On the Efficiency of ZMAC-Type Modes

Naito, Yusuke

doi:10.1007/978-3-030-00434-7_10

Yusuke Naito¹⁵

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 11124))

Included in the following conference series:

International Conference on Cryptology and Network Security

923 Accesses
1 Citations

Abstract

In this paper, we study the efficiency of \(\mathsf {ZMAC}\)-type message authentication codes (MACs). \(\mathsf {ZMAC}\) was proposed by Iwata et al. (CRYPTO 2017) and is a highly efficient and highly secure MAC based on tweakable blockcipher (TBC). \(\mathsf {ZMAC}\) achieves the so-called beyond-birthday-bound security: security up to \(2^{\min \{b, (b+t)/2\}}\) TBC calls, using a TBC with the input-block space \(\{0,1\}^b\) and the tweak space \(\mathcal {TW}= \mathcal {I}\times \{0,1\}^t\) where \(\mathcal {I}\) is a set with \(|\mathcal {I}| = 5\) and is used for tweak separations. In the hash function, the \(b\)-bit and \(t\)-bit spaces are used to take message blocks (in previous MACs, only the \(b\)-bit input-block space is used). In the finalization function, a TBC is called twice, and these spaces are not used. List and Nandi (ToSC 2017, Issue 4) proposed \(\mathsf {ZMAC}^+\), a variant of \(\mathsf {ZMAC}\), where one TBC call is removed from the finalization function. Although both the \(b\)-bit and \(t\)-bit spaces in the hash function are used to take message blocks, those in the finalization function are not used. That rises the following question with the aim of improving the efficiency: can these spaces be used while retaining the same level of security as \(\mathsf {ZMAC}\)? In this paper, we consider the following three \(\mathsf {ZMAC}\)-type MACs.

\(\mathsf {ZMACb}\): only the \(b\)-bit space is used.
\(\mathsf {ZMACt}\): only the \(t\)-bit space is used.
\(\mathsf {ZMACbt}\): both the \(b\)-bit and \(t\)-bit spaces are used.

We show that none of the above MACs achieve the same level of security as \(\mathsf {ZMAC}(^+)\). Hence, \(\mathsf {ZMAC}^+\) is the most efficient MAC in the \(\mathsf {ZMAC}\)-type ones with \(2^{\min \{b, (b+t)/2\}}\)-security.

We next consider whether the tweak separations can be removed (i.e., \(\mathcal {I}\) can be used to take a message block), with the aim of improving the efficiency of \(\mathsf {ZMAC}^+\). Iwata et al. mentioned that the tweak separations can be removed by using distinct field multiplications such as multiplications by 3 and 7, but these render the implementation much more complex (note that in \(\mathsf {ZMAC}\), field multiplications by 2 are used). For this problem, we show that the tweak separations can be removed without the field multiplications except for the multiplications by 2, that is, all spaces \(\mathcal {TW}\) and \(\{0,1\}^b\) in the hash function can be used to take message blocks without such complex implementations.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution

Chapter: USD 29.95; Price excludes VAT (USA)

eBook: USD 39.99; Price excludes VAT (USA)

Softcover Book: USD 54.99; Price excludes VAT (USA)

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Notes

1.
Usually, the tweak separations are realized by using one byte in the tweak space of each TBC call. In this case, there is no impact on the efficiency from the modification.
2.
\(\mathsf {ZMAC}^+\) can produce variable-length outputs, where each \(b\)-bit output is defined by one TBC call. Using \(\mathsf {ZMAC}^+\) as a MAC, the \(b\)-bit output length is enough to ensure the \(2^{\min \{b,(b+t)/2\}}\)-security, where a TBC is called once. In [12], the security bound is improved to \(O(q/2^b+ q\sigma /2^{b+\min \{b,t\}})\).
3.
In [6] (Lemma 1), the TPRP-security of \(\mathsf {XT}\) is considered. Since a TRP with a constant input block, i.e., the input block is fixed to some constant, behaves like a random function, the PRF-security of \(\mathsf {XT}_0\) is obtained from the TPRP-security of \(\mathsf {XT}\).

