On the Size of Source Space in a Secure MAC

A message authentication code (MAC) is (t, ε) secure if an attacker cannot forge a valid message with probability better than ε after adaptively obtaining t valid messages. For a fixed key space K, it is important for an MAC to support a source space S as large as possible, because this implies a bandwidth saving in practice. Hence, we study the possible size of S in an MAC through |S| or equivalently (to our convenience) the ratio (log |S|/|K|) for a fixed K. Our novelty in the methodology is to regard the MAC function of a given source state as a partition mapping for K. Under this view, we obtain an upper bound on |S| for a (t, ε)-secure MAC. Then, by analyzing a randomized partition of K, we prove the existence of an approximately optimal (t, ε)-secure MAC (in the sense of a large |S|). Our ratio (log |S|/|K|) is much larger than the previous results, where the previous results usually considered only case t = 1 by proposing a good universal hashing. This method is hard to extend to the case of a general t as a universal hashing relates only two inputs, while the general case needs to relate t inputs. Finally, we construct a selectively (1, ε)-secure MAC, where an attacker fixes two source states in advance with one for his forgery and the other for his inquiry for a valid message. Our ratio (log |S|/|K|) in this construction is close to the upper bound of its kind and is significantly larger than our existential result above for case t = 1.