On the Influence of Message Length in PMAC’s Security Bounds

Luykx, Atul; Preneel, Bart; Szepieniec, Alan; Yasuda, Kan

doi:10.1007/978-3-662-49890-3_23

Cited by 10 publications

(20 citation statements)

References 19 publications

(23 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Recently, Luykx et al [LPSY16] showed that one can construct a pair of messages which will collide with probability roughly /2 n , leading to an attack with advantage /2 n for q = 2 messages. However, their attack does not generalize to q messages.…”

Section: Security Of Pmac In the Random Permutation Modelmentioning

confidence: 99%

See 1 more Smart Citation

The Exact Security of PMAC

Gaži

Pietrzak

Rybár

2017

ToSC

View full text Add to dashboard Cite

PMAC is a simple and parallel block-cipher mode of operation, which was introduced by Black and Rogaway at Eurocrypt 2002. If instantiated with a (pseudo)random permutation over n-bit strings, PMAC constitutes a provably secure variable input-length (pseudo)random function. For adversaries making q queries, each of length at most l (in n-bit blocks), and of total length σ ≤ ql, the original paper proves an upper bound on the distinguishing advantage of Ο(σ2/2n), while the currently best bound is Ο (qσ/2n).In this work we show that this bound is tight by giving an attack with advantage Ω (q2l/2n). In the PMAC construction one initially XORs a mask to every message block, where the mask for the ith block is computed as τi := γi·L, where L is a (secret) random value, and γi is the i-th codeword of the Gray code. Our attack applies more generally to any sequence of γi’s which contains a large coset of a subgroup of GF(2n). We then investigate if the security of PMAC can be further improved by using τi’s that are k-wise independent, for k > 1 (the original distribution is only 1-wise independent). We observe that the security of PMAC will not increase in general, even if the masks are chosen from a 2-wise independent distribution, and then prove that the security increases to O(q<2/2n), if the τi are 4-wise independent. Due to simple extension attacks, this is the best bound one can hope for, using any distribution on the masks. Whether 3-wise independence is already sufficient to get this level of security is left as an open problem.

show abstract

Section: Security Of Pmac In the Random Permutation Modelmentioning

confidence: 99%

“…, γ to contain a large coset of a subgroup of GF (2 n ), and it's not clear if the sequence from [Rog04] contains such a set. Let us mention that for similar reasons the attack from [LPSY16] does not apply to the [Rog04] construction either.…”

Section: Variants Of the Pmac Constructionmentioning

confidence: 99%

The Exact Security of PMAC

Gaži

Pietrzak

Rybár

2017

ToSC

View full text Add to dashboard Cite

show abstract

“…[16][17][18] All the objects are defined as "Thing" such as smart-phones, smart-cars, industrial sensors, actuators, household appliances, and grid-networking under the platform of data and network communications. [10][11][12][13][19][20][21] Interestingly, the major works are focused to build network and topology for the concept of IoT. 12,13,[19][20][21] The IoT is already starting to kick-out to the applications of real-world: From home to office via car, smart-phone, health-card, national-card, and bank-card.…”

Section: Figure 1 Concept Of Authentication Encryptionmentioning

confidence: 99%

“…12,13,[19][20][21] The IoT is already starting to kick-out to the applications of real-world: From home to office via car, smart-phone, health-card, national-card, and bank-card. [10][11][12][13][19][20][21] Interestingly, the major works are focused to build network and topology for the concept of IoT. Therefore, a blackhole is developing for the emerging concept of the IoT, where the blackhole means lack of security, lack of trust, lack of integrity, lack of privacy under the communication channels.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

A simple authentication encryption scheme

Mazumder

Miyaji

2017

Concurrency and Computation

View full text Add to dashboard Cite

An authentication encryption (AE) scheme satisfies to transfer an authenticated data between 2 parties or more. There are vast applications of the AE such as access control, encryption, enhancing trust between multiple parties, and assure the originality of a message. However, the main challenge of the AE is to maintain low-cost features for its construction. Furthermore, there is another emerging issue of Internet of Things (IoT) in the field of data and network communication.The numbers of application of the IoT are increasing expeditiously, where various kinds of device have been used such as IoT-end device, constrained device, and RfID. Moreover, the main challenge of the IoT-end devices and resource constrained devices is to keep a certain level of security bound including minimum cost. However, the IoT-end devices, resource constrained devices, and RfID have lack of resources such as memory, power, and processors. Interestingly, the AE can play a vital role between data acquisition (sensors, actuators) and data aggregation of usual platform of the IoT. Thus, the construction of the AE should satisfy the properties of low-cost, least resources, and less operating-time. Though, there are many familiar constructions of AE such as OTR, McOE, POE, OAE, APE, COPE, CLOC, and SILK but most of the schemes depend on the features of nonce and associate data. In the aspect of security, the usage of nonce and associated data are adequate.However, these 2 features increase the overhead cost. Therefore, we propose a simple construction of IV-based AE where blockcipher compression function is used as encryption function. Our proposed scheme's efficiency-rate is 1 with reasonable privacy-security bound. In addition, it can encrypt arbitrary length of message in each iteration without padding.

show abstract

A Lightweight Alternative to PMAC

Minematsu

2020

Lecture Notes in Computer Science

View full text Add to dashboard Cite

On the Influence of Message Length in PMAC’s Security Bounds

Cited by 10 publications

References 19 publications

The Exact Security of PMAC

The Exact Security of PMAC

A simple authentication encryption scheme

A Lightweight Alternative to PMAC

Contact Info

Product

Resources

About