On the Security of Randomized CBC-MAC Beyond the Birthday Paradox Limit: A New Construction

  • Éliane Jaulmes
  • Antoine Joux
  • Frédéric Valette
Conference paper, Fast Software Encryption (FSE 2002)
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2365)


In this paper, we study the security of randomized CBC-MACs and propose a new construction that resists birthday paradox attacks and provably reaches full security. The size of the MAC tags in this construction is optimal, i.e., exactly twice the block size of the underlying block cipher. Up to a constant, the security of the proposed randomized CBC-MAC using an n-bit block cipher is the same as the security of the usual encrypted CBC-MAC using a 2n-bit block cipher. Moreover, this construction adds a negligible computational overhead compared to the cost of a plain, non-randomized CBC-MAC. We give a full proof in the standard model for the construction using one pass of a block cipher with 2n-bit keys; for block ciphers with n-bit keys there is also a proof in the random oracle model.
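The abstract's claim is that the classic birthday-bound forgery on CBC-MAC stops working once the tag is randomized and doubled in size. The following is an added example, not code from the paper: it runs the textbook collision-plus-extension forgery against a plain CBC-MAC and then the very same attack against a randomized encrypted CBC-MAC with a 2n-bit tag. The shape of the randomized MAC used here, (R, E_{K2 xor R}(CBC_{K1}(M))) with a fresh random n-bit R per tag, is an assumption for illustration and is not stated on the page; the toy block cipher, the 24-bit block size, the n-bit keys and the constants are likewise assumptions chosen so that a 2^(n/2)-query attack runs in under a second.

```python
"""Birthday-bound forgery against plain CBC-MAC, and the same attack run
against a randomized MAC with a 2n-bit tag, on a toy 24-bit block cipher.

Added example, not code from the paper.  Assumed (not stated on the page):
the randomized MAC is (R, E_{K2 xor R}(CBC_{K1}(M))) with a fresh random
n-bit R per tag; keys are n bits here so the attack is cheap to run.
"""
import hashlib
import random

N = 24                       # toy block size n (bits); 2^(n/2) = 4096
HALF = N // 2
HALF_MASK = (1 << HALF) - 1


def E(key: int, x: int) -> int:
    """Toy n-bit block cipher: 4-round Feistel with SHA-256 round functions.
    A permutation for every key, which is all the demonstration needs."""
    l, r = x >> HALF, x & HALF_MASK
    kb = key.to_bytes(N // 8, "big")
    for rnd in range(4):
        digest = hashlib.sha256(kb + bytes([rnd]) + r.to_bytes(2, "big")).digest()
        l, r = r, l ^ (int.from_bytes(digest[:2], "big") & HALF_MASK)
    return (l << HALF) | r


def cbc_chain(k1: int, blocks) -> int:
    """CBC chaining value (zero IV; a message is a tuple of n-bit blocks)."""
    v = 0
    for b in blocks:
        v = E(k1, v ^ b)
    return v


def cbc_mac(k1: int, blocks) -> int:
    """Plain CBC-MAC: the n-bit chaining value itself is the tag."""
    return cbc_chain(k1, blocks)


def rand_mac(k1: int, k2: int, blocks, rng=None):
    """Randomized encrypted CBC-MAC (assumed shape): fresh n-bit R, final
    encryption under K2 xor R, tag = (R, T) of 2n bits.  rng is injectable
    only so the demo is reproducible; the default is a system CSPRNG."""
    r = (rng or random.SystemRandom()).getrandbits(N)
    return r, E(k2 ^ r, cbc_chain(k1, blocks))


def rand_mac_verify(k1: int, k2: int, blocks, tag) -> bool:
    r, t = tag
    return E(k2 ^ r, cbc_chain(k1, blocks)) == t


def attack_plain(k1: int, queries: int, seed: int = 1):
    """Birthday forgery: after ~2^(n/2) chosen-message queries two distinct
    two-block messages M1, M2 share a tag, hence a chaining value; then
    MAC(M1||X) = MAC(M2||X), so the tag queried for M1||X is a forgery on
    the never-queried M2||X.  Returns (forged_message, tag) or None."""
    rng = random.Random(seed)
    seen = {}
    for _ in range(queries):
        m = (rng.getrandbits(N), rng.getrandbits(N))
        t = cbc_mac(k1, m)                      # one chosen-message query
        if t in seen and seen[t] != m:
            x = 0xABCDEF                        # any extension block
            return m + (x,), cbc_mac(k1, seen[t] + (x,))
        seen[t] = m
    return None


def attack_randomized(k1: int, k2: int, queries: int, seed: int = 1):
    """Same strategy against the randomized MAC.  The T components still
    collide at the birthday rate, but each T is encrypted under a different
    key K2 xor R, so a T collision says nothing about the chaining values
    and the extension forgery fails except with probability about 2^-n.
    Returns (tag_collisions_seen, forgeries_that_verified)."""
    rng, mac_rng = random.Random(seed), random.Random(seed + 1)
    seen, collisions, successes = {}, 0, 0
    for _ in range(queries):
        m = (rng.getrandbits(N), rng.getrandbits(N))
        r, t = rand_mac(k1, k2, m, mac_rng)
        if t in seen and seen[t] != m:
            collisions += 1
            x = 0xABCDEF
            forged = rand_mac(k1, k2, seen[t] + (x,), mac_rng)
            successes += rand_mac_verify(k1, k2, m + (x,), forged)
        seen[t] = m
    return collisions, successes


if __name__ == "__main__":
    k1, k2 = 0x123456, 0x9ABCDE
    fm, ft = attack_plain(k1, 1 << 15)
    print("plain CBC-MAC forgery verifies:", cbc_mac(k1, fm) == ft)
    print("randomized MAC (collisions, forgeries):", attack_randomized(k1, k2, 1 << 15))
```

With 2^15 queries the plain attack finds a colliding pair with overwhelming probability and its forgery verifies; the randomized run sees a comparable number of T collisions but none of them yields a verifying forgery, because an observable collision no longer implies a collision of the hidden chaining value. That is the mechanism behind the abstract's "resists birthday paradox attacks": the attacker must now find a collision on the full 2n-bit tag, which costs roughly 2^n work, matching the abstract's comparison with an encrypted CBC-MAC on a 2n-bit block cipher.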


Keywords: hash function, random permutation, block cipher, message authentication code, random oracle model


Copyright information

© Springer-Verlag Berlin Heidelberg 2002

Authors and Affiliations

  • Éliane Jaulmes (1)
  • Antoine Joux (1)
  • Frédéric Valette (1)

  1. DCSSI Crypto Lab, Issy-les-Moulineaux