Message Authentication Codes

1. Introduction to Message Authentication Codes

The primary goal of message authentication is to verify the origin of a message and to ensure its integrity.
One simple solution is to attach a Message Authentication Code (MAC), a short piece of information
generated according to a secret key and the message. The MAC is sent along with the message. Upon
receipt, the destination calculates the MAC independently and compares it with the received one. If they
match, the message is considered authentic.

MACs, when properly implemented, are resistant to both impersonation and tampering. However, like digital
signatures, MACs do not inherently protect against replay attacks. A replay attack occurs when an adversary
intercepts a valid message and resends it at a later time, potentially triggering harmful or unintended
operations. For example, in an online transaction, replaying a valid money transfer message might lead to
multiple, unauthorized transfers.

One common, yet inefficient, solution to prevent replay attacks is to include microphones and cameras in
sensitive devices, such as automobiles and automobiles. This approach, however, is not universally
applicable. Alternatively, encrypting the communication channel ensures message authenticity but renders
the use of a MAC redundant. Therefore, MACs remain widely employed because they allow straightforward
authentication without the need for a protected channel (Gupta, 2016).

2. Historical Background
Early developments in message authentication focused on challenging and response mechanisms and digital
signatures, which limited their practical applicability. The concept of message authentication codes evolved
from the New Directions and Advances in Cryptology workshop series in 1996 (Gupta, 2016). The
proliferation of mobile handsets highlighted the necessity of secure links to the network, coupled with cost-
effective spectrum utilization. This demand coincided with the Third-Generation Partnership Project
specifying key establishment and authentication applications for the Long-Term Evolution system (Wu,
2015). Subsequently, subsequent specifications proposed extensions to the original authentication and key
agreement protocols for LTE and listed cryptographic primitives suitable for LTE and beyond. Message
authentication codes remain integral for ensuring connectionless data integrity amidst access delays and
intermittent connections (Mashatan, 2008).

3. Types of Message Authentication Codes

Message authentication codes exist in many different families, varying in design, efficiency, usage scenarios,
and security properties. The most widespread construction, HMAC, is almost exclusively used for messaging
protocols and other lightweight control message authentication. Strong theoretical foundations support the
security of HMAC, and further enhancements of security properties have appeared over the years. Its design
utilizes cryptographic hash functions to construct a secure message authentication code that can be
combined with a wide variety of deployed hash functions—some within widespread standards such as SHA-
3 or BLAKE2—yet remains compatible with numerous other designs (Gupta, 2016).

AES-CMAC, often preferred to HMAC when a dedicated signature algorithm is required, employs a block
cipher to build a MAC instead. With minimal and tightly constrained security assumptions, corresponding
constructions are well studied and provide strong confidence in application. The widespread use of AES as a
standard cipher also makes CMAC an appealing choice when systems already implement AES encryption
(Wu, 2015).

Efficient solutions, such as UMAC and Poly1305, combine polynomial evaluation over finite field arithmetic
with a single cryptographic hash invocation. These designs provide very strong security bounds based on the
collision resistance of the underlying hash combined with established competitive security of the universality
property of the polynomial construction.

Internal states (keys and initializations) in most MAC algorithms conceal the computation of the output tag.
Universal-hashing-based constructions utilize polynomial evaluation, which has been proven effective for
further efficiency improvements by removing internal state concealment. Likely related security bounds
supporting this enhancement have been established recently; this possibility emerges as a key motivation
for either adopting esoteric internal states or circumventing the security framework entirely.

Message authentication codes continue to be essential components of numerous cryptographic algorithms

and applications, integrating into and reinforcing nearly every system where ensuring authenticity remains a
concern.
3.1. HMAC (Hash-based Message Authentication Code)

Among the key families of message authentication codes (MACs), the Hash-Based MAC (HMAC) stands out
due to its widespread adoption in practice. The HMAC construction employs a keyed hash function to
produce a MAC that maintains the efficiency of the underlying hash algorithm while providing strong security
guarantees. The construction requires only a minimal number of additional primitives, such as fixed-value
padding bits, and is applicable to any iterative cryptographic hash function. When operating with an ideal
cryptographic hash function, the derivation of a MAC from a family of standard constructions is
straightforward and well-defined (Gupta, 2016).

