A tight bound for EMAC

We prove a new upper bound on the advantage of any adversary for distinguishing the encrypted CBC-MAC (EMAC) based on random permutations from a random function. Our proof uses techniques recently introduced in [BPR05], which again were inspired by [DGH+04]. The bound we prove is tight - in the sense that it matches the advantage of known attacks up to a constant factor - for a wide range of the parameters: let n denote the block-size, q the number of queries the adversary is allowed to make and f an upper bound on the length (i.e. number of blocks) of the messages, then for l <= 2(n/8) and q >= l(2) the advantage is in the order of q(2)/2(n) (and in particular independent of l). This improves on the previous bound of q(2)l(Theta(1/ln In l))/2(n) from [BPR05] and matches the trivial attack (which thus is basically optimal) where one simply asks random queries until a collision is found.