Why is RMAC resistant to birthday attacks?

Sidney Markowitz sidney at sidney.com
Tue Oct 22 16:52:18 EDT 2002

Victor.Duchovni at morganstanley.com
> I want to understand the assumptions (threat models) behind the
> work factor estimates. Does the above look right?

I just realized something about the salt in the RMAC algorithm, although it
may have been obvious to everyone else:

RMAC is equivalent to a HMAC hash-based MAC algorithm, but using a block
cipher. The paper states that it is for use instead of HMAC in circumstances
where for some reason it is easier to use a block cipher than a cryptographic

The security of HMAC against attacks based on collisions is measured as a
function of the bit length of the hash. Using a block cipher in CBC mode makes
it in effect a b bit hash, where b is the block length of the cipher. In many
cases the block length of a cipher being 64 or 128 bits will be too small by
itself. Hence the need to add r bits from the salt and the need to write up
explicitly how RMAC handles collision based attacks and how the salt affects
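
Added example, not part of the original post or of the RMAC paper: a small simulation of the point above, counting MAC queries until two distinct messages share the same (salt, tag) pair, with and without an r-bit salt. It assumes a toy 16-bit Feistel cipher built from SHA-256 so the birthday bound is reachable in seconds, and a simplified RMAC-style final step (encrypt the CBC chaining value under K2 xor salt); all function names are hypothetical.

```python
import hashlib
import random

BLOCK_BITS = 16  # toy block length b; real ciphers use 64 or 128

def toy_encrypt(key: int, block: int) -> int:
    """4-round Feistel permutation on 16 bits (illustrative, not a real cipher)."""
    left, right = block >> 8, block & 0xFF
    for rnd in range(4):
        digest = hashlib.sha256(b"%d:%d:%d" % (key, rnd, right)).digest()
        left, right = right, left ^ digest[0]
    return (left << 8) | right

def cbc_state(k1: int, blocks) -> int:
    """Plain CBC-MAC chaining value over fixed-length messages."""
    state = 0
    for blk in blocks:
        state = toy_encrypt(k1, state ^ blk)
    return state

def rmac_tag(k1: int, k2: int, salt: int, blocks) -> int:
    """RMAC-style finish: re-encrypt the chaining value under K2 xor salt."""
    return toy_encrypt(k2 ^ salt, cbc_state(k1, blocks))

def queries_until_collision(salt_bits: int, rng: random.Random) -> int:
    """Count MAC queries until two distinct messages share (salt, tag)."""
    k1, k2 = rng.getrandbits(64), rng.getrandbits(64)
    seen = {}
    n = 0
    while True:
        blocks = tuple(rng.getrandbits(BLOCK_BITS) for _ in range(3))
        salt = rng.getrandbits(salt_bits) if salt_bits else 0
        pair = (salt, rmac_tag(k1, k2, salt, blocks))
        n += 1
        if pair in seen and seen[pair] != blocks:
            return n
        seen[pair] = blocks

def mean_queries(salt_bits: int, trials: int = 8, seed: int = 1) -> float:
    """Average query count over several seeded trials."""
    rng = random.Random(seed)
    return sum(queries_until_collision(salt_bits, rng) for _ in range(trials)) / trials

if __name__ == "__main__":
    for r in (0, 4, 8):
        print(f"b={BLOCK_BITS} r={r}: ~{mean_queries(r):.0f} queries, "
              f"2^((b+r)/2) = {2 ** ((BLOCK_BITS + r) / 2):.0f}")
```

With r = 0 the count sits near 2^(b/2); each extra salt bit multiplies it by roughly sqrt(2), because a collision in the b-bit chaining value only shows up in the output when the two queries also drew the same salt.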

