Abstract
Recent parallelizable message authentication codes (MACs) have demonstrated the benefit of tweakable block ciphers (TBCs) for authentication with high security guarantees. With ZMAC, Iwata et al. extended this line of research by showing that TBCs can simultaneously increase the number of message bits that are processed per primitive call. However, ZMAC and previous TBC-based MACs needed more memory than sequential constructions. While this aspect is less of an issue on desktop processors, it can be unfavorable on resource-constrained platforms. In contrast, existing sequential MACs limit the number of message bits per call to the block length n of the primitive or below. This work proposes DoveMAC, a TBC-based PRF that reduces the memory of ZMAC-based MACs to 2n + 2t + 2k bits, where n is the state size, t the tweak length, and k the key length of the underlying primitive. DoveMAC provides (n + min(n, t))/2 bits of security and processes n + t bits per primitive call. Our construction is the first sequential MAC that combines beyond-birthday-bound security with a rate above n bits per call. By reserving a single tweak bit for domain separation, we derive a single-key variant, DoveMAC1k.
Highlights
Message Authentication Codes (MACs) secure the integrity and authenticity of communications.
Many standardized MACs, such as CMAC [Dwo16], OMAC [IK03], or PMAC [BR02], are block-cipher modes of operation with birthday-bound security. This is hardly a problem if the state size of the underlying primitive is at least 128 bits; resource-limited platforms, however, often use primitives with smaller state and key sizes, e.g., HIGHT [HSH+06] or PRESENT [BKL+07].
Smaller state sizes result in lower security guarantees, which may be impractical when such a primitive is used in a mode with birthday-bound security, as emphasized in [IMG+14, MV04].
Summary
Message Authentication Codes (MACs) secure the integrity and authenticity of communications. Many block-cipher-based MACs with higher security were inspired by the classical PMAC [BR02] design. Those process the message blocks in parallel, accumulate the results, and feed the sum into a finalization that produces the tag. The ZMAC paper also developed ZMAC1, which avoids the tweak-based domain separation in the hash function at a limited loss of security; these variants, however, share the same memory requirements as ZMAC. EPWC and PMAC_TBC1k avoid the need for input masks. We propose DoveMAC, a highly secure PRF that needs 2n + 2t + 2k bits of memory, based on a tweakable block cipher with n-bit state and t-bit tweak size. Appendix C proposes an authenticated encryption scheme that combines DoveMAC for authentication with Counter-in-Tweak [PS16] for highly secure encryption.
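The Highlights and Summary above both turn on the same quantitative point: a birthday-bound mode over a 64-bit primitive such as HIGHT or PRESENT loses its guarantee after roughly 2^32 queries, whereas DoveMAC's (n + min(n, t))/2-bit bound pushes that limit to 2^64 for the same state size. The following Python script, an added illustration that is not code from the paper or from any DoveMAC implementation, makes that comparison concrete: it evaluates the paper's memory, rate and security formulas for a few constructed parameter sets, derives the query count at which a birthday-bound advantage q^2/2^n reaches a chosen threshold, and empirically measures how many random n-bit tags are needed before two collide (scaled down to n = 16 so it runs in seconds). The parameter sets and the seed are assumptions chosen for illustration, not values from the paper.

```python
import math
import random

# ---- Formulas stated in the DoveMAC abstract -------------------------------

def dovemac_memory_bits(n: int, t: int, k: int) -> int:
    """State memory of DoveMAC: 2n + 2t + 2k bits (n state, t tweak, k key)."""
    return 2 * n + 2 * t + 2 * k

def dovemac_rate_bits(n: int, t: int) -> int:
    """Message bits absorbed per primitive call: n + t."""
    return n + t

def dovemac_security_bits(n: int, t: int) -> float:
    """Claimed PRF security level: (n + min(n, t)) / 2 bits."""
    return (n + min(n, t)) / 2

# ---- Birthday-bound reference point ----------------------------------------

def birthday_queries(n: int, target_adv: float = 1.0) -> float:
    """Queries q at which a birthday-bound term q^2 / 2^n reaches target_adv.

    For a 64-bit primitive and target_adv = 1 this is 2^32: the point at
    which a CMAC/PMAC-style mode over that primitive offers no guarantee."""
    return math.sqrt(target_adv * 2.0 ** n)

def mean_first_collision(n: int, trials: int = 200, seed: int = 1) -> float:
    """Empirical birthday experiment: draw uniform n-bit values until one
    repeats, and average the number of draws over several trials.

    The expectation is about sqrt(pi/2 * 2^n); for n = 16 that is ~321,
    i.e. far below the 2^16 = 65536 possible values. A seeded RNG keeps the
    experiment reproducible (constructed, illustrative setting)."""
    rng = random.Random(seed)
    space = 1 << n
    total = 0
    for _ in range(trials):
        seen = set()
        draws = 0
        while True:
            draws += 1
            v = rng.randrange(space)
            if v in seen:
                break
            seen.add(v)
        total += draws
    return total / trials

# ---- Side-by-side comparison ------------------------------------------------

def compare(n: int, t: int, k: int) -> dict:
    """Summarise a parameter set: DoveMAC memory/rate/security versus the
    birthday bound of a classical mode over the same n-bit primitive."""
    return {
        "memory_bits": dovemac_memory_bits(n, t, k),
        "rate_bits_per_call": dovemac_rate_bits(n, t),
        "dovemac_security_bits": dovemac_security_bits(n, t),
        "birthday_security_bits": n / 2,
        "birthday_queries": birthday_queries(n),
    }

if __name__ == "__main__":
    # Constructed example parameter sets (not taken from the paper):
    # a 64-bit-state TBC with 64-bit tweak and 128-bit key, and a 128-bit one.
    for params in [(64, 64, 128), (128, 128, 128)]:
        print(params, compare(*params))
    print("mean draws to first 16-bit collision:", mean_first_collision(16))
```

The first parameter set shows the point the Highlights make: with a 64-bit primitive a birthday-bound mode is limited to 32-bit security (about 2^32 queries), while DoveMAC's bound gives 64 bits at a cost of 512 bits of state, processing 128 message bits per call. The empirical experiment, run at a toy width, is the same phenomenon the 2^(n/2) figure describes.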