OMAC: One-Key CBC MAC

Transcription

1 OMAC: One-Key CBC MAC etsu Iwata and Kaoru Kurosawa Department of Computer and Information Sciences, Ibaraki University Nakanarusawa, Hitachi, Ibaraki , Japan {iwata, kurosawa}@cis.ibaraki.ac.jp March 10, 003 Abstract. In this paper, we present One-key CBC MAC (OMAC) and prove its security for arbitrary length messages. OMAC takes only one key, K (k bits) of a block cipher E. Previously, XCBC requires three keys, (k +n) bits in total, and MAC requires two keys, (k + n) bits in total, where n denotes the block length of E. he saving of the key length makes the security proof of OMAC substantially harder than those of XCBC and MAC. Key words: CBC MAC, block cipher, provable security 1 Introduction 1.1 Background he CBC MAC [6, 7] is a well-known method to generate a message authentication code (MAC) based on a block cipher. Bellare, Kilian, and Rogaway proved the security of the CBC MAC for fixed message length mn bits, where n is the block length of the underlying block cipher E [1]. However, it is well known that the CBC MAC is not secure unless the message length is fixed. herefore, several variants of CBC MAC have been proposed for variable length messages. First Encrypted MAC (EMAC) was proposed. It is obtained by encrypting the CBC MAC value by E again with a new key K. hat is, EMAC K1,K (M) =E K (CBC K1 (M)), where M is a message, K 1 is the key of the CBC MAC and CBC K1 (M) isthe CBC MAC value of M []. Petrank and Rackoff then proved that EMAC is secure if the message length is a positive multiple of n [11] (Vaudenay showed another proof by using decorrelation theory [14]). Note that, however, EMAC requires two key schedulings of the underlying block cipher E. Next Black and Rogaway proposed XCBC which requires only one key scheduling of the underlying block cipher E [3]. XCBC takes three keys: one block cipher key K 1, and two n-bit keys K and K 3. XCBC is described as follows (see Fig. 1).

2 K 1 M[1] M[] M[3] M[1] M[] M[3] 10 }{{ i } K K3 E K 1 E K 1 E K 1 E K 1 E K 1 E Fig. 1. Illustration of XCBC. able 1. Comparison of key length. XCBC [3] MAC [9] OMAC (his paper) key length (k +n) bits (k + n) bits k bits If M = mn for some m>0, then XCBC computes exactly the same as the CBC MAC, except for XORing an n-bit key K before encrypting the last block. Otherwise, 10 i padding (i = n 1 M mod n) is appended to M and XCBC computes exactly the same as the CBC MAC for the padded message, except for XORing another n-bit key K 3 before encrypting the last block. However, drawback of XCBC is that it requires three keys, (k +n) bits in total. Finally Kurosawa and Iwata proposed wo-key CBC MAC (MAC) [9]. MAC takes two keys, (k + n) bits in total: a block cipher key K 1 and an n-bit key K. MAC is obtained from XCBC by replacing (K,K 3 ) with (K u,k ), where u is some non-zero constant and denotes multiplication in GF( n ). 1. Our Contribution In this paper, we present One-key CBC MAC (OMAC) and prove its security for arbitrary length messages. OMAC takes only one key, K of a block cipher E. he key length, k bits, is the minimum because the underlying block cipher must have a k-bit key K anyway. See able 1 for a comparison with XCBC and MAC (See Appendix A for a detailed comparison). OMAC is a generic name for OMAC1 and OMAC. OMAC1 is obtained from XCBC by replacing (K,K 3 ) with (L u,l u ) for some non-zero constant u in GF( n ), where L is given by L = E K (0 n ). OMAC is similarly obtained by using (L u,l u 1 ). We can compute L u, L u 1 and L u =(L u) u efficiently by one shift and one conditional XOR from L, L and L u, respectively. OMAC1 (resp. OMAC) is described as follows (see Fig. ).

3 M[1] M[] M[3] M[1] M[] M[3] 10 }{{ i } L u L u K E K E K E K E K E K E Fig.. Illustration of OMAC1. Note that L = E K(0 n ). OMAC is obtained by replacing L u with L u 1 in the right figure. If M = mn for some m>0, then OMAC computes exactly the same as the CBC MAC, except for XORing L u before encrypting the last block. Otherwise, 10 i padding (i = n 1 M mod n) is appended to M and OMAC computes exactly the same as the CBC MAC for the padded message, except for XORing L u (resp. L u 1 ) before encrypting the last block. Note that in MAC, K is a part of the key while in OMAC, L is not a part of the key and is generated from K. his saving of the key length makes the security proof of OMAC substantially harder than that of MAC, as shown below. In Fig., suppose that M[1] = 0 n. hen the output of the first E K is L. he same L always appears again at the last block. In general, such reuse of L would get one into trouble in the security proof. (In OCB mode [13] and PMAC [5], L = E K (0 n ) is also used as a key of a universal hash function. However, L appears as an output of some internal block cipher only with negligible probability.) Nevertheless we prove that OMAC is as secure as XCBC, where the security analysis is in the concrete-security paradigm [1]. Further OMAC has all other nice properties which XCBC (and MAC) has. hat is, the domain of OMAC is {0, 1}, it requires one key scheduling of the underlying block cipher E and max{1, M /n } block cipher invocations. 1.3 Other Related Work Jaulmes, Joux and Valette proposed RMAC [8] which is an extension of EMAC. RMAC encrypts the CBC MAC value with K R, where R is an n-bit random string and it is a part of the tag. hat is, RMAC K1,K (M) =(E K R(CBC K1 (M)),R). hey showed that the security of RMAC is beyond the birthday paradox limit. (XCBC, MAC and OMAC are secure up to the birthday paradox limit.) 3

4 Preliminaries.1 Notation We use similar notation as in [13, 5]. For a set A, x R A means that x is chosen from A uniformly at random. If a, b {0, 1} are equal-length strings then a b is their bitwise XOR. If a, b {0, 1} are strings then a b denote their concatenation. For simplicity, we sometimes write ab for a b if there is no confusion. For an n-bit string a = a n 1 a 1 a 0 {0, 1} n, let a < 1=a n a 1 a 0 0 denote the n-bit string which is a left shift of a by 1 bit, while a > 1 = 0a n 1 a a 1 denote the n-bit string which is a right shift of a by 1 bit. If a {0, 1} is a string then a denotes its length in bits. For any bit string a {0, 1} such that a n, we let pad n (a) = { a10 n a 1 if a <n, a if a = n. (1) Define a n = max{1, a /n }, where the empty string counts as one block. In pseudocode, we write Partition M into M[1] M[m] as shorthand for Let m = M n, and let M[1],...,M[m] be bit strings such that M[1] M[m] =M and M[i] = n for 1 i<m.. CBC MAC he block cipher E is a function E : K E {0, 1} n {0, 1} n, where each E(K, ) =E K ( ) is a permutation on {0, 1} n, K E is the set of possible keys and n is the block length. he CBC MAC [6, 7] is the simplest and most well-known algorithm to make a MAC from a block cipher E. Let M = M[1] M[] M[m] be a message string, where M[1] = M[] = = M[m] = n. hen CBC K (M), the CBC MAC of M under key K, is defined as Y [m], where Y [i] =E K (M[i] Y [i 1]) for i =1,...,mand Y [0]=0 n. Bellare, Kilian and Rogaway proved the security of the CBC MAC for fixed message length mn bits [1]..3 he Field with n Points We interchangeably think of a point a in GF( n ) in any of the following ways: (1) as an abstract point in a field; () as an n-bit string a n 1 a 1 a 0 {0, 1} n ; (3) as a formal polynomial a(u) =a n 1 u n 1 + +a 1 u+a 0 with binary coefficients. o add two points in GF( n ), take their bitwise XOR. We denote this operation by a b. o multiply two points, fix some irreducible polynomial f(u) having binary coefficients and degree n. o be concrete, choose the lexicographically first polynomial among the irreducible degree n polynomials having a minimum number 4

