initialization-vector cbc-mac semantic-security: Updated Sat, 16 Jul 2022 18:13:29 GMT

Is the tag generated in MAC equal for equal messages in CBC-MAC?

The Cipher Block Chaining algorithm for generating message authentication codes uses a 0 IV . So my understanding is that same messages will generate same MACs which seems to violate semantic security. An attacker may deduce that 2 messages are same by looking at the MAC. Is my intuition correct?

Solution

First of all, you seem to be talking about semantic security for a cipher. So I'll answer from that perspective. There is no security requirement for a MAC to be indistinguishable for identical messages after all.

So, from that perspective, your intuition is correct. However, generally we perform encrypt-then-MAC, and in that case the IV should be included as well. As the IV should be at least unique and the ciphertext should be randomized, we should not get the same MAC even for the same messages.

The semantic security issue only becomes an issue if you perform a "Encrypt-and-MAC". Quoted from the answer above:

May reveal information about the plaintext in the MAC. Theoretical, of course, but a less than ideal scenario. This occurs if the plaintext messages are repeated, and the MACed data does not include a counter (it does in the SSH 2 protocol, but only as a 32-bit counter, so you should take care to re-key before it overflows).

In AEAD ciphers sometimes a slightly different method is used: GMAC is over the plaintext message, but it is dependent on the nonce, which should of course be unique for each message.

External Links

External links referenced by this document:

References

https://crypto.stackexchange.com/questions/95483