Double-block Hash-then-Sum: A Paradigm for Constructing BBB Secure PRF

SUM-ECBC (Yasuda, CT-RSA 2010) is the first beyond birthday bound (BBB) secure block cipher based deterministic MAC. After this work, some more BBB secure deterministic MACs have been proposed, namely PMAC_Plus (Yasuda, CRYPTO 2011), 3kf9 (Zhang et al., ASIACRYPT 2012) and LightMAC_Plus (Naito, ASIACRYPT 2017). In this paper, we have abstracted out the inherent design principle of all these BBB secure MACs and present a generic design paradigm to construct a BBB secure pseudo random function, namely Double-block Hash-then- Sum or in short (DbHtS). A DbHtS construction, as the name implies, computes a double block hash on the message and then sum the encrypted output of the two hash blocks. Our result renders that if the underlying hash function meets certain security requirements (namely cover-free and block-wise universal advantage is low), DbHtS construction provides 2n/3-bit security. We demonstrate the applicability of our result by instantiating all the existing beyond birthday secure deterministic MACs (e.g., SUM-ECBC, PMAC_Plus, 3kf9, LightMAC_Plus) as well as a simple two-keyed variant for each of them and some algebraic hash based constructions.

[1]  Thomas Johansson,et al.  On Families of Hash Functions via Geometric Codes and Concatenation , 1993, CRYPTO.

[2]  Mridul Nandi,et al.  Generic Attacks against Beyond-Birthday-Bound MACs , 2018, IACR Cryptol. ePrint Arch..

[3]  Mihir Bellare,et al.  Improved Security Analyses for CBC MACs , 2005, CRYPTO.

[4]  内藤 祐介,et al.  Blockcipher-Based MACs: Beyond the Birthday Bound Without Message Length , 2018 .

[5]  Benoit Cogliati,et al.  The Indistinguishability of the XOR of k Permutations , 2014, FSE.

[6]  John Black,et al.  A Block-Cipher Mode of Operation for Parallelizable Message Authentication , 2002, EUROCRYPT.

[7]  Goutam Paul,et al.  One-Key Compression Function Based MAC with Security Beyond Birthday Bound , 2016, ACISP.

[8]  Victor Shoup,et al.  Sequences of games: a tool for taming complexity in security proofs , 2004, IACR Cryptol. ePrint Arch..

[9]  Hugo Krawczyk,et al.  MMH: Software Message Authentication in the Gbit/Second Rates , 1997, FSE.

[10]  Bert den Boer A Simple and Key-Economical Unconditional Authentication Scheme , 1993, J. Comput. Secur..

[11]  Mihir Bellare,et al.  A tool for obtaining tighter security analyses of pseudorandom function based constructions, with applications to PRP to PRF conversion , 1999, IACR Cryptol. ePrint Arch..

[12]  Bart Preneel,et al.  On the XOR of Multiple Random Permutations , 2015, ACNS.

[13]  Bart Preneel,et al.  A MAC Mode for Lightweight Block Ciphers , 2016, FSE.

[14]  Krzysztof Pietrzak,et al.  The Exact PRF-Security of NMAC and HMAC , 2014, IACR Cryptol. ePrint Arch..

[15]  John P. Steinberger,et al.  Domain Extension for MACs Beyond the Birthday Barrier , 2011, EUROCRYPT.

[16]  Kan Yasuda,et al.  A One-Pass Mode of Operation for Deterministic Message Authentication- Security beyond the Birthday Barrier , 2008, FSE.

[17]  Jacques Patarin,et al.  A Proof of Security in O(2n) for the Benes Scheme , 2008, AFRICACRYPT.

[18]  Mihir Bellare,et al.  Constructing VIL-MACsfrom FIL-MACs: Message Authentication under Weakened Assumptions , 1999, CRYPTO.

[19]  Kaoru Kurosawa,et al.  OMAC: One-Key CBC MAC , 2003, IACR Cryptol. ePrint Arch..

[20]  Jacques Patarin,et al.  Security in O(2n) for the Xor of Two Random Permutations \\ - Proof with the standard H technique - , 2013, IACR Cryptol. ePrint Arch..

[21]  Jacques Patarin,et al.  A Proof of Security in O(2n) for the Xor of Two Random Permutations , 2008, ICITS.

[22]  Stefan Lucks,et al.  The Sum of PRPs Is a Secure PRF , 2000, EUROCRYPT.

[23]  Stefano Tessaro,et al.  Information-Theoretic Indistinguishability via the Chi-Squared Method , 2017, CRYPTO.

[24]  Thomas Peyrin,et al.  GIFT: A Small Present - Towards Reaching the Limit of Lightweight Encryption , 2017, CHES.

[25]  Thomas Peyrin,et al.  The LED Block Cipher , 2011, IACR Cryptol. ePrint Arch..

[26]  Richard Taylor,et al.  An Integrity Check Value Algorithm for Stream Ciphers , 1993, CRYPTO.

[27]  Tetsu Iwata,et al.  Stronger Security Variants of GCM-SIV , 2016, IACR Trans. Symmetric Cryptol..

[28]  Kan Yasuda,et al.  The Sum of CBC MACs Is a Secure PRF , 2010, CT-RSA.

[29]  Andrey Bogdanov,et al.  PRESENT: An Ultra-Lightweight Block Cipher , 2007, CHES.

[30]  Kan Yasuda,et al.  A New Variant of PMAC: Beyond the Birthday Bound , 2011, CRYPTO.

[31]  John P. Steinberger,et al.  Minimizing the Two-Round Even–Mansour Cipher , 2014, Journal of Cryptology.

[32]  Jacques Patarin,et al.  Introduction to Mirror Theory: Analysis of Systems of Linear Equalities and Linear Non Equalities for Cryptography , 2010, IACR Cryptol. ePrint Arch..

[33]  Mridul Nandi,et al.  Improved security analysis of PMAC , 2007, J. Math. Cryptol..

[34]  Goutam Paul,et al.  Single Key Variant of PMAC_Plus , 2017, IACR Trans. Symmetric Cryptol..

[35]  Mihir Bellare,et al.  Luby-Rackoff Backwards: Increasing Security by Making Block Ciphers Non-invertible , 1998, EUROCRYPT.

[36]  Jacques Patarin,et al.  The "Coefficients H" Technique , 2009, Selected Areas in Cryptography.

[37]  John P. Steinberger,et al.  Tight Security Bounds for Key-Alternating Ciphers , 2014, EUROCRYPT.

[38]  Jacques Patarin,et al.  About Feistel Schemes with Six (or More) Rounds , 1998, FSE.

[39]  Hugo Krawczyk,et al.  Keying Hash Functions for Message Authentication , 1996, CRYPTO.

[40]  Ashwin Jha,et al.  Revisiting structure graphs: Applications to CBC-MAC and EMAC , 2016, J. Math. Cryptol..

[41]  Mihir Bellare,et al.  The Security of the Cipher Block Chaining Message Authentication Code , 2000, J. Comput. Syst. Sci..

[42]  Peng Wang,et al.  3kf9: Enhancing 3GPP-MAC beyond the Birthday Bound , 2012, ASIACRYPT.