Abstract: We present an improved bound on the advantage of any q-query adversary at distinguishing between the CBC MAC over a random n-bit permutation and a random function outputting n bits. The result assumes that no message queried is a prefix of any other, as is the case when all messages to be MACed have the same length. We go on to give an improved analysis of the encrypted CBC MAC, where there is no restriction on queried messages. Letting L be the block length of the longest query, our bounds are about Lq2/2n for the basic CBC MAC and Lo(1)q2/2n for the encrypted CBC MAC, improving prior bounds of L2q2/2n. The new bounds translate into improved guarantees on the probability of forging these MACs.
Ref: An extended abstract of this paper appeared in Advances in Cryptology - Crypto 2005 Proceedings, Lecture Notes in Computer Science Vol. 3621, V. Shoup ed, Springer-Verlag, 2005.
Full paper: Available as compressed postscript, postscript, or pdf. ( Help if this doesn't work).