ZMAC: A Fast Tweakable Block Cipher Mode for Highly Secure Message Authentication

  • Tetsu Iwata
  • Kazuhiko Minematsu
  • Thomas Peyrin
  • Yannick Seurin
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10403)


We propose a new mode of operation called \(\mathsf {ZMAC}\) for constructing a (stateless and deterministic) message authentication code (MAC) from a tweakable block cipher (TBC). When used with a TBC with n-bit blocks and t-bit tweaks, our construction provides security (as a variable-input-length PRF) beyond the birthday bound with respect to the block length n and processes \(n+t\) bits of input per TBC call. In comparison, previous TBC-based modes such as PMAC1, the TBC-based generalization of the seminal PMAC mode (Black and Rogaway, EUROCRYPT 2002), or PMAC_TBC1k (Naito, ProvSec 2015) process only n bits of input per TBC call. Since a TBC with n-bit blocks and t-bit tweaks can process at most \(n+t\) bits of input per call, the efficiency of our construction is essentially optimal, while it still achieves beyond-birthday-bound security. The \(\mathsf {ZMAC}\) mode is fully parallelizable and can be directly instantiated with several concrete TBC proposals, such as Deoxys and SKINNY. We also use \(\mathsf {ZMAC}\) to construct a stateless and deterministic authenticated encryption scheme called \(\mathsf {ZAE}\), which is very efficient and secure beyond the birthday bound.


Keywords: MAC · Tweakable block cipher · Authenticated encryption



The authors would like to thank the anonymous reviewers of CRYPTO 2017 for their helpful comments. The first author is supported by JSPS KAKENHI, Grant-in-Aid for Scientific Research (B), Grant Number 26280045, and the work was carried out in part while visiting Nanyang Technological University, Singapore. The third author is supported by the Singapore National Research Foundation Fellowship 2012 (NRF-NRFF2012-06) and Temasek Labs (DSOCL16194). The fourth author has been partially supported by the French Agence Nationale de la Recherche through the BRUTUS project under Contract ANR-14-CE28-0015.


