{{Short description|Message authentication code algorithm}}
{{redirect|CMAC}}
'''One-key MAC''' ('''OMAC''') is a family of [[message authentication code]]s constructed from a [[block cipher]] much like the [[CBC-MAC]] algorithm. It may be used to provide assurance of the authenticity and, hence, the integrity of data. Two versions are defined:
* The original OMAC of February 2003, which is rarely used.<ref name=omac03/> The preferred name is now "OMAC2".<ref name=omac1/>
* The OMAC1 refinement,<ref name=omac1/> which became an [[NIST]] recommendation in May 2005 under the name '''CMAC'''.<ref>{{Cite journal|last=Dworkin|first=Morris|title=Recommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication|url=http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38b.pdf|doi=10.6028/nist.sp.800-38b|year=2016|doi-access=free}}</ref>

OMAC is free for all uses: it is not covered by any patents.<ref>{{cite web |url=http://www.cs.ucdavis.edu/~rogaway/xcbc/ip.html |title=CMAC: Non-licensing |last=Rogaway |first=Phillip |access-date=May 27, 2020 |quote=Phillip Rogaway's statement on intellectual property status of CMAC}}</ref>

== History ==
The core of the CMAC algorithm is a variation of [[CBC-MAC]] that [[John Black (cryptographer)|Black]] and [[Phillip Rogaway|Rogaway]] proposed and analyzed under the name "XCBC"<ref>{{Cite book|title=Advances in Cryptology – CRYPTO 2000|last1=Black|first1=John|last2=Rogaway|first2=Phillip|date=2000-08-20|publisher=Springer, Berlin, Heidelberg|isbn=978-3540445982|pages=197–215|language=en|doi=10.1007/3-540-44598-6_12}}</ref> and submitted to [[NIST]].<ref>{{Cite journal|last1=Black|first1=J|last2=Rogaway|first2=P|title=A Suggestion for Handling Arbitrary-Length Messages with the CBC MAC|url=https://web.cs.ucdavis.edu/~rogaway/papers/xcbc.pdf}}</ref> The XCBC algorithm efficiently addresses the security deficiencies of CBC-MAC, but requires three keys.

Iwata and Kurosawa proposed an improvement of XCBC that requires less key material (just one key) and named the resulting algorithm ''One-Key CBC-MAC'' (OMAC) in their papers.<ref name=omac03>{{Cite book|title=Fast Software Encryption|volume = 2887|last1=Iwata|first1=Tetsu|last2=Kurosawa|first2=Kaoru|date=2003-02-24|publisher=Springer, Berlin, Heidelberg|isbn=978-3-540-20449-7|pages=129–153|language=en|chapter=OMAC: One-Key CBC MAC|doi=10.1007/978-3-540-39887-5_11|series = Lecture Notes in Computer Science}}</ref> They later submitted the OMAC1 (= CMAC),<ref name=omac1>{{Cite journal|last1=Iwata|first1=Tetsu|last2=Kurosawa|first2=Kaoru|year=2003|title=OMAC: One-Key CBC MAC – Addendum|url=http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/proposedmodes/omac/omac-ad.pdf|quote=In this note, we propose OMAC1, a new choice of the parameters of OMAC-family (see [4] for the details). Test vectors are also presented. Accordingly, we rename the previous OMAC as OMAC2. (That is to say, test vectors for OMAC2 were already shown in [3].) We use OMAC as a generic name for OMAC1 and OMAC2.}}</ref> a refinement of OMAC, and additional security analysis.<ref>{{Cite book|url=https://archive.org/details/progresscryptolo00joha|url-access=limited|last1=Iwata|first1=Tetsu|last2=Kurosawa|first2=Kaoru|title=Progress in Cryptology - INDOCRYPT 2003 |date=2003-12-08|publisher=Springer Berlin Heidelberg|isbn=9783540206095|editor-last=Johansson|editor-first=Thomas|series=Lecture Notes in Computer Science|volume=2904 |pages=[https://archive.org/details/progresscryptolo00joha/page/n412 402]–415|language=en|chapter=Stronger Security Bounds for OMAC, TMAC, and XCBC|doi=10.1007/978-3-540-24582-7_30|editor-last2=Maitra|editor-first2=Subhamoy|citeseerx = 10.1.1.13.8229}}</ref>

== Algorithm ==
[[Image:CMAC - Cipher-based Message Authentication Code.pdf|800px]]
To generate an {{mvar|ℓ}}-bit CMAC tag (''t'') of a message (''m'') using a ''b''-bit block cipher (''E'') and a secret key (''k''), one first generates two ''b''-bit sub-keys (''k''<sub>1</sub> and ''k''<sub>2</sub>) using the following algorithm (this is equivalent to multiplication by ''x'' and ''x''<sup>2</sup> in a [[finite field]] GF(2<sup>''b''</sup>)). Let ≪ denote the standard left-shift operator and ⊕ denote bit-wise [[Exclusive or#Computer science|exclusive or]]:
# Calculate a temporary value ''k''<sub>0</sub> = ''E<sub>k</sub>''(0).
# If msb(''k''<sub>0</sub>) = 0, then ''k''<sub>1</sub> = ''k''<sub>0</sub> ≪ 1, else ''k''<sub>1</sub> = (''k''<sub>0</sub> ≪ 1) ⊕ ''C''; where ''C'' is a certain constant that depends only on ''b''. (Specifically, ''C'' is the non-leading coefficients of the lexicographically first irreducible degree-''b'' binary polynomial with the minimal number of ones: {{mono|0x1B}} for 64-bit, {{mono|0x87}} for 128-bit, and {{mono|0x425}} for 256-bit blocks.)
# If {{math|1=msb(''k''<sub>1</sub>) = 0}}, then {{math|1=''k''<sub>2</sub> = ''k''<sub>1</sub> ≪ 1}}, else {{math|1=''k''<sub>2</sub> = (''k''<sub>1</sub> ≪ 1) ⊕ ''C''}}.
# Return keys (''k''<sub>1</sub>, ''k''<sub>2</sub>) for the MAC generation process.

As a small example, suppose {{math|1=''b'' = 4}}, {{math|1=''C'' = 0011<sub>2</sub>}}, and {{math|1=''k''<sub>0</sub> = ''E<sub>k</sub>''(0) = 0101<sub>2</sub>}}. Then {{math|1=''k''<sub>1</sub> = 1010<sub>2</sub>}} and {{math|1=''k''<sub>2</sub> = 0100 ⊕ 0011 = 0111<sub>2</sub>}}.

The CMAC tag generation process is as follows:
# Divide message into ''b''-bit blocks {{math|1=''m'' = ''m''<sub>1</sub> ∥ ... ∥ ''m''<sub>''n''−1</sub> ∥ ''m<sub>n</sub>''}}, where ''m''<sub>1</sub>, ..., ''m''<sub>''n''−1</sub> are complete blocks. (The empty message is treated as one incomplete block.)
# If ''m<sub>n</sub>'' is a complete block then {{math|1=''m<sub>n</sub>''′ = ''k''<sub>1</sub> ⊕ ''m<sub>n</sub>''}} else {{math|1=''m<sub>n</sub>''′ = ''k''<sub>2</sub> ⊕ (''m<sub>n</sub>'' ∥ 10...0<sub>2</sub>)}}.
# Let {{math|1=''c''<sub>0</sub> = 00...0<sub>2</sub>}}.
# For {{math|1=''i'' = 1, ..., ''n'' − 1}}, calculate {{math|1=''c<sub>i</sub>'' = ''E<sub>k</sub>''(''c''<sub>''i''−1</sub> ⊕ ''m<sub>i</sub>'')}}.
# {{math|1=''c<sub>n</sub>'' = ''E<sub>k</sub>''(''c''<sub>''n''−1</sub> ⊕ ''m<sub>n</sub>''′)}}
# Output {{math|1=''t'' = msb<sub>''ℓ''</sub>(''c<sub>n</sub>'')}}.

The verification process is as follows:
# Use the above algorithm to generate the tag.
# Check that the generated tag is equal to the received tag.
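The sub-key derivation, tag generation and verification steps above, written out as an added Python example (not code from the article or from any of the implementations it links). The block cipher ''E<sub>k</sub>'' is stood in for by <code>toy_cipher</code>, an assumed keyed permutation chosen only so the example runs without an AES library; it is not a real cipher. The names <code>CMAC_CONST</code>, <code>dbl</code>, <code>cmac_subkeys</code>, <code>cmac_tag</code> and <code>cmac_verify</code> are chosen here, and <code>cmac_subkeys</code> takes an explicit ''C'' so the 4-bit example from the text can be reproduced.

```python
from hmac import compare_digest
from typing import Callable, Optional, Tuple

# Non-leading coefficients of the reduction polynomial for the standard block sizes (C in the text).
CMAC_CONST = {64: 0x1B, 128: 0x87, 256: 0x425}

def dbl(x: int, b: int, c: int) -> int:
    """Multiply x by 'x' in GF(2^b): shift left by one, XOR in C if the top bit fell off."""
    msb = (x >> (b - 1)) & 1
    return ((x << 1) & ((1 << b) - 1)) ^ (c if msb else 0)

def cmac_subkeys(k0: int, b: int, c: Optional[int] = None) -> Tuple[int, int]:
    """Steps 1-4 above: derive (k1, k2) from k0 = E_k(0) for a b-bit block cipher."""
    c = CMAC_CONST[b] if c is None else c
    k1 = dbl(k0, b, c)
    return k1, dbl(k1, b, c)

def cmac_tag(enc: Callable[[int], int], b: int, msg: bytes, tag_bits: Optional[int] = None) -> int:
    """Tag generation steps 1-6 above; enc is E_k on b-bit ints, b a multiple of 8."""
    nbytes = b // 8
    k1, k2 = cmac_subkeys(enc(0), b)
    # Step 1: split into blocks; the empty message counts as one incomplete block.
    blocks = [msg[i:i + nbytes] for i in range(0, len(msg), nbytes)] or [b""]
    last = blocks.pop()
    # Step 2: a complete final block is masked with k1, a padded one (10...0) with k2.
    if len(last) == nbytes:
        last_int = int.from_bytes(last, "big") ^ k1
    else:
        padded = last + b"\x80" + b"\x00" * (nbytes - len(last) - 1)
        last_int = int.from_bytes(padded, "big") ^ k2
    # Steps 3-5: CBC chain from c0 = 0, then encrypt the masked final block.
    c = 0
    for blk in blocks:
        c = enc(c ^ int.from_bytes(blk, "big"))
    c = enc(c ^ last_int)
    # Step 6: keep the leftmost tag_bits bits (msb_l in the text).
    tag_bits = b if tag_bits is None else tag_bits
    return c >> (b - tag_bits)

def cmac_verify(enc: Callable[[int], int], b: int, msg: bytes, tag: bytes) -> bool:
    """Verification: recompute the tag and compare it in constant time."""
    expect = cmac_tag(enc, b, msg, len(tag) * 8).to_bytes(len(tag), "big")
    return compare_digest(expect, tag)

def toy_cipher(key: int, b: int) -> Callable[[int], int]:
    """Assumed stand-in for E_k: a keyed permutation of b-bit values, NOT a real cipher."""
    mask = (1 << b) - 1
    return lambda x: ((x ^ key) * 0x9E3779B97F4A7C15 + key) & mask
```

Replacing <code>toy_cipher</code> with AES-128 on 16-byte blocks (big-endian int to block conversion) gives AES-CMAC as specified in RFC 4493. The <code>cmac_verify</code> comparison is constant-time so that a mismatching tag does not leak which byte differed.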
== Variants ==
CMAC-C1<ref>{{Cite book |last1=Bhaumik |first1=Ritam |last2=Chakraborty |first2=Bishwajit |last3=Choi |first3=Wonseok |last4=Dutta |first4=Avijit |last5=Govinden |first5=Jérôme |last6=Shen |first6=Yaobin |chapter=The Committing Security of MACs with Applications to Generic Composition |series=Lecture Notes in Computer Science |date=2024 |volume=14923 |editor-last=Reyzin |editor-first=Leonid |editor2-last=Stebila |editor2-first=Douglas |title=Advances in Cryptology – CRYPTO 2024 |chapter-url=https://link.springer.com/chapter/10.1007/978-3-031-68385-5_14 |language=en |location=Cham |publisher=Springer Nature Switzerland |pages=425–462 |doi=10.1007/978-3-031-68385-5_14 |isbn=978-3-031-68385-5}}</ref> is a variant of CMAC that provides additional [[Message authentication code#Security|commitment and context-discovery security]] guarantees.

== Implementations ==
* [[Python (programming language)|Python]] implementation: see the usage of the <code>AES_CMAC()</code> function in "[https://github.com/SecureAuthCorp/impacket/blob/master/tests/misc/test_crypto.py impacket/blob/master/tests/misc/test_crypto.py]", and its definition in "[https://github.com/SecureAuthCorp/impacket/blob/master/impacket/crypto.py#L94 impacket/blob/master/impacket/crypto.py]"<ref>{{cite web|url=https://github.com/SecureAuthCorp/impacket|title=Impacket is a collection of Python classes for working with network protocols.: SecureAuthCorp/impacket|date=15 December 2018|via=GitHub}}</ref>
* [[Ruby (programming language)|Ruby]] implementation<ref>{{cite web|url=https://github.com/louismullie/cmac-rb|title=Ruby C extension for the AES-CMAC keyed hash function (RFC 4493): louismullie/cmac-rb|date=4 May 2016|via=GitHub}}</ref>

== References ==
{{Reflist}}

== External links ==
* {{IETF RFC|4493|link=no}} The AES-CMAC Algorithm
* {{IETF RFC|4494|link=no}} The AES-CMAC-96 Algorithm and Its Use with IPsec
* {{IETF RFC|4615|link=no}} The Advanced Encryption Standard-Cipher-based Message Authentication Code-Pseudo-Random Function-128 (AES-CMAC-PRF-128)
* OMAC [https://web.archive.org/web/20150223220648/http://adder.demo.iworks.ro/Go/OMAC/ Online Test]
* [http://www.nuee.nagoya-u.ac.jp/labs/tiwata/omac/omac.html More information on OMAC]
* [https://github.com/RustCrypto/MACs/tree/master/cmac Rust implementation]

{{Cryptography navbox | hash}}

[[Category:Message authentication codes]]
[[Category:Finite fields]]