[144806] in cryptography@c2.net mail archive
Re: AES-GMAC as a hash
daemon@ATHENA.MIT.EDU (Darren J Moffat)
Fri Sep 4 15:43:01 2009
Date: Tue, 01 Sep 2009 10:39:21 +0100
From: Darren J Moffat <Darren.Moffat@Sun.COM>
In-reply-to: <20090831171932.ED71814F6E1@finney.org>
To: Hal Finney <hal@finney.org>
Cc: cryptography@metzdowd.com
Hal Finney wrote:
> Darren J Moffat <Darren.Moffat@Sun.COM> asks:
>> Ignoring performance for now, what is the consensus on the suitability of
>> using AES-GMAC not as a MAC but as a hash?
>>
>> Would it be safe ?
>>
>> The "key" input to AES-GMAC would be something well known to the data
>> and/or software.
>
> No, I don't think this would work. In general, giving a MAC a fixed key
> cannot be expected to produce a good hash. With AES-GMAC in particular,
> it is unusual in that it has a third input (besides key and data to MAC),
> an IV, which makes your well-known-key strategy problematic. And even as a
> MAC, it is very important that a given key/IV pair never be reused. Fixing
> a value for the key and perhaps IV would defeat this provision.
>
> But even ignoring all that, GMAC amounts to a linear combination of
> the text blocks - they are the coefficients of a polynomial. The reason
> you can get away with it in GMAC is because the polynomial variable is
> secret, it is based on the key. So you don't know how things are being
> combined. But with a known key and IV, there would be no security at all.
> It would be linear like a CRC.
Thanks, that is pretty much what I suspected would be the answer but you
have more detail than I could muster in my head at a first pass on this.
Thanks.
--
Darren J Moffat
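Hal's description of GMAC as a polynomial in a secret variable, as an added example that is not part of the thread: a pure-Python GHASH (the polynomial GMAC evaluates in GF(2^128)), showing that once the subkey H is known the function is linear in the message blocks and two distinct inputs with the same value can be written down directly, which is why a fixed key gives no collision resistance. The value of H is the all-zero-key subkey from the GCM spec test vectors, hard-coded to avoid an AES dependency; the messages are constructed.

```python
R = 0xE1 << 120  # reduction constant from the GCM spec, as a 128-bit integer


def gf_mul(x: int, y: int) -> int:
    """Multiply two 128-bit field elements using the bit ordering of the GCM spec
    (leftmost bit of the block is the most significant bit of the integer)."""
    z, v = 0, x
    for i in range(128):
        if (y >> (127 - i)) & 1:
            z ^= v
        v = (v >> 1) ^ R if v & 1 else v >> 1
    return z


def ghash(h: int, aad: bytes, ct: bytes) -> int:
    """GHASH_H(A, C): blocks of A, then of C, each zero-padded, then the length block."""
    y = 0
    for data in (aad, ct):
        padded = data + b"\x00" * (-len(data) % 16)
        for i in range(0, len(padded), 16):
            y = gf_mul(y ^ int.from_bytes(padded[i:i + 16], "big"), h)
    length_block = ((len(aad) * 8) << 64) | (len(ct) * 8)
    return gf_mul(y ^ length_block, h)


def gmac_core(h: int, msg: bytes) -> int:
    """GMAC authenticates msg as AAD with an empty ciphertext. With a fixed key and
    IV the real tag is this value XOR a constant, so GHASH collisions carry over."""
    return ghash(h, msg, b"")


def is_linear(h: int, a: bytes, b: bytes) -> bool:
    """For equal-length a, b: GHASH(a) ^ GHASH(b) ^ GHASH(a ^ b) == GHASH(zeros),
    because only the constant length term is not linear in the message blocks."""
    c = bytes(x ^ y for x, y in zip(a, b))
    return gmac_core(h, a) ^ gmac_core(h, b) ^ gmac_core(h, c) == gmac_core(h, bytes(len(a)))


def collide(h: int, msg: bytes, new_block0: bytes) -> bytes:
    """Replace block 0 of msg (at least two full blocks) and patch block 1 so the
    GHASH is unchanged. Block 0 is scaled by H^(n+1) and block 1 by H^n, so a change
    of delta in block 0 is cancelled by delta*H in block 1: known H, no inversion."""
    delta = int.from_bytes(msg[:16], "big") ^ int.from_bytes(new_block0, "big")
    block1 = int.from_bytes(msg[16:32], "big") ^ gf_mul(delta, h)
    return new_block0 + block1.to_bytes(16, "big") + msg[32:]


# Subkey H = AES_K(0^128) for the all-zero AES-128 key, from the GCM spec test vectors.
H = 0x66E94BD4EF8A2C3B884CFA59CA342B2E
```

The `ghash` function reproduces the GCM spec's test case 2 value for the zero key, and `collide` is exactly the "linear like a CRC" failure Hal describes, with the secret variable H replaced by a public constant.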
The Cryptography Mailing List