{{Short description|Information used for message authentication and integrity checking}}
{{Use dmy dates|date=December 2023}}
In [[cryptography]], a '''message authentication code''' ('''MAC'''), sometimes known as an '''authentication tag''', is a short piece of information used for [[authentication|authenticating]] and [[Data integrity|integrity]]-checking a message. In other words, it is used to confirm that the message came from the stated sender (its authenticity) and has not been changed (its integrity). The MAC value allows verifiers (who also possess the secret key) to detect any changes to the message content.

==Terminology==
{{anchor|message integrity code}}The term '''message integrity code''' ('''MIC''') is frequently substituted for the term ''MAC'', especially in communications<ref>{{cite book |publisher=[[IEEE-SA]] |date=12 June 2007 |doi=10.1109/IEEESTD.2007.373646 |url=http://standards.ieee.org/getieee802/download/802.11-2007.pdf |archive-url=https://web.archive.org/web/20081013101112/http://standards.ieee.org/getieee802/download/802.11-2007.pdf |url-status=dead |archive-date=13 October 2008 | version=(2007 revision)|isbn=978-0-7381-5656-9 |title=IEEE Standard for Information Technology - Telecommunications and Information Exchange Between Systems - Local and Metropolitan Area Networks - Specific Requirements - Part 11: Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications }}</ref> to distinguish it from the use of the latter as ''[[media access control address]]'' (''MAC address''). However, some authors<ref>{{Cite web|url=http://www.cs.cornell.edu/courses/cs513/2005fa/NL20.hashing.html|title=CS 513 System Security -- Hashes and Message Digests|website=www.cs.cornell.edu|accessdate=20 December 2023}}</ref> use MIC to refer to a [[message digest]], which aims only to uniquely but opaquely identify a single message.
RFC 4949 recommends avoiding the term ''message integrity code'' (MIC), and instead using ''[[checksum]]'', ''[[error detection code]]'', ''[[hash function|hash]]'', ''keyed hash'', ''message authentication code'', or ''protected checksum''.

==Definitions==
Informally, a message authentication code system consists of three algorithms:
* A key generation algorithm selects a key from the key space uniformly at random.
* A MAC generation algorithm efficiently returns a tag given the key and the message.
* A verifying algorithm efficiently verifies the authenticity of the message given the same key and the tag. That is, it returns ''accepted'' when the message and tag have not been tampered with or forged, and ''rejected'' otherwise.

A secure message authentication code must resist attempts by an adversary to [[digital signature forgery|forge tags, for arbitrary, select, or all messages]], including under [[Digital signature forgery|known-]] or [[Digital signature forgery|chosen-message]] conditions. It must be computationally infeasible to compute a valid tag for a given message without knowledge of the key, even in the worst case, where the adversary is assumed to know the tag of every message except the one in question.<ref>The strongest adversary is assumed to have access to the signing algorithm without knowing the key. However, her final forged message must be different from any message she chose to query the signing algorithm before. See Pass's discussions before def 134.2.</ref>

Formally, a '''message authentication code''' ('''MAC''') system is a triple of efficient<ref name=":1">Theoretically, an efficient algorithm runs within probabilistic polynomial time.</ref> algorithms (''G'', ''S'', ''V'') satisfying:
* ''G'' (key-generator) gives the key ''k'' on input [[unary numeral system|1<sup>''n''</sup>]], where ''n'' is the security parameter.
* ''S'' (signing) outputs a tag ''t'' on the key ''k'' and the input string ''x''.
* ''V'' (verifying) outputs ''accepted'' or ''rejected'' on inputs: the key ''k'', the string ''x'' and the tag ''t''.

''S'' and ''V'' must satisfy the following correctness condition:
: {{math|1=Pr [ ''k'' ← ''G''(1<sup>''n''</sup>), ''V''( ''k'', ''x'', ''S''(''k'', ''x'') ) = ''accepted'' ] = 1}}.<ref>Pass, def 134.1</ref>

A MAC is '''unforgeable''' if for every efficient adversary ''A''
: {{math|1=Pr [ ''k'' ← ''G''(1<sup>''n''</sup>), (''x'', ''t'') ← ''A''<sup>''S''(''k'', · )</sup>(1<sup>''n''</sup>), ''x'' ∉ Query(''A''<sup>''S''(''k'', · )</sup>, 1<sup>''n''</sup>), ''V''(''k'', ''x'', ''t'') = ''accepted''] < negl(''n'')}},
where ''A''<sup>''S''(''k'', · )</sup> denotes that ''A'' has access to the oracle ''S''(''k'', · ), and Query(''A''<sup>''S''(''k'', · )</sup>, 1<sup>''n''</sup>) denotes the set of the queries on ''S'' made by ''A'', which knows ''n''. The condition ''x'' ∉ Query(...) rules out the trivial forgery: an adversary that simply outputs a message it already submitted to ''S'' holds a valid tag for it, so such an output must not count as a forgery.<ref>Pass, def 134.2</ref>

==Security==
While MAC functions are similar to [[cryptographic hash function]]s, they possess different security requirements. To be considered secure, a MAC function must resist [[existential forgery]] under [[Digital signature forgery|chosen-message attack]]s. This means that even if an attacker has access to an [[oracle machine|oracle]] which possesses the secret key and generates MACs for messages of the attacker's choosing, the attacker cannot produce a valid MAC for any other message (one not used to query the oracle) without performing infeasible amounts of computation.

MACs differ from [[digital signature]]s as MAC values are both generated and verified using the same secret key. This implies that the sender and receiver of a message must agree on the same key before initiating communications, as is the case with [[symmetric encryption]].
For the same reason, MACs do not provide the property of [[non-repudiation]] offered by signatures, specifically in the case of a network-wide [[shared secret]] key: any user who can verify a MAC is also capable of generating MACs for other messages. In contrast, a digital signature is generated using the private key of a key pair, which is public-key cryptography. Since this private key is only accessible to its holder, a digital signature proves that a document was signed by none other than that holder. Thus, digital signatures do offer non-repudiation. However, non-repudiation can be provided by systems that securely bind key usage information to the MAC key; the same key is in the possession of two parties, but one has a copy of the key that can be used for MAC generation while the other has a copy of the key in a [[hardware security module]] that only permits MAC verification. This is commonly done in the finance industry.{{citation needed|date=February 2013}}

{{see also|Key commitment}}
While the primary goal of a MAC is to prevent forgery by adversaries without knowledge of the secret key, this is insufficient in certain scenarios. When an adversary is able to control the MAC key, stronger guarantees are needed, akin to [[collision resistance]] or [[Preimage attack|preimage security]] in hash functions. For MACs, these concepts are known as ''commitment'' and ''context-discovery'' security.<ref>{{Cite book |last1=Bhaumik |first1=Ritam |last2=Chakraborty |first2=Bishwajit |last3=Choi |first3=Wonseok |last4=Dutta |first4=Avijit |last5=Govinden |first5=Jérôme |last6=Shen |first6=Yaobin |chapter=The Committing Security of MACs with Applications to Generic Composition |series=Lecture Notes in Computer Science |date=2024 |volume=14923 |editor-last=Reyzin |editor-first=Leonid |editor2-last=Stebila |editor2-first=Douglas |title=Advances in Cryptology – CRYPTO 2024 |chapter-url=https://link.springer.com/chapter/10.1007/978-3-031-68385-5_14 |language=en |location=Cham |publisher=Springer Nature Switzerland |pages=425–462 |doi=10.1007/978-3-031-68385-5_14 |isbn=978-3-031-68385-5}}</ref>

==Implementation==
MAC algorithms can be constructed from other cryptographic primitives, like [[cryptographic hash function]]s (as in the case of [[HMAC]]) or from [[block cipher]] algorithms ([[OMAC (cryptography)|OMAC]], [[CCM mode|CCM]], [[Galois/Counter mode|GCM]], and [[PMAC (cryptography)|PMAC]]). However, many of the fastest MAC algorithms, like [[UMAC (cryptography)|UMAC]]-[[VMAC]] and [[Poly1305-AES]], are constructed based on [[universal hashing]].<ref>{{cite journal |url=http://www.fastcrypto.org/vmac/draft-krovetz-vmac-01.txt|title=VMAC: Message Authentication Code using Universal Hashing |access-date=16 March 2010 |journal=CFRG Working Group }}</ref> Intrinsically keyed hash algorithms such as [[SipHash]] are also by definition MACs; they can be even faster than universal-hashing based MACs.<ref name="SipHash">{{cite web |url=https://131002.net/siphash/siphash.pdf |title=SipHash: a fast short-input PRF |author1=Jean-Philippe Aumasson |author2=Daniel J. Bernstein |author-link2=Daniel J. Bernstein |name-list-style=amp |date=2012-09-18 }}</ref>

Additionally, a MAC construction can deliberately combine two or more cryptographic primitives, so as to maintain protection even if one of them is later found to be vulnerable. For instance, the pseudorandom function (PRF) of [[Transport Layer Security]] (TLS) versions before 1.2 splits the secret into two halves, expands each half with a different HMAC (HMAC-[[MD5]] on one half and HMAC-[[SHA-1]] on the other), and [[exclusive or|XOR]]s the two outputs, so the result remains secure as long as at least one of the two hash functions does.

===One-time MAC===
[[Universal hashing]] and in particular [[pairwise independent]] hash functions provide a secure message authentication code as long as the key is used at most once. This can be seen as the [[one-time pad]] for authentication.<ref name=":0">{{cite book |author-link=Gustavus Simmons |first=Gustavus |last=Simmons |chapter=Authentication theory/coding theory |title=Advances in Cryptology – Proceedings of CRYPTO 84 |pages=411–431 |year=1985 |location=Berlin |publisher=Springer |isbn= }}</ref>

The simplest such pairwise independent hash function is defined by the random key, {{nowrap|''key'' {{=}} (''a'', ''b'')}}, and the MAC tag for a message ''m'' is computed as {{nowrap|''tag'' {{=}} (''am'' + ''b'') mod ''p''}}, where ''p'' is prime and ''a'', ''b'' and ''m'' are elements of the integers modulo ''p''. More generally, [[k-independent hashing|''k''-independent hashing]] functions provide a secure message authentication code as long as the key is used fewer than ''k'' times.

Message authentication codes and data origin authentication have also been discussed in the framework of quantum cryptography. By contrast to other cryptographic tasks, such as key distribution, for a rather broad class of quantum MACs it has been shown that quantum resources do not offer any advantage over unconditionally secure one-time classical MACs.<ref>{{Cite journal|last1=Nikolopoulos|first1=Georgios M.|last2=Fischlin|first2=Marc|date=2020|title=Information-Theoretically Secure Data Origin Authentication with Quantum and Classical Resources|journal=Cryptography|language=en|volume=4|issue=4|pages=31|doi=10.3390/cryptography4040031|arxiv=2011.06849|s2cid=226956062|doi-access=free}}</ref>

==Standards==
Various standards exist that define MAC algorithms. These include:
* FIPS PUB 113 ''Computer Data Authentication'',<ref>{{Cite web |url=http://www.itl.nist.gov/fipspubs/fip113.htm |title=FIPS PUB 113 ''Computer Data Authentication'' |access-date=2010-10-10 |archive-url=https://web.archive.org/web/20110927022556/http://www.itl.nist.gov/fipspubs/fip113.htm |archive-date=2011-09-27 |url-status=dead }}</ref> withdrawn in 2002,<ref>{{Cite web |url=http://www.itl.nist.gov/fipspubs/withdraw.htm |title=Federal Information Processing Standards Publications, Withdrawn FIPS Listed by Number |access-date=2010-10-10 |archive-url=https://web.archive.org/web/20100801020458/http://www.itl.nist.gov/fipspubs/withdraw.htm |archive-date=2010-08-01 |url-status=dead }}</ref> defines an algorithm based on [[Data Encryption Standard|DES]].
* FIPS PUB 198-1 ''The Keyed-Hash Message Authentication Code (HMAC)''<ref>{{Cite web|url=http://csrc.nist.gov/publications/fips/fips198-1/FIPS-198-1_final.pdf|title=''The Keyed-Hash Message Authentication Code (HMAC)''|accessdate=20 December 2023}}</ref>
* NIST SP800-185 ''SHA-3 Derived Functions: cSHAKE, KMAC, TupleHash, and ParallelHash''<ref>[https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-185.pdf SHA-3 Derived Functions] nvlpubs.nist.gov</ref>
* [[ISO/IEC 9797-1]] ''Mechanisms using a block cipher''<ref>{{Cite web|url=https://www.iso.org/standard/50375.html|title=ISO/IEC 9797-1:2011|website=ISO|accessdate=20 December 2023}}</ref>
* [[International Organization for Standardization|ISO]]/IEC 9797-2 ''Mechanisms using a dedicated hash-function''<ref>{{Cite web|url=https://www.iso.org/standard/51618.html|title=ISO/IEC 9797-2:2011|website=ISO|accessdate=20 December 2023}}</ref>
* [[International Organization for Standardization|ISO]]/IEC 9797-3 ''Mechanisms using a universal hash-function''<ref>{{Cite web|url=https://www.iso.org/standard/51619.html|title=ISO/IEC 9797-3:2011|website=ISO|accessdate=20 December 2023}}</ref>
* [[International Organization for Standardization|ISO]]/IEC 29192-6 ''Lightweight cryptography - Message authentication codes''<ref>{{Cite web|url=https://www.iso.org/standard/71116.html|title=ISO/IEC 29192-6:2019|website=ISO|accessdate=20 December 2023}}</ref>

ISO/IEC 9797-1 and -2 define generic models and algorithms that can be used with any block cipher or hash function, and a variety of different parameters. These models and parameters allow more specific algorithms to be defined by nominating the parameters. For example, the FIPS PUB 113 algorithm is functionally equivalent to ISO/IEC 9797-1 MAC algorithm 1 with padding method 1 and a block cipher algorithm of DES.
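The single-use requirement on the pairwise-independent MAC ''tag'' = (''am'' + ''b'') mod ''p'' from the One-time MAC section, worked through as an added example (this is not code from the article). It uses ''p'' = 2<sup>127</sup> − 1 and maps a short byte string into the integers modulo ''p''; those choices, and every function name, are this example's own. The second half shows what "at most once" protects against: two tags under the same key give an attacker two linear equations in (''a'', ''b''), which it solves and then forges with.

```python
"""One-time MAC from a pairwise-independent hash: tag = (a*m + b) mod p.

Added example, not from the article. Messages are integers in Z_p; p is
fixed here as the Mersenne prime 2^127 - 1 (assumption: any prime larger
than the message space would do). All names are this example's own.
"""
import secrets

P = (1 << 127) - 1  # prime modulus (assumed choice)


def keygen():
    """G: a fresh uniformly random key (a, b) in Z_p x Z_p. Use it once."""
    return secrets.randbelow(P), secrets.randbelow(P)


def tag(key, m):
    """S: tag = (a*m + b) mod p for a message m already reduced into Z_p."""
    a, b = key
    if not 0 <= m < P:
        raise ValueError("message must be an integer in Z_p")
    return (a * m + b) % P


def verify(key, m, t):
    """V: recompute the tag and compare (integers, so == is fine here)."""
    return tag(key, m) == t


def recover_key(m1, t1, m2, t2):
    """Key-reuse attack. From t1 = a*m1 + b and t2 = a*m2 + b (mod p):
    a = (t1 - t2) / (m1 - m2) and b = t1 - a*m1. No brute force needed."""
    if m1 == m2:
        raise ValueError("need two distinct messages")
    a = (t1 - t2) * pow((m1 - m2) % P, -1, P) % P
    b = (t1 - a * m1) % P
    return a, b


def encode(msg: bytes) -> int:
    """Map a byte string into Z_p (assumption: at most 15 bytes, so it is < p)."""
    n = int.from_bytes(msg, "big")
    if n >= P:
        raise ValueError("message too long for one block")
    return n


def demo():
    """Returns (attacker recovered the exact key, attacker's forgery verifies)."""
    key = keygen()
    # Honest single use: one message, one tag, verification succeeds.
    m1 = encode(b"pay 10 to bob")  # constructed sample message
    t1 = tag(key, m1)
    assert verify(key, m1, t1)
    # Seeing (m1, t1) alone reveals nothing about other tags: b masks a*m1.
    # Misuse: the same key tags a second message ...
    m2 = encode(b"pay 20 to bob")
    t2 = tag(key, m2)
    # ... and an eavesdropper solves for the key and forges freely.
    recovered = recover_key(m1, t1, m2, t2)
    forged_m = encode(b"pay 999 to eve")
    forged_t = tag(recovered, forged_m)
    return recovered == key, verify(key, forged_m, forged_t)


if __name__ == "__main__":
    print(demo())  # (True, True)
```

The same algebra generalises: a ''k''-independent polynomial hash (degree ''k'' − 1 in ''m'') leaks its key after ''k'' tagged messages, which is exactly why the section says the key may be used fewer than ''k'' times.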
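As an added example, not code from the article: the triple (''G'', ''S'', ''V'') from the Definitions section instantiated with HMAC-SHA256 from Python's standard library, wrapped in the sender/receiver exchange that the next section describes, with a sequence number covered by the tag so that a replayed frame is rejected. The wire format (8-byte big-endian sequence number, then payload, then 32-byte tag) and the class names are this example's own assumptions. Note the one check the prose does not spell out: the receiver compares tags with a constant-time comparison, because an early-exit byte comparison lets an attacker learn a valid tag one byte at a time from timing.

```python
"""HMAC-SHA256 as (G, S, V), plus a sender/receiver exchange with replay
protection. Added example, not from the article; wire format and names are
this example's own conventions."""
import hashlib
import hmac
import secrets
import struct

TAG_LEN = 32  # full HMAC-SHA256 output
HDR_LEN = 8   # big-endian uint64 sequence number (assumed wire format)


def G() -> bytes:
    """Key generation: 32 uniformly random bytes."""
    return secrets.token_bytes(32)


def S(key: bytes, message: bytes) -> bytes:
    """Tag generation."""
    return hmac.new(key, message, hashlib.sha256).digest()


def V(key: bytes, message: bytes, tag: bytes) -> bool:
    """Verification. compare_digest does not stop at the first mismatching
    byte, so timing reveals nothing about how much of a guessed tag is right."""
    return hmac.compare_digest(S(key, message), tag)


def pack(seq: int, payload: bytes, key: bytes) -> bytes:
    """Frame = header || payload || tag; the header is inside the MACed data."""
    body = struct.pack(">Q", seq) + payload
    return body + S(key, body)


def unpack(frame: bytes, key: bytes):
    """Return (seq, payload); raise ValueError on truncation or a bad tag."""
    if len(frame) < HDR_LEN + TAG_LEN:
        raise ValueError("frame too short")
    body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
    if not V(key, body, tag):
        raise ValueError("MAC verification failed")
    return struct.unpack(">Q", body[:HDR_LEN])[0], body[HDR_LEN:]


class Sender:
    def __init__(self, key: bytes):
        self.key, self.seq = key, 0

    def send(self, payload: bytes) -> bytes:
        self.seq += 1
        return pack(self.seq, payload, self.key)


class Receiver:
    """Accepts each sequence number once and only in increasing order, so a
    recorded frame is rejected even though its tag is still valid."""
    def __init__(self, key: bytes):
        self.key, self.last_seq = key, 0

    def receive(self, frame: bytes) -> bytes:
        seq, payload = unpack(frame, self.key)   # MAC check first
        if seq <= self.last_seq:
            raise ValueError(f"replay: seq {seq} <= {self.last_seq}")
        self.last_seq = seq
        return payload


def demo() -> dict:
    """Run the exchange plus three attacks; report which checks fired."""
    key = G()
    alice, bob = Sender(key), Receiver(key)
    f1 = alice.send(b"transfer 10 to bob")          # constructed message
    out = {"accepted": bob.receive(f1) == b"transfer 10 to bob"}
    # Tampering: flip one bit of the amount; the tag no longer matches.
    bad = bytearray(f1)
    bad[HDR_LEN + 9] ^= 0x01
    try:
        bob.receive(bytes(bad))
        out["tamper_detected"] = False
    except ValueError:
        out["tamper_detected"] = True
    # Replay: the untouched first frame has a valid tag but a stale seq.
    try:
        bob.receive(f1)
        out["replay_detected"] = False
    except ValueError:
        out["replay_detected"] = True
    # Forgery without the key: a fresh seq and payload with a guessed tag.
    forged = struct.pack(">Q", 2) + b"transfer 999 to eve" + secrets.token_bytes(TAG_LEN)
    try:
        bob.receive(forged)
        out["forgery_rejected"] = False
    except ValueError:
        out["forgery_rejected"] = True
    return out


if __name__ == "__main__":
    print(demo())
```

A time stamp plus a window of accepted clock skew would serve the same anti-replay purpose as the counter here; either way the freshness field must be inside the data the tag covers, or an attacker can simply rewrite it.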
==An example of MAC use==
[[Image:MAC.svg|center]]
In this example, the sender of a message runs it through a MAC algorithm to produce a MAC data tag. The message and the MAC tag are then sent to the receiver. The receiver in turn runs the message portion of the transmission through the same MAC algorithm using the same key, producing a second MAC data tag. The receiver then compares the MAC tag received in the transmission to the newly generated MAC tag. If they are identical, the receiver can safely assume that the message was not altered or tampered with during transmission ([[data integrity]]) and that it was produced by a holder of the key.

However, to allow the receiver to detect [[replay attack]]s, the message itself must contain data that ensures that this same message can only be sent once (e.g. a time stamp, a [[Cryptographic nonce|sequence number]] or use of a [[#One-time_MAC|one-time MAC]]). Otherwise an attacker could, without even understanding its content, record this message and play it back at a later time, producing the same result as the original sender.

==See also==
* [[Checksum]]
* [[CMAC]]
* [[HMAC]] (hash-based message authentication code)
* [[Message Authenticator Algorithm|MAA]]
* [[MMH-Badger MAC]]
* [[Poly1305]]
* [[Authenticated encryption]]
* [[UMAC (cryptography)|UMAC]]
* [[VMAC]]
* [[SipHash]]
* [[SHA-3#Additional instances|KMAC]]

==Notes==
{{Reflist|30em}}

==References==
*{{citation|last1=Goldreich|first1=Oded|title=Foundations of cryptography I: Basic Tools|date=2001|publisher=Cambridge University Press|location=Cambridge|isbn=978-0-511-54689-1}}
*{{citation|last1=Goldreich|first1=Oded|title=Foundations of cryptography II: Basic Applications|date=2004|publisher=Cambridge University Press|location=Cambridge|isbn=978-0-521-83084-3|edition=1. publ.}}
*{{citation|last1=Pass|first1=Rafael|title=A Course in Cryptography|url=https://www.cs.cornell.edu/courses/cs4830/2010fa/lecnotes.pdf|access-date=31 December 2015}}

==External links==
* [https://web.archive.org/web/20061020212439/http://www.rsasecurity.com/rsalabs/node.asp?id=2177 RSA Laboratories entry on MACs]
* [http://web.mit.edu/6.857/OldStuff/Fall97/lectures/lecture3.pdf Ron Rivest lecture on MACs]

{{Cryptography navbox | hash}}
{{Authority control}}

[[Category:Message authentication codes]]
[[Category:Error detection and correction]]