Stronger Security Bounds for OMAC, TMAC and XCBC

Transcription

1 Stronger Security Bounds for OMAC, MAC and XCBC etsu Iwata Kaoru Kurosawa Department of Computer and Information Sciences, Ibaraki University Nakanarusawa, Hitachi, Ibaraki , Japan {iwata, kurosawa}@cis.ibaraki.ac.jp April 30, 003 Abstract. OMAC, MAC and XCBC are CBC-type MAC schemes which are provably secure for arbitrary message length. In this paper, we present a more tight upper bound on Adv mac for each scheme, where Adv mac denotes the maximum success (forgery) probability of adversaries. Our bounds are expressed in terms of the total length of all queries of an adversary to the MAC generation oracle while the previous bounds are expressed in terms of the maximum length of each query. In particular, a significant improvement occurs if the lengths of queries are heavily unbalanced. Key words: OMAC, MAC, XCBC, modes of operation, block cipher, provable security.

2 Contents 1 Introduction Background Our Contribution Our Collision Bound Preliminaries 4.1 Notation CBC MAC XCBC, MAC and OMAC XCBC MAC-family and MAC OMAC-family, OMAC1 and OMAC Stronger Security Bounds Definitions of Security heorem Statements Proof for OMAC-family Q 1,...,Q 6 and MOMAC [8] MOMAC is Pseudorandom From MOMAC to OMAC-family Proof of Main Lemma for OMAC-family Proof for MAC-family Q 1,Q,Q 3 [9] and FCBC [3] FCBC is Pseudorandom From FCBC to MAC-family Proof of Main Lemma for MAC-family Proof for XCBC Q 1,Q,Q From FCBC to XCBC Proof of Main Lemma for XCBC eferences 6 A he Field with Ò Points 7

3 1 Introduction 1.1 Background he CBC MAC [5, 7] is a well-known method to generate a message authentication code (MAC) based on a block cipher E. We denote the CBC MAC value of a message M by CBC K (M), where K is the key of E. While Bellare, Kilian, and ogaway proved that the CBC MAC is secure for fixed length messages [1], it is not secure for variable length messages. herefore, several variants of CBC MAC have been proposed which are provably secure for variable length messages. hey include EMAC, XCBC, MAC and then OMAC. EMAC (Encrypted MAC) is obtained by encrypting CBC K1 (M) bye again with a new key K []. hat is, EMAC K1,K (M) =E K (CBC K1 (M)). Petrank and ackoff proved that EMAC is secure if the message length is a multiple of n, where n is the block length of E [1]. For arbitrary length messages, we can simply append the minimal 10 i to a message M so that the length is a multiple of n. In this method, however, we must append an entire extra block 10 n 1 if the size of the message is already a multiple of n. his is a wasting of one block cipher invocation. Black and ogaway next proposed XCBC to solve the above problem [3]. XCBC takes three keys: K 1 for E, and K and K 3. In XCBC, we do not append 10 n 1 if the size of the message is already a multiple of n. Only if this is not the case, we append the minimal 10 i. In order to distinguish them, K or K 3 is XOed before encrypting the last block. XCBC is now described as follows (see Fig. 1). If M = mn for some m>0, then XCBC computes exactly the same as the CBC MAC, except for XOing an n-bit key K before encrypting the last block. Otherwise, 10 i padding (i = n M 1modn) is appended to M and XCBC computes exactly the same as the CBC MAC for the padded message, except for XOing another n-bit key K 3 before encrypting the last block. M[1] K 1 E K 1 M[] M[3] M[1] M[] M[3] 10 } {{ i } K E K 1 E K 1 E K 1 E K 1 E Fig. 1. Illustration of XCBC. K3 Kurosawa and Iwata then proposed MAC which requires two keys, K 1 and K [9]. MAC is obtained from XCBC by replacing (K,K 3 ) with (K u,k ), where u is some non-zero constant and denotes multiplication in GF( n ). Finally, Iwata and Kurosawa proposed OMAC which requires only one key K of the block cipher E [8]. OMAC is a generic name for OMAC1 and OMAC. Let L = E K (0 n ). hen 1

4 able 1. Comparison of the key lengths. XCBC [3] MAC [9] OMAC [8] key length (k + n) bits (k + n) bits k bits OMAC1 is obtained by replacing (K,K 3 ) with (L u,l u ) in XCBC. Similarly, OMAC is obtained from XCBC by replacing (K,K 3 ) with (L u,l u 1 ). See able 1 for the comparison of the key lengths, where k denotes the key length of E. 1. Our Contribution XCBC, MAC and OMAC are all provably secure against chosen message attack. Indeed, the authors showed an upper bound on Adv mac for each scheme, where Adv mac denotes the maximum success (forgery) probability of adversaries. In this paper, we present a more tight upper bound on Adv mac for each scheme by using a more specific parameter. Consider adversaries who run in time at most t and query at most q messages to the MAC generation oracle. 1. he previous bounds are expressed in terms of the maximum length of each query.. Our bounds are expressed in terms of the total length of all queries. More precisely, 1. able shows the previous bounds on Adv mac F (t, q, m) which is defined as the maximum forgery probability of adversaries such that each query is at most m blocks, where 1 block is n bits, and. able 3 shows our bounds on Adv mac F (t, q, σ) which is defined as the maximum forgery probability of adversaries such that the total length of all queries are at most σ blocks, where F is XCBC, MAC or OMAC and n is the block length of the underlying block cipher E. In these tables, Adv prp E (t,q ) is the the maximum distinguishing probability between the block cipher E and a randomly chosen permutation, where the maximum is over all adversaries who run in time at most t and make at most q queries. able. Previous security bounds of XCBC, MAC and OMAC. Name Security Bound XCBC Adv mac XCBC (t, q, m) (4m +1)q +1 n +3 Adv prp E (t,q ), [3, Corollary ] where t = t + O(mq) and q = mq. MAC Adv mac MAC (t, q, m) (3m +1)q +1 n + Adv prp E (t,q ), [9, heorem 5.1] where t = t + O(mq) and q = mq. OMAC Adv mac OMAC (t, q, m) (5m +1)q +1 n + Adv prp E (t,q ), [8, heorem 5.1] where t = t + O(mq) and q = mq +1. In general, σ mq, where σ is the total block length of all queries, q is the number of queries, and m is the the maximum block length among all queries.

5 able 3. Security bounds of XCBC, MAC and OMAC obtained in this paper. Name Security Bound XCBC Adv mac XCBC (t, q, σ) 3σ +1 n + Adv prp E (t,q ), MAC OMAC where t = t + O(σ) and q = σ. Adv mac MAC (t, q, σ) 3σ +1 n + Adv prp E (t,q ), where t = t + O(σ) and q = σ. Adv mac OMAC (t, q, σ) 4σ +1 n + Adv prp E (t,q ), where t = t + O(σ) and q = σ +1. A significant improvement occurs if all queries are very short (say, 1 block) except for one very long query (m blocks). For example, suppose that n = 64 (for example, riple DES [4]), m = 16 and q = It is easy to see that σ = = 17. In this case, our bounds shown in able 3 are still meaningful while the previous bounds shown in able are useless because they become larger than one. 1.3 Our Collision Bound o show our security bounds, we derive upper bounds on some collision probabilities. For q distinct messages M (1),...,M (q) such that each M (i) is a multiple of n, let σ = M (1) + + M (q). For XCBC and MAC, we consider a collision such that CBC P (M (i) ) = CBC P (M (j) ) for some i j, where CBC P denotes the CBC MAC with a randomly chosen permutation P as the underlying block cipher E. We then prove that Pr(1 i< j q, CBC P (M (i) ) = CBC P (M (j) )) σ n for any M (1),...,M (q). It is formally stated in Lemma 5. and proved in Sec. 5.. For OMAC, we consider MOMAC-E, a variant of the CBC MAC, as follows. Let a message be M = M[1] M[] M[m], where M[1] = M[] = = M[m] = n and m. Let P 1 and P be two independent randomly chosen permutations. hen 1. Let Y [1] = P 1 (M[1]). For i =,...,m 1, compute Y [i] =P (M[i] Y [i 1]) 3. Finally define MOMAC-E P1,P (M) =M[m] Y [m 1]. We show that Pr(1 i< j q, MOMAC-E P1,P (M (i) ) = MOMAC-E P1,P (M (j) )) It is formally stated in Lemma 4. and proved in Sec. 4.. (σ q) n. 3

