Decorrelation over Infinite Domains: The Encrypted CBC-MAC Case

Author

  • Serge Vaudenay
Abstract

Decorrelation theory has recently been proposed in order to address the security of block ciphers and other cryptographic primitives over a finite domain. We show here how to extend it to infinite domains, which can be used in the Message Authentication Code (MAC) case. In 1994, Bellare, Kilian and Rogaway proved that CBC-MAC is secure when the input length is fixed. This was extended by Petrank and Rackoff in 1997 to variable length. In this paper, we prove a result similar to Petrank and Rackoff's by using decorrelation theory. This leads to a slightly improved result and a more compact proof. The result is meant to be a general proving technique for security, which can be compared to the approach announced by Maurer at CRYPTO'99.

Decorrelation theory has recently been introduced (see references [17] to [22]). Its first aim was to address provable security in the area of block ciphers, in order to prove their security against differential [7] and linear cryptanalysis [10]. As a matter of fact, these techniques have also been used to prove Luby-Rackoff [9]-like pseudorandomness results in a way similar to Patarin's "coefficient H method" [14,15]. All previous cases, however, address random functions over a finite domain, which is not appropriate for MACs.

The CBC-MAC construction is well known for making Message Authentication Codes from a block cipher in Cipher Block Chaining mode. Namely, if $C$ is a permutation defined on the block space $\{0,1\}^m$, for a message $x = (m_1, \dots, m_\ell) \in (\{0,1\}^m)^\ell$ we define
$$\mathrm{MAC}(x) = C(C(\cdots C(m_1) + m_2 \cdots) + m_\ell),$$
where $+$ denotes the bitwise XOR on $\{0,1\}^m$. In 1994, Bellare, Kilian and Rogaway proved that if $C$ is a uniformly distributed random permutation, then for any integer $\ell$ and any distinguisher between MAC and a truly random function which is limited to $d$ queries, the advantage is less than $3 d^2 \ell^2 \, 2^{-m}$ [6].
This shows that no adaptive attack can forge a new valid $(x, \mathrm{MAC}(x))$ pair with a relevant probability unless the total number of known blocks $d\ell$ is of the order of $2^{m/2}$. This however holds only when all messages have the fixed length $\ell$. If the attacker is allowed to use messages of different lengths, it is easy to notice that for any message $x$ and any block $a$, the MAC of $x$ concatenated with the block $a + \mathrm{MAC}(x)$ is
$$\mathrm{MAC}(x, a + \mathrm{MAC}(x)) = C(a),$$
which does not depend on $x$ and allows forging a new authenticated message by replacing $x$ with any other message whose MAC is known. In 1997, Petrank and Rackoff addressed the case of DMAC, defined by
$$\mathrm{MAC}(x) = C_2(C_1(C_1(\cdots C_1(m_1) + m_2 \cdots) + m_\ell))$$
(see [16]). This construction claims no originality, since it is already suggested by several standards [2,3,4]; its security was however formally proved in [16] for the first time. If we replace $C_2$ by $C_2 \circ C_1^{-1}$ we can obviously remove the last $C_1$ application. We can thus consider the MAC defined by
$$\mathrm{MAC}(x) = C_2(C_1(\cdots C_1(m_1) + m_2 \cdots) + m_\ell),$$
which we call the "encrypted CBC-MAC" in the sequel. In this paper we give a security proof which differs from [16] and has a slightly improved reduction. Our proof also happens to be more compact (less than two pages long), thanks to the decorrelation theory tools. Our approach is also more general and can be applied to other schemes. In this way it can be compared to the information-theoretic general approach announced by Maurer at CRYPTO'99 [12].
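The CBC-MAC definition, the variable-length forgery $\mathrm{MAC}(x, a + \mathrm{MAC}(x)) = C(a)$ and the encrypted CBC-MAC fix, carried through as an added worked example that is not part of the paper: the keyed permutation $C$ is a 4-round Feistel network with HMAC-SHA256 round functions standing in for a block cipher (an assumption for illustration, not something the paper specifies), and the keys and 128-bit message blocks are constructed sample values. The attacker is given nothing but a MAC oracle; it queries $x$, $y$ and $x \,\|\, (a + \mathrm{MAC}(x))$ and outputs a tag for the never-queried message $y \,\|\, (a + \mathrm{MAC}(y))$.

```python
"""Added example (not from the paper): CBC-MAC over a keyed permutation C,
the variable-length forgery from the text, and the encrypted CBC-MAC fix.
The keyed permutation is an illustrative 4-round Feistel network with
HMAC-SHA256 round functions, a stand-in for a block cipher; the keys and
message blocks below are constructed sample values."""
import hashlib
import hmac
from typing import Callable, List

BLOCK = 16             # m = 128-bit blocks
HALF = BLOCK // 2
Message = List[bytes]  # x = (m_1, ..., m_l), each m_i in {0,1}^m


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(u ^ v for u, v in zip(a, b))


class KeyedPermutation:
    """C: {0,1}^128 -> {0,1}^128, a 4-round Feistel (Luby-Rackoff style)
    network whose round functions are HMAC-SHA256 truncated to 64 bits."""

    ROUNDS = 4

    def __init__(self, key: bytes) -> None:
        self.key = key

    def _f(self, rnd: int, half: bytes) -> bytes:
        return hmac.new(self.key, bytes([rnd]) + half, hashlib.sha256).digest()[:HALF]

    def encrypt(self, block: bytes) -> bytes:
        assert len(block) == BLOCK
        left, right = block[:HALF], block[HALF:]
        for rnd in range(self.ROUNDS):
            left, right = right, _xor(left, self._f(rnd, right))
        return left + right

    def decrypt(self, block: bytes) -> bytes:
        assert len(block) == BLOCK
        left, right = block[:HALF], block[HALF:]
        for rnd in reversed(range(self.ROUNDS)):
            left, right = _xor(right, self._f(rnd, left)), left
        return left + right


def cbc_mac(C: KeyedPermutation, x: Message) -> bytes:
    """MAC(x) = C(C(...C(m_1) + m_2 ...) + m_l), '+' being XOR on {0,1}^m."""
    state = bytes(BLOCK)
    for m in x:
        state = C.encrypt(_xor(state, m))
    return state


def encrypted_cbc_mac(C1: KeyedPermutation, C2: KeyedPermutation, x: Message) -> bytes:
    """MAC(x) = C2(C1(...C1(m_1) + m_2 ...) + m_l): the CBC chain under C1
    with the final C1 application dropped, then one independent C2."""
    state = bytes(BLOCK)
    for m in x[:-1]:
        state = C1.encrypt(_xor(state, m))
    return C2.encrypt(_xor(state, x[-1]))


def extension_forgery(mac: Callable[[Message], bytes], x: Message, y: Message, a: bytes):
    """Attacker with oracle access only. Queries x, y and x || (a + MAC(x)),
    then outputs (y || (a + MAC(y)), tag) for the never-queried message.
    Against plain CBC-MAC both extended messages have tag C(a), so the
    forgery verifies; against encrypted CBC-MAC the inner C1-states do not
    cancel against the C2-encrypted tags, so the same trick fails."""
    tx, ty = mac(x), mac(y)
    tag = mac(x + [_xor(a, tx)])
    forged = y + [_xor(a, ty)]
    return forged, tag


def run_demo() -> dict:
    # Constructed sample keys and 16-byte blocks.
    C, C1, C2 = (KeyedPermutation(k) for k in (b"key-C", b"key-C1", b"key-C2"))
    x = [b"message block 01", b"message block 02"]
    y = [b"another block 01"]
    a = b"attacker block A"
    forged_cbc, tag_cbc = extension_forgery(lambda m: cbc_mac(C, m), x, y, a)
    forged_e, tag_e = extension_forgery(lambda m: encrypted_cbc_mac(C1, C2, m), x, y, a)
    return {
        "cbc_forgery_valid": cbc_mac(C, forged_cbc) == tag_cbc,
        "cbc_tag_is_C_of_a": tag_cbc == C.encrypt(a),
        "emac_forgery_valid": encrypted_cbc_mac(C1, C2, forged_e) == tag_e,
    }


if __name__ == "__main__":
    for name, ok in run_demo().items():
        print(f"{name}: {ok}")
```

Note that the attack needs no knowledge of $C$: the forged tag is simply the answer to the third oracle query, and the check `cbc_tag_is_C_of_a` only confirms the identity $\mathrm{MAC}(x, a + \mathrm{MAC}(x)) = C(a)$ from the text. The failure of the same three queries against the encrypted variant is what the fixed-length restriction of the 1994 bound, and the later variable-length proofs, are about; it is not itself a proof of security.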


Similar references

Improved Security Analyses for CBC MACs

We present an improved bound on the advantage of any q-query adversary at distinguishing between the CBC MAC over a random n-bit permutation and a random function outputting n bits. The result assumes that no message queried is a prefix of any other, as is the case when all messages to be MACed have the same length. We go on to give an improved analysis of the encrypted CBC MAC, where there is ...

On the Security of Randomized CBC-MAC Beyond the Birthday Paradox Limit: A New Construction

In this paper, we study the security of randomized CBC-MACs and propose a new construction that resists birthday paradox attacks and provably reaches full security. The size of the MAC tags in this construction is optimal, i.e., exactly twice the block size of the block cipher. Up to a constant, the security of the proposed randomized CBC-MAC using an n-bit block cipher is the same as the security ...

On The Exact Security of Message Authentication Using Pseudorandom Functions

Traditionally, modes of Message Authentication Codes (MAC) such as Cipher Block Chaining (CBC) are instantiated using block ciphers or keyed Pseudo Random Permutations (PRP). However, one can also use domain-preserving keyed Pseudo Random Functions (PRF) to instantiate MAC modes. The very first security proof of CBC-MAC [BKR00] essentially modeled the PRP as a PRF. Until now very little work has ...

Revisiting Structure Graph and Its Applications to CBC-MAC and EMAC

In Crypto'05, Bellare et al. proved an $O(\ell q^2/2^n)$ bound for the PRF (pseudorandom function) security of the CBC-MAC based on an n-bit random permutation $\Pi$, provided $\ell < 2^{n/3}$. Here an adversary can make at most $q$ prefix-free queries each having at most $\ell$ "blocks" (elements of $\{0,1\}^n$). In the same paper an $O(\ell^{o(1)} q^2/2^n)$ bound for EMAC (or encrypted CBC-MAC) was proved, provided $\ell < 2^{n/4}$. Both proofs are based on stru...

A New Mode of Operation for Block Ciphers and Length-Preserving MACs

We propose a new mode of operation, enciphered CBC, for domain extension of length-preserving functions (like block ciphers), which is a variation on the popular CBC mode of operation. Our new mode is twice as slow as CBC, but has many (property-preserving) properties not enjoyed by CBC and other known modes. Most notably, it yields the first constant-rate Variable Input Length (VIL) MAC from ...


Publication date: 2000