[144806] in cryptography@c2.net mail archive


Re: AES-GMAC as a hash

daemon@ATHENA.MIT.EDU (Darren J Moffat)
Fri Sep 4 15:43:01 2009

Date: Tue, 01 Sep 2009 10:39:21 +0100
From: Darren J Moffat <Darren.Moffat@Sun.COM>
In-reply-to: <20090831171932.ED71814F6E1@finney.org>
To: Hal Finney <hal@finney.org>
Cc: cryptography@metzdowd.com

Hal Finney wrote:
> Darren J Moffat <Darren.Moffat@Sun.COM> asks:
>> Ignoring performance for now what is the consensus on the suitability of 
>> using AES-GMAC not as a MAC but as a hash?
>>
>> Would it be safe ?
>>
>> The "key" input to AES-GMAC would be something well known to the data 
>> and/or software.
> 
> No, I don't think this would work. In general, giving a MAC a fixed key
> cannot be expected to produce a good hash. With AES-GMAC in particular,
> it is unusual in that it has a third input (besides key and data to MAC),
> an IV, which makes your well-known-key strategy problematic. And even as a
> MAC, it is very important that a given key/IV pair never be reused. Fixing
> a value for the key and perhaps IV would defeat this provision.
> 
> But even ignoring all that, GMAC amounts to a linear combination of
> the text blocks - they are the coefficients of a polynomial. The reason
> you can get away with it in GMAC is because the polynomial variable is
> secret, it is based on the key. So you don't know how things are being
> combined. But with a known key and IV, there would be no security at all.
> It would be linear like a CRC.

Thanks, that is pretty much what I suspected would be the answer but you 
have more detail than I could muster in my head at a first pass on this.

Thanks.

-- 
Darren J Moffat

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
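The linearity Hal describes above can be seen directly in GHASH, the polynomial core of AES-GMAC. The following is an added illustration, not code from either correspondent: a pure-Python GHASH over GF(2^128) in the GCM bit order, a check that it is linear in the message blocks, and a second message with the same GHASH once the hash subkey H is public. Assumptions: the "well-known key" makes H known (in real GMAC, H = AES_K(0^128)); the final XOR with the encrypted IV/counter block is a fixed constant once key and IV are fixed, so it is left out; the subkey and message values are constructed samples.

```python
# Added example (not from the original thread): GHASH, the polynomial part of
# AES-GMAC, and why a known subkey H makes it behave like a CRC, not a hash.
# Assumptions: H is known because the key is public (real GMAC derives
# H = AES_K(0^128)); the XOR with E_K(IV||counter) is a known constant for a
# fixed key/IV and is omitted. Sample values below are constructed.

R = 0xE1 << 120  # GCM reduction constant for x^128 + x^7 + x^2 + x + 1


def gf_mult(x: int, y: int) -> int:
    """Multiply two elements of GF(2^128) using the GCM bit convention
    (bit 0 is the most significant bit of the big-endian 128-bit integer)."""
    z, v = 0, x
    for i in range(128):
        if (y >> (127 - i)) & 1:
            z ^= v
        v = (v >> 1) ^ R if v & 1 else v >> 1
    return z


def ghash(h: int, data: bytes) -> int:
    """GHASH of `data` as GMAC's authenticated-data input (no ciphertext).
    With n blocks X_1..X_n and length block L the result is
    sum_i X_i * H^(n+2-i)  XOR  L * H, a polynomial in H."""
    padded = data + b"\x00" * (-len(data) % 16)
    y = 0
    for i in range(0, len(padded), 16):
        y = gf_mult(y ^ int.from_bytes(padded[i:i + 16], "big"), h)
    length_block = (len(data) * 8) << 64  # 64-bit AAD bit length || 64-bit zero
    return gf_mult(y ^ length_block, h)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def linearity_holds(h: int, m1: bytes, m2: bytes) -> bool:
    """For equal-length inputs, GHASH(m1) ^ GHASH(m2) ^ GHASH(m1 ^ m2) equals
    GHASH of the all-zero message: each block enters the sum linearly."""
    assert len(m1) == len(m2)
    zero = bytes(len(m1))
    return ghash(h, m1) ^ ghash(h, m2) ^ ghash(h, xor_bytes(m1, m2)) == ghash(h, zero)


def colliding_message(h: int, msg: bytes, block: int, delta: int) -> bytes:
    """Return a different message with the same GHASH when H is known.
    Block i contributes X_i * H^(n+2-i); XORing `delta` into block i and
    delta*H into block i+1 adds two equal terms, which cancel in GF(2^128)."""
    assert len(msg) % 16 == 0 and 0 <= block < len(msg) // 16 - 1 and delta
    blocks = [msg[i:i + 16] for i in range(0, len(msg), 16)]
    b0 = int.from_bytes(blocks[block], "big") ^ delta
    b1 = int.from_bytes(blocks[block + 1], "big") ^ gf_mult(delta, h)
    blocks[block] = b0.to_bytes(16, "big")
    blocks[block + 1] = b1.to_bytes(16, "big")
    return b"".join(blocks)


# Constructed sample subkey and message (three 16-byte blocks).
H_KNOWN = 0x66E94BD4EF8A2C3B884CFA59CA342B2E
MSG = b"this message has three blocks of sixteen bytes.."

if __name__ == "__main__":
    other = colliding_message(H_KNOWN, MSG, 0, 1 << 127)
    print("linear:", linearity_holds(H_KNOWN, MSG, bytes(range(48))))
    print("distinct inputs, same GHASH:",
          other != MSG and ghash(H_KNOWN, MSG) == ghash(H_KNOWN, other))
```

The same identities hold with a secret H; what protects GMAC as a MAC is that an attacker cannot compute delta*H without H, which is exactly the property a fixed public key gives away.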
