Abstract
A message authentication code (MAC) computes for each (arbitrarily long) message m and key k a short authentication tag which is hard to forge when k is unknown. One of the most popular ways to process m in such a scheme is to use some variant of AES in CBC mode, and to derive the tag from the final ciphertext block. In this paper, we analyze the security of several proposals of this type, and show that they are vulnerable to a new type of attack which we call almost universal forgery, in which it is easy to generate the correct tag of any given message if the attacker is allowed to change a single block in it.
Original language | American English |
---|---|
Pages (from-to) | 431-449 |
Number of pages | 19 |
Journal | Designs, Codes, and Cryptography |
Volume | 76 |
Issue number | 3 |
State | Published - 6 Sep 2015 |
Keywords
- ALRED
- Almost Universal Forgery
- Message authentication codes
- Pelican
All Science Journal Classification (ASJC) codes
- Theoretical Computer Science
- Computer Science Applications
- Discrete Mathematics and Combinatorics
- Applied Mathematics