How to Build Optimally Secure PRFs Using Block Ciphers

In EUROCRYPT '96, Aiello and Venkatesan proposed two candidates for $ 2n $-bit to $ 2n $-bit pseudorandom functions (PRFs), called Benes and modified Benes (or mBenes), based on $ n $-bit to $ n $-bit PRFs. While Benes is known to be secure up to $ 2^n $ queries (Patarin, AFRICACRYPT '08), the security of mBenes has only been proved up to $ 2^{n(1-\epsilon)} $ queries for all $ \epsilon > 0 $ by Patarin and Montreuil in ICISC '05. In this work, we show that the composition of a $ 2n $-bit hash function with mBenes is a secure variable input length (VIL) PRF up to $ 2^{n-2} $ queries (given appropriate hash function bounds). We extend our analysis with block ciphers as the underlying primitive and obtain two optimally secure VIL PRFs using block ciphers. The first of these candidates requires $ 6 $ calls to the block cipher. The second candidate requires just $ 4 $ calls to the block cipher, but here the proof is based on Patarin's mirror theory. Further, we instantiate the hash function with a PMAC+/LightMAC+ like hash, to get six candidates for deterministic message authentication codes with optimal security.
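As an added illustration (not code from the paper), the Benes scheme over eight $ n $-bit PRFs, following the Butterfly-composed-with-Butterfly definition of Aiello and Venkatesan, wrapped as a hash-then-Benes variable input length PRF; the paper's result concerns mBenes, and the choices of truncated HMAC-SHA256 as each $ n $-bit PRF, HMAC-SHA256 as the $ 2n $-bit hash, and the toy key derivation are assumptions for the demo.

```python
import hmac
import hashlib
from typing import Callable, List

PRF = Callable[[bytes], bytes]

def make_prf(key: bytes, n_bytes: int) -> PRF:
    """n-bit PRF f_i: HMAC-SHA256 under its own key, truncated to n bytes
    (demo assumption; the construction works over any n-bit PRF)."""
    def f(x: bytes) -> bytes:
        assert len(x) == n_bytes
        return hmac.new(key, x, hashlib.sha256).digest()[:n_bytes]
    return f

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def butterfly(f: List[PRF], left: bytes, right: bytes):
    """One Butterfly layer: (L, R) -> (f1(L) ^ f2(R), f3(L) ^ f4(R))."""
    return xor(f[0](left), f[1](right)), xor(f[2](left), f[3](right))

def benes(f: List[PRF], msg: bytes, n_bytes: int) -> bytes:
    """Benes = Butterfly composed with Butterfly: eight n-bit PRF calls
    give a 2n-bit to 2n-bit function (Aiello-Venkatesan, EUROCRYPT '96)."""
    assert len(f) == 8 and len(msg) == 2 * n_bytes
    left, right = msg[:n_bytes], msg[n_bytes:]
    x, y = butterfly(f[:4], left, right)   # first Butterfly layer
    s, t = butterfly(f[4:], x, y)          # second Butterfly layer
    return s + t

def keyed_benes(master_key: bytes, n_bytes: int = 16) -> PRF:
    """Derive eight independent PRF keys from one master key (toy KDF,
    a demo assumption) and return the 2n-bit Benes function."""
    keys = [hmac.new(master_key, bytes([i]), hashlib.sha256).digest() for i in range(8)]
    f = [make_prf(k, n_bytes) for k in keys]
    return lambda m: benes(f, m, n_bytes)

def hash_then_benes(master_key: bytes, n_bytes: int = 16) -> PRF:
    """VIL PRF: hash an arbitrary-length message to 2n bits (keyed
    HMAC-SHA256, demo assumption), then apply the 2n-bit Benes function."""
    assert n_bytes <= 16                   # 2n bits must fit in one SHA-256 digest
    hash_key = hmac.new(master_key, b"hash", hashlib.sha256).digest()
    fixed_len_prf = keyed_benes(master_key, n_bytes)
    def vil(msg: bytes) -> bytes:
        digest = hmac.new(hash_key, msg, hashlib.sha256).digest()[:2 * n_bytes]
        return fixed_len_prf(digest)
    return vil

if __name__ == "__main__":
    prf = hash_then_benes(b"constructed demo key")   # constructed sample key
    print(prf(b"constructed sample message").hex())
```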

[1] Jacques Patarin et al. A Proof of Security in O(2^n) for the Xor of Two Random Permutations, 2008, ICITS.

[2] Stefan Lucks et al. The Sum of PRPs Is a Secure PRF, 2000, EUROCRYPT.

[3] Yusuke Naito et al. The Exact Security of PMAC with Two Powering-Up Masks, 2019, IACR Trans. Symmetric Cryptol.

[4] Yusuke Naito. The Exact Security of PMAC with Three Powering-Up Masks, 2020, IACR Cryptol. ePrint Arch.

[5] Stefano Tessaro et al. Information-Theoretic Indistinguishability via the Chi-Squared Method, 2017, CRYPTO.

[6] John P. Steinberger et al. Tight Security Bounds for Key-Alternating Ciphers, 2014, EUROCRYPT.

[7] Valérie Nachef et al. Feistel Ciphers - Security Proofs and Cryptanalysis, 2017.

[8] Thomas Shrimpton et al. Deterministic Authenticated-Encryption: A Provable-Security Treatment of the Key-Wrap Problem, 2006, IACR Cryptol. ePrint Arch.

[9] Goutam Paul et al. Double-block Hash-then-Sum: A Paradigm for Constructing BBB Secure PRF, 2018, IACR Cryptol. ePrint Arch.

[10] Thomas Shrimpton et al. Tweakable Blockciphers with Beyond Birthday-Bound Security, 2012, IACR Cryptol. ePrint Arch.

[11] Kan Yasuda et al. Encrypt or Decrypt? To Make a Single-Key Beyond Birthday Secure Nonce-Based MAC, 2018, IACR Cryptol. ePrint Arch.

[12] Mihir Bellare et al. The Power of Verification Queries in Message Authentication and Authenticated Encryption, 2004, IACR Cryptol. ePrint Arch.

[13] Mihir Bellare et al. Luby-Rackoff Backwards: Increasing Security by Making Block Ciphers Non-invertible, 1998, EUROCRYPT.

[14] Benoit Cogliati et al. EWCDM: An Efficient, Beyond-Birthday Secure, Nonce-Misuse Resistant MAC, 2016, CRYPTO.

[15] Jacques Patarin et al. Security of Balanced and Unbalanced Feistel Schemes with Linear Non Equalities, 2010, IACR Cryptol. ePrint Arch.

[16] Jacques Patarin et al. Introduction to Mirror Theory: Analysis of Systems of Linear Equalities and Linear Non Equalities for Cryptography, 2010, IACR Cryptol. ePrint Arch.

[17] Kan Yasuda et al. The Sum of CBC MACs Is a Secure PRF, 2010, CT-RSA.

[18] Bruce Schneier et al. Building PRFs from PRPs, 1998, CRYPTO.

[19] Victor Shoup et al. Sequences of Games: A Tool for Taming Complexity in Security Proofs, 2004, IACR Cryptol. ePrint Arch.

[20] Goutam Paul et al. Single Key Variant of PMAC_Plus, 2017, IACR Trans. Symmetric Cryptol.

[21] Jean-Philippe Aumasson et al. SipHash: A Fast Short-Input PRF, 2012, INDOCRYPT.

[22] Ashwin Jha et al. On Length Independent Security Bounds for the PMAC Family, 2021, IACR Cryptol. ePrint Arch.

[23] Jacques Patarin et al. Benes and Butterfly Schemes Revisited, 2005, ICISC.

[24] Peng Wang et al. 3kf9: Enhancing 3GPP-MAC beyond the Birthday Bound, 2012, ASIACRYPT.

[25] Yusuke Naito et al. Blockcipher-Based MACs: Beyond the Birthday Bound Without Message Length, 2017, ASIACRYPT.

[26] Kan Yasuda et al. A New Variant of PMAC: Beyond the Birthday Bound, 2011, CRYPTO.

[27] Jacques Patarin. Mirror Theory and Cryptography, 2017, Applicable Algebra in Engineering, Communication and Computing.

[28] Bart Mennink et al. Optimal PRFs from Blockcipher Designs, 2017, IACR Trans. Symmetric Cryptol.

[29] Ashwin Jha et al. Tight Security of Cascaded LRW2, 2020, Journal of Cryptology.

[30] Ramarathnam Venkatesan et al. Foiling Birthday Attacks in Length-Doubling Transformations - Benes: A Non-Reversible Alternative to Feistel, 1996, EUROCRYPT.

[31] Jacques Patarin et al. A Proof of Security in O(2^n) for the Benes Scheme, 2008, AFRICACRYPT.

[32] ByeongHak Lee et al. Tight Security Bounds for Double-Block Hash-then-Sum MACs, 2020, EUROCRYPT.

[33] Mihir Bellare et al. A Tool for Obtaining Tighter Security Analyses of Pseudorandom Function Based Constructions, with Applications to PRP to PRF Conversion, 1999, IACR Cryptol. ePrint Arch.

[34] Bart Mennink et al. Encrypted Davies-Meyer and Its Dual: Towards Optimal Security Using Mirror Theory, 2017, CRYPTO.

[35] Jacques Patarin. Étude des générateurs de permutations pseudo-aléatoires basés sur le schéma du D.E.S., 1991.

[36] Bart Mennink et al. Towards Tight Security of Cascaded LRW2, 2018, IACR Cryptol. ePrint Arch.

[37] Jacques Patarin et al. The "Coefficients H" Technique, 2009, Selected Areas in Cryptography.