A cryptanalysis is given of a MAC proposal presented at CRYPTO 2003 by Cary and Venkatesan. A nice feature of the CaryVenkatesan MAC is that a lower bound on its security can be proved when a certain block cipher is modelled as an ideal cipher. Our attacks find collisions for the MAC and yield MAC forgeries, both faster than a straightforward application of the birthday paradox would suggest. For the suggested parameter sizes (where the MAC is 128 bits long) we give a method to find collisions using about 248.5 MAC queries, and to forge MACs using about 255 MAC queries. We emphasise that our results do not contradict the lower bounds on security proved by Cary and Venkatesan. Rather, they establish an upper bound on the MAC’s security that is substantially lower than one would expect for a 128-bit MAC.
Simon R. Blackburn, Kenneth G. Paterson