References

Beierle, C., et al.: The SKINNY family of block ciphers and its low-latency variant MANTIS. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9815, pp. 123–153. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53008-5_5
Chapter Google Scholar
Black, J., Rogaway, P.: A block-cipher mode of operation for parallelizable message authentication. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 384–397. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-46035-7_25
Chapter Google Scholar
Cogliati, B., Lee, J., Seurin, Y.: New constructions of MACs from (tweakable) block ciphers. IACR Trans. Symmetric Cryptol. 2017(2), 27–58 (2017)
Google Scholar
Datta, N., Dutta, A., Nandi, M., Paul, G., Zhang, L.: Single key variant of PMAC\(\_\)Plus. IACR Trans. Symmetric Cryptol. 2017(4), 268–305 (2017)
Google Scholar
Iwata, T., Kurosawa, K.: OMAC: one-key CBC MAC. In: Johansson, T. (ed.) FSE 2003. LNCS, vol. 2887, pp. 129–153. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-39887-5_11
Chapter Google Scholar
Iwata, T., Minematsu, K., Peyrin, T., Seurin, Y.: ZMAC: a fast tweakable block cipher mode for highly secure message authentication. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10403, pp. 34–65. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63697-9_2. IACR Cryptology ePrint Archive 2017, 535 (2017)
Chapter Google Scholar
Iwata, T., Seurin, Y.: Reconsidering the security bound of AES-GCM-SIV. IACR Trans. Symmetric Cryptol. 2017(4), 240–267 (2017)
Google Scholar
Jean, J., Nikolić, I., Peyrin, T.: Tweaks and keys for block ciphers: the TWEAKEY framework. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8874, pp. 274–288. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-45608-8_15
Chapter Google Scholar
JTC1: ISO/IEC 9797–1:1999 Information technology – Security techniques – Message Authentication Codes (MACs)–Part 1: Mechanisms using a block cipher (1999)
Google Scholar
Liskov, M., Rivest, R.L., Wagner, D.: Tweakable block ciphers. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 31–46. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-45708-9_3
Chapter Google Scholar
List, E., Nandi, M.: Revisiting full-PRF-secure PMAC and using it for beyond-birthday authenticated encryption. In: Handschuh, H. (ed.) CT-RSA 2017. LNCS, vol. 10159, pp. 258–274. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-52153-4_15
Chapter Google Scholar
List, E., Nandi, M.: ZMAC+ - an efficient variable-output-length variant of ZMAC. IACR Trans. Symmetric Cryptol. 2017(4), 306–325 (2017)
Google Scholar
Mennink, B.: Optimally secure tweakable blockciphers. In: Leander, G. (ed.) FSE 2015. LNCS, vol. 9054, pp. 428–448. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48116-5_21
Chapter Google Scholar
Minematsu, K., Iwata, T.: Tweak-length extension for tweakable blockciphers. In: Groth, J. (ed.) IMACC 2015. LNCS, vol. 9496, pp. 77–93. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-27239-9_5
Chapter Google Scholar
Minematsu, K., Iwata, T.: Cryptanalysis of PMACx, PMAC2x, and SIVx. IACR Trans. Symmetric Cryptol. 2017(2), 162–176 (2017)
Google Scholar
Naito, Y.: Full PRF-secure message authentication code based on tweakable block cipher. In: Au, M.-H., Miyaji, A. (eds.) ProvSec 2015. LNCS, vol. 9451, pp. 167–182. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-26059-4_9
Chapter Google Scholar
Naito, Y.: Blockcipher-based MACs: beyond the birthday bound without message length. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017, Part III. LNCS, vol. 10626, pp. 446–470. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70700-6_16
Chapter Google Scholar
Naito, Y.: Improved security bound of LightMAC\(\_\)Plus and its single-key variant. In: Smart, N.P. (ed.) CT-RSA 2018. LNCS, vol. 10808, pp. 300–318. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-76953-0_16
Chapter Google Scholar
Patarin, J.: The “Coefficients H” technique. In: Avanzi, R.M., Keliher, L., Sica, F. (eds.) SAC 2008. LNCS, vol. 5381, pp. 328–345. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-04159-4_21
Chapter Google Scholar
Rogaway, P.: Efficient instantiations of tweakable blockciphers and refinements to modes OCB and PMAC. In: Lee, P.J. (ed.) ASIACRYPT 2004. LNCS, vol. 3329, pp. 16–31. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-30539-2_2
Chapter Google Scholar
Yasuda, K.: The sum of CBC MACs is a secure PRF. In: Pieprzyk, J. (ed.) CT-RSA 2010. LNCS, vol. 5985, pp. 366–381. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-11925-5_25
Chapter Google Scholar
Yasuda, K.: A new variant of PMAC: beyond the birthday bound. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 596–609. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-22792-9_34
Chapter Google Scholar

Download references

Author information

Authors and Affiliations

Mitsubishi Electric Corporation, Kanagawa, Japan
Yusuke Naito

Authors

Yusuke Naito
View author publications
You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Yusuke Naito .

Editor information

Editors and Affiliations

IBM Research - Zurich, Rüschlikon, Switzerland
Jan Camenisch
KTH Royal Institute of Technology, Stockholm, Sweden
Panos Papadimitratos

Rights and permissions

Reprints and permissions

Copyright information

About this paper

Cite this paper

Naito, Y. (2018). On the Efficiency of ZMAC-Type Modes. In: Camenisch, J., Papadimitratos, P. (eds) Cryptology and Network Security. CANS 2018. Lecture Notes in Computer Science(), vol 11124. Springer, Cham. https://doi.org/10.1007/978-3-030-00434-7_10

Download citation

DOI: https://doi.org/10.1007/978-3-030-00434-7_10
Published: 01 September 2018
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-00433-0
Online ISBN: 978-3-030-00434-7
eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics