The security of the cipher block chaining message authentication code

Let F be some block cipher (eg, DES) with block length l. The cipher block chaining message authentication code (CBC MAC) specifies that an m-block message x-x(1) ...x(m) be authenticated among parties who share a secret kev a for the block cipher by tagging x with a prefix of y(m), where y(o) = 0' and y(i) = F-a(m(i) + y(i-l)) for i = l, 2, ..., m. This method is a pervasively used international and U.S. standard. We provide its first formal justification, showing the following general lemma: cipher block chaining a pseudorandom function yields a pseudorandom function. Underlying our results is a technical lemma of independent interest, bounding the success probability of a computationally unbounded adversary in distinguishing between a random ml-bit to l-bit function and the CBC MAC of a random l-bit to l-bit function. (C) 2000 Academic Press.