# Revisiting structure graphs: Applications to CBC-MAC and EMAC

@article{Jha2016RevisitingSG,
title={Revisiting structure graphs: Applications to CBC-MAC and EMAC},
author={Ashwin Jha and Mridul Nandi},
journal={Journal of Mathematical Cryptology},
year={2016},
volume={10},
pages={157 - 180}
}
• Published 2016
• Computer Science, Mathematics
• Journal of Mathematical Cryptology
Abstract In [2], Bellare, Pietrzak and Rogaway proved an $O(\ell q^{2}/2^{n})$ bound for the PRF (pseudorandom function) security of the CBC-MAC based on an n-bit random permutation Π, provided $\ell<2^{n/3}$. Here an adversary can make at most q prefix-free queries each having at most $\ell$ many “blocks” (elements of $\{0,1\}^{n}$). In the same paper an $O(\ell^{o(1)}q^{2}/2^{n})$ bound for EMAC (or…
12 Citations
Tight Security Bounds for Double-Block Hash-then-Sum MACs
• Computer Science, Physics
EUROCRYPT
• 2020
This work studies the security of deterministic MAC constructions with a double-block internal state, captured by the double-block hash-then-sum ($\mathsf{DbHtS}$) paradigm, proved to be pseudorandom up to $2^{\frac{2n}{3}}$ queries.
Security Analysis of NIST CTR-DRBG
• Computer Science
IACR Cryptol. ePrint Arch.
• 2020
This work proves that $\mathsf{CTR\text{-}DRBG}$ satisfies the robustness notion of Dodis et al. (CCS’13), the standard security goal for PRNGs.
On Length Independent Security Bounds for the PMAC Family
• Computer Science
IACR Cryptol. ePrint Arch.
• 2020
This work identifies a flaw in the analysis of Naito’s PMAC variant that invalidates the security proof and formulates an equivalent problem which must be solved in order to achieve $\ell$-free security bounds for this variant.
The Exact Security of PMAC with Two Powering-Up Masks
• Yusuke Naito
• Computer Science
IACR Trans. Symmetric Cryptol.
• 2019
This paper considers PMAC with two powering-up masks that uses two random values for the masking scheme, and shows that the PMAC has the tight upper bound $O(q^{2}/2^{n})$ for PRF-security, which answers the open problem.
On The Exact Security of Message Authentication Using Pseudorandom Functions
• Computer Science
IACR Trans. Symmetric Cryptol.
• 2017
For many variations of encrypted CBC MACs (i.e. EMAC, ECBC, FCBC, XCBC and TCBC), random function based instantiation has a security bound $O(q\sigma/2^{n})$, a significant improvement over the folklore PRP/PRF transition.
A Survey on Applications of H-Technique : Revisiting Security Analysis of PRP and PRF
• 2019
The Coefficients H Technique (also called H-technique), developed by Patarin in circa ’91, is a tool to obtain upper bounds on distinguishing advantages. This tool is known to provide relatively
DoveMAC: A TBC-based PRF with Smaller State, Full Security, and High Rate
• Computer Science
IACR Trans. Symmetric Cryptol.
• 2019
DoveMAC is proposed, a TBC-based PRF that reduces the memory of ZMAC-based MACs to 2n+2t+2k bits, and is the first sequential MAC that combines beyond-birthday-bound security with a rate above n bits per call.
Applications of H-Technique: Revisiting Symmetric Key Security Analysis
• Computer Science
IACR Cryptol. ePrint Arch.
• 2018
A full description of the H-technique is given, it is shown that it can provide optimal bounds on the distinguishing advantage, and simpler proofs are given for some popular symmetric key designs, across different paradigms, using the H-technique.
Fine-tuning the ISO/IEC Standard LightMAC
• Computer Science
IACR Cryptol. ePrint Arch.
• 2021
This paper aims to minimize the number of block cipher keys in LightMAC, and shows that the original LightMAC instantiated with a single block cipher key, referred to as 1k-LightMAC, achieves security bound of O(q/2) while the query-length is at least (n−s) bits and at most (n − s) min{2, 2} bits.
Double-block Hash-then-Sum: A Paradigm for Constructing BBB Secure PRF
• Computer Science
IACR Cryptol. ePrint Arch.
• 2018
This paper abstracts out the inherent design principle of all beyond birthday bound (BBB) secure block cipher based deterministic MACs and presents a generic design paradigm to construct a BBB secure pseudorandom function, namely Double-block Hash-then-Sum, or in short DbHtS.

## References

SHOWING 1-10 OF 44 REFERENCES
3kf9: Enhancing 3GPP-MAC beyond the Birthday Bound
• Computer Science
ASIACRYPT
• 2012
The new MAC 3kf9 is obtained by combining f9 (3GPP-MAC) and EMAC sharing the same internal structure, and so it is almost as efficient as the original CBC MAC.
A Tight Bound for EMAC
We prove a new upper bound on the advantage of any adversary for distinguishing the encrypted CBC-MAC (EMAC) based on random permutations from a random function. Our proof uses techniques recently
A Unified Method for Improving PRF Bounds for a Class of Blockcipher based MACs
• Mridul Nandi
• Mathematics, Computer Science
IACR Cryptol. ePrint Arch.
• 2010
It is proved that all SADEs have PRF advantages $O(tq/2^{n} + N(t,q)/2^{n})$ where t is the total number of blockcipher computations needed for all q queries and N(t, q) is a parameter defined in the paper.
PRF Domain Extension Using DAGs
• C. Jutla
• Computer Science, Mathematics
IACR Cryptol. ePrint Arch.
• 2005
It is shown that the underlying graph can be an arbitrary directed acyclic graph (DAG), and the resulting function on the larger domain is still a PRF. The general theorem allows one to have further optimizations over PMAC, and many modes which deal with variable lengths.
CBC MACs for Arbitrary-Length Messages: The Three-Key Constructions
• Computer Science
CRYPTO
• 2000
The security of this and other constructions is proved, giving concrete bounds on an adversary's inability to forge in terms of her inability to distinguish the block cipher from a random permutation.
Improved security analysis of PMAC
• Computer Science, Mathematics
J. Math. Cryptol.
• 2007
It is shown that the advantage of any distinguisher at distinguishing PMAC from a random function is at most $(5q\sigma - 3.5q^{2})/2^{n}$.
Improved security analysis for OMAC as a pseudorandom function
Improved security analysis for distinguishing OMAC from a uniform random function works for OMAC1 and CMAC which has been recommended by NIST as a candidate of blockcipher based MAC.
CBC MACs for Arbitrary-Length Messages: The Three-Key Constructions
• Computer Science
Journal of Cryptology
• 2004
This work proposes some simple variants of the CBC MAC that enable the efficient authentication of arbitrary-length messages and proves the security of this and other constructions, giving concrete bounds on an adversary’s inability to forge in terms of his inability to distinguish the block cipher from a random permutation.
Improved Security Analyses for CBC MACs
• Computer Science
CRYPTO
• 2005
Bounds are improved on the advantage of any q-query adversary at distinguishing between the CBC MAC over a random n-bit permutation and a random function outputting n bits, improving prior bounds of $m^{2}q^{2}/2^{n}$.
One-Key Compression Function Based MAC with BBB Security
• 2016
Gaži et al. [CRYPTO 2014] analyzed the NI-MAC construction proposed by An and Bellare [CRYPTO 1999] and gave a tight birthday-bound of O(lq/2), as an improvement over the previous bound of O(lq/2). In