Cryptographic MACs


MAC based on block cipher

CBC-MAC

CBC-MAC for fixed-length messages

Compared with the CBC mode of operation:

  • no IV
  • only the final block is output as the tag (no intermediate blocks are output)

In this basic form, CBC-MAC is only secure for "fixed-length" messages (see Length-Extension Attack).

cbc_mac.png

CBC-MAC for arbitrary-length messages

  • one solution is to include the length of the message in the first block
  • has been proven secure as long as no two messages that are prefixes of each other are ever used
  • Drawback: requires a number of cryptographic operations (specifically, block-cipher evaluations) linear in the length of the message being authenticated \(\rightarrow\) not efficient

cbc_mac_2.png

MAC based on universal hash functions

GMAC (Galois Message Authentication Code)

Poly1305

GMAC vs. Poly1305

The main difference between Poly1305-AES and AES-GMAC is the type of arithmetic used by the underlying universal hash family, Poly1305 or GHASH, respectively. (...) Poly1305 is optimized for fast safe software implementations, whereas GHASH is a security risk unless you can guarantee you're using hardware support.

Source: Link

MAC based on Hash-and-MAC

HMAC (Hash-based Message Authentication Code)

  • based on the Hash-and-MAC construction
  • Avoids the Length-Extension Attack
  • uses the Merkle-Damgård transform to compress arbitrary-length messages
  • there is an "inner" and an "outer" hash evaluation with some fixed constants (ipad/opad)
  • Definition: "HMAC-Hash" (e.g. HMAC-SHA-256, HMAC-SHA3-512)
  • Security: HMAC is secure as long as you choose a secure hash algorithm (e.g. HMAC-SHA3-256)

hmac.png
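
The inner and outer hash evaluations with ipad/opad, written out by hand as an added example (not part of the original notes). The names `hmac_manual`, `verify` and `self_check` and the sample keys and messages are constructed for illustration; the standard-library `hmac` module is used only as a reference and for constant-time comparison.

```python
import hashlib
import hmac  # reference implementation and constant-time compare


def hmac_manual(key: bytes, msg: bytes, hash_name: str = "sha256") -> bytes:
    """HMAC-Hash: H((K' xor opad) || H((K' xor ipad) || msg))."""
    block_size = hashlib.new(hash_name).block_size
    # A key longer than one hash block is hashed first ...
    if len(key) > block_size:
        key = hashlib.new(hash_name, key).digest()
    # ... and every key is zero-padded to exactly one block (K').
    key = key.ljust(block_size, b"\x00")
    ipad = bytes(b ^ 0x36 for b in key)  # fixed inner constant
    opad = bytes(b ^ 0x5C for b in key)  # fixed outer constant
    inner = hashlib.new(hash_name, ipad + msg).digest()
    # The outer hash covers only a fixed-size input, so appending data
    # to msg changes `inner` and cannot be continued from the final tag.
    return hashlib.new(hash_name, opad + inner).digest()


def verify(key: bytes, msg: bytes, tag: bytes, hash_name: str = "sha256") -> bool:
    """Recompute the tag and compare without leaking timing information."""
    return hmac.compare_digest(hmac_manual(key, msg, hash_name), tag)


def self_check() -> bool:
    """Compare against the standard library for short and long keys."""
    msg = b"constructed sample message"
    cases = [
        (b"short-key", "sha256"),       # HMAC-SHA-256, key < block size
        (b"k" * 200, "sha256"),         # key > block size, gets hashed
        (b"short-key", "sha3_512"),     # HMAC-SHA3-512
        (b"k" * 200, "sha3_512"),
    ]
    return all(
        hmac_manual(k, msg, h) == hmac.new(k, msg, h).digest()
        for k, h in cases
    )


if __name__ == "__main__":
    print("matches stdlib:", self_check())
```
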

Drawback of Hash-and-MAC Constructions

With Hash-and-MAC (like HMAC) we typically use conjecturally collision-resistant functions like SHA-256, which are orders of magnitude more expensive to compute for conjectured security that we don't even care about in this application (collision resistance).

Source: Link

MAC based on Sponge Functions

KMAC (Keccak Message Authentication Code)

  • KMAC is a PRF and keyed hash function based on Keccak
  • It can be used to build a KDF
  • two variants, KMAC128 and KMAC256, built from cSHAKE128 and cSHAKE256 respectively
  • KMAC can also be used as an XOF, which mimics the behaviour of cSHAKE
