Blockcipher-based MACs: Beyond the Birthday Bound without Message Length

We present blockcipher-based MACs (Message Authentication Codes) that have beyond the birthday bound security without message length in the sense of PRF (Pseudo-Random Function) security. Achieving such security is important in constructing MACs using blockciphers with short block sizes (e.g., 64 bit). Luykx et al. (FSE 2016) proposed LightMAC, the first blockcipher-based MAC with such security and a variant of PMAC, where for each n-bit blockcipher call, an m-bit counter and an (n−m)-bit message block are input. By the presence of counters, LightMAC becomes a secure PRF up to O(2) tagging queries. Iwata and Minematsu (TOSC 2016, Issue 1) proposed Ft, a keyed hash function-based MAC, where a message is input to t keyed hash functions (the hash function is performed t times) and the t outputs are input to the xor of t keyed blockciphers. Using the LightMAC’s hash function, Ft becomes a secure PRF up to O(2 ) tagging queries. However, for each message block of (n − m) bits, it requires t blockcipher calls. In this paper, we improve Ft so that a blockcipher is performed only once for each message block of (n − m) bits. We prove that our MACs with t ≤ 7 are secure PRFs up to O(2) tagging queries. Hence, our MACs with t ≤ 7 are more efficient than Ft while keeping the same level of PRF-security. Keyword: MAC, blockcipher, PRF, PRP, beyond the birthday bound, message length, counter.