
As the title already indicates, I would like to know: Are MACs vulnerable to birthday attacks?

Mike Edward Moras

1 Answer


Are Message Authentication Codes (MACs) vulnerable to birthday attacks...

Like most things in life, it depends.

Certainly, if you have an $n$-bit MAC, then after about $O(2^{n/2})$ MAC'ed messages, there's a decent probability that you see two different messages $M_1, M_2$ for which $\text{MAC}_k( M_1 ) = \text{MAC}_k( M_2 )$.

However, that begs the question: is this observation actually an attack? After all, the security property of a MAC is "it's hard to generate the MAC of a message you haven't seen"; in the above attack scenario, you've seen the MACs for both $M_1$ and $M_2$, and so neither would qualify under the "you haven't seen" part.

The pertinent question is "does having two messages evaluating to the same MAC actually allow us to deduce the MAC of a message we haven't seen". For most MACs, it doesn't; there's no obvious way to do this for HMAC, and for nonce-based MACs, the fact that each message was MAC'ed with a different nonce would appear to block any such obvious approach.

However, there is a common MAC where it would appear to be an issue: CMAC. That is, if we can find two messages $M_1, M_2$ (both a multiple of 16 bytes in length; it is easy to extend this observation to non-multiples of 16 bytes) with $\text{CMAC}_k(M_1) = \text{CMAC}_k(M_2)$, then we know that, for any string $N$, we have $\text{CMAC}_k(M_1 | N) = \text{CMAC}_k(M_2 | N)$. Hence, if we find such a collision, we can ask for the MAC of $M_1 | N$, and then we immediately know the MAC for $M_2 | N$; this counts as a valid attack.

However, CMAC is the only MAC I can think of with this potential vulnerability.

poncho
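A toy demonstration of the CMAC extension property described in the answer, added here and not part of the original post: it swaps in a constructed 16-bit Feistel permutation for AES (so the birthday search finishes in a few hundred queries), finds two block-aligned messages with the same tag, and then checks that any common suffix $N$ gives $\text{CMAC}_k(M_1 | N) = \text{CMAC}_k(M_2 | N)$. The block size, the subkey-doubling constant and the key are made-up toy values, not those of the real AES-CMAC specification.

```python
BLOCK = 2  # toy 16-bit block: the birthday bound is only ~2^8 queries

def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """4-round Feistel on 16-bit blocks: a keyed permutation, NOT a real cipher."""
    left, right = block[0], block[1]
    for rnd in range(4):
        f = (right * 0x9B + key[rnd % len(key)] + rnd * 0x31) & 0xFF
        f ^= (f >> 4) | ((f << 3) & 0xFF)
        left, right = right, left ^ f
    return bytes([left, right])

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def cmac_subkeys(key: bytes):
    """K1, K2 by doubling E_k(0) in GF(2^16); 0x1B is a made-up toy constant."""
    def dbl(x):
        x <<= 1
        return (x & 0xFFFF) ^ 0x1B if x >> 16 else x
    k1 = dbl(int.from_bytes(toy_block_encrypt(key, bytes(BLOCK)), "big"))
    return k1.to_bytes(BLOCK, "big"), dbl(k1).to_bytes(BLOCK, "big")

def cmac(key: bytes, msg: bytes) -> bytes:
    """CBC-MAC chain; only the final block is XORed with K1 (full) or K2 (padded)."""
    k1, k2 = cmac_subkeys(key)
    blocks = [msg[i:i + BLOCK] for i in range(0, len(msg), BLOCK)] or [b""]
    last = blocks[-1]
    if len(last) == BLOCK:
        last = xor(last, k1)
    else:
        last = xor(last + b"\x80" + bytes(BLOCK - len(last) - 1), k2)
    state = bytes(BLOCK)
    for b in blocks[:-1]:  # intermediate blocks: no subkey involved
        state = toy_block_encrypt(key, xor(state, b))
    return toy_block_encrypt(key, xor(state, last))

def find_collision(key: bytes):
    """Birthday search over distinct 2-block messages; certain to collide within 2^16 + 1 queries."""
    seen = {}
    for i in range((1 << 16) + 1):
        m = i.to_bytes(2 * BLOCK, "big")  # constructed, block-aligned, all distinct
        t = cmac(key, m)
        if t in seen:
            return seen[t], m, i + 1  # (M1, M2, number of tag queries used)
        seen[t] = m

def extension_holds(key: bytes, m1: bytes, m2: bytes, suffix: bytes) -> bool:
    """The forgery: the tag queried for M1|N is also the valid tag for M2|N."""
    return cmac(key, m1 + suffix) == cmac(key, m2 + suffix)
```

Because the toy cipher is a permutation, equal tags force equal CBC chaining states after the last block of $M_1$ and $M_2$, which is exactly why the collision survives any appended suffix, block-aligned or not.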