
On the Efficiency of ZMAC-Type Modes

  • Yusuke Naito
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11124)

Abstract

In this paper, we study the efficiency of \(\mathsf {ZMAC}\)-type message authentication codes (MACs). \(\mathsf {ZMAC}\) was proposed by Iwata et al. (CRYPTO 2017) and is a highly efficient and highly secure MAC based on a tweakable blockcipher (TBC). \(\mathsf {ZMAC}\) achieves the so-called beyond-birthday-bound security: security up to \(2^{\min \{b, (b+t)/2\}}\) TBC calls, using a TBC with the input-block space \(\{0,1\}^b\) and the tweak space \(\mathcal {TW}= \mathcal {I}\times \{0,1\}^t\), where \(\mathcal {I}\) is a set with \(|\mathcal {I}| = 5\) that is used for tweak separations. In the hash function, both the \(b\)-bit and \(t\)-bit spaces are used to take message blocks (in previous MACs, only the \(b\)-bit input-block space is used). In the finalization function, the TBC is called twice, and these spaces are not used. List and Nandi (ToSC 2017, Issue 4) proposed \(\mathsf {ZMAC}^+\), a variant of \(\mathsf {ZMAC}\), in which one TBC call is removed from the finalization function. Although both the \(b\)-bit and \(t\)-bit spaces in the hash function are used to take message blocks, those in the finalization function are not used. That raises the following question, with the aim of improving the efficiency: can these spaces be used while retaining the same level of security as \(\mathsf {ZMAC}\)? In this paper, we consider the following three \(\mathsf {ZMAC}\)-type MACs.

  • \(\mathsf {ZMACb}\): only the \(b\)-bit space is used.

  • \(\mathsf {ZMACt}\): only the \(t\)-bit space is used.

  • \(\mathsf {ZMACbt}\): both the \(b\)-bit and \(t\)-bit spaces are used.

We show that none of the above MACs achieves the same level of security as \(\mathsf {ZMAC}(^+)\). Hence, \(\mathsf {ZMAC}^+\) is the most efficient MAC among the \(\mathsf {ZMAC}\)-type ones with \(2^{\min \{b, (b+t)/2\}}\)-security.

We next consider whether the tweak separations can be removed (i.e., \(\mathcal {I}\) can be used to take a message block), with the aim of improving the efficiency of \(\mathsf {ZMAC}^+\). Iwata et al. mentioned that the tweak separations can be removed by using distinct field multiplications such as multiplications by 3 and 7, but these render the implementation much more complex (note that in \(\mathsf {ZMAC}\), field multiplications by 2 are used). For this problem, we show that the tweak separations can be removed without the field multiplications except for the multiplications by 2, that is, all spaces \(\mathcal {TW}\) and \(\{0,1\}^b\) in the hash function can be used to take message blocks without such complex implementations.
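The last paragraph contrasts the field multiplication by 2 that ZMAC already uses with the multiplications by 3 and 7 that Iwata et al. mention as an alternative to tweak separation. The following added example (not code from the paper) implements doubling in GF(2^128) and expresses 3·L and 7·L in terms of it, so the relative cost is visible; it assumes the reduction polynomial x^128 + x^7 + x^2 + x + 1, which the page does not specify.

```python
# Added example (not from the paper): field doubling in GF(2^128), as used for
# mask sequences of the form 2^i * L, plus the multiplications by 3 and 7
# mentioned in the abstract. Assumption: reduction polynomial
# x^128 + x^7 + x^2 + x + 1; ZMAC's own instantiation is not given on the page.

B = 128
MASK = (1 << B) - 1
R = 0x87  # low-order bits of x^128 + x^7 + x^2 + x + 1

def mul2(L: int) -> int:
    """Multiply L by x (the constant '2'): one shift and a conditional XOR."""
    out = (L << 1) & MASK
    if L >> (B - 1):          # carry out of the top bit -> reduce
        out ^= R
    return out

def mul3(L: int) -> int:
    """3 = x + 1 in GF(2)[x], so 3*L = 2L xor L (one doubling, one XOR)."""
    return mul2(L) ^ L

def mul7(L: int) -> int:
    """7 = x^2 + x + 1, so 7*L = 4L xor 2L xor L (two doublings, two XORs)."""
    two = mul2(L)
    return mul2(two) ^ two ^ L

def mask_sequence(L: int, count: int) -> list:
    """Masks 2^i * L for i = 0..count-1, each obtained from the previous by one doubling."""
    seq, cur = [], L
    for _ in range(count):
        seq.append(cur)
        cur = mul2(cur)
    return seq

def all_distinct(L: int, count: int) -> bool:
    """True if the masks 2^i * L (i < count) are pairwise distinct, which mask-based
    separation of blocks relies on; L = 0 collapses the whole sequence."""
    return L != 0 and len(set(mask_sequence(L, count))) == count
```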

Keywords

MAC · Tweakable blockcipher · ZMAC · BBB-security

References

  1. Beierle, C., et al.: The SKINNY family of block ciphers and its low-latency variant MANTIS. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9815, pp. 123–153. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53008-5_5
  2. Black, J., Rogaway, P.: A block-cipher mode of operation for parallelizable message authentication. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 384–397. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-46035-7_25
  3. Cogliati, B., Lee, J., Seurin, Y.: New constructions of MACs from (tweakable) block ciphers. IACR Trans. Symmetric Cryptol. 2017(2), 27–58 (2017)
  4. Datta, N., Dutta, A., Nandi, M., Paul, G., Zhang, L.: Single key variant of PMAC_Plus. IACR Trans. Symmetric Cryptol. 2017(4), 268–305 (2017)
  5. Iwata, T., Kurosawa, K.: OMAC: one-key CBC MAC. In: Johansson, T. (ed.) FSE 2003. LNCS, vol. 2887, pp. 129–153. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-39887-5_11
  6. Iwata, T., Minematsu, K., Peyrin, T., Seurin, Y.: ZMAC: a fast tweakable block cipher mode for highly secure message authentication. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10403, pp. 34–65. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63697-9_2. IACR Cryptology ePrint Archive 2017, 535 (2017)
  7. Iwata, T., Seurin, Y.: Reconsidering the security bound of AES-GCM-SIV. IACR Trans. Symmetric Cryptol. 2017(4), 240–267 (2017)
  8. Jean, J., Nikolić, I., Peyrin, T.: Tweaks and keys for block ciphers: the TWEAKEY framework. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8874, pp. 274–288. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-45608-8_15
  9. JTC1: ISO/IEC 9797-1:1999 Information technology – Security techniques – Message Authentication Codes (MACs) – Part 1: Mechanisms using a block cipher (1999)
  10. Liskov, M., Rivest, R.L., Wagner, D.: Tweakable block ciphers. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 31–46. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-45708-9_3
  11. List, E., Nandi, M.: Revisiting full-PRF-secure PMAC and using it for beyond-birthday authenticated encryption. In: Handschuh, H. (ed.) CT-RSA 2017. LNCS, vol. 10159, pp. 258–274. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-52153-4_15
  12. List, E., Nandi, M.: ZMAC+ - an efficient variable-output-length variant of ZMAC. IACR Trans. Symmetric Cryptol. 2017(4), 306–325 (2017)
  13. Mennink, B.: Optimally secure tweakable blockciphers. In: Leander, G. (ed.) FSE 2015. LNCS, vol. 9054, pp. 428–448. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48116-5_21
  14. Minematsu, K., Iwata, T.: Tweak-length extension for tweakable blockciphers. In: Groth, J. (ed.) IMACC 2015. LNCS, vol. 9496, pp. 77–93. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-27239-9_5
  15. Minematsu, K., Iwata, T.: Cryptanalysis of PMACx, PMAC2x, and SIVx. IACR Trans. Symmetric Cryptol. 2017(2), 162–176 (2017)
  16. Naito, Y.: Full PRF-secure message authentication code based on tweakable block cipher. In: Au, M.-H., Miyaji, A. (eds.) ProvSec 2015. LNCS, vol. 9451, pp. 167–182. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-26059-4_9
  17. Naito, Y.: Blockcipher-based MACs: beyond the birthday bound without message length. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017, Part III. LNCS, vol. 10626, pp. 446–470. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70700-6_16
  18. Naito, Y.: Improved security bound of LightMAC_Plus and its single-key variant. In: Smart, N.P. (ed.) CT-RSA 2018. LNCS, vol. 10808, pp. 300–318. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-76953-0_16
  19. Patarin, J.: The “Coefficients H” technique. In: Avanzi, R.M., Keliher, L., Sica, F. (eds.) SAC 2008. LNCS, vol. 5381, pp. 328–345. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-04159-4_21
  20. Rogaway, P.: Efficient instantiations of tweakable blockciphers and refinements to modes OCB and PMAC. In: Lee, P.J. (ed.) ASIACRYPT 2004. LNCS, vol. 3329, pp. 16–31. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-30539-2_2
  21. Yasuda, K.: The sum of CBC MACs is a secure PRF. In: Pieprzyk, J. (ed.) CT-RSA 2010. LNCS, vol. 5985, pp. 366–381. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-11925-5_25
  22. Yasuda, K.: A new variant of PMAC: beyond the birthday bound. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 596–609. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-22792-9_34

Copyright information

© Springer Nature Switzerland AG 2018

Authors and Affiliations

  1. Mitsubishi Electric Corporation, Kanagawa, Japan
