The Exact Security of PMAC

Authors

  • Peter Gazi
  • Krzysztof Pietrzak
  • Michal Rybár
Abstract

PMAC is a simple and parallel block-cipher mode of operation, which was introduced by Black and Rogaway at Eurocrypt 2002. If instantiated with a (pseudo)random permutation over n-bit strings, PMAC constitutes a provably secure variable-input-length (pseudo)random function. For adversaries making q queries, each of length at most ℓ (in n-bit blocks), and of total length σ ≤ qℓ, the original paper proves an upper bound on the distinguishing advantage of O(σ²/2ⁿ), while the currently best bound is O(qσ/2ⁿ). In this work we show that this bound is tight by giving an attack with advantage Ω(q²ℓ/2ⁿ). In the PMAC construction one initially XORs a mask to every message block, where the mask for the i-th block is computed as τ_i := γ_i · L, where L is a (secret) random value and γ_i is the i-th codeword of the Gray code. Our attack applies more generally to any sequence of γ_i's which contains a large coset of a subgroup of GF(2)ⁿ. We then investigate whether the security of PMAC can be further improved by using τ_i's that are k-wise independent, for k > 1 (the original distribution is only 1-wise independent). We observe that the security of PMAC will not increase in general, even if the masks are chosen from a 2-wise independent distribution, and then prove that the security increases to O(q²/2ⁿ) if the τ_i are 4-wise independent. Due to simple extension attacks, this is the best bound one can hope for using any distribution on the masks. Whether 3-wise independence is already sufficient to get this level of security is left as an open problem.
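The abstract describes the mask τ_i := γ_i · L (Gray-code coefficient times a secret L, with the product taken in GF(2ⁿ)) and contrasts it with k-wise independent masks. The following Python is an added example, not code from the paper or from any PMAC implementation: it derives the Gray-code mask sequence both directly and with the incremental "add 2^ntz(i)·L" update that PMAC implementations use, and beside it builds masks from a random polynomial of degree k−1 over GF(2ⁿ), which is one standard way to obtain a k-wise independent family (the paper's abstract does not prescribe a particular construction, so the polynomial family is an assumption of this example). The reduction polynomial x¹²⁸ + x⁷ + x² + x + 1, the sample value of L and the block count are constructed for illustration.

```python
# Added example (not from the paper): PMAC-style mask derivation over GF(2^128).
import secrets

N = 128
# Reduction polynomial x^128 + x^7 + x^2 + x + 1 (assumed; the usual choice for GF(2^128) doubling)
R = (1 << N) | 0x87


def gf_double(x: int) -> int:
    """Multiply x by the field element 'x' (i.e. by 2) in GF(2^128)."""
    x <<= 1
    if x >> N:          # degree overflowed: reduce modulo R
        x ^= R
    return x


def gf_mul(a: int, b: int) -> int:
    """Schoolbook multiplication in GF(2^128); a, b are integers < 2^128."""
    res = 0
    while b:
        if b & 1:
            res ^= a
        a = gf_double(a)
        b >>= 1
    return res


def gray(i: int) -> int:
    """i-th codeword of the reflected binary Gray code (gamma_i in the abstract)."""
    return i ^ (i >> 1)


def ntz(i: int) -> int:
    """Number of trailing zero bits of i > 0."""
    return (i & -i).bit_length() - 1


def pmac_masks_direct(L: int, ell: int) -> list:
    """tau_i = gamma_i * L for i = 1..ell, computed by a full field multiplication each time."""
    return [gf_mul(gray(i), L) for i in range(1, ell + 1)]


def pmac_masks_incremental(L: int, ell: int) -> list:
    """Same sequence, using gamma_i = gamma_{i-1} XOR 2^ntz(i), so that
    tau_i = tau_{i-1} XOR (2^ntz(i) * L); only a table of doublings of L is needed."""
    powers = [L]                                   # powers[j] = 2^j * L
    while len(powers) <= ell.bit_length():
        powers.append(gf_double(powers[-1]))
    masks, tau = [], 0
    for i in range(1, ell + 1):
        tau ^= powers[ntz(i)]
        masks.append(tau)
    return masks


def kwise_masks(coeffs: list, ell: int) -> list:
    """tau_i = c0 + c1*i + ... + c_{k-1}*i^{k-1} evaluated in GF(2^128) at the points 1..ell.
    With k uniformly random coefficients this family is k-wise independent over distinct
    points (assumed construction; the paper's abstract only states the k-wise requirement)."""
    masks = []
    for i in range(1, ell + 1):
        acc = 0
        for c in reversed(coeffs):                 # Horner evaluation
            acc = gf_mul(acc, i) ^ c
        masks.append(acc)
    return masks


def random_kwise_coeffs(k: int) -> list:
    """k uniformly random field elements, i.e. a random polynomial of degree < k."""
    return [secrets.randbits(N) for _ in range(k)]


if __name__ == "__main__":
    L = secrets.randbits(N)                        # in PMAC this would be E_K(0^n)
    ell = 8
    assert pmac_masks_direct(L, ell) == pmac_masks_incremental(L, ell)
    for i, tau in enumerate(pmac_masks_direct(L, ell), start=1):
        print(f"gray({i})={gray(i):04b}  tau_{i}={tau:032x}")
    four_wise = kwise_masks(random_kwise_coeffs(4), ell)
    print("first 4-wise mask:", f"{four_wise[0]:032x}")
```

The Gray-code sequence is cheap because consecutive masks differ by a single doubling of L, but every τ_i is a fixed GF(2)-linear function of the same L, which is exactly the 1-wise (not pairwise) independence the abstract refers to; the polynomial family costs a few field multiplications per block in exchange for 4-wise independence.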


Related articles

On the Influence of Message Length in PMAC's Security Bounds

Many MAC (Message Authentication Code) algorithms have security bounds which degrade linearly with the message length. Often there are attacks that confirm the linear dependence on the message length, yet PMAC has remained without attacks. Our results show that PMAC’s message length dependence in security bounds is non-trivial. We start by studying a generalization of PMAC in order to focus on ...


Another Look at PMAC

We can view an existing Message Authentication Code (MAC) as a Carter-Wegman MAC in spite of the fact it may not have been designed as one. This will make the analysis easier than it has been when considered from other viewpoints. In this paper, we look at PMAC with two keys as a Carter-Wegman MAC and get a simple security proof for it. Using this viewpoint to look at PMAC, we will learn not o...


Single Key Variant of PMAC_Plus

In CRYPTO 2011, Yasuda proposed the PMAC_Plus message authentication code based on an n-bit block cipher. Its design principle inherits the well-known PMAC parallel network with a low additional cost. PMAC_Plus is a rate-1 construction like PMAC (i.e., one block cipher call per n-bit message block) but provides security against all adversaries making queries altogether consisting of roughly up to 22...


Improved security analysis of PMAC

In this paper we provide a simple, concrete and improved security analysis of the Parallelizable Message Authentication Code, PMAC. In particular, we show that the advantage of any distinguisher A at distinguishing PMAC from a random function is at most (5qσ − 3.5q)/2ⁿ. Here, σ is the total number of message blocks in all q queries made by A, and PMAC is based on a random permutation over {0, 1}ⁿ. I...


Revisiting Full-PRF-Secure PMAC and Using It for Beyond-Birthday Authenticated Encryption

This paper proposes an authenticated encryption scheme, called SIVx, that preserves BBB security also without the requirement for nonces. For this purpose, we propose a single-key BBB-secure message authentication code with 2n-bit outputs, called PMAC2x, based on a tweakable block cipher. PMAC2x is motivated by PMAC TBC1k by Naito; we revisit its security proof and point out an invalid assumpti...



Journal:
  • IACR Trans. Symmetric Cryptol.

Volume: 2016


Publication date: 2016