Why is RMAC resistant to birthday attacks?
Sidney Markowitz
sidney at sidney.com
Tue Oct 22 15:33:07 EDT 2002
Ed Gerck" <egerck at nma.com>
> It does to (as you can read in the paper). BTW, the "easily" applies to the
case
> WITHOUT salt
Well, to be really pedantic the paper never says that it is "easy" only that
it has a work factor of the square root of the number of possible MAC strings
without salt, and that adding the salt multiplies that by the square root of
the possible number of salt values. That attack scenario certainly doesn't
look easy to me :-). And as long as I'm being pedantic I'll point out my own
mistake in my last message of using 'k' as the variable for block size (MAC
length) instead of 'b' as in the paper.
-- sidney
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com
More information about the cryptography
mailing list