Corrigendum to Fast AES-Based Universal Hash Functions and MACs
DOI:
https://doi.org/10.46586/tosc.v2025.i1.623-628
Keywords:
Universal hash function, MAC, AES, authentication, LeMac
Abstract
In ToSC 2024(2), Bariant et al. proposed a new framework for designing efficient AES-based Universal Hash Functions (UHFs) and Message Authentication Codes (MACs). They proposed two MAC instances aiming for 128-bit security, PetitMac and LeMac, based on two different UHF candidates. The security of the UHF candidates was evaluated with Mixed Integer Linear Programming (MILP) modeling, to find the minimum number of active S-boxes in differential trails from a non-zero message difference to a zero state difference. The designers claimed at least 26 active S-boxes for the UHF of LeMac.
In this corrigendum, we point out that there was a mistake when writing the LeMac specification from the MILP model. The UHF candidate of LeMac presented in the paper does not correspond to the construction analysed with the MILP solver. In particular, the erroneous candidate only guarantees 25 active S-boxes rather than 26. Therefore, we propose to rename the candidate from the original paper to LeMac-0, and propose a fixed version of LeMac, with the correct underlying UHF candidate. The change of specification of LeMac is motivated by the fact that the new specification possesses better security guarantees than LeMac-0 for similar performance.
License
Copyright (c) 2025 Augustin Bariant, Jules Baudrin, Gaëtan Leurent, Clara Pernot, Léo Perrin, Thomas Peyrin

This work is licensed under a Creative Commons Attribution 4.0 International License.