Assume we are using HMAC-SHA-256 with 128-bit key for authenticating our messages, and an adversary has eavesdropped $n$ (message, tag) pairs.
If the adversary wants to forge a tag for a message $m'$, (I think) he has two options:
- Output a random number;
- Output one of the eavesdropped tags
I think the probability of success in the first option is $1^{-256}$. In the second option, the probability of success is $1^{-128}$ (birthday paradox).
Am I correct?
