We prove a new upper bound on the advantage of any adversary for distinguishing the encrypted CBC-MAC (EMAC) based on random permutations from a random function. Our proof uses techniques recently introduced in [BPR05], which again were inspired by [DGH+04]. The bound we prove is tight (in the sense that it matches the advantage of known attacks up to a constant factor) for a wide range of the parameters: let $n$ denote the block-size, $q$ the number of queries the adversary is allowed to make and $\ell$ an upper bound on the length (i.e. number of blocks) of the messages, then for $\ell \le 2^{n/8}$ and $q \ge \ell^2$ the advantage is in the order of $q^2/2^n$ (and in particular independent of $\ell$). This improves on the previous bound of $q^2 \ell^{\Theta(1/\ln\ln\ell)}$ from [BPR05] and matches the trivial attack (which thus is basically optimal) where one simply asks random queries until a collision is found. © Springer-Verlag Berlin Heidelberg 2006.
CITATION STYLE
Pietrzak, K. (2006). A tight bound for EMAC. In Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) (Vol. 4052 LNCS, pp. 168–179). Springer Verlag. https://doi.org/10.1007/11787006_15
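The collision event behind the $q^2/2^n$ term in the abstract above can be measured on a toy instance. The following is an added example, not code from the paper: it assumes a 16-bit block, lazily sampled random permutations standing in for the two keyed permutations, and hypothetical helper names, and it estimates how often $q$ EMAC tags on random messages collide for $\ell = 2$ and $\ell = 4$.

```python
import random

N_BITS = 16                # toy block size n (assumption; real ciphers use 64 or 128)
SIZE = 1 << N_BITS

class LazyPermutation:
    """Uniformly random permutation on n-bit blocks, sampled point by point."""
    def __init__(self, rng):
        self.rng, self.fwd, self.used = rng, {}, set()

    def __call__(self, x):
        if x not in self.fwd:
            y = self.rng.randrange(SIZE)
            while y in self.used:          # reject outputs already assigned
                y = self.rng.randrange(SIZE)
            self.used.add(y)
            self.fwd[x] = y
        return self.fwd[x]

def emac(p1, p2, blocks):
    """CBC-MAC chain under p1 (zero IV), then one extra application of p2."""
    state = 0
    for block in blocks:
        state = p1(state ^ block)
    return p2(state)

def tags_collide(rng, q, length):
    """Tag q distinct random messages of `length` blocks under fresh p1, p2."""
    p1, p2 = LazyPermutation(rng), LazyPermutation(rng)
    messages, tags = set(), set()
    while len(messages) < q:
        msg = tuple(rng.randrange(SIZE) for _ in range(length))
        if msg in messages:
            continue
        messages.add(msg)
        tags.add(emac(p1, p2, msg))
    return len(tags) < q

def collision_rate(q, length, trials=400, seed=2006):
    """Fraction of independent key pairs for which some two tags coincide."""
    rng = random.Random(seed)
    return sum(tags_collide(rng, q, length) for _ in range(trials)) / trials

def birthday_estimate(q):
    """Expected number of colliding pairs, q(q-1)/2^(n+1), i.e. order q^2/2^n."""
    return q * (q - 1) / 2 ** (N_BITS + 1)

if __name__ == "__main__":
    for length in (2, 4):                  # both satisfy l <= 2^(n/8) = 4, q >= l^2
        print(length, collision_rate(128, length), birthday_estimate(128))
```

Both measured rates sit near the birthday estimate regardless of message length, which is why the number of messages authenticated under one key is kept well below $2^{n/2}$.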