Fact-checked by Grok 2 weeks ago

Message authentication code

A message authentication code (MAC) is a cryptographic checksum generated from a message and a secret symmetric key shared between the sender and receiver, used to verify the message's and by detecting both accidental and intentional modifications. The MAC processes an arbitrary-length message along with the key to produce a fixed-length tag, which is appended to the message and recomputed by the recipient using the same key and message; a match confirms that the message originated from the key holder and remains unaltered. Unlike digital signatures, which rely on asymmetric for , MACs use symmetric keys, making them efficient for high-speed applications but requiring secure between parties. MACs provide essential security properties, including resistance to existential forgery under chosen-message attacks, ensuring that an adversary without the key cannot produce a valid for a new message with non-negligible probability. Common constructions include hash-based MACs like the keyed-hash message authentication code (), which combines a (e.g., SHA-256) with the secret key in a specific manner to enhance security against length-extension attacks on plain hashes; other hash-based MACs include KMAC, based on the KECCAK family (). is specified in Federal Information Processing Standard (FIPS) 198-1 (with content proposed for incorporation into NIST 800-224 as of 2025) and widely used in protocols such as TLS and for authenticating . Block cipher-based MACs, such as the cipher-based MAC (CMAC), employ modes like cipher block chaining () with algorithms like to generate tags, offering strong security guarantees for integrity and authenticity. CMAC is specified in NIST Special Publication () 800-38B and is particularly suitable for environments where block ciphers are already in use, such as in systems. In practice, MACs are integral to securing communications, file checks, and , with implementations required to use approved algorithms and keys of sufficient length (e.g., at least 128 bits for modern security) to withstand brute-force and collision attacks. While early MAC concepts emerged alongside symmetric ciphers like in the 1970s, contemporary standards from NIST ensure their robustness against classical threats, with ongoing research addressing potential vulnerabilities in specific constructions, including quantum threats.

Fundamentals

Definition

A message authentication code (MAC) is a cryptographic primitive that provides assurance of the integrity and of a message by generating a short, fixed-length value known as a , computed from the and a . This allows a recipient who possesses the same to verify whether the has been altered or originated from an unauthorized party. Formally, a is defined as a family of parameterized by a symmetric , where each processes an input of arbitrary length to produce an authenticator (the ) that is computationally infeasible to forge without knowledge of the . A MAC scheme is typically specified as a tuple of three probabilistic polynomial-time algorithms: (\mathsf{Gen}, \mathsf{Tag}, \mathsf{Vrfy}). The key generation algorithm \mathsf{Gen}(1^n) takes a security parameter n and outputs a secret key k from a key space \mathcal{K}. The tagging algorithm \mathsf{Tag}_k(m) takes the key k and a message m from the message space \mathcal{M} (usually \{0,1\}^*) and outputs a tag t from a tag space \mathcal{T}. The verification algorithm \mathsf{Vrfy}_k(m, t) takes the key k, message m, and tag t, and outputs 1 if the tag is valid for the message under the key (accepting it as authentic), or 0 otherwise (rejecting it). For security, the scheme requires that \mathsf{Vrfy}_k(m, \mathsf{Tag}_k(m)) = 1 with overwhelming probability for honestly generated keys and messages. Unlike digital signatures, which rely on asymmetric key pairs to enable public and provide , MACs utilize symmetric keys shared exclusively between the communicating parties, making them suitable for scenarios where is secure but is unnecessary.

Terminology

In cryptographic literature, the output of a message authentication code () is commonly referred to as a "tag," a short fixed-length appended to the message to enable , though it is sometimes interchangeably called a "code" or "MAC value" in older texts. The term "tag" has become prevalent in modern standards and papers to emphasize its role as an authenticating appendage, distinct from the MAC scheme itself. Certain MAC constructions, especially those built on hash functions, are described as "keyed hashes," where a secret key is integrated into the hashing process to produce the tag, ensuring the output depends on both the message and the key. In MAC designs relying on , the term "universal hash" denotes a family of hash functions with provable properties under random key selection, foundational to unconditionally secure schemes. The nomenclature has evolved historically from "authentication code," as used in seminal works on in the late and early , to the more precise "message authentication code" adopted in international standards beginning with the first edition of ISO/IEC 9797 in , which formalized MAC algorithms for . This shift reflects a focus on message-specific in symmetric . The primary MAC expands to "message authentication code," denoting a symmetric-key that generates a verifiable tag for a given . , standing for "hash-based message authentication code," is a widely adopted variant that applies a (such as SHA-256) in a key-dependent manner to produce the tag. In MAC definitions, the term "message" encompasses any arbitrary binary string or data block, including non-textual content like files or network packets, rather than being restricted to human-readable text. This broad scope allows MACs to protect diverse formats in practical applications.

