## Cryptology ePrint Archive: Report 2016/983

Exact Security Analysis of Hash-then-Mask Type Probabilistic MAC Constructions

Avijit Dutta and Ashwin Jha and Mridul Nandi

Abstract: Probabilistic MAC (message authentication code) is an alternative choice for a stateful MAC where maintaining internal state may be difficult or unsafe. Usually tag of a probabilistic MAC consists of an $m$-bit random coin (also called {\em salt}) and an $n$-bit core-tag depending on the salt. In terms of the security, probabilistic MAC falls under birthday collision of salts which is absent in stateful MAC. XMACR is an example of probabilistic MAC which remains secure up to $o(2^{m/2})$ tag generation queries. To achieve security beyond birthday in $n$, one can naturally use a large salt. For example, $\mathrm{MACRX}_3$ sets $m = 3n$ and provides security up to $o(2^{n})$ tag-generation queries. Large salt may restrict its applicability as it increases the cost of random string generation as well as the size of the overall tag. RWMAC (randomized version of WMAC) provides similar security with $m = n$ but it uses a PRF (pseudorandom function) over $2n$-bit inputs which is naturally more costlier than those over $n$-bit inputs. Achieving beyond birthday security using $n$-bit PRF and $n$-bit salt is a practical and challenging problem. Minematsu in FSE 2010 proposed Enhanced Hash-then-Mask (\tx{EHtM}) using $n$-bit salt and showed its security up to $o(2^{2n/3})$ tag-generation queries. In this paper we revisit this construction and we provide exact security analysis of \tx{EHtM}. In particular, we show that it has higher security, namely up to $o(2^{3n/4})$ queries, than what claimed by the designer. Moreover, we demonstrate a single attempt forgery attack which makes about $2^{3n/4}$ tag generation queries. XMACR and \tx{EHtM} follow the hash-then-mask paradigm due to Carter-Wegman. We revisit six possible constructions following hash-then-mask paradigm and we provide exact security analysis for all of these constructions, some of which however were known before.

Category / Keywords: secret-key cryptography /