5 of coefficients. We list some indicated polynomials (See [10, Chapter 10] for other polynomials). f(u) =u 64 + u 4 + u 3 + u + 1 for n = 64, f(u) =u 18 + u 7 + u + u + 1 for n = 18, and f(u) =u 56 + u 10 + u 5 + u + 1 for n = 56. o multiply two points a GF( n ) and b GF( n ), regard a and b as polynomials a(u) =a n 1 u n a 1 u + a 0 and b(u) =b n 1 u n b 1 u + b 0, form their product c(u) where one adds and multiplies coefficients in GF(), and take the remainder when dividing c(u) byf(u). Note that it is particularly easy to multiply a point a {0, 1} n by u. For example, if n = 18, { a < 1 if a17 =0, a u = (a < 1) 0 10 () otherwise. Also, note that it is easy to divide a point a {0, 1} n by u, meaning that one multiplies a by the multiplicative inverse of u in the field: a u 1. For example, if n = 18, { a > 1 if a u 1 a0 =0, = (a > 1) (3) otherwise. 3 Basic Construction In this section, we show a basic construction of OMAC-family. OMAC-family is defined by a block cipher E : K E {0, 1} n {0, 1} n,an n-bit constant Cst, a universal hash function H : {0, 1} n X {0, 1} n, and two distinct constants Cst 1, Cst X, where X is the finite domain of H. H, Cst 1 and Cst must satisfy the following conditions while Cst is arbitrary. We write H L ( ) for H(L, ). 1. For any y {0, 1} n, the number of L {0, 1} n such that H L (Cst 1 )=y is at most ɛ 1 n for some sufficiently small ɛ 1.. For any y {0, 1} n, the number of L {0, 1} n such that H L (Cst )=y is at most ɛ n for some sufficiently small ɛ. 3. For any y {0, 1} n, the number of L {0, 1} n such that H L (Cst 1 ) H L (Cst )=y is at most ɛ 3 n for some sufficiently small ɛ For any y {0, 1} n, the number of L {0, 1} n such that H L (Cst 1 ) L = y is at most ɛ 4 n for some sufficiently small ɛ For any y {0, 1} n, the number of L {0, 1} n such that H L (Cst ) L = y is at most ɛ 5 n for some sufficiently small ɛ For any y {0, 1} n, the number of L {0, 1} n such that H L (Cst 1 ) H L (Cst ) L = y is at most ɛ 6 n for some sufficiently small ɛ 6. Remark 3.1. Property 1 and says that H L (Cst 1 ) and H L (Cst ) are almost uniformly distributed. Property 3 is satisfied by AXU (almost XOR universal) hash functions [1]. Property 4, 5, 6 are new requirements introduced here. 5

6 Algorithm OMAC-family K (M) L E K(Cst) Y [0] 0 n Partition M into M[1] M[m] for i 1 to m 1 do X[i] M[i] Y [i 1] Y [i] E K(X[i]) X[m] pad n (M[m]) Y [m 1] if M[m] = n then X[m] X[m] H L(Cst 1) else X[m] X[m] H L(Cst ) E K(X[m]) return M[1] M[] M[3] K E K E K E Fig. 3. Definition of OMAC-family. HL(Cst 1) M[1] M[] M[3] 10 }{{ i } HL(Cst ) K E K E K E Fig. 4. Illustration of OMAC-family. he algorithm of OMAC-family is described in Fig. 3 and illustrated in Fig. 4, where pad n ( ) is defined in (1). he key space K of OMAC-family is K = K E. It takes a key K K E and a message M {0, 1}, and returns a string in {0, 1} n. 4 Proposed Specification In this section, we present two specifications of OMAC-family: OMAC1 and OMAC. We use OMAC as a generic name for OMAC1 and OMAC. In OMAC1 we let Cst =0 n, H L (x) =L x, Cst 1 = u and Cst = u, where denotes multiplication over GF( n ). Equivalently, L = E K (0 n ), H L (Cst 1 )=L u and H L (Cst )=L u. OMAC is the same as OMAC1 except for Cst = u 1 instead of Cst = u. Equivalently, L = E K (0 n ), H L (Cst 1 )=L u and H L (Cst )=L u 1. Note that L u, L u 1 and L u =(L u) u can be computed efficiently by one shift and one conditional XOR from L, L and L u, respectively as shown in () and (3). It is easy to see that the conditions in Sec. 3 are satisfied for ɛ 1 = = ɛ 6 = n in OMAC1 and OMAC. OMAC1 and OMAC are described in Fig. 5 and illustrated in Fig.. 6

7 Algorithm OMAC1 K(M) Algorithm OMAC K(M) L E K(0 n ) L E K(0 n ) Y [0] 0 n Y [0] 0 n Partition M into M[1] M[m] Partition M into M[1] M[m] for i 1 to m 1 do for i 1 to m 1 do X[i] M[i] Y [i 1] X[i] M[i] Y [i 1] Y [i] E K(X[i]) Y [i] E K(X[i]) X[m] pad n (M[m]) Y [m 1] X[m] pad n (M[m]) Y [m 1] if M[m] = n if M[m] = n then X[m] X[m] L u then X[m] X[m] L u else X[m] X[m] L u else X[m] X[m] L u 1 E K(X[m]) E K(X[m]) return return Fig. 5. Description of OMAC1 and OMAC. 5 Security of OMAC-Family 5.1 Security Definitions Let Perm(n) denote the set of all permutations on {0, 1} n. We say that P is a random permutation if P is randomly chosen from Perm(n). he security of a block cipher E can be quantified as Adv prp E (t, q), the maximum advantage that an adversary A can obtain when trying to distinguish E K ( ) (with a randomly chosen key K) from a random permutation P ( ), when allowed computation time t and q queries to an oracle (which is either E K ( ) or P ( )). his advantage is defined as follows. Adv prp def E (A) = Pr(K K R E : A EK( ) =1) Pr(P R Perm(n) :A P ( ) =1) Adv prp def E (t, q) = max {Advprp E (A)} A We say that a block cipher E is secure if Adv prp E (t, q) is sufficiently small. Similarly, a MAC algorithm is a map F : K F {0, 1} {0, 1} n, where K F is a set of keys and we write F K ( ) for F (K, ). We say that an adversary A FK( ) forges if A outputs (M,F K (M)) where A never queried M to its oracle F K ( ). hen we define the advantage as Adv mac def F (A) =Pr(K K R F : A FK ( ) forges) Adv mac F (t, q, µ) def = max {Advmac F (A)} A where the maximum is over all adversaries who run in time at most t, make at most q queries, and each query is at most µ bits. We say that a MAC algorithm is secure if Adv mac F (t, q, µ) is sufficiently small. Let Rand(,n) denote the set of all functions from {0, 1} to {0, 1} n. his set is given a probability measure by asserting that a random element R of 7

