Tight Security Bounds for Double-Block Hash-then-Sum MACs

Cited 20 times in Web of Science and 6 times in Scopus.
In this work, we study the security of deterministic MAC constructions with a double-block internal state, captured by the double-block hash-then-sum (\(\mathsf{DbHtS}\)) paradigm. Most \(\mathsf{DbHtS}\) constructions, including \(\mathsf{PolyMAC}\), \(\mathsf{SUM\text{-}ECBC}\), \(\mathsf{PMAC\text{-}Plus}\), \(\mathsf{3kf9}\) and \(\mathsf{LightMAC\text{-}Plus}\), have been proved to be pseudorandom up to \(2^{\frac{2n}{3}}\) queries when they are instantiated with an n-bit block cipher, while the best known generic attacks require \(2^{\frac{3n}{4}}\) queries. We close this gap by proving the PRF-security of \(\mathsf{DbHtS}\) constructions up to \(2^{\frac{3n}{4}}\) queries (ignoring the maximum message length). The core of the security proof is to refine Mirror theory, which systematically estimates the number of solutions to a system of equations and non-equations, and to apply it to prove the security of the finalization function. We then identify the security requirements that the internal hash functions must satisfy to ensure 3n/4-bit security of the resulting constructions when combined with the finalization function. Within this framework, we prove the security of \(\mathsf{DbHtS}\) constructions whose internal hash function is given as the concatenation of a universal hash function evaluated under two independent keys. This class of constructions includes \(\mathsf{PolyMAC}\) and \(\mathsf{SUM\text{-}ECBC}\). Moreover, we prove the security of \(\mathsf{PMAC\text{-}Plus}\), \(\mathsf{3kf9}\) and \(\mathsf{LightMAC\text{-}Plus}\) up to \(2^{\frac{3n}{4}}\) queries.
Publisher
Springer International Publishing
Issue Date
2020-05-13
Language
English
Citation
39th Annual International Conference on the Theory and Applications of Cryptographic Techniques, EUROCRYPT 2020, pp. 435-465
ISSN
0302-9743
DOI
10.1007/978-3-030-45721-1_16
URI
http://hdl.handle.net/10203/274606
Appears in Collection
CS-Conference Papers (Conference Papers)
Files in This Item
There are no files associated with this item.