Security Properties

Integrity and Authenticity

A message authentication code (MAC) ensures by generating a tag that depends on the entire message content and a secret key, such that any modification to the message will result in a mismatch during verification, thereby detecting alterations. This protection arises because the MAC algorithm is designed to produce a unique output for each distinct input-message pair under the same key, making unauthorized changes computationally infeasible to conceal without knowledge of the key. MACs also provide authenticity by confirming that the message originates from a party possessing the shared secret key, as only the legitimate sender can generate a valid tag that the receiver will accept upon verification. This prevents impersonation attacks, where an adversary attempts to forge a message-tag pair, since producing a correct tag without the key violates the underlying cryptographic assumptions of the MAC construction. The primary formal security property for MACs is existential unforgeability under chosen-message attack (EUF-CMA), which captures both and in an adversarial setting. In this model, an adversary is given oracle access to a MAC generation function for adaptively chosen s and succeeds by producing a valid (, ) pair for a new not previously queried; a secure MAC ensures no efficient adversary achieves this with more than negligible probability. The adversary's resources, including running time, query count, and total message length, bound the insecurity probability, emphasizing resistance even against powerful attackers with partial information. In probabilistic MACs, randomness plays a crucial role through the use of a or (IV), which is included in the input to ensure uniqueness and prevent replay attacks where an intercepted valid - pair is reused. By requiring unique nonces for each , these MACs render replays invalid, as verification fails if the nonce does not match the expected fresh value, while maintaining EUF-CMA security under the condition that nonces remain distinct.

Key Security Goals

Message authentication codes (MACs) are designed to ensure the integrity and authenticity of messages but do not provide , as the underlying message remains unencrypted and visible to any observer, with the MAC tag serving only as a verification mechanism rather than an tool. This limitation means that MACs must be combined with separate schemes, such as in modes, to protect message secrecy. A critical security goal for MACs is resistance to key recovery attacks, where an adversary observing multiple valid message-tag pairs cannot computationally feasibly extract the secret used to generate the tags. This property is foundational to MAC models, ensuring that even under adaptive chosen-message attacks, the key remains indistinguishable from random, preventing the generation of arbitrary forgeries beyond the unforgeability bound. To address replay attacks, where an adversary resubmits a previously valid message-tag pair to deceive the verifier, MAC constructions often incorporate nonces or timestamps into the authenticated data, ensuring that each tag is unique to a specific context and cannot be reused effectively. Without such mechanisms, a deterministic MAC would accept replayed tags as valid, compromising the protocol's freshness guarantees. In the context of quantum threats, MACs based on symmetric primitives like hash functions maintain security against by doubling the effective key and tag lengths to preserve pre-quantum security levels, as quantum search reduces brute-force complexity quadratically but does not break the core assumptions. As of 2025, standards such as NIST's guidelines for recommend these adjustments for hash-based MACs like , without requiring entirely new constructions for most symmetric authentication needs. MAC designers face trade-offs in tag length, where shorter tags—while improving efficiency—reduce the security margin against brute-force forgery attempts, potentially allowing an adversary to guess a valid tag with non-negligible probability after sufficiently many trials. For instance, tags below 128 bits may expose systems to practical attacks in high-volume scenarios, necessitating longer outputs to align with desired security levels like 128-bit resistance.

