Why is RMAC resistant to birthday attacks?

Aram Perez aram at pacbell.net
Tue Oct 22 01:34:40 EDT 2002

Victor.Duchovni at morganstanley.com wrote:

> With keyed MACs Alice and Bob share the same secretkeys, either can
> freely generate messages with correct MAC values, so the MAC cannot be
> used as evidence to a third party that Alice is the signer of the
> message.

While you are correct in the general case, I have worked on a system where
Alice could only generate MACs and Bob could only verify MACs. The hardware
was designed so that Alice could not verify MACs and Bob could not generate
MACs even though they shared the same key (that was only known to the

Aram Perez


The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com

More information about the cryptography mailing list