List:       ipsec
Subject:    Faster, stronger MACs
From:       "D. J. Bernstein" <djb () cr ! yp ! to>
Date:       1999-06-26 0:07:53

Many message authentication systems compute a 128-bit authenticator for
a message m as follows:

     keyed hash function           keyed cryptographic function
   m -------------------> 128 bits ----------------------------> 128 bits

There is a proof that any system of this type is secure against adaptive
chosen-message attacks, provided that

   * the cryptographic function is ``unpredictable''---this is a
     standard assumption about block ciphers, keyed MD5, etc.---and

   * the hash function is ``universal.''

For example, NMAC-MD5 is a system in this class, using keyed MD5 with
variable-length input as the hash function, and keyed MD5 with
fixed-length input as the cryptographic function. (HMAC-MD5 is the same
as NMAC-MD5 except that the two keys are derived from a single key.)

There are, however, better systems in this class:

   * Some 128-bit hash functions are _provably_ universal. You might
     guess that provable security comes at the expense of speed or key
     size; however, I have code for a simple universal 128-bit hash
     function, with a 128-bit key, that's _faster than MD5_ on the
     Pentium, Pentium II, UltraSPARC, and other popular chips.

   * When unique message numbers are available---for replay prevention,
     for example---they can be fed into the cryptographic function. The
     result is a quantifiable improvement in security.

See http://pobox.com/~djb/hash127/faq.html for further details.

I don't see a pressing need to eliminate HMAC from situations where its
performance hasn't caused problems. However, faster MACs would be a
useful option for people running busy servers.

---Dan
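
The two-stage construction the post describes, as an added example that is not part of the original message and is not DJB's hash127 code. It assumes a polynomial-evaluation hash over GF(p) with p = 2**127 - 1 as the provably universal stage (15-byte blocks, each encoded injectively as int(block) + 2**(8*len(block)), so two distinct messages of at most n blocks collide with probability at most n/(p-1) over a random key r), and HMAC-SHA256 truncated to 128 bits as the "keyed cryptographic function" standing in for keyed MD5 or a block cipher, with the message number fed in alongside the hash value. The two attack functions at the end show why the hash output must never leave the cryptographic stage: with one block of known message an exposed h_r(m) gives away r, and with r known second preimages are a few lines of field arithmetic.

```python
"""
Added example (not from the original post, not DJB's hash127): a
universal-hash-then-PRF MAC.  Assumptions made here, not taken from the post:
  * universal hash = polynomial evaluation over GF(p), p = 2**127 - 1,
    over 15-byte blocks encoded as int(block) + 2**(8*len(block));
  * "keyed cryptographic function" = HMAC-SHA256 truncated to 128 bits,
    with the per-message nonce prepended to the hash value.
"""
import hashlib
import hmac
import secrets

P = (1 << 127) - 1      # Mersenne prime; arithmetic mod P is the field
BLOCK = 15              # 15-byte blocks keep every encoded block below 2**121 < P


def encode_blocks(msg: bytes) -> list:
    """Injective block encoding: a shorter final block gets a different
    high bit, so no two byte strings map to the same coefficient list."""
    out = []
    for i in range(0, len(msg), BLOCK):
        chunk = msg[i:i + BLOCK]
        out.append(int.from_bytes(chunk, "little") + (1 << (8 * len(chunk))))
    return out


def universal_hash(r: int, msg: bytes) -> int:
    """h_r(m) = c_1*r^n + c_2*r^(n-1) + ... + c_n*r  (mod P), Horner form.
    The key r must be secret and uniform in [1, P-1]."""
    acc = 0
    for c in encode_blocks(msg):
        acc = (acc + c) * r % P
    return acc


def keygen() -> tuple:
    """Independent keys for the two stages, as in NMAC."""
    return secrets.randbelow(P - 1) + 1, secrets.token_bytes(32)


def mac(hash_key: int, prf_key: bytes, nonce: bytes, msg: bytes) -> bytes:
    """Authenticator = PRF_k2(nonce || h_r(m)), truncated to 128 bits."""
    h = universal_hash(hash_key, msg).to_bytes(16, "little")
    return hmac.new(prf_key, nonce + h, hashlib.sha256).digest()[:16]


def verify(hash_key: int, prf_key: bytes, nonce: bytes, msg: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(mac(hash_key, prf_key, nonce, msg), tag)


# --- why the PRF stage is not optional -----------------------------------
# The hash is universal only while r is secret.  Both functions below attack
# the bare hash, i.e. the situation where h_r(m) is exposed without the PRF.

def recover_hash_key(one_block_msg: bytes, exposed_hash: int) -> int:
    """For a one-block message h = c_1 * r mod P, so r = h * c_1^-1 mod P."""
    (c1,) = encode_blocks(one_block_msg)
    return exposed_hash * pow(c1, -1, P) % P


def second_preimage(r: int, msg: bytes) -> bytes:
    """Given r, build a different two-full-block message with the same h_r:
    pick c_1', solve c_1'*r^2 + c_2'*r = h for c_2', and retry until c_2'
    is a valid full-block encoding (about 1 in 128 tries succeeds)."""
    assert len(msg) == 2 * BLOCK
    target = universal_hash(r, msg)
    r_inv = pow(r, -1, P)
    lo, hi = 1 << (8 * BLOCK), 1 << (8 * BLOCK + 1)   # valid full-block range
    c1 = lo
    while True:
        c1 += 1
        c2 = (target * r_inv - c1 * r) % P            # (h - c1*r^2) / r
        if lo <= c2 < hi:
            forged = ((c1 - lo).to_bytes(BLOCK, "little")
                      + (c2 - lo).to_bytes(BLOCK, "little"))
            if forged != msg:
                return forged


if __name__ == "__main__":
    r, k = keygen()
    nonce = (1).to_bytes(8, "big")                    # unique per message
    m = b"constructed sample message for the MAC demo"  # constructed input
    t = mac(r, k, nonce, m)
    print(t.hex(), verify(r, k, nonce, m, t), verify(r, k, nonce, m + b"!", t))
    m2 = second_preimage(r, b"A" * 30)
    print(universal_hash(r, m2) == universal_hash(r, b"A" * 30), m2 != b"A" * 30)
```

In this construction the nonce is just extra PRF input, so reusing one degrades to the nonce-less NMAC-style case rather than breaking the MAC outright; the attacks only work because `recover_hash_key` and `second_preimage` are handed the raw hash or the hash key, which a correct implementation never exposes.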
