Why is RMAC resistant to birthday attacks?
Greg Rose
ggr at qualcomm.com
Tue Oct 22 19:01:39 EDT 2002
At 03:05 PM 10/22/2002 -0400, Wei Dai wrote:
>Call the Jan 21 document x, and the Sept 30 document y. Now Bob knows
>MAC_Alice(x | z) = MAC_Alice(y | z) for all z, because the internal states
>of the MAC after processing x and y are the same and therefore will remain
>equal given identical suffixes. So he can get a MAC on x | z and
>it's also a valid MAC for y | z, which Alice didn't sign. This applies
>for CBC-MAC, DMAC, HMAC, and any another MAC that is not randomized or
>maintains state (for example a counter) from message to message.
A nit... this isn't *quite* true for HMAC; the collision could have been in
the outer hash function evaluation, not the inner. I haven't yet looked at
RMAC and don't know what DMAC is, so I can't comment on them.
Still, the attack gives a 50% chance of forging an HMAC, so it's a valid
attack.
Greg.
Greg Rose INTERNET: ggr at qualcomm.com
Qualcomm Australia VOICE: +61-2-9817 4188 FAX: +61-2-9817 5199
Level 3, 230 Victoria Road, http://people.qualcomm.com/ggr/
Gladesville NSW 2111 232B EC8F 44C6 C853 D68F E107 E6BF CD2F 1081 A37C
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com
More information about the cryptography
mailing list