Study on message authentication schemes with beyond-birthday bound security and nonce-misuse resistance

Abstract

This paper presents a method for proving information-theoretic security of message authentication codes (MACs). We choose MAC constructions that are not known to be tight: EWCDM proposed by Cogliati and Seurin (CRYPTO '16), DWCDM proposed by Datta~\textit{et al.} (CRYPTO '18) and 5 kinds of MACs including a two-permutation variant of nEHtM where the original nEHtM was proposed by Dutta {\it et al.} (EUROCRYPT '19) and 5 kinds of MACs were proposed by Chen {\it et al.} (ASIACRYPT '21). By utilizing this method, we prove full $n$-bit security of several MACs, EWCDM, DWCDM, the variant of nEHtM, $F^{\text{EDM}}_{B_3}$, and $F^{\text{SoP}}_{B_3}$, in a nonce-respecting setting. Moreover, the variant of nEHtM and $F^{\text{SoP}}_{B_3}$ provides security when the number of queries with repeated nonces is upper bounded by $O(2^{n/8})$, improving the previous bound of $\frac{3n}{4}$-bit. To obtain those results, we generalize the Mirror theory for a wide range of $\xi_{\max}$ to apply to two-permutation-based constructions. Our approach is modular in the sense that MAC security can be obtained from PRF security, i.e., to the best of our knowledge, this is the first paper using Mirror theory but not using extended Mirror theory to prove MAC security of nonce-based MACs. Additionally, we present a matching forgery attack on $F^{\text{EDM}}_{B_4}$ and $F^{\text{EDM}}_{B_5}$ using $O(2^{3n/4})$ MAC queries and a single verification query without using repeated nonces. As a result, we provide tightness results for all kinds of two-permutation-based MACs except $F^{\text{EDMD}}_{B_2}$.