Constructions

Hash-Based MACs

Hash-based message authentication codes (MACs) construct authentication tags by leveraging cryptographic hash functions as the primary primitive, typically involving a secret key to ensure security. A simple approach nests the key and message within the hash, such as \text{MAC}_k(m) = H(k \| m), where H denotes the hash function, k is the secret key, m is the message, and \| represents concatenation. However, this naive construction is vulnerable to length-extension attacks, where an adversary, given a valid tag for message m, can compute a tag for an extended message m' = m \| \text{pad} \| \text{extension} without knowledge of k, exploiting the iterative structure of Merkle-Damgård hash functions like MD5 or SHA-1. To address these vulnerabilities, the construction was developed, providing a robust method for keying functions. is defined as \text{HMAC}_k(m) = H\left( (\overline{k} \oplus \text{opad}) \| H\left( (\overline{k} \oplus \text{ipad}) \| m \right) \right), where \overline{k} is the key k padded to the block size of H, \text{ipad} = 0x36 repeated across the block, and \text{opad} = 0x5c repeated across the block. The inner computes H((\overline{k} \oplus \text{ipad}) \| m), which processes the message after key-dependent , while the outer applies the outer to produce the final . This double-nesting with XOR-based prevents length-extension attacks by ensuring that the intermediate value is not directly reusable for extensions, as the outer key modification disrupts the hash's internal state. The security of reduces to the of the underlying H. Specifically, if H is weakly collision-resistant, then HMAC is a secure MAC, with the proof establishing that any forgery against HMAC implies a collision in H, under the assumption that the hash behaves as a pseudorandom when keyed appropriately. This reduction holds for iterative hash functions, making HMAC provably secure as long as H resists collisions, even if it is not a full ideal . Hash-based MACs like offer significant advantages in efficiency, particularly for messages of arbitrary length, as they avoid the block size limitations inherent in cipher-based alternatives and require only a single pass over the data after the inner . Their simplicity and compatibility with widely available functions further enhance their practicality for software implementations.

Block Cipher-Based MACs

Block cipher-based message authentication codes (MACs) adapt standard modes to produce authentication tags from a secret and a , leveraging the underlying 's pseudorandom properties. The most straightforward construction is the cipher chaining (CBC) MAC, designed for fixed-length messages that are exact multiples of the size. In CBC-MAC, the m = m_1 \parallel m_2 \parallel \cdots \parallel m_t, where each m_i is a , is processed sequentially: the first is encrypted directly with the k, and each subsequent is XORed with the previous before . The final serves as the MAC tag: \text{MAC}_k(m) = C_t, where C_1 = E_k(m_1), C_i = E_k(m_i \oplus C_{i-1}) for i = 2, \dots, t, and E is the . This mode initializes with a zero IV and requires no , ensuring efficiency for predefined lengths. However, CBC-MAC is insecure for variable-length messages due to length-extension attacks, where an adversary can forge tags by appending blocks without knowing the . To address this, extensions like CMAC (also known as OMAC1) introduce subkey generation and conditional to handle arbitrary lengths securely. In CMAC, two subkeys K_1 and K_2 are derived from the master k by encrypting a zero block and applying left shifts with XORed constants based on carry bits, typically using a 128-bit like for derivation. The message is padded to the block length: if the last block is full, it is XORed with K_1; if partial, it is right-padded with a '1' bit and zeros, then XORed with K_2. The chaining then proceeds as in basic , with the final block as the , truncated if needed. This provably achieves for messages of any length, with a bound on probability when the tag is shorter than the block size. For scenarios demanding higher throughput, such as hardware implementations with multiple processing units, parallelizable variants like PMAC offer an alternative to sequential chaining modes. PMAC partitions the message into blocks and applies the in parallel to each, using a key-derived tweak sequence (often based on a progression) to XOR with blocks before ; the results are then summed modulo 2 in the of the block size to produce the tag. This allows all but the final (padded) block to be computed concurrently, reducing latency in parallel environments while maintaining provable security. PMAC requires approximately one block-cipher invocation per message block, similar to , but its parallelism suits high-speed applications. The of these -based MACs reduces to the pseudorandom (PRF) of the underlying , ensuring that distinguishing the MAC from a random requires roughly $2^{b/2} queries, where b is the block size (typically 128 bits for modern ciphers like ). Forgery attacks are thus infeasible under standard models, with the authentication tag length usually matching the block size at 128 bits to achieve full strength, though to 64 or 96 bits is sometimes used with adjusted bounds.

