Abstract
A number of blockcipher-based Message Authentication Codes (MACs) have been designed to have birthday-bound security. However, birthday-bound security becomes unreliable when the block size is small, when large amounts of data are processed, or when a large number of connections need to be kept secure. Hence designing a MAC that has beyond-birthday-bound security whose bound does not depend on the message length is an important research topic. \(\mathtt {LightMAC\_Plus}\) and \(\mathtt {LightMAC\_Plus2}\) proposed by Naito (ASIACRYPT 2017) are blockcipher-based MACs with such security: security up to roughly \(2^{2n/3}\) and \(2^{rn/(r+1)}\) (tagging or verification) queries, respectively, where \(n\) is the block size of the underlying blockcipher and \(r\) is the parameter of \(\mathtt {LightMAC\_Plus2}\). \(\mathtt {LightMAC\_Plus}\) and \(\mathtt {LightMAC\_Plus2}\) are counter-based MACs: in the hashing phases, for each message block of \(n-m\) bits (\(m\) is the counter size), the blockcipher is called once, and then in the finalization phases, it is called twice and \(r+2\) times, respectively. Regarding the key sizes, \(\mathtt {LightMAC\_Plus}\) and \(\mathtt {LightMAC\_Plus2}\) have 3 and \(r+3\) blockcipher keys, respectively. Hence, enhancing the MAC security (i.e., increasing \(r\)) increases the key size and degrades the efficiency.
In this paper, we improve the analysis of the MAC security of \(\mathtt {LightMAC\_Plus}\). The improved bound is roughly \(q_t^2q_v/2^{2n}\), where \(q_t\) is the number of tagging queries and \(q_v\) is the number of verification queries (or forgery attempts). Hence, if \(q_v\ll q_t\) (e.g., the number of forgery attempts is restricted by a system) or \(q_t\ll q_v\) (e.g., a sender does not send messages frequently), then \(\mathtt {LightMAC\_Plus}\) becomes a highly secure MAC without increasing the key size or degrading the efficiency. For example, consider the case where \(q_v\ll q_t\): if \(q_v\le 2^{n/2}\) then it is a secure MAC up to roughly \(2^{3n/4}\) tagging queries, if \(q_v\le 2^{n/3}\) then it is a secure MAC up to roughly \(2^{5n/6}\) tagging queries, etc. We next present \(\mathtt {LightMAC\_Plus1k}\), a single-key variant of \(\mathtt {LightMAC\_Plus}\). We prove that it achieves the same level of security as \(\mathtt {LightMAC\_Plus}\), i.e., the MAC bound is roughly \(q_t^2q_v/2^{2n}\). (Note that in order to reduce the key size, the domain separation technique is used, by which there is a 4-bit security degradation from \(\mathtt {LightMAC\_Plus}\) to \(\mathtt {LightMAC\_Plus1k}\).)
Notes
1. For a message M, the tag is defined by \(\mathrm {LightMAC}_{K_{1,1},K_{1,2}}(M) \oplus \cdots \oplus \mathrm {LightMAC}_{K_{r,1},K_{r,2}}(M)\), where for \(i \in \{1,\ldots ,r\}\), \(K_{i,1}\) and \(K_{i,2}\) are the blockcipher keys in the hash function and the finalization function, respectively. Note that in [11] the hash function is generalized by an almost universal hash function and the hash function of LightMAC is almost universal.
References
Bellare, M., Guérin, R., Rogaway, P.: XOR MACs: new methods for message authentication using finite pseudorandom functions. In: Coppersmith, D. (ed.) CRYPTO 1995. LNCS, vol. 963, pp. 15–28. Springer, Heidelberg (1995). https://doi.org/10.1007/3-540-44750-4_2
Bellare, M., Pietrzak, K., Rogaway, P.: Improved security analyses for CBC MACs. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 527–545. Springer, Heidelberg (2005). https://doi.org/10.1007/11535218_32
Bernstein, D.J.: How to stretch random functions: the security of protected counter sums. J. Cryptol. 12(3), 185–192 (1999)
Bhargavan, K., Leurent, G.: On the practical (in-)security of 64-bit block ciphers: collision attacks on HTTP over TLS and OpenVPN. In: CCS 2016, pp. 456–467. ACM (2016)
Black, J., Rogaway, P.: A block-cipher mode of operation for parallelizable message authentication. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 384–397. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-46035-7_25
Campbell, C.M.: Design and specification of cryptographic capabilities. In: Computer security and the Data Encryption Standard, pp. 54–66 (1977)
Cogliati, B., Lee, J., Seurin, Y.: New constructions of MACs from (tweakable) block ciphers. IACR Trans. Symmetric Cryptol. 2017(2), 27–58 (2017)
Dodis, Y., Steinberger, J.: Domain extension for MACs beyond the birthday barrier. In: Paterson, K.G. (ed.) EUROCRYPT 2011. LNCS, vol. 6632, pp. 323–342. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-20465-4_19
Gaži, P., Pietrzak, K., Rybár, M.: The exact security of PMAC. IACR Trans. Symmetric Cryptol. 2016(2), 145–161 (2016)
Iwata, T., Kurosawa, K.: OMAC: one-key CBC MAC. In: Johansson, T. (ed.) FSE 2003. LNCS, vol. 2887, pp. 129–153. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-39887-5_11
Iwata, T., Minematsu, K.: Stronger security variants of GCM-SIV. IACR Trans. Symmetric Cryptol. 2016(1), 134–157 (2016)
Iwata, T., Minematsu, K., Peyrin, T., Seurin, Y.: ZMAC: a fast tweakable block cipher mode for highly secure message authentication. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10403, pp. 34–65. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63697-9_2
Jaulmes, É., Joux, A., Valette, F.: On the security of randomized CBC-MAC beyond the birthday paradox limit: a new construction. In: Daemen, J., Rijmen, V. (eds.) FSE 2002. LNCS, vol. 2365, pp. 237–251. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-45661-9_19
Jaulmes, É., Lercier, R.: FRMAC, a fast randomized message authentication code. Cryptology ePrint Archive, Report 2004/166 (2004). http://eprint.iacr.org/2004/166
JTC1: ISO/IEC 9797-1:1999 Information technology – Security techniques – Message Authentication Codes (MACs) – Part 1: Mechanisms using a block cipher (1999)
Luykx, A., Preneel, B., Szepieniec, A., Yasuda, K.: On the influence of message length in PMAC’s security bounds. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9665, pp. 596–621. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49890-3_23
Luykx, A., Preneel, B., Tischhauser, E., Yasuda, K.: A MAC mode for lightweight block ciphers. In: Peyrin, T. (ed.) FSE 2016. LNCS, vol. 9783, pp. 43–59. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-52993-5_3
Menezes, A.J., van Oorschot, P.C., Vanstone, S.A.: Handbook of Applied Cryptography. CRC Press, Boca Raton (2001). http://www.cacr.math.uwaterloo.ca/hac/
Minematsu, K.: How to thwart birthday attacks against MACs via small randomness. In: Hong, S., Iwata, T. (eds.) FSE 2010. LNCS, vol. 6147, pp. 230–249. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13858-4_13
Minematsu, K., Matsushima, T.: New bounds for PMAC, TMAC, and XCBC. In: Biryukov, A. (ed.) FSE 2007. LNCS, vol. 4593, pp. 434–451. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-74619-5_27
Naito, Y.: Blockcipher-based MACs: beyond the birthday bound without message length. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017. LNCS, vol. 10626, pp. 446–470. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70700-6_16
Nandi, M.: A unified method for improving PRF bounds for a class of blockcipher based MACs. In: Hong, S., Iwata, T. (eds.) FSE 2010. LNCS, vol. 6147, pp. 212–229. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13858-4_12
NIST: FIPS 81, DES Modes of Operation (1980)
NIST: Recommendation for block cipher modes of operation: the CMAC mode for authentication. SP 800-38B (2005)
Pietrzak, K.: A tight bound for EMAC. In: Bugliesi, M., Preneel, B., Sassone, V., Wegener, I. (eds.) ICALP 2006. LNCS, vol. 4052, pp. 168–179. Springer, Heidelberg (2006). https://doi.org/10.1007/11787006_15
Rogaway, P.: Efficient instantiations of tweakable blockciphers and refinements to modes OCB and PMAC. In: Lee, P.J. (ed.) ASIACRYPT 2004. LNCS, vol. 3329, pp. 16–31. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-30539-2_2
Yasuda, K.: The sum of CBC MACs is a secure PRF. In: Pieprzyk, J. (ed.) CT-RSA 2010. LNCS, vol. 5985, pp. 366–381. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-11925-5_25
Yasuda, K.: A new variant of PMAC: beyond the birthday bound. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 596–609. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-22792-9_34
Yasuda, K.: PMAC with parity: minimizing the query-length influence. In: Dunkelman, O. (ed.) CT-RSA 2012. LNCS, vol. 7178, pp. 203–214. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-27954-6_13
Zhang, L., Wu, W., Sui, H., Wang, P.: 3kf9: enhancing 3GPP-MAC beyond the birthday bound. In: Wang, X., Sako, K. (eds.) ASIACRYPT 2012. LNCS, vol. 7658, pp. 296–312. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-34961-4_19
Zhang, Y.: Using an error-correction code for fast, beyond-birthday-bound authentication. In: Nyberg, K. (ed.) CT-RSA 2015. LNCS, vol. 9048, pp. 291–307. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-16715-2_16
Acknowledgements
The author would like to thank the anonymous referees for their helpful comments and suggestions.
Appendices
A Proof of Lemma 1
Let \(M^\alpha ,M^\beta \in \mathcal {M}\) be two distinct messages. In the following proof, the length in blocks of \(M^\alpha \) resp. \(M^\beta \) is denoted by \(l_\alpha \) resp. \(l_\beta \). Values corresponding with \(M^\alpha \) resp. \(M^\beta \) are denoted by the superscript symbol of \(\alpha \) resp. \(\beta \). Without loss of generality, assume that \(l_\alpha \le l_\beta \). \(\mathtt {LHash\_Plus}[P](M^{\alpha }) = \mathtt {LHash\_Plus}[P](M^{\beta })\) implies that
We consider the following three cases.
1. \(\Big ( l_\alpha = l_\beta \Big ) \wedge \Big ( \exists a \in [l_\alpha ] \text{ s.t. } B_{a}^\alpha \ne B_{a}^\beta \Big ) \wedge \Big ( \forall i \in [l_\alpha ] \backslash \{a\}: B_{i}^\alpha = B_{i}^\beta \Big )\).
2. \(\Big ( l_\alpha = l_\beta \Big ) \wedge \Big ( \exists a_1,a_2 \in [l_\alpha ] \text{ s.t. } B_{a_1}^\alpha \ne B_{a_1}^\beta \wedge B_{a_2}^\alpha \ne B_{a_2}^\beta \Big )\).
3. \(\Big (l_\alpha \ne l_\beta \Big )\).
The first case is that there is just one position \(a\) where the inputs are distinct. The second case is that there are at least two positions \(a_1,a_2\) where the inputs are distinct. For each case, we upper-bound the probability that (9) is satisfied.
- The first case is considered: \(\exists a \in [l_\alpha ] \text{ s.t. } B_{a}^\alpha \ne B_{a}^\beta \) and \(\forall i \in [l_\alpha ] \backslash \{a\}: B_{i}^\alpha = B_{i}^\beta \). Since \(B_{a}^\alpha \ne B_{a}^\beta \Rightarrow C_a^\alpha \ne C_a^\beta \) and \(B_{i}^\alpha = B_{i}^\beta \Rightarrow C_{i}^\alpha = C_{i}^\beta \), we have \(A_{9,1} \ne 0^n\) and \(A_{9,2} \ne 0^n\). Hence, the probability that (9) is satisfied is 0.
- The second case is considered: \(\exists a_1,a_2,\ldots ,a_j \in [l_\alpha ]\) with \(j \ge 2\) s.t. \(\forall i \in [j]:B_{a_i}^\alpha \ne B_{a_i}^\beta \). Note that \(B_{a_i}^\alpha \ne B_{a_i}^\beta \Rightarrow C_{a_i}^\alpha \ne C_{a_i}^\beta \). Eliminating the same outputs between \(\{C^\alpha _i: 1 \le i \le l_\alpha \}\) and \(\{C^\beta _i: 1 \le i \le l_\beta \}\), we have
  $$\begin{aligned} A_{9,1} = \bigoplus _{i=1}^{j} \Big ( C^\alpha _{a_i} \oplus C^\beta _{a_i} \Big ) \text{ and } A_{9,2} = \bigoplus _{i=1}^{j} 2^{l_\alpha - a_i} \cdot \Big ( C^\alpha _{a_i} \oplus C^\beta _{a_i} \Big ) . \end{aligned}$$
  Since in \(A_{9,1}\) and \(A_{9,2}\) there are at most \(l_\alpha + l_\beta \) outputs, the numbers of possibilities for \(C^\alpha _{a_1}\) and \(C^\alpha _{a_2}\) are at least \(2^n- (l_\alpha + l_\beta -2)\) and \(2^n- (l_\alpha + l_\beta -1)\), respectively. Fixing the other outputs, the equations in (9) provide a unique solution for \(C^\alpha _{a_1}\) and \(C^\alpha _{a_2}\). As a result, the probability that (9) is satisfied is at most \(1/\big ((2^n- (l_\alpha + l_\beta -2))(2^n- (l_\alpha + l_\beta -1))\big )\).
- The third case is considered. Without loss of generality, assume that \(l_\alpha < l_\beta \). Eliminating the same outputs between \(\{C^\alpha _i: 1 \le i \le l_\alpha \}\) and \(\{C^\beta _i: 1 \le i \le l_\beta \}\), we have
  $$\begin{aligned} A_{9,1} = \bigoplus _{i=1}^{u} C^\alpha _{a_i} \oplus \bigoplus _{i=1}^{v} C^\beta _{b_i} , \end{aligned}$$
  where \(a_1,\ldots ,a_u \in [l_\alpha ]\) and \(b_1,\ldots ,b_v \in [l_\beta ]\). By \(l_\alpha < l_\beta \), \(l_\beta \in \{b_1,\ldots ,b_v\}\) and \(l_\beta \ne 1\). Note that \(C^\beta _{l_\beta }\) remains in \(A_{9,1}\). Since in \(A_{9,1}\) and \(A_{9,2}\) there are at most \(l_\alpha + l_\beta \) outputs, the numbers of possibilities for \(C^\beta _{1}\) and \(C^\beta _{l_\beta }\) are at least \(2^n- (l_\alpha + l_\beta -2)\) and \(2^n- (l_\alpha + l_\beta -1)\), respectively. Fixing the other outputs, the equations in (9) provide a unique solution for \(C^\beta _{1}\) and \(C^\beta _{l_\beta }\). As a result, the probability that (9) is satisfied is at most \(1/\big ((2^n- (l_\alpha + l_\beta -2))(2^n- (l_\alpha + l_\beta -1))\big )\).
The above upper-bounds give
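The following Python program is an added worked example, not code from the paper or its author. It implements the \(\mathtt {LightMAC\_Plus}\) structure the abstract describes (one blockcipher call per \(n-m\)-bit block in the hashing phase, two calls and three keys in the finalization phase) with the two hash sums \(S_1 = \bigoplus_i C_i\) and \(S_2 = \bigoplus_i 2^{l-i} \cdot C_i\) whose differences \(A_{9,1}\) and \(A_{9,2}\) drive the case analysis of Lemma 1 above, and it checks the first case concretely: two equal-length messages differing in exactly one block give nonzero \(A_{9,1}\) and \(A_{9,2}\), so no hash collision is possible. Assumptions not stated on this page: the finalization \(T = E_{K_2}(S_1) \oplus E_{K_3}(S_2)\), the \(10^*\) padding, the big-endian \(m\)-bit counter encoding with \(m = 32\), and the CMAC doubling polynomial are taken from the original LightMAC_Plus design and common practice; `feistel_perm` is a stand-in keyed permutation used only so that the code runs offline (a real deployment would use AES-128); keys and messages are constructed.

```python
"""LightMAC_Plus structure, added example (assumed details noted in comments).

Hash phase   : C_i = E_K1(str_m(i) || B_i), S_1 = XOR_i C_i, S_2 = XOR_i 2^(l-i) * C_i
Finalization : T = E_K2(S_1) XOR E_K3(S_2)   (assumed from the original design)
"""
import hashlib
import hmac
from typing import Callable, List, Tuple

N_BYTES = 16                   # block size n = 128 bits
M_BYTES = 4                    # counter size m = 32 bits (assumed parameter choice)
MSG_BLOCK = N_BYTES - M_BYTES  # each blockcipher call absorbs n - m message bits

BlockCipher = Callable[[bytes, bytes], bytes]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def feistel_perm(key: bytes, block: bytes) -> bytes:
    """Stand-in keyed 128-bit permutation (4-round Feistel, HMAC-SHA256 round
    function). It only plays the role of E here; it is NOT a real blockcipher."""
    if len(block) != N_BYTES:
        raise ValueError("block must be 16 bytes")
    left, right = block[:8], block[8:]
    for rnd in range(4):
        f = hmac.new(key, bytes([rnd]) + right, hashlib.sha256).digest()[:8]
        left, right = right, xor(left, f)
    return left + right


def gf_double(x: bytes) -> bytes:
    """Multiply by 2 in GF(2^128), polynomial x^128 + x^7 + x^2 + x + 1 (assumed)."""
    v = int.from_bytes(x, "big") << 1
    if v >> 128:
        v ^= (1 << 128) | 0x87
    return v.to_bytes(N_BYTES, "big")


def pad_blocks(msg: bytes) -> List[bytes]:
    """10* padding into (n-m)-bit blocks (assumed); at least one bit is always
    appended, so distinct messages stay distinct after padding."""
    padded = msg + b"\x80"
    padded += b"\x00" * ((-len(padded)) % MSG_BLOCK)
    return [padded[i:i + MSG_BLOCK] for i in range(0, len(padded), MSG_BLOCK)]


def lhash_plus(E: BlockCipher, k1: bytes, msg: bytes) -> Tuple[bytes, bytes]:
    """Hashing phase: one blockcipher call per block, returns (S_1, S_2)."""
    blocks = pad_blocks(msg)
    if len(blocks) >= 1 << (8 * M_BYTES):
        raise ValueError("message too long for the m-bit counter")
    s1 = s2 = bytes(N_BYTES)
    for i, b in enumerate(blocks, start=1):
        c = E(k1, i.to_bytes(M_BYTES, "big") + b)  # C_i = E_K1(str_m(i) || B_i)
        s1 = xor(s1, c)
        s2 = xor(gf_double(s2), c)  # Horner form: ends as XOR_i 2^(l-i) * C_i
    return s1, s2


def lightmac_plus_tag(E: BlockCipher, k1: bytes, k2: bytes, k3: bytes, msg: bytes) -> bytes:
    s1, s2 = lhash_plus(E, k1, msg)
    return xor(E(k2, s1), E(k3, s2))  # two finalization calls, keys K2 and K3


def lightmac_plus_verify(E: BlockCipher, k1: bytes, k2: bytes, k3: bytes,
                         msg: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(lightmac_plus_tag(E, k1, k2, k3, msg), tag)


def hash_difference(E: BlockCipher, k1: bytes, ma: bytes, mb: bytes) -> Tuple[bytes, bytes]:
    """(S_1^a xor S_1^b, S_2^a xor S_2^b), i.e. A_{9,1} and A_{9,2} of Appendix A.
    An LHash_Plus collision requires both to equal 0^n."""
    a1, a2 = lhash_plus(E, k1, ma)
    b1, b2 = lhash_plus(E, k1, mb)
    return xor(a1, b1), xor(a2, b2)


# Constructed sample keys and messages (not from the paper).
K1, K2, K3 = b"k1" * 8, b"k2" * 8, b"k3" * 8
MSG_A = b"A" * 12 + b"B" * 12 + b"C" * 12
MSG_B = b"A" * 12 + b"X" * 12 + b"C" * 12  # differs from MSG_A in block 2 only

if __name__ == "__main__":
    tag = lightmac_plus_tag(feistel_perm, K1, K2, K3, MSG_A)
    print("tag       :", tag.hex())
    print("verify    :", lightmac_plus_verify(feistel_perm, K1, K2, K3, MSG_A, tag))
    d1, d2 = hash_difference(feistel_perm, K1, MSG_A, MSG_B)
    print("case 1    : A_{9,1} != 0:", d1 != bytes(N_BYTES), " A_{9,2} != 0:", d2 != bytes(N_BYTES))
```

Because `feistel_perm` is a permutation, the first-case argument holds exactly as in the proof: the single differing block gives \(C_a^\alpha \ne C_a^\beta\), so \(A_{9,1}\) is that nonzero difference and \(A_{9,2}\) is its product with the nonzero field element \(2^{l-a}\). The Horner-form accumulation of \(S_2\) keeps the hashing phase at one doubling and one XOR per block, so the \(2^{l-i}\) weights cost no extra blockcipher calls.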
B Proof of Lemma 2
Let \(M^\alpha ,M^\beta , M^\gamma \in \mathcal {M}\) be three distinct messages. In the following proof, for \(\delta \in \{\alpha ,\beta ,\gamma \}\), the length in blocks of \(M^\delta \) is denoted by \(l_\delta \), and values corresponding with \(M^\delta \) are denoted by the superscript symbol of \(\delta \). Note that \(S_1^\alpha = S_1^{\beta } \wedge S_2^\alpha = S_2^{\gamma }\), which implies
Since \(M^{\alpha }, M^{\beta }\) and \(M^{\gamma }\) are distinct, there are at least two distinct outputs \(C^{\alpha ,\beta }\) and \(C^{\alpha ,\gamma }\) where \(C^{\alpha ,\beta }\) appears in \(A_{10,1}\) and \(C^{\alpha ,\gamma }\) appears in \(A_{10,2}\). Fixing other outputs in \(A_{10,1}\) and \(A_{10,2}\), the equations in (10) provide a unique solution for \(C^{\alpha ,\beta }\) and \(C^{\alpha ,\gamma }\). Since there are at most \(l_\alpha +l_{\beta }\) outputs in \(A_{10,1}\), the number of possibilities for \(C^{\alpha ,\beta }\) is at least \(2^n-(l_\alpha +l_{\beta }-1)\). Since there are at most \(l_\alpha +l_{\gamma }\) outputs in \(A_{10,2}\), the number of possibilities for \(C^{\alpha ,\gamma }\) is at least \(2^n-(l_\alpha +l_{\gamma }-1)\). Hence, the probability that (10) is satisfied is at most
Copyright information
© 2018 Springer International Publishing AG, part of Springer Nature
Cite this paper
Naito, Y. (2018). Improved Security Bound of LightMAC_Plus and Its Single-Key Variant. In: Smart, N. (eds) Topics in Cryptology – CT-RSA 2018. CT-RSA 2018. Lecture Notes in Computer Science(), vol 10808. Springer, Cham. https://doi.org/10.1007/978-3-319-76953-0_16
DOI: https://doi.org/10.1007/978-3-319-76953-0_16
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-76952-3
Online ISBN: 978-3-319-76953-0