PMAC with parity: Minimizing the query-length influence

Abstract

We present a new variant of PMAC (Parallelizable Message Authentication Code). The new mode calls an n-bit block cipher using four different block-cipher keys but attains a security bound of a novel form O(q 2/2 n + ℓσq/2 2n ). Here, q denotes the total number of queries, ℓ the maximum length of each query (in blocks), and σ the total query complexity (in blocks). Our bound improves over the previous PMAC security O(ℓq 2/2 n ) from FSE 2007 and over O(σq/2 n ) from FSE 2010. Moreover, when ℓ > 2 n/6, our bound holds valid for larger values of q than the beyond-birthday bound O(ℓ 3 q 3/2 2n ) does-the bound of the PMAC variant from CRYPTO 2011. In particular, our bound becomes "ℓ-free" as O(q 2/2 n ) under the condition that all queries are shorter than 2 n/2 blocks (i.e., ℓ≤ 2 n/2). Our construction is fairly efficient; it runs at rate 2/3 (meaning 1.5 encryptions to process n bits), which can be made even faster by increasing the number of keys. Thus our construction brings substantial gain in security guarantee without much loss in efficiency, which becomes especially valuable for 64-bit block ciphers. © 2012 Springer-Verlag.