Why is RMAC resistant to birthday attacks?
Victor.Duchovni at morganstanley.com
Victor.Duchovni at morganstanley.com
Mon Oct 21 22:39:12 EDT 2002
The RMAC FIPS draft does not appear to explicitly state when RMAC is
useful. What is the scenario in which (presumably unlike some other keyed
MAC algorithms) RMAC is resistant to birthday attacks? More broadly for an
arbitrary keyed MAC (in a plausible application!) how does the birthday
attack come into play?
With unkeyed message digests encrypted by a public key, the attacks are
clear, Alice sends Bob message A, Bob agrees to message A, and signs it.
Later Alice claims that Bob signed message B. The birthday paradox
helps Alice because she can generate lots of minor variants of each
message, generate ~sqrt(2^n) hashes of each and have a good shot at
finding a collision.
With keyed MACs Alice and Bob share the same secretkeys, either can
freely generate messages with correct MAC values, so the MAC cannot be
used as evidence to a third party that Alice is the signer of the
message.
In this case the attacker is clearly not either Alice or Bob. So Eve wants
to convince Bob that a message really is from Alice. What does Eve do?
Does Eve somehow entice Alice to send ~sqrt(2^n) messages to Bob? How does
the birthday attack come into play when the attacker cannot independently
test potential collisions?
Please pardon the naive question, I just want to understand the premises
of the problem to which RMAC is a solution.
--
Viktor.
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com
More information about the cryptography
mailing list