A Double-Piped Mode of Operation for MACs, PRFs and PROs: Security beyond the Birthday Barrier

Abstract

We revisit the double-pipe construction introduced by Lucks at Asiacrypt 2005. Lucks originally studied the construction for iterated hash functions and showed that the approach is effective in improving security against various types of collision and (second-)preimage attacks. Instead, in this paper we apply the construction to the secret-key setting, where the underlying FIL (fixed-input-length) compression function is equipped with a dedicated key input. We make some adjustments to Lucks' original design so that now the new mode works with a single key and operates as a multi-property-preserving domain extension of MACs (message authentication codes), PRFs (pseudo-random functions) and PROs (pseudo-random oracles). Though more than twice as slow as the Merkle-Damgard construction, the double-piped mode enjoys security strengthened beyond the birthday bound, most notably, high MAC security. More specifically, when iterating an FIL-MAC whose output size is n -bit, the new double-piped mode yields an AIL-(arbitrary-input-length-)MAC with security up to $O\bigl(2^{5n/6}\bigr)$ query complexity. This bound contrasts sharply with the birthday bound of $O\bigl(2^{n/2}\bigr)$, which has been the best MAC security accomplished by earlier constructions.