Gaži et al. [CRYPTO 2014] analyzed the NI-MAC construction proposed by An and Bellare [CRYPTO 1999] and gave a tight birthday bound of $O(lq^{2}/2^{n})$, an improvement over the previous bound of $O(l^{2}q^{2}/2^{n})$. In this paper, we design a simple extension of NI-MAC, called NI$^+$-MAC, and prove that it has a security bound of $O(q^2l^4 / 2^{2n})$. Our construction not only lifts the security of NI-MAC beyond the birthday bound, it also reduces the number of keys from 2 (NI uses 2 independent keys) to 1. Before this work, Yasuda had proposed [FSE 2008] a beyond-birthday-bound (BBB) secure MAC based on a single fixed-keyed compression function that uses an extra tweak. However, our proposed construction NI$^+$ does not require any extra tweak and therefore has a smaller state size than Yasuda's proposal [FSE 2008]. Further, the security proof of Yasuda's construction is straightforward, as tweakable functions are replaced by uniform independent random functions. In contrast, our proof technique is completely different and uses the structure-graph-based analysis introduced by Bellare et al. [CRYPTO 2005].