One-key MAC: Difference between revisions

From Wikipedia, the free encyclopedia
imported>SilkPyjamas
m Importing Wikidata short description: "Message authentication code algorithm"
 
imported>SchlurcherBot
m Bot: http → https
 
Line 3: Line 3:
'''One-key MAC''' ('''OMAC''') is a family of [[message authentication code]]s constructed from a [[block cipher]] much like the [[CBC-MAC]] algorithm. It may be used to provide assurance of the authenticity and, hence, the integrity of data. Two versions are defined:
'''One-key MAC''' ('''OMAC''') is a family of [[message authentication code]]s constructed from a [[block cipher]] much like the [[CBC-MAC]] algorithm. It may be used to provide assurance of the authenticity and, hence, the integrity of data. Two versions are defined:
* The original OMAC of February 2003, which is rarely used.<ref name=omac03/> The preferred name is now "OMAC2".<ref name=omac1/>
* The original OMAC of February 2003, which is rarely used.<ref name=omac03/> The preferred name is now "OMAC2".<ref name=omac1/>
* The OMAC1 refinement,<ref name=omac1/> which became an [[NIST]] recommendation in May 2005 under the name '''CMAC'''.<ref>{{Cite journal|last=Dworkin|first=Morris|title=Recommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication|url=http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38b.pdf|doi=10.6028/nist.sp.800-38b|year=2016|doi-access=free}}</ref>
* The OMAC1 refinement,<ref name=omac1/> which became an [[NIST]] recommendation in May 2005 under the name '''CMAC'''.<ref>{{Cite journal|last=Dworkin|first=Morris|title=Recommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication|url=https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38b.pdf|doi=10.6028/nist.sp.800-38b|year=2016|doi-access=free}}</ref>


OMAC is free for all uses: it is not covered by any patents.<ref>{{cite web |url=http://www.cs.ucdavis.edu/~rogaway/xcbc/ip.html |title=CMAC: Non-licensing |last=Rogaway |first=Phillip |access-date=May 27, 2020 |quote=Phillip Rogaway's statement on intellectual property status of CMAC}}</ref>
OMAC is free for all uses: it is not covered by any patents.<ref>{{cite web |url=https://www.cs.ucdavis.edu/~rogaway/xcbc/ip.html |title=CMAC: Non-licensing |last=Rogaway |first=Phillip |access-date=May 27, 2020 |quote=Phillip Rogaway's statement on intellectual property status of CMAC}}</ref>


== History ==
== History ==
Line 11: Line 11:
The core of the CMAC algorithm is a variation of [[CBC-MAC]] that [[John Black (cryptographer)|Black]] and [[Phillip Rogaway|Rogaway]] proposed and analyzed under the name "XCBC"<ref>{{Cite book|title=Advances in Cryptology – CRYPTO 2000|last1=Black|first1=John|last2=Rogaway|first2=Phillip|date=2000-08-20|publisher=Springer, Berlin, Heidelberg|isbn=978-3540445982|pages=197–215|language=en|doi=10.1007/3-540-44598-6_12}}</ref> and submitted to [[NIST]].<ref>{{Cite journal|last1=Black|first1=J|last2=Rogaway|first2=P|title=A Suggestion for Handling Arbitrary-Length Messages with the CBC MAC|url=https://web.cs.ucdavis.edu/~rogaway/papers/xcbc.pdf}}</ref> The XCBC algorithm efficiently addresses the security deficiencies of CBC-MAC, but requires three keys.
The core of the CMAC algorithm is a variation of [[CBC-MAC]] that [[John Black (cryptographer)|Black]] and [[Phillip Rogaway|Rogaway]] proposed and analyzed under the name "XCBC"<ref>{{Cite book|title=Advances in Cryptology – CRYPTO 2000|last1=Black|first1=John|last2=Rogaway|first2=Phillip|date=2000-08-20|publisher=Springer, Berlin, Heidelberg|isbn=978-3540445982|pages=197–215|language=en|doi=10.1007/3-540-44598-6_12}}</ref> and submitted to [[NIST]].<ref>{{Cite journal|last1=Black|first1=J|last2=Rogaway|first2=P|title=A Suggestion for Handling Arbitrary-Length Messages with the CBC MAC|url=https://web.cs.ucdavis.edu/~rogaway/papers/xcbc.pdf}}</ref> The XCBC algorithm efficiently addresses the security deficiencies of CBC-MAC, but requires three keys.


Iwata and Kurosawa proposed an improvement of XCBC that requires less key material (just one key) and named the resulting algorithm ''One-Key CBC-MAC'' (OMAC) in their papers.<ref name=omac03>{{Cite book|title=Fast Software Encryption|volume = 2887|last1=Iwata|first1=Tetsu|last2=Kurosawa|first2=Kaoru|date=2003-02-24|publisher=Springer, Berlin, Heidelberg|isbn=978-3-540-20449-7|pages=129–153|language=en|chapter=OMAC: One-Key CBC MAC|doi=10.1007/978-3-540-39887-5_11|series = Lecture Notes in Computer Science}}</ref> They later submitted the OMAC1 (= CMAC),<ref name=omac1>{{Cite journal|last1=Iwata|first1=Tetsu|last2=Kurosawa|first2=Kaoru|year=2003|title=OMAC: One-Key CBC MAC – Addendum|url=http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/proposedmodes/omac/omac-ad.pdf|quote=In this note, we propose OMAC1, a new choice of the parameters of OMAC-family (see [4] for the details). Test vectors are also presented. Accordingly, we rename the previous OMAC as OMAC2. (That is to say, test vectors for OMAC2 were already shown in [3].) We use OMAC as a generic name for OMAC1 and OMAC2.}}</ref> a refinement of OMAC, and additional security analysis.<ref>{{Cite book|url=https://archive.org/details/progresscryptolo00joha|url-access=limited|last1=Iwata|first1=Tetsu|last2=Kurosawa|first2=Kaoru|title=Progress in Cryptology - INDOCRYPT 2003 |date=2003-12-08|publisher=Springer Berlin Heidelberg|isbn=9783540206095|editor-last=Johansson|editor-first=Thomas|series=Lecture Notes in Computer Science|volume=2904 |pages=[https://archive.org/details/progresscryptolo00joha/page/n412 402]–415|language=en|chapter=Stronger Security Bounds for OMAC, TMAC, and XCBC|doi=10.1007/978-3-540-24582-7_30|editor-last2=Maitra|editor-first2=Subhamoy|citeseerx = 10.1.1.13.8229}}</ref>
Iwata and Kurosawa proposed an improvement of XCBC that requires less key material (just one key) and named the resulting algorithm ''One-Key CBC-MAC'' (OMAC) in their papers.<ref name=omac03>{{Cite book|title=Fast Software Encryption|volume = 2887|last1=Iwata|first1=Tetsu|last2=Kurosawa|first2=Kaoru|date=2003-02-24|publisher=Springer, Berlin, Heidelberg|isbn=978-3-540-20449-7|pages=129–153|language=en|chapter=OMAC: One-Key CBC MAC|doi=10.1007/978-3-540-39887-5_11|series = Lecture Notes in Computer Science}}</ref> They later submitted the OMAC1 (= CMAC),<ref name=omac1>{{Cite journal|last1=Iwata|first1=Tetsu|last2=Kurosawa|first2=Kaoru|year=2003|title=OMAC: One-Key CBC MAC – Addendum|url=https://csrc.nist.gov/groups/ST/toolkit/BCM/documents/proposedmodes/omac/omac-ad.pdf|quote=In this note, we propose OMAC1, a new choice of the parameters of OMAC-family (see [4] for the details). Test vectors are also presented. Accordingly, we rename the previous OMAC as OMAC2. (That is to say, test vectors for OMAC2 were already shown in [3].) We use OMAC as a generic name for OMAC1 and OMAC2.}}</ref> a refinement of OMAC, and additional security analysis.<ref>{{Cite book|url=https://archive.org/details/progresscryptolo00joha|url-access=limited|last1=Iwata|first1=Tetsu|last2=Kurosawa|first2=Kaoru|title=Progress in Cryptology - INDOCRYPT 2003 |date=2003-12-08|publisher=Springer Berlin Heidelberg|isbn=9783540206095|editor-last=Johansson|editor-first=Thomas|series=Lecture Notes in Computer Science|volume=2904 |pages=[https://archive.org/details/progresscryptolo00joha/page/n412 402]–415|language=en|chapter=Stronger Security Bounds for OMAC, TMAC, and XCBC|doi=10.1007/978-3-540-24582-7_30|editor-last2=Maitra|editor-first2=Subhamoy|citeseerx = 10.1.1.13.8229}}</ref>


== Algorithm ==
== Algorithm ==
Line 52: Line 52:
* {{IETF RFC|4615|link=no}} The Advanced Encryption Standard-Cipher-based Message Authentication Code-Pseudo-Random Function-128 (AES-CMAC-PRF-128)
* {{IETF RFC|4615|link=no}} The Advanced Encryption Standard-Cipher-based Message Authentication Code-Pseudo-Random Function-128 (AES-CMAC-PRF-128)
* OMAC [https://web.archive.org/web/20150223220648/http://adder.demo.iworks.ro/Go/OMAC/ Online Test]
* OMAC [https://web.archive.org/web/20150223220648/http://adder.demo.iworks.ro/Go/OMAC/ Online Test]
* [http://www.nuee.nagoya-u.ac.jp/labs/tiwata/omac/omac.html More information on OMAC]
* [https://www.nuee.nagoya-u.ac.jp/labs/tiwata/omac/omac.html More information on OMAC]
* [https://github.com/RustCrypto/MACs/tree/master/cmac Rust implementation]
* [https://github.com/RustCrypto/MACs/tree/master/cmac Rust implementation]



Latest revision as of 07:00, 12 July 2025

One-key MAC (OMAC) is a family of message authentication codes constructed from a block cipher much like the CBC-MAC algorithm. It may be used to provide assurance of the authenticity and, hence, the integrity of data. Two versions are defined:

  • The original OMAC of February 2003, which is rarely used.[1] The preferred name is now "OMAC2".[2]
  • The OMAC1 refinement,[2] which became an NIST recommendation in May 2005 under the name CMAC.[3]

OMAC is free for all uses: it is not covered by any patents.[4]

History

The core of the CMAC algorithm is a variation of CBC-MAC that Black and Rogaway proposed and analyzed under the name "XCBC"[5] and submitted to NIST.[6] The XCBC algorithm efficiently addresses the security deficiencies of CBC-MAC, but requires three keys.

Iwata and Kurosawa proposed an improvement of XCBC that requires less key material (just one key) and named the resulting algorithm One-Key CBC-MAC (OMAC) in their papers.[1] They later submitted the OMAC1 (= CMAC),[2] a refinement of OMAC, and additional security analysis.[7]

Algorithm

Figure: CMAC - Cipher-based Message Authentication Code (diagram not rendered on this page)

To generate a CMAC tag (t) of a chosen length for a message (m) using a b-bit block cipher (E) and a secret key (k), one first generates two b-bit sub-keys (k1 and k2) using the following algorithm (this is equivalent to multiplication by x and x² in the finite field GF(2^b)). Let ≪ denote the standard left-shift operator and ⊕ denote bit-wise exclusive or:

  1. Calculate a temporary value k0 = Ek(0).
  2. If msb(k0) = 0, then k1 = k0 ≪ 1, else k1 = (k0 ≪ 1) ⊕ C; where C is a certain constant that depends only on b. (Specifically, C encodes the non-leading coefficients of the lexicographically first irreducible degree-b binary polynomial with the minimal number of ones: 0x1B for 64-bit, 0x87 for 128-bit, and 0x425 for 256-bit blocks.)
  3. If msb(k1) = 0, then k2 = k1 ≪ 1, else k2 = (k1 ≪ 1) ⊕ C.
  4. Return keys (k1, k2) for the MAC generation process.

As a small example, suppose b = 4, C = 0011₂, and k0 = Ek(0) = 0101₂. Then k1 = 1010₂ and k2 = 0100 ⊕ 0011 = 0111₂.

The CMAC tag generation process is as follows:

  1. Divide the message into b-bit blocks m = m1 ∥ ... ∥ mn−1 ∥ mn, where m1, ..., mn−1 are complete blocks. (The empty message is treated as one incomplete block.)
  2. If mn is a complete block then mn′ = k1 ⊕ mn, else mn′ = k2 ⊕ (mn ∥ 10...0₂).
  3. Let c0 = 00...0₂.
  4. For i = 1, ..., n − 1, calculate ci = Ek(ci−1 ⊕ mi).
  5. cn = Ek(cn−1 ⊕ mn′).
  6. Output t = msb(cn).

The verification process is as follows:

  1. Use the above algorithm to generate the tag.
  2. Check that the generated tag is equal to the received tag.
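The sub-key derivation, tag generation and verification steps above, carried out in one piece of code. This is an added example, not code from the article or from the NIST specification: it is written generically over the block size b and an encryption callable `enc` so that the article's 4-bit worked example (C = 0011₂, Ek(0) = 0101₂) can be reproduced exactly. The 4-bit "cipher" `toy_enc` is a constructed stand-in with no security value; messages are passed as bit strings rather than bytes, which is an assumption made here so that the 4-bit example fits (real CMAC implementations work on byte strings with b = 128 and a genuine block cipher). The verification step compares tags in constant time, which the article's two-step description leaves implicit.

```python
import hmac
from typing import Callable, Optional, Tuple

# Constant C per block size, as listed on the page: the non-leading coefficients
# of the lexicographically first irreducible degree-b binary polynomial with the
# fewest ones.
RB_CONSTANT = {64: 0x1B, 128: 0x87, 256: 0x425}


def gf_double(x: int, b: int, c: int) -> int:
    """Multiply x by the polynomial 'x' in GF(2^b): shift left one bit and, if the
    bit that fell off the top (msb) was 1, XOR in C (steps 2 and 3 of the page)."""
    mask = (1 << b) - 1
    shifted = (x << 1) & mask
    if (x >> (b - 1)) & 1:
        shifted ^= c
    return shifted


def cmac_subkeys(enc: Callable[[int], int], b: int, c: Optional[int] = None) -> Tuple[int, int]:
    """Steps 1-4: k0 = E_k(0), k1 = k0 * x, k2 = k1 * x (= k0 * x^2)."""
    if c is None:
        c = RB_CONSTANT[b]
    k0 = enc(0)
    k1 = gf_double(k0, b, c)
    k2 = gf_double(k1, b, c)
    return k1, k2


def cmac_tag(enc: Callable[[int], int], b: int, message_bits: str,
             tag_len: int, c: Optional[int] = None) -> int:
    """CMAC tag of a message given as a string of '0'/'1' characters."""
    if not 1 <= tag_len <= b:
        raise ValueError("tag length must be between 1 and b bits")
    k1, k2 = cmac_subkeys(enc, b, c)

    # Step 1: split into b-bit blocks; the empty message is one incomplete block.
    blocks = [message_bits[i:i + b] for i in range(0, len(message_bits), b)] or [""]
    last = blocks[-1]

    # Step 2: complete last block -> XOR with k1; incomplete -> pad 10...0, XOR with k2.
    if len(last) == b:
        last_block = k1 ^ int(last, 2)
    else:
        padded = last + "1" + "0" * (b - len(last) - 1)
        last_block = k2 ^ int(padded, 2)

    # Steps 3-5: CBC chaining from c0 = 0 through the complete blocks, then the last one.
    c_i = 0
    for blk in blocks[:-1]:
        c_i = enc(c_i ^ int(blk, 2))
    c_n = enc(c_i ^ last_block)

    # Step 6: keep the tag_len most significant bits of c_n.
    return c_n >> (b - tag_len)


def cmac_verify(enc: Callable[[int], int], b: int, message_bits: str,
                tag_len: int, received_tag: int, c: Optional[int] = None) -> bool:
    """Recompute the tag and compare it to the received one in constant time."""
    if not 0 <= received_tag < (1 << tag_len):
        return False  # malformed tag: wrong width, cannot be valid
    expected = cmac_tag(enc, b, message_bits, tag_len, c)
    width = (tag_len + 7) // 8
    return hmac.compare_digest(expected.to_bytes(width, "big"),
                               received_tag.to_bytes(width, "big"))


def toy_enc(x: int) -> int:
    """Constructed 4-bit stand-in for E_k: a modular add with key 5, chosen only so
    that E_k(0) = 0101 matches the page's example. It is not a cipher."""
    return (x + 5) & 0xF


if __name__ == "__main__":
    k1, k2 = cmac_subkeys(toy_enc, 4, 0b0011)
    print(f"k1 = {k1:04b}, k2 = {k2:04b}")          # 1010, 0111 as on the page
    t = cmac_tag(toy_enc, 4, "1100", 4, 0b0011)
    print(f"tag('1100') = {t:04b}")
    print("verify:", cmac_verify(toy_enc, 4, "1100", 4, t, 0b0011))
```

To use this with a real cipher, set `b = 128`, leave `c` at its default (0x87 from the table) and pass an `enc` that performs one AES-128 block encryption on an integer-encoded block; the subkey and chaining logic is unchanged.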

Variants

CMAC-C1[8] is a variant of CMAC that provides additional commitment and context-discovery security guarantees.

Implementations

References

  1. Iwata, Tetsu; Kurosawa, Kaoru (2003-02-24). "OMAC: One-Key CBC MAC". Fast Software Encryption. Lecture Notes in Computer Science, vol. 2887. Springer, Berlin, Heidelberg. pp. 129–153. doi:10.1007/978-3-540-39887-5_11. ISBN 978-3-540-20449-7.
  2. Iwata, Tetsu; Kurosawa, Kaoru (2003). "OMAC: One-Key CBC MAC – Addendum". https://csrc.nist.gov/groups/ST/toolkit/BCM/documents/proposedmodes/omac/omac-ad.pdf
  3. Dworkin, Morris (2016). "Recommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication". doi:10.6028/nist.sp.800-38b. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38b.pdf
  4. Rogaway, Phillip. "CMAC: Non-licensing". https://www.cs.ucdavis.edu/~rogaway/xcbc/ip.html. Retrieved May 27, 2020.
  5. Black, John; Rogaway, Phillip (2000-08-20). Advances in Cryptology – CRYPTO 2000. Springer, Berlin, Heidelberg. pp. 197–215. doi:10.1007/3-540-44598-6_12. ISBN 978-3540445982.
  6. Black, J.; Rogaway, P. "A Suggestion for Handling Arbitrary-Length Messages with the CBC MAC". https://web.cs.ucdavis.edu/~rogaway/papers/xcbc.pdf
  7. Iwata, Tetsu; Kurosawa, Kaoru (2003-12-08). "Stronger Security Bounds for OMAC, TMAC, and XCBC". In Johansson, Thomas; Maitra, Subhamoy (eds.). Progress in Cryptology – INDOCRYPT 2003. Lecture Notes in Computer Science, vol. 2904. Springer Berlin Heidelberg. pp. 402–415. doi:10.1007/978-3-540-24582-7_30. ISBN 9783540206095.
  8. (citation not rendered on this page)
  9. (citation not rendered on this page)
  10. (citation not rendered on this page)


External links
