Why is RMAC resistant to birthday attacks?

Sidney Markowitz sidney at sidney.com
Tue Oct 22 15:33:07 EDT 2002

Ed Gerck" <egerck at nma.com>
> It does to (as you can read in the paper). BTW, the "easily" applies to the
> WITHOUT salt

Well, to be really pedantic the paper never says that it is "easy" only that
it has a work factor of the square root of the number of possible MAC strings
without salt, and that adding the salt multiplies that by the square root of
the possible number of salt values. That attack scenario certainly doesn't
look easy to me :-). And as long as I'm being pedantic I'll point out my own
mistake in my last message of using 'k' as the variable for block size (MAC
length) instead of 'b' as in the paper.

 -- sidney

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com

More information about the cryptography mailing list