6 Preliminaries.1 Notation For a set A, x A means that x is chosen from A uniformly at random. If a, b {0, 1} are equal-length strings then a b is their bitwise XO. If a, b {0, 1} are strings then a b denote their concatenation. For simplicity, we sometimes write ab for a b if there is no confusion. For an n-bit string a = a n 1 a 1 a 0 {0, 1} n, let a < 1=a n a 1 a 0 0 denote the n-bit string which is a left shift of a by 1 bit, while a > 1=0a n 1 a a 1 denote the n-bit string which is a right shift of a by 1 bit. If a {0, 1} is a string then a denotes its length in bits. For any bit string a {0, 1} such that a n, we let pad n (a) = { a10 n a 1 if a <n, a if a = n. (1) Define a n = max{1, a /n }, where the empty string counts as one block. In pseudocode, we write Partition M into M[1] M[m] as shorthand for Let m = M n, and let M[1],...,M[m] be bit strings such that M[1] M[m] =M and M[i] = n for 1 i<m.. CBC MAC A block cipher E is a function E : K E {0, 1} n {0, 1} n, where K E is the set of keys and E(K, ) =E K ( ) is a permutation on {0, 1} n. n is called the block length of E. he CBC MAC [5, 7] is the simplest and most well-known MAC scheme based on block ciphers E. For a message M = M[1] M[] M[m] such that M[1] = M[] = = M[m] = n, let Y [0] = 0 n and Y [i] =E K (M[i] Y [i 1]) for i =1,...,m. hen the CBC MAC of M under key K is defined as CBC K (M) =Y [m]. Bellare, Kilian, and ogaway proved that the CBC MAC is secure for fixed length messages [1]. However, it is well known that CBC MAC is not secure for variable length messages..3 XCBC, MAC and OMAC XCBC, MAC and OMAC are CBC-type MAC schemes which are provably secure for arbitrary message length. Each scheme takes a message M {0, 1} and produces a tag in {0, 1} n. Each scheme is defined by using a block cipher E : K E {0, 1} n {0, 1} n. 4

7 Algorithm XCBC K1,K,K 3 (M) Y [0] 0 n Partition M into M[1] M[m] for i 1 to m 1 do X[i] M[i] Y [i 1] Y [i] E K1 (X[i]) X[m] pad n (M[m]) Y [m 1] if M[m] = n then X[m] X[m] K else X[m] X[m] K 3 E K1 (X[m]) return Fig.. Definition of XCBC..3.1 XCBC XCBC takes three keys (K 1,K,K 3 ) K E {0, 1} n {0, 1} n. he algorithm of XCBC is described in Fig. and illustrated in Fig. 1, where pad n ( ) is defined in (1)..3. MAC-family and MAC MAC takes two keys (K 1,K ) K E {0, 1} n. In general, MAC-family is defined by not only a block cipher E but also (1) a universal hash function H : K H X {0, 1} n where K H is the set of keys and X is the domain and () two distinct constants Cst 1, Cst X. hey must satisfy the following three conditions for sufficiently small ɛ 1,ɛ,ɛ 3. (We write H K ( ) for H(K, ).) 1. y {0, 1} n,#{k K H H K (Cst 1 )=y} ɛ 1 #K H. y {0, 1} n,#{k K H H K (Cst )=y} ɛ #K H 3. y {0, 1} n,#{k K H H K (Cst 1 ) H K (Cst )=y} ɛ 3 #K H he algorithm of MAC-family is described in Fig. 3 and illustrated in Fig. 4. MAC is obtained by letting K H = {0, 1} n, H K (x) =K x, Cst 1 = u and Cst = 1, where denotes multiplication over GF( n ) (See Appendix A for details). Equivalently, MAC is obtained by letting H K (Cst 1 )=K u and H K (Cst )=K. he above three conditions are satisfied with ɛ 1 = ɛ = ɛ 3 = n..3.3 OMAC-family, OMAC1 and OMAC OMAC is a generic name for OMAC1 and OMAC, where OMAC1 and OMAC take just one key K K E. In general, OMAC-family is defined by not only a block cipher E but also (1) a universal hash function H : {0, 1} n X {0, 1} n 5

8 M[1] K 1 E K 1 Algorithm MAC-family K1,K (M) Y [0] 0 n Partition M into M[1] M[m] for i 1 to m 1 do X[i] M[i] Y [i 1] Y [i] E K1 (X[i]) X[m] pad n (M[m]) Y [m 1] if M[m] = n then X[m] X[m] H K (Cst 1 ) else X[m] X[m] H K (Cst ) E K1 (X[m]) return M[] Fig. 3. Definition of MAC-family. M[3] M[1] M[] HK (Cst 1 ) E K 1 E K 1 E K 1 E K 1 E Fig. 4. Illustration of MAC-family. M[3] 10 } {{ i } HK (Cst ) where X is the domain, () two distinct constants Cst 1, Cst X and (3) an arbitrary n-bit constant Cst {0, 1} n. (he set of keys of H is {0, 1} n.) hey must satisfy the following six conditions for sufficiently small ɛ 1,ɛ,...,ɛ y {0, 1} n,#{l {0, 1} n H L (Cst 1 )=y} ɛ 1 n. y {0, 1} n,#{l {0, 1} n H L (Cst )=y} ɛ n 3. y {0, 1} n,#{l {0, 1} n H L (Cst 1 ) H L (Cst )=y} ɛ 3 n 4. y {0, 1} n,#{l {0, 1} n H L (Cst 1 ) L = y} ɛ 4 n 5. y {0, 1} n,#{l {0, 1} n H L (Cst ) L = y} ɛ 5 n 6. y {0, 1} n,#{l {0, 1} n H L (Cst 1 ) H L (Cst ) L = y} ɛ 6 n he algorithm of OMAC-family is described in Fig. 5 and illustrated in Fig. 6. OMAC1 is obtained by letting Cst =0 n, H L (x) =L x, Cst 1 = u and Cst = u, where denotes multiplication over GF( n ). Equivalently, OMAC1 is obtained by letting L = E K (0 n ), H L (Cst 1 )=L u and H L (Cst )=L u. OMAC is the same as OMAC1 except for Cst = u 1. Equivalently, OMAC is obtained by letting L = E K (0 n ), H L (Cst 1 )=L u and H L (Cst )=L u 1. he above six conditions are satisfied with ɛ 1 = = ɛ 6 = n for both OMAC1 and OMAC. 6

