On the Efficiency of ZMAC-Type Modes

  • Yusuke Naito
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11124)


In this paper, we study the efficiency of \(\mathsf {ZMAC}\)-type message authentication codes (MACs). \(\mathsf {ZMAC}\) was proposed by Iwata et al. (CRYPTO 2017) and is a highly efficient and highly secure MAC based on a tweakable blockcipher (TBC). \(\mathsf {ZMAC}\) achieves the so-called beyond-birthday-bound security: security up to \(2^{\min \{b, (b+t)/2\}}\) TBC calls, using a TBC with the input-block space \(\{0,1\}^b\) and the tweak space \(\mathcal {TW}= \mathcal {I}\times \{0,1\}^t\), where \(\mathcal {I}\) is a set with \(|\mathcal {I}| = 5\) that is used for tweak separations. In the hash function, both the \(b\)-bit and the \(t\)-bit spaces are used to take message blocks (in previous MACs, only the \(b\)-bit input-block space is used). In the finalization function, a TBC is called twice, and these spaces are not used. List and Nandi (ToSC 2017, Issue 4) proposed \(\mathsf {ZMAC}^+\), a variant of \(\mathsf {ZMAC}\) in which one TBC call is removed from the finalization function. Although both the \(b\)-bit and \(t\)-bit spaces in the hash function are used to take message blocks, those in the finalization function are not used. That raises the following question, with the aim of improving the efficiency: can these spaces be used while retaining the same level of security as \(\mathsf {ZMAC}\)? In this paper, we consider the following three \(\mathsf {ZMAC}\)-type MACs.

  • \(\mathsf {ZMACb}\): only the \(b\)-bit space is used.

  • \(\mathsf {ZMACt}\): only the \(t\)-bit space is used.

  • \(\mathsf {ZMACbt}\): both the \(b\)-bit and \(t\)-bit spaces are used.

We show that none of the above MACs achieves the same level of security as \(\mathsf {ZMAC}(^+)\). Hence, \(\mathsf {ZMAC}^+\) is the most efficient MAC among the \(\mathsf {ZMAC}\)-type ones with \(2^{\min \{b, (b+t)/2\}}\)-security.

We next consider whether the tweak separations can be removed (i.e., whether \(\mathcal {I}\) can be used to take a message block), with the aim of improving the efficiency of \(\mathsf {ZMAC}^+\). Iwata et al. mentioned that the tweak separations can be removed by using distinct field multiplications such as multiplications by 3 and 7, but these render the implementation much more complex (note that in \(\mathsf {ZMAC}\), only field multiplications by 2 are used). For this problem, we show that the tweak separations can be removed without any field multiplications other than multiplications by 2; that is, all spaces \(\mathcal {TW}\) and \(\{0,1\}^b\) in the hash function can be used to take message blocks without such complex implementations.
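The following is an added illustration, not code from the paper, of the field-multiplication masking that the tweak-separation discussion above refers to: a doubling (multiplication by 2) in \(GF(2^n)\) for the \(b = 128\) and \(t = 64\) block sizes, the mask sequence \(2^i \cdot L\) that doubling alone generates, and the extra shift-and-XOR work that multiplications by 3 and 7 require on top of it. The reduction polynomials \(x^{128}+x^7+x^2+x+1\) and \(x^{64}+x^4+x^3+x+1\) are assumed (the usual choices in PMAC/OCB-style modes); the sample value of \(L\) is constructed.

```python
# Added example (not from the paper): GF(2^n) doubling as used for mask-based
# separation in ZMAC-style modes, and what "x3" / "x7" cost on top of it.
# Assumption: reduction polynomials x^128+x^7+x^2+x+1 (n=128) and
# x^64+x^4+x^3+x+1 (n=64); represented by their low-order bits below.
REDUCTION = {128: 0x87, 64: 0x1B}


def double(x, n):
    """Multiply the n-bit field element x (an int) by 2, i.e. by the polynomial x."""
    assert 0 <= x < (1 << n)
    x <<= 1
    if x >> n:  # top bit fell out: reduce modulo the field polynomial
        x = (x ^ REDUCTION[n]) & ((1 << n) - 1)
    return x


def mul_small(x, c, n):
    """Multiply x by a small constant c (e.g. 3 or 7) by shift-and-add.

    Each set bit of c costs one XOR, and each bit position costs one doubling:
    3*x = 2x ^ x, 7*x = 4x ^ 2x ^ x. This is the extra code path a "x3"/"x7"
    separation needs compared with plain doubling.
    """
    acc, cur = 0, x
    while c:
        if c & 1:
            acc ^= cur
        cur = double(cur, n)
        c >>= 1
    return acc


def doubling_masks(L, n, count):
    """The mask sequence 2^1*L, 2^2*L, ..., 2^count*L, one doubling per step."""
    masks, cur = [], L
    for _ in range(count):
        cur = double(cur, n)
        masks.append(cur)
    return masks


def all_distinct(values):
    """True iff no two masks collide (the property separation relies on)."""
    return len(set(values)) == len(values)


if __name__ == "__main__":
    L = 0x0123456789ABCDEF0123456789ABCDEF  # constructed sample mask
    masks = doubling_masks(L, 128, 64)
    print("64 doubling masks distinct:", all_distinct(masks))
    print("3*L == 2L ^ L:", mul_small(L, 3, 128) == masks[0] ^ L)
    print("7*L outside doubling sequence:", mul_small(L, 7, 128) not in masks)
```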


Keywords: MAC, Tweakable blockcipher, ZMAC, BBB-security


  1. Beierle, C., et al.: The SKINNY family of block ciphers and its low-latency variant MANTIS. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9815, pp. 123–153. Springer, Heidelberg (2016)
  2. Black, J., Rogaway, P.: A block-cipher mode of operation for parallelizable message authentication. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 384–397. Springer, Heidelberg (2002)
  3. Cogliati, B., Lee, J., Seurin, Y.: New constructions of MACs from (tweakable) block ciphers. IACR Trans. Symmetric Cryptol. 2017(2), 27–58 (2017)
  4. Datta, N., Dutta, A., Nandi, M., Paul, G., Zhang, L.: Single key variant of PMAC_Plus. IACR Trans. Symmetric Cryptol. 2017(4), 268–305 (2017)
  5. Iwata, T., Kurosawa, K.: OMAC: one-key CBC MAC. In: Johansson, T. (ed.) FSE 2003. LNCS, vol. 2887, pp. 129–153. Springer, Heidelberg (2003)
  6. Iwata, T., Minematsu, K., Peyrin, T., Seurin, Y.: ZMAC: a fast tweakable block cipher mode for highly secure message authentication. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10403, pp. 34–65. Springer, Cham (2017). IACR Cryptology ePrint Archive 2017, 535 (2017)
  7. Iwata, T., Seurin, Y.: Reconsidering the security bound of AES-GCM-SIV. IACR Trans. Symmetric Cryptol. 2017(4), 240–267 (2017)
  8. Jean, J., Nikolić, I., Peyrin, T.: Tweaks and keys for block ciphers: the TWEAKEY framework. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8874, pp. 274–288. Springer, Heidelberg (2014)
  9. JTC1: ISO/IEC 9797-1:1999 Information technology – Security techniques – Message Authentication Codes (MACs) – Part 1: Mechanisms using a block cipher (1999)
  10. Liskov, M., Rivest, R.L., Wagner, D.: Tweakable block ciphers. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 31–46. Springer, Heidelberg (2002)
  11. List, E., Nandi, M.: Revisiting full-PRF-secure PMAC and using it for beyond-birthday authenticated encryption. In: Handschuh, H. (ed.) CT-RSA 2017. LNCS, vol. 10159, pp. 258–274. Springer, Cham (2017)
  12. List, E., Nandi, M.: ZMAC+ - an efficient variable-output-length variant of ZMAC. IACR Trans. Symmetric Cryptol. 2017(4), 306–325 (2017)
  13. Mennink, B.: Optimally secure tweakable blockciphers. In: Leander, G. (ed.) FSE 2015. LNCS, vol. 9054, pp. 428–448. Springer, Heidelberg (2015)
  14. Minematsu, K., Iwata, T.: Tweak-length extension for tweakable blockciphers. In: Groth, J. (ed.) IMACC 2015. LNCS, vol. 9496, pp. 77–93. Springer, Cham (2015)
  15. Minematsu, K., Iwata, T.: Cryptanalysis of PMACx, PMAC2x, and SIVx. IACR Trans. Symmetric Cryptol. 2017(2), 162–176 (2017)
  16. Naito, Y.: Full PRF-secure message authentication code based on tweakable block cipher. In: Au, M.-H., Miyaji, A. (eds.) ProvSec 2015. LNCS, vol. 9451, pp. 167–182. Springer, Cham (2015)
  17. Naito, Y.: Blockcipher-based MACs: beyond the birthday bound without message length. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017, Part III. LNCS, vol. 10626, pp. 446–470. Springer, Cham (2017)
  18. Naito, Y.: Improved security bound of LightMAC_Plus and its single-key variant. In: Smart, N.P. (ed.) CT-RSA 2018. LNCS, vol. 10808, pp. 300–318. Springer, Cham (2018)
  19. Patarin, J.: The "Coefficients H" technique. In: Avanzi, R.M., Keliher, L., Sica, F. (eds.) SAC 2008. LNCS, vol. 5381, pp. 328–345. Springer, Heidelberg (2009)
  20. Rogaway, P.: Efficient instantiations of tweakable blockciphers and refinements to modes OCB and PMAC. In: Lee, P.J. (ed.) ASIACRYPT 2004. LNCS, vol. 3329, pp. 16–31. Springer, Heidelberg (2004)
  21. Yasuda, K.: The sum of CBC MACs is a secure PRF. In: Pieprzyk, J. (ed.) CT-RSA 2010. LNCS, vol. 5985, pp. 366–381. Springer, Heidelberg (2010)
  22. Yasuda, K.: A new variant of PMAC: beyond the birthday bound. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 596–609. Springer, Heidelberg (2011)

Copyright information

© Springer Nature Switzerland AG 2018

Authors and Affiliations

  1. Mitsubishi Electric Corporation, Kanagawa, Japan