One-Key Compression Function Based MAC with Security Beyond Birthday Bound

Abstract

Gaži et al. [CRYPTO 2014] analyzed the NI-MAC construction proposed by An and Bellare [CRYPTO 1999] and gave a tight birthday-bound of \(O(\ell q^{2}/2^{n})\), as an improvement over the previous bound of \(O(\ell ^{2}q^{2}/2^{n})\). In this paper, we design a simple extension of NI-MAC, called \(\mathrm{NI}^{+}\)-MAC, and prove that it has security bound beyond birthday (BBB) of order \(O(q^2\ell ^2 / 2^{2n})\) provided \(\ell \le 2^{n/4}\). Our construction not only lifts the security of NI-MAC beyond birthday, it also reduces the number of keys from 2 (NI uses 2 independent keys) to 1. Before this work, Yasuda had proposed [FSE 2008] a single fixed-keyed compression function based BBB-secure MAC with security bound \(O(\ell q^2/2^{2n})\) that uses an extra mask, and requires a storage space to store the mask. However, our proposed construction \(\mathrm{NI}^{+}\) does not require any extra mask and thereby reduces the state size compared to Yasuda’s proposal [FSE 2008] with providing the same order of security bound for light-weight applications.

Appendices

A Proof of Proposition 2

We prove that \(\Pr [G \xleftarrow {\$} \mathcal {G(M)} : |fColl(G)| \ge 3] \le \frac{27\ell ^{6}}{2^{3n}}\), where \(\ell \) is the total number of blocks of the messages in \(\mathcal {M}\) where \(\ell \le 2^{n/2}\).

\(\Pr [G \xleftarrow {\$} \mathcal {G(M)} : |fColl(G)| \ge 3] = \sum \limits _{i=3}^{\infty } \Pr [G \xleftarrow {\$} \mathcal {G(M)} : |fColl(G)| = i]\)

\(\le \sum \limits _{i=3}^{\infty } \sum \limits _{H \in \mathcal {G}^i(\mathcal {M})} \Pr [G \xleftarrow {\$} \mathcal {G(M)} : G = H] \le \sum \limits _{i=3}^{\infty } \sum \limits _{H \in \mathcal {G}^i(\mathcal {M})} \frac{1}{2^{ni}} \text { (from Proposition 1) }\)

\(\le \sum \limits _{i=3}^{\infty } \frac{|\mathcal {G}^i(\mathcal {M})|}{2^{in}}\).

Now, note that the a graph G is uniquely determined by its number of collisions. Therefore, \(|\mathcal {G}^i(\mathcal {M})| \le (\frac{2\ell (2\ell +1)}{2})^i \le (3\ell ^2)^i\). Now let a denotes \(\frac{3\ell ^2}{2^n}\). Assuming \(\ell \le 2^{n/2}\), we can write, \(\Pr [G \xleftarrow {\$} \mathcal {G(M)} : |fColl(G)| \ge 3] \le \frac{a^3}{(1-a)} \le \frac{27\ell ^6}{2^{3n}}.\)    \(\square \)

B Diagram of NI

See Fig. 2

Fig. 2.

Construction of \(\text{ NI }\)-MAC

C Proof of Lemma 1, Case (A)

We provide the proof of \(\Pr [E_{\mathrm {coll}} \wedge |fColl(G)| = 0] \le \frac{1}{2^{2n}}\) here. We fix a structure graph \(H \in \mathcal {G}^0\) and then analyse the probability of the event \(E_{\mathrm {coll}}\) with respect to H in a case-by-case basis.

Case (A.1) When \(M^i\) or \(M^j\) is not a prefix of each other, we recall that p be the LCP of \(M^i\) and \(M^j\). Therefore, all \(Y^i_{\alpha }\) and \(Y^j_{\beta }\) are distinct where \(p+1 \le \alpha \le l_i, p+1 \le \beta \le l_j\). Moreover, \(Y^i_{\alpha } \ne Y^j_{\alpha }\), \(p+1 \le \alpha \le \min \{l_i, l_j\}\) as the number of collisions in H is 0. Therefore, we have,

$$\begin{aligned} \Pr [E_{\mathrm {coll}} \wedge G = H]= & {} \Pr [\varTheta ^i = \varTheta ^j \wedge G = H | \varSigma ^i = \varSigma ^j] \cdot \Pr [\varSigma ^i = \varSigma ^j]. \end{aligned}$$

It is obvious that \(\Pr [\varSigma ^i = \varSigma ^j] \le \frac{1}{2^n - 2 \ell }\) and the event \(\varTheta ^i = \varTheta ^j \wedge G = H\) conditioned on the event \(\varSigma ^i = \varSigma ^j\) implies a non trivial equation on \(\mathbf {Y}\) as we will obtain \(Y^i_{p+1}\) and \(Y^j_{p+1}\) for which \(\varTheta ^i \oplus \varTheta ^j = 0\) would become non-trivial. Thus, \(\Pr [\varTheta ^i = \varTheta ^j \wedge G = H | \varSigma ^i = \varSigma ^j] \le \frac{1}{2^n - 2 \ell }\). Therefore, \(\Pr [E_{\mathrm {coll}} \wedge G = H] \le \frac{1}{2^{2n}}\), assuming \(\ell \le 2^{n - 1}\).

