PMAC\(r\)x: A Vector-Input MAC for High-Dimensional Vectors with BBB Security

Abstract

At Eurocrypt 2006, Rogaway and Shrimpton presented the idea of vector-input MAC that accepts a vector consisting of variable-length bitstrings. They proposed S2V as a concrete instantiation of the vector-input MAC and S2V is more efficient than the classical method, encoding a vector into a single bitstring and then applying a conventional MAC such as CMAC. However, S2V severely limits the maximum number of elements in a vector. Moreover, the security is up to the birthday bound with respect to the block length of the underlying block cipher (i.e., n/2-bit security for n-bit block). To overcome these drawbacks, we use tweakable block ciphers (TBCs) and present a new vector-input MAC, called PMAC\(r\)x, taking PMAC2x by List and Nandi (CT-RSA 2017) as the baseline scheme. Our proposal allows a significantly larger number of elements than S2V and enjoys the beyond-the-birthday-bound (BBB) security. PMAC\(r\)x is more efficient than the encode-then-PMAC2x method with respect to the number of primitive calls, as in the case of S2V (where the comparison is made with CMAC).

Appendices

A Proof of Lemma 3

Proof

We prove only for \(\Pr [V=\tilde{V}]\le 1/(2^n-1)\). Although there are some formal differences with respect to the inner coefficients 2 or 3, \(\Pr [W=\tilde{W}]\le 1/(2^n-1)\) can be proved similarly to \(\Pr [V=\tilde{V}]\le 1/(2^n-1)\).

Let \(m^i\) and \(\tilde{m}^i\) be the number of blocks of each \(M^i\) and \(\tilde{M}^i\), respectively. Below we show that \(\Pr [V=\tilde{V}]\le 1/(2^n-1)\) by dividing into cases in the same way as the proof of Lemma 2.

Case 1. There exists only one \({\boldsymbol{i}}\) such that \({\boldsymbol{M}}^{{\boldsymbol{i}}}\boldsymbol{\ne }\boldsymbol{\tilde{M}}^{{\boldsymbol{i}}}\).

Case 1.1. \(\boldsymbol{\tilde{m}}^{{\boldsymbol{i}}} = {{\boldsymbol{m}}}^{{\boldsymbol{i+1}}}\).   In this case, \(X^i = Z^i[1] \oplus \cdots \oplus Z^i[m^i]\) and \(\tilde{X}^i = \tilde{Z}^i[1] \oplus \cdots \oplus \tilde{Z}^i[m^i] \oplus \tilde{Z}^i[m^i+1]\). Thus, we have

$$\begin{aligned} V=\tilde{V} \iff X^i\oplus \tilde{X}^i = 0^n \iff \bigoplus _{1\le \ell \le m^i}(Z^i[\ell ]\oplus \tilde{Z}^i[\ell ])\oplus \tilde{Z}^i[m^i+1]=0^n. \end{aligned}$$

(18)

Case 1.1.1. \({\boldsymbol{M}}^{{\boldsymbol{i}}}[\boldsymbol{\ell }]=\boldsymbol{\tilde{M}}^{{\boldsymbol{i}}}[\boldsymbol{\ell }]\) for any \(\boldsymbol{\ell }\) such that \({\boldsymbol{1}}\boldsymbol{\le } \boldsymbol{\ell } \boldsymbol{\le } {\boldsymbol{m}}^{{\boldsymbol{i}}}\).   In this case, (18) \(\iff \tilde{Z}^i[m^i+1]=0^n\) holds. Since \(\tilde{Z}^i[m^i+1]\) takes \(2^n\) possible values, the probability that (18) holds is at most \(1/2^n\).

Case 1.1.2. \({\boldsymbol{M}}^{{\boldsymbol{i}}}[\boldsymbol{\ell }]\boldsymbol{\ne } \boldsymbol{\tilde{M}}^{{\boldsymbol{i}}}[\boldsymbol{\ell }]\) for at least one \(\boldsymbol{\ell }\) such that \({\boldsymbol{1}}\boldsymbol{\le } \boldsymbol{\ell }\boldsymbol{\le }\boldsymbol{\tilde{m}}^{{\boldsymbol{i}}}\).   If we arbitrarily fix the elements of \(Z^i\) and \(\tilde{Z}^i\) except \(\tilde{Z}^i[m^i+1]\), we have (18) \(\iff \tilde{Z}^i[m^i+1]=\texttt{Cst},\) where \(\texttt{Cst}\) is a constant. Since \(\tilde{Z}^i[m^i+1]\) takes \(2^n\) possible values, the probability that (18) holds is at most \(1/2^n\).

