[11899] in cryptography@c2.net mail archive
Re: Why is RMAC resistant to birthday attacks?
daemon@ATHENA.MIT.EDU (Wei Dai)
Tue Oct 22 16:35:02 2002
Date: Tue, 22 Oct 2002 16:21:54 -0400
From: Wei Dai <weidai@weidai.com>
To: Ed Gerck <egerck@nma.com>
Cc: bear <bear@sonic.net>, Victor.Duchovni@morganstanley.com,
Cryptography <cryptography@wasabisystems.com>
In-Reply-To: <3DB5A7A3.AA92B775@nma.com>
On Tue, Oct 22, 2002 at 12:31:47PM -0700, Ed Gerck wrote:
> My earlier comment to bear applies here as well -- this attack can be avoided
> if only a subset of the MAC tag is used
I can't seem to find your earlier comment. It probably hasn't gone through
the mailing list yet.
I don't see how the attack is avoided if only a substring of the MAC tag
is used. (I assume you mean substring above instead of subset.) The
attacker just needs to find messages x and y such that the truncated MAC
tags of x|0, x|1, ..., x|n, matches those of y|0, y|1, ..., y|n, and this
will tell him that there is an internal collision between x and y. n only
has to be large enough so that the total length of the truncated MAC tags
is greater than the size of the internal state of the MAC.
> OR if the message to be hashed has
> a fixed length defined by the issuer. Only one of these conditions are needed.
No I don't think that works either. The attacker can try to find messages
x and y such that MAC(x|0^n) = MAC(y|0^n) (where 0^n denotes enough zeros
to pad the messages up to the fixed length). Then there is a good
chance that the internal collision occured before the 0's and so
MAC(x|z) = MAC(y|z) for all z of length n.
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@wasabisystems.com