9 M[1] K E Algorithm OMAC-family K (M) L E K (Cst) Y [0] 0 n Partition M into M[1] M[m] for i 1 to m 1 do X[i] M[i] Y [i 1] Y [i] E K (X[i]) X[m] pad n (M[m]) Y [m 1] if M[m] = n then X[m] X[m] H L (Cst 1 ) else X[m] X[m] H L (Cst ) E K (X[m]) return M[] Fig. 5. Definition of OMAC-family. M[3] M[1] M[] HL (Cst 1 ) K E K E K E K E K E Fig. 6. Illustration of OMAC-family. M[3] 10 } {{ i } HL (Cst ) 3 Stronger Security Bounds 3.1 Definitions of Security Our definitions follow from [1, 6, 11]. Let Perm(n) denote the set of all permutations on {0, 1} n. We say that P is a random permutation if P is randomly chosen from Perm(n). he security of a block cipher E can be quantified as Adv prp E (t, q), the maximum advantage that an adversary A can obtain when trying to distinguish E K ( ) (with a randomly chosen key K) from a random permutation P ( ), where the maximum is over all adversaries who run in time at most t, and make at most q queries to an oracle (which is either E K ( ) orp ( )). his advantage is defined as follows. Adv prp def E (A) = Pr(K K E : A EK( ) =1) Pr(P Perm(n) :A P ( ) =1) Adv prp def { E (t, q) = max Adv prp E (A)} A We say that a block cipher E is secure if Adv prp E (t, q) is sufficiently small (prp stands for Pseudoandom Permutation). Similarly, a MAC algorithm is a map F : K F {0, 1} {0, 1} n, where K F is a set of keys and we write F K ( ) for F (K, ). We say that an adversary A FK( ) forges if A outputs (M,F K (M)) where A never queried M to its oracle F K ( ). hen we define the advantage as Adv mac def F (A) =Pr(K K F : A FK( ) forges) Adv mac F (t, q, σ) def = max A {Advmac F (A)} where the maximum is over all adversaries who run in time at most t, and make at most q queries, having aggregate length of at most σ blocks, where the aggregate length of q queries 7

10 M (1),...,M (q) is σ = 1 i q M (i) n. We say that a MAC algorithm is secure if Adv mac F (t, q, σ) is sufficiently small. Let and(,n) denote the set of all functions from {0, 1} to {0, 1} n. his set is given a probability measure by asserting that a random element of and(,n) associates to each string M {0, 1} a random string (M) {0, 1} n. hen we define the advantage as Adv viprf F (A) def = Pr(K K F : A FK( ) =1) Pr( and(,n):a ( ) =1) Adv viprf F (t, q, σ) def { } = max Adv viprf F (A) A where the maximum is over all adversaries who run in time at most t, make at most q queries, having aggregate length of at most σ blocks. We say that a MAC algorithm is pseudorandom if Adv viprf F (t, q, σ) is sufficiently small (viprf stands for Variable-length Input Pseudoandom Function). Without loss of generality, adversaries are assumed to never ask a query outside the domain of the oracle, and to never repeat a query. 3. heorem Statements We first prove that OMAC-family, MAC-family and XCBC are pseudorandom if the underlying block cipher is a random permutation P (information-theoretic result). Lemma 3.1 (Main Lemma for OMAC-family) Suppose that H, Cst 1 and Cst satisfy the conditions in Sec..3.3 for some sufficiently small ɛ 1,...,ɛ 6, and let Cst be an arbitrarily n-bit constant. Suppose that a random permutation P Perm(n) is used in OMAC-family as the underlying block cipher. Let A be an adversary which asks at most q queries, having aggregate length of at most σ blocks. Assume σ n /. hen where ɛ = max{ɛ 1,...,ɛ 6 }. Pr(P Perm(n) :A OMAC-family P ( ) =1) Pr( and(,n):a ( ) =1) σ ( 5 n +3ɛ ) Lemma 3. (Main Lemma for MAC-family) Suppose that H, Cst 1 and Cst satisfy the conditions in Sec..3. for some sufficiently small ɛ 1,ɛ,ɛ 3. Suppose that a random permutation P Perm(n) is used in MAC-family as the underlying block cipher. Let A be an adversary which asks at most q queries, having aggregate length of at most σ blocks. Assume σ n /. hen Pr(P Perm(n),K KH : A MAC-family P,K ( ) =1), () where ɛ = max{ɛ 1,ɛ,ɛ 3 }. Pr( and(,n):a ( ) =1) σ ( 5 n + ɛ ), (3) Lemma 3.3 (Main Lemma for XCBC) Suppose that a random permutation P Perm(n) is used in XCBC as the underlying block cipher. Let A be an adversary which asks at most q queries, having aggregate length of at most σ blocks. Assume σ n /. hen Pr(P Perm(n),K,K 3 {0, 1} n : A XCBC P,K,K ( ) 3 =1) Pr( and(,n):a ( ) =1) 3σ (4) n. 8

11 Proofs are given in Sec. 4, Sec. 5, and Sec. 6, respectively. Given the above three lemmas, it is standard to pass to the following complexity-theoretic result (For example, see [1, Section 3.]). It shows that OMAC, MAC and XCBC are pseudorandom if the underlying block cipher is secure. Corollary 3.1 Let E : K E {0, 1} n {0, 1} n be the underlying block cipher used in OMAC, MAC and XCBC. hen Adv viprf 4σ OMAC (t, q, σ) n + Advprp E (t,q ), where t = t + O(σ) and q = σ +1, Adv viprf 3σ MAC (t, q, σ) n + Advprp E (t,q ), where t = t + O(σ) and q = σ, and Adv viprf 3σ XCBC (t, q, σ) n + Advprp E (t,q ), where t = t + O(σ) and q = σ. Finally, we obtain the following theorem in the usual way (For example, see [1, Proposition.7]). It shows that OMAC, MAC and XCBC are secure as MACs if the underlying block cipher is secure. heorem 3.1 Let E : K E {0, 1} n {0, 1} n be the underlying block cipher used in OMAC, MAC and XCBC. hen Adv mac OMAC (t, q, σ) 4σ +1 n + Adv prp E (t,q ), where t = t + O(σ) and q = σ +1, Adv mac MAC (t, q, σ) 3σ +1 n + Adv prp E (t,q ), where t = t + O(σ) and q = σ, and Adv mac XCBC (t, q, σ) 3σ +1 n + Adv prp E (t,q ), where t = t + O(σ) and q = σ. 4 Proof for OMAC-family 4.1 Q 1,...,Q 6 and MOMAC [8] Let H, Cst 1 and Cst satisfy the conditions in Sec..3.3 for some sufficiently small ɛ 1,...,ɛ 6, and Cst be an arbitrarily n-bit constant. For a random permutation P Perm(n) and a random n-bit string nd {0, 1} n, define Q 1 (x) def = P (x) nd, Q (x) def = P (x nd) nd, Q 3 (x) def = P (x nd H L (Cst 1 )), Q 4 (x) def = P (x nd H L (Cst )), Q 5 (x) def = P (x H L (Cst 1 )) and Q 6 (x) def = P (x H L (Cst )), where L = P (Cst). he following proposition shows that Q 1 ( ), Q ( ), Q 3 ( ), Q 4 ( ), Q 5 ( ), Q 6 ( ) are indistinguishable from a pair of six independent random permutations P 1 ( ), P ( ), P 3 ( ), P 4 ( ), P 5 ( ), P 6 ( ). Proposition 4.1 Let A be an adversary which asks at most q queries in total. hen Pr(P Perm(n); nd {0, 1} n : A Q 1( ),...,Q 6 ( ) =1) ( ) Pr(P 1,...,P 6 Perm(n) :A P 1 ( ),...,P 6 ( ) =1) 3q 1 n + ɛ, where ɛ = max{ɛ 1,...,ɛ 6 }. (5) 9

