On the security of XCBC, TMAC and OMAC

by Chris J. Mitchell

Abstract:

The security provided by the XCBC, TMAC and OMAC schemes is
analysed and compared with other MAC schemes.  The results imply
that there is relatively little to be gained practically through
the introduction of these schemes by comparison with other
well-established MAC functions.  Moreover, TMAC and OMAC possess
design weaknesses which enable part of the secret key to be
recovered much more easily than would ideally be the case ---
design changes are suggested which alleviate this problem. Whether
or not the proofs of security are retrievable for the modified
designs remains an open question, although the need for change
would appear to be clear.