DoveMAC: A TBC-based PRF with Smaller State, Full Security, and High Rate

Recent parallelizable message authentication codes (MACs) have demonstrated the benefit of tweakable block ciphers (TBCs) for authentication with high security guarantees. With ZMAC, Iwata et al. extended this line of research by showing that TBCs can simultaneously increase the number of message bits that are processed per primitive call. However, ZMAC and previous TBC-based MACs need more memory than sequential constructions. While this aspect is less of an issue on desktop processors, it can be unfavorable on resource-constrained platforms. In contrast, existing sequential MACs limit the number of message bits processed per call to the block length n of the primitive or below.

This work proposes DoveMAC, a TBC-based PRF that reduces the memory of ZMAC-based MACs to 2n+2t+2k bits, where n is the state size, t the tweak length, and k the key length of the underlying primitive. DoveMAC provides (n+min(n,t))/2 bits of security and processes n+t bits per primitive call. Our construction is the first sequential MAC that combines beyond-birthday-bound security with a rate above n bits per call. By reserving a single tweak bit for domain separation, we derive a single-key variant, DoveMAC1k.

[1]  Ingrid Verbauwhede,et al.  Chaskey: An Efficient MAC Algorithm for 32-bit Microcontrollers , 2014, Selected Areas in Cryptography.

[2]  Bart Mennink,et al.  Security of Full-State Keyed and Duplex Sponge: Applications to Authenticated Encryption , 2015, IACR Cryptol. ePrint Arch..

[3]  David A. Wagner,et al.  Tweakable Block Ciphers , 2002, CRYPTO.

[4]  John P. Steinberger,et al.  Tight Security Bounds for Key-Alternating Ciphers , 2014, EUROCRYPT.

[5]  Ashwin Jha,et al.  On The Exact Security of Message Authentication Using Pseudorandom Functions , 2017, IACR Trans. Symmetric Cryptol..

[6]  Yusuke Naito,et al.  Improved Security Bound of LightMAC_Plus and Its Single-Key Variant , 2018, CT-RSA.

[7]  John Black,et al.  A Block-Cipher Mode of Operation for Parallelizable Message Authentication , 2002, EUROCRYPT.

[8]  Mihir Bellare,et al.  Improved Security Analyses for CBC MACs , 2005, CRYPTO.

[9]  Jacques Patarin,et al.  The "Coefficients H" Technique , 2009, Selected Areas in Cryptography.

[10]  Thomas Peyrin,et al.  Counter-in-Tweak: Authenticated Encryption Modes for Tweakable Block Ciphers , 2016, CRYPTO.

[11]  Morris J. Dworkin,et al.  SP 800-38B. Recommendation for Block Cipher Modes of Operation: the CMAC Mode for Authentication , 2005 .

[12]  Krzysztof Pietrzak,et al.  A Tight Bound for EMAC , 2006, ICALP.

[13]  Andrey Bogdanov,et al.  PRESENT: An Ultra-Lightweight Block Cipher , 2007, CHES.

[14]  Kan Yasuda,et al.  A New Variant of PMAC: Beyond the Birthday Bound , 2011, CRYPTO.

[15]  Thomas Peyrin,et al.  Tweaks and Keys for Block Ciphers: The TWEAKEY Framework , 2014, ASIACRYPT.

[16]  Goutam Paul,et al.  Single Key Variant of PMAC_Plus , 2017, IACR Trans. Symmetric Cryptol..

[17]  Kazuhiko Minematsu,et al.  ZMAC: A Fast Tweakable Block Cipher Mode for Highly Secure Message Authentication , 2017 .

[18]  Mihir Bellare,et al.  XOR MACs: New Methods for Message Authentication Using Finite Pseudorandom Functions , 1995, CRYPTO.

[19]  Kan Yasuda,et al.  A One-Pass Mode of Operation for Deterministic Message Authentication: Security beyond the Birthday Barrier , 2008, FSE.

[20]  Daniel J. Bernstein,et al.  How to Stretch Random Functions: The Security of Protected Counter Sums , 1999, Journal of Cryptology.

[21]  Jongsung Kim,et al.  HIGHT: A New Block Cipher Suitable for Low-Resource Device , 2006, CHES.

[22]  Ashwin Jha,et al.  A New Look at Counters: Don’t Run Like Marathon in a Hundred Meter Race , 2017, IEEE Transactions on Computers.

[23]  Ashwin Jha,et al.  Revisiting structure graphs: Applications to CBC-MAC and EMAC , 2016, J. Math. Cryptol..

[24]  Bart Preneel,et al.  MDx-MAC and Building Fast MACs from Hash Functions , 1995, CRYPTO.

[25]  Roberto Maria Avanzi,et al.  The QARMA Block Cipher Family. Almost MDS Matrices Over Rings With Zero Divisors, Nearly Symmetric Even-Mansour Constructions With Non-Involutory Central Rounds, and Search Heuristics for Low-Latency S-Boxes , 2017, IACR Trans. Symmetric Cryptol..

[26]  Goutam Paul,et al.  One-Key Compression Function Based MAC with Security Beyond Birthday Bound , 2016, ACISP.

[27]  Kan Yasuda,et al.  PMAC with Parity: Minimizing the Query-Length Influence , 2012, CT-RSA.

[28]  Chanathip Namprempre,et al.  Reconsidering Generic Composition , 2014, IACR Cryptol. ePrint Arch..

[29]  Yusuke Naito,et al.  Full PRF-Secure Message Authentication Code Based on Tweakable Block Cipher , 2015, ProvSec.

[30]  Bart Preneel,et al.  A MAC Mode for Lightweight Block Ciphers , 2016, FSE.

[31]  Yusi Zhang,et al.  Using an Error-Correction Code for Fast, Beyond-Birthday-Bound Authentication , 2015, CT-RSA.

[32]  Peng Wang,et al.  3kf9: Enhancing 3GPP-MAC beyond the Birthday Bound , 2012, ASIACRYPT.

[33]  Phillip Rogaway,et al.  Nonce-Based Symmetric Encryption , 2004, FSE.

[34]  Kaoru Kurosawa,et al.  OMAC: One-Key CBC MAC , 2003, IACR Cryptol. ePrint Arch..

[35]  Yusuke Naito,et al.  Blockcipher-Based MACs: Beyond the Birthday Bound Without Message Length , 2018 .

[36]  John Viega,et al.  The Security and Performance of the Galois/Counter Mode (GCM) of Operation , 2004, INDOCRYPT.

[37]  Mridul Nandi,et al.  Revisiting Full-PRF-Secure PMAC and Using It for Beyond-Birthday Authenticated Encryption , 2017, CT-RSA.

[38]  Kan Yasuda,et al.  A Double-Piped Mode of Operation for MACs, PRFs and PROs: Security beyond the Birthday Barrier , 2009, EUROCRYPT.

[39]  Thomas Peyrin,et al.  The SKINNY Family of Block Ciphers and its Low-Latency Variant MANTIS , 2016, IACR Cryptol. ePrint Arch..

[40]  Yusuke Naito,  On the Efficiency of ZMAC-Type Modes , 2018, CANS.

[41]  Thomas Peyrin,et al.  The SKINNY Family of Block Ciphers , 2016 .

[42]  Tetsu Iwata,et al.  Stronger Security Variants of GCM-SIV , 2016, IACR Trans. Symmetric Cryptol..

[43]  Kan Yasuda,et al.  The Sum of CBC MACs Is a Secure PRF , 2010, CT-RSA.