John: In protocols like IPsec, the same key is used for many ESP packets. This is where 96-bits seems more comfortable. In COSE, one could do something similar, especially with COSE_Mac0.
Russ > On Mar 30, 2026, at 2:53 AM, John Mattsson > <[email protected]> wrote: > > Russ Housley wrote: > >Why do you think 64 bit authentication tags are desirable? I would be much > >more comfortable with 96 bits. > > We should probably try to limit the number of options. The security > properties of CMAC/CBC-MAC/HMAC depends very much on if the key is reused or > not and if the tag is truncated or not. If you use a fresh key for each MAC, > CMAC is great. If you reuse the key, untruncated CMAC gives a false sense of > security and waste a lot of bytes. The narrow block size of AES is a problem > and severely limits the security of AES-CMAC in these scenarios.
_______________________________________________ COSE mailing list -- [email protected] To unsubscribe send an email to [email protected]
