On Efficient Message Authentication Via Block Cipher Design Techniques

In an effort to design a MAC scheme that is built using block cipher components and runs faster than the modes of operation for message authentication, Daemen and Rijmen have proposed a generic MAC construction ALRED and a concrete ALRED instance Pelican. The Pelican MAC uses four rounds of AES as a building block to compute the authentication tag in a CBC-like manner. It is about 2.5 times faster than a CBC-MAC with AES, but it is not proven secure. Minematsu and Tsunoo observed that one can build almost universal (AU2) hash functions using differentially uniform permutations (e.g., four AES rounds with independent keys), and hence, provably secure MAC schemes as well. They proposed two MAC schemes MT-MAC and PC-MAC. MT-MAC hashes the message using a Wegman-Carter binary tree. Its speedup for long messages approaches 2.5, but it is not very memory efficient. PC-MAC hashes the message in a CBC-like manner. It is more memory efficient. However, its speedup over the message authentication modes is about 1.4. We notice that using a non-linear permutation as a building block, one can construct almost XOR universal (AXU 2) hash functions whose security is close to the maximum differential probability of the underlying non-linear permutation. Hence, using four AES rounds as a building block will lead to efficient Wegman-Carter MAC schemes that offer much better security than the modes of operation for message authentication. If the target security is that of the message authentication modes with AES, then one can use non-linear permutations defined on 64-bit blocks and achieve greater speedup and better key agility. For instance, the ideally achievable speedup when using the 64-bit components we suggest is 3.3 to 5.0 as opposed to the 2.5 speedup when using four AES rounds.