Talk:UMAC

From Wikipedia, the free encyclopedia


I should drop the intro -- Nroets 23:31, 8 Jun 2005 (UTC)

Explaining an edit that I made: hashing (for instance, by evaluating a polynomial over a finite field) followed by a one-time pad is not a secure MAC. For instance, the attacker might twiddle the lowest-order bit of the input. This will add (or subtract) 1 to the output, which has a 50% chance of just twiddling the low-order bit there. That would commute with the one-time pad, so the attacker can just twiddle the low-order bit of the MAC also, and he forges a message with probability 1/2. To make the MAC secure, you need a pseudorandom function. -- bitwiseshiftleft

If the attacker twiddles the lowest bit of the plaintext (or input, as you call it), it will change roughly half the bits in the output of the dot product (what you call a polynomial). For example, if your finite field is MOD 7 and your secret hash function is f(x)=x * 5 MOD 7 and the next value from your OTP is Y, then f(0) XOR Y and f(1) XOR Y will differ in 2 bits. -- Nic Roets 18:30, 7 May 2007 (UTC)
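The two scenarios in the exchange above, run side by side, as an added example that is not from either commenter and not UMAC's own code. It assumes a polynomial hash over GF(P) with a constructed prime P = 2^31 - 1 and 4-block messages; the attacker's strategy is the one described by bitwiseshiftleft (flip the low bit of the first block and the low bit of the tag). The only difference between the two runs is whether the first block is multiplied by key^0 = 1 (a key-independent constant term, the case where the hash output moves by exactly ±1) or by key^1 (the case matching f(x) = x * 5 MOD 7, where the change is a multiple of the unknown key):

```python
import random

# Constructed parameters (assumptions, not from the talk page): a prime field
# and a 4-block message. Any prime works; 2**31 - 1 keeps values small.
P = 2**31 - 1
BLOCKS = 4


def poly_hash(key, blocks, constant_term):
    """Polynomial hash over GF(P).

    With constant_term=True the first block is multiplied by key**0 == 1, so
    flipping its low bit changes the hash by exactly +1 or -1 (mod P), the
    situation bitwiseshiftleft describes.  With constant_term=False every
    block is multiplied by a positive power of the key, like f(x) = x*5 mod 7.
    """
    start = 0 if constant_term else 1
    return sum(b * pow(key, i + start, P) for i, b in enumerate(blocks)) % P


def forgery_rate(trials, constant_term, seed=1):
    """Fraction of trials in which the low-bit-flip forgery verifies.

    Per trial: fresh key and one-time pad, tag = hash XOR pad.  The attacker
    sees (msg, tag), flips the low bit of the first block and the low bit of
    the tag, and wins if the forged pair verifies under the real key and pad.
    """
    rng = random.Random(seed)
    wins = 0
    for _ in range(trials):
        key = rng.randrange(1, P)            # non-zero hash key
        pad = rng.randrange(P)               # one-time pad for this message
        msg = [rng.randrange(P) for _ in range(BLOCKS)]
        tag = poly_hash(key, msg, constant_term) ^ pad

        forged_msg = msg[:]
        forged_msg[0] ^= 1                   # twiddle low bit of the input
        forged_tag = tag ^ 1                 # twiddle low bit of the MAC

        # The forgery verifies exactly when hash(forged) == hash(msg) XOR 1,
        # i.e. when the +1/-1 did not carry into higher bits.
        if poly_hash(key, forged_msg, constant_term) ^ pad == forged_tag:
            wins += 1
    return wins / trials


def xor_bit_difference(key, p, x):
    """Number of output bits that differ when the low bit of x is flipped,
    for the keyed hash f(x) = x * key mod p.  Nic Roets' numbers: key=5,
    p=7, x=0 gives f(0)=0 and f(1)=5, which differ in two bits."""
    return bin((x * key % p) ^ ((x ^ 1) * key % p)).count("1")


if __name__ == "__main__":
    print("with constant term   :", forgery_rate(2000, True))
    print("without constant term:", forgery_rate(2000, False))
    print("bits changed in 5x mod 7 at x=0:", xor_bit_difference(5, 7, 0))
```

With the constant term present the forgery succeeds about half the time, because a ±1 change flips only the low bit whenever it causes no carry; with every block multiplied by a power of the key the success rate is negligible, since the hash moves by an unknown multiple of the key. The practitioner's takeaway is the one both comments circle around: a Carter-Wegman MAC needs a hash with no key-independent term, and the pad has to be combined with the group operation for which the hash's differences are unpredictable (addition mod p for a mod-p hash, XOR for an XOR-universal hash); mixing a mod-p hash with an XOR pad is exactly the combination the 50% argument exploits when a constant term is present.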