[{"project":[{"call_identifier":"H2020","name":"Teaching Old Crypto New Tricks","_id":"258AA5B2-B435-11E9-9278-68D0E5697425"}],"quality_controlled":"1","tmp":{"name":"Creative Commons Attribution 4.0 International Public License (CC-BY 4.0)","legal_code_url":"https://creativecommons.org/licenses/by/4.0/legalcode","short":"CC BY (4.0)","image":"/images/cc_by.png"},"oa":1,"language":[{}],"publication_identifier":{"eissn":[]},"month":"02","department":[{"_id":"KrPi","tree":[{"_id":"ResearchGroups"},{"_id":"IST"}]}],"publication_status":"published","volume":2016,"date_created":"2019-04-04T13:48:23Z","dini_type":"doc-type:article","date_updated":"2023-09-07T12:02:27Z","related_material":{"record":[{"id":"838","relation":"dissertation_contains","status":"public"}]},"author":[{"last_name":"Gazi","first_name":"Peter","id":"3E0BFE38-F248-11E8-B48F-1D18A9856A87"},{"id":"3E04A7AA-F248-11E8-B48F-1D18A9856A87","orcid":"0000-0002-9139-1654","first_name":"Krzysztof Z","last_name":"Pietrzak"},{"first_name":"Michal","last_name":"Rybar","id":"2B3E3DE8-F248-11E8-B48F-1D18A9856A87"}],"creator":{"id":"2DF688A6-F248-11E8-B48F-1D18A9856A87","login":"dernst"},"ec_funded":1,"file_date_updated":"2020-07-14T12:47:24Z","page":"145-161","citation":{"chicago":"Gazi, Peter, Krzysztof Z Pietrzak, and Michal Rybar. “The Exact Security of PMAC.” IACR Transactions on Symmetric Cryptology. Ruhr University Bochum, 2017. https://doi.org/10.13154/TOSC.V2016.I2.145-161.","short":"P. Gazi, K.Z. Pietrzak, M. Rybar, IACR Transactions on Symmetric Cryptology 2016 (2017) 145–161.","mla":"Gazi, Peter, et al. “The Exact Security of PMAC.” IACR Transactions on Symmetric Cryptology, vol. 2016, no. 2, Ruhr University Bochum, 2017, pp. 145–61, doi:10.13154/TOSC.V2016.I2.145-161.","ieee":"P. Gazi, K. Z. Pietrzak, and M. Rybar, “The exact security of PMAC,” IACR Transactions on Symmetric Cryptology, vol. 2016, no. 2. Ruhr University Bochum, pp. 145–161, 2017.","apa":"Gazi, P., Pietrzak, K. Z., & Rybar, M. (2017). 
The exact security of PMAC. IACR Transactions on Symmetric Cryptology. Ruhr University Bochum. https://doi.org/10.13154/TOSC.V2016.I2.145-161","ista":"Gazi P, Pietrzak KZ, Rybar M. 2017. The exact security of PMAC. IACR Transactions on Symmetric Cryptology. 2016(2), 145–161."},"publication":"IACR Transactions on Symmetric Cryptology","date_published":"2017-02-03T00:00:00Z","dc":{"language":["eng"],"date":["2017"],"subject":["ddc:000"],"relation":["info:eu-repo/semantics/altIdentifier/doi/10.13154/TOSC.V2016.I2.145-161","info:eu-repo/semantics/altIdentifier/issn/2519-173X","info:eu-repo/grantAgreement/EC/H2020/682815"],"publisher":["Ruhr University Bochum"],"title":["The exact security of PMAC"],"rights":["info:eu-repo/semantics/openAccess"],"source":["Gazi P, Pietrzak KZ, Rybar M. The exact security of PMAC. IACR Transactions on Symmetric Cryptology. 2017;2016(2):145-161. doi:10.13154/TOSC.V2016.I2.145-161"],"creator":["Gazi, Peter","Pietrzak, Krzysztof Z","Rybar, Michal"],"description":["PMAC is a simple and parallel block-cipher mode of operation, which was introduced by Black and Rogaway at Eurocrypt 2002. If instantiated with a (pseudo)random permutation over n-bit strings, PMAC constitutes a provably secure variable input-length (pseudo)random function. For adversaries making q queries, each of length at most l (in n-bit blocks), and of total length σ ≤ ql, the original paper proves an upper bound on the distinguishing advantage of O(σ^2/2^n), while the currently best bound is O(qσ/2^n). In this work we show that this bound is tight by giving an attack with advantage Ω(q^2 l/2^n). In the PMAC construction one initially XORs a mask to every message block, where the mask for the i-th block is computed as τ_i := γ_i·L, where L is a (secret) random value, and γ_i is the i-th codeword of the Gray code. Our attack applies more generally to any sequence of γ_i’s which contains a large coset of a subgroup of GF(2^n). 
We then investigate if the security of PMAC can be further improved by using τ_i’s that are k-wise independent, for k > 1 (the original distribution is only 1-wise independent). We observe that the security of PMAC will not increase in general, even if the masks are chosen from a 2-wise independent distribution, and then prove that the security increases to O(q^2/2^n), if the τ_i are 4-wise independent. Due to simple extension attacks, this is the best bound one can hope for, using any distribution on the masks. Whether 3-wise independence is already sufficient to get this level of security is left as an open problem."],"type":["info:eu-repo/semantics/article","doc-type:article","text","http://purl.org/coar/resource_type/c_6501"],"identifier":["https://research-explorer.ista.ac.at/record/6196","https://research-explorer.ista.ac.at/download/6196/6197"]},"uri_base":"https://research-explorer.ista.ac.at","has_accepted_license":"1","day":"03","intvolume":" 2016","status":"public","ddc":[],"user_id":"3E5EF7F0-F248-11E8-B48F-1D18A9856A87","_id":"6196","file":[{"file_id":"6197","relation":"main_file","date_created":"2019-04-04T13:53:58Z","date_updated":"2020-07-14T12:47:24Z","checksum":"f23161d685dd957ae8d7274132999684","file_name":"2017_IACR_Gazi.pdf","access_level":"open_access","creator":"dernst","file_size":597335,"content_type":"application/pdf"}],"oa_version":"Published Version","type":"journal_article","issue":"2","abstract":[{"lang":"eng"}]}]