[11915] in cryptography@c2.net mail archive


Re: Why is RMAC resistant to birthday attacks?

daemon@ATHENA.MIT.EDU (Ed Gerck)
Wed Oct 23 20:17:59 2002

Date: Wed, 23 Oct 2002 17:01:52 -0700
From: Ed Gerck <egerck@nma.com>
To: Wei Dai <weidai@weidai.com>
Cc: bear <bear@sonic.net>, Victor.Duchovni@morganstanley.com,
	Cryptography <cryptography@wasabisystems.com>


Wei Dai wrote:

> ...
> suppose that an attacker finds two messages X and Y such that MAC(X|0) =
> MAC(Y|0), MAC(X|1) = MAC(Y|1), up to MAC(X|n) = MAC(Y|n). There are two
> possibilities: either there is a collision in the internal state after
> processing X and Y, or the internal states are different and all those MAC
> tags match up through separate coincidences.
> ...

I think that there is a third (and dominating) possibility: this is a very bad MAC.
(A required property of MACs is providing a uniform distribution of values for a
change in any of the input bits, which makes the above sequence extremely
improbable)

BTW, references for using MAC subsets OR fixed-length messages to prevent
guessing the internal chaining value should be straightforward to find in the
literature.

Cheers,
Ed Gerck



---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@wasabisystems.com
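The two cases Wei Dai distinguishes above can be made concrete with a toy iterated MAC. The following is an added example written for this archive page, not code from any participant in the thread or from the RMAC proposal: it builds a CBC-MAC-shaped construction (chaining value s_i = F_k1(s_{i-1} XOR m_i), tag = F_k2(final state)) with a deliberately tiny 16-bit state so that a birthday search over a few thousand one-block messages finds tag collisions quickly. It then sorts those collisions into the two cases, a genuine internal-state collision versus a coincidence in the output transform, and shows that Wei Dai's extension test (do MAC(X|i) and MAC(Y|i) agree for i = 0..n-1?) separates them using tag queries alone, and that an internal collision lets the attacker forge a tag for Y|s from one query on X|s. All names (`toy_mac`, `chain`, `extension_test`, `forge`, `analyse`), the keys, the 16-bit state width and the SHA-256-based stand-in for a block cipher are assumptions of this illustration; a real CBC-MAC has a 64- or 128-bit state and the same search costs on the order of 2^32 or 2^64 queries.

```python
"""Toy iterated MAC illustrating internal-state collisions versus tag
coincidences.  Added example for this page, not code from the thread; the
16-bit state and the SHA-256 stand-in for a block cipher are assumptions."""
import hashlib

STATE_BYTES = 2   # 16-bit chaining value: birthday collisions appear after ~2^8 messages (assumption)
BLOCK_BYTES = 2


def _prf(key: bytes, data: bytes) -> bytes:
    """Keyed function with STATE_BYTES of output: truncated SHA-256 standing in for E_K."""
    return hashlib.sha256(key + data).digest()[:STATE_BYTES]


def _pad(msg: bytes) -> bytes:
    rem = len(msg) % BLOCK_BYTES
    return msg + b"\x00" * (BLOCK_BYTES - rem) if rem else msg


def chain(k1: bytes, msg: bytes) -> bytes:
    """Internal chaining value after absorbing msg, CBC-MAC style:
    s_0 = 0, s_i = F_k1(s_{i-1} XOR m_i).  The attacker never sees this."""
    state = bytes(STATE_BYTES)
    msg = _pad(msg)
    for i in range(0, len(msg), BLOCK_BYTES):
        block = msg[i:i + BLOCK_BYTES]
        state = _prf(k1, bytes(a ^ b for a, b in zip(state, block)))
    return state


def toy_mac(k1: bytes, k2: bytes, msg: bytes) -> bytes:
    """Tag = second-key output transform of the final chaining value, so a tag
    collision alone does not tell whether the chaining values collided."""
    return _prf(k2, chain(k1, msg))


def find_tag_collisions(oracle, count: int = 4096):
    """Birthday search using tag queries only: MAC `count` distinct one-block
    messages and return every (x, y) pair whose tags agree."""
    seen = {}
    pairs = []
    for i in range(count):
        m = i.to_bytes(BLOCK_BYTES, "big")
        t = oracle(m)
        if t in seen:
            pairs.append((seen[t], m))
        else:
            seen[t] = m
    return pairs


def extension_test(oracle, x: bytes, y: bytes, n: int) -> bool:
    """Attacker-side check from the message: do MAC(x|i) and MAC(y|i) agree
    for i = 0 .. n-1?  An internal collision makes this hold for every i."""
    return all(oracle(x + bytes([i])) == oracle(y + bytes([i])) for i in range(n))


def forge(oracle, x: bytes, y: bytes, suffix: bytes) -> bytes:
    """Given an internal collision (x, y), one query on x|suffix yields a valid
    tag for the never-queried message y|suffix."""
    return oracle(x + suffix)


def analyse(k1: bytes, k2: bytes, n: int = 4) -> dict:
    """Split birthday-found tag collisions into the two cases and count how many
    of each pass the extension test.  k1 is used only to establish ground truth."""
    oracle = lambda m: toy_mac(k1, k2, m)
    pairs = find_tag_collisions(oracle)
    internal = [(x, y) for x, y in pairs if chain(k1, x) == chain(k1, y)]
    coincidental = [(x, y) for x, y in pairs if chain(k1, x) != chain(k1, y)]
    return {
        "internal": len(internal),
        "coincidental": len(coincidental),
        "internal_pass": sum(extension_test(oracle, x, y, n) for x, y in internal),
        "coincidental_pass": sum(extension_test(oracle, x, y, n) for x, y in coincidental),
        "example": internal[0] if internal else None,
    }


if __name__ == "__main__":
    k1, k2 = b"chain-key", b"output-key"   # constructed keys for the demo
    r = analyse(k1, k2)
    print(f"internal collisions: {r['internal']}, all pass extension test: "
          f"{r['internal_pass'] == r['internal']}")
    print(f"coincidental tag collisions: {r['coincidental']}, passing extension test: "
          f"{r['coincidental_pass']}")
    x, y = r["example"]
    tag = forge(lambda m: toy_mac(k1, k2, m), x, y, b"pay $1000")
    print("forged tag verifies:", tag == toy_mac(k1, k2, y + b"pay $1000"))
```

Roughly half of the tag collisions the search turns up are internal-state collisions and the other half are coincidences in the 16-bit output transform; every internal collision passes the extension test for all n, while a coincidental pair fails at the first or second suffix, since each further match would be an independent 2^-15 event. That is the reason the chaining value, not the tag, is what a birthday attacker on an unrandomized iterated MAC is really after.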
