# Revisiting structure graphs: Applications to CBC-MAC and EMAC

@article{Jha2016RevisitingSG, title={Revisiting structure graphs: Applications to CBC-MAC and EMAC}, author={Ashwin Jha and Mridul Nandi}, journal={Journal of Mathematical Cryptology}, year={2016}, volume={10}, pages={157 - 180} }

Abstract In [2], Bellare, Pietrzak and Rogaway proved an \(O(\ell q^{2}/2^{n})\) bound for the PRF (pseudorandom function) security of the CBC-MAC based on an n-bit random permutation Π, provided \(\ell<2^{n/3}\). Here an adversary can make at most q prefix-free queries each having at most \(\ell\) many “blocks” (elements of \(\{0,1\}^{n}\)). In the same paper an \(O(\ell^{o(1)}q^{2}/2^{n})\) bound for EMAC (or…

## 12 Citations

Tight Security Bounds for Double-Block Hash-then-Sum MACs

- Computer Science, Physics
- EUROCRYPT
- 2020

This work studies the security of deterministic MAC constructions with a double-block internal state, captured by the double-block hash-then-sum (\(\mathsf{DbHtS}\)) paradigm, proved to be pseudorandom up to \(2^{\frac{2n}{3}}\) queries.

Security Analysis of NIST CTR-DRBG

- Computer Science
- IACR Cryptol. ePrint Arch.
- 2020

This work proves that \(\mathsf {CTR\text {-}DRBG}\) satisfies the robustness notion of Dodis et al. (CCS’13), the standard security goal for PRNGs.

On Length Independent Security Bounds for the PMAC Family

- Computer Science
- IACR Cryptol. ePrint Arch.
- 2020

This work identifies a flaw in the analysis of Naito’s PMAC variant that invalidates the security proof and formulates an equivalent problem which must be solved in order to achieve \(\ell\)-free security bounds for this variant.

The Exact Security of PMAC with Two Powering-Up Masks

- Computer Science
- IACR Trans. Symmetric Cryptol.
- 2019

This paper considers PMAC with two powering-up masks that uses two random values for the masking scheme, and shows that the PMAC has the tight upper bound \(O(q^{2}/2^{n})\) for PRF-security, which answers the open problem.

On The Exact Security of Message Authentication Using Pseudorandom Functions

- Computer Science
- IACR Trans. Symmetric Cryptol.
- 2017

For many variations of encrypted CBC MACs (i.e. EMAC, ECBC, FCBC, XCBC and TCBC), random function based instantiation has a security bound \(O(q\sigma/2^{n})\), a significant improvement over the folklore PRP/PRF transition.

A Survey on Applications of H-Technique : Revisiting Security Analysis of PRP and PRF

- 2019

The Coefficients H Technique (also called H-technique), developed by Patarin in circa ’91, is a tool to obtain upper bounds on distinguishing advantages. This tool is known to provide relatively…

DoveMAC: A TBC-based PRF with Smaller State, Full Security, and High Rate

- Computer Science
- IACR Trans. Symmetric Cryptol.
- 2019

DoveMAC is proposed, a TBC-based PRF that reduces the memory of ZMAC-based MACs to 2n + 2t + 2k bits, and is the first sequential MAC that combines beyond-birthday-bound security with a rate above n bits per call.

Applications of H-Technique: Revisiting Symmetric Key Security Analysis

- Computer Science
- IACR Cryptol. ePrint Arch.
- 2018

A full description of the H-technique is given and it is shown that it can provide optimal bounds on the distinguishing advantage and simpler proofs are given for some popular symmetric key designs, across different paradigms, using the H-technique.

Fine-tuning the ISO/IEC Standard LightMAC

- Computer Science
- IACR Cryptol. ePrint Arch.
- 2021

This paper aims to minimize the number of block cipher keys in LightMAC, and shows that the original LightMAC instantiated with a single block cipher key, referred to as 1k-LightMAC, achieves security bound of O(q/2) while the query-length is at least (n − s) bits and at most (n − s) min{2, 2} bits.

Double-block Hash-then-Sum: A Paradigm for Constructing BBB Secure PRF

- Computer Science
- IACR Cryptol. ePrint Arch.
- 2018

This paper abstracts out the inherent design principle of all beyond birthday bound (BBB) secure block cipher based deterministic MACs and presents a generic design paradigm to construct a BBB secure pseudo random function, namely Double-block Hash-then-Sum or in short (DbHtS).

## References

3kf9: Enhancing 3GPP-MAC beyond the Birthday Bound

- Computer Science
- ASIACRYPT
- 2012

The new MAC 3kf9 is obtained by combining f9 (3GPP-MAC) and EMAC sharing the same internal structure, and so it is almost as efficient as the original CBC MAC.

A Tight Bound for EMAC

- Mathematics, Computer Science
- ICALP
- 2006

We prove a new upper bound on the advantage of any adversary for distinguishing the encrypted CBC-MAC (EMAC) based on random permutations from a random function. Our proof uses techniques recently…

A Unified Method for Improving PRF Bounds for a Class of Blockcipher based MACs

- Mathematics, Computer Science
- IACR Cryptol. ePrint Arch.
- 2010

It is proved that all SADEs have PRF advantages \(O(tq/2^{n} + N(t,q)/2^{n})\) where t is the total number of blockcipher computations needed for all q queries and N(t, q) is a parameter defined in the paper.

PRF Domain Extension Using DAGs

- Computer Science, Mathematics
- IACR Cryptol. ePrint Arch.
- 2005

It is shown that the underlying graph can be an arbitrary directed acyclic graph (DAG), and the resulting function on the larger domain is still a PRF, and the general theorem allows one to have further optimizations over PMAC, and many modes which deal with variable lengths.

CBC MACs for Arbitrary-Length Messages: The Three-Key Constructions

- Computer Science
- CRYPTO
- 2000

The security of this and other constructions are proved, giving concrete bounds on an adversary's inability to forge in terms of her inability to distinguish the block cipher from a random permutation.

Improved security analysis of PMAC

- Computer Science, Mathematics
- J. Math. Cryptol.
- 2007

It is shown that the advantage of any distinguisher at distinguishing PMAC from a random function is at most \((5q\sigma - 3.5q^{2})/2^{n}\).

Improved security analysis for OMAC as a pseudorandom function

- Computer Science
- J. Math. Cryptol.
- 2009

Improved security analysis for distinguishing OMAC from a uniform random function works for OMAC1 and CMAC which has been recommended by NIST as a candidate of blockcipher based MAC.

CBC MACs for Arbitrary-Length Messages: The Three-Key Constructions

- Computer Science
- Journal of Cryptology
- 2004

This work proposes some simple variants of the CBC MAC that enable the efficient authentication of arbitrary-length messages and proves the security of this and other constructions, giving concrete bounds on an adversary’s inability to forge in terms of his inability to distinguish the block cipher from a random permutation.

Improved Security Analyses for CBC MACs

- Computer Science
- CRYPTO
- 2005

Bounds are improved on the advantage of any q-query adversary at distinguishing between the CBC MAC over a random n-bit permutation and a random function outputting n bits, improving prior bounds of \(m^{2}q^{2}/2^{n}\).

One-Key Compression Function Based MAC with BBB Security

- 2016

Gaži et al. [CRYPTO 2014] analyzed the NI-MAC construction proposed by An and Bellare [CRYPTO 1999] and gave a tight birthday-bound of O(lq/2), as an improvement over the previous bound of O(lq/2). In…