The CBC-MAC, or cipher block chaining message authentication code, is a well-known method to generate message authentication codes. Unfortunately, it is not forgery-secure over an arbitrary domain. There are several secure variants of CBC-MAC, among which OMAC (or one-key CBC-MAC) is a widely-used candidate. A simple variant of it, called CMAC, also has been recommended by NIST and is also used widely. Both OMAC and CMAC cost (s+1) blockcipher invocations to authenticate an s-block message, and it takes only one blockcipher key. In this paper we propose two secure and efficient variants of CBC-MAC. Our constructions cost only s block cipher encryptions to authenticate an s-block message, for all s?=?2. Moreover, GCBC2 needs only one block cipher encryption for almost all single block messages, and for all other single block messages, it costs two block cipher encryptions. We have also defined a class of generalized CBC-MAC constructions, and proved a sufficient condition for prf-security. In particular, we have provided an unified prf-security analysis of CBC-type constructions, e.g., XCBC, TMAC and our proposals GCBC1 and GCBC2.
The CBC-MAC, or cipher block chaining message authentication code, is a well-known method to generate message authentication codes. Unfortunately, it is not forgery-secure over an arbitrary domain. There are several secure variants of CBC-MAC, among which OMAC (or one-key CBC-MAC) is a widely-used...
See full abstract
The CBC-MAC, or cipher block chaining message authentication code, is a well-known method to generate message authentication codes. Unfortunately, it is not forgery-secure over an arbitrary domain. There are several secure variants of CBC-MAC, among which OMAC (or one-key CBC-MAC) is a widely-used candidate. A simple variant of it, called CMAC, also has been recommended by NIST and is also used widely. Both OMAC and CMAC cost (s+1) blockcipher invocations to authenticate an s-block message, and it takes only one blockcipher key. In this paper we propose two secure and efficient variants of CBC-MAC. Our constructions cost only s block cipher encryptions to authenticate an s-block message, for all s?=?2. Moreover, GCBC2 needs only one block cipher encryption for almost all single block messages, and for all other single block messages, it costs two block cipher encryptions. We have also defined a class of generalized CBC-MAC constructions, and proved a sufficient condition for prf-security. In particular, we have provided an unified prf-security analysis of CBC-type constructions, e.g., XCBC, TMAC and our proposals GCBC1 and GCBC2.
Hide full abstract
Keywords
CBC-MAC; OMAC; padding rule; prf-security
) or https:// don't prove our archive is authentic, only that you securely accessed it. Note that we are working to fix that :)
