The Security of the Cipher Block Chaining Message Authentication Code

Abstract

Let $F$ be some block cipher (e.g., DES) with block length $l$. The cipher block chaining message authentication code (CBC MAC) specifies that an $m$-block message $x = x_1 \ldots x_m$ be authenticated among parties who share a secret key $a$ for the block cipher by tagging $x$ with a prefix of $y_m$, where $y_0 = 0^l$ and $y_i = F_a(m_i \oplus y_{i-1})$ for $i = 1, 2, \ldots, m$. This method is a pervasively used international and U.S. standard. We provide its first formal justification, showing the following general lemma: cipher block chaining a pseudorandom function yields a pseudorandom function. Underlying our results is a technical lemma of independent interest, bounding the success probability of a computationally unbounded adversary in distinguishing between a random $ml$-bit to $l$-bit function and the CBC MAC of a random $l$-bit to $l$-bit function.
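The construction defined in the abstract, as an added Python example (not code from the paper or its authors). Assumptions: $F_a$ is a stand-in keyed function built from truncated HMAC-SHA256 rather than DES, $l$ is 64 bits, message blocks are written `x_i`, and the names `prf`, `cbc_mac`, `verify`, `KEY` and `MSG` are hypothetical.

```python
import hashlib
import hmac

L_BYTES = 8  # block length l = 64 bits (the DES block size); assumption


def prf(key: bytes, block: bytes) -> bytes:
    """F_a: keyed l-bit to l-bit function (stand-in: truncated HMAC-SHA256)."""
    if len(block) != L_BYTES:
        raise ValueError("PRF input must be exactly one block")
    return hmac.new(key, block, hashlib.sha256).digest()[:L_BYTES]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(a, b))


def cbc_mac(key: bytes, msg: bytes, m: int, tag_len: int = L_BYTES) -> bytes:
    """Tag an m-block message with a tag_len-byte prefix of y_m."""
    # The abstract states the result for m-block messages, so the length
    # is fixed per key here and anything else is refused.
    if len(msg) != m * L_BYTES:
        raise ValueError("message must be exactly m blocks")
    if not 1 <= tag_len <= L_BYTES:
        raise ValueError("tag must be a non-empty prefix of y_m")
    y = bytes(L_BYTES)  # y_0 = 0^l
    for i in range(m):
        x_i = msg[i * L_BYTES:(i + 1) * L_BYTES]
        y = prf(key, xor(x_i, y))  # y_i = F_a(x_i XOR y_{i-1})
    return y[:tag_len]


def verify(key: bytes, msg: bytes, m: int, tag: bytes) -> bool:
    """Recompute the tag and compare in constant time."""
    try:
        expected = cbc_mac(key, msg, m, len(tag))
    except ValueError:
        return False  # wrong message length or unusable tag length
    return hmac.compare_digest(expected, tag)


# Constructed sample values, for illustration only.
KEY = b"constructed-demo-key"
MSG = b"block-01block-02block-03"  # m = 3 blocks of 8 bytes

if __name__ == "__main__":
    tag = cbc_mac(KEY, MSG, m=3)
    print(tag.hex(), verify(KEY, MSG, 3, tag))
```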

Review history: Received 23 June 1997, Revised 8 August 1999, Available online 25 May 2002.

Official paper URL: https://doi.org/10.1006/jcss.1999.1694