A Tight Bound for EMAC
نویسنده
چکیده
We prove a new upper bound on the advantage of any adversary for distinguishing the encrypted CBC-MAC (EMAC) based on random permutations from a random function. Our proof uses techniques recently introduced in [BPR05], which again were inspired by [DGH04]. The bound we prove is tight — in the sense that it matches the advantage of known attacks up to a constant factor — for a wide range of the parameters: let n denote the block-size, q the number of queries the adversary is allowed to make and ` an upper bound on the length (i.e. number of blocks) of the messages, then for ` ≤ 2 and q ≥ ` the advantage is in the order of q/2 (and in particular independent of `). This improves on the previous bound of q` ln ln /2 from [BPR05] and matches the trivial attack (which thus is basically optimal) where one simply asks random queries until a collision is found.
منابع مشابه
Revisiting Structure Graph and Its Applications to CBC-MAC and EMAC
In Crypto’05, Bellare et al. proved O(`q/2) bound for the PRF (pseudorandom function) security of the CBC-MAC based on an n-bit random permutation Π, provided ` < 2. Here an adversary can make at most q prefix-free queries each having at most ` “blocks” (elements of {0, 1}). In the same paper O(`q/2) bound for EMAC (or encrypted CBC-MAC) was proved, provided ` < 2. Both proofs are based on stru...
متن کاملRevisiting structure graphs: Applications to CBC-MAC and EMAC
In Crypto’05, Bellare et al. proved an O(lq/2) bound for the PRF (pseudorandom function) security of the CBC-MAC based on an n-bit random permutation Π, provided l < 2. Here an adversary can make at most q prefix-free queries each having at most l many “blocks” (elements of {0, 1}). In the same paper an O(lq/2) bound for EMAC (or encrypted CBC-MAC) was proved, provided l < 2. Both proofs are ba...
متن کاملA bound for Feichtinger conjecture
In this paper, using the discrete Fourier transform in the finite-dimensional Hilbert space C^n, a class of nonRieszable equal norm tight frames is introduced and using this class, a bound for Fiechtinger Conjecture is presented. By the Fiechtinger Conjecture that has been proved recently, for given A,C>0 there exists a universal constant delta>0 independent of $n$ such that every C-equal...
متن کاملOn The Exact Security of Message Authentication Using Pseudorandom Functions
Traditionally, modes of Message Authentication Codes(MAC) such as Cipher Block Chaining (CBC) are instantiated using block ciphers or keyed Pseudo Random Permutations(PRP). However, one can also use domain preserving keyed Pseudo Random Functions(PRF) to instantiate MAC modes. The very first security proof of CBC-MAC [BKR00], essentially modeled the PRP as a PRF. Until now very little work has ...
متن کاملSharp Upper bounds for Multiplicative Version of Degree Distance and Multiplicative Version of Gutman Index of Some Products of Graphs
In $1994,$ degree distance of a graph was introduced by Dobrynin, Kochetova and Gutman. And Gutman proposed the Gutman index of a graph in $1994.$ In this paper, we introduce the concepts of multiplicative version of degree distance and the multiplicative version of Gutman index of a graph. We find the sharp upper bound for the multiplicative version of degree distance and multiplicative ver...
متن کامل