Constructing VIL-MACsfrom FIL-MACs: Message Authentication under Weakened Assumptions

Many practical MACs are designed by iterating applications of some xed-input-length (FIL) primitive, namely one like a block cipher or compression function that only applies to data of a xed length. Existing security analyses of these constructions either require a stronger security property from the FIL primitive (eg. pseudorandomness) than the unforgeability required of the nal MAC, or, as in the case of HMAC, make security assumptions about the iterated function itself. In this paper we consider the design of iterated MACs under the (minimal) assumption that the given FIL primitive is itself a MAC. We look at three popular transforms, namely CBC, Feistel and the Merkle-Damg ard method, and ask for each whether it preserves unforgeability. We show that the answer is no in the rst two cases and yes in the third. The last yields an alternative cryptographic hash function based MAC which is secure under weaker assumptions than existing ones.