Message Authentication Codes from Unpredictable Block Ciphers

  • Yevgeniy Dodis
  • John Steinberger
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5677)


We design an efficient mode of operation on block ciphers, SS-NMAC. Our mode has the following properties, when instantiated with a block cipher f to yield a variable-length, keyed hash function H:

  • (1) MAC Preservation. H is a secure message authentication code (MAC) with birthday security, as long as f is unpredictable.

  • (2) PRF Preservation. H is a secure pseudorandom function (PRF) with birthday security, as long as f is pseudorandom.

  • (3) Security against Side-Channels. As long as the block cipher f does not leak side-channel information about its internals to the attacker, properties (1) and (2) hold even if the remaining implementation of H is completely leaky. In particular, if the attacker can learn the transcript of all block cipher calls and other auxiliary information needed to implement our mode of operation.

Our mode is the first to satisfy the MAC preservation property (1) with birthday security, solving the main open problem of Dodis et al. [7] from Eurocrypt 2008. Combined with the PRF preservation (2), our mode provides a hedge against the case when the block cipher f is more secure as a MAC than as a PRF: if it is false, as we hope, we get a secure variable-length PRF; however, even if true, we still “salvage” a secure MAC, which might be enough for a given application.

We also remark that no prior mode of operation offered birthday security against side channel attacks, even if the block cipher was assumed pseudorandom.

Although very efficient, our mode is three times slower than many of the prior modes, such as CBC, which do not enjoy properties (1) and (3). Thus, our work motivates further research to understand the gap between unpredictability and pseudorandomness of the existing block ciphers, such as AES.


  1. 1.
    Alon, N., Goldreich, O., Hastad, J., Peralta, R.: Simple Construction of Almost k-wise Independent Random Variables. Random Struct. Algorithms 3(3), 289–304 (1992)MathSciNetCrossRefMATHGoogle Scholar
  2. 2.
    An, J.H., Bellare, M.: Constructing VIL-MACs from FIL-MACs: Message Authentication under Weakened Assumptions. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 252–269. Springer, Heidelberg (1999)CrossRefGoogle Scholar
  3. 3.
    Bellare, M.: New Proofs for NMAC and HMAC: Security without Collision-Resistance. In: Dwork, C. (ed.) CRYPTO 2006. LNCS, vol. 4117, pp. 602–619. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  4. 4.
    Bellare, M., Kilian, J., Rogaway, P.: The Security of Cipher Block Chaining. In: Desmedt, Y.G. (ed.) CRYPTO 1994. LNCS, vol. 839, pp. 341–358. Springer, Heidelberg (1994)Google Scholar
  5. 5.
    Bellare, M., Canetti, R., Krawczyk, H.: Pseudorandom Functions Re-visited: The Cascade Construction and Its Concrete Security. In: FOCS 1996, pp. 514–523 (1996)Google Scholar
  6. 6.
    Bellare, M., Canetti, R., Krawczyk, H.: Keying Hash Functions for Message Authentication. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 1–15. Springer, Heidelberg (1996)Google Scholar
  7. 7.
    Dodis, Y., Pietrzak, K., Puniya, P.: A New Mode of Operation for Block Ciphers and Length-Preserving MACs. In: Smart, N.P. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 198–219. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  8. 8.
    Dodis, Y., Puniya, P.: Feistel Networks Made Public, and Applications. In: Naor, M. (ed.) EUROCRYPT 2007. LNCS, vol. 4515, pp. 534–554. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  9. 9.
    Dodis, Y., Steinberger, J.: Message Authentication Codes from Unpredictable Block Ciphers. Full version of this paper,
  10. 10.
    Goldreich, O., Levin, L.: A hard-core predicate for all one-way functions. In: STOC 1989, pp. 25–32 (1989)Google Scholar
  11. 11.
    Luby, M., Rackoff, C.: How to construct pseudo-random permutations from pseudo-random functions. SIAM J. Comput. 17(2), 373–386 (1988)MathSciNetCrossRefMATHGoogle Scholar
  12. 12.
    Naor, J., Naor, M.: Small-Bias Probability Spaces: Efficient Constructions and Applications. SIAM J. Comput. 22(4), 838–856 (1993)MathSciNetCrossRefMATHGoogle Scholar
  13. 13.
    Naor, M., Reingold, O.: From unpredictability to indistinguishability: A simple construction of pseudo-random functions from MACs. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 267–282. Springer, Heidelberg (1998)CrossRefGoogle Scholar
  14. 14.
    Petrank, E., Rackoff, C.: CBC MAC for Real-Time Data Sources. J. Cryptology 13(3), 315–338 (2000)MathSciNetCrossRefMATHGoogle Scholar
  15. 15.
    Preneel, B., Govaerts, R., Vandewalle, J.: Hash Functions Based on Block Ciphers: A Synthetic Approach. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 368–378. Springer, Heidelberg (1994)CrossRefGoogle Scholar
  16. 16.
    Phillip Rogaway and John Steinberger, How to Build a Permutation-Based Hash Function, CRYPTO 2008, pages 433–450.CrossRefGoogle Scholar
  17. 17.
    Shrimpton, T., Stam, M.: Building a Collision-Resistant Compression Function from Non-Compressing Primitives. In: Aceto, L., Damgård, I., Goldberg, L.A., Halldórsson, M.M., Ingólfsdóttir, A., Walukiewicz, I. (eds.) ICALP 2008, Part II. LNCS, vol. 5126, pp. 643–654. Springer, Heidelberg (2008), Cryptology ePrint Archive: Report 2007/409CrossRefGoogle Scholar
  18. 18.
    Simon, D.R.: Finding Collisions on a One-Way Street: Can Secure Hash Functions Be Based on General Assumptions? In: Nyberg, K. (ed.) EUROCRYPT 1998. LNCS, vol. 1403, pp. 334–345. Springer, Heidelberg (1998)CrossRefGoogle Scholar
  19. 19.
    Wang, X., Yu, H.: How to break MD5 and Other Hash Functions. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 19–35. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  20. 20.
    Zuckerman, D.: Private communicationGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2009

Authors and Affiliations

  • Yevgeniy Dodis
    • 1
  • John Steinberger
    • 2
  1. 1.Department of Computer ScienceNew York UniversityUSA
  2. 2.Department of MathematicsUniversity of British ColumbiaCanada

Personalised recommendations