Specialized Variants

One-Time MACs

One-time message authentication codes (MACs) are designed to ensure message integrity and under the restriction that each key is used to authenticate at most one message, providing security guarantees that hold only for this single-use scenario. This approach contrasts with multi-use MACs by relying on information-theoretic principles rather than computational hardness assumptions, making it suitable for settings where unconditional security is desired. The foundational construction, introduced by Wegman and Carter, employs a strongly hash family H to compute a for a m. Specifically, given a key k that selects a h_k \in H, and a random s from the tag space T, the is generated as t = h_k(m) \oplus s, where \oplus denotes bitwise XOR, and h_k(m) maps the to an in T. Verification by the receiver, who shares k and s, recomputes h_k(m) \oplus s and checks equality with the received . The strongly ensures that for any two distinct messages, the values are nearly uniformly random and independent, bounding the adversary's forgery probability. In theoretical applications, one-time MACs achieve , where the probability of an adversary forging a valid for a new message is at most \epsilon + \frac{1}{|T|}, with \epsilon determined by the family's universality parameter and |T| the space size, without relying on unproven computational assumptions. This makes them ideal for analyzing in models with unlimited computational power, such as in quantum-resistant or proofs requiring perfect . However, their single-use requirement leads to key exhaustion after one authentication per key pair, rendering them impractical for scenarios involving multiple messages without key generation overhead. Additionally, the tag length must match the hash output size, often necessitating large keys and pads that increase communication costs.

Deterministic vs. Probabilistic MACs

Message authentication codes (MACs) are classified as deterministic or probabilistic based on whether their tag generation process incorporates . In deterministic MACs, the tag generation takes a k and m as and produces a fixed tag t such that the same always yield the same output; this is the standard construction for most practical MACs, including those based on pseudorandom functions (PRFs), ensuring a unique valid tag per message under the unforgeability under chosen-message attack (UF-CMA) security definition. Such MACs are vulnerable to replay attacks, where an adversary can resend a previously authenticated (, tag) pair, as the verification will succeed without additional context like timestamps or counters. Probabilistic MACs, in contrast, include a source of randomness—such as a or —during tag generation, resulting in potentially multiple valid tags for the same (key, message) pair; this requires security against unforgeability under chosen-message and verification attacks (UF-CMVA) to prevent forgeries via verification oracle queries. The randomness enhances resistance to replay attacks by ensuring each tag is unique and non-reusable, as the probability of collision is negligible. Key trade-offs between the two arise in , , and applicability. Deterministic MACs offer simplicity in and storage, producing compact tags without overhead for randomness management, making them suitable for scenarios where replay is handled externally. Probabilistic MACs, while providing built-in replay , typically require larger tag sizes to accommodate the random component and may demand stronger computational assumptions (e.g., decisional Diffie-Hellman) for , though they excel in protocols like two-round where uniqueness is critical. In practice, probabilistic approaches are less common due to these size and complexity costs but enable constructions from weaker assumptions compared to PRF-based deterministic MACs. A approach mitigates replay vulnerabilities in deterministic MACs by incorporating an external or sequence number into the message before tagging, effectively rendering the scheme probabilistic per invocation without modifying the underlying MAC algorithm; for instance, in TLS 1.2, the computation includes an implicit 64-bit sequence number to detect replays or reorders. This method balances the efficiency of deterministic MACs with the benefits of uniqueness, commonly used in protocols to ensure forward progress without full randomization.

Standards and Implementations

Key Standards

The National Institute of Standards and Technology (NIST) Federal Information Processing Standard (FIPS) 198-1 defines the Keyed-Hash Message Authentication Code () as a mechanism for message authentication using cryptographic hash functions, serving as an approved for ensuring and in U.S. federal systems. Published in July 2008 (superseding the original 2002 version), it remains current as of November 2025, though NIST proposed its withdrawal in June 2025 to relocate the content to a Special Publication (SP 800-224) without impacting validation processes. As a FIPS publication, under FIPS 198-1 is mandatory for federal agencies handling sensitive unclassified information where cryptographic authentication is required. The (ISO) and (IEC) jointly publish ISO/IEC 9797, a multi-part standard specifying mechanisms for generating message authentication codes (MACs) to verify . Part 1 (ISO/IEC 9797-1:2011) details six MAC algorithms that employ a secret key and an n-bit to produce an m-bit MAC, applicable to various architectures and processes. This part covers -based modes and was confirmed current in 2022, with an amendment in 2023. Part 2 (ISO/IEC 9797-2:2021) addresses MAC algorithms using a dedicated (or its components) with a secret key to generate an m-bit MAC, building on frameworks like ISO/IEC 10181-6 for services. Together, these parts provide international guidelines for both and hash-based MAC constructions, excluding details. The (IETF) has standardized key algorithms through its (RFC) series, promoting interoperability in network protocols. RFC 2104 (February 1997) specifies , enabling message via keyed hashing with functions like or , and supports key lengths up to the hash block size while allowing truncation for efficiency. RFC 4493 (June 2006) defines AES-CMAC, an mode based on the (AES-128) using the Cipher-based (CMAC) construction, which generates a 128-bit tag (optionally truncated to at least 64 bits) for data origin and integrity in and similar protocols. These RFCs underpin widespread adoption of and AES-CMAC in internet standards. MAC standards have evolved significantly with advances in , notably the deprecation of the by NIST in 2005 due to its vulnerability to brute-force attacks, which rendered single-DES insufficient for protecting federal information. This withdrawal prompted a shift toward AES-based MACs, as (standardized in FIPS 197 in 2001) offered superior security and performance, influencing updates in standards like ISO/IEC 9797 and IETF RFC 4493 to prioritize AES-CMAC over DES-derived modes.

