[11900] in cryptography@c2.net mail archive
Re: Why is RMAC resistant to birthday attacks?
daemon@ATHENA.MIT.EDU (Sidney Markowitz)
Tue Oct 22 17:19:40 2002
From: "Sidney Markowitz" <sidney@sidney.com>
To: <Victor.Duchovni@morganstanley.com>, "Ed Gerck" <egerck@nma.com>
Cc: "Cryptography" <cryptography@wasabisystems.com>
Date: Tue, 22 Oct 2002 13:52:18 -0700
Victor.Duchovni@morganstanley.com
> I want to understand the assumptions (threat models) behind the
> work factor estimates. Does the above look right?
I just realized something about the salt in the RMAC algorithm, although it
may have been obvious to everyone else:
RMAC is equivalent to a HMAC hash-based MAC algorithm, but using a block
cipher. The paper states that it is for use instead of HMAC iin circumstances
where for some reason it is easier to use a block cipher than a cryptographic
hash.
The security of HMAC against attacks based on collisions is measured as a
function of the bit length of the hash. Using a block cipher in CBC mode makes
it in effect a b bit hash, where b is the block length of the cipher. In many
cases the block length of a cipher being 64 or 128 bits will be too small by
itself. Hence the need to add r bits from the salt and the need to write up
explicitly how RMAC handles collision based attacks and how the salt affects
that.
-- sidney
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@wasabisystems.com
