On Thu, Oct 24, 2002 at 02:08:11AM -0700, Sidney Markowitz wrote:
> [...] XCBC should be inherently resistant to extension forgery
> attacks. The attack requires that the MAC have the property that
> MAC(x) == MAC(y) implies that MAC(x||z) == MAC(y||z). In the case of
> XCBC, because of the padding and the use of K2 and K3 that would
> only be true when x and y are the same length or both have lengths
> that are multiples of the cipher block size.

The pre-conditions you give are a little over restrictive, but yes there are limitations due to the structure of XCBC. However provided the pre-conditions are met, and they don't seem that implausible to occur, the extension forgery attacks are possible so I wouldn't say RMAC is inherently resistant to extension forgery.

> I agree with your conclusion [...]
>
> In the case of RMAC, if the parameter sets were chosen to make the
> work factors comparable on the two attacks, I think it is making the
> mistake of comparing apples and oranges: In the exhaustive key
> search attack, the attacker captures one message and the work
> factor is multiplied times the time it takes to try a key on their
> own computers. In the extension forgery attack the work factor is
> multiplied by the time between captured messages. The latter is
> somewhat under the control of the person who is using RMAC. There is
> no reason to require that they have similar work factors if the
> scale is much different.

Yes. Perhaps I/someone should submit my comment to them before the deadline. If RMAC parameter sets were interpreted strictly they would be quite inconvenient and inflexible for the protocol designer.

Adam
--
http://www.cypherspace.net/
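The property discussed in this message, MAC(x) == MAC(y) implying MAC(x||z) == MAC(y||z), can be checked on a scaled-down XCBC. The following is an added example, not code from either poster: the 16-bit Feistel cipher, the keys and all function names are constructed for illustration, and the tiny block size exists only so that a tag collision turns up after a few hundred messages.

```python
import hashlib

BLOCK = 2  # toy 16-bit block (assumption) so tag collisions are cheap to find
KEYS = (b"constructed-k1", b"\x13\x37", b"\xca\xfe")  # constructed K1, K2, K3

def toy_encrypt(key: bytes, block: bytes) -> bytes:
    """4-round Feistel permutation on 2 bytes (constructed toy cipher, not secure)."""
    left, right = block[0], block[1]
    for rnd in range(4):
        f = hashlib.sha256(key + bytes([rnd, right])).digest()[0]
        left, right = right, left ^ f
    return bytes([left, right])

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(a, b))

def xcbc(k1: bytes, k2: bytes, k3: bytes, msg: bytes) -> bytes:
    """CBC-MAC under K1; last block XORed with K2 if full, else 10*-padded and XORed with K3."""
    if msg and len(msg) % BLOCK == 0:
        body, last = msg[:-BLOCK], xor(msg[-BLOCK:], k2)
    else:
        cut = len(msg) - len(msg) % BLOCK
        tail = msg[cut:] + b"\x80"
        body, last = msg[:cut], xor(tail.ljust(BLOCK, b"\x00"), k3)
    state = bytes(BLOCK)
    for i in range(0, len(body), BLOCK):
        state = toy_encrypt(k1, xor(state, body[i:i + BLOCK]))
    return toy_encrypt(k1, xor(state, last))

def find_collision(length: int):
    """Birthday search over distinct messages of one fixed length (3 or 4 bytes here)."""
    seen = {}
    for i in range(2 ** 16 + 1):  # pigeonhole: 65537 distinct messages, 65536 tags
        msg = ((i * 0x9E3779B1) % (1 << (8 * length))).to_bytes(length, "big")
        tag = xcbc(*KEYS, msg)
        if tag in seen:
            return seen[tag], msg
        seen[tag] = msg
    raise AssertionError("unreachable: a collision must exist")

def extension_holds(length: int, suffix: bytes) -> bool:
    """True if a colliding pair x != y of this length still collides after appending suffix."""
    x, y = find_collision(length)
    return x != y and xcbc(*KEYS, x + suffix) == xcbc(*KEYS, y + suffix)

if __name__ == "__main__":
    print("both full blocks (4 bytes):", extension_holds(4, b"any suffix"))
    print("same partial length (3 bytes):", extension_holds(3, b"z"))
```

Both cases hold because a tag collision between such x and y forces the internal CBC state after the shared prefix boundary to match, so K2 and K3 only mask the final block and do not separate the two chains.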