Analysis of RMAC
In this paper the newly proposed RMAC system is analysed. The scheme gives a (traditional MAC) attacker some control over one of the two keys of the underlying block cipher, which makes it possible to mount several related-key attacks on RMAC. First, an efficient attack on RMAC when used with triple-DES is presented; it also relies on other findings in the proposed draft standard. Second, a generic attack on RMAC is presented which can be used to find one of the two keys in the system faster than by exhaustive search. Third, related-key attacks on RMAC in a multi-user setting are presented. In addition to beating the claimed security bounds in NIST’s RMAC proposal, this work suggests that, as a general principle, one may wish to avoid designing modes of operation that use related keys.
Keywords: Exhaustive Search, Block Cipher, Generic Attack, Decryption Operation, Block Cipher Algorithm