12 Algorithm MOMAC P1,P,P 3,P 4,P 5,P 6 (M) Partition M into M[1] M[m] if m then X[1] M[1] Y [1] P 1 (X[1]) for i to m 1 do X[i] M[i] Y [i 1] Y [i] P (X[i]) X[m] pad n (M[m]) Y [m 1] if M[m] = n then P 3 (X[m]) else P 4 (X[m]) if m =1then X[m] pad n (M[m]) if M[m] = n then P 5 (X[m]) else P 6 (X[m]) return Fig. 7. Definition of MOMAC. M[1] P 1 M[] P M[3] P 3 M[1] P 1 M[] P M[3] 10 } {{ i } P 4 Fig. 8. Illustration of MOMAC for M >n. M P 5 M 10 } {{ i } P 6 Fig. 9. Illustration of MOMAC for M n. A proof is given in [8]. Next, we recall MOMAC (Modified OMAC) [8]. It uses six independent random permutations P 1,P,P 3,P 4,P 5,P 6 Perm(n). he algorithm MOMAC P1,...,P 6 ( ) is described in Fig. 7 and illustrated in Fig. 8 and Fig MOMAC is Pseudorandom We prove that MOMAC is pseudorandom (information-theoretic result). Lemma 4.1 Let A be an adversary which asks at most q queries, having aggregate length of at most σ blocks. Assume σ n /. hen Pr(P 1,...,P 6 Perm(n) :A MOMAC P1,...,P ( ) 6 =1) Pr( and(,n):a ( ) =1) σ n. o prove Lemma 4.1, we first define MOMAC-E (MOMAC without final encryption). It takes a message M such that M = mn for some m. It is obtained from MOMAC by 10

13 removing the final encryption, that is, it uses two independent random permutations P 1,P Perm(n). More precisely, the algorithm MOMAC-E P1,P ( ) is described in Fig. 10. Algorithm MOMAC-E P1,P (M) Partition M into M[1] M[m] X[1] M[1] Y [1] P 1 (X[1]) for i to m 1 do X[i] M[i] Y [i 1] Y [i] P (X[i]) X[m] M[m] Y [m 1] return X[m] Fig. 10. Definition of MOMAC-E. Note that M = mn for some m. We first show the following lemma. Lemma 4. (MOMAC-E Collision Bound) Let q, m 1,...,m q and σ be integers such that m i, σ = m m q, and σ n /. LetM (1),...,M (q) be fixed and distinct bit strings such that M (i) = m i n. hen the probability of collision, Pr(P 1,P Perm(n) :1 i< j q, MOMAC-E P1,P (M (i) )=MOMAC-E P1,P (M (j) )) is at most (σ q) n. Proof. We view the computation of MOMAC-E P1,P (M (i) ) as playing the game given in Fig. 11. In Fig. 11, M (i) [1] M (i) [m i ] is a partition of M (i). We initially set each range point of P 1 and P as undefined. he notation Domain(P i ) denotes the set of points x where P i (x) is no longer undefined. We use ange(p i ) to denote the set of points P i (x) which are no longer undefined. We use ange(p i ) to denote {0, 1} n \ ange(p i ). During the game, the X (i) [j] are those values produced after XOing with the current message block M (i) [j], Y (i) [1] values are P 1 (X (i) [1]) and, for j, Y (i) [j] values are P (X (i) [j]). he game has two parts: computation of X (1) [],...,X (q) [] (line 11 3) and computation of X (1) [m 1 ],...,X (q) [m q ] (line 31 45). We examine the probability that P 1 and P cause a collision, which will occur in our game if and only if X (i) [m i ]=X (j) [m j ] for some 1 i<j q. his condition will set bad 1 or bad to true. However, we set bad i to true in many other cases in order to simplify the analysis. he idea behind the variable bad i is as follows: throughout the game (line 13 and 35), we randomly choose a range value for P 1 and P at some undefined domain point. Since P 1 and P have not yet been determined at this point, the choice of our range value will be an independent uniform selection: there is no dependence on any prior choice. If the range value for P i were already determined by some earlier choice, the analysis would become more involved. We avoid the latter condition by setting bad i to true whenever such interdependencies are detected. he detection mechanism works as follows: throughout the processing of M (1),...,M (q), we will require P 1 be evaluated at q domain point X (1) [1],...,X (q) [1] and P be evaluated at σ q domain point X (1) [],...,X (1) [m 1 ],...,X (q) [],...,X (q) [m q ] (ignoring duplications due to any common prefix of M (1),...,M (q) ), we can rest assured that we are free to assign their 11

14 Initialization: 1: for i 1 to q do X (i) [1] M (i) [1]; : for all x {0, 1} n do P 1 (x),p (x) undefined; 3: bad 1, bad false; BAD ; Computation of X (1) [],...,X (q) []: 11: for i 1 to q do 1: if X (i) [1] Domain(P 1 ) then 13: Y (i) [1] ange(p 1 ); 14: P 1 (X (i) [1]) Y (i) [1]; 15: X (i) [] Y (i) [1] M (i) []; 16: BAD {X (i) []}; 17: Index {k i +1 k q and X (i) [1] = X (k) [1]}; 18: for all k Index do 19: Y (k) [1] Y (i) [1]; 0: X (k) [] Y (k) [1] M (k) []; 1: BAD BAD {X (k) []}; : if BAD BAD then bad 1 true; 3: else BAD BAD BAD; Computation of X (1) [m 1 ],...,X (q) [m q ]: 31: for j to σ do 3: for i 1 to q do 33: if j<m i then 34: if X (i) [j] Domain(P ) then 35: Y (i) [j] ange(p ); 36: P (X (i) [j]) Y (i) [j]; 37: X (i) [j +1] Y (i) [j] M (i) [j +1]; 38: BAD {X (i) [j +1]}; 39: Index {k i +1 k q, j<m k and X (i) [j] =X (k) [j]}; 40: for all k Index do 41: Y (k) [j] Y (i) [j]; 4: X (k) [j +1] Y (k) [j] M (k) [j +1]; 43: BAD BAD {X (k) [j +1]}; 44: if BAD BAD then bad true; 45: else BAD BAD BAD; Fig. 11. Game used in the proof of Lemma 4.. 1

15 corresponding range points without constraint. We maintain a set BAD to track which domain points of P have already been determined. Next we begin randomly choosing range points for X (i) [j]; if any such choice leads to a value already contained in BAD, we set bad i to true. Note that the choice of Y (i) [j] for X (i) [j] may automatically determines some other Y (k) [j] for X (k) [j] due to common prefix of M (1),...,M (q). We maintain sets Index and BAD to track such points. We now bound the probability of the event that bad 1 true and bad true by analyzing our game. Bounding the probability of bad 1 true. In line, it is required that some Y (i) [1] was selected in line 13 such that Y (i) [1] M (i) [] BAD, ory (i) [1] M (k) [] BAD for some k Index. he set BAD begins with the empty set and then grows by the number of points in BAD with each random choice of Y (i) [1]. Now, suppose that for the t-th process of line 13, the corresponding BAD after line 1 has l t points, assuming that bad 1 is false for the first t 1 process of line 13. Define V (t) def = Pr (bad 1 true at the t-th choice of Y (i) [1] bad 1 is false before choosing Y (i) [1]), line 13 where Pr ( ) shows that the probability is taken over the random choice in line 13. hen we line 13 have V (t) = (l l t 1 )l t n, (t 1) since P 1 has n (t 1) undefined domain points, BAD has (l l t 1 ) points, and BAD has l t points. Also, suppose that line 11 3 terminates after s process of line 13. hen we have Pr (bad 1 true) V (t) = (l l t 1 )l t line 13 1 t s 1 t s n. (t 1) Now we can bound the above by 1 t s (l l t 1 )l t n (t 1) n 1 t s (l l t 1 )l t = n l 0 l1 l s l 0 n, where l 0 def = l l s. he first inequality follows since s is at most q, which is at most n /. Bounding the probability of bad true. Next, in line 44, it is required that some Y (i) [j] was selected in line 35 such that Y (i) [j] M (i) [j +1] BAD, ory (i) [j] M (k) [j +1] BAD for some k Index. he set BAD begins with l 0 points. It grows by the number of points in BAD with each random choice of Y (i) [j]. Now, suppose that for the t -th process of line 35, the corresponding BAD after line 43 has l t points, assuming that bad is false for the first t 1 process of line 35. Define V (t ) def = Pr (bad true at the t -th choice of Y (i) [j] bad is false before choosing Y (i) [j]), line 35 where Pr ( ) shows that the probability is taken over the random choice in line 35. hen we line 35 have V (t )= (l 0 + l l t 1 )l t n (t, 1) 13

