Abstract

Recent parallelizable message authentication codes (MACs) have demonstrated the benefit of tweakable block ciphers (TBCs) for authentication with high security guarantees. With ZMAC, Iwata et al. extended this line of research by showing that TBCs can simultaneously increase the number of message bits that are processed per primitive call. However, ZMAC and previous TBC-based MACs need more memory than sequential constructions. While this aspect is less of an issue on desktop processors, it can be unfavorable on resource-constrained platforms. In contrast, existing sequential MACs limit the number of message bits processed per call to the block length of the primitive, n, or below. This work proposes DoveMAC, a TBC-based PRF that reduces the memory of ZMAC-based MACs to 2n+2t+2k bits, where n is the state size, t the tweak length, and k the key length of the underlying primitive. DoveMAC provides (n+min(n,t))/2 bits of security and processes n+t bits per primitive call. Our construction is the first sequential MAC that combines beyond-birthday-bound security with a rate above n bits per call. By reserving a single tweak bit for domain separation, we derive a single-key variant, DoveMAC1k.

Highlights

  • Message Authentication Codes (MACs) secure the integrity and authenticity of communications

  • Many standardized MACs, such as CMAC [Dwo16], OMAC [IK03], or PMAC [BR02], are block-cipher modes of operation with birthday-bound security [1]. This is hardly a problem if the state size of the underlying primitive is at least 128 bits; however, resource-limited platforms often use primitives with smaller state and key sizes, e.g., HIGHT [HSH+06] or PRESENT [BKL+07]

  • Smaller state sizes result in lower security guarantees, which may be impractical when used in a mode with birthday-bound security, as emphasized in [IMG+14, MV04]


Summary

Introduction

Message Authentication Codes (MACs) secure the integrity and authenticity of communications. Many block-cipher-based MACs with higher security were inspired by the classical PMAC [BR02] design. Those process the message blocks in parallel, accumulate the results, and feed the sum into a finalization that produces the tag. The same work developed ZMAC1, which avoids the tweak-based domain separation in the hash function with limited loss of security. These variants, however, share the same memory requirements as ZMAC.[2] EPWC or PMAC_TBC1k avoid the need for input masks. We propose DoveMAC, a highly secure PRF that needs 2n + 2t + 2k bits of memory, based on a tweakable block cipher with n-bit state and t-bit tweak size. Appendix C proposes an authenticated encryption scheme that combines DoveMAC for authentication with Counter-in-Tweak [PS16] for highly secure encryption.

Preliminaries
The DoveMAC Construction
PRF Security
Collision Analysis
Instantiation
Conclusion and Future Work
A Attacks on Preliminary Constructions
Distinguisher When Omitting The Checksum
A Birthday-bound Forgery When The State Input Is XORed to The Bottom Row
An Insecure Single-key Variant of DoveMAC
A Birthday-bound Distinguisher of DoveMAC with Longer Outputs
B Proof of Lemma 3
C Authenticated Encryption