TIGHT SECURITY ANALYSIS OF THE PUBLIC PERMUTATION-BASED PMAC Plus

IACR Cryptology ePrint Archive (2023)

Abstract
In CRYPTO 2011, Yasuda proposed a variable input-length PRF based on an n-bit block cipher, called PMAC Plus. PMAC Plus is a rate-1 construction and inherits the well-known parallel network of PMAC at a low additional cost. However, unlike PMAC, PMAC Plus is secure roughly up to 2^{2n/3} queries. Later, Leurent et al. in CRYPTO 2018, and then Lee et al. in EUROCRYPT 2020, established a tight security bound of 2^{3n/4} for PMAC Plus. In this paper, we propose a public permutation-based variable input-length PRF called pPMAC Plus. We show that pPMAC Plus is secure against all adversaries that make at most 2^{2n/3} queries. We also show that this bound is essentially tight. It is of note here that instantiating each block cipher of PMAC Plus with the two-round iterated Even-Mansour cipher can also yield a beyond-birthday-secure PRF based on public permutations. Altogether, however, that solution incurs (2l + 4) permutation calls, whereas our proposal requires only (l + 2) permutation calls, l being the maximum number of message blocks.
Keywords
PMAC Plus, public permutation, sum capture lemma, coefficients-H technique