CSA E0 235: Cryptography (19 Mar 2015)

CBC-MAC
Instructor: Arpita Patra Submitted by: Bharath Kumar , KS Tanwar

1 Overview
In this lecture, we will explore Cipher Block Chaining - Message Authentication Code (CBC-
MAC) which is a standardized MAC widely used in practice. We will see construction of
a basic version of CBC-MAC which is secure when authenticating messages of any fixed
length. We will highlight why such MAC is insecure for arbitrary-length messages, discuss
ways to handle it and also prove security of such variants of CBC-MAC.

2 Construction of Basic CBC-MAC

The schematic representation of basic version of CBC-MAC constructed using a pseudo-
random function (PRF) F is illustrated below. This version is secure when authenticating
messages of any fixed length, however it is not secure in cases when messages of different
lengths need to be authenticated.

Fig 2.1: Basic CBC-MAC for fixed length messages

Q
The construction of basic CBC-MAC, = (Gen, M ac, V rf y) as illustrated in Fig 2.1 using
PRF F and a fixed length function l > 0 is as follows:-

1. Gen : It takes as input the security parameter 1n and outputs a key k with |k| = n.
2. M ac : On input a key k ∈ {0, 1}n and a message m of length l(n) · n, does the
following:-

(a) Parse m as m = m1 , ..., ml where each mi is of length n.

(b) Set t0 := 0n . Then, for i = 1 to l, set ti := Fk (ti−1 ⊕ mi ).
Output tl as the tag.

3. V rf y : On input a key k ∈ {0, 1}n , a message m, a tag t; outputs 1 if and only if

t = M ack (m) and m is of length l(n).n. Otherwise, it outputs 0.

3-1
3 CBC-MAC vs. CBC-mode Encryption
Following are the salient differences between CBC-MAC as illustrated at Fig 2.1 above and
CBC-mode of encryption:-

1. CBC-mode encryption uses a random IV for security. However, CBC-MAC uses no

IV (can be viewed as using the fixed IV = 0n ). Moreover, if CBC-MAC uses a
random IV , it will not be secure. This is so because if we XOR the first block with
random IV before it first comes into contact with the block cipher, then changing
only the first block together with a corresponding change in IV may yield into same
authentication tag as earlier, thus breaking the CBC-MAC scheme. Additionally, we
have to transfer one extra block of data that results with M AC = (IV, t). Also, if the
IV is fixed as 0 (or some other constant), there is no way for the attacker to change
it together with the first block.

2. In CBC-mode encryption all intermediate values ci (equivalent to ti in CBC-MAC) are

output by the encryption algorithm as part of the ciphertext, whereas in CBC-MAC
only the final block is output as the tag.

4 Failure of basic CBC-MAC for arbitrary length messages

Following simple MAC forgery attack demonstrates why basic CBC-MAC is not secure
against arbitrary length messages:-

• Choose an arbitrary one block message, m ∈ X.

• Request tag t = Fk (m) for message m.

• Output t as the forged tag for new 2 block message, m0 = (m||t ⊕ m). Clearly,
CBCk (m, t ⊕ m) = Fk (Fk (m) ⊕ (t ⊕ m)) = Fk (t ⊕ t ⊕ m) = Fk (m) = t

As a valid forged message tag pair, (m0 , t) could be generated, we conclude that basic
CBC-MAC is not secure against arbitrary length messages.

5 Variants of CBC-MAC for arbitrary length messages

CBC-MAC can be modified in many ways to handle arbitrary length messages. We intro-
duce two such ways (concepts) that can be used as such or built upon to generate more
efficient schemes.

1. Utilize two independent uniform keys, k1 , k2 ∈ {0, 1}n . First compute basic CBC-
MAC of message m using k1 to obtain tag t0 and then compute final tag, t := Fk2 (t0 ).

2. Prepend the message m with its length |m| (encoded as an n-bit string), and then
compute basic CBC-MAC on the resulting message. We however note that appending
|m| to the end of the message and then computing basic CBC-MAC is not secure. We
illustrate a possible attack over such construction in succeeding section.

3-2
6 Failure of CBC-MAC construction having length of mes-
sage appended to it
Following MAC forgery attack utilizing ’mix and match’ attack methodology demonstrates
why the variant of basic CBC-MAC having length |m| of message m appended to it is still
insecure in handling arbitrary length messages:-

• Let t1 be the tag of message m1 = AAA4B6. We note that the length of message 0 60
has been appended to it.

• Similarly let t2 be the tag of message AAA4, and t3 be the tag of message CCC4.

• Let D := t2 ⊕ t3 .

• Also, E := B ⊕ D = B ⊕ t2 ⊕ t3

• We now output t1 as a valid tag for message m0 = CCC4E6. Clearly, while calculating
CBC-MAC value of m0 , we get intermediate tag value, t3 for CCC4 which further
evaluates to = t3 ⊕ E = t3 ⊕ B ⊕ t2 ⊕ t3 = t2 ⊕ B, which appended with message
length, 6 equates to t2 ⊕ B6 that yield same tag value as t1 .

