Lightweight MACs from Universal Hash Functions

Abstract

Lightweight cryptography is a topic of growing importance, with the goal to secure the communication of low-end devices that are not powerful enough to use conventional cryptography. There have been many recent proposals of lightweight block ciphers, but comparatively few results on lightweight Message Authentication Codes (MACs).

Therefore, this paper focuses on lightweight MACs. We review some existing constructions, and revisit the choices made in mainstream MACs with a focus on lightweight cryptography. We consider MACs based on universal hash functions, because they offer information theoretic security, can be implemented efficiently and are widely used in conventional cryptography. However, many constructions used in practice (such as GMAC or Poly1305-AES) follow the Wegman-Carter-Shoup construction, which is only secure up to \(2^{64}\) queries with a 128-bit state.

We point out that there are simple solutions to reach security beyond the birthday bound, and we propose a concrete instantiation, \(\mathsf {MAC611}\), reaching 61-bit security with a 61-bit universal hash function. We wrote an optimized implementation on two ARM micro-controllers, and we obtain very good performances on the Cortex-M4, at only 3.7 c/B for long messages, and less than one thousand cycles for short messages.

A Comparison of Security Bounds

We can compare the maximum advantage of an adversary against \(\mathsf {MAC611}\), GMAC, CBC-MAC, Chakey, and LightMAC [23], as a function of the number of queries, for various query lengths. We have the following bounds:

$$\begin{aligned} \mathbf {Adv}_{\mathsf {MAC611}}^{\text {MAC}}(q)&\le \mathbf {Adv}_{E}^{\text {PRP}}\left( q+\tfrac{\rho }{\lambda }\right) + \tfrac{q+\rho /\lambda }{2^{3n/2}} + \tfrac{1}{2^n} + \tfrac{2\lambda }{|\mathbb {F}|} + \delta&\text {with } n=64\\ \mathbf {Adv}_{\text {Chaskey}}^{\text {MAC}}(q)&\le \frac{3(q\rho )^2+2q\rho t}{2^n}&\text {with }n=128\\ \mathbf {Adv}_{\textsf {{LightMAC}}}^{\text {MAC}}(q)&\le \mathbf {Adv}_{E}^{\text {PRP}}\left( q\rho \right) + \left( 1+\frac{2}{2^{n/2}-1}+\frac{1}{(2^{n/2}-1)^2}\right) \tfrac{q^2}{2^n}&\text {with }n=64\\ \mathbf {Adv}_{\text {GMAC}}^{\text {MAC}}(q)&\le \mathbf {Adv}_{\text {AES}}^{\text {PRP}}(q) + \tfrac{\rho }{2^{n}} \left( 1 - \tfrac{q}{2^{n}}\right) ^{-\tfrac{q+1}{2}}&\text {with }n=128 \\ \mathbf {Adv}_{\text {CBC-MAC}}^{\text {MAC}}(q)&\le \mathbf {Adv}_{\text {AES}}^{\text {PRP}}(q) + \tfrac{\rho ^2q^2}{2^{n-1}}&\text {with }n=128 \end{aligned}$$

The bounds for Poly1305-AES are essentially the same as for GMAC. Note that the bound for Chaskey involves the time t of the attacker; in the following we assume that the time and data of the attacker are the same, i.e. \(t=q\rho \).

We compare all the bounds in Fig. 2.

Fig. 2.

Security bound for several MAC constructions