Practical Algorithms

HMAC-SHA-256 is a widely adopted hash-based message authentication code constructed using the , producing a 256-bit output tag. The key can be of any length, but keys longer than the 64-byte block size of SHA-256 are first hashed to fit within that size, allowing effective key sizes up to 64 bytes. It is commonly used in protocols such as for integrity protection in VPNs, where it pairs with AES-CBC mode. HMAC-SHA-256 also serves as the authentication mechanism in TLS 1.3 cipher suites, ensuring message integrity during secure connections. In terms of , HMAC-SHA-256 achieves approximately 8 cycles per byte on modern Skylake processors for typical workloads. AES-CMAC, or CMAC based on the block cipher, operates on 128-bit blocks and supports key sizes of 128, 192, or 256 bits, matching AES variants. It generates a 128-bit tag, though truncation to at least 64 bits is permitted for some applications while maintaining security. Specified in NIST Special Publication 800-38B, published in May 2005, AES-CMAC provides authenticity for and is suitable for environments requiring block cipher integration. On hardware with AES-NI instructions, such as processors, AES-CMAC benefits from acceleration, achieving speeds around 3.3 cycles per byte in software implementations, with parallel variants reaching 1.65 cycles per byte. Poly1305 is a high-speed, one-time message authentication code often paired with the stream cipher for key derivation, producing 128-bit tags from a 256-bit one-time key. Defined in 8439 from June 2018, it uses a over a prime field for efficiency, making it particularly effective in software without specialized . Poly1305 excels in scenarios demanding fast , such as in the AEAD construction, where it contributes to overall throughputs of about 1.33 cycles per byte on modern CPUs. Its design prioritizes low overhead for variable-length messages, outperforming traditional MACs like HMAC-SHA-1 in short-packet authentication on resource-constrained platforms.

Applications and Examples

Common Use Cases

Message authentication codes (MACs) are integral to securing network protocols, where they ensure the and of transmitted data. In TLS versions such as 1.2, the record layer employs MACs during the to protect message , incorporating a sequence number to prevent replay attacks. Similarly, the Security (IPsec) Authentication Header (AH) mode utilizes MACs to provide connectionless and data origin for IP datagrams, authenticating the entire packet excluding mutable fields. In software integrity applications, MACs facilitate secure API authentication in RESTful services by generating a keyed hash of the request payload and parameters, allowing servers to verify the sender and detect tampering without relying on public-key infrastructure. Hardware systems leverage MACs in secure boot processes to validate firmware images before execution, where a device computes a MAC over the firmware using a stored key and compares it to an embedded tag, halting boot if discrepancies indicate compromise. As of 2025, emerging applications include device authentication, where lightweight MACs enable efficient mutual verification in resource-constrained networks, supporting broadcast schemes for group communications. In some research proposals for systems, such as those integrating , MACs are used to authenticate message integrity in distributed ledgers, enhancing security in peer-to-peer validations.

Illustrative Example

To illustrate the use of a message authentication code (MAC), consider a scenario where sends a bank transfer instruction to Bob over an insecure channel: the message m = "Pay 100 to ". share a secret symmetric key, and they employ HMAC- to authenticate the message, ensuring its integrity and origin. Although HMAC-MD5 was once common, MD5 is now considered insecure for cryptographic purposes due to vulnerabilities like collision attacks, and stronger alternatives like HMAC-SHA-256 are recommended today. The process begins with . The shared k is a random 128-bit (16-byte) value, such as k = 0x0123456789abcdef0123456789abcdef (generated securely using a cryptographically strong generator). To create the tag, Alice computes the as follows: first, pad the to the block size of 64 bytes with zeros if necessary; XOR the padded with the inner constant (a block of 0x36 bytes) and append the m; compute the of this inner input to get an intermediate value; then, XOR the with the outer constant (a block of 0x5c bytes) and append the intermediate ; finally, compute the of this outer input to produce the 128-bit (32-hex-digit) . This , say a value like 0x9294727a3638bb1c13f48ef8158bfc9d (from a standard illustrating the output format), is appended to the and transmitted. Upon receipt, performs by recomputing the using the same k and the received m, then comparing the resulting to the received one. If they exactly, Bob accepts the as authentic and unaltered. The construction relies on nested hashing with key-derived to bind the inseparably to the . If an attacker modifies the during transmission—for instance, changing it to "Pay 200 to Alice"—Bob's recomputation will produce a different that does not the received one, causing to fail and alerting Bob to potential tampering. This property ensures that even a single-bit alteration in the results in a completely different with overwhelming probability.

