Highly Secure Nonce-based MACs from the Sum of Tweakable Block Ciphers

Tweakable block ciphers (TBCs) have proven highly useful to boost the security guarantees of authentication schemes. In 2017, Cogliati et al. proposed two MACs combining TBCs and universal hash functions: a nonce-based MAC called NaT and a deterministic MAC called HaT. While both constructions provide high security, their properties are complementary: NaT is almost fully secure when nonces are respected (i.e., n-bit security, where n is the block size of the TBC, and no security degradation in terms of the number of MAC queries when nonces are unique), while its security degrades gracefully to the birthday bound (n/2 bits) when nonces are misused. HaT has n-bit security and can be used naturally as a nonce-based MAC when a message contains a nonce. However, it does not have full security even if nonces are unique. This work proposes two highly secure and efficient MACs to fill the gap: NaT2 and eHaT. Both provide (almost) full security if nonces are unique and more than n/2-bit security when nonces can repeat. Based on NaT and HaT, we aim at achieving these properties in a modular approach. Our first proposal, Nonce-as-Tweak2 (NaT2), is the sum of two NaT instances. Our second proposal, enhanced Hash-as-Tweak (eHaT), extends HaT by adding the output of an additional nonce-dependent call to the TBC and prepending the nonce to the message. Despite the conceptual simplicity, the security proofs are involved. For NaT2 in particular, we rely on the recent proof framework for Double-block Hash-then-Sum by Kim et al. from Eurocrypt 2020.


Introduction
Message Authentication Codes (MACs) belong to the core algorithms in symmetric-key cryptography as they protect the authenticity and integrity of the communication between two parties that share a secret key. For this purpose, they provide keyed algorithms for the generation and verification of an authentication tag that is sent alongside the message. A variety of MACs exists in practice, many of which are based on block ciphers, such as the NIST standard CMAC [Dwo05,Dwo16], the ISO/IEC 9797-1 constructions [ISO11], or the 3GPP standards [3GP99]. Nevertheless, the manifold applications and security desiderata keep research in this area of high interest and progress.
Beyond-birthday-bound Security. The community has proposed a portfolio of MACs with higher security guarantees, namely beyond-birthday-bound (BBB) security. The first such approach was probably suggested by [ISO99], which contained six CBC-like MACs. For higher security, it recommends XORing two single-pass MACs under independent keys; the analysis, though, was given in [SW19]. Already at the beginning of the previous decade, Yasuda proposed and analyzed SUM-ECBC [Yas10]. Many works followed this direction, including but not limited to 3kf9 [ZWSW12], PMAC+ [Yas11], LightMAC_Plus [Nai17], or 1k_PMAC+ [DDN+17]. Many of those double-block constructions were shown to be secure for up to at least O(2^{2n/3}) authentication queries. Datta et al. [DDNP18] coined the term Double-Block Hash-then-Sum (DbHtS) for this approach in general. Leurent et al. [LNS18] proposed generic attacks on DbHtS constructions with a query complexity of O(2^{3n/4}). Very recently, Kim et al. [KLL20] showed that the bound of O(2^{3n/4}) queries for DbHtS MACs is tight.
Tweakable block ciphers (TBCs) [LRW02]. Tweakable block ciphers (TBCs) enrich the domains of classical block ciphers by an additional public input called the tweak. Thus, they can effectively increase the security and/or simplify the design of modes based on block ciphers by providing an input that cleanly separates several domains. While TBCs have originally been built from block ciphers [LRW02,Rog04], the increasing number of existing dedicated TBCs, such as Deoxys-BC [JNP14a] or Skinny [BJK+16], allow efficient instantiations. Nowadays, these are attractive primitives for the construction of highly secure modes. For example, deterministic (i.e., nonce-free) n-bit secure MACs based solely on n-bit block TBCs have been studied in the literature [Nai15,IMPS17,LN17,Nai18]. In a different approach, Cogliati et al. [CLS17] presented compact designs for n-bit secure nonce-based/deterministic MACs that exploit n-bit block TBCs combined with a universal hash function. They used a (first) hash of the message with either a nonce or a second hash under an independent key as state and tweak inputs to a TBC. Accordingly, their nonce-based and deterministic constructions were called Nonce-as-Tweak (NaT) and Hash-as-Tweak (HaT), respectively. In the nonce-respecting (NR) setting, the security bound of NaT depends only on v, the maximal number of verification queries, and δ, the bound of the universal hash function for almost uniformity. Thus, there is no contribution from MAC (tagging) queries in this setting. Note that this is the optimal security for a MAC scheme with n-bit tags. However, its security degrades gracefully to the birthday bound of n/2 bits when nonces repeat among MAC queries, i.e., under nonce-misusing (NM) adversaries.
HaT can be trivially converted into a nonce-based MAC by prepending a nonce to the message (i.e., by using N ∥ M instead of M). In this case, its security in the NM setting is unchanged. On the downside, its security in the NR setting degrades with the number of MAC queries. Thus, it cannot achieve full security per se. Therefore, when both are used as nonce-based MACs, the security properties of NaT and HaT are complementary. Our goal is to achieve the best of both worlds by simple changes to the base constructions. We believe that this helps to understand strong MAC constructions in general.
Our Contributions. We answer the aforementioned question with two novel constructions. Nonce-as-Tweak2 (NaT2) is a sum of two instances of NaT. As a result, it is (almost) fully secure under nonce-respecting adversaries if the underlying TBCs are ideal, a property shared with NaT. However, in the nonce-misuse setting, its security degrades gracefully to 2n/3 bits instead of n/2 bits as for NaT. If the number of verification queries is limited to 2^{n/2}, NaT2 can effectively ensure 3n/4-bit security, which is useful in some applications, e.g., those that terminate communication when a number of verification failures are detected. Our second construction, enhanced Hash-as-Tweak (eHaT), extends HaT by adding the result of a nonce-dependent call of the TBC to the output of HaT, in addition to prepending the nonce to the message. This simple and generic approach also leads to (almost) full NR security while maintaining n-bit NM security with graceful degradation. In general, eHaT offers stronger security than NaT2. However, this comes at some cost, such as an increased input length to the universal hash functions, a non-static tweak input to the TBCs, and a certain limitation on the maximal allowable number of MAC queries (see Section 6). On the other hand, the second TBC call of eHaT can be substituted by a call to a PRF if available. Both constructions are illustrated in Figure 1. The security bounds in Table 1 reflect the explanations above. The only security terms in the nonce-respecting setting for NaT2 and eHaT depend on the number of verification queries and the properties of the hash function. The bound of NaT2 in the nonce-repeating setting is considerably stronger than that of NaT. The costs for the additional hash function, TBC call, and the additional key for NaT2 are shown in the efficiency part.
Similarly, the bound for eHaT is stronger in both settings, at the cost of an additional TBC call, two more multiplications in the hash function for the prepended nonce, and a second TBC key. We assume that the underlying universal hash function is a polynomial hash function that is O( /2^n)-almost-universal for an n-bit output (or /2^t-almost-universal for a t-bit output) for at most input blocks. Such a polynomial hash is well known to need (m − 1) field multiplications over GF(2^n) for m-block inputs. We note that /2^n can be reduced by using a different universal hash function: an inner-product hash function achieves optimal 1/2^n-almost-universality. As a disadvantage, the key length has to match that of the message. A better trade-off between collision probability and key size is possible, e.g., using the proposal by Sarkar [Sar11], who suggested multi-stage hash functions in the spirit of VHASH [Kro06]. For example, a two-stage hash construction with two polynomial hashes, a standard block length of n = 128 bits, and a maximal message length of 2^{32} words would be 2^{−96}-almost-universal with only two 128-bit keys.
Computations vs. Security. Our constructions have a certain computational overhead, i.e., a second hash-function evaluation for NaT2 compared to NaT and the additional processing of the nonce in the hash function for eHaT compared to HaT, respectively. Plus, our constructions each need one additional (parallelizable) call to the TBC. Although the computational costs are increased, we believe that our constructions are close to the minimum for achieving our security goals. If a nonce is available, full nonce-respecting security can be obtained by using the nonce as the tweak of one TBC call. For security under repeating nonces with variable-length messages, a single n-bit hash can collide at the birthday bound. If the output size of the polynomial hash is fixed to n bits, one needs a second hash call to produce more than n bits of hash material. Similarly, if the tweak space is limited to n bits, two TBC calls are needed to process a 2n-bit hash and an n-bit nonce. Thus, we consider our constructions minimal.
Use of Extended Mirror Theory. We note that our proof of NaT2 develops a variant of the Extended Mirror Theory [DDNY18] further, which itself advanced Patarin's famous Mirror Theory [Pat10,Pat17] by adding inequalities, which are necessary to address failed verification queries in the mac setting. Our approach can prove for the first time a security level of 3n/4 bits for a system of equalities and inequalities, whereas earlier works [DDNY18,DNT19] showed at most 2n/3-bit security.
Generalized Tweak Lengths. NaT2 and eHaT provide security advantages over NaT and HaT, respectively, not only when t = n but in a more general setting. For smaller tweaks, t < n, the bounds are comparable. They are better, though, if the tweak length can exceed the block length, t > n, as is possible in practice, e.g., with Deoxys-BC-128-384 [JNP14b] or Skinny-64-192 [BJK+16] (although the TWEAKEY framework unifies key and tweak [JNP14b]). For a concrete example, assume t = 2n; in this case, NaT2 is secure for up to q ∈ O(2^{2n}) queries in the nonce-respecting setting and µ ∈ O(2^{3n/4}) queries under nonce repetitions, assuming for simplicity that the adversary does not ask too many verification queries (v 2^n) and that the hash functions are universal for all constructions. The security of NaT is capped at q ∈ O(2^n) and µ ∈ O(2^{n/2}). Similarly, the security of eHaT under nonce-respecting adversaries depends only on v, and scales up to µ ∈ O(2^{(n+t)/2}) nonce-misusing queries. The security of HaT is limited by O(2^{(n+t)/2}) queries in both settings, and thus cannot benefit from nonces. As shown in Figure 2d, NaT2 and eHaT offer higher security than deterministic MACs (e.g., ZMAC) when µ is small and v q, which we think is a reasonable assumption. Compared to the nonce-based NaT, NaT2 is more secure when 0 < µ q^{3/4}. eHaT is more secure for a broader range of µ. Moreover, NaT2 and eHaT are the only constructions that remain secure for q > 2^n queries when the tweak space is large enough.
Security Comparison. For better illustration, we compare the security of the constructions in four scenarios in Figure 2, for n = t = 64: (a) with many nonce repetitions, µ = q = v; (b) some repetitions, with µ = q^{3/4} and v = √q; (c) µ = √q and v = q; and (d) nonce-respecting adversaries with µ = 0 and v = √q. We note that (d) mostly keeps its shape even when µ is a small positive constant. For comparability, we assume a practical universal hash function with = /2^n for = 2^{10} blocks as a practical standard size. We also include EPWC and ZMAC for comparison, whose TBC-based hash functions are close to optimally almost universal. The dashed red and blue curves represent NaT and HaT, the solid ones NaT2 and eHaT, respectively. Note that we consider only constructions based on tweakable block ciphers. For example, while the DbHtS constructions [LNS18] are comparable in structure, they are built from classical block ciphers. Since those are weaker primitives, a comparison with them would be unfair in our favor.
Outline. After Section 2 briefly recalls the necessary notations and definitions, Section 3 describes our proposed constructions NaT2 and eHaT. In Section 4, we provide what we call the extended mirror theory, which plays a key role in our analysis of NaT2, and several proofs of the lemmas. We start our analysis in Section 5 with NaT2, followed by that of eHaT in Section 6. Section 7 concludes this work.

Preliminaries
Notation. We fix a positive integer n such that n ≥ 3. We denote 0^n (i.e., the n-bit string of all zeros) by 0. For positive integers p ≤ q, we write [q] = {1, ..., q} and [p..q] = {p, p+1, ..., q}. Given a finite non-empty set X, x ←$ X denotes that x is chosen uniformly at random from X. The set of all sequences that consist of b pairwise distinct elements of X is denoted X^{*b}. For integers 1 ≤ b ≤ a, we write (a)_b = a(a − 1)···(a − b + 1) and (a)_0 = 1 by convention. If |X| = a, then (a)_b is the size of X^{*b}. When two sets X and Y are disjoint, their (disjoint) union is denoted X ⊔ Y. For a set X ⊂ {0,1}^n and λ ∈ {0,1}^n, we write X ⊕ λ = {x ⊕ λ : x ∈ X}. For a graph G = (V, E), we interchangeably write |V| and |G| for the number of vertices of G.
Universal Hash Functions. Let δ > 0, and let H : K × M → X be a keyed function for three non-empty sets K, M, and X. H is said to be δ-almost universal (AU) if for any distinct M, M′ ∈ M, it holds that
For a positive integer q, fix M_1, ..., M_q ∈ M. For a random key K ∈ K, let X_i = H_K(M_i) for i = 1, ..., q. Then we can define an equivalence relation ∼ on [q]: for α, β ∈ [q], α ∼ β if and only if X_α = X_β. For some nonnegative integer r, let P_1, ..., P_r denote the equivalence classes of [q] with respect to ∼ such that p_i := |P_i| ≥ 2 for i = 1, ..., r. Jha and Nandi [JN20] proved the following lemma, which is also useful in our security proof.
Lemma 1. Let p_i, i = 1, ..., r, be the random variables as defined above. Then we have
where the expectation is taken over the uniform distribution of K ∈ K.
Proof. Let c denote the random variable that counts the number of "X-colliding" pairs. More precisely, c := |{(i, j) ∈ [q]^2 : i < j and X_i = X_j}|. Then it is easy to show that
Furthermore, we have E[c] ≤ q^2 δ, which completes the proof.
Thus, Lemma 1 says that the number of collisions is limited by 2q^2 δ in expectation. Moreover, the corollary below yields an upper bound on the number of occurrences of any single hash value. The proof in [JN20] stems from Markov's inequality.
In our security proof, we also need to upper bound the probability of three hash collisions with two independent hash keys. With a smaller number of hash keys, the three collisions are not independent of each other anymore. To address this situation, one should carefully upper bound the number of colliding pairs made by a single key, and then use the randomness of the second hash key; Jha and Nandi [JN20] proved the following lemma.
Lemma 2 (Alternating Collisions Lemma in [JN20]). Let q be a positive integer, let δ > 0, and let H : K × M → X be a δ-almost universal hash function. Then, for any (M_1, ..., M_q) ∈ M^{*q}, we have
Tweakable Block Ciphers. A tweakable permutation with tweak space N and message space X is a mapping π : N × X → X such that, for any tweak N ∈ N, X ↦ π(N, X) is a permutation of X. A tweakable block cipher [LRW02] E with key space K, tweak space N and message space X is a mapping E : K × N × X → X such that for any key K ∈ K, (N, X) ↦ E(K, N, X) is a tweakable permutation with tweak space N and message space X. Note that the tweak is public and can be chosen freely for every query by the adversary as long as the scheme does not restrict its usage otherwise. We sometimes write E_K(N, X) to denote E(K, N, X). We also write TPerm(N, X) for the set of all tweakable permutations with tweak space N and message space X. To analyze the security of a tweakable block cipher E : K × N × {0,1}^n → {0,1}^n, we consider a distinguisher A whose goal is to tell apart the real world and the ideal world: in the real world, A is given oracle access to E_K, where a secret key K ∈ K is chosen uniformly at random; in the ideal world, A is given a random tweakable permutation π ∈ TPerm(N, {0,1}^n) instead of E_K. In either world, the adversary is allowed to adaptively make forward and backward queries to the oracle. Formally, A's tprp (tweakable pseudorandom permutation) advantage is defined by
We define Adv^tprp_E(q, t) as the maximum of Adv^tprp_E(A) over all distinguishers A against E making at most q encryption oracle queries and running in time at most t. When we consider information-theoretic security, we drop the parameter t.

Nonce-based MACs. Given four non-empty sets K, N, M, and T, a nonce-based keyed function with key space K, nonce space N, message space M and tag space T is simply a function F : K × N × M → T. Stated otherwise, it is a keyed function whose domain is a cartesian product N × M. We write F_K(N, M) for F(K, N, M). For K ∈ K, let Auth_K be the mac oracle which takes as input a pair (N, M) ∈ N × M and returns F_K(N, M), and let Ver_K be the verification oracle which takes as input a triple (N, M, T) ∈ N × M × T and returns 1 ("accept") if F_K(N, M) = T, and 0 ("reject") otherwise. We assume that an adversary makes queries to the two oracles Auth_K and Ver_K for a secret key K ∈ K. A MAC query (N, M) made by an adversary is called a faulty query if the adversary has already queried the mac oracle with the same nonce but with a different message (cf. [DNT19]). For example, if the i-th query is denoted by (N_i, M_i) and, among four distinct queries, the third and the fourth reuse a previous nonce with a different message, then the third and the fourth queries are faulty and the number of faulty queries is two. We would like to emphasize that we use the term faulty queries to provide consistency for readers familiar with [DNT19], where it characterized faulty implementations or environments that led to repeating nonces. It does not refer to faults from processing errors or side-channel attacks. A (µ, q, v, t)-adversary against the nonce-based mac security of F is an adversary A with oracle access to Auth_K and Ver_K, making at most q MAC queries to its first oracle with at most µ faulty queries and at most v verification queries to its second oracle, and running in time at most t. We say that A forges if any of its queries to Ver_K returns 1. The advantage of A against the nonce-based mac security of F is defined as the probability that A forges, where the probability is also taken over the random coins of A, if any. The adversary is not allowed to ask a verification query (N, M, T) if a previous MAC query (N, M) to Auth_K returned T.
However, it is still possible that a verification query (N, M, T) is made first, possibly rejected, and a MAC query (N, M) is made subsequently. When µ = 0, we say that A is nonce-respecting, i.e., all nonces in the MAC queries are unique. Otherwise, A is called nonce-misusing. In either case, the adversary is allowed to repeat nonces in its verification queries and to reuse a nonce from a previous MAC query. We define Adv^mac_F(µ, q, v, t) as the maximum of Adv^mac_F(A) over all (µ, q, v, t)-adversaries. When we consider information-theoretic security, we drop the parameter t. This work shows the mac security of NaT2 and eHaT via the advantage of an adversary trying to distinguish the real world (Auth_K, Ver_K) from the ideal world. The ideal-world oracles are (Rand, Rej), where Rand returns an independent random value (instantiating a truly random function) and Rej returns 0 for every verification query. Then the mac advantage is upper bounded by this distinguishing advantage, where, as for mac security, an adversary makes at most q MAC queries to its first oracle with at most µ faulty queries and at most v verification queries to its second oracle, runs in time at most t, and returns a decision bit. The details of obtaining the bound are given in Section 2.3 of [CLS17].
Expectation Method. Consider a construction F based on a universal hash function H and a tweakable block cipher E using keys (K_h, K). Suppose a distinguisher A adaptively makes q MAC queries and v verification queries to either (Auth_{K_h,K}, Ver_{K_h,K}) for a random secret key (K_h, K) ∈ K_h × K (in the real world) or (Rand, Rej) (in the ideal world), where Rand returns an independent random value (instantiating a truly random function) and Rej returns 0 for every verification query. Moreover, A records all the queries. As a common means to alleviate the proof, we provide the distinguisher A with additional information τ_a (e.g., the hash key K_h) for free after A has finished its interaction with the oracles, but before it releases its output decision bit. Thus, A can compute all inputs to the internal primitives itself. In the ideal world, that information is selected uniformly at random from the appropriate domain and given to A. This does not degrade the adversarial distinguishing advantage since the distinguisher is free to ignore this additional information. We call τ the transcript of the attack; it contains all information that A has obtained at the end of the attack. When we consider an information-theoretic distinguisher, we can assume that the distinguisher is deterministic and makes no redundant query. A transcript τ is called attainable if the probability to obtain this transcript in the ideal world is non-zero. Note that any key K_h ∈ K_h and any sequence of tags (T_1, ..., T_q) ∈ ({0,1}^n)^q uniquely determine an attainable transcript containing them, and each attainable transcript appears in the ideal world with the same probability, namely 1/(2^n)^q. We denote by Γ the set of attainable transcripts. We also denote by T_re (resp. T_id) the probability distribution of the transcript τ induced by the real world (resp. the ideal world).
By extension, we use the same notation to denote a random variable distributed according to each distribution. In this setting, it is obvious that A's distinguishing advantage upper bounds A's forging probability. To upper bound the distinguishing advantage, we use Patarin's H-coefficient technique: we partition the set of attainable transcripts Γ into a set Γ_good of "good" transcripts, such that the probabilities to obtain some transcript τ ∈ Γ_good are close in the real world and the ideal world, and a set Γ_bad of "bad" transcripts, such that the probability to obtain any τ ∈ Γ_bad is small in the ideal world. The lower bound on the probability ratio for obtaining a good transcript in both worlds is given as a function of τ, and we take its expectation. This refinement is called the expectation method, first introduced in [HT16] and summarized in the following lemma.
Lemma 3. Fix a distinguisher A. Let Γ = Γ_good ⊔ Γ_bad be a partition of the set of attainable transcripts, and suppose there exists a non-negative function ε_1(τ) s.t. for any τ ∈ Γ_good, and there exists ε_2 such that Pr[T_id ∈ Γ_bad] ≤ ε_2. Then, one has
where the expectation is taken over the distribution T_id in the ideal world.
Proof. Since the distinguisher's output is a (deterministic) function of the transcript, its distinguishing advantage is upper bounded by the statistical distance between T_id and T_re. Thus we have
Moreover we have:
The H-coefficient technique [CS14] corresponds to a special case of the expectation method that requires ε_1(τ) to be independent of (good) τ. Then it reduces to a constant ε_1, and the distinguishing advantage is at most ε_1 + ε_2.

The NaT2 and eHaT Constructions
This section describes our proposals and discusses their efficiency.

Descriptions
NaT2. Let H : K_h × M → {0,1}^n be a keyed function and let E : K × T × {0,1}^n → {0,1}^n be a TBC, where M = {0,1}^* denotes the message space and T = {0,1}^t denotes the tweak space. NaT2 is built from them, using T as the nonce space. Specifically, for an input tuple (N, M) ∈ T × M, the n-bit tag T is computed as the sum of two independent instances of NaT, each of which hashes M under its own hash key and feeds the hash value to its own TBC instance with N as the tweak. An illustration is given in Figure 1c. The security bounds of NaT2 will be given in Section 5.
eHaT. For eHaT, we extend HaT. Let H′ : K_h × M → T be a keyed function. The values U and V are hash values from instances of H and H′, respectively. In this case, the keyed hash functions take the concatenation N ∥ M instead of M as in HaT. The two hash values U and V are given to a TBC to produce X, which corresponds to the output of HaT taking N ∥ M as the message (recall that HaT is a deterministic MAC). Moreover, there is an additional TBC call to process the nonce (as a tweak; the block input is set to a constant) to produce the output Y. The sum of X and Y is used as the tag. An illustration is given in Figure 1d. The security bounds will be given in Section 6.
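The two tag computations described above, NaT2 (sum of two NaT instances with the nonce as tweak) and eHaT (HaT over N ∥ M plus a nonce-only TBC call with a constant block input), assembled end to end as an added example; this is not the paper's code. It assumes t = n = 128, instantiates the universal hash as a polynomial hash over GF(2^128) (the GHASH reduction polynomial) and, since no real TBC is on the page, stands in for E with a toy tweakable permutation built as a 6-round Feistel network with a SHA-256 round function, which is a permutation for every (key, tweak) but is not a cipher anyone should deploy. The key-derivation helper, the faulty-query counter from the nonce-based MAC definitions in Section 2, and all sample values are constructed for this example.

```python
# Added example (not from the paper): NaT2 and eHaT built from a polynomial
# universal hash over GF(2^128) and a toy tweakable permutation.  Assumes t = n = 128.
import hashlib
import hmac

N_BITS = 128
BLOCK = N_BITS // 8
POLY = (1 << 128) | 0x87   # x^128 + x^7 + x^2 + x + 1, the GHASH field polynomial


def gf_mul(a: int, b: int) -> int:
    """Carry-less multiplication of two 128-bit field elements modulo POLY."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> N_BITS:
            a ^= POLY
    return r


def poly_hash(kh: int, msg: bytes) -> int:
    """Polynomial hash H_kh(M) over GF(2^128) by Horner's rule.  The message is
    zero-padded to full blocks and a final block carries the bit length, so two
    messages of at most m blocks collide only if kh is a root of a non-zero
    polynomial of degree <= m + 1: the hash is (m+1)/2^128-almost universal."""
    padded = msg + b"\x00" * (-len(msg) % BLOCK)
    blocks = [int.from_bytes(padded[i:i + BLOCK], "big") for i in range(0, len(padded), BLOCK)]
    blocks.append(len(msg) * 8)
    acc = 0
    for blk in blocks:
        acc = gf_mul(acc ^ blk, kh)
    return acc


def toy_tbc(key: bytes, tweak: bytes, x: int) -> int:
    """Stand-in for E_K(T, X) with 128-bit blocks and 128-bit tweaks: a 6-round
    Feistel network whose round function is SHA-256 over (key, tweak, round, right
    half).  A Feistel network is a permutation for each fixed (key, tweak), so the
    interface is that of a TBC; it is a constructed toy, not Deoxys-BC or Skinny."""
    assert len(tweak) == BLOCK
    left, right = x >> 64, x & ((1 << 64) - 1)
    for rnd in range(6):
        data = key + tweak + bytes([rnd]) + right.to_bytes(8, "big")
        f = int.from_bytes(hashlib.sha256(data).digest()[:8], "big")
        left, right = right, left ^ f
    return (left << 64) | right


def keygen(seed: bytes) -> tuple:
    """Derive two hash keys and two TBC keys from a seed (constructed helper)."""
    kh1 = int.from_bytes(hashlib.sha256(b"hash1" + seed).digest()[:BLOCK], "big")
    kh2 = int.from_bytes(hashlib.sha256(b"hash2" + seed).digest()[:BLOCK], "big")
    k1 = hashlib.sha256(b"tbc1" + seed).digest()[:BLOCK]
    k2 = hashlib.sha256(b"tbc2" + seed).digest()[:BLOCK]
    return kh1, kh2, k1, k2


def nat2_tag(keys, nonce: bytes, msg: bytes) -> bytes:
    """NaT2: E_K1(N, H_Kh1(M)) xor E_K2(N, H_Kh2(M)), the sum of two NaT instances."""
    kh1, kh2, k1, k2 = keys
    u, v = poly_hash(kh1, msg), poly_hash(kh2, msg)
    return (toy_tbc(k1, nonce, u) ^ toy_tbc(k2, nonce, v)).to_bytes(BLOCK, "big")


def ehat_tag(keys, nonce: bytes, msg: bytes) -> bytes:
    """eHaT: X = E_K1(V, U) with U, V hashes of N || M (HaT on the prepended nonce),
    Y = E_K2(N, 0) from the nonce-only call with a constant block; tag = X xor Y."""
    kh1, kh2, k1, k2 = keys
    nm = nonce + msg
    u, v = poly_hash(kh1, nm), poly_hash(kh2, nm)
    x = toy_tbc(k1, v.to_bytes(BLOCK, "big"), u)   # V is the tweak (t = n here)
    y = toy_tbc(k2, nonce, 0)
    return (x ^ y).to_bytes(BLOCK, "big")


def verify(tag_fn, keys, nonce: bytes, msg: bytes, tag: bytes) -> bool:
    """Ver_K oracle: recompute the tag and compare in constant time."""
    return hmac.compare_digest(tag_fn(keys, nonce, msg), tag)


def count_faulty(queries) -> int:
    """Faulty MAC queries in a sequence of (N, M) pairs: a query is faulty if an
    earlier query used the same nonce with a different message."""
    seen, faulty = {}, 0
    for nonce, msg in queries:
        if nonce in seen and any(m != msg for m in seen[nonce]):
            faulty += 1
        seen.setdefault(nonce, set()).add(msg)
    return faulty


if __name__ == "__main__":
    keys = keygen(b"constructed example seed")
    nonce = (1).to_bytes(BLOCK, "big")          # 128-bit counter nonce
    msg = b"constructed sample message"
    for name, fn in (("NaT2", nat2_tag), ("eHaT", ehat_tag)):
        tag = fn(keys, nonce, msg)
        print(name, tag.hex(), verify(fn, keys, nonce, msg, tag),
              verify(fn, keys, nonce, msg + b"!", tag))
```

With t = n both hash values are produced by the same polynomial hash under two independent keys, which is the simplification noted for eHaT in the comparison below; the nonce-dependent call in eHaT has a constant block input, so its tweak schedule could be shared with the nonce-as-tweak calls of NaT2 in a real TBC.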

Brief Comparison
Both constructions use two keyed hash functions and two TBC calls. In this sense, their respective efficiency is close in general. Still, there are some differences: the keyed hash functions under NaT2 take the message, while those under eHaT take the concatenation of the nonce and the message. Therefore, eHaT is more costly, and this can be non-negligible when messages are short. For t = n, the hash functions H and H′ for eHaT can be reduced to a single one under two independent keys. For t ≠ n, both can still use the same core operation, e.g., a polynomial hash, operating in different fields.
When a polynomial hash function over GF(2^n) is used, this implies that the number of multiplications is increased by two (see Table 1). We note that omitting N in the hash computations of eHaT (but keeping the nonce encryption by the second TBC) results in a nonce-based MAC without NM security. This corresponds to the classical hash-then-mask MAC, with the whole HaT serving as the keyed hash function.
Another difference between NaT2 and eHaT is their tweak usage: NaT2 uses the nonce as the tweak for both TBC calls, while eHaT uses the nonce for one TBC call and a hash output for the other. We observe that dedicated TBCs often employ a tweak schedule together with the key schedule (dubbed tweakey schedule in Skinny, for example) to derive the round keys. If the tweak is a nonce, most typically a counter, the tweak schedule can be pre-computed or incrementally computed to save total computation. This implies that NaT2 is advantageous over eHaT in terms of tweak processing. The difference in security is more involved. Despite the conceptual simplicity, the security analyses of both constructions are surprisingly complex, in particular for NaT2. NaT2 can be seen as a nonce-based variant of a DbHtS MAC, and we adopt the security-proof framework for DbHtS recently introduced by Kim et al. [KLL20].

Extended Mirror Theory
The goal of this section is to lower bound the number of solutions to a certain type of system of equalities and inequalities. This is the foundation on which we prove the security of NaT2 in Section 5. For simplicity, we denote Z = 2^n throughout this section.
Transcript Graph. We represent a system of equalities and inequalities by a bipartite graph. The vertices of the graph are divided into two parts, P and Q: two disjoint and independent vertex sets such that every edge connects a vertex in P to one in Q. For both P and Q, the vertices correspond to distinct n-bit unknowns. We assume that the number of vertices is at most Z/2 and, by abuse of notation, identify the vertices with the values assigned to them. We distinguish two types of edges, namely =-labeled edges and ≠-labeled edges, which correspond to equalities and inequalities, respectively. Each edge is additionally labeled by an element of {0,1}^n. So, if two vertices P and Q are adjacent by an edge with label (λ, =) (respectively (λ, ≠)) for some λ ∈ {0,1}^n, this means that P ⊕ Q = λ (respectively P ⊕ Q ≠ λ).
Nice Graphs. In this work, we focus on a graph G = (V, E^= ⊔ E^≠) with certain properties, as listed below.
3. If P and Q are connected by a (λ, ≠)-labeled edge, then they are not connected by a λ-labeled trail in G^=.
Any graph G satisfying the above properties will be called a nice graph. Given a nice graph G = (V, E^= ⊔ E^≠), an assignment of distinct values to the vertices in P and Q satisfying all the equalities in E^= and all the inequalities in E^≠ is called a solution to G. We remark that if we assign any value to a vertex P, then the =-labeled edges determine the values of all the other vertices in the component containing P in G^=; the assignment is unique since G^= contains no cycle, and the values in the same component are all distinct since λ(L) ≠ 0 for any trail L. Furthermore, any inequality between two vertices in the same component is redundant due to the third property above. The number of possible assignments of distinct values to the vertices in V is (Z)_{|V|}. One might expect that, when such an assignment is chosen uniformly at random, it satisfies all the equalities and inequalities in G with probability close to 1/Z^q, where q denotes the number of =-labeled edges (i.e., equalities) in G^=. Indeed, we can prove that the number of solutions to G is close to this expected number up to a certain error (which can be negligible depending on the parameters).
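A small, concrete instance of the transcript-graph machinery, added here as an example (it is not the paper's code): a checker for the three conditions the text relies on for a nice graph (G^= contains no cycle, no trail in G^= has label 0, and no (λ, ≠)-edge joins two vertices that a λ-labeled trail in G^= already connects), followed by a brute-force count of the solutions h*(G) for n = 3, i.e. Z = 8, next to the heuristic (Z)_{|V|}/Z^q from the paragraph above. It follows the text's counting convention that a solution assigns pairwise distinct values to all vertices of V; the sample graph, with one component containing a trail of length two, one of size two and no isolated vertex, is constructed.

```python
# Added example (not from the paper): niceness check and brute-force solution
# count for a bipartite system of XOR equalities (=) and inequalities (!=).
from collections import defaultdict
from itertools import permutations


def check_nice(P, Q, eq_edges, neq_edges):
    """Return (violations, comp, label).  Edges are (p, q, lam) triples meaning
    p xor q = lam (eq_edges) or p xor q != lam (neq_edges).  comp maps a vertex
    to the root of its component in G^=, label to the xor of edge labels along
    the trail from that root; an empty violation list means the graph is nice."""
    violations = []
    for p, q, _ in list(eq_edges) + list(neq_edges):
        if p not in P or q not in Q:
            violations.append(f"edge ({p},{q}) does not join P to Q")
    adj = defaultdict(list)
    for p, q, lam in eq_edges:
        adj[p].append((q, lam))
        adj[q].append((p, lam))
    comp, label = {}, {}
    for root in list(P) + list(Q):
        if root in comp:
            continue
        comp[root], label[root] = root, 0
        stack, members = [root], [root]
        while stack:
            v = stack.pop()
            for w, lam in adj[v]:
                if w not in comp:
                    comp[w], label[w] = root, label[v] ^ lam
                    stack.append(w)
                    members.append(w)
        # G^= must be acyclic: every component is a tree.
        n_edges = sum(1 for p, q, _ in eq_edges if comp.get(p) == root)
        if n_edges != len(members) - 1:
            violations.append(f"component of {root} contains a cycle")
        # No trail may have label 0, otherwise two vertices are forced equal.
        if len({label[v] for v in members}) != len(members):
            violations.append(f"component of {root} has a 0-labelled trail")
    # Property 3: a (lam, !=)-edge must not be contradicted by a lam-labelled trail.
    for p, q, lam in neq_edges:
        if comp.get(p) == comp.get(q) and label[p] ^ label[q] == lam:
            violations.append(f"({p},{q}) != {lam} contradicts an =-trail")
    return violations, comp, label


def count_solutions(P, Q, eq_edges, neq_edges, n):
    """Brute-force h*(G): assignments of pairwise distinct n-bit values to all
    vertices that satisfy every equality and every inequality."""
    V = list(P) + list(Q)
    Z = 1 << n
    total = 0
    for values in permutations(range(Z), len(V)):
        a = dict(zip(V, values))
        if all(a[p] ^ a[q] == lam for p, q, lam in eq_edges) and \
           all(a[p] ^ a[q] != lam for p, q, lam in neq_edges):
            total += 1
    return total


def heuristic(n_vertices, q, n):
    """(Z)_{|V|} / Z^q: the count expected if each of the q equalities held
    independently with probability 1/Z."""
    Z = 1 << n
    falling = 1
    for i in range(n_vertices):
        falling *= Z - i
    return falling / Z ** q


# Constructed sample graph for n = 3 (Z = 8): three vertices in P, two in Q.
P = ("p1", "p2", "p3")
Q = ("q1", "q2")
EQ = [("p1", "q1", 1), ("p2", "q1", 3), ("p3", "q2", 5)]   # trail p1-q1-p2; edge p3-q2
NEQ = [("p2", "q2", 6)]

if __name__ == "__main__":
    bad, _, _ = check_nice(P, Q, EQ, NEQ)
    print("nice:", not bad, bad)
    print("solutions h*(G):", count_solutions(P, Q, EQ, NEQ, 3))
    print("heuristic (Z)_|V| / Z^q:", heuristic(len(P) + len(Q), len(EQ), 3))
```

For the sample graph the brute force finds 16 solutions against a heuristic of 6720/512 = 13.125; the gap is the "certain error" term, which shrinks as Z grows relative to the number of vertices.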
Proof Idea. Given an arbitrary nice graph G, we decompose G^= into three subgraphs, denoted G^=_1, G^=_2 and G^=_3, respectively, where
• G^=_1 = (V_1, E^=_1) is the union of components containing at least one trail of length two;
• G^=_2 = (V_2, E^=_2) is the union of components of size two (i.e., trails of length one);
• G^=_3 = (V_3, E^=_3) is the set of isolated vertices.
For i = 1, 2, 3, let E^≠_i denote the set of ≠-labeled edges connecting a vertex in V_i and one in ⋃_{j=1}^{i} V_j, and let
In order to lower bound the number of solutions to G, we first lower bound the number of solutions to G_1 using Lemma 4, and then those of G_2 and G_3 (= G) using Lemma 5 and Lemma 6, respectively.
Theorem 1. For positive integers q and v, let G = (V, E^= ⊔ E^≠) be a nice graph such that |E^=| = q and |E^≠| = v. With the notation defined above, assume that G^=_1 is decomposed into k components C_1, ..., C_k for some k. Then, the number of solutions to G, denoted h*(G), satisfies
Proof. For i = 1, 2, 3, let q_i = |E^=_i| and v_i = |E^≠_i|. Then we have q = q_1 + q_2 (with q_3 = 0) and v = v_1 + v_2 + v_3. Note that we interchangeably write |G^=_i| and |V_i|. By Lemma 4, the number of solutions to G_1, denoted h(G_1), satisfies (2). By Lemma 5, for a fixed solution to G_1, the number of solutions to G_2, denoted h(G_2), satisfies (3), since (2/3)|V_1| + q_2 ≤ q_1 + q_2 ≤ q. By Lemma 6, for a fixed solution to G_2, the number of solutions to G_3, denoted h(G_3), satisfies (4). By (2), (3), (4), we have the claimed bound.
The proof is based on three lemmas:
• Lemma 4 studies the number of solutions of G^=_1, that is, of a graph that contains exactly the components with a trail of length two or larger.
• Lemma 5 considers the number of solutions of G^=_2, that is, of a graph that contains exactly the components with a trail of length one.
• Finally, Lemma 6 considers G^=_3, that is, the set of isolated vertices.
In the proofs of those lemmas, we proceed stepwise. However, the other graphs may already have fixed some values before. For this purpose, we partition the set of vertices V into two disjoint sets, denoted V_k and V_u, respectively. The vertices in V_k represent those distinct values that have already been fixed by other graphs. Then, the number of possible assignments of distinct values to the vertices in V_u can be lower bounded such that the entire assignment becomes a solution to G.
Lemma 4. For a positive integer $q$ and a nonnegative integer $v$, let $G = (V, E^{=} \cup E^{\neq})$ be a nice graph such that $|E^{=}| = q$ and $|E^{\neq}| = v$. Suppose that
1. $V$ is partitioned into two subsets, denoted $V_k$ and $V_u$;
2. $\mathcal{P}$ (resp. $\mathcal{Q}$) is partitioned into two subsets, denoted $\mathcal{P}_k = \mathcal{P} \cap V_k$ and $\mathcal{P}_u = \mathcal{P} \cap V_u$ (resp. $\mathcal{Q}_k = \mathcal{Q} \cap V_k$ and $\mathcal{Q}_u = \mathcal{Q} \cap V_u$);
3. there is no $=$-labeled edge that is incident to a vertex in $V_k$;
4. there is no $\neq$-labeled edge connecting two vertices in $V_k$.
Suppose that $G^{=}_{uk} = (V_u, E^{=})$ is decomposed into $k$ components $C_1, \ldots, C_k$ for some $k$. Given a fixed assignment of distinct values to the vertices in $V_k$, the number of solutions to $G$, denoted $h(G)$, satisfies
Proof. For $i = 1, \ldots, k$,
• let $C_i = P_i \cup Q_i$ where $P_i \subset \mathcal{P}$ and $Q_i \subset \mathcal{Q}$;
• let $G_i$ be the graph obtained from $V_k \cup C_1 \cup C_2 \cup \cdots \cup C_i$ by adding all the $\neq$-labeled edges connecting the vertices in $V_k \cup C_1 \cup C_2 \cup \cdots \cup C_i$;
• let $v_i$ be the number of $\neq$-labeled edges that connect a vertex in $C_i$ and one in $G_{i-1}$;
• let $h(i)$ be the number of solutions to $G_i$.
Let $h(0) = 1$ and let $\sigma_0 = |V_k|$. Then we have $G_k = G$, and hence $h(k)$ is the number of solutions to $G$. Thus, the lemma trivially holds. Therefore, we can assume that $\sigma_i c_{i+1} \le Z$ for $i = 0, \ldots, k-1$. In order to find a relation between $h(i)$ and $h(i+1)$, we fix a solution to $G_i$. If we fix a vertex $V^* \in P_{i+1}$ and assign any value to $V^*$, then the other unknowns in $P_{i+1}$ are uniquely determined, since there is a unique trail from $V^*$ to any other vertex in $P_{i+1}$. In order to make all assigned values distinct (for each of $\mathcal{P}$ and $\mathcal{Q}$), it is sufficient that
where $\lambda_V$ denotes the label of the unique trail from $V^*$ to $V$ if $V \neq V^*$, and $\lambda_{V^*} = 0$. Moreover, $V^*$ should satisfy $v_{i+1}$ inequalities. The number of choices satisfying these conditions is at least
Then, for $0 \le i \le q - 1$, we have
The next lemma considers the case that every component of the graph contains exactly two vertices.
Lemma 5. For a positive integer $q$ and a nonnegative integer $v$, let $G = (V, E^{=} \cup E^{\neq})$ be a nice graph such that $|E^{=}| = q$ and $|E^{\neq}| = v$. Suppose that
1. $V$ is partitioned into two subsets, denoted $V_k$ and $V_u$;
2. $\mathcal{P}$ (resp. $\mathcal{Q}$) is partitioned into two subsets, denoted $\mathcal{P}_k = \mathcal{P} \cap V_k$ and $\mathcal{P}_u = \mathcal{P} \cap V_u$ (resp. $\mathcal{Q}_k = \mathcal{Q} \cap V_k$ and $\mathcal{Q}_u = \mathcal{Q} \cap V_u$);
3. there is no $=$-labeled edge that is incident to a vertex in $V_k$;
4. there is no $\neq$-labeled edge connecting two vertices in $V_k$.
Suppose that $G^{=}_{uk} = (V_u, E^{=})$ is decomposed into $q$ components of size two. Given a fixed assignment of distinct values to the vertices in $V_k$, the number of solutions to $G$, denoted $h(G)$, satisfies
Proof. We write the connected components of $G^{=}_{\text{unknown}}$ as follows:
• let $\alpha_i = |\mathcal{P}_k| + i$ and $\beta_i = |\mathcal{Q}_k| + i$;
• let $G_i$ be the graph obtained from $V_k \cup C_1 \cup C_2 \cup \cdots \cup C_i$ by adding all the $\neq$-labeled edges connecting the vertices in $V_k \cup C_1 \cup C_2 \cup \cdots \cup C_i$;
• let $v_i$ be the number of $\neq$-labeled edges that connect a vertex in $C_i$ and one in $G_{i-1}$;
• let $h(i)$ be the number of solutions to $G_i$.
In order to find a relation between $h(i)$ and $h(i+1)$, we fix a solution to $G_i$. For $X \in X_i$ and $Y \in Y_i \oplus \lambda_{i+1}$, let $h'(X, Y)$ denote the number of solutions to $G_i$ such that $X \oplus Y = \lambda_{i+1}$. Then we have
We observe that
1. if $X$ and $Y$ are connected with a $(\lambda_{i+1}, =)$-labeled edge, then the additional equation is already implied;
2. if $X$ and $Y$ are connected with either a $(\lambda, =)$-labeled edge such that $\lambda \neq \lambda_{i+1}$ or a $(\lambda_{i+1}, \neq)$-labeled edge, then the system of equations and inequalities (with the additional equation) has no solution.
Let $i \ge 2$. Suppose that $X = P_j$ and $Y = Q_{j'}$ for distinct $j$ and $j'$, that $X$ and $Y$ are not connected with any $\neq$-labeled edge, and that $\lambda_{i+1} \notin \{\lambda_j, \lambda_{j'}\}$; then we have
Wonseok Choi, Akiko Inoue, Byeonghak Lee, Jooyoung Lee, Eik List, Kazuhiko Minematsu and Yusuke Naito
there is a $\neq$-labeled edge between $P_j$ and $Q_{j'}$, and let
Since $|S_1| \le 2v$ and $|S_2| \le 2i$, we have
By (6), (7), (8), and since $2i \le 2q \le Z$, we have
and by (5),
Since $\sigma_i \le Z/2$, we have
Finally, we consider a graph containing no $=$-labeled edges, so that $G^{=}$ consists only of isolated vertices.
Lemma 6. For a nonnegative integer $v$, let $G = (V, E^{\neq})$ be a nice graph such that $|E^{\neq}| = v$. Suppose that
1. $V$ is partitioned into two subsets, denoted $V_k$ and $V_u$;
2. $\mathcal{P}$ (resp. $\mathcal{Q}$) is partitioned into two subsets, denoted $\mathcal{P}_k = \mathcal{P} \cap V_k$ and $\mathcal{P}_u = \mathcal{P} \cap V_u$ (resp. $\mathcal{Q}_k = \mathcal{Q} \cap V_k$ and $\mathcal{Q}_u = \mathcal{Q} \cap V_u$);
3. there is no $\neq$-labeled edge connecting two vertices in $V_k$.
Given a fixed assignment of distinct values to the vertices in $V_k$, the number of solutions to $G$, denoted $h(G)$, satisfies
Since the proof is short, we list it here.
Proof. The number of possible assignments of distinct values outside $V_k$ to the vertices in $V_u$ is $(Z - |\mathcal{P}_k|)_{|\mathcal{P}_u|}\,(Z - |\mathcal{Q}_k|)_{|\mathcal{Q}_u|}$. Among these assignments, at most $\frac{1}{Z - |V_k|}(Z - |\mathcal{P}_k|)_{|\mathcal{P}_u|}\,(Z - |\mathcal{Q}_k|)_{|\mathcal{Q}_u|}$ assignments violate any fixed $\neq$-labeled edge. Therefore, we have
As a special case of interest of Theorem 1, we can also consider Theorem 2. It concerns the nice transcript graph of a transcript that contains only a single MAC query and $v$ verification queries.
Theorem 2. For a nonnegative integer $v$, let $G = (V, E^{=} \cup E^{\neq})$ be a nice graph such that $|E^{=}| = 1$ and $|E^{\neq}| = v$. The number of solutions to $G$, denoted $h^*(G)$, satisfies
Proof. Let $G^{=} = (V^{=}, E^{=})$ be the unique component of size two. The number of solutions to $G^{=}$, denoted $h(G^{=})$, is exactly $Z$. By Lemma 6, for a fixed solution to $G^{=}$, the number of solutions to $G$, denoted $h(G)$, satisfies
By $h(G^{=}) = Z$ and Equation (9), we have

Security Analysis of NaT2
Recall that NaT2 computes a tag T for a tuple (N, M ) following Algorithm 1 and Figure 1c.
Up to the tprp-security of $E$, the keyed tweakable permutations $E_K$ (resp. $E_{K'}$) can be replaced by truly random tweakable permutations $\pi$ (resp. $\pi'$). The core task will be to show the following theorem.
The remaining part of this section will be devoted to the proof of Theorem 3.

Graph Representation of Transcripts
Suppose that an adversary $\mathcal{A}$ makes $q$ MAC queries using at most $\mu$ faulty nonces, and makes $v$ verification queries. Let $q_w = |\tau_m(w)|$ and $v_w = |\tau_v(w)|$. Note that $\mathcal{A}$ is given $K_1$ and $K_2$ for free at the end of the attack. The core of the security proof is to estimate the number of possible ways of fixing evaluations of $\pi$ and $\pi'$ that are consistent with the transcript. For a fixed $w$, we identify $\{\pi(N_i, U_i) : N_i = w\} \cup \{\pi(N_j, U_j) : N_j = w\}$ with a set of unknowns (by an abuse of notation), where $r_w \le q_w + v_w$ since there can be hash collisions. Similarly, we identify the $\pi'$-evaluations under nonce $w$ with a set of unknowns. For $i \in [q]$ with $N_i = w$, let $\pi(w, U_i) = P_j \in \mathcal{P}_w$ and $\pi'(w, V_i) = Q_k \in \mathcal{Q}_w$. Then $P_j$ and $Q_k$ are connected with a $(T_i, =)$-labeled edge. Similarly, for $i \in [v]$ with $N_i = w$, $P_j$ and $Q_k$ are connected with a $(T_i, \neq)$-labeled edge if $\pi(w, U_i) = P_j$ and $\pi'(w, V_i) = Q_k$. In this way, we obtain a graph $G_w = (V_w, E_w)$ on $V_w := \mathcal{P}_w \cup \mathcal{Q}_w$, and we call the union of the graphs $G_w$ over all nonces the transcript graph of $\tau$, denoted $G_\tau$. By definition, $G_\tau$ has no isolated vertices. Furthermore, $G_\tau$ is a bipartite graph with independent sets $\bigcup_w \mathcal{P}_w$ and $\bigcup_w \mathcal{Q}_w$, and contains no edge between $\mathcal{P}_w$ and $\mathcal{Q}_{w'}$ for $w \neq w'$.

Bad Transcripts
For a fixed positive integer $L$ (to be optimized later), a transcript $\tau = (K_1, K_2, \tau_m, \tau_v)$ is defined as bad if one of the following conditions holds.
If a transcript $\tau$ is not bad, it is called a good transcript. For a good transcript $\tau$ and a nonce $w$ such that $q_w + v_w > 0$, we observe that
1. $G^{=}_w$, being a bipartite graph, contains no cycle in the absence of $\mathsf{bad}_1$;
2. $G^{=}_w$ contains no even-length trail $L$ such that $\lambda(L) = 0$ in the absence of $\mathsf{bad}_1 \vee \mathsf{bad}_2$;
3. if two vertices are connected by a $\lambda$-labeled trail in $G^{=}_w$, then they cannot be connected with a $(\lambda, \neq)$-labeled edge in the absence of $\mathsf{bad}_1 \vee \mathsf{bad}_3$.
Furthermore, we see that $G^{=}_\tau$ contains no trail of length 4 in the absence of $\mathsf{bad}_1$. With this observation, we conclude that for any $w$ and any good transcript $\tau$,
1. $G_w$ is nice (as defined in Section 4);
2. $|G_w| \le 2(2\mu + v) \le 2^{n-2}$.
These properties allow us to apply Theorem 1 later. In the following, we upper bound the probabilities of the individual bad events in the ideal world.
$\mathsf{bad}_1$. The number of queries using any repeated nonce is at most $2\mu$, so the number of pairs $(i, j) \in [q]^{*2}$ such that $N_i = N_j$ is at most $4\mu^2$. For each such pair $(i, j)$, the probability that $U_i = U_j$ and $V_i = V_j$ is at most $\delta^2$. Therefore, we have
All in all, we obtain the upper bound $\frac{8\mu^2\delta}{2^n} + 8\mu^2\delta^{3/2} + \frac{8\mu^2\delta}{L} + 4(v+1)\mu^2\delta^2 + v\delta$.

Concluding the Proof Using the Extended Mirror Theory
For any good transcript $\tau$ and nonce $w$, let $G^{=}_w$ denote the graph obtained by deleting all $\neq$-labeled edges from $G_w$. We decompose $G^{=}_w$ into three subgraphs as follows:
where $G^{=}_{w,1}$ is the union of the components containing at least one trail of length two, $G^{=}_{w,2}$ is the set of isolated edges, and $G^{=}_{w,3}$ is the set of isolated vertices. We also decompose $G^{=}_{w,1}$ into connected components as follows:
We also write $c_w = |G^{=}_{w,1}|$ $(= \sum_{i=1}^{k_w} c_{w,i})$ and $c = \sum_w c_w$. The probability of obtaining $\tau$ in the real world is computed over the randomness of $\pi$ and $\pi'$. For a fixed nonce $w$, let $\pi(\cdot) = \pi(w, \cdot)$ and $\pi'(\cdot) = \pi'(w, \cdot)$. By Theorem 1 and Theorem 2, the number of possible ways of evaluating $\pi$ and $\pi'$ at the unknowns in $V_w = \mathcal{P}_w \cup \mathcal{Q}_w$ (i.e., $h^*(G_w)$) is lower bounded by
for $w$ such that $q_w \ge 2$, and with $\varepsilon_1(\tau, w) := \frac{2v_w}{2^n}$ for $w$ such that $q_w = 1$. Since the probability that $\pi$ (resp. $\pi'$) realizes each assignment is exactly $1/(2^n)_{|\mathcal{P}_w|}$ (resp. $1/(2^n)_{|\mathcal{Q}_w|}$), we have
where
since the sum of all $q_w$ with $q_w \ge 2$ is at most $2\mu$.
Upper Bounding $c$. We observe that each edge of $E^{=}_{w,1}$ corresponds to a collision on $U$ or on $V$. Therefore, we have
Taking the Expectation of $\varepsilon_1(\tau, w)$. We define the following three helpful random variables:
Moreover, for each $w$ and $i \in [k_w]$, let $r_{w,i} = |C_{w,i} \cap \mathcal{P}|$ and $s_{w,i} = |C_{w,i} \cap \mathcal{Q}|$. Then we obtain
We can set $L = 2^{n/2}/3$. Our bound in Theorem 3 then follows from (10), (11), (14) and by applying Lemma 3.
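The transcript graph $G_w$ built in the graph-representation subsection and the decomposition of $G^{=}_w$ into $G^{=}_{w,1}$ (components with a trail of length two or more), $G^{=}_{w,2}$ (isolated edges) and $G^{=}_{w,3}$ (isolated vertices), carried out on a small constructed transcript. This is an added illustration, not code from the paper: the nonces, hash outputs $U, V$ and tags $T$ are constructed 8-bit sample values, and the three good-transcript checks implemented are the ones listed for $G^{=}_w$ above (no cycle, no even-length trail with label 0, no $(\lambda, \neq)$ edge between vertices joined by a $\lambda$-labeled trail).

```python
"""Transcript graph of NaT2 queries and its decomposition into G^=_{w,1}, G^=_{w,2}, G^=_{w,3}.

Added illustration, not code from the paper. The hash outputs and tags below are constructed
8-bit sample values, not outputs of any real primitive."""
from collections import defaultdict

# Constructed transcript. A MAC query is (N, U, V, T) with U = H_{K1}(M), V = H_{K2}(M);
# a verification query is (N, U, V, T) for a rejected forgery attempt (N, M, T).
MAC_QUERIES = [
    (1, 0x11, 0x21, 0xA0),  # nonce 1, used once
    (2, 0x12, 0x22, 0xB1),  # nonce 2, used twice (one faulty nonce) ...
    (2, 0x12, 0x23, 0xB2),  # ... with a collision on U: pi(2, 0x12) is shared -> trail of length 2
    (3, 0x13, 0x24, 0xC3),  # nonce 3, used twice ...
    (3, 0x14, 0x25, 0xC4),  # ... without hash collisions -> two isolated edges
]
VERIFY_QUERIES = [
    (1, 0x11, 0x21, 0xA1),  # forgery attempt reusing the hashes of MAC query 1 with a new tag
    (4, 0x15, 0x26, 0xD5),  # forgery attempt on a nonce never used in a MAC query
]


def build_transcript_graph(mac, ver):
    """Return {nonce w: (V_w, E^=_w, E^!=_w)} with vertices ('P', U) for the unknown pi(w, U)
    and ('Q', V) for pi'(w, V). A MAC query gives a (T, =) edge, a verification query a (T, !=) edge."""
    graphs = defaultdict(lambda: (set(), [], []))
    for (w, u, v, t), kind in [(x, "=") for x in mac] + [(x, "!=") for x in ver]:
        verts, eq, ne = graphs[w]
        p, qv = ("P", u), ("Q", v)
        verts.update((p, qv))
        (eq if kind == "=" else ne).append((p, qv, t))
    return dict(graphs)


def eq_components(verts, eq):
    """Connected components of G^=_w. Each component is returned as (potential, acyclic), where
    potential[x] is the XOR of the labels on the tree path from the component's root to x, so
    the label of the (unique) trail between x and y is potential[x] ^ potential[y]."""
    adj = defaultdict(list)
    for idx, (p, qv, t) in enumerate(eq):
        adj[p].append((qv, t, idx))
        adj[qv].append((p, t, idx))
    seen, comps = set(), []
    for root in sorted(verts):
        if root in seen:
            continue
        potential, acyclic, stack = {root: 0}, True, [(root, None)]
        while stack:
            x, via = stack.pop()
            for y, t, idx in adj[x]:
                if idx == via:
                    continue
                if y in potential:      # reached again by a different edge: a cycle (bad_1)
                    acyclic = False
                    continue
                potential[y] = potential[x] ^ t
                stack.append((y, idx))
        seen.update(potential)
        comps.append((potential, acyclic))
    return comps


def analyse_nonce(verts, eq, ne):
    """Decompose G^=_w and run the three good-transcript checks on it."""
    comps = eq_components(verts, eq)
    locate = {x: pot for pot, _ in comps for x in pot}        # vertex -> its component
    good = all(acyclic for _, acyclic in comps)                # (1) no cycle
    for pot, _ in comps:                                       # (2) no even trail with label 0:
        for side in ("P", "Q"):                                #     two same-side vertices with equal
            labels = [pot[x] for x in pot if x[0] == side]     #     potential would force two distinct
            good &= len(labels) == len(set(labels))            #     inputs of one permutation to collide
    for p, qv, lam in ne:                                      # (3) a (lam, !=) edge must not contradict
        if locate[p] is locate[qv] and locate[p][p] ^ locate[p][qv] == lam:  # a lam-labeled trail
            good = False
    return {
        "g1_sizes": sorted(len(pot) for pot, _ in comps if len(pot) >= 3),  # G^=_{w,1} components
        "isolated_edges": sum(1 for pot, _ in comps if len(pot) == 2),      # G^=_{w,2}
        "isolated_vertices": sum(1 for pot, _ in comps if len(pot) == 1),   # G^=_{w,3}
        "good": good,
    }


def decompose(mac, ver):
    return {w: analyse_nonce(*g) for w, g in build_transcript_graph(mac, ver).items()}


def total_c(result):
    """c = sum over nonces of |G^=_{w,1}|, the quantity bounded under 'Upper Bounding c'."""
    return sum(sum(r["g1_sizes"]) for r in result.values())


if __name__ == "__main__":
    res = decompose(MAC_QUERIES, VERIFY_QUERIES)
    for w in sorted(res):
        print(w, res[w])
    print("c =", total_c(res))
```

On the constructed transcript, nonce 2 yields the only $G^{=}_{w,1}$ component (size 3, so $c = 3$), nonce 3 yields two isolated edges, and nonce 4 yields only isolated vertices since it appears in no MAC query. Feeding a verification query whose tag equals the label of the trail already connecting its two vertices, or two MAC queries under one nonce with the same $V$ and the same tag, makes the check report the transcript as not good, which is exactly what $\mathsf{bad}_3$ and $\mathsf{bad}_2$ exclude.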

Security Analysis of eHaT
Recall that eHaT computes a tag $T$ for a tuple $(N, M)$ following Algorithm 2 and Figure 1d. Up to the tprp-security of $E$, the keyed tweakable permutations $E_K$ (resp. $E_{K'}$) can be replaced by truly random tweakable permutations $\pi$ (resp. $\pi'$). For the $i$-th MAC query $(N_i, M_i)$, we define
For the $i$-th verification query $(N_i, M_i, T_i)$, we define
As a further step of simplifying our task, we introduce $\mu'$ for the number of MAC queries whose nonce repeats in other MAC queries. That is, $\mu'$ includes the queries with faulty nonces and the MAC queries with the initial occurrence of their respective nonces. If $\mu$ is the number of faulty queries, it is easy to see that $\mu' \le 2\mu$, where the equality $\mu' = 2\mu$ holds if every faulty nonce repeats exactly once, and the inequality is strict if any nonce repeats twice or more. We call those queries nonce-repeating MAC queries. The core task will then be to show the following theorem.
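A toy ideal-world model of the two constructions together with the nonce statistics $\mu$ and $\mu'$ just defined, as an added example (not the paper's code, and not Algorithms 1 and 2 themselves). The tag equations are reconstructed from this section's notation and are assumptions: NaT2 as $\pi(N, H_{K_1}(M)) \oplus \pi'(N, H_{K_2}(M))$, the sum of two NaT instances, and eHaT as $\pi(V, U) \oplus \pi'(N, 0^n)$ with $U$ and $V$ the two hashes of $N \| M$. The tweakable random permutations are sampled lazily exactly as in the ideal world, the hash is a polynomial hash over $\mathrm{GF}(2^8)$ (its $\ell/2^t$ almost-universality is the shape of $\delta$ used later), and $n = t = 8$ bits are toy parameters chosen so the model is exhaustively checkable.

```python
"""Toy ideal-world model of NaT2 and eHaT with lazily sampled tweakable random permutations,
plus the nonce statistics mu (faulty queries) and mu' (nonce-repeating queries).

Added illustration, not the paper's code. The tag equations are reconstructed from the
section's notation (assumptions), and n = t = 8 bits are toy parameters."""
import random
from collections import Counter

N_BITS = 8            # toy block size n; the tweak size t is also 8 bits here
AES_POLY = 0x11B      # x^8 + x^4 + x^3 + x + 1, the AES field polynomial


def gf_mul(a, b):
    """Multiplication in GF(2^8) modulo AES_POLY."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= AES_POLY
        b >>= 1
    return r


def poly_hash(key, blocks):
    """Polynomial hash over GF(2^8) with the block count appended as the last block.
    Two distinct messages of at most l blocks collide for at most l keys, so this is an
    l/2^8-almost-universal hash; it stands in for H and H' (toy parameters)."""
    acc = 0
    for m in list(blocks) + [len(blocks)]:
        acc = gf_mul(acc, key) ^ m
    return acc


class TweakableRandomPermutation:
    """pi <-$ TPerm({0,1}^t, {0,1}^n), sampled lazily: an independent uniformly random
    permutation per tweak, never reusing an output value under the same tweak."""
    def __init__(self, rng):
        self.rng, self.table, self.used = rng, {}, {}

    def __call__(self, tweak, x):
        if (tweak, x) not in self.table:
            taken = self.used.setdefault(tweak, set())
            y = self.rng.choice([c for c in range(1 << N_BITS) if c not in taken])
            taken.add(y)
            self.table[(tweak, x)] = y
        return self.table[(tweak, x)]


def nat2_tag(pi, pi2, k1, k2, nonce, msg):
    """NaT2 (assumed form): sum of two NaT instances, pi(N, H_K1(M)) xor pi'(N, H_K2(M))."""
    return pi(nonce, poly_hash(k1, msg)) ^ pi2(nonce, poly_hash(k2, msg))


def ehat_tag(pi, pi2, k1, k2, nonce, msg):
    """eHaT (assumed form): hash N||M into a t-bit tweak V and an n-bit input U,
    then pi(V, U) xor pi'(N, 0^n)."""
    nm = [nonce] + list(msg)
    u, v = poly_hash(k1, nm), poly_hash(k2, nm)
    return pi(v, u) ^ pi2(nonce, 0)


def nonce_statistics(nonces):
    """Return (mu, mu'): mu counts faulty MAC queries (every use of a nonce after its first);
    mu' counts every MAC query whose nonce occurs in another MAC query, i.e. the faulty
    queries plus the first occurrence of each repeated nonce. Hence mu' <= 2 mu."""
    counts = Counter(nonces)
    mu = sum(c - 1 for c in counts.values())
    mu_prime = sum(c for c in counts.values() if c >= 2)
    return mu, mu_prime


def permutation_check(seed=0, tweak=7):
    """Sanity check of the model: under one tweak all 2^n inputs map to distinct outputs."""
    pi = TweakableRandomPermutation(random.Random(seed))
    return len({pi(tweak, x) for x in range(1 << N_BITS)}) == (1 << N_BITS)


def demo(seed=1):
    """Tag a few constructed queries under both constructions; return tags and (mu, mu')."""
    rng = random.Random(seed)
    nat_pi, nat_pi2 = TweakableRandomPermutation(rng), TweakableRandomPermutation(rng)
    ehat_pi, ehat_pi2 = TweakableRandomPermutation(rng), TweakableRandomPermutation(rng)
    k1, k2 = rng.randrange(256), rng.randrange(256)
    queries = [(1, [0x10, 0x20]), (2, [0x30]), (2, [0x31]), (3, [0x40, 0x41, 0x42])]  # constructed
    tags = {(n, tuple(m)): (nat2_tag(nat_pi, nat_pi2, k1, k2, n, m),
                            ehat_tag(ehat_pi, ehat_pi2, k1, k2, n, m)) for n, m in queries}
    return tags, nonce_statistics([n for n, _ in queries])


if __name__ == "__main__":
    print(demo())
```

The constructed query list repeats nonce 2 once, so $\mu = 1$ and $\mu' = 2 = 2\mu$; a nonce used three times would give $\mu = 2$ but $\mu' = 3 < 2\mu$, the strict case described above.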
Theorem 4. Let $\delta > 0$, let $H : \mathcal{K} \times \mathcal{M} \to \{0,1\}^n$ be a $\delta$-almost-universal hash function, let $H' : \mathcal{K}' \times \mathcal{M} \to \{0,1\}^t$ be a $\delta'$-almost-universal hash function, and let $\pi, \pi' \leftarrow_{\$} \mathrm{TPerm}(\mathbb{F}_2^t, \mathbb{F}_2^n)$, $K_1 \leftarrow_{\$} \mathcal{K}$ and $K_2 \leftarrow_{\$} \mathcal{K}'$. For non-negative integers $\mu$, $q$, and $v$, if $\mu = 0$ (i.e., adversaries are nonce-respecting), we have $\mathrm{Adv}^{\mathrm{mac}}$
Note that, due to the absence of $\mathsf{bad}_5$, there is no contradiction from choosing $Y_i$. Then we evaluate the probability of obtaining the leftover values in $\tau_\mu$. For $s \in \{0,1\}^t$, let
Thus, $\mu'_s$ is the number of nonce-repeating queries whose tweak input to $\pi$ is equal to $s$, i.e., $V = s$, and $\sum_{s \in \{0,1\}^t} \mu'_s = \mu'$. Note that by the absence of $\mathsf{bad}_1$, a good transcript avoids hash collisions in these queries. For each tweak $s$, the number of solutions of $\pi$ with tweak input $s$ is $(2^n)_{\mu'_s}$. Note that the absence of $\mathsf{bad}_1$ and $\mathsf{bad}_2$ in good transcripts ensures that there is no hash value for which the probability would become 0. Thus, it holds that
Probability of $\tau_n$ and $\tau_v$. We define another useful partition of $\tau_n$ and $\tau_v$:
• $\tau_{n,1} := \tau_n \setminus \tau_{n,0}$;
For each $(N_i, M_i, T_i) \in \tau_{n,0}$, the evaluation of $X_i$ is already fixed by $\tau_\mu$, so the probability $\Pr[Y_i = X_i \oplus T_i]$ is $2^{-n}$. It follows that $\Pr[T_{re} = \tau_{n,0} \mid T_{re} = \tau_\mu] = \frac{1}{(2^n)^{|\tau_{n,0}|}}$.
For each $(N_i, M_i, T_i) \in \tau_{n,1}$, neither $X_i$ nor $Y_i$ was defined by $\tau_\mu$ and $\tau_{n,0}$. Let $W$ be the hash outputs (namely, the inputs to $\pi$) in $\tau_{n,1}$, i.e.,
where $r_i$ counts the number of inequalities that $\pi(W_i)$ should satisfy and $s_i$ counts the number of available evaluations of $\pi(W_i)$, assuming that we have fixed $\pi$ on $\tau_\mu$, $\tau_{n,0}$ and on $W_j$ for $j < i$. Then
$$\Pr[T_{re} = \tau_{n,1}, \tau_{v,0} \mid T_{re} = \tau_\mu, \tau_{n,0}] \ge \frac{1}{2^{n|\tau_{n,1}|}} \prod_{i \in [x]} \frac{2^n - r_i - s_i}{2^n - s_i} \ge \frac{1}{2^{n|\tau_{n,1}|}} \Big(1 - \cdots\Big)$$
where the last inequality comes from the inequalities $\sum_{i \in [x]} r_i \le 2v$ and $s_i \le v_{\max}$. For each $i \in I_{v,1}$, $X_i$ is already fixed, so the probability $\Pr[Y_i = X_i \oplus T_i]$ is $2^{-n}$. Also, for each $i \in I_{v,2}$, the real world fixes $Y_i = \pi'(N_i, 0^n)$ if it is not yet defined. For each such $i$, the number of solutions for $\pi(V_i, U_i)$ is at least $2^n - (v_{\max} - 1 + v)$ due to the absence of $\mathsf{bad}_6$. Therefore, for $i \in I_{v,1} \cup I_{v,2}$,
It follows that
Note that for a verification query $(N_i, M_i, T_i)$, if there exists a MAC query $(N_j, M_j)$ such that $(N_i, M_i) = (N_j, M_j)$, then $\pi(V_j, U_j)$ $(= \pi(V_i, U_i))$ was defined so that it is not equal to $Y_i \oplus T_i$, due to the absence of $\mathsf{bad}_4$.
Summing up. Multiplying all bounds from Equations (17) through (21) yields
Together with Equation (16), we obtain
The bound in Lemma 8 follows.

Bound for µ > 0 without bad 6
Consider messages of at most a given maximum length in blocks. If $\delta$ equals that maximum length divided by $2^t$, the term $2q^{2/3}\delta$ depends on the message length. If the maximum length is below $2^{t/3}$, the security is not endangered before $q$ reaches $2^t$. The term $2q^{2/3}\delta$ is introduced by the bad event $\mathsf{bad}_6$, which defines the maximum multiplicity of $V$ for MAC queries. Thus, removing $\mathsf{bad}_6$ from the bad events in the proof of Theorem 4 for $\mu > 0$ would allow us to remove the length-dependent term. In this case, the number of solutions for $\pi(V_i, U_i)$ in the analysis of $\tau_v$ in Subsection 6.2 changes; more precisely, $v_{\max}$ is replaced with $q$. By this replacement, the lower bound in Eq. (21) becomes $1 - 3v/(2^n - (q + v))$. We thus get the length-free term $3v/(2^n - (q + v))$, which is valid as long as $q < 2^n$. Adding this term to the bound in Theorem 4 yields the following corollary.

Conclusion
This work proposed NaT2 and eHaT, two highly secure nonce-based MACs. Taking NaT and HaT proposed by Cogliati et al. [CLS17] as a baseline, we derived NaT2 and eHaT with conceptually simple changes. Our proposals possess almost full security in the nonce-respecting setting and beyond-birthday-bound security in the nonce-misusing setting. Since neither NaT nor (a simple nonce-based variant of) HaT could achieve both properties simultaneously, our constructions enhance their security guarantees well. NaT2 and eHaT provide the same level of security in the nonce-respecting setting as NaT and HaT. However, in the nonce-misuse setting, NaT2 and eHaT provide stronger security in terms of the threshold number of verification queries and MAC queries, respectively. A few more possible future directions exist, most notably studying the tightness of the bounds or related MAC designs in the (ideal-)block-cipher setting.