8 Rand(,n) associates to each string M {0, 1} a random string R(M) {0, 1} n. hen we define the advantage as Adv viprf def F (A) = Pr(K K R F : A FK( ) =1) Pr(R R Rand(,n):A R( ) =1) { } Adv viprf def F (t, q, µ) = max Adv viprf F (A) A where the maximum is over all adversaries who run in time at most t, make at most q queries, and each query is at most µ bits. We say that a MAC algorithm is pseudorandom if Adv viprf F (t, q, µ) is sufficiently small (viprf stands for Variablelength Input PseudoRandom Function). Without loss of generality, adversaries are assumed to never ask a query outside the domain of the oracle, and to never repeat a query. 5. heorem Statements We first prove that OMAC-family is pseudorandom if the underlying block cipher is a random permutation P (information-theoretic result). his proof is much harder than the previous works because of the reuse of L as explained Sec. 1.. Lemma 5.1 (Main Lemma for OMAC-family). Suppose that H, Cst 1 and Cst satisfy the conditions in Sec. 3 for some sufficiently small ɛ 1,...,ɛ 6, and let Cst be an arbitrarily n-bit constant. Suppose that a random permutation P Perm(n) is used in OMAC-family as the underlying block cipher. Let A be an adversary which asks at most q queries, and each query is at most nm bits (m is the maximum number of blocks in each query). Assume m n /4. hen Pr(P R Perm(n) :A OMAC-family P ( ) =1) ( Pr(R R Rand(,n):A R( ) =1) q 7m ) + (4) n +3m ɛ, where ɛ = max{ɛ 1,...,ɛ 6 }. A proof is given in the next section. he following results hold for both OMAC1 and OMAC. First, we obtain the following lemma by substituting ɛ = n in Lemma 5.1. Lemma 5. (Main Lemma for OMAC). Suppose that a random permutation P Perm(n) is used in OMAC as the underlying block cipher. Let A be an adversary which asks at most q queries, and each query is at most nm bits. Assume m n /4. hen Pr(P R Perm(n) :A OMAC P ( ) =1) Pr(R R Rand(,n):A R( ) =1) (5m +1)q n. 8

9 We next show that OMAC is pseudorandom if the underlying block cipher E is secure. It is standard to pass to this complexity-theoretic result from Lemma 5.. (For example, see [1, Section 3.] for the proof technique. In [1, Section 3.], it is shown that a complexity-theoretic advantage of the CBC MAC is obtained from its information-theoretic advantage.) Corollary 5.1. Let E : K E {0, 1} n {0, 1} n be the underlying block cipher used in OMAC. hen Adv viprf OMAC (t, q, nm) (5m +1)q n + Adv prp E (t,q ), where t = t + O(mq) and q = mq +1. Finally we show that OMAC is secure as a MAC algorithm from Corollary 5.1 in the usual way. (For example, see [1, Proposition.7] for the proof technique. In [1, Proposition.7], it is shown that pseudorandom functions are secure MACs.) heorem 5.1. Let E : K E {0, 1} n {0, 1} n be the underlying block cipher used in OMAC. hen Adv mac OMAC (t, q, nm) (5m +1)q +1 n + Adv prp E (t,q ), where t = t + O(mq) and q = mq Proof of Main Lemma for OMAC-family Let H, Cst 1 and Cst satisfy the conditions in Sec. 3 for some sufficiently small ɛ 1,...,ɛ 6, and Cst be an arbitrarily n-bit constant. For a random permutation P Perm(n) and a random n-bit string Rnd {0, 1} n, define Q 1 (x) def = P (x) Rnd, Q (x) def = P (x Rnd) Rnd, Q 3 (x) def = P (x Rnd H L (Cst 1 )), Q 4 (x) def = P (x Rnd H L (Cst )), Q 5 (x) def = P (x H L (Cst 1 )) and Q 6 (x) def = P (x H L (Cst )), where L = P (Cst). See Fig. 6 for illustrations. We first show that Q 1 ( ), Q ( ), Q 3 ( ), Q 4 ( ), Q 5 ( ), Q 6 ( ) are indistinguishable from a pair of six independent random permutations P 1 ( ), P ( ), P 3 ( ), P 4 ( ), P 5 ( ), P 6 ( ). Lemma 5.3. Let A be an adversary which asks at most q queries in total. hen Pr(P R Perm(n); Rnd {0, R 1} n : A Q1( ),...,Q6( ) =1) ( ) R Pr(P 1,...,P 6 Perm(n) :A P 1( ),...,P 6( ) =1) 3q 1 n + ɛ, where ɛ = max{ɛ 1,...,ɛ 6 }. (5) 9

10 x x x x x x P Rnd Q 1(x) Rnd P Rnd Q (x) Rnd H L(Cst 1) P Q 3(x) Rnd H L(Cst ) P Q 4(x) HL(Cst 1) P Q 5(x) HL(Cst ) P Q 6(x) Fig. 6. Illustrations of Q 1, Q Q 3, Q 4, Q 5 and Q 6. Note that L = P (Cst). A proof is given in Appendix B. Next we define MOMAC (Modified OMAC). It uses six independent random permutations P 1,P,P 3,P 4,P 5,P 6 Perm(n). he algorithm MOMAC P1,...,P 6 ( ) is described in Fig. 7 and illustrated in Fig. 8 and Fig. 9. We prove that MOMAC is pseudorandom. Lemma 5.4. Let A be an adversary which asks at most q queries, and each query is at most nm bits. Assume m n /4. hen R Pr(P 1,...,P 6 Perm(n) :A MOMAC P1,...,P ( ) 6 =1) Pr(R R Rand(,n):A R( ) =1) (m +1)q n. A proof is given in Appendix C. he next lemma shows that OMAC-family P ( ) and MOMAC P1,...,P 6 ( ) are indistinguishable. Lemma 5.5. Let A be an adversary which asks at most q queries, and each query is at most nm bits. Assume m n /4. hen Pr(P R Perm(n) :A OMAC-family P ( ) =1) R Pr(P 1,...,P 6 Perm(n) :A MOMAC P1,...,P ( ) 6 =1) 3m q Proof. Suppose that there exists an adversary A such that Pr(P R Perm(n) :A OMAC-family P ( ) =1) R Pr(P 1,...,P 6 Perm(n) :A MOMAC P1,...,P ( ) 6 =1) > 3m q By using A, we show a construction of an adversary B A such that: B A asks at most mq queries, and Pr(P R Perm(n) :B Q1( ),...,Q6( ) A =1) R P Pr(P 1,...,P 6 Perm(n) :B 1( ),...,P 6( ) A =1) > 3m q 10 ( ) 1 n + ɛ ( ) 1 n + ɛ ( ) 1 n + ɛ,..

