Abstract

Observing the growing popularity of random permutation (RP)-based designs (e.g., Sponge), Bart Mennink in CRYPTO 2019 initiated an interesting line of research in the direction of RP-based pseudorandom functions (PRFs). Both of the resulting constructions are claimed to achieve beyond-the-birthday-bound (BBB) security of 2n/3 bits (n being the input block size in bits), but they require two instances of RPs and can handle only one-block inputs. In this work, we extend research in this direction by providing two new BBB-secure constructions obtained by composing the tweakable Even-Mansour construction appropriately. Our first construction requires only one instance of an RP and only one key. Our second construction extends the first to a nonce-based Message Authentication Code (MAC) using a universal hash to deal with multi-block inputs. We show that the hash key can be derived from the original key when the underlying hash is the Poly hash. We provide matching attacks for both constructions to demonstrate the tightness of the proven security bounds.

Highlights

  • There is significant research on the design of pseudorandom functions (PRFs) from PRPs and vice versa

  • This direction is not very popular, as PRPs are easier to build than PRFs and several cryptographic designs need to be instantiated with PRFs

  • Both use two independent instances of random permutations and at least one randomly sampled key. They are deterministic and do not handle nonces. We explore this direction of research and address the following relevant questions: Can we design a minimally structured PRF? Does there exist a nonce-based Message Authentication Code (MAC) constructed using an RP which is again minimal in structure and can handle arbitrary-length data? We found the answer to be “yes”, and we mainly propose two BBB-secure deterministic and nonce-based designs using only one instance of a random permutation and one uniformly sampled construction key


Summary

Introduction

There is significant research on the design of PRFs from PRPs and vice versa. The most relevant work on building a PRP from a PRF is the Luby-Rackoff construction [LR88]. Cogliati and Seurin updated the WC MAC and designed EWC-MAC [CS18] (Encrypted Wegman-Carter): e_{K2}(f_{K1}(x) ⊕ H_{Kh}(x)), where f is a deterministic PRF, H is a keyed universal hash, and K1, K2 and Kh are uniform and independent. It is birthday-bound secure under both the nonce-misuse and nonce-respecting scenarios (provable using the PRP-PRF switching lemma). This design achieves BBB security of 2n/3 bits under nonce respect (though n-bit security was conjectured and proved by Mennink et al. [MN17] using mirror theory) and birthday-bound security under nonce misuse. The construction is not minimal in structure, as it uses two independent keys K1 and K2. Mennink et al. [CLM19a], recently in CRYPTO 2019, studied permutation-based PRFs and proposed two BBB-secure constructions, denoted SOEM and SOKAC. Neither design is minimal in structure, and neither can handle arbitrary-length data.
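The following is an added example, not code from the paper or this page, that implements the EWC-MAC structure quoted above, e_{K2}(f_{K1}(x) ⊕ H_{Kh}(x)), with a Poly hash over GF(2^128) as the keyed universal hash so that multi-block inputs are handled. The PRF f and the outer layer e are instantiated with a truncated HMAC-SHA256 stand-in (an assumption made so the code runs offline; the paper's designs use a block cipher or random permutation in these roles), and the keys and message are constructed sample values.

```python
import hmac
import hashlib

# Added example of the EWC-MAC structure e_K2(f_K1(x) XOR H_Kh(x)); f and e
# are HMAC-SHA256 stand-ins (an assumption), H is a Poly hash over GF(2^128).
BLOCK = 16                      # n = 128 bits
MASK = (1 << 128) - 1
IRRED = 0x87                    # x^128 = x^7 + x^2 + x + 1 in GF(2^128)

def gf_mul(a: int, b: int) -> int:
    """Multiply a and b in GF(2^128) modulo x^128 + x^7 + x^2 + x + 1."""
    r = 0
    for _ in range(128):
        if b & 1:
            r ^= a
        b >>= 1
        carry = a >> 127
        a = (a << 1) & MASK
        if carry:
            a ^= IRRED
    return r

def poly_hash(kh: int, msg: bytes) -> int:
    """Poly hash H_Kh(M) = M_1*Kh^l + ... + M_l*Kh over 16-byte blocks.
    Injective 10* padding keeps the hash AXU across message lengths."""
    padded = msg + b"\x80" + b"\x00" * ((-len(msg) - 1) % BLOCK)
    h = 0
    for i in range(0, len(padded), BLOCK):           # Horner evaluation
        h = gf_mul(h ^ int.from_bytes(padded[i:i + BLOCK], "big"), kh)
    return h

def keyed_func(key: bytes, x: bytes) -> int:
    """Stand-in for f_K1 / e_K2: HMAC-SHA256 truncated to n = 128 bits."""
    return int.from_bytes(hmac.new(key, x, hashlib.sha256).digest()[:BLOCK], "big")

def ewc_mac(k1: bytes, k2: bytes, kh: int, x: bytes) -> bytes:
    """EWC-MAC: tag = e_K2( f_K1(x) XOR H_Kh(x) ), three independent keys."""
    inner = keyed_func(k1, x) ^ poly_hash(kh, x)
    return keyed_func(k2, inner.to_bytes(BLOCK, "big")).to_bytes(BLOCK, "big")

if __name__ == "__main__":
    # Constructed sample keys and message (not from the paper).
    K1, K2 = b"K1" * 8, b"K2" * 8
    KH = int.from_bytes(b"Kh" * 8, "big")
    print(ewc_mac(K1, K2, KH, b"multi-block message for the Poly hash").hex())
```

The three separate keys K1, K2 and Kh in `ewc_mac` are exactly the structural cost the introduction calls non-minimal.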

Motivation
Our Contributions
Preliminaries
PRF Security in the Random Permutation Model
MAC Security in the Random Permutation Model
Nonce-Based MAC Security in the Random Permutation Model
Keyed Hash
Coefficients-H Technique
Two Sum-Capture Lemmas
Mirror Theory
Some Probability Results
Related Work
Some Examples of Permutation-based PRFs
Block cipher-based PRFs
Specification and Security of PDMMAC
Proof of Theorem 1
Bad Events
Probability of Bad Transcripts
Good Transcripts
Proof of Theorem 2
Good Transcript Analysis
Proof of Theorem 3
Open Problems
A Proof of Sum-Capture Lemma 2
B Proof of Lemma 4