Thus, a forged valid message tag pair can be generated for such scheme. However, such
attack cannot be done if message length, |m| is prepended with the message. This scheme
has a drawback that the message length needs to be known apriori.

7 Security proof of basic CBC-MAC

We first define that a set of strings P ⊂ ({0, 1}n )∗ is prefix-free if it does not contain the
empty string, and no string X ∈ P is a prefix of any other string X 0 ∈ P . We also observe
from forgery attacks illustrated at Sections 4 and 6 above that the basic CBC-MAC
and its variants are essentially secure against fixed length and arbitrary length messages
respectively if the set of inputs on which they are queried is prefix free.
If we fix the length of message l, we get the set of legal messages ∈ {0, 1}l(n)n . Since,
one string cannot be a prefix of a different string of the same length, it is trivially implied
that basic CBC-MAC is secure for messages of any fixed length. Towards this, we thus
state the following theorem:

Theorem 1 Let l be a polynomial. If F is a PRF, then construction given at section 2 for

basic CBC-MAC is a secure MAC for messages of length nl(n).

A trivial generalization statement supporting the above theorem has been specified
above. However, to establish it rigorously, we need to establish Theorem 8.1 which also
guarantees that the variants of CBC-MAC listed at Section 5 are also secure for arbitrary
length messages.

3-3
8 Security proof of variants of CBC-MAC
Theorem 2 If F is a PRF, then CBC is a PRF as long as the set of inputs on which it is
queried is prefix-free. Formally, for all probabilistic polynomial time (p.p.t.) distinguishers
D that query their oracle on a prefix-free set of inputs, there is a negligible function negl()
such that
| Pr[DCBCk (.) (1n ) = 1] − |P r[Df (.) (1n ) = 1] ≤ negl(n) (1)
where k is chosen uniformly from {0, 1}n and f is chosen uniformly from the set of functions
mapping ({0, 1}n )∗ to {0, 1}n (i.e., the value of f at each input is uniform and independent
of the values of f at all other inputs).

Proof

1. We start with the proof of security by assuming that the set of inputs to CBCk (.)
contains prefix free strings. In other words if m1 and m2 are two input messages to
CBCk (.), if |m1 | < |m2 | then m1 should not be prefix of m2 and if |m2 | < |m1 | then
m2 should not be prefix of m1 .

2. In proving the theorem, we analyze CBC when it is ’keyed’ with a random function g
rather than a random key k for some underlying PRF F . We will thus write CBCg (.)
instead of CBCk (.) to reflect this change. That is, we consider the keyed function
CBCg (.) defined as

CBCg (x1 , ..., xl ) = g(g(. . . g(g(x1) ⊕ 2)⊕. . . ) ⊕ xl

where, for security parameter n, the function g maps n-bit input to n-bit output, and
|x1 | =. . . = |xl | = n.

3. Claim 8.1: Fix any n ≥ 1. For all distinguishers D that query their Oracle on a
prefix-free set of q inputs, where the longest such input contains l blocks, it holds that:

q 2 l2
|P r[DCBCg (.) (1n ) = 1] − |P r[Df (.) (1n ) = 1] ≤ (2)
2n
where g is chosen uniformly from F uncn , and f is chosen uniformly from the set of
functions mapping ({0, 1}n )∗ to {0, 1}n .

4. Proof of Claim 8.1: To prove this (Equation 2), we define a notion of smoothness
and prove that CBC is smooth; we then show that smoothness implies this claim. Let
P = {X1 , . . . , Xq } be a prefix free set of q inputs, where each Xi is in ({0, 1}n )∗ and
the longest string in P contains l blocks. Note that ∀t1 , . . . tq ∈ {0, 1}n , it holds that

P r[∀i : f (Xi ) = ti ] = 2−nq

where the probability is over uniform choice of g. The argument in succeeding

paras would assert that CBC is indeed smooth and in turn prove Claim 8.1.
q 2 l2
5. Claim 8.2: CBCg is (q, l, δ) smooth, for δ = 2−n
.

3-4
6. Proof of Claim 8.2: For any X ∈ ({0, 1}n )∗ , with X = x1 , ... and xi ∈ {0, 1}n ,
let Cg (X) denote the set of inputs on which g is evaluated during the computation of
CBCg (X); i.e.,

Cg (X) = (x1 , CBCg (x1 ) ⊕ x2 , . . . , CBCg (x1 , . . . , xm−1 ) ⊕ xm )

For X, X 0 ∈ ({0, 1}n )m , with Cg (X) = (I1 , ..., Im ) and Cg (X 0 ) = (I10 , ..., Im0 ), say there

is a non trivial collision in X if Ii = Ij for some i 6= j, and say there is a non trivial
collision between X and X 0 if Ii = Ij0 but (x1 , ..., xi ) 6= (x01 , ..., x0i ) (in this latter case
i may equal j).
We prove Claim 8.2 in two steps. First, we show that if no trivial collision occurs,
CBCg (Xi ) = ti for all i is exactly 2−nq . Next, we show that the probability that
there is a non trivial collision in P is less than δ = q 2 l2 .2−n

