OMAC: One-Key CBC MAC

OMAC is a blockcipher-based message authentication code designed and analyzed by me and Kaoru Kurosawa.

OMAC is a simple variant of the CBC MAC (Cipher Block Chaining Message Authentication Code). OMAC stands for One-Key CBC MAC.

OMAC allows and is secure for messages of any bit length (while the CBC MAC is only secure on messages of one fixed length, and the length must be a multiple of the block length). Also, the efficiency of OMAC is highly optimized. It is almost as efficient as the CBC MAC.

``NIST Special Publication 800-38B Recommendation for Block Cipher Modes of Operation: the CMAC Mode for Authentication'' has been finalized on May 18, 2005. This Recommendation specifies CMAC, which is equivalent to OMAC (OMAC1).


OMAC: Brief description

OMAC is a generic name for OMAC1 and OMAC2. OMAC1 is described first. OMAC1 is equivalnent to CMAC.

OMAC1:

Before using OMAC1, you have to choose a blockcipher E and a tag length t .

Then you have to share a secret key with your partner. Let K be the k-bit OMAC1 key, which is just the key for E .

Pre-processing: The following steps can be done without the message.

  1. First, encrypt n-bit 0 (denoted by 0 n ) to compute L . That is, let L be E (K, 0 n) .
  2. Check if the most significant bit of L is 0 .
  3. Check if the most significant bit of L.u is 0 .
  4. Save L.u and L.u 2 .

Tag-generation: Let M be the message. Break M into blocks M[1], M[2], ..., M[m] , where each M[i] (i = 1 ,..., m-1) is n bits. The last message block M[m] may have fewer than n bits (but it has 0 bits only if the message M is empty).

  1. Let Y[0] be 0 n .
  2. For i = 1 to m-1 do : let Y[i] be E(K, M[i] xor Y[i-1]) .
  3. Check if the bit length of the last message block M[m] is n bits.
  4. Let T be E(K, X[m]) .
  5. Let Tag be the t-bit truncation of T .
  6. Return Tag.

Note that if the message length is a positive multiple of n , then L.u is used. Otherwise 10 i padding and L.u 2 are used. If the message is an empty string, then you have to append 10 n-1 and use L.u 2 .

Here is the algorithmical description in pseudocode (Also available in [.ps] and [.pdf]).

Here are illustrations (Also available in [.ps] and [.pdf]).

Tag-verification: Suppose that you have received a message-tag pair (M, Tag ') . To check if (M, Tag ') is authentic, first, compute the tag Tag for the message M using the above Tag-generation and your own secret key. If Tag ' = Tag then M is authentic. Otherwise, M is inauthentic.

OMAC2:

Next, OMAC2 is described. In OMAC1, we use L.u and L.u 2 . In OMAC2, we use L.u and L.u -1 . To compute L.u -1 , first, check if the least significant bit of L is 0 .

Here is the algorithmical description in pseudocode (Also available in [.ps] and [.pdf]).


OMAC: Documents

OMAC: Presentations

OMAC: Test vectors

Test vectors are given for implementations with the AES as the underlying blockcipher (See also ``Updated CMAC Examples (.pdf - 37 KB) [pdf]'' for TDES test vectors.).

Also, the following documents contain test vectors (without intermediate values).

If your own implementation does not match the above test vectors, be sure that you use

Also, be careful with endian nonsense.

The following picture may help (Also available in [.ps] and [.pdf]). It shows the computation of L.u and L.u 2 , where AES with 128-bit key is used as the underlying blockcipher.

The following picture gives the data flow in OMAC1, where AES with 128-bit key is used as the underlying blockcipher, and the message length is 40 bytes (Also available in [.ps] and [.pdf]).


OMAC: IP statement

There are no IP claims related to OMAC by me or, to the best of my knowledge, by anybody else. OMAC is entirely in the public domain.

Here is the IP statement sent to NIST (May 13, 2003) [.pdf].


OMAC: Related works

OMAC: Links

OMAC: Implementations

To Iwata's web page.
Page created: May 1, 2006.
Last update: August 1, 2006.