Journal of Cryptology

, Volume 18, Issue 2, pp 111–131 | Cite as

CBC MACs for Arbitrary-Length Messages: The Three-Key Constructions

  • John BlackEmail author
  • Phillip RogawayEmail author


We suggest some simple variants of the CBC MAC that enable the efficient authentication of arbitrary-length messages. Our constructions use three keys, K1, K2, K3, to avoid unnecessary padding and MAC any message M ∈ {0,1}* using max{1, ⌈ |M|/n⌉} applications of the underlying n-bit block cipher. Our favorite construction, XCBC, works like this: if |M| is a positive multiple of n then XOR the n-bit key K2 with the last block of M and compute the CBC MAC keyed with K1; otherwise, extend M’s length to the next multiple of n by appending minimal 10 padding (ℓ ≥ 0), XOR the n-bit key K3 with the last block of the padded message, and compute the CBC MAC keyed with K1. We prove the security of this and other constructions, giving concrete bounds on an adversary’s inability to forge in terms of his inability to distinguish the block cipher from a random permutation. Our analysis exploits new ideas which simplify proofs compared with prior work.

CBC MAC Message authentication codes Modes of operation Provable security Standards 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

Copyright information

© Springer 2005

Authors and Affiliations

  1. 1.Department of Computer Science, 430 UCB, Boulder, CO 80309USA
  2. 2.Department of Computer Science, University of California, Davis, CA 95616 USA and Department of Computer Science, Faculty of Science, Chiang Mai University, Chiang Mai 50200Thailand

Personalised recommendations