The Exact Security of PMAC with Two Powering-Up Masks

PMAC is a rate-1, parallelizable, block-cipher-based message authentication code (MAC), proposed by Black and Rogaway (EUROCRYPT 2002). Improving the security bound is a main research topic for PMAC. In particular, showing a tight bound has been the primary goal of the research since Luykx et al.'s paper (EUROCRYPT 2016). Regarding the pseudo-random-function (PRF) security of PMAC, a collision of the hash function, or the difference between a random permutation and a random function, offers the lower bound $\Omega(q^2/2^n)$ for $q$ queries and the block cipher size $n$. Regarding the MAC security (unforgeability), a hash collision for MAC queries, or guessing a tag, offers the lower bound $\Omega(q_m^2/2^n + q_v/2^n)$ for $q_m$ MAC queries and $q_v$ verification queries (forgery attempts). The tight upper bound of the PRF-security $O(q^2/2^n)$ of PMAC was given by Gaži et al. (ToSC 2017, Issue 1), but their proof requires a 4-wise independent masking scheme that uses 4 $n$-bit random values. Open problems from their work are: (1) find a masking scheme with three or fewer random values with which PMAC has the tight upper bound for PRF-security; (2) find a masking scheme with which PMAC has the tight upper bound for MAC-security. In this paper, we consider PMAC with two powering-up masks, whose masking scheme uses two random values. Using the structure of the powering-up masking scheme, we show that this PMAC has the tight upper bound $O(q^2/2^n)$ for PRF-security, which answers open problem (1), and the tight upper bound $O(q_m^2/2^n + q_v/2^n)$ for MAC-security, which answers open problem (2). Note that these results deal with two-key PMACs; showing tight upper bounds for PMACs with a single key and/or with one powering-up mask remains an open problem.


Introduction
A MAC (Message Authentication Code) is a fundamental symmetric-key primitive that produces a tag to authenticate a message. MACs are often realized by using a block cipher so that they become secure MACs (unforgeable under chosen message attacks) or secure PRFs (Pseudo-Random Functions) under the standard assumption that the underlying keyed block ciphers are secure PRPs (Pseudo-Random Permutations).
Block-cipher-based MACs are mainly categorized into CBC MACs such as [BKR94, BR00, IK03, KI03, PR00] and PMACs such as [BR02, Rog04, GPR16]. PMAC was introduced by Black and Rogaway [BR02]. Although PMAC is slightly less efficient than the CBC MACs due to the masking scheme, unlike the CBC MACs it allows the message blocks to be processed fully in parallel. Under parallel implementation, PMAC can outperform the CBC MACs.
For $n$-bit input message blocks $M_1 M_2 \cdots M_m$, the output of the hash function PHASH, using keyed block ciphers $P, P'$ over $\{0,1\}^n$, $r$ $n$-bit random values $L \in \{0,1\}^{rn}$, and a masking scheme $\varphi : \{0,1\}^{rn} \times \mathbb{N} \to \{0,1\}^n$, is computed as
and the output of PMAC is computed as
$\mathrm{PMAC}[L, P, P'](M_1 M_2 \cdots M_m) = P'(\mathrm{PHASH}[L, P](M_1 M_2 \cdots M_m))$. (2)
Figure 1 shows the PMAC construction. The masking scheme is realized by e.g., Gray code [BR02], the powering-up scheme [Rog04], LFSR-based schemes [CS08], or a combination of powering-up and LFSR [GJMN16]. Note that PMAC defined in (1), (2) is a simplified version of the original PMACs [BR02, Rog04], and follows the definitions given in [LPSY16a, LPTY16]. The original versions are single-key MACs, and the last keyed block cipher $P'$ is realized by using $P$, whose input is defined by XORing the last message block with a masking value different from the masking values in PHASH.
The PMAC schemes were designed to be secure PRFs (and thus secure MACs). As mentioned below, the upper bounds of the PRF-security have mainly been improved. In particular, showing a tight upper bound has been the primary goal of the research since Luykx et al.'s paper [LPSY16a, LPSY16b].
Regarding an upper bound of PMAC, the first PRF-security proof was given by Black and Rogaway [BR02], where the masking scheme is based on Gray code, $\varphi(L, i) = \gamma_i \cdot L$ for the $i$-th Gray codeword $\gamma_i$ and an $n$-bit random value $L$. The derived upper bound is $O(\sigma^2/2^n)$, where $\sigma$ is the total number of message blocks by all queries. Rogaway [Rog04] gave the same upper bound for PMAC with the powering-up scheme $\varphi(L, i) = 2^i \cdot L$ for an $n$-bit random value $L$, where the multiplication is done over $GF(2^n)^*$. Later, the security bounds were improved to $O(m_{\max} q^2/2^n)$ by Minematsu and Matsushima [MM07], and then to $O(q\sigma/2^n)$ by Nandi [Nan10], for $q$ queries and the maximum message block length $m_{\max}$. Note that these proofs deal with the original PMACs.
The lower bound of the PRF-security of PMAC is $\Omega(q^2/2^n)$, by a hash collision or by the difference between a random permutation and a random function. For the MAC-security, the lower bound is $\Omega(q_m^2/2^n + q_v/2^n)$ for $q_m$ MAC queries and $q_v$ verification queries (forgery attempts). A hash collision for MAC queries offers the lower bound $\Omega(q_m^2/2^n)$, and guessing tags offers the lower bound $\Omega(q_v/2^n)$. These lower bounds do not match the upper bounds mentioned above.
Gaži et al. [GPR16] filled the gap for the PRF-security of the Gray-code-based PMAC. They gave the lower bound $\Omega(m_{\max} q^2/2^n)$, and showed that the lower bound holds even with two Gray-code masks that use two $n$-bit random values. Thus, the existing upper bound of the PRF-security of the PMAC is tight. However, their result does not imply that the same lower bound holds for other masking schemes. They considered a 4-wise independent masking scheme that requires 4 $n$-bit secret random values, and proved that PMAC with the masking scheme has the tight upper bound $O(q^2/2^n)$ regarding PRF-security, as long as $m_{\max} \le 2^{n/2}$, where two block cipher keys are independently drawn, i.e., $P$ and $P'$ are independent, and the last block is absent, i.e., $M_m = 0^n$. Note that the PRF-security bound $O(q^2/2^n)$ offers the MAC-security bound $O((q_m + q_v)^2/2^n)$, but there is a gap between the lower and upper bounds.

Open Problems
Open problems from Gaži et al.'s work [GPR16] are listed below.
message block in PHASH, the original definition does not include the last message block Mm.
• The first open problem is to find a masking scheme with three or fewer random values with which PMAC has the tight upper bound $O(q^2/2^n)$ regarding PRF-security.
• The second open problem is to find a masking scheme with which PMAC has the tight upper bound $O(q_m^2/2^n + q_v/2^n)$ regarding MAC-security.

Our Results
In this paper, we consider PMAC with two powering-up masks, i.e., the masking scheme uses two $n$-bit random values $L = (L_1, L_2)$. The masking scheme is defined as
In Section 4, regarding PRF-security, we show that the PMAC has the tight upper bound $O(q^2/2^n)$, as long as $m_{\max} \le 2^{n/2}$ and $P$ and $P'$ are independent. Hence, the masking scheme ensures that two random values are sufficient for PMAC to achieve $O(q^2/2^n)$ PRF-security, although the Gray-code-based PMAC fails to achieve this security level. The main difficulty of the proof is to show that the collision probability of PHASH is $O(q^2/2^n)$. In particular, we need to carefully analyze the influence of input collisions to $P$ in PHASH. In our proof, using the structure of the masking scheme defined in (3), the number of pairs $(L_1, L_2)$ is upper bounded by roughly $2^n$. As $(L_1, L_2) \in \{0,1\}^n \times \{0,1\}^n$, the probability that the hash collision occurs from the input collisions is upper bounded by $O(q^2/2^n)$. Consequently, the tight upper bound is obtained.
In Section 5, regarding MAC-security, we show that the PMAC has the tight upper bound $O(q_m^2/2^n + q_v/2^n)$, as long as $m_{\max} \le 2^{n/2}$ and $P$ and $P'$ are independent. As in [CS16], our proof is based on the coefficient H technique [Pat08] and mainly considers the indistinguishability between the real oracles (PMAC and the verification oracle) and the ideal oracles (a random function and a reject oracle). Roughly speaking, for MAC queries, if no collision occurs for PHASH, then PMAC can be regarded as a random function. Using the hash collision analysis from the PRF-security proof of the PMAC, the collision probability is at most $O(q_m^2/2^n)$. Under the condition that PMAC behaves like a random function for MAC queries, there are two strategies for forging a tag. The first strategy is to use a hash collision between MAC and verification queries: when making a verification query with the tag obtained by a previous MAC query, if the hash collision occurs, then the verification query is accepted. The second strategy is to guess a tag randomly. The success probability of each strategy is $O(q_v/2^n)$. Thus, the tight upper bound is obtained.
Finally, open problems from our paper are listed below: (1) show tight upper bounds of the PRF-security and/or of the MAC-security of PMAC whose masking scheme uses only one random value (the problem for the PRF-security of PMAC with one powering-up mask was posed by Luykx et al. [LPSY16a, LPSY16b]); (2) show tight upper bounds of the PRF-security and/or of the MAC-security of single-key PMAC, i.e., $P = P'$.

Other Related Works
Several works show that by modifying the PMAC construction, the upper bound of the PRF-security is improved.
Note that these MACs have different structures from PMAC defined in (1), (2). Before Gaži et al.'s work [GPR16], Luykx et al. [LPSY16a, LPTY16] showed that for two distinct messages, the collision probability of the Gray-code-based PHASH depends on the message lengths. As the PRF-security of PMAC depends on the collision security of the hash function, their result implies that this PMAC cannot achieve $O(q^2/2^n)$ PRF-security.

Organization
The rest of the paper is organized as follows. In Section 2, the basic notations and the security definitions are introduced. In Section 3, PMAC is defined, and the lower bounds of the PRF-security and of the MAC-security and their proofs are given. In Section 4, the tight upper bound of the PRF-security of the PMAC and its proof are given. In Section 5, the tight upper bound of the MAC-security of the PMAC and its proof are given. In Section 6, several modifications of the PMAC are discussed. Finally, in Section 7, the multi-user security of the PMAC is discussed (note that the previous sections consider the single-user security).

Basic Notations
Let $\lambda$ be the empty string and $\{0,1\}^*$ the set of all bit strings. For an integer $n \ge 0$, let $\{0,1\}^n$ be the set of all $n$-bit strings, $(\{0,1\}^n)^*$ the set of all bit strings whose lengths are multiples of $n$, and $0^n$ resp. $1^n$ the bit string of $n$ zeroes resp. ones. For integers $0 < j \le i$, $(i)_j = i(i-1)\cdots(i-j+1)$ denotes the falling factorial. For an integer $i \ge 1$, let $[i] := \{1, 2, \ldots, i\}$. For a non-empty set $\mathcal{T}$, $T \xleftarrow{\$} \mathcal{T}$ means that an element is chosen uniformly at random from $\mathcal{T}$ and is assigned to $T$. The concatenation of two bit strings $X$ and $Y$ is written as $X \| Y$, or $XY$ when no confusion is possible. For integers $i$ and $j$ with $0 \le i < 2^j$, let $\mathrm{str}_j(i)$ be the $j$-bit binary representation of $i$. For sets $\mathcal{X}$ and $\mathcal{Y}$, $\mathrm{Perm}(\mathcal{X})$ denotes the set of all permutations on $\mathcal{X}$, and $\mathrm{Func}(\mathcal{X}, \mathcal{Y})$ denotes the set of all functions from $\mathcal{X}$ to $\mathcal{Y}$.

Binary Fields
Let $GF(2^n)$ be the field with $2^n$ elements and $GF(2^n)^*$ the multiplicative group of this field, which contains $2^n - 1$ elements. We interchangeably think of an element $a$ in $GF(2^n)$ in any of the following ways: as an $n$-bit string
This paper uses a primitive polynomial with the property that the element $2 = x$ generates the entire multiplicative group $GF(2^n)^*$ of order $2^n - 1$. Examples of primitive polynomials for $n = 64$ and $n = 128$ are $a(x) = x^{64} + x^4 + x^3 + x + 1$ and $a(x) = x^{128} + x^7 + x^2 + x + 1$.

Definition for Block Cipher
A block cipher is a set of permutations indexed by a key. Let a non-empty set $\mathcal{K}$ be a key space and an integer $n$ the input/output block size. A block cipher is denoted by $E : \mathcal{K} \times \{0,1\}^n \to \{0,1\}^n$, and a block cipher $E$ having a key $K \in \mathcal{K}$ is denoted by $E_K$.
In our security proofs, keyed block ciphers are assumed to be secure pseudo-random permutations (PRPs). In the PRP-security game, an adversary $A$ has access to either the keyed block cipher $E_K$ for $K \xleftarrow{\$} \mathcal{K}$ or a random permutation $P \xleftarrow{\$} \mathrm{Perm}(\{0,1\}^n)$, and returns a decision bit $y \in \{0,1\}$ after the interaction. An output of $A$ with access to $O$ is denoted by $A^O$. The PRP-security advantage function of $A$ is defined as
where the probabilities are taken over $K$, $P$ and $A$. The maximum over all adversaries that run in time at most $t$ and make at most $\sigma$ queries is denoted by

Definition for MAC
Let $F : \mathcal{K} \times \mathcal{X} \to \{0,1\}^n$ be a MAC function for an integer $n > 0$, a key space $\mathcal{K}$ and an input space $\mathcal{X}$. The MAC function having a key $K \in \mathcal{K}$ is denoted by $F_K$.

PRF-Security
In the pseudo-random function (PRF) security game of $F_K$, an adversary $A$ has access to either
and returns a decision bit $y \in \{0,1\}$ after the interaction. An output of $A$ with access to $O$ is denoted by $A^O$. The PRF-security advantage function of $A$ is defined as
where the probabilities are taken over $K$, $R$ and $A$. The maximum over all adversaries that run in time at most $t$ and make at most $q$ queries of each message length at most $m_{\max}$ blocks is denoted by

MAC-Security
The MAC-security of $F_K$ is defined in terms of unforgeability under a chosen-message attack. In the MAC-security game, an adversary $A$ has access to
We call a query to $F_K$ "a MAC query" and a query to $\mathrm{Verif}[F_K]$ "a verification query." The MAC-security advantage function of $A$ is defined as
where the probabilities are taken over $P$ and $A$. "$A$ forges" means that $A$ makes a verification query $(M, T)$ such that the message $M$ has not been made in a previous MAC query and accept is returned. The maximum over all adversaries that run in time at most $t$, and make at most $q_m$ MAC queries and at most $q_v$ verification queries of each message length at most $m_{\max}$ blocks, is denoted by
Note that
where $q = q_m + q_v$ and $t' = t + O(\sigma)$ for $\sigma$ the total number of message lengths in blocks by all queries.

Collision Security
Consider the collision security of a keyed hash function $H : \mathcal{K} \times \mathcal{X} \to \{0,1\}^n$ with a key space $\mathcal{K}$, an input space $\mathcal{X}$, and an output length $n > 0$. The keyed function is denoted by $H_K$ for a key $K \in \mathcal{K}$. The advantage function of the collision security of $H_K$ is defined as
where the maximum goes over all $q$-tuples of distinct messages of each message length at most $m_{\max}$ blocks.

PMAC with Two Powering-Up Masks
Let $r$ be the number of $n$-bit random values used in a masking scheme and $\varphi : \{0,1\}^{nr} \times \mathbb{N} \to \{0,1\}^n$ a masking scheme in PMAC. For random values $L \in \{0,1\}^{nr}$ and a keyed block cipher
where the length of each message block $M_i$ is $n$ bits. In the following analysis, the $i$-th input and output of $E_K$ are denoted by
is derived from PHASH by additionally encrypting the hash value using a keyed block cipher $E_{K'}$:
Figure 1 shows the PMAC construction.
In this paper, we mainly analyze the security of PMAC where $K$ and $K'$ are independently drawn, and two powering-up masks are used:
and the masking scheme is defined as
The well known attacks on PMAC (more generally, hash-then-encrypt-type MACs) use a hash collision [PvO95]. Precisely, a collision of PHASH implies a collision of PMAC, which offers a distinguishing attack and a forgery. Thus, the attack offers the lower bound $\Omega(q^2/2^n)$ of the PRF-security for $q$ queries, and the lower bound $\Omega(q_m^2/2^n + q_v/2^n)$ of the MAC-security for $q_m$ MAC queries and $q_v$ verification queries. Another distinguishing attack uses the difference between a random permutation and a random function, which offers the lower bound $\Omega(q^2/2^n)$ of the PRF-security. Another forgery is to guess a tag, which offers the lower bound $\Omega(q_v/2^n)$. These attacks are not new, but for the sake of completeness they are given in Sections 3.1 (PRF-security) and 3.2 (MAC-security).
On the other hand, proving the tight upper bounds of PMAC with the masking scheme (4) is non-trivial. In Section 4, we give the tight upper bound $O(q^2/2^n)$ regarding the PRF-security of the PMAC. In Section 5, we give the tight upper bound $O(q_m^2/2^n + q_v/2^n)$ regarding the MAC-security of the PMAC.

Lower Bound of the PRF-Security of PMAC
The lower bound of the PRF-security of PMAC is given in the following theorem, where the underlying block ciphers $E_K, E_{K'}$ are assumed to be random permutations
Theorem 1. There exists an adversary $A$ making $q$ queries such that
Proof. (PRF-attack 1) Let $O$ be either $\mathrm{PMAC}[L, P, P']$ or a random function $R$, where
A PRF adversary that uses a collision of PHASH is defined below.
1. For $i = 1, \ldots, q - 2$, make a query $M_i = \mathrm{str}_n(2i-1) \| \mathrm{str}_n(2i) \| 0^n$ and receive the response
3. Return 0.
If $O = \mathrm{PMAC}[L, P, P']$, then as shown in Figure 2, a tag collision at step 2 implies that an internal state (hash) collision has occurred. Thus, even when modifying the last blocks as $0^n \to 1^n$ at step (2a), the collision occurs, and the probability that the adversary returns 1 at step (2b) is 1. On the other hand, if $O = R$, the probability that the adversary returns 1 at step (2b) is negligible. By the birthday analysis, the collision probability is $\Omega(q^2/2^n)$, and thus the lower bound in Theorem 1 is obtained.
(PRF-attack 2) Next, an adversary using the difference between $P'$ and $R$ is defined below.

Otherwise return 1.
As the messages are all one block and all distinct, if $O = \mathrm{PMAC}[L, P, P']$, then $A$ returns 1. On the other hand, if $O = R$, then an output collision occurs with probability $\Omega(q^2/2^n)$ by the birthday analysis. Thus, the lower bound in Theorem 1 is obtained.

Lower Bound of the MAC-Security of PMAC
The lower bound of the MAC-security of PMAC is given in the following theorem, where the underlying keyed block ciphers $E_K, E_{K'}$ are assumed to be random permutations
Theorem 2. There exists an adversary $A$ making $q$ queries such that
Proof. (MAC-attack 1) The first term $q_m^2/2^n$ is obtained by using a collision of PHASH, as in the proof of Theorem 1. The adversarial procedure is given below.
1. For $i = 1, \ldots, q - 2$, make a MAC query $M_i = \mathrm{str}_n(2i-1) \| \mathrm{str}_n(2i) \| 0^n$ and receive the response
If a hash collision occurs at step 2, the tag collision $\mathrm{PMAC}[L, P, P'](M) = \mathrm{PMAC}[L, P, P'](M^*)$ occurs. Hence, at step (2b), accept is returned, even when modifying the last block as $0^n \to 1^n$. By the birthday analysis, the collision probability is $\Omega(q_m^2/2^n)$. Thus, the first term is obtained.
(MAC-attack 2) The second term $q_v/2^n$ is obtained from an adversary that makes verification queries whose tags are chosen uniformly at random from $\{0,1\}^n$.
(MAC-attack 3) The second term $q_v/2^n$ is also obtained from a hash collision between MAC and verification queries: firstly, an adversary makes a MAC query $M^*$ and obtains the response $T^*$; secondly, it makes verification queries $(\hat{M}_1, T^*), \ldots, (\hat{M}_{q_v}, T^*)$. If for some $i$ the hash collision $\mathrm{PHASH}[L, P](M^*) = \mathrm{PHASH}[L, P](\hat{M}_i)$ occurs, then $\mathrm{PMAC}[L, P, P'](\hat{M}_i) = T^*$, and thus the $i$-th response is accept. The collision probability is $\Omega(q_v/2^n)$, and thus the second term is obtained.

PRF-Security of PMAC with Two Powering-Up Masks
Regarding the PRF-security of PMAC where the masking scheme is defined in (4) and $K, K'$ are independently drawn, we give the tight upper bound $O(q^2/2^n)$ for $q$ queries.
Theorem 3. Assume that $4 \le n$, and the maximum length in blocks $m_{\max}$ is at most $2^{n/2}$. Then, we have
where $t' = t + O(\sigma)$ for $\sigma$ the total number of message blocks by all queries.

The High-Level Structure of the Security Proof
The high-level structure of the proof is given below, which is based on the existing proof of PMAC given in [GPR16].

The PRF-Security from the Collision Security
Firstly, the underlying keyed block ciphers $E_K, E_{K'}$ are replaced with random permutations
The replacement introduces the PRP-advantages of the keyed block ciphers. Secondly, the random permutation $P'$ is replaced with a random function $g$. By the PRP-PRF switch, the replacement introduces the term $q^2/2^{n+1}$. Thirdly, the PRF-security of the resultant MAC $g \circ \mathrm{PHASH}[L, P]$ is considered. As the MAC returns fresh random values as long as no hash collision occurs, the PRF-security of the MAC is reduced to the collision security of $\mathrm{PHASH}[L, P]$. Putting these steps together offers the following lemma, which is given as Lemma 1 in [GPR16] (and also in several other papers).
where $t' = t + O(\sigma)$ for $\sigma$ the total number of message blocks by all queries.
The collision advantage $\mathrm{Adv}^{\mathrm{coll}}_{\mathrm{PHASH}[L,P]}(q, m_{\max})$ is upper bounded by summing the collision probabilities over all pairs of messages. Thus, the following lemma is satisfied.

Analysis of the Collision Advantage $\mathrm{Adv}^{\mathrm{coll}}_{\mathrm{PHASH}[L,P]}(2, m_{\max})$
The collision advantage $\mathrm{Adv}^{\mathrm{coll}}_{\mathrm{PHASH}[L,P]}(2, m_{\max})$, which is equal to the following probability, is considered:

Outline
In order to upper bound the probability, two events are considered. The first event $E_1$ is that some output of $P$ is not trivially canceled out. The second event $E_2$ is that all outputs of $P$ are trivially canceled out. Whereas the analysis for $E_1$ is not new, the one for $E_2$ is new.
• For the hash collision with the event $E_1$, the randomness of an output which is not trivially canceled out can be used, and thus the collision probability is upper bounded by $O(1/2^n)$ (as the output is chosen uniformly at random from roughly $2^n$ values).
• For the hash collision with the event $E_2$, we need to analyze the collision probability for inputs to $P$. The analysis uses the structure of the masking scheme defined in (4). We show that the collision probability is upper bounded by $O(1/2^n)$.

Detail
For two distinct messages $M^\alpha, M^\beta$, without loss of generality, assume that
For $\gamma \in \{\alpha, \beta\}$, let $m_\gamma$ be the block length of $M^\gamma$, and variables/values corresponding with $M^\gamma$ are denoted using the superscript $\gamma$, such as $X^\gamma_i, Y^\gamma_i$, etc. Regarding
Note that the above sets depend only on $M^\alpha, M^\beta$ and do not depend on the random values $L$.
)} be the multiset of outputs of P that are not trivially canceled out.
The hash collision has the form of
$A = B$ is satisfied if one of the following events occurs.
• $E_1$: $\mathcal{Y}$ includes an element of odd multiplicity.
• $E_2$: $\mathcal{Y}$ includes only elements of even multiplicity. We then have
Regarding $p^1_{\mathrm{coll}}$, under the event $E_1$, some output $Y \in \mathcal{Y}$ used in $A$ is not canceled out, and thus the number of possibilities of $A$ is at least $2^n - (m_\alpha + m_\beta)$. Hence, we have
as $m_{\max} \le 2^{n-2}$ from the assumption. Regarding $p^2_{\mathrm{coll}}$, the analysis is given in Section 4.2. The upper bound is $4/2^n$, given in Equation (6).

Conclusion of the Proof
The upper bound in Theorem 3 is obtained by putting Lemmas 1, 2 and the upper bound (5) together.

Upper Bounding $p^2_{\mathrm{coll}}$
The probability $p^2_{\mathrm{coll}}$ is upper bounded, where $|M^\alpha| \ge |M^\beta|$ (assumed above). In this analysis, inputs are depicted graphically. Figure 3 is an example for inputs with $m_\alpha = 5$, where a dot at the row of $\gamma$ and the $i$-th column represents $X^\gamma_i$. Dots connected with each other (the 1st and 3rd columns in Figure 3) are inputs that are trivially canceled out. Let $\mathcal{L}$ be the set of pairs $(L_1, L_2)$ that offer hash collisions and satisfy the event $E_2$. The following analyses show that $|\mathcal{L}| \le 4 \cdot 2^n$, and thus we have
There are three cases: $m_\alpha = m_\beta$, $m_\alpha = m_\beta + 1$, and $m_\alpha = m_\beta + 2$. Figure 4 shows these cases. If $m_\alpha = m_\beta + 1$ then $\mathcal{Y}$ includes an element of odd multiplicity. Thus, the remaining cases $m_\alpha = m_\beta$ and $m_\alpha = m_\beta + 2$ are considered.
The first case ($m_\alpha = m_\beta$) is considered. In this case, either
occurs if $E_2$ occurs. Figure 5 shows collision patterns for the messages. For $\gamma \in \{\alpha, \beta\}$,
The number of possibilities of $L_1$ is $2^n$, and once $L_1$ is fixed, $L_2$ is determined. Thus, we have
where $i_1 = m_\alpha - 1$ and $i_2 = m_\alpha$. Figure 5 shows the collision pattern. By the same analysis, we have $|\mathcal{L}| \le 2^n$. The case ($m_\alpha = m_\beta$) is considered. If the event $E_2$ occurs, then three input collisions occur. For example,

The first two collisions offer the following system:
The above system offers a unique solution for $L_1$ and $L_2$. As shown in Figure 7, there are at most six patterns (each pattern offers a unique solution for $L_1$ and $L_2$), and thus we have $|\mathcal{L}| \le 6$. The case ($m_\alpha = m_\beta + 2$) is considered. In this case, $i_2 = m_\alpha - 2$, $i_3 = m_\alpha - 1$. As in Figure 7, there are at most two patterns, and each pattern offers a unique solution for $L_1$ and $L_2$ by the same analysis as above. Thus, we have $|\mathcal{L}| \le 2$.

Type-5: |I
) such that at least three of $i_1, i_2, i_3, i_4$ are distinct. The input collisions offer the following system.

Remark
The above proof considers two events that cover attacks given in Section 3.1.The first event deals with the PRP-PRF switch at the last block.This event corresponds with (PRF-attack 2).The second event deals with a hash collision.This event corresponds with (PRF-attack 1).

MAC-Security of PMAC with Two Powering-Up Masks
Regarding the MAC-security of PMAC where the masking scheme is defined in (4) and $K, K'$ are independently drawn, we give the tight upper bound $O(q_m^2/2^n + q_v/2^n)$ for $q_m$ MAC and $q_v$ verification queries.
Theorem 4. Assume that $4 \le n$, and the maximum length in blocks $m_{\max}$ is at most $2^{n/2}$. Then, we have
where $t' = t + O(\sigma)$ for $\sigma$ the total number of message blocks by all queries.
As in Section 4.1, the term $2 \cdot \mathrm{Adv}^{\mathrm{prp}}_E(\sigma, t')$ is introduced by replacing the underlying keyed block ciphers $E_K, E_{K'}$ with random permutations, respectively. Hereafter, $\mathrm{Adv}^{\mathrm{mac}}_{\mathrm{PMAC}[L,P,P']}(q_m, q_v, m_{\max})$, the advantage function of the MAC-security of $\mathrm{PMAC}[L, P, P']$, is upper bounded. Without loss of generality, an adversary $A$ is deterministic. We demand that $A$ never asks a repeated query or a trivial verification query $(M, T)$ that was obtained from some previous MAC query.

Indistinguishability between Real and Ideal Worlds
As in [CS16], we consider the indistinguishability between the real and ideal worlds. The real and ideal oracles are defined as $\Pi_R = (\mathrm{PMAC}[L, P, P'], \mathrm{Verif}[\mathrm{PMAC}[L, P, P']])$ and $\Pi_I = (R, \mathrm{Rej})$, where $R \xleftarrow{\$} \mathrm{Func}(\{0,1\}^*, \{0,1\}^\tau)$ is a random function and $\mathrm{Rej}$ is a reject oracle that returns the symbol reject for any query. The advantage function of an adversary $A$ outputting a bit is defined as
In the ideal world, in addition to the ideal oracles, a random permutation and random values $L = (L_1, L_2) \xleftarrow{\$} \{0,1\}^{2n}$ are defined, which do not affect the adversarial behavior but are used in this proof.
Let $\tau_m = ((M_1, T_1), (M_2, T_2), \ldots, (M_{q_m}, T_{q_m}))$ be the list of MAC queries of $A$ and the corresponding answers, and
the list of verification queries $(\hat{M}_i, \hat{T}_i)$ of $A$ and the corresponding answers $b_i \in \{\mathrm{accept}, \mathrm{reject}\}$.
In addition to the lists, hash values $\tau_{h,m}$ by MAC queries and $\tau_{h,v}$ by verification queries are revealed to $A$ after its interaction. Note that in the ideal world, for a message $M$, the hash value $H$ is defined as $H = \mathrm{PHASH}[L, P](M)$.
$\tau_{h,m} = (H_1, \ldots, H_{q_m})$ and $\tau_{h,v} = (\hat{H}_1, \ldots, \hat{H}_{q_v})$, where $H_i$ is the hash value defined by the $i$-th MAC query and $\hat{H}_i$ is the hash value defined by the $i$-th verification query. The transcript, which $A$ obtains after the interaction, is defined as
A transcript $\tau$ is said to be attainable (with respect to adversary $A$) if the probability of obtaining this transcript in the ideal world is non-zero. In particular, note that for an attainable transcript $\tau$, the answer to any verification query $(\hat{M}_i, \hat{T}_i)$ is $b_i = \mathrm{reject}$. We denote by $\mathcal{T}$ the set of attainable transcripts. We also denote by $T_R$, resp. $T_I$, the probability distribution of the transcript $\tau$ induced by the real, resp. ideal, oracles.
We upper bound the indistinguishability advantage by using the coefficient H technique [Pat08] (we follow the description of [CS14]).
Lemma 3. Fix an adversary $A$. Let $\mathcal{T} = \mathcal{T}_{\mathrm{good}} \cup \mathcal{T}_{\mathrm{bad}}$ be a partition of the set of attainable transcripts. Assume that there exists $\varepsilon$ such that for any $\tau \in \mathcal{T}_{\mathrm{good}}$, one has

Good and Bad Transcripts
$\mathcal{T}_{\mathrm{bad}}$ is defined so that one of the following events occurs.
• $\mathrm{bad}_1 \Leftrightarrow \exists i, j \in [q_m]$ s.t. $i \neq j$ and $H_i = H_j$ (a hash collision occurs for MAC queries).
• $\mathrm{bad}_2 \Leftrightarrow \exists i, j \in [q_m]$ s.t. $i \neq j$ and $T_i = T_j$ (a tag collision occurs for MAC queries).
$\mathcal{T}_{\mathrm{good}}$ is defined as $\mathcal{T}_{\mathrm{good}} = \mathcal{T} \setminus \mathcal{T}_{\mathrm{bad}}$.

Upper Bound of $\Pr[T_I \in \mathcal{T}_{\mathrm{bad}}]$
By the definition of $\mathcal{T}_{\mathrm{bad}}$,
Firstly, the probability that $\mathrm{bad}_1$ occurs, denoted by $p_1$, is upper bounded. For two distinct messages $M^\alpha, M^\beta$ of block lengths at most $m_{\max}$, the hash collision probability is upper bounded by $6/2^n$ (given in Equation (5) in Section 4.1.2). Using the upper bound,
Secondly, the probability that $\mathrm{bad}_2$ occurs, denoted by $p_2$, is, by the birthday analysis,
Thirdly, the probability that $\mathrm{bad}_3$ occurs under the condition that $\mathrm{bad}_2$ does not occur, denoted by $p_3$, is upper bounded. Fix $i \in [q_v]$. By $\neg\mathrm{bad}_2$, the number of messages of encryption queries whose responses are $\hat{H}_i$ is at most 1. Let $j \in [q_m]$ be such that $H_j = \hat{H}_i$.
Then, the hash collision probability for the inputs $M_j$ and $\hat{M}_i$ is upper bounded by $6/2^n$ (given in Equation (5) in Section 4.1.2). Thus we have
Finally, we have

Upper Bound $\varepsilon$
Let $\tau \in \mathcal{T}_{\mathrm{good}}$. Let $p$ be the probability that a random permutation $P$ and random values $L = (L_1, L_2)$ are compatible with the hash values in $\tau_{h,m}, \tau_{h,v}$.
Regarding the ideal world, for $i \in [q_m]$, $\Pr[R(M_i) = T_i] = 1/2^n$, and thus we have
Next, the real world is considered. Regarding MAC queries, by $\neg\mathrm{bad}_2$, hash values $H_i$ are all distinct, and by $\neg\mathrm{bad}_1$, tags $T_i$ are all distinct. Thus, the probability that the responses are equal to $T_1, \ldots, T_{q_m}$ is $1/(2^n)_{q_m}$.
Regarding verification queries, by $\neg\mathrm{bad}_3$, hash values defined by verification queries are distinct from those by MAC queries. The probability that the $i$-th response is reject is at least
and thus the probability that the responses are all reject is at least
We thus have
and thus we have $\varepsilon = 2q_v/2^n$.

Upper Bound of $\mathrm{Adv}^{\mathrm{ind}}_{\Pi_R, \Pi_I}(A)$
Putting the upper bound of $\Pr[T_I \in \mathcal{T}_{\mathrm{bad}}]$ and $\varepsilon$ into Lemma 3 gives

Upper Bound of $\mathrm{Adv}^{\mathrm{mac}}_{\mathrm{PMAC}[L,P,P']}(q_m, q_v, m_{\max})$
The indistinguishability between $\Pi_R$ and $\Pi_I$ ensures that the upper bound (8) is also an upper bound of the difference $\mathrm{Adv}^{\mathrm{mac}}_{\Pi_R}(q_m, q_v, m_{\max}) - \mathrm{Adv}^{\mathrm{mac}}_{\Pi_I}(q_m, q_v, m_{\max})$. As $\mathrm{Adv}^{\mathrm{mac}}_{\Pi_I}(q_m, q_v, m_{\max}) = 0$, we have

Remarks
The analysis in the above proof covers the three attacks in Section 3.2. The event $\mathrm{bad}_1$ corresponds with (MAC-attack 1), the attack using a hash collision for MAC queries. The events $\mathrm{bad}_2$ and $\mathrm{bad}_3$ correspond with (MAC-attack 3), the attack using a hash collision between MAC and verification queries. In the evaluation of $\varepsilon$ in Section 5.1.3, these events are used to ensure that tags by verification queries are (almost) $n$-bit random values, and thus correspond with (MAC-attack 2), the attack of guessing tags randomly.
The proof can be applied to other hash-then-encrypt-type MACs, where the block cipher key in the hash function is drawn independently of that of the finalization. Our proof offers the upper bound $O(q_m^2/2^n + q_v/2^n)$ for $q_m$ MAC and $q_v$ verification queries as long as the hash collision probability for any two distinct messages is $O(1/2^n)$. Several hash-then-encrypt-type MACs such as EMAC [JN16] and LightMAC [LPTY16] achieve this hash collision probability, and thus have the tight upper bound.
The upper bound $O(q_m^2/2^n + q_v/2^n)$ ensures that the PMAC has beyond-birthday-bound security with respect to verification queries as long as $q_m^2 \le q_v$.

Arbitrary Length Messages
The previous sections consider PMAC whose input lengths are multiples of $n$. Using the one-zero padding $10^*$, arbitrary length messages can be handled: the last message block is defined as $M_m \| 10^{n-1-|M_m|}$. As in PMAC1 [Rog04], using multiplications by 3, 5 over $GF(2^n)^*$, one can avoid the additional block cipher call caused by the one-zero padding: for example, the last input block is defined as
(9)

Random Values $L_1, L_2$ from the Keyed Block Cipher $E_{K'}$
Using the block cipher $E_{K'}$ used at the last block, secret values $L_1, L_2$ can be defined, e.g., $L_1 \leftarrow E_{K'}(0^n)$, $L_2 \leftarrow E_{K'}(1^n)$. In this case, if no input to $E_{K'}$ (hash value) collides with $0^n$ or $1^n$, then (almost) the same security bounds as in Theorems 3, 4 can be obtained.
Regarding PMAC defined in Section 3, an adversary can obtain an output of $E_{K'}$ for any input by a one-block query to PMAC, yielding (PRF and forgery) attacks on the MAC. On the other hand, applying secret masks to the last blocks as in (9), an adversary cannot obtain $L_1$ and $L_2$ by queries to PMAC, unless some last input block is $0^n$ or $1^n$ incidentally. By the randomness of $L_1$ or $L_2$, the probability that some last input block is $0^n$ or $1^n$ is at most $O(q/2^n)$, which appears in the security bounds.

Other Powering-Up Methods
As shown in the proof of Theorem 3 (Section 4), in order to obtain the tight upper bounds for PMAC with two powering-up masks, we need to rule out the existence of collision systems (see the analysis of the type-5 messages of the event $E_2$ in Section 4.2). The proof of Theorem 3 shows that with the masking scheme defined in (4), no collision system exists.
Regarding other masking schemes, consider the scheme of PMAC_Plus [Yas11], $\phi(i) = 2^i \cdot L_1 \oplus 2^{2i} \cdot L_2$, the first MAC with two masks. For integers $i_1, i_2, i_3, i_4$, at least three of which are distinct, and message blocks $M^{\gamma_1}_{i_1}, M^{\gamma_2}_{i_2}, M^{\gamma_3}_{i_3}$ and $M^{\gamma_4}_{i_4}$, the following system is considered,
In order to ensure that no collision system exists, we need to show that, assuming $2^{i_1} \oplus 2^{i_2} = 2^{i_3} \oplus 2^{i_4}$, $2^{i_1} \oplus 2^{i_2} = 2^{i_3} \oplus 2^{i_4}$ or $2^{2i_1} \oplus 2^{2i_2} = 2^{2i_3} \oplus 2^{2i_4}$ is satisfied. However, assuming
Thus, the possibility of existing collision systems cannot be removed by the PMAC_Plus masking scheme. More generally, the possibility cannot be removed by masking schemes $\phi(i) = 2^{ai} \cdot L_1 \oplus 2^{bi} \cdot L_2$ for integers $0 < a < b$ such that $b/a = 2^j$ for some $j \in \mathbb{N}$. Hence, we use the masking scheme defined in (4), which does not have this property.
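As an added illustration of why the power-of-two exponent ratio matters (example code written for this page, not the paper's), the following Python computes, for a scheme $\phi(i) = 2^{ai} L_1 \oplus 2^{bi} L_2$ over $\mathrm{GF}(2^{128})$, the XOR of the $L_1$ coefficients and of the $L_2$ coefficients over a set of block positions, and checks that when $b/a = 2^j$ the second sum is a fixed function of the first, so it can never supply an independent cancellation condition. The field polynomial $x^{128}+x^7+x^2+x+1$ and the index sets are assumptions; the paper's own scheme (4) is not reproduced here.

```python
# Added example (not from the paper): Frobenius linearity in GF(2^128) and
# its effect on PMAC_Plus-style masks phi(i) = 2^i L1 xor 2^(2i) L2.
# Assumption: the field is GF(2)[x]/(x^128 + x^7 + x^2 + x + 1), the
# polynomial commonly used with powering-up masks for 128-bit blocks.
R = (1 << 128) | 0x87  # x^128 + x^7 + x^2 + x + 1 as a bit pattern


def gf_mul(a: int, b: int) -> int:
    """Shift-and-add multiplication in GF(2^128), reducing by R."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> 128:  # degree reached 128: xor in the modulus
            a ^= R
    return r


def gf_pow(a: int, e: int) -> int:
    """Square-and-multiply exponentiation in the field."""
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a = gf_mul(a, a)
        e >>= 1
    return r


def mask_sums(indices, a: int, b: int):
    """For phi(i) = 2^(a i) L1 xor 2^(b i) L2, return (S1, S2): the XORs of
    the L1 and L2 coefficients over the given block positions.  The XOR of
    the masks over these positions is S1*L1 xor S2*L2, so it is independent
    of the secret (L1, L2), as a collision system needs, only if S1 = S2 = 0."""
    s1 = s2 = 0
    for i in indices:
        s1 ^= gf_pow(2, a * i)
        s2 ^= gf_pow(2, b * i)
    return s1, s2


def l2_sum_determined_by_l1_sum(indices, a: int, j: int) -> bool:
    """With b = a * 2^j, x -> x^(2^j) is additive in characteristic 2, hence
    S2 = S1^(2^j): S1 = 0 already forces S2 = 0, so the second mask adds no
    independent cancellation condition (the paper's point for PMAC_Plus)."""
    s1, s2 = mask_sums(indices, a, a << j)
    return s2 == gf_pow(s1, 1 << j)
```

Calling mask_sums with an exponent ratio that is not a power of two (e.g. b = 3a) gives two sums that are not tied by such an identity, since the cube map is not additive.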

Single-Key PMAC with Two Powering-Up Masks
When $K = K'$, in order to obtain the same security bounds as in Theorems 3 and 4, one needs to ensure that no collision occurs between the inputs to $E_K$ and those to $E_{K'}$. However, for the total number of message blocks $\sigma$ and the number of queries $q$, the input collision probability is $O(q\sigma/2^n)$, and thus our results cannot be applied to the single-key version to obtain the tight upper bounds.

Multi-User Security of PMAC with Two Powering-Up Masks
In the previous sections, we discuss the single-user security of PMAC defined in Section 3.
Regarding the multi-user security, our proofs for the single-user security can easily be extended to multi-user proofs. Assume that the number of users is $u$. First, the $2u$ keyed block ciphers are replaced with random permutations. In this replacement, the multi-user PRP-security advantage of the keyed block ciphers is introduced (the advantage is defined in, e.g., [ML15]). Next, consider the security of PMAC with random permutations. Since for each user the random permutations are chosen independently, one can analyze the security of PMAC for each of the $u$ users independently. For the PRF-security, let $q_i$ be the number of queries by the $i$-th user; then from Theorem 3, the upper bound becomes $O(q_1^2/2^n + q_2^2/2^n + \cdots + q_u^2/2^n)$, which is tight. Similarly, for the MAC-security of PMAC, the tight upper bound can be obtained.
and receive the responses $T = O(M)$ and $T^* = O(M^*)$. (b) If $T = T^*$, then return 1.

Figure 2: An internal state collision from a tag collision.

Figure 3: Graphical representation of inputs to $P$.

Figure 4: Inputs from the type-3 messages. Inputs that are not in $Y$ are omitted.

Figure 5: Collision patterns for the type-3 messages. The dotted lines represent input collisions. Inputs that are not in $Y$ are omitted.

Figure 6: Inputs from the type-4 messages. Inputs that are not in $Y$ are omitted.

Figure 7: Collision patterns for the type-4 messages. The dotted lines represent input collisions. Inputs that are not in $Y$ are omitted.