2

Especially in the context of Encrypt-then-Authenticate.

1 Answer

4

I assume that by a "strong MAC" you mean that it is infeasible for an adversary to also find a different MAC tag on a message which has been tagged. Any deterministic MAC (with canonical verification) is a strong MAC, but it is certainly not the case that every MAC is a strong MAC. Thus, indeed, there exist secure MAC schemes (that are existentially unforgeable) that are not strong MACs, meaning that this is a strictly stronger notion (by definition, a strong MAC is existentially unforgeable so the question is just whether it's the same or strictly stronger as a notion). Note that in order to achieve CCA security you need a strong MAC and thus in the context of encrypt-then-authenticate, this is indeed needed. It is possible to define a weaker type of authenticated channel for which it would not be necessary, but typically it is required.

For those not sure what a strong MAC is, see the following pasted excerpt from "Introduction to Modern Cryptography":

[Image: strong MAC excerpt]

Yehuda Lindell
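An added illustration of the distinction drawn in the answer above (not part of the original answer or of the textbook): HMAC-SHA256 with canonical verification next to a constructed MAC whose verifier ignores a trailing byte, both used in encrypt-then-authenticate. The SHAKE-256 keystream is an assumed stand-in for a CPA-secure cipher, and all function names are hypothetical.

```python
import hashlib, hmac, os

TAG_LEN = 32

def hmac_tag(key, msg):
    # Deterministic MAC: the same (key, msg) always yields the same tag.
    return hmac.new(key, msg, hashlib.sha256).digest()

def verify_canonical(key, msg, tag):
    # Canonical verification: recompute and compare, so exactly one tag verifies.
    return hmac.compare_digest(hmac_tag(key, msg), tag)

def padded_tag(key, msg):
    # Constructed MAC': HMAC tag plus one byte that the verifier never checks.
    return hmac_tag(key, msg) + b"\x00"

def verify_padded(key, msg, tag):
    # Still unforgeable on new messages, but 256 different tags verify per message.
    return len(tag) == TAG_LEN + 1 and hmac.compare_digest(hmac_tag(key, msg), tag[:TAG_LEN])

def keystream_xor(key, nonce, data):
    # Stand-in for a CPA-secure cipher (illustration only, not for real use).
    ks = hashlib.shake_256(key + nonce).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, ks))

def seal(k_enc, k_mac, plaintext, tagger):
    # Encrypt-then-authenticate: the tag covers the ciphertext, nonce included.
    nonce = os.urandom(16)
    c = nonce + keystream_xor(k_enc, nonce, plaintext)
    return c, tagger(k_mac, c)

def open_(k_enc, k_mac, c, tag, verifier):
    if not verifier(k_mac, c, tag):
        return None  # reject: tag does not verify
    return keystream_xor(k_enc, c[:16], c[16:])

def second_tag(tag):
    # Keyless change to the last byte of a tag that was already issued.
    return tag[:-1] + bytes([tag[-1] ^ 1])

def demo():
    k_enc, k_mac = os.urandom(32), os.urandom(32)
    c, t = seal(k_enc, k_mac, b"pay 10", padded_tag)
    t2 = second_tag(t)
    # (c, t2) differs from (c, t), so a CCA decryption oracle must answer it.
    weak = open_(k_enc, k_mac, c, t2, verify_padded)
    c_s, t_s = seal(k_enc, k_mac, b"pay 10", hmac_tag)
    strong = open_(k_enc, k_mac, c_s, second_tag(t_s), verify_canonical)
    return t2 != t, weak, strong
```

With the padded MAC the altered pair decrypts to the original plaintext, which is the gap between existential unforgeability and strong unforgeability; with canonical verification the same change is rejected.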