### MAC Reforgeability

John Black and Martin Cochran

##### Abstract

Message Authentication Codes (MACs) are central algorithms deployed in virtually every security protocol in common usage. In these protocols, the integrity and authenticity of messages rely entirely on the security of the MAC; we examine cases in which this security is lost. In this paper, we examine the notion of “reforgeability” for MACs. We first give a definition for this new notion, then examine some of the most widely-used and well-known MACs under our definition. We show that for each of these MACs there exists an attack that allows efficient forgeries after the first one is obtained, and we show that simply making these schemes stateful is usually insufficient. For those schemes where adding state is effective, we go one step further to examine how counter misuse affects the security of the MAC, finding, in many cases, simply repeating a single counter value yields complete insecurity. These issues motivated the design of a new scheme, WMAC, which has a number of desirable properties. It is as efficient as the fastest MACs, resists counter misuse, and has tags which may be truncated to the desired length without affecting security (currently, the fastest MACs do not have this property), making it resistant to reforging attacks and arguably the best MAC for constrained environments.

Note: Updated to full version of FSE 2009 proceedings.

Available format(s)
Category
Secret-key cryptography
Publication info
Published elsewhere. Unknown where it was published
Keywords
Message Authentication CodesBirthday AttacksProvable Security
Contact author(s)
History
2009-02-24: last of 6 revisions
See all versions
Short URL
https://ia.cr/2006/095

CC BY

BibTeX

@misc{cryptoeprint:2006/095,
author = {John Black and Martin Cochran},
title = {MAC Reforgeability},
howpublished = {Cryptology ePrint Archive, Paper 2006/095},
year = {2006},
note = {\url{https://eprint.iacr.org/2006/095}},
url = {https://eprint.iacr.org/2006/095}
}

Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.