Security of Symmetric Primitives under Incorrect Usage of Keys

Abstract. We study the security of symmetric primitives under the incorrect usage of keys. Roughly speaking, a key-robust scheme does not output ciphertexts/tags that are valid with respect to distinct keys. Key-robustness is a notion that is often tacitly expected/assumed in protocol design — as is the case with anonymous auction, oblivious transfer, or public-key encryption. We formalize simple, yet strong definitions of key robustness for authenticated encryption, message-authentication codes and PRFs. We show that standard notions (such as AE or PRF security) guarantee a basic level of key-robustness under honestly generated keys, but fail to imply key-robustness under adversarially generated (or known) keys. We show that robust encryption and MACs compose well through generic composition, and identify robust PRFs as the main primitive used in building robust schemes. Standard hash functions are expected to satisfy key-robustness and PRF security, and hence suffice for practical instantiations. We however provide further theoretical justifications (in the standard model) by constructing robust PRFs from (left-and-right) collision-resistant PRGs.


Introduction
Cryptography is complex and hard to understand. While the wide and diverse landscape of cryptographic notions of security is a useful resource for the academic community (as it allows one to describe exactly what kind of security a certain cryptographic scheme guarantees, and implicitly which one it does not), this complexity often hinders the ability of practitioners and users of cryptography to implement truly secure cryptographic systems. In the eyes of the users, cryptography is often seen as an all-or-nothing process: once cryptography is "turned on," data gets encrypted and therefore the system is secure, hopefully with as little fine print as possible. The shortcomings of this all-or-nothing view have been shown by a long series of attacks on real-world cryptographic protocols.
The academic community is reacting to this real-world need with simpler and more comprehensive notions of security. The clearest example of this is the introduction of the notion of Authenticated Encryption (AE) [Rog02, RS06]. While early cryptography considered confidentiality to be the only goal of encryption, over the years it has become apparent that virtually every application requiring confidentiality would also benefit from some form of authenticity guarantee. Therefore, instead of letting users pick an encryption and a MAC scheme (and combine them in appropriate ways), cryptographers are currently designing schemes that guarantee all properties at once (cf. the CAESAR competition). Other examples in this direction are the study of misuse-resistant AE schemes [RS06], which guarantee the best possible security even in the presence of repeating nonces, security under related-key attacks (RKAs) [Bih94, BK03], and security in the presence of key-dependent messages [BRS02].
In this quest towards coming up with encryption schemes that are as ideally secure as possible, we introduce the notion of key-robustness. In a nutshell, key-robustness looks at a setting where multiple keys (possibly known and/or chosen by the adversary) are present in the system. When using strong encryption, like authenticated encryption, it might be tempting to assume that any given ciphertext would only be valid for a single secret key. As we shall see, this may or may not be the case depending on the context. We start with some motivating examples before discussing the details.
Example 1 - Storage Authenticity. In this application a user wants to encrypt some data which is stored on an untrusted storage provider. To ensure authenticity of the data, the user encrypts it using an AE scheme. Then the user stores the key on a different storage provider. What happens now if the second storage provider is corrupt? It might be tempting to think that, since the data is encrypted with AE, any tampering with the key will be detected when the user decrypts the data with the key. This is unfortunately not the case and, as we discuss later, AE security alone does not guarantee authenticity of the original data against an adversary that can tamper with the stored key. Note that tampering with the key can be done with knowledge of the original key.

Example 2 - Anonymous Communication.
Most practical symmetric encryption schemes have ciphertexts that look random, which in particular implies a form of key anonymity: when given two ciphertexts $c_0, c_1$ it is hard to tell whether or not they were generated using the same (unknown) secret key. Imagine a protocol with one sender and several receivers, where each receiver shares a key $k_i$ with the sender. Anonymity guarantees that if the sender broadcasts a ciphertext constructed using $k_i$, then a different receiver $j$ should only learn that $i \neq j$ and nothing else. At the same time, such protocols often intuitively assume that at most one of the receivers will believe itself to be the intended receiver, i.e., decryption will fail for all but one of the users. This is however not covered by current security definitions. More generally, whenever user anonymity is a security goal, it is likely that some form of robustness is also needed in order to avoid undesired behavior [ABN10].
Example 3 - Oblivious Transfer. Consider the following protocol for constructing a $\binom{3}{2}$-OT protocol using only $\binom{3}{1}$-OTs: the sender picks 3 random keys $k_1, k_2, k_3$ and inputs the messages $x_1 = (k_2, k_3)$, $x_2 = (k_1, k_3)$ and $x_3 = (k_1, k_2)$ to the OT. At the same time, the sender sends encryptions of his messages under these keys, i.e., sends $c_i = E(k_i, m_i)$ for $i = 1..3$. Now the receiver inputs the index $i$ of the message he does not want to learn to the $\binom{3}{1}$-OT and learns all keys except $k_i$. Intuitively, the fact that the messages are sent only once (encrypted) should guarantee that the sender's choice of messages is uniquely defined. However, consider the following attack: the corrupt sender inputs $x^*_1 = (k_2, k^*)$ (instead of $x_1$) such that $D(k^*, c_3) = m^*_3$ with $m^*_3 \neq m_3$ and $m^*_3 \neq \bot$. This means that the receiver will see two different versions of $m_3$ depending on whether the receiver asked for the pair (2,3) or (1,3). (This attack is an example of input-dependence and is a clear breach of security since it cannot be simulated in the ideal world.) The attack described here is a very simplified version of an actual attack described by [Lam16] on the private set-intersection protocol of [DCW13]. A strong form of key-robustness for symmetric encryption is also used to prove the security of the OT protocol presented in [CO15].
Our contributions. We give simple and strong definitions of key-robustness for a number of symmetric primitives of interest. Starting with the work of Abdalla et al. [ABN10] and Farshim et al. [FLPQ13] (which studied the notion of (key-)robustness in the public-key setting) we develop appropriate notions for symmetric encryption, MACs, and PRFs. To the best of our knowledge this is the first attempt in this direction (we note that [Moh10] considers robustness and anonymity of hybrid encryption, but not for symmetric encryption directly). As briefly mentioned above, our notion also formalizes the non-existence of "unexpected collisions" in a cryptosystem over distinct keys, even when inputs (including keys) are maliciously generated.
We consider both notions where the adversary has control over the keys and notions where the keys are generated honestly. The strongest notion that we formulate is called complete robustness and allows an adversary to generate the keys used in the system. We show that whether the adversary is in control of the keys or not makes a significant difference, by giving separations between the notions. While previous work in the public-key setting also had to deal with adversarially generated keys that were also invalid, this is not an issue in our setting, since in the symmetric world keys are often bit-strings of some pre-specified length and can be easily checked for validity. By focusing on correctly formed keys we can show equivalence between complete robustness and a syntactically simpler notion, which we call full robustness.
By giving appropriate separating examples we show that AE security and strong unforgeability do not provide full robustness. Before building fully robust schemes, we first characterize the level of robustness that is enjoyed by AE-secure encryption and strongly unforgeable MACs. For MACs we prove that as long as the two keys are honestly generated and remain outside the view of the adversary, the scheme is robust in the presence of tag-generation and verification routines. Interestingly, AE-secure encryption schemes achieve a higher level of robustness where both keys are honestly generated, but one is provided to the adversary. Intuitively, this gap arises from the fact that the adversary against the MAC can still choose a message with respect to which a common tag should verify under two distinct keys, but in the encryption setting such an adversary is bound to ciphertexts that are random and outside its control. Unfortunately these weaker notions of security provide guarantees only if the keys are honestly and independently generated. Therefore no guarantees are provided in applications where the adversary completely controls the keys in the system (as in the OT example above), where encryption is performed using related keys, or when the scheme is used to encrypt key-dependent messages (KDM). Full robustness, on the other hand, would be sufficient in such settings.
We then show that full robustness composes well: any fully robust symmetric encryption scheme, when combined with a fully robust MAC, results in a fully robust AE scheme. Analogous composition results also hold for MAC-then-Encrypt and Encrypt-and-MAC. In these transformations, however, the length of the key doubles (since independent keys are used for encryption and MAC), while in practical AE schemes it is desirable to use a single key for both tasks. Using a single key for both the encryption and MAC components not only reduces storage, it increases security by relying only on the robustness of either of its components. (We emphasize, however, that AE security of the generically composed scheme with key reuse, although provable for some schemes, does not always hold.) We show that this can be avoided by modifying the Encrypt-then-MAC transform to also authenticate the encryption key. As long as the MAC component is both pseudorandom and collision-resistant, we show this transform gives a robust and AE-secure scheme. Simultaneous pseudorandomness and collision-resistance is an expected property of standard hash functions (and is met by the random oracle). This provides the most practical route to generically build robust encryption schemes. We caution, however, that not all MACs satisfy this requirement. In particular, we point out that CBC-MAC fails to be fully robust, even when one of two honestly generated keys is in the adversary's view.
We then ask if feasibility results for robustness in the public-key setting can be translated to the symmetric setting. This turns out not to be the case. The main reason for this is that in the asymmetric setting the public key can be used as a mechanism to commit to its associated secret key. In the symmetric case, on the other hand, there is no such public information. It might be tempting to think that one can just commit to the secret key and append it to the ciphertext. Unfortunately this approach cannot be proven secure due to a circular key-dependency between the encryption and the commitment components. To give a provably secure construction, we construct appropriate commitments that can be used in this setting. This requires a right-injective PRG, which can in turn be based on one-way permutations. This result relies on the one-time security of the MAC and its collision-resistance, which once again we base on right-injective PRGs.
We finally study constructions of collision-resistant and robust PRFs (which can be immediately converted to collision-resistant and robust MACs). We first show that any robust PRF can be converted into a fully collision-resistant PRF using a right-injective PRG and a parallel application of a pseudorandom permutation. Next we identify left/right collision-resistant (LRCR) PRGs as both a necessary and a sufficient assumption for building robust PRFs. In an LRCR PRG, no adversary should be able to find collisions over the left or right halves of the outputs of the PRG. We show that the GGM construction [Gol01] converts any LRCR PRG into a fully robust PRF. We then give an instantiation of left/right collision-resistant PRGs based on DDH to justify them in the standard model. The resulting PRG, however, is not GGM-friendly (as input and output spaces do not match). We show how to convert it into a GGM-friendly PRG via pairwise-independent permutations and regular collision-resistant hash functions. The first can be based on injective linear maps, while the latter can be based on claw-free permutations. Our work leaves open the task of constructing LRCR PRGs from generic assumptions such as one-way functions/permutations or collision resistance.

Preliminaries
Notation. We denote the security parameter by $\lambda \in \mathbb{N}$ and assume it is implicitly given to all algorithms in the unary representation $1^\lambda$. By an algorithm we mean a stateless Turing machine. Algorithms are randomized unless stated otherwise, and ppt as usual stands for "probabilistic polynomial-time" in the security parameter (rather than the total length of its inputs). Given a randomized algorithm $\mathcal{A}$ we denote the action of running $\mathcal{A}$ on input(s) $(1^\lambda, x_1, \ldots)$ with uniform random coins $r$ and assigning the output(s) to $(y_1, \ldots)$ by $(y_1, \ldots) \leftarrow\$ \mathcal{A}(1^\lambda, x_1, \ldots; r)$. For a finite set $S$, we denote its cardinality by $|S|$ and the action of sampling an element $x$ uniformly at random from $S$ by $x \leftarrow\$ S$. We define $[k] := \{1, \ldots, k\}$. A real-valued function $\varepsilon(\lambda)$ is negligible if $\varepsilon(\lambda) \in O(\lambda^{-\omega(1)})$. We denote the set of all negligible functions by Negl. Throughout the paper $\bot$ stands for a special error symbol. We use $\|$ to denote the concatenation of binary strings.
Pseudorandom generators. A pseudorandom generator PRG with domain $D$ and range $R$ is a deterministic algorithm that on input a point $x \in D$ outputs a value $y \in R$. We define the advantage of an adversary $\mathcal{A}$ against PRG as where the game $\mathrm{PRG}^{\mathcal{A}}_{\mathsf{PRG}}(\lambda)$ is shown in Figure 1 (top left). A PRG is secure if the above advantage function is negligible for every ppt adversary $\mathcal{A}$. In what follows, we assume $D$ and $R$ come with algorithms for sampling elements, which by slight abuse of notation we denote by $D(1^\lambda)$ and $R(1^\lambda)$. We allow for an arbitrary domain and range in this definition to allow for the analysis of our constructions later on.
Pseudorandom functions. A PRF is a pair of algorithms (Gen, PRF), where Gen is a randomized algorithm that on input the security parameter $1^\lambda$ generates a key $K$ in some key space $\mathcal{K}$. We will assume that this algorithm simply outputs a random key in $\{0,1\}^\lambda$. Algorithm PRF is deterministic and given $K$ as input and a point $x \in D$ outputs a value $y \in R$. We define the advantage of an adversary $\mathcal{A}$ against PRF as where game $\mathrm{PRF}^{\mathcal{A}}_{\mathsf{PRF}}(\lambda)$ is shown in Figure 1 (top right). A PRF is secure if the above advantage function is negligible for every ppt adversary $\mathcal{A}$.

Figure 1: Games defining the security of pseudorandom generators (top left), pseudorandom functions (top right), authenticated encryption (middle), and pseudorandom and strongly unforgeable message authentication codes (bottom). The PRF, AE, and $UF notions entail strong notions of key anonymity for each primitive. IND$ security is a weakening of AE security where the adversary is not allowed to call the decryption oracle. The standard strong unforgeability game omits the boxed statement from the Tag procedure.
Authenticated encryption. An authenticated encryption scheme AE is a triple of algorithms AE := (Gen, Enc, Dec) such that: (1) Gen($1^\lambda$) is the randomized key-generation algorithm that on input the security parameter $1^\lambda$ outputs a key $K$; (2) Enc($K, M; R$) is the randomized encryption algorithm that on input a key $K$, a plaintext $M$ and possibly random coins $R$ outputs a ciphertext $C$; (3) Dec($K, C$) is the deterministic decryption algorithm that on input a key $K$ and a ciphertext $C$ outputs a plaintext $M$ or the special error symbol $\bot$. We call a scheme AE (perfectly) correct (for message space $\{0,1\}^*$) if for all $\lambda \in \mathbb{N}$, all $K \leftarrow\$ \mathrm{Gen}(1^\lambda)$, all $M \in \{0,1\}^*$ and all $C \leftarrow\$ \mathrm{Enc}(K, M)$ we have that $\mathrm{Dec}(K, C) = M$. We define the advantage of an adversary $\mathcal{A}$ against AE as where game $\mathrm{AE}^{\mathcal{A}}_{\mathsf{AE}}(\lambda)$ is shown in Figure 1 (middle). An AE scheme is secure if the above advantage function is negligible for every ppt adversary $\mathcal{A}$. This is the standard definition of security for AE schemes [RS06, HK07]. An alternative security definition would come with a challenge oracle that on input two messages $(M_0, M_1)$ of the same length returns an encryption of $M_b$. This definition is weaker than AE security, as the latter already implies a strong form of anonymity due to the pseudorandomness of ciphertexts, whereas this is not necessarily the case for the left-right-based definition.

Message-authentication codes. A message-authentication code (MAC) is a triple of algorithms MAC := (Gen, Tag, Ver) defined as follows: (1) Gen($1^\lambda$) is the randomized key-generation algorithm that on input the security parameter $1^\lambda$ outputs a key $K$. (2) Tag($K, M; R$) is the randomized tagging algorithm that on input a key $K$, a plaintext $M$ and possibly random coins $R$ outputs a tag $T$. (3) Ver($K, M, T$) is the deterministic verification algorithm that on input a key $K$, a plaintext $M$ and a tag $T$ outputs a bit. We call a MAC scheme (perfectly) correct (for message space $\{0,1\}^*$) if for all $\lambda \in \mathbb{N}$, all $K \leftarrow\$ \mathrm{Gen}(1^\lambda)$, all $M \in \{0,1\}^*$ and all $T \leftarrow\$ \mathrm{Tag}(K, M)$ the verification is successful: $\mathrm{Ver}(K, M, T) = 1$. We define the advantage of an adversary $\mathcal{A}$ against a MAC as Figure 1. This game strengthens the standard strong unforgeability notion for MACs, which is shown in the same figure omitting the boxed statement, in a number of aspects. First, Ver outputs the error symbol only when the pair $(M, T)$ was generated via the Tag procedure, and therefore pseudorandom MACs are also strongly unforgeable. Second, the definition implies the tags are pseudorandom and hence they fully hide the messages and the keys that were used to generate them. Stated differently, pseudorandom MACs are both confidential and anonymous in the sense that they hide both the message and the key that is used to generate a tag. Finally, since Tag does not repeat $T$ for repeated messages, it implies a notion of unlinkability.
Feasibility of pseudorandom MACs. Given a PRF, consider scheme MAC whose key-generation algorithm is identical to that of the PRF and whose tag-generation and verification algorithms operate as We call such message authentication codes randomized MACs. It is straightforward to prove that this MAC satisfies our strong security notion for MACs given above.
Encrypt-then-MAC. Recall that in the Encrypt-then-MAC paradigm, one first encrypts a message $M$ and then authenticates the resulting ciphertext using a MAC. If the underlying encryption scheme AE in this transform is AE-secure without access to a decryption oracle (a.k.a. IND$ secure) and the MAC used is pseudorandom, the resulting encryption scheme is AE secure [BN08].

Definitions
Informally, in a robust scheme no unexpected collisions in the input/output behavior of the system exist. For instance, in the case of encryption no adversary should be able to compute a ciphertext that decrypts correctly under two distinct keys. This notion was first formulated in the asymmetric setting [ABN10, FLPQ13] and we adapt it to symmetric encryption, MACs, and PRFs in this section.
The work of [FLPQ13] refines and strengthens the original definitions of robustness [ABN10]. The central security notion introduced in [FLPQ13] is complete robustness (CROB), a notion that contains three sub-notions of full robustness (FROB), key-less robustness (KROB) and mixed robustness (XROB). These, roughly speaking, correspond to three possible ways of finding a colliding ciphertext using either the encryption or decryption algorithms of the scheme. That is, for some $K_1$, The last condition can be made stronger: one expects that $\mathrm{Enc}(K_1, M_1; R_1)$ would decrypt to $\bot$ under an unrelated key $K_2$. The middle check can also be made stronger by only checking that the outputs are both valid. We formalize the resulting notions next.
Robustness. We define the advantage of an adversary $\mathcal{A}$ in the CROB game against an encryption scheme AE as where game $\mathrm{CROB}^{\mathcal{A}}_{\mathsf{AE}}(\lambda)$ is shown in Figure 2 (top). Similarly, for a message authentication code MAC we define the advantage via the game shown in Figure 2 (bottom). Farshim et al. [FLPQ13] give pair-wise separations among the three sub-notions mentioned above, showing they are all incomparable and hence should be (implicitly) included in the CROB notion. Some of these separations use invalid keys, as key pairs in the public-key setting cannot necessarily be checked for validity. This issue disappears in our setting as the key space is $\{0,1\}^k$, a set which is trivially checkable for validity. This fact simplifies the relations among notions (which we study in detail in Appendix A). Analogues of the FROB notion [FLPQ13] for AE and MAC turn out to be equivalent to our strongest notions above. We formalize FROB in Figure 3 (left) for AE and (middle) for MACs, and summarize this discussion in Theorem 1. Figure 3 (right) also includes our definition of robustness for PRFs with advantage function

Figure 3: Games defining full robustness for a symmetric encryption scheme AE (left), a message authentication code MAC (middle) and a pseudorandom function PRF (right).
As we shall see, from a foundational perspective, robust PRFs underlie feasibility of robustness for many symmetric primitives.
Collision resistance. Complete robustness strengthens to unkeyed collision resistance when the case $K_1 = K_2$ is not ruled out. For MACs, (unkeyed) collision-resistance states that it should be hard to come up with ( . The standard notion of keyed collision resistance, on the other hand, imposes that the keys are equal,

Proof. The proof is simple and we give an example for one case. Suppose that adversary $\mathcal{A}$ wins the CROB game by finding a collision between the outputs of encryption. In other words $\mathcal{A}$ finds $(K_1, M_1, R_1, K_2, M_2, R_2)$ such that: This means that $K_1$ and $K_2$ are valid. Now consider an FROB adversary that computes $C := \mathrm{Enc}(K_1, M_1; R_1)$ and outputs $(C, K_1, K_2)$. By the perfect correctness of the scheme for valid keys it must be the case that $\mathrm{Dec}(K_1, C) = M_1$ and $\mathrm{Dec}(K_2, C) = M_2$, which wins the FROB game.
Other cases are dealt with similarly, by either computing a colliding ciphertext using Enc or a colliding tag using Tag. We provide the details in Appendix A.
Throughout the paper we assume that keys are checkable for validity and that they are indeed checked for validity in all algorithms. Hence we will only use FROB security to establish CROB security in the subsequent sections. We limit our study to schemes that have perfect correctness (as defined under syntax). Correctness with all but negligible probability would allow for artificial attacks and separations. As an example, consider an encryption scheme that, when invoked with a special random tape, computes the identity function. This is allowed, since the probability of hitting that random tape is negligible, and at the same time it gives an easy way to break robustness.

Robustness, AE Security, and Unforgeability
We show that standard AE-secure encryption schemes offer a basic level of resilience against incorrect usage of keys. The level of robustness offered corresponds to a setting where the adversary does not get to choose any keys. Instead, two keys are honestly generated and the adversary is given oracle access to the encryption and decryption algorithms under both keys. The notion for MACs is similar, where oracle access to the tag-generation and verification algorithms under honestly generated keys is provided to the adversary. These notions, which we call strong robustness (SROB), are shown in Figure 6 (without boxed variables). This nomenclature follows the original notion of strong robustness by Abdalla et al. [ABN10]. We also define semi-full robustness (SFROB) as the notion where the adversary gets to see one of the keys (as shown in Figure 6 with boxed variables).

Figure 6 (SFROB)

Moreover, for any adversary $\mathcal{A}$ against the SROB-security of the MAC there is an adversary $\mathcal{B}$ against the SUF-security of the scheme such that Furthermore, there exists a pseudorandom MAC that is not SFROB-secure.
Proof. First, we prove the implication from AE security to SFROB. Let $G_0$ be the SFROB game. We assume without loss of generality that the adversary in $G_0$ never queries the Enc(2, ·) and Dec(2, ·) oracles, as it has access to $K_2$, and that it never queries an output of Enc(1, ·) to Dec(1, ·), as it already knows the answer.
In $G_1$ we modify the winning condition of $G_0$ as follows. When the adversary returns a ciphertext $C$, instead of checking that $\mathrm{Dec}(C, K_1) \neq \bot$ and $\mathrm{Dec}(C, K_2) \neq \bot$, the game checks if $C$ was one of the ciphertexts returned from the Enc(1, ·) oracle and that $\mathrm{Dec}(C, K_2) \neq \bot$. The games $G_0$ and $G_1$ are identical unless $\mathcal{A}$ outputs a ciphertext $C$ that was not obtained from the Enc(1, ·) oracle but decrypts correctly (call this event E). We bound the probability of E via the AE game as follows. For any distinguishing $\mathcal{A}$, we define an algorithm $\mathcal{B}$ that picks a random key $K_2$, runs $\mathcal{A}(K_2)$, and answers its queries using its own equivalent pair of oracles. When $\mathcal{A}$ terminates with $C$, algorithm $\mathcal{B}$ queries $C$ to its decryption oracle to get $M_1$ and also computes $M_2 \leftarrow \mathrm{Dec}(C, K_2)$. It returns $(M_1 \neq \bot \wedge M_2 \neq \bot)$. If $\mathcal{B}$'s decryption oracle is fake and implements $\bot$, algorithm $\mathcal{B}$ will always return 0. If $\mathcal{B}$'s decryption oracle is real, algorithm $\mathcal{B}$ runs $\mathcal{A}$ according to the environment of $G_0$ and $G_1$, and will output 1 whenever E happens. Hence the probability of E is bounded by the AE advantage of $\mathcal{B}$. In $G_2$ we replace Enc(1, ·) and Dec(1, ·) with the $\$$ and $\bot$ procedures respectively. (As in $G_1$ we still use the list of ciphertexts and $K_2$ for the winning condition.) The distance between $G_1$ and $G_2$ can be bounded via the AE game as follows. Consider an AE adversary $\mathcal{B}$ that generates an independent key $K_2$ and runs a distinguishing adversary $\mathcal{A}(K_2)$. Algorithm $\mathcal{B}$ answers $\mathcal{A}$'s oracle queries using the oracles provided to it. When $\mathcal{A}$ terminates with a ciphertext $C$, algorithm $\mathcal{B}$ performs the winning check and outputs its result. Algorithm $\mathcal{B}$ runs $\mathcal{A}$ with respect to the real or replaced procedures according to the real or fake procedures that it gets. The output of $\mathcal{B}$ is identical to that of $\mathcal{A}$ in the two games. Hence the distance between $G_1$ and $G_2$ is bounded by the AE advantage of $\mathcal{B}$. In $G_2$, the adversary has essentially no control over $C$ and we show its advantage is small. For this we will rely on the AE game once more (but now implicitly with respect to the second key).
$G_2$ can only be won if $\mathrm{Dec}(K_2, C) \neq \bot$ for at least one of the $q$ distinct random strings $C$ obtained from the $\$$ oracle. Consider an AE adversary $\mathcal{B}$ that generates $q$ such random $C$, queries them to its Dec oracle and outputs 1 if and only if one of the answers is non-$\bot$. Adversary $\mathcal{B}$ always outputs 0 when the oracle implements $\bot$. On the other hand, when the oracle implements the real decryption routine, the probability of $\mathcal{B}$ outputting 1 is exactly the probability that $\mathrm{Dec}(K_2, C) \neq \bot$ for one of the random $C$ and key $K_2$. This means $\Pr[G_2^{\mathcal{A}}] \leq \mathrm{Adv}^{\mathrm{ae}}_{\mathsf{AE},\mathcal{B}}(\lambda)$. The first part of the theorem follows from the last (in)equalities.
We now prove the second part of Theorem 2. We first note that via a simple hybrid argument, unforgeability with respect to two keys reduces to unforgeability with respect to a single key with a factor-2 loss in advantage. We also assume, without loss of generality, that an adversary in $G_0 :=$ SROB does not query Ver on any $(i, M, T)$ where $T$ is an output of Tag($i, M$); the answer is always 1 for such queries.
In $G_1$ we replace the Ver(1, ·, ·) and Ver(2, ·, ·) procedures with the $\bot$ procedure. We also replace the computation of $\mathrm{Ver}(K_i, T, M)$ for $i = 1, 2$ in the winning condition with 0 unless $T$ was output by both the Tag(1, ·) and Tag(2, ·) procedures. Hence $G_0$ and $G_1$ are identical unless $\mathcal{A}$ outputs a tag $T$ that was not output by both tag-generation oracles and yet verifies under both keys. Call this event E. The probability of event E can be bounded via the (single-key) SUF game as follows. Algorithm $\mathcal{B}$ generates a key $K_2$. It uses its own oracles and $K_2$ to simulate the oracles for $\mathcal{A}$. When $\mathcal{A}$ terminates with $(T, M_1, M_2)$, algorithm $\mathcal{B}$ queries $(T, M_1)$ to its verification oracle and returns 1 iff the result was not 0. Algorithm $\mathcal{B}$ will always output 0 when the oracle is 0 (i.e., when it is fake). If its oracles are real, $\mathcal{B}$ runs $\mathcal{A}$ according to the environments of $G_0$ and $G_1$, and whenever E happens it returns 1. Hence the probability of E is bounded by the SUF advantage of $\mathcal{B}$. The advantage of any adversary $\mathcal{A}$ in $G_1$ can be bounded, once again, by the two-key SUF game as follows. Algorithm $\mathcal{B}$ runs $\mathcal{A}$ and answers its oracle queries using its own oracles. When $\mathcal{A}$ terminates with $(T, M_1, M_2)$, algorithm $\mathcal{B}$ checks for which $i$ this tag was not obtained from Tag($i$, ·) (if both, it chooses either $i$). Algorithm $\mathcal{B}$ then queries Ver($i, T, M_i$) and returns 1 iff the result is not 0. Note that $\mathcal{B}$ never outputs 1 when its oracles are fake. However, when its oracles are real, $\mathcal{B}$ runs $\mathcal{A}$ according to the rules of $G_1$ and returns 1 whenever $\mathcal{A}$ wins. Hence, $\Pr[G_2^{\mathcal{A}}] \leq 2 \cdot \mathrm{Adv}^{\mathrm{suf}}_{\mathsf{MAC},\mathcal{B}}(\lambda)$. The second part of the theorem follows.
Interestingly, MAC security (including pseudorandomness) does not imply SFROB security for MACs. (And the above theorem is, in a sense, "sharp.") Indeed, given a pseudorandom MAC consider a modified scheme whose verification procedure on input $M = K$ and any tag always passes. This MAC can still be shown to be pseudorandom (without access to $K$), but fails to be SFROB as any tag $T$ obtained under $K_1$ for, say, message 0 would also be valid with respect to $K_2$ if the message is $M_2 := K_2$. Note, however, that since any AE scheme is a pseudorandom MAC, the result for AE schemes shows SFROB-secure MACs can be built via authenticated encryption.
In the above proof we showed that for MACs, SROB is strictly weaker than SFROB, and hence it is also weaker than CROB. We next prove that SFROB is weaker than CROB for AE schemes. We show the stronger result that not all AE schemes, even those obtained via Encrypt-then-MAC, are CROB.

Proposition 1. There exists an authenticated encryption scheme obtained via the Encrypt-then-MAC transform that is not CROB secure (but is SFROB secure as shown in Theorem 2).
Proof. Consider any symmetric encryption scheme whose decryption algorithm never outputs $\bot$. (A natural example is a scheme whose encryption algorithm evaluates a PRF at a random point and masks the message with the result: $\mathrm{Enc}(K_e, M; R) := R \,\|\, \mathrm{PRF}(K_e, R) \oplus M$.) Then the AE scheme obtained by applying the EtM transform using such an encryption scheme and any MAC (even a robust one) will not be CROB secure. For a random MAC key $K_m$ and random and distinct encryption keys $K_{e1}, K_{e2}$, consider an attacker that computes $C \leftarrow\$ \mathrm{Enc}(K_{e1}, 0)$ and $T \leftarrow\$ \mathrm{Tag}(K_m, C)$ and outputs $((C\|T), (K_{e1}\|K_m), (K_{e2}\|K_m))$. The ciphertext $(C\|T)$ will decrypt to a valid message under the distinct keys $(K_{e1}\|K_m)$ and $(K_{e2}\|K_m)$, as the tag $T$ is always checked against $K_m$ and the base encryption scheme does not have invalid ciphertexts.
The attack described above applies against authenticated encryption schemes that follow the EtM transform and use independent keys for the encryption and MAC components. If the same key is used for both the encryption and authentication components (and assuming the AE security of the composed construction), the above attack no longer works. Artificial counterexamples, however, still exist. As before, consider a MAC that verifies whenever $M = K$, irrespective of the input tag. Such a MAC, when combined with any encryption scheme whose decryption never returns $\bot$, gives rise to a separating example between CROB and SFROB for AE schemes. Here the attacker gets $K_2$, sets $C := K_2$, computes a tag $T = \mathrm{Tag}(K_1, C)$ and outputs $((C\|T), K_1, K_2)$. Now the verification of $T$ for $C$ with $K_1$ always passes. It also passes with respect to $K_2$, since $K_2 = C$. Since Dec never outputs $\bot$ in the base scheme, $C$ also decrypts under both keys.
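The separation of Proposition 1, together with the FROB winning condition from the Definitions section, as an added Python example that is not part of the paper: the base scheme is the paper's PRF-masked encryption Enc(K_e, M; R) := R || PRF(K_e, R) ⊕ M, composed via Encrypt-then-MAC with independent keys, and a second variant additionally feeds the encryption key into the MAC, modelling the key-authenticating EtM transform mentioned in the introduction. HMAC-SHA256 standing in for both the PRF and the MAC, 16-byte keys, the MAC input K_e || C for the variant and the helper name `frob_wins` are all assumptions of this example.

```python
"""Added example (not from the paper): Encrypt-then-MAC over a base scheme
whose decryption never fails, and why the composition is not FROB/CROB secure.

Assumptions of this example: HMAC-SHA256 plays the role of the PRF used by the
base encryption and of the MAC; keys are 16-byte strings; a composite AE key is
the pair (K_e, K_m); None plays the role of the error symbol bot."""
import hashlib
import hmac
import os

KEYLEN = 16   # length of K_e, K_m and of the random coins R (assumed)
TAGLEN = 32   # HMAC-SHA256 output length


def prf(key: bytes, x: bytes) -> bytes:
    """PRF(K, x), instantiated as HMAC-SHA256 (assumption of this example)."""
    return hmac.new(key, x, hashlib.sha256).digest()


def keystream(ke: bytes, r: bytes, n: int) -> bytes:
    """Expand PRF(K_e, R) to n bytes by appending a block counter to R."""
    out = b""
    ctr = 0
    while len(out) < n:
        out += prf(ke, r + ctr.to_bytes(4, "big"))
        ctr += 1
    return out[:n]


def enc_base(ke: bytes, m: bytes, r=None) -> bytes:
    """The paper's base scheme: Enc(K_e, M; R) := R || PRF(K_e, R) xor M."""
    r = os.urandom(KEYLEN) if r is None else r
    return r + bytes(a ^ b for a, b in zip(keystream(ke, r, len(m)), m))


def dec_base(ke: bytes, c: bytes) -> bytes:
    """Decryption of the base scheme. It never returns bot: whatever the key,
    the string after R is simply unmasked, so every ciphertext is 'valid'."""
    r, body = c[:KEYLEN], c[KEYLEN:]
    return bytes(a ^ b for a, b in zip(keystream(ke, r, len(body)), body))


# --- Encrypt-then-MAC with independent keys (the scheme of Proposition 1) ---

def etm_enc(ke: bytes, km: bytes, m: bytes) -> bytes:
    c = enc_base(ke, m)
    return c + prf(km, c)            # the tag covers the ciphertext only


def etm_dec(ke: bytes, km: bytes, ct: bytes):
    c, t = ct[:-TAGLEN], ct[-TAGLEN:]
    if not hmac.compare_digest(prf(km, c), t):
        return None                  # bot: tag does not verify under K_m
    return dec_base(ke, c)           # K_e is never checked by anything


# --- Variant: the tag also authenticates the encryption key ---
# Models the modified EtM transform from the introduction; MAC over (K_e || C)
# is this example's concrete choice, not a construction taken from the paper.

def etmk_enc(ke: bytes, km: bytes, m: bytes) -> bytes:
    c = enc_base(ke, m)
    return c + prf(km, ke + c)


def etmk_dec(ke: bytes, km: bytes, ct: bytes):
    c, t = ct[:-TAGLEN], ct[-TAGLEN:]
    if not hmac.compare_digest(prf(km, ke + c), t):
        return None                  # a different K_e changes the MAC input
    return dec_base(ke, c)


def frob_wins(dec, ct: bytes, k1: tuple, k2: tuple) -> bool:
    """FROB winning condition: two distinct keys under both of which the
    ciphertext decrypts to a valid (non-bot) message."""
    return k1 != k2 and dec(*k1, ct) is not None and dec(*k2, ct) is not None


def demo(km: bytes = b"\x01" * KEYLEN,
         ke1: bytes = b"\x02" * KEYLEN,
         ke2: bytes = b"\x03" * KEYLEN) -> tuple:
    """Run the adversary of Proposition 1 against both variants (constructed
    keys). Returns (plain EtM broken?, key-binding variant broken by it?)."""
    ct = etm_enc(ke1, km, b"\x00" * 8)                      # C || T under (K_e1, K_m)
    plain = frob_wins(etm_dec, ct, (ke1, km), (ke2, km))    # True: T checks under K_m alone
    ctk = etmk_enc(ke1, km, b"\x00" * 8)
    bound = frob_wins(etmk_dec, ctk, (ke1, km), (ke2, km))  # False: the tag pins K_e1
    return plain, bound


if __name__ == "__main__":
    broken, still_broken = demo()
    print("EtM with independent keys, FROB adversary wins:", broken)
    print("EtM with K_e under the tag, same adversary wins:", still_broken)
```

A False result for the variant only rules out this particular adversary; the paper's positive result for the key-authenticating transform rests on the MAC being both pseudorandom and collision-resistant.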

Constructions
We now prove two positive results for obtaining robust encryption through generic composition.

Theorem 3 (Robustness for generic composition). The AE schemes obtained through either Encrypt-then-MAC (EtM), Encrypt-and-MAC (EaM), or MAC-then-Encrypt (MtE) (with independent keys) are CROB secure as long as their encryption and MAC components are CROB secure. Moreover, the AE scheme obtained through EtM, EaM or MtE when reusing the same key for encryption and authentication is CROB secure as long as either the encryption or the MAC component is CROB secure.
Proof. We provide the proofs for the three cases separately.
EtM composition. Suppose a CROB adversary A outputs a tuple ((C||T), (K_e1||K_m1), (K_e2||K_m2)) winning the CROB game against the generically composed scheme with distinct keys. Since (K_e1, K_m1) ≠ (K_e2, K_m2) there are two possibilities to consider. Case K_e1 ≠ K_e2: then (C, K_e1, K_e2) wins the CROB game against encryption, as C would have to decrypt correctly with respect to both keys for A to be successful.
Case K_m1 ≠ K_m2: then (T, K_m1, C, K_m2, C) wins the CROB game for MAC, as T would have to be a valid tag with respect to C and two distinct keys.
EaM composition. Suppose a CROB adversary A outputs a tuple ((C||T), (K_e1||K_m1), (K_e2||K_m2)) winning the CROB game against the EaM generically composed scheme with distinct keys. Since (K_e1, K_m1) ≠ (K_e2, K_m2), as for the EtM transform: (1) if K_e1 ≠ K_e2, then (C, K_e1, K_e2) wins the CROB game against encryption, as C would have to decrypt correctly with respect to both keys for A to be successful; (2) otherwise let M_1 ← Dec(K_e1, C) and M_2 ← Dec(K_e2, C); when K_m1 ≠ K_m2, then (T, K_m1, M_1, K_m2, M_2) wins the CROB game for MAC, as T would have to be a valid tag with respect to M_1, M_2 and both keys for A to be successful. Thus for adversaries B_1 and B_2, the advantage of A can be bounded as Adv^crob_{EaM,A}(λ) ≤ Adv^crob_{AE,B1}(λ) + Adv^crob_{MAC,B2}(λ). When the keys are reused, the same argument as in the previous case applies.
MtE composition. Let a CROB adversary A output a tuple (C, (K_e1||K_m1), (K_e2||K_m2)) winning the CROB game against the MtE generically composed scheme with distinct keys. Since (K_e1, K_m1) ≠ (K_e2, K_m2), as for the EtM transform: (1) if K_e1 ≠ K_e2, then (C, K_e1, K_e2) wins the CROB game against encryption, as C would have to decrypt correctly with respect to both keys for A to be successful. Thus we assume K_e1 = K_e2 and let (M||T) ← Dec(K_e1, C); (2) when K_m1 ≠ K_m2, then (T, K_m1, M, K_m2, M) wins the CROB game for MAC, as T would have to be a valid tag with respect to M and both keys for A to be successful. (Note that the same tag is obtained after decryption.) Therefore for adversaries B_1 and B_2 the advantage of A is bounded as Adv^crob_{MtE,A}(λ) ≤ Adv^crob_{AE,B1}(λ) + Adv^crob_{MAC,B2}(λ). When the keys are reused, the same argument as in the first case applies.
Some CAESAR candidates follow the generic composition paradigm but incorporate various optimizations to reduce computation, bandwidth and keying material. This means that a strategy similar to Theorem 3 can be used to carry out robustness proofs for them. We leave a provable security treatment of the robustness of the CAESAR candidates to future work.
To instantiate the components in Theorem 3, we start by observing that randomizing a CROB-secure PRF gives a pseudorandom MAC that is CROB secure. Indeed, a successful CROB adversary against this randomized PRF outputs a tuple (T, An analogous route for directly building a CROB-secure encryption scheme from a CROB-secure PRF does not go through, as the decryption algorithm of such schemes would never return ⊥. However, by using a common PRF in both the encryption and MAC components we can safely reuse the keys across encryption and MAC. More precisely, given a CROB-secure PRF, the following scheme is both CROB and AE secure By our theorem above, this scheme is CROB as long as the PRF is CROB. An alternative and practical route for achieving robustness makes use of a random oracle to instantiate the MAC, as it can easily be shown to be CROB and also allows secure reuse of keys with any scheme. The above raises the question of whether robustness can be achieved without key reuse or random oracles. Such an approach is sometimes recommended as it allows for modular proofs of AE security. Below we give a transform akin to EtM that also authenticates the encryption key and which results in a scheme that is both AE and CROB secure. We give the details of the transform in

Proof. For CROB, consider an adversary that outputs ((C||T), (K_e||K_m), (K'_e||K'_m)) such that (C||T) decrypts to valid messages under both keys. Then the tag T must also verify under both K_m and K'_m. This, however, constitutes an attack on the collision resistance of MAC unless K_m = K'_m and K_e = K'_e. For AE security, we follow the standard path as follows. Let G_0 be the AE game with the real procedures. In G_1 we replace the tag T computed in the Enc procedure with a random bit string, and also replace the Dec procedure with the ⊥ procedure. We can bound the difference between G_0 and G_1 using a direct reduction to the pseudorandomness of MAC: .
In G_2 we replace the ciphertext components in the outputs of the Enc procedure with random strings. Again, using a reduction to the IND$ security of AE we can bound the difference between games G_1 and G_2: . Finally note that G_2 is the AE game with the fake procedures, which translates to:
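The following Python is an added illustration, not code from the paper: it replays the Proposition 1 adversary against plain EtM over the PRF-masking scheme Enc(K_e, M; R) := R||PRF(K_e, R) ⊕ M, where the same (C||T) decrypts to a valid message under two distinct keys, and contrasts it with an EtM variant whose tag also covers K_e, one concrete reading of the key-authenticating transform described above. HMAC-SHA256 as the PRF, the tag input C||K_e, the nonce length and the key values are all assumptions made here.

```python
import hashlib
import hmac
import os

R_LEN = 16   # nonce length in bytes (assumed parameter)
T_LEN = 32   # tag length: HMAC-SHA256 output


def prf(key: bytes, x: bytes) -> bytes:
    """PRF instantiated as HMAC-SHA256 (an assumption; the paper's PRF is abstract)."""
    return hmac.new(key, x, hashlib.sha256).digest()


def enc(k_e: bytes, m: bytes, r=None) -> bytes:
    """Enc(K_e, M; R) := R || PRF(K_e, R) xor M, for messages of at most 32 bytes."""
    assert len(m) <= T_LEN
    r = os.urandom(R_LEN) if r is None else r
    pad = prf(k_e, r)[:len(m)]
    return r + bytes(a ^ b for a, b in zip(pad, m))


def dec(k_e: bytes, c: bytes) -> bytes:
    """Decryption never outputs ⊥: every string R||X is a valid ciphertext."""
    r, body = c[:R_LEN], c[R_LEN:]
    pad = prf(k_e, r)[:len(body)]
    return bytes(a ^ b for a, b in zip(pad, body))


def etm_enc(k_e: bytes, k_m: bytes, m: bytes) -> bytes:
    """Plain EtM with independent keys: the tag T = Tag(K_m, C) covers C only."""
    c = enc(k_e, m)
    return c + prf(k_m, c)


def etm_dec(k_e: bytes, k_m: bytes, ct: bytes):
    c, t = ct[:-T_LEN], ct[-T_LEN:]
    if not hmac.compare_digest(t, prf(k_m, c)):
        return None  # ⊥
    return dec(k_e, c)


def kc_enc(k_e: bytes, k_m: bytes, m: bytes) -> bytes:
    """EtM variant that also authenticates the encryption key: T = Tag(K_m, C||K_e).
    Assumed rendering of the key-authenticating transform, not the paper's figure."""
    c = enc(k_e, m)
    return c + prf(k_m, c + k_e)


def kc_dec(k_e: bytes, k_m: bytes, ct: bytes):
    c, t = ct[:-T_LEN], ct[-T_LEN:]
    if not hmac.compare_digest(t, prf(k_m, c + k_e)):
        return None  # ⊥: the tag commits to K_e, so a second K_e fails
    return dec(k_e, c)


def crob_witness(compose_enc, compose_dec, k_e1: bytes, k_e2: bytes, k_m: bytes):
    """Proposition 1 adversary: encrypt the all-zero message under (K_e1||K_m) and
    decrypt the same (C||T) under (K_e1||K_m) and (K_e2||K_m). Returns both results;
    a second result other than None (⊥) is a CROB break for the composition."""
    ct = compose_enc(k_e1, k_m, b"\x00" * 8)
    return compose_dec(k_e1, k_m, ct), compose_dec(k_e2, k_m, ct)


# Constructed keys for a reproducible demonstration (not from the paper).
K_E1 = bytes.fromhex("00" * 15 + "01")
K_E2 = bytes.fromhex("00" * 15 + "02")
K_M = bytes.fromhex("aa" * 16)

if __name__ == "__main__":
    m1, m2 = crob_witness(etm_enc, etm_dec, K_E1, K_E2, K_M)
    print("plain EtM   :", m1.hex(), "and", m2.hex() if m2 is not None else "⊥")
    n1, n2 = crob_witness(kc_enc, kc_dec, K_E1, K_E2, K_M)
    print("key-auth EtM:", n1.hex(), "and", n2.hex() if n2 is not None else "⊥")
```

Under plain EtM the second decryption yields a (different) valid message, exactly the CROB break of Proposition 1; under the key-authenticating variant it yields ⊥.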

The symmetric ABN transform
The starting point for our second construction is the transform introduced by Abdalla et al. [ABN10] (henceforth, the ABN transform) to convert any PKE scheme into one that is also completely robust, as shown in [FLPQ13]. Roughly speaking, in the ABN transform one commits to the public key during encryption, encrypts the decommitment along with the plaintext, and includes the commitment as part of the ciphertext. The commitment is then checked against the public key in the decryption algorithm. The transform is shown in Figure 8. ABN relies on a commitment scheme (CPG, Com, Ver) and operates in the CRS model via a common parameter-generation algorithm CPG. We ask if an analogue of ABN, perhaps in the CRS model, can also be formulated for symmetric encryption. In this setting there is no public key, and a natural alternative would be to commit to the secret key instead. This, however, results in a key-dependent message being encrypted, as the decommitment dec is computed based on the encryption key K. Furthermore, the commitment string com must be pseudorandom to achieve AE security.
One can attempt to repair the ABN transform as follows. First, use a commitment scheme with pseudorandom commitments. Any collision-resistant PRF is equivalent to such a commitment scheme, where crs = ε (assuming the PRF does not use a CRS) and Com(M||K) outputs (PRF(K, M), K) as the (com, dec) pair. The verification algorithm simply checks the commitment by recomputing the PRF using K and M. This scheme is computationally hiding down to the pseudorandomness of PRF. Furthermore, it is computationally binding down to its collision resistance. This technique still does not resolve the key-dependency issue. Although in this scheme the decommitment string is simply a random PRF key independent of the encryption key, a circular dependency between the encryption key and the PRF key exists which prevents a proof from going through. (Recall that in the public-key setting this issue does not arise, as the public key is a key-dependent value that is available "for free.") To fix these issues we compute a string that acts as a "public labeling" of the encryption key, and which does not hurt the security of the scheme. We first expand K using a PRG, use its left half in encryption, and commit to its right half as the public labeling. For this, we must however ensure that different keys always give rise to different public labelings. This can be achieved if the PRG is collision resistant (for example injective) on the right half of its outputs. Such PRGs can be based on one-way permutations via Yao's transform [Yao82]. Indeed, assuming π is a one-way permutation and HC is a hardcore predicate for it [GL89], we get a right-injective PRG via PRG(x) := HC(x)||HC(π(x))|| . . . ||HC(π^{|x|−1}(x))||π^{|x|}(x).
Observe that the last part of this PRG is a permutation, which provides the required injectivity. This results in the transform shown in Figure 9.

Proof. Suppose that an adversary computes a ciphertext (C||T) that decrypts correctly under two keys K_e ≠ K'_e. The fact that K_e ≠ K'_e together with the right collision resistance of PRG implies that K^2_e ≠ K'^2_e. This can then be used to break the collision resistance of MAC using the pair (K_m, (C||K^2_e)) and (K'_m, (C||K'^2_e)), where K_m and K'_m are computed by decrypting C using the left halves K^1_e and K'^1_e of the PRG outputs, respectively. AE security can be proven in the standard way as follows. Let G_0 be the AE game with respect to the real encryption and decryption oracles. In G_1 we replace the outputs of the PRG with truly random bit strings. This transition can be justified using the security of PRG: . In G_2 we replace T with random tags and decryption with the ⊥ oracle. A direct reduction to the $UF security of the MAC can be used to bound this transition: In G_3 we replace C with random strings via the IND$ security of the AE. Now note that G_3 corresponds to the AE game with respect to the fake encryption and decryption oracles: One advantage of the second transform is that it only relies on the pseudorandomness of MAC with freshly generated keys. This in turn allows for a simple instantiation of it. For a right collision-resistant PRG, let Then we compute a MAC on a (hashed) message M with |M| = 1 as: The collision resistance of this MAC follows from the fact that the right (and collision-resistant) half of PRG is output in the clear.

Robust and Collision-Resistant PRFs
We now turn to the problem of constructing robust and collision-resistant PRFs. For practical purposes, it is a reasonable assumption that a keyed hash function acts as a PRF when used with a random and unknown key, and is also an unkeyed collision-resistant function. Hence, a practical hash function can be used to instantiate the transformations in the previous section. We ask if collision-resistant PRFs can be based on simpler assumptions in the standard model. One method to immediately obtain collision-resistant PRFs would be to use combiners. Roughly speaking, a hash function combiner is a transform that takes two (or more) hash functions as input and outputs a hash function that is secure if either input hash function is secure. For example, concatenation is a combiner for collision resistance. Fischlin et al. [FLP14] give a multi-property combiner for hash functions that is able to simultaneously preserve multiple security properties of the input hash functions, including collision resistance and pseudorandomness. This raises an alternative route to obtaining collision-resistant/robust PRFs based on multi-property hash combiners. The construction of Fischlin et al. [FLP14], however, considers keyed collision resistance, which is not sufficient for our purposes. Furthermore, a modification to unkeyed hash functions results in key-dependency issues (somewhat similar to the ABN transform) which then prevent a security proof.
Our first result is a simple transform that converts any CROB-secure PRF into a fully collision-resistant PRF. In this transform, which is shown in Figure 10, we use a length-doubling PRG that is collision resistant on the right half of its output. We expand a key K to (K_1||K_2) via the PRG, use K_2 in a key-injective PRF and K_1 in a pseudorandom permutation to guarantee collision resistance over both keys and inputs. A key-injective PRF [CMR98,Fis99] is a weakening of FROB where it is required that M_1 = M_2, i.e., it should be infeasible to find K_1 ≠ K_2 such that PRF(K_1, M) = PRF(K_2, M). We will also use a pseudorandom permutation PRP to ensure injectivity over messages.

Proposition 2. The PRF construction in Figure 10 is collision-resistant (and in particular CROB) if the underlying PRF is key-injective and the PRG is right collision-resistant. Furthermore, the construction is PRF secure if the PRG, PRF, and PRP are secure.
Proof. We first prove collision resistance. Suppose an adversary outputs (K, M) ≠ (K', M') such that PRF(K, M) = PRF(K', M'). Let (K_1, K_2) ← PRG(K) and (K'_1, K'_2) ← PRG(K'). Then by construction: This means that the adversary breaks the assumed key-injectivity property of the PRF unless K_2 = K'_2 (note that the PRF is run on the same input). But K_2 = K'_2 implies that we also have K = K', as otherwise the adversary would break the right collision-resistance property of the PRG. This, however, means that K_1 = K'_1. Now since PRP is a permutation under this key, collisions can only occur if M = M'. This, however, contradicts the assumption that (K, M) ≠ (K', M').
The proof of PRF security is standard and proceeds as follows. G_1: This is the PRF experiment with b = 0, where the outputs are computed using the PRF. G_2: In this game, instead of the outputs of PRG we use random and independent K_1 and K_2. The distance to the previous game can be bounded via the security of PRG. This step decouples the two keys.

We now prove that the key-injective PRF used above can be based on length-doubling PRGs that achieve collision resistance on both the left and the right halves of their outputs. That is, when for any efficient A the probability is negligible. We call such a PRG left-right collision-resistant (LRCR). The next lemma, building on results from [CMR98,Fis99], shows that the GGM construction [GGM86] when instantiated with an LRCR-secure PRG is key-injective. Recall that the GGM construction defines a PRF as where M_i denotes the i-th bit of M, PRG_0(K) the left half of the output of PRG(K) and PRG_1(K) its right half. The difference with [CMR98,Fis99] is that we do not rely on a CRS (a.k.a. tribe-key) but instead on the stronger LRCR security of the PRG. In the first case a collision is found and we are done. In the second case we look at y^{n−2}_1 and y^{n−2}_2, and so on. If we reach y^1_1 and y^1_2 and a collision is yet to be found then, since K_1 ≠ K_2, this is the collision for the PRG.
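The walk-back argument of the key-injectivity proof above, as an added example that is not part of the paper: a GGM PRF over a SHA-256-based length-doubling PRG (an assumed instantiation), together with a reduction that, given K_1 ≠ K_2 and M with PRF(K_1, M) = PRF(K_2, M), walks the two chains y^0, ..., y^n back from the top to the first level where the inputs differ but the outputs agree, which is a collision on one half of the PRG. Since no such collision can be found for the real PRG, the demonstration plants one (constructed and labelled as such) so the extraction has something to return.

```python
import hashlib

HALF = 16  # seed length and length of each output half, in bytes

# Constructed for the demo only: seeds listed here copy the output of another
# seed, i.e. a planted PRG collision. A real PRG has no such table.
PLANTED_ALIASES = {}


def prg(seed: bytes) -> bytes:
    """Length-doubling PRG: 16-byte seed -> 32 bytes (left || right).
    Assumed SHA-256 instantiation; the paper only requires LRCR security."""
    seed = PLANTED_ALIASES.get(seed, seed)
    return hashlib.sha256(b"GGM-PRG|" + seed).digest()


def prg_half(seed: bytes, bit: int) -> bytes:
    """PRG_0 = left half, PRG_1 = right half of PRG(seed)."""
    out = prg(seed)
    return out[:HALF] if bit == 0 else out[HALF:]


def msg_bits(msg: bytes):
    """M_1, ..., M_n: the bits of M, most significant bit of each byte first."""
    return [(byte >> (7 - i)) & 1 for byte in msg for i in range(8)]


def ggm_chain(key: bytes, msg: bytes):
    """y^0 = K and y^i = PRG_{M_i}(y^{i-1}); returns [y^0, ..., y^n]."""
    ys = [key]
    for b in msg_bits(msg):
        ys.append(prg_half(ys[-1], b))
    return ys


def ggm_prf(key: bytes, msg: bytes) -> bytes:
    """GGM PRF: the last node y^n of the chain."""
    return ggm_chain(key, msg)[-1]


def extract_half_collision(k1: bytes, k2: bytes, msg: bytes):
    """The reduction from the proof: K_1 != K_2 with PRF(K_1, M) == PRF(K_2, M)
    yields seeds s1 != s2 and a half b with PRG_b(s1) == PRG_b(s2).
    Returns (s1, s2, b), or None if the inputs are not a key collision."""
    if k1 == k2 or ggm_prf(k1, msg) != ggm_prf(k2, msg):
        return None
    c1, c2 = ggm_chain(k1, msg), ggm_chain(k2, msg)
    bits = msg_bits(msg)
    # Walk back from y^n: the top-most level i whose inputs y^{i-1} differ while
    # the outputs y^i agree is a collision on half M_i. Since y^0_1 != y^0_2 such a
    # level always exists, matching the "if we reach y^1" case of the proof.
    for i in range(len(bits), 0, -1):
        if c1[i] == c2[i] and c1[i - 1] != c2[i - 1]:
            return c1[i - 1], c2[i - 1], bits[i - 1]
    return None  # unreachable for a genuine key collision


def plant_demo_collision(k1: bytes, k2: bytes, msg: bytes):
    """Constructed setup: make the level-1 nodes of the two chains collide at
    level 2 by aliasing one to the other. Returns the two colliding seeds."""
    first = msg_bits(msg)[0]
    a, b = prg_half(k1, first), prg_half(k2, first)
    PLANTED_ALIASES[b] = a
    return a, b


if __name__ == "__main__":
    k1, k2, m = b"\x11" * HALF, b"\x22" * HALF, b"\xa5"
    a, b = plant_demo_collision(k1, k2, m)
    s1, s2, bit = extract_half_collision(k1, k2, m)
    print("half", bit, "collides for", s1.hex(), "and", s2.hex(), (s1, s2) == (a, b))
```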
Finally, we show that left/right collision-resistant PRGs can be built in the standard model (without the use of ROs). Consider the function G : Z_p^3 → G^6 for a group G of order p generated by g [BCP02]: We start by observing that this function is indeed injective on the left and right halves of its output. Suppose there exist (x_1, x_2, x_3) ≠ (y_1, y_2, y_3) such that (g^{x_1}, g^{x_1 x_2}, g^{x_2 x_3}) = (g^{y_1}, g^{y_1 y_2}, g^{y_2 y_3}). Then by comparing the first elements, we must have x_1 = y_1, which in conjunction with the equality of the second components implies x_2 = y_2. This together with the equality of the third components implies x_3 = y_3. Injectivity for the right half of the outputs is shown similarly.
The outputs of G on random inputs are indistinguishable from a random element of G^6 under the DDH assumption. To see this, we start with (g^{x_1}, g^{x_1 x_2}, g^{x_2 x_3}, g^{x_2}, g^{x_1 x_3}, g^{x_3}) and replace g^{x_1 x_2} with g^{z_1} using DDH applied to (g^{x_1}, g^{x_2}, g^{x_1 x_2}) and
Following [Dod05,DS05], we address these issues by applying in parallel a collision-resistant extractor to the outputs of G in two steps: (1) we apply a pairwise-independent permutation to bring the output distribution close to uniform; (2) we then use a collision-resistant, regular hash function to compress the result down to n bits without losing uniformity of the outputs. A pairwise-independent permutation π can be instantiated as (where the · and + operations are defined over an extension field). A function H : D → R is regular if its outputs are uniformly distributed over R for uniform inputs in D; equivalently, for all y ∈ R it holds that |H^{−1}(y)| = |D|/|R|. Regular, collision-resistant hash functions can be obtained from claw-free permutations [CMR98].
We define the required LRCR-secure and GGM-friendly PRG in Figure 11, where PRG_0 is a right-injective PRG and G(x) = (x_0, x_1) is an LRCR-secure PRG (for example the one above obtained from DDH).
Theorem 6. The PRG in Figure 11 is LRCR-secure and a secure PRG if PRG 0 is secure, G is secure with respect to the output distribution of D with min-entropy at least 3n, H is a regular and collision-resistant hash function, and π is a pairwise-independent permutation.
Proof. We first show PRG is LRCR secure. Let PRG(s) = s_0||s_1. Suppose that an adversary outputs s ≠ s' such that s_d = s'_d for some d ∈ {0, 1}. Let d = 0. Then either the adversary can be used to break the collision resistance of H, or ((a_0, b_0), π((a_0, b_0), x_0)) = ((a'_0, b'_0), π((a'_0, b'_0), x'_0)). Therefore (a_0, b_0) = (a'_0, b'_0) and π((a_0, b_0), x_0) = π((a'_0, b'_0), x'_0). Since π((a_0, b_0), ·) is a permutation we must have x_0 = x'_0. This contradicts the LRCR security of G unless x = x'. This in turn means that a collision on the right side (corresponding to x) of the output of PRG_0 is found unless s = s'. The case d = 1 is dealt with similarly. This concludes the proof of LRCR security.
We now turn to the pseudorandomness of the PRG. If H is regular, its outputs are uniform when fed with uniform inputs. Hence it suffices to show that the outputs of π are uniform. We prove this by first replacing the key (a_0, b_0) (and respectively, (a_1, b_1)) of π with truly random keys using the security of PRG_0. We then replace x_0 (and respectively x_1) with random strings sampled according to the distribution D on {0, 1}^{3(n+l)}. This follows from the security of G. Note that the distribution D has min-entropy at least 3n by the injectivity of group exponentiation.
Dodis and Smith [DS05, Prop. 11] show a leftover hash lemma for composition with functions: for H a regular collision-resistant hash function with output length ℓ ≤ t − 2 log(1/ε), where t is the min-entropy of the input source D to a pairwise-independent permutation π, the statistical distance between H(π(D)) and H(U) is at most ε. Applying this result to our setting with ε := 2^{−n}, we get that setting ℓ ≤ 3n − 2 log(1/ε) = n results in uniform outputs. This matches the output length of H and concludes the proof of security of PRG.
Remark. We note that LRCR security is also necessary for building key-injective PRFs, as any key-injective PRF immediately gives rise to an LRCR-secure PRG by setting the seed to the PRF key and the outputs of the PRG to those of the PRF evaluated at two points. We leave the possibility of basing LRCR-secure PRGs on generic assumptions, such as one-way functions/permutations or collision resistance, to future work. We observe, however, that collision resistance does not seem to be a necessary condition, as the left or right halves of the PRG do not need to be compressing.

A Relations among Notions of Robustness
For completeness and comparison with prior work we introduce symmetric analogues of mixed-robustness (XROB) and keyless-robustness (KROB) for AE schemes in Figure 12 below. These follow the definitions of [FLPQ13] in the context of public-key encryption. We study relations among notions of robustness for AE schemes below.

(2) and (3) we have that a FROB scheme is also KROB and XROB. Then, note that a pair of winning tuples for the CROB game can arise in one of three possible ways: (1) Both tuples were added to the list through decryption queries. This directly translates into a winning output for a FROB adversary; (2) Both tuples were added to the list through encryption queries. This translates into a winning output for a KROB adversary; (3) One tuple was added to the list through an encryption query and the other through a decryption query. This translates into a winning output for an XROB adversary.

(2) FROB =⇒ XROB. We proceed as in the previous case. We build an adversary B that wins the FROB game in Figure 13. B runs A to obtain an XROB winning tuple (M_1, K_1, R_1, C_2, K_2) that fulfills the XROB constraints: C_1 = Enc(K_1, M_1; R_1) = C_2 ∧ Dec(K_2, C_2) ≠ ⊥. Then B computes C_1 ← Enc(K_1, M_1; R_1) and uses the tuple (C_1, K_1, K_2) to win the FROB game: both Dec(K_1, C_1) and Dec(K_2, C_2) return a value ≠ ⊥, given that C_1 is a valid ciphertext. Therefore Adv^frob_{AE,B}(λ) = Adv^xrob_{AE,A}(λ).

(3) XROB =⇒ KROB. The intuition behind the proof is that an adversary breaking KROB can be used to construct an XROB winning tuple simply by encrypting part of the output obtained from the KROB adversary. The reduction is shown in Figure 14. Let A be an adversary having a non-negligible advantage against the KROB game. We build an adversary B that wins the XROB game as follows: B begins by running A to obtain a KROB winning tuple (M_1, K_1, R_1, M_2, K_2, R_2) that fulfills the KROB constraint: C_1 ← Enc(K_1, M_1; R_1) ∧ C_2 ← Enc(K_2, M_2; R_2) ∧ C_1 = C_2. Next, B computes C_2 ← Enc(K_2, M_2; R_2) and creates the tuple (M_1, K_1, R_1, C_2, K_2) to win the XROB game; we note that C_1 ← Enc(K_1, M_1; R_1) ≠ ⊥ because it is part of a KROB tuple, while Dec(K_2, C_2) ≠ ⊥ returns a valid message with non-negligible probability. We conclude that Adv^xrob_{AE,B}(λ) = Adv^krob_{AE,A}(λ).

(4) FROB =⇒ SFROB. As in the previous cases, we build an adversary B that wins the FROB game in Figure 15. B samples K_1, K_2 uniformly at random, runs A, and answers its oracle queries using these keys. When A returns C, B constructs a FROB winning tuple (C, K_1, K_2) that fulfills the constraints: M_1 ← Dec(K_1, C) ∧ M_2 ← Dec(K_2, C) ∧ M_1 ≠ ⊥ ∧ M_2 ≠ ⊥. B simply returns (C, K_1, K_2) to win the FROB game. Therefore Adv^frob_{AE,B}(λ) = Adv^sfrob_{AE,A}(λ).

(5) SFROB =⇒ SROB. This follows from a trivial reduction, as the games are identical except that an SROB adversary does not get to see K_2.
We define mixed-robustness (XROB) and keyless-robustness (KROB) for MACs in Figure 16 below.

where B := PRF(K_f, Enc(K_e, M; R)) otherwise. The modified decryption on keys 0^k and 1^k decrypts the second part of the ciphertext and, if it is ⊥ and B = 0^k, returns 0. This scheme is not FROB, as any ciphertext beginning with B = 0^k decrypts to a valid message under keys 0^k and 1^k.
This scheme, however, is still XROB secure. Encryption under any key will not result in a ciphertext that begins with B = 0^k. Hence an XROB attack must have B ≠ 0^k in its ciphertext. Such an XROB attack must also have the second components of the ciphertexts matching. This then translates to an XROB attack on the base scheme AE, as the modified decryption is equivalent to the original one when B ≠ 0^k. This scheme is also AE secure, as it is an Encrypt-then-MAC construction and a random key hits 0^k or 1^k with negligible probability.
Note that only valid keys are used in the above attacks, and that the modified schemes all remain perfectly correct.
We do not prove that there exists an AE scheme that is XROB secure but not SROB secure as SROB security is already implied by AE security. Without AE security, counterexamples similar to those given above exist.
We give similar separations for MACs. We recall that (by Theorem 2) a KROB secure MAC is SROB secure.
Proposition 7. Let MAC be a MAC that is SUF and FROB secure.
1. There exists a scheme MAC that is SUF and SFROB secure but not KROB secure.
2. There exists a scheme MAC that is SUF and KROB secure but not XROB secure.
3. There exists a scheme MAC that is SUF and XROB secure but not FROB secure.
Proof.
(1) SFROB ⇏ KROB. Consider a scheme MAC whose verification always passes on keys 0^k and 1^k and whose tag generation on these keys always returns 0. This scheme is trivially not KROB secure, as tags on 0^k and 1^k always collide. But it remains SUF and SFROB, as a random key will be 0^k or 1^k with only negligible probability.
(2) KROB ⇏ XROB. Consider a scheme MAC that operates as where T_1 := Tag(K_1, M_1; R_1). Indeed, 00|T_1 will verify under K_1 = 0^k and M_1 = 0, as it is a correctly generated tag value for these inputs. It will also verify under K_2 = 1^k, as the leading bits are ignored for this key upon verification. This scheme is still KROB. To see this, note that the scheme has disjoint tag ranges for keys 0^k and 1^k and that KROB security at all other keys is not affected. The SUF security of the scheme is also not affected, as the scheme checks the attached bits upon verification for random keys (keys 0^k, 1^k are used in the SUF game with only negligible probability).

(3) XROB ⇏ FROB. The modified verification algorithm passes if B = 0 and the rest of the tag verifies, or if B = 1. This scheme is clearly not FROB, as any tag starting with a 1 will always verify under any key. However, the modified scheme is still XROB. Indeed, a tag that verifies under two keys, one of which is in the range of Tag, must begin with 0. For tag values that start with a 0, the scheme is FROB and hence also XROB. The modified scheme is also SUF, as keys 0^k and 1^k will be used in SUF with negligible probability.
Note that only valid keys are used in the above counterexamples, and the modified schemes are also perfectly correct.
Using similar ideas, it can also be shown that there is a MAC which is SUF and XROB secure but not SFROB secure. Without SUF security a counterexample between XROB and SROB can also be given.