**Blockcipher-based MACs: Beyond the Birthday Bound without Message Length**

*Yusuke Naito*

**Abstract: **We present blockcipher-based MACs (Message Authentication Codes) that have beyond the birthday bound security without message length in the sense of PRF (Pseudo-Random Function) security. Achieving such security is important in constructing MACs using blockciphers with short block sizes (e.g., 64 bit).

Luykx et al. (FSE2016) proposed LightMAC, the first blockcipher-based MAC with such security and a variant of PMAC, where for each $n$-bit blockcipher call, an $m$-bit counter and an $(n-m)$-bit message block are input. By the presence of counters, LightMAC becomes a secure PRF up to $O(2^{n/2})$ tagging queries. Iwata and Minematsu (TOSC2016, Issue1) proposed F_t, a keyed hash function-based MAC, where a message is input to $t$ keyed hash functions (the hash function is performed $t$ times) and the $t$ outputs are input to the xor of $t$ keyed blockciphers. Using the LightMAC's hash function, F_t becomes a secure PRF up to $O(2^{t n/(t+1)})$ tagging queries. However, for each message block of $(n-m)$ bits, it requires $t$ blockcipher calls.

In this paper, we improve F_t so that a blockcipher is performed only once for each message block of $(n-m)$ bits. We prove that our MACs with $t \leq 7$ are secure PRFs up to $O(2^{t n/(t+1)})$ tagging queries. Hence, our MACs with $t \leq 7$ are more efficient than F_t while keeping the same level of PRF-security.

**Category / Keywords: **MAC, blockcipher, PRF, PRP, beyond the birthday bound, message length, counter

**Original Publication**** (in the same form): **IACR-ASIACRYPT-2017

**Date: **received 2 Sep 2017, last revised 6 Sep 2017

**Contact author: **Naito Yusuke at ce MitsubishiElectric co jp

**Available format(s): **PDF | BibTeX Citation

**Version: **20170909:211224 (All versions of this report)

**Short URL: **ia.cr/2017/852

[ Cryptology ePrint archive ]