Abstract
Gaži et al. [CRYPTO 2014] analyzed the NI-MAC construction proposed by An and Bellare [CRYPTO 1999] and gave a tight birthday bound of \(O(\ell q^{2}/2^{n})\), improving on the previous bound of \(O(\ell ^{2}q^{2}/2^{n})\). In this paper, we design a simple extension of NI-MAC, called \(\mathrm{NI}^{+}\)-MAC, and prove that it has a beyond-birthday-bound (BBB) security of order \(O(q^2\ell ^2 / 2^{2n})\) provided \(\ell \le 2^{n/4}\). Our construction not only lifts the security of NI-MAC beyond the birthday bound, it also reduces the number of keys from 2 (NI uses 2 independent keys) to 1. Before this work, Yasuda [FSE 2008] had proposed a BBB-secure MAC based on a single fixed-keyed compression function with security bound \(O(\ell q^2/2^{2n})\); it uses an extra mask and requires storage space for that mask. Our proposed construction \(\mathrm{NI}^{+}\) does not require any extra mask and thereby reduces the state size compared to Yasuda's proposal [FSE 2008], while providing the same order of security bound for light-weight applications.
Notes
1. \(\text {Rate} \triangleq \frac{b}{rs}\), where b is the size of a message block, s is the total size of the function without the key part, and r is the total number of function calls needed to process a single message block.
2. In [44] the author mistakenly states that the state size of the construction is \(b'+2n\) bits, without counting the state needed to store the \(b'\)-bit mask; the state size therefore becomes \(2(b' + n)\).
3. We use the terms collision and accident interchangeably.
References
An, J.H., Bellare, M.: Constructing VIL-MACs from FIL-MACs: message authentication under weakened assumptions. In: Wiener [40], pp. 252–269
Bellare, M., Canetti, R., Krawczyk, H.: Keying hash functions for message authentication. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 1–15. Springer, Heidelberg (1996)
Bellare, M., Goldreich, O., Krawczyk, H.: Stateless evaluation of pseudorandom functions: security beyond the birthday barrier. In: Wiener [40], pp. 270–287
Bellare, M., Kilian, J., Rogaway, P.: The security of cipher block chaining. In: Desmedt, Y.G. (ed.) CRYPTO 1994. LNCS, vol. 839, pp. 341–358. Springer, Heidelberg (1994)
Bellare, M., Pietrzak, K., Rogaway, P.: Improved security analyses for CBC MACs. In: Shoup [35], pp. 527–545
Bellare, M.: New proofs for \(\sf NMAC\) and \(\sf HMAC\): security without collision-resistance. In: Dwork, C. (ed.) CRYPTO 2006. LNCS, vol. 4117, pp. 602–619. Springer, Heidelberg (2006)
Bellare, M., Rogaway, P.: The security of triple encryption and a framework for code-based game-playing proofs. In: Vaudenay [36], pp. 409–426
Black, J., Halevi, S., Krawczyk, H., Krovetz, T., Rogaway, P.: UMAC: fast and secure message authentication. In: Wiener [40], pp. 216–233
Black, J., Rogaway, P.: A block-cipher mode of operation for parallelizable message authentication. In: Knudsen [22], pp. 384–397
Bogdanov, A.A., Knudsen, L.R., Leander, G., Paar, C., Poschmann, A., Robshaw, M., Seurin, Y., Vikkelsoe, C.: PRESENT: an ultra-lightweight block cipher. In: Paillier, P., Verbauwhede, I. (eds.) CHES 2007. LNCS, vol. 4727, pp. 450–466. Springer, Heidelberg (2007)
Datta, N., Dutta, A., Nandi, M., Paul, G., Zhang, L.: One-key double-sum MAC with beyond-birthday security. Cryptology ePrint Archive, Report 2015/958 (2015). http://eprint.iacr.org/
Dodis, Y., Ristenpart, T., Steinberger, J., Tessaro, S.: To hash or not to hash again? (In)Differentiability results for \(H^2\) and HMAC. In: Canetti, R., Safavi-Naini, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 348–366. Springer, Heidelberg (2012)
Dodis, Y., Steinberger, J.: Domain extension for MACs beyond the birthday barrier. In: Paterson, K.G. (ed.) EUROCRYPT 2011. LNCS, vol. 6632, pp. 323–342. Springer, Heidelberg (2011)
Dutta, A., Nandi, M., Paul, G.: One-Key Compression Function Based MAC with Security beyond Birthday Bound. Cryptology ePrint Archive, Report 2015/1016, 20 October 2015. http://eprint.iacr.org/
Gaži, P., Pietrzak, K., Rybár, M.: The exact PRF-security of NMAC and HMAC. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014, Part I. LNCS, vol. 8616, pp. 113–130. Springer, Heidelberg (2014)
Gaži, P., Pietrzak, K., Tessaro, S.: Generic security of NMAC and HMAC with input whitening. Cryptology ePrint Archive, Report 2015/881 (2015). http://eprint.iacr.org/
Hong, D., Sung, J., Hong, S.H., Lim, J.-I., Lee, S.-J., Koo, B.-S., Lee, C.-H., Chang, D., Lee, J., Jeong, K., Kim, H., Kim, J.-S., Chee, S.: HIGHT: a new block cipher suitable for low-resource device. In: Goubin, L., Matsui, M. (eds.) CHES 2006. LNCS, vol. 4249, pp. 46–59. Springer, Heidelberg (2006)
Iwata, T., Kurosawa, K.: OMAC: one-key CBC MAC. In: Johansson [20], pp. 129–153
Jaulmes, É., Joux, A., Valette, F.: On the security of randomized CBC-MAC beyond the birthday paradox limit: a new construction. In: Daemen, J., Rijmen, V. (eds.) FSE 2002. LNCS, vol. 2365, pp. 237–251. Springer, Heidelberg (2002)
Johansson, T. (ed.): FSE 2003. LNCS, vol. 2887. Springer, Heidelberg (2003)
Joux, A., Poupard, G., Stern, J.: New attacks against standardized MACs. In: Johansson [20], pp. 170–181
Knudsen, L.R. (ed.): EUROCRYPT 2002. LNCS, vol. 2332. Springer, Heidelberg (2002)
Koblitz, N., Menezes, A.: Another look at HMAC. J. Math. Cryptology 7(3), 225–251 (2013)
Krawczyk, H., Bellare, M., Canetti, R.: HMAC: Keyed-Hashing for Message Authentication. RFC 2104 (Informational), February 1997
Landecker, W., Shrimpton, T., Terashima, R.S.: Tweakable blockciphers with beyond birthday-bound security. In: Canetti, R., Safavi-Naini, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 14–30. Springer, Heidelberg (2012)
Leurent, G., Peyrin, T., Wang, L.: New generic attacks against hash-based MACs. In: Sako, K., Sarkar, P. (eds.) ASIACRYPT 2013, Part II. LNCS, vol. 8270, pp. 1–20. Springer, Heidelberg (2013)
Lucks, S.: A failure-friendly design principle for hash functions. In: Roy, B. (ed.) ASIACRYPT 2005. LNCS, vol. 3788, pp. 474–494. Springer, Heidelberg (2005)
Maurer, U.M., Sjödin, J.: Domain expansion of MACs: alternative uses of the FIL-MAC. In: Smart, N.P. (ed.) Cryptography and Coding 2005. LNCS, vol. 3796, pp. 168–185. Springer, Heidelberg (2005)
Maurer, U.M., Sjödin, J.: Single-key AIL-MACs from any FIL-MAC. In: Caires, L., Italiano, G.F., Monteiro, L., Palamidessi, C., Yung, M. (eds.) ICALP 2005. LNCS, vol. 3580, pp. 472–484. Springer, Heidelberg (2005)
Minematsu, K.: How to thwart birthday attacks against MACs via small randomness. In: Hong, S., Iwata, T. (eds.) FSE 2010. LNCS, vol. 6147, pp. 230–249. Springer, Heidelberg (2010)
Naito, Y., Sasaki, Y., Wang, L., Yasuda, K.: Generic state-recovery and forgery attacks on ChopMD-MAC and on NMAC/HMAC. In: Sakiyama, K., Terada, M. (eds.) IWSEC 2013. LNCS, vol. 8231, pp. 83–98. Springer, Heidelberg (2013)
Peyrin, T., Sasaki, Y., Wang, L.: Generic related-key attacks for HMAC. In: Wang and Sako [37], pp. 580–597
Peyrin, T., Wang, L.: Generic universal forgery attack on iterative hash-based MACs. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 147–164. Springer, Heidelberg (2014)
Preneel, B., van Oorschot, P.C.: MDx-MAC and building fast MACs from hash functions. In: Coppersmith, D. (ed.) CRYPTO 1995. LNCS, vol. 963, pp. 1–14. Springer, Heidelberg (1995)
Shoup, V. (ed.): CRYPTO 2005. LNCS, vol. 3621. Springer, Heidelberg (2005)
Vaudenay, S. (ed.): EUROCRYPT 2006. LNCS, vol. 4004. Springer, Heidelberg (2006)
Wang, X., Sako, K. (eds.): ASIACRYPT 2012. LNCS, vol. 7658. Springer, Heidelberg (2012)
Wang, X., Yin, Y.L., Yu, H.: Finding collisions in the full SHA-1. In: Shoup [35], pp. 17–36
Wang, X., Yu, H.: How to break MD5 and other hash functions. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 19–35. Springer, Heidelberg (2005)
Wiener, M. (ed.): CRYPTO 1999. LNCS, vol. 1666. Springer, Heidelberg (1999)
Yasuda, K.: Boosting Merkle-Damgård hashing for message authentication. In: Kurosawa, K. (ed.) ASIACRYPT 2007. LNCS, vol. 4833, pp. 216–231. Springer, Heidelberg (2007)
Yasuda, K.: Multilane HMAC: security beyond the birthday limit. In: Srinathan, K., Rangan, C.P., Yung, M. (eds.) INDOCRYPT 2007. LNCS, vol. 4859, pp. 18–32. Springer, Heidelberg (2007)
Yasuda, K.: “Sandwich” is indeed secure: how to authenticate a message with just one hashing. In: Pieprzyk, J., Ghodosi, H., Dawson, E. (eds.) ACISP 2007. LNCS, vol. 4586, pp. 355–369. Springer, Heidelberg (2007)
Yasuda, K.: A one-pass mode of operation for deterministic message authentication: security beyond the birthday barrier. In: Nyberg, K. (ed.) FSE 2008. LNCS, vol. 5086, pp. 316–333. Springer, Heidelberg (2008)
Yasuda, K.: A double-piped mode of operation for MACs, PRFs and PROs: security beyond the birthday barrier. In: Joux, A. (ed.) EUROCRYPT 2009. LNCS, vol. 5479, pp. 242–259. Springer, Heidelberg (2009)
Yasuda, K.: HMAC without the “Second” key. In: Samarati, P., Yung, M., Martinelli, F., Ardagna, C.A. (eds.) ISC 2009. LNCS, vol. 5735, pp. 443–458. Springer, Heidelberg (2009)
Yasuda, K.: The sum of CBC MACs is a secure PRF. In: Pieprzyk, J. (ed.) CT-RSA 2010. LNCS, vol. 5985, pp. 366–381. Springer, Heidelberg (2010)
Yasuda, K.: A new variant of PMAC: beyond the birthday bound. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 596–609. Springer, Heidelberg (2011)
Yasuda, K.: On the full MAC security of a double-piped mode of operation. IEICE Trans. 94-A(1), 84–91 (2011)
Yasuda, K.: A parallelizable PRF-based MAC algorithm: well beyond the birthday bound. IEICE Trans. 96(1), 237–241 (2013)
Zhang, L., Wu, W., Sui, H., Wang, P.: 3kf9: enhancing 3GPP-MAC beyond the birthday bound. In: Wang and Sako [37], pp. 296–312
Acknowledgements
The authors are thankful to the Project Centre of Excellence in Cryptology (CoEC) of Indian Statistical Institute for partial support towards this research work.
Appendices
A Proof of Proposition 2
We prove that \(\Pr [G \xleftarrow {\$} \mathcal {G}(\mathcal {M}) : |fColl(G)| \ge 3] \le \frac{27\ell ^{6}}{2^{3n}}\), where \(\ell \) is the total number of blocks of the messages in \(\mathcal {M}\) and \(\ell \le 2^{n/2}\).
\[
\begin{aligned}
\Pr [G \xleftarrow {\$} \mathcal {G}(\mathcal {M}) : |fColl(G)| \ge 3] &= \sum \limits _{i=3}^{\infty } \Pr [G \xleftarrow {\$} \mathcal {G}(\mathcal {M}) : |fColl(G)| = i] \\
&\le \sum \limits _{i=3}^{\infty } \sum \limits _{H \in \mathcal {G}^i(\mathcal {M})} \Pr [G \xleftarrow {\$} \mathcal {G}(\mathcal {M}) : G = H] \le \sum \limits _{i=3}^{\infty } \sum \limits _{H \in \mathcal {G}^i(\mathcal {M})} \frac{1}{2^{ni}} \quad \text {(from Proposition 1)} \\
&\le \sum \limits _{i=3}^{\infty } \frac{|\mathcal {G}^i(\mathcal {M})|}{2^{in}}.
\end{aligned}
\]
Now, note that a structure graph G is uniquely determined by its collisions. Therefore, \(|\mathcal {G}^i(\mathcal {M})| \le \left(\frac{2\ell (2\ell +1)}{2}\right)^i \le (3\ell ^2)^i\). Let a denote \(\frac{3\ell ^2}{2^n}\). Assuming \(\ell \le 2^{n/2}\), we can write \(\Pr [G \xleftarrow {\$} \mathcal {G}(\mathcal {M}) : |fColl(G)| \ge 3] \le \frac{a^3}{(1-a)} \le \frac{27\ell ^6}{2^{3n}}.\) \(\square \)
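The last step of the proof, as an added worked derivation (not part of the original text) that makes the geometric-series summation and its convergence condition explicit, using the document's \(a = 3\ell^2/2^n\):

\[
\sum_{i=3}^{\infty} \frac{|\mathcal{G}^i(\mathcal{M})|}{2^{in}} \le \sum_{i=3}^{\infty} \left(\frac{3\ell^2}{2^n}\right)^{i} = \sum_{i=3}^{\infty} a^{i} = \frac{a^3}{1-a}, \qquad \text{valid only when } a < 1,\ \text{i.e. } \ell < 2^{n/2}/\sqrt{3}.
\]

Under the restriction \(\ell \le 2^{n/4}\) used in the main result one has \(a \le 3 \cdot 2^{-n/2}\), so \(\frac{1}{1-a} = 1 + O(2^{-n/2})\) and \(\frac{a^3}{1-a} = \frac{27\ell^6}{2^{3n}}\bigl(1 + O(2^{-n/2})\bigr)\), which is the stated \(O(\ell^6/2^{3n})\) bound with the lower-order factor made visible.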
B Diagram of NI
See Fig. 2
C Proof of Lemma 1, Case (A)
We provide the proof of \(\Pr [E_{\mathrm {coll}} \wedge |fColl(G)| = 0] \le \frac{1}{2^{2n}}\) here. We fix a structure graph \(H \in \mathcal {G}^0\) and then analyse the probability of the event \(E_{\mathrm {coll}}\) with respect to H on a case-by-case basis.
Case (A.1) When neither of \(M^i\) and \(M^j\) is a prefix of the other, recall that p is the LCP of \(M^i\) and \(M^j\). Therefore, all \(Y^i_{\alpha }\) and \(Y^j_{\beta }\) are distinct, where \(p+1 \le \alpha \le l_i, p+1 \le \beta \le l_j\). Moreover, \(Y^i_{\alpha } \ne Y^j_{\alpha }\) for \(p+1 \le \alpha \le \min \{l_i, l_j\}\), as the number of collisions in H is 0. Therefore, we have,
It is obvious that \(\Pr [\varSigma ^i = \varSigma ^j] \le \frac{1}{2^n - 2 \ell }\), and the event \(\varTheta ^i = \varTheta ^j \wedge G = H\) conditioned on the event \(\varSigma ^i = \varSigma ^j\) implies a non-trivial equation on \(\mathbf {Y}\), since we obtain \(Y^i_{p+1}\) and \(Y^j_{p+1}\) for which \(\varTheta ^i \oplus \varTheta ^j = 0\) becomes non-trivial. Thus, \(\Pr [\varTheta ^i = \varTheta ^j \wedge G = H | \varSigma ^i = \varSigma ^j] \le \frac{1}{2^n - 2 \ell }\). Therefore, \(\Pr [E_{\mathrm {coll}} \wedge G = H] \le \frac{1}{2^{2n}}\), assuming \(\ell \le 2^{n - 1}\).
Case (A.2) Consider the case where one of the two messages is a prefix of the other (w.l.o.g. \(M^j\) is a prefix of \(M^i\)). Since \(l_i > l_j\), we have \(p = l_j\). Since the number of collisions in H is 0, \(Y^i_{p+1}, \ldots, Y^i_{l_i}\) are all distinct from each other and from \(Y^i_{1}, \ldots , Y^i_{l_j}\). This implies that \(Y^i_{l_i} \ne Y^j_{l_j}\), as depicted in Fig. 3. Therefore, the probability of \(\varTheta ^i = \varTheta ^j \wedge G = H\) conditioned on the event \(\varSigma ^i = \varSigma ^j\) is \(O(1/2^n)\), since we obtain two random variables \(Y^i_{l_i}\) and \(Y^j_{l_j}\) for which \(\varTheta ^i \oplus \varTheta ^j = 0\) becomes non-trivial. Moreover, \(\Pr [\varSigma ^i = \varSigma ^j] \le \frac{1}{2^n}\). Therefore again, \(\Pr [E_{\mathrm {coll}} \wedge G = H] \le \frac{1}{2^{2n}}\).
Since \(|\mathcal {G}^0| = 1\), we have \(\Pr [E_{\mathrm {coll}} \wedge |fColl(G)| = 0] \le \frac{1}{2^{2n}}\). \(\square \)
D Proof of Lemma 1, Case (D)
We present the proof of \(\Pr [E_{\mathrm {cf}} \wedge |fColl(G)| = 0] \le \frac{1}{2^{2n}}\) here. We fix a structure graph \(H \in \mathcal {G}^0\) and then analyse the probability of the event \(E_{\mathrm {cf}}\) with respect to H on a case-by-case basis.
Case (i) Let p be the LCP of \(M^i\) and \(M^j\). Therefore, \(Y^i_{\alpha } = Y^j_{\alpha }\) for \(1 \le \alpha \le p\), and \(Y^i_{\beta } \ne Y^j_{\beta }\) for \(p+1 \le \beta \le \min \{l_i, l_j\}\), as the number of accidents in H is 0. Moreover, if \(l_i > l_j\), then all \(Y^i_{\beta }\) with \(l_j + 1 \le \beta \le l_i\) are distinct, as \(|fColl(G)| = 0\). Note that it is also true that \(Y^i_{l_i} \ne Y^j_{l_j}\). Therefore, we have the following set of equations:
where s is either i or j and \(t \in [l_i+1]\) or \(t \in [l_j+1]\). For each of these cases one can easily check that the above system of equations has rank 2. Therefore, \(\Pr [E_{\mathrm {cf}} \wedge G = H] \le \frac{1}{2^{2n}}\).
Case (ii) Without loss of generality, let \(M^j\) be a prefix of \(M^i\). Since \(l_i > l_j\), we have \(p = l_j\). Since the number of collisions in H is 0, \(Y^i_{p+1}, \ldots, Y^i_{l_i}\) are all distinct from each other and from \(Y^j_{1}, \ldots , Y^j_{l_j}\). This implies that \(Y^i_{l_i} \ne Y^j_{l_j}\), as depicted in Fig. 3. Therefore, the set of equations (Eqs. (5) and (6)) has full rank, and again we have \(\Pr [E_{\mathrm {cf}} \wedge G = H] \le \frac{1}{2^{2n}}\).
Therefore, from the above two cases we have \(\Pr [E_{\mathrm {cf}} \wedge G = H] \le \frac{1}{2^{2n}}\) for any non-zero n-bit constant x. Moreover, \(|\mathcal {G}^0| \le 1\). So \(\Pr [E_{\mathrm {cf}} \wedge |fColl(G)| = 0] \le \frac{1}{2^{2n}}\).
© 2016 Springer International Publishing Switzerland
Cite this paper
Dutta, A., Nandi, M., Paul, G. (2016). One-Key Compression Function Based MAC with Security Beyond Birthday Bound. In: Liu, J., Steinfeld, R. (eds) Information Security and Privacy. ACISP 2016. Lecture Notes in Computer Science(), vol 9722. Springer, Cham. https://doi.org/10.1007/978-3-319-40253-6_21
DOI: https://doi.org/10.1007/978-3-319-40253-6_21
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-40252-9
Online ISBN: 978-3-319-40253-6