Tight Security Bounds for Double-Block Hash-then-Sum MACs

ADVANCES IN CRYPTOLOGY - EUROCRYPT 2020, PT I (2020)

Abstract
In this work, we study the security of deterministic MAC constructions with a double-block internal state, captured by the double-block hash-then-sum (DbHtS) paradigm. Most DbHtS constructions, including PolyMAC, SUM-ECBC, PMAC-Plus, 3kf9 and LightMAC-Plus, have been proved to be pseudorandom up to $2^{2n/3}$ queries when they are instantiated with an $n$-bit block cipher, while the best known generic attacks require $2^{3n/4}$ queries. We close this gap by proving the PRF-security of DbHtS constructions up to $2^{3n/4}$ queries (ignoring the maximum message length). The core of the security proof is to refine Mirror theory that systematically estimates the number of solutions to a system of equations and non-equations, and apply it to prove the security of the finalization function. Then we identify security requirements of the internal hash functions to ensure $3n/4$-bit security of the resulting constructions when combined with the finalization function. Within this framework, we prove the security of DbHtS whose internal hash function is given as the concatenation of a universal hash function using two independent keys. This class of constructions includes PolyMAC and SUM-ECBC. Moreover, we prove the security of PMAC-Plus, 3kf9 and LightMAC-Plus up to $2^{3n/4}$ queries.
Keywords
Message authentication codes, Beyond-birthday-bound security, Pseudorandom functions, Mirror theory