{"author":[{"full_name":"Rybar, Michal","last_name":"Rybar","first_name":"Michal","id":"2B3E3DE8-F248-11E8-B48F-1D18A9856A87"}],"title":"(The exact security of) Message authentication codes","user_id":"c635000d-4b10-11ee-a964-aac5a93f6ac1","department":[{"_id":"KrPi"}],"language":[{"iso":"eng"}],"ddc":["000"],"citation":{"mla":"Rybar, Michal. <i>(The Exact Security of) Message Authentication Codes</i>. Institute of Science and Technology Austria, 2017, doi:<a href=\"https://doi.org/10.15479/AT:ISTA:th_828\">10.15479/AT:ISTA:th_828</a>.","short":"M. Rybar, (The Exact Security of) Message Authentication Codes, Institute of Science and Technology Austria, 2017.","ieee":"M. Rybar, “(The exact security of) Message authentication codes,” Institute of Science and Technology Austria, 2017.","ista":"Rybar M. 2017. (The exact security of) Message authentication codes. Institute of Science and Technology Austria.","chicago":"Rybar, Michal. “(The Exact Security of) Message Authentication Codes.” Institute of Science and Technology Austria, 2017. <a href=\"https://doi.org/10.15479/AT:ISTA:th_828\">https://doi.org/10.15479/AT:ISTA:th_828</a>.","apa":"Rybar, M. (2017). <i>(The exact security of) Message authentication codes</i>. Institute of Science and Technology Austria. <a href=\"https://doi.org/10.15479/AT:ISTA:th_828\">https://doi.org/10.15479/AT:ISTA:th_828</a>","ama":"Rybar M. (The exact security of) Message authentication codes. 2017. doi:<a href=\"https://doi.org/10.15479/AT:ISTA:th_828\">10.15479/AT:ISTA:th_828</a>"},"abstract":[{"lang":"eng","text":"In this thesis we discuss the exact security of message authentications codes HMAC , NMAC , and PMAC . NMAC is a mode of operation which turns a fixed input-length keyed hash function f into a variable input-length function. A practical single-key variant of NMAC called HMAC is a very popular and widely deployed message authentication code (MAC). PMAC is a block-cipher based mode of operation, which also happens to be the most famous fully parallel MAC. NMAC was introduced by Bellare, Canetti and Krawczyk Crypto’96, who proved it to be a secure pseudorandom function (PRF), and thus also a MAC, under two assumptions. Unfortunately, for many instantiations of HMAC one of them has been found to be wrong. To restore the provable guarantees for NMAC , Bellare [Crypto’06] showed its security without this assumption. PMAC was introduced by Black and Rogaway at Eurocrypt 2002. If instantiated with a pseudorandom permutation over n -bit strings, PMAC constitutes a provably secure variable input-length PRF. For adversaries making q queries, each of length at most ` (in n -bit blocks), and of total length σ ≤ q` , the original paper proves an upper bound on the distinguishing advantage of O ( σ 2 / 2 n ), while the currently best bound is O ( qσ/ 2 n ). In this work we show that this bound is tight by giving an attack with advantage Ω( q 2 `/ 2 n ). In the PMAC construction one initially XORs a mask to every message block, where the mask for the i th block is computed as τ i := γ i · L , where L is a (secret) random value, and γ i is the i -th codeword of the Gray code. Our attack applies more generally to any sequence of γ i ’s which contains a large coset of a subgroup of GF (2 n ). As for NMAC , our first contribution is a simpler and uniform proof: If f is an ε -secure PRF (against q queries) and a δ - non-adaptively secure PRF (against q queries), then NMAC f is an ( ε + `qδ )-secure PRF against q queries of length at most ` blocks each. We also show that this ε + `qδ bound is basically tight by constructing an f for which an attack with advantage `qδ exists. Moreover, we analyze the PRF-security of a modification of NMAC called NI by An and Bellare that avoids the constant rekeying on multi-block messages in NMAC and allows for an information-theoretic analysis. We carry out such an analysis, obtaining a tight `q 2 / 2 c bound for this step, improving over the trivial bound of ` 2 q 2 / 2 c . Finally, we investigate, if the security of PMAC can be further improved by using τ i ’s that are k -wise independent, for k &gt; 1 (the original has k = 1). We observe that the security of PMAC will not increase in general if k = 2, and then prove that the security increases to O ( q 2 / 2 n ), if the k = 4. Due to simple extension attacks, this is the best bound one can hope for, using any distribution on the masks. Whether k = 3 is already sufficient to get this level of security is left as an open problem. Keywords: Message authentication codes, Pseudorandom functions, HMAC, PMAC. "}],"file":[{"checksum":"ff8639ec4bded6186f44c7bd3ee26804","file_id":"4799","relation":"main_file","date_created":"2018-12-12T10:10:13Z","date_updated":"2020-07-14T12:48:12Z","file_size":847400,"creator":"system","file_name":"IST-2017-828-v1+3_2017_Rybar_thesis.pdf","access_level":"open_access","content_type":"application/pdf"},{"date_created":"2019-04-05T08:24:11Z","date_updated":"2020-07-14T12:48:12Z","file_size":26054879,"creator":"dernst","file_name":"2017_Thesis_Rybar_source.zip","access_level":"closed","content_type":"application/zip","checksum":"3462101745ce8ad199c2d0f75dae4a7e","file_id":"6202","relation":"source_file"}],"status":"public","degree_awarded":"PhD","has_accepted_license":"1","oa":1,"publication_status":"published","month":"06","date_published":"2017-06-26T00:00:00Z","article_processing_charge":"No","doi":"10.15479/AT:ISTA:th_828","date_created":"2018-12-11T11:48:46Z","publist_id":"6810","pubrep_id":"828","_id":"838","publisher":"Institute of Science and Technology Austria","publication_identifier":{"issn":["2663-337X"]},"file_date_updated":"2020-07-14T12:48:12Z","alternative_title":["ISTA Thesis"],"year":"2017","page":"86","date_updated":"2023-09-07T12:02:28Z","oa_version":"Published Version","related_material":{"record":[{"status":"public","relation":"part_of_dissertation","id":"2082"},{"status":"public","relation":"part_of_dissertation","id":"6196"}]},"type":"dissertation","day":"26"}