ZMAC+ - An Efficient Variable-output-length Variant of ZMAC

There is an ongoing trend in the symmetric-key cryptographic community to construct highly secure modes and message authentication codes based on tweakable block ciphers (TBCs). Recent constructions, such as Cogliati et al.'s HaT or Iwata et al.'s ZMAC, employ both the n-bit plaintext and the t-bit tweak simultaneously for higher performance. This work revisits ZMAC and proposes a simpler alternative finalization based on HaT. As a result, we propose HtTBC, and call its instantiation with ZHash as a hash function ZMAC+. Compared to HaT, ZMAC+ (1) requires only a single key and a single primitive. Compared to ZMAC, our construction (2) allows variable, per-query parametrizable output lengths. Moreover, ZMAC+ (3) avoids the complex finalization of ZMAC and (4) improves the security bound from O(σ^2 / 2^(n + min(n, t))) to O(q / 2^n + q(q + σ) / 2^(n + min(n, t))) while retaining a practical tweak space.
