Why is RMAC resistant to birthday attacks?
Sidney Markowitz
sidney at sidney.com
Tue Oct 22 16:52:18 EDT 2002
Victor.Duchovni at morganstanley.com
> I want to understand the assumptions (threat models) behind the
> work factor estimates. Does the above look right?
I just realized something about the salt in the RMAC algorithm, although it
may have been obvious to everyone else:
RMAC is equivalent to a HMAC hash-based MAC algorithm, but using a block
cipher. The paper states that it is for use instead of HMAC iin circumstances
where for some reason it is easier to use a block cipher than a cryptographic
hash.
The security of HMAC against attacks based on collisions is measured as a
function of the bit length of the hash. Using a block cipher in CBC mode makes
it in effect a b bit hash, where b is the block length of the cipher. In many
cases the block length of a cipher being 64 or 128 bits will be too small by
itself. Hence the need to add r bits from the salt and the need to write up
explicitly how RMAC handles collision based attacks and how the salt affects
that.
-- sidney
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com
More information about the cryptography
mailing list