Cryptographic MACs¶
links: AC1 TOC - Random Oracle & Applications - Modern Cryptography MOC - Index
MAC based on block cipher¶
CBC-MAC¶
CBC-MAC for fixed-length messages¶
Compared with the CBC mode of operation:
- no IV (the chain starts from an all-zero block)
- only the last ciphertext block is output as the tag (no intermediate outputs)
It is only secure for fixed-length messages (see Length-Extension Attack)
CBC-MAC for arbitrary-length messages¶
- one solution is to include the length of the message in the first block
- has been proven secure as long as no two messages that are prefixes of each other are ever used
- Drawback: requires a number of cryptographic operations (specifically, block-cipher evaluations) linear in the length of the message being authenticated \(\rightarrow\) not efficient
MAC based on universal hash functions¶
GMAC (Galois Message Authentication Code)¶
- GMAC is a specialization of GCM (Galois/Counter mode) for authentication only
- uses GHASH, which is a universal hash family
- very efficient by using hardware-level instructions (more efficient and secure than CBC-MAC)
Poly1305¶
- Universal hash family designed by Bernstein
- more efficient and secure than CBC-MAC
GMAC vs. Poly1305¶
The main difference between Poly1305-AES and AES-GMAC is the type of arithmetic used by the underlying universal hash family, Poly1305 or GHASH, respectively. (...) Poly1305 is optimized for fast safe software implementations, whereas GHASH is a security risk unless you can guarantee you're using hardware support.
Source: Link
MAC based on Hash-and-MAC¶
HMAC (Hash-based Message Authentication Code)¶
- based on the Hash-and-MAC construct
- Avoids the Length-Extension Attack
- uses the Merkle-Damgård transform to compress arbitrary-length messages
- there is an "inner" and an "outer" hash evaluation with some fixed constants (ipad/opad)
- Definition: "HMAC-Hash" (e.g. HMAC-SHA-256, HMAC-SHA3-512)
- Security: HMAC is secure as long as you choose a secure hash algorithm (e.g. HMAC-SHA3-256)
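The inner/outer construction with the ipad/opad constants, written out as an added example (not code from the original note); it uses only the Python standard library, and the key handling (hash keys longer than the block size, zero-pad shorter ones) follows the HMAC definition:

```python
import hashlib
import hmac

IPAD_BYTE = 0x36  # fixed "inner" padding constant
OPAD_BYTE = 0x5C  # fixed "outer" padding constant


def hmac_from_scratch(key: bytes, message: bytes, hash_name: str = "sha256") -> bytes:
    """HMAC(K, m) = H((K' xor opad) || H((K' xor ipad) || m)).

    K' is the key brought to the hash's block size: keys longer than the block
    size are hashed first, shorter keys are padded with zero bytes.
    """
    block_size = hashlib.new(hash_name).block_size  # 64 for SHA-256, 136 for SHA3-256
    if len(key) > block_size:
        key = hashlib.new(hash_name, key).digest()
    key = key.ljust(block_size, b"\x00")
    ipad_key = bytes(b ^ IPAD_BYTE for b in key)
    opad_key = bytes(b ^ OPAD_BYTE for b in key)
    # inner hash evaluation over the message, outer hash evaluation over the inner digest;
    # the outer, keyed evaluation is what makes appending to m impossible for an attacker
    inner = hashlib.new(hash_name, ipad_key + message).digest()
    return hashlib.new(hash_name, opad_key + inner).digest()


def verify_tag(key: bytes, message: bytes, tag: bytes, hash_name: str = "sha256") -> bool:
    """Recompute the tag and compare in constant time (never with ==)."""
    expected = hmac_from_scratch(key, message, hash_name)
    return hmac.compare_digest(expected, tag)


def matches_stdlib(key: bytes, message: bytes, hash_name: str = "sha256") -> bool:
    """Cross-check the from-scratch construction against Python's hmac module."""
    return hmac_from_scratch(key, message, hash_name) == hmac.new(key, message, hash_name).digest()


if __name__ == "__main__":
    # constructed sample input (the well-known HMAC-SHA256 test message)
    k, m = b"key", b"The quick brown fox jumps over the lazy dog"
    print(hmac_from_scratch(k, m).hex())
    print(verify_tag(k, m, hmac_from_scratch(k, m)))
```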
Drawback of Hash-and-MAC Constructions¶
With Hash-and-MAC (like HMAC) we typically use conjecturally collision-resistant functions like SHA-256, which are orders of magnitude more expensive to compute for conjectured security that we don't even care about in this application (collision resistance).
Source: Link
MAC based on Sponge Functions¶
KMAC (Keccak Message Authentication Code)¶
- KMAC is a PRF and keyed hash function based on Keccak
- It can be leveraged in KDFs
- two variants, KMAC128 and KMAC256, built from cSHAKE128 and cSHAKE256 respectively
- KMAC can also be used as an XOF, which mimics the behaviour of cSHAKE