$$

   \(\square \)

6.3 Upper-Bound of \(\mathrm {Pr}[\mathsf {bad}_\mathsf {B}]\)

First, fix \(\alpha \in [q]\) and \(a \in [t]\), and upper-bound the probability that

$$\begin{aligned}&X^\alpha _{a} \text{ is } \text{ new },~\underbrace{\forall i \in [t] \backslash \{a\}: X^\alpha _i \text{ is } \text{ not } \text{ new }}_{A_{10,2}}, \text{ and } \underbrace{Y^\alpha _a \in \mathsf {Rng}P^{\alpha -1}_a}_{A_{10,3}}. \end{aligned}$$
(10)

Regarding \(A_{10,2}\), by Lemma 2, the probability that \(A_{10,2}\) is satisfied is at most \(\left( \frac{\alpha -1}{2^n-q} \right) ^{t-1}\). Regarding \(A_{10,3}\), since \(Y^\alpha _a\) is randomly drawn and \(|\mathsf {Rng}P^{\alpha -1}_a| \le \alpha -1\), the probability that \(A_{10,3}\) is satisfied is at most \(\frac{\alpha -1}{2^n}\). Hence the probability that (10) is satisfied is at most

$$\begin{aligned} \left( \frac{\alpha -1}{2^n-q} \right) ^{t-1} \cdot \frac{\alpha -1}{2^n} \le \left( \frac{\alpha -1}{2^n-q} \right) ^{t} . \end{aligned}$$

Finally, we run the indices \(\alpha \) and a to get

$$\begin{aligned} \mathrm {Pr}[\mathsf {bad}_\mathsf {B}] \le \sum _{\alpha = 1}^q \sum _{a=1}^t\left( \frac{\alpha -1}{2^n-q} \right) ^{t} \le \sum _{\alpha = 1}^{q-1} t\cdot \left( \frac{\alpha }{2^n-q} \right) ^{t} . \end{aligned}$$
(11)

6.4 Upper-Bound of \(\mathrm {Pr}[\mathsf {bad}_\mathsf {C}]\)

First, fix \(\alpha \in [q]\), \(s \in \{2,\ldots ,t\}\) and \(a_1,\ldots ,a_s \in [t]\) such that \(a_1,\ldots ,a_s\) are distinct, and consider the case that

$$\begin{aligned}&X_{a_1}^\alpha ,\ldots , X_{a_{s-1}}^\alpha \text{ and } X_{a_s}^\alpha \text{ are } \text{ new },~ \underbrace{ \forall i \in [t] \backslash \{a_1,\ldots ,a_s\}: X^\alpha _i \text{ is } \text{ not } \text{ new } }_{A_{12,2}}, \text{ and } \nonumber \\&\underbrace{ (Y_{a_1}^\alpha ,\ldots , Y_{a_{s-1}}^\alpha , Y_{a_s}^\alpha ) \not \in \mathsf {Fair}^\alpha \text{ if } s \text{ is } \text{ even } ; (Y_{a_1}^\alpha ,\ldots , Y_{a_{s-1}}^\alpha , Y_{a_s}^\alpha ) \not \in L^\alpha \text{ if } s \text{ is } \text{ odd } }_{A_{12,3}}. \end{aligned}$$
(12)

Regarding \(A_{12,2}\), by Lemma 2, the probability that \(A_{12,2}\) is satisfied is at most \(\left( \frac{\alpha -1}{2^n- q } \right) ^{t-s}\). Regarding \(A_{12,3}\), if s is even, then since \(\left| L^\alpha \backslash \mathsf {Fair}^\alpha \right| \le (\alpha -1)^s\), the probability that \(A_{12,3}\) is satisfied is at most \(\left( \frac{\alpha -1}{2^n- q } \right) ^s\); if s is odd, then since \(\left| \mathsf {Fair}^\alpha \backslash L^\alpha \right| \le (\alpha -1)^s\), the probability that \(A_{12,3}\) is satisfied is at most \(\left( \frac{\alpha -1}{2^n- q } \right) ^s\). Hence, the probability that the conditions in (12) are satisfied is at most

$$\begin{aligned} \left( \frac{\alpha -1}{2^n-q} \right) ^{t-s} \cdot \left( \frac{\alpha -1}{2^n- q } \right) ^s = \left( \frac{\alpha -1}{ 2^n- q} \right) ^t. \end{aligned}$$

Finally, we run the indices \(\alpha \) and s to get

$$\begin{aligned} \mathrm {Pr}[\mathsf {bad}_\mathsf {C}] \le&\sum _{\alpha = 1}^q \sum _{s = 2}^{t} \left( \left( {\begin{array}{c}t\\ s\end{array}}\right) \cdot \left( \frac{\alpha -1}{ 2^n- q} \right) ^t\right) = \sum _{s = 2}^{t} \left( {\begin{array}{c}t\\ s\end{array}}\right) \cdot \left( \sum _{\alpha = 1}^{q-1} \left( \frac{\alpha }{2^{n}-q} \right) ^t\right) . \end{aligned}$$
(13)

6.5 Conclusion of Proof

Putting (8), (11) and (13) into (7) gives

$$\begin{aligned}&\mathbf {Adv}^{\mathsf {prf}}_{F[H_{K_H},\mathbf {P}]}(\mathcal {D}) \\&\le 0.5 q^2 \epsilon + \sum _{\alpha =1}^{q-1} \left( \frac{\alpha }{2^n-q} \right) ^t+ t\cdot \sum _{\alpha = 1}^{q-1} \left( \frac{\alpha }{2^n-q} \right) ^{t} + \sum _{s = 2}^{t} \left( {\begin{array}{c}t\\ s\end{array}}\right) \left( \sum _{\alpha = 1}^{q-1} \left( \frac{\alpha }{2^{n}-q} \right) ^t\right) \\&\le 0.5 q^2 \epsilon + \sum _{s = 0}^{t} \left( {\begin{array}{c}t\\ s\end{array}}\right) \cdot \left( \sum _{\alpha = 1}^{q-1} \left( \frac{\alpha }{2^{n}-q} \right) ^t\right) = 0.5 q^2 \epsilon + 2^t\cdot \left( \sum _{\alpha = 1}^{q-1} \left( \frac{\alpha }{2^{n}-q} \right) ^t\right) \\&= 0.5 q^2 \epsilon + \sum _{\alpha = 1}^{q-1} \left( \frac{2 \alpha }{2^{n}-q} \right) ^t\le 0.5 q^2 \epsilon + \frac{2^tq^{t+1}}{(2^{n}-q)^t} , \end{aligned}$$

where the last term uses the fact that \(\sum _{\alpha =1}^x \alpha ^t\le x^{t+1}\) for \(x \ge 1\) and \(t\ge 1\).

Fig. 7. \(\mathsf {Hash}^*\).

7 Improving the Efficiency of \(\mathsf {Hash}\)

In this section, we consider a hash function \(\mathsf {Hash}^*\) with better efficiency than \(\mathsf {Hash}\). \(\mathsf {Hash}^*\) is defined in Algorithm 3 and is illustrated in Fig. 7. Here, \(M\Vert 10^*\) means that a single 1 bit is first appended to M; if \(|M\Vert 1| \le n\), then the minimum number of zeros is appended to \(M\Vert 1\) so that its length becomes \(n\) bits; if \(|M\Vert 1| > n\), then the minimum number of zeros is appended to \(M\Vert 1\) so that the total length minus \(n\) becomes a multiple of \(n- m\).

[Algorithm 3 (figure d): not reproduced on this page.]

The difference between \(\mathsf {Hash}\) and \(\mathsf {Hash}^*\) is that in \(\mathsf {Hash}\) the last block message \(M_l\) is input to \(E_K\), while in \(\mathsf {Hash}^*\) it is not input. Therefore, replacing \(\mathsf {Hash}\) with \(\mathsf {Hash}^*\), the efficiency of \(\mathtt {LightMAC\_Plus2}\) is improved.
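The finalization function of Sect. 5.1 (Fig. 4), the bound of Sect. 6.5 and the \(\mathsf {Hash}^*\) of this section, as an added worked example in Python. This code is not part of the paper and not the authors' implementation; Algorithms 2 and 3 are not reproduced on this page, so the following are assumptions of the example: the LightMAC-style block format \(B_i = (i)_m \Vert M_i\) for the \(n-m\)-bit blocks \(M_1,\ldots ,M_{l-1}\), the parameters \(n=128\) and \(m=8\), and the reduction polynomial \(x^{128}+x^7+x^2+x+1\) for the doublings in \(GF(2^n)\). The random permutations are realised by lazy sampling exactly as in the proof model of Sect. 6.1 (a seeded generator stands in for the uniform draws), and `prf_bound` evaluates \(0.5 q^2 \epsilon + 2^t q^{t+1}/(2^n-q)^t\) exactly with \(\epsilon = 4/2^{2n}\) from Lemma 5.

```python
from fractions import Fraction
import random

N = 128          # block size n in bits (assumed parameter)
M_CTR = 8        # counter size m < n (assumed parameter): M_1..M_{l-1} are n-m = 120 bits
R_POLY = 0x87    # x^128 + x^7 + x^2 + x + 1, reduction polynomial assumed for GF(2^128)
MASK = (1 << N) - 1


def gf_double(x):
    """Multiply x by the field element 2 (the polynomial x) in GF(2^n)."""
    x <<= 1
    if x >> N:
        x = (x & MASK) ^ R_POLY
    return x


def gf_mul_pow2(x, k):
    """Compute 2^k * x in GF(2^n) by k successive doublings."""
    for _ in range(k):
        x = gf_double(x)
    return x


class LazyRandomPermutation:
    """n-bit random permutation by lazy sampling (Sect. 6.1): a new input X gets a
    uniformly random output outside the current range Rng P; old inputs are replayed."""

    def __init__(self, rng):
        self.rng = rng
        self.table = {}    # Dom P -> Rng P
        self.used = set()  # Rng P

    def __call__(self, x):
        if x not in self.table:
            y = self.rng.getrandbits(N)
            while y in self.used:          # resample until the output is fresh
                y = self.rng.getrandbits(N)
            self.table[x] = y
            self.used.add(y)
        return self.table[x]


def pad_blocks(msg):
    """Apply the M || 10* padding of Sect. 7 and split the result into
    l-1 blocks of n-m bits followed by one n-bit block M_l."""
    bits = ''.join(f'{b:08b}' for b in msg) + '1'
    if len(bits) <= N:
        bits += '0' * (N - len(bits))
    else:
        rem = (len(bits) - N) % (N - M_CTR)
        if rem:
            bits += '0' * (N - M_CTR - rem)
    body, last = bits[:-N], bits[-N:]
    step = N - M_CTR
    blocks = [int(body[i:i + step], 2) for i in range(0, len(body), step)]
    blocks.append(int(last, 2))
    if len(blocks) - 1 >= 1 << M_CTR:
        raise ValueError("message too long for an m-bit counter")
    return blocks


def hash_star(P, msg):
    """Hash*[P]: S_1 = XOR C_i xor M_l, S_2 = XOR 2^{l-i} C_i xor M_l with C_i = P(B_i);
    the last block M_l is not encrypted. B_i = (i)_m || M_i is the assumed block format."""
    blocks = pad_blocks(msg)
    l = len(blocks)
    s1 = s2 = 0
    for i in range(1, l):
        b_i = (i << (N - M_CTR)) | blocks[i - 1]
        c_i = P(b_i)
        s1 ^= c_i
        s2 ^= gf_mul_pow2(c_i, l - i)
    s1 ^= blocks[-1]
    s2 ^= blocks[-1]
    return s1, s2


def lightmac_plus2(P_hash, P01, P02, Ps, msg):
    """Finalization of Fig. 4: R_1 = P_{0,1}(S_1), R_2 = P_{0,2}(S_2),
    X_i = R_1 xor 2^{i-1} R_2, and the tag is XOR_i P_i(X_i) over the t permutations Ps."""
    s1, s2 = hash_star(P_hash, msg)
    r1, r2 = P01(s1), P02(s2)
    tag = 0
    for i, P_i in enumerate(Ps, start=1):
        tag ^= P_i(r1 ^ gf_mul_pow2(r2, i - 1))
    return tag


def au_bound(n):
    """epsilon = 4 / 2^{2n}, the AU bound of Hash* from Lemma 5."""
    return Fraction(4, 2 ** (2 * n))


def prf_bound(q, n, t, eps):
    """0.5 q^2 eps + 2^t q^{t+1} / (2^n - q)^t, the final bound of Sect. 6.5, exactly."""
    return Fraction(q * q, 2) * eps + Fraction(2 ** t * q ** (t + 1), (2 ** n - q) ** t)


def demo(t=3, seed=1):
    """Tag three constructed messages under freshly sampled permutations (t <= 7)."""
    rng = random.Random(seed)  # constructed, seeded only so the demo is reproducible
    P = LazyRandomPermutation(rng)
    P01, P02 = LazyRandomPermutation(rng), LazyRandomPermutation(rng)
    Ps = [LazyRandomPermutation(rng) for _ in range(t)]
    return {m: lightmac_plus2(P, P01, P02, Ps, m) for m in (b"", b"abc", b"A" * 40)}
```

Evaluating `prf_bound(2**64, 128, 3, au_bound(128))` gives an advantage of roughly \(2^{-125}\) after \(q = 2^{64}\) queries, which is the beyond-birthday behaviour the bound promises; the birthday term \(0.5 q^2 \epsilon \) contributes only about \(2^{-127}\) because \(\epsilon \) itself is of order \(2^{-2n}\).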

In Lemma 5, the collision probability of \(\mathsf {Hash}^*\) is given, where \(E_K\) is replaced with a random permutation \(P\). Combining Theorem 2 and Lemma 5 offers the following corollary.

Corollary 2

Assume that \(t\le 7\). Then we have

Lemma 5

Let \(P\xleftarrow {\$}\mathsf {Perm}(n)\) be a random permutation. For distinct two messages \(M^{\alpha }, M^{\beta } \in \{0,1\}^*\), the probability that \(\mathsf {Hash}^*[P](M^{\alpha }) = \mathsf {Hash}^*[P](M^{\beta })\) is at most \(4/2^{2n}\).

Proof

In this proof, values defined from \(M^\alpha \) (resp., \(M^\beta \)) are denoted by using the superscript \(\alpha \) (resp., \(\beta \)), and the length \(l\) of \(M^\alpha \) (resp., \(M^\beta \)) is denoted by \(l_\alpha \) (resp., \(l_\beta \)). Without loss of generality, we assume that \(l_\alpha \le l_\beta \). \(\mathsf {Hash}^*[P](M^{\alpha }) = \mathsf {Hash}^*[P](M^{\beta })\) implies that

$$\begin{aligned}&S_1^\alpha = S_1^{\beta } \text{ and } S_2^\alpha = S_2^{\beta } \Leftrightarrow \nonumber \\&\underbrace{ \bigoplus _{i=1}^{l_\alpha -1} C^\alpha _i \oplus \bigoplus _{i=1}^{l_\beta -1} C^\beta _i }_{A_{14,1}} = Z^{\alpha ,\beta } \text{ and } \underbrace{ \bigoplus _{i=1}^{l_\alpha -1} 2^{l_\alpha -i} \cdot C^\alpha _i \oplus \bigoplus _{i=1}^{l_\beta -1} 2^{l_\beta -i} \cdot C^\beta _i }_{A_{14,2}} = Z^{\alpha ,\beta } \end{aligned}$$
(14)

where \(Z^{\alpha ,\beta } = M_{l_\alpha }^{\alpha } \oplus M_{l_\beta }^{\beta }\). We consider the following six cases.

  1. \(\Big ( l_\alpha = l_\beta = 1 \Big )\)

  2. \(\Big ( l_\alpha = l_\beta \ne 1\Big )\wedge \Big ( \forall a \in [l_\alpha -1]: B_{a}^\alpha = B_{a}^\beta \Big ) \wedge \Big ( M^\alpha _{l_\alpha } \ne M^\beta _{l_\beta } \Big )\)

  3. \(\Big (l_\alpha = l_\beta \ne 1 \Big ) \wedge \Big (\exists a \in [l_\alpha -1] \text { s.t. } B_{a}^\alpha \ne B_{a}^\beta \Big ) \wedge \Big (\forall i \in [l_\alpha -1] \backslash \{a\}: B_{i}^\alpha = B_{i}^\beta \Big )\)

  4. \(\Big (l_\alpha = l_\beta \ne 1 \Big ) \wedge \Big (\exists a_1, a_2 \in [l_\alpha -1] \text { s.t. } B_{a_1}^\alpha \ne B_{a_1}^\beta \wedge B_{a_2}^\alpha \ne B_{a_2}^\beta \Big )\)

  5. \(\Big (l_\alpha \ne l_\beta \Big ) \wedge \Big (l_\beta = 2 \Big )\)

  6. \(\Big (l_\alpha \ne l_\beta \Big ) \wedge \Big (l_\beta \ge 3 \Big )\)

Note that by \(l_\alpha \le l_\beta \), when \(l_\alpha \ne l_\beta \), \(l_\beta \ne 1\), thereby we do not have to consider the case of \(\Big (l_\alpha \ne l_\beta \Big ) \wedge \Big (l_\beta = 1 \Big )\). The third case is that there is just one position a where the inputs are distinct, whereas the fourth case is that there are at least two positions \(a_1, a_2\) where the inputs are distinct. For each case we evaluate the probability that the equalities in (14) hold.

  • Consider the first and second cases. In these cases, \(A_{14,1} = A_{14,2}= 0^n\) and \(Z^{\alpha ,\beta } \ne 0^n\). Hence (14) is not satisfied.

  • Consider the third case. In this case, \(A_{14,1} = (C_a^\alpha \,\oplus \,C_a^\beta ) \ne 2^{l_\alpha - a} \cdot (C_a^\alpha \,\oplus \,C_a^\beta ) = A_{14,2}\). Hence (14) is not satisfied.

  • Consider the fourth case. First we eliminate the same outputs between \(\{C^\alpha _i, 1 \le i \le l_\alpha -1\}\) and \(\{C^\beta _i, 1 \le i \le l_\beta -1\}\) from \(A_{14,1}\) and \(A_{14,2}\), and then we have

    $$\begin{aligned} A_{14,1} = \bigoplus _{i=1}^{j} \Big (C^\alpha _{a_i} \oplus C^\beta _{a_i} \Big ) \text { and } A_{14,2} = \bigoplus _{i=1}^{j} 2^{l_\alpha - a_i} \cdot \Big (C^\alpha _{a_i} \oplus C^\beta _{a_i} \Big ) , \end{aligned}$$

    where \(a_1,\ldots ,a_j \in [l_\alpha -1]\) with \(j \ge 2\). Since in \(A_{14,1}\) and \(A_{14,2}\) there are at most \(l_\alpha + l_\beta -2\) outputs, the numbers of possibilities for \(C^\alpha _{a_1}\) and \(C^\alpha _{a_2}\) are at least \(2^n- (l_\alpha + l_\beta -3)\) and \(2^n- (l_\alpha + l_\beta -4)\), respectively. Fixing other outputs, the equations in (14) provide a unique solution for \(C^\alpha _{a_1}\) and \(C^\alpha _{a_2}\). Thus, the probability that (14) is satisfied is at most \(1/(2^n- (l_\alpha + l_\beta -2))(2^n- (l_\alpha + l_\beta -3))\).

  • Consider the fifth case. In this case, \(l_\alpha = 1\) and \(A_{14,1} = C_1^\beta \ne 2 \cdot C_1^\beta = A_{14,2}\). Hence (14) is not satisfied.

  • Consider the sixth case. We eliminate the same outputs between \(\{C^\alpha _i : 1 \le i \le l_\alpha -1\}\) and \(\{C^\beta _i : 1 \le i \le l_\beta -1\}\) from \(A_{14,1}\). By \(l_\alpha < l_\beta \), \(C^\beta _{l_\beta }\) remains in \(A_{14,1}\). Since in \(A_{14,1}\) and \(A_{14,2}\) there are at most \(l_\alpha + l_\beta -2\) outputs, the numbers of possibilities for \(C^\beta _{l_\beta }\) and \(C^\beta _{1}\) are at least \(2^n- (l_\alpha + l_\beta -3)\) and \(2^n- (l_\alpha + l_\beta -4)\), respectively. Fixing other outputs, the equations in (14) provide a unique solution for \(C^\beta _{l_\beta }\) and \(C^\beta _{1}\). As a result, the probability of (14) is at most \(1/(2^n- (l_\alpha + l_\beta -3))(2^n- (l_\alpha + l_\beta -4))\).

Thus, we have

$$\begin{aligned} \mathrm {Pr}\left[ \mathsf {Hash}^*[P](M^{\alpha }) = \mathsf {Hash}^*[P](M^{\beta })\right] \le \frac{1}{(2^n- (l_\alpha + l_\beta ))^2} \le \frac{4}{2^{2n}} , \end{aligned}$$

assuming \(l_\alpha + l_\beta \le 2^{n-1}\).

   \(\square \)