  1. [BI99] Bellare, M., Impagliazzo, R.: A tool for obtaining tighter security analyses of pseudorandom function based constructions, with applications to PRP to PRF conversion. IACR Cryptology ePrint Archive, Report 1999/024 (1999)
  2. [BJK+16] Beierle, C., Jean, J., Kölbl, S., Leander, G., Moradi, A., Peyrin, T., Sasaki, Y., Sasdrich, P., Sim, S.M.: The SKINNY family of block ciphers and its low-latency variant MANTIS. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9815, pp. 123–153. Springer, Heidelberg (2016). doi: 10.1007/978-3-662-53008-5_5
  3. [BKN09] Biryukov, A., Khovratovich, D., Nikolić, I.: Distinguisher and related-key attack on the full AES-256. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 231–249. Springer, Heidelberg (2009). doi: 10.1007/978-3-642-03356-8_14
  4. [BKR00] Bellare, M., Kilian, J., Rogaway, P.: The security of the cipher block chaining message authentication code. J. Comput. Syst. Sci. 61(3), 362–399 (2000)
  5. [BR02] Black, J., Rogaway, P.: A block-cipher mode of operation for parallelizable message authentication. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 384–397. Springer, Heidelberg (2002). doi: 10.1007/3-540-46035-7_25
  6. [BR05] Black, J., Rogaway, P.: CBC MACs for arbitrary-length messages: the three-key constructions. J. Cryptology 18(2), 111–131 (2005)
  7. [CAE] CAESAR: Competition for Authenticated Encryption: Security, Applicability, and Robustness.
  8. [CDMS10] Coron, J.-S., Dodis, Y., Mandal, A., Seurin, Y.: A domain extender for the ideal cipher. In: Micciancio, D. (ed.) TCC 2010. LNCS, vol. 5978, pp. 273–289. Springer, Heidelberg (2010). doi: 10.1007/978-3-642-11799-2_17
  9. [CLP14] Cogliati, B., Lampe, R., Patarin, J.: The indistinguishability of the XOR of \(k\) permutations. In: Cid, C., Rechberger, C. (eds.) FSE 2014. LNCS, vol. 8540, pp. 285–302. Springer, Heidelberg (2015). doi: 10.1007/978-3-662-46706-0_15
  10. [FLS+10] Ferguson, N., Lucks, S., Schneier, B., Whiting, D., Bellare, M., Kohno, T., Callas, J., Walker, J.: The Skein Hash Function Family. SHA3 Submission to NIST (Round 3) (2010)
  11. [GL15] Gueron, S., Lindell, Y.: GCM-SIV: full nonce misuse-resistant authenticated encryption at under one cycle per byte. In: Ray, I., Li, N., Kruegel, C. (eds.) ACM Conference on Computer and Communications Security - CCS 2015, pp. 109–119. ACM (2015)
  12. [GLS+14] Grosso, V., Leurent, G., Standaert, F.-X., Varici, K., Durvaux, F., Gaspar, L., Kerckhof, S.: SCREAM and iSCREAM. Submitted to the CAESAR competition (2014)
  13. [HP08] Handschuh, H., Preneel, B.: Key-recovery attacks on universal hash function based MAC algorithms. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 144–161. Springer, Heidelberg (2008). doi: 10.1007/978-3-540-85174-5_9
  14. [IK03] Iwata, T., Kurosawa, K.: OMAC: one-key CBC MAC. In: Johansson, T. (ed.) FSE 2003. LNCS, vol. 2887, pp. 129–153. Springer, Heidelberg (2003). doi: 10.1007/978-3-540-39887-5_11
  15. [IMV16] Iwata, T., Mennink, B., Vizár, D.: CENC is Optimally Secure (2016).
  16. [Iwa06] Iwata, T.: New blockcipher modes of operation with beyond the birthday bound security. In: Robshaw, M. (ed.) FSE 2006. LNCS, vol. 4047, pp. 310–327. Springer, Heidelberg (2006). doi: 10.1007/11799313_20
  17. [JNP14a] Jean, J., Nikolić, I., Peyrin, T.: Deoxys v1. Submitted to the CAESAR competition (2014)
  18. [JNP14b] Jean, J., Nikolić, I., Peyrin, T.: Joltik v1. Submitted to the CAESAR competition (2014)
  19. [JNP14c] Jean, J., Nikolić, I., Peyrin, T.: KIASU v1. Submitted to the CAESAR competition (2014)
  20. [JNP14d] Jean, J., Nikolić, I., Peyrin, T.: Tweaks and keys for block ciphers: the TWEAKEY framework. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8874, pp. 274–288. Springer, Heidelberg (2014). doi: 10.1007/978-3-662-45608-8_15
  21. [KR11] Krovetz, T., Rogaway, P.: The software performance of authenticated-encryption modes. In: Joux, A. (ed.) FSE 2011. LNCS, vol. 6733, pp. 306–327. Springer, Heidelberg (2011). doi: 10.1007/978-3-642-21702-9_18