16 since P has n (t 1) undefined domain points, BAD has (l 0 + l l t 1 ) points, and BAD has l t points. Also, suppose that the game terminates after s process of line 35. hen we have Pr (bad true) line 35 1 t s V (t )= (l 0 + l l t 1 )l t n (t 1) 1 t s. Now we can bound the above by (l 0 + l l t 1 )l t n (t 1) 1 t s n (l 0 + l l t 1 )l t (σ q) l 0 n, 1 t s where the first inequality follows since s is at most σ, which is at most n /, and the second inequality follows since σ q l 0 + l l s and (l 0 + l l t 1)l t (σ q) l 0 l 1 l s 1 t s (σ q) l 0. Completing the Proof. Finally, we obtain the stated bound since Pr (bad 1 true)+ line 13 Pr (bad true) l 0 line 35 n + (σ q) l 0 n = (σ q) n. Q.E.D. We next consider the following four sets. def D 1 = {M M {0, 1}, n< M and M is a multiple of n} def D = {M M {0, 1}, n< M and M is not a multiple of n} def D 3 = {M M {0, 1} and M = n} def D 4 = {M M {0, 1} and M <n} We show the following lemma. Lemma 4.3 Let q 1,q,q 3,q 4 be four non-negative integers. For 1 i 4, let M (1) i,...,m (q i) i be fixed bit strings such that M (j) i D i for 1 j q i and {M (1) i,...,m (q i) i } are distinct. Similarly, for 1 i 4, let (1) i,..., (q i) i be fixed n-bit strings such that { (1) i,..., (q i) i } are distinct. hen the number of P 1,...,P 6 Perm(n) such that ( is at least {( n )!} 6 1 (σ q) σ = σ σ 4. MOMAC P1,...,P 6 (M (i) (i) 1 )= MOMAC P1,...,P 6 (M (i) MOMAC P1,...,P 6 (M (i) 3 MOMAC P1,...,P 6 (M (i) 4 n ) (i) )= (i) )= (i) )= 1 for 1 i q 1, for 1 i q, 3 for 1 i q 3 and 4 for 1 i q 4 1 qn, where q = q q 4, σ i = 1 j q i M (j) i n and (6) 14

17 Proof. We first consider M (1) 1,...,M(q 1) 1. he number of (P 1,P ) such that MOMAC-E P1,P (M (i) 1 ) = MOMAC-E P 1,P (M (j) 1 ) for 1 i< j q 1 is at most {( n )!} (σ 1 q 1 ) from Lemma 4.. n We next consider M (1),...,M(q ). Let M (i) denote the padded message of M (i). hen the number of (P 1,P ) such that MOMAC-E P1,P (M (i) ) = MOMAC-EP1,P (M (j) ) for 1 i< j q is at most {( n )!} (σ q ) from Lemma 4.. n herefore, we have at least ( {( n )!} 1 (σ 1 q 1 ) n (σ ) q ) n choice of (P 1,P ) such that { MOMAC-EP1,P (M (i) 1 ) MOMAC-E P 1,P (M (j) 1 ) for 1 i< j q 1 and MOMAC-E P1,P (M (i) ) MOMAC-E P1,P (M (j) ) for 1 i< j q (7) We fix any (P 1,P ) which satisfies (7). Now P 1 and P are fixed in such a way that the inputs to P 3 are distinct and the inputs to P 4 are distinct. Also, the corresponding outputs { (1) 1,..., (q 1) 1 } are distinct, and { (1),..., (q ) } are distinct. We know that the inputs to P 5 are distinct, and the corresponding outputs { (1) 3,..., (q 3) 3 } are distinct. Also, the inputs to P 6 are distinct, and and the corresponding outputs { (1) 4,..., (q 4) 4 } are distinct. herefore, we have at least ( ) {( n )!} ( n q 1 )! ( n q )! ( n q 3 )! ( n q 4 )! 1 (σ 1 q 1 ) n (σ q ) n ( ) choice of P 1,...,P 6 which satisfies (6). his bound is at least {( n )!} 6 1 (σ q) 1 n since qn (σ q) (σ 1 q 1 ) +(σ q ) and ( n q i )! (n )! q i. n his concludes the proof of the lemma. Q.E.D. We now prove Lemma 4.1. Proof (of Lemma 4.1). Let O be either MOMAC P1,...,P 6 or. Since A is computationally unbounded, there is no loss of generality to assume that A is deterministic. Now for the query A makes to the oracle O, define the query-answer pair (M (i) j, (i) j ) D j {0, 1} n, where A s i-th query in D j was M (i) j D j and the answer it got was (i) j {0, 1} n. Suppose that we run A with the oracle. For this run, assume that A made q j queries in D j, where 1 j 4 and q q 4 = q. Also, for 1 i 4, let σ i = 1 j q i M (j) i n (therefore, q 3 = σ 3 and q 4 = σ 4 ). For this run, we define view v of A as v def = ( (1) 1,..., (q 1) 1 ), ( (1),..., (q ) ), ( (1) 3,..., (q 3) 3 ), ( (1) 4,..., (q (8) 4) 4 ). Since A is deterministic, the i-th query A makes is fully determined by the first i 1 queryanswer pairs. his implies that if we fix some qn-bit string V and return the i-th n-bit block as the answer for the i-th query A makes (instead of the oracle), then 15

18 A s queries are uniquely determined, q 1,...,q 4 are uniquely determined, σ 1,...,σ 4 are uniquely determined, the parsing of V into the format defined in (8) is uniquely determined, and the final output of A (0 or 1) is uniquely determined. Let V one be a set of all qn-bit strings V such that A outputs 1. We let N one def =#V one. Also, let V good be a set of all qn-bit strings V such that: For 1 i< j q, the i-th n-bit block of V the j-th n-bit block of V. Note that if V V good, then the corresponding parsing v of V satisfies that: { (1) 1,..., (q 1) 1 } are distinct, { (1),..., (q ) } are distinct, { (1) 3,..., (q 3) 3 } are distinct and { (1) 4,..., (q 4) 4 } are distinct. Now observe that the number of V which is not in the set V good is at most ( q) qn herefore, we have #{V V (V one V good )} N one n. ( ) q qn n. (9) Evaluation of p rand. We first evaluate p rand def =Pr( and(,n):a ( ) =1). hen it is not hard to see p rand = V Îone 1 qn = N one qn. Evaluation of p real. p real We next evaluate def = Pr(P 1,...,P 6 Perm(n) :A MOMAC P1,...,P ( ) 6 =1) = #{(P 1,...,P 6 ) A MOMAC P 1,...,P ( ) 6 =1} {( n )!} 6. hen from Lemma 4.3, we have p real # {(P 1,...,P 6 ) (P 1,...,P 6 ) satisfying (6)} {( n )!} 6 V (Îone Î good ) ( ) (σ q) 1 1 n qn. V (Îone Î good ) 16

