## On the Security of Randomized CBC-MAC Beyond the Birthday Paradox Limit - A New Construction (2001)


Venue: Fast Software Encryption ’02, Lecture Notes in Computer Science

Citations: 28 - 1 self

### BibTeX

@INPROCEEDINGS{Jaulmes01onthe,

author = {Éliane Jaulmes and Antoine Joux and Frédéric Valette},

title = {On the Security of Randomized CBC-MAC Beyond the Birthday Paradox Limit - A New Construction},

booktitle = {Fast Software Encryption ’02, Lecture Notes in Computer Science},

year = {2001},

pages = {237--251},

publisher = {Springer-Verlag}

}

### Abstract

In this paper, we study the security of randomized CBC-MACs and propose a new construction that resists birthday paradox attacks and provably reaches full security. The proof is done in a new security model that may be of independent interest to study the security of randomized functions. The size of the MAC tags in this construction is optimal, i.e., exactly twice the size of the block cipher. Up to a constant, the security of the proposed randomized CBC-MAC using an n-bit block cipher is the same as the security of the usual encrypted CBC-MAC using a 2n-bit block cipher. Moreover, this construction adds a negligible computational overhead compared to the cost of a plain, non-randomized CBC-MAC.

### Citations

490 | Keying hash functions for message Authentication - Bellare, Canetti, et al. - 1996 |
Citation Context: ...xample to start from a hash function and transform it into a secure MAC. The idea first appeared in the work of Wegman and Carter [15]. Other existing constructions are for example XOR-MACs [3], HMAC [1] and UMAC [6]. However, in low end cryptographic devices, the ability to reuse an existing primitive is an extremely nice property. In practice, a simple construction called CBC–MAC is frequently enco...

338 | New hash functions and their use in authentication and set equality - Wegman, Carter - 1981 |
Citation Context: ... constructions are possible. A well-known method to build MACs is for example to start from a hash function and transform it into a secure MAC. The idea first appeared in the work of Wegman and Carter [15]. Other existing constructions are for example XOR-MACs [3], HMAC [1] and UMAC [6]. However, in low end cryptographic devices, the ability to reuse an existing primitive is an extremely nice property. ...

206 | The security of the cipher block chaining message authentication code - Bellare, Kilian, et al. - 2000 |
Citation Context: ...he length of the message M has to be a multiple of the block size n, however several padding techniques have been proposed to remove this constraint [9]. This simple CBC–MAC has been proved secure in [4] for messages of fixed (non zero) length. However, when the length is no longer fixed, forgery attacks exist. The simplest of those uses two messages of one block each M and M′, and queries their MA...

123 | XOR MACs: New methods for message authentication using finite pseudorandom functions - Bellare, Guerin, et al. - 1995 |
Citation Context: ...s is for example to start from a hash function and transform it into a secure MAC. The idea first appeared in the work of Wegman and Carter [15]. Other existing constructions are for example XOR-MACs [3], HMAC [1] and UMAC [6]. However, in low end cryptographic devices, the ability to reuse an existing primitive is an extremely nice property. In practice, a simple construction called CBC–MAC is frequ...

116 | UMAC: Fast and secure message authentication - Black, Halevi, et al. - 1999 |
Citation Context: ...rt from a hash function and transform it into a secure MAC. The idea first appeared in the work of Wegman and Carter [15]. Other existing constructions are for example XOR-MACs [3], HMAC [1] and UMAC [6]. However, in low end cryptographic devices, the ability to reuse an existing primitive is an extremely nice property. In practice, a simple construction called CBC–MAC is frequently encountered. Seve...

