Almost universal forgery attacks on AES-based MAC’s

Orr Dunkelman, Nathan Keller, Adi Shamir

Research output: Contribution to journalArticlepeer-review


A message authentication code (MAC) computes for each (arbitrarily long) message $$m$$m and key k a short authentication tag which is hard to forge when k is unknown. One of the most popular ways to process m in such a scheme is to use some variant of AES in CBC mode, and to derive the tag from the final ciphertext block. In this paper, we analyze the security of several proposals of this type, and show that they are vulnerable to a new type of attack which we call almost universal forgery, in which it is easy to generate the correct tag of any given message if the attacker is allowed to change a single block in it.

Original languageEnglish
Pages (from-to)431-449
Number of pages19
JournalDesigns, Codes, and Cryptography
Issue number3
StatePublished - 6 Sep 2015

Bibliographical note

Publisher Copyright:
© 2014, Springer Science+Business Media New York.


  • Almost Universal Forgery
  • Message authentication codes
  • Pelican

ASJC Scopus subject areas

  • Theoretical Computer Science
  • Computer Science Applications
  • Discrete Mathematics and Combinatorics
  • Applied Mathematics


Dive into the research topics of 'Almost universal forgery attacks on AES-based MAC’s'. Together they form a unique fingerprint.

Cite this