论文信息 - A Tight Bound for EMAC

A Tight Bound for EMAC

We prove a new upper bound on the advantage of any adversary for distinguishing the encrypted CBC-MAC (EMAC) based on random permutations from a random function. Our proof uses techniques recently introduced in [BPR05], which again were inspired by [DGH+04] The bound we prove is tight — in the sense that it matches the advantage of known attacks up to a constant factor — for a wide range of the parameters: let n denote the block-size, q the number of queries the adversary is allowed to make and l an upper bound on the length (i.e. number of blocks) of the messages, then for l≤2n/8 and q≥l2 the advantage is in the order of q2/2n (and in particular independent of l). This improves on the previous bound of q2lΘ(1/lnln l)/2n from [BPR05] and matches the trivial attack (which thus is basically optimal) where one simply asks random queries until a collision is found

Krzysztof Pietrzak | Krzysztof Pietrzak

[1] Bart Preneel,et al. Integrity Primitives for Secure Information Systems , 2005, Lecture Notes in Computer Science.

[2] Mihir Bellare,et al. The Security of the Cipher Block Chaining Message Authentication Code , 2000, J. Comput. Syst. Sci..

[3] Bart Preneel,et al. Integrity Primitives for Secure Information Systems: Final RIPE Report of RACE Integrity Primitives Evaluation , 1995 .

[4] Ueli Maurer,et al. Indistinguishability of Random Systems , 2002, EUROCRYPT.

[5] John Black,et al. CBC MACs for Arbitrary-Length Messages: The Three-Key Constructions , 2000, Journal of Cryptology.

[6] Mihir Bellare,et al. Improved Security Analyses for CBC MACs , 2005, CRYPTO.

[7] Joos Vandewalle,et al. Integrity primitives for secure information systems : final report of RACE Integrity Primitives Evaluation RIPE-RACE 1040 , 1995 .

[8] Bart Preneel. New European Schemes for Signature, Integrity and Encryption (NESSIE): A Status Report , 2002, Public Key Cryptography.

[9] E. T.. An Introduction to the Theory of Numbers , 1946, Nature.

[10] Hugo Krawczyk,et al. Randomness Extraction and Key Derivation Using the CBC, Cascade and HMAC Modes , 2004, CRYPTO.

[11] Larry Carter,et al. Universal Classes of Hash Functions , 1979, J. Comput. Syst. Sci..