19 Completing the Proof. p real From (9) we have ( ( ) ) ( ) q qn (σ q) 1 N one n 1 n qn ( ( ) ) ( ) q 1 (σ q) = p rand n 1 n ( ) q 1 (σ q) p rand n n p rand q +(σ q) n p rand σ n. (10) Applying the same argument to 1 p real and 1 p rand yields that 1 p real 1 p rand σ n. (11) Finally, (10) and (11) give p real p rand σ. n Q.E.D. 4.3 From MOMAC to OMAC-family he next lemma shows that OMAC-family P ( ) and MOMAC P1,...,P 6 ( ) are indistinguishable. Lemma 4.4 Let A be an adversary which asks at most q queries, having aggregate length of at most σ blocks. Assume σ n /. hen Pr(P Perm(n) :A OMAC-family P ( ) =1) Pr(P 1,...,P 6 Perm(n) :A MOMAC P1,...,P ( ) 6 =1) 3σ ( 1 n + ɛ ) Proof. We prove through a contradiction argument. Suppose that there exists an adversary A such that Pr(P Perm(n) :A OMAC-family P ( ) =1) ( ) Pr(P 1,...,P 6 Perm(n) :A MOMAC P1,...,P ( ) 6 =1) > 3σ 1 n + ɛ. By using A, we show a construction of an adversary B A such that: B A asks at most σ queries, and Pr(P Perm(n) :B Q 1( ),...,Q 6 ( ) A =1) ( ) P Pr(P 1,...,P 6 Perm(n) :B 1 ( ),...,P 6 ( ) A =1) > 3σ 1 n + ɛ, which contradicts Proposition 4.1. Let O 1 ( ),...,O 6 ( ) beb A s oracles. he construction of B A is given in Fig. 1. When A asks M (r), then B A computes (r) = MOMAC O1,...,O 6 (M (r) ) as if the underlying random permutations are O 1,...,O 6, and returns (r). When A halts and outputs b, then B A outputs b. Now we see that:. 17

20 Algorithm B O 1,...,O 6 A 1: When A asks its r-th query M (r) : : (r) MOMAC O1,...,O 6 (M (r) ) 3: return (r) 4: When A halts and outputs b: 5: output b Fig. 1. Algorithm B A. Note that for 1 i 6, O i is either P i or Q i M[1] P nd M[] nd P M[3] nd H L (Cst 1 ) M[1] M[] M[3] 10 i } {{ } nd P P nd nd nd H L (Cst ) P P nd Fig. 13. Computation of B A when O i = Q i for 1 i 6, and M >n. M M 10 } {{ i } HL (Cst 1 ) HL (Cst ) P P Fig. 14. Computation of B A when O i = Q i for 1 i 6, and M n. B A asks at most σ queries to its oracles, since A asks at most q queries having aggregate length of at most σ blocks. Pr(P 1,...,P 6 Perm(n) :B P 1 ( ),...,P 6 ( ) A =1) = Pr(P 1,...,P 6 Perm(n) :A MOMAC P1,...,P 6 ( ) = 1), since B A gives A a perfect simulation of MOMAC P1,...,P 6 ( ) ifo i ( ) =P i ( ) for 1 i 6. Pr(P Perm(n) :B Q 1( ),...,Q 6 ( ) A =1) = Pr(P Perm(n) :A OMAC P ( ) = 1), since B A gives A a perfect simulation of OMAC P ( ) ifo i ( ) =Q i ( ) for 1 i 6. See Fig. 13 and Fig. 14. Note that nd is canceled in Fig. 13. his concludes the proof of the lemma. Q.E.D. 4.4 Proof of Main Lemma for OMAC-family We finally give a proof of Main Lemma for OMAC-family. Proof (of Lemma 3.1). By the triangle inequality, the left hand side of () is at most Pr(P 1,...,P 6 Perm(n) :A MOMAC P1,...,P ( ) 6 =1) Pr( and(,n):a ( ) =1) (1) 18

21 + Pr(P Perm(n) :A OMAC-family P ( ) =1) Pr(P 1,...,P 6 Perm(n) :A MOMAC P1,...,P ( ) 6 =1). (13) Lemma 4.1 gives us an upper bound on (1) and Lemma 4.4 gives us an upper bound on (13). herefore the bound follows since σ ( ) ( ) n + 3σ 1 n + ɛ = σ 5 n +3ɛ. his concludes the proof of the lemma. Q.E.D. 5 Proof for MAC-family 5.1 Q 1,Q,Q 3 [9] and FCBC [3] Let H, Cst 1 and Cst satisfy the conditions in Sec..3. for some sufficiently small ɛ 1,ɛ,ɛ 3. For a random permutation P Perm(n) and a random string K K H, define Q 1 (x) def = P (x), Q (x) def = P (x H K (Cst 1 )), Q 3 (x) def = P (x H K (Cst )). he following proposition shows that Q 1 ( ), Q ( ), Q 3 ( ) are indistinguishable from a pair of three independent random permutations P 1 ( ), P ( ), P 3 ( ). Proposition 5.1 Let A be an adversary which asks at most q queries in total. hen Pr(P Perm(n); K KH : A Q 1( ),Q ( ),Q 3 ( ) =1) ( ) Pr(P 1,P,P 3 Perm(n) :A P 1 ( ),P ( ),P 3 ( ) =1) q 1 n + ɛ, where ɛ = max{ɛ 1,ɛ,ɛ 3 }. A proof is given in [9]. Next we recall FCBC [3]. It uses three independent random permutations P 1,P,P 3 Perm(n). he algorithm FCBC P1,P,P 3 ( ) is described in Fig. 15 and illustrated in Fig FCBC is Pseudorandom We prove that FCBC is pseudorandom (information-theoretic result). Lemma 5.1 Let A be an adversary which asks at most q queries, having aggregate length of at most σ blocks. Assume σ n /. hen Pr(P 1,P,P 3 Perm(n) :A FCBC P1,P,P ( ) 3 =1) Pr( and(,n):a ( ) =1) σ n. o prove Lemma 5.1, we define CBC-E (CBC MAC without final encryption). It takes a message M such that M = mn for some m 1. It is obtained from the CBC MAC by removing the final encryption. More precisely, the algorithm CBC-E P ( ) is described in Fig. 17, where P Perm(n) is a random permutation. We first show the following lemma. (14) 19

22 Algorithm FCBC P1,P,P 3 (M) Y [0] 0 n Partition M into M[1] M[m] for i 1 to m 1 do X[i] M[i] Y [i 1] Y [i] P 1 (X[i]) X[m] pad n (M[m]) Y [m 1] if M[m] = n then P (X[m]) else P 3 (X[m]) return Fig. 15. Definition of FCBC. M[1] P 1 M[] P 1 M[3] P M[1] P 1 M[] P 1 M[3] 10 } {{ i } P 3 Fig. 16. Illustration of FCBC. Algorithm CBC-E P (M) Y [0] 0 n Partition M into M[1] M[m] for i 1 to m 1 do X[i] M[i] Y [i 1] Y [i] P (X[i]) X[m] M[m] Y [m 1] return X[m] Fig. 17. Definition of CBC-E. 0

