[144804] in cryptography@c2.net mail archive


Re: AES-GMAC as a hash

daemon@ATHENA.MIT.EDU ("Hal Finney")
Fri Sep 4 15:41:01 2009

To: cryptography@metzdowd.com, Darren.Moffat@Sun.COM
Date: Mon, 31 Aug 2009 10:19:32 -0700 (PDT)
From: hal@finney.org ("Hal Finney")

Darren J Moffat <Darren.Moffat@Sun.COM> asks:
> Ignoring performance for now what is the consensus on the suitability of
> using AES-GMAC not as MAC but as a hash ?
>
> Would it be safe ?
>
> The "key" input to AES-GMAC would be something well known to the data
> and/or software.

No, I don't think this would work. In general, giving a MAC a fixed key
cannot be expected to produce a good hash. With AES-GMAC in particular,
it is unusual in that it has a third input (besides key and data to MAC),
an IV, which makes your well-known-key strategy problematic. And even as a
MAC, it is very important that a given key/IV pair never be reused. Fixing
a value for the key and perhaps IV would defeat this provision.

But even ignoring all that, GMAC amounts to a linear combination of
the text blocks - they are the coefficients of a polynomial. The reason
you can get away with it in GMAC is because the polynomial variable is
secret, it is based on the key. So you don't know how things are being
combined. But with a known key and IV, there would be no security at all.
It would be linear like a CRC.

Hal Finney
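An added worked example (not from the post above) of the point Hal makes: GHASH is a polynomial in the subkey H with the message blocks as coefficients, so once H is known (H = AES_K(0^128), which anyone holding a fixed key can compute) the function is affine over GF(2) and a second preimage costs one field multiplication. The H value below is constructed for the demo; AES itself is not needed, because for a fixed key/IV the GMAC tag is the GHASH value XORed with a constant.

```python
# Constructed subkey for the demo. In real GMAC, H = AES_K(0^128), so a
# "well-known key" means a well-known H.
H_DEMO = int.from_bytes(bytes.fromhex("66e94bd4ef8a2c3b884cfa59ca342b2e"), "big")
R = 0xE1000000000000000000000000000000  # x^128 + x^7 + x^2 + x + 1, GCM bit order

def gf_mul(x: int, y: int) -> int:
    """GF(2^128) multiplication with GCM's bit ordering (SP 800-38D, Algorithm 1)."""
    z, v = 0, x
    for i in range(128):
        if (y >> (127 - i)) & 1:
            z ^= v
        v = (v >> 1) ^ R if v & 1 else v >> 1
    return z

def ghash(h: int, data: bytes) -> int:
    """GHASH_H over AAD only (the GMAC case): zero-pad, append the length block,
    then Horner-evaluate Y = sum X_i * H^(n+1-i). Every block enters linearly."""
    padded = data + bytes(-len(data) % 16)
    blocks = [padded[i:i + 16] for i in range(0, len(padded), 16)]
    blocks.append((len(data) * 8).to_bytes(8, "big") + bytes(8))  # len(A) || len(C)=0
    y = 0
    for block in blocks:
        y = gf_mul(y ^ int.from_bytes(block, "big"), h)
    return y

def ghash_is_affine(h: int, a: bytes, b: bytes) -> bool:
    """Linearity check for equal-length a, b: GHASH(a) ^ GHASH(b) ^ GHASH(a^b)
    equals GHASH of an all-zero message of that length (only the length block
    survives the cancellation). This is the "linear like a CRC" property."""
    a_xor_b = bytes(x ^ y for x, y in zip(a, b))
    return ghash(h, a) ^ ghash(h, b) ^ ghash(h, a_xor_b) == ghash(h, bytes(len(a)))

def second_preimage(h: int, data: bytes, i: int, delta: int) -> bytes:
    """With H known, XOR delta into block i and delta*H into block i+1: block i
    contributes delta*H^(n+1-i), block i+1 contributes delta*H*H^(n-i), and the
    two cancel, so the altered message has the same GHASH and the same
    fixed-key tag. data must be whole 16-byte blocks and i+1 a valid index."""
    blocks = [int.from_bytes(data[j:j + 16], "big") for j in range(0, len(data), 16)]
    blocks[i] ^= delta
    blocks[i + 1] ^= gf_mul(delta, h)
    return b"".join(x.to_bytes(16, "big") for x in blocks)
```

A real hash would need roughly 2^128 work for either property; here both fall out of the algebra, which is why the secrecy of H (and a fresh IV per message) carries all of GMAC's security.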

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
