Why is RMAC resistant to birthday attacks?
Ed Gerck
egerck at nma.com
Tue Oct 22 18:06:28 EDT 2002
Sidney Markowitz wrote:
> Victor.Duchovni at morganstanley.com
> > I want to understand the assumptions (threat models) behind the
> > work factor estimates. Does the above look right?
>
> I just realized something about the salt in the RMAC algorithm, although it
> may have been obvious to everyone else:
>
> RMAC is equivalent to a HMAC hash-based MAC algorithm, but using a block
> cipher.
No -- these are all independent things. One can build an RMAC wih SHA-1.
An RMAC does not have to use an HMAC scheme. One can also have an
HMAC hash-based MAC algorithm using a block cipher, that is not an RMAC.
> The paper states that it is for use instead of HMAC iin circumstances
> where for some reason it is easier to use a block cipher than a cryptographic
> hash.
That's is not the reason it was devised. The reason is to prevent a birthday attack
for 2^(t/2) tries on a MAC using a t-bit key. Needless to say, it also makes harder
to try a brute force attack.
Cheers,
Ed Gerck
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com
More information about the cryptography
mailing list