Skip to main content
SpringerLink
Log in

Parallelizable MACs Based on the Sum of PRPs with Security Beyond the Birthday Bound

  • Conference paper
  • First Online:
Applied Cryptography and Network Security (ACNS 2019)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 11464))

Included in the following conference series:

Abstract

The combination of universal hashing and encryption is a fundamental paradigm for the construction of symmetric-key MACs, dating back to the seminal works by Wegman and Carter, Shoup, and Bernstein. While fully sufficient for many practical applications, the Wegman-Carter construction, however, is well-known to break if nonces are ever repeated, and provides only birthday-bound security if instantiated with a permutation. Those limitations inspired the community to severals recent proposals that addressed them, initiated by Cogliati et al.’s Encrypted Wegman-Carter Davies-Meyer (EWCDM) construction.

This work extends this line of research by studying two constructions based on the sum of PRPs: (1) a stateless deterministic scheme that uses two hash functions, and (2) a nonce-based scheme with one hash-function call and a nonce. We show up to 2n/3-bit security for both of them if the hash function is universal. Compared to the EWCDM construction, our proposals avoid the fact that a single reuse of a nonce can lead to a break.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 69.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 89.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Notes

  1. 1.

    Technically speaking, there is a total of \(q(q-1)/2\) of input pairs. When bounding the probability of a collision we used \(q^2\) instead, ignoring the factor 1 / 2.

  2. 2.

    To avoid confusion, by ‘and/or’ we actually mean the logical ‘or’.

References

  1. Andreeva, E., Daemen, J., Mennink, B., Van Assche, G.: Security of keyed sponge constructions using a modular proof approach. In: Leander, G. (ed.) FSE 2015. LNCS, vol. 9054, pp. 364–384. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48116-5_18

    Chapter  Google Scholar 

  2. Bernstein, D.J.: Stronger security bounds for wegman-carter-shoup authenticators. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 164–180. Springer, Heidelberg (2005). https://doi.org/10.1007/11426639_10

    Chapter  Google Scholar 

  3. Bernstein, D.J.: The Poly1305-AES message-authentication code. In: Gilbert, H., Handschuh, H. (eds.) FSE 2005. LNCS, vol. 3557, pp. 32–49. Springer, Heidelberg (2005). https://doi.org/10.1007/11502760_3

    Chapter  Google Scholar 

  4. Bernstein, D.J.: Polynomial evaluation and message authentication, February 2007. https://cr.yp.to/antiforgery/pema-20071022.pdf

  5. Carter, L., Wegman, M.N.: Universal classes of hash functions. J. Comput. Syst. Sci. 18(2), 143–154 (1979)

    Article  MathSciNet  MATH  Google Scholar 

  6. Chakraborty, D., Ghosh, S., Sarkar, P.: A fast single-key two-level universal hash function. IACR Trans. Symmetric Cryptol. 2017(1), 106–128 (2017)

    Google Scholar 

  7. Chen, S., Steinberger, J.: Tight security bounds for key-alternating ciphers. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 327–350. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-55220-5_19

    Chapter  Google Scholar 

  8. Cogliati, B., Lee, J., Seurin, Y.: New constructions of MACs from (tweakable) block ciphers. IACR Trans. Symmetric Cryptol. 2017(2), 27–58 (2017)

    Google Scholar 

  9. Cogliati, B., Seurin, Y.: EWCDM: an efficient, beyond-birthday secure, nonce-misuse resistant MAC. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9814, pp. 121–149. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53018-4_5

    Chapter  Google Scholar 

  10. Cogliati, B., Seurin, Y.: Analysis of the single-permutation encrypted Davies-Meyer construction. Des. Codes Crypt. 86(12), 2703–2723 (2018)

    Article  MathSciNet  MATH  Google Scholar 

  11. Datta, N., Dutta, A., Nandi, M., Paul, G.: Double-block hash-then-sum: a paradigm for constructing BBB secure PRF. IACR Trans. Symmetric Cryptol. 2018(3), 36–92 (2018). Full updated version at https://eprint.iacr.org/2018/804

    Google Scholar 

  12. Datta, N., Dutta, A., Nandi, M., Paul, G., Zhang, L.: Building single-key beyond birthday bound message authentication code. Cryptology ePrint Archive, Report 2015/958 (2015). Version: 20160211:123920

    Google Scholar 

  13. Datta, N., Dutta, A., Nandi, M., Yasuda, K.: Encrypt or decrypt? To make a single-key beyond birthday secure nonce-based MAC. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018. LNCS, vol. 10991, pp. 631–661. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96884-1_21

    Chapter  Google Scholar 

  14. Dutta, A., Jha, A., Nandi, M.: Exact security analysis of hash-then-mask type probabilistic MAC constructions. IACR Cryptology ePrint Archive 2016/ 983 (2016)

    Google Scholar 

  15. Dutta, A., Jha, A., Nandi, M.: Tight security analysis of EHtM MAC. IACR Trans. Symmetric Cryptol. 2017(3), 130–150 (2017)

    Google Scholar 

  16. Gueron, S., Kounavis, M.E.: Intel carry-less multiplication instruction and its usage for computing the GCM mode - rev 2.02. Intel White Paper. Technical report, Intel corporation, 20 April 2014

    Google Scholar 

  17. Gueron, S., Lindell, Y.: GCM-SIV: full nonce misuse-resistant authenticated encryption at under one cycle per byte. In: Ray, I., Li, N., Kruegel, C. (eds.) ACM CCS, pp. 109–119. ACM (2015)

    Google Scholar 

  18. Iwata, T., Minematsu, K.: Stronger security variants of GCM-SIV. IACR Trans. Symmetric Cryptol. 2016(1), 134–157 (2016)