23 Lemma 5. (CBC-E Collision Bound) Let q, m 1,...,m q and σ be integers such that m i 1, σ = m m q, and σ n /. Let M (1),...,M (q) be fixed and distinct bit strings such that M (i) = m i n. hen Pr(P Perm(n) :1 i< j q, CBC-E P (M (i) ) = CBC-E P (M (j) )) σ n. Proof. We view the computation of CBC-E P (M (i) ) as playing the game given in Fig. 18. Initialization: 1: for i 1 to q do X (i) [1] M (i) [1]; : for all x {0, 1} n do P (x) undefined; 3: bad false; BAD {X (1) [1],...,X (q) [q]}; Computation of X (1) [m 1 ],...,X (q) [m q ]: 11: for j 1 to σ do 1: for i 1 to q do 13: if j<m i then 14: if X (i) [j] Domain(P ) then 15: Y (i) [j] ange(p ); 16: P (X (i) [j]) Y (i) [j]; 17: X (i) [j +1] Y (i) [j] M (i) [j +1]; 18: BAD {X (i) [j +1]}; 19: Index {k i +1 k q, j<m k and X (i) [j] =X (k) [j]}; 0: for all k Index do 1: Y (k) [j] Y (i) [j]; : X (k) [j +1] Y (k) [j] M (k) [j +1]; 3: BAD BAD {X (k) [j +1]}; 4: if BAD BAD then bad true; 5: else BAD BAD BAD; Fig. 18. Game used in the proof of Lemma 5.. Similarly to the proof of Lemma 4., it is enough to bound the probability of the event that bad true. In line 4, it is required that some Y (i) [j] was selected in line 15 such that Y (i) [j] M (i) [j + 1] BAD, ory (i) [j] M (k) [j +1] BAD for some k Index. Suppose that the set BAD begins with l 0 points. hen it grows by the number of points in BAD with each random choice of Y (i) [j]. Now, suppose that for the t-th process of line 15, the corresponding BAD after line 3 has l t points, assuming that bad is false for the first t 1 process of line 15. Define V (t) def = Pr line 15 (bad true at the t-th choice of Y (i) [j] bad is false before choosing Y (i) [j]). hen we have V (t) = (l 0 + l l t 1 )l t n, (t 1) since P has n (t 1) undefined domain points, BAD has (l 0 + l l t 1 ) points, and BAD has l t points. 1

24 Also, suppose that the game terminates after s process of line 15. hen we have Pr (bad true) V (t) = (l 0 + l l t 1 )l t line 15 1 t s 1 t s n (t 1). Now we can bound the above by 1 t s (l 0 + l l t 1 )l t n (t 1) n 1 t s (l 0 + l l t 1 )l t σ n, where the first inequality follows since s is at most σ, which is at most n /, and the second inequality follows since σ l 0 + l l s and (l 0 + l l t 1 )l t σ l 0 l 1 l s 1 t s σ. Q.E.D. We next consider the following two sets. { def D1 = {M M {0, 1} and M is a positive multiple of n} def D = {M M {0, 1} and M is not a positive multiple of n} We show the following lemma. Lemma 5.3 Let q 1,q be two non-negative integers. For 1 i, let M (1) i,...,m (q i) i be fixed bit strings such that M (j) i D i for 1 j q i and {M (1) i,...,m (q i) i } are distinct. Similarly, for 1 i, let (1) i,..., (q i) i be fixed n-bit strings such that { (1) i,..., (q i) i } are distinct. hen the number of P 1,P,P 3 Perm(n) such that { FCBCP1,P,P 3 (M (i) (i) 1 )= FCBC P1,P,P 3 (M (i) 1 for 1 i q 1 and (i) (15) )= for 1 i q is at least {( n )!} 3 ( 1 σ n ) 1 qn, where q = q 1 + q, σ i = 1 j q i M (j) i n and σ = σ 1 + σ. Proof. We first consider M (1) 1,...,M(q 1) 1. he number of P 1 such that CBC-E P1 (M (i) 1 ) = CBC-E P 1 (M (j) 1 ) for 1 i< j q 1 is at most {( n )!} σ 1 from Lemma 5.. n We next consider M (1),...,M(q ) number of P 1 such that. Let M (i) denote the padded message of M (i). hen the CBC-E P1 (M (i) ) = CBC-EP1 (M (j) ) for 1 i< j q is at most {( n )!} σ n from Lemma 5.. herefore, we have at least ( {( n )!} 1 σ 1 n σ n )

25 choice of P 1 such that { CBC-EP1 (M (i) 1 ) CBC-E P 1 (M (j) 1 ) for 1 i< j q 1 and CBC-E P1 (M (i) ) CBC-E P1 (M (j) ) for 1 i< (16) j q We fix any P 1 which satisfies (16). Now P 1 is fixed in such a way that the inputs to P are distinct and the inputs to P 3 are distinct. Also, the corresponding outputs { (1) 1,..., (q 1) 1 } are distinct, and { (1),..., (q ) } are distinct. herefore, we have at least ( ) {( n )!} 1 σ 1 n σ n ( n q 1 )! ( n q )! ( ) choice of P 1,P,P 3 which satisfies (15). his bound is at least {( n )!} 3 1 σ 1 n since qn σ σ1 + σ and (n q i )! (n )! q i n. his concludes the proof of the lemma. Q.E.D. We now prove Lemma 5.1 Proof (of Lemma 5.1). We proceed similarly to the proof of Lemma 4.1. Let O be either FCBC P1,P,P 3 or. Since A is computationally unbounded, there is no loss of generality to assume that A is deterministic. Now for the query A makes to the oracle O, define the query-answer pair (M (i) j D j {0, 1} n, where A s i-th query in D j was M (i), (i) j ) j D j and the answer it got was (i) j {0, 1} n. Suppose that we run A with the oracle. For this run, assume that A made q j queries in D j, where 1 j and q 1 + q = q. Also, for 1 i, let σ i = 1 j q i M (j) i n. For this run, we define view v of A as v def = ( (1) 1,..., (q 1) 1 ), ( (1),..., (q ) ). (17) Since A is deterministic, the i-th query A makes is fully determined by the first i 1 queryanswer pairs. his implies that if we fix some qn-bit string V and return the i-th n-bit block as the answer for the i-th query A makes (instead of the oracle), then A s queries are uniquely determined, q 1,q are uniquely determined, σ 1,σ are uniquely determined, the parsing of V into the format defined in (17) is uniquely determined, and the final output of A (0 or 1) is uniquely determined. def Let V one be a set of all qn-bit strings V such that A outputs 1. We let N one =#V one. Also, let V good be a set of all qn-bit strings V such that: For 1 i< j q, the i-th n-bit block of V the j-th n-bit block of V. Note that if V V good, then the corresponding parsing v of V satisfies that: { (1) 1,..., (q 1) 1 } are distinct and { (1),..., (q ) } are distinct. Now observe that the number of V which is not in the set V good is at most ( q) qn. herefore, we have n ( ) q qn #{V V (V one V good )} N one n. (18) 3

26 Evaluation of p rand. We first evaluate p rand def =Pr( and(,n):a ( ) =1). hen it is not hard to see p rand = V Îone 1 qn = N one qn. Evaluation of p real. p real We next evaluate def = Pr(P 1,P,P 3 Perm(n) :A FCBC P1,P,P ( ) 3 =1) = #{(P 1,P,P 3 ) A FCBC P 1,P,P ( ) 3 =1} {( n )!} 3. hen from Lemma 5.3, we have p real # {(P 1,P,P 3 ) (P 1,P,P 3 ) satisfying (15)} {( n )!} 3 V (Îone Î good ) ( ) 1 σ 1 n qn. V (Îone Î good ) Completing the Proof. p real From (18) we have ( ( ) ) ( ) q qn N one n 1 σ 1 n qn ( ( ) ) ( ) q 1 = p rand n 1 σ n ( ) q 1 p rand n σ n p rand q + σ n p rand σ n. (19) Applying the same argument to 1 p real and 1 p rand yields that 1 p real 1 p rand σ n. (0) Finally, (19) and (0) give p real p rand σ n. Q.E.D. 5.3 From FCBC to MAC-family he next lemma shows that MAC-family P,K ( ) and FCBC P1,P,P 3 ( ) are indistinguishable. 4