11 Algorithm MOMAC P1,P,P 3,P 4,P 5,P 6 (M) Partition M into M[1] M[m] if m then X[1] M[1] Y [1] P 1(X[1]) for i to m 1 do X[i] M[i] Y [i 1] Y [i] P (X[i]) X[m] pad n (M[m]) Y [m 1] if M[m] = n then P 3(X[m]) else P 4(X[m]) if m =1then X[m] pad n (M[m]) if M[m] = n then P 5(X[m]) else P 6(X[m]) return Fig. 7. Definition of MOMAC. M[1] M[] M[3] P 1 P P 3 M[1] M[] M[3] 10 }{{ i } P 1 P P 4 Fig. 8. Illustration of MOMAC for M >n. M P 5 M 10 }{{ i } P 6 Fig. 9. Illustration of MOMAC for M n. which contradicts Lemma 5.3. Let O 1 ( ),...,O 6 ( ) be B A s oracles. he construction of B A is given in Fig. 10. When A asks M (r), then B A computes (r) = MOMAC O1,...,O 6 (M (r) )asif the underlying random permutations are O 1,...,O 6, and returns (r). When A halts and outputs b, then B A outputs b. Now we see that: B A asks at most mq queries to its oracles, since A asks at most q queries, and each query is at most nm bits. Pr(P 1,...,P 6 R Perm(n) :B P 1( ),...,P 6( ) A =1) =Pr(P 1,...,P 6 R Perm(n) :A MOMAC P1,...,P 6 ( ) = 1), 11

12 Algorithm B O 1,...,O 6 A 1: When A asks its r-th query M (r) : : (r) MOMAC O1,...,O 6 (M (r) ) 3: return (r) 4: When A halts and outputs b: 5: output b Fig. 10. Algorithm B A. Note that for 1 i 6, O i is either P i or Q i M[1] M[] Rnd P P Rnd Rnd M[3] Rnd HL(Cst 1) P Rnd M[1] M[] Rnd P P Rnd Fig. 11. Computation of B A when O i = Q i for 1 i 6, and M >n. M[3] 10 }{{ i } Rnd HL(Cst ) P M M 10 }{{ i } HL(Cst 1) HL(Cst ) P P Fig. 1. Computation of B A when O i = Q i for 1 i 6, and M n. since B A gives A a perfect simulation of MOMAC P1,...,P 6 ( ) ifo i ( ) =P i ( ) for 1 i 6. Pr(P R Perm(n) :B Q1( ),...,Q6( ) A =1) =Pr(P R Perm(n) :A OMACP ( ) = 1), since B A gives A a perfect simulation of OMAC P ( ) ifo i ( ) =Q i ( ) for 1 i 6. See Fig. 11 and Fig. 1. Note that Rnd is canceled in Fig. 11. his concludes the proof of the lemma. We finally give a proof of Main Lemma for OMAC-family. Proof (of Lemma 5.1). By the triangle inequality, the left hand side of (4) is at most R Pr(P 1,...,P 6 Perm(n) :A MOMAC P1,...,P ( ) 6 =1) Pr(R R Rand(,n):A R( ) (6) =1) + Pr(P R Perm(n) :A OMAC-family P ( ) =1) R Pr(P 1,...,P 6 Perm(n) :A MOMAC P1,...,P ( ) 6 =1). (7) 1

13 Lemma 5.4 gives us an upper bound on (6) and Lemma 5.5 gives us an upper bound on (7). herefore the bound follows since (m +1)q n + 3m q ( ) ( 1 n + ɛ = q 7m ) + n +3m ɛ. his concludes the proof of the lemma. Acknowledgement he authors would like to thank Phillip Rogaway of UC Davis for useful comments. References 1. M. Bellare, J. Kilian, and P. Rogaway. he security of the cipher block chaining message authentication code. JCSS, vol. 61, no. 3, 000. Earlier version in Advances in Cryptology CRYPO 94, LNCS 839, pp , Springer-Verlag, A. Berendschot, B. den Boer, J. P. Boly, A. Bosselaers, J. Brandt, D. Chaum, I. Damgård, M. Dichtl, W. Fumy, M. van der Ham, C. J. A. Jansen, P. Landrock, B. Preneel, G. Roelofsen, P. de Rooij, and J. Vandewalle. Final Report of RACE Integrity Primitives. LNCS 1007, Springer-Verlag, J. Black and P. Rogaway. CBC MACs for arbitrary-length messages: he three key constructions. Advances in Cryptology CRYPO 000, LNCS 1880, pp , Springer-Verlag, J. Black and P. Rogaway. Comments to NIS concerning AES modes of operations: A suggestion for handling arbitrary-length messages with the CBC MAC. Second Modes of Operation Workshop. Available at 5. J. Black and P. Rogaway. A block-cipher mode of operation for parallelizable message authentication. Advances in Cryptology EUROCRYP 00, LNCS 33, pp , Springer-Verlag, FIPS 113. Computer data authentication. Federal Information Processing Standards Publication 113, U. S. Department of Commerce / National Bureau of Standards, National echnical Information Service, Springfield, Virginia, ISO/IEC Information technology security techniques data integrity mechanism using a cryptographic check function employing a block cipher algorithm. International Organization for Standards, Geneva, Switzerland, Second edition. 8. É. Jaulmes, A. Joux, and F. Valette. On the security of randomized CBC-MAC beyond the birthday paradox limit: A new construction. Fast Software Encryption, FSE 00, LNCS 365, pp , Springer-Verlag, 00. Full version is available at Cryptology eprint Archive, Report 001/074, 9. K. Kurosawa and. Iwata. MAC: wo-key CBC MAC. Cryptology eprint Archive, Report 00/09, o appear in Cryptographers rack RSA Conference 003, C-RSA

14 10. R. Lidl and H. Niederreiter. Introduction to finite fields and their applications, revised edition. Cambridge University Press, E. Petrank and C. Rackoff. CBC MAC for real-time data sources. J.Cryptology, vol. 13, no. 3, pp , Springer-Verlag, P. Rogaway. Bucket hashing and its application to fast message authentication. Advances in Cryptology CRYPO 95, LNCS 963, pp. 9 4, Springer-Verlag, P. Rogaway, M. Bellare, J. Black, and. Krovetz. OCB: a block-cipher mode of operation for efficient authenticated encryption. Proceedings of ACM Conference on Computer and Communications Security, ACM CCS 001, ACM, S. Vaudenay. Decorrelation over infinite domains: he encrypted CBC-MAC case. Communications in Information and Systems (CIS), vol. 1, pp , 001. Earlier version in Selected Areas in Cryptography, SAC 000, LNCS 01, pp , Springer-Verlag, 001. A Discussions A.1 Design Rationale Our choice for OMAC1 is Cst =0 n, H L (x) =L x, Cst 1 = u and Cst = u, where denotes multiplication over GF( n ). Similarly, our choice for OMAC is Cst =0 n, H L (x) =L x, Cst 1 = u and Cst = u 1. Below, we list reasons of this choice. One might try to use Cst 1 = 1 instead of Cst 1 = u. In this case, the fourth condition in Sec. 3 is not satisfied, and in fact, the scheme can be easily attacked. Similarly, if one uses Cst = 1 instead of Cst = u or Cst = u 1, the fifth condition in Sec. 3 is not satisfied, and the scheme can be easily attacked. herefore, we can not use 1 as a constant. For OMAC1, we adopted u and u as Cst 1 and Cst, since L u and L u = (L u) u can be computed efficiently by one left shift and one conditional XOR from L and L u, respectively, as shown in (). Note that this choice requires only a left shift. his would ease the implementation of OMAC1, especially in hardware. For OMAC, we adopted u 1 instead of u as Cst. It requires one right shift to compute L u 1 instead of one left shift to compute (L u) u. his would allow to compute both L u and L u 1 from L simultaneously if both left shift and right shift are available (for example, the underlying block cipher uses both shifts). A. On Standard Key Separation echnique For XCBC, assume that we want to use a single key K of E, where E is the AES. 14