Case 1.2. \(\tilde{m}^i \ge m^i+2\).   In this case, \(X^i = Z^i[1] \oplus \cdots \oplus Z^i[m^i]\) and \(\tilde{X}^i = \tilde{Z}^i[1] \oplus \cdots \oplus \tilde{Z}^i[m^i] \oplus \cdots \oplus \tilde{Z}^i[\tilde{m}^i-1] \oplus \tilde{Z}^i[\tilde{m}^i]\). Thus,

$$\begin{aligned} V=\tilde{V}&\iff \bigoplus _{1\le \ell \le m^i}(Z^i[\ell ]\oplus \tilde{Z}^i[\ell ])\oplus \cdots \oplus \tilde{Z}^i[\tilde{m}^i-1]\oplus \tilde{Z}^i[\tilde{m}^i]=0^n \end{aligned}$$

(19)

holds. If we arbitrarily fix the elements of \(Z^i\) and \(\tilde{Z}^i\) except \(\tilde{Z}^i[\tilde{m}^i]\), we have (19) \(\iff \tilde{Z}^i[\tilde{m}^i]=\texttt{Cst},\) where \(\texttt{Cst}\) is a constant. Since \(\tilde{Z}^i[\tilde{m}^i]\) takes \(2^n\) possible values, the probability that (19) holds is at most \(1/2^n\).

Case 1.3. \(\tilde{m}^i = m^i\).   In this case, \(X^i = Z^i[1] \oplus \cdots \oplus Z^i[m^i]\) and \(\tilde{X}^i = \tilde{Z}^i[1] \oplus \cdots \oplus \tilde{Z}^i[m^i]\). Thus,

$$\begin{aligned} V=\tilde{V} \iff \bigoplus _{1\le \ell \le m^i}(Z^i[\ell ]\oplus \tilde{Z}^i[\ell ])=0^n. \end{aligned}$$

(20)

Case 1.3.1. There exists only one different block.   Let \(\ell \) be the index of the different block (i.e., \(M^i[\ell ]\ne \tilde{M}^i[\ell ]\)). Then, we have (20) \(\iff Z^i[\ell ]\oplus \tilde{Z}^i[\ell ]=0^n.\) The above holds only if there exists \((Z^i[\ell ],\tilde{Z}^i[\ell ])\) such that \(Z^i[\ell ]=\tilde{Z}^i[\ell ]\), but this contradicts the assumption that \(M^i[\ell ]\ne \tilde{M}^i[\ell ]\). Therefore, the probability that (20) holds is 0.

Case 1.3.2. There are two or more different blocks.   Let \(\ell \) be one of the indices of the different blocks (i.e., \(M^i[\ell ]\ne \tilde{M}^i[\ell ]\)), and assume that we arbitrarily fix the elements of \(Z^i\) and \(\tilde{Z}^i\) except \(Z^i[\ell ]\) and \(\tilde{Z}^i[\ell ]\). Then, we have (20) \(\iff Z^i[\ell ]\oplus \tilde{Z}^i[\ell ]=\texttt{Cst},\) where \(\texttt{Cst}\) is a constant. There exists only one \((Z^i[\ell ],\tilde{Z}^i[\ell ])\) that satisfies the above, and such \((Z^i[\ell ],\tilde{Z}^i[\ell ])\) takes \(2^n\cdot 1=2^n\) possible values. By the assumption, \(Z^i[\ell ]\ne \tilde{Z}^i[\ell ]\) holds and then \((Z^i[\ell ],\tilde{Z}^i[\ell ])\) takes \(2^n(2^n-1)\) possible values. Therefore, the probability that (20) holds is at most \(2^n/(2^n(2^n-1))=1/(2^n-1)\).

Case 2. There exist \({\boldsymbol{i}}\) and \({\boldsymbol{j}}\) (\({\boldsymbol{i}}\boldsymbol{<} {\boldsymbol{j}}\)) such that \({\boldsymbol{M}}^{{\boldsymbol{i}}}\boldsymbol{\ne }\boldsymbol{\tilde{M}}^{{\boldsymbol{i}}}\) and \({\boldsymbol{M}}^{{\boldsymbol{j}}}\boldsymbol{\ne }\boldsymbol{\tilde{M}}^{{\boldsymbol{j}}}\).   If we arbitrarily fix X except \(X^i\) and \(\tilde{X}^i\), we have

$$\begin{aligned} V = \tilde{V} \iff X^i \oplus X^j \oplus \tilde{X}^i \oplus \tilde{X}^j = \texttt{Cst}, \end{aligned}$$

(21)

where \(\texttt{Cst}\) is a constant.

