Why is RMAC resistant to birthday attacks?

Greg Rose ggr at qualcomm.com
Tue Oct 22 19:01:39 EDT 2002


At 03:05 PM 10/22/2002 -0400, Wei Dai wrote:
>Call the Jan 21 document x, and the Sept 30 document y. Now Bob knows
>MAC_Alice(x | z) = MAC_Alice(y | z) for all z, because the internal states
>of the MAC after processing x and y are the same and therefore will remain
>equal given identical suffixes. So he can get a MAC on x | z and
>it's also a valid MAC for y | z, which Alice didn't sign.  This applies
>for CBC-MAC, DMAC, HMAC, and any another MAC that is not randomized or
>maintains state (for example a counter) from message to message.

A nit... this isn't *quite* true for HMAC; the collision could have been in 
the outer hash function evaluation, not the inner. I haven't yet looked at 
RMAC and don't know what DMAC is, so I can't comment on them.

Still, the attack gives a 50% chance of forging an HMAC, so it's a valid 
attack.

Greg.

Greg Rose                                       INTERNET: ggr at qualcomm.com
Qualcomm Australia          VOICE:  +61-2-9817 4188   FAX: +61-2-9817 5199
Level 3, 230 Victoria Road,                http://people.qualcomm.com/ggr/
Gladesville NSW 2111    232B EC8F 44C6 C853 D68F  E107 E6BF CD2F 1081 A37C


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com



More information about the cryptography mailing list