Title: BBB Secure Nonce Based MAC Using Public Permutations
Authors: Dutta, Avijit; Nandi, Mridul
Date: 2020-06-06
Journal: Progress in Cryptology - AFRICACRYPT 2020
DOI: 10.1007/978-3-030-51938-4_9
Corpus record: key cord-0047007-lv2jw8k3; sha e0507c18920113d82fe41822980b855ea65669b3; doc_id 47007; cord_uid lv2jw8k3

Abstract. In the recent CAESAR competition and the ongoing NIST lightweight competition, the cryptographic community has witnessed the submission of several cryptographic schemes that are built on public random permutations. Recently, at CRYPTO 2019, Chen et al. initiated an interesting research direction in designing beyond-birthday-bound PRFs from public random permutations, and they proposed two instances of such PRFs. In this work, we extend this research direction by proposing a nonce-based MAC built from public random permutations. We show that our proposed MAC achieves 2n/3-bit security (with respect to the state size of the permutation) and that the bound is essentially tight. Moreover, the security of the MAC degrades gracefully with the repetition of the nonce.

Nonce-Based MAC. A Message Authentication Code (MAC) is an important cryptographic primitive for authenticating a digital message or packet transmitted over an insecure communication channel. When a sender wants to send a message m, she computes a MAC function on the input m, the shared secret key k, and possibly an auxiliary input ν (called the nonce), and obtains a tag t. She then sends (ν, m, t) to the receiver. Upon receiving it, the receiver verifies the authenticity of (ν, m, t) by computing the MAC on (ν, m, k) and checking whether the computed tag t' matches t. The Wegman-Carter (WC) MAC [25] is the first example of a nonce-based MAC; it masks the hash value of the message with an encrypted nonce to generate the tag. WC MAC gives optimal security when the nonce is unique for every authenticated message. However, its security is compromised if the nonce repeats even once.
When the Wegman-Carter MAC is instantiated with a polynomial hash, a repetition of the nonce reveals the hash key of the polynomial hash. However, maintaining the uniqueness of the nonce for every authenticated message is a challenging task in practice. For example, it is difficult to maintain the uniqueness of the nonce when implementing the cipher in a stateless device, or when the nonce is chosen randomly from a small set. The nonce may also repeat accidentally due to a faulty implementation of the cipher or due to a fault caused by resetting the nonce itself [4]. Therefore, protection against nonce-repetition attacks is highly desirable in a nonce-based MAC. As a remedy, the Encrypted Wegman-Carter-Shoup (EWCS) MAC [11] was proposed, which guarantees security even when the nonce repeats. But its security is limited to the birthday bound even when the nonce is unique. To this end, Encrypted Wegman-Carter with Davies-Meyer (EWCDM) [11] and Decrypted Wegman-Carter with Davies-Meyer (DWCDM) [13] have been proposed, which give beyond-birthday-bound security when the nonce is unique and birthday-bound security when the nonce repeats. However, the security of both constructions falls to the birthday bound with a single repetition of the nonce, i.e., if the nonce ever repeats accidentally, the security of both constructions immediately drops to the birthday bound.

Nonce-Based Enhanced Hash-then-Mask. At FSE 2010 [21], Minematsu proposed EHtM, a beyond-birthday-bound secure probabilistic MAC. It is built upon two independent n-bit keyed functions F_{k_1} and F_{k_2} and an n-bit axu hash function H_{k_h}, and is defined as follows:

This construction has been further analyzed in [15] to improve its security bound. At Eurocrypt 2019, Dutta et al. [16] proposed a nonce-based variant of EHtM, called nEHtM MAC, where the random salt r is replaced by an (n − 1)-bit nonce ν and an n-bit block cipher E_k is used as the internal primitive instead of two independent n-bit keyed functions. A schematic diagram of nEHtM is shown in Fig. 1. Similar to EWCDM and DWCDM, nEHtM gives beyond-birthday-bound (resp. birthday-bound) security in the nonce-respecting (resp. nonce-misuse) setting. But, unlike these two constructions, the security of nEHtM degrades gracefully with the repetition of the nonce. In other words, the security of nEHtM remains beyond the birthday bound after a single repetition of the nonce (which is not true for EWCDM and DWCDM). That is, one can get adequate security from nEHtM if the repetition of the nonce occurs in a controlled way, a feature not present in EWCDM or DWCDM. This phenomenon is formally captured by a notion called the faulty nonce model [16]. Informally, a nonce is faulty if it has already appeared in a previous signing query. It was stated in [16] that the faulty nonce model is a weaker notion than multicollision of nonces, a natural and popular metric for measuring nonce misuse. Under the faulty nonce model, Dutta et al. have shown that nEHtM is secure roughly up to 2^{2n/3} queries. We would like to mention here that this construction was also analyzed by Moch and List [22], in parallel with [16], under the name HPxNP, where two independent n-bit block ciphers are used (as they did not use the domain separation technique). However, Moch and List analyzed its security under the condition that the nonce is unique, whereas Dutta et al. [16] proved its graceful security with respect to the repetition of the nonce. All the nonce-based MACs discussed above are built on block ciphers as their underlying primitives, and moreover these primitives are evaluated only in the forward direction.
Since most block ciphers are designed to be efficient in both the forward and the inverse direction, block ciphers are over-hyped primitives for such a purpose [10]. At the other extreme, cryptographic permutations are specifically designed to be fast in the forward direction, but not necessarily in the inverse direction. Examples of such permutations include Keccak [2], Gimli [1] and SPONGENT [5]. Moreover, in most cases evaluating an unkeyed public permutation is faster than evaluating a keyed block cipher, as the latter involves running the underlying key scheduling algorithm each time the block cipher is invoked in the design. With the advancement of public-permutation-based designs and the efficiency of evaluating them in the forward direction, numerous public-permutation-based inverse-free hash and authenticated encryption designs have been proposed. The use of cryptographic permutations gained momentum during the SHA-3 competition [24]. Furthermore, the selection of the permutation-based Keccak sponge function as the SHA-3 standard has given the community a high level of confidence in using this primitive. Today, the permutation-based sponge construction has become a successful and full-fledged alternative to block-cipher-based modes. In fact, in the first round of the ongoing NIST lightweight competition [23], 24 out of 57 submissions are based on cryptographic permutations, and of these 24, 16 permutation-based proposals have qualified for the second round. These statistics clearly depict the wide adoption of permutation-based designs [1, 3, 7, 8, 12, 14] in the community. In another direction, a long line of research has studied the design of block ciphers and tweakable block ciphers from public random permutations. The Even-Mansour (EM) cipher [17] and the Iterated Even-Mansour (IEM) cipher [6] are the notable approaches in this direction.
Nonce-based MACs built from Public Permutations. Nonce-based MACs using public permutations are mostly designed as sponge-type constructions. But the drawbacks of such designs are: (i) they do not use the full size of the permutation for guaranteeing security, and (ii) they attain only birthday-bound security in the size of the capacity c, i.e., c/2-bit security (except Beetle [7], whose security bound is roughly the size of its capacity). Now, it is an admissible fact that sponge-type designs offering c/2-bit security are good in practice when they are instantiated with large permutations such as Keccak [2], whose state size is 1600 bits. But such large permutations are not suitable for use in resource-constrained environments. In such a scenario, instead of using large permutations, one aims to use lightweight permutations such as SPONGENT [5] and PHOTON [18], whose state sizes go as low as 88 and 100 bits respectively. If we use these lightweight permutations as the underlying primitives in birthday-bound-secure sponge-type constructions, they offer inadequate security in practice. As a result, sponge-type constructions instantiated with lightweight permutations are not suitable for deployment in resource-constrained environments. Thus, it is natural to ask:

This question led us to think of designing a MAC whose security depends on the entire size of the underlying permutation (unlike sponge-type constructions, whose security depends on only a part of the size of the underlying permutation) and crosses the birthday barrier. Coming up with such a design is the goal of this paper. In this direction, Chen et al. [10] have shown two instances of public-permutation-based pseudorandom functions that give beyond-birthday-bound security with respect to the size of the permutation.
We extend this line of research by designing a public-permutation-based nonce-based MAC that gives beyond-birthday-bound security with respect to the size of the permutation.

Our Contribution. The sole contribution of this paper is to design a beyond-birthday-bound secure nonce-based MAC using public random permutations. To this end we propose nEHtM_p, a nonce-based MAC designed using public permutations. As depicted in Fig. 1, our construction structurally resembles the nEHtM MAC [16], where we replace its block cipher with a public random permutation and an appropriate masking with the key. Note that, by instantiating the underlying block cipher of nEHtM MAC with the 2-round iterated Even-Mansour cipher (as shown in Fig. 1), one can easily obtain a public-permutation variant of nEHtM MAC, which is secure beyond the birthday bound (in the faulty nonce model). However, such a transformation requires 4 permutation calls, 7 xor operations and one hash evaluation. In comparison, nEHtM_p requires only 2 permutation calls, 3 xor operations and one hash evaluation. We show that nEHtM_p is secure roughly up to 2^{2n/3} queries in the nonce-respecting setting. Moreover, this security bound degrades gracefully under the faulty nonce model [16]. We show the unforgeability of this construction through an extended distinguishing game and apply the expectation method to bound its distinguishing advantage. We also show that our proven security bound is tight by giving a matching attack with roughly 2^{2n/3} query complexity and 2^{2n−4} time complexity.

General Notations: For n ∈ N, we denote the set of all binary strings of length n and the set of all binary strings of finite arbitrary length by {0,1}^n and {0,1}^* respectively. We often refer to the elements of {0,1}^n as blocks. For an n-bit binary string x, chop_msb(x) returns the string x with just its most significant bit (msb) dropped.
For any element x ∈ {0,1}^*, |x| denotes the number of bits in x, and for x, y ∈ {0,1}^*, x‖y denotes the concatenation of x followed by y. We denote the bitwise xor operation of two strings by ⊕, and x^a_i denotes the a-th block of the i-th element x_i. For a value s, we denote by t ← s the assignment of s to the variable t. For any natural number j ∈ N, ⟨j⟩_s denotes the s-bit binary representation of the integer j. For i ∈ {0,1}^n, left_k(i) represents the leftmost k bits of i. Similarly, right_k(i) represents the rightmost k bits of i. For any finite set X, X ←$ X denotes that X is sampled uniformly at random from X, and X_1, ..., X_s ←$ X denotes that the X_i are sampled uniformly and independently from X. F_X(n) denotes the set of all functions from X to {0,1}^n. We often write F(n) when the domain is clear from the context. We denote the set of all permutations over {0,1}^n by P(n). (a)_0 = 1 by convention, and for q ∈ N, [q] refers to the set {1, ..., q}.

Let F : K × N × M → T be a keyed function, where K, N, M and T are the key space, nonce space, message space and tag space respectively. We assume that F makes internal calls to the public random permutations π = (π_1, ..., π_d) for d ≥ 1, where all d permutations are independent and uniformly sampled from P(n) for some n ∈ N. For simplicity, we write F^π_k to denote F with uniform k and uniform π. Based on F^π_k, we define the nonce-based message authentication code I = (I.KGen, I.Sign, I.Ver) built from public permutations as follows: for k ∈ K, the signing algorithm I.Sign_k takes as input (ν, m) ∈ N × M and outputs t ← F^π_k(ν, m), and the verification algorithm I.Ver_k takes as input (ν, m, t) ∈ N × M × T and outputs 1 if F^π_k(ν, m) = t; otherwise it outputs 0. A signing query (ν, m) by an adversary A is called a faulty query if A has already queried the signing algorithm with the same nonce but with a different message.
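To make the construction of Fig. 1 and the faulty-query notion above concrete, here is a toy Python model of nEHtM_p added for this edit; it is not the authors' code. Because the equations were lost in extraction it assumes the tag is π(0‖(ν ⊕ k)) ⊕ π(1‖(ν ⊕ H)) with an (n − 1)-bit nonce and masking key, H = chop_msb(PolyHash_{k_h}(m)) over GF(2^n) with PolyHash written as k_h^{l+1} ⊕ Σ m_i k_h^{l−i+1}, and a public permutation modelled as a seeded random table with n = 16; all function names are ours.

```python
import random

N = 16                              # toy state size n of the public permutation
POLY = 0x1100B                      # x^16 + x^12 + x^3 + x + 1, irreducible over GF(2)
BLOCK_BYTES = N // 8
NONCE_MASK = (1 << (N - 1)) - 1     # nonces and the masking key k are n-1 bits (assumption)


def gf_mul(a: int, b: int) -> int:
    """Shift-and-add multiplication in GF(2^N) modulo POLY."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a >> N:                  # reduce as soon as bit N is set
            a ^= POLY
        b >>= 1
    return r


def make_public_permutation(seed: str = "constructed-pi") -> list:
    """A fixed public permutation pi on {0,1}^N, modelled as a random lookup table.
    Only forward evaluation is needed: the MAC is inverse-free."""
    table = list(range(1 << N))
    random.Random(seed).shuffle(table)
    return table


def pad_and_split(msg: bytes) -> list:
    """10* padding, applied only when |m| is not a multiple of N bits (as the
    paper describes its PolyHash instance), then a split into N-bit blocks."""
    if len(msg) % BLOCK_BYTES:
        msg = msg + b"\x80"
        msg += b"\x00" * (-len(msg) % BLOCK_BYTES)
    return [int.from_bytes(msg[i:i + BLOCK_BYTES], "big")
            for i in range(0, len(msg), BLOCK_BYTES)]


def poly_hash(kh: int, msg: bytes) -> int:
    """Assumed PolyHash: kh^(l+1) + m_1 kh^l + ... + m_l kh, evaluated in Horner
    form. Degree l+1 in kh gives the (l_max+1)/2^N axu and regular bounds."""
    acc = 1                         # coefficient of the leading kh^(l+1) term
    for block in pad_and_split(msg):
        acc = gf_mul(acc, kh) ^ block
    return gf_mul(acc, kh)          # for m = 0^n this is kh^2, as in Sect. 4.2


def chop_msb(x: int) -> int:
    return x & NONCE_MASK


def nehtm_p_sign(pi: list, k: int, kh: int, nonce: int, msg: bytes) -> int:
    """tag = pi(0||(nu xor k)) xor pi(1||(nu xor H)): 2 permutation calls,
    3 xors and 1 hash evaluation, the cost the paper quotes for nEHtM_p."""
    assert 0 <= nonce <= NONCE_MASK, "nonce must be N-1 bits"
    h = chop_msb(poly_hash(kh, msg))
    u = pi[(0 << (N - 1)) | (nonce ^ k)]     # domain-separation bit 0
    v = pi[(1 << (N - 1)) | (nonce ^ h)]     # domain-separation bit 1
    return u ^ v


def nehtm_p_verify(pi: list, k: int, kh: int, nonce: int, msg: bytes, tag: int) -> bool:
    return nehtm_p_sign(pi, k, kh, nonce, msg) == tag


def keygen(seed: str = "constructed-key") -> tuple:
    """Constructed keys: (n-1)-bit masking key k and n-bit hash key kh."""
    rng = random.Random(seed)
    return rng.getrandbits(N - 1), rng.getrandbits(N)


def count_faulty_queries(queries) -> int:
    """eta: a signing query (nu, m) is faulty if an earlier signing query used the
    same nonce with a different message. An exact repeat of (nu, m) is not faulty,
    and eta == 0 is exactly the nonce-respecting setting."""
    seen = {}                       # nonce -> messages already signed under it
    eta = 0
    for nonce, msg in queries:
        msgs = seen.setdefault(nonce, set())
        if any(m != msg for m in msgs):
            eta += 1
        msgs.add(msg)
    return eta


if __name__ == "__main__":
    pi = make_public_permutation()
    k, kh = keygen()
    t = nehtm_p_sign(pi, k, kh, 0x0123, b"sample packet")
    print(hex(t), nehtm_p_verify(pi, k, kh, 0x0123, b"sample packet", t))
    print("faulty queries:", count_faulty_queries([(1, b"a"), (1, b"a"), (1, b"b")]))
```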
Let A be an (η, q_m, q_v, p, t)-adversary against the unforgeability of I with oracle access to the signing algorithm I.Sign_k, the verification algorithm I.Ver_k, the d-tuple of permutations π and their inverses π^{−1} = (π_1^{−1}, ..., π_d^{−1}), such that it makes at most η faulty signing queries out of its q_m signing, q_v verification and p primitive queries, with running time at most t. A is said to be nonce-respecting (resp. nonce-misusing) if η = 0 (resp. η ≥ 1). However, A may repeat nonces in its verification queries. Moreover, the primitive queries may be interleaved with the signing and verification queries. A is said to forge I if, for any of its verification queries (not obtained through a previous signing query), the verification algorithm returns 1. The advantage of A against the unforgeability of the nonce-based MAC I is defined as the probability that A forges I, where the randomness is over k ←$ K, π_1, ..., π_d ←$ P(n) and the randomness of the adversary (if any). We also consider the maximum of this advantage over all (η, q_m, q_v, p, t)-adversaries A. In this paper, we omit the time parameter of the adversary, as we assume throughout that the adversary is computationally unbounded. This allows us to assume that the adversary is deterministic.

Upper bound on Adv^{nMAC}_I(A) ([15]). To obtain an upper bound on Adv^{nMAC}_I(A), we consider a random oracle RF that samples the tag t independently and uniformly at random from {0,1}^n for every nonce-message pair (ν, m), and the Rej oracle, which always returns ⊥ for any (ν, m, t). Then Adv^{nMAC}_I(A) is bounded as in Eq. (1), where A^O ⇒ 1 denotes that adversary A outputs 1 after interacting with its oracle O (which could be a tuple of oracles).
Let K_h and X be two non-empty finite sets and let H : K_h × X → {0,1}^n be a keyed function. Then H is said to be an ε_axu-almost xor universal (axu) hash function if, for any distinct x, x' ∈ X and any Δ ∈ {0,1}^n, the probability over k_h that H_{k_h}(x) ⊕ H_{k_h}(x') = Δ is at most ε_axu. Moreover, H is said to be an ε_reg-almost regular (ar) hash function if, for any x ∈ X and any Δ ∈ {0,1}^n, the probability over k_h that H_{k_h}(x) = Δ is at most ε_reg.

The Expectation Method of Hoang and Tessaro [19] was used to derive a tight multi-user security bound for the key-alternating cipher. This technique has subsequently been used in [16, 20]. Let A be a computationally unbounded deterministic distinguisher that interacts with one of two worlds, O_re or O_id, where these oracles are possibly randomized stateful systems. After the interaction, A returns a single bit. The interaction between A and the system results in an ordered sequence of queries and responses, which is summarized in a transcript of pairs (x_i, y_i), where x_i is the i-th query of A and y_i is the corresponding response of the system with which A interacts. Let D_re (resp. D_id) be the random variable that takes a transcript resulting from the interaction between A and O_re (resp. O_id). A transcript τ is said to be attainable if Pr[D_id = τ] > 0. Let Θ denote the set of all attainable transcripts. Let Φ : Θ → [0, ∞) be a non-negative function mapping any attainable transcript to a non-negative real value. Suppose there is a set of good transcripts GoodT ⊆ Θ such that, for any τ ∈ GoodT, the real and ideal interpolation probabilities of τ satisfy the ratio condition governed by Φ(τ). Then the statistical distance between D_re and D_id can be bounded in terms of Φ and the probability of bad transcripts, where BadT = Θ \ GoodT is the set of all bad transcripts. In other words, the

In the rest of the paper, we write Θ, GoodT and BadT to denote the set of attainable, good and bad transcripts respectively. We use the sum capture lemma of Chen et al. [9]. Informally, the result states that for a random subset S of {0,1}^n of size q and any two arbitrary subsets A and B of {0,1}^n, the size of the set {(s, a, b) ∈ S × A × B : s = a ⊕ b} is at most q|A||B|/2^n, except with negligible probability.
In our setting, S is the set of tag values t_i, which are sampled with replacement from {0,1}^n, and the randomness is over the set S.

In this section, we present a lower bound on the number of solutions of a system of bivariate affine equations and bivariate affine non-equations over a finite number of unknown variables, which are without-replacement samples from {0,1}^n. This result will come in handy for analysing the security of our proposed construction.

Initial Setup: Consider an undirected edge-labelled acyclic graph G = (V, E), where the edge set is partitioned into two disjoint sets F and F'. For an edge

The set of components of G is denoted by comp(G) = (C_1, ..., C_k), μ_i denotes the size (i.e. the number of vertices) of the i-th component C_i, and μ_max = max{μ_1, ..., μ_k} is the size of the largest component of G. ρ_i is the total number of vertices up to the i-th component, with the convention that ρ_0 = 0 (Fig. 2). Then the total number of injective solutions, chosen from a set Z = {0,1}^n \ U of size 2^n − σ, for the induced system of equations and non-equations E_G is at least the bound stated in Theorem 1, provided ρ'_k μ_max ≤ 2^n/4, where ρ'_i = ρ_i + σ.

Proof. We proceed by counting the number of solutions in each of the k components. Let μ̃_{ij} denote the number of edges from F' connecting vertices between the i-th and j-th components of G^=, and μ'_i the number of edges in F' incident on v_i ∈ V \ G^=(V). For the first component, the number of solutions is at least (2^n − μ_1 σ). We fix such a solution and count the number of solutions for the second component, which is (2^n − μ_1 μ_2 − μ̃_{1,2} − μ_2 σ). This is because, letting Y_{i_{μ_1+1}} be an arbitrary vertex of the second component and y_{i_{μ_1+1}} a solution for it, this solution is valid if the following conditions hold:
• y_{i_{μ_1+1}} ∉ U.
• y_{i_{μ_1+1}} does not take any of the μ_1 values (y_{i_1}, ..., y_{i_{μ_1}}) from the first component.
• It must discard the μ_1(μ_2 − 1) values (y_{i_1} ⊕ L(P_j), ..., y_{i_{μ_1}} ⊕ L(P_j)) for all possible paths P_j from a fixed vertex to any other vertex in the second component.
• It must discard p(μ_2 − 1) values, as (y_{i_{μ_1+1}} ⊕ L(P_j)) ∉ Y for all possible paths P_j from Y_{i_{μ_1+1}} to any other vertex in the second component.
Summing up all the conditions, the number of solutions for the second component is at least (2^n − μ_1 μ_2 − μ_2 σ − μ̃_{12}). In general, the total number of solutions for the i-th component is bounded below in the same way. Suppose there are k' vertices that do not belong to the vertex set of the subgraph G^=. Fix such a vertex Y_{ρ_k+i} and assume that μ'_{ρ_k+i} blue dashed edges are incident on it. If y_{ρ_k+i} is a valid solution for the variable Y_{ρ_k+i}, then we must have that (a) y_{ρ_k+i} is distinct from the previous ρ_k assigned values, (b) y_{ρ_k+i} is distinct from the (i − 1) values assigned to the variables that do not belong to the vertex set of the subgraph G^=(V), (c) y_{ρ_k+i} is distinct from the values in U, and (d) y_{ρ_k+i} does not take any of those μ'_{ρ_k+i} values. Therefore, the total number of solutions is bounded below accordingly. After a simple algebraic calculation on Eq. (6), we obtain the two terms D.1 and D.2 bounded next.

Bounding D.1. With a simplification of the expression of D.1, (4) follows from the fact that 2^n(ρ'_{i−1} μ_i + (μ_i choose 2)) − A_i ≤ 2^{2n}/2, which holds when ρ'_k μ_max ≤ 2^n/4, and (5) holds because A_i ≤ 3(ρ'_{i−1})^2 (μ_i choose 2) and (χ_1 + ... + χ_k) = q'_v, the total number of blue dashed edges across the components of G^=, and μ_1 + ... + μ_k ≤ α.

Bounding D.2. For bounding D.2, (6) follows from the fact that (ρ_k + i − 1) ≤ 2^n/2, and (7) follows as we denote (μ'_{ρ_k+1} + ... + μ'_{ρ_k+k'}) = q''_v, the total number of blue dashed edges incident on the vertices outside of G^=(V). Combining both terms gives the claimed bound, where q_v = q'_v + q''_v is the total number of non-equation edges in G.
In this section, we first state that nEHtM_p achieves 2n/3-bit security in the public permutation model under the faulty nonce model. Following this, we demonstrate a matching attack in Subsect. 4.2 to show that the security bound is tight. We show that nEHtM_p is secure against all adversaries that make roughly 2^{2n/3} queries in the faulty nonce model. However, similar to nEHtM, the construction admits a birthday-bound forging attack when the number of faulty nonces reaches the order of 2^{n/2} [16]. We defer the proof of this theorem to Sect. 5. The forging advantage of nEHtM_p for η ≤ 2^{n/3}, q_m ≤ 2^{2n/3} and p ≤ 2^{2n/3} is thus given by the bound of the theorem.

Matching Attack. In this section we show a matching attack on nEHtM_p with 2^{2n/3} signing queries and 2^{2n/3} + 2 primitive queries in total. For carrying out the attack, we consider the following version of the PolyHash function, a specific instantiation of an axu and ar hash function: for a message m, if the size of m is not a multiple of n, where n is the key size of the hash function, we first apply an injective padding (e.g., 10*) to it to generate a padded message m'. Then the output of the hash function for m is computed as follows:

where l denotes the number of message blocks of m' and m'_i denotes the i-th message block of m'. Now, it is easy to see that the hash function is an (l_max + 1)/2^n-secure axu and ar hash function, where l_max is the maximum number of message blocks allowed. With this instance of the hash function in nEHtM_p, we mount the following attack. To begin with, we exploit bad event B.1 to mount the attack on the construction. We construct a deterministic adversary A that forges nEHtM_p by making 2^{2n/3} signing queries and 2^{2n/3} + 2 primitive queries to π in total, as follows:

Attack Algorithm: 1. A first chooses a single-block message m consisting of all zeroes, i.e., m = 0^n. 2. Then A makes 2^{2n/3} signing queries (ν_j, m) and obtains the tags t_j for j ∈ [2^{2n/3}], where ν_j = 0^{n/3−1} ‖ ⟨j⟩_{2n/3}. 3. A makes 2^{2n/3−1} forward primitive queries to π with x^1_j and obtains the outputs y^1_j for j ∈ [2^{2n/3−1}], where x^1_j = 0 ‖ ⟨j⟩_{2n/3−1} ‖ 0^{n/3}. 4. A again makes 2^{2n/3−1} forward primitive queries to π with x^2_j and obtains the outputs y^2_j. A makes two additional forward primitive queries to π with x^1 = x^1_j ⊕ 0‖1^{n−1} and x^2 = x^2_k ⊕ 0‖1^{n−1}. Let the received responses be y^1 and y^2 respectively. 7. Finally, A forges with (ν_i ⊕ 1^{n−1}, m, y^1 ⊕ y^2).

Analysis of the Forging Advantage. We first note the structure of ν_j, x^1_j and x^2_j. Note that the number of pairs (ν_i, x^1_j) satisfying the relation 0‖(ν_i ⊕ k) = x^1_j is exactly 2^{n/3}. As a result, the expected number of triplets (i, j, ℓ) satisfying 0‖(ν_i ⊕ k) = x^1_j and 1‖(ν_i ⊕ k_h^2) = x^2_ℓ is exactly 1. For this particular triplet (i, j, ℓ) satisfying the relation, A makes two additional forward primitive queries to π with x^1 = x^1_j ⊕ Δ and x^2 = x^2_ℓ ⊕ Δ, where Δ = 0‖1^{n−1}. Thus, if A makes a forging query with nonce ν_i ⊕ 1^{n−1} (which is distinct from all nonces used in the signing queries) and with the same message m = 0^n, then the tag of (ν_i ⊕ 1^{n−1}, m) equals y^1 ⊕ y^2, which makes (ν_i ⊕ 1^{n−1}, m, y^1 ⊕ y^2) a valid and successful forging attempt. Note that the number of signing queries required is 2^{2n/3} and the total number of primitive queries required is 2^{2n/3} + 2. However, the time complexity of this attack is 2^{2n−2}.

Proof of the Security Bound. Due to Eq. (1), we bound the distinguishing advantage instead of the forging advantage of nEHtM_p. For this, we consider any information-theoretic deterministic distinguisher A that has access to the following oracles in either the real world or the ideal world: in the real world it has access to (nEHtM_p.Sig^π_{(k,k_h)}, nEHtM_p.Ver^π_{(k,k_h)}, π, π^{−1}); in the ideal world it has access to (RF, Rej, π, π^{−1}). We summarize the interactions of the distinguisher with its oracles in a transcript τ_m ∪ τ_v, where τ_m is the signing transcript and τ_v = {(ν_1, m_1, t_1, b_1), ..., (ν_{q_v}, m_{q_v}, t_{q_v}, b_{q_v})} is the verification transcript. Primitive queries to π are summarized in two lists, τ^{(1)}_p and τ^{(2)}_p. We assume that none of the transcripts contain duplicate elements and that, after the interaction, we reveal the keys k, k_h to the distinguisher (before it outputs its decision); these are the keys used in the construction in the real world and uniformly sampled dummy keys in the ideal world. The complete view is denoted by τ = (τ_m, τ_v, τ^{(1)}_p, τ^{(2)}_p, k, k_h). For notational simplicity, we introduce the shorthand used below. We also define three sets: (a) T_p and two further sets. The main idea behind identifying bad events is to avoid input collisions of the permutation with primitive queries, as such a collision determines the corresponding tag; the tag then loses its randomness, which in turn helps the adversary distinguish the output from random.

Definition 2 (Bad Transcript for nEHtM_p). Given a parameter ξ ∈ N with ξ ≥ η, an attainable transcript τ = (τ_m, τ_v, τ^{(1)}_p, τ^{(2)}_p, k, k_h) is called a bad transcript if any one of the following holds (the optimal value of ξ will be determined later in the proof). The proof of the lemma can be found in Sect. 6. For a good transcript τ = (τ_m, τ_v, τ^{(1)}_p, τ^{(2)}_p, k_h, k), the ideal interpolation probability is computed directly.

Computing the Real Interpolation Probability. To compute the real interpolation probability, we regroup the elements of τ_m and τ_v. Since τ is a good transcript, it does not meet any of the bad conditions listed in Definition 2. We know that if ν_i ⊕ k = x̄^1_j, then ν_i ⊕ H_i cannot collide with x̄^2_ℓ (due to ¬B.1) and y^1_j ⊕ t_i cannot collide with y^2_ℓ (due to ¬B.8). Similarly for τ̄^{(2)}_p. This way, we end up with soundly defined τ̄^{(1)}_p and τ̄^{(2)}_p. We denote q_p = p_1 + p_2 = 2p + s_1 + s_2. We say that a permutation π is compatible with τ̄ if it agrees with every input-output pair recorded in τ̄. Therefore, the remaining part is to count the number of compatible permutations π.
As a result, the real interpolation probability is expressed through h_α, which denotes the number of injective solutions to the following system of equations and non-equations (E^= ∪ E^≠) with α distinct variables. For notational simplicity, we denote π(0‖(ν_i ⊕ k)) by U_i and π(1‖(ν_i ⊕ H_i)) by V_i. Note that E^= ∪ E^≠ is defined over α distinct variables, so some of the variables appearing in E^= ∪ E^≠ may coincide with each other. Thus, from Eq. (7) and Eq. (8), the ratio splits into three factors A.1, A.2 and A.3. Note that A.1 ≥ 1 and A.2 ≥ 1. Therefore, we are left to bound A.3. Note that the induced graph G of E^= ∪ E^≠ has α vertices. Moreover, |F| = q_m and |F'| = q_v. It is easy to verify that, as τ is a good transcript, G is a good graph. Therefore, we put σ = q_p in Theorem 1. From Eq. (8) and Eq. (10), the simplification in (1) follows from the fact that ρ'_{i−1} = α + q_p ≤ 2(q_m + q_p). Now, from Sect. 6.2 of [16] we obtain the bound on the bad-transcript probability. By applying the expectation method of Sect. 2.3 to Eq. (11), we obtain Eq. (12). By simple algebra on Eq. (12) and by assuming q'_m ≤ q_m, q_p ≤ 4p, we obtain the final expression.

Finalizing the proof. We have assumed that ξ ≥ η, and from the condition of Theorem 1 we have ξ ≤ 2^n/(8q_m + 2q_p) ≤ 2^n/8q_m. By assuming η ≤ 2^n/8q_m (otherwise the bound becomes vacuously true) we choose ξ = 2^n/8q_m. Hence, the result follows by applying Eq.

Proof of the Bad Transcript Lemma. In the following, we bound the probabilities of all the bad events individually. The lemma follows by adding the individual bounds.

Bounding B.1. For any signing query (ν_i, m_i, t_i) ∈ τ_m and any pair of primitive queries (x^1_j, y^1_j) ∈ τ^{(1)}_p and (x^2_ℓ, y^2_ℓ) ∈ τ^{(2)}_p, the only randomness in the equation ν_i ⊕ k = x̄^1_j is k, and the randomness in the equation ν_i ⊕ H_i = x̄^2_ℓ is the hash key k_h. In the ideal world, k and k_h are dummy keys sampled uniformly and independently from their respective spaces.
Therefore, for a fixed choice of i, j and ℓ, the probability of the event is ε_reg/2^{n−1}, where ε_reg is the regular advantage of the underlying hash function. Summing over all possible choices of i, j and ℓ gives the bound on Pr[B.1].

Bounding B.2. Let N be the set of all query indices i for which there is a j ≠ i such that ν_i = ν_j. It is easy to see that |N| ≤ 2η. Event B.2 occurs if for some j ∈ N, ν_j ⊕ H_j = ν_ℓ ⊕ H_ℓ for some ℓ ≠ j. For any such fixed i, j, ℓ, the probability of the event is at most ε_axu, where ε_axu is the almost xor universal advantage of the underlying hash function. The number of such choices of (i, j, ℓ) is at most 2ηq_m. Hence, Pr[B.2] ≤ 2ηq_m ε_axu.

Bounding B.3. For any two signing queries (ν_i, m_i, t_i), (ν_j, m_j, t_j) ∈ τ_m and a primitive query (x^1_ℓ, y^1_ℓ) ∈ τ^{(1)}_p, the only randomness in the equation ν_i ⊕ k = x̄^1_ℓ is k, and the randomness in the equation H_i ⊕ H_j = ν_i ⊕ ν_j is k_h. In the ideal world, k and k_h are dummy keys sampled uniformly and independently from their respective spaces. Therefore, for a fixed choice of i, j and ℓ, the probability of the event is ε_axu/2^{n−1}, where ε_axu is the almost xor universal advantage of the underlying hash function. Summing over all possible choices of i, j and ℓ gives the bound on Pr[B.3].

Bounding B.4. For any two signing queries (ν_i, m_i, t_i), (ν_j, m_j, t_j) ∈ τ_m and a primitive query (x^2_ℓ, y^2_ℓ) ∈ τ^{(2)}_p, the only randomness in the equation ν_i ⊕ H_i = x̄^2_ℓ is k_h. In the ideal world, k_h is sampled uniformly from K_h. Therefore, for a fixed choice of i, j and ℓ, the probability of the event is ε_reg. The number of choices of i ≠ j ∈ [q_m] such that ν_i = ν_j is at most 2η, and the number of choices of ℓ is at most p. Summing over all possible choices of i, j and ℓ gives the bound on Pr[B.4].

Bounding B.5. The only randomness in the equation ν_a ⊕ k = x^1_j is k, and the randomness in the equation ν_a ⊕ H_a = x^2_ℓ is k_h. In the ideal world, k and k_h are dummy keys sampled uniformly and independently from their respective spaces.
Therefore, for a fixed choice of a, j and ℓ, the probability of the event is ε_reg/2^{n−1}. Summing over all possible choices of a, j and ℓ gives the bound on Pr[B.5].

Bounding B.6. Similar to B.5, for a fixed choice of indices i and j, the probability of the event is at most ε_axu/2^n, as the event ν_i ⊕ H_i = ν_j ⊕ H_j is independent of t_i = t_j. Summing over all possible choices of i and j gives the bound on Pr[B.6].

Bounding B.7. Event B.7 is bounded by Lemma 1, where we take A = Y^1 and

Bounding B.8. As we are bounding the event B.8 | B.7, the number of (i, j, ℓ) satisfying t_i = y^1_j ⊕ y^2_ℓ is at most C. For a fixed choice of indices i, j and ℓ, the probability of the event is at most 1/2^{n−1}. Hence, summing over all possible choices of i, j and ℓ gives the bound on Pr[B.8 | B.7].

Bounding B.10. This event is thus a (ξ + 1)-multicollision on the ε_univ-universal hash function mapping (ν, m) to ν ⊕ H_{k_h}(m) (as H_{k_h} is ε_axu-almost xor universal). Therefore, by applying the multicollision theorem for universal hash functions (Theorem 1 of [16]), we have Pr[B.10] ≤ q_m^2 ε_axu/2ξ.

Bounding B.11. For some a ∈ [q_v] and i ∈ [q_m], if ν_i = ν_a, ν_i ⊕ H_i = ν_a ⊕ H_a and t_i = t_a, then m_i ≠ m_a (as the distinguisher is non-trivial). Hence the probability that ν_i ⊕ H_i = ν_a ⊕ H_a holds is at most ε_axu, due to the axu probability of the hash function. Now, for any choice of a ∈ [q_v], there can be at most (η + 1) indices i such that ν_i = ν_a. Hence, the required probability is bounded accordingly.

Bounding B.12. For any verification query (ν_a, m_a, t_a) ∈ τ_v and any pair of primitive queries (x^1_j, y^1_j) ∈ τ^{(1)}_p and (x^2_ℓ, y^2_ℓ) ∈ τ^{(2)}_p, the only

Acknowledgements. We would like to thank all the anonymous reviewers of Africacrypt 2020. Mridul Nandi is supported by NTRO Project.

References
Gimli: a cross-platform permutation
Keccak
Elephant. NIST LWC
Nonce-disrespecting adversaries: practical forgery attacks on GCM in TLS. In: 10th USENIX Workshop on Offensive Technologies
SPONGENT: the design space of lightweight cryptographic hashing
Key-alternating ciphers in a provable setting: encryption using a small number of public permutations
Beetle family of lightweight and secure authenticated encryption ciphers
Minimizing the two-round Even-Mansour cipher
How to build pseudorandom functions from public random permutations
EWCDM: an efficient, beyond-birthday secure, nonce-misuse resistant MAC
Xoodyak, a lightweight cryptographic scheme
Encrypt or decrypt? To make a single-key beyond birthday secure nonce-based MAC
Ascon v1.2. NIST LWC
Tight security analysis of EHtM MAC
Beyond birthday bound secure MAC in faulty nonce model
A construction of a cipher from a single pseudorandom permutation
The PHOTON family of lightweight hash functions
Key-alternating ciphers and key-length extension: exact bounds and multi-user security
The multi-user security of double encryption
How to thwart birthday attacks against MACs via small randomness
Parallelizable MACs based on the sum of PRPs with security beyond the birthday bound
SHA-3 standard
New hash functions and their use in authentication and set equality