3.2. CMAC (Cipher-based Message Authentication Code)

The Cipher-based Message Authentication Code (CMAC) is a symmetric key cipher-based message
authentication algorithm. It processes a message of an arbitrary number of bits into a fixed-length tag of t
bits (0 < t ≤ n, where n is the block cipher block size) (Rybar, 2017). CMAC serves as a derivative
standard, approved by NIST in 2005 and by ANSI in 2008, and as a cipher-based algorithm within the
CAESAR competition. CMAC employs a variable-length authentication key, allowing flexibility when the
desired tag size differs from the block size. This general-purpose MAC algorithm is widely adopted across
various technologies, including potentially securing firmware updates or verifying configuration file
authenticity.

3.3. UMAC (Universal Message Authentication Code)

UMAC (and its variant, VMAC) computes message-authentication codes that are designed to be nearly as fast
as popular non-cryptographic checksums. UMAC uses universal hashing to compress the input message, and
then encrypts the resulting short string. The output size is either 64 bits (UMAC-64) or 128 bits (UMAC-128).
The 128-bit form is still somewhat faster than HMAC-SHA-1 on 64-bit platforms, even if the software contains
an efficient AES implementation.

UMAC has been standardized by ANSI. The specification describes three distinct but related algorithms that
differ in the way they compress the input strings. The fastest variant requires a 128-bit block cipher that is
optimized for software implementation, but it is still fast even if only an n-bit block cipher is available. The
security of the compression functions in UMAC and VMAC depends on the quality of the nonce-generation
process.

3.4. Poly1305

Poly1305 is an authentication function developed by Daniel J. Bernstein that, when combined with a suitable
stream cipher, can form a message-authentication code (MAC) with information-theoretic security
guarantees. Unlike most MACs, Poly1305 does not produce an authentication tag based on a secret key and
the message alone. Instead, it also requires the use of a one-time key that must be chosen independently for
every message.

Poly1305 can be viewed as a universal hash function family instantiated with a single key, combined with an
encrypted nonce as a â€​padâ€​ (thus making it a cipher-based MAC, rather than a keyed-hash MAC). For
example, when Poly1305 is combined with the AES block cipher it produces a cipher-based MAC
indistinguishable from a truly random function under standard cryptographic assumptions, rather than
merely universal.

4. Mathematical Foundations
Message authentication codes (MACs) are cryptographic primitives that serve to confirm to a verifier who
possesses a secret key k whether a received message m was computed by a MAC-generating algorithm on
m using k. Whereas signatures also provide this property, the secret key in a MAC scheme is shared, and
thus the verifier himself could have generated the MAC. Authentication codes (A-codes) are the statistically
secure variants of this notion and enjoy different security properties and mechanisms for providing
authenticity (Dodis et al., 2012).

Hence, a system with q possible messages M is characterized by: 1. a set of source states S, often the set of
sub-keys k, |S| = N; 2. a set of messages M, |M| = q; 3. a set of tags T, |T| = r; 4. a probabilistic encryption
rule E_s from S to M; for a given source state, the encryption rule defines a set of possible messages that
can be sent; 5. a decryption rule D_s which assigns to each received message either a source state or the
empty message Ç«.

The principle behind MACs is to apply a secret key k known only by the legitimate players of the system to a
message m, so as to produce a MAC. Such a procedure must then be at least one-way to prevent counterfeit.
There exist contemporary MAC systems in use such as f9 in the 4G LTE system, which take as input a
COUNT−I, MESSAGE, DIRECTION, and FRESH values to generate a MAC that offers similar guaranties
against replay attacks on message freshness through the control of the validity of the MAC and the
imposition of a strict increasing order on the sequence numbers (Wu, 2015).

4.1. Cryptographic Hash Functions

Because Message Authentication Codes(MACs) are designed to produce short fixed-length message digests
securely keyed by a shared secret, it is expected that a public cryptographic hash function, when coupled
with a secret key, should be effective for the