## CBC MACs for arbitrary-length messages: The three-key constructions (2000)


Venue: | Advances in Cryptology – CRYPTO ’00, Lecture Notes in Computer Science |

Citations: | 70 - 17 self |

### BibTeX

```bibtex
@INPROCEEDINGS{Black00cbcmacs,
    author = {John Black and Phillip Rogaway},
    title = {CBC MACs for arbitrary-length messages: The three-key constructions},
    booktitle = {Advances in Cryptology – CRYPTO ’00, Lecture Notes in Computer Science},
    year = {2000},
    pages = {197--215},
    publisher = {Springer-Verlag}
}
```


### Abstract

We suggest some simple variants of the CBC MAC that let you efficiently MAC messages of arbitrary lengths. Our constructions use three keys, K1, K2, K3, to avoid unnecessary padding and MAC any message M ∈ {0, 1}* using max{1, ⌈|M|/n⌉} applications of the underlying n-bit block cipher. Our favorite construction, XCBC, works like this: if |M| is a positive multiple of n then XOR the n-bit key K2 with the last block of M and compute the CBC MAC keyed with K1; otherwise, extend M’s length to the next multiple of n by appending minimal 10^i padding (i ≥ 0), XOR the n-bit key K3 with the last block of the padded message, and compute the CBC MAC keyed with K1. We prove the security of this and other constructions, giving concrete bounds on an adversary’s inability to forge in terms of her inability to distinguish the block cipher from a random permutation. Our analysis exploits new ideas which simplify proofs compared to prior work.
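The XCBC procedure in the abstract, written out as an added example (it is not code from the paper or its authors). Assumptions: a 128-bit block, byte-aligned messages, and a hypothetical `ToyCipher` (a small Feistel network over SHA-256) standing in for the block cipher E; the keys and messages are constructed samples.

```python
import hashlib
import hmac

BLOCK = 16  # n = 128 bits, in bytes

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

class ToyCipher:
    """Stand-in for the block cipher E keyed with K1 (assumption: a 4-round
    Feistel network over SHA-256; a permutation, not a vetted cipher)."""
    def __init__(self, key):
        self.key, self.calls = key, 0

    def encrypt(self, block):
        self.calls += 1  # count block-cipher applications
        left, right = block[:8], block[8:]
        for rnd in range(4):
            f = hashlib.sha256(self.key + bytes([rnd]) + right).digest()[:8]
            left, right = right, xor(left, f)
        return left + right

def xcbc(cipher, k2, k3, msg):
    """XCBC tag of msg (bytes), following the abstract's description."""
    if msg and len(msg) % BLOCK == 0:
        padded, last_key = msg, k2  # positive multiple of n: no padding, K2
    else:
        zeros = BLOCK - len(msg) % BLOCK - 1
        padded, last_key = msg + b"\x80" + bytes(zeros), k3  # 10^i padding, K3
    blocks = [padded[i:i + BLOCK] for i in range(0, len(padded), BLOCK)]
    blocks[-1] = xor(blocks[-1], last_key)
    chain = bytes(BLOCK)  # C_0 = 0^n
    for block in blocks:
        chain = cipher.encrypt(xor(block, chain))
    return chain

def verify(cipher, k2, k3, msg, tag):
    return hmac.compare_digest(xcbc(cipher, k2, k3, msg), tag)

def cipher_calls(length):
    """Block-cipher applications used to MAC a message of `length` bytes."""
    cipher = ToyCipher(b"constructed K1")
    xcbc(cipher, K2, K3, bytes(length))
    return cipher.calls

# Constructed sample keys and messages.
K2, K3 = bytes(range(16)), bytes(range(16, 32))
SHORT = b"fifteen bytes!!"   # 15 bytes: gets one byte of 10^i padding
FULL = SHORT + b"\x80"       # 16 bytes: identical to the padded form of SHORT

if __name__ == "__main__":
    e = ToyCipher(b"constructed K1")
    print(xcbc(e, K2, K3, SHORT).hex(), xcbc(e, K2, K3, FULL).hex())
```

`SHORT` and `FULL` become the same block string once `SHORT` is padded, so their tags are equal if K3 is set equal to K2 and differ only because the two cases use different keys on the last block.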

### Citations

662 | How to construct random functions - Goldreich, Goldwasser, et al. - 1986 |

348 | New hash functions and their use in authentication and set equality - Wegman, Carter - 1981 |

Citation Context ... give a proof of security. Rather than adapt the rather complex proof of [10], or the even more complicated one of [2], we follow a new tack, viewing EMAC as an instance of the Carter-Wegman paradigm [5, 12]: with EMAC one is enciphering the output of a universal-2 hash function. This universal-2 hash function is the CBC MAC itself. Since it is not too hard to upper bound the collision probability of the... |

208 | The security of the cipher block chaining message authentication code - Bellare, Kilian, et al. |

Citation Context ...der key K, is defined as C_m, where C_i = E_K(M_i ⊕ C_{i−1}) for i = 1, . . . , m and C_0 = 0^n. Bellare, Kilian, and Rogaway proved the security of the CBC MAC, in the sense of reduction-based cryptography [2]. But their proof depends on the assumption that it is only messages of one fixed length, mn bits, that are being MACed. Indeed when message lengths can vary, the CBC MAC is not secure. This fact ... |

119 | UMAC: Fast and Secure Message Authentication - Black, Halevi, et al. - 1999 |

Citation Context ...f two random functions to the output of CBC MAC and claim that this construction is itself a good PRF. Applying a PRF to a universal-2 hash function is a well-known approach for creating a PRF or MAC [5, 12, 4]. The novelty here is the extension to three keys and, more significantly, the treatment of the CBC MAC as an almost universal-2 family of hash functions. The latter might be against one’s instincts b... |

113 | Tweakable block ciphers - Liskov, Rivest, et al. - 2002 |

Citation Context ...rmutation and K is a random n-bit string. This lemma, and ones like it, may make generally useful tools. Indeed, this technique anticipates the generalization of making multiple permutations from one [12]. Lemma 6 [Two permutations from one] Fix n ≥ 1. Let A be an adversary with a left oracle and a right oracle, and assume that A asks at most q total queries. Then Pr[π ←$ Perm(n); K ←$ Σ^n : A... |

91 | How to protect DES against exhaustive key search - Kilian, Rogaway - 1996 |

Citation Context ...arch strengthening by modifying XCBC to again XOR the second key (K2 or K3) with the result of the last encipherment. (If one is using DES, this amounts to switching to DESX for the last encipherment [9].) We call this variant XCBCX. Likely one could prove good bounds for it in the Shannon model. However, none of this is necessary or relevant if one simply starts with a strong block cipher. Complexit... |

86 | Universal Hash Functions - Carter, Wegman - 1979 |

Citation Context ... give a proof of security. Rather than adapt the rather complex proof of [10], or the even more complicated one of [2], we follow a new tack, viewing EMAC as an instance of the Carter-Wegman paradigm [5, 12]: with EMAC one is enciphering the output of a universal-2 hash function. This universal-2 hash function is the CBC MAC itself. Since it is not too hard to upper bound the collision probability of the... |

48 | CBC MAC for Real-time Data Sources - Petrank, Rackoff |

Citation Context ...main is still (Σ^n)^+ but one defines EMAC (for encrypted MAC) by EMAC_{E_K1,E_K2}(M) = E_K2(CBC_{E_K1}(M)). This algorithm was developed for the RACE project [3]. It has been analyzed by Petrank and Rackoff [10] who show, roughly said, that an adversary who obtains the MACs for messages which total σ blocks cannot forge with probability better than 2σ²/2^n. Among the nice features of EMAC is that one need n... |

46 | Indistinguishability of random systems - Maurer - 2002 |

Citation Context ...s. One could adapt the rather complex proof of Petrank and Rackoff [14], or the even more complicated one of Bellare, Kilian, and Rogaway [1]. Better would be to apply the general framework of Maurer [13], which has already been used to analyze the basic CBC MAC. Another approach is to use the decorrelation theory of Vaudenay [15], which has already been used to analyze EMAC, the encrypted CBC MAC. Ou... |

31 | On the security of two MAC algorithms - Preneel, Oorschot - 1996 |

20 | Information technology - security techniques - data integrity mechanism using a cryptographic check function employing a block cipher algorithm", International Organization for Standardization - ISOIEC - 1994 |

Citation Context ...s of any bit length. In addition to our schemes, we introduce new techniques to prove them secure. Our proofs are much simpler than prior work. We begin with some background. The CBC MAC. The CBC MAC [6, 8] is the simplest and most well-known way to make a message authentication code (MAC) out of a block cipher. Let’s recall how it works. Let Σ = {0, 1} and let E : Key × Σ^n → Σ^n be a block cipher: it ... |

18 | OMAC: One-Key CBC MAC - Iwata, Kurosawa - 2003 |

Citation Context ...a pair of functions π(·), π(· ⊕ K), where π is a random permutation and K is a random constant. Subsequent work. Iwata and Kurosawa present a variant of XCBC that makes do with a single blockcipher key [10]. Their OMAC algorithm is identical to XCBC except that one selects (K1, K2, K3) = (K, 2E_K(0^n), 4E_K(0^n)), say, with the indicated multiplication being carried out in the finite field GF(2^n). We li... |

17 | Computer Data Authentication," Federal Information Processing Standard - FIPS - 1985 |

Citation Context ...s of any bit length. In addition to our schemes, we introduce new techniques to prove them secure. Our proofs are much simpler than prior work. We begin with some background. The CBC MAC. The CBC MAC [6, 8] is the simplest and most well-known way to make a message authentication code (MAC) out of a block cipher. Let’s recall how it works. Let Σ = {0, 1} and let E : Key × Σ^n → Σ^n be a block cipher: it ... |

9 | National Standard–Financial institution retail message authentication - 19 - 1986 |

Citation Context ...oy would seem to necessitate a meet-in-the-middle attack.) It was such considerations that led the designers of the retail MAC, ANSI X9.19, to suggest triple encryption for enciphering the last block [1]. It would seem to be possible to gain this same exhaustive-key-search strengthening by modifying XCBC to again XOR the second key (K2 or K3) with the result of the last encipherment. (If one is using... |

4 | CBC MAC for real-time data sources, manuscript - Petrank, Rackoff - 1997 |

Citation Context ...the domain is still (Σ^n)^+ but one defines EMAC (for encrypted MAC) by EMAC_{E_K1,E_K2}(M) = E_K2(CBC_{E_K1}(M)). This algorithm was developed for the RACE project [3]. It has been analyzed by Petrank and Rackoff [10] who show, roughly said, that an adversary who obtains the MACs for messages which total σ blocks cannot forge with probability better than 2σ²/2^n. Among the nice features of EMAC is that one need not... |

3 | UMAC: Fast and secure message authentication - Black, Halevi, et al. - 1999 |

Citation Context ...ctions, ae2 or ae3, depending on the padding that was initially performed. Applying a PRF to the output of an almost-universal hash-function family is a well-known approach for creating a PRF or MAC [3, 5, 16]. The novelty here is our method of dealing with messages that are not a multiple of the block length and, more significantly, the treatment of the CBC MAC as an almost-universal hash-function family. ... |

2 | The Security of the Cipher Block Chaining Message Authentication Code - Bellare, Kilian, et al. |

Citation Context ...M under key K, is the value C_m where C_i = E_K(M_i ⊕ C_{i−1}) for i = 1, . . . , m and C_0 = 0^n. Bellare, Kilian, and Rogaway proved the security of the CBC MAC in the sense of reduction-based cryptography [1]. Their proof depends on the assumption that it is only messages of one fixed length, mn bits, that are being MACed. Indeed when message lengths can vary the CBC MAC is not secure. This fact is well-kn... |

1 | Decorrelation over infinite domains: the encrypted CBC-MAC case - Vaudenay |

1 | Universal hash functions. J. of Computer and System Sciences - Carter, Wegman - 2003 |

Citation Context ...tend our domain to Σ* is a slightly longer key. For each of the new schemes we provide a proof of security. Our proof approach begins by viewing ECBC as an instance of the Carter-Wegman paradigm [5, 16]: with ECBC one is enciphering the output of an almost-universal hash-function family, this almost-universal hash-function family being the CBC MAC itself. Thus by bounding the collision probability of... |

1 | CBC MAC for real-time data sources. Journal of Cryptology 13, 3 (2000), 315-338. [15] Vaudenay, S. Decorrelation over infinite domains: the encrypted CBC-MAC case - Petrank, Rackoff - 1981 |

Citation Context ...domain is still (Σ^n)^+ but one defines EMAC (for Encrypted MAC) by EMAC_{E_K1,E_K2}(M) = E_K2(CBC_{E_K1}(M)). This algorithm was developed for the RACE project [2]. It was analyzed by Petrank and Rackoff [14] who show, roughly said, that an adversary who obtains the MACs for messages that total σ blocks cannot forge with probability better than 2σ²/2^n. Among the nice features of EMAC is that one need not... |