Paper 2016/983

Exact Security Analysis of Hash-then-Mask Type Probabilistic MAC Constructions

Avijit Dutta, Ashwin Jha, and Mridul Nandi

Abstract

Probabilistic MAC (message authentication code) is an alternative choice for a stateful MAC where maintaining internal state may be difficult or unsafe. Usually tag of a probabilistic MAC consists of an $m$-bit random coin (also called {\em salt}) and an $n$-bit core-tag depending on the salt. In terms of the security, probabilistic MAC falls under birthday collision of salts which is absent in stateful MAC. XMACR is an example of probabilistic MAC which remains secure up to $o(2^{m/2})$ tag generation queries. To achieve security beyond birthday in $n$, one can naturally use a large salt. For example, $\mathrm{MACRX}_3$ sets $m = 3n$ and provides security up to $o(2^{n})$ tag-generation queries. Large salt may restrict its applicability as it increases the cost of random string generation as well as the size of the overall tag. RWMAC (randomized version of WMAC) provides similar security with $m = n$ but it uses a PRF (pseudorandom function) over $2n$-bit inputs which is naturally more costlier than those over $n$-bit inputs. Achieving beyond birthday security using $n$-bit PRF and $n$-bit salt is a practical and challenging problem. Minematsu in FSE 2010 proposed Enhanced Hash-then-Mask (\tx{EHtM}) using $n$-bit salt and showed its security up to $o(2^{2n/3})$ tag-generation queries. In this paper we revisit this construction and we provide exact security analysis of \tx{EHtM}. In particular, we show that it has higher security, namely up to $o(2^{3n/4})$ queries, than what claimed by the designer. Moreover, we demonstrate a single attempt forgery attack which makes about $2^{3n/4}$ tag generation queries. XMACR and \tx{EHtM} follow the hash-then-mask paradigm due to Carter-Wegman. We revisit six possible constructions following hash-then-mask paradigm and we provide exact security analysis for all of these constructions, some of which however were known before.

Metadata
Available format(s)
PDF
Category
Secret-key cryptography
Publication info
Preprint. MINOR revision.
Contact author(s)
avirocks dutta13 @ gmail com
ashwin jha1991 @ gmail com
mridul nandi @ gmail com
History
2016-10-15: received
Short URL
https://ia.cr/2016/983
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2016/983,
      author = {Avijit Dutta and Ashwin Jha and Mridul Nandi},
      title = {Exact Security Analysis of Hash-then-Mask Type Probabilistic {MAC} Constructions},
      howpublished = {Cryptology {ePrint} Archive, Paper 2016/983},
      year = {2016},
      url = {https://eprint.iacr.org/2016/983}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.