Case 2.1. \(\tilde{m}^i>m^i\) and \(\tilde{m}^j>m^j\)   In this case, \(X^i = Z^i[1] \oplus \cdots \oplus Z^i[m^i]\), \(\tilde{X}^i = \tilde{Z}^i[1] \oplus \cdots \oplus \tilde{Z}^i[m^i] \oplus \cdots \oplus \tilde{Z}^i[\tilde{m}^i]\), \(X^j = Z^j[1] \oplus \cdots \oplus Z^j[m^j]\), and \(\tilde{X}^j = \tilde{Z}^j[1] \oplus \cdots \oplus \tilde{Z}^j[m^j] \oplus \cdots \oplus \tilde{Z}^j[\tilde{m}^j]\). If we arbitrarily fix Z and \(\tilde{Z}\) except \(\tilde{Z}^i[\tilde{m}^i]\) and \(\tilde{Z}^j[\tilde{m}^j]\), we have (21) \(\iff \tilde{Z}^i[\tilde{m}^i]\oplus \tilde{Z}^j[\tilde{m}^j]=\texttt{Cst},\) where \(\texttt{Cst}\) is a constant. There exists only one \((Z^i[\tilde{m}^i],\tilde{Z}^j[\tilde{m}^j])\) that satisfies the above and such \((Z^i[\tilde{m}^i],\tilde{Z}^j[\tilde{m}^j])\) takes \(2^n\cdot 1=2^n\) possible values, while \((Z^i[\tilde{m}^i],\tilde{Z}^j[\tilde{m}^j])\) takes \(2^n\cdot 2^n\) possible values. Therefore, the probability that (21) holds is at most \(2^n/(2^n\cdot 2^n)=1/2^n\).

Case 2.2. \(\tilde{m}^i>m^i\) and \(\tilde{m}^j<m^j\)   If we arbitrarily fix the elements of Z and \(\tilde{Z}\) except \(\tilde{Z}^i[\tilde{m}^i]\) and \(Z^j[m^j]\), we have (21) \(\iff \tilde{Z}^i[\tilde{m}^i]\oplus Z^j[m^j]=\texttt{Cst},\) where \(\texttt{Cst}\) is a constant. Then, similarly to Case 2.1, the probability that (21) holds is at most \(1/2^n\).

Case 2.3. \(\tilde{m}^i>m^i\) and \(\tilde{m}^j = m^j\)   If we arbitrarily fix the elements of Z and \(\tilde{Z}\) except \(\tilde{Z}^i[\tilde{m}^i]\), we have (21) \(\iff \tilde{Z}^i[\tilde{m}^i]=\texttt{Cst},\) where \(\texttt{Cst}\) is a constant. Hence, the probability that (21) holds is at most \(1/2^n\).

Case 2.4. \(\tilde{m}^i = m^i\) and \(\tilde{m}^j = m^j\)   Let \(\ell \) be one of the indices of the different blocks for \(M^i\) and \(\tilde{M}^i\) (i.e., \(M^i[\ell ]\ne \tilde{M}^i[\ell ]\)), and assume that the elements of \(Z^i\) and \(\tilde{Z}^i\) except \(Z^i[\ell ]\) and \(\tilde{Z}^i[\ell ]\). Then, we have (21) \(\iff Z^i[\ell ]\oplus \tilde{Z}^i[\ell ]=\texttt{Cst},\) where \(\texttt{Cst}\) is a constant. Therefore, similarly to Case 1.3.2, the probability that (21) holds is at most \(1/(2^n-1)\).    \(\square \)

B The structure of PMAC2x

Fig. 3.

The structure of PMAC2x [16, 17], where \(\bigodot \) with 2 is a multiplication by 2 in \(\textrm{GF}(2^n)\), Conv is a regular function \(\{{0,1}\}^n\rightarrow \{{0,1}\}^n\), and \(\hat{X}\) and \(\hat{Y}\) are the outputs of Conv for X and Y, respectively. Here, a function is called regular iff all outputs are produced by an equal number of inputs.