Abstract

PMAC is a simple and parallel block-cipher mode of operation, which was introduced by Black and Rogaway at Eurocrypt 2002. If instantiated with a (pseudo)random permutation over $n$-bit strings, PMAC constitutes a provably secure variable input-length (pseudo)random function. For adversaries making $q$ queries, each of length at most $\ell$ (in $n$-bit blocks), and of total length $\sigma \le q\ell$, the original paper proves an upper bound on the distinguishing advantage of $O(\sigma^2/2^n)$, while the currently best bound is $O(q\sigma/2^n)$. In this work we show that this bound is tight by giving an attack with advantage $\Omega(q^2\ell/2^n)$. In the PMAC construction one initially XORs a mask to every message block, where the mask for the $i$-th block is computed as $\tau_i := \gamma_i \cdot L$, where $L$ is a (secret) random value, and $\gamma_i$ is the $i$-th codeword of the Gray code. Our attack applies more generally to any sequence of $\gamma_i$'s which contains a large coset of a subgroup of $\mathrm{GF}(2^n)$. We then investigate if the security of PMAC can be further improved by using $\tau_i$'s that are $k$-wise independent, for $k > 1$ (the original distribution is only 1-wise independent). We observe that the security of PMAC will not increase in general, even if the masks are chosen from a 2-wise independent distribution, and then prove that the security increases to $O(q^2/2^n)$, if the $\tau_i$ are 4-wise independent. Due to simple extension attacks, this is the best bound one can hope for, using any distribution on the masks. Whether 3-wise independence is already sufficient to get this level of security is left as an open problem.

Highlights

  • PMAC is a block-cipher mode of operation, introduced by Black and Rogaway at Eurocrypt 2002 [BR02]

  • In [BR02], the key is just a single key $K \in \mathcal{K}$ for a block-cipher $E : \mathcal{K} \times \{0,1\}^n \to \{0,1\}^n$, both permutations $\pi$ and $\pi'$ are instantiated with $E(K, \cdot)$, and the mask function is defined as $\tau(i) = \gamma_i \cdot L$

  • In this work we show that this bound is tight by giving an attack with advantage $\Omega(q^2\ell/2^n)$


Summary

Introduction

PMAC (for Parallelizable Message Authentication Code) is a block-cipher mode of operation, introduced by Black and Rogaway at Eurocrypt 2002 [BR02]. The mode, when instantiated with a block-cipher over $\{0,1\}^n$, constitutes a variable input-length pseudorandom function $\{0,1\}^* \to \{0,1\}^n$ (which is typically used for message authentication, hence the name). In [BR02], the key is just a single key $K \in \mathcal{K}$ for a block-cipher $E : \mathcal{K} \times \{0,1\}^n \to \{0,1\}^n$, both permutations $\pi$ and $\pi'$ are instantiated with $E(K, \cdot)$, and the mask function is defined as $\tau(i) = \gamma_i \cdot L$, where $\gamma_i$ is the $i$-th Gray codeword and $L = E(K, 0)$.
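The following Python is an added illustration written for this page; it is not code from the paper, from [BR02], or from any PMAC implementation. It builds a simplified PMAC (every block masked with $\gamma_i \cdot L$, no padding or last-block rule, and $\pi$, $\pi'$ and $L = \pi(0)$ stood in by a keyed BLAKE2b truncated to $n$ bits, which is a PRF rather than a permutation; all of these are the example's own assumptions) and then exhibits the coset structure the abstract refers to. Because the Gray code maps the block positions $2^k, \ldots, 2^{k+1}-1$ onto themselves, the codewords at those positions are exactly the coset $2^k + H$ of the subgroup $H = \{0, \ldots, 2^k - 1\}$ of the additive group of $\mathrm{GF}(2^n)$. Two messages that agree outside those positions and carry $x$ and $x \oplus h \cdot L$ inside them, for any $h \in H$, present the block cipher with the same multiset of inputs in a different order, so their checksums and tags coincide. An attacker cannot compute $h \cdot L$, but among $q$ random choices of $x$ a pair differs by an element of $H \cdot L$ with probability about $|H|/2^n$ rather than $1/2^n$, which is where an extra factor $\ell$ in the advantage comes from. The message shape used here is one instance of this idea, not necessarily the paper's exact query set. The structural check runs over $\mathrm{GF}(2^{128})$ with PMAC's polynomial $x^{128} + x^7 + x^2 + x + 1$; the counting experiment uses a toy 16-bit ring so that collisions actually occur.

```python
"""Added example: simplified PMAC, Gray-code masks, and the coset behind the attack.
Not the paper's code.  Assumptions: all blocks masked, no padding / last-block rule;
pi, pi' and L are derived from keyed BLAKE2b (a PRF stand-in, not a permutation)."""
import hashlib
import random

# GF(2^128) reduction polynomial x^128 + x^7 + x^2 + x + 1 used by PMAC.
PMAC_POLY_128 = (1 << 128) | 0x87
# Toy 16-bit ring for the counting experiment: x^16 + x^5 + x^3 + x + 1.
# The experiment only needs multiplication by L to be linear, not a true field.
TOY_POLY_16 = (1 << 16) | 0x2B


def gray(i):
    """i-th codeword of the reflected binary Gray code."""
    return i ^ (i >> 1)


def gf_mul(a, b, n, poly):
    """a * b in GF(2)[x]/(poly) with n-bit operands; poly carries the x^n term."""
    r = 0
    for _ in range(n):
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> n:  # reduce as soon as bit n appears
            a ^= poly
    return r


class SimplifiedPMAC:
    """tag(M) = pi'( XOR_i pi(m_i ^ gamma_i * L) ) with L = pi(0)."""

    def __init__(self, key, n, poly):
        self.key, self.n, self.poly = key, n, poly
        self.L = self._prf(b"pi", 0)       # analogue of L = E(K, 0)
        self._masks = {}

    def _prf(self, label, x):
        data = label + x.to_bytes((self.n + 7) // 8, "big")
        h = hashlib.blake2b(data, key=self.key, digest_size=16).digest()
        return int.from_bytes(h, "big") & ((1 << self.n) - 1)

    def mask(self, i):
        if i not in self._masks:
            self._masks[i] = gf_mul(gray(i), self.L, self.n, self.poly)
        return self._masks[i]

    def tag(self, blocks):
        acc = 0
        for i, m in enumerate(blocks, start=1):
            acc ^= self._prf(b"pi", m ^ self.mask(i))
        return self._prf(b"pi_prime", acc)


def coset_positions(k):
    """Block positions 2^k .. 2^(k+1)-1; their Gray codewords are 2^k + H, H = {0..2^k-1}."""
    return range(1 << k, 1 << (k + 1))


def gray_codewords_form_coset(k):
    return {gray(i) for i in coset_positions(k)} == {(1 << k) ^ h for h in range(1 << k)}


def attack_message(x, k):
    """2^(k+1)-1 blocks: zero outside the coset positions, x in every coset position."""
    ell = (1 << (k + 1)) - 1
    return [x if i >= (1 << k) else 0 for i in range(1, ell + 1)]


def structured_collision(pmac, k, x, h):
    """For h in H, x' = x ^ h*L turns the inputs {x ^ gamma_i*L} at the coset positions
    into {x ^ (gamma_i ^ h)*L}: the same set permuted, so the tags agree.  This needs
    L, so it is the event the attacker hopes for, not a step it can compute."""
    x2 = x ^ gf_mul(h, pmac.L, pmac.n, pmac.poly)
    return pmac.tag(attack_message(x, k)) == pmac.tag(attack_message(x2, k))


def run_attack(q, k, n, poly, seed=1):
    """q queries with distinct random x.  Returns (tag collisions, collisions whose
    x_a ^ x_b lies in H*L); the latter happen with rate ~|H|/2^n per pair."""
    rng = random.Random(seed)
    pmac = SimplifiedPMAC(rng.getrandbits(256).to_bytes(32, "big"), n, poly)
    xs = rng.sample(range(1 << n), q)
    tags = [pmac.tag(attack_message(x, k)) for x in xs]
    HL = {gf_mul(h, pmac.L, n, poly) for h in range(1 << k)}
    observed = explained = 0
    for a in range(q):
        for b in range(a + 1, q):
            if tags[a] == tags[b]:
                observed += 1
                if xs[a] ^ xs[b] in HL:
                    explained += 1
    return observed, explained


if __name__ == "__main__":
    print("coset property for k=3:", gray_codewords_form_coset(3))
    print("(collisions, explained by H*L):", run_attack(1024, 3, 16, TOY_POLY_16))
```

With $q = 1024$ distinct values of $x$, $|H| = 8$ and $n = 16$, roughly $\binom{q}{2} \cdot 7/2^{16} \approx 56$ pairs differ by a nonzero element of $H \cdot L$ and therefore collide, against about $8$ collisions one would expect from a $16$-bit random function; the "explained" count isolates the structural ones. The same `structured_collision` check passes unchanged at $n = 128$, where the event is simply too rare to find without $L$.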

Security of PMAC in the Random Permutation Model
Variants of the PMAC Construction
Preliminaries
PMAC and Simplified PMAC
Independent Random Masks
Our Attack on PMAC
Description
Analysis
