PMAC is a simple and parallel block-cipher mode of operation, introduced by Black and Rogaway at Eurocrypt 2002. If instantiated with a (pseudo)random permutation over $n$-bit strings, PMAC constitutes a provably secure variable-input-length (pseudo)random function. For adversaries making $q$ queries, each of length at most $\ell$ (in $n$-bit blocks) and of total length $\sigma \le q\ell$, the original paper proves an upper bound on the distinguishing advantage of $O(\sigma^2/2^n)$, while the currently best bound is $O(q\sigma/2^n)$. In this work we show that this bound is tight by giving an attack with advantage $\Omega(q^2\ell/2^n)$, which matches the $O(q\sigma/2^n)$ bound since $\sigma$ can be as large as $q\ell$. In the PMAC construction one initially XORs a mask to every message block, where the mask for the $i$-th block is computed as $\tau_i := \gamma_i \cdot L$, with $L$ a (secret) random value and $\gamma_i$ the $i$-th codeword of the Gray code. Our attack applies more generally to any sequence of $\gamma_i$'s which contains a large coset of a subgroup of $GF(2^n)$. We then investigate whether the security of PMAC can be further improved by using $\tau_i$'s that are $k$-wise independent for $k > 1$ (the original distribution is only 1-wise independent). We observe that the security of PMAC will not increase in general, even if the masks are chosen from a 2-wise independent distribution, and then prove that the security increases to $O(q^2/2^n)$ if the $\tau_i$ are 4-wise independent. Due to simple extension attacks, this is the best bound one can hope for using any distribution on the masks. Whether 3-wise independence is already sufficient to get this level of security is left as an open problem.
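The following Python is an added example, not code from the paper or from any PMAC implementation. It computes the PMAC mask sequence $\tau_i = \gamma_i \cdot L$ described above in two ways (full field multiplication, and the incremental "xtime" update an implementation actually uses), and checks the structural property the attack relies on: an aligned block of Gray codewords $\{\gamma_i : 2^k \le i < 2^{k+1}\}$ is a coset of an additive subgroup of $GF(2^n)$. It assumes $n = 128$ with the reduction polynomial $x^{128} + x^7 + x^2 + x + 1$ (the field PMAC and OCB are specified over); the value of $L$ is a constructed sample, not a real derived key.

```python
# Added example (not from the paper): PMAC-style masks tau_i = gamma_i * L over
# GF(2^n) and a coset check on the Gray-code sequence.
# Assumptions: n = 128, reduction polynomial x^128 + x^7 + x^2 + x + 1;
# L below is a constructed sample value, not E_K(0^n) from a real key.

N = 128
R = (1 << N) | 0x87  # x^128 + x^7 + x^2 + x + 1 as an integer bit pattern

SAMPLE_L = 0x0123456789ABCDEF0123456789ABCDEF  # constructed, for demonstration


def gf_xtime(a: int) -> int:
    """Multiply a by x in GF(2^N) (shift, then reduce if the top bit overflowed)."""
    a <<= 1
    if a >> N:
        a ^= R
    return a


def gf_mul(a: int, b: int) -> int:
    """Schoolbook multiplication in GF(2^N). Not constant time; demo only."""
    acc = 0
    while b:
        if b & 1:
            acc ^= a
        a = gf_xtime(a)
        b >>= 1
    return acc


def gray(i: int) -> int:
    """The i-th Gray codeword gamma_i = i XOR (i >> 1)."""
    return i ^ (i >> 1)


def ntz(i: int) -> int:
    """Number of trailing zero bits of i > 0."""
    return (i & -i).bit_length() - 1


def masks_direct(L: int, m: int) -> list:
    """tau_i = gamma_i * L for i = 1..m via a full field multiplication each."""
    return [gf_mul(gray(i), L) for i in range(1, m + 1)]


def masks_incremental(L: int, m: int) -> list:
    """Same masks the way an implementation derives them: consecutive Gray
    codewords differ in exactly bit ntz(i), so tau_i = tau_{i-1} XOR x^ntz(i) * L."""
    Lx = [L]
    for _ in range(m.bit_length()):
        Lx.append(gf_xtime(Lx[-1]))
    out, tau = [], 0
    for i in range(1, m + 1):
        tau ^= Lx[ntz(i)]
        out.append(tau)
    return out


def is_coset(S: set) -> bool:
    """True iff S = s0 + H for some additive subgroup H of (GF(2^n), XOR).
    Translating S by any of its elements gives H; then H must contain 0 and be
    closed under XOR. O(|S|^2), fine for the small sets used here."""
    s0 = next(iter(S))
    H = {s ^ s0 for s in S}
    return 0 in H and all((a ^ b) in H for a in H for b in H)


def gray_block(k: int) -> set:
    """{gamma_i : 2^k <= i < 2^(k+1)}: the Gray codewords used by the second
    half of the blocks of a 2^(k+1)-block message."""
    return {gray(i) for i in range(1 << k, 1 << (k + 1))}


if __name__ == "__main__":
    m = 16
    assert masks_direct(SAMPLE_L, m) == masks_incremental(SAMPLE_L, m)
    for k in range(1, 6):
        print(f"gamma_i for 2^{k} <= i < 2^{k+1} is a coset:", is_coset(gray_block(k)))
```

The two mask routines agreeing is the usual implementation check; the coset check is what the abstract's "contains a large coset of a subgroup of $GF(2^n)$" means concretely for the Gray code: because `gray` is a bijection and $\gamma_i$ for $i \in [2^k, 2^{k+1})$ has bit $k$ set with the low $k$ bits ranging over all values, that block is $2^k \oplus \{0, \dots, 2^k - 1\}$, and the mask differences $\tau_i \oplus \tau_j = (\gamma_i \oplus \gamma_j) \cdot L$ inherit that structure by linearity of the field multiplication in $\gamma$.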
[1] Ueli Maurer et al. Indistinguishability of Random Systems. EUROCRYPT, 2002.
[2] Mihir Bellare et al. The Security of Triple Encryption and a Framework for Code-Based Game-Playing Proofs. EUROCRYPT, 2006.
[3] Bart Preneel et al. On the Influence of Message Length in PMAC's Security Bounds. EUROCRYPT, 2016.
[4] Toshiyasu Matsushima et al. New Bounds for PMAC, TMAC, and XCBC. FSE, 2007.
[5] Bart Preneel et al. A MAC Mode for Lightweight Block Ciphers. FSE, 2016.
[6] Yusi Zhang et al. Using an Error-Correction Code for Fast, Beyond-Birthday-Bound Authentication. CT-RSA, 2015.
[7] Phillip Rogaway et al. Efficient Instantiations of Tweakable Blockciphers and Refinements to Modes OCB and PMAC. ASIACRYPT, 2004.
[8] Kan Yasuda et al. PMAC with Parity: Minimizing the Query-Length Influence. CT-RSA, 2012.
[9] Mridul Nandi. A Unified Method for Improving PRF Bounds for a Class of Blockcipher based MACs. IACR Cryptology ePrint Archive, 2010.
[10] Kan Yasuda et al. A New Variant of PMAC: Beyond the Birthday Bound. CRYPTO, 2011.
[11] John Black et al. A Block-Cipher Mode of Operation for Parallelizable Message Authentication. EUROCRYPT, 2002.