Bellare, Mihir ; Pietrzak, Krzysztof ZIST Austria ; Rogaway, Phillip
We present an improved bound on the advantage of any q-query adversary at distinguishing between the CBC MAC over a random n-bit permutation and a random function outputting n bits. The result assumes that no message queried is a prefix of any other, as is the case when all messages to be MACed have the same length. We go on to give an improved analysis of the encrypted CBC MAC, where there is no restriction on queried messages. Letting m be the block length of the longest query, our bounds are about mq2/2n for the basic CBC MAC and mo(1)q2/2n for the encrypted CBC MAC, improving prior bounds of m2q2/2n. The new bounds translate into improved guarantees on the probability of forging these MACs.
Pietrzak was supported by the Swiss National Science Foundation, project No. 200020-103847/1.
527 - 545
CRYPTO: International Cryptology Conference
Bellare M, Pietrzak KZ, Rogaway P. Improved security analyses for CBC MACs. In: Vol 3621. Springer; 2005:527-545. doi:10.1007/11535218_32
Bellare, M., Pietrzak, K. Z., & Rogaway, P. (2005). Improved security analyses for CBC MACs (Vol. 3621, pp. 527–545). Presented at the CRYPTO: International Cryptology Conference, Springer. https://doi.org/10.1007/11535218_32
Bellare, Mihir, Krzysztof Z Pietrzak, and Phillip Rogaway. “Improved Security Analyses for CBC MACs,” 3621:527–45. Springer, 2005. https://doi.org/10.1007/11535218_32.
M. Bellare, K. Z. Pietrzak, and P. Rogaway, “Improved security analyses for CBC MACs,” presented at the CRYPTO: International Cryptology Conference, 2005, vol. 3621, pp. 527–545.
Bellare M, Pietrzak KZ, Rogaway P. 2005. Improved security analyses for CBC MACs. CRYPTO: International Cryptology Conference, LNCS, vol. 3621. 527–545.
Bellare, Mihir, et al. Improved Security Analyses for CBC MACs. Vol. 3621, Springer, 2005, pp. 527–45, doi:10.1007/11535218_32.