27 Lemma 5.4 Let A be an adversary which asks at most q queries, having aggregate length of at most σ blocks. Assume σ n /. hen Pr(P Perm(n),K KH : A MAC-family P,K ( ) =1) ( ) Pr(P 1,P,P 3 Perm(n) :A FCBC P1,P,P ( ) 3 =1) σ 1 n + ɛ. By using Proposition 5.1, it can be proved similarly to the proof of Lemma Proof of Main Lemma for MAC-family We finally give a proof of Main Lemma for MAC-family. Proof (of Lemma 3.). By the triangle inequality, the left hand side of (3) is at most Pr(P 1,P,P 3 Perm(n) :A FCBC P1,P,P ( ) 3 =1) Pr( and(,n):a ( ) =1) + Pr(P Perm(n),K KH : A MAC-family P,K ( ) =1) Pr(P 1,P,P 3 Perm(n) :A FCBC P1,P,P ( ) 3 () =1). Lemma 5.1 gives us an upper bound on (1) and Lemma 5.4 gives us an upper bound on (). herefore the bound follows since σ ( ) ( ) n + σ 1 n + ɛ = σ 5 n + ɛ. his concludes the proof of the lemma. Q.E.D. 6 Proof for XCBC 6.1 Q 1,Q,Q 3 For a random permutation P Perm(n) and two random n-bit strings K,K 3 {0, 1} n, define Q 1 (x) def = P (x), Q (x) def = P (x K ), (3) Q 3 (x) def = P (x K 3 ). he following proposition shows that Q 1 ( ), Q ( ), Q 3 ( ) are indistinguishable from a pair of three independent random permutations P 1 ( ), P ( ), P 3 ( ). Proposition 6.1 Let A be an adversary which asks at most q queries in total. hen Pr(P Perm(n); K,K 3 {0, 1} n : A Q 1( ),Q ( ),Q 3 ( ) =1) Pr(P 1,P,P 3 Perm(n) :A P 1 ( ),P ( ),P 3 ( ) =1) q n, where ɛ = max{ɛ 1,ɛ,ɛ 3 }. It can be proved by extending the proof of [3, Lemma 4]. Also, it can be proved similar to Proposition 5.1. (1) 5

28 6. From FCBC to XCBC he next lemma shows that XCBC P,K,K 3 ( ) and FCBC P1,P,P 3 ( ) are indistinguishable. Lemma 6.1 Let A be an adversary which asks at most q queries, having aggregate length of at most σ blocks. Assume σ n /. hen Pr(P Perm(n),K,K 3 {0, 1} n : A XCBC P,K,K ( ) 3 =1) Pr(P 1,P,P 3 Perm(n) :A FCBC P1,P,P ( ) 3 =1) σ n. By using Proposition 6.1, it can be proved similarly to the proof of Lemma Proof of Main Lemma for XCBC We finally give a proof of Main Lemma for XCBC. Proof (of Lemma 3.3). By the triangle inequality, the left hand side of (4) is at most Pr(P 1,P,P 3 Perm(n) :A FCBC P1,P,P ( ) 3 =1) Pr( and(,n):a ( ) =1) + Pr(P Perm(n),K,K 3 {0, 1} n : A XCBC P,K,K ( ) 3 =1) Pr(P 1,P,P 3 Perm(n) :A FCBC P1,P,P ( ) 3 =1). (4) (5) Lemma 5.1 gives us an upper bound on (4) and Lemma 6.1 gives us an upper bound on (5). herefore the bound follows since σ n + σ n = 3σ n. his concludes the proof of the lemma. Q.E.D. eferences [1] M. Bellare, J. Kilian, and P. ogaway. he security of the cipher block chaining message authentication code. JCSS, vol. 61, no. 3, pp , 000. Earlier version in Advances in Cryptology CYPO 94, LNCS 839, pp , Springer-Verlag, [] A. Berendschot, B. den Boer, J. P. Boly, A. Bosselaers, J. Brandt, D. Chaum, I. Damgård, M. Dichtl, W. Fumy, M. van der Ham, C. J. A. Jansen, P. Landrock, B. Preneel, G. oelofsen, P. de ooij, and J. Vandewalle. Final eport of ACE Integrity Primitives. LNCS 1007, Springer-Verlag, [3] J. Black and P. ogaway. CBC MACs for arbitrary-length messages: he three key constructions. Advances in Cryptology CYPO 000, LNCS 1880, pp , Springer- Verlag, 000. [4] FIPS Publication Data Encryption Standard (DES). U. S. Department of Commerce / National Institute of Standards and echnology, October 5,

29 [5] FIPS 113. Computer data authentication. Federal Information Processing Standards Publication 113, U. S. Department of Commerce / National Bureau of Standards, National echnical Information Service, Springfield, Virginia, [6] O. Goldreigh, S. Goldwasser and S. Micali. How to construct random functions. J. ACM, vol. 33, no. 4, pp , October [7] ISO/IEC Information technology security techniques data integrity mechanism using a cryptographic check function employing a block cipher algorithm. International Organization for Standards, Geneva, Switzerland, Second edition. [8]. Iwata and K. Kurosawa. OMAC: One-Key CBC MAC. Pre-proceedings of Fast Software Encryption, FSE 003, pp , 003. o appear in LNCS, Springer-Verlag. [9] K. Kurosawa and. Iwata. MAC: wo-key CBC MAC. opics in Cryptology C-SA 003, LNCS 61, pp , Springer-Verlag, 003. [10]. Lidl and H. Niederreiter. Introduction to finite fields and their applications, revised edition. Cambridge University Press, [11] M. Luby and C. ackoff. How to construct pseudorandom permutations from pseudorandom functions. SIAM J. Comput., vol. 17, no., pp , April [1] E. Petrank and C. ackoff. CBC MAC for real-time data sources. J.Cryptology, vol. 13, no. 3, pp , Springer-Verlag, 000. A he Field with n Points We interchangeably think of a point a in GF( n ) in any of the following ways: 1. as an abstract point in a field;. as an n-bit string a n 1 a 1 a 0 {0, 1} n ; 3. as a formal polynomial a(u) =a n 1 u n a 1 u + a 0 with binary coefficients. o add two points in GF( n ), take their bitwise XO. We denote this operation by a b. o multiply two points, fix some irreducible polynomial f(u) having binary coefficients and degree n. o be concrete, choose the lexicographically first polynomial among the irreducible degree n polynomials having a minimum number of coefficients. We list some indicated polynomials (See [10, Chapter 10] for other polynomials). f(u) =u 64 + u 4 + u 3 + u + 1 for n = 64, f(u) =u 18 + u 7 + u + u + 1 for n = 18, and f(u) =u 56 + u 10 + u 5 + u + 1 for n = 56. o multiply two points a GF( n ) and b GF( n ), regard a and b as polynomials a(u) = a n 1 u n a 1 u + a 0 and b(u) =b n 1 u n b 1 u + b 0, form their product c(u) where one adds and multiplies coefficients in GF(), and take the remainder when dividing c(u) by f(u). Note that it is particularly easy to multiply a point a {0, 1} n by u. We show a method for n = 18, where f(u) =u 18 + u 7 + u + u + 1. hen multiplying a = a 17 a 1 a 0 by u yields a 7