15 hen the following key separation technique is suggested in [4]. Let K be a k-bit AES key. hen K 1 = the first k bits of AES K (C 1a ) AES K (C 1b ), K = AES K (C ), and K 3 = AES K (C 3 ) for some distinct constants C 1a, C 1b, C and C 3. We call it XCBC+kst (key separation technique). XCBC+kst uses one k-bit key. However, it requires additional one key scheduling of AES and additional 3 or 4 AES invocations during the pre-processing time. Similar discussion can be applied to MAC. For example, we can let { K1 = the first k bits of AES K (C 1a ) AES K (C 1b ), and K = AES K (C ) for some distinct constants C 1a, C 1b and C. We call it MAC+kst. We note that OMAC does not need such a key separation technique since its key length is k bits in its own form (without using any key separation technique). his saves storage space and pre-processing time compared to XCBC+kst and MAC+kst. A.3 Comparison Let E : {0, 1} k {0, 1} n {0, 1} n be a block cipher, and M {0, 1} be a message. We show an efficiency comparison of CBC MAC and its variants in able, where: ({0, 1} n ) + denotes the set of bit strings whose lengths are positive multiples of n. K len. denotes the key length. #K sche. denotes the number of block cipher key schedulings. For RMAC, it requires one block cipher key scheduling each time generating a tag. #M denotes the number messages which the sender has MACed. #E invo. denotes the number of block cipher invocations to generate a tag for a message M, assuming M > 0. #E pre. denotes the number of block cipher invocations during the preprocessing time. hese block cipher invocations can be done without the message. For XCBC+kst and MAC+kst, the block cipher is assumed to be the AES. Next, let E : {0, 1} k {0, 1} n {0, 1} n be the underlying block cipher used XCBC, MAC and OMAC. In able 3, we show a security comparison of XCBC, MAC and OMAC. We see that there is no significant difference among them. hey are equally secure up to the birthday paradox limit. 15

16 able. Efficiency comparison of CBC MAC and its variants. Name Domain K len. #K sche. #E invo. #E pre. CBC MAC ({0, 1} n ) m k 1 M /n 0 EMAC ({0, 1} n ) + k 1+ M /n 0 RMAC {0, 1} k 1+#M 1+ ( M +1)/n 0 XCBC {0, 1} k +n 1 M /n 0 MAC {0, 1} k + n 1 M /n 0 XCBC+kst {0, 1} k M /n 3or4 MAC+kst {0, 1} k M /n or3 OMAC {0, 1} k 1 M /n 1 able 3. Security comparison of XCBC, MAC and OMAC. Name Security Bound XCBC Adv mac XCBC(t, q, nm) (4m +1)q Adv prp n E (t,q ), [3, Corollary ] where t = t + O(mq) and q = mq. MAC Adv mac MAC(t, q, nm) (3m +1)q +1 + Adv prp n E (t,q ), [9, heorem 5.1] where t = t + O(mq) and q = mq. OMAC Adv mac OMAC(t, q, nm) (5m +1)q +1 + Adv prp n E (t,q ), [heorem 5.1] where t = t + O(mq) and q = mq +1. B Proof of Lemma 5.3 If A is a finite multiset then #A denotes the number of elements in A. Let {a,b,c,...} be a finite multiset of bit strings. hat is, a {0, 1},b {0, 1},c {0, 1},... hold. We say {a,b,c,...} are distinct if there exists no element occurs twice or more. Equivalently, {a,b,c,...} are distinct if any two elements in {a,b,c,...} are distinct. Before proving Lemma 5.3, we need the following lemma. Lemma B.1. Let q 1,q,q 3,q 4,q 5,q 6 be six non-negative integers. For 1 i 6, let x (1) i,...,x (qi) i be fixed n-bit strings such that {x (1) i,...,x (qi) i } are distinct. Similarly, for 1 i 6, let y (1) i,...,y (qi) i be fixed n-bit strings such that 6,...,y(q6) 6 } are dis- {y (1) 1,...,y(q1) 1 } {y (1),...,y(q) } are distinct, and {y (1) 3,...,y(q3) 3 } {y (1) 4,...,y(q4) 4 } {y (1) 5,...,y(q5) tinct. 5 } {y (1) 16

17 Let P Perm(n) and Rnd {0, 1} n. hen the number of (P, Rnd) which satisfies Q 1 (x (i) 1 )=y(i) 1 for 1 i q 1, Q (x (i) )=y(i) for 1 i q, Q 3 (x (i) 3 )=y(i) 3 for 1 i q 3, Q 4 (x (i) 4 )=y(i) 4 for 1 i q 4, Q 5 (x (i) 5 )=y(i) 5 for 1 i q 5 and Q 6 (x (i) 6 )=y(i) 6 for 1 i q 6 is at least ( n (q + q /) (1 + ɛ n )) ( n q)!, where q = q q 6 and ɛ = max{ɛ 1,...,ɛ 6 }. Proof. At the top level, we consider two cases: Cst {x (1) 1,...,x(q1) 1 } and Cst {x (1) 1,...,x(q1) 1 }. Case 1: Cst {x (1) 1,...,x(q1) 1 }. Let c be a unique integer such that 1 c q 1 and Cst = x (c) 1. Let l be an n-bit variable. First, observe that: #{l 1 i q 1, 1 j q,x (i) 1 = x (j) y (c) 1 l} q 1 q, #{l 1 i q 1, 1 j q 3,x (i) 1 = x (j) 3 y(c) 1 l H l (Cst 1 )} q 1 q 3 ɛ 4 n, #{l 1 i q 1, 1 j q 4,x (i) 1 = x (j) 4 y(c) 1 l H l (Cst )} q 1 q 4 ɛ 5 n, #{l 1 i q 1, 1 j q 5,x (i) 1 = x (j) 5 H l (Cst 1 )} q 1 q 5 ɛ 1 n, #{l 1 i q 1, 1 j q 6,x (i) 1 = x (j) 6 H l (Cst )} q 1 q 6 ɛ n, #{l 1 i q, 1 j q 3,x (i) = x (j) 3 H l (Cst 1 )} q q 3 ɛ 1 n, #{l 1 i q, 1 j q 4,x (i) = x (j) 4 H l (Cst )} q q 4 ɛ n, #{l 1 i q, 1 j q 5,x (i) y(c) 1 l = x (j) 5 H l(cst 1 )} q q 5 ɛ 4 n, #{l 1 i q, 1 j q 6,x (i) y(c) 1 l = x (j) 6 H l(cst )} q q 6 ɛ 5 n, #{l 1 i q 3, 1 j q 4,x (i) 3 H l(cst 1 )=x (j) 4 H l(cst )} q 3 q 4 ɛ 3 n, #{l 1 i q 3, 1 j q 5,x (i) 3 y(c) 1 l = x (j) 5 } q 3q 5, #{l 1 i q 3, 1 j q 6,x (i) 3 y(c) 1 l H l (Cst 1 )=x (j) 6 H l (Cst )} q 3 q 6 ɛ 6 n, #{l 1 i q 4, 1 j q 5,x (i) 4 y(c) 1 l H l (Cst )=x (j) 5 H l (Cst 1 )} q 4 q 5 ɛ 6 n, #{l 1 i q 4, 1 j q 6,x (i) 4 y(c) 1 l = x (j) 6 } q 4q 6, #{l 1 i q 5, 1 j q 6,x (i) 5 H l(cst 1 )=x (j) 6 H l(cst )} q 5 q 6 ɛ 3 n, #{l 1 i q 1, 1 j q 3,y (i) 1 y (c) 1 l = y (j) 3 } q 1q 3, #{l 1 i q 1, 1 j q 4,y (i) 1 y (c) 1 l = y (j) 4 } q 1q 4, #{l 1 i q 1, 1 j q 5,y (i) 1 y (c) 1 l = y (j) 5 } q 1q 5, #{l 1 i q 1, 1 j q 6,y (i) 1 y (c) 1 l = y (j) 6 } q 1q 6, #{l 1 i q, 1 j q 3,y (i) y (c) 1 l = y (j) 3 } q q 3, #{l 1 i q, 1 j q 4,y (i) y (c) 1 l = y (j) 4 } q q 4, 17 (8)

