Paper 2013/111

Message Authentication Codes Secure against Additively Related-Key Attacks

Keita Xagawa


Message Authentication Code (MAC) is one of most basic primitives in cryptography. After Biham (EUROCRYPT 1993) and Knudsen (AUSCRYPT 1992) proposed related-key attacks (RKAs), RKAs have damaged MAC's security. To relieve MAC of RKA distress, Bellare and Cash proposed pseudo-random functions (PRFs) secure against multiplicative RKAs (CRYPTO 2010). They also proposed PRFs secure against additive RKAs, but their reduction requires sub-exponential time. Since PRF directly implies Fixed-Input Length (FIL) MAC, their PRFs result in MACs secure against multiplicative RKAs. In this paper, we proposed Variable-Input Length (VIL) MAC secure against additive RKAs, whose reductions are polynomial time in the security parameter. Our construction stems from MACs from number-theoretic assumptions proposed by Dodis, Kiltz, Pietrzak, Wichs (EUROCRYPT 2012) and public-key encryption schemes secure against additive RKAs proposed by Wee (PKC 2012).

Note: Correct minor typos

Available format(s)
Secret-key cryptography
Publication info
Published elsewhere. Unknown where it was published
message authentication coderelated-key attack
Contact author(s)
xagawa keita @ lab ntt co jp
2013-04-01: revised
2013-02-27: received
See all versions
Short URL
Creative Commons Attribution


      author = {Keita Xagawa},
      title = {Message Authentication Codes Secure against Additively Related-Key Attacks},
      howpublished = {Cryptology ePrint Archive, Paper 2013/111},
      year = {2013},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.