One-key MAC


One-key MAC is a family of message authentication codes constructed from a block cipher much like the CBC-MAC algorithm. It may be used to provide assurance of the authenticity and, hence, the integrity of data. Two versions are defined:
OMAC is free for all uses: it is not covered by any patents.

History

The core of the CMAC algorithm is a variation of CBC-MAC that Black and Rogaway proposed and analyzed under the name "XCBC" and submitted to NIST. The XCBC algorithm efficiently addresses the security deficiencies of CBC-MAC, but requires three keys.
Iwata and Kurosawa proposed an improvement of XCBC that requires less key material and named the resulting algorithm One-Key CBC-MAC in their papers. They later submitted the OMAC1, a refinement of OMAC, and additional security analysis.

Algorithm

To generate an -bit CMAC tag of a message using a b-bit block cipher and a secret key, one first generates two b-bit sub-keys using the following algorithm. Let ≪ denote the standard left-shift operator and ⊕ denote bit-wise exclusive or:
  1. Calculate a temporary value k0 = Ek.
  2. If msb = 0, then k1 = k0 ≪ 1, else k1 = ⊕ C; where C is a certain constant that depends only on b.
  3. If, then, else.
  4. Return keys for the MAC generation process.
As a small example, suppose,, and. Then and.
The CMAC tag generation process is as follows:
  1. Divide message into b-bit blocks, where m1,..., mn−1 are complete blocks.
  2. If mn is a complete block then else.
  3. Let.
  4. For, calculate.
  6. Output.
The verification process is as follows:
  1. Use the above algorithm to generate the tag.
  2. Check that the generated tag is equal to the received tag.

    Variants

CMAC-C1 is a variant of CMAC that provides additional commitment and context-discovery security guarantees.

Implementations