Reference: Advances in Cryptology - CRYPTO '05. Lecture Notes in Computer Science, vol. 3621. Springer-Verlag, pp. 527-541, 2005.
Abstract:
We present an improved bound on the advantage of any q-query adversary at distinguishing
between the CBC MAC over a random n-bit permutation and a random function outputting n
bits. The result assumes that no message queried is a prefix of any other, as is the case when
all messages to be MACed have the same length. We go on to give an improved analysis of
the encrypted CBC MAC, where there is no restriction on queried messages. Letting \ell be the
block length of the longest query, our bounds are about \ell q^2/2^n for the basic CBC MAC and
\ell^{o(1)} q^2/2^n for the encrypted CBC MAC, improving prior bounds of \ell^2 q^2 / 2^n.
The new bounds translate into improved guarantees on the probability of forging these MACs.
Rogaway's home page.