The Security of the Cipher Block Chaining Message Authentication Code

Let F be some block cipher (eg., DES) with block length l. The cipher block chaining message authentication code (CBC MAC) specifies that an m-block message x=x1?xm be authenticated among parties who share a secret key a for the block cipher by tagging x with a prefix of ym, where y0=0l and yi=Fa(mi?yi?1) for i=1, 2, ?, m. This method is a pervasively used international and U.S. standard. We provide its first formal justification, showing the following general lemma: cipher block chaining a pseudorandom function yields a pseudorandom function. Underlying our results is a technical lemma of independent interest, bounding the success probability of a computationally unbounded adversary in distinguishing between a random ml-bit to l-bit function and the CBC MAC of a random l-bit to l-bit function.

[1]  Silvio Micali,et al.  A Digital Signature Scheme Secure Against Adaptive Chosen-Message Attacks , 1988, SIAM J. Comput..

[2]  Michael Luby,et al.  A Study of Password Security , 1987, CRYPTO.

[3]  Mihir Bellare,et al.  Constructing VIL-MACsfrom FIL-MACs: Message Authentication under Weakened Assumptions , 1999, CRYPTO.

[4]  Michael Luby,et al.  How to Construct Pseudo-Random Permutations from Pseudo-Random Functions (Abstract) , 1986, CRYPTO.

[5]  Silvio Micali,et al.  How to construct random functions , 1986, JACM.

[6]  Bart Preneel,et al.  MDx-MAC and Building Fast MACs from Hash Functions , 1995, CRYPTO.

[7]  Virgil D. Gligor,et al.  On message integrity in cryptographic protocols , 1992, Proceedings 1992 IEEE Computer Society Symposium on Research in Security and Privacy.

[8]  Larry Carter,et al.  New Hash Functions and Their Use in Authentication and Set Equality , 1981, J. Comput. Syst. Sci..

[9]  Carl Pomerance Advances in cryptology -- CRYPTO '87 : proceedings , 1988 .

[10]  Phillip Rogaway,et al.  Bucket Hashing and Its Application to Fast Message Authentication , 1995, Journal of Cryptology.

[11]  Mihir Bellare,et al.  XOR MACs: New Methods for Message Authentication Using Finite Pseudorandom Functions , 1995, CRYPTO.

[12]  Mitsuru Matsui,et al.  Differential Attack on Message Authentication Codes , 1993, CRYPTO.

[13]  Mihir Bellare,et al.  Entity Authentication and Key Distribution , 1993, CRYPTO.

[14]  Hugo Krawczyk,et al.  Keying Hash Functions for Message Authentication , 1996, CRYPTO.

[15]  Mihir Bellare,et al.  A concrete security treatment of symmetric encryption , 1997, Proceedings 38th Annual Symposium on Foundations of Computer Science.

[16]  Silvio Micali,et al.  On the Cryptographic Applications of Random Functions , 1984, CRYPTO.

[17]  Moti Yung,et al.  Systematic Design of Two-Party Authentication Protocols , 1991, CRYPTO.

[18]  Lars R. Knudsen,et al.  Chosen-text attack on CBC-MAC , 1997 .

[19]  Hugo Krawczyk,et al.  UMAC: Fast and Secure Message Authentication , 1999, CRYPTO.

[20]  Mihir Bellare,et al.  The Security of Cipher Block Chaining , 1994, CRYPTO.