Improved Security Analyses for CBC MACs

  • Mihir Bellare
  • Krzysztof Pietrzak
  • Phillip Rogaway
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3621)


We present an improved bound on the advantage of any q-query adversary at distinguishing between the CBC MAC over a random n-bit permutation and a random function outputting n bits. The result assumes that no message queried is a prefix of any other, as is the case when all messages to be MACed have the same length. We go on to give an improved analysis of the encrypted CBC MAC, where there is no restriction on queried messages. Letting m be the block length of the longest query, our bounds are about mq 2/2 n for the basic CBC MAC and m o(1) q 2/2 n for the encrypted CBC MAC, improving prior bounds of m 2 q 2/2 n . The new bounds translate into improved guarantees on the probability of forging these MACs.


Random Function Structure Graph Message Authentication Code Cryptology ePrint Archive Fast Software Encryption 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. 1.
    Bellare, M., Goldreich, O., Mityagin, A.: The power of verification queries in message authentication and authenticated encryption. Cryptology ePrint Archive: Report 2004/309Google Scholar
  2. 2.
    Bellare, M., Kilian, J., Rogaway, P.: The security of the cipher block chaining message authentication code. Journal of Computer and System Sciences (JCSS) 61(3), 362–399 (2000); Earlier version in Crypto 1994 Google Scholar
  3. 3.
    Bellare, M., Pietrzak, K., Rogaway, P.: Improved security analyses for CBC MACs. Full version of this paper. Available via authors’ web pagesGoogle Scholar
  4. 4.
    Bellare, M., Rogaway, P.: The game-playing technique. Cryptology ePrint Archive: Report 2004/331Google Scholar
  5. 5.
    Berendschot, A., den Boer, B., Boly, J., Bosselaers, A., Brandt, J., Chaum, D., Damgård, I., Dichtl, M., Fumy, W., van der Ham, M., Jansen, C., Landrock, P., Preneel, B., Roelofsen, G., de Rooij, P., Vandewalle, J.: Final Report of Race Integrity Primitives. In: Bosselaers, A., Preneel, B. (eds.) RIPE 1992. LNCS, vol. 1007. Springer, Heidelberg (1995)Google Scholar
  6. 6.
    Berke, R.: On the security of iterated MACs. Diploma Thesis, ETH Zürich (August 2003)Google Scholar
  7. 7.
    Black, J., Rogaway, P.: CBC MACs for arbitrary-length messages: the three-key constructions. In: Bellare, M. (ed.) CRYPTO 2000. LNCS, vol. 1880, p. 197. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  8. 8.
    Dodis, Y.: Personal communication to K. Pietrzak (2004)Google Scholar
  9. 9.
    Dodis, Y., Gennaro, R., Håstad, J., Krawczyk, H., Rabin, T.: Randomness extraction and key derivation using the CBC, Cascade, and HMAC modes. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 494–510. Springer, Heidelberg (2004)Google Scholar
  10. 10.
    Hardy, G., Wright, E.: An Introduction to the Theory of Numbers. Oxford University Press, Oxford (1980)Google Scholar
  11. 11.
    Jaulmes, E., Joux, A., Valette, F.: On the security of randomized CBC-MAC beyond the birthday paradox limit: a new construction. In: Daemen, J., Rijmen, V. (eds.) FSE 2002. LNCS, vol. 2365, p. 237. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  12. 12.
    Kilian, J., Rogaway, P.: How to protect DES against exhaustive key search (an analysis of DESX). Journal of Cryptology 14(1), 17–35 (2001); Earlier version in Crypto 1996 Google Scholar
  13. 13.
    Maurer, U.: Indistinguishability of random systems. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, p. 110. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  14. 14.
    Dworkin, M.: National Institute of Standards and Technology, U.S. Department of Commerce. Recommendation for block cipher modes of operation: the CMAC mode for authentication. NIST Special Publication 800-38B (May 2005)Google Scholar
  15. 15.
    Petrank, E., Rackoff, C.: CBC MAC for real-time data sources. Journal of Cryptology 13(3), 315–338 (2000)zbMATHCrossRefMathSciNetGoogle Scholar
  16. 16.
    Shoup, V.: Sequences of games: a tool for taming complexity in security proofs. Cryptology ePrint report 2004/332 (2004)Google Scholar
  17. 17.
    Vaudenay, S.: Decorrelation over infinite domains: the encrypted CBC-MAC case. Communications in Information and Systems (CIS) 1, 75–85 (2001)zbMATHMathSciNetGoogle Scholar
  18. 18.
    Wegman, M., Carter, L.: New classes and applications of hash functions. In: Symposium on Foundations of Computer Science (FOCS), pp. 175–182 (1979)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2005

Authors and Affiliations

  • Mihir Bellare
    • 1
  • Krzysztof Pietrzak
    • 2
  • Phillip Rogaway
    • 3
    • 4
  1. 1.Dept. of Computer Science & EngineeringUniversity of California San DiegoLa JollaUSA
  2. 2.Dept. of Computer ScienceETH ZürichZürichSwitzerland
  3. 3.Dept. of Computer ScienceUniversity of CaliforniaDavisUSA
  4. 4.Dept. of Computer Science, Faculty of ScienceChiang Mai UniversityChiang MaiThailand

Personalised recommendations