References

  1. [1]
    Message Authentication Code (MAC) algorithm - Glossary | CSRC
    Definitions: A family of cryptographic functions that is parameterized by a symmetric key. Each of the functions can act on input data (called a “message”) of ...
  2. [2]
    8. Message Authentication Codes (MACs) - Computer Security
    MAC: Definition. A MAC is a keyed checksum of the message that is sent along with the message. It takes in a fixed-length secret key and an arbitrary-length ...MAC: Definition · MAC: Security properties · HMAC · MACs are not confidential
  3. [3]
    FIPS 198-1, The Keyed-Hash Message Authentication Code (HMAC)
    This Standard describes a keyed-hash message authentication code (HMAC), a mechanism for message authentication using cryptographic hash functions.
  4. [4]
    SP 800-38B, Recommendation for Block Cipher Modes of Operation
    Oct 6, 2016 · This block cipher-based MAC algorithm, called CMAC, may be used to provide assurance of the authenticity and, hence, the integrity of binary data.
  5. [5]
    Message Authentication Codes | CSRC
    FIPS 198-1, The Keyed-Hash Message Authentication Code (HMAC) (July 2008), specifies a mechanism for message authentication using an approved hash function. The ...
  6. [6]
    SP 800-224, Keyed-Hash Message Authentication Code (HMAC)
    Jun 28, 2024 · A message authentication code (MAC) scheme is a symmetric-key cryptographic mechanism that can be used with a secret key to produce and verify ...
  7. [7]
    [PDF] Message Authentication Codes
    Definition 1 A message authentication code consists of three algorithms (Gen,Mac,Vrfy) such that:
  8. [8]
    MACs, hashes, and signatures - UWP applications - Microsoft Learn
    Aug 6, 2025 · Digital signatures are the public key equivalent of private key message authentication codes (MACs). Whereas MACs use private keys to enable a ...
  9. [9]
    [PDF] Key-Indistinguishable Message Authentication Codes
    A message authentication code MAC = {KG,TAG,VRFY} is a triple of algorithms with associ- ated key space K, message space M, and tag space T . – Key Generation.
  10. [10]
    [PDF] 10 Message Authentication Codes - The Joy of Cryptography
    Definition 10.1. (MAC scheme). A message authentication code (MAC) scheme for message space M consists of the fol- lowing algorithms: I KeyGen: samples a key. I ...
  11. [11]
    Universal hashing and authentication codes - SpringerLink
    In this paper, we study the application of universal hashing to the construction of unconditionally secure authentication codes without secrecy.
  12. [12]
    New hash functions and their use in authentication and set equality
    J.L. Carter, M.N. Wegman. Universal classes of hash functions. J. Comput. System Sci., 18 (No. 2) (April 1979), pp. 143-154. View PDFView articleView in Scopus.
  13. [13]
    Revisiting the Development of ISO/IEC 9797-1 MACs
    ISO/IEC 9797-1 is an international standard for block-cipher-based MessageAuthentication Code (MAC). The current version ISO/IEC 9797-1:2011 specifiessix ...Missing: evolution | Show results with:evolution
  14. [14]
    [PDF] Constructing VIL-MACs from FIL-MACs - Computer Science
    The required security property is unforgeability, namely that even under a chosen-message attack, it be computationally infeasible for an adversary (not ...<|control11|><|separator|>
  15. [15]
    [PDF] Keying Hash Functions for Message Authentication - UCSD CSE
    NMAC and HMAC are new schemes for message authentication using hash functions, which are not naturally keyed, and are secure if the underlying hash function is ...
  16. [16]
    [PDF] Message Authentication Codes - The University of Texas at Dallas
    • Adversary is allowed to see some message and tag pairs. • Security against key recovery is not enough. • No assumptions about the message space. • We do not ...
  17. [17]
    What Are Replay Attacks? | Baeldung on Computer Science
    Jun 29, 2024 · Furthermore, MACs can prevent replay attacks by having a timestamp or other value that changes with each transmission, making it difficult for ...
