Universal Forgery and Multiple Forgeries of MergeMAC and Generalized Constructions.

This article presents universal forgery and multiple forgeries against MergeMAC that has been recently proposed to fit scenarios where bandwidth is limited and where strict time constraints apply. MergeMAC divides an input message into two parts, \(m\Vert \tilde{m}\), and its tag is computed by \(\mathcal {F}( \mathcal {P}_1(m) \oplus \mathcal {P}_2(\tilde{m}) )\), where \(\mathcal {P}_1\) and \(\mathcal {P}_2\) are PRFs and \(\mathcal {F}\) is a public function. The tag size is 64 bits. The designers claim 64-bit security and mention that it might be insecure to accept beyond-birthday-bound queries.