AES-GMAC as a hash
Matt Ball
matt.ball at ieee.org
Tue Sep 1 12:37:24 EDT 2009
On Thu, Aug 27, 2009 at 8:45 AM, Darren J Moffat wrote:
>
> Ignoring performance for now what is the consensus on the suitabilty of using AES-GMAC not as MAC but as a hash ?
>
> Would it be safe ?
>
> The "key" input to AES-GMAC would be something well known to the data and/or software.
>
> The only reason I'm asking is assuming it can be made to perform on some classes of machine better than or close to SHA256 if it would be worth considering as an available alternate now until SHA-3 is choosen.
In the 2005 Security in Storage Workshop (see
http://ieeeia.org/sisw/2005/), David McGrew proposed using GMAC to
protect large dynamic data sets, such a random access memory (RAM)
(see http://ieeeia.org/sisw/2005/PreProceedings/10.pdf). The general
idea is to use the linear characteristics of GMAC to dynamically
update the MAC when updating a memory address. If your use-case is
similar to this approach, then it would be possible to securely use
GMAC.
However, there are many caveats when using GMAC, so it's vitally
important to understand all the constraints.
Cheers,
Matt Ball, Chair, IEEE P1619 Security in Storage Working Group
Staff Engineer, Sun Microsystems, Inc.
500 Eldorado Blvd, Bldg #5 BRM05-212, Broomfield, CO 80021
Work: 303-272-7580, Cell: 303-717-2717
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list