  18. [18]
    [PDF] GCM Update - NIST Computer Security Resource Center
    May 31, 2005 · However, the default MAC for SRTP is. HMAC-SHA1, the default tag length is 80 bits, and the defaults are strongly encouraged. 1For some systems, ...
  19. [19]
    draft-irtf-cfrg-fast-mac-requirements-01 - IETF Datatracker
    Security Some MACs offer a performance-security tradeoff, for example by having a variable output size. ... trade-off throughput and security. Progressive ...<|separator|>
  20. [20]
    RFC 2104: HMAC: Keyed-Hashing for Message Authentication - IETF
    This document describes HMAC, a mechanism for message authentication using cryptographic hash functions. HMAC can be used with any iterative cryptographic hash ...
  21. [21]
    [PDF] The security of the cipher block chaining message authentication ...
    Sep 8, 2000 · A cryptanalytic approach directly attacks the CBC MAC based on details of the underlying block cipher F. An attempt to directly attack the DES ...
  22. [22]
    OMAC: One-Key CBC MAC - Cryptology ePrint Archive
    Paper 2002/180. OMAC: One-Key CBC MAC. Tetsu Iwata and Kaoru Kurosawa. Abstract. In this paper, we present One-key CBC MAC (OMAC) and prove its security for ...Missing: original | Show results with:original
  23. [23]
    [PDF] Recommendation for Block Cipher Modes of Operation
    Oct 6, 2016 · This block cipher-based MAC algorithm, called CMAC, may be used to provide assurance of the authenticity and, hence, the integrity of binary ...
  24. [24]
    [PDF] A Block-Cipher Mode of Operation for Parallelizable Message ...
    Feb 15, 2002 · Abstract. We define and analyze a simple and fully parallelizable block-cipher mode of operation for message authentication.Missing: original | Show results with:original
  25. [25]
    [PDF] urnal of computer and system sciences 22, 265-279 (1981) - FI MUNI
    New Hash Functions and Their Use in Authentication and Set Equality. MARK N. WEGMAN AND J. LAWRENCE CARTER. IBM Thomas J. Watson Research Center, Yorktown ...
  26. [26]
    None
    ### Summary of Definitions, Differences, and Trade-offs Between Deterministic and Probabilistic MACs
  27. [27]
    RFC 5246: The Transport Layer Security (TLS) Protocol Version 1.2
    Outgoing data is protected with a MAC before transmission. To prevent message replay or modification attacks, the MAC is computed from the MAC key, the ...
  28. [28]
    [PDF] Exact Security Analysis of Hash-then-Mask Type Probabilistic MAC ...
    Let us first consider a coin-explicit probabilistic MAC defined as (r, cTG(r, m)). As deterministic MAC, one can similarly prove the security of MAC given that.
  29. [29]
    Why are MACs in general deterministic, whereas digital signature ...
    May 29, 2012 · MACs are deterministic because randomization increases cryptogram size, can create backdoors, and MACs don't need randomization for security.
  30. [30]
    Surviving a bad RNG - A Few Thoughts on Cryptographic Engineering
    Mar 9, 2012 · The good news is that virtually every practical MAC in use today is deterministic. While there are probabilistic MACs, they're rarely used. As ...
  31. [31]
    Proposed Withdrawal of FIPS 198-1 (HMAC) | CSRC
    June 23, 2025. NIST proposes to withdraw FIPS 198-1, The Keyed-Hash Message Authentication Code (HMAC), from the FIPS series.<|control11|><|separator|>
  32. [32]
    ISO/IEC 9797-1:2011 - Message Authentication Codes (MACs)
    In stockISO/IEC 9797-1:2011 specifies six MAC algorithms that use a secret key and an n-bit block cipher to calculate an m-bit MAC.
  33. [33]
    ISO/IEC 9797-2:2021 - Information security
    This document specifies MAC algorithms using a secret key and hash-function to calculate an m-bit MAC, for data integrity verification.
  34. [34]
    RFC 2104 - HMAC: Keyed-Hashing for Message Authentication
    This document describes HMAC, a mechanism for message authentication using cryptographic hash functions.
  35. [35]
    RFC 4493 - The AES-CMAC Algorithm - IETF Datatracker
