The implementation of the
UMAC (Universal Message Authentication
Code).
The
UMAC algorithms described are
parameterized. This means
that various low-level choices, like the endian convention and the underlying
cryptographic primitive, have not been fixed. One must choose values for
these parameters before the authentication tag generated by
UMAC (for
a given message, key, and nonce) becomes fully-defined. In this document we
provide two collections of parameter settings, and have named the sets
UMAC16 and
UMAC32. The parameter sets have been chosen based
on experimentation and provide good performance on a wide variety of
processors.
UMAC16 is designed to excel on processors which provide
small-scale SIMD parallelism of the type found in Intel's MMX and Motorola's
AltiVec instruction sets, while
UMAC32 is designed to do well on
processors with good 32- and 64- bit support.
UMAC32 may take
advantage of SIMD parallelism in future processors.
UMAC has been designed to allow implementations which accommodate
on-line authentication. This means that pieces of the message may be
presented to
UMAC at different times (but in correct order) and an
on-line implementation will be able to process the message correctly without
the need to buffer more than a few dozen bytes of the message. For
simplicity, the algorithms in this specification are presented as if the
entire message being authenticated were available at once.
To authenticate a message,
Msg, one first applies the
universal hash function, resulting in a string which is typically much
shorter than the original message. The pseudorandom function is applied to a
nonce, and the result is used in the manner of a Vernam cipher: the
authentication tag is the xor of the output from the hash function and the
output from the pseudorandom function. Thus, an authentication tag is
generated as
AuthTag = f(Nonce) xor h(Msg)
Here
f is the pseudorandom function shared between the sender
and the receiver, and h is a universal hash function shared by the sender and
the receiver. In
UMAC, a shared key is used to key the pseudorandom
function
f, and then
f is used for both tag
generation and internally to generate all of the bits needed by the universal
hash function.
The universal hash function that we use is called
UHASH. It
combines several software-optimized algorithms into a multi-layered
structure. The algorithm is moderately complex. Some of this complexity comes
from extensive speed optimizations.
For the pseudorandom function we use the block cipher of the
Advanced
Encryption Standard (AES).
The UMAC32 parameters, considered in this implementation are:
UMAC32
------
WORD-LEN 4
UMAC-OUTPUT-LEN 8
L1-KEY-LEN 1024
UMAC-KEY-LEN 16
ENDIAN-FAVORITE BIG *
L1-OPERATIONS-SIGN UNSIGNED
Please note that this UMAC32 differs from the one described in the paper by
the
ENDIAN-FAVORITE value.
References:
-
UMAC: Message Authentication Code using Universal Hashing.
T. Krovetz, J. Black, S. Halevi, A. Hevia, H. Krawczyk, and P. Rogaway.
UMac32.java --
Copyright (C) 2001, 2002, 2003, 2006 Free Software Foundation, Inc.
This file is a part of GNU Classpath.
GNU Classpath is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or (at
your option) any later version.
GNU Classpath is distributed in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
General Public License for more details.
You should have received a copy of the GNU General Public License
along with GNU Classpath; if not, write to the Free Software
Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301
USA
Linking this library statically or dynamically with other modules is
making a combined work based on this library. Thus, the terms and
conditions of the GNU General Public License cover the whole
combination.
As a special exception, the copyright holders of this library give you
permission to link this library with independent modules to produce an
executable, regardless of the license terms of these independent
modules, and to copy and distribute the resulting executable under
terms of your choice, provided that you also meet, for each linked
independent module, the terms and conditions of the license of that
module. An independent module is a module which is not derived from
or based on this library. If you modify this library, you may extend
this exception to your version of the library, but you are not
obligated to do so. If you do not wish to do so, delete this
exception statement from your version.