.1 Attacks on Message Authentication Schemes

• a tagging algorithm Tag : {0, 1}∗ × {0, 1}∗ → {0, 1}∗ that maps a pair consisting of a key K and messageM to a tag σ = TagK(M) = Tag(K,M). • a verification algorithm V erify : {0, 1}∗×{0, 1}∗×{0, 1}∗ → {0, 1} that takes a keyK, a messageM , and a string σ and produces a bit of output. We require that V erifyK(M,σ) = V erify(K,M, σ) if and only if σ is a possible output of TagK(M). For K ∈ {0, 1}, our definitions assume that TagK : {0, 1}∗ → {0, 1}∗. We also allow restricted authentication schemes in which keys of a given size can only be used to authenticate messages of up to a given size. An L(k) → `(k)-message authentication scheme is one in which for each k, Tag : {0, 1} × {0, 1} → {0, 1}. A message authemtication code is a special case of a message authentication scheme in which the algorithm Tag is deterministic and V erifyK(M,σ) simply evaluates the predicate “σ = TagK(M)”. We usually writeMACK(M) instead of TagK(M).