18 #{l 1 i q, 1 j q 5,y (i) y (c) 1 l = y (j) 5 } q q 5, and #{l 1 i q, 1 j q 6,y (i) y (c) 1 l = y (j) 6 } q q 6, from the conditions in Sec. 3. Wenowfixanyl which is not included in any of the above twenty-three sets. We have at least ( n (q 1 q +q 1 q 3 ɛ 4 n +q 1 q 4 ɛ 5 n +q 1 q 5 ɛ 1 n +q 1 q 6 ɛ n + q q 3 ɛ 1 n +q q 4 ɛ n +q q 5 ɛ 4 n +q q 6 ɛ 5 n +q 3 q 4 ɛ 3 n +q 3 q 5 +q 3 q 6 ɛ 6 n + q 4 q 5 ɛ 6 n +q 4 q 6 +q 5 q 6 ɛ 3 n +q 1 q 3 +q 1 q 4 +q 1 q 5 +q 1 q 6 +q q 3 +q q 4 +q q 5 +q q 6 )) ( n q ɛ n / q /) choice of such l. Now we let L l and Rnd l y (c) 1. hen we have: the inputs to P, {x (1) 1,...,x(q1) 1,x (1) Rnd,...,x (q) Rnd,x (1) 3 Rnd H L (Cst 1 ),...,x (q3) 3 Rnd H L (Cst 1 ),x (1) 4 Rnd H L(Cst ),...,x (q4) 4 Rnd H L (Cst ),x (1) 5 H L(Cst 1 ),...,x (q5) 5 H L (Cst 1 ),x (1) 6 H L(Cst ),...,x (q6) 6 H L (Cst )}, are distinct, and the corresponding outputs, {y (1) 1 Rnd,...,y (q1) 1 Rnd,y (1) Rnd,...,y (q) Rnd,y (1) 3,...,y(q3) 3,y (1) 4,...,y(q4) 4,y (1) 5,...,y(q5) 5,y (1) 6,...,y(q6) 6 }, are distinct. In other words, for P, the above q 1 + q + q 3 + q 4 + q 5 + q 6 input-output pairs are determined. he remaining n (q 1 +q +q 3 +q 4 +q 5 +q 6 ) input-output pairs are undetermined. herefore we have ( n (q 1 + q + q 3 + q 4 + q 5 + q 6 ))! = ( n q)! possible choice of P for any such fixed (L, Rnd). Case : Cst {x (1) 1,...,x(q1) 1 }. In this case, we count the number of Rnd and L independently. hen similar to Case 1, observe that: #{Rnd 1 i q, Cst = x (i) Rnd} q, #{Rnd 1 i q 1, 1 j q,x (i) 1 = x (j) #{Rnd 1 i q 3, 1 j q 5,x (i) 3 #{Rnd 1 i q 4, 1 j q 6,x (i) 4 Rnd} q 1 q, Rnd = x(j) 5 } q 3q 5, Rnd = x(j) 6 } q 4q 6, #{Rnd 1 i q 1, 1 j q 3,y (i) 1 Rnd = y (j) 3 } q 1q 3, #{Rnd 1 i q 1, 1 j q 4,y (i) 1 Rnd = y (j) 4 } q 1q 4, #{Rnd 1 i q 1, 1 j q 5,y (i) 1 Rnd = y (j) 5 } q 1q 5, #{Rnd 1 i q 1, 1 j q 6,y (i) 1 Rnd = y (j) 6 } q 1q 6, #{Rnd 1 i q, 1 j q 3,y (i) Rnd = y (j) 3 } q q 3, #{Rnd 1 i q, 1 j q 4,y (i) Rnd = y (j) 4 } q q 4, #{Rnd 1 i q, 1 j q 5,y (i) Rnd = y (j) 5 } q q 5, and #{Rnd 1 i q, 1 j q 6,y (i) Rnd = y (j) 6 } q q 6. We fix any Rnd which is not included in any of the above twelve sets. We have at least ( n (q + q 1 q + q 3 q 5 + q 4 q 6 + q 1 q 3 + q 1 q 4 + q 1 q 5 + q 1 q 6 + q q 3 + q q 4 + q q 5 + q q 6 )) ( n q q /) choice of such Rnd. Next we see that: 18

19 #{L 1 i q 3, Cst = x (i) 3 Rnd H L(Cst 1 )} q 3 ɛ 1 n, #{L 1 i q 4, Cst = x (i) 4 Rnd H L(Cst )} q 4 ɛ n, #{L 1 i q 5, Cst = x (i) 5 H L(Cst 1 )} q 5 ɛ 1 n, #{L 1 i q 6, Cst = x (i) 6 H L(Cst )} q 6 ɛ n, #{L 1 i q 1, 1 j q 3,x (i) 1 = x (j) 3 Rnd H L (Cst 1 )} q 1 q 3 ɛ 1 n, #{L 1 i q 1, 1 j q 4,x (i) 1 = x (j) 4 Rnd H L (Cst )} q 1 q 4 ɛ n, #{L 1 i q 1, 1 j q 5,x (i) 1 = x (j) 5 H L (Cst 1 )} q 1 q 5 ɛ 1 n, #{L 1 i q 1, 1 j q 6,x (i) 1 = x (j) 6 H L (Cst )} q 1 q 6 ɛ n, #{L 1 i q, 1 j q 3,x (i) = x (j) 3 H L (Cst 1 )} q q 3 ɛ 1 n, #{L 1 i q, 1 j q 4,x (i) = x (j) 4 H L (Cst )} q q 4 ɛ n, #{L 1 i q, 1 j q 5,x (i) Rnd = x(j) 5 H L (Cst 1 )} q q 5 ɛ 1 n, #{L 1 i q, 1 j q 6,x (i) Rnd = x(j) 6 H L (Cst )} q q 6 ɛ n, #{L 1 i q 3, 1 j q 4,x (i) 3 H L(Cst 1 )=x (j) 4 H L (Cst )} q 3 q 4 ɛ 3 n, #{L 1 i q 3, 1 j q 6,x (i) 3 Rnd H L(Cst 1 )=x (j) 6 H L (Cst )} q 3 q 6 ɛ 3 n, #{L 1 i q 4, 1 j q 5,x (i) 4 Rnd H L(Cst )=x (j) 5 H L (Cst 1 )} q 4 q 5 ɛ 3 n, #{L 1 i q 5, 1 j q 6,x (i) 5 H L(Cst 1 )=x (j) 6 H L (Cst )} q 5 q 6 ɛ 3 n, #{L 1 i q 1,L= y (i) 1 Rnd} q 1, #{L 1 i q,l= y (i) Rnd} q, #{L 1 i q 3,L= y (i) 3 } q 3, #{L 1 i q 4,L= y (i) 4 } q 4, #{L 1 i q 5,L= y (i) 5 } q 5, and #{L 1 i q 6,L= y (i) 6 } q 6, from the conditions in Sec. 3. WenowfixanyL which is not included in any of the above twenty-two sets. We have at least ( n (q 3 ɛ 1 n +q 4 ɛ n +q 5 ɛ 1 n +q 6 ɛ n +q 1 q 3 ɛ 1 n +q 1 q 4 ɛ n +q 1 q 5 ɛ 1 n +q 1 q 6 ɛ n +q q 3 ɛ 1 n +q q 4 ɛ n +q q 5 ɛ 1 n +q q 6 ɛ n +q 3 q 4 ɛ 3 n +q 3 q 6 ɛ 3 n +q 4 q 5 ɛ 3 n +q 5 q 6 ɛ 3 n +q 1 +q +q 3 +q 4 +q 5 +q 6 )) ( n q ɛ n q ɛ n / q) choice of such L. hen we have: the inputs to P, {Cst,x (1) 1,...,x(q1) 1,x (1) Rnd,...,x (q) Rnd,x (1) 3 Rnd H L (Cst 1 ),...,x (q3) 3 Rnd H L (Cst 1 ),x (1) 4 Rnd H L(Cst ),...,x (q4) 4 Rnd H L (Cst ),x (1) 5 H L(Cst 1 ),...,x (q5) 5 H L (Cst 1 ),x (1) 6 H L(Cst ),...,x (q6) 6 H L (Cst )}, are distinct, and the corresponding outputs, {L, y (1) 1 Rnd,...,y(q1) 1 Rnd,y (1) Rnd,...,y(q) Rnd,y (1) 3,...,y(q3) 3,y (1) 4,...,y(q4) 4,y (1) 5,...,y(q5) 5,y (1) 6,...,y(q6) 6 }, are distinct. 19

