The security of the cipher block chaining message authentication code. Journal of Computer and System Sciences.
Integrity Primitives for Secure Information Systems: Final RIPE Report of RACE Integrity Primitives Evaluation.
CBC MACs for Arbitrary-Length Messages: The Three-Key Constructions. CRYPTO 2000.
Indistinguishability of Random Systems. EUROCRYPT 2002.
Improved security analyses for CBC MACs. CRYPTO 2005.
A new mode of operation for block ciphers and length-preserving MACs. EUROCRYPT 2008.
A unified method for improving PRF bounds for a class of blockcipher based MACs. FSE 2010.
Improving the security of MACs via randomized message preprocessing. FSE 2007.
New bounds for PMAC, TMAC, and XCBC. FSE 2007.
We prove a new upper bound on the advantage of any adversary for distinguishing the encrypted CBC-MAC (EMAC) based on random permutations from a random function. Our proof uses techniques recently introduced in [BPR05], which in turn were inspired by [DGH+04]. The bound we prove is tight, in the sense that it matches the advantage of known attacks up to a constant factor, for a wide range of the parameters: let n denote the block size, q the number of queries the adversary is allowed to make, and ℓ an upper bound on the length (i.e. number of blocks) of the messages; then for ℓ ≤ 2^{n/8} and q ≥ ℓ^2 the advantage is in the order of q^2/2^n (and in particular independent of ℓ). This improves on the previous bound of q^2 ℓ^{Θ(1/ln ln ℓ)}/2^n from [BPR05] and matches the trivial attack (which is thus basically optimal) in which one simply asks random queries until a collision is found.
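As an added worked example (not code from the paper or its authors), the script below builds EMAC over toy random permutations with a 16-bit block size and runs the collision attack the abstract refers to. Following the classical attack on CBC-MAC, it turns a tag collision into both a distinguishing event and an existential forgery by extending the two colliding messages with the same block X; that extension step, the 16-bit toy block size, the PRNG-shuffled permutation tables and all function names (toy_block_cipher, find_collision, extension_distinguisher, forge_emac, demo) are assumptions of this example. The security-relevant point is that because E_K2 is a permutation, a collision of EMAC tags exposes a collision of the inner CBC values, and a single extra query then yields a valid tag for a message that was never queried, after about 2^{n/2} queries regardless of the message length ℓ, which is the q^2/2^n behaviour the proven bound shows cannot be beaten by more than a constant factor.

```python
import random

# Added example, not the paper's code. A 16-bit block makes birthday collisions
# cheap to find; a seeded shuffled table stands in for the random permutation
# E_K of the paper's model. None of this is a real cipher.
N_BITS = 16
MASK = (1 << N_BITS) - 1


def toy_block_cipher(key):
    """Keyed permutation on n-bit blocks (assumption: models E_K as a random
    permutation; not a real block cipher)."""
    table = list(range(1 << N_BITS))
    random.Random(key).shuffle(table)
    return lambda x: table[x & MASK]


def cbc_mac(E, blocks):
    """Raw CBC-MAC chaining value with zero IV over a list of n-bit blocks."""
    y = 0
    for m in blocks:
        y = E(y ^ m)
    return y


def emac(E1, E2, blocks):
    """EMAC: the CBC chaining value under K1, encrypted once more under K2."""
    return E2(cbc_mac(E1, blocks))


def random_function(seed):
    """Lazily sampled random function from messages to n-bit tags, the ideal
    object EMAC is compared against."""
    rng = random.Random(seed)
    table = {}

    def f(blocks):
        key = tuple(blocks)
        if key not in table:
            table[key] = rng.getrandbits(N_BITS)
        return table[key]
    return f


def find_collision(oracle, msg_len=2, max_queries=1 << N_BITS, seed=0):
    """Query random distinct msg_len-block messages until two tags collide.
    Returns (queries, M, M_prime), or (queries, None, None) on failure."""
    rng = random.Random(seed)
    seen_tags, seen_msgs, queries = {}, set(), 0
    while queries < max_queries:
        msg = tuple(rng.getrandbits(N_BITS) for _ in range(msg_len))
        if msg in seen_msgs:
            continue
        seen_msgs.add(msg)
        tag = oracle(list(msg))
        queries += 1
        if tag in seen_tags:
            return queries, seen_tags[tag], msg
        seen_tags[tag] = msg
    return queries, None, None


def extension_distinguisher(oracle, x=0x1234, **kw):
    """Guess 1 (EMAC) if extending both colliding messages by the same block
    X keeps the tags equal; a random function does so only w.p. 2^-n.
    Returns (guess, total_queries)."""
    queries, m, m2 = find_collision(oracle, **kw)
    if m is None:
        return 0, queries
    t1 = oracle(list(m) + [x])
    t2 = oracle(list(m2) + [x])
    return int(t1 == t2), queries + 2


def forge_emac(oracle, x=0x1234, **kw):
    """Existential forgery: EMAC(M) = EMAC(M') implies the inner CBC values
    collide (E_K2 is a permutation), so the tag of M||X is also the tag of the
    never-queried M'||X. Returns (queries, forged_msg, forged_tag)."""
    queries, m, m2 = find_collision(oracle, **kw)
    if m is None:
        return queries, None, None
    tag = oracle(list(m) + [x])
    return queries + 1, list(m2) + [x], tag


def demo(seed=0):
    """Run forgery and distinguisher against EMAC and against a random function."""
    E1, E2 = toy_block_cipher(1), toy_block_cipher(2)

    def real(blocks):
        return emac(E1, E2, blocks)

    q, msg, tag = forge_emac(real, seed=seed)
    return {
        "queries": q,
        "forged_msg": msg,
        "forgery_valid": msg is not None and real(msg) == tag,
        "guess_emac": extension_distinguisher(real, seed=seed)[0],
        "guess_random": extension_distinguisher(random_function(7), seed=seed)[0],
    }
```

Calling demo() returns the number of chosen-message queries spent, the forged message and whether its tag verifies, plus the distinguisher's guess against EMAC and against a random function. With a 16-bit block the collision shows up after a few hundred queries (the birthday estimate is around 2^8 = 256), and nothing in the attack depends on ℓ, which is why the independence of the bound from ℓ is the substantive part of the result. For a real 128-bit block cipher the same attack costs roughly 2^64 queries, i.e. exactly the q^2 ≈ 2^n point at which the proven bound becomes vacuous; the practical caveat is that any CBC-style MAC, EMAC included, must be rekeyed well before that many messages.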