Why is RMAC resistant to birthday attacks?

Victor.Duchovni at morganstanley.com Victor.Duchovni at morganstanley.com
Tue Oct 22 10:15:46 EDT 2002

On Mon, 21 Oct 2002, Aram Perez wrote:

> Victor.Duchovni at morganstanley.com wrote:
> While you are correct in the general case, I have worked on a system where
> Alice could only generate MACs and Bob could only verify MACs. The hardware
> was designed so that Alice could not verify MACs and Bob could not generate
> MACs even though they shared the same key (that was only known to the
> hardware).

This is interesting, but it does not help me to understand what threat
model is addressed RMAC, or more generally how do birthday attacks play
out against (shared secret) keyed MAC algorithms. The details of the RMAC
algorithm itselft are not at issue here, I want to understand the problem
so I can use the solution under the right conditions.


The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com

More information about the cryptography mailing list