Chris J. Mitchell (2003) On the security of XCBC, TMAC and OMAC.
Full text access: Open
The security provided by the XCBC, TMAC and OMAC schemes is analysed and compared with other MAC schemes. The results imply that there is relatively little to be gained practically through the introduction of these schemes by comparison with other well-established MAC functions. Moreover, TMAC and OMAC possess design weaknesses which enable part of the secret key to be recovered much more easily than would ideally be the case — design changes are suggested which alleviate this problem. Whether or not the proofs of security are retrievable for the modified designs remains an open question, although the need for change would appear to be clear.
This is a Published version. This version's date is: 19/08/2003. This item is peer reviewed.
https://repository.royalholloway.ac.uk/items/35768eaa-2b85-ff35-374c-658edf7c99b5/1/
Deposited by () on 14-Jul-2010 in Royal Holloway Research Online. Last modified on 10-Dec-2010.