On the Size of Source Space in a Secure MAC

Abstract

A message authentication code (MAC) is $(t, \epsilon )$ secure if an attacker cannot forge a valid message with probability better than $\epsilon $ after adaptively obtaining $t$ valid messages. For a fixed key space ${\cal K}$ , it is important for an MAC to support a source space ${\cal S}$ as large as possible, because this implies a bandwidth saving in practice. Hence, we study the possible size of ${\cal S}$ in an MAC through $|{\cal S}|$ or equivalently (to our convenience) the ratio $({\log |{\cal S}|}/{|{\cal K}|})$ for a fixed ${\cal K}$ . Our novelty in the methodology is to regard the MAC function of a given source state as a partition mapping for ${\cal K}$ . Under this view, we obtain an upper bound on $|{\cal S}|$ for a $(t, \epsilon )$ -secure MAC. Then, by analyzing a randomized partition of ${\cal K}$ , we prove the existence of an approximately optimal $(t, \epsilon )$ -secure MAC (in the sense of a large $|{\cal S}|$ ). Our ratio $({\log |{\cal S}|}/{|{\cal K}|})$ is much larger than the previous results, where the previous results usually considered only case $t=1$ by proposing a good universal hashing. This method is hard to extend to the case of a general $t$ as a universal hashing relates only two inputs, while the general case needs to relate $t$ inputs. Finally, we construct a selectively $(1, \epsilon )$ -secure MAC, where an attacker fixes two source states in advance with one for his forgery and the other for his inquiry for a valid message. Our ratio $({\log |{\cal S}|}/{|{\cal K}|})$ in this construction is close to the upper bound of its kind and is significantly larger than our existential result above for case $t=1$ .