A Single-Key Variant of LightMAC_Plus

LightMAC_Plus, proposed by Naito (ASIACRYPT 2017), is a blockcipher-based MAC with beyond-birthday-bound security, independent of the message length, in the sense of PRF (Pseudo-Random Function) security. In this paper, we present a single-key variant of LightMAC_Plus that also has beyond-birthday-bound security in terms of PRF security. Compared with the previous construction LightMAC_Plus1k of Naito (CT-RSA 2018), our construction is simpler and more efficient.


Introduction
A MAC (Message Authentication Code) is a fundamental symmetric-key primitive that produces a tag to authenticate a message. MACs are often built from a blockcipher (e.g., CBC-MAC [1], PMAC [2], OMAC [3], LightMAC [4]) so that they are secure PRFs (Pseudo-Random Functions) under the standard assumption that the underlying keyed blockcipher is a pseudo-random permutation, thanks to the well-known observation that PRFs are secure MACs [1]. Most blockcipher-based MACs have a security bound called birthday security, i.e., security against up to $O(2^{n/2})$ adversarial queries (here n is the block length of the underlying blockcipher).
However, birthday-bound security may not be enough for blockciphers with short block sizes such as TripleDES and lightweight blockciphers such as PRESENT [5], LED [6] and GIFT [7]. Therefore, designing MACs with beyond-birthday-bound security is an important research direction in MAC design. Such MACs contribute not only to the longevity of 128-bit blockciphers but also to the usability of blockciphers with short block sizes. To go beyond the birthday bound, a series of blockcipher-based MACs have been proposed, including SUM-ECBC [8], PMAC_Plus [9] and 3kf9 [10].
LightMAC [4] is a variant of PMAC [2] and the first blockcipher-based MAC with birthday security independent of the message length. In LightMAC, each n-bit blockcipher call takes as input an m-bit counter and an (n − m)-bit message block. Because of the counters, LightMAC is a secure PRF up to $O(2^{n/2})$ tagging queries. LightMAC adopts the counter-based construction used in the protected counter sum [11] and XOR MAC [12] to avoid input collisions, so the input to the i-th blockcipher call is $i_m \| M_i$, where $i_m$ is the m-bit binary encoding of i and $M_i$ is the i-th message block of n − m bits. In LightMAC, the XOR of the blockcipher outputs serves as the hash value, and the tag is obtained by encrypting this hash value. LightMAC_Plus, proposed by Naito [13], is a blockcipher-based MAC that is secure beyond the birthday bound, up to roughly $2^{2n/3}$ (tagging or verification) queries. LightMAC_Plus follows the Double-Block Hash-then-Sum (DbHtS) paradigm: a message is first mapped to a 2n-bit string by a double-block hash function, and then the encryptions of the two n-bit halves are XOR-summed to produce the tag. Datta et al. [14] proved that both three-key and two-key DbHtS constructions achieve beyond-birthday-bound security with a bound of $q^3/2^{2n}$, where q is the number of MAC queries. Leurent et al. [15] gave attacks on all three-key DbHtS constructions with query complexity $2^{3n/4}$. Very recently, Kim et al. [16] gave a tight provable bound of $q^{4/3}/2^n$ for three-key DbHtS constructions. Compared with LightMAC, LightMAC_Plus has a better security bound, but its key size is larger and its efficiency is lower.
Naito also proposed LightMAC_Plus1k [17], a single-key variant of LightMAC_Plus, and proved that it has the same level of security as LightMAC_Plus. To reduce the number of keys from three to one, Naito uses the first two bits for domain separation: in the hash part, the most significant bit of every blockcipher input is set to zero; in the finalization function, the two most significant bits are 10 and 11, respectively. Moreover, as a consequence of this domain separation, a 4-bit security degradation is incurred from LightMAC_Plus to LightMAC_Plus1k.

Our Contributions
Our main contribution in this paper is a simpler and more efficient single-key variant of LightMAC_Plus with the same security level as LightMAC_Plus1k. The new construction is called 1k-LightMAC_Plus. To reduce the key size, we also use the domain separation technique. Unlike LightMAC_Plus1k, the hash function of 1k-LightMAC_Plus remains the same as that of LightMAC_Plus. In the finalization function, the least significant bit of the input to one of the two keyed blockcipher calls is fixed to zero and that of the other is fixed to one. Owing to this domain separation, the two blockcipher calls with the same key in the finalization function have completely disjoint input sets. Furthermore, we prove that 1k-LightMAC_Plus has the same security level as LightMAC_Plus1k in the sense of PRF security.

Notations
$\{0, 1\}^n$ denotes the set of all strings of length n. For any two strings $X, Y \in \{0, 1\}^*$, $X \| Y$ denotes their concatenation and $X \oplus Y$ their bitwise exclusive or. $|X|$ denotes the bit length of the string X. We write $N = 2^n$. We use $\mathbf{1}$ and $\mathbf{0}$ to denote the n-bit binary strings $0^{n-1}1$ and $0^n$, respectively. Moreover, for $a, b \in \{0, 1\}^n$ we write $a =_1 b$ for $a \in \{b, b \oplus \mathbf{1}\}$; that is, $a =_1 b$ means that either $a = b$ or $a = b \oplus \mathbf{1}$, but not both. For a positive integer q, the index set $\{1, 2, \cdots, q\}$ is denoted by $[q] := [1 \cdots q]$. For an ordered set S, min S denotes its minimum element. $X \cap Y$ denotes the intersection of the sets X and Y; if $X \cap Y = \emptyset$ we write $X \sqcup Y$ for their disjoint union. The set of all functions from $\mathcal{X}$ to $\mathcal{Y}$ is denoted $\mathrm{Func}(\mathcal{X}, \mathcal{Y})$ and the set of all permutations over $\mathcal{X}$ is denoted $\mathrm{Perm}(\mathcal{X})$. The notation $X \xleftarrow{\$} S$ means that X is chosen uniformly at random from the finite set S, independently of all random variables defined so far. We write P(a, b) for the number of ordered selections of b objects from a distinct objects, i.e., $P(a, b) = \prod_{i=1}^{b} (a - (i - 1))$. For a list L = {(a 1 , b 1 ), · · · , (a , b )} of pairs, Dom(L) collects the first components {a 1 , · · · , a } and Rng(L) the second components {b 1 , · · · , b }, while $\overline{\mathrm{Dom}}(L) := \{0, 1\}^n \setminus \mathrm{Dom}(L)$ and $\overline{\mathrm{Rng}}(L) := \{0, 1\}^n \setminus \mathrm{Rng}(L)$ denote their complements.

Security Definitions
$F : \mathcal{K} \times \mathcal{X} \to \mathcal{Y}$ is a keyed function with domain $\mathcal{X} \subseteq \{0, 1\}^*$, range $\mathcal{Y}$ and key space $\mathcal{K}$. We also write $F_K(X)$ for F(K, X). A (q, t, σ)-distinguisher against F is an algorithm A with oracle access to a function with domain $\mathcal{X}$ and range $\mathcal{Y}$; A makes at most q queries totalling σ blocks, runs in time at most t, and finally outputs a single bit. The PRF-security of F, i.e., the advantage in distinguishing F from a function R chosen uniformly at random from $\mathrm{Func}(\mathcal{X}, \mathcal{Y})$, is defined as follows. When $\mathcal{X} = \mathcal{Y}$, $F_K(\cdot)$ is a permutation, and the PRP-security of F can then be defined as follows.

H-Coefficient Technique
Now we introduce a proof technique called the H-Coefficient technique [18,19]. Only a brief description is given here; interested readers can refer to [18,19] for a complete explanation. We assume that the distinguisher A is information-theoretic, i.e., computationally unbounded; therefore, without loss of generality, A is deterministic. Suppose A interacts with one of two oracles, the "real world" oracle O or the "ideal world" oracle Q. The query-response tuples that A receives are called a view. Let X (resp. Y) be the probability distribution of the view when A interacts with O (resp. Q). Let T be the set of all attainable views τ when interacting with Q. The H-Coefficient technique partitions T into two disjoint subsets $T_{good}$ and $T_{bad}$ such that $T = T_{good} \sqcup T_{bad}$. If there exist $0 \le \epsilon_1, \epsilon_2 \le 1$ such that

• For all $\tau \in T_{good}$, it holds that

then the advantage of A can be bounded as

Specification
In this section, we introduce our single-key variant of LightMAC_Plus, called 1k-LightMAC_Plus. The XOR of two independent permutations is a "natural" PRP-to-PRF method. If only a single permutation is to be used, this independence can be simulated through domain separation; therefore, domain separation can be used to reduce the number of keys. We compute the finalization function of LightMAC_Plus with the same key, but the least significant bit of the input to one of the two keyed blockcipher calls is fixed to 0 and that of the other is fixed to 1.
The details of 1k-LightMAC_Plus are presented in Algorithm 1 (the subfunction used in Algorithm 1 is defined as Algorithm 2) and depicted in Figure 1.
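As an added illustration (not code from the paper), the following Python sketch shows the structure described above: all blockcipher calls use one key, and the two finalization inputs are separated by forcing their least significant bits to 0 and 1. Algorithm 1 is not reproduced on this page, so the hash part (10* padding, m-bit counter prefix, XOR and doubling sums) is assumed to follow LightMAC_Plus as published, and the blockcipher is a constructed Feistel placeholder standing in for E_K.

```python
import hashlib

N_BITS, M_BITS = 128, 8             # n-bit blockcipher, m-bit counter
BLOCK = N_BITS // 8                 # 16-byte blockcipher input
MSG_BLOCK = (N_BITS - M_BITS) // 8  # 15-byte (n - m)-bit message block

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def toy_blockcipher(key: bytes, x: bytes) -> bytes:
    """Stand-in for E_K (constructed for this example, NOT a secure cipher):
    a 4-round Feistel network with SHA-256 as round function. It is a
    permutation for every key, which is all the construction needs here."""
    half = BLOCK // 2
    left, right = x[:half], x[half:]
    for rnd in range(4):
        f = hashlib.sha256(key + bytes([rnd]) + right).digest()[:half]
        left, right = right, xor(left, f)
    return left + right

def gf_double(y: bytes) -> bytes:
    """Multiplication by 2 in GF(2^128), the doubling used by the hash part."""
    v = int.from_bytes(y, "big") << 1
    if v >> N_BITS:                   # reduce modulo x^128 + x^7 + x^2 + x + 1
        v ^= (1 << N_BITS) | 0x87
    return v.to_bytes(BLOCK, "big")

def hash_inputs(msg: bytes) -> list:
    """Pad with 10* to a multiple of n - m bits; the i-th blockcipher input
    is the m-bit counter i followed by the i-th message block."""
    padded = msg + b"\x80"
    padded += b"\x00" * (-len(padded) % MSG_BLOCK)
    blocks = [padded[i:i + MSG_BLOCK] for i in range(0, len(padded), MSG_BLOCK)]
    if len(blocks) >= 2 ** M_BITS:
        raise ValueError("message too long for an m-bit counter")
    return [bytes([i + 1]) + blk for i, blk in enumerate(blocks)]

def double_block_hash(key: bytes, msg: bytes):
    """Hash part as in LightMAC_Plus (assumed; Algorithm 1 is not on the page):
    S1 = Y_1 xor ... xor Y_l, S2 = 2^(l-1) Y_1 xor ... xor 2 Y_(l-1) xor Y_l."""
    s1 = s2 = bytes(BLOCK)
    for x in hash_inputs(msg):
        y = toy_blockcipher(key, x)
        s1, s2 = xor(s1, y), xor(gf_double(s2), y)
    return s1, s2

def finalization_inputs(key: bytes, msg: bytes):
    """Domain separation of 1k-LightMAC_Plus: the least significant bit of one
    finalization input is forced to 0 and that of the other to 1."""
    s1, s2 = double_block_hash(key, msg)
    v = s1[:-1] + bytes([s1[-1] & 0xFE])
    w = s2[:-1] + bytes([s2[-1] | 0x01])
    return v, w

def mac(key: bytes, msg: bytes) -> bytes:
    """Tag = E_K(v) xor E_K(w), every call under the single key K."""
    v, w = finalization_inputs(key, msg)
    return xor(toy_blockcipher(key, v), toy_blockcipher(key, w))
```

Because v always ends in 0 and w always ends in 1, the two finalization calls can never share an input, which is the property the security proof below relies on.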

Security Bound
Theorem 1. Any distinguisher with running time t, making q distinct message queries totalling σ blocks, can distinguish 1k-LightMAC_Plus[E] from a uniform random function with advantage at most the following bound. The proof is provided in the next section.

Proof of Theorem 1
In this section, we prove Theorem 1 with the H-coefficient technique.

Initialization
We assume that the distinguisher A interacts with either the ideal oracle or the real oracle 1k-LightMAC_Plus with a random permutation Π and that the distinguisher A always makes deterministic and non-repeating queries.

Ideal Oracle
The ideal oracle defined here consists of two phases. (a) The online phase: for each query $M_i$ made by A, the oracle samples the response $T_i \xleftarrow{\$} \{0, 1\}^n$ and returns it to the distinguisher A. (b) The offline phase: the oracle samples the internal hash value for each query in a without-replacement manner from $\{0, 1\}^n$. If some specific event happens during the sampling, the oracle aborts the process. The ideal oracle is formally shown in Figure 2.


Views
At the end of A's interaction with the oracle, and before A outputs its bit, we reveal the values of the internal computations $(X, Y, \hat{v}_{[q]}, \hat{w}_{[q]})$ to A. Thus, the view of A has the following form. For two block tuples X, Y, if there exists a permutation π ∈ Perm such that $\pi(x_i) = y_i$ for all i, we call X and Y permutation compatible, denoted $X \xrightarrow{\pi} Y$. It is straightforward that in the real world an attainable transcript must satisfy the following two conditions simultaneously.

The notation $X_{id}$ represents the probability distribution of the transcript τ induced by the ideal world, while $X_{re}$ represents that induced by the real world. We call a transcript τ attainable if $\Pr[X_{id} = \tau] > 0$. All attainable views form the set T. We partition T into two disjoint subsets $T_{good}$ and $T_{bad}$ such that $T = T_{good} \sqcup T_{bad}$.

Analysis of Bad Events
We define the bad events in the ideal world according to the freshness of $v_i$ and $w_i$; there are four different cases. We first introduce a definition.

Definition 1. Let X be the set of all inputs $X^i_j$ of the internal hash part, for all $i \in [q]$ and $j \in [l_i]$. If there exists an $i \in [q]$ such that $v_i$ is non-fresh in the union set $v_{[q]} \cup X$ and simultaneously $w_i$ is non-fresh in the union set $w_{[q]} \cup X$, then the tuple $(v_{[q]}, w_{[q]})$ is called "an extended covered tuple". Otherwise, the tuple is said to be "an e.c.f. tuple" (short for "an extended cover-free tuple").
Both $v_i$ and $w_i$ are non-fresh. In this case, the bad event ECF occurs (defined in Figure 2). For 1k-LightMAC_Plus, a "non-fresh" $v_i$ may collide with some previous v or with some hash input block, and likewise for $w_i$.

$v_i$ is fresh and $w_i$ is non-fresh. In this case, the bad events PCF1, PCF2 and RCOLL happen.

$v_i$ is non-fresh and $w_i$ is fresh. This case is symmetric to the previous one.

Both $v_i$ and $w_i$ are fresh. Owing to the computation of the internal hash part, some input-output pairs of the random permutation Π may already have been defined. In this case, the final part is the sum of two identical random permutations under a conditional distribution. Here we recall an observation by Datta et al. [20] on the conditional distribution of the sum of two identical random permutations.

Lemma 1 ([20], Section 3). For any set Y of size d and any k-tuple $t_{[k]} := (t_1, \cdots, t_k)$ of non-zero n-bit strings, let H be the set defined as follows. Then $|H| \ge P(N - d, 2k)$ (see [20] for the complete statement). Interested readers can refer to Section 3 of paper [20] for the full proof.

We define the event ZeroT as follows. Then we focus on Pr[ECF|ZeroT]. If the bad flag ECF is set to 1, at least one of the following four cases happens. We denote these four cases by $ECF_1$, $ECF_2$, $ECF_3$ and $ECF_4$, in order. Note that $v_i = v_j$ is equivalent to $S^i_1 =_1 S^j_1$ and $w_i = w_j$ is equivalent to $S^i_2 =_1 S^j_2$ (see line 4 of Figure 2 for the definition of $S_1$ and $S_2$). Now we concentrate on upper bounding these probabilities. Here the set $NEQ_{i,j}$ consists of all index couples for which the two corresponding message blocks are not equal. Assume that $\gamma = \min NEQ_{i,j}$ and $l_i \le l_j$; it is straightforward that $\gamma \le l_j$. The equations $v_i =_1 X^j_\alpha$ and $w_i =_1 X^k_\beta$ can be rewritten in matrix form with respect to the variable Y as follows. To analyze the solutions of this matrix equation, another lemma from [20] is introduced here.

Lemma 2 ([20], Section 2.4). Assume that S ⊆ N and the size of S is N. $Y_i$ is sampled from S in a without-replacement manner for $1 \le i \le s$, and let $Y := (Y_1, \ldots, Y_s)$. A is a fixed b × s matrix with rank n. For any b × 1 vector v, the following inequality holds.
Interested readers can refer to Section 2 of paper [20] for the full proof. Next we concentrate on Pr[PCF1|ZeroT] (refer to Figure 2). We separate the event PCF1 into two disjoint events according to Case A or Case B. We define $PCF1_1$ as follows, and then bound its probability.
$\Pr[PCF1_2]$ can be bounded by a similar analysis. To sum up, we obtain the following result. Next we concentrate on Pr[PCF2|ZeroT]. The bad flag PCF2 occurs in Case A or Case B (refer to Figure 2). We separate the event PCF2 into three disjoint events, defined as follows. To obtain a good bound, we introduce a property from [20].
Interested readers can refer to Appendix B of paper [20] for full proof.
Firstly, we bound $\Pr[PCF2_1 | ZeroT]$. We analyze it according to whether $T_i$ equals $T_k$ or not. If $T_i = T_k$, then $Y^j_\alpha = Y^l_\beta$. Because the Y's are outputs of a permutation, we obtain $X^j_\alpha = X^l_\beta$, and furthermore $v_i = v_k$. Therefore, we obtain the following bound, where the first inequality is deduced from the property above. Furthermore, when $T_i = T_k$, the three included events can be written as the following matrix equality with respect to the variable Y. If the indicated pair equals (1, 1) simultaneously, then rank(A) ≥ 2; otherwise rank(A) = 3. Therefore, we obtain the following bound. $\Pr[PCF2_2]$ and $\Pr[PCF2_3]$ can be bounded by a similar analysis. In total, we have the following bound. Finally, we analyze the bound on Pr[RCOLL|ZeroT]. The bad flag RCOLL occurs in Case C or Case D (refer to Figure 2). We separate RCOLL into $RCOLL_1$ and $RCOLL_2$, defined as $RCOLL_1 := (v_i =_1 v_j) \wedge (\hat{w}_i \in \mathrm{Ran}(L_2))$ and $RCOLL_2 := (w_i =_1 w_j) \wedge (\hat{v}_i \in \mathrm{Ran}(L_2))$.
Because the number of elements in $\mathrm{Ran}(L_2)$ is at most 2q + η, inequality (*) follows from the property. The last inequality holds because $q \le \sigma \le N/2$. Similarly one can show the analogous bound for the other event. From inequalities (1)-(6), we obtain the following.

Analysis of Good Transcripts
Having defined the bad events and upper-bounded the probability of each bad transcript in the ideal world, it remains to lower bound $\Pr[X_{re} = \tau] / \Pr[X_{id} = \tau]$ for a good transcript τ.
Firstly, we discuss which properties a good transcript has in the ideal world. For each $i \in F$ (line 10 of Figure 2), both $v_i$ and $w_i$ are fresh, and therefore so are the corresponding $\hat{v}_i$ and $\hat{w}_i$. As ECF is not set to one, for each $i \notin F$ either $\hat{v}_i$ or $\hat{w}_i$ is fresh (but not both). If the size of F is f, then there are q − f non-fresh message blocks and q + f fresh message blocks.
Denote by $F_v$ the set of all indices i such that $v_i$ collides with some input of the hash computation, and define $F_w$ similarly. We then define an equivalence relation $\sim_v$ on $F'_v := [q] \setminus (F_v \cup F)$ (line 6 of Figure 2) by $i \sim_v j$ if $v_i = v_j$. The equivalence relation $i \sim_w j$ on $F'_w := [q] \setminus (F_w \cup F)$ is defined similarly. Here we point out that we cannot have $v_j = w_j$, because we have applied the domain-separation technique by setting the most significant bit to 0 and 1, respectively. $\sim_v$ and $\sim_w$ are equivalence relations on $F'_v$ and $F'_w$, respectively. We partition the set $F'_v$ as $C_1 \sqcup \cdots \sqcup C_t$, where each $C_j$ is a subset of $F'_v$, and the set $F'_w$ as $C'_1 \sqcup \cdots \sqcup C'_{t'}$, where each $C'_j$ is a subset of $F'_w$. The equivalence class $C_j$ is called "the v-class" and $C'_j$ "the w-class". We point out that each class contains at least two elements. Let $c_j = \min C_j$ be the minimum element of the class $C_j$, and similarly $c'_j = \min C'_j$. So, when $i = c_j$ for some $j \in [t]$ or $i = c'_j$ for some $j \in [t']$, we sample the output $L_2(\cdot)$ (Case C or Case D, respectively, in Figure 2), which determines the outputs for every element of the corresponding equivalence class $C_j$ or $C'_j$, respectively.
From the above analysis, distinct elements of the tuple $(v_{[q]}, w_{[q]})$ have distinct corresponding elements in $(\hat{v}_{[q]}, \hat{w}_{[q]})$ for a good transcript. Hence there exists a permutation Π such that the two tuples $(v_{[q]}, w_{[q]})$ and $(\hat{v}_{[q]}, \hat{w}_{[q]})$ are part of its inputs and outputs, respectively.

Lemma 3. Assuming that $\tau = (M_{[q]}, T_{[q]}, X, Y, \hat{v}_{[q]}, \hat{w}_{[q]})$ is a good transcript, we obtain the following bound.

Proof. Define the set $I = F \cup F_v \cup F_w$, and assume that the size of $L_1$ is η. Assuming that $\eta + 2f \le N/2$, $\eta \le \sigma$ and $f \le q \le \sigma$, Lemma 1 gives the following. Following (9)-(11), we obtain the bound. Next, for a good transcript τ, the interpolation probability in the real world is computed.

Conflicts of Interest:
The author declares no conflict of interest.