Paper 2016/983
Exact Security Analysis of Hash-then-Mask Type Probabilistic MAC Constructions
Avijit Dutta, Ashwin Jha, and Mridul Nandi
Abstract
Probabilistic MAC (message authentication code) is an alternative choice for a stateful MAC where maintaining internal state may be difficult or unsafe. Usually tag of a probabilistic MAC consists of an $m$-bit random coin (also called {\em salt}) and an $n$-bit core-tag depending on the salt. In terms of the security, probabilistic MAC falls under birthday collision of salts which is absent in stateful MAC. XMACR is an example of probabilistic MAC which remains secure up to $o(2^{m/2})$ tag generation queries. To achieve security beyond birthday in $n$, one can naturally use a large salt. For example, $\mathrm{MACRX}_3$ sets $m = 3n$ and provides security up to $o(2^{n})$ tag-generation queries. Large salt may restrict its applicability as it increases the cost of random string generation as well as the size of the overall tag. RWMAC (randomized version of WMAC) provides similar security with $m = n$ but it uses a PRF (pseudorandom function) over $2n$-bit inputs which is naturally more costlier than those over $n$-bit inputs. Achieving beyond birthday security using $n$-bit PRF and $n$-bit salt is a practical and challenging problem. Minematsu in FSE 2010 proposed Enhanced Hash-then-Mask (\tx{EHtM}) using $n$-bit salt and showed its security up to $o(2^{2n/3})$ tag-generation queries. In this paper we revisit this construction and we provide exact security analysis of \tx{EHtM}. In particular, we show that it has higher security, namely up to $o(2^{3n/4})$ queries, than what claimed by the designer. Moreover, we demonstrate a single attempt forgery attack which makes about $2^{3n/4}$ tag generation queries. XMACR and \tx{EHtM} follow the hash-then-mask paradigm due to Carter-Wegman. We revisit six possible constructions following hash-then-mask paradigm and we provide exact security analysis for all of these constructions, some of which however were known before.
Metadata
- Available format(s)
- Category
- Secret-key cryptography
- Publication info
- Preprint. MINOR revision.
- Contact author(s)
-
avirocks dutta13 @ gmail com
ashwin jha1991 @ gmail com
mridul nandi @ gmail com - History
- 2016-10-15: received
- Short URL
- https://ia.cr/2016/983
- License
-
CC BY
BibTeX
@misc{cryptoeprint:2016/983, author = {Avijit Dutta and Ashwin Jha and Mridul Nandi}, title = {Exact Security Analysis of Hash-then-Mask Type Probabilistic {MAC} Constructions}, howpublished = {Cryptology {ePrint} Archive, Paper 2016/983}, year = {2016}, url = {https://eprint.iacr.org/2016/983} }