The implementation of the
UMAC (Universal Message Authentication
Code).
The
UMAC algorithms described are
parameterized. This means
that various low-level choices, like the endian convention and the underlying
cryptographic primitive, have not been fixed. One must choose values for
these parameters before the authentication tag generated by
UMAC (for
a given message, key, and nonce) becomes fully-defined. In this document
we provide two collections of parameter settings, and have named the sets
UMAC16 and
UMAC32. The parameter sets have been chosen based on
experimentation and provide good performance on a wide variety of processors.
UMAC16 is designed to excel on processors which provide small-scale
SIMD parallelism of the type found in Intel's MMX and Motorola's AltiVec
instruction sets, while
UMAC32 is designed to do well on processors
with good 32- and 64- bit support.
UMAC32 may take advantage of SIMD
parallelism in future processors.
UMAC has been designed to allow implementations which accommodate
on-line authentication. This means that pieces of the message may
be presented to
UMAC at different times (but in correct order) and an
on-line implementation will be able to process the message correctly without
the need to buffer more than a few dozen bytes of the message. For
simplicity, the algorithms in this specification are presented as if the
entire message being authenticated were available at once.
To authenticate a message,
Msg
, one first applies the
universal hash function, resulting in a string which is typically much
shorter than the original message. The pseudorandom function is applied to a
nonce, and the result is used in the manner of a Vernam cipher: the
authentication tag is the xor of the output from the hash function and the
output from the pseudorandom function. Thus, an authentication tag is
generated as
AuthTag = f(Nonce) xor h(Msg)
Here
f
is the pseudorandom function shared between the sender
and the receiver, and h is a universal hash function shared by the sender and
the receiver. In
UMAC, a shared key is used to key the pseudorandom
function
f
, and then
f
is used for both tag
generation and internally to generate all of the bits needed by the universal
hash function.
The universal hash function that we use is called
UHASH
. It
combines several software-optimized algorithms into a multi-layered
structure. The algorithm is moderately complex. Some of this complexity comes
from extensive speed optimizations.
For the pseudorandom function we use the block cipher of the
Advanced
Encryption Standard (AES).
The UMAC32 parameters, considered in this implementation are:
UMAC32
------
WORD-LEN 4
UMAC-OUTPUT-LEN 8
L1-KEY-LEN 1024
UMAC-KEY-LEN 16
ENDIAN-FAVORITE BIG *
L1-OPERATIONS-SIGN UNSIGNED
Please note that this UMAC32 differs from the one described in the paper
by the
ENDIAN-FAVORITE value.
References:
-
UMAC: Message Authentication Code using Universal Hashing.
T. Krovetz, J. Black, S. Halevi, A. Hevia, H. Krawczyk, and P. Rogaway.