Hash-Function Based PRFs: AMAC and Its Multi-User Security

AMAC is a simple and fast candidate construction of a PRF from an MD-style hash function which applies the keyed hash function and then a cheap, un-keyed output transform such as truncation. Spurred by its use in the widely-deployed Ed25519 signature scheme, this paper investigates the provable PRF security of AMAC to deliver the following three-fold message: (1) First, we prove PRF security of AMAC (2) Second, we show that AMAC has a quite unique and attractive feature, namely that its multi-user security is essentially as good as its singleuser security and in particular superior in some settings to that of competitors. (3) Third, it is technically interesting, its security and analysis intrinsically linked to security of the compression function in the presence of leakage. 1 Department of Computer Science & Engineering, University of California San Diego, 9500 Gilman Drive, La Jolla, California 92093, USA. URL: http://cseweb.ucsd.edu/~mihir/. Supported in part by NSF grants CNS1526801 and CNS-1228890. This work was done in part while the author was visiting the Simons Institute for the Theory of Computing, supported by the Simons Foundation and by the DIMACS/Simons Collaboration in Cryptography through NSF grant CNS-1523467. 2 University of Illinois at Chicago, USA, and Technische Universiteit Eindhoven, Netherlands., URL: https://cr.yp.to/djb.html. Supported in part by NSF grants CNS-1018836 and CNS-1314919. 3 Department of Computer Science, University of California Santa Barbara, Santa Barbara, California 93106, USA. URL: http://www.cs.ucsb.edu/~tessaro/. Supported in part by NSF grant CNS-1423566. This work was done in part while the author was visiting the Simons Institute for the Theory of Computing, supported by the Simons Foundation and by the DIMACS/Simons Collaboration in Cryptography through NSF grant CNS-1523467.