The Exact Security of PMAC
Authors
Abstract
PMAC is a simple and parallel block-cipher mode of operation, which was introduced by Black and Rogaway at Eurocrypt 2002. If instantiated with a (pseudo)random permutation over n-bit strings, PMAC constitutes a provably secure variable-input-length (pseudo)random function. For adversaries making q queries, each of length at most ℓ (in n-bit blocks), and of total length σ ≤ qℓ, the original paper proves an upper bound on the distinguishing advantage of O(σ²/2ⁿ), while the currently best bound is O(qσ/2ⁿ). In this work we show that this bound is tight by giving an attack with advantage Ω(q²ℓ/2ⁿ). In the PMAC construction one initially XORs a mask to every message block, where the mask for the i-th block is computed as τᵢ := γᵢ · L, where L is a (secret) random value and γᵢ is the i-th codeword of the Gray code. Our attack applies more generally to any sequence of γᵢ's which contains a large coset of a subgroup of GF(2)ⁿ. We then investigate whether the security of PMAC can be further improved by using τᵢ's that are k-wise independent, for k > 1 (the original distribution is only 1-wise independent). We observe that the security of PMAC will not increase in general, even if the masks are chosen from a 2-wise independent distribution, and then prove that the security increases to O(q²/2ⁿ) if the τᵢ are 4-wise independent. Due to simple extension attacks, this is the best bound one can hope for using any distribution on the masks. Whether 3-wise independence is already sufficient to get this level of security is left as an open problem.
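As an added illustration (not code from the paper), the following shows the structural property behind the abstract's remark about cosets of a subgroup: the Gray-code mask schedule τᵢ = γᵢ · L is GF(2)-linear in the block index, so the XOR of the masks at any set of indices whose XOR is zero vanishes for every key L, a relation that 2-wise independent masks do not rule out in general but 4-wise independent masks do. The reduction polynomial x¹²⁸ + x⁷ + x² + x + 1 and the Gray code γᵢ = i ⊕ (i ≫ 1) are PMAC's own; the key value L is a constructed sample.

```python
# Added illustration, not code from the paper: PMAC's Gray-code masks are linear
# in the block index, so fixed XOR combinations of masks vanish for every key L.
from functools import reduce
from typing import Iterable

N = 128
# PMAC's GF(2^128) reduction polynomial: x^128 + x^7 + x^2 + x + 1
POLY = (1 << N) | 0x87


def gf_mul(a: int, b: int) -> int:
    """Multiply a and b in GF(2^128) (carry-less product reduced by POLY)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> N:          # degree reached 128: reduce once
            a ^= POLY
    return r


def gray(i: int) -> int:
    """i-th codeword of the reflected binary Gray code, as used by PMAC."""
    return i ^ (i >> 1)


def mask(i: int, L: int) -> int:
    """PMAC mask for block i: tau_i = gamma_i * L in GF(2^128)."""
    return gf_mul(gray(i), L)


def xor_all(values: Iterable[int]) -> int:
    return reduce(lambda x, y: x ^ y, values, 0)


def mask_xor(indices: Iterable[int], L: int) -> int:
    """XOR of the masks at the given block indices under key L."""
    return xor_all(mask(i, L) for i in indices)


def relation_holds_for_key(indices: Iterable[int], L: int) -> bool:
    """gray() is GF(2)-linear and gf_mul distributes over XOR, so the XOR of
    tau over the indices equals tau at the XOR of the indices: it is zero
    whenever the indices XOR to zero, regardless of L."""
    idx = list(indices)
    return mask_xor(idx, L) == mask(xor_all(idx), L)


if __name__ == "__main__":
    L = 0x0123456789ABCDEF0123456789ABCDEF   # constructed sample key, not a real secret
    print(hex(mask_xor([5, 9, 12], L)))      # 5 ^ 9 ^ 12 == 0, so this is 0x0 for every L
    print(hex(mask_xor([1, 2, 4], L)))       # 1 ^ 2 ^ 4 == 7, so this is nonzero
```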
Similar resources
On the Influence of Message Length in PMAC's Security Bounds
Many MAC (Message Authentication Code) algorithms have security bounds which degrade linearly with the message length. Often there are attacks that confirm the linear dependence on the message length, yet PMAC has remained without attacks. Our results show that PMAC’s message length dependence in security bounds is non-trivial. We start by studying a generalization of PMAC in order to focus on ...
Another Look at PMAC
We can view an existing Message Authentication Code (MAC) as a Carter-Wegman MAC in spite of the fact it may not have been designed as one. This will make the analysis easier than it has been when considered from other viewpoints. In this paper, we look at PMAC with two keys as a Carter-Wegman MAC and get a simple security proof for it. Using this viewpoint to look at PMAC, we will learn not o...
Single Key Variant of PMAC_Plus
In CRYPTO 2011, Yasuda proposed PMAC_Plus message authentication code based on an n-bit block cipher. Its design principle inherits the well known PMAC parallel network with a low additional cost. PMAC_Plus is a rate-1 construction like PMAC (i.e., one block cipher call per n-bit message block) but provides security against all adversaries making queries altogether consisting of roughly up to 22...
Improved security analysis of PMAC
In this paper we provide a simple, concrete and improved security analysis of Parallelizable Message Authentication Code or PMAC. In particular, we show that the advantage of any distinguisher A at distinguishing PMAC from a random function is at most (5qσ − 3.5q)/2ⁿ. Here, σ is the total number of message blocks in all q queries made by A and PMAC is based on a random permutation over {0, 1}ⁿ. I...
Revisiting Full-PRF-Secure PMAC and Using It for Beyond-Birthday Authenticated Encryption
This paper proposes an authenticated encryption scheme, called SIVx, that preserves BBB security also without the requirement for nonces. For this purpose, we propose a single-key BBB-secure message authentication code with 2n-bit outputs, called PMAC2x, based on a tweakable block cipher. PMAC2x is motivated by PMAC TBC1k by Naito; we revisit its security proof and point out an invalid assumpti...
Journal title:
- IACR Trans. Symmetric Cryptol.
Volume 2016, Issue
Pages -
Publication date 2016