Hal Finney wrote:
Darren J Moffat <darren.mof...@sun.com> asks:
Ignoring performance for now what is the consensus on the suitabilty of using AES-GMAC not as MAC but as a hash ?

Would it be safe ?

The "key" input to AES-GMAC would be something well known to the data and/or software.

No, I don't think this would work. In general, giving a MAC a fixed key
cannot be expected to produce a good hash. With AES-GMAC in particular,
it is unusual in that it has a third input (besides key and data to MAC),
an IV, which makes your well-known-key strategy problematic. And even as a
MAC, it is very important that a given key/IV pair never be reused. Fixing
a value for the key and perhaps IV would defeat this provision.

But even ignoring all that, GMAC amounts to a linear combination of
the text blocks - they are the coefficients of a polynomial. The reason
you can get away with it in GMAC is because the polynomial variable is
secret, it is based on the key. So you don't know how things are being
combined. But with a known key and IV, there would be no security at all.
It would be linear like a CRC.

Thanks, that is pretty much what I suspected would be the answer but you have more detail than I could muster in my head at a first pass on this.

Thanks.

--
Darren J Moffat

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com

Reply via email to