20 In other words, for P, the above 1 + q 1 + q + q 3 + q 4 + q 5 + q 6 input-output pairs are determined. he remaining n (1 + q 1 + q + q 3 + q 4 + q 5 + q 6 ) input-output pairs are undetermined. herefore we have ( n (1+q 1 +q +q 3 +q 4 +q 5 +q 6 ))! = ( n (1 + q))! possible choice of P for any such fixed (L, Rnd). Completing the Proof. In Case 1, we have at least ( n (q /) (1+ɛ n )) ( n q)! choice of (P, Rnd) which satisfies (8). In Case, we have at least ( n q q /) ( n q ɛ n q ɛ n / q) ( n (1 + q))! choice of (P, Rnd) which satisfies (8). his bound is at least ( n (q + q /) (1 + ɛ n )) ( n q)!. his concludes the proof of the lemma. We now prove Lemma 5.3. Proof (of Lemma 5.3). For 1 i 6, let O i be either Q i or P i. he adversary A has oracle access to O 1,...,O 6. Since A is computationally unbounded, there is no loss of generality to assume that A is deterministic. here are six types of queries A can make: (O j,x) which denotes the query what is O j (x)? For the i-th query A makes to O j, define the query-answer pair ) {0, 1}n {0, 1} n, where A s query was (O j,x (i) ) and the answer it (x (i) j,y(i) j j got was y (i) j. Suppose that we run A with oracles O 1,...,O 6. For this run, assume that A made q j queries to O j ( ), where q q 6 = q. For this run, we define view v of A as v def = (y (1) 1,...,y(q1) 1 ), (y (1),...,y(q) ), (y (1) 3,...,y(q3) 3 ), (y (1) 4,...,y(q4) 4 ), (y (1) 5,...,y(q5) 5 ), (y (1) 6,...,y(q6) 6 ). (9) For this view, we always have: For 1 j 6, {y (1) j,...,y (qj) } are distinct. We note that since A never repeats a query, for the corresponding queries, we have: For 1 j 6, {x (1) j,...,x (qj) j } are distinct. Since A is deterministic, the i-th query A makes is fully determined by the first i 1 query-answer pairs. his implies that if we fix some qn-bit string V and return the i-th n-bit block as the answer for the i-th query A makes (instead of the oracles), then A s queries are uniquely determined, q 1,...,q 6 are uniquely determined, the parsing of V into the format defined in (9) is uniquely determined, and the final output of A (0 or 1) is uniquely determined. j 0

21 Let V one be a set of all qn-bit strings V such that A outputs 1. We let def N one =#V one. Also, let V good be a set of all qn-bit strings V such that: For 1 i< j q, the i-th n-bit block of V the j-th n-bit block of V. Note that if V V good then the corresponding parsing v satisfies: 6,...,y(q6) 6 } are dis- {y (1) 1,...,y(q1) 1 } {y (1),...,y(q) } are distinct, and {y (1) 3,...,y(q3) 3 } {y (1) 4,...,y(q4) 4 } {y (1) 5,...,y(q5) tinct. 5 } {y (1) Now observe that the number of V which is not in the set V good is at most ( q ) qn n. herefore, we have #{V V (V one V good )} N one Evaluation of p rand. We first evaluate ( ) q qn n. (10) def R p rand =Pr(P 1,...,P 6 Perm(n) :A P 1( ),...,P 6( ) =1) = #{(P 1,...,P 6 ) A P1( ),...,P6( ) =1} {( n )!} 6. For each V V one, the number of (P 1,...,P 6 ) such that For 1 j 6, P j (x (i) j )=y(i) j for 1 i q j, (11) is exactly 1 j 6 (n q j )!, which is at most ( n q)! {( n )!} 5. herefore, we have p rand = V Vone ( n q)! ( n )! V Vone = N one (n q)! ( n )! Evaluation of p real. We next evaluate #{(P 1,...,P 6 ) (P 1,...,P 6 ) satisfying (11)} {( n )!} 6. def p real =Pr(P R Perm(n); Rnd {0, R 1} n : A Q1( ),...,Q6( ) =1) = #{(P, Rnd) AQ1( ),...,Q6( ) =1} ( n )! n. hen from Lemma B.1, we have 1

22 p real V (Vone V good ) V (Vone V good ) # {(P, Rnd) (P, Rnd) satisfying (8)} ( n )! n ( n q)! ( n )! ( 1 (q + q /) (1 + ɛ n ) ) n. Completing the Proof. From (10) we have p real ( N one ( p rand ( ) q qn n ( ) q qn ) (n q)! ( n )! n (n q)! ( n )! ( 1 (q + q /) (1 + ɛ n ) n ) ( 1 (q + q /) (1 + ɛ n ) n ) ). Since qn (n q)! ( n )! 1, we have p real ( p rand ) ( q(q 1) n 1 (q + q /) (1 + ɛ n ) ) n p rand (q + q)+(q +q) ɛ n ( ) n p rand 3q 1 n + ɛ. (1) Applying the same argument to 1 p real and 1 p rand yields that ( ) 1 p real 1 p rand 3q 1 n + ɛ. (13) Finally, (1) and (13) give p real p rand 3q ( 1 n + ɛ ). C Proof of Lemma 5.4 Let S and S be distinct bit strings such that S = sn for some s 1, and S = s n for some s 1. Define V n (S, S ) def R =Pr(P Perm(n) : CBCP (S) = CBC P (S )). hen the following proposition is known [3]. Proposition C.1 (Black and Rogaway [3]). Let S and S be distinct bit strings such that S = sn for some s 1, and S = s n for some s 1. Assume that s, s n /4. hen V n (S, S ) (s + s ) n.

