comparing RMAC to AES+CBC-MAC or XCBC (Re: Why is RMAC resistant to birthday attacks?)

Adam Back adam at cypherspace.org
Thu Oct 24 16:00:19 EDT 2002


On Thu, Oct 24, 2002 at 02:08:11AM -0700, Sidney Markowitz wrote:
> [...] XCBC should be inherently resistant to extension forgery
> attacks. The attack requires that the MAC have the property that
> MAC(x) == MAC(y) implies that MAC(x||z) == MAC(y||z). In the case of
> XCBC, because of the padding and the use of K2 and K3 that would
> only be true when x and y are the same length or both have lengths
> that are multiples of the cipher block size.

The pre-conditions you give are a little over-restrictive, but yes,
there are limitations due to the structure of XCBC.  However, provided
the pre-conditions are met, and they don't seem that implausible to
occur, the extension forgery attacks are possible, so I wouldn't say
RMAC is inherently resistant to extension forgery.

> I agree with your conclusion [...]
> 
> In the case of RMAC, if the parameter sets were chosen to make the
> work factors comparable on the two attacks, I think it is making the
> mistake of comparing apples and oranges: In the exhaustive key
> search attack, the attacker captures one message and the work
> factor is multiplied times the time it takes to try a key on their
> own computers. In the extension forgery attack the work factor is
> multiplied by the time between captured messages. The latter is
> somewhat under the control of the person who is using RMAC. There is
> no reason to require that they have similar work factors if the
> scale is much different.

Yes.  Perhaps I/someone should submit my comment to them before the
deadline.  If RMAC parameter sets were interpreted strictly they would
be quite inconvenient and inflexible for the protocol designer.

Adam
--
http://www.cypherspace.net/

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com
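
The property quoted in the message above, MAC(x) == MAC(y) implies MAC(x||z) == MAC(y||z), checked on a toy XCBC as an added example that is not part of the original message. A 16-bit Feistel permutation stands in for the block cipher, and the keys, messages and suffixes are all constructed; the script compares colliding pairs of the same length class with a full-block/short pair.

```python
import hashlib

BLOCK = 2  # toy 16-bit block so tag collisions show up after a few hundred messages

def encrypt_block(key: bytes, block: int) -> int:
    """Toy 4-round Feistel permutation on 16 bits (stand-in for a real block cipher)."""
    left, right = block >> 8, block & 0xFF
    for rnd in range(4):
        f = hashlib.sha256(key + bytes([rnd, right])).digest()[0]
        left, right = right, left ^ f
    return (left << 8) | right

def xcbc_mac(k1: bytes, k2: int, k3: int, msg: bytes) -> int:
    """XCBC: a full final block is masked with K2; a short one is 10*-padded, masked with K3."""
    if msg and len(msg) % BLOCK == 0:
        mask = k2
    else:
        msg += b"\x80" + b"\x00" * (-(len(msg) + 1) % BLOCK)
        mask = k3
    blocks = [int.from_bytes(msg[i:i + BLOCK], "big") for i in range(0, len(msg), BLOCK)]
    state = 0
    for b in blocks[:-1]:
        state = encrypt_block(k1, state ^ b)
    return encrypt_block(k1, state ^ blocks[-1] ^ mask)

def find_collision(keys, len_a: int, len_b: int, tries: int = 4096):
    """Birthday search over constructed pseudo-random messages for MAC(x) == MAC(y)."""
    def rand(i, n):
        return hashlib.sha256(i.to_bytes(4, "big")).digest()[:n]
    seen = {xcbc_mac(*keys, rand(i, len_a)): rand(i, len_a) for i in range(tries)}
    for i in range(tries, 2 * tries):
        y = rand(i, len_b)
        x = seen.get(xcbc_mac(*keys, y))
        if x is not None and x != y:
            return x, y
    raise RuntimeError("no collision found")

def matching_extensions(keys, x: bytes, y: bytes, suffixes) -> int:
    """Count suffixes z for which MAC(x||z) == MAC(y||z)."""
    return sum(xcbc_mac(*keys, x + z) == xcbc_mac(*keys, y + z) for z in suffixes)

KEYS = (b"constructed-k1", 0x1234, 0xBEEF)           # constructed test keys K1, K2, K3
SUFFIXES = [bytes([i, 255 - i]) for i in range(32)]  # constructed two-byte suffixes z

if __name__ == "__main__":
    # (4, 4): both full-block; (3, 3): same short length; (4, 3): mixed length classes
    for len_a, len_b in [(4, 4), (3, 3), (4, 3)]:
        x, y = find_collision(KEYS, len_a, len_b)
        print(len_a, len_b, matching_extensions(KEYS, x, y, SUFFIXES), "of", len(SUFFIXES))
```

For same-class pairs K2 or K3 cancels out of the tag equality, so a tag collision is also a collision in the CBC chaining state and every suffix preserves it; in the mixed pair the two masks differ and the block boundaries shift, so the equality does not carry over.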


