Keywords

1 Introduction

Lightweight cryptography endeavors to safeguard communications in resource-constrained environments. The advent of the Internet of Things has given great impetus to this field of research in the last decade or so. As a result, several standardization efforts have tried to systematize the field, most notably the CAESAR competition [1], the NIST lightweight cryptography standardization project [2], and the ISO/IEC standardization [3]. Specifically, the ISO/IEC 29192-6:2019 standard [3] specifies three message authentication code (or MAC) algorithms for lightweight applications. MACs are symmetric-key primitives that achieve data authenticity and integrity. The ISO/IEC standard recommends LightMAC [4], Tsudik’s keymode [5], and Chaskey-12 [6] as the three MAC algorithms. In this paper, we focus on LightMAC.

LightMAC, by Luykx et al. [4], is a parallelizable block cipher-based MAC. For an n-bit block cipher \( {E}\) instantiated with keys \( K_1 \) and \( K_2 \), and a global parameter \( s < n \), a simplified version of LightMAC can be defined as:

$$\begin{aligned} \textsf {LightMAC} _{K_1,K_2}(m) := {E}_{K_2}({E}_{K_1}(x[1]) \oplus \cdots \oplus {E}_{K_1}(x[\ell -1]) \oplus m[\ell ]\Vert 10^{s-1}), \end{aligned}$$
(1)

where \( (m[1],\ldots ,m[\ell ]) \) denotes the \( (n-s) \)-bit parsing of the input message m, and \( x[i] = \langle i \rangle _{s} \Vert m[i] \) for \( 1 \le i \le \ell -1 \), where \( \langle i \rangle _{s} \) denotes the s-bit binary representation of i. For obvious reasons s is also called the counter size. The counter-based encoding in LightMAC is inherited from some earlier MAC designs such as the XOR MACs by Bellare et al. [7] and Bernstein’s protected counter sums [8]. The use of counter-based encoding limits the rate, i.e., the ratio of the number of n-bit blocks in the message m to the number of block cipher calls required to process m. For example, LightMAC requires 4 calls to process a message of length 3n bits when the counter size \( s = n/4 \), whence the rate is 3/4. Ideally, the rate should be as high as possible, with rate 1 or higher considered the holy grail. Dutta et al. [9] give optimal counter-based encoding strategies for some scenarios, resulting in significant speed-ups. However, LightMAC still falls short on this account when compared to some other MAC schemes such as OMAC [10] and PMAC [11].
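To make the counter-based encoding and the rate computation concrete, here is a minimal Python sketch (our own illustration; the helper names are hypothetical and not part of [4]) that splits a message into \( (n-s) \)-bit blocks, prefixes the s-bit counters, and counts the resulting block cipher calls:

```python
# Minimal sketch of LightMAC's counter-based encoding and rate (hypothetical helpers).
def encode_blocks(m: bytes, n: int = 128, s: int = 32):
    """Split m into (n-s)-bit blocks and prefix an s-bit counter to all but the last block."""
    chunk = (n - s) // 8                                   # (n-s)-bit block size, in bytes
    blocks = [m[i:i + chunk] for i in range(0, len(m), chunk)] or [b""]
    coded = [i.to_bytes(s // 8, "big") + blk for i, blk in enumerate(blocks[:-1], start=1)]
    return coded, blocks[-1]                               # x[1..l-1] and the last block m[l]

def rate(m: bytes, n: int = 128, s: int = 32):
    """Ratio of n-bit message blocks to block cipher calls ((l-1) hash-layer calls + 1 final call)."""
    coded, _ = encode_blocks(m, n, s)
    n_bit_blocks = max(1, -(-len(m) * 8 // n))             # ceil(|m| / n)
    return n_bit_blocks / (len(coded) + 1)

# Example from the text: a 3n-bit message with s = n/4 needs 4 block cipher calls, so rate 3/4.
print(rate(bytes(48), n=128, s=32))                        # 0.75
```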

However, the LightMAC design is quite simple: it minimizes all auxiliary operations other than the block cipher call, which keeps the overhead to a minimum. For this reason, LightMAC is expected to have more compact implementations than PMAC. Further, LightMAC is parallelizable like PMAC, which enables it to exploit parallel computing infrastructure whenever available. As a result, LightMAC is quite a flexible algorithm, with qualities suitable for both memory-constrained environments and high-performance computing.

Query-Length Independence: Yet another avenue where LightMAC gains over several other MAC schemes is its security guarantee. Many MAC algorithms, including PMAC and OMAC, have security bounds which degrade linearly with the query-length. Some dependence on query-length seems unavoidable in iterated MAC schemes. However, LightMAC is shown to have query-length independent security bounds.

It is well-known [12, 13] that variable input length (VIL) pseudorandom functions (or PRFs) are good candidates for deterministic MACs. Indeed, almost all the security bounds on deterministic MAC schemes, in fact, quantify their PRF security. In the following discussion q and \( \ell \) denote the number of queries and the bound on query-lengths, respectively.

Luykx et al. [4] showed that LightMAC achieves an \( O(q^2/2^n) \) bound on the success probability of any adversary (also referred to as the PRF advantage). This bound is independent of the query-length \( \ell \), apart from the obvious bound of \( \ell \le (n-s)2^{s} \).

In comparison, arguably the most popular parallelizable MAC, PMAC, suffers from a linear degradation in security with increasing query-length. Some birthday-bound (PRF advantage is at least \( q^2/2^n \)) variants (or extensions) of PMAC, like PMAC with parity [14] and PMAC3 [15], do achieve query-length independence for a wide range of \( \ell \) values. However, this comes at the cost of a significant increase in design complexity, such as a more than two-fold increase in memory usage and relatively complex auxiliary operations like multiple masking operations or the generation of error correcting codes.

The situation does not improve much when we consider birthday-bound sequential modes either. Schemes like CBC-MAC [16], XCBC [17] and OMAC exhibit a similar degradation in security with increasing query-length as PMAC. EMAC [18, 19] achieves query-length independence with a slightly higher PRF advantage of \( O(q/2^{n/2}) \) while \( \ell \le 2^{n/4} \). However, EMAC only works for messages with “multiple-of-n” length. One can extend the construction to an arbitrary domain either by using extra block cipher keys, as in ECBC and FCBC [17], or by applying an injective padding rule on the input message before processing it through EMAC.

Beyond-the-birthday bound (BBB) secure constructions such as Sum-ECBC [20], PMAC+ [21], 3kf9 [22], PMACx [23], 1k-PMAC+ [24], and LightMAC+ [25], can also achieve query-length independent security bounds for a wide range of values of \( \ell \). However, these constructions require significantly more memory and additional operations (due to the BBB security requirement) as compared to LightMAC.

1.1 Motivation

ISO standards are widely used in communication protocols such as TLS, the Bluetooth protocol, and Zigbee. Being an ISO standard for lightweight cryptography, LightMAC is also widely recognized as a suitable MAC candidate for deployment in resource-constrained environments. Possibly, its simple and compact design and query-length independent security are the main reasons behind this perception. On a closer look, we see that the two independent keys greatly simplify the security argument of LightMAC. Due to the independence of keys, it can be viewed as an instance of the Hash-then-PRF paradigm [26, 27], and hence the PRF security bound follows directly from the LightMAC output collision probability.

However, maintaining two block cipher keys can be a burden in memory-constrained environments. Two-key LightMAC requires 256 bits of key material (for a 128-bit block cipher key), whereas a one-key variant would use only 128 bits, a significant reduction in memory footprint both in hardware and software. The problem is further aggravated when implementations store precomputed round keys to reduce latency. For example, in the case of AES128 [28], this precomputation requires 176 bytes of memory per key. This motivates us to look into the problem of minimizing the number of keys in LightMAC, while maintaining the query-length independence. Specifically, we ask the following question:

\( \dagger :\) Is there a single-key LightMAC variant which achieves similar query-length independent bounds as two-key LightMAC?

As it turns out, the answer to this question is not straightforward. Recall the description of LightMAC from Eq. (1). Let \( y_i := {E}_{K_1}(x_i) \) and \( y^{\oplus } := y_1 \oplus \cdots \oplus y_{\ell -1} \oplus m_\ell \Vert 10^{s-1} \). We call \( x_i \) and \( y_i \) the i-th intermediate input and output, respectively, and \( y^\oplus \) and \( t = E_{K_2}(y^\oplus ) \) the final input and output, respectively. There are two non-trivial bottlenecks (see Sect. 3.2) in answering the above question:

  1.

    Collisions between intermediate input and final input, and

  2.

    Collisions between intermediate output and final output.

The naive way to handle these two cases is to bound the probability of these events by \( O(q^2\ell /2^n) \), as there are at most \( q\ell \) intermediate inputs/outputs and q final inputs/outputs. Clearly, this naive approach leads to a degradation in security. So,

\( \star :\) we need a more sophisticated strategy to prove the security of single-key LightMAC.

Yet another approach is to explicitly separate the final inputs from the intermediate inputs by fixing some input bit to 0 in intermediate inputs and 1 in final inputs. This helps in resolving the first bottleneck. However, the second bottleneck is still present. Hence, the resulting construction is not as straightforward as two-key LightMAC. Further, domain separation also introduces slight changes in the standardized design, which end-users, in general, do not appreciate. So,

\( \star \star :\) variants with very small modifications over the original LightMAC algorithm will be preferred.

In this paper, we aim to answer \( \dagger \) in the affirmative, using \( \star \) and \( \star \star \) as general guidelines.

1.2 Our Contributions

Our contributions are twofold:

First, in Sect. 4, we show that single-key LightMAC, denoted as 1k-LightMAC, is as secure as two-key LightMAC, while the query-lengths are lower bounded by \( (n-s) \) bits and upper bounded by \( (n-s)\min \{2^{n/4},2^s\} \) bits. In other words, we show a security bound of \( O(q^2/2^n) \) for 1k-LightMAC, while \( (n-s) \le \ell \le (n-s)\min \{2^{n/4},2^s\} \).

In order to circumvent the two bottlenecks discussed in Sect. 1.1, we use a novel sampling approach, called the reset-sampling – a proof style much in the same vein as the reprogramming of random oracles [29]. At the highest level, reset-sampling can be viewed as a subroutine in H-coefficient [30, 31] or Expectation method [32] based proofs that can be employed in order to transform a possibly bad transcript into a good transcript given that certain conditions are fulfilled. In other words, it resets some bad transcript into a good transcript. For example, in our analysis we reset the intermediate outputs appropriately whenever the corresponding intermediate input collides with some final input.

Second, in Sect. 5, we propose a close variant of 1k-LightMAC, dubbed LightMAC-ds, and show that LightMAC-ds is asymptotically as secure as two-key LightMAC, i.e., it achieves a security bound of \( O(q^2/2^n) \) while \( \ell \le (n-s)2^{s-1} \). The restriction on length is due to the loss of one bit of the counter for domain separation.

Table 1. A comparative summary of several birthday-bound block cipher based MAC algorithms. Here q denotes the number of queries, \( \ell \) denotes the bound on query-length, and s denotes the counter size.

Table 1 gives a comparison of LightMAC, 1k-LightMAC, and LightMAC-ds with several popular birthday-bound block cipher based MAC modes of operation. We deliberately refrain from enumerating beyond-the-birthday bound modes for a fair comparison, as they require relatively more memory and/or key material (due to the BBB security requirement). From the table, it is clear that the three LightMAC candidates are overall better than the other modes considering security vs. block cipher key size and security vs. auxiliary memory. Further, 1k-LightMAC is almost as good as LightMAC and LightMAC-ds as long as \( (n-s) \le \ell \le (n-s)\min \{2^{n/4},2^s\} \). Note that the lower bound on \( \ell \) is necessary to avoid some trivial collision events (see Sect. 3.2 for further details). Similarly, LightMAC-ds is as good as LightMAC as long as \( \ell \le (n-s)2^{s-1} \).

Practical Significance: Our results are restricted in terms of the length of messages, especially for 1k-LightMAC, which effectively bounds the message length to roughly \( 2^{35.5} \) bytes for a 128-bit block size. However, we believe that this is a minor issue. Indeed, many real-life communication protocols limit the message lengths to much less than 1 Gigabyte. For example, SRTP [39] limits the payload length to at most 1 Megabyte. So, the impact of the length restriction could, in fact, be minimal in most applications. Furthermore, we emphasize that 1k-LightMAC can be used as a drop-in replacement, since the required changes are minimal. This is a particularly compelling feature for the intended application area of the ISO/IEC 29192-6:2019 standard, i.e., resource-constrained environments, where additional deployment or maintenance cost is highly undesirable. In summary, our results have significant practical importance due to the ISO/IEC standardization of LightMAC and the inherent advantages of 1k-LightMAC and LightMAC-ds over LightMAC.

2 Preliminaries

Notational Setup: For \( n \in \mathbb {N}\), [n] denotes the set \( \{1,2,\ldots ,n\} \). The set of all bit strings (including the empty string) is denoted \( \{0,1\}^* \). The length of any bit string \( X \in \{0,1\}^* \), denoted |X| , is the number of bits in X. For \( n \in \mathbb {N}\), \( \{0,1\}^n\) denotes the set of all bit strings of length n, and \(\{0,1\}^{\le n} := \bigcup _{i=0}^{n} \{0,1\}^i \). For any \( A,B \in \{0,1\}^* \), we write \( A\Vert B \) to denote the concatenation of A and B. For \( n \in \mathbb {N}\) and \( X \in \{0,1\}^* \), \( (X_1,\ldots ,X_l) \xleftarrow {n} X \) denotes the n-bit parsing of X where \( |X_i| = n \) for all \( 1 \le i \le l-1 \) and \( 0 \le |X_l| \le n-1 \). For any \( n \in \mathbb {N}\) and \( M \in \{0,1\}^* \), we define \( \mathsf {pad}_n(M) := M\Vert 10^d \) where d is the smallest integer such that \( |\mathsf {pad}_n(M)| \) is a multiple of n. For \( i,m \in \mathbb {N}\) such that \( i < 2^{m} \), we define \( \langle i \rangle _{m} \) as the m-bit binary encoding of the integer i. For \( 0 \le k \le n \), we define the falling factorial \( (n)_k := n!/(n-k)! = n(n-1)\cdots (n-k+1) \). The set of all functions from \( \mathcal {X}\) to \( \mathcal {Y}\) is denoted \( \mathcal {F}(\mathcal {X},\mathcal {Y}) \), and the set of all permutations of \( \mathcal {X}\) is denoted \( \mathcal {P}(\mathcal {X}) \). We simply write \( \mathcal {F}(a,b) \) and \( \mathcal {P}(a) \), whenever \( \mathcal {X}= \{0,1\}^a \) and \( \mathcal {Y}= \{0,1\}^b \).

For a pair of q-tuples \( \widetilde{X} = (X_1,\ldots ,X_q) \) and \( \widetilde{Y} = (Y_1,\ldots ,Y_q) \), \( (\widetilde{X},\widetilde{Y}) \) denotes the 2q-tuple \( (X_1,\ldots ,X_q,Y_1,\ldots ,Y_q) \). Similarly, one can extend notation for more than 2 tuples. Two q-tuples \( \widetilde{X} \) and \( \widetilde{Y} \) are said to be permutation compatible, denoted as \( \widetilde{X} \leftrightsquigarrow \widetilde{Y} \), if \( (X_i = X_j) \iff (Y_i = Y_j) \), for all \( i \ne j \). By an abuse of notation, we also use \( \widetilde{X} \) to denote the set \( \{X_i : i \in [q]\} \).
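As a small self-contained illustration of permutation compatibility (our own example, not from the paper), two tuples are compatible exactly when they induce the same equality pattern:

```python
def perm_compatible(xs, ys):
    """X <-> Y iff (X_i == X_j) <=> (Y_i == Y_j) for all i != j."""
    assert len(xs) == len(ys)
    return all((xs[i] == xs[j]) == (ys[i] == ys[j])
               for i in range(len(xs)) for j in range(i + 1, len(xs)))

print(perm_compatible([1, 2, 1], ["a", "b", "a"]))   # True: identical collision pattern
print(perm_compatible([1, 2, 1], ["a", "b", "c"]))   # False: X collides where Y does not
```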

For a finite set \( \mathcal {X}\), \( \mathsf {X}\xleftarrow {\$}\mathcal {X}\) denotes the uniform at random sampling of \( \mathsf {X}\) from \( \mathcal {X}\), and \( \widetilde{\mathsf {X}}\xleftarrow {\mathsf {wor}}\mathcal {X}\) denotes the without replacement sampling of a tuple \( \widetilde{\mathsf {X}} \) from the set \( \mathcal {X}\).

A Useful Lemma: The following result from linear algebra will be very useful in later analysis.

Lemma 2.1

Let \( (\mathsf {Y}_1,\ldots ,\mathsf {Y}_l) \xleftarrow {\mathsf {wor}}\mathcal {S}\subseteq \{0,1\}^n\) with \( |\mathcal {S}| = N > l \). Let A be a \( k \times l \) binary matrix with rank r. We write the column vector \( (\mathsf {Y}_1, \ldots , \mathsf {Y}_l)^{tr} \) as \( \widetilde{\mathsf {Y}}\). Then, for any \( c \in (\{0,1\}^n)^k \), we have

$$\begin{aligned} {\Pr _{ }\left[ A \cdot \widetilde{\mathsf {Y}}= c\right] } \le \frac{1}{(N - l)^r} \end{aligned}$$

Proof

Since the rank of the matrix A is r, we can identify \(1 \le i_1< \cdots < i_r \le l \) such that \( \mathsf {Y}_{i_1}, \ldots \mathsf {Y}_{i_r} \) will be uniquely determined by fixing the value for the remaining \( l-r \) variables. By conditioning on the values of these \( l-r \) variables, the probability that \( A \cdot \widetilde{\mathsf {Y}}= c \) is bounded by at most \( \frac{1}{(N - l + r)_r} \) which is less than \( \frac{1}{(N - l)^r} \).   \(\square \)

We will often employ this lemma for \( k \ge 2 \) cases.
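For example (a worked instance of the lemma with \( k = r = 2 \) and \( l = 3 \)), consider the system

$$\begin{aligned} \mathsf {Y}_1 \oplus \mathsf {Y}_2 = c_1, \qquad \mathsf {Y}_2 \oplus \mathsf {Y}_3 = c_2, \end{aligned}$$

whose matrix A has rank 2. Conditioned on \( \mathsf {Y}_2 \), the pair \( (\mathsf {Y}_1,\mathsf {Y}_3) \) is a without replacement sample from a set of size at least \( N-1 \), so both equations hold with probability at most \( \frac{1}{(N-1)(N-2)} \le \frac{1}{(N-3)^2} = \frac{1}{(N-l)^r} \).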

2.1 Security Definitions

Distinguishers: A (q, T)-distinguisher \( \mathscr {A}\) is an oracle Turing machine that makes at most q oracle queries, runs in time at most T, and outputs a single bit. For any oracle \( \mathcal {O}\), we write \( \mathscr {A}^{\mathcal {O}} \) to denote the output of \( \mathscr {A}\) after its interaction with \( \mathcal {O}\). By convention, \( T = \infty \) denotes computationally unbounded (information-theoretic) and deterministic distinguishers. In this paper, we assume that the distinguisher is non-trivial, i.e., it never makes a duplicate query. Let \( \mathbb {A}(q,T) \) be the class of all non-trivial distinguishers limited to q queries and T computations.

Pseudorandom Function: A \( (\mathcal {K},\mathcal {X},\mathcal {Y}) \)-keyed function \( {F}\) with key space \( \mathcal {K}\), domain \( \mathcal {X}\), and range \( \mathcal {Y}\) is a function \( {F}: \mathcal {K}\times \mathcal {X}\rightarrow \mathcal {Y}\). We write \( {F}_K(X) \) for \( {F}(K,X) \).

The pseudorandom function or PRF advantage of any distinguisher \( \mathscr {A}\) against a \( (\mathcal {K},\mathcal {X},\mathcal {Y}) \)-keyed function \( {F}\) is defined as

$$\begin{aligned} \mathbf {Adv}^{\mathsf {prf}}_{{F}}(\mathscr {A}) := \left| {\Pr _{ }\left[ \mathscr {A}^{{F}_{\mathsf {K}}} = 1\right] } - {\Pr _{ }\left[ \mathscr {A}^{\mathsf {\Gamma }} = 1\right] }\right| , \end{aligned}$$
(2)

where \( \mathsf {K}\xleftarrow {\$}\mathcal {K}\) and \( \mathsf {\Gamma }\xleftarrow {\$}\mathcal {F}(\mathcal {X},\mathcal {Y}) \).

The PRF security of \( {F}\) against \( \mathbb {A}(q,T) \) is defined as

$$\begin{aligned} \mathbf {Adv}^{\mathsf {prf}}_{{F}}(q,T) := \max _{\mathscr {A}\in \mathbb {A}(q,T)} \mathbf {Adv}^{\mathsf {prf}}_{{F}}(\mathscr {A}). \end{aligned}$$

Pseudorandom Permutation: A \( (\mathcal {K},\{0,1\}^n) \)-block cipher \( {E}\) with key space \( \mathcal {K}\) and block space \( \{0,1\}^n\) is a \( (\mathcal {K},\{0,1\}^n,\{0,1\}^n) \)-keyed function, such that \( E(K,\cdot ) \) is a permutation over \( \{0,1\}^n\) for any key \( K \in \mathcal {K}\). We write \( {E}_K(X) \) for \( {E}(K,X) \).

The pseudorandom permutation or PRP advantage of any distinguisher \( \mathscr {A}\) against a \( (\mathcal {K},\{0,1\}^n) \)-block cipher \( {E}\) is defined as

$$\begin{aligned} \mathbf {Adv}^{\mathsf {prp}}_{{E}}(\mathscr {A}) := \left| {\Pr _{ }\left[ \mathscr {A}^{{E}_{\mathsf {K}}} = 1\right] } - {\Pr _{ }\left[ \mathscr {A}^{\mathsf {\Pi }} = 1\right] }\right| , \end{aligned}$$
(3)

where \( \mathsf {K}\xleftarrow {\$}\mathcal {K}\) and \( \mathsf {\Pi }\xleftarrow {\$}\mathcal {P}(n) \).

The PRP security of \( {E}\) against \( \mathbb {A}(q,T) \) is defined as

$$\begin{aligned} \mathbf {Adv}^{\mathsf {prp}}_{{E}}(q,T) := \max _{\mathscr {A}\in \mathbb {A}(q,T)} \mathbf {Adv}^{\mathsf {prp}}_{{E}}(\mathscr {A}). \end{aligned}$$

2.2 H-Coefficient Technique

The H-coefficient technique by Patarin [30, 31] is a tool to upper bound the distinguishing advantage of any deterministic and computationally unbounded distinguisher \( \mathscr {A}\) in distinguishing the real oracle \( \mathcal {R}\) from the ideal oracle \( \mathcal {I}\). The collection of all queries made by \( \mathscr {A}\) and the corresponding responses received from the oracle is called the transcript of \( \mathscr {A}\), denoted \( \tau \).

Let \( \mathsf {\mathbb {R}}\) and \( \mathsf {\mathbb {I}}\) denote the transcript random variables induced by \( \mathscr {A}\)’s interaction with \( \mathcal {R}\) and \( \mathcal {I}\), respectively. Let \( \mathcal {T}\) be the set of all transcripts. A transcript \( \tau \in \mathcal {T}\) is said to be attainable if \( {\Pr _{ }\left[ \mathsf {\mathbb {I}}= \tau \right] } > 0 \), i.e., it can be realized by \( \mathscr {A}\)’s interaction with \( \mathcal {I}\). Following these notations, we state the main result of the H-coefficient technique in Theorem 2.1. A proof of this theorem is available in multiple papers, including [40, 41].

Theorem 2.1

(H-coefficient). For \( \epsilon _1,\epsilon _2 \ge 0 \), suppose there is a set \( \mathcal {T}_{\mathsf {bad}} \subseteq \mathcal {T}\), that we call the set of all bad transcripts, such that the following conditions hold:

  • \( {\Pr _{ }\left[ \mathsf {\mathbb {I}}\in \mathcal {T}_{\mathsf {bad}}\right] } \le \epsilon _1 \); and

  • For any \( \tau \notin \mathcal {T}_{\mathsf {bad}} \), \( \tau \) is attainable and \( \displaystyle \frac{{\Pr _{ }\left[ \mathsf {\mathbb {R}}=\tau \right] }}{{\Pr _{ }\left[ \mathsf {\mathbb {I}}=\tau \right] }} \ge 1-\epsilon _2 \).

Then, for any computationally unbounded and deterministic distinguisher \( \mathscr {A}\), we have

$$\begin{aligned} \mathbf {Adv}_{\mathcal {R};\mathcal {I}}(\mathscr {A}) \le \epsilon _1 + \epsilon _2. \end{aligned}$$

3 Revisiting LightMAC

LightMAC is a block cipher-based parallelizable PRF construction by Luykx et al. [4]. It uses a counter-based encoding of input message blocks, much in the same vein as some of the previously proposed constructions like XMACC and XMACR [7] and protected counter sums [8]. Algorithm 3.1 gives the algorithmic description of LightMAC and Fig. 1 gives a pictorial illustration.

Throughout the rest of this paper, we refer to x[i] and y[i] as the intermediate input and output, respectively, for all \( i \in [\ell -1] \), and \( y^\oplus \) and t are referred to as the final input and output, respectively.

Note that the block size n and counter size s are application-specific parameters that are fixed before any invocation. In order to argue the security of LightMAC, we must have \( \langle i \rangle _{s} \ne \langle j \rangle _{s} \) for all \( i \ne j \). When \( i = 2^s + j \) for some \( j \in [2^s-1] \), then \( \langle i \rangle _{s} = \langle j \rangle _{s} \). So, the maximum number of blocks in the padded message, denoted \( \ell _{\max } \), must be less than \( 2^s \). This ensures that all the counters are different.
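As a quick sanity check (a toy illustration with \( s = 4 \), modeling the encoding of an overflowing counter as reduction modulo \( 2^s \)):

```python
S = 4                                               # toy counter size

def ctr(i: int) -> str:
    """<i>_s: the s-bit binary encoding of i (only the s least significant bits survive)."""
    return format(i % 2**S, f"0{S}b")

print(ctr(1), ctr(2**S + 1))                        # '0001' '0001': the counter repeats
print(len({ctr(i) for i in range(1, 2**S)}))        # 15: all counters distinct while l - 1 < 2^s
```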

Algorithm 3.1: LightMAC (pseudocode figure omitted).

Fig. 1. LightMAC evaluated over an \( \ell \)-block padded message m.
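Since Algorithm 3.1 is not reproduced here, the following Python sketch (our own rendering of the description above, with a hash-based toy function standing in for the block cipher E, so it is for illustration only) computes the tag as \( {E}_{K_2} \) applied to the XOR of the counter-prefixed hash-layer outputs and the padded last block:

```python
import hashlib

N, S = 128, 32                                        # block size n and counter size s, in bits

def toy_prp(key: bytes, x: int) -> int:
    """Stand-in for an n-bit block cipher E_K (NOT a real PRP; illustration only)."""
    d = hashlib.sha256(key + x.to_bytes(N // 8, "big")).digest()
    return int.from_bytes(d[:N // 8], "big")

def pad_n(m: bytes, bits_used: int) -> int:
    """10* padding of the last block up to n bits: m || 1 || 0^(n - |m| - 1)."""
    x = int.from_bytes(m, "big") if m else 0
    return ((x << 1) | 1) << (N - bits_used - 1)

def lightmac(k1: bytes, k2: bytes, m: bytes) -> int:
    """Two-key LightMAC over a byte-aligned message; assumes fewer than 2^s blocks."""
    chunk = (N - S) // 8
    blocks = [m[i:i + chunk] for i in range(0, len(m), chunk)] or [b""]
    y_xor = 0
    for i, blk in enumerate(blocks[:-1], start=1):
        x_i = (i << (N - S)) | int.from_bytes(blk, "big")   # x[i] = <i>_s || m[i]
        y_xor ^= toy_prp(k1, x_i)                           # y[i] = E_{K1}(x[i])
    y_xor ^= pad_n(blocks[-1], 8 * len(blocks[-1]))         # y_xor is the final input
    return toy_prp(k2, y_xor)                               # t = E_{K2}(y_xor)

print(hex(lightmac(b"K1", b"K2", b"a message longer than one 96-bit block")))
```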

3.1 Hash-Then-PRP and the Security of LightMAC

For some \( \epsilon \ge 0 \), a \( (\mathcal {K},\{0,1\}^{\le (n-s)2^s},\{0,1\}^n) \)-keyed function H is called an \( \epsilon \)-universal hash function if for all distinct \( m,m' \in \{0,1\}^{\le (n-s)2^s} \), we have

$$\begin{aligned} {\Pr _{ }\left[ H_{\mathsf {K}}(m) = H_{\mathsf {K}}(m')\right] } \le \epsilon , \end{aligned}$$

where the probability is taken over \( \mathsf {K}\xleftarrow {\$}\mathcal {K}\).

Universal hash functions are very useful in constructing PRFs via the Hash-then-PRP paradigm [26, 37]. In this paradigm, given an independently keyed \( \epsilon \)-universal hash function \( H_{\mathsf {K}} \) and block cipher \( {E}_{\mathsf {K}'} \), we define the Hash-then-PRP composition as \( {E}_{K'} \circ H_{K} \). It is well-known that

$$\begin{aligned} \mathbf {Adv}^{\mathsf {prf}}_{{E}_{\mathsf {K}'} \circ H_{\mathsf {K}}}(q,T) \le \mathbf {Adv}^{\mathsf {prp}}_{{E}}(q,T') + {q \atopwithdelims ()2}\left( \frac{1}{2^n} + \epsilon \right) , \end{aligned}$$
(4)

where \( T' = T + q O(T_{E}) \) and \( T_{E}\) denotes the runtime of \( {E}\).

We skip the proof of this result as it is available in multiple papers, including [37, 42]. An informal justification for Eq. (4) is based on the observation that if the inputs to \( {E}_{\mathsf {K}'} \) are distinct across all q queries, then the outputs behave “almost uniformly at random”. The probability that some inputs to \( {E}_{\mathsf {K}'} \) collide is bounded by \( {q \atopwithdelims ()2}\epsilon \).

PRF Security of LightMAC: Consider a \( (\mathcal {K},\{0,1\}^{\le (n-s)2^s},\{0,1\}^n) \)-keyed function LightHash, defined by the following mapping:

$$\begin{aligned} \forall m \in \{0,1\}^{\le (n-s)2^s},\quad \textsf {LightHash} _{{E}_{K_1}}(m) := y^\oplus , \end{aligned}$$

where \( y^\oplus \) is the final input corresponding to m in \( \textsf {LightMAC} _{{E}_{K_1},{E}_{K_2}}(m) \). Now, we can view LightMAC as an instantiation of Hash-then-PRP, by redefining LightMAC as

$$\begin{aligned} \textsf {LightMAC} _{{E}_{K_1},{E}_{K_2}}(m) := {E}_{K_2}(\textsf {LightHash} _{{E}_{K_1}}(m)). \end{aligned}$$

Suppose \( \textsf {LightHash} _{\mathsf {\Pi }_1}\) is an \( \epsilon \)-universal hash for \( \mathsf {\Pi }_1 \xleftarrow {\$}\mathcal {P}(n) \). Then, using Eq. (4), we have

$$\begin{aligned} \mathbf {Adv}^{\mathsf {prf}}_{\mathsf {LightMAC}}(q,T) \le 2\mathbf {Adv}^{\mathsf {prp}}_{{E}}(\sigma ,T') + {q \atopwithdelims ()2}\left( \frac{1}{2^n} + \epsilon \right) , \end{aligned}$$
(5)

where \( \sigma \) denotes the total number of blocks in all q padded queries, and \( T' = T + \sigma O(T_{E}) \) and \( T_{E}\) denotes the runtime of \( {E}\).

In [4, 9], it has been shown that \( \textsf {LightHash} _{\mathsf {\Pi }_1}\) is \( \epsilon \)-universal with \( \epsilon \le 1/(2^n - 2\ell _{\max }) \), where \( \ell _{\max } \) is the upper bound on the query-length in blocks. It is simply because for any \(m \ne m'\) with lengths \(\ell , \ell '\) respectively, the event \( \textsf {LightHash} _{\mathsf {\Pi }_1}(m)=\textsf {LightHash} _{\mathsf {\Pi }_1}(m')\) is identical to

$$\begin{aligned} \bigoplus _{i=1}^{\ell -1}\mathsf {\Pi }_1(x[i]) \oplus \bigoplus _{j=1}^{\ell '-1}\mathsf {\Pi }_1(x'[j]) = \mathsf {pad}_n(m[\ell ]) \oplus \mathsf {pad}_n(m'[\ell ']). \end{aligned}$$
(6)

Now, since \(m \ne m'\), either \( (x[1],\ldots ,x[\ell -1]) \ne (x'[1],\ldots ,x'[\ell '-1]) \), or

$$\begin{aligned} (x[1],\ldots ,x[\ell -1]) = (x'[1],\ldots ,x'[\ell '-1]) \wedge \mathsf {pad}_n(m[\ell ]) \ne \mathsf {pad}_n(m'[\ell ']). \end{aligned}$$

The second case has zero probability. In the first case, assuming \( \ell \ge \ell ' \), we have at least one block, say x[i], which is distinct from all other blocks. Then, the probability of the event defined in Eq. (6) can be bounded above by the probability that \( \mathsf {\Pi }_1(x[i]) \) attains a certain value conditioned on the outputs of \( \mathsf {\Pi }_1 \) on all other x[j] and \( x'[j'] \) values for \( j \in [\ell -1]\setminus \{i\} \) and \( j' \in [\ell '-1] \). There are at most \(2 \ell _{\max }\) such values, i.e., \( \mathsf {\Pi }_1 \) is already sampled on at most \( 2\ell _{\max } \) points. Therefore, the probability is bounded above by \( 1/(2^{n}-2\ell _{\max }).\)

By combining this bound with Eq. (5), we get the desired result for LightMAC in the following proposition.

Proposition 3.1

For \( \ell _{\max } < \min \{2^{n-2},2^s\} \), we have

$$\begin{aligned} \mathbf {Adv}^{\mathsf {prf}}_{\mathsf {LightMAC}}(q,T) \le 2\mathbf {Adv}^{\mathsf {prp}}_{{E}}(\sigma ,T') + \frac{1.5q^2}{2^n}, \end{aligned}$$

where \( \sigma \) denotes the total number of blocks in all q padded queries, and \( T' = T + \sigma O(T_{E}) \) and \( T_{E}\) denotes the runtime of \( {E}\).
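Concretely, the constant 1.5 can be traced as follows (a short arithmetic check, using the universality bound \( \epsilon \le 1/(2^n-2\ell _{\max }) \) derived above): since \( \ell _{\max } < 2^{n-2} \) implies \( 2^n - 2\ell _{\max } > 2^{n-1} \),

$$\begin{aligned} {q \atopwithdelims ()2}\left( \frac{1}{2^n} + \frac{1}{2^n-2\ell _{\max }}\right) \le \frac{q^2}{2}\left( \frac{1}{2^n} + \frac{2}{2^n}\right) = \frac{1.5q^2}{2^n}. \end{aligned}$$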

3.2 Bottlenecks for Single-Key LightMAC

We have just seen that the query-length independent security argument for LightMAC comes quite easily from the Hash-then-PRP paradigm. This is possible because \( \mathsf {K}_1 \) and \( \mathsf {K}_2 \) are independent of each other. A natural direction to explore is the relaxation: \( K_1 = K_2 = K \), i.e., LightMAC instantiated with a single key. Formally, we define the single-key LightMAC construction as follows:

$$\begin{aligned} \textsf {1k}\hbox {-}\textsf {LightMAC} _{K}(m) := {E}_{K}({E}_{K}(x[1]) \oplus \cdots \oplus {E}_{K}(x[\ell -1]) \oplus \mathsf {pad}_n(m[\ell ])). \end{aligned}$$

We remark that the additional nomenclature 1k-LightMAC is just for the sake of brevity. Indeed, 1k-LightMAC and LightMAC are algorithmically equivalent. We have just instantiated \( K_1 = K_2 = K \).

The first thing to note is that Hash-then-PRP is no longer applicable, as the hash function \( H_\mathsf {K} \) and the block cipher \( {E}_\mathsf {K} \) are no longer independent. So, we have to look for a dedicated proof.

Suppose the adversary makes q queries \( m_1,\ldots ,m_q \), and the corresponding tuples of intermediate inputs and outputs are denoted \( x_i = (x_{i}[1],\ldots ,x_{i}[\ell _i-1]) \) and \( y_i = (y_{i}[1],\ldots ,y_{i}[\ell _i-1]) \), respectively. Similarly, the final input and output for the i-th query are denoted \( y^\oplus _i \) and \( t_i \), respectively. Consider the events:

  • \( \mathtt {Icoll}:\exists (i,a) \in [q] \times [\ell _i-1], j \in [q], \text { such that } x_i[a] = y^\oplus _{j} \);

  • \( \mathtt {Ocoll}:\exists (i,a) \in [q] \times [\ell _i-1], j \in [q], \text { such that } y_i[a] = t_{j} \);

\( \mathtt {Icoll} \) denotes the event that a final input collides with some intermediate input and \( \mathtt {Ocoll} \) denotes the analogous event for output collisions (see Fig. 2).

Fig. 2. \(\mathtt {Icoll}\) (left) and \(\mathtt {Ocoll}\) (right) events. In each case, labels with the same color are equal, and double lines between two labels signify equality between the corresponding variables.

In a dedicated proof, we must take care of these cases as they may lead to inconsistent transcripts. For example, it is possible that \( x_i[a] = y^\oplus _{j} \) (\( \mathtt {Icoll} \) holds) but \( y_i[a] \ne t_{j} \), or vice-versa. The probability of realizing such a transcript is zero in the real world. In fact, one can easily create such inconsistencies by first making a query \( m_1 = \langle 1 \rangle _{s} \), and then making another query \( m_2 = 10^{n-s-1}\Vert x \), where x is any arbitrary bit string. Clearly, \( x_2[1] = y^\oplus _{1} \), which implies that \( \mathtt {Icoll} \) holds. This might help an adversary to mount an attack on 1k-LightMAC, as it can access the internal variables using very short queries. Interestingly, if we swap the positions of the counter and the message block, then this trivial collision is no longer possible, and it might even be possible to show that the resulting variant is secure. Since our aim is to study the standardized algorithm, we simply assume that messages are at least \( (n-s) \) bits long, thereby ensuring that at least one block cipher call is made in the hash layer. But this only helps to avoid collisions in the corner case. We still have to consider the possibility of \( \mathtt {Icoll} \) and \( \mathtt {Ocoll} \) in the general case. We have to ensure that such inconsistencies do not occur with high probability. A straightforward bound on these events introduces a bound of the form \( O(q^2\ell _{\max }/2^n) \), since there are at most \( q\ell _{\max } \) many (i, a) pairs and q choices for j. However, we aim to do better than this. In the next two sections, we show how we can handle these events in a better way.
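The trivial collision described above can be checked directly on bit strings (a small sanity check with n = 128 and s = 32; it needs no block cipher at all, only the input encoding):

```python
N, S = 128, 32

def bits(x: int, width: int) -> str:
    return format(x, f"0{width}b")

# Query 1: m1 = <1>_s is shorter than (n - s) bits, so it produces no intermediate block and
# its final input is simply pad_n(m1) = <1>_s || 1 || 0^(n - s - 1).
m1 = bits(1, S)
y1_xor = m1 + "1" + "0" * (N - S - 1)

# Query 2: m2 = 1 0^(n-s-1) || x. Its first (n - s)-bit block is 1 0^(n-s-1), so the first
# intermediate input is x2[1] = <1>_s || 1 0^(n-s-1).
x2_1 = bits(1, S) + "1" + "0" * (N - S - 1)

print(x2_1 == y1_xor)   # True: an intermediate input of query 2 equals the final input of query 1
```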

4 Security of 1k-LightMAC

This section is devoted to the PRF security of 1k-LightMAC. Throughout this section, we assume that messages are at least \( (n-s) \)-bit long. This assumption is used to avoid some trivial bad events, as discussed in Sect. 3.2.

Theorem 4.1

Let \( q, \ell _{\min }, \ell _{\max }, \sigma , t > 0 \). For \( \ell _{\min } \ge 2 \), \( q +4\ell _{\max } \le 2^{n-1} \), the PRF security of \( \textsf {1k}\hbox {-}\textsf {LightMAC} \) against \( \mathbb {A}(q,T) \) is given by

$$ \mathbf {Adv}^{\mathsf {prf}}_{\mathsf {1k}\hbox {-}\mathsf {LightMAC}}(q,T) \le \mathbf {Adv}^{\mathsf {prp}}_{{E}}(\sigma +q,T') + \frac{1.5q^2}{2^{n}}+ \frac{7.5q^3\ell _{\max }^2}{2^{2n}} + \frac{4 q^4 \ell _{\max }^2}{2^{3n}} + \frac{2 \sigma }{2^n}, $$

where q denotes the number of queries, \( \ell _{\max } \) (res. \( \ell _{\min } \)) denotes an upper (res. lower) bound on the number of blocks in any padded query, \( \sigma \) denotes the total number of blocks present in all q queries, \( T' = T + \sigma O(T_{E}) \) and \( T_{E}\) denotes the runtime of \( {E}\).

Further assuming \( \ell _{\max } \le \min \{2^{n/4},2^s\} \) and \( q \le \min \{2^{\frac{3n}{4}-2},2^{\frac{n}{2}-1.51}\} \), we have

$$\begin{aligned} \mathbf {Adv}^{\mathsf {prf}}_{\mathsf {1k}\hbox {-}\mathsf {LightMAC}}(q,T) \le \mathbf {Adv}^{\mathsf {prp}}_{{E}}(\sigma +q,T') + \frac{4q^2}{2^{n}} + \frac{2\sigma }{2^n}. \end{aligned}$$

The proof of this theorem is described in the rest of this section. First of all, we switch to the information-theoretic setting, i.e., \( {E}_{\mathsf {K}} \) is replaced with \( \mathsf {\Pi }\xleftarrow {\$}\mathcal {P}(n) \) via a standard hybrid argument. Formally, we have

$$\begin{aligned} \mathbf {Adv}^{\mathsf {prf}}_{\textsf {1k}\hbox {-}\textsf {LightMAC}}(q,T) \le \mathbf {Adv}^{\mathsf {prp}}_{{E}}(\sigma +q,T') + \mathbf {Adv}^{\mathsf {prf}}_{\textsf {1k}\hbox {-}\textsf {LightMAC} _{\mathsf {\Pi }}}(q,\infty ). \end{aligned}$$
(7)

So it is enough to bound the PRF security of \( \textsf {1k}\hbox {-}\textsf {LightMAC} _{\mathsf {\Pi }} \), henceforth also referred to as the real oracle. We apply the H-coefficient technique to bound this term. Fix any \( \mathscr {A}\in \mathbb {A}(q,\infty ) \) such that

$$\begin{aligned} \mathbf {Adv}^{\mathsf {prf}}_{\textsf {1k}\hbox {-}\textsf {LightMAC} _{\mathsf {\Pi }}}(q,\infty ) = \mathbf {Adv}^{\mathsf {prf}}_{\textsf {1k}\hbox {-}\textsf {LightMAC} _{\mathsf {\Pi }}}(\mathscr {A}). \end{aligned}$$

Going forward, we will bound the advantage of \( \mathscr {A}\).

4.1 Description of Oracles and Their Transcripts

Real Oracle: The real oracle corresponds to \( \textsf {1k}\hbox {-}\textsf {LightMAC} _{\mathsf {\Pi }} \). It responds faithfully to all the queries made by \( \mathscr {A}\). Once the query-response phase is over, it releases all the intermediate inputs and outputs to \( \mathscr {A}\).

In addition, the real oracle releases three binary variables, namely, \( \mathsf {FlagT}\), \( \mathsf {FlagZ}\), and \( \mathsf {FlagY}\), all of which are degenerately set to 0. The utility of these flags will become apparent from the description of ideal oracle. For now, it is sufficient to note that these flags are degenerate in the real world.

Formally, we have \( \mathsf {\mathbb {R}}:= (\widetilde{\mathsf {M}},\widetilde{\mathsf {T}},\widetilde{\mathsf {X}},\widetilde{\mathsf {Y}},\mathsf {FlagT},\mathsf {FlagZ},\mathsf {FlagY}) \), where

  • \( \widetilde{\mathsf {M}}= (\mathsf {M}_{1},\ldots ,\mathsf {M}_{q}) \) denotes the q-tuple of queries made by \( \mathscr {A}\), where \( \mathsf {M}_{i} \in \{0,1\}^{\le (n-s)2^s} \) for all \( i \in [q] \). In addition, for all \( i \in [q] \), let \( \ell _{i} := \left\lfloor \frac{|\mathsf {M}_i|}{n-s}\right\rfloor +1 \).

  • \( \widetilde{\mathsf {T}}= (\mathsf {T}_{1},\ldots ,\mathsf {T}_{q}) \) denotes the q-tuple of final outputs received by \( \mathscr {A}\), where \( \mathsf {T}_i \in \{0,1\}^n\).

  • \( \widetilde{\mathsf {X}}= (\mathsf {X}_{1},\ldots ,\mathsf {X}_{q}) \), where \( \mathsf {X}_i \) denotes the intermediate input tuple for the i-th query, i.e., for all \( a \in [\ell _i-1] \), \( \mathsf {X}_{i}[a] = \langle a \rangle _{s}\Vert \mathsf {M}_{i}[a] \).

  • \( \widetilde{\mathsf {Y}}= (\mathsf {Y}_{1},\ldots ,\mathsf {Y}_{q}) \), where \( \mathsf {Y}_i \) denotes the intermediate output tuple for the i-th query, i.e., for all \( a \in [\ell _i-1] \), \( \mathsf {Y}_{i}[a] = \mathsf {\Pi }(\mathsf {X}_{i}[a]) \). In addition, let \( \widetilde{\mathsf {Y}}^\oplus := (\mathsf {Y}^\oplus _1,\ldots ,\mathsf {Y}^\oplus _q) \), where \( \mathsf {Y}^\oplus _i := \bigoplus _{a\in [\ell _i-1]} \mathsf {Y}_{i}[a] \oplus \mathsf {pad}_n(\mathsf {M}_{i}[\ell _i]) \) for all \( i \in [q] \).

  • \( \mathsf {FlagI} = 0 \) for all \( \mathsf {I} \in \{\mathsf {T},\mathsf {Z},\mathsf {Y}\} \).

Note that, \( \widetilde{\mathsf {X}}\) is completely determined from \( \widetilde{\mathsf {M}}\). We have included it in the transcript just for the sake of simplicity. From the definition of 1k-LightMAC, we know that \( \mathsf {\Pi }(\mathsf {Y}^\oplus _i) = \mathsf {T}_i \) for all \( i \in [q] \). So, in the real world we always have \( (\widetilde{\mathsf {X}},\widetilde{\mathsf {Y}}^\oplus ) \leftrightsquigarrow (\widetilde{\mathsf {Y}},\widetilde{\mathsf {T}}) \), i.e., \( (\widetilde{\mathsf {X}},\widetilde{\mathsf {Y}}^\oplus ) \) is permutation compatible with \( (\widetilde{\mathsf {Y}},\widetilde{\mathsf {T}}) \). We keep this observation in our mind when we simulate the ideal oracle.

Ideal Oracle: We reuse the variable notations from the real oracle description to represent the ideal oracle transcript \( \mathsf {\mathbb {I}}\), i.e., \( \mathsf {\mathbb {I}}:= (\widetilde{\mathsf {M}},\widetilde{\mathsf {T}},\widetilde{\mathsf {X}},\widetilde{\mathsf {Y}},\mathsf {FlagT},\mathsf {FlagZ},\mathsf {FlagY}) \). This should not cause any confusion, as we never consider the random variables \( \mathsf {\mathbb {R}}\) and \( \mathsf {\mathbb {I}}\) jointly, whence the probability distributions of the constituent variables will always be clear from the context. The ideal oracle transcript is described in three phases, each contingent on some predicates defined over the previous stages. Specifically, the ideal oracle first initializes \( \mathsf {FlagT}= 0 \), \( \mathsf {FlagZ}= 0 \), \( \mathsf {FlagY}= 0 \), and then follows the sampling mechanism given below:

In the query-response phase, the ideal oracle faithfully simulates a uniform random function. Formally, for \( i \in [q] \), at the i-th query \( \mathsf {M}_{i} \in \{0,1\}^{\le (n-s)2^s} \), the ideal oracle outputs \( \mathsf {T}_i \xleftarrow {\$}\{0,1\}^n\). The partial transcript generated at the end of the query-response phase is given by \( (\widetilde{\mathsf {M}},\widetilde{\mathsf {T}},\widetilde{\mathsf {X}}) \), where

  • \( \widetilde{\mathsf {M}}= (\mathsf {M}_1,\ldots ,\mathsf {M}_{q}) \) and \( \widetilde{\mathsf {T}}= (\mathsf {T}_1,\ldots ,\mathsf {T}_{q}) \).

  • \( \widetilde{\mathsf {X}}= (\mathsf {X}_1,\ldots ,\mathsf {X}_{q}) \), where \( \mathsf {X}_i = (\mathsf {X}_{i}[1],\ldots ,\mathsf {X}_{i}[\ell _{i}-1]) \) and \( \mathsf {X}_{i}[a] := \langle a \rangle _{s}\Vert \mathsf {M}_{i}[a] \) for all \( (i,a) \in [q] \times [\ell _{i}-1] \).

Now, we define a predicate on \( \widetilde{\mathsf {T}}\):

$$\begin{aligned} \mathtt {BadT}: \exists ~i \ne j \in [q], \text { such that } \mathsf {T}_{i} = \mathsf {T}_{j}. \end{aligned}$$

If \( \mathtt {BadT}\) is true, then \( \mathsf {FlagT}\) is set to 1, and \( \widetilde{\mathsf {Y}}= (\mathsf {Y}_{1},\ldots ,\mathsf {Y}_{q}) \) is defined degenerately: \( \mathsf {Y}_{i}[a] = 0^n \) for all \( (i,a) \in [q] \times [\ell _{i}-1] \). Otherwise, the ideal oracle proceeds to the next phase.

Onward, we must have \( \mathsf {T}_{i} \ne \mathsf {T}_{j} \) whenever \( i \ne j \), and \( \mathsf {FlagT}= 0 \), since this phase is only executed when \( \mathtt {BadT}\) is false. In the offline phase, the ideal oracle initially makes the following sampling:

$$\begin{aligned} (\mathsf {R}_{x_1},\ldots ,\mathsf {R}_{x_{\sigma '}}) \xleftarrow {\mathsf {wor}}\{0,1\}^n\setminus \widetilde{\mathsf {T}}, \end{aligned}$$

where \( (x_1,\ldots ,x_{\sigma '}) \) is an arbitrary ordering of the set

$$\begin{aligned} \mathbb {X}(\widetilde{\mathsf {X}}):= \{x: x=\mathsf {X}_{i}[a], (i,a) \in [q] \times [\ell _i-1]\}. \end{aligned}$$

Next, the ideal oracle sets

  • \( \mathsf {Z}_i[a]:=\mathsf {R}_x \) if \( x = \mathsf {X}_{i}[a] \), for all \( (i,a) \in [q] \times [\ell _i-1] \), and

  • \( \mathsf {Z}_i^{\oplus } := \bigoplus _{a=1}^{\ell _i-1}\mathsf {Z}_i[a] \oplus \mathsf {pad}_n(\mathsf {M}_i[\ell _i]) \).

At this stage we have \( \mathsf {Z}_{i}[a] = \mathsf {Z}_{j}[b] \) if and only if \( \mathsf {X}_{i}[a] = \mathsf {X}_{j}[b] \). In other words, \( \widetilde{\mathsf {X}} \leftrightsquigarrow \widetilde{\mathsf {Z}} \). But the same might not hold for \( \mathsf {Z}^\oplus \) and \( \widetilde{\mathsf {T}}\). Now, we define four predicates on \( (\widetilde{\mathsf {Z}},\widetilde{\mathsf {X}}) \):

  • \( \mathtt {BadZ1}: \exists i \ne j \in [q], \text { such that } \mathsf {Z}_i^{\oplus } = \mathsf {Z}_j^{\oplus } \).

  • \( \mathtt {BadZ2}: \exists (i,a) \in [q] \times [\ell _i-1], \text { such that } \mathsf {X}_{i}[a] = \mathsf {Z}_i^{\oplus } \).

  • \( \mathtt {BadZ3}: \exists i \ne j \ne k \in [q], a,b \in [\ell _i-1], \text { such that } (\mathsf {X}_{i}[a] = \mathsf {Z}_j^{\oplus }) \wedge (\mathsf {X}_{i}[b] = \mathsf {Z}_k^{\oplus }) \).

  • \( \mathtt {BadZ4}: \exists i \ne j \ne k \in [q], a \in [\ell _i-1], b \in [\ell _j-1], \text { such that } (\mathsf {X}_{i}[a] = \mathsf {Z}_j^{\oplus }) \wedge (\mathsf {X}_{j}[b] = \mathsf {Z}_k^{\oplus }) \).

We write \( \mathtt {BadZ}:= \mathtt {BadZ1}\vee \mathtt {BadZ2}\vee \mathtt {BadZ3}\vee \mathtt {BadZ4}\). Looking ahead momentarily, \( \mathtt {BadZ}\) will represent bad scenarios that are difficult to fix in the third stage. For example, \( \mathtt {BadZ1}\) leads to permutation incompatibility between \( \mathsf {Z}^\oplus \) and \( \widetilde{\mathsf {T}}\) which is not desirable. We will discuss utility of the other three predicates in the description of next phase.

If \( \mathtt {BadZ}\) is true, then \( \mathsf {FlagZ}\) is set to 1, and \( \widetilde{\mathsf {Y}}= (\mathsf {Y}_{1},\ldots ,\mathsf {Y}_{q}) \) is again defined degenerately, as in the case of \( \mathtt {BadT}\). Otherwise, the ideal oracle proceeds to the next phase.

At this point, we know that \( \mathtt {BadZ}\) is false. In this phase, we will define the complete transcript generated in the ideal world, i.e., \( \mathsf {\mathbb {I}}\), by appropriately defining \( \widetilde{\mathsf {Y}}\). Remember, our goal is to maintain \( (\widetilde{\mathsf {X}},\widetilde{\mathsf {Y}}^\oplus ) \leftrightsquigarrow (\widetilde{\mathsf {Y}},\widetilde{\mathsf {T}}) \).

Definition 4.1

(full collision index). Any query index \( i \in [q] \) is called a full collision index if \( \exists ~ a \in [\ell _i-1], j \in [q] \text { such that }\mathsf {X}_{i}[a] = \mathsf {Z}_j^\oplus \). Additionally, let

  • \( \mathcal {I}:= \{i \in [q]: \mathsf {Z}^\oplus _j = \mathsf {X}_{i}[a],\text { for some } a \in [\ell _i-1], j \in [q]\} \).

  • \( \mathcal {J}:= \{j \in [q]: \mathsf {Z}_j^\oplus = \mathsf {X}_{i}[a]\text { for some } (i,a) \in [q] \times [\ell _i-1]\} \).

  • \( \mathsf {FCT}:= \{(i,a,j): i,j \in [q], a \in [\ell _i-1]\ \text{ such } \text{ that }\ \mathsf {Z}_j^\oplus = \mathsf {X}_{i}[a]\} \). Sometimes, we also use \( \widetilde{\mathsf {FCT}} := \{(i,a) \in [q] \times [\ell _{i}-1] : \exists j \in [q] \text { such that }\mathsf {Z}_j^\oplus = \mathsf {X}_{i}[a]\} \).

We refer to \( i \in \mathcal {I}\) and \( j \in \mathcal {J}\) as full-collision and resetting index, respectively.

Observe that we can simply set \( \widetilde{\mathsf {Y}}= \widetilde{\mathsf {Z}}\) whenever \( \mathcal {I}= \emptyset \), since \( \lnot (\mathtt {BadT}\vee \mathtt {BadZ}) \) holds. However, we need a more involved method when \( \mathcal {I}\ne \emptyset \). Next, we use a novel sampling approach, called reset-sampling, in the context of the sampling of \( \widetilde{\mathsf {Y}}\).

Reset-Sampling: The sampling of \( \widetilde{\mathsf {Y}}\) is done in two stages:

  • Stage 1: For all \( (i,a) \in [q] \times [\ell _i-1] \), set \( \mathsf {Y}_{i}[a] = \mathsf {Z}_i[a]\).

  • Stage 2: For all \( (i,a,j) \in \mathsf {FCT}\), reset \( \mathsf {Y}_{i}[a] = \mathsf {T}_j \).

Finally, define \( \widetilde{\mathsf {Y}}^\oplus := (\mathsf {Y}^\oplus _1,\ldots ,\mathsf {Y}^\oplus _q) \), where \( \mathsf {Y}^\oplus _i = \bigoplus _{a\in [\ell _i-1]} \mathsf {Y}_{i}[a] \oplus \mathsf {pad}_n(\mathsf {M}_{i}[\ell _i]) \).

In the second stage, we have reset \( \mathsf {Y}_{i}[a] \) from \( \mathsf {Z}_{i}[a] \) to \( \mathsf {T}_j \) for all \( (i,a,j) \in \mathsf {FCT}\). This fixes the previous inconsistency issue, i.e., \( \mathsf {X}_{i}[a] = \mathsf {Z}^\oplus _j \) and \( \mathsf {Y}_{i}[a] \ne \mathsf {T}_j \). Figure 3 gives a pictorial view of this step.
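The two-stage sampling can be summarized by the following schematic Python sketch (our own bookkeeping-only rendering with parameter names of our choosing; it omits the degenerate branches taken when \( \mathtt {BadT}\), \( \mathtt {BadZ}\), or \( \mathtt {BadY}\) fires, and represents the intermediate inputs \( \mathsf {X}_{i}[a] \) and the values \( \mathsf {pad}_n(\mathsf {M}_{i}[\ell _i]) \) as integers):

```python
import secrets
from functools import reduce
from operator import xor

def ideal_sample(x_blocks, last_pad, n=128):
    """Schematic reset-sampling for the ideal oracle (bad-event checks omitted)."""
    q = len(x_blocks)
    T = [secrets.randbelow(2**n) for _ in range(q)]              # final outputs, sampled uniformly

    # R_x: without-replacement samples from {0,1}^n \ T, one per distinct intermediate input x.
    used, R = set(T), {}
    for x in {x for blocks in x_blocks for x in blocks}:
        r = secrets.randbelow(2**n)
        while r in used:
            r = secrets.randbelow(2**n)
        used.add(r)
        R[x] = r

    Z = [[R[x] for x in blocks] for blocks in x_blocks]          # Z_i[a] = R_{X_i[a]}
    Z_xor = [reduce(xor, zs, pad) for zs, pad in zip(Z, last_pad)]

    Y = [list(zs) for zs in Z]                                   # Stage 1: Y_i[a] = Z_i[a]
    for i, blocks in enumerate(x_blocks):                        # Stage 2: reset on full collisions
        for a, x in enumerate(blocks):
            for j in range(q):
                if x == Z_xor[j]:
                    Y[i][a] = T[j]                               # X_i[a] = Z_j^xor  =>  Y_i[a] = T_j
    return T, Y
```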

The following must hold due to the condition \( \lnot \mathtt {BadZ}\):

  • For each \( (i,a) \in \mathcal {I}\times [\ell _i-1] \), there is a unique choice for j (if it exists) such that \( \mathsf {Y}_{i}[a] \) is reset to \( \mathsf {T}_j \). Otherwise, \( \lnot \mathtt {BadZ1}\) is violated.

  • Continuing the previous point, we must have \( j \ne i \). Otherwise, \( \lnot \mathtt {BadZ2}\) is violated. Indeed, \( i = j \) incurs a trivial inconsistency: \( (\mathsf {Y}_{i}[a] = \mathsf {T}_i) \wedge (\mathsf {X}_{i}[a] \ne \mathsf {Y}^\oplus _i) \) due to the resetting mechanism.

  • For each \( i \in \mathcal {I}\), there exists at most one \( a \in [\ell _i-1] \), such that \( \mathsf {Y}_{i}[a] \) is reset. Otherwise, \( \lnot \mathtt {BadZ3}\) is violated.

  • For all \( j \in \mathcal {J}\), none of the intermediate outputs are reset. Otherwise, \( \lnot \mathtt {BadZ4}\) is violated.

To summarize, the ideal oracle ensures that for each full collision index at most one intermediate output is reset, and the resetting index is uniquely determined. Further, a full collision index cannot be a resetting index. Thus, \( \lnot \mathtt {BadZ}\) helps in avoiding trivial inconsistencies as well as keeping the resetting to a minimum. Now, we define two predicates on \( (\widetilde{\mathsf {X}},\widetilde{\mathsf {Z}},\widetilde{\mathsf {Y}}) \):

  • \( \mathtt {BadY1}: \exists i,j,k \in [q], \exists a \in [\ell _i-1], b \in [\ell _k-1], \text { such that } (\mathsf {X}_{i}[a] = \mathsf {Z}^{\oplus }_j) \wedge (\mathsf {Y}^{\oplus }_i = \mathsf {X}_{k}[b]) \).

  • \( \mathtt {BadY2}: \exists i,j,k \in [q], \exists a \in [\ell _i-1], \text { such that } (\mathsf {X}_{i}[a] = \mathsf {Z}^{\oplus }_j) \wedge (\mathsf {Y}^{\oplus }_i = \mathsf {Y}_k^{\oplus }) \).

We write \( \mathtt {BadY}:= \mathtt {BadY1}\vee \mathtt {BadY2}\). It is easy to see that \( \mathtt {BadY}\) simply handles the new inconsistencies that may arise due to the reset sampling. For example, \( \mathtt {BadY1}\) represents the scenario where resetting leads to collision between intermediate and final inputs. Similarly, \( \mathtt {BadY2}\) represents the scenario where resetting leads to collision between two final inputs.

Fig. 3. Resetting of \( \mathsf {Y}_{i}[a] \) due to the collision \( \mathsf {X}_{i}[a] = \mathsf {Z}^\oplus _j \). The red double line represents a collision arising in phase II sampling. The blue dashed edge represents the corresponding resetting in phase III sampling. (Color figure online)

If \( \mathtt {BadY}\) is true, then \( \mathsf {FlagY}\) is set to 1, and \( \widetilde{\mathsf {Y}}\) is redefined degenerately, as in the case of \( \mathtt {BadT}\) and \( \mathtt {BadZ}\). At this point, the ideal oracle transcript is completely defined.

Intuitively, if the ideal oracle is not sampling \( \widetilde{\mathsf {Y}}\) degenerately at any stage, then we must have \( (\widetilde{\mathsf {X}},\widetilde{\mathsf {Y}}^\oplus ) \leftrightsquigarrow (\widetilde{\mathsf {Y}},\widetilde{\mathsf {T}}) \). We justify this intuition in the following proposition.

Proposition 4.1

For \( \lnot (\mathtt {BadT}\vee \mathtt {BadZ}\vee \mathtt {BadY}) \), we must have \( (\widetilde{\mathsf {X}},\widetilde{\mathsf {Y}}^\oplus ) \leftrightsquigarrow (\widetilde{\mathsf {Y}},\widetilde{\mathsf {T}}) \).

Proof

We have

  • \(\widetilde{\mathsf {X}} \leftrightsquigarrow \widetilde{\mathsf {Z}} \), by definition of \( \widetilde{\mathsf {Z}}\). Moreover the resetting guarantees \(\widetilde{\mathsf {Z}} \leftrightsquigarrow \widetilde{\mathsf {Y}} \). Thus, \(\widetilde{\mathsf {X}} \leftrightsquigarrow \widetilde{\mathsf {Y}}. \)

  • We have \(\mathsf {Y}_{i}[a]=\mathsf {T}_j\) if and only if \(\mathsf {X}_{i}[a]=\mathsf {Z}^{\oplus }_j\). Now, \(\lnot \mathtt {BadZ4}\) implies that \(j \not \in \mathcal {I}\) thus, \( \mathsf {Y}^{\oplus }_j=\mathsf {Z}^{\oplus }_j \). Therefore, \(\mathsf {Y}_{i}[a]=\mathsf {T}_j \Rightarrow \mathsf {X}_{i}[a]= \mathsf {Y}^{\oplus }_j \). Also, \(\mathsf {X}_{i}[a]= \mathsf {Y}^{\oplus }_j\) implies \(j \not \in \mathcal {I}\) (due to \(\lnot \mathtt {BadY1}\)), thus, \( \mathsf {Z}^{\oplus }_j = \mathsf {Y}^{\oplus }_j \). This gives us \(\mathsf {X}_{i}[a]= \mathsf {Y}^{\oplus }_j \Rightarrow \mathsf {Y}_{i}[a]=\mathsf {T}_j \) from the second stage sampling of \(\mathsf {Y}\). Thus, \(\mathsf {X}_{i}[a]= \mathsf {Y}^{\oplus }_j \Leftrightarrow \mathsf {Y}_{i}[a]=\mathsf {T}_j \).

  • \( \lnot \mathtt {BadZ}\wedge \lnot \mathtt {BadY}\) and definition of \( \mathsf {Y}\) imply that \( \mathsf {Y}^{\oplus }_{i} \)’s are distinct. Also, \(\lnot \mathtt {BadT}\) implies that \(\mathsf {T}_i\)’s are distinct. Thus \( \widetilde{\mathsf {Y}}^{\oplus } \leftrightsquigarrow \widetilde{\mathsf {T}}\).

These observations suffice to conclude that \( (\widetilde{\mathsf {X}},\widetilde{\mathsf {Y}}^\oplus ) \leftrightsquigarrow (\widetilde{\mathsf {Y}},\widetilde{\mathsf {T}}) \).   \(\square \)

4.2 Transcript Analysis

Set of Transcripts: Given the description of the transcript random variable corresponding to the ideal oracle, we can define the set of transcripts \( \mathcal {T}\) as the set of all tuples \( \tau = (\widetilde{m},\widetilde{t},\widetilde{x},\widetilde{y},\mathrm {flagT},\mathrm {flagZ},\mathrm {flagY}) \), where

  • \( \widetilde{m}= (m_1,\ldots ,m_q) \), where \( m_i \in \left( \{0,1\}^{\le (n-s)2^s}\right) \) for \( i \in [q] \). For \( i \in [q] \), let \( \ell _i = \left\lfloor \frac{|m_i|}{n-s}\right\rfloor +1 \).

  • \( \widetilde{t}= (t_1,\ldots ,t_q) \), where \( t_i \in \{0,1\}^{n} \) for \( i \in [q] \);

  • \( \widetilde{x}= (x_1,\ldots ,x_q) \), where \( x_i = (x_i[1],\ldots ,x_i[\ell _i-1]) \) for \( i \in [q] \), and \( x_i[a] = \langle a \rangle _{s}\Vert m_i[a] \) for all \( a \in [\ell _i-1] \);

  • \( \widetilde{y}= (y_1,\ldots ,y_q) \), where \( y_i = (y_i[1],\ldots ,y_i[\ell _i-1]) \) for \( i \in [q] \), and \( y_i[a] \in \{0,1\}^n\) for all \( a \in [\ell _i-1] \).

  • \( \mathrm {flagT},\mathrm {flagZ},\mathrm {flagY} \in \{0,1\} \).

Furthermore, the following must always hold:

  1.

    if \( \mathrm {flagI} = 1 \) for some \( \mathrm {I} \in \{\mathrm {T,Z,Y}\} \), then \( y_i[a] = 0^n \) for all \( (i,a) \in [q] \times [\ell _i-1] \).

  2.

    if \( \mathrm {flagT} = 0 \), then \( t_i \)’s are all distinct.

  3.

    if \( \mathrm {flagI} = 0 \) for all \( \mathrm {I} \in \{\mathrm {T,Z,Y}\} \), then \( (\widetilde{x},\widetilde{y}^\oplus ) \leftrightsquigarrow (\widetilde{y},\widetilde{t}) \).

The first two conditions are obvious from the ideal oracle sampling mechanism. The last condition follows from Proposition 4.1 and the observation that in ideal oracle sampling for any \( \mathsf {I} \in \{\mathsf {T},\mathsf {Z},\mathsf {Y}\} \), \( \mathsf {FlagI} = 1 \) if and only if \( \mathtt {Bad}\mathsf {I} \) is true. Note that, condition 3 is vacuously true for real oracle transcripts.

Bad Transcript: A transcript \( \tau \in \mathcal {T}\) is called bad if and only if the following predicate is true:

$$\begin{aligned} (\mathsf {FlagT}= 1) \vee (\mathsf {FlagZ}= 1) \vee (\mathsf {FlagY}= 1). \end{aligned}$$

In other words, we term a transcript bad if the ideal oracle sets \( \widetilde{\mathsf {Y}}\) degenerately. Let

$$\begin{aligned} \mathcal {T}_{\mathsf {bad}} := \{\tau \in \mathcal {T}:\tau \text { is bad.}\}. \end{aligned}$$

All other transcripts \( \tau ' = (\widetilde{m},\widetilde{t},\widetilde{x},\widetilde{y},\mathrm {flagT},\mathrm {flagZ},\mathrm {flagY}) \in \mathcal {T}\setminus \mathcal {T}_{\mathsf {bad}} \) are called good. From the preceding characterization of the set of transcripts, we conclude that for any good transcript \( \tau ' \), we must have \( (\widetilde{x},\widetilde{y}^\oplus ) \leftrightsquigarrow (\widetilde{y},\widetilde{t}) \). Henceforth, we drop the \( \mathrm {flagT} \), \( \mathrm {flagZ} \), \( \mathrm {flagY} \) notations for any good transcript, with the implicit understanding that \( \mathrm {flagT} = \mathrm {flagZ} = \mathrm {flagY} = 0 \).

To apply the H-coefficient theorem we have to upper bound the probability \( {\Pr _{ }\left[ \mathsf {\mathbb {I}}\in \mathcal {T}_{\mathsf {bad}}\right] } \) and lower bound the ratio \( {\Pr _{ }\left[ \mathsf {\mathbb {R}}= \tau \right] }/{\Pr _{ }\left[ \mathsf {\mathbb {I}}= \tau \right] } \) for any \( \tau \in \mathcal {T}\setminus \mathcal {T}_{\mathsf {bad}} \).

Lemma 4.1

(bad transcript analysis). For \( 4\ell _{\max }+q \le 2^{n-1} \), we have

$$\begin{aligned} {\Pr _{ }\left[ \mathsf {\mathbb {I}}\in \mathcal {T}_{\mathsf {bad}}\right] } \le \frac{3q^2}{2^{n+1}}+ \frac{2.5q^3\ell _{\max }^2}{2^{2n}} + \frac{4 q^3 \ell _{\max }}{2^{2n}} + \frac{4 q^4 \ell _{\max }^2}{2^{3n}} + \frac{2 \sigma }{2^n}. \end{aligned}$$

The proof of this lemma is postponed to Sect. 4.3.

Good Transcript: Now, fix a good transcript \( \tau = (\widetilde{m},\widetilde{t},\widetilde{x},\widetilde{y}) \). Let \( \sigma ' := |\widetilde{x}| \). Since \( \tau \) is good, we have \( (\widetilde{x},\widetilde{y}^\oplus ) \leftrightsquigarrow (\widetilde{y},\widetilde{t}) \). Then, we must have \( |\widetilde{y}^\oplus | = q \). Further, let \( |\widetilde{x}\cap \widetilde{y}^\oplus | = r \). Thus, \( |\widetilde{x}\cup \widetilde{y}^\oplus | = q+\sigma '-r \).

Real World: In the real world, the random permutation \( \mathsf {\Pi }\) is sampled on exactly \( q+\sigma '-r \) distinct points. Thus, we have

$$\begin{aligned} {\Pr _{ }\left[ \mathsf {\mathbb {R}}= \tau \right] } = \frac{1}{(2^n)_{q+\sigma '-r}}. \end{aligned}$$
(8)

Ideal World: Here, the probability computation is slightly involved due to the two stage sampling employed in the ideal oracle. First of all, we have

$$\begin{aligned} {\Pr _{ }\left[ \widetilde{\mathsf {T}}= \widetilde{t}\right] } = \frac{1}{2^{nq}}, \end{aligned}$$
(9)

since each \( \mathsf {T}_i \) is sampled uniformly from the set \( \{0,1\}^n\) independent of others. Now, observe that all the full collision and resetting indices are fully determined from the transcript \( \tau \) itself. In other words, we can enumerate the set \( \widetilde{\mathsf {FCT}} \). Now, since the transcript is good, we must have \( |\widetilde{\mathsf {FCT}}| = |\widetilde{x}\cap \widetilde{y}^\oplus | = r \), and for all indices \( (i,a) \notin \widetilde{\mathsf {FCT}} \), we have \( \mathsf {Y}_{i}[a] = \mathsf {Z}_{i}[a] \). Thus, we have

$$\begin{aligned} {\Pr _{ }\left[ \mathsf {Y}_{i}[a] = y_i[a] \wedge (i,a) \notin \widetilde{\mathsf {FCT}} ~|~ \widetilde{\mathsf {T}}=\widetilde{t}\right] }&= {\Pr _{ }\left[ \mathsf {Z}_{i}[a] = y_i[a] \wedge (i,a) \notin \widetilde{\mathsf {FCT}} ~|~ \widetilde{\mathsf {T}}= \widetilde{t}\right] } \nonumber \\&= \frac{1}{(2^n-q)_{\sigma '-r}}, \end{aligned}$$
(10)

where the second equality follows from the fact that truncation of a without replacement sample from a set of size \( (2^n-q) \) is still a without replacement sample from the same set. We have

$$\begin{aligned} {\Pr _{ }\left[ \mathsf {\mathbb {I}}= \tau \right] }&= {\Pr _{ }\left[ \widetilde{\mathsf {T}}= \widetilde{t}\right] } \times {\Pr _{ }\left[ \widetilde{\mathsf {Y}}= \widetilde{y}~|~\widetilde{\mathsf {T}}=\widetilde{t}\right] }\nonumber \\&\le \frac{1}{2^{nq}} \times {\Pr _{ }\left[ \mathsf {Y}_{i}[a] = y_i[a] \wedge (i,a) \notin \widetilde{\mathsf {FCT}} ~|~ \widetilde{\mathsf {T}}=\widetilde{t}\right] }\nonumber \\&= \frac{1}{2^{nq}} \times \frac{1}{(2^n-q)_{\sigma '-r}}. \end{aligned}$$
(11)

The above discussion on good transcripts can be summarized in the following lemma.

Lemma 4.2

For any \( \tau \in \mathcal {T}\setminus \mathcal {T}_{\mathsf {bad}} \), we have

$$\begin{aligned} \frac{{\Pr _{ }\left[ \mathsf {\mathbb {R}}=\tau \right] }}{{\Pr _{ }\left[ \mathsf {\mathbb {I}}= \tau \right] }} \ge 1. \end{aligned}$$

Proof

The proof follows from dividing Eq. (8) by Eq. (11).   \(\square \)
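In more detail, since \( (2^n)_{q+\sigma '-r} = (2^n)_{q}\cdot (2^n-q)_{\sigma '-r} \) and \( (2^n)_{q} \le 2^{nq} \), the division gives

$$\begin{aligned} \frac{{\Pr _{ }\left[ \mathsf {\mathbb {R}}=\tau \right] }}{{\Pr _{ }\left[ \mathsf {\mathbb {I}}= \tau \right] }} \ge \frac{2^{nq}\,(2^n-q)_{\sigma '-r}}{(2^n)_{q+\sigma '-r}} = \frac{2^{nq}}{(2^n)_{q}} \ge 1. \end{aligned}$$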

From the H-coefficient technique (Theorem 2.1) and Lemmas 4.1 and 4.2, we get

$$\begin{aligned} \mathbf {Adv}^{\mathsf {prf}}_{\textsf {1k}\hbox {-}\textsf {LightMAC} _{\mathsf {\Pi }}}(\mathscr {A}) \le \frac{3q^2}{2^{n+1}}+ \frac{2.5q^3\ell _{\max }^2}{2^{2n}} + \frac{4 q^3 \ell _{\max }}{2^{2n}} + \frac{4 q^4 \ell _{\max }^2}{2^{3n}} + \frac{2 \sigma }{2^n}. \end{aligned}$$
(12)

Theorem 4.1 follows from Eq. (7) and (12).

4.3 Proof of Lemma 4.1

We have

$$\begin{aligned} {\Pr _{ }\left[ \mathsf {\mathbb {I}}\in \mathcal {T}_{\mathsf {bad}}\right] }&= {\Pr _{ }\left[ (\mathsf {FlagT}= 1) \vee (\mathsf {FlagZ}=1) \vee (\mathsf {FlagY}=1)\right] }\\&= {\Pr _{ }\left[ \mathtt {BadT}\vee \mathtt {BadZ}\vee \mathtt {BadY}\right] }\\&\le {\Pr _{ }\left[ \mathtt {BadT}\right] } + {\Pr _{ }\left[ \mathtt {BadZ}|\lnot \mathtt {BadT}\right] } + {\Pr _{ }\left[ \mathtt {BadY}|\lnot (\mathtt {BadT}\vee \mathtt {BadZ})\right] } \end{aligned}$$

We will handle the three terms on the right-hand side separately. Before delving further, we introduce a few more notations.

A few more notations: For simplicity, we denote the last padded block of any message \(m_i\) by \(m_i[\ell _{i}]\) instead of \(\mathsf {pad}_n(m_i[\ell _i])\). For any \((i,a)\ \text{ with }\ i \in [q], a \in [\ell _i]\), \(\mathsf {Z}^{\oplus \setminus {a}}_{i}\) (res. \(\mathsf {Y}^{\oplus \setminus {a}}_{i}\)) denotes \(\bigoplus _{b \ne a} \mathsf {Z}_{i}[b] \oplus m_i[\ell _i] \) (res. \(\bigoplus _{b \ne a} \mathsf {Y}_{i}[b] \oplus m_i[\ell _i])\).

While we bound the probability of the bad events, we need to deal with systems of equations in the \( \mathsf {Z}\) variables. Note that \( \mathsf {Z}\) can be viewed as \( \mathsf {\Pi }(\mathsf {X}) \) for the corresponding \( \mathsf {X}\) variable. We will often employ Lemma 2.1 implicitly (without referring to it at each application) to bound the probability that these systems of equations hold.

  1.

    Bounding \( {\Pr _{ }\left[ \mathtt {BadT}\right] } \): We have at most \( {q \atopwithdelims ()2} \) choices for (i, j), and for each such pair, \( \mathsf {T}_{i} = \mathsf {T}_{j} \) holds with probability exactly \( 2^{-n} \). Thus, we have

    $$\begin{aligned} {\Pr _{ }\left[ \mathtt {BadT}\right] } \le \frac{q^2}{2^{n+1}}. \end{aligned}$$
    (13)
  2.

    Bounding \( {\Pr _{ }\left[ \mathtt {BadZ}|\lnot \mathtt {BadT}\right] } \): Here, we have four cases.

    (a)

      \( \mathtt {BadZ1}: \exists i \ne j \in [q],\text { such that }\mathsf {Z}_i^{\oplus } = \mathsf {Z}_j^{\oplus } \). This is similar to \( \mathtt {BadT}\) above. We have

      $$\begin{aligned} {\Pr _{ }\left[ \mathtt {BadZ1}|\lnot \mathtt {BadT}\right] } \le \frac{q^2}{2\cdot (2^n - q - 2\ell _{\max })}. \end{aligned}$$
    (b)

      \( \mathtt {BadZ2}: \exists (i,a) \in [q] \times [\ell _i-1],\text { such that }\mathsf {X}_{i}[a] = \mathsf {Z}_i^{\oplus } \). It is easy to see that

      $$\begin{aligned} {\Pr _{ }\left[ \mathtt {BadZ2}|\lnot \mathtt {BadT}\right] } \le \sum _{i=1}^{q} \frac{\ell _i-1}{2^n - q - \ell _{\max }} \le \frac{\sigma }{2^n-q-\ell _{\max }}. \end{aligned}$$
    (c)

      \( \mathtt {BadZ3}: \exists i \ne j \ne k \in [q], a,b \in [\ell _i-1],\text { such that }(\mathsf {X}_{i}[a] = \mathsf {Z}_j^{\oplus }) \wedge (\mathsf {X}_{i}[b] = \mathsf {Z}_k^{\oplus }) \). Here, \( j \ne k \) implies that the system of equations has rank 2. Thus, using Lemma 2.1, we have

      $$\begin{aligned} {\Pr _{ }\left[ \mathtt {BadZ3}|\lnot \mathtt {BadT}\right] } \le \frac{q^3 \ell _{\max }^2}{12(2^n-q-2\ell _{\max })^2}. \end{aligned}$$
    (d)

      \( \mathtt {BadZ4}: \exists i \ne j \ne k \in [q], a \in [\ell _i-1], b \in [\ell _j-1],\text { such that }(\mathsf {X}_{i}[a] = \mathsf {Z}_j^{\oplus }) \wedge (\mathsf {X}_{j}[b] = \mathsf {Z}_k^{\oplus }) \). Using a similar argument as above, we have

      $$\begin{aligned} {\Pr _{ }\left[ \mathtt {BadZ4}|\lnot \mathtt {BadT}\right] } \le \frac{q^3 \ell _{\max }^2}{12(2^n-q-2\ell _{\max })^2}. \end{aligned}$$

    Combining all four cases and assuming \( q + 2\ell _{\max } \le 2^{n-1} \), we have

    $$\begin{aligned} {\Pr _{ }\left[ \mathtt {BadZ}|\lnot \mathtt {BadT}\right] } \le \frac{q^2}{2^n} + \frac{0.34q^3 \ell _{\max }^2}{2^{2n}} + \frac{2 \sigma }{2^n} \end{aligned}$$
    (14)
  3. 3.

    Bounding \( {\Pr _{ }\left[ \mathtt {BadY}|\lnot (\mathtt {BadT}\vee \mathtt {BadZ})\right] } \): Here, we have two cases:

    1. (a)

      \( \mathtt {BadY1}:\exists i,j,k \in [q],\exists a \in [\ell _i-1], b \in [\ell _k-1] \text { such that }(\mathsf {X}_{i}[a] = \mathsf {Z}^{\oplus }_j) \wedge (\mathsf {Y}^{\oplus }_i = \mathsf {X}_{k}[b]) \). By virtue of the resetting mechanism and \( \lnot \mathtt {BadZ}\), we arrive at an equivalent system of \( \mathsf {Z}\)-equations

      $$\begin{aligned} \mathsf {Z}^\oplus _{j}&= \mathsf {X}_{i}[a]\\ \mathsf {Z}^{\oplus \setminus {a}}_{i}&= \mathsf {X}_{k}[b]\oplus \mathsf {T}_{j} \end{aligned}$$

      We claim that the system always has rank 2. This can be argued as follows: Suppose the system has rank less than 2. Then, we must have \( \mathsf {Z}^\oplus _{j} \oplus \mathsf {X}_{i}[a] \oplus \mathsf {Z}^{\oplus \setminus {a}}_{i} \oplus \mathsf {X}_{k}[b]\oplus \mathsf {T}_{j} = 0^n \). However, the \( \widetilde{\mathsf {Z}}\) values are sampled from \( \{0,1\}^n\setminus \widetilde{\mathsf {T}}\), so \( \mathsf {T}_j \) cannot cancel out trivially, and the system must always have rank 2. Given that the rank is 2, we can always rewrite the system of equations such that we have one equation in \( \mathsf {T}_j \) and another equation involving some \( \mathsf {Z}\) variables. The first equation holds with probability at most \( 1/2^{n} \) (using the randomness of \( \mathsf {T}_j \)), and conditioned on this, the second equation holds with probability at most \( 1/(2^{n}-q-2\ell _{\max }) \). Thus, we have

      $$\begin{aligned} {\Pr _{ }\left[ \mathtt {BadY1}|\lnot (\mathtt {BadT}\vee \mathtt {BadZ})\right] } \le \frac{q^3 \ell _{\max }^2 }{2^{n}(2^{n}-q-2\ell _{\max })}. \end{aligned}$$
    2. (b)

      \( \mathtt {BadY2}:\exists i,j,k \in [q], \exists a \in [\ell _i-1], \text { such that }(\mathsf {X}_{i}[a] = \mathsf {Z}^{\oplus }_j) \wedge (\mathsf {Y}^{\oplus }_i = \mathsf {Y}_k^{\oplus })\). Here we get \( \mathsf {X}_{i}[a] = \mathsf {Z}^\oplus _{j} \wedge \mathsf {Z}^{\oplus \setminus {a}}_{i} = \mathsf {Y}^\oplus _{k} \oplus \mathsf {T}_j\), which we analyze in the following two subcases:

      • Case A: when \(k \not \in \mathcal {I}\): Then the above system becomes

        $$\begin{aligned} \mathsf {Z}^\oplus _{j}&= \mathsf {X}_{i}[a]\\ \mathsf {Z}^{\oplus \setminus {a}}_{i}&= \mathsf {Z}^\oplus _{k}\oplus \mathsf {T}_{j} \end{aligned}$$

        Using a similar argument as before, we conclude that the system has rank 2. Therefore, we have

        $$\begin{aligned} {\Pr _{ }\left[ \mathtt {BadY2}\wedge \text{ Case } \text{ A } | \lnot (\mathtt {BadZ}\vee \mathtt {BadT})\right] } \le \frac{q^3 \ell _{\max }}{(2^{n}-q-3\ell _{\max })^2}. \end{aligned}$$
      • Case B: when \(k \in \mathcal {I}\): In this case we have the following system of equations:

        $$\begin{aligned} \mathsf {Z}^\oplus _{j}&=\mathsf {X}_{i}[a]\\ \mathsf {Z}^\oplus _{l}&=\mathsf {X}_{k}[b]\\ \mathsf {Z}^{\oplus \setminus {a}}_{i} \oplus \mathsf {Z}^{\oplus \setminus {b}}_{k}&= \mathsf {T}_{j} \oplus \mathsf {T}_{l} \end{aligned}$$

        We must have \( j \ne l \); otherwise we would have \( \mathsf {Z}_i^\oplus = \mathsf {Z}_k^\oplus \), which again violates \( \lnot \mathtt {BadZ}\). Now, \( j \ne l \) and \( \lnot \mathtt {BadZ}\) imply that \( \mathsf {Z}_j^\oplus \ne \mathsf {Z}^\oplus _l \). Then, following a similar line of argument as before, we conclude that the system has rank 3. Therefore, we have

        $$\begin{aligned} {\Pr _{ }\left[ \mathtt {BadY2}\wedge \text {Case B}|\lnot (\mathtt {BadZ}\vee \mathtt {BadT})\right] } \le \frac{q^4 \ell _{\max }^2}{2^n(2^{n}-q-4\ell _{\max })^2}. \end{aligned}$$

    Combining all the cases with the assumption that \( q+4\ell _{\max } \le 2^{n-1} \), we have

    $$\begin{aligned} {\Pr _{ }\left[ \mathtt {BadY}|\lnot (\mathtt {BadT}\vee \mathtt {BadZ})\right] } \le \frac{2 q^3 \ell _{\max }^2}{2^{2n}} + \frac{4 q^3 \ell _{\max }}{2^{2n}} + \frac{4 q^4 \ell _{\max }^2}{2^{3n}}. \end{aligned}$$
    (15)

The result follows from summing up Eq. (13)–(15).    \(\square \)

5 LightMAC-ds: A Minute Variant of Single-Key LightMAC

In the previous section we showed that single-key LightMAC achieves query-length independent security bounds whenever \( \ell _{\min } \ge 2 \) and \( \ell _{\max } \le 2^{n/4} \). We now propose a simple variant of LightMAC that achieves query-length independent security unconditionally.

5.1 Description of LightMAC-ds

For any \( x \in \{0,1\}^n\) and \( k < n \), let \( \mathsf {chop}_k(x) \) denote the most significant \( n-k \) bits of x. The complete algorithmic description of LightMAC-ds is given in Algorithm 5.1.

[Algorithm 5.1: algorithmic description of LightMAC-ds]

It is clear from the description that LightMAC-ds uses the familiar technique of domain separation to generate two “almost independent” instances of \( {E}\). Specifically, we fix the most significant bit of the block cipher input to

  • 0 in the processing of encoded message blocks (see line no. 5 in Algorithm 5.1).

  • 1 in the tag generation call (see line no. 10 in Algorithm 5.1).

Since one bit is reserved for domain separation, the effective counter size is reduced to \( s-1 \) for some global parameter \( s < n \). Thus, the maximum message length can be at most \( (n-s)2^{s-1} \), which is a slight drop from \( (n-s)2^s \) in the case of LightMAC, for large values of n and s.
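To make the description concrete, the following is a minimal Python sketch of LightMAC-ds (our own illustration, not the paper's reference code). It assumes byte-aligned messages with \( 8 \mid (n-s) \), and a caller-supplied n-bit block cipher E modelled as a callable on n-bit integers; the function name lightmac_ds and the defaults n = 128, s = 32 are ours.

```python
def lightmac_ds(E, msg: bytes, n: int = 128, s: int = 32) -> int:
    """Tag generation for the single-key, domain-separated LightMAC variant."""
    blk = (n - s) // 8                    # one (n - s)-bit message block, in bytes
    full = len(msg) // blk                # number of counter-indexed blocks (= l - 1)
    assert full < 2 ** (s - 1), "message too long for the (s-1)-bit counter"

    y_sum = 0
    for a in range(1, full + 1):
        m_a = int.from_bytes(msg[(a - 1) * blk: a * blk], "big")
        x_a = (a << (n - s)) | m_a        # X[a] = 0 || <a>_{s-1} || M[a]
        y_sum ^= E(x_a)                   # line 5: domain bit fixed to 0

    last = msg[full * blk:]               # last (possibly empty) partial block
    pad = (int.from_bytes(last, "big") << (n - 8 * len(last))) \
          | (1 << (n - 8 * len(last) - 1))
    y_sum ^= pad                          # Y^xor := xor of outputs xor pad_n(M[l])

    # line 10: tag call with domain bit 1 followed by the top n-1 bits of Y^xor
    return E((1 << (n - 1)) | (y_sum >> 1))
```

For instance, E could be instantiated with a 128-bit block cipher such as AES-128 applied to single 16-byte blocks, converting between bytes and integers. Note how the domain bit and the (s-1)-bit counter together occupy the s most significant bits of every intermediate input, which is exactly why the maximum message length drops to \( (n-s)2^{s-1} \) bits, as noted above.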

5.2 Security of LightMAC-ds

Surprisingly (or not), the security argument for LightMAC-ds is quite similar to the one for single-key LightMAC. In fact, it is slightly easier to argue the security here, as we have already ensured \( \lnot \mathtt {Icoll} \) (see Sect. 3.2) by virtue of domain separation. However, we still have to handle \( \mathtt {Ocoll} \) (see Sect. 3.2), which requires some care while sampling the intermediate outputs in the ideal world. Note that such complications do not arise in the case of LightMAC, for the obvious reason that the primitives used to generate the intermediate and final outputs are independent. The PRF security of LightMAC-ds is presented in Theorem 5.1.

Theorem 5.1

Let \( q,\ell _{\max },T > 0 \). For \( q+2\ell _{\max } \le 2^{n-1} \), the PRF security of LightMAC-ds against \( \mathbb {A}(q,T) \) is given by

$$ \mathbf {Adv}^{\mathsf {prf}}_{\mathsf {LightMAC}\hbox {-}\mathsf {ds}}(q,T) \le \mathbf {Adv}^{\mathsf {prp}}_{{E}}(\sigma +q,T') + \frac{2.5q^2}{2^{n}}, $$

where \( \ell _{\max } \) denotes an upper bound on the number of blocks in any padded query, \( T' = T + O(T_{E}) \), and \( T_{E}\) denotes the runtime of \( {E}\).

As expected, the proof is quite similar to, and a bit easier than, the proof of Theorem 4.1. As the first step, we apply the hybrid argument to get

$$\begin{aligned} \mathbf {Adv}^{\mathsf {prf}}_{\mathsf {LightMAC}\hbox {-}\mathsf {ds}}(q,T) \le \mathbf {Adv}^{\mathsf {prp}}_{{E}}(\sigma +q,T') + \mathbf {Adv}^{\mathsf {prf}}_{\textsf {LightMAC}\hbox {-}\textsf {ds} _{\mathsf {\Pi }}}(q,\infty ). \end{aligned}$$
(16)

We are interested in a bound on the PRF security of \( \textsf {LightMAC}\hbox {-}\textsf {ds} _{\mathsf {\Pi }} \), henceforth also referred to as the real oracle. Fix any \( \mathscr {A}\in \mathbb {A}(q,\infty ) \) such that

$$\begin{aligned} \mathbf {Adv}^{\mathsf {prf}}_{\textsf {LightMAC}\hbox {-}\textsf {ds} _{\mathsf {\Pi }}}(q,\infty ) = \mathbf {Adv}^{\mathsf {prf}}_{\textsf {LightMAC}\hbox {-}\textsf {ds} _{\mathsf {\Pi }}}(\mathscr {A}). \end{aligned}$$

Going forward, we will bound the advantage of \( \mathscr {A}\) using the H-coefficient technique.

5.3 Description of Oracles and Their Transcripts

Real Oracle: The real oracle is defined analogously to the one in the proof of Theorem 4.1; we describe it here just for the sake of completeness. The real oracle faithfully responds to all the queries made by \( \mathscr {A}\). Once the query-response phase is over, it releases all the intermediate inputs and outputs to \( \mathscr {A}\). Additionally, the real oracle releases two binary flags, \( \mathsf {FlagT}\) and \( \mathsf {FlagZ}\), that are degenerately set to 0. Formally, we have

$$\begin{aligned} \mathsf {\mathbb {R}}:= (\widetilde{\mathsf {M}},\widetilde{\mathsf {T}},\widetilde{\mathsf {X}},\widetilde{\mathsf {Y}},\mathsf {FlagT},\mathsf {FlagZ}), \end{aligned}$$

where

  • \( \widetilde{\mathsf {M}}= (\mathsf {M}_{1},\ldots ,\mathsf {M}_{q}) \) denotes the q-tuple of queries made by \( \mathscr {A}\), where \( \mathsf {M}_{i} \in \{0,1\}^{\le (n-s)2^{s-1}} \) for all \( i \in [q] \). In addition, for all \( i \in [q] \), let \( \ell _{i} := {\lfloor \frac{|\mathsf {M}_i|}{n-s}\rfloor } + 1 \).

  • \( \widetilde{\mathsf {T}}= (\mathsf {T}_{1},\ldots ,\mathsf {T}_{q}) \) denotes the q-tuple of final outputs received by \( \mathscr {A}\), where \( \mathsf {T}_i \in \{0,1\}^n\).

  • \( \widetilde{\mathsf {X}}= (\mathsf {X}_{1},\ldots ,\mathsf {X}_{q}) \), where \( \mathsf {X}_i \) denotes the intermediate input tuple for the i-th query, i.e., for all \( a \in [\ell _i-1] \), \( \mathsf {X}_{i}[a] = 0\Vert \langle a \rangle _{s-1}\Vert \mathsf {M}_{i}[a] \).

  • \( \widetilde{\mathsf {Y}}= (\mathsf {Y}_{1},\ldots ,\mathsf {Y}_{q}) \), where \( \mathsf {Y}_i \) denotes the intermediate output tuple for the i-th query, i.e., for all \( a \in [\ell _i-1] \), \( \mathsf {Y}_{i}[a] = \mathsf {\Pi }(\mathsf {X}_{i}[a]) \). In addition, let \( \widetilde{\mathsf {Y}}^\oplus := (\mathsf {Y}^\oplus _1,\ldots ,\mathsf {Y}^\oplus _q) \), where \( \mathsf {Y}^\oplus _i := \bigoplus _{a\in [\ell _i-1]} \mathsf {Y}_{i}[a] \oplus \mathsf {pad}_n(\mathsf {M}_{i}[\ell _i]) \) for all \( i \in [q] \).

  • \( \mathsf {FlagT}= \mathsf {FlagZ}= 0 \).

Let \( \mathsf {chop}_1(\widetilde{\mathsf {Y}}^\oplus ) := (1\Vert \mathsf {chop}_1(\mathsf {Y}^{\oplus }_{1}),\ldots ,1\Vert \mathsf {chop}_1(\mathsf {Y}^{\oplus }_{q})) \). It is straightforward to see that in the real world we always have \( (\widetilde{\mathsf {X}},\mathsf {chop}_1(\widetilde{\mathsf {Y}}^\oplus )) \leftrightsquigarrow (\widetilde{\mathsf {Y}},\widetilde{\mathsf {T}}) \), i.e., \( (\widetilde{\mathsf {X}},\mathsf {chop}_1(\widetilde{\mathsf {Y}}^\oplus )) \) is permutation compatible with \( (\widetilde{\mathsf {Y}},\widetilde{\mathsf {T}}) \).

Ideal Oracle: We reuse the notations from the real oracle description to represent the variables in the ideal oracle transcript \( \mathsf {\mathbb {I}}\), i.e.,

$$\begin{aligned} \mathsf {\mathbb {I}}:= (\widetilde{\mathsf {M}},\widetilde{\mathsf {T}},\widetilde{\mathsf {X}},\widetilde{\mathsf {Y}},\mathsf {FlagT},\mathsf {FlagZ}). \end{aligned}$$

The ideal oracle transcript is described in two phases, with the second one contingent on some predicate defined over the first stage. Specifically, the ideal oracle initializes \( \mathsf {FlagT}= \mathsf {FlagZ}= 0 \), and then follows the sampling mechanism given below:

In the query-response phase, the ideal oracle faithfully simulates a uniform random function. Formally, for \( i \in [q] \), at the i-th query \( \mathsf {M}_{i} \in \{0,1\}^{\le (n-s)2^{s-1}} \), the ideal oracle outputs \( \mathsf {T}_{i} \) sampled uniformly at random from \( \{0,1\}^n\). The partial transcript generated at the end of the query-response phase is given by \( (\widetilde{\mathsf {M}},\widetilde{\mathsf {T}},\widetilde{\mathsf {X}}) \), where

  • \( \widetilde{\mathsf {M}}= (\mathsf {M}_1,\ldots ,\mathsf {M}_{q}) \) and \( \widetilde{\mathsf {T}}= (\mathsf {T}_1,\ldots ,\mathsf {T}_{q}) \).

  • \( \widetilde{\mathsf {X}}= (\mathsf {X}_1,\ldots ,\mathsf {X}_{q}) \), where \( \mathsf {X}_i = (\mathsf {X}_{i}[1],\ldots ,\mathsf {X}_{i}[\ell _{i}-1]) \) and \( \mathsf {X}_{i}[a] := 0\Vert \langle a \rangle _{s-1}\Vert \mathsf {M}_{i}[a] \) for all \( (i,a) \in [q] \times [\ell _{i}-1] \).

Now, we define a predicate on \( \widetilde{\mathsf {T}}\):

[Predicate \( \mathtt {BadT}\): \( \exists i \ne j \in [q] \) such that \( \mathsf {T}_{i} = \mathsf {T}_{j} \)]

If \( \mathtt {BadT}\) is true, then \( \mathsf {FlagT}= 1 \), and \( \widetilde{\mathsf {Y}}= (\mathsf {Y}_{1},\ldots ,\mathsf {Y}_{q}) \) is defined degenerately: \( \mathsf {Y}_{i}[a] = 0^n \) for all \( (i,a) \in [q] \times [\ell _{i}-1] \). Otherwise, the ideal oracle proceeds to the next phase.

In the offline phase, the ideal oracle initially makes the following sampling:

[Sampling: \( (\mathsf {R}_{x_1},\ldots ,\mathsf {R}_{x_t}) \) drawn uniformly without replacement from \( \{0,1\}^n\setminus \widetilde{\mathsf {T}}\)]

where \( (x_1,\ldots ,x_t) \) is an arbitrary ordering of the set

$$\begin{aligned} \mathbb {X}(\widetilde{\mathsf {X}}):= \{x: x=\mathsf {X}_i[a], (i,a) \in [q] \times [\ell _i-1]\}. \end{aligned}$$

Next, the ideal oracle sets

  • \( \mathsf {Z}_i[a]:=\mathsf {R}_x \) if \( x = \mathsf {X}_i[a] \), for all \( (i,a) \in [q] \times [\ell _i-1] \), and

  • \( \mathsf {Z}_i^{\oplus } := \bigoplus _{a=1}^{\ell _i-1}\mathsf {Z}_i[a] \oplus \mathsf {pad}_n(\mathsf {M}_i[\ell _i]) \).

At this stage we have \( \mathsf {Z}_{i}[a] = \mathsf {Z}_{j}[b] \) if and only if \( \mathsf {X}_{i}[a] = \mathsf {X}_{j}[b] \). In other words, \( \widetilde{\mathsf {X}} \leftrightsquigarrow \widetilde{\mathsf {Z}} \). But the same might not hold for \( \mathsf {chop}_1(\widetilde{\mathsf {Z}}^\oplus ) \) and \( \widetilde{\mathsf {T}}\). Now, we define a predicate on \( (\widetilde{\mathsf {Z}},\widetilde{\mathsf {X}}) \):

[Predicate \( \mathtt {BadZ}\) on \( (\widetilde{\mathsf {Z}},\widetilde{\mathsf {X}}) \): roughly, \( \exists i \ne j \in [q] \) such that \( \mathsf {chop}_1(\mathsf {Z}^{\oplus }_i) = \mathsf {chop}_1(\mathsf {Z}^{\oplus }_j) \); cf. the cases bounded in Lemma 5.1]

Note that \( \lnot \mathtt {BadZ}\) ensures \( \mathsf {chop}_1(\widetilde{\mathsf {Z}}^\oplus ) \leftrightsquigarrow \widetilde{\mathsf {T}} \), which, when coupled with \( \widetilde{\mathsf {X}} \leftrightsquigarrow \widetilde{\mathsf {Z}} \) (due to the sampling mechanism), ensures \( (\widetilde{\mathsf {X}},\mathsf {chop}_1(\widetilde{\mathsf {Z}}^\oplus )) \leftrightsquigarrow (\widetilde{\mathsf {Z}},\widetilde{\mathsf {T}}) \). Intuitively, this makes the ideal world behave almost like the real world.

If \( \mathtt {BadZ}\) is true, then \( \mathsf {FlagZ}= 1 \), and \( \widetilde{\mathsf {Y}}:= (\mathsf {Y}_{1},\ldots ,\mathsf {Y}_{q}) \) is again defined degenerately, as in the case of \( \mathtt {BadT}\). Otherwise, \( \widetilde{\mathsf {Y}}:= \widetilde{\mathsf {Z}}\). At this point, the transcript random variable for the ideal world is completely determined.
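Before moving to the transcript analysis, the following rough Python sketch (ours, not the paper's pseudocode) summarizes the offline phase just described. Here X[i] lists the intermediate inputs \( \mathsf {X}_{i}[a] \), pads[i] is \( \mathsf {pad}_n(\mathsf {M}_{i}[\ell _i]) \), and T holds the tags released online; \( \mathtt {BadZ}\) is modelled as a collision among the chopped checksums, which matches the cases bounded in Lemma 5.1 below.

```python
import secrets

def offline_phase(X, pads, T, n: int = 128):
    if len(set(T)) != len(T):                       # BadT: two tags collide
        return "FlagT"
    R, seen = {}, set(T)                            # sample outside the tag set
    for x in sorted({x for xs in X for x in xs}):   # one value per distinct X_i[a]
        while True:                                 # rejection sampling gives a
            r = secrets.randbits(n)                 # without-replacement draw from
            if r not in seen:                       # {0,1}^n minus T and earlier draws
                seen.add(r)
                R[x] = r
                break
    z_sum = []                                      # Z_i^xor = xor_a R[X_i[a]] xor pad
    for xs, pad in zip(X, pads):
        acc = pad
        for x in xs:
            acc ^= R[x]
        z_sum.append(acc)
    if len({z >> 1 for z in z_sum}) != len(z_sum):  # chop_1 = top n-1 bits
        return "FlagZ"                              # BadZ: chopped checksums collide
    return R, z_sum                                 # otherwise Y := Z
```

When neither flag is raised, the released tuple is permutation compatible by construction, mirroring the real world.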

5.4 Transcript Analysis

Set of Transcripts: Given the description of the transcript random variable corresponding to the ideal oracle, we can define the set of transcripts \( \mathcal {T}\) as the set of all tuples \( \tau = (\widetilde{m},\widetilde{t},\widetilde{x},\widetilde{y},\mathrm {flagT},\mathrm {flagZ}) \), where

  • \( \widetilde{m}= (m_1,\ldots ,m_q) \), where \( m_i \in \{0,1\}^{\le (n-s)2^{s-1}} \) for \( i \in [q] \). Let \( \ell _i = {\lfloor \frac{|m_i|}{n-s}\rfloor } + 1 \) for \( i \in [q] \).

  • \( \widetilde{t}= (t_1,\ldots ,t_q) \), where \( t_i \in \{0,1\}^{n} \) for \( i \in [q] \);

  • \( \widetilde{x}= (x_1,\ldots ,x_q) \), where \( x_i = (x_i[1],\ldots ,x_i[\ell _i-1]) \) for \( i \in [q] \), and \( x_i[a] = 0\Vert \langle a \rangle _{s-1}\Vert m_i[a] \) for all \( a \in [\ell _i-1] \);

  • \( \widetilde{y}= (y_1,\ldots ,y_q) \), where \( y_i = (y_i[1],\ldots ,y_i[\ell _i-1]) \) for \( i \in [q] \), and \( y_i[a] \in \{0,1\}^n\) for all \( a \in [\ell _i-1] \).

  • \( \mathrm {flagT},\mathrm {flagZ} \in \{0,1\} \).

Furthermore, the following must always hold:

  1. 1.

    if \( \mathrm {flagI} = 1 \) for some \( \mathrm {I} \in \{\mathrm {T,Z}\} \), then \( y_i[a] = 0^n \) for all \( (i,a) \in [q] \times [\ell _i-1] \).

  2. 2.

    if \( \mathrm {flagT} = 0 \), then \( t_i \)’s are all distinct.

  3. 3.

    if \( \mathrm {flagI} = 0 \) for all \( \mathrm {I} \in \{\mathrm {T,Z}\} \), then \( (\widetilde{x},\mathsf {chop}_1(\widetilde{y}^\oplus )) \leftrightsquigarrow (\widetilde{y},\widetilde{t}) \).

Bad Transcript: A transcript \( \tau \in \mathcal {T}\) is called bad if and only if the following predicate is true:

$$\begin{aligned} (\mathsf {FlagT}= 1) \vee (\mathsf {FlagZ}= 1). \end{aligned}$$

In other words, we term a transcript bad if the ideal oracle sets \( \widetilde{\mathsf {Y}}\) degenerately. Let

$$\begin{aligned} \mathcal {T}_{\mathsf {bad}} := \{\tau \in \mathcal {T}:\tau \text { is bad.}\}. \end{aligned}$$

All other transcripts \( \tau ' = (\widetilde{m},\widetilde{t},\widetilde{x},\widetilde{y},\mathrm {flagT},\mathrm {flagZ}) \in \mathcal {T}\setminus \mathcal {T}_{\mathsf {bad}} \) are called good. It is straightforward to deduce that for any good transcript we must have \( (\widetilde{x},\mathsf {chop}_1(\widetilde{y}^\oplus )) \leftrightsquigarrow (\widetilde{y},\widetilde{t}) \).

Lemma 5.1

(bad transcript analysis). For \( q+2\ell _{\max } \le 2^{n-1} \), we have

$$\begin{aligned} {\Pr _{ }\left[ \mathsf {\mathbb {I}}\in \mathcal {T}_{\mathsf {bad}}\right] } \le \frac{2.5q^2}{2^{n}}. \end{aligned}$$

Proof

We have

$$\begin{aligned} {\Pr _{ }\left[ \mathsf {\mathbb {I}}\in \mathcal {T}_{\mathsf {bad}}\right] }&= {\Pr _{ }\left[ (\mathsf {FlagT}= 1) \vee (\mathsf {FlagZ}= 1)\right] }\\&= {\Pr _{ }\left[ \mathtt {BadT}\vee \mathtt {BadZ}\right] }\\&\le {\Pr _{ }\left[ \mathtt {BadT}\right] } + {\Pr _{ }\left[ \mathtt {BadZ}|\lnot \mathtt {BadT}\right] }. \end{aligned}$$

We will handle the two terms on the right hand side separately:

  1. 1.

    Bounding \( {\Pr _{ }\left[ \mathtt {BadT}\right] } \): There are at most \( {q \atopwithdelims ()2} \) choices for (i, j), and for each such pair, \( \mathsf {T}_{i} = \mathsf {T}_{j} \) holds with probability exactly \( 2^{-n} \). Thus, we have

    $$\begin{aligned} {\Pr _{ }\left[ \mathtt {BadT}\right] } \le \frac{q^2}{2^{n+1}}. \end{aligned}$$
    (17)
  2. 2.

    Bounding \( {\Pr _{ }\left[ \mathtt {BadZ}|\lnot \mathtt {BadT}\right] } \): Fix two indices \( i \ne j \). Now, we can have two cases:

    1. (a)

      \( \ell _i = \ell _j \): Since \( \mathsf {M}_i \ne \mathsf {M}_j \), we must have at least one index a such that \( \mathsf {M}_{i}[a] \ne \mathsf {M}_{j}[a] \), which implies that \( \mathsf {X}_{i}[a] \ne \mathsf {X}_{j}[a] \). Further, note that \( \mathsf {X}_{i}[a] \ne \mathsf {X}_{k}[b] \) for all \( (k,b) \in \{i,j\} \times [\ell _k-1] \setminus \{(i,a)\} \). Then, by conditioning on the value of \( \mathsf {Z}_{k}[b] \) for all \( (k,b) \in \{i,j\} \times [\ell _k-1] \setminus \{(i,a)\} \), we bound the probability that \( \mathsf {chop}_1(\mathsf {Z}^\oplus _i) = \mathsf {chop}_1(\mathsf {Z}^\oplus _j) \) by at most \( 2/(2^n-q-2\ell _{\max }) \), where the factor of 2 in the numerator is due to the 1-bit chopping. There are at most \( {q \atopwithdelims ()2} \) choices for (i, j), so in this case the probability is at most \( q^2/(2^n-q-2\ell _{\max }) \).

    2. (b)

      \( \ell _i \ne \ell _j \): Without loss of generality, assume that \( \ell _i > \ell _j \). Then, applying exactly the same argument as in the preceding case with \( (i,a) = (i,\ell _i-1) \), we can bound the probability in this case by at most \( q^2/(2^n-q-2\ell _{\max }) \).

    Since the two cases are mutually exclusive, we have

    $$\begin{aligned} {\Pr _{ }\left[ \mathtt {BadZ}|\lnot \mathtt {BadT}\right] } \le \frac{q^2}{(2^n - q - 2\ell _{\max })}. \end{aligned}$$
    (18)

The result follows by summing up Eq. (17) and (18) and using \( q + 2\ell _{\max } \le 2^{n-1} \).
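Spelling out this last step: under \( q + 2\ell _{\max } \le 2^{n-1} \), the denominator in Eq. (18) is at least \( 2^{n-1} \), whence

$$\begin{aligned} {\Pr _{ }\left[ \mathsf {\mathbb {I}}\in \mathcal {T}_{\mathsf {bad}}\right] } \le \frac{q^2}{2^{n+1}} + \frac{q^2}{2^n - q - 2\ell _{\max }} \le \frac{q^2}{2^{n+1}} + \frac{2q^2}{2^{n}} = \frac{2.5q^2}{2^{n}}. \end{aligned}$$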

   \(\square \)

Good Transcript: Fix a good transcript \( \tau = (\widetilde{m},\widetilde{t},\widetilde{x},\widetilde{y},0,0) \). Let \( \sigma ' := |\widetilde{x}| \). Since \( \tau \) is good, we have \( (\widetilde{x},\mathsf {chop}_1(\widetilde{y}^\oplus )) \leftrightsquigarrow (\widetilde{y},\widetilde{t}) \). Then, we must have \( |\mathsf {chop}_1(\widetilde{y}^\oplus )| = q \). Further, \( \widetilde{x}\cap \mathsf {chop}_1(\widetilde{y}^\oplus ) = \emptyset \) due to domain separation. Thus, \( |\widetilde{x}\cup \mathsf {chop}_1(\widetilde{y}^\oplus )| = q+\sigma ' \).

Real World: In the real world, the random permutation \( \mathsf {\Pi }\) is sampled on exactly \( q+\sigma ' \) distinct points. Thus, we have

$$\begin{aligned} {\Pr _{ }\left[ \mathsf {\mathbb {R}}= \tau \right] } = \frac{1}{(2^n)_{q+\sigma '}}. \end{aligned}$$
(19)

Ideal World: In the ideal world, \( \widetilde{\mathsf {T}}\) is first sampled with replacement from a set of size \( 2^n \). Then, exactly \( \sigma ' \) values corresponding to \( \widetilde{\mathsf {Y}}\) are sampled without replacement from a set of size \( 2^n-q \). Thus, we have

$$\begin{aligned} {\Pr _{ }\left[ \mathsf {\mathbb {I}}= \tau \right] } = \frac{1}{2^{nq}} \times \frac{1}{(2^n-q)_{\sigma '}}. \end{aligned}$$
(20)

On dividing Eq. (19) by (20), and using the identity \( (2^n)_{q+\sigma '} = (2^n)_{q} \cdot (2^n-q)_{\sigma '} \) together with \( (2^n)_{q} \le 2^{nq} \), we get

$$\begin{aligned} \frac{{\Pr _{ }\left[ \mathsf {\mathbb {R}}= \tau \right] }}{{\Pr _{ }\left[ \mathsf {\mathbb {I}}= \tau \right] }} = \frac{2^{nq} \cdot (2^n-q)_{\sigma '}}{(2^n)_{q+\sigma '}} = \frac{2^{nq}}{(2^n)_{q}} \ge 1. \end{aligned}$$

From H-coefficient Theorem 2.1 and Lemma 5.1, we get

$$\begin{aligned} \mathbf {Adv}^{\mathsf {prf}}_{\textsf {LightMAC}\hbox {-}\textsf {ds} _{\mathsf {\Pi }}}(\mathscr {A}) \le \frac{2.5q^2}{2^n}. \end{aligned}$$
(21)

Theorem 5.1 follows from Eq. (16) and (21).

6 Conclusion

In this paper we studied the single-key instance of LightMAC, an ISO/IEC standard for lightweight message authentication codes. Our main contribution is a query-length independent security bound for 1k-LightMAC. Specifically, we showed that 1k-LightMAC achieves a PRF security bound of \( O(q^2/2^n) \) whenever \( (n-s) \le \ell \le (n-s)\min \{2^{n/4},2^s\} \). Further, we proposed a slight variant of LightMAC, called LightMAC-ds, that achieves a security bound of \( O(q^2/2^n) \) whenever \( \ell \le (n-s)2^{s-1} \).

6.1 Future Directions in Reset-Sampling

To prove the security of 1k-LightMAC, we used a novel sampling approach, called reset-sampling, that works as a subroutine within the H-coefficient proof setup. Although this approach is at a very nascent stage, we believe that reset-sampling could potentially be useful in deriving better security bounds for other single-key constructions. Indeed, OMAC [10] – another popular and standardized MAC algorithm – has a similar bottleneck as 1k-LightMAC, and might benefit from this sampling approach. In the following, we briefly discuss a possible reset-sampling approach for query-length independent security bounds for OMAC.

A simplified variant of OMAC for any message \( m \in (\{0,1\}^n)^{\ell } \) can be defined as follows: \( y[0] := 0^n \); for \( 1 \le i \le \ell -1 \), \( x[i] = m[i] \oplus y[i-1] \) and \( y[i] = {E}_K(x[i]) \); \( x[\ell ] = m[\ell ] \oplus y[\ell -1] \oplus 2{E}_K(0^n) \); and \( \textsf {OMAC} _{{E}_K}(m) := y[\ell ] = {E}_K(x[\ell ]) \).

For all \( i \in [\ell -1] \), x[i] and y[i] are referred to as the intermediate input and output, respectively, while \( x[\ell ] \) and \( y[\ell ] \) are referred to as the final input and output, respectively.
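For concreteness, here is a minimal Python sketch of this simplified OMAC variant (an illustration under assumed parameters: n = 128, full n-bit blocks, and the usual GF(\( 2^{128} \)) doubling as in CMAC; the function names are ours, and E is again a caller-supplied 128-bit block cipher acting on integers).

```python
MASK128 = (1 << 128) - 1

def dbl(x: int) -> int:
    """Multiplication by 2 in GF(2^128), modulo x^128 + x^7 + x^2 + x + 1."""
    return ((x << 1) & MASK128) ^ (0x87 if x >> 127 else 0)

def simplified_omac(E, blocks) -> int:
    """blocks = [m[1], ..., m[l]] as 128-bit integers (l >= 1); returns the tag y[l]."""
    assert blocks, "at least one block is required"
    y = 0                                  # y[0] = 0^n
    for m_i in blocks[:-1]:
        y = E(m_i ^ y)                     # x[i] = m[i] xor y[i-1];  y[i] = E_K(x[i])
    x_last = blocks[-1] ^ y ^ dbl(E(0))    # x[l] = m[l] xor y[l-1] xor 2*E_K(0^n)
    return E(x_last)                       # y[l] = E_K(x[l])
```

The chained structure makes the intermediate/final input collisions discussed below the central obstacle to a single-key, query-length independent bound.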

Suppose the adversary makes q queries. Given our analysis of 1k-LightMAC, it is easy to observe that the most contentious issue is the event in which some intermediate input (resp. output) collides with some final input (resp. output). Intuitively, this leads to a leakage of internal values to the adversary. However, notice that this does not necessarily mean that the adversary can actually detect and exploit this to mount an attack. This is precisely the point where reset-sampling can help. As an example, consider the following sampling approach in the ideal world (a rough code sketch of the resetting step follows the list):

  • The ideal oracle faithfully answers the q queries in the online phase.

  • Once the query-response phase is over:

    • The ideal oracle samples the intermediate inputs/outputs by following the OMAC definition, except for one small change: the intermediate outputs are sampled outside the set of all final outputs. This helps in avoiding collisions between some intermediate output and some final output.

    • Now, we may have a situation where some intermediate input \( x_i[a] \) collides with some final input \( x_j[\ell _j] \), which is an inconsistency.

    • However, if \( x_i[a+1] \) is fresh, i.e., it does not collide with any other intermediate/final input, then we can possibly reset \( y_i[a] \) to \( y_j[\ell _j] \) and redefine \( x_i[a+1] := x'_i[a+1] = m_i[a+1] \oplus y_j[\ell _j] \).

    • This might result in a collision of the form \( x'_i[a+1] = x_k[b] \), but as we have seen in the case of 1k-LightMAC, the probability of such collisions is easily bounded by \( O(q^3\ell ^2/2^{2n}) \) by considering the compound event \( x_i[a] = x_j[\ell _j] \cap x'_i[a+1] = x_k[b] \). There will be some more inconsistencies arising due to the resetting, but we ignore them for the sake of brevity.

    • Finally, the ideal oracle releases the intermediate inputs and outputs.
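To illustrate the resetting step only, here is a very rough Python sketch of how the offline correction outlined above might look. All data structures and names are hypothetical (x and y map a pair (query, block index) to an intermediate input/output, m holds message blocks, fin_x and fin_y map a query index to its final input and output), and the additional bad events and bookkeeping mentioned above are omitted.

```python
def reset_pass(x, y, m, fin_x, fin_y):
    fin_lookup = {v: j for j, v in fin_x.items()}      # detect x_i[a] = x_j[l_j]
    for (i, a), x_ia in list(x.items()):
        j = fin_lookup.get(x_ia)
        if j is None or (i, a + 1) not in x:
            continue                                   # no collision to repair here
        others = list(x.values()) + list(fin_x.values())
        if others.count(x[(i, a + 1)]) > 1:
            continue                                   # x_i[a+1] is not fresh
        y[(i, a)] = fin_y[j]                           # reset y_i[a] := y_j[l_j]
        x[(i, a + 1)] = m[(i, a + 1)] ^ fin_y[j]       # redefine x_i[a+1]
    return x, y
```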

A more formal and rigorous analysis of OMAC using reset-sampling will most probably require the handling of several other bad events, and could be an interesting future research topic. Although the above description is succinct and rough, it is expressive enough to demonstrate the idea of resetting. The technique is particularly useful for deriving improved bounds for single-key constructions, as demonstrated for 1k-LightMAC and outlined for OMAC. Interestingly, the dominating term in the bound of 1k-LightMAC is the collision probability; indeed, the bad events introduced due to reset-sampling only contribute beyond-the-birthday-bound terms. In fact, this seems to be a general characteristic of reset-sampling-based proofs, as the additional bad events are generally joint events involving two or more sources of randomness. Consequently, we believe that reset-sampling may, in future, find wide applications in the analysis of single-key variants of BBB-secure constructions, such as LightMAC+ [25] and PMAC+ [21].