Improved Security Bound of LightMAC_Plus and Its Single-Key Variant

  • Yusuke Naito
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10808)


A number of blockcipher-based Message Authentication Codes (MACs) have been designed to have birthday-bound security. However, birthday-bound security becomes unreliable when the block size is small, when large amounts of data are processed, or when a large number of connections need to be kept secure. Hence, designing a MAC with beyond-birthday-bound security that does not depend on the message length is an important research topic. \(\mathtt{LightMAC\_Plus}\) and \(\mathtt{LightMAC\_Plus2}\), proposed by Naito (ASIACRYPT 2017), are blockcipher-based MACs with such security: they are secure up to roughly \(2^{2n/3}\) and \(2^{rn/(r+1)}\) (tagging or verification) queries, respectively, where \(n\) is the block size of the underlying blockcipher and \(r\) is the parameter of \(\mathtt{LightMAC\_Plus2}\). Both are counter-based MACs: in the hashing phase, the blockcipher is called once for each message block of \(n-m\) bits (\(m\) is the counter size), and in the finalization phase it is called twice and \(r+2\) times, respectively. Regarding key sizes, \(\mathtt{LightMAC\_Plus}\) and \(\mathtt{LightMAC\_Plus2}\) use 3 and \(r+3\) blockcipher keys, respectively. Hence, enhancing the MAC security (i.e., increasing \(r\)) increases the key size and degrades efficiency.

In this paper, we improve the analysis of the MAC security of \(\mathtt{LightMAC\_Plus}\). The improved bound is roughly \(q_t^2q_v/2^{2n}\), where \(q_t\) is the number of tagging queries and \(q_v\) is the number of verification queries (or forgery attempts). Hence, if \(q_v\ll q_t\) (e.g., the number of forgery attempts is restricted by a system) or \(q_t\ll q_v\) (e.g., a sender does not send messages frequently), then \(\mathtt{LightMAC\_Plus}\) becomes a highly secure MAC without increasing the key size or degrading efficiency. For example, consider the case where \(q_v\ll q_t\): if \(q_v\le 2^{n/2}\) then it is a secure MAC up to roughly \(2^{3n/4}\) tagging queries, if \(q_v\le 2^{n/3}\) then it is a secure MAC up to roughly \(2^{5n/6}\) tagging queries, etc. We next present \(\mathtt{LightMAC\_Plus1k}\), a single-key variant of \(\mathtt{LightMAC\_Plus}\). We prove that it achieves the same level of security as \(\mathtt{LightMAC\_Plus}\), i.e., the MAC bound is roughly \(q_t^2q_v/2^{2n}\). (Note that in order to reduce the key size, the domain separation technique is used, by which there is a 4-bit security degradation from \(\mathtt{LightMAC\_Plus}\) to \(\mathtt{LightMAC\_Plus1k}\).)
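The following Go program is an added example and is not code from the paper or its author. It models the structure the abstract describes: a counter-based hashing phase with one blockcipher call per (n-m)-bit block, a finalization phase with two calls under two further keys (three keys in total), and a verification routine whose calls are what the bound counts as q_v. AES-128 as the blockcipher, a 32-bit counter (m = 32, so 96-bit message blocks), a counter starting at 1, 10* padding, and the finalization input S2 = sum of 2^{l-i} C_i computed with the OCB/PMAC doubling polynomial are all assumptions taken from my reading of the ASIACRYPT 2017 design, so treat this as a model to check against the specification rather than a reference implementation. The last function evaluates the improved bound q_t^2 q_v / 2^{2n} from the second paragraph for a chosen verification budget.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/subtle"
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	blockBytes    = 16 // n = 128 bits (AES block size)
	counterBytes  = 4  // m = 32 bits: an assumed counter size
	msgBlockBytes = blockBytes - counterBytes
)

// gfDouble multiplies a 128-bit big-endian value by x in GF(2^128) using the
// reduction polynomial x^128 + x^7 + x^2 + x + 1 (assumed; it is the OCB/PMAC one).
func gfDouble(in [blockBytes]byte) [blockBytes]byte {
	var out [blockBytes]byte
	carry := byte(0)
	for i := blockBytes - 1; i >= 0; i-- {
		out[i] = in[i]<<1 | carry
		carry = in[i] >> 7
	}
	if carry != 0 {
		out[blockBytes-1] ^= 0x87
	}
	return out
}

// pad applies 10* padding so that the message splits into full (n-m)-bit blocks.
func pad(msg []byte) []byte {
	out := append([]byte{}, msg...)
	out = append(out, 0x80)
	for len(out)%msgBlockBytes != 0 {
		out = append(out, 0x00)
	}
	return out
}

// LightMACPlus tags msg under three independent keys k1, k2, k3.
func LightMACPlus(k1, k2, k3, msg []byte) ([blockBytes]byte, error) {
	var s1, s2, tag [blockBytes]byte
	e1, err := aes.NewCipher(k1)
	if err != nil {
		return tag, err
	}
	e2, err := aes.NewCipher(k2)
	if err != nil {
		return tag, err
	}
	e3, err := aes.NewCipher(k3)
	if err != nil {
		return tag, err
	}
	padded := pad(msg)
	nblocks := len(padded) / msgBlockBytes
	if uint64(nblocks) >= 1<<(8*counterBytes) {
		return tag, errors.New("message too long for the counter size")
	}
	var in, c [blockBytes]byte
	for i := 0; i < nblocks; i++ {
		// Hashing phase: one blockcipher call on (counter || message block).
		binary.BigEndian.PutUint32(in[:counterBytes], uint32(i+1))
		copy(in[counterBytes:], padded[i*msgBlockBytes:(i+1)*msgBlockBytes])
		e1.Encrypt(c[:], in[:])
		s2 = gfDouble(s2) // Horner step: s2 = sum of 2^{l-i} C_i
		for j := range c {
			s1[j] ^= c[j]
			s2[j] ^= c[j]
		}
	}
	// Finalization phase: two blockcipher calls under the second and third keys.
	var t1, t2 [blockBytes]byte
	e2.Encrypt(t1[:], s1[:])
	e3.Encrypt(t2[:], s2[:])
	for j := range tag {
		tag[j] = t1[j] ^ t2[j]
	}
	return tag, nil
}

// Verify recomputes the tag and compares in constant time. Each call is one of
// the q_v verification queries counted by the bound.
func Verify(k1, k2, k3, msg, tag []byte) bool {
	t, err := LightMACPlus(k1, k2, k3, msg)
	if err != nil {
		return false
	}
	return subtle.ConstantTimeCompare(t[:], tag) == 1
}

// TaggingQueryExponent returns log2 of the number of tagging queries q_t at
// which q_t^2 q_v / 2^{2n} reaches about 1, given log2 q_v. It reproduces the
// abstract's examples: q_v = 2^{n/2} gives 3n/4 and q_v = 2^{n/3} gives 5n/6.
func TaggingQueryExponent(n, log2qv float64) float64 {
	return n - log2qv/2
}

func main() {
	// Constructed demo keys and message; never reuse fixed keys in practice.
	k1 := bytes.Repeat([]byte{0x01}, 16)
	k2 := bytes.Repeat([]byte{0x02}, 16)
	k3 := bytes.Repeat([]byte{0x03}, 16)
	msg := []byte("constructed sample message for the LightMAC_Plus demo")
	tag, err := LightMACPlus(k1, k2, k3, msg)
	if err != nil {
		panic(err)
	}
	fmt.Printf("tag: %x\n", tag)
	fmt.Println("verify original:", Verify(k1, k2, k3, msg, tag[:]))
	modified := append([]byte{}, msg...)
	modified[0] ^= 1
	fmt.Println("verify modified:", Verify(k1, k2, k3, modified, tag[:]))
	fmt.Printf("n=64, q_v<=2^32: secure up to about 2^%.0f tagging queries\n",
		TaggingQueryExponent(64, 32))
}
```

The bound helper makes the abstract's trade-off concrete for a deployment: with a 64-bit blockcipher and a system that caps forgery attempts at 2^32, the tagging budget is about 2^48 instead of the birthday-bound 2^32, without adding keys.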


Keywords: MAC, Blockcipher, Beyond-birthday-bound security without message length, \(\mathtt{LightMAC\_Plus}\)



The author would like to thank the anonymous referees for their helpful comments and suggestions.


  1. Bellare, M., Guérin, R., Rogaway, P.: XOR MACs: new methods for message authentication using finite pseudorandom functions. In: Coppersmith, D. (ed.) CRYPTO 1995. LNCS, vol. 963, pp. 15–28. Springer, Heidelberg (1995)
  2. Bellare, M., Pietrzak, K., Rogaway, P.: Improved security analyses for CBC MACs. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 527–545. Springer, Heidelberg (2005)
  3. Bernstein, D.J.: How to stretch random functions: the security of protected counter sums. J. Cryptol. 12(3), 185–192 (1999)
  4. Bhargavan, K., Leurent, G.: On the practical (in-)security of 64-bit block ciphers: collision attacks on HTTP over TLS and OpenVPN. In: CCS 2016, pp. 456–467. ACM (2016)
  5. Black, J., Rogaway, P.: A block-cipher mode of operation for parallelizable message authentication. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 384–397. Springer, Heidelberg (2002)
  6. Campbell, C.M.: Design and specification of cryptographic capabilities. In: Computer Security and the Data Encryption Standard, pp. 54–66 (1977)
  7. Cogliati, B., Lee, J., Seurin, Y.: New constructions of MACs from (tweakable) block ciphers. IACR Trans. Symmetric Cryptol. 2017(2), 27–58 (2017)
  8. Dodis, Y., Steinberger, J.: Domain extension for MACs beyond the birthday barrier. In: Paterson, K.G. (ed.) EUROCRYPT 2011. LNCS, vol. 6632, pp. 323–342. Springer, Heidelberg (2011)
  9. Gaži, P., Pietrzak, K., Rybár, M.: The exact security of PMAC. IACR Trans. Symmetric Cryptol. 2016(2), 145–161 (2016)
  10. Iwata, T., Kurosawa, K.: OMAC: one-key CBC MAC. In: Johansson, T. (ed.) FSE 2003. LNCS, vol. 2887, pp. 129–153. Springer, Heidelberg (2003)
  11. Iwata, T., Minematsu, K.: Stronger security variants of GCM-SIV. IACR Trans. Symmetric Cryptol. 2016(1), 134–157 (2016)
  12. Iwata, T., Minematsu, K., Peyrin, T., Seurin, Y.: ZMAC: a fast tweakable block cipher mode for highly secure message authentication. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10403, pp. 34–65. Springer, Cham (2017)
  13. Jaulmes, É., Joux, A., Valette, F.: On the security of randomized CBC-MAC beyond the birthday paradox limit: a new construction. In: Daemen, J., Rijmen, V. (eds.) FSE 2002. LNCS, vol. 2365, pp. 237–251. Springer, Heidelberg (2002)
  14. Jaulmes, É., Lercier, R.: FRMAC, a fast randomized message authentication code. Cryptology ePrint Archive, Report 2004/166 (2004)
  15. JTC1: ISO/IEC 9797-1:1999 Information technology – Security techniques – Message Authentication Codes (MACs) – Part 1: Mechanisms using a block cipher (1999)
  16. Luykx, A., Preneel, B., Szepieniec, A., Yasuda, K.: On the influence of message length in PMAC's security bounds. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9665, pp. 596–621. Springer, Heidelberg (2016)
  17. Luykx, A., Preneel, B., Tischhauser, E., Yasuda, K.: A MAC mode for lightweight block ciphers. In: Peyrin, T. (ed.) FSE 2016. LNCS, vol. 9783, pp. 43–59. Springer, Heidelberg (2016)
  18. Menezes, A.J., van Oorschot, P.C., Vanstone, S.A.: Handbook of Applied Cryptography. CRC Press, Boca Raton (2001)
  19. Minematsu, K.: How to thwart birthday attacks against MACs via small randomness. In: Hong, S., Iwata, T. (eds.) FSE 2010. LNCS, vol. 6147, pp. 230–249. Springer, Heidelberg (2010)
  20. Minematsu, K., Matsushima, T.: New bounds for PMAC, TMAC, and XCBC. In: Biryukov, A. (ed.) FSE 2007. LNCS, vol. 4593, pp. 434–451. Springer, Heidelberg (2007)
  21. Naito, Y.: Blockcipher-based MACs: beyond the birthday bound without message length. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017. LNCS, vol. 10626, pp. 446–470. Springer, Cham (2017)
  22. Nandi, M.: A unified method for improving PRF bounds for a class of blockcipher based MACs. In: Hong, S., Iwata, T. (eds.) FSE 2010. LNCS, vol. 6147, pp. 212–229. Springer, Heidelberg (2010)
  23. NIST: FIPS 81, DES Modes of Operation (1980)
  24. NIST: Recommendation for block cipher modes of operation: the CMAC mode for authentication. SP 800-38B (2005)
  25. Pietrzak, K.: A tight bound for EMAC. In: Bugliesi, M., Preneel, B., Sassone, V., Wegener, I. (eds.) ICALP 2006. LNCS, vol. 4052, pp. 168–179. Springer, Heidelberg (2006)
  26. Rogaway, P.: Efficient instantiations of tweakable blockciphers and refinements to modes OCB and PMAC. In: Lee, P.J. (ed.) ASIACRYPT 2004. LNCS, vol. 3329, pp. 16–31. Springer, Heidelberg (2004)
  27. Yasuda, K.: The sum of CBC MACs is a secure PRF. In: Pieprzyk, J. (ed.) CT-RSA 2010. LNCS, vol. 5985, pp. 366–381. Springer, Heidelberg (2010)
  28. Yasuda, K.: A new variant of PMAC: beyond the birthday bound. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 596–609. Springer, Heidelberg (2011)
  29. Yasuda, K.: PMAC with parity: minimizing the query-length influence. In: Dunkelman, O. (ed.) CT-RSA 2012. LNCS, vol. 7178, pp. 203–214. Springer, Heidelberg (2012)
  30. Zhang, L., Wu, W., Sui, H., Wang, P.: 3kf9: enhancing 3GPP-MAC beyond the birthday bound. In: Wang, X., Sako, K. (eds.) ASIACRYPT 2012. LNCS, vol. 7658, pp. 296–312. Springer, Heidelberg (2012)
  31. Zhang, Y.: Using an error-correction code for fast, beyond-birthday-bound authentication. In: Nyberg, K. (ed.) CT-RSA 2015. LNCS, vol. 9048, pp. 291–307. Springer, Cham (2015)

Copyright information

© Springer International Publishing AG, part of Springer Nature 2018

Authors and Affiliations

  1. Mitsubishi Electric Corporation, Kanagawa, Japan