Case (A.2) Consider either of the two messages is a prefix of other (w.l.o.g \(M^j\) is a prefix of \(M^i\)). Since \(l_i > l_j\) therefore, \(p = l_j\). Since the number of collision in H is 0, \(Y^i_{p+1}, \ldots Y^i_{l_i}\) are all distinct with each other and with \(Y^i_{1}, \ldots , Y^i_{l_j}\). This implies that \(Y^i_{l_i} \ne Y^j_{l_j}\) as depicted in Fig. 3. Therefore, the probability of \(\varTheta ^i = \varTheta ^j \wedge G = H\) conditioned on the event \(\varSigma ^i = \varSigma ^j\) will be \(O(1/2^n)\) as we will obtain two random variables \(Y^i_{l_i}\) and \(Y^j_{l_j}\) for which \(\varTheta ^i \oplus \varTheta ^j = 0\) would become non-trivial. Moreover, \(\Pr [\varSigma ^i = \varSigma ^j] \le \frac{1}{2^n}\). Therefore again, \(\Pr [E_{\mathrm {coll}} \wedge G = H] \le \frac{1}{2^{2n}}\).

Since, \(\mathcal {G}^0 = 1\), we have, \(\Pr [E_{\mathrm {coll}} \wedge |fColl(G)| = 0] \le \frac{1}{2^{2n}}\).    \(\square \)

Fig. 3.

Structure graph with 0 accident

D Proof of Lemma 1, Case (D)

We present the proof of \(\Pr [E_{\mathrm {cf}} \wedge |fColl(G)| = 0] \le \frac{1}{2^{2n}}\) here. We fix a structure graph \(H \in \mathcal {G}^0\) and then analyse the probability of the event \(E_{\mathrm {cf}}\) with respect to H in a case-by-case basis.

Case (i) Let p be the LCP of \(M^i\) and \(M^j\). Therefore, \(Y^i_{\alpha } = Y^j_{\alpha }\) where \(1 \le \alpha \le p\) and \(Y^i_{\beta } \ne Y^j_{\beta }\) where \(p+1 \le \beta \le \min \{l_i, l_j\}\) as the number of accident in H is 0. Moreover, if \(l_i > l_j\) then all \(Y^i_{\beta }\) would have been distinct as \(|fColl(G)| = 0\) where \(l_j + 1 \le \beta \le l_i\). Note that, it is also true that \(Y^i_{l_i} \ne Y^j_{l_j}\). Therefore, we have the following set of equations:

$$\begin{aligned}&Y^i_{l_i+1} = x, \end{aligned}$$

(5)

$$\begin{aligned}&Y^i_1 \oplus Y^i_2 \oplus \ldots \oplus Y^i_{l_i+1} + Y^s_t = 0, \end{aligned}$$

(6)

where s could be either i or j and \(t \in [l_i+1]\) or \(t \in [l_j+1]\). For each of these cases one can easily check that the above system of equation has rank 2. Therefore, \(\Pr [E_{\mathrm {cf}} \wedge G = H] \le \frac{1}{2^{2n}}\).

Case (ii). Without loss of generality let us consider that \(M^j\) is a prefix of \(M^i\). Since \(l_i > l_j\) therefore, \(p = l_j\). Since, number of collisions in H is 0, \(Y^i_{p+1}, \ldots Y^i_{l_i}\) are all distinct with each other and with \(Y^j_{1}, \ldots , Y^j_{l_j}\). This implies that \(Y^i_{l_i} \ne Y^j_{l_j}\) as depicted in Fig. 3. Therefore, the set of equations (Eqs. (5) and (6)) has the full rank. Therefore, again we have, \(\Pr [E_{\mathrm {cf}} \wedge G = H] \le \frac{1}{2^{2n}}\).

Therefore from the above two cases we have, \(\Pr [E_{\mathrm {cf}} \wedge G = H] \le \frac{1}{2^{2n}}\) for any non-zero n bit constant x. Moreover \(|\mathcal {G}^0| \le 1\). So \(\Pr [E_{\mathrm {cf}} \wedge |fColl(G)| = 0] \le \frac{1}{2^{2n}}\).