Security of the cipher block chaining message authentication code

Abstract

Let F be some block cipher (eg., DES) with block length l. The cipher block chaining message authentication code (CBC MAC) specifies that an m-block message x = x1···xm be authenticated among parties who share a secret key a for the block cipher by tagging x with a prefix of ym, where Y0 = 0l and yi = Fa(mi⊕yi-1) for i = 1, 2, ..., m. This method is a pervasively used international and U.S. standard. We provide its first formal justification, showing the following general lemma: cipher block chaining a pseudorandom function yields a pseudorandom function. Underlying our results is a technical lemma of independent interest, bounding the success probability of a computationally unbounded adversary in distinguishing between a random ml-bit to l-bit function and the CBC MAC of a random l-bit to l-bit function.