  22. [LN17] List, E., Nandi, M.: Revisiting full-PRF-secure PMAC and using it for beyond-birthday authenticated encryption. In: Handschuh, H. (ed.) CT-RSA 2017. LNCS, vol. 10159, pp. 258–274. Springer, Cham (2017). doi: 10.1007/978-3-319-52153-4_15
  23. [LRW02] Liskov, M., Rivest, R.L., Wagner, D.: Tweakable block ciphers. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 31–46. Springer, Heidelberg (2002). doi: 10.1007/3-540-45708-9_3
  24. [Luc00] Lucks, S.: The sum of PRPs is a secure PRF. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 470–484. Springer, Heidelberg (2000). doi: 10.1007/3-540-45539-6_34
  25. [MI15] Minematsu, K., Iwata, T.: Tweak-length extension for tweakable blockciphers. In: Groth, J. (ed.) IMACC 2015. LNCS, vol. 9496, pp. 77–93. Springer, Cham (2015). doi: 10.1007/978-3-319-27239-9_5
  26. [MI17] Minematsu, K., Iwata, T.: Cryptanalysis of PMACx, PMAC2x, and SIVx. IACR Trans. Symmetric Cryptol. 2017(2) (2017)
  27. [Min09] Minematsu, K.: Beyond-birthday-bound security based on tweakable block cipher. In: Dunkelman, O. (ed.) FSE 2009. LNCS, vol. 5665, pp. 308–326. Springer, Heidelberg (2009). doi: 10.1007/978-3-642-03317-9_19
  28. [MV04] McGrew, D.A., Viega, J.: The security and performance of the Galois/Counter Mode (GCM) of operation. In: Canteaut, A., Viswanathan, K. (eds.) INDOCRYPT 2004. LNCS, vol. 3348, pp. 343–355. Springer, Heidelberg (2004). doi: 10.1007/978-3-540-30556-9_27
  29. [Nai15] Naito, Y.: Full PRF-secure message authentication code based on tweakable block cipher. In: Au, M.-H., Miyaji, A. (eds.) ProvSec 2015. LNCS, vol. 9451, pp. 167–182. Springer, Cham (2015). doi: 10.1007/978-3-319-26059-4_9
  30. [Pat08] Patarin, J.: A proof of security in \(O(2^n)\) for the xor of two random permutations. In: Safavi-Naini, R. (ed.) ICITS 2008. LNCS, vol. 5155, pp. 232–248. Springer, Heidelberg (2008). doi: 10.1007/978-3-540-85093-9_22
  31. [Pat10] Patarin, J.: Introduction to Mirror Theory: Analysis of Systems of Linear Equalities and Linear Non Equalities for Cryptography (2010).
  32. [Pat13] Patarin, J.: Security in \(O(2^n)\) for the Xor of Two Random Permutations: Proof with the Standard \(H\) Technique. IACR Cryptology ePrint Archive, Report 2013/368 (2013).
  33. [PC15] Procter, G., Cid, C.: On weak keys and forgery attacks against polynomial-based MAC schemes. J. Cryptology 28(4), 769–795 (2015)
  34. [PS16] Peyrin, T., Seurin, Y.: Counter-in-tweak: authenticated encryption modes for tweakable block ciphers. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9814, pp. 33–63. Springer, Heidelberg (2016). doi: 10.1007/978-3-662-53018-4_2
  35. [Rog04] Rogaway, P.: Efficient instantiations of tweakable blockciphers and refinements to modes OCB and PMAC. In: Lee, P.J. (ed.) ASIACRYPT 2004. LNCS, vol. 3329, pp. 16–31. Springer, Heidelberg (2004). doi: 10.1007/978-3-540-30539-2_2
  36. [RS06] Rogaway, P., Shrimpton, T.: A provable-security treatment of the key-wrap problem. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 373–390. Springer, Heidelberg (2006). doi: 10.1007/11761679_23
  37. [Yas10] Yasuda, K.: The sum of CBC MACs is a secure PRF. In: Pieprzyk, J. (ed.) CT-RSA 2010. LNCS, vol. 5985, pp. 366–381. Springer, Heidelberg (2010). doi: 10.1007/978-3-642-11925-5_25
  38. [Yas11] Yasuda, K.: A new variant of PMAC: beyond the birthday bound. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 596–609. Springer, Heidelberg (2011). doi: 10.1007/978-3-642-22792-9_34

Copyright information

© International Association for Cryptologic Research 2017

Authors and Affiliations

  • Tetsu Iwata (1)
  • Kazuhiko Minematsu (2)
  • Thomas Peyrin (3, 4, 5)
  • Yannick Seurin (6)
  1. Nagoya University, Nagoya, Japan
  2. NEC Corporation, Kawasaki, Japan
  3. School of Physical and Mathematical Sciences, Nanyang Technological University, Singapore, Singapore
  4. School of Computer Science and Engineering, Nanyang Technological University, Singapore, Singapore
  5. Temasek Laboratories, Nanyang Technological University, Singapore, Singapore
  6. ANSSI, Paris, France