    Google Scholar 

  19. Krawczyk, H.: LFSR-based hashing and authentication. In: Desmedt, Y.G. (ed.) CRYPTO 1994. LNCS, vol. 839, pp. 129–139. Springer, Heidelberg (1994). https://doi.org/10.1007/3-540-48658-5_15

    Chapter  Google Scholar 

  20. Leurent, G., Nandi, M., Sibleyras, F.: Generic attacks against beyond-birthday-bound MACs. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018. LNCS, vol. 10991, pp. 306–336. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96884-1_11

    Chapter  Google Scholar 

  21. Luykx, A., Preneel, B.: Optimal forgeries against polynomial-based MACs and GCM. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10820, pp. 445–467. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78381-9_17

    Chapter  Google Scholar 

  22. Mennink, B.: Towards tight security of cascaded LRW2. In: Beimel, A., Dziembowski, S. (eds.) TCC 2018. LNCS, vol. 11240, pp. 192–222. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-03810-6_8

    Chapter  MATH  Google Scholar 

  23. Mennink, B., Neves, S.: Encrypted davies-meyer and its dual: towards optimal security using mirror theory. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10403, pp. 556–583. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63697-9_19

    Chapter  Google Scholar 

  24. Minematsu, K.: How to thwart birthday attacks against MACs via small randomness. In: Hong, S., Iwata, T. (eds.) FSE 2010. LNCS, vol. 6147, pp. 230–249. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13858-4_13

    Chapter  Google Scholar 

  25. Nachef, V., Patarin, J., Volte, E.: Feistel Ciphers: Security Proofs and Cryptanalysis. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-49530-9

    Book  MATH  Google Scholar 

  26. Nandi, M.: Birthday attack on dual EWCDM. IACR Cryptology ePrint Archive 2017/579 (2017)

    Google Scholar 

  27. Nandi, M.: Bernstein bound on WCS is tight. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018. LNCS, vol. 10992, pp. 213–238. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96881-0_8

    Chapter  Google Scholar 

  28. Patarin, J.: The “coefficients H” technique. In: Avanzi, R.M., Keliher, L., Sica, F. (eds.) SAC 2008. LNCS, vol. 5381, pp. 328–345. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-04159-4_21

    Chapter  Google Scholar 

  29. Patarin, J.: Introduction to mirror theory: analysis of systems of linear equalities and linear non equalities for cryptography. IACR Cryptology ePrint Archive 2010/287 (2010)

    Google Scholar 

  30. Patarin, J.: Mirror theory and cryptography. IACR Cryptology ePrint Archive 2016/702 (2016)

    Google Scholar 

  31. Patarin, J.: Mirror theory and cryptography. Appl. Algebra Eng. Commun. Comput. 28(4), 321–338 (2017)

    Article  MathSciNet  MATH  Google Scholar 

  32. Rogaway, P.: Bucket hashing and its application to fast message authentication. In: Coppersmith, D. (ed.) CRYPTO 1995. LNCS, vol. 963, pp. 29–42. Springer, Heidelberg (1995). https://doi.org/10.1007/3-540-44750-4_3

    Chapter  Google Scholar 

  33. Shoup, V.: On fast and provably secure message authentication based on universal hashing. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 313–328. Springer, Heidelberg (1996). https://doi.org/10.1007/3-540-68697-5_24

    Chapter  Google Scholar 

  34. Wegman, M.N., Carter, L.: New classes and applications of hash functions. In: FOCS, pp. 175–182. IEEE Computer Society (1979)

    Google Scholar 

  35. Wegman, M.N., Carter, L.: New hash functions and their use in authentication and set equality. J. Comput. Syst. Sci. 22(3), 265–279 (1981)

    Article  MathSciNet  MATH  Google Scholar 

  36. Yasuda, K.: A new variant of PMAC: beyond the birthday bound. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 596–609. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-22792-9_34

    Chapter  Google Scholar 

  37. Zhang, L., Wu, W., Sui, H., Wang, P.: 3kf9: enhancing 3GPP-MAC beyond the birthday bound. In: Wang, X., Sako, K. (eds.) ASIACRYPT 2012. LNCS, vol. 7658, pp. 296–312. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-34961-4_19

    Chapter  Google Scholar 

Download references

Acknowledgments

We would like to thank the anonymous reviewers for their helpful comments.

Author information

Authors and Affiliations

  1. Universität Mannheim, Mannheim, Germany

    Alexander Moch

  2. Bauhaus-Universität Weimar, Weimar, Germany

    Eik List

Authors
  1. Alexander Moch
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Eik List
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Alexander Moch .

Editor information

Editors and Affiliations

  1. Singapore Management University, Singapore, Singapore

    Robert H. Deng

  2. Universidad del Rosario, Bogota, Colombia

    Valérie Gauthier-Umaña

  3. Cyxtera Technologies, Bogota, Colombia

    Martín Ochoa

  4. Columbia University, New York, NY, USA

    Moti Yung

Rights and permissions

Reprints and permissions

Copyright information

© 2019 Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Moch, A., List, E. (2019). Parallelizable MACs Based on the Sum of PRPs with Security Beyond the Birthday Bound. In: Deng, R., Gauthier-Umaña, V., Ochoa, M., Yung, M. (eds) Applied Cryptography and Network Security. ACNS 2019. Lecture Notes in Computer Science(), vol 11464. Springer, Cham. https://doi.org/10.1007/978-3-030-21568-2_7

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-21568-2_7

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-21567-5

  • Online ISBN: 978-3-030-21568-2

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation