[cryptography] "stream MAC" - does anything like it exist?

Jack Lloyd lloyd at randombit.net
Tue Sep 14 12:09:56 EDT 2010

On Tue, Sep 14, 2010 at 08:54:36AM -0700, Zooko O'Whielacronx wrote:
> Also, even if you did have a setting where the CPU cost of HMAC-SHA1
> was a significant part of your performance (at e.g. 12 cycles per byte
> [1]), then you could always switch to Poly1305 or VMAC (at e.g. 2
> cycles per byte), or to an authenticated encryption mode (effectively
> zero cycles per byte?).

As far as I know the only authenticated mode that is really 'free' is
OCB (which requires 1 block cipher operation per block
encrypted/authenticated, plus some polynomial operations); others
either require two block cipher encryptions per block processed (CCM,
EAX, anything else using CBC-MAC) or use a Carter-Wegman MAC (GCM).

OCB is patented (though you can use it for free if the software is
GPLed, or if you don't care about not being able to use it in the
US). Otherwise, your choices seem to be to use a CBC-MAC (or HMAC) or a
CW MAC (GMAC, UMAC, VMAC, Poly1305, take your pick).
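
Added example, not part of the original post: a Python sketch that counts block cipher calls for the two non-OCB families named above, CTR plus CBC-MAC (CCM-like) and CTR plus a polynomial Carter-Wegman MAC (GCM-like). Assumptions: CountingCipher is a truncated-SHA-256 stand-in for a real block cipher, and both constructions are simplified (no length encoding, no associated data, unclamped hash key), so they illustrate cost only and are not the standardized modes.

```python
import hashlib

BLOCK = 16
P = 2**130 - 5  # prime field for the polynomial hash (the prime Poly1305 uses)

class CountingCipher:
    """Stand-in 128-bit PRF (truncated SHA-256), not a real cipher; counts calls."""
    def __init__(self, key):
        self.key, self.calls = key, 0
    def encrypt(self, block):
        self.calls += 1
        return hashlib.sha256(self.key + block).digest()[:BLOCK]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))  # truncates to the shorter input

def blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ctr_encrypt(E, nonce, msg):
    # Counter block = 12-byte nonce || 4-byte counter; counter 0 is kept for the tag.
    return b"".join(xor(b, E.encrypt(nonce + i.to_bytes(4, "big")))
                    for i, b in enumerate(blocks(msg), start=1))

def cbc_mac_mode(key, nonce, msg):
    """CTR + CBC-MAC over the plaintext: two cipher calls per block, plus one."""
    E = CountingCipher(key)
    ct = ctr_encrypt(E, nonce, msg)
    state = bytes(BLOCK)
    for b in blocks(msg):  # zero padding, no length block: cost illustration only
        state = E.encrypt(xor(state, b.ljust(BLOCK, b"\0")))
    tag = xor(state, E.encrypt(nonce + bytes(4)))  # mask the MAC with counter 0
    return ct, tag, E.calls

def cw_mode(key, nonce, msg):
    """CTR + polynomial MAC over the ciphertext: one cipher call per block, plus one."""
    E = CountingCipher(key)
    # Per-key hash key, derived once; not a per-message cipher call.
    r = int.from_bytes(hashlib.sha256(b"hash-key" + key).digest()[:BLOCK], "big")
    ct = ctr_encrypt(E, nonce, msg)
    acc = 0
    for b in blocks(ct):  # field multiply-add per block, no cipher call
        acc = (acc + int.from_bytes(b + b"\x01", "little")) * r % P
    mask = int.from_bytes(E.encrypt(nonce + bytes(4)), "big")
    tag = ((acc + mask) % 2**128).to_bytes(BLOCK, "big")
    return ct, tag, E.calls

if __name__ == "__main__":
    msg = bytes(1024)  # constructed sample input: 64 blocks
    for mode in (cbc_mac_mode, cw_mode):
        print(mode.__name__, mode(b"k" * 16, b"n" * 12, msg)[2], "cipher calls")
```

For an n-block message the CBC-MAC composition makes 2n+1 cipher calls and the Carter-Wegman one makes n+1; the remaining per-block cost in the latter is the field multiplication.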


