One-Key Compression Function Based MAC with Security beyond Birthday Bound


Avijit Dutta, Mridul Nandi, Goutam Paul
Indian Statistical Institute, Kolkata 700 108, India.
avirocks.dutta13@gmail.com, mridul.nandi@gmail.com, goutam.paul@isical.ac.in

Abstract. Gaži et al. [CRYPTO 2014] analyzed the NI-MAC construction proposed by An and Bellare [CRYPTO 1999] and gave a tight birthday bound of O(lq^2/2^n), as an improvement over the previous bound of O(l^2 q^2/2^n). In this paper, we design a simple extension of NI-MAC, called NI+-MAC, and prove that it has a security bound beyond birthday (BBB) of order O(q^2 l^2/2^{2n}) provided l ≤ 2^{n/4}. Our construction not only lifts the security of NI-MAC beyond birthday, it also reduces the number of keys from 2 (NI uses 2 independent keys) to 1. Before this work, Yasuda had proposed [FSE 2008] a single fixed-keyed compression function based BBB-secure MAC with security bound O(lq^2/2^n) that uses an extra mask and requires storage space to store the mask. Our proposed construction NI+ does not require any extra mask and thereby has a reduced state size compared to Yasuda's proposal [FSE 2008], while providing the same order of security bound for light-weight applications.

Keywords: Beyond Birthday, MAC, NI, Structure-Graph.

1 Introduction

In the symmetric key paradigm, a MAC (Message Authentication Code) is used for preserving message integrity and message origin authentication. The design of a MAC should not only consider achieving security, but also target attaining efficiency. In the literature, three different approaches to designing a MAC exist: (a) universal hash function based MAC, a popular example of which is UMAC [8]; (b) compression function based MAC, like NMAC [2], HMAC [2], NI [1] etc.; (c) block cipher based MAC, such as CBC MAC [4], PMAC [9], OMAC [17] etc. Most of the popular MACs are block cipher based MACs, but each one of them suffers from the same problem: security is guaranteed only up to the birthday bound. When the block length of the underlying block cipher is 128 bits, the birthday bound does not seem to be a problem, as we are guaranteed 64 bits of security, which is well acceptable for many practical applications. But when we deal with a 64-bit block cipher (e.g. HIGHT [16], PRESENT [10]) as used in many light-weight crypto devices (e.g. RFID, smartcard), the birthday bound problem becomes the main bottleneck.

NMAC and HMAC. NMAC and its variant HMAC [2] are the first re-keying compression function based MACs, where a key is appended to a message and then the appended message is hashed using the Merkle-Damgård technique. It has been standardized in [3] and has become popular and widely used in many network protocols like SSH, IPSec, TLS etc. Bellare et al. in [2] prove that NMAC is a secure PRF based on the assumptions (i) f is a secure PRF and (ii) Casc_f is WCR (weakly collision resistant). HMAC, when instantiated with MD4 or SHA-1, plays the role of Casc_f, and both have been found not to satisfy the WCR property [37, 38]; hence the security proof of HMAC [2] stands void. To restore the PRF security of NMAC, Bellare in [6] revisits the proof and drops assumption (ii). Koblitz and Menezes in [22] criticize the way [6] discusses the practical implication of its result with respect to the uniform and non-uniform reductions used in the proof. Dodis et al. in [12] investigate the indifferentiability of HMAC from a keyed random oracle. In a recent line of research, generic attacks against iterated hash based MACs are being investigated [31, 3, 30, 5]. More recently, Gaži et al. in [14] showed a tight bound on NMAC. There is also a recent result [15] on the generic security analysis of NMAC and HMAC with input whitening. Yasuda in [40] proposed a novel way of iterating a compression function dedicated to the use of MAC, which is more efficient than standard HMAC and processes data much faster. In [4] Yasuda showed that the classical sandwich construction with Merkle-Damgård iteration based hashing provides a secure MAC, which is an alternative to HMAC useful in situations where the message size is small and high performance is required. A new secret-prefix MAC based on hash functions is presented in [45], which is similar to HMAC but does not require the second key. U. Maurer et al. in [7] presented a MAC construction, namely PDI, that transforms any Fixed-Input Length (FIL) MAC to an Arbitrary Input Length (AIL) MAC and investigated the tradeoff between the efficiency of the MAC and the tightness of its security reduction. In [8] a construction of an AIL MAC from a FIL MAC with a single key was presented, which is better than NI [1].

Beyond Birthday Secure MAC. We discuss two types of MACs in this category: one is block cipher based and the other is compression function based.

Block Cipher Based Beyond Birthday Secure MAC. Recently, many MAC constructions have been proposed with security beyond the birthday barrier without degrading performance. The first attempt was made in ISO 9797-1 [3] without a security proof. But Algorithm 4 of ISO 9797-1 was attacked by Joux et al. [20], which falsified the security bound. Algorithm 6 of ISO 9797-1 was proven to be secure against O(2^{2n/3}) queries with restrictions on the message length [46]. In [46] Yasuda also presented SUM-ECBC, a 4-key rate-1/2 construction with beyond birthday bound security. In 2011, Yasuda improved the number of keys and the rate over SUM-ECBC and proposed a 3-key rate-1 PMAC Plus construction [47] with beyond birthday security. In 2012, Zhang et al. [50] proposed a 3-key version of the f9 MAC (3kf9) that achieves BBB security. There is also another deterministic MAC mode that provides security beyond the birthday bound. Given an n-bit to n-bit fixed-key block cipher with MAC security ɛ against q queries, Dodis et al. [13] have designed a variable-length MAC achieving O(ɛq poly(n)) MAC security. However, this design requires even longer keys and more block cipher invocations. By the parity method, Bellare et al. present MACRX [3] with BBB security, conditioned on the input parameters being random and distinct. In [18], Jaulmes et al. proposed a randomized MAC that provides BBB security based on the ideal model (or possibly based on a tweakable block cipher). Another BBB secure randomized construction, called generic enhanced hash-then-MAC, has been proposed in [9] by Minematsu. In [4], the authors propose a tweakable block-cipher based two-key rate-2 BBB-secure MAC with security margin O(q^2 l^2/2^{2n}). Recently Datta et al. in [11] unified PMAC Plus and 3kf9 in the one-key setting with beyond birthday security.

Compression Function Based Beyond Birthday Secure MAC. Besides the block cipher based BBB MAC constructions, Yasuda in [41] proposed a compression function based MAC construction, Multi-lane HMAC, that achieves BBB security. In [44] Yasuda presented a double pipe mode of operation (Lucks' construction [6]) for constructing an AIL MAC from a FIL MAC that achieves BBB security. This work is further extended to provide full security in [48]. In [43] Yasuda proposed a fixed single-keyed compression function based cascaded MAC in which, for an l-block message, one needs to compute l different masks, all generated from a single initial mask using field multiplication. The security of the scheme has been proved to be O(lq^2/2^n). Further improvement on [43] follows in [49].

Fixed-Key MAC. An et al. in [1] proposed a fixed-keyed compression function based MAC called NI-MAC. The construction of NI-MAC is similar to that of NMAC [2]; the only difference is that NI-MAC uses two independent keyed compression functions f_{K1}, f_{K2}. The motivation for designing NI was to avoid constant re-keying on multi-block messages in NMAC and to allow for a security proof starting with the standard switch from a PRF to a random function, followed by an information-theoretic analysis. We mention here that the security proof technique for re-keying compression function based MACs is completely different from that of fixed-keyed compression function based MACs. The security of the former is proved using a reduction argument, whereas that of the latter is proved by replacing the fixed-keyed compression function with a random function. Gaži et al. in [14] revisited the proof of NI-MAC and gave a tight birthday bound of O(lq^2/2^n), a better bound than the earlier O(l^2 q^2/2^n).

Our Contributions. We have the following two main contributions.

(1) We propose a fixed-key compression function based MAC, NI+, with rate b/(b + n), which is an extension of the existing NI-MAC and achieves beyond-birthday security with security bound O(q^2 l^2/2^{2n}), where b is the block length and n is the number of output bits. Our proposed construction not only lifts the security of NI beyond birthday (Sect. 4), but also reduces the number of required keys from two (NI uses two independent keys) to one.

(2) Yasuda in [43] proposed a rate-1, one-pass mode BBB secure MAC with a beyond birthday security bound of O(lq^2/2^n). The construction uses a keyed compression function f_k from b′ bits to n bits and a b′-bit initial mask, where one needs to store the mask value. Note that the assumption in the construction of [43] is b′ ≥ n. Now, for processing a message of l blocks, one needs to compute l further masks, all derived from the initial mask using field multiplication. The state size of Yasuda's proposed construction is 2(b′ + n), as one needs to store the b′-bit masking value and the b′-bit checksum value along with two n-bit partial outputs. In this regard, our construction NI+ is a rate-b/(b + n) single-keyed compression function based MAC that uses a keyed compression function f_k from (b + n) bits to n bits, where b > n. Our construction does not use any mask and therefore the state size of NI+ is reduced to (b + 2n), as one needs to store the b-bit checksum value along with two n-bit partial outputs. However, to compare the state size of Yasuda's construction with our design, one needs to consider compression functions with the same input size in both schemes, i.e., one needs to replace the input size (b′) of the compression function used in the construction of [43] by b + n, which gives a state size for Yasuda's scheme of 2(b + n) + 2n = 2(b + 2n), twice our state size. Though reducing this state size to n bits was posed as an open problem in [43, Section 7], our construction has slightly improved the state size, albeit at the cost of an extra factor of l in the security bound. However, we note that this bound is comparable to that of [43] for light-weight applications, in which l is usually small.

In the following table we show the different parameters and the security bound of known stateless and deterministic BBB secure MACs. We write BC to denote a block cipher based MAC in which the underlying primitive is a block cipher; CF_rk denotes a re-keying compression function based MAC in which the underlying primitive is a compression function (e.g. HMAC); CF_fk denotes a fixed-keyed compression function based MAC (e.g. NI).

Footnote 1: Rate is b/(rs), where b is the size of a message block, s is the total input size of the function without the key part and r is the total number of function calls to process a single message block.

Footnote 2: In [43] the author mistakenly stated the state size of the construction as b′ + 2n bits, without considering the state size required for storing the b′-bit mask; thus the state size eventually becomes 2(b′ + n).

Construction              Type    # Keys   Rate         Security Bound        State size (#bits)
SUM-ECBC [46]             BC      4        1/2          O(l^3 q^3/2^{2n})     2n
PMAC Plus [47]            BC      3        1            O(l^3 q^3/2^{2n})     4n
3kf9 [50]                 BC      3        1            O(l^3 q^3/2^{2n})     2n
1kf9 [11]                 BC      1        1            O(q^3 l^4/2^{2n})     2n
1k PMAC+ [11]             BC      1        1            O(q^3 l^4/2^{2n})     4n
L-Lane (L = 2) HMAC [41]  CF_rk   3        1/2          O(l^2 q^2/2^{2n})     2n
1-pass mode [43]          CF_fk   1        1            O(lq^2/2^n)           2b + 4n
NI+ [This paper]          CF_fk   1        b/(b + n)    O(l^2 q^2/2^{2n})     b + 2n

2 Preliminaries

In this section, we briefly discuss the notations and definitions used in this paper. We also state some existing basic results. We denote by |S| the cardinality of a set S. Let x ←$ S denote that x is chosen uniformly at random from S. [n] denotes the set of integers {1, 2, ..., n}. (s)_n denotes the last n-bit substring of a b-bit string s. Let M be a binary string over {0, 1}. The length of M in bits is denoted by |M|. When |M| mod b ≠ 0, we pad 10^d to M to make |M| mod b = 0, where d = n − 1 − |M| mod b and b denotes the block length of M. M_1 M_2 ... M_l denotes the partition of the message M after M has been padded, where each M_i ∈ {0, 1}^b and l denotes the number of blocks of M. l also denotes the maximum number of blocks in a message. By a q-set or a q-tuple x := (x_i : i ∈ I) for an index set I, we mean a set or a tuple of size q. When all elements x_i are distinct we write x ∈ dist_q.

Random Functions. Let Func(A, B) denote the set of all functions from A to B. A random function F is a function which is chosen from Func(A, B) following some distribution, not necessarily uniform. In particular, a function ρ_n is said to be a uniform random function if ρ_n is chosen uniformly at random from the set of all functions from a specified finite domain D to {0, 1}^n. Throughout the paper we fix a positive integer n. We will specify a uniform random function by performing lazy sampling. In lazy sampling, initially the function ρ is undefined at every point of its domain. We maintain a set Dom(ρ) that grows dynamically to keep a record of the already defined domain points of ρ. Dom(ρ) is initialized to be empty. If x ∉ Dom(ρ) then we choose y ←$ {0, 1}^n and add x to Dom(ρ). In this regard, x is said to be fresh. On the other hand, if x ∈ Dom(ρ) (i.e. x = x′ for some already defined x′) then y ← ρ(x′). In this regard x is said to be covered.

Security Definitions. We consider that an adversary A is an oracle algorithm with access to its oracle O(·) which outputs either 1 or 0. Accordingly, we write A^{O(·)} = 1 or 0. The resources of A are measured in terms of the time complexity t, which takes into account the time it takes to interact with its oracle O(·) and the time for its internal computations; the query complexity q, which is the number of queries asked to the oracle by the adversary; and the data complexity l, which is the maximum number of blocks in each query.

Pseudo-Random Function. We define the distinguishing advantage of an oracle algorithm A for distinguishing two random functions F and G as Adv_A(F; G) := |Pr[A^F = 1] − Pr[A^G = 1]|. We define the PRF-advantage of A for an n-bit construction F by Adv^prf_F(A) := Adv_A(F; ρ_n). We call A a (q, l, t)-distinguisher if it makes at most q queries with at most l blocks in each query and runs in time at most t. We write Adv^prf_F(q, l, t) = max_A Adv^prf_F(A), where the maximum is taken over all (q, l, t)-distinguishers A. In the information-theoretic situation we also ignore the time parameter t. We call a keyed construction F a (q, l, ɛ)-PRF if Adv^prf_F(q, l) ≤ ɛ. Informally, F is called a secure PRF if ɛ is negligible.

Collision-Free and Cover-Free. Now we define some other information-theoretic security advantages (in which there is no adversary present). Let H be a random function which outputs two n-bit blocks, denoted by (Σ, Θ) ∈ ({0, 1}^n)^2. For a q-tuple of distinct messages M = (M^1, ..., M^q), we write H(M^i) = (Σ^i, Θ^i). For the q-tuple of pairs (Σ^i, Θ^i), we say that
1. A tuple (Σ^i, Θ^i) is collided if ∃ i, j ∈ [q], i ≠ j, such that Σ^i = Σ^j and Θ^i = Θ^j. Otherwise the tuple is said to be collision-free.
2. A tuple (Σ^i, Θ^i) is covered if ∃ i, j ∈ [q] such that Σ^i = (M^j_α)_n and Θ^i = Y^j_{α−1}, where α ∈ [l] or α ∈ [l′] and j may be equal to i; M^j_α denotes the α-th block of the j-th message M^j and Y^j_{α−1} is the n-bit binary string that denotes the output of the (α−1)-th block corresponding to the j-th message M^j. Otherwise the tuple is said to be cover-free.

Definition 1. We define the (q, l)-collision advantage and the (q, l)-cover-free advantage as
Adv^coll_F(q, l) = max_{M ∈ dist_q} Pr[(Σ^i, Θ^i) is not collision-free],
Adv^cf_F(q, l) = max_{M ∈ dist_q} Pr[(Σ^i, Θ^i) is not cover-free].
Clearly, Adv^coll_F(q, l) ≤ q^2 Adv^coll_F(2, l). Similarly, Adv^cf_F(q, l) ≤ q^2 Adv^cf_F(2, l). So it is sufficient to concentrate on a pair of messages while bounding the collision-free or cover-free advantage. We say that a construction F is (q, l, ɛ)-xxx if Adv^xxx_F(q, l) ≤ ɛ, where xxx denotes either collision-free or cover-free.

2.1 Structure Graphs

In this section, we briefly revisit the structure graph analysis [5, 14]. Consider a cascaded construction with a function f, where f is a uniform random function, that works on a message M = M_1 M_2 ... M_l of length l blocks as follows: Y_0 = 0, and Y_i = f(Y_{i−1}, M_i) for i = 1, ..., l, where M_i is the i-th block of the message M. Informally, for a set of any two fixed distinct messages M = {M^1, M^2} and a uniformly chosen random function f, we construct the structure graph G^f(M) with {0, 1}^n as the set of nodes as follows. We follow the computations for M^1 followed by those of M^2, creating nodes labelled by the values y_i of the intermediate chaining variables Y_i, with the edge (y_i, y_{i+1}) labelled by the block M_{i+1}. In this process, if we arrive at a vertex already labelled while not following an existing edge, we call this event an f-collision.³ The sequence of alternating vertices and edges corresponding to the computations for a message M^j is called an M^j-walk or, more generally, a message walk, denoted by W^j. A more formal discussion of structure graphs appears in Appendix A. Let G(M) denote the set of all structure graphs corresponding to the set of messages M (obtained by varying f over the function family). For a fixed graph G ∈ G(M), let fcoll(G) denote the set of all f-collisions in G. We state the following results.

Proposition 1. [14, Lemma 2] For a fixed graph G, Pr_f[G^f(M) = G] ≤ 2^{−n·|fcoll(G)|}.

Proposition 2. Pr[G ←$ G(M) : |fcoll(G)| ≥ 3] ≤ 27l^6/2^{3n}, where l is the total number of blocks of the messages in M.

The proof of the Proposition can be found in Appendix B. It is to be noted that for the CBC-MAC analysis [5], f(α, β) is taken as π(α ⊕ β), and for the NI-MAC analysis [14], f(α, β) is taken as ρ(α ‖ β), where π is a random permutation over n bits and ρ is a random function from b + n bits to n bits, b being the message block length and n the length of the chaining variable as well as of the tag.

3 Proposed Construction of NI+ for Beyond-Birthday Secure MAC

We present the schematic diagram of NI+ in Fig. 3.1, followed by the description in Algorithm 1. Let f_k : {0, 1}^{b+n} → {0, 1}^n be a keyed function from b + n bits to n bits, where b > n, b refers to the block length of a message block and n refers to the output length in bits. Let M ∈ {0, 1}^{bl}. So we can write M = (M_1, M_2, ..., M_l), where each M_i ∈ {0, 1}^b. We define a checksum block CS = ⊕_{i=1}^{l} M_i.

Footnote 3: We use the terms collision and accident interchangeably.

Fig. 3.1. Construction of NI+ MAC (the cascade f_k over M_1, ..., M_l from Y_0 = 0^n, one more call of f_k on (CS, Y_l) giving Σ, Θ as the XOR of Y_1, ..., Y_l and Σ, and the final call f_k(c ‖ Σ, Θ) giving T).

Algorithm 1: Algorithm for NI+ MAC
Input: f_k with k ←$ K, M ∈ {0, 1}*, c ← 10^{b−n−1}
Output: T ∈ {0, 1}^n
    M_1 M_2 ... M_l ← M ‖ 10*;        // l is the number of message blocks in M
    Z ← 0^n; Y ← 0^n;
    for i = 1 to l do
        Y ← f_k(M_i, Y); Z ← Z ⊕ Y;
    end
    CS ← ⊕_{i=1}^{l} M_i; Y ← f_k(CS, Y); Z ← Z ⊕ Y;
    Σ ← Y; Θ ← Z;
    T ← f_k(c ‖ Σ, Θ);
    Return T;

We denote Casc_{f_k}(M) := f_k(... (f_k(f_k(0, M_1), M_2), ...), M_l). The output of Casc_{f_k}(M) together with the checksum block CS is passed through the same function f_k, and the output is denoted Σ. We obtain Θ by XOR-ing all the intermediate chaining values (i.e. ⊕_{i=1}^{l} Y_i ⊕ Σ). We concatenate the fixed (b − n)-bit string c = 10^{b−n−1} with the 2n-bit string Σ ‖ Θ to match the input size of f_k, and then the entire concatenated (b + n)-bit string (i.e. c ‖ Σ ‖ Θ) is passed through f_k, which finally outputs the tag T. We sometimes denote CS by M_{l+1}.

Note that NI+ is similar to NI up to Casc_{f_k}(M), except for the following differences. A schematic diagram of NI is given in Appendix C.
(a) In the NI construction, the b-bit encoding of |M| and the last message block output Y_l are passed through a different keyed compression function f_{k2}. In NI+, we substitute the b-bit length encoding by the checksum block CS. Moreover, CS and Y_l are passed through the same keyed compression function.
(b) NI is a two fixed-keyed compression function based MAC. NI+ is a single fixed-keyed compression function based MAC.
(c) NI provides only birthday bound (lq^2/2^n) security. NI+ provides beyond birthday bound security (q^2 l^2/2^{2n}) when l ≤ 2^{n/4}.

Remark 1. We note that beyond birthday security is not achievable if we just keep the original structure of NI-MAC and output Σ as the last block output (i.e. Σ = f_{K2}(|M|, Y_l)) and Θ as the sum of all intermediate chaining variables (i.e. Θ = ⊕_{i=1}^{l} Y_i ⊕ Σ), as a birthday bound attack follows from Preneel and van Oorschot's attack [33].

4 Security Analysis of NI+-MAC

Gaži et al. in [14] have shown that the advantage of NI-MAC is bounded above by (q^2/2^n)(l + 64l^4/2^n). In this section we analyze the advantage of our construction NI+-MAC and show that NI+-MAC achieves beyond birthday bound security, better than that of NI-MAC. Thus we have the following theorem.

Theorem 1. Let f : {0, 1}^k × {0, 1}^b × {0, 1}^n → {0, 1}^n be an (ɛ′, t′, q′)-secure PRF. Then NI+ is an (ɛ, t, q, l)-secure PRF, where
ɛ ≤ ɛ′ + q/2^n + q^2/2^{2n} + q^2 l^2/2^{2n} + q^2 l^4/2^{3n} + 54q^2 l^6/2^{3n},
with t′ = t + Õ(lq). Moreover, if l ≤ 2^{n/4} then ɛ ≤ ɛ′ + q/2^n + O(q^2 l^2/2^{2n}).

Proof. Let A be an adaptive PRF-adversary against NI+ running in time t and asking at most q queries, each of length at most l blocks. NI+ uses a single keyed function f. Now, if we replace f by a uniformly distributed random function r such that r ←$ Func({0, 1}^b × {0, 1}^n, {0, 1}^n) and call the resulting construction NI+_r, then using the standard reduction from the information-theoretic setting to the complexity-theoretic setting we have
Adv^prf_{NI+} ≤ ɛ′ + Adv^prf_{NI+_r}.
Therefore, to prove Theorem 1 we only need to prove
Adv^prf_{NI+_r} ≤ q/2^n + q^2/2^{2n} + q^2 l^2/2^{2n} + q^2 l^4/2^{3n} + 54q^2 l^6/2^{3n}.
Consider the following game, shown in Algorithm 2, where the adversary A queries the oracle O with distinct messages M and obtains the response T. Note that game G0 truly simulates a uniform random function and G1 simulates the actual construction NI+_r. Therefore, using the fundamental lemma of the game-playing technique [7], we have the following:
Adv^prf_{NI+_r} = |Pr[A^{G1} = 1] − Pr[A^{G0} = 1]| ≤ Pr[A^{G1} sets badsigma ∨ A^{G1} sets bad] ≤ Pr[A^{G1} sets badsigma] + Pr[A^{G1} sets bad].   (1)

Algorithm 2: Game G0 is without the boxed statement and G1 is with the boxed statement.
    initialize: badsigma, bad ← false;
    On the j-th query M^j:
        M^j_1 M^j_2 ... M^j_l ← Partition(M^j ‖ 10*), Y^j_0 = 0;
        for i = 1 to l:
            if ((M^j_i, Y^j_{i−1}) ∈ Dom(f)) Y^j_i ← f(M^j_i, Y^j_{i−1});
            else Y^j_i ←$ {0, 1}^n;
                 f(M^j_i, Y^j_{i−1}) ← Y^j_i;
                 Dom(f) ← Dom(f) ∪ {(M^j_i, Y^j_{i−1})};
        if ((⊕_{i=1}^{l} M^j_i, Y^j_l) ∈ Dom(f)) Y^j_{l+1} ← f(⊕_{i=1}^{l} M^j_i, Y^j_l);
        else Y^j_{l+1} ←$ {0, 1}^n;
             f(⊕_{i=1}^{l} M^j_i, Y^j_l) ← Y^j_{l+1};
             Dom(f) ← Dom(f) ∪ {(⊕_{i=1}^{l} M^j_i, Y^j_l)};
        Σ^j ← Y^j_{l+1}, Θ^j ← ⊕_{i=1}^{l+1} Y^j_i;
        if (Σ^j = 0) badsigma ← true;
        T^j ←$ {0, 1}^n;
        if ((Σ^j, Θ^j) = (Σ^i, Θ^i) for some i ∈ {1, 2, ..., j − 1}, or (c ‖ Σ^j, Θ^j) = (M^i_s, Y^i_{s−1}) such that s ∈ [l + 1] or s ∈ [l′ + 1], where i may also equal j):
            if (¬bad):
                Coll(i, j) ← true, bad ← true;
                [boxed] if ((Σ^j, Θ^j) = (Σ^i, Θ^i)) T^j ← f(Σ^i, Θ^i); else T^j ← f(M^i_s, Y^i_{s−1});
        Return T^j;

Therefore, we now evaluate the probability Pr[A^{G1} sets bad]. To evaluate this, let us define a double block function H_f(M) := (Σ, Θ) with respect to a uniform random function f. Recall that the tuple H_f(M^i) := (Σ^i, Θ^i), i ∈ [q], is said to be collision-free if either Σ^i ≠ Σ^j or Θ^i ≠ Θ^j or both, for all j ∈ [i − 1]. Similarly, the tuple (Σ^i, Θ^i) is said to be cover-free if either Σ^i ≠ (M^j_α)_n or Θ^i ≠ Y^j_{α−1} or both, for all j ∈ [i]. Therefore, it is easy to see that
Pr[A^{G1} sets bad] ≤ Adv^coll_H(q, l) + Adv^cf_H(q, l) ≤ q^2 (Adv^coll_H(2, l) + Adv^cf_H(2, l)).   (2)
Now we state the following lemma, the proof of which is deferred to the next section. The first three cases of the lemma bound the collision-free advantage and the last three cases bound the cover-free advantage of the function H_f(·).

Notation: Let E_coll denote the collision event (i.e. Σ^i = Σ^j ∧ Θ^i = Θ^j) and E_cf denote the covered event (i.e. Σ^i = x ∧ Θ^i = Y^s_t) for some n-bit constant x. W^i denotes the walk graph corresponding to the message M^i. Y^i denotes the vector of intermediate computations (i.e. (Y^i_1, Y^i_2, ..., Y^i_l)). l and l′ denote the message length in number of blocks of M^i and M^j respectively. When M^i is not a prefix of M^j and M^j is not a prefix of M^i, p denotes the length of the longest common prefix (LCP) of M^i and M^j. That means M^i_{p+1} ≠ M^j_{p+1} and M^i_α = M^j_α for 1 ≤ α ≤ p. Let G(M^i, M^j) denote the set of all structure graphs corresponding to the two fixed messages M^i and M^j. G^a ⊆ G(M^i, M^j) is the set of all structure graphs with a accidents, where in this paper we consider a = 0, 1, 2. Moreover, when a = 1 or 2 we denote by G^a_nl ⊆ G^a the set of all structure graphs such that none of the two message walks W^i, W^j contains a loop. G^a_l denotes the set of all remaining structure graphs. Moreover, G^a = G^a_nl ∪ G^a_l for a = 1, 2.

Lemma 1. Let us consider G ←$ G(M^i, M^j), where M^i and M^j are any two distinct messages, each of length at most l blocks, and a particular n-bit constant x. We have the following:
Case (A): Pr[E_coll ∧ |fcoll(G)| = 0] ≤ 1/2^{2n}.
Case (B): Pr[E_coll ∧ |fcoll(G)| = 1] ≤ l^2/2^{2n}.
Case (C): Pr[E_coll ∧ |fcoll(G)| = 2] ≤ l^4/2^{3n}.
Case (D): Pr[E_cf ∧ |fcoll(G)| = 0] ≤ 1/2^{2n}.
Case (E): Pr[E_cf ∧ |fcoll(G)| = 1] ≤ l^2/2^{3n}.
Case (F): Pr[E_cf ∧ |fcoll(G)| = 2] ≤ l^4/2^{3n}.

Resuming the proof of Theorem 1: Now we have all the material to prove Theorem 1, which is given in the following. It is easy to see that
Adv^coll_H(2, l) ≤ Σ_{k=0}^{2} Pr[E_coll ∧ |fcoll(G)| = k] + Pr[|fcoll(G)| ≥ 3],
Adv^cf_H(2, l) ≤ Σ_{k=0}^{2} Pr[E_cf ∧ |fcoll(G)| = k] + Pr[|fcoll(G)| ≥ 3].
Therefore, we have the following results:
Adv^coll_H(2, l) ≤ 1/2^{2n} + l^2/2^{2n} + l^4/2^{3n} + 27l^6/2^{3n}.   (3)
Adv^cf_H(2, l) ≤ 1/2^{2n} + l^2/2^{2n} + l^4/2^{3n} + 27l^6/2^{3n}.   (4)
Equation (3) follows from Cases (A), (B) and (C) of Lemma 1. Similarly, Equation (4) follows from Cases (D), (E) and (F) of Lemma 1. Substituting Equations (3) and (4) into Equation (2) we obtain
Pr[A^{G1} sets bad] ≤ q^2/2^{2n} + q^2 l^2/2^{2n} + q^2 l^4/2^{3n} + 54q^2 l^6/2^{3n}.
Moreover, it is easy to see that Pr[A^{G1} sets badsigma] ≤ q/2^n. Therefore, substituting these two probability expressions back into Equation (1) gives
Adv^prf_{NI+_r} ≤ q/2^n + q^2/2^{2n} + q^2 l^2/2^{2n} + q^2 l^4/2^{3n} + 54q^2 l^6/2^{3n}.
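As an added illustration (not code from the paper), the following Python implements Algorithm 1 with a stand-in keyed compression function and, for the information-theoretic setting of Game G1, the lazily sampled random function of Sect. 2; it exposes the double-block function H_f(M) = (Σ, Θ) so that the collision and cover events bounded in Lemma 1 can be checked concretely on a sequence of queries. The block size b = 64 bits, n = 32 bits and the use of HMAC-SHA256 truncated to n bits as f_k are assumptions made here for the example.

```python
import hashlib
import hmac
import secrets

# Toy parameters (assumptions for this example; the paper only requires b > n).
B = 8   # b = 64-bit message blocks, in bytes
N = 4   # n = 32-bit chaining value and tag, in bytes
# c = 1 0^{b-n-1}: the fixed (b-n)-bit prefix so that c || Sigma is exactly b bits.
C_PREFIX = b"\x80" + bytes(B - N - 1)


def xor(x, y):
    return bytes(a ^ b for a, b in zip(x, y))


def pad_and_split(msg):
    """M || 10* padding to a multiple of b bits (applied unconditionally,
    as in Algorithm 1), then the partition M_1 .. M_l into b-bit blocks."""
    padded = msg + b"\x80"
    padded += bytes((-len(padded)) % B)
    return [padded[i:i + B] for i in range(0, len(padded), B)]


def make_keyed_f(key):
    """Stand-in for the keyed compression function f_k : {0,1}^{b+n} -> {0,1}^n.
    HMAC-SHA256 truncated to n bits is an assumption for this example only."""
    def f(block, chain):
        assert len(block) == B and len(chain) == N
        return hmac.new(key, block + chain, hashlib.sha256).digest()[:N]
    return f


class LazyRandomFunction:
    """Uniform random function {0,1}^{b+n} -> {0,1}^n defined by lazy sampling:
    Dom(f) is the set of points already queried (Sect. 2 and Game G1)."""

    def __init__(self):
        self.table = {}

    def is_fresh(self, block, chain):
        return (block, chain) not in self.table

    def __call__(self, block, chain):
        x = (block, chain)
        if x not in self.table:                    # fresh: sample y uniformly
            self.table[x] = secrets.token_bytes(N)
        return self.table[x]                       # covered: reuse the stored y


def ni_plus_hash(f, msg):
    """The double-block function H_f(M) = (Sigma, Theta) of Sect. 4: the cascade
    over M_1..M_l, then one more call on the checksum CS = M_1 ^ ... ^ M_l, with
    Theta the XOR of every chaining value including Sigma.
    Returns (Sigma, Theta, [Y_1, ..., Y_{l+1}])."""
    blocks = pad_and_split(msg)
    y, z, ys = bytes(N), bytes(N), []
    for m in blocks:
        y = f(m, y)               # Y_i = f(M_i, Y_{i-1})
        z = xor(z, y)
        ys.append(y)
    cs = bytes(B)
    for m in blocks:
        cs = xor(cs, m)
    y = f(cs, y)                  # Sigma = f(CS, Y_l): same key, no second function
    z = xor(z, y)
    ys.append(y)
    return y, z, ys


def ni_plus_mac(f, msg):
    """Tag T = f(c || Sigma, Theta); the whole input is b + n bits."""
    sigma, theta, _ = ni_plus_hash(f, msg)
    return f(C_PREFIX + sigma, theta)


def collision_free(pairs):
    """A list of (Sigma, Theta) pairs is collision-free if no two pairs coincide."""
    return len(set(pairs)) == len(pairs)


def final_input_fresh(r, msg):
    """In Game G1 the tag of a new query is a fresh uniform value exactly when
    (c || Sigma, Theta) is not yet in Dom(f): the 'bad' flag covers both a
    collision with an earlier (Sigma, Theta) and a cover by some (M_s, Y_{s-1})."""
    sigma, theta, _ = ni_plus_hash(r, msg)
    return r.is_fresh(C_PREFIX + sigma, theta)
```

Running `ni_plus_hash` with a `LazyRandomFunction` over a set of distinct queries and then testing `collision_free` and `final_input_fresh` reproduces, for small toy n, the events whose probabilities Lemma 1 bounds.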

4.1 Proof of Lemma 1

We prove all the following cases using structure graph analysis. After fixing two distinct messages we choose a structure graph uniformly at random from the set of all structure graphs. Then we analyze mainly the two events E_coll and E_cf in view of the number of collisions that occurred in the randomly chosen structure graph G. Therefore, we have
Pr[E_coll ∧ |fcoll(G)| = a] = Σ_{H ∈ G^a} Pr[E_coll ∧ G = H],
Pr[E_cf ∧ |fcoll(G)| = a] = Σ_{H ∈ G^a} Pr[E_cf ∧ G = H].
It is easy to see that |G^a| ≤ l^{2a}, as a structure graph is uniquely determined by the accidents that occurred in the graph once the two messages are fixed. Therefore, we only need to bound (i) Pr[E_coll | G = H] and (ii) Pr[E_cf | G = H] for a fixed structure graph H having a accidents, where we consider a = 0, 1 or 2.

Case (A): Proof of Pr[E_coll ∧ |fcoll(G)| = 0] ≤ 1/2^{2n}. We fix a structure graph H ∈ G^0 and then analyze the probability of the event E_coll with respect to H on a case-by-case basis.

Case (i) When neither of M^i and M^j is a prefix of the other, we recall that p is the LCP of M^i and M^j. Therefore, all Y^i_α and Y^j_β are distinct, where p + 1 ≤ α ≤ l and p + 1 ≤ β ≤ l′. Moreover, Y^i_α ≠ Y^j_α for p + 1 ≤ α ≤ min{l, l′}, as the number of collisions in H is 0. Therefore, we have
Pr[E_coll | G = H] = Pr[Θ^i = Θ^j | G = H ∧ Σ^i = Σ^j] · Pr[Σ^i = Σ^j].
It is obvious that Pr[Σ^i = Σ^j] ≤ 1/(2^n − l), and the event Θ^i = Θ^j | G = H conditioned on the event Σ^i = Σ^j implies a non-trivial equation on Y, as we obtain Y^i_{p+1} and Y^j_{p+1} for which Θ^i ⊕ Θ^j = 0 becomes non-trivial. Thus, Pr[Θ^i = Θ^j | G = H ∧ Σ^i = Σ^j] ≤ 1/(2^n − l). Therefore, Pr[E_coll | G = H] ≤ 1/2^{2n}, assuming l ≤ 2^{n−1}.

Case (ii) Consider that one of the two messages is a prefix of the other (w.l.o.g. M^j is a prefix of M^i). Since l > l′, we have p = l′. Since the number of collisions in H is 0, Y^i_{p+1}, ..., Y^i_l are all distinct from each other and from Y^j_1, ..., Y^j_{l′}. This implies that Y^i_l ≠ Y^j_{l′}, as depicted in Fig. 4.1. Therefore, the probability of Θ^i = Θ^j | G = H conditioned on the event Σ^i = Σ^j is O(1/2^n), as we obtain two random variables Y^i_l and Y^j_{l′} for which Θ^i ⊕ Θ^j = 0 becomes non-trivial. Moreover, Pr[Σ^i = Σ^j] ≤ 1/2^n. Therefore, again, Pr[E_coll | G = H] ≤ 1/2^{2n}. Since |G^0| = 1, we have Pr[E_coll ∧ |fcoll(G)| = 0] ≤ 1/2^{2n}.

Fig. 4.1. Structure graph with 0 accident.

Case (B): Proof of $\Pr[E_{coll} \wedge fcoll(G) = 1] \le \frac{l^2}{2^{2n}}$. Like the earlier case, we fix a structure graph $H \in G^1$ and then analyze the probability of the event $E_{coll}$ with respect to $H$ on a case-by-case basis. Since $G^1 = G^1_{nl} \cup G^1_l$, it follows that $H \in G^1_{nl}$ or $H \in G^1_l$. We analyze each case separately as follows:

Case (B.1) When $H \in G^1_{nl}$. It essentially implies that $H$ is the union of two walk graphs $W_i, W_j$ such that $W_i$ and $W_j$ are paths. Without loss of generality, we consider $l \ge |W_j|$.
Case (B.2) When $H \in G^1_l$. It implies that either of the walks $W_i$ or $W_j$ contains a loop.

(B.1) Analysis of $G^1_{nl}$. Let us consider $H \in G^1_{nl}$. First of all we would like to note that if $M_j$ is a proper prefix of $M_i$ then $|G^1_{nl}| = 0$, as in that case the number of accidents of $H$ will be 0. So, without loss of generality, let us assume that $M_j$ is not a prefix of $M_i$ and $p$ is the LCP of $M_i$ and $M_j$. Therefore, $Y^i_\alpha = Y^j_\alpha$, $1 \le \alpha \le p$. As the number of collisions is 1, let the colliding pair be $(Y^i_{\beta_i}, Y^j_{\beta_j})$, where $p + 1 \le \beta_i \le l$, $p + 1 \le \beta_j \le |W_j|$.

Case (i) Let $\beta_i = \beta_j = p + 1$ and $l = |W_j|$, and after the collision $Y^i_\beta = Y^j_\beta$ for $p + 2 \le \beta \le l$. In this case, it is clear that the checksum block $CS_i$ of the $i$-th message and the checksum block $CS_j$ of the $j$-th message would not be equal, and therefore even if $Y^i_l = Y^j_{|W_j|}$, the event $\Sigma_i = \Sigma_j$ would not be trivial. So, even though $\Pr[\Theta_i = \Theta_j \mid \Sigma_i = \Sigma_j \wedge G = H] = 1$, the required randomness will be obtained from the following two equations: (i) $Y^i_{p+1} \oplus Y^j_{p+1} = 0$, (ii) $\Sigma_i \oplus \Sigma_j = 0$, such that the rank of the system of equations is 2. Therefore, $\Pr[E_{coll} \wedge G = H] \le \frac{1}{2^{2n}}$.

Case (ii) Let $\beta_i = \beta_j = p + 1$ and $l = |W_j|$, and after the collision $Y^i_\beta \ne Y^j_\beta$ for $p + 2 \le \beta \le l$. Then we will always obtain $Y^i_k$ and $Y^j_{k'}$ such that $\Theta_i = \Theta_j$ is non-trivial for some $k, k'$. Therefore, again in this case we have $\Pr[E_{coll} \wedge G = H] \le \frac{1}{2^{2n}}$.

Case (iii) Let $\beta_i = \beta_j = p + 2$ and $l = |W_j|$, and $Y^i_\beta = Y^j_\beta$ for $p + 3 \le \beta \le l$; then $\Theta_i = \Theta_j$ would imply $Y^i_{p+1} = Y^j_{p+1}$, which creates one more collision and violates the condition that the structure graph has only one collision.

Therefore, in general, we assume that the colliding pair is $(Y^i_{\beta_i}, Y^j_{\beta_j})$, where $p + 1 \le \beta_i \le l$, $p + 1 \le \beta_j \le |W_j|$. Since the number of collisions allowed in $H$ is 1, after the collision point either $W_i$ and $W_j$ follow the same path, or they get bifurcated right from the collision point and never meet again. If $W_i$ and $W_j$ follow the same path, then for Case (i) we have shown that we can ensure the probability $O(1/2^{2n})$. If not, then except for Case (iii), where $\beta_i = \beta_j = p + 2$, we will obtain two random variables $Y^i_k$ and $Y^j_{k'}$ such that the equation $\Theta_i \oplus \Theta_j = 0$ becomes non-trivial. If $W_i$ and $W_j$ get bifurcated right after the collision point, then the equality of $\Theta$ becomes non-trivial for the two random variables $Y^i_{p+1}$ and $Y^j_{p+1}$, as depicted in (a) and (b) of Fig. 4.2. Note that it is easy to follow that we will always obtain two such random variables.

Fig. 4.2. Structure graphs with 1 accident. (a) and (b): no loop, (c) and (d): one loop.

Case (iv) Finally, if $\beta_i = l$ and $\beta_j = |W_j|$, then one can easily find two random variables from the set $\{Y^i_{p+1}, \ldots, Y^i_{l-1}\} \cup \{Y^j_{p+1}, \ldots, Y^j_{|W_j|-1}\}$ such that the equation on $\Theta$ becomes non-trivial. Therefore, in each of the above cases we have obtained $\Pr[E_{coll} \wedge G = H] \le \frac{1}{2^{2n}}$. Since $|G^1_{nl}| \le |G^1| \le l^2$, we have $\Pr[E_{coll} \wedge fcoll(G) = 1] \le \frac{l^2}{2^{2n}}$.

(B.2) Analysis of $G^1_l$. Let us fix a structure graph $H \in G^1_l$. Without loss of generality we assume that $W_i$ contains a loop. That means $\alpha$ is the smallest integer such that $Y^i_\alpha = Y^i_{\alpha+c}$ for some $c \ge 1$. Here $c$ denotes the loop size. Note that the loop actually creates a collision, and therefore neither (i) $W_j$ or $W_i$ makes another different loop, nor (ii) $W_j$ collides with $W_i$, as in both of these cases the number of collisions would increase to 2. Thus, the only possibilities are either (i) $W_j$ completely lies on $W_i$, or (ii) $W_j$ follows $W_i$ but after a point $W_j$ and $W_i$ get bifurcated and never meet. We will analyze the probability of the event $E_{coll} \wedge G = H$ separately for each of the above cases.

Case (i): $W_j$ completely lies on $W_i$. Let us assume $W_i = Y^i_1 \ldots Y^i_{\alpha-1} (Y^i_\alpha \ldots Y^i_{\alpha+c-1})^k Y^i_{\alpha+c+1} \ldots Y^i_l$ and $W_j = Y^j_1 \ldots Y^j_{\alpha-1} (Y^j_\alpha \ldots Y^j_{\alpha+c-1})^{k'} Y^j_{\alpha+c+1} \ldots Y^j_{|W_j|}$, where $k' \ge 0$. Now we have the following cases:

As $W_j$ lies on $W_i$, it is easy to see that if $k' = 0$ then $W_j$ is a subsequence of $Y^i_1 \ldots Y^i_{\alpha-1}$, and therefore one can ensure the non-triviality of the equation $\Theta_i \oplus \Theta_j = 0$, which holds with probability $\frac{1}{2^n}$. Moreover, $Y^i_l \ne Y^j_{|W_j|}$, and thus $\Sigma_i = \Sigma_j$ also holds with probability $\frac{1}{2^n}$; therefore $\Pr[E_{coll} \wedge G = H] \le \frac{1}{2^{2n}}$.

If $k' \ge 1$, then it is obvious that $Y^j_1 \ldots Y^j_{\alpha-1} = Y^i_1 \ldots Y^i_{\alpha-1}$. Now, if we assume that the length of the tail of $W_i$ (i.e. $Y^i_{\alpha+c+1} \ldots Y^i_l$) is the same as that of $W_j$, then it must have been the case that $k \ne k'$, and without loss of generality we can assume that $k > k'$. Since $Y^i_l = Y^j_{|W_j|}$, depending on the equality of $CS_i$ and $CS_j$ we have $\Pr[\Sigma_i = \Sigma_j \mid fcoll(G) = 1] = 1$. Therefore,

$\Pr[E_{coll} \wedge G = H] = \Pr[\Theta_i = \Theta_j \mid \Sigma_i = \Sigma_j \wedge G = H] \cdot \Pr[\Sigma_i = \Sigma_j \mid G = H] \cdot \Pr[G = H]$.

As $k > k'$, it is obvious that there must be at least two random variables $Y^i_s$ and $Y^i_{s'}$ for which $\Theta_i = \Theta_j$ becomes non-trivial, as depicted in (c) of Fig. 4.2. Thus, in the above equation, $\Pr[\Theta_i = \Theta_j \mid \Sigma_i = \Sigma_j \wedge G = H] \le \frac{1}{2^n}$ and $\Pr[G = H] \le \frac{1}{2^n}$. Therefore, $\Pr[E_{coll} \wedge G = H] \le \frac{1}{2^{2n}}$. Moreover, if we assume that the tail lengths of $W_i$ and $W_j$ are not the same (w.l.o.g. $tail(W_i) > tail(W_j)$), then we have either $k = k'$ or $k \ne k'$. The case $k = k'$ has already been taken care of. If $k \ne k'$ then $Y^i_l \ne Y^j_{|W_j|}$, and therefore $\Theta_i \oplus \Theta_j = 0$ becomes non-trivial for the random variables $Y^i_l$ and $Y^j_{|W_j|}$. Moreover, $\Pr[\Sigma_i = \Sigma_j] \le \frac{1}{2^n}$. Thus, $\Pr[E_{coll} \wedge G = H] \le \frac{1}{2^{2n}}$.

Case (ii): $W_j$ follows $W_i$ but after a point they get bifurcated and never meet. In this case $W_j$ bifurcates from $W_i$ right after some point $X$. This condition necessarily implies that $Y^i_l \ne Y^j_{|W_j|}$. Now it is to be noted that if $W_j$ completely lies on $W_i$ (as in $head(W_i) = head(W_j)$ and $k = k'$) and bifurcates right from the point $X = Y^i_{l-1}$, then $\Theta_i = \Theta_j$ would imply $Y^i_l = Y^j_{|W_j|}$, which introduces one more collision and hence the number of collisions would increase. Therefore, even if $head(W_i) = head(W_j)$, either $k \ne k'$ or $W_j$ must get bifurcated from $W_i$ at some point earlier than $Y^i_{l-1}$. In both of these cases one obtains at least two random variables (either from the portion of the loop or from the portion of the tail) $Y^i_s$ and $Y^i_{s'}$, for some $s$ and $s'$, that ensure the non-triviality of the equation on $\Theta$, as depicted in (d) of Fig. 4.2. Moreover, as $Y^i_l \ne Y^j_{|W_j|}$, this ensures that $\Pr[\Sigma_i = \Sigma_j] \le \frac{1}{2^n}$. Hence, $\Pr[E_{coll} \wedge G = H] \le \frac{1}{2^{2n}}$.

Therefore, in all of the above cases we have obtained $\Pr[E_{coll} \wedge G = H] \le \frac{1}{2^{2n}}$. Moreover, $|G^1_l| \le |G^1| \le l^2$. So, $\Pr[E_{coll} \wedge fcoll(G) = 1] \le \frac{l^2}{2^{2n}}$.

Case (C): Proof of $\Pr[E_{coll} \wedge fcoll(G) = 2] \le \frac{l^4}{2^{3n}}$. Like the analysis of Case (B), we first fix a graph $H \in G^2$ and analyze the probability of $E_{coll}$ with respect to $H$ on a case-by-case basis. With the same argument, either $H \in G^2_{nl}$ or $H \in G^2_l$.

Case (C.1) Let us consider $H \in G^2_{nl}$, which implies that none of the message walks $W_i$ or $W_j$ contains a loop.
Case (C.2) Let us consider $H \in G^2_l$, which implies that either of the message walks $W_i$ or $W_j$ contains a loop.

(C.1) Analysis of $G^2_{nl}$. Let $p$ be the LCP of $M_i$ and $M_j$. Since the number of accidents of $H$ is 2, we denote the collision pairs as $(Y^i_{\alpha_i}, Y^j_{\alpha_j})$ and $(Y^i_{\beta_i}, Y^j_{\beta_j})$, where $p + 1 \le \alpha_i, \beta_i \le l$ and $p + 1 \le \alpha_j, \beta_j \le |W_j|$.

Case (i) Let $l = |W_j|$, $\alpha_i = \alpha_j = p + 1$ and $\beta_i = \beta_j = p + 2$, and after the collision $Y^i_s = Y^j_s$ for $p + 3 \le s \le l$. This case boils down to the analysis of subcase (i) under Case (B.1). Therefore, even though $\Pr[\Theta_i = \Theta_j \mid \Sigma_i = \Sigma_j \wedge G = H] = 1$, we obtain the required randomness from the following three linearly independent equations: (i) $Y^i_{p+1} \oplus Y^j_{p+1} = 0$, (ii) $Y^i_{p+2} \oplus Y^j_{p+2} = 0$ and (iii) $\Sigma_i \oplus \Sigma_j = 0$, such that the rank of the system of equations becomes 3. Therefore, $\Pr[E_{coll} \wedge G = H] \le \frac{1}{2^{3n}}$.

Case (ii) This case is similar to Case (i) except that after the collision $Y^i_s \ne Y^j_s$. Again this case boils down to the analysis of subcase (ii) under Case (B.1). Therefore it is easy to see that the obtained rank of the linear system of equations will be at least 3. Therefore, in this case also we obtain $\Pr[E_{coll} \wedge G = H] \le \frac{1}{2^{3n}}$.

Case (iii) Let $l = |W_j|$ and the two collision points not be consecutive as in Case (i). We can also assume that after the final collision point (i.e. $Y^i_{\beta_i} = Y^j_{\beta_j}$), $Y^i_s = Y^j_s$ for $s \le l$. So we can obtain a system of linear equations of rank 3, such that $\Theta_i \oplus \Theta_j = 0$ along with the two collisions gives three linearly independent equations. Therefore, in this case we obtain $\Pr[E_{coll} \wedge G = H] \le \frac{1}{2^{3n}}$.

In general, we assume that the colliding pairs are $(Y^i_{\alpha_i}, Y^j_{\alpha_j})$ and $(Y^i_{\beta_i}, Y^j_{\beta_j})$, where $p + 1 \le \alpha_i, \beta_i \le l$, $p + 1 \le \alpha_j, \beta_j \le |W_j|$. Since the number of collisions allowed in $H$ is 2, after the first collision point $(Y^i_{\alpha_i}, Y^j_{\alpha_j})$, $W_i$ and $W_j$ must bifurcate and then meet each other to form the second collision point $(Y^i_{\beta_i}, Y^j_{\beta_j})$, and then $W_i, W_j$ either follow the same path or get bifurcated from the second collision point and never meet again. If $W_i$ and $W_j$ follow the same path, then for Case (i) we have shown that we can ensure the probability $O(1/2^{3n})$. If not, then we will obtain two random variables $Y^i_k$ and $Y^j_{k'}$ such that the equation $\Theta_i \oplus \Theta_j = 0$ becomes non-trivial. If $W_i$ and $W_j$ get bifurcated after the second collision point, then the equality of $\Theta$ becomes non-trivial for two random variables $Y^i_k$ and $Y^j_{k'}$, as depicted in (a) and (b) of Fig. 4.3. Note that it is easy to follow that we will always obtain two such random variables. Therefore, the obtained rank of the linear system comprising the equations $\Sigma_i \oplus \Sigma_j = 0$, $\Theta_i \oplus \Theta_j = 0$, $Y^i_{\alpha_i} \oplus Y^j_{\alpha_j} = 0$, $Y^i_{\beta_i} \oplus Y^j_{\beta_j} = 0$ will be at least 3. Therefore, $\Pr[E_{coll} \wedge G = H] \le \frac{1}{2^{3n}}$.

Fig. 4.3. Structure graphs with 2 accidents. (a) and (b): no loop, (c) to (l): one loop, (m) to (t): two loops.

Case (iv) Finally, let $\beta_i = l$ and $\beta_j = |W_j|$, where $\alpha_i < \beta_i$, $\alpha_j < \beta_j$; then one can easily find two random variables from the set $\{Y^i_{p+1}, \ldots, Y^i_{l-1}\} \cup \{Y^j_{p+1}, \ldots, Y^j_{|W_j|-1}\}$ such that the equation on $\Theta$ becomes non-trivial. Therefore, from all of the above cases we have $\Pr[E_{coll} \wedge G = H] \le \frac{1}{2^{3n}}$. Moreover, $|G^2_{nl}| \le |G^2| \le l^4$. Therefore, $\Pr[E_{coll} \wedge fcoll(G) = 2] \le \frac{l^4}{2^{3n}}$.

(C.2) Analysis of $G^2_l$. We characterize all possible graphs in the following two ways: (i) when both accidents come from a single message walk; (ii) when two message walks are involved in yielding the two accidents: (ii.i) when each message walk contributes a single accident, (ii.ii) when the two message walks jointly contribute two accidents. Let $p$ be the LCP of $M_i$ and $M_j$. Since the number of accidents of $H$ is 2, here the collision pairs will be one of the following, based on the three cases listed above: (a) $(Y^i_\alpha, Y^i_{\alpha'})$ and $(Y^i_\beta, Y^i_{\beta'})$ (single message walk), where $\alpha < \alpha'$ and $\beta < \beta'$; (b) $(Y^i_\alpha, Y^i_{\alpha'})$ and $(Y^j_\beta, Y^j_{\beta'})$ (each message walk contributes a single accident), where $\alpha < \alpha'$ and $\beta < \beta'$; (c) $(Y^i_{\alpha_i}, Y^j_{\alpha_j})$ and $(Y^i_{\beta_i}, Y^j_{\beta_j})$ (two message walks jointly contribute two accidents), where $p + 1 \le \alpha_i, \beta_i \le l$ and $p + 1 \le \alpha_j, \beta_j \le |W_j|$.

Case (i): Both accidents come from a single message walk. To analyze this case, note that only a single message walk (e.g. $W_i$) yields two accidents; that means the accident pairs are $(Y^i_\alpha, Y^i_{\alpha'})$ and $(Y^i_\beta, Y^i_{\beta'})$, thus $W_i$ contains two distinct loops, whereas $W_j$ does not contain any loop. In this regard, it is to be noted that $W_j$ either lies on $W_i$ or eventually bifurcates from $W_i$ and never meets it again. Now we have two possibilities under this case.

(a) When $l = |W_j|$, then it has to be the case that $W_j$ bifurcates from $W_i$ at some fixed node $X$ in $H$. Note that it may also happen that $X$ does not exist in some $H$, and in that specific case we obtain two parallel walks. Now one can easily see that the two distinct accidents yield two linearly independent equations, that is

$Y^i_\alpha \oplus Y^i_{\alpha'} = 0$, $\quad Y^i_\beta \oplus Y^i_{\beta'} = 0$.

Moreover, the two equations $\Sigma_i \oplus \Sigma_j = 0$ and $\Theta_i \oplus \Theta_j = 0$ are not implied by the previous two linearly independent equations coming from the accidents, as one can easily see that $Y^i_l \ne Y^j_{|W_j|}$ and thus $\Sigma_i \oplus \Sigma_j = 0$ is not a trivial equation. Thus one can ensure that the rank of this system of linear equations is at least 3. (b) When $l \ne |W_j|$, then without loss of generality we assume that $l > |W_j|$. Therefore, either $W_j$ bifurcates from $W_i$ or $W_j$ completely lies on $W_i$. The former case has already been treated. So, when $W_j$ completely lies on $W_i$, where $|W_j| < |W_i|$ (see footnote 4), then again $Y^i_l \ne Y^j_{|W_j|}$, making the equation $\Sigma_i \oplus \Sigma_j = 0$ non-trivial. Moreover, the two accidents imply two linearly independent equations. Altogether, the rank of the system of equations becomes at least 3. Therefore, in this case, we obtain

$\Pr[E_{coll} \wedge G = H] \le \frac{1}{2^{3n}}$. (5)

Case (ii.i): Each message walk contributes a single accident. When the two message walks $W_i, W_j$ individually contribute a single accident, that is, the accident pairs are $(Y^i_\alpha, Y^i_{\alpha'})$ and $(Y^j_\beta, Y^j_{\beta'})$. Note that the last collision point, say $(Y^j_\beta, Y^j_{\beta'})$, must be after the LCP point. Therefore, each of $W_i$ and $W_j$ contains a single loop and they never meet again, otherwise that would contribute one more accident. Therefore, the structure of the graph is simple, as depicted in (m) and (n) of Fig. 4.3. It is very straightforward to see that $Y^i_l \ne Y^j_{|W_j|}$. Moreover, two distinct accidents give two linearly independent equations, and therefore one can see that the rank becomes at least 3. Thus, Equation (5) holds in this case.

Case (ii.ii): The two message walks jointly contribute two accidents. The former two cases were easy to handle as they contain simple structure graphs. This case is a little more involved to handle as it contains many kinds of structure graphs, as depicted in (c) to (t) of Fig. 4.3. Let $d$ denote the gap between the two colliding nodes (see footnote 5). Note that for (e), (f), (o) and (p) of Fig. 4.3, the value of $d$ is 0. For the rest of the cases, $d > 0$. To keep our discussion simple, we give the detailed proof for (c) of Fig. 4.3, and one can use a similar analysis for the proof of the rest of the cases.

Detailed analysis for Case (c) of Fig. 4.3. Let the first collision point be $(Y^i_{\alpha_i}, Y^j_{\alpha_j})$. This accident is contributed by the two message walks $W_i$ and $W_j$. After this first accident point, the second message walk may or may not take part in forming the second collision. (a) If $W_j$ takes part in forming the second collision, then after the first collision point $W_i$ and $W_j$ will move in unison, and after forming the second collision $W_j$ and $W_i$ may bifurcate or again move in unison, depending on the message blocks of $M_j$. (b) On the other hand, if $W_j$ does not take part, then either (i) $W_j$ bifurcates from a node $X$, where $X \in \{Y^i_{\alpha_i}, Y^i_{\alpha_i + 1}, \ldots, Y^i_{\alpha_i + d}\}$, and never meets $W_i$ again, or (ii) $W_j$ completely lies on $W_i$ and $|W_j| < \beta_i$. Note that in both of the cases (a) and (b), the two collisions

4 The length of a walk $W$ is denoted as $|W|$.
5 The gap between two colliding nodes means the number of edges in the structure graph between the two vertices which collided.

give rise to two linearly independent equations $Y^i_{\alpha_i} \oplus Y^j_{\alpha_j} = 0$ and $Y^i_{\beta_i} \oplus Y^j_{\beta_j} = 0$. (a) We consider that $W_j$ takes part in forming the second collision. If $l = |W_j|$, then we will find $Y^i_{p+1}$ for which $\Theta_i \oplus \Theta_j = 0$ becomes non-trivial, and hence the rank of the above two equations along with $\Theta_i \oplus \Theta_j = 0$ becomes 3. If $l \ne |W_j|$ then again one can ensure obtaining $Y^j_{|W_j|}$ such that the variable is fresh in the equation $\Theta_i \oplus \Theta_j = 0$, which makes the rank of the above three equations 3. (b) We consider that $W_j$ does not take part in forming the second collision. Therefore, (i) when $W_j$ bifurcates from $W_i$, then again $Y^j_{|W_j|}$ will be the fresh random variable in the equation $\Theta_i \oplus \Theta_j = 0$, making the rank of the system of equations at least 3; (ii) if $W_j$ completely lies on $W_i$, which essentially implies $|W_j| < l$, then one can obtain $Y^i_l$, which will be fresh in the equation $\Theta_i \oplus \Theta_j = 0$, making the rank at least 3. Therefore, in all of the above cases, we have observed that the rank of the following system of equations is at least 3:

$Y^i_{\alpha_i} \oplus Y^j_{\alpha_j} = 0$, $\quad Y^i_{\beta_i} \oplus Y^j_{\beta_j} = 0$, $\quad \Sigma_i \oplus \Sigma_j = 0$, $\quad \Theta_i \oplus \Theta_j = 0$.

Therefore, we have $\Pr[E_{coll} \wedge G = H] \le \frac{1}{2^{3n}}$. All of the remaining cases can be analyzed similarly, and one can show the rank to be at least 3. Since $|G^2_l| \le |G^2| \le l^4$, therefore $\Pr[E_{coll} \wedge fcoll(G) = 2] \le \frac{l^4}{2^{3n}}$.

Case (D): Proof of $\Pr[E_{cf} \wedge fcoll(G) = 0] \le \frac{1}{2^{2n}}$. We fix a structure graph $H \in G^0$ and then analyse the probability of the event $E_{cf}$ with respect to $H$ on a case-by-case basis.

Case (i) Let $p$ be the LCP of $M_i$ and $M_j$. Therefore, $Y^i_\alpha = Y^j_\alpha$ where $1 \le \alpha \le p$, and $Y^i_\beta \ne Y^j_\beta$ where $p + 1 \le \beta \le \min\{l, |W_j|\}$, as the number of accidents in $H$ is 0. Moreover, if $l > |W_j|$ then all $Y^i_\beta$, where $|W_j| + 1 \le \beta \le l$, are distinct, as $fcoll(G) = 0$. Note that it is also true that $Y^i_l \ne Y^j_{|W_j|}$. Therefore, we have the following set of equations:

$Y^i_{l+1} = x$, (6)
$Y^i_1 \oplus Y^i_2 \oplus \cdots \oplus Y^i_{l+1} + Y^s_t = 0$, (7)

where $s$ could be either $i$ or $j$, and $t \in [l + 1]$ or $t \in [|W_j| + 1]$. For each of these cases one can easily check that the above system of equations has rank 2. Therefore, $\Pr[E_{cf} \wedge G = H] \le \frac{1}{2^{2n}}$.

Case (ii) Without loss of generality let us consider that $M_j$ is a prefix of $M_i$. Since $l > |W_j|$, therefore $p = |W_j|$. Since the number of collisions in $H$ is 0, $Y^i_{p+1}, \ldots, Y^i_l$ are all distinct from each other and from $Y^j_1, \ldots, Y^j_{|W_j|}$. This implies that $Y^i_l \ne Y^j_{|W_j|}$, as depicted in Fig. 4.1. Therefore, the set of equations (Equations (6) and (7)) has full rank. Therefore, again we have $\Pr[E_{cf} \wedge G = H] \le \frac{1}{2^{2n}}$.

Therefore, from the above two cases we have $\Pr[E_{cf} \wedge G = H] \le \frac{1}{2^{2n}}$ for any non-zero $n$-bit constant $x$. Moreover, $|G^0| \le 1$. So $\Pr[E_{cf} \wedge fcoll(G) = 0] \le \frac{1}{2^{2n}}$.

Case (E): Proof of $\Pr[E_{cf} \wedge fcoll(G) = 1] \le \frac{l^2}{2^{2n}}$. Again, we fix a structure graph $H \in G^1$ and then analyse the probability of the event $E_{cf}$ with respect to $H$ on a case-by-case basis. Therefore, $H \in G^1_{nl}$ or $H \in G^1_l$. We analyse each case separately as follows.

Case (E.1) Let us consider $H \in G^1_{nl}$, which implies that none of the message walks $W_i$ or $W_j$ contains a loop.
Case (E.2) Let us consider $H \in G^1_l$, which implies that either of the message walks $W_i$ or $W_j$ contains a loop.

(E.1) Analysis of $G^1_{nl}$. As before, neither of $M_i$ and $M_j$ can be a prefix of the other. Let $p$ be the LCP of $M_i$ and $M_j$ and let the colliding pair be $(Y^i_{\beta_i}, Y^j_{\beta_j})$, where $p + 1 \le \beta_i \le l$, $p + 1 \le \beta_j \le |W_j|$. In this case, it is easy to check that the following system of equations will have rank 2:

$Y^i_{l+1} = x$, $\quad Y^i_1 \oplus Y^i_2 \oplus \cdots \oplus Y^i_{l+1} + Y^s_t = 0$.

Therefore, we have $\Pr[E_{cf} \wedge G = H] \le \frac{1}{2^{2n}}$. Note that $|G^1_{nl}| \le |G^1| \le l^2$. Therefore $\Pr[E_{cf} \wedge fcoll(G) = 1] \le \frac{l^2}{2^{2n}}$.

(E.2) Analysis of $G^1_l$. As before, let us assume that $W_i$ contains a loop of size $c$ such that $Y^i_\alpha = Y^i_{\alpha+c}$ for some $c \ge 1$. Since the loop creates a collision, neither (i) $W_j$ or $W_i$ makes another different loop, nor (ii) $W_j$ collides with $W_i$, as in both of these cases the number of collisions would increase to 2. Thus we have the following two possibilities: (1) $W_j$ coincides with $W_i$; (2) $W_j$ follows $W_i$ but after a point $W_i$ and $W_j$ depart and never meet again.

We analyze the probability of the event $E_{cf} \wedge G = H$ separately for each of the two above cases. In particular, in each of the following analyses our main concern will be to show that the rank of the set of equations defined earlier (i.e. Equations (6) and (7)) is 2, that is, that it achieves full rank in each of the following subcases.

Case (i): $W_j$ coincides with $W_i$. Let $k$ denote the number of iterations of the loop in $W_i$ and $k'$ the number of iterations of the loop in $W_j$. Now, irrespective of the values of $k$ and $k'$, the system of equations (Equations (6) and (7)) will have rank 2, and therefore we can upper bound the probability of our desired event by $\frac{1}{2^{2n}}$.

Case (ii): $W_j$ follows $W_i$ but after a point $W_i$ and $W_j$ depart and never meet again. The analysis for this case is similar to Case (i). Here $W_i$ and $W_j$ bifurcate from a certain point, say $X$, with $l \ge X \ge 0$. Therefore, it is trivial to see that the set of equations (i.e. Equations (6) and (7)) will have full rank. Again, as we have shown in the previous case, $\Pr[E_{cf} \wedge G = H] \le \frac{1}{2^{2n}}$. Therefore, for the above two cases $\Pr[E_{cf} \wedge G = H] \le \frac{1}{2^{2n}}$. Moreover, $|G^1_l| \le |G^1| \le l^2$. Therefore, $\Pr[E_{cf} \wedge fcoll(G) = 1] \le \frac{l^2}{2^{2n}}$.

Case (F): Proof of $\Pr[E_{cf} \wedge fcoll(G) = 2] \le \frac{l^4}{2^{3n}}$. The proof of this bound is similar to Case (C), and thus we skip it.

5 Conclusion

In this paper, we have proposed a non-tweaked single fixed-key compression function based MAC, $NI^+$, a variant of NI-MAC that achieves BBB security and is more efficient than NI-MAC in terms of the number of keys. Moreover, our construction is better than Yasuda's proposed single fixed-key compression function based MAC construction, which uses an extra mask of $b$ bits that needs storage space. Moreover, we have been able to slightly reduce the state size from $(b + 2n)$ bits to $(b + n)$ bits; it was an open problem in [43] to reduce the state size to $n$ bits. Thus we leave that problem still open, although it now does not require an extra mask.

References

1. Jee Hea An and Mihir Bellare. Constructing VL-MACs from FL-MACs: Message authentication under weakened assumptions. In Wiener [39], pages 252–269.
2. Mihir Bellare, Ran Canetti, and Hugo Krawczyk. Keying hash functions for message authentication. In Neal Koblitz, editor, CRYPTO 96, volume 1109 of LNCS, pages 1–15. Springer, 1996.
3. Mihir Bellare, Oded Goldreich, and Hugo Krawczyk. Stateless evaluation of pseudorandom functions: Security beyond the birthday barrier. In Wiener [39], pages 270–287.
4. Mihir Bellare, Joe Kilian, and Phillip Rogaway. The security of cipher block chaining. In Yvo Desmedt, editor, CRYPTO 94, volume 839 of LNCS, pages 341–358. Springer, 1994.
5. Mihir Bellare, Krzysztof Pietrzak, and Phillip Rogaway. Improved security analyses for CBC MACs. In Shoup [34], pages 527–545.
6. Mihir Bellare. New proofs for NMAC and HMAC: security without collision-resistance. In Cynthia Dwork, editor, CRYPTO 2006, volume 4117 of LNCS, pages 602–619. Springer, 2006.
7. Mihir Bellare and Phillip Rogaway. The security of triple encryption and a framework for code-based game-playing proofs. In Vaudenay [35], pages 409–426.
8. John Black, Shai Halevi, Hugo Krawczyk, Ted Krovetz, and Phillip Rogaway. UMAC: fast and secure message authentication. In Wiener [39], pages 216–233.
9. John Black and Phillip Rogaway. A block-cipher mode of operation for parallelizable message authentication. In Knudsen [21], pages 384–397.
10. Andrey Bogdanov, Lars R. Knudsen, Gregor Leander, Christof Paar, Axel Poschmann, Matthew J. B. Robshaw, Yannick Seurin, and C. Vikkelsoe. PRESENT: an ultra-lightweight block cipher. In Pascal Paillier and Ingrid Verbauwhede, editors, CHES 2007, volume 4727 of LNCS, pages 450–466. Springer, 2007.
11. Nilanjan Datta, Avijit Dutta, Mridul Nandi, Goutam Paul, and Liting Zhang. One-key double-sum MAC with beyond-birthday security. Cryptology ePrint Archive, Report 2015/958, 2015. http://eprint.iacr.org/.
12. Yevgeniy Dodis, Thomas Ristenpart, John P. Steinberger, and Stefano Tessaro. To hash or not to hash again? (In)differentiability results for H² and HMAC. In Reihaneh Safavi-Naini and Ran Canetti, editors, CRYPTO 2012, volume 7417 of LNCS, pages 348–366. Springer, 2012.
13. Yevgeniy Dodis and John P. Steinberger. Domain extension for MACs beyond the birthday barrier. In Kenneth G. Paterson, editor, EUROCRYPT 2011, volume 6632 of LNCS, pages 323–342. Springer, 2011.
14. Peter Gaži, Krzysztof Pietrzak, and Michal Rybár. The exact PRF-security of NMAC and HMAC. In Juan A. Garay and Rosario Gennaro, editors, CRYPTO 2014, volume 8616 of LNCS, pages 113–130. Springer, 2014.
15. Peter Gaži, Krzysztof Pietrzak, and Stefano Tessaro. Generic security of NMAC and HMAC with input whitening. Cryptology ePrint Archive, Report 2015/881, 2015. http://eprint.iacr.org/.
16. Deukjo Hong, Jaechul Sung, Seokhie Hong, Jongin Lim, Sangjin Lee, Bonseok Koo, Changhoon Lee, Donghoon Chang, Jaesang Lee, Kitae Jeong, Hyun Kim, Jongsung Kim, and Seongtaek Chee. HIGHT: A new block cipher suitable for low-resource device. In Louis Goubin and Mitsuru Matsui, editors, CHES 2006, volume 4249 of LNCS, pages 46–59. Springer, 2006.
17. Tetsu Iwata and Kaoru Kurosawa. OMAC: one-key CBC MAC. In Johansson [19], pages 129–153.
18. Éliane Jaulmes, Antoine Joux, and Frédéric Valette. On the security of randomized CBC-MAC beyond the birthday paradox limit: A new construction. In FSE 2002, volume 2365 of LNCS, pages 237–251. Springer, 2002.
19. Thomas Johansson, editor. FSE 2003, volume 2887 of LNCS. Springer, 2003.
20. Antoine Joux, Guillaume Poupard, and Jacques Stern. New attacks against standardized MACs. In Johansson [19], pages 170–181.
21. Lars R. Knudsen, editor. EUROCRYPT 2002, volume 2332 of LNCS. Springer, 2002.
22. Neal Koblitz and Alfred Menezes. Another look at HMAC. J. Mathematical Cryptology, 7(3):225–251, 2013.
23. H. Krawczyk, M. Bellare, and R. Canetti. HMAC: Keyed-Hashing for Message Authentication. RFC 2104 (Informational), February 1997.