A tight bound for EMAC

Authors:
Krzysztof Pietrzak
Affiliations:
Département d'Informatique, École Normale Supérieure, Paris
Venue:
ICALP'06 Proceedings of the 33rd international conference on Automata, Languages and Programming - Volume Part II
Year:
2006

Citing 5
Cited 4

The security of the cipher block chaining message authentication code

Journal of Computer and System Sciences
Integrity Primitives for Secure Information Systems: Final Ripe Report of Race Integrity Primitives Evaluation

Integrity Primitives for Secure Information Systems: Final Ripe Report of Race Integrity Primitives Evaluation
CBC MACs for Arbitrary-Length Messages: The Three-Key Constructions

CRYPTO '00 Proceedings of the 20th Annual International Cryptology Conference on Advances in Cryptology
Indistinguishability of Random Systems

EUROCRYPT '02 Proceedings of the International Conference on the Theory and Applications of Cryptographic Techniques: Advances in Cryptology
Improved security analyses for CBC MACs

CRYPTO'05 Proceedings of the 25th annual international conference on Advances in Cryptology

A new mode of operation for block ciphers and length-preserving MACs

EUROCRYPT'08 Proceedings of the theory and applications of cryptographic techniques 27th annual international conference on Advances in cryptology
A unified method for improving PRF bounds for a class of blockcipher based MACs

FSE'10 Proceedings of the 17th international conference on Fast software encryption
Improving the security of MACs via randomized message preprocessing

FSE'07 Proceedings of the 14th international conference on Fast Software Encryption
New bounds for PMAC, TMAC, and XCBC

FSE'07 Proceedings of the 14th international conference on Fast Software Encryption

Quantified Score

Hi-index	0.00

Visualization

Abstract

We prove a new upper bound on the advantage of any adversary for distinguishing the encrypted CBC-MAC (EMAC) based on random permutations from a random function. Our proof uses techniques recently introduced in [BPR05], which again were inspired by [DGH+04] The bound we prove is tight — in the sense that it matches the advantage of known attacks up to a constant factor — for a wide range of the parameters: let n denote the block-size, q the number of queries the adversary is allowed to make and ℓ an upper bound on the length (i.e. number of blocks) of the messages, then for ℓ≤2n/8 and q≥ł2 the advantage is in the order of q2/2n (and in particular independent of ℓ). This improves on the previous bound of q2ℓΘ(1/lnln ℓ)/2n from [BPR05] and matches the trivial attack (which thus is basically optimal) where one simply asks random queries until a collision is found