Full PRF-Secure Message Authentication Code Based on Tweakable Block Cipher

Abstract

We propose a new message authentication code (MAC) based on a tweakable block cipher (TBC). We prove that the new MAC is a pseudo-random function (PRF) up to \(O(2^n)\) queries, that is, full PRF-security, where the output length of the TBC is n bits. We note that although Yasuda proposed a full PRF-secure MAC based on a compression function (CF), that does not offer a full PRF-secure TBC-based MAC due to the PRF/PRF switch. Hence our MAC is the first full PRF-secure one based on a TBC.

A Analysis of the XOR of Two Random Permutations \(\widetilde{P}^{tw_1}\) and \(\widetilde{P}^{tw_2}\)

The following analysis is almost exactly the same as the one for Yasuda’s analysis in [18, 19] that follows the analysis for Lucks’ \(\text{ sum }^2\) construction [14].

In this case, we have only to analyze the case where the indistinguishability of the xor of two random permutations \(\widetilde{P}^{tw_1}\) and \(\widetilde{P}^{tw_2}\) from a random function under the following conditions.

• The input \(w_1\) (resp., \(w_2\)) to \(\widetilde{P}^{tw_1}\) (resp., \(\widetilde{P}^{tw_2}\)) is a fresh input

• The number of inputs to \(\widetilde{P}^{tw_1}\) is at most \(\rho -1\) due to \(\mathsf {mcoll}=\mathsf {false}\) and the same is true for \(\widetilde{P}^{tw_2}\).

Then we simulate the xor of two random permutation and a random function by using the technique of fair sets developed by Lucks. In this case, a fair set R is chosen so that the number of pair \((tag_1,tag_2) \in R\) such that

$$\begin{aligned} tag = tag_1 \oplus tag_2 \end{aligned}$$

is the same for each \(tag \in \{0,1\}^n\). For \((w_1,w_2) \in \{0,1\}^n \times \{0,1\}^n\), we unroll the outputs of \(\widetilde{P}^{tw_1}\) into \(Y_1=\{tag_{1}^1, \ldots , tag_{1}^\alpha \}\), and the outputs of \(\widetilde{P}^{tw_2}\) into \(Y_2=\{tag_{2}^{1}, \ldots , tag_{2}^{\beta } \}\). Let \(Y_1^*\leftarrow \{0,1\}^n \backslash Y_1\) and \(Y_2^*\leftarrow \{0,1\}^n \backslash Y_2\). Then we choose a fair set \(R \subset Y_1^*\times Y_2^*\) as follows. For each \(1 \le j_1 \le \alpha \) and \(1 \le j_2 \le \beta \), we choose arbitrary representatives \((tag_{1}^{(j_1)},tag_{2}^{(j_2)}) \in Y_1^*\times Y_2^*\) such that \(tag_{1}^{(j_1)} \oplus tag_{2}^{(j_2)} = tag_{1}^{j_1} \oplus tag_{2}^{j_2}\). We then define \(R \leftarrow Y_1^*\times Y_2^*\backslash \bigcup _{j_1,j_2}\{ (tag_{1}^{(j_1)}, tag_{2}^{(j_2)}) \}\). We see that, for each value \(tag \in \{0,1\}^n\),

$$\begin{aligned} \left| \{(tag_1,tag_2) \in R ~ | ~ tag_1 \oplus tag_2 = tag \} \right| = 2^n - \alpha - \beta . \end{aligned}$$

Hence R is a fair set. We note that \(\alpha \le \rho -1\) and \(\beta \le \rho -1\). Then for an input pair \((w_1,w_2)\), tag is defined by the following procedure.

1. 1.

   Choose a fair set \(R \subset Y_1^*\times Y_2^*\)

2. 2.

   \((tag_1,tag_2) \xleftarrow {\$}Y_1^*\times Y_2^*\)

3. 3.

   If \((tag_1,tag_2) \not \in R\) then

   

4. 4.

   \(tag \leftarrow tag_1 \oplus tag_1\)

5. 5.

   Return tag

Since R is a fair set, the above procedure without the boxed statement simulates the xor of two random permutations where \(tag_1\) is the output of \(\widetilde{P}^{tw_1}\) for input \(w_1\) and \(tag_2\) is the output of \(\widetilde{P}^{tw_2}\) for input \(w_2\), and the above procedure with the boxed statement simulates a random function.

Then at one execution of the above procedure, the probability that the behavior of the xor function is different from that of a random function is bounded by \(\frac{|Y_1^*\times Y_2^*\backslash R|}{|Y_1^*\times Y_2^*|} = \frac{\alpha \beta }{(2^n-\alpha )(2^n-\beta )} \le \frac{\rho ^2}{(2^n-\rho )^2} \).

Hence at the i-th query the probability that Case 4 holds is bounded by \(\frac{\rho ^2}{(2^n-\rho )^2} \).