23 Now let M and M be distinct bit strings such that M = mn for some m, and M = m n for some m. Define W n (M,M ) def R =Pr(P 1,...,P 6 Perm(n) : MOMAC P1,...,P 6 (M) = MOMAC P1,...,P 6 (M )). We note that P 5 and P 6 are irrelevant in the event MOMAC P1,...,P 6 (M) = MOMAC P1,...,P 6 (M ) since M and M are both longer than n bits. Also, P 4 is irrelevant in the above event since M and M are both multiples of n. Further, P 3 is irrelevant in the above event since it is invertible, and thus, there is a collision if and only if there is a collision at the input to the last encryption. We show the following lemma. Lemma C.1 (MOMAC Collision Bound). Let M and M be distinct bit strings such that M = mn for some m, and M = m n for some m. Assume that m, m n /4. hen W n (M,M ) (m + m ) n. Proof. Let M[1] M[m] and M [1] M [m ] be partitions of M and M respectively. We consider two cases: M[1] = M [1] and M[1] M [1]. Case 1: M[1] = M [1]. In this case, Let P 1 be any permutation in Perm(n), and let S (P 1 (M[1]) M[]) M[3] M[m] and S (P 1 (M [1]) M []) M [3] M [m ]. Observe that MOMAC P1,...,P 6 (M) = MOMAC P1,...,P 6 (M ) if and only if CBC P (S) = CBC P (S ), since we may ignore the last encryptions in CBC P (S) and CBC P (S ). herefore W n (M,M ) V n (S, S ) (m + m ) n. Case : M[1] M [1]. In this case, we split into two cases: P 1 (M[1]) M[] P 1 (M [1]) M [] and P 1 (M[1]) M[] = P 1 (M [1]) M []. he former event will occur with probability at most 1. he later one will occur with probability at most 1 n 1, which is at most n. hen it is not hard to see that W n (M,M ) 1 V n (S, S )+ (m + m ) n n + n (m + m ) n by applying the similar argument as in Case 1. Let m be an integer such that m n /4. We consider the following four sets. def D 1 = {M M {0, 1}, n< M mn and M is a multiple of n} def D = {M M {0, 1}, n< M mn and M is not a multiple of n} def D 3 = {M M {0, 1} and M = n} def D 4 = {M M {0, 1} and M <n} We next show the following lemma. 3

24 Lemma C.. Let q 1,q,q 3,q 4 be four non-negative integers. For 1 i 4, let M (1) i,...,m (qi) i be fixed bit strings such that M (j) i D i for 1 j q i and {M (1) i,...,m (qi) i } are distinct. Similarly, for 1 i 4, let (1) i,..., (qi) i be fixed n-bit strings such that { (1) i,..., (qi) i } are distinct. hen the number of P 1,...,P 6 Perm(n) such that MOMAC P1,...,P 6 (M (i) (i) 1 )= 1 for 1 i q 1, MOMAC P1,...,P 6 (M (i) (i) )= for 1 i q, MOMAC P1,...,P 6 (M (i) (i) (14) 3 )= 3 for 1 i q 3 and MOMAC P1,...,P 6 (M (i) (i) 4 )= 4 for 1 i q 4 ( ) is at least {( n )!} 6 1 q m 1 n, where q = q qn q 4. Proof. We first consider M (1) 1,...,M(q1) 1. he number of (P 1,P ) such that MOMAC P1,...,P 6 (M (i) 1 ) = MOMAC P 1,...,P 6 (M (j) 1 ) for 1 i< j q 1 is at most {( n )!} (q 1 4m ) from Lemma C.1. Note that P n 3,...,P 6 are irrelevant in the above event. We next consider M (1),...,M(q). he number of (P 1,P ) such that MOMAC P1,...,P 6 (M (i) ) = MOMAC P 1,...,P 6 (M (j) ) for 1 i< j q is at most {( n )!} (q ) 4m from Lemma C.1. n Now ( we fix any (P 1,P ) which is not like the above. We have at least {( n )!} 1 ( q 1 ) 4m ( q ) ) 4m n choice. n Now P 1 and P are fixed in such a way that the inputs to P 3 are distinct and the inputs to P 4 are distinct. Also, the corresponding outputs { (1) 3,..., (q3) 3 } are distinct, and { (1) 4,...,(q4) 4 } are distinct. We know that the inputs to P 5 are distinct, and the corresponding outputs { (1) 3,..., (q3) 3 } are distinct. Also, the inputs to P 6 are distinct, and and the corresponding outputs { (1) 4,..., (q4) 4 ) } n ( are distinct. herefore, we have at least {( n )!} 1 ( q 1 ) 4m ( q ) 4m n ( n q 1 )! ( n q )! ( n q 3 )! ( n q 4 )! choice of P 1,...,P 6 which satisfies (14). his bound is at least {( n )!} 6 ( 1 q m his concludes the proof of the lemma. We now prove Lemma 5.4. n ) 1 qn since ( n q i )! (n )! q i n. Proof (of Lemma 5.4). Let O be either MOMAC P1,...,P 6 or R. Since A is computationally unbounded, there is no loss of generality to assume that A is deterministic. Similar to the proof of Lemma 5.3, for the query A makes to the oracle O, define the query-answer pair (M (i) j, (i) j ) D j {0, 1} n, where A s i-th query in D j was M (i) j D j and the answer it got was (i) j {0, 1} n. 4

25 Suppose that we run A with the oracle. For this run, assume that A made q j queries in D j, where 1 j 4 and q q 4 = q. For this run, we define view v of A as v def = ( (1) 1,..., (q1) 1 ), ( (1),..., (q) ), ( (1) 3,..., (q3) 3 ), ( (1) 4,..., (q4) 4 ). (15) Since A is deterministic, the i-th query A makes is fully determined by the first i 1 query-answer pairs. his implies that if we fix some qn-bit string V and return the i-th n-bit block as the answer for the i-th query A makes (instead of the oracle), then A s queries are uniquely determined, q 1,...,q 4 are uniquely determined, the parsing of V into the format defined in (15) is uniquely determined, and the final output of A (0 or 1) is uniquely determined. Let V one be a set of all qn-bit strings V such that A outputs 1. We let def N one =#V one. Also, let V good be a set of all qn-bit strings V such that: For 1 i< j q, the i-th n-bit block of V the j-th n-bit block of V. Note that if V V good, then the corresponding parsing v of V satisfies that: { (1) 1,..., (q1) 1 } are distinct, { (1),...,(q) } are distinct, { (1) 3,..., (q3) 3 } are distinct and { (1) 4,..., (q4) 4 } are distinct. Now observe that the number of V which is not in the set V good is at most ( q ) qn. herefore, we have n ( ) q qn #{V V (V one V good )} N one n. (16) Evaluation of p rand. We first evaluate hen it is not hard to see p rand def =Pr(R R Rand(,n):A R( ) =1). p rand = V Vone Evaluation of p real. We next evaluate 1 qn = N one qn. def R p real =Pr(P 1,...,P 6 Perm(n) :A MOMAC P1,...,P ( ) 6 =1) = #{(P 1,...,P 6 ) A MOMACP 1,...,P 6 ( ) =1} {( n )!} 6. hen from Lemma C., we have 5

26 p real V (Vone V good ) V (Vone V good ) # {(P 1,...,P 6 ) (P 1,...,P 6 ) satisfying (14)} {( n )!} 6 (1 q m n ) 1 qn. Completing the Proof. From (16) we have ( ( ) ) q qn p real N one n (1 q m n ( ( ) ) q 1 = p rand n (1 q m n ( ) q 1 p rand n q m n ) 1 qn ) p rand q m + q n. (17) Applying the same argument to 1 p real and 1 p rand yields that 1 p real 1 p rand q m + q n. (18) Finally, (17) and (18) give p real p rand q m +q n. 6