Comments to NIST concerning AES Modes of Operations: A Suggestion for Handling Arbitrary-Length Messages with the CBC MAC

The CBC MAC is the customary way to make a message authentication code (MAC) from a block cipher. It is the subject of several standards, including [1, 5, 6]. It is well-known and well-understood. Given all this, it seems likely that the CBC MAC will be standardized as an AES mode of operation. In this note we suggest a nice version of the CBC MAC that one might select for this purpose. We recall that the CBC MAC actually comes in a number of different versions. These versions differ in details involving padding (what to do when a message is not a non-zero multiple of the block length), length-variability (how to properly authenticate messages that come in a variety of lengths), and key-search strengthening (making the mode more secure against key-search attacks). Our CBC MAC variant is described in [4], where it is called XCBC. Let us now review this MAC’s definition, as well as the definition for the basic CBC MAC.