Simon Josefsson simon@josefsson.org writes:
> The name GMAC is well established:
And if I understand the spec correctly, T = GMAC(K, M) is computed roughly as follows
  H = E_K(0...0)
  T = GHASH_H(M || ...) XOR E_K(IV)
I.e., the MAC key K is converted to the "hash subkey H" using the encryption function of some block cipher (typically AES), and this block cipher is also used together with the IV to get a value XORed to the output of GHASH.
I imagine the final XOR is essential for the MAC security (to hide the otherwise very regular algebraic structure of GHASH).
When writing the previous mail, I hadn't realized that the MAC part also depends on the block cipher, and should be parametrized by the block cipher used. This makes it less natural to view GMAC as an independent algorithm.
Also, the need for an IV (never repeated with the same key) necessarily makes the interface more complex than, e.g., the HMAC interface.
Just like for DSA, there would be some use for a deterministic variant where the IV (or random number in the case of DSA) is determined as some function of the message (and possibly also of the key, although the dependence on the key clearly should be one-way).
Regards, /Niels
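The structure Niels sketches (H = E_K(0...0), T = GHASH_H(...) XOR E_K(IV)) and his two remarks, that the final XOR hides GHASH's algebraic structure and that the IV must never repeat under one key, can be checked concretely. The script below is an added example and is not Nettle's code nor anything from the thread. Its GF(2^128) multiplication and GHASH follow NIST SP 800-38D and are validated against the published GCM test case 2 (H and the ciphertext block are copied from that vector, so no AES is needed). The block cipher E_K itself is an assumption: it is replaced by HMAC-SHA256 truncated to 16 bytes so the script runs on the Python standard library alone; the algebra that matters does not depend on that choice. `gmac_deterministic` is likewise one possible, assumed instantiation of the deterministic variant Niels mentions, with the IV derived one-way from key and message.

```python
"""GMAC structure from the thread: H = E_K(0^128), T = GHASH_H(A || pad || len) XOR E_K(IV).
Added example, not Nettle's code.  Assumption: E_K is a stand-in keyed PRF
(HMAC-SHA256 truncated to 16 bytes) so this runs on the Python standard library
alone; GF(2^128) multiplication and GHASH follow NIST SP 800-38D."""
import hashlib
import hmac
import os

BLOCK = 16
# Reduction constant of the GHASH field x^128 + x^7 + x^2 + x + 1 in GCM's
# bit-reflected block representation: 11100001 || 0^120.
R = 0xE1 << 120


def gf128_mul(x: int, y: int) -> int:
    """SP 800-38D Algorithm 1 on two blocks given as big-endian integers."""
    z, v = 0, y
    for i in range(128):
        if (x >> (127 - i)) & 1:          # x_i, where i = 0 is the leftmost bit
            z ^= v
        v = (v >> 1) ^ R if v & 1 else v >> 1
    return z


def ghash(h: int, data: bytes) -> int:
    """GHASH_H over data already padded to whole 16-byte blocks."""
    assert len(data) % BLOCK == 0
    y = 0
    for i in range(0, len(data), BLOCK):
        y = gf128_mul(y ^ int.from_bytes(data[i:i + BLOCK], "big"), h)
    return y


def ghash_test_vector_ok() -> bool:
    """GCM test case 2 (AES-128, K = 0, IV = 0^96, P = 0^128): H and the
    ciphertext block are copied from the published vector so GHASH can be
    checked without an AES implementation."""
    h = int.from_bytes(bytes.fromhex("66e94bd4ef8a2c3b884cfa59ca342b2e"), "big")
    c = bytes.fromhex("0388dace60b6a392f328c2b971b2fe78")
    length_block = bytes(8) + (128).to_bytes(8, "big")   # len(A) = 0, len(C) = 128 bits
    expected = int("f38cbb1ad69223dcc3457ae5b6b0f885", 16)
    return ghash(h, c + length_block) == expected


def e_k(key: bytes, block: bytes) -> bytes:
    """Stand-in for the block cipher E_K (assumption: HMAC-SHA256/128, not AES)."""
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def xor(*parts: bytes) -> bytes:
    """Byte-wise XOR of equal-length byte strings."""
    out = bytearray(parts[0])
    for p in parts[1:]:
        for i, b in enumerate(p):
            out[i] ^= b
    return bytes(out)


def gmac(key: bytes, iv: bytes, aad: bytes, mask: bool = True) -> bytes:
    """T = GHASH_H(aad || 0-pad || [len(aad)]_64 || [0]_64) XOR E_K(IV).
    mask=False returns the bare GHASH output, i.e. drops the final XOR."""
    h = int.from_bytes(e_k(key, bytes(BLOCK)), "big")            # H = E_K(0...0)
    data = aad + bytes(-len(aad) % BLOCK) + (8 * len(aad)).to_bytes(8, "big") + bytes(8)
    t = ghash(h, data).to_bytes(BLOCK, "big")
    return xor(t, e_k(key, iv)) if mask else t


def gmac_deterministic(key: bytes, aad: bytes) -> bytes:
    """Sketch of the deterministic variant: IV derived one-way from key and
    message (assumption: HMAC-SHA256 truncated to 96 bits), no caller nonce."""
    return gmac(key, hmac.new(key, aad, hashlib.sha256).digest()[:12], aad)


def forge_xor3(tag_a: bytes, tag_b: bytes, tag_c: bytes) -> bytes:
    """GHASH is GF(2^128)-linear in the message blocks, so for equal-length
    A, B, C: GHASH(A) ^ GHASH(B) ^ GHASH(C) == GHASH(A ^ B ^ C) (the shared
    length block L survives as L ^ L ^ L).  No knowledge of H is needed."""
    return xor(tag_a, tag_b, tag_c)


def forgery_succeeds(mask: bool, reuse_iv: bool) -> bool:
    """Run the three-tag forgery against the genuine tag of A ^ B ^ C.
    Messages, key and IVs are constructed at random for the demonstration."""
    key = os.urandom(16)
    msgs = [os.urandom(48) for _ in range(3)]
    ivs = [bytes(12)] * 4 if reuse_iv else [os.urandom(12) for _ in range(4)]
    tags = [gmac(key, iv, m, mask) for iv, m in zip(ivs, msgs)]
    genuine = gmac(key, ivs[3], xor(*msgs), mask)
    return hmac.compare_digest(forge_xor3(*tags), genuine)


if __name__ == "__main__":
    print("GHASH matches GCM test case 2:", ghash_test_vector_ok())
    print("forgery, no final XOR:        ", forgery_succeeds(mask=False, reuse_iv=False))
    print("forgery, XOR but IV reused:   ", forgery_succeeds(mask=True, reuse_iv=True))
    print("forgery, XOR and fresh IVs:   ", forgery_succeeds(mask=True, reuse_iv=False))
```

The three `forgery_succeeds` cases make the two points of the mail in one run: without the final XOR, three tags of equal-length messages give the tag of their XOR with no knowledge of H; with the XOR but a repeated IV the masks cancel the same way and the forgery still works; only with the XOR and distinct IVs does it fail. The deterministic sketch removes the IV from the interface at the price of a second pass over the message.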