Published online by Cambridge University Press: 06 November 2012
A Message Authentication Code (MAC) is a function that takes a message and a key asparameters and outputs an authentication of the message. MAC are used to guarantee thelegitimacy of messages exchanged through a network, since generating a correctauthentication requires the knowledge of the key defined secretly by trusted parties.However, an attacker with access to a sufficiently large number of message/authenticationpairs may use a brute force algorithm to infer the secret key: from a set containinginitially all possible key candidates, subsequently remove those that yield an incorrectauthentication, proceeding this way for each intercepted message/authentication pair untila single key remains. In this paper, we determine an exact formula for the expected numberof message/authentication pairs that must be used before such form of attack issuccessful, along with an asymptotical bound that is both simple and tight. We conclude byillustrating a modern application where this bound comes in handy, namely the estimationof security levels in reflection-based verification of software integrity.