Cryptography Reference
In-Depth Information
3. If
x
n
was not padded, replace it by
x
n
⊕
H
L
(Cst
1
). If
x
n
was padded, replace it
H
L
(Cst
2
).
4. Compute the regular CBC-MAC of
x
1
||
by
x
n
⊕
x
n
.
5. Truncate it to its
t
leftmost bits and obtain the MAC of
M
.
x
2
||···||
In the OMAC1 instance,
H
is defined in the finite field GF(2
n
) where
n
is the block
length. Concretely, blocks are
n
-bit strings which represent a polynomial in the variable
u
whose coefficients are binary and read in descending order from the coefficient of
u
n
−
1
(the leftmost bit) to the constant coefficient (the rightmost bit). The addition of
polynomials corresponds to the XOR of bitstrings. The multiplication of a polynomial
represented by the bitstring
B
by
u
is obtained from
B
by dropping the leftmost bit
and concatenating a zero bit, then by XORing the result to a constant if the dropped
bit is 1. The constant is, in hexadecimal,
0x000000000000001b
if
n
=
64 and
0x00000000000000000000000000000087
if
n
128. These rules and field
properties fully define a multiplication law over
n
-bit strings. Finally,
H
L
(
x
)isthe
multiplication of
L
by
x
, Cst
1
is the bitstring representing
u
, i.e.
0x00
···
02
, and Cst
2
is the bitstring representing
u
2
, i.e.
0x00
···
04
. Note that we only have to compute
L
=
u
2
, which means that we just have to multiply
L
by the constant
u
twice.
Implementation of the full GF(2
n
) arithmetics is not necessary. So finally, we can get
rid of all these algebraic aspects (which will be made clearer in Chapter 6) and define
the operation
y
×
u
and
L
×
←
x
×
u
by
1. take
x
;
2. drop the leftmost bit and insert a new bit zero to the right;
3. if the dropped bit was 1, XOR with
0x00
···
1b
for
n
=
64 and
0x00
···
87
for
128;
4. get
y
.
n
=
In OMAC1,
H
L
(Cst
1
) is defined by
L
×
u
, and
H
L
(Cst
2
) is defined by
H
L
(Cst
1
)
×
u
.
3.4.4
Analysis of CBC-MAC
To illustrate the CBC-MAC constructions from the previous section, we provide here a
security analysis of the encrypted CBC-MAC, i.e. the EMAC construction. Assuming
that the block encryption with the first key is denoted
C
1
and that the final block double
encryption with the two keys is denoted
C
2
, EMAC matches the construction in the
following theorem.
Theorem 3.4.
Given two independent uniformly distributed random permutations C
1
and C
2
on
M
of cardinality N, let us define
MAC(
x
1
,...,
x
)
=
C
2
(
C
1
(
···
C
1
(
C
1
(
x
1
)
⊕
x
2
)
⊕···⊕
x
−
1
)
⊕
x
)
.
We assume that the MAC function is implemented by an oracle, and we consider an
(adaptive) adversary who can send queries to the oracle with a limited total length of q:
Search WWH ::
Custom Search