84 | MDx-MAC and Building Fast MACs from Hash Functions - Preneel, Oorschot - 1995 |

69 | CBC MACs for arbitrary-length messages: The three-key constructions - Black, Rogaway - 2005 |
Citation Context: ...e uses two messages of one block each M and M′, and queries their MACs C and C′. Then it can forge the MAC of M‖(M′ ⊕ C), namely C′. In order to remove this limitation, it is shown in [11] and [7] that it suffices to encrypt the plain CBC–MAC of a message with another key. However, the security level offered by these CBC–MACs is not optimal, since they all suffer from a common weakness: birthd...

56 | Improved cryptanalysis of Rijndael - Ferguson, Kelsey, et al. - 1978 |

46 | CBC MAC for real-time data sources - Petrank, Rackoff - 2000 |
Citation Context: ...t of those uses two messages of one block each M and M′, and queries their MACs C and C′. Then it can forge the MAC of M‖(M′ ⊕ C), namely C′. In order to remove this limitation, it is shown in [11] and [7] that it suffices to encrypt the plain CBC–MAC of a message with another key. However, the security level offered by these CBC–MACs is not optimal, since they all suffer from a common weakness...

24 | Luby-Rackoff backwards: increasing security by making block ciphers non-invertible. Eurocrypt ’98 - Bellare, Krovetz, et al. |
Citation Context: ...birthday paradox limit. Up to now, the only known solutions for designing pseudorandom functions with security beyond the birthday limit using block-ciphers (pseudorandom permutations) are counter-based [5,8]. Moreover, it was shown in [13] that the simple and arguably reasonable approach of adding a random value at the beginning of a message before computing its CBC–MAC does not give full security. Indeed...

20 | Stateless evaluation of pseudorandom functions: Security beyond the birthday barrier - Bellare, Goldreich, et al. - 1999 |
Citation Context: ...ch easier to deal with in practice. However, building a randomized MAC provably secure against birthday paradox attacks is not a simple matter. Indeed, the best currently known solution, called MACRX [2], is not CBC–MAC based and it expands the size of the MAC values by a factor of 3 instead of the expected 2. Indeed since with a MAC of size kn, an adversary can always obtain collisions in $2^{kn/2}$, i...

18 | Building PRFs from PRPs - Hall, Wagner, et al. - 1998 |

3 | L-collision attacks against randomized MACs - Semanko - 2000 |
Citation Context: ...e only known solutions for designing pseudorandom functions with security beyond the birthday limit using block-ciphers (pseudorandom permutations) are counter-based [5, 8]. Moreover, it was shown in [13] that the simple and arguably reasonable approach of adding a random value at the beginning of a message before computing its CBC–MAC does not give full security. Indeed, this construction suffers fro...

1 | Organization for Standards, Geneva, Switzerland. ISO/IEC 9797-1. Information Technology - Security Techniques - Data integrity mechanism using a cryptographic check function employing a block cipher algorithm, second edition - International - 1999 |

1 | Department of Commerce/National Bureau of Standards, National Technical Information - S - 1994 |

1 | See new version at http://www.cs.ucdavis.edu/~rogaway - Springer - 1994 |

1 | ISO/IEC 9797-1. Information Technology – Security Techniques – Data integrity mechanism using a cryptographic check function employing a block cipher algorithm, second edition - Standards, Switzerland - 1999 |
Citation Context: ...se an existing primitive is an extremely nice property. In practice, a simple construction called CBC–MAC is frequently encountered. Several variants of the CBC–MAC are described in normative documents [9,14]. The simplest of those works as follows: let E be a block cipher using a key K to encrypt n–bit blocks. To compute the CBC–MAC of the message M with the key K, we split M into a sequence of n–bit blo...

1 | of Commerce/National Bureau of Standards, National Technical Information Service - Department - 1994 |
Citation Context: ...se an existing primitive is an extremely nice property. In practice, a simple construction called CBC–MAC is frequently encountered. Several variants of the CBC–MAC are described in normative documents [9,14]. The simplest of those works as follows: let E be a block cipher using a key K to encrypt n–bit blocks. To compute the CBC–MAC of the message M with the key K, we split M into a sequence of n–bit blo...