Revisiting structure graphs: Applications to CBC-MAC and EMAC

Article Type

Research Article

Publication Title

Journal of Mathematical Cryptology

Abstract

In [2], Bellare, Pietrzak and Rogaway proved an O(lq2/2n)bound for the PRF (pseudorandom function) security of the CBC-MAC based on an n-bit random permutation II, provided 12n/3. Here an adversary can make at most q prefix-free queries each having at most l many "blocks" (elements of {0, 1}n). In the same paper an O(lo(1)qv/2n)bound for EMAC (or encrypted CBC-MAC) was proved, provided l2n/4. Both proofs are based on structure graphs representing all collisions among "intermediate inputs" to II during the computation of CBC. The problem of bounding PRF-advantage is shown to be reduced to bounding the number of structure graphs satisfying certain collision patterns. In the present paper, we show that [2, Lemma 10], stating an important result on structure graphs, is incorrect. This is due to the fact that the authors overlooked certain structure graphs. This invalidates the proofs of the PRF bounds. In [31], Pietrzak improved the bound for EMAC by showing a tight bound O(q2/2n)under the restriction that l2n/8. As he used the same flawed lemma, this proof also becomes invalid. In this paper,we have revised and sometimes simplified these proofs. We revisit structure graphs in a slightly different mathematical language and provide a complete characterization of certain types of structure graphs.Using this characterization,we show that PRF security of CBC-MAC is about oq/2n provided l2n/3 where is the total number of blocks in all queries. We also recover tight bound for PRF security of EMAC with a much relaxed constraint (l2n/4) than the original (l2n/8).

First Page

157

Last Page

180

DOI

10.1515/jmc-2016-0030

Publication Date

12-1-2016

Link to Full Text

Share

COinS