A Lightweight Alternative to PMAC

Abstract

PMAC is a parallelizable message authentication code (MAC) based on a block cipher. PMAC has many desirable features, such as parallelizability and essential optimality in terms of the number of block cipher calls, and the provable security. However, PMAC needs a pre-processing of one block cipher call taking all-zero block to produce the input masks to all subsequent block cipher calls. This incurs an overhead for both time and memory, which is often non-negligible. In particular, this makes PMAC’s state size 3n bits. To address these issues, we propose a new parallelizable MAC as an alternative to PMAC, which we call \(\text {LAPMAC}\). \(\text {LAPMAC}\) enables a high parallelizability, and unlike PMAC, it does not need a pre-processing to create an input mask. This leads to 2n-bit state memory compared to PMAC’s 3n-bit state. Moreover, \(\text {LAPMAC}\) is highly optimized in terms of the number of block cipher calls, for example it requires exactly the same number of block cipher calls as PMAC when one pre-processing call is allowed, and achieves the same number of block cipher calls as the state-of-the-art serial MACs those do not need the pre-processing call.

We prove that \(\text {LAPMAC}\) is secure up to around \(2^{n/2}\) queried blocks, under the standard pseudorandomness assumption of the underlying block cipher.

A Proof of Lemma 3

In Fig. 7, we build the game to bound the probability of collision of \(\text{ CBC }[{\textsf {R}}_{\mathsf {h},1},{\textsf {R}}_{\mathsf {h},2}]\). The game and the subsequent analysis are essentially the same as the proof of Lemma 4.2 of [20]. First we give some notations for the game, which are mostly taken from [20]. We implement \({\textsf {R}}_{h,1}\) and \({\textsf {R}}_{h,2}\) by lazy sampling, where they are expressed as lists. For \(i=1,2,\) we maintain the lists of input and output to \({\textsf {R}}_{h,i}\) determined in the game. In particular, \(\text {Domain}({\textsf {R}}_{h,i})\) denotes the list of inputs and \({\textsf {R}}_{h,i}(x)\) denotes the output corresponding to input x. Initially \(\text {Domain}({\textsf {R}}_{h,i})\) is set to empty, and \({\textsf {R}}_{h,i}(x)\) is undefined if \(x\not \in \text {Domain}({\textsf {R}}_{h,i})\). We maintain the flags, \(\mathsf {bad}_1\) and \(\mathsf {bad}_2\), which are initialized to \(\mathsf {false}\). We also introduce two sets for chain blocks, \(\mathrm {BAD}_1\) and \(\mathrm {BAD}_2\), to determine whether the flags are set (to \(\mathsf {true}\)) or not. We observe that the output collision of \(\text{ CBC }[{\textsf {R}}_{h,1},{\textsf {R}}_{h,2}]\) only occurs when \(\mathsf {bad}_1\) is set at line 22, or \(\mathsf {bad}_2\) is set at line 44. Thus, (12) is at most the sum of \(\Pr [\mathsf {bad}_1\leftarrow \mathsf {true}]\) and \(\Pr [\mathsf {bad}_2\leftarrow \mathsf {true}]\).

Fig. 7.

Game for collision analysis of \(\text{ CBC }[{\textsf {R}}_{h,1},{\textsf {R}}_{h,2}]\).

Following [20], for the t-th process of line 13, let \(l_t\) denote the size of \(\mathrm {BAD}_2\) after line 21, assuming \(\mathsf {bad}_1\) is \(\mathsf {false}\) for the first \(t-1\) process of line 13. The probability of \(\mathsf {bad}_1\leftarrow \mathsf {true}\) is bounded as follows. Let V(t) denote the probability of \(\mathsf {bad}_1\leftarrow \mathsf {true}\) at the t-th choice of \(Y_i[1]\) (at line 13) conditioned by the even that \(\mathsf {bad}_1\) is \(\mathsf {false}\) before choosing \(Y_i[1]\). Then

$$V(t) \le \frac{(l_1+\dots +l_{t-1})l_t}{2^n}$$

holds since sampling at line 13 is uniform over n bits and \(\mathrm {BAD}_1\) has \((l_1+\dots +l_{t-1})\) points and \(\mathrm {BAD}_2\) has \(l_t\) points. Let s denote the total number of process line 13. Then we have

$$\begin{aligned} \Pr [\mathsf {bad}_1\leftarrow \mathsf {true}]&\le \sum _{1\le t\le s}V(t) = \sum _{1\le t\le s}\frac{(l_1+\dots +l_{t-1})l_t}{2^n}\end{aligned}$$

(25)

$$\begin{aligned}&\le \frac{1}{2^n}\cdot \frac{{l'_0}^2-(l_1^2+\dots +l_s^2)}{2} \le \frac{{l'_0}^2}{2^{n}} \end{aligned}$$

(26)

where \({l'_0}^2=l_1+\dots +l_s\).

The probability of \(\mathsf {bad}_2\leftarrow \mathsf {true}\) is similarly bounded. Let \(l'_{t'}\) denote the size of \(\mathrm {BAD}_2\) after line 43, at the \(t'\)-th process of line 35, assuming \(\mathsf {bad}_2\) is \(\mathsf {false}\) for the first \(t'-1\) process of line 35. Let \(s'\) denote the total number of process line 35 in the game. Here, \(s'\le \sigma \). Let \(V'(t)\) denote the probability of \(\mathsf {bad}_2\leftarrow \mathsf {true}\) at the \(t'\)-th choice of \(Y_i[j]\) (at line 35) conditioned by the event that \(\mathsf {bad}_2\) is \(\mathsf {false}\) before choosing \(Y_i[j]\). Then we have

$$ V'(t') \le \frac{(l'_0 + l'_1+\dots +l'_{t'-1})l'_{t'}}{2^n},$$

and

$$\begin{aligned} \Pr [\mathsf {bad}_2\leftarrow \mathsf {true}]&\le \sum _{1\le t'\le s'}V'(t') \le \sum _{1\le t'\le s'}\frac{(l'_0 + l'_1+\dots +l'_{t'-1})l'_{t'}}{2^n} \le \frac{{\sigma }^2-{l'_0}^2}{2^{n}} \end{aligned}$$

(27)

as we have \(\sigma \ge l'_0 + l'_1+\dots +l'_{t'-1}\), \(s'\le \sigma \) which is at most \(2^n/2\) by assumption. From (26) and (27), the proof is concluded as

$$\begin{aligned} \Pr [\mathsf {bad}_1\leftarrow \mathsf {true}] + \Pr [\mathsf {bad}_2\leftarrow \mathsf {true}] \le \frac{\sigma ^2}{2^n}. \end{aligned}$$

(28)