(a) Step I: Let Coll be the event that there is a non-trivial collision in P , i.e. in
some X ∈ P or between some pair of strings X, X 0 ∈ P . A non trivial collision
between two strings X, X 0 ∈ P can be determined by first choosing the values
of g(I1 ) and g(I10 ), and continuing in this way until we choose values of g(Im−1 )
0
and g(Im−1 ). In particular, we need not choose values of g(Im ) and g(Im 0 ) or

else X = X 0 . It is thus possible to determine whether Coll occurs by choosing

the values of g on all but final entries of each of Cg (X1 ), ..., Cg (Xq ) for q queries.
Assuming Coll has not occurred, the result is immediate that final entries in each
of Cg (X1 ), ..., Cg (Xq ) are distinct. Since, g is a random function, it implies that
CBCg (X1 ), ..., CBCg (Xq ) are uniform and independent of each other as well as
other values of g that have already been fixed. Thus, for any t1 , ..., tq ∈ {0, 1}n
we have
P r[∀i : CBCg (Xi ) = ti | Coll] = 2−nq (3)

(b) Step II: We next show that Coll occurs with high probability by upper bounding
P r[Coll]. For distinct Xi , Xj ∈ P , let Colli,j denote the event that there is a
non trivial collision in X or X 0 , or a non-trivial collision between X and X 0 . We
have Coll = ∨i,j Colli,j and so a union bound gives

q2
 
X q
P r[Coll] ≤ P r[Colli,j ] = P r[Colli,j ] = P r[Colli,j ] ≤ . P r[Colli,j ]
2 2
i,j:i<j
(4)
Now let X = (x1 , ..., xl ) and X0 (x01 , ..., x0l )
= and let t be the largest integer such
that (x1 , ..., xt ) = (x01 , ..., x0t ). Computation of g on these fields yields (I1 . . . . It )
= (I10 . . . . It0 ). We fix the values of g in following 2l − 2 steps:-

i. Steps 1 through t − 1 (if t > 1): In each step i, choose a uniform value
0
for g(Ii ), thus defining Ii+1 and Ii+1 (which are equal).
0 .
ii. Step t: Choose a uniform value for g(It ), thus defining It+1 and It+1

3-5
iii. Steps t + 1 to l − 1 (if t < l − 1): Choose, in turn, uniform values for each
of g(It+1 ), g(It+2 ), ..., g(Il−1 ), thus defining It+2 , Ii+3 , ..., Il .

iv. Steps l to 2l − 2 (if t < l − 1): Choose, in turn, uniform values for each
0 ), ..., g(I 0 ), thus defining I 0 , I 0 , ..., I 0 .
of g(It+1 ), g(It+2 l−1 t+2 t+3 l

Let Coll(k) be the event that a non-trivial collision occurs by step k. Then,
2l−2
X
P r[Colli,j ] = P r[∨k Coll(k)] ≤ P r[Coll(1)]+ P r[Coll(k) | Coll(k − 1)] (5)
k=2

For k < t, we claim P r[Coll(k) | Coll(k − 1)] = k/2n because if no collision

has occured by step k − 1, then g(Ik ) is chosen uniformly in step k. Also, a
non trivial collision occurs only if it happens that Ik=1 = g(Ik ) ⊕ xk+1 is equal
to one of {I1 , ..., Ik } which are all distinct. Similarly, for k > t, we have that
P r[Coll(k) | Coll(k − 1)] = (k + 1)/2n . By similar reasoning, we have that
P r[Coll(t) | Coll(t − 1)] = 2t/2n . Using equation (5), we have
t−1 2l−2
!
X X
−n
P r[Colli,j ] ≤ 2 . k + 2t + (k + 1)
k=1 k=t+1
2l−1
X (6)
= 2−n . k
k=2
= 2−n . (2l + 1). (l − 1) < 2l2 . 2−n

From (4) and (6), we get

q 2 l2
P r[Coll] < = δ. (7)
2n
Using (3) and (7), we get

P r[∀i : CBCg (Xi ) = ti ] ≥ P r[∀i : CBCg (Xi ) = ti | Coll]. P r[Coll]

(8)
= 2−nq . P r[Coll] ≥ (1 − δ). 2−nq

This proves claim 8.2.

3-6
7. We now show that the smoothness implies Theorem 8.1. For distinct X1 , . . . , Xq ∈
({0, 1}n )∗ and arbitrary t1 , . . . , tq ∈ {0, 1}n , we have
q
X
CBCg (.) n
P r[D (1 ) = 1] = P r[∀i : CBCg (Xi ) = ti ]
i=1
q
X
≥ (1 − δ). P r[∀i : f (Xi ) = ti ]
i=1
= (1 − δ). P r[Df (.) (1n ) = 1]

This implies that

|P r[Df (.) (1n ) = 1] − P r[DCBCg (.) (1n ) = 1]| ≤ δ. P r[Df (.) (1n ) = 1] ≤ δ.

This proves our Theorem 8.1.

3-7