
1 Introduction

Message Authentication Codes (MACs) aim to guarantee the authenticity and integrity of submitted messages. So, a receiver can successfully determine with high probability whether a given pair (m, t) of message and tag has been generated by the legitimate sender and has been transmitted correctly or not. MACs can be stateless deterministic, randomized, or stateful; in general, one also distinguishes nonce-based constructions where the sender is responsible for supplying a unique nonce for each message to be authenticated. Since cryptographically secure randomness can be expensive to obtain in various settings, our focus is on stateless and nonce-based constructions, hereafter.

While the primary goal of a MAC is unforgeability, indistinguishability from random bits can be a valuable replacement goal to evaluate the security. If tags are indistinguishable from random, they are also hard to forge.

The Wegman-Carter approach [34] is a popular and efficient paradigm for constructing secure MACs. There, a given message is first compressed with a universal hash function before the result is processed by a cryptographically secure random function. The initial approach added the hash \(h_{k'}(m)\) of a given message m to a key stream k to create a tag: \(t = h_{k'}(m) \oplus k\); in practice, the key stream is supposed to be computed as \(F(\nu )\) from some nonce \(\nu \) by a secure pseudorandom function F. In [33], Shoup replaced the function F with a permutation, addressing the fact that there exist a number of standardized and well-analyzed block ciphers. Bernstein later proved the security of Shoup’s construction, e.g., [3]. Bernstein’s well-known bound still ensures that the advantage of any adversary that asks \(2^{n/2}\) authentication queries [2] is bounded by \(1.7 q_v \ell /2^n\), where \(q_v\) is the number of verification queries and \(\ell \) is the maximal message length, usually in terms of elements of a ring or field used in h. Throughout this work, we adopt the common way of referring to security bounds that are negligible up to \(\mathcal {O} (2^{n/2})\) blocks or queries as n/2 bits of security.

Despite its simplicity, there exist two interesting directions of extending the Wegman-Carter construction. First, the nonce requirement is a well-known considerable risk: if a single nonce is repeated, the security of the construction may collapse completely since the hash-function key could leak. Secondly, even if nonces never repeat, its security is inherently limited by Bernstein’s birthday-type bound. Recent works showed that Bernstein’s bound is tight [21, 27], which means that the original construction cannot provide higher security.

An ongoing series of research aims to find constructions with higher security guarantees that retain some security also under nonce reuse. As one of the starting points, one could identify the proposal of the Encrypted Davies-Meyer (EDM) and the Encrypted Wegman-Carter Davies-Meyer (EWCDM) modes by Cogliati et al. [9]. While EDM is a PRP-to-PRF conversion method and therefore restricted to inputs of n bits length, EWCDM supports nonce-based authentication for variable-input-length messages as does the original Wegman-Carter construction. In EWCDM, a nonce \(\nu \) is first processed by the Davies-Meyer construction under a permutation \(\pi _1\); its result is XORed with the hash of a message m and the sum is encrypted under a second independent permutation: \(\pi _2(\pi _1(\nu ) \oplus \nu \oplus h_{k'}(m))\). EDM omits the hash and uses \(\nu \) as its only input. Its authors showed that both constructions provide at least 2n/3-bit security. Recently, Cogliati and Seurin [10] showed that one can use the same permutation twice in EDM while retaining 2n/3-bit security.

Mennink and Neves [23] improved on EWCDM. They proved almost full (i.e., n-bit) security for EDM and EWCDM and further showed full n-bit security of proposed dual constructions EDMD and EWCDMD. As a side effect, they made Patarin’s Mirror Theory [29,30,31] easier to grasp for a broader audience. Although Nandi [26] pointed out a slip in [23], which meant that the security of the nonce-based version of its dual, EWCDMD, is still limited by the birthday bound, the work by Mennink and Neves opened the gates for a wider study of possible constructions. At CRYPTO’18, Datta et al. [13] extended this direction by the Decrypted Wegman-Carter Davies-Meyer construction (DWCDM), a single-key variant of EWCDM that employs the permutation in both directions. The maximal security of their construction was capped by 2n/3 bits by design.

An alternative approach has been taken by Cogliati et al. [8]. They proposed four generic constructions based on the composition of universal hashing and a block cipher: Hash-as-Tweak (HaT), Nonce-as-Tweak (NaT), Hash-as-Key (HaK), and Nonce-as-Key (NaK). They proved n-bit security for all constructions in the ideal-permutation model (assuming a universal hash function). However, the former two constructions require a tweakable primitive, whereas the latter two require message-dependent rekeying.

We can identify four desiderata for interesting MACs based on permutations and universal hashing. In terms of security, the adversary’s advantage should remain negligible for \(\ell q \gg 2^{n/2}\). In terms of simplicity, the number of calls to the primitive(s) should be minimized. For efficiency, their calls should be parallelizable, and frequent rekeying should be avoided. Last but not least, they should support variable-length messages. So, in spite of recent advances, it remains an interesting question how one can generally achieve those aspects for stateless deterministic and/or nonce-based constructions.

Contribution. This work analyzes two constructions based on permutations and universal hashing using the Mirror Theory. Our first construction HPxNP is nonce-based, whereas our second, HPxHP, is stateless deterministic. We name them according to whether they employ a universal hash function (HP) or a nonce (NP) as inputs to the permutation. Figure 1 illustrates them schematically. We show that both modes provide \(\mathcal {O} (2n/3)\) bits of security asymptotically.

Fig. 1. Our proposed constructions. \(\pi _1\) and \(\pi _2\) represent two permutations over \(\{0,1\}^{n} \), \(h_1\) and \(h_2\) two universal hash functions, m a variable-length message, \(\nu \), \(\nu ^1\), and \(\nu ^2\) nonces of fixed length, and t the authentication tag.

Outline. Hereupon, we first cover briefly the necessary preliminaries used in this work, including a brief recap of Patarin’s Mirror Theory. Thereupon, Sect. 3 proposes our three constructions whose security is then analyzed in the subsequent Sects. 4 and 5. Section 6 concludes.

Remark 1

We note that the HPxHP construction is clearly not novel, but an abstraction of a variety of existing double-lane MACs, e.g., 3kf9 [37], GCM-SIV-2 [18], or PMAC \(^+\) [36]. However, in its abstract form, it has been studied by Datta et al. [11] (the same authors already had studied the construction in [12]) from a constructive view, or very recently by Leurent et al. [20] from an attacking view. More precisely, Leurent et al. [20] proposed a forgery attack with data complexity of \(\mathcal {O} (2^{3n/4})\) for such constructions. We also take the constructive view, so that our derived security bound is also inherently limited by the result by Leurent et al.; moreover, at the end of each analysis section, we further discuss the effect of using 4-wise independent hash functions for our constructions, with the positive result that the then-obtained security bounds render their result inapplicable and lead to higher security.

2 Preliminaries

General Notations. We use calligraphic uppercase letters \(\mathcal {X}, \mathcal {Y} \) for sets. We write \(\{0,1\}^{n} \) for the set of bit strings of length n, and denote the concatenation of binary strings x and y by \(x \,\Vert \, y\) and the result of their bitwise XOR by \(x \oplus y\). We write \(x \twoheadleftarrow \mathcal {X} \) to mean that x is chosen uniformly at random from the set \(\mathcal {X} \). We consider \(\mathsf {Func} (\mathcal {X}, \mathcal {Y})\) to be the set of all deterministic maps \(F: \mathcal {X} \rightarrow \mathcal {Y} \) and \(\mathsf {Perm} (\mathcal {X})\) to be the set of all permutations over \(\mathcal {X} \). Given an event E, we denote by \(\Pr [E]\) the probability of E. For two integers n, k with \(n \ge k \ge 1\), we denote the falling factorial as \(\left( n\right) _{k} \,{\mathop {=}\limits ^{\text {def}}} \, \prod _{i = 0}^{k-1} (n - i)\).

A (complexity-theoretic) distinguisher \(\mathbf {A}\) is an efficient adversary, i.e., an efficient Turing machine that is given access to a number of oracles \(\mathcal {O} \) which it can interact with. The task of \(\mathbf {A}\) is to distinguish between two worlds of oracles, one of which is chosen at the beginning of the experiment uniformly at random. After its interaction, \(\mathbf {A}\) outputs a bit that represents a guess of the world that \(\mathbf {A}\) interacted with. The distinguishing advantage between a real world \(\mathcal {P} \) and an ideal world \(\mathcal {O} \) is given by \(\mathop {\Delta }\nolimits _{\mathbf {A}}\left( {\mathcal {P}}, {\mathcal {O}}\right) \,{\mathop {=}\limits ^{\text {def}}} \,\left| \Pr \left[ \mathbf {A} ^{\mathcal {P}} \Rightarrow 1 \right] - \Pr \left[ \mathbf {A} ^{\mathcal {O}} \Rightarrow 1 \right] \right| \). Throughout this work, we consider information-theoretic distinguishers, i.e., distinguishers that are computationally unbounded, and that are limited only by the number of queries they can ask to their available oracles. We assume that distinguishers do not ask duplicate queries or queries to which they already can compute the answer themselves from earlier queries, as is common. W.l.o.g., we limit our interest to deterministic distinguishers since for each probabilistic distinguisher, there exists a deterministic one with equal advantage that fixes a random tape beforehand (cf. [1, 7]). We briefly recall the definitions for the advantage of distinguishing a construction from a random function (PRF) and a random permutation (PRP), respectively.

Definition 1

(PRF Advantage). Let \(\mathcal {K} \), \(\mathcal {X} \), and \(\mathcal {Y} \) be non-empty sets and let \(F: \mathcal {K} \times \mathcal {X} \rightarrow \mathcal {Y} \) and \(\rho \twoheadleftarrow \mathsf {Func} (\mathcal {X}, \mathcal {Y})\) and \(k \twoheadleftarrow \mathcal {K} \). Then, the PRF advantage of \(\mathbf {A}\) w.r.t. F is defined as \(\mathbf {{Adv}}^{\textsc {PRF}}_{F}(\mathbf {A}) \,{\mathop {=}\limits ^{\text {def}}} \, \mathop {\Delta }\nolimits _{\mathbf {A}}\left( {F_k}, {\rho }\right) \).

A keyed permutation \(E: \mathcal {K} \times \mathcal {X} \rightarrow \mathcal {X} \) is a family of permutations over \(\mathcal {X} \) indexed by a key \(K \in \mathcal {K} \).

Definition 2

(PRP Advantage). Let \(\mathcal {K} \) and \(\mathcal {X} \) be non-empty sets, \(E: \mathcal {K} \times \mathcal {X} \rightarrow \mathcal {X} \) be a keyed permutation, and let \(\pi \twoheadleftarrow \mathsf {Perm} (\mathcal {X})\) and \(k \twoheadleftarrow \mathcal {K} \). Then, the PRP advantage of \(\mathbf {A}\) w.r.t. E is defined as \(\mathbf {{Adv}}^{\textsc {PRP}}_{E_k}(\mathbf {A})\,{\mathop {=}\limits ^{\text {def}}} \,\mathop {\Delta }\nolimits _{\mathbf {A}}\left( {E_k}, {\pi }\right) \).

To recall the necessary definitions for universal hashing, let \(\mathcal {X} \) and \(\mathcal {Y} \) denote two non-empty sets, and \(\mathcal {H} = \{ h : \mathcal {X} \rightarrow \mathcal {Y} \}\) be a family of hash functions h.

Definition 3

(Almost-Universal Hash Function [5]). We say that \(\mathcal {H} \) is \(\varepsilon \)-almost-universal (\(\varepsilon \)-AU) if, for all distinct \(x, x' \in \mathcal {X} \), it holds that .

Almost-XOR-universal hash functions were introduced in [19]; the term, however, is due to Rogaway [32].

Definition 4

(Almost-XOR-Universal Hash Function [19, 32]). Here, let \(\mathcal {Y} \subseteq \{0,1\}^{n} \) for some positive integer n. We say that \(\mathcal {H} \) is \(\varepsilon \)-almost-XOR-universal (\(\varepsilon \)-AXU) if, for all distinct \(x, x' \in \mathcal {X} \) and arbitrary \(\Delta \in \mathcal {Y} \), it holds that \(\Pr _{h \twoheadleftarrow \mathcal {H}}[ h(x) \oplus h(x') = \Delta ] \le \varepsilon \).

Definition 5

(k-wise Independence [35]). We say that \(\mathcal {H} \) is k-independent if, for all pair-wise distinct \(x_1, \ldots , x_k \in \mathcal {X} \) and all \((y_1, \ldots , y_k) \in \mathcal {Y} ^k\), it holds that \(\Pr _{h \twoheadleftarrow \mathcal {H}}[ h(x_i) = y_i, \text { for } 1 \le i \le k ] = 1/|\mathcal {Y} |^k\).

2.1 H-Coefficient Technique

The H-coefficients technique is a proof method due to Patarin, where we consider the variant by Chen and Steinberger [7, 28]. The results of the interaction of an adversary \(\mathbf {A}\) with its oracles are collected in a transcript \(\tau \). The oracles can sample randomness prior to the interaction (often a key or an ideal primitive that is sampled beforehand), and are then deterministic throughout the experiment [7]. The task of \(\mathbf {A}\) is to distinguish the real world \(\mathcal {O} _{\text {real}} \) from the ideal world \(\mathcal {O} _{\text {ideal}} \). Let \(\varTheta _{\text {real}} \) and \(\varTheta _{\text {ideal}} \) denote the distribution of transcripts in the real and the ideal world, respectively. A transcript \(\tau \) is called attainable if the probability to obtain \(\tau \) in the ideal world – i.e. over \(\varTheta _{\text {ideal}} \) – is non-zero. Then, the fundamental Lemma of the H-coefficients technique, the proof to which is given in [7, 28], states:

Lemma 1

(Fundamental Lemma of the H-coefficient Technique [28]).

Assume that the set of attainable transcripts can be partitioned into two disjoint sets GoodT and BadT. Further assume that there exist \(\epsilon _1, \epsilon _2 \ge 0\) such that for any transcript \(\tau \in \textsf {GoodT} \), it holds that

$$\begin{aligned} \frac{\Pr \left[ \varTheta _{\text {real}} = \tau \right] }{\Pr \left[ \varTheta _{\text {ideal}} = \tau \right] }&\ge 1 - \epsilon _1, \quad \text { and } \quad \Pr \left[ \varTheta _{\text {ideal}} \in \textsf {BadT} \right] \le \epsilon _2. \end{aligned}$$

Then, for all adversaries \(\mathbf {A}\), it holds that \(\mathop {\Delta }\nolimits _{\mathbf {A}}\left( {\mathcal {O} _{\text {real}}}, {\mathcal {O} _{\text {ideal}}}\right) \le \epsilon _1 + \epsilon _2\).

2.2 Mirror Theory

We will combine the H-coefficient technique with Patarin’s Mirror Theory, which allows us to lower bound the number of solutions compatible with a good transcript; from this number, the ratio of real-world to ideal-world probabilities of a good transcript follows. In the following, we recall the necessary definitions of the Mirror Theory according to [23], which followed Patarin [29, 30].

Remark 2

Mirror Theory became popular to a broader audience after its reformulation by Mennink and Neves [23]. While the core ideas are not difficult to understand, the proof by Patarin in [29] employed a recursive argument that has been subject to intensive debates in the past, cf. [13, 23]. The correctness of the argument for the first recursion has been established, where Patarin showed \(\mathcal {O} (2n/3)\) bits of security for the sum of permutations [29]. Patarin’s proof had to approximate the second recursion; a full proof would have to continue for many further recursions with an exponential number of cases, which seems a highly sophisticated task. Clearly, it is out of scope of this work. Instead of relying on the assumptions of the full Mirror Theory, we follow the line of, e.g., [13, 22] and do not use it for full n-bit security. In this work, we require only up to \(\mathcal {O} (2n/3)\) bits of security and thus effectively rely only on the first recursion.

Mirror theory evaluates the number of possible solutions to a system of affine equations of the form \(P_{a_i} \oplus P_{b_i} = \lambda _i\) in a finite group. Let \(q \ge 1\) denote a number of equations and \(r \ge 1\) a number of unknowns. Let \(\mathcal {P} = \{P_1, \ldots , P_r\}\) represent the set of r distinct unknowns and consider an equation system

$$\begin{aligned} \mathcal {E} = \left\{ P_{a_1} \oplus P_{b_1} = \lambda _1, \ldots , P_{a_q} \oplus P_{b_q} = \lambda _q \right\} , \end{aligned}$$

where \(a_i, b_i\) for \(1 \le i \le q\) are mapped to \(\{1, \ldots , r\}\) by a surjective index map \(\varphi : \{a_1, b_1, \ldots , a_q, b_q\} \rightarrow \{1, \ldots , r\}\). Given a subset of equations \(\mathcal {I} \subseteq \{1, \ldots , q\}\), the multiset \(\mathcal {M} _{\mathcal {I}}\) is defined as \(\mathcal {M} _{\mathcal {I}} = \bigcup _{i \in \mathcal {I}} \{ \varphi (a_i), \varphi (b_i)\}\).

Definition 6

(Circle-freeness). An equation system \(\mathcal {E} \) is circle-free if there exists no subset of indices \(\mathcal {I} \subseteq \{1, \ldots , q\}\) of equations s.t. \(\mathcal {M} _{\mathcal {I}}\) has even multiplicity elements only.

So, no linear combination of equations is independent of the unknowns.

Definition 7

(Block-maximality). Let \(\mathcal {Q} _1 \sqcup \ldots \sqcup \mathcal {Q} _s = \{1, \ldots , r\}\) be a partitioning of the r indices into s minimal so-called blocks s.t. for all equation indices \(i \in \{1, \ldots , q\}\), there exists a single block index \(\ell \in \{1, \ldots , s\}\) s.t. the unknowns of the i-th equation are contained in only this block: \(\{\varphi (a_i), \varphi (b_i)\} \subseteq \mathcal {Q} _{\ell }\). Then, the system of equations \(\mathcal {E} \) is called \(\xi \)-block-maximal for \(\xi \ge 2\) if there exists no \(i \in \{1, \ldots , s\}\) s.t. \(|\mathcal {Q} _{i}| > \xi \).

So, the unknowns can be partitioned into blocks of size at most \(\xi + 1\) if \(\mathcal {E} \) is \(\xi \)-block-maximal.

Definition 8

(Non-degeneracy). A system of equations \(\mathcal {E} \) is non-degenerate iff there is no \(\mathcal {I} \subseteq \{1, \ldots , q\}\) s.t. \(\mathcal {M} _{\mathcal {I}}\) has exactly two odd multiplicity elements and \(\bigoplus _{i \in \mathcal {I}} \lambda _i = 0\).

So, an equation system is non-degenerate if there is no linear combination of one or more equations that implies \(P_i = P_j\) for distinct i, j and \(P_i, P_j \in \mathcal {P} \). The central theorem of Patarin’s Mirror Theory is then Theorem 2 in [23], which itself is a brief form of Theorem 6 in [29].

Theorem 1

(Mirror Theorem [23]). Let \(\xi \ge 2\). Let \(\mathcal {E} \) be a system of equations over the unknowns \(\mathcal {P} \) that is (i) circle-free, (ii) \(\xi \)-block-maximal, and (iii) non-degenerate. Then, as long as \((\xi - 1)^2 \cdot r \le 2^n/67\), the number of solutions s.t. \(P_i \ne P_j\) for all pairwise distinct \(i, j \in \{1, \ldots , r\}\) is at least

$$\begin{aligned} \frac{(2^n)_r}{(2^n)^q}. \end{aligned}$$

A proof sketch is given in [23, Appendix A], and the details in [29]. An updated proof had been given in [25].

Mennink and Neves described a relaxation in which the condition that two unknowns \(P_a\) and \(P_b\) must differ whenever a and b differ is weakened so that distinct unknowns must be pairwise distinct only inside their blocks. So, for a given partitioning \(\{1, \ldots , r\} = \bigcup _{i = 1}^{s} \mathcal {R} _i\), it must hold that \(P_a \ne P_b\) for \(a \ne b\) only when \(a, b \in \mathcal {R} _j\) for some \(j \in \{1, \ldots , s\}\).

Definition 9

(Relaxed Non-degeneracy). An equation system \(\mathcal {E} \) is relaxed non-degenerate w.r.t. the partitioning \(\{1, \ldots , r\} = \bigcup _{i = 1}^{s} \mathcal {R} _i\) iff there is no \(\mathcal {I} \subseteq \{1, \ldots , q\}\) s.t. \(\mathcal {M} _{\mathcal {I}}\) has exactly two odd multiplicity elements, both lying in the same set \(\mathcal {R} _j\) for some \(j \in \{1, \ldots , s\}\), and \(\bigoplus _{i \in \mathcal {I}} \lambda _i = 0\).

In their Theorem 3, [23] extended Theorem 1 to the following relaxed form:

Theorem 2

(Relaxed Mirror Theorem [23]). Let \(\xi \ge 2\) and \(\mathcal {E} \) be a system of equations over the unknowns \(\mathcal {P} \) that is (i) circle-free, (ii) \(\xi \)-block-maximal, and (iii) relaxed non-degenerate w.r.t. the partitioning \(\{1, \ldots , r\} = \bigcup _{i = 1}^{s} \mathcal {R} _i\). Then, as long as \((\xi - 1)^2 \cdot r \le 2^n/67\), the number of solutions s.t. \(P_a \ne P_b\) for all distinct \(a, b \in \mathcal {R} _j\), for all \(1 \le j \le s\), is at least

$$\begin{aligned} \frac{\textsf {NonEq} (\mathcal {R} _1, \ldots , \mathcal {R} _s; \mathcal {E})}{(2^n)^q}, \end{aligned}$$

where \(\textsf {NonEq} (\mathcal {R} _1, \ldots , \mathcal {R} _s; \mathcal {E})\) is the number of solutions to \(\mathcal {P} \) that satisfy \(P_a \ne P_b\) for all \(a, b \in \mathcal {R} _j\) for all \(1 \le j \le s\) as well as all inequalities by \(\mathcal {E} \).

Mennink and Neves stress that the relaxed Theorem 2 is equivalent to Theorem 1 for \(s = 1\), i.e., when the equation system consists of a single block. Moreover, the number of solutions that are covered in the term \(\textsf {NonEq} (\mathcal {R} _1, \ldots , \mathcal {R} _s; \mathcal {E})\) can be lower bounded by \((2^n)_{|\mathcal {R} _1|} \cdot \prod _{i = 2}^{s} \left( 2^n - (\xi - 1)\right) _{|\mathcal {R} _i|}\) since every variable is in exactly one block which imposes at most \(\xi - 1\) additional inequalities to the other unknowns in its block.
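As an added worked example (not part of the paper), the following Python code checks the three Mirror-Theory conditions of Definitions 6 through 9 on a small equation system: circle-freeness by enumerating subsets of equations and their multisets \(\mathcal {M} _{\mathcal {I}}\), block-maximality by computing the minimal blocks as connected components, and (relaxed) non-degeneracy with an optional partitioning \(\mathcal {R} _1, \ldots , \mathcal {R} _s\). It also brute-forces the number of pairwise-distinct solutions for a toy system and evaluates the quantity \((2^n)_r/(2^n)^q\) from Theorem 1. The toy systems, the unknown indices (already mapped through \(\varphi \)) and the tiny parameter \(n = 3\) are constructed for this example; at this size the precondition \((\xi - 1)^2 r \le 2^n/67\) of Theorems 1 and 2 is not met, so the comparison only illustrates the quantities involved, not the theorem itself.

```python
from itertools import combinations, product

# An equation system E is a list of (a, b, lam) meaning P[a] XOR P[b] == lam, where
# a, b are unknown indices in range(r) (already mapped through phi) and lam is n-bit.

def odd_multiplicity_elements(eqs, subset):
    """Elements of the multiset M_I (Sect. 2.2) that occur an odd number of times."""
    counts = {}
    for i in subset:
        a, b, _ = eqs[i]
        counts[a] = counts.get(a, 0) + 1
        counts[b] = counts.get(b, 0) + 1
    return {v for v, c in counts.items() if c % 2 == 1}

def nonempty_subsets(q):
    for size in range(1, q + 1):
        yield from combinations(range(q), size)

def is_circle_free(eqs):
    """Definition 6: no subset of equations has a multiset M_I with only even multiplicities."""
    return all(odd_multiplicity_elements(eqs, s) for s in nonempty_subsets(len(eqs)))

def blocks(eqs, r):
    """Minimal partition of the r unknowns such that every equation lies inside one block
    (Definition 7): the connected components of the graph with one edge per equation."""
    parent = list(range(r))
    def find(v):
        while parent[v] != v:
            parent[v] = parent[parent[v]]
            v = parent[v]
        return v
    for a, b, _ in eqs:
        parent[find(a)] = find(b)
    groups = {}
    for v in range(r):
        groups.setdefault(find(v), set()).add(v)
    return sorted(groups.values(), key=min)

def is_block_maximal(eqs, r, xi):
    """Definition 7: no block contains more than xi unknowns."""
    return all(len(block) <= xi for block in blocks(eqs, r))

def is_non_degenerate(eqs, partition=None):
    """Definition 8 (partition=None) or Definition 9 (partition = list of sets R_j):
    no subset of equations XORs to lam = 0 while leaving exactly two unknowns with odd
    multiplicity, which would force P_a == P_b. In the relaxed form only pairs that lie
    in the same R_j count."""
    for s in nonempty_subsets(len(eqs)):
        odd = odd_multiplicity_elements(eqs, s)
        if len(odd) != 2:
            continue
        lam = 0
        for i in s:
            lam ^= eqs[i][2]
        if lam != 0:
            continue
        a, b = odd
        if partition is None or any(a in R and b in R for R in partition):
            return False
    return True

def count_distinct_solutions(eqs, r, n):
    """Brute force: assignments of n-bit values to the r unknowns that satisfy E
    and are pairwise distinct (the count Theorem 1 lower-bounds)."""
    total = 0
    for P in product(range(1 << n), repeat=r):
        if len(set(P)) == r and all(P[a] ^ P[b] == lam for a, b, lam in eqs):
            total += 1
    return total

def mirror_lower_bound(r, q, n):
    """The quantity (2^n)_r / (2^n)^q from Theorem 1."""
    falling = 1
    for i in range(r):
        falling *= (1 << n) - i
    return falling / (1 << n) ** q

# Constructed toy systems over r = 3 unknowns with n = 3 bits (far below the size
# condition of Theorem 1; they only exercise the definitions).
CHAIN = [(0, 1, 1), (1, 2, 2)]                 # P0^P1 = 1, P1^P2 = 2: one block of size 3
TRIANGLE = [(0, 1, 1), (1, 2, 2), (0, 2, 3)]   # the three equations cancel: a circle
DEGENERATE = [(0, 1, 5), (1, 2, 5)]            # XOR of both equations forces P0 == P2

if __name__ == "__main__":
    print("circle-free:", is_circle_free(CHAIN), is_circle_free(TRIANGLE))
    print("blocks:", blocks(CHAIN, 3), "3-block-maximal:", is_block_maximal(CHAIN, 3, 3))
    print("non-degenerate:", is_non_degenerate(DEGENERATE),
          "relaxed w.r.t. singletons:", is_non_degenerate(DEGENERATE, [{0}, {1}, {2}]))
    print("solutions:", count_distinct_solutions(CHAIN, 3, 3),
          "bound:", mirror_lower_bound(3, 2, 3))
```

The relaxed check with singleton blocks returns true for the degenerate system because the two odd-multiplicity unknowns \(P_0\) and \(P_2\) then sit in different sets \(\mathcal {R} _j\) and are allowed to coincide, which is exactly the freedom Definition 9 grants; in the HPxNP proof below, the two sets are the outputs of \(\pi _1\) and of \(\pi _2\).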

Remark 3

We consider PRF security in the information-theoretic setting, similar to [23]. The underlying permutations are secret and assumed to be drawn uniformly at random from \(\mathsf {Perm} (\{0,1\}^{n})\). Our results generalize to the complexity-theoretic setting where the permutations \(\pi _1\) and \(\pi _2\) will be instantiated with a block cipher E under independent random secret keys \(k_1\) and \(k_2\), \(E_{k_1}\) and \(E_{k_2}\), respectively. The bounds from this paper can be easily adapted to the complexity-theoretic setting by adding a term of \(2 \cdot \mathbf {{Adv}}^{\textsc {PRP}}_{E_{k}}(q)\). The term refers to twice the maximal advantage for an adversary \(\mathbf {A} '\) to distinguish \(E: \mathcal {K} \times \{0,1\}^{n} \rightarrow \{0,1\}^{n} \) keyed with a random key \(k \twoheadleftarrow \mathcal {K} \) from a random permutation \(\pi \), where \(\mathbf {A} '\) asks at most q queries. Note that we employ only the forward direction of the permutation; so, PRP security suffices.

3 Constructions

Let \(n \ge 1\) be a positive integer, and let \(\mathcal {K} \) denote a non-empty set. Let \(\pi _1, \pi _2 \twoheadleftarrow \mathsf {Perm} (\{0,1\}^{n})\) be independently uniformly at random sampled permutations over n-bit strings. Let \(\mathcal {H} = \{ h \;|\; h: \{0,1\}^{*} \rightarrow \{0,1\}^{n} \}\) be a family of \(\varepsilon _1\)-AXU hash functions; for HPxHP, we will define and use instead \(\mathcal {H} _1 = \{ h_1 \;|\; h_1: \{0,1\}^{*} \rightarrow \{0,1\}^{n} \}\) as a family of \(\varepsilon _1\)-AU hash functions, and \(\mathcal {H} _2 = \{ h_2 \;|\; h_2 : \{0,1\}^{*} \rightarrow \{0,1\}^{n} \}\) as a family of \(\varepsilon _2\)-AU hash functions. We require the hash functions to be sampled independently uniformly at random, which is usually realized by sampling hash keys independently uniformly at random.

Our first, nonce-based construction, HPxNP, is illustrated in Fig. 1a. It shares similarities with Minematsu’s Enhanced Hash-then-Mask construction [24] that had been analyzed further in [14, 15]; however, Minematsu’s construction used a function instead of a permutation and a per-message random IV. In this construction, the message is hashed to an n-bit value \(u := h(m)\). For this construction, we need \(\mathcal {H} \) to be an \(\varepsilon \)-almost-XOR-universal family of hash functions. An n-bit nonce \(\nu \) is XORed to the hash u to obtain \(v := u \oplus \nu \); v and \(\nu \) serve as inputs to the two calls to the permutations \(\pi _1\) and \(\pi _2\), respectively, and yield \(x := \pi _1(v)\) and \(y := \pi _2(\nu )\). Finally, the outputs of the permutation calls are XORed and released as the authentication tag: \(t := x \oplus y\).

Our second construction, HPxHP, is illustrated in Fig. 1b. It consists of two parallel invocations of the hash functions \(h_1 \in \mathcal {H} _1\) and \(h_2 \in \mathcal {H} _2\) on the input message \(m \in \{0,1\}^{*} \), which yield two n-bit values u and v. Those serve as inputs to the two calls to the permutations \(\pi _1\) and \(\pi _2\), respectively, and yield \(x := \pi _1(u)\) and \(y := \pi _2(v)\). Finally, the outputs of the permutation calls are XORed and released as the authentication tag: \(t := x \oplus y\).

In practice, the permutations \(\pi _1\) and \(\pi _2\) will be instantiated with a secure block cipher E under two independent keys \(k_1\) and \(k_2\). An intuitive choice for the hash function is, for example, polynomial hashing. Let \(\mathbb {F} _{2^n}\) be the Galois Field \(GF(2^n)\) with a fixed primitive polynomial \(p(\texttt {x})\). For \(n = 128\), the GCM polynomial \(p(\texttt {x}) = \texttt {x} ^{128} + \texttt {x} ^7 + \texttt {x} ^2 + \texttt {x} + \texttt {1} \) is a usual choice. The hash function is instantiated by sampling a hash key \(k \twoheadleftarrow \mathbb {F} _{2^n}\). Given k and a message \(m \in (\mathbb {F} _{2^n})^\ell \) of \(\ell \) blocks \(m_i\), \(1 \le i \le \ell \), polynomial hashing is then defined as the sum of

$$\begin{aligned} h_k(m)&{\mathop {=}\limits ^{\text {def}}} \sum _{i = 1}^{\ell } k^{\ell + 1 - i} \cdot m_i, \end{aligned}$$

where additions and multiplications are in \(\mathbb {F} _{2^n}\). It is well-known that, for messages of at most \(\ell \) blocks (after padding), polynomial hashing is \(\ell /2^{n}\)-AXU and \(\ell /2^{n}\)-AU. Note that polynomial hashing requires an injective padding to prevent trivial hash collisions; a \(10^*\)-padding works, but may extend messages by a block.

While the sum of a polynomial hash is sequential, computing the individual terms on a few cores in parallel is a well-known technique, at the cost of storing multiple powers of the hash key. For instance, optimized instances of GCM parallelize the computations of four (or eight) subsequent blocks \(k^4 \cdot m_i\), \(k^3 \cdot m_{i + 1}\), \(k^{2} \cdot m_{i + 2}\), and \(k \cdot m_{i + 3}\), before their results are summed, reduced by the modulus, and added to the sum of the previous blocks \(\sum _{j = 1}^{i - 1} k^{j} m_j\) [16, 17]. Thus, several hash multiplications, or two hash-function calls, or hashing and computing a permutation are efficiently parallelizable as long as the platform is not too resource-restricted. Note that a number of related hash functions exist with similar security properties; pseudo-dot-product hashing, BRW hashing, or combined approaches such as [6] can halve the number of necessary multiplications, and provide similar parallelizability. We refer the interested reader to an overview by Bernstein [4].
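The following Python code is an added example (not the paper's own implementation) of the two constructions of this section with the polynomial hash described above: multiplication in \(\mathbb {F} _{2^{128}}\) modulo the GCM polynomial, \(10^*\)-padding, \(h_k(m)\) evaluated by Horner's rule, and the tag computations \(t = \pi _1(h(m) \oplus \nu ) \oplus \pi _2(\nu )\) (HPxNP) and \(t = \pi _1(h_1(m)) \oplus \pi _2(h_2(m))\) (HPxHP). Two things are assumptions of this example: the field elements use the plain coefficient-of-\(\texttt {x} ^i\)-in-bit-i representation rather than GCM's reflected bit order, and the permutations \(\pi _1, \pi _2\) are a toy 4-round Feistel network with a SHA-256 round function, which is a keyed permutation of 128-bit strings but not a vetted block cipher; a deployment would put AES under two independent keys there. The keys are fixed constructed values so that the run is reproducible.

```python
import hashlib
import hmac

N = 128
MASK = (1 << N) - 1
BLOCK = 16
# GCM polynomial x^128 + x^7 + x^2 + x + 1; bit i of an element holds the coefficient
# of x^i (assumption of this example: plain order, not GCM's reflected bit order).
REDUCTION = 0x87

def gf_mul(a: int, b: int) -> int:
    """Shift-and-add multiplication in GF(2^128) modulo the polynomial above."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        b >>= 1
        carry = a >> (N - 1)
        a = (a << 1) & MASK
        if carry:
            a ^= REDUCTION
    return result

def pad10(msg: bytes) -> bytes:
    """Injective 10*-padding to a multiple of 16 bytes; always appends at least one byte."""
    msg += b"\x80"
    return msg + b"\x00" * (-len(msg) % BLOCK)

def poly_hash(key: int, msg: bytes) -> int:
    """h_k(m) = sum_{i=1}^{l} k^{l+1-i} * m_i over GF(2^128), evaluated by Horner's rule:
    ((m_1 * k + m_2) * k + ...) * k, so the highest power multiplies the first block."""
    acc = 0
    padded = pad10(msg)
    for i in range(0, len(padded), BLOCK):
        m_i = int.from_bytes(padded[i:i + BLOCK], "big")
        acc = gf_mul(acc ^ m_i, key)
    return acc

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def toy_permutation(key: bytes, block: bytes) -> bytes:
    """Stand-in for pi_1 / pi_2 (assumption of this example): a 4-round Feistel network
    over 128 bits with a SHA-256 round function. It is a keyed permutation, so the
    construction's shape is exact, but it is NOT a vetted block cipher; use AES instead."""
    left, right = block[:8], block[8:]
    for rnd in range(4):
        f = hashlib.sha256(key + bytes([rnd]) + right).digest()[:8]
        left, right = right, xor_bytes(left, f)
    return left + right

def hpxnp_tag(k_h: int, k1: bytes, k2: bytes, nonce: bytes, msg: bytes) -> bytes:
    """HPxNP (Fig. 1a): t = pi_1(h(m) XOR nu) XOR pi_2(nu); nu must be unique per message."""
    if len(nonce) != BLOCK:
        raise ValueError("nonce must be n = 128 bits")
    u = poly_hash(k_h, msg).to_bytes(BLOCK, "big")
    v = xor_bytes(u, nonce)
    return xor_bytes(toy_permutation(k1, v), toy_permutation(k2, nonce))

def hpxhp_tag(k_h1: int, k_h2: int, k1: bytes, k2: bytes, msg: bytes) -> bytes:
    """HPxHP (Fig. 1b): t = pi_1(h_1(m)) XOR pi_2(h_2(m)); stateless and deterministic."""
    u = poly_hash(k_h1, msg).to_bytes(BLOCK, "big")
    v = poly_hash(k_h2, msg).to_bytes(BLOCK, "big")
    return xor_bytes(toy_permutation(k1, u), toy_permutation(k2, v))

def verify_hpxhp(k_h1: int, k_h2: int, k1: bytes, k2: bytes, msg: bytes, tag: bytes) -> bool:
    """Recompute the tag and compare in constant time."""
    return hmac.compare_digest(hpxhp_tag(k_h1, k_h2, k1, k2, msg), tag)

# Constructed fixed keys for a reproducible run; real hash keys are sampled uniformly
# from GF(2^128) and the two permutation keys independently at random.
K_H1 = int.from_bytes(bytes(range(1, 17)), "big")
K_H2 = int.from_bytes(bytes(range(17, 33)), "big")
K_1 = b"permutation-key-1"
K_2 = b"permutation-key-2"

if __name__ == "__main__":
    msg = b"constructed sample message"
    nonce = (1).to_bytes(BLOCK, "big")
    print("HPxNP tag:", hpxnp_tag(K_H1, K_1, K_2, nonce, msg).hex())
    tag = hpxhp_tag(K_H1, K_H2, K_1, K_2, msg)
    print("HPxHP tag:", tag.hex(), "verifies:", verify_hpxhp(K_H1, K_H2, K_1, K_2, msg, tag))
```

Horner evaluation returns \(m_1 k^{\ell } + \cdots + m_{\ell } k\) exactly as in the formula above, and the padding appends a full block when the message is already block-aligned, which is the one-block extension mentioned in the text.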

4 Security Analysis of HPxNP

First, we consider the construction HPxNP. Patarin’s approach [29] allows us to obtain a bound of \(\mathcal {O} (2n/3)\) bits of security. At the end of this section, we discuss the implications of considering \(\xi _{\text {average}}\) instead, as was also suggested ibidem.

Theorem 3

Let \(n \ge 1, \xi \ge 2\) be integers, and \(\mathcal {H} = \{ h \,|\,h: \{0,1\}^{*} \rightarrow \{0,1\}^{n} \}\) be a family of \(\varepsilon \)-AXU hash functions with \(h \twoheadleftarrow \mathcal {H} \). For any nonce-respecting PRF distinguisher \(\mathbf {A}\) that asks at most \(q \le 2^n/(67\xi ^2)\) queries, it holds that

Note that in this case, the optimal choice of \(\xi \) to obtain the best bound is \(2^{n/6}\), assuming that \(\varepsilon \in \mathcal {O} (2^{-n})\). Then, the bound in Theorem 3 is dominated by the first term of \(\mathcal {O} (q^2/2^{4n/3} + q^2/2^{2n} + q/2^n)\), while the number of queries is allowed to be \(q \le 2^{2n/3}\). Other values for \(\xi \) reduce either the security bound or the number of queries.

The remainder of this section is devoted to showing Theorem 3. Here, \(\mathbf {A}\) makes q construction queries \((\nu _i, m_i)\), for \(1 \le i \le q\), that are stored together with the query results \(t_i\) in a transcript \(\tau = \{(\nu _1, m_1, t_1), \ldots , (\nu _q, m_q, t_q)\}\). In both worlds, the oracle samples h at the start uniformly at random from all hash instances. \(\mathbf {A}\) sees the results \(t_i\) after each query. We use a common method to alleviate the proof: after the adversary finished its interaction with the oracle, but before outputting its final decision bit, \(\mathbf {A}\) is given the hash-function instance h so that it can compute the values \(u_1, \ldots , u_q\) itself. Clearly, this only makes the adversary stronger, but spares a discussion of security internals of the hash function.

Let \(1 \le r \le 2q\) and consider the set \(\mathcal {P} = \{P_1\), \(\ldots \), \(P_r\}\) of r unknowns. We consider a system of q equations

$$\begin{aligned} \mathcal {E} = \{ P_{a_1} \oplus P_{b_1} = t_1, \quad P_{a_2} \oplus P_{b_2} = t_2, \quad \ldots , \quad P_{a_q} \oplus P_{b_q} = t_q\}, \end{aligned}$$

where \(P_{a_i} := x_i = \pi _1(h(m_i) \oplus \nu _i)\) and \(P_{b_i} := y_i = \pi _2(\nu _i)\). We further define an index mapping \(\varphi : \{a_1, b_1,\ldots , a_q, b_q\} \rightarrow \{1, \ldots , r\}\). For all \(i, j \in \{1, \ldots , q\}\):

  • \(\varphi (a_i) \ne \varphi (a_j) \Leftrightarrow h(m_i) \oplus \nu _i \ne h(m_j) \oplus \nu _j\).

  • \(\varphi (b_i) \ne \varphi (b_j)\) since \(\nu _i \ne \nu _j\).

  • \(\varphi (a_i) \ne \varphi (b_j)\) since both permutations \(\pi _1\) and \(\pi _2\) are independent.

The index mapping \(\varphi \) has a range of size \(q_x + q_y\), where \(q_x = |\{x_1,\ldots ,x_q\}| \le q\) and \(q_y = |\{\nu _1,\ldots ,\nu _q\}| = q\).

4.1 Bad Transcripts

\(\varphi \) only exposes collisions of the form \(\varphi (a_i) = \varphi (a_j)\) or equivalently \(x_i = x_j\). We define the following bad events:

  • \(\textsf {bad} _1\): there exist \(\xi \) distinct equation indices \(i_1, i_2, \ldots , i_{\xi } \in \{1, \ldots , q\}\) s.t. \(x_{i_1} = x_{i_2} = \ldots = x_{i_{\xi }}\) where \(\xi \) is the threshold given in Theorem 3.

  • \(\textsf {bad} _2\): There exist query indices \(i \ne j\), \(i, j \in \{1, \ldots , q\}\) s.t. \((u_i, t_i) = (u_j, t_j)\).

Let us consider \(\textsf {bad} _1\) first. Since h is \(\varepsilon \)-AXU, the expected number of collisions is \(q^2 \cdot \varepsilon \). Unfortunately, \(\varepsilon \)-AXU is not strong enough to allow for statements regarding multicollisions, i.e., we cannot make a statement on the probability that three or more input values collide. Considering the maximal block size \(\xi \), the worst case would be that all collisions occur in the same hash value. If there exists a block of size \((\xi +1)\), this block contains \(\xi ^2\) collisions. Let \(\textsf {\#Colls} (q)\) be the random variable that counts the collisions in h. By Markov’s Inequality, the probability that there are more than \(\left( {\begin{array}{c}\xi \\ 2\end{array}}\right) \) collisions in h is at most:

$$\begin{aligned} \Pr \left[ \textsf {\#Colls} _1(q) \ge \left( {\begin{array}{c}\xi \\ 2\end{array}}\right) \right]&\le \frac{\mathbb {E}(C)}{\left( {\begin{array}{c}\xi \\ 2\end{array}}\right) } = \frac{\left( {\begin{array}{c}q\\ 2\end{array}}\right) \cdot \varepsilon }{\left( {\begin{array}{c}\xi \\ 2\end{array}}\right) } \le \frac{2q^2 \varepsilon }{\xi ^2}. \end{aligned}$$

For \(\textsf {bad} _2\), recall that the ideal world samples the tags independently uniformly at random. Since h is \(\varepsilon \)-AXU, it follows for some distinct pair \(i, j \in \{1, \ldots , q\}\):

$$\begin{aligned} \Pr \left[ u_i = u_j \wedge t_i = t_j \right]&\le \frac{\left( {\begin{array}{c}q\\ 2\end{array}}\right) \cdot \varepsilon }{2^n}. \end{aligned}$$

It follows from the sum of the probabilities for \(\textsf {bad} _1\) and \(\textsf {bad} _2\) that

$$\begin{aligned} \Pr \left[ \tau \in \textsf {BadT} \left| \varTheta _{\text {ideal}} = \tau \right. \right]&\le \frac{2q^2 \cdot \varepsilon }{\xi ^2} + \frac{\left( {\begin{array}{c}q\\ 2\end{array}}\right) \cdot \varepsilon }{2^n}. \end{aligned}$$

4.2 Ratio of Good Transcripts

Lemma 2

The system of equations is (i) circle-free, (ii) \(\xi \)-block-maximal and (iii) relaxed non-degenerate with respect to the partitioning into \(\mathcal {R} _1 \sqcup \mathcal {R} _2\), where \(\mathcal {R} _1 =^{\text {def}} \{\varphi (a_1), \ldots , \varphi (a_q)\}\) and \(\mathcal {R} _2 =^{\text {def}} \{\varphi (b_1), \ldots , \varphi (b_q)\}\).

Proof

The proof relies on the fact that \(\varphi (b_i) \ne \varphi (b_j)\) and \(\varphi (a_i) \ne \varphi (b_j)\) for any \(i \ne j\). For any \(\mathcal {I} \subseteq \{1,\ldots ,q\}\) the corresponding multiset \(M_{\mathcal {I}}\) has at least \(|\mathcal {I} |\) odd multiplicity elements and therefore the system of equations \(\mathcal {E} \) is (i) circle-free.

(ii) If \(\mathcal {E} \) were not \(\xi \)-block-maximal, then there must be an ordering \(\mathcal {I} = \{i_1,\ldots ,i_{\xi }\}\) s.t. \(\varphi (a_{i_1}) = \ldots = \varphi (a_{i_{\xi }})\). This is equivalent to a \(\xi \)-fold collision \(x_{i_1} = \ldots = x_{i_{\xi }}\), which contradicts the assumption that \(\tau \) is a good transcript.

(iii) Suppose that \(\mathcal {E} \) were relaxed degenerate. Then, there would exist a minimal subset \(\mathcal {I} \subseteq \{1,\ldots ,q\}\) that has exactly two odd multiplicity elements corresponding to the same oracle and s.t. \(\bigoplus _{i\in \mathcal {I}} t_i = 0\). If \(|\mathcal {I} | = 1\), \(M_{\mathcal {I}}\) would have two elements from different oracles. If \(|\mathcal {I} | = 2\) and \(t_{i_1} = t_{i_2}\), then we would know that \(x_{i_1} \ne x_{i_2}\), since \(\nu _{i_1} \ne \nu _{i_2}\) implies \(y_{i_1} \ne y_{i_2}\). Therefore, we have four odd multiplicity elements. If \(|\mathcal {I} | \ge 3\), there would exist at least three odd multiplicity elements. So, \(\mathcal {E} \) cannot be relaxed degenerate, which concludes the proof.    \(\square \)

Lemma 3

Let \(\tau \in \textsf {GoodT} \) and \(q \le 2^n/(67\xi ^2)\). Then, it holds that

$$\begin{aligned} \frac{\Pr \left[ \varTheta _{\text {real}} = \tau \right] }{\Pr \left[ \varTheta _{\text {ideal}} = \tau \right] }&\ge 1 - \frac{q}{2^n}. \end{aligned}$$

Proof

The probability to obtain a good transcript \(\tau \) consists of that for obtaining the tags \(t_1, \ldots , t_q\), and the hash-function outputs \(h(m_i)\). The probability to obtain the latter is given in both worlds by \(|\mathcal {H} |^{-1}\). The bound in Lemma 3 is determined by the ratio of the respective probabilities. This term appears in the real world as well as in the ideal world and cancels out eventually. Hence, we ignore it for the remainder of the analysis. The probability of obtaining the rest of the transcript, i.e., the tags \(t_i\), in the ideal world is then given by

$$\begin{aligned} \Pr \left[ \left. t_1, \ldots , t_q \right| \varTheta _{\text {ideal}} \right]&= \frac{1}{(2^n)^q} \end{aligned}$$

since the outputs \(t_i\) are sampled independently and uniformly at random from \(\{0,1\}^{n} \) in the ideal world. In the real world, the probability is given by

$$\begin{aligned} \Pr \left[ \varTheta _{\text {real}} = \tau \right]&\ge \frac{\frac{\textsf {NonEQ}(\mathcal {R}_1,\mathcal {R}_2;\mathcal {E})}{2^{nq}} \cdot (2^n-q_x)! \cdot (2^n-q_y)!}{((2^n)!)^2}\\&= \frac{\textsf {NonEQ}(\mathcal {R}_1,\mathcal {R}_2;\mathcal {E})}{2^{nq}(2^n)_{q_x}(2^n)_{q_y}}. \end{aligned}$$

Remember that \(q_y = q\) since all \(\nu _i\) are distinct. To lower bound \(\textsf {NonEQ}(\mathcal {R}_1,\mathcal {R}_2;\mathcal {E})\), note that we have \((2^n)_{q_x}\) choices for \(\{P_j \,|\,j \in \mathcal {R} _1\}\) and at least \((2^n-1)_{q}\) possible choices for \(\{P_j \,|\,j \in \mathcal {R} _2\}\), as every index in \(\mathcal {R} _2\) is in a block with exactly one unknown from \(\mathcal {R} _1\). Thus

$$\begin{aligned} \Pr \left[ \varTheta _{\text {real}} = \tau \right]&\ge \frac{(2^n-1)_q(2^n)_{q_x}}{2^{nq}(2^n)_q(2^n)_{q_x}} = \frac{1}{2^{nq}} \left( 1 - \frac{q}{2^n}\right) . \end{aligned}$$

Hence, we obtain the ratio as in Lemma 3.    \(\square \)

4.3 Using \(\xi _{\text {average}} \)

In [29], Patarin suggests that one potentially can consider the average instead of the maximal block size for the sum of permutations in Mirror Theory. More precisely, Generalization 2 of [29, Sect. 6] suggests that:

“The theorem \(P_i \oplus P_j\) is still true if we change the condition \(\xi _{\max } \alpha \ll 2^n \) by \(\xi _{\text {average}} \ll 2^n\).”

The bottleneck in our bound is the event \(\textsf {bad} _1\); \(\textsf {bad} _2\) as well as the good transcripts do not consider \(\xi \) at all and the respective terms become significant for \(q = 2^n\). Upper bounding the block size is necessary to ensure the condition \(q \le 2^n/(67\xi _{\text {max}}^2)\). Using a universal family of hash functions only allows for a very crude upper bound of the maximal block size which limits us at a security level of around \(2^{2n/3}\) queries.

If we could use the average block size as suggested by Patarin, we would be limited by the condition \(q \le 2^n/(67\xi _{\text {average}} ^2)\) instead; then, \(\textsf {bad} _1\) would no longer be necessary, which would significantly improve the bound. The following theorem would yield an upper bound on the expected average block size \(\xi _{\text {average}} \).

Theorem 4

For any \(q \le 2^n\) and \(\varepsilon \le 1\), we expect that \(\xi _{\text {average}} \le (q-1)\varepsilon + 2\).

The proof is deferred to the full version of this work, but we will briefly sketch the idea for \(\varepsilon = 2^{-n}\): For \(q \ll 2^n\), the expected amount of collisions \(q^2/2^n\) is in . For \(q = 2^n\), the expected number of collisions is \(2^{n-1}\). In the worst case (regarding the average), the collisions are uniformly distributed, i.e., \(h(m_1) = h(m_2), h(m_3) = h(m_4), \dots , h(m_{2^n-1}) = h(m_{2^n})\). This pattern corresponds to the case that every block is of size 3, and hence the average is 3 as well. Any other pattern would not increase the average block size. The proof will consider the more general case for \(\varepsilon \). From Theorem 4, we obtain

$$\begin{aligned} q&\le \frac{2^n}{67 ((q-1)\varepsilon + 2)^2}. \end{aligned}$$

We note that the use of \(\xi _{\text {average}} \) implies the need to employ the stronger form of the Mirror Theory, that assumes that the iterated proof suggested by Patarin holds. Both the stronger form of the Mirror Theory and the Generalization 2 [29] are subject to their own analysis.

5 Security Analysis of HPxHP

The analysis of HPxHP shares many similarities with that of HPxNP, but differs in certain key points. Regarding the maximum block size, a hash collision (considering the hashes separately) may now occur on either side, i.e., there may be a collision \(h_1(m) = h_1(m')\) or \(h_2(m) = h_2(m')\), which increases the block size and effectively doubles the probability of obtaining a hash collision. Further, since collisions may occur on both sides, it is possible to obtain a circle.

With a universal hash function, we can obtain security up to \(\mathcal {O}(2^{2n/3})\) queries, matching the security bound of earlier analyses. With a stronger k-wise independent hash function, it is possible to obtain security up to \(\mathcal {O}(2^{\frac{(n-1)k}{k+1}})\) queries. Putting stronger requirements on the family of hash functions increases its size and therefore the length of the key. We still find this result interesting since recent results [20] provided attacks with a query complexity of \(\mathcal {O}(2^{3n/4})\). If we demand stronger properties from the hash function, our security level exceeds the complexity of the known attacks. Again, we provide an analysis with a universal hash function and \(\xi _{\text {max}}\) first. Thereupon, we will argue about the necessary proof changes to adapt to stronger hash-function families.

Theorem 5

Let \(n \ge 1, \xi \ge 2\) be integers and \(\mathcal {H} _1\) and \(\mathcal {H} _2\) be \(\varepsilon _1\) and \(\varepsilon _2\)-AU families of hash functions, respectively, and let \(h_1 \twoheadleftarrow \mathcal {H} _1\) and \(h_2 \twoheadleftarrow \mathcal {H} _2\) be sampled independently uniformly at random. Let \(\varepsilon =^{\text {def}} \max \{\varepsilon _1,\varepsilon _2 \}\). For any PRF distinguisher \(\mathbf {A}\) that asks at most \(q \le 2^n/(67\xi ^2)\) queries, it holds that

For \(\xi = 2^{n/6}\), and assuming an optimal \(\varepsilon = \mathcal {O} (2^{-n})\), the bound in Theorem 5 has the form of \(\mathcal {O} (q^2/2^{4n/3} + q^2/2^{2n} + q^3/2^{2n} + q/2^{5n/6})\) for \(q \in \mathcal {O} (2^{2n/3})\) queries. So, it is dominated by the first term. The remainder of this section contains the proof of Theorem 5. Consider a deterministic distinguisher \(\mathbf {A} \) that has access to either or \(\rho \), which chooses the outputs given to \(\mathbf {A}\) uniformly at random. \(\mathbf {A}\) makes q construction queries \(m_i\) that are stored together with the query results \(t_i\) in a transcript \(\tau = \{(m_1, t_1), \ldots , (m_q, t_q)\}\). In both worlds, the oracle samples \(h_1\) and \(h_2\) at the beginning independently and uniformly at random from their hash families. \(\mathbf {A}\) sees the results \(t_i\) after each query. Again, we make the adversary stronger by defining that the hash keys are revealed to the adversary after it finished its interaction with the oracle, but before outputting its final decision bit.

Let \(1 \le r \le 2q\) and consider the set \(\mathcal {P} = \{P_1, \ldots , P_r\}\) of r unknowns. Again, we consider a system of q equations

$$\begin{aligned} \mathcal {E} = \{ P_{a_1} \oplus P_{b_1} = t_1, \quad P_{a_2} \oplus P_{b_2} = t_2, \quad \ldots , \quad P_{a_q} \oplus P_{b_q} = t_q\}, \end{aligned}$$

where \(P_{a_i} := x_i = \pi _1(h_1(m_i))\) and \(P_{b_i} := y_i = \pi _2(h_2(m_i))\). We further define an index mapping \(\varphi : \{a_1, b_1, \ldots , a_q, b_q\} \rightarrow \{1, \ldots , r\}\); \(\varphi \) maps equal permutation outputs \(x_i = x_j\) that occur for any \(i \ne j\) (from equal hash values \(u_i = u_j\)) to the same unknown \(P_{k}\); similarly, \(\varphi \) maps equal permutation outputs \(y_i = y_j\) that occur for any \(i \ne j\) (from equal hash values \(v_i = v_j\)) to the same unknown \(P_{\ell }\). For all \(i, j \in \{1, \ldots , q\}\), it holds that

  • \(\varphi (a_i) \ne \varphi (a_j) \Leftrightarrow h_1(m_i) \ne h_1(m_j)\).

  • \(\varphi (b_i) \ne \varphi (b_j) \Leftrightarrow h_2(m_i) \ne h_2(m_j)\).

  • \(\varphi (a_i) \ne \varphi (b_j)\) since both permutations \(\pi _1\) and \(\pi _2\) are independent.

In the real world, the transcript has collisions in the values \(x_i = x_j\) or \(y_i = y_j\) for \(i \ne j\), when the corresponding hash values \(u_i = u_j\) or \(v_i = v_j\) collide. A collision in \(x_i\) and \(x_j\) corresponds to a collision in \(\varphi (a_i)\) and \(\varphi (a_j)\), and a collision in \(y_i\) and \(y_j\) corresponds to a collision in \(\varphi (b_i)\) and \(\varphi (b_j)\). Multi-collisions in the range values of \(\pi _1\) and \(\pi _2\) correspond to blocks in the mirror theory. To upper bound the size of the largest block \(\mathcal {Q} _k\), we need to consider a special type of collision between two queries i and j. In this setting, we say that two queries i and j collide if \(h_1(m_i) = h_1(m_j)\) and/or \(h_2(m_i) = h_2(m_j)\). The probability for such a collision to happen is \(\varepsilon _1 + \varepsilon _2 \le 2\varepsilon \).

We define an event \(\textsf {bad} _1\) if there exists a \(\xi \)-multi-collision in any subset of queries \(\{i_1, \ldots , i_{\xi +1}\} \subseteq \{1,\ldots ,q\}\), where \(\xi \) is the threshold in Theorem 5. We need to consider four more events that render a transcript bad:

  • \(\textsf {bad} _1\): There exists a subset \(\mathcal {I} \subseteq \{1, \ldots , q\}\) of size \(|\mathcal {I} | = \xi \), s.t. for each pair of distinct indices \(i, j \in \mathcal {I} \), it holds that \(\varphi (a_i) = \varphi (a_j)\) and/or \(\varphi (b_i) = \varphi (b_j)\); \(\xi \) is the threshold in Theorem 5.

  • \(\textsf {bad} _2\): There exist \(i \ne j\), \(i, j \in \{1, \ldots , q\}\) s.t. \((u_i, v_i) = (u_j, v_j)\) and \(t_i \ne t_j\).

  • \(\textsf {bad} _3\): There exist \(i \ne j\), \(i, j \in \{1, \ldots , q\}\) s.t. \((u_i, t_i) = (u_j, t_j)\) and \(v_i \ne v_j\).

  • \(\textsf {bad} _4\): There exist \(i \ne j\), \(i, j \in \{1, \ldots , q\}\) s.t. \((v_i, t_i) = (v_j, t_j)\) and \(u_i \ne u_j\).

  • \(\textsf {bad} _5\): There exists a subset \(\mathcal {I} \subseteq \{1, \ldots , q\}\) s.t. \(\mathcal {M} _{\mathcal {I}}\) contains only elements of even multiplicity.

If an attainable transcript \(\tau \) is not bad, we define \(\tau \) as good. We denote by \(\textsf {GoodT} \) and \(\textsf {BadT} \) the sets of good and bad transcripts, respectively. In the H-coefficient technique, the probability that a transcript is bad is analyzed solely for the ideal world. The bound in Theorem 5 follows then from Lemma 1 and Lemmas 4, 5 and 6.
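The index mapping \(\varphi \), the blocks and the circles of the system \(\mathcal {E} \) defined above, worked through on a toy HPxHP instance as an added example (this is not code from the paper): the keyed hash functions (truncated SHA-256), the permutations and all transcripts are constructed stand-ins with no claimed \(\varepsilon \)-AU bound. The same helpers compute the block sizes \(\xi _{\text {max}}\) and \(\xi _{\text {average}} \) of Sect. 4.3 and decide the events \(\textsf {bad} _2\) to \(\textsf {bad} _5\) listed above.

```python
"""HPxHP transcripts as a Mirror Theory equation system (Sect. 5). Added
illustration, not code from the paper: phi turns a toy transcript (n = 8) into
E = {P_phi(a_i) xor P_phi(b_i) = t_i}; helpers give xi_max, xi_average, bad_2..bad_5.
Hash families and permutations are constructed stand-ins (no epsilon-AU bound)."""
import hashlib
import random
from collections import defaultdict

N_BITS = 8  # toy n; in the paper n is the block-cipher width
MASK = (1 << N_BITS) - 1

def random_permutation(rng):
    """Random permutation of {0,1}^n as a table (stand-in for pi_1, pi_2)."""
    table = list(range(1 << N_BITS))
    rng.shuffle(table)
    return table

def make_hash(key):
    """Toy keyed hash m -> {0,1}^n (truncated SHA-256), standing in for h_1 <- H_1
    and h_2 <- H_2; chosen only so that collisions already occur at small q."""
    return lambda m: hashlib.sha256(key + m).digest()[0] & MASK

def hpxhp_tag(pi1, pi2, h1, h2, m):
    """HPxHP: t = pi_1(h_1(m)) xor pi_2(h_2(m))."""
    return pi1[h1(m)] ^ pi2[h2(m)]

def real_world_transcript(pi1, pi2, h1, h2, messages):
    """Entries (u_i, v_i, t_i) with u_i = h_1(m_i), v_i = h_2(m_i); the hash values
    belong to the transcript because the hash keys are revealed to the adversary."""
    return [(h1(m), h2(m), hpxhp_tag(pi1, pi2, h1, h2, m)) for m in messages]

def build_system(transcript):
    """Index mapping phi: equal u share one unknown in R_1, equal v one unknown in
    R_2; R_1 and R_2 are disjoint since pi_1, pi_2 are independent. Returns the
    equations as edges (phi(a_i), phi(b_i)) between unknowns."""
    phi, edges = {}, []
    for u, v, _t in transcript:
        a = phi.setdefault(("R1", u), len(phi))
        b = phi.setdefault(("R2", v), len(phi))
        edges.append((a, b))
    return edges

def blocks(edges):
    """Blocks = connected components of the unknowns under the equations (union-find);
    returns (number_of_unknowns, number_of_equations) per block."""
    parent = {}
    def find(x):
        while parent.get(x, x) != x:
            x = parent[x]
        return x
    for a, b in edges:
        parent[find(a)] = find(b)
    unknowns, n_eq = defaultdict(set), defaultdict(int)
    for a, b in edges:
        root = find(a)
        unknowns[root].update((a, b))
        n_eq[root] += 1
    return [(len(unknowns[r]), n_eq[r]) for r in unknowns]

def block_sizes(edges):
    """(xi_max, xi_average): largest and average block size (Sect. 4.3, Lemma 5)."""
    sizes = [size for size, _ in blocks(edges)]
    return max(sizes), sum(sizes) / len(sizes)

def has_circle(edges):
    """A circle is a set of equations whose unknowns all have even multiplicity, i.e.
    a cycle in the equation graph (a repeated edge is a 2-circle). A block is
    circle-free exactly when it is a tree: equations = unknowns - 1."""
    return any(n_eq >= size for size, n_eq in blocks(edges))

def bad_events(transcript):
    """bad_2 .. bad_5 of Sect. 5. bad_2 .. bad_4 can only occur in the ideal world:
    in the real world equal (u, v) give equal tags, and (u_i, t_i) = (u_j, t_j)
    with v_i != v_j would force pi_2 to collide (bad_4: likewise for pi_1)."""
    bad, by_uv, by_ut, by_vt = set(), {}, {}, {}
    for u, v, t in transcript:
        if by_uv.setdefault((u, v), t) != t:
            bad.add("bad_2")
        if by_ut.setdefault((u, t), v) != v:
            bad.add("bad_3")
        if by_vt.setdefault((v, t), u) != u:
            bad.add("bad_4")
    if has_circle(build_system(transcript)):
        bad.add("bad_5")
    return bad

def demo_transcript(seed=2024, q=48):
    """Reproducible toy real-world transcript; q^2/2^n = 9, so collisions are likely."""
    rng = random.Random(seed)
    pi1, pi2 = random_permutation(rng), random_permutation(rng)
    h1, h2 = make_hash(b"key-1"), make_hash(b"key-2")
    return pi1, pi2, real_world_transcript(pi1, pi2, h1, h2, [f"m{i}".encode() for i in range(q)])
```

`demo_transcript()` yields a transcript of 48 real-world queries; `block_sizes(build_system(tau))` and `bad_events(tau)` then show its block structure and whether it is good.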

5.1 Bad Transcripts

Lemma 4

Let \(\xi \ge 1\) denote the threshold from Theorem 5. It holds that

$$\begin{aligned} \Pr \left[ \left. \tau \in \textsf {BadT} \right| \varTheta _{\text {ideal}} = \tau \right]&\le \frac{4 q^2 \varepsilon }{\xi ^2} + 3 \cdot (q \varepsilon )^2 + q^3 \varepsilon ^2. \end{aligned}$$

Proof

In the following, we upper bound the probability that a transcript is bad. Most of the time, we can upper bound the probabilities of the individual bad events to occur and simply take the sum of their probabilities. We will postpone the discussion of the first bad event and begin with the second bad event.

For \(\textsf {bad} _2\), it holds that \(h_1\) and \(h_2\) are both \(\varepsilon \)-AU and independent. We drop the condition \(t_i \ne t_j\) since it only decreases the probability and an upper bound suffices for our purpose. The probability that both hash values collide simultaneously for two queries is at most

$$\begin{aligned} \Pr \left[ \textsf {bad} _2\right]&\le \left( {\begin{array}{c}q\\ 2\end{array}}\right) \varepsilon ^2 \le \frac{q^2 \varepsilon ^2}{2}. \end{aligned}$$

For the third and fourth bad events, the probabilities can be formulated similarly. To upper bound \(\textsf {bad} _3\), the probability that \(u_i = u_j\) is again at most \(\varepsilon \) for a fixed pair of distinct query indices \(i \ne j\). Since the outputs \(t_i\) and \(t_j\) are sampled uniformly at random and independently from the hash values, we can again neglect the requirement \(v_i \ne v_j\) and obtain the same upper bound for \(\textsf {bad} _3\) as for \(\textsf {bad} _2\), when we use \(\varepsilon \ge 2^{-n}\). A similar argument holds for \(\textsf {bad} _4\).

When upper bounding the probability of \(\textsf {bad} _5\), we are limited by the hash function. We consider all 3-tuples \((m_a, m_b, m_c)\) such that \(h_1(m_a) = h_1(m_b)\) and \(h_2(m_b) = h_2(m_c)\). This event can be bounded by \(\left( {\begin{array}{c}q\\ 3\end{array}}\right) \varepsilon ^2\), which also excludes the occurrence of circles. Thus, it holds that \(\Pr \left[ \textsf {bad} _5\right] \le q^3 \varepsilon ^2\). Double-collisions that are small circles by themselves are excluded by \(\textsf {bad} _2\).

Now, we consider \(\textsf {bad} _1\). Again, we upper bound the maximal block size for the individual hash functions. Then, we condition \(\textsf {bad} _1\) on \(\lnot \textsf {bad} _5\) to ensure that no collisions in \(h_1\) are connected to collisions in \(h_2\). Both hash functions are \(\varepsilon \)-almost-universal. Again, the worst case w.r.t. block maximality is that all collisions occur in the same block of size \(\xi +1\). Such a block would have \(\left( {\begin{array}{c}\xi \\ 2\end{array}}\right) \) collisions. Let \(\textsf {\#Colls} _1(q)\) be a random variable for the number of collisions between \(h_1(m_i) = h_1(m_j)\) for \(1 \le i, j \le q\) and \(i \ne j\). Using Markov’s Inequality, we obtain

$$\begin{aligned} \Pr \left[ \textsf {\#Colls} _1(q) \ge \left( {\begin{array}{c}\xi \\ 2\end{array}}\right) \right]&\le \frac{\mathbb {E}\left[ \textsf {\#Colls} _1(q)\right] }{\left( {\begin{array}{c}\xi \\ 2\end{array}}\right) } \le \frac{2q^2 \varepsilon }{\xi ^2}. \end{aligned}$$

We can derive a similar argument using a random variable \(\textsf {\#Colls} _2(q)\) for the number of collisions \(h_2(m_i) = h_2(m_j)\). So, the probability to obtain a block of size \(\xi \) is upper bounded by

$$\begin{aligned} \Pr \left[ \textsf {bad} _1 | \lnot \textsf {bad} _5 \right]&\le \frac{4 q^2 \varepsilon }{\xi ^2}. \end{aligned}$$

Our bound in Lemma 4 follows from summing up the obtained terms.    \(\square \)

5.2 Good Transcripts

It remains to upper bound the ratio of probabilities for a good transcript in both worlds. For the real world, we will use the Relaxed Mirror Theory. We show that a good transcript fulfills all properties needed by the Relaxed Mirror Theorem.

Lemma 5

Let \(\tau \in \textsf {GoodT} \). Let \(\mathcal {E} \) be the system of q equations corresponding to \((\varphi ^{\tau }, m_1, \ldots , m_q)\). Then, \(\mathcal {E} \) is (i) circle-free, (ii) \(\xi \)-block-maximal, and (iii) relaxed non-degenerate w.r.t. the partitioning \(\{1, \ldots , r\} = \mathcal {R} _1 \cup \mathcal {R} _2\), where \(\mathcal {R} _1 = \{\varphi (a_1),\ldots ,\varphi (a_q)\}\) and \(\mathcal {R} _2 = \{\varphi (b_1),\ldots ,\varphi (b_q)\}\).

Proof

We defined \(\tau \) to be a good transcript; hence, no bad event has occurred, which implies that the transcript is (i) circle-free since we excluded \(\textsf {bad} _5\) here.

(ii) If \(\mathcal {E} \) were not \(\xi \)-block-maximal, there would exist a minimal subset \(\mathcal {Q} \subseteq \{1, \ldots , r\}\) with \(|\mathcal {Q} | \ge \xi +1\) so that there exists some \(i \in \{1, \ldots , q\}\) for which either \(\{\varphi (a_i), \varphi (b_i)\} \subseteq \mathcal {Q} \) or \(\{\varphi (a_i), \varphi (b_i)\} \cap \mathcal {Q} = \emptyset \). The latter event does not violate the block-maximality, so we can focus on the former statement.

Assuming that \(\mathcal {E} \) were not \(\xi \)-block-maximal, we can define a subset of indices \(\mathcal {I} \subset \{1, \ldots , q\}\) for which it holds that \(\{\varphi (a_i), \varphi (b_i)\} \subseteq \mathcal {Q} \) for all \(i \in \mathcal {I} \). Then, we can define an ordered sequence of the indices in \(\mathcal {I} \) to \(i_1, \ldots , i_{\xi }\) s.t. it would have to hold for all pairs of subsequent indices \(i_j, i_{j+1}\), for \(1 \le j < \xi \), that \(\varphi (a_{i_j}) = \varphi (a_{i_{j+1}})\) and/or \(\varphi (b_{i_j}) = \varphi (b_{i_{j+1}})\). This is equivalent to our definition of \(\textsf {bad} _1\) and would therefore violate our assumption that \(\tau \) is good. Hence, every good transcript \(\tau \) is \(\xi \)-block-maximal.

(iii) Assume that \(\tau \) would be relaxed degenerate. This would imply there exists a subset \(\mathcal {I} \subseteq \{1,\dots ,q\}\) such that the multiset \(M_\mathcal {I} \) has exactly two odd multiplicity elements from a single set \(\mathcal {R}_1\) or \(\mathcal {R}_2\) and the tags of the elements corresponding to \(\mathcal {I} \) sum up to zero, i.e.

$$\begin{aligned} \bigoplus _{i \in \mathcal {I}} t_i = \bigoplus _{i \in \mathcal {I}} \pi _1(h_1(m_i)) \oplus \pi _2(h_2(m_i)) = 0. \end{aligned}$$

Recall that \(\varphi (a_i) \ne \varphi (a_j)\) if and only if \(h_1(m_i) \ne h_1(m_j)\), \(\varphi (b_i) \ne \varphi (b_j)\) if and only if \(h_2(m_i) \ne h_2(m_j)\), and \(\varphi (a_i) \ne \varphi (b_j)\) for any choice of i and j. An element \(\varphi (a_i)\) has even multiplicity in \(M_\mathcal {I} \) if there is an even number of inputs that collide in \(h_1(m_i)\). Similarly, an element \(\varphi (b_i)\) has even multiplicity in \(M_\mathcal {I} \) if there is an even number of inputs that collide in \(h_2(m_i)\). If there is an even number of queries that collide in a hash value, one can easily see that these elements will cancel out in the above sum.

For simplicity, assume there exists a subset \(\mathcal {I} \subseteq \{1,\ldots ,q\}\) with exactly two odd multiplicity elements from \(\mathcal {R}_1\) and even multiplicity elements only from \(\mathcal {R}_2\). All elements from \(\mathcal {R}_2\) cancel out in the sum above, and all even multiplicity elements from \(\mathcal {R}_1\) cancel out as well. Let the two odd multiplicity elements from \(\mathcal {R}_1\) have multiplicity \(2n_1+1\) and \(2n_2+1\), where \(n_1,n_2 \ge 0\). In total, \(2n_1\) and \(2n_2\) terms will cancel out and what remains is \(\pi _1(h_1(m_i)) \oplus \pi _1(h_1(m_j)) = 0\) where \(\varphi (a_i) \ne \varphi (a_j)\). However, this event cannot occur since \(\varphi (a_i) \ne \varphi (a_j)\) implies that \(h_1(m_i) \ne h_1(m_j)\); thus the system cannot be relaxed degenerate.    \(\square \)

Lemma 6

Let \(\tau \in \textsf {GoodT} \) and \(q \le 2^n/(67\xi ^2)\). Then, it holds that

$$\begin{aligned} \frac{\Pr \left[ \varTheta _{\text {real}} = \tau \right] }{\Pr \left[ \varTheta _{\text {ideal}} = \tau \right] }&\ge 1 - \frac{\xi \cdot q}{2^n - \xi }. \end{aligned}$$

Proof

The probability to obtain a good transcript \(\tau \) consists of that for obtaining the tags \(t_1, \ldots , t_q\), and the hash-function outputs \(u_i\) and \(v_i\). The probability to obtain the latter is given in both worlds by \(\Pr \left[ (h_1, h_2) \;|\; (h_1, h_2) \twoheadleftarrow \mathcal {H} _1 \times \mathcal {H} _2 \right] \). The bound in Lemma 6 is determined by the ratio of the respective probabilities. This term appears in the real world as well as in the ideal world and cancels out eventually. Hence, we ignore it for the remainder of the analysis. The probability for the tags \(t_i\) in the ideal world is then given by \(\Pr [ t_1, \ldots , t_q| \varTheta _{\text {ideal}} ] = 1/(2^n)^q\) since the outputs \(t_i\) are sampled independently and uniformly at random from \(\{0,1\}^{n} \) in the ideal world.

In the real world, the situation is more complex and a little more work is necessary. We denote by \(q_x := |\{\pi _1(h_1(m_i)) \;|\; i \in \{1,\dots , q\}\}|\) the number of distinct values for \(\pi _1\) and similarly we denote by \(q_y := |\{\pi _2(h_2(m_i)) \;|\; i \in \{1,\dots , q\}\}|\) the number of distinct values for \(\pi _2\). The number of solutions to the \(q_x + q_y\) unknowns is at least \(\textsf {NonEQ}(\mathcal {R}_1,\mathcal {R}_2;\mathcal {E})/2^{nq}\). There are \((2^n-q_x)!\) possible choices for the remaining output values of \(\pi _1\) and \((2^n-q_y)!\) possible choices for the remaining output values of \(\pi _2\). Thus, we can lower bound

$$\begin{aligned} \Pr \left[ \varTheta _{\text {real}} = \tau \right]&\ge \frac{\frac{\textsf {NonEQ}(\mathcal {R}_1,\mathcal {R}_2;\mathcal {E})}{2^{nq}} \cdot (2^n-q_x)! \cdot (2^n-q_y)!}{((2^n)!)^2} = \frac{\textsf {NonEQ}(\mathcal {R}_1,\mathcal {R}_2;\mathcal {E})}{2^{nq}(2^n)_{q_x}(2^n)_{q_y}}. \end{aligned}$$

We will use the obvious lower bound for \(\textsf {NonEQ}(\mathcal {R}_1,\mathcal {R}_2;\mathcal {E})\) and we obtain

$$\begin{aligned} \Pr \left[ \varTheta _{\text {real}} = \tau \right]&\ge \frac{(2^n)_{q_x}(2^n-\xi )_{q_y}}{2^{nq}(2^n)_{q_x}(2^n)_{q_y}} = \frac{1}{2^{nq}} \cdot \frac{(2^n-\xi )_{q_y}}{(2^n)_{q_y}}. \end{aligned}$$

We can immediately see that

$$\begin{aligned} \frac{\Pr \left[ \varTheta _{\text {real}} = \tau \right] }{\Pr \left[ \varTheta _{\text {ideal}} = \tau \right] } \ge \frac{(2^n-\xi )_{q_y}}{(2^n)_{q_y}}. \end{aligned}$$

We can further reformulate the expression \((2^n-\xi )_{q_y}/(2^n)_{q_y}\) to

$$\begin{aligned}& \frac{(2^n-q_y)(2^n-q_y-1) \cdots (2^n - q_y - (\xi -1))}{(2^n)(2^n-1)(2^n-2) \cdots (2^n - (\xi -1))} = \prod _{i = 0}^{\xi - 1} \frac{2^n - i - q_y}{2^n - i}. \end{aligned}$$

This can be rewritten as and lower bounded by

$$\begin{aligned} \prod _{i = 0}^{\xi - 1} \left( 1-\frac{q_y}{2^n - i}\right) \ge \left( 1-\frac{q}{2^n-\xi }\right) ^{\xi } \ge 1 - \frac{\xi \cdot q}{2^n - \xi }, \end{aligned}$$

where the final inequality is Bernoulli’s.    \(\square \)

5.3 Using k-Wise Independent Hash Functions

In contrast to the analysis of HPxNP, for HPxHP, we find \(\xi \) not only in the analysis of \(\textsf {bad} _1\), but also in that of \(\textsf {bad} _5\) plus in the bound for the good transcripts. For the same reasons as in HPxNP, \(\textsf {bad} _1\) and \(\textsf {bad} _5\) cap the bound at around \(q = 2^{2n/3}\). Using the average block size would not work here since it would not affect the bound of \(\textsf {bad} _5\). However, we can increase the security bound of HPxHP with stronger, k-wise independent hash functions. For even k, this allows us to obtain a bound of \(q = 2^{kn/(k+1)}\) since such hash functions yield better bounds for circles of sizes \({\ge }k\). Since circles always contain an even number of queries, there would be no benefit from odd values of k. Leurent et al. required a 4-circle that is expected after \(2^{3n/4}\) queries for their attack. Using a 4-independent hash function, the first 4-circle occurs after \(2^{n}\) queries on average. So, we can obtain a security bound that exceeds the complexity of Leurent et al.’s attack. For simplicity, we will consider 4-wise independent hash functions first and illustrate the changes to the security bound of HPxHP. Thereupon, we extend our analysis to larger values of k. Due to space limitations, we defer the proofs of Lemmas 7 and 8 to the full version of this work.

Lemma 7

Let \(\mathcal {H} _1\) and \(\mathcal {H} _2\) be independent 4-wise independent hash functions. Let \(\xi \ge 7\). Then

$$\begin{aligned} \Pr \left[ \textsf {bad} _1 | \lnot \textsf {bad} _2 \right]&\le \frac{2\left( {\begin{array}{c}q\\ 4\end{array}}\right) }{2^{3n} \left( {\begin{array}{c}\xi \\ 4\end{array}}\right) } + \frac{16q^5}{2^{4n}}. \end{aligned}$$

We find two interesting points here: (1) Raising the requirement of the hash functions to 4-wise independence yields a 4-circle after \(2^n\) queries on average instead of after \(2^{3n/4}\) queries as in the attack by Leurent et al. Thus, a security level of \(2^{4n/5}\) can be obtained. (2) We cannot show yet if it is possible to consider \(\xi _{\text {average}}\) instead of \(\xi _{\text {max}} \). If we can consider the average block size instead of the maximum block size, the upper bound of circles is the bottleneck. Vice versa, it seems that attacks on the HPxHP-type of MACs must exploit the occurrence of circles. We can formulate the following lemma to bound the probability of \(\textsf {bad} _5\).

Lemma 8

Let \(\mathcal {H} _1\) and \(\mathcal {H} _2\) be independent 4-wise independent hash functions. Then \(\Pr \left[ \textsf {bad} _5 | \lnot \textsf {bad} _2 \wedge \lnot \textsf {bad} _1 \right] \le q^4/2^{4n}\).

6 Conclusion

We presented two MAC constructions that are provably secure up to \(\mathcal {O}(2^{2n/3})\) queries; HPxHP avoids nonces at the price of two independent hash-function evaluations; HPxNP trades one hash-function call for the use of a nonce.

Our results add to the works that demonstrate the usefulness of Patarin’s Mirror Theory for such constructions. We indicated that considering the average instead of the maximal block size in the Mirror Theory would greatly increase the security of one of our constructions. A proof is deferred to the full version of this work. However, a deeper study of Patarin’s theory is required to derive the consequences of this replacement, which is out of the scope of this work.

Leurent et al.’s generic distinguisher on constructions similar to HPxHP with a data complexity of \(\mathcal {O}(2^{3n/4})\) queries exploited the occurrence of circles in the underlying hash functions. So, there is still a gap between the best security bound and their attack. In the full version of this work, we study how stronger, k-wise independent hash functions decrease the probability of circles, and we indicate there that this can raise the security level above the bound of \(\mathcal {O}(2^{3n/4})\).

We can imagine that the security level of our constructions is higher than 2n/3 bits. For example, the bottleneck in our proof of HPxNP is the bound for the maximal block size as long as the hash function family is “only” universal. A stronger hash function helps here; plus, it may as well be possible to consider the average block size and obtain \(\mathcal {O}(2^{n})\) security. However, this needs to be verified.