The Security of the Cipher Block Chaining Message Authentication Code

Let F be some block cipher (eg., DES) with block length l. The Cipher Block Chaining Message Authentication Code (CBC MAC) speci es that an m-block message x = x1 xm be authenticated among parties who share a secret key a for the block cipher by tagging x with a pre x of ym, where y0 = 0 l and yi = Fa(mi yi 1) for i = 1; 2; : : : ;m. This method is a pervasively used international and U.S. standard. We provide its rst formal justi cation, showing the following general lemma: cipher block chaining a pseudorandom function yields a pseudorandom function. Underlying our results is a technical lemma of independent interest, bounding the success probability of a computationally unbounded adversary in distinguishing between a randomml-bit to l-bit function and the CBC MAC of a random l-bit to l-bit function. Department of Computer Science & Engineering, University of California at San Diego, 9500 Gilman Drive, La Jolla, California 92093, USA. E-Mail: [email protected]. URL: http://www-cse.ucsd.edu/users/mihir. Supported by NSF CAREER Award CCR-9624439 and a Packard Foundation Fellowship in Science and Engineering. y NEC Research Institute, 4 Independence Way, Princeton, New Jersey 08540, USA. Email: [email protected]. z Department of Computer Science, University of California at Davis, Davis, CA 95616, USA. Email: [email protected]. URL: http://wwwcsif.cs.ucdavis.edu/~rogaway. Supported by NSF CAREER Award CCR-9624560.