A Tweak for a PRF Mode of a Compression Function and Its Applications

  • Shoichi Hirose
  • Atsushi Yabumoto
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10006)


We discuss a tweak for the domain extension called Merkle-Damgård with Permutation (MDP), which was presented at ASIACRYPT 2007. We first show that MDP may produce multiple independent pseudorandom functions (PRFs) using a single secret key and multiple permutations if the underlying compression function is a PRF against related key attacks with respect to the permutations. Using this result, we then construct a hash-function-based MAC function, which we call FMAC, using a compression function as its underlying primitive. We also present a scheme to extend FMAC so as to take as input a vector of strings.
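As an added illustration, not code from the paper, the following sketch shows the MDP mode in keyed-IV form: the key plays the role of the initial value, the chaining value is iterated through the compression function, and a permutation pi_j is applied to the chaining value just before the final call, so distinct indices j give distinct PRF instances under one key. The compression function (a SHA-256 stand-in), the XOR-with-constant permutation family and the padding are all assumptions for illustration only.

```python
import hashlib

N = 32       # chaining-value / key length in bytes (assumed)
BLOCK = 64   # message block length in bytes (assumed)


def compress(h: bytes, m: bytes) -> bytes:
    """Toy stand-in for a compression function f: {0,1}^n x {0,1}^b -> {0,1}^n.
    Built from SHA-256 for illustration only; not the paper's primitive."""
    assert len(h) == N and len(m) == BLOCK
    return hashlib.sha256(h + m).digest()


def pad(msg: bytes) -> list:
    """Split into BLOCK-byte blocks: append 0x80, zeros, then the 8-byte bit length
    (assumed padding rule; any injective padding works for the construction)."""
    padded = msg + b"\x80"
    padded += b"\x00" * ((-len(padded) - 8) % BLOCK)
    padded += (8 * len(msg)).to_bytes(8, "big")
    return [padded[i:i + BLOCK] for i in range(0, len(padded), BLOCK)]


def permute(h: bytes, j: int) -> bytes:
    """pi_j: XOR the chaining value with a distinct non-zero constant c_j (assumed family).
    XOR with a non-zero constant is a permutation without fixed points."""
    c = (j + 1).to_bytes(N, "big")
    return bytes(x ^ y for x, y in zip(h, c))


def mdp_prf(key: bytes, msg: bytes, j: int = 0) -> bytes:
    """MDP with the key as IV: h_0 = K, h_i = f(h_{i-1}, M_i) for all blocks but the last;
    the last call takes pi_j(h_{n-1}) in place of h_{n-1}. One key, many permutations,
    each index j yielding a separate PRF instance (the property the abstract states)."""
    assert len(key) == N
    blocks = pad(msg)
    h = key
    for m in blocks[:-1]:
        h = compress(h, m)
    return compress(permute(h, j), blocks[-1])
```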


Keywords: Compression function, MAC, Provable security, Pseudorandom function, Vector-input PRF



This work was supported in part by JSPS KAKENHI Grant Number JP16H02828.



Copyright information

© Springer International Publishing AG 2016

Authors and Affiliations

  1. Faculty of Engineering, University of Fukui, Fukui, Japan
  2. Graduate School of Engineering, University of Fukui, Fukui, Japan
