Paper 2017/852

Blockcipher-based MACs: Beyond the Birthday Bound without Message Length

Yusuke Naito

Abstract

We present blockcipher-based MACs (Message Authentication Codes) that have beyond the birthday bound security without message length in the sense of PRF (Pseudo-Random Function) security. Achieving such security is important in constructing MACs using blockciphers with short block sizes (e.g., 64 bit). Luykx et al. (FSE2016) proposed LightMAC, the first blockcipher-based MAC with such security and a variant of PMAC, where for each $n$-bit blockcipher call, an $m$-bit counter and an $(n-m)$-bit message block are input. By the presence of counters, LightMAC becomes a secure PRF up to $O(2^{n/2})$ tagging queries. Iwata and Minematsu (TOSC2016, Issue1) proposed F_t, a keyed hash function-based MAC, where a message is input to $$ keyed hash functions (the hash function is performed $$ times) and the $$ outputs are input to the xor of $$ keyed blockciphers. Using the LightMAC's hash function, F_t becomes a secure PRF up to $$ tagging queries. However, for each message block of $$ bits, it requires $$ blockcipher calls. In this paper, we improve F_t so that a blockcipher is performed only once for each message block of $$ bits. We prove that our MACs with $$ are secure PRFs up to $$ tagging queries. Hence, our MACs with $$ are more efficient than F_t while keeping the same level of PRF-security.