One-key MAC

Content sourced from Wikipedia, licensed under CC BY-SA 3.0.

One-key MAC (OMAC) is a family of message authentication codes built from a block cipher, in the same spirit as CBC-MAC. It helps confirm that data is authentic and has not been tampered with.

Two versions exist:
- OMAC: free for all uses and not covered by patents.
- CMAC (also called OMAC1): an improved version of OMAC with stronger security analysis.

Background in brief:
- CBC-MAC has security weaknesses for variable-length messages.
- XCBC (Black and Rogaway) fixed these weaknesses but used three keys.
- Iwata and Kurosawa turned XCBC into a one-key scheme called OMAC.
- They later refined it to CMAC (OMAC1), with additional security guarantees.

How CMAC tags are generated (high level):
- Use a block cipher E with a secret key k and a block size of b bits. The tag length is an l-bit value t.
- Derive two subkeys k1 and k2 from k0 = E_k(0^b) by a doubling operation in GF(2^b) (efficiently implemented as left-shifts with conditional XOR of a constant). In practice, this is done by shifting and, if needed, XORing with a special constant to keep the result in the right field.
- Split the message m into b-bit blocks m1, m2, ..., mn.
- If the last block is a full block (no padding needed), form last_block' = (mn) XOR k1. If the last block is incomplete, pad it with zeros to a full block and form last_block' = (padded mn) XOR k2.
- Process the blocks in CBC fashion to get an intermediate state X_{n-1} (starting from X0 = 0^b).
- The tag is t = E_k( X_{n-1} XOR last_block' ).

In short, OMAC/CMAC provide a compact, secure way to authenticate messages using just one secret key and a block cipher, with CMAC offering a refined, more thoroughly analyzed version.