Tight security analysis of the public permutation-based $\textsf{PMAC\_Plus}$

Advances in Mathematics of Communications(2023)

Abstract
In CRYPTO 2011, Yasuda proposed a variable-input-length PRF based on an $n$-bit block cipher, called $\textsf{PMAC\_Plus}$. $\textsf{PMAC\_Plus}$ is a rate-$1$ construction and inherits the well-known $\textsf{PMAC}$ parallel network at low additional cost. However, unlike $\textsf{PMAC}$, $\textsf{PMAC\_Plus}$ is secure roughly up to $2^{2n/3}$ queries. Later, Leurent et al. in CRYPTO 2018 and then Lee et al. in EUROCRYPT 2020 established a tight security bound of $2^{3n/4}$ queries for $\textsf{PMAC\_Plus}$. In this paper, we propose a public permutation-based variable-input-length PRF called $\textsf{pPMAC\_Plus}$. We show that $\textsf{pPMAC\_Plus}$ is secure against all adversaries that make at most $2^{2n/3}$ queries, and we also show that this bound is essentially tight. Note that instantiating each block cipher of $\textsf{PMAC\_Plus}$ with the two-round iterated Even-Mansour cipher can already yield a beyond-birthday-secure PRF based on public permutations. That approach, however, incurs $(2\ell + 4)$ permutation calls, whereas our proposal requires only $(\ell + 2)$ permutation calls, $\ell$ being the maximum number of message blocks.
Keywords
tight security analysis, public, permutation-based