Consider the problem of finding two keys K1 and K2, such that for two distinct plaintexts P1 and P2, AES-CMAC(K1, P1) = AES-CMAC(K2, P2).

Is this problem any easier than brute-forcing? If so, how much easier?

Edit: plaintexts P1 and P2 are inputs to the problem and therefore they are fixed. We need to find the keys given the pair of inputs.

  • What would you count as "brute-forcing"? Would that cover the generic collision-search attack with cost $\mathcal O\left(2^{|T|/2}\right)$, where $|T|$ is the width of the tag $T$ (noted Tlen in NIST SP 800-38B), which applies generically to any MAC? – fgrieu Jan 19 '24 at 17:26
  • 1
    It's usually not desirable to edit your question in a way that invalidates an existing answer. If you discover that you asked the wrong question, it's often better to take that as a sign to be more careful to state the question precisely from the start in the future, and ask a new question with the correct formulation. – D.W. Jan 20 '24 at 03:13

1 Answer

If so, how much easier?

Much easier. If you know the key, it is trivial to craft a message that CMACs to any specific value.

Here's one approach: the output of CMAC (assuming that the last block $M$ is full) is:

$$AES_k( PrevState \oplus k_1 \oplus M )$$

where $PrevState$ is the 16 byte state resulting from the previous message blocks, and $k_1$ is the tweak applied to the last message block (for full last message blocks).

So, the attacker arbitrarily selects the previous message blocks; given that he knows the key, he can compute $PrevState$ and $k_1$. So, to get a target output $T$, he just computes

$$M = AES_k^{-1}( T ) \oplus PrevState \oplus k_1$$

and that's the last message block.

To generate a collision, he can pick an arbitrary output block $T$ and generate two messages using the above mechanism.

If the two messages $P_1, P_2$ are fixed, then it is more difficult (although still computationally feasible, by the current definition of 'feasible').

You're stuck with doing a straightforward birthday attack (as AES doesn't have any internal weaknesses you can exploit). In essence, you do:

  • Select $2^{64}$ values of $k_1$, and compute the values $CMAC_{k_1}( P_1 )$

  • Select $2^{64}$ values of $k_2$, and compute the values $CMAC_{k_2}( P_2 )$

Search the two lists for a collision.

If you don't want to take up $O(2^{64})$ memory, there are ways to optimize this that drastically reduce the memory and increase the processing by a small constant factor.

Still, we're talking about circa $2^{65}$ CMAC computations; feasible if you have a large budget, but not so much for an average hacker with a laptop...

poncho