Authenticated encryption and message authentication schemes with beyond birthday-bound security

Confidentiality aims to keep message content private from everyone except authorized users, while authenticity aims to verify that the message content was created by a legitimate author; these are two major goals of cryptography. In symmetric-key cryptography, confidentiality is provided by encryption and authenticity by message authentication codes (MACs). Authenticated encryption (AE) provides both at the same time. Most widely deployed symmetric-key schemes are secure only up to the birthday bound in the block size of the underlying primitive: for example, the GCM mode of operation, instantiated with a 128-bit block cipher such as AES, guarantees security only while far fewer than 2^64 message blocks are processed under a single key. Although this bound is still sufficient in most environments, as data volumes grow, the need for symmetric-key schemes that provide higher security is increasing.

From this point of view, this thesis deals with authenticated encryption and message authentication schemes with beyond birthday-bound security, specifically 1) the security analysis of Double-block Hash-then-Sum (DbHtS) MACs and 2) the proposal and analysis of Synthetic Counter with Masking (SCM), a nonce-misuse-resistant authenticated encryption scheme that provides almost perfect security.

A DbHtS MAC hashes the message into a double-block (2n-bit) internal state, encrypts each n-bit half under an independent block cipher key, and sums (XORs) the two results to produce the tag. PolyMAC, SUM-ECBC, 3kf9, PMAC-Plus and LightMAC-Plus all follow this structure, and all of them had been proved pseudorandom up to 2^{2n/3} queries when instantiated with an n-bit block cipher, while the best known generic attacks require 2^{3n/4} queries. In this thesis we close that gap: we prove that all DbHtS MACs are secure up to 2^{3n/4} queries, through a refinement of mirror theory and an identification of the security requirements on the internal hash function.

SCM follows the NSIV structure proposed by Peyrin and Seurin: it encrypts the nonce and the hashed message separately and adds the two results to form the tag, then uses the tag together with the nonce to encrypt the message in a counter-mode-like fashion. As a result, we obtain, for the first time, a block cipher-based authenticated encryption scheme of rate 1/2 that provides n-bit security in terms of query complexity. In our implementation, SCM was slightly more efficient than AES-GCM-SIV, a standardized misuse-resistant AE scheme.
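The birthday-bound limitation, and the reason the "sum" step of DbHtS helps, can be seen at toy scale. The following Python simulation is an added example, not code from the thesis: it uses a 16-bit block (so 2^{n/2} = 256 queries is cheap) and models an ideal block cipher under a fixed key as a seeded random permutation. A single permutation never collides on distinct inputs, so an attacker who observes no output collision after roughly 2^{n/2} queries can distinguish it from a random function, which is the birthday-bound loss of any single-block construction; the XOR of two independent permutations, the sum in DbHtS, does collide at close to random-function rates and gives the distinguisher no such signal. The helper `birthday_bound` evaluates the standard PRP/PRF switching bound q(q-1)/2^{n+1}. The function names, seeds and block size are this example's own choices, not the thesis's.

```python
import random

N_BITS = 16                 # toy block size: 2^(n/2) = 256 queries is cheap to simulate
SPACE = 1 << N_BITS


def random_permutation(seed):
    """Model an ideal n-bit block cipher under a fixed key: a random bijection on {0,1}^n."""
    rng = random.Random(seed)
    perm = list(range(SPACE))
    rng.shuffle(perm)
    return perm


def random_function_oracle(seed):
    """Ideal PRF: every input gets an independent uniform n-bit output (lazily sampled)."""
    rng = random.Random(seed)
    table = {}

    def f(x):
        if x not in table:
            table[x] = rng.getrandbits(N_BITS)
        return table[x]

    return f


def single_permutation_oracle(seed):
    """Single-block construction: tag = E_K(x). Distinct inputs can never collide."""
    perm = random_permutation(seed)
    return lambda x: perm[x]


def sum_of_permutations_oracle(seed1, seed2):
    """The 'sum' of DbHtS: tag = E_K1(x) XOR E_K2(x) under two independent keys."""
    perm1 = random_permutation(seed1)
    perm2 = random_permutation(seed2)
    return lambda x: perm1[x] ^ perm2[x]


def count_collisions(oracle, queries):
    """Number of inputs x in [0, queries) whose output repeats an earlier output."""
    seen = set()
    collisions = 0
    for x in range(queries):
        y = oracle(x)
        if y in seen:
            collisions += 1
        seen.add(y)
    return collisions


def birthday_bound(queries, n_bits):
    """PRP/PRF switching bound: distinguishing advantage <= q(q-1)/2^(n+1), capped at 1."""
    return min(1.0, queries * (queries - 1) / 2 ** (n_bits + 1))


def expected_collisions(queries, n_bits):
    """Expected number of repeated outputs for an ideal random function after q queries."""
    return queries * (queries - 1) / 2 ** (n_bits + 1)


if __name__ == "__main__":
    q = 8 * (1 << (N_BITS // 2))   # 2048 queries, eight times the 2^(n/2) threshold
    print("expected collisions, random function:", expected_collisions(q, N_BITS))
    print("random function   :", count_collisions(random_function_oracle(3), q))
    print("single permutation:", count_collisions(single_permutation_oracle(1), q))
    print("sum of two perms  :", count_collisions(sum_of_permutations_oracle(1, 2), q))
    # At real parameters the same bound shows why a 128-bit block is exhausted
    # at about 2^64 blocks: the switching bound already reaches 1/2 there.
    print("switching bound at q=2^64, n=128:", birthday_bound(2 ** 64, 128))
```

Run as a script, the single permutation reports zero collisions while the random function and the sum of two permutations report a few dozen each, close to the computed expectation; this is the observable that a birthday-bound distinguisher exploits and that the double-block sum removes. The simulation says nothing about the 2^{3n/4} bound itself, which needs the mirror-theory argument of the thesis rather than a collision count.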
Advisors
Lee, Jooyoung
Description
Korea Advanced Institute of Science and Technology: Graduate School of Information Security
Publisher
Korea Advanced Institute of Science and Technology (KAIST)
Issue Date
2023
Identifier
325007
Language
eng
Description

Thesis (Ph.D.) - Korea Advanced Institute of Science and Technology: Graduate School of Information Security, 2023.2, [iv, 73 p.]

Keywords

Symmetric-key cryptography; Message authentication codes; Authenticated encryption; Provable security; Beyond birthday-bound security

URI
http://hdl.handle.net/10203/309292
Link
http://library.kaist.ac.kr/search/detail/view.do?bibCtrlNo=1030603&flag=dissertation
Appears in Collection
IS-Theses_Ph.D. (doctoral theses)
Files in This Item
There are no files associated with this item.