CBC MAC for real-time data sources (Q1573769)

Let \(X=\{x_1,x_2,\ldots,x_m\}\) be a message that needs to be authenticated amongst parties that share a common key \(a\). A popular method for achieving this is the Cipher Block Chaining Message Authentication Code (CBC MAC), where the following data is added to the message: \[ f_{a}^{(m)} = f_a(f_a(\ldots f_a(f_a(x_1)\oplus x_2)\ldots)\oplus x_m). \] Here \(f_a\) denotes a block cipher with key \(a\). CBC MAC for messages of fixed length was proven secure by \textit{M. Bellare, J. Kilian} and \textit{P. Rogaway} [Advances in cryptology - CRYPTO '94, Lect. Notes Comput. Sci. 839, 341-358 (1994; Zbl 0939.94554)]. CBC MAC for variable length messages is known to be insecure. The two main results of the current paper are the following. Firstly, encrypted CBC MAC is proven secure for variable length messages. Encrypted CBC MAC is a variant of CBC MAC where the block cipher \(f\) is applied one extra time on the result of CBC MAC, with a key different from the one used in CBC MAC. Secondly, CBC MAC is proven secure when applied to prefix free messages. This second result is a simple extension of the work by Bellare et al. cited above.