    This memo specifies an authentication algorithm based on CMAC with the 128-bit Advanced Encryption Standard (AES). This new authentication algorithm is named ...
  36. [36]
    NIST Withdraws Outdated Data Encryption Standard
    Jun 2, 2005 · The DES is being withdrawn because it no longer provides the security that is needed to protect federal government information.
  37. [37]
    [PDF] fips pub 180-4 - federal information processing standards publication
    Aug 4, 2015 · For the secure hash algorithms, the size of the message block - m bits - depends on the algorithm. a) For SHA-1, SHA-224 and SHA-256, each ...
  38. [38]
    RFC 2104: HMAC: Keyed-Hashing for Message Authentication
    Current candidates for such hash functions include SHA-1 [SHA] ... Keys The key for HMAC can be of any length (keys longer than B bytes are first hashed using H).Missing: size | Show results with:size
  39. [39]
    [PDF] Guide to IPsec VPNs - NIST Technical Series Publications
    Jun 1, 2020 · For the fallback proposal, use AES-CBC with HMAC-SHA256. It will use SHA-256 (in HMAC) for integrity protection as well. The following ECP ...
  40. [40]
    RFC 9150: TLS 1.3 Authentication and Integrity-Only Cipher Suites
    This document defines the use of cipher suites for TLS 1.3 based on Hashed Message Authentication Code (HMAC).
  41. [41]
    [PDF] Combining Nonce and Key Derivation for Fast and Scalable AEAD
    This is an attempt to align it with the NIST standard for AES key derivation from SP800-108r1 [18] using CMAC ... HMAC-SHA256 performs at ∼8 cycles per byte (cpb) ...<|separator|>
  42. [42]
    RFC 4493: The AES-CMAC Algorithm
    This memo specifies an authentication algorithm based on CMAC with the 128-bit Advanced Encryption Standard (AES). This new authentication algorithm is named ...
  43. [43]
    [PDF] Parallel Verification of Serial MAC and AE Modes⋆
    On x86 platforms equipped with AES instruction set (AES-NI), the pincer verification doubles the performance utilizing the pipeline as in the same manner to ...
  44. [44]
    RFC 8439: ChaCha20 and Poly1305 for IETF Protocols
    This document defines the ChaCha20 stream cipher as well as the use of the Poly1305 authenticator, both as stand-alone algorithms and as a combined mode.
  45. [45]
    [PDF] Shaking up authenticated encryption - Cryptology ePrint Archive
    ChaCha20-Poly1305 is an AE scheme based on a stream cipher (ChaCha20) and a one-time authenticator. (Poly1305) that has received massive adoption mostly thanks ...
  46. [46]
    [PDF] The Poly1305-AES message-authentication code
    Mar 29, 2005 · Poly1305-AES is a state-of-the-art message-authentication code that computes a 16-byte authenticator of a variable-length message.
  47. [47]
    Azure App Configuration REST API - HMAC authentication
    Apr 14, 2023 · You can authenticate HTTP requests by using the HMAC-SHA256 authentication scheme. (HMAC refers to hash-based message authentication code.)
  48. [48]
    [PDF] UNIT-IV - NotesMarket
    However, if a message authentication code were attached to the program, it could be checked whenever assurance was required of the integrity of the program.<|control11|><|separator|>
  49. [49]
    How to design secure SoCs, Part III: Secure Boot - KiviCore
    Aug 26, 2025 · The SoC's secure boot firmware calculates the hash of the software being loaded. ... HMAC can be used for authentication. Keys for ...
  50. [50]
    Broadcast authentication scheme for Internet of things (IoT) system
    In this document, a message authentication code (MAC)-based anonymous broadcast authentication and digital signature (DS)-based broadcast authentication are ...
  51. [51]
    Distributed Blockchain-Based Message Authentication Scheme for ...
    Here, we introduce public-private key and message authentication code (MAC) for secure authentication. In this paper, we adopt consensus algorithms for ...
  52. [52]
    RFC 2202 - Test Cases for HMAC-MD5 and HMAC-SHA-1
    The code for HMAC-MD5 is similar, just replace the strings "SHA" and "sha" with "MD5" and "md5". HMAC-MD5 code is also listed in RFC 2104. #ifndef ...