AES-GMAC as a hash
Hal Finney
hal at finney.org
Mon Aug 31 13:19:32 EDT 2009
Darren J Moffat <Darren.Moffat at Sun.COM> asks:
> Ignoring performance for now what is the consensus on the suitabilty of
> using AES-GMAC not as MAC but as a hash ?
>
> Would it be safe ?
>
> The "key" input to AES-GMAC would be something well known to the data
> and/or software.
No, I don't think this would work. In general, giving a MAC a fixed key
cannot be expected to produce a good hash. With AES-GMAC in particular,
it is unusual in that it has a third input (besides key and data to MAC),
an IV, which makes your well-known-key strategy problematic. And even as a
MAC, it is very important that a given key/IV pair never be reused. Fixing
a value for the key and perhaps IV would defeat this provision.
But even ignoring all that, GMAC amounts to a linear combination of
the text blocks - they are the coefficients of a polynomial. The reason
you can get away with it in GMAC is because the polynomial variable is
secret, it is based on the key. So you don't know how things are being
combined. But with a known key and IV, there would be no security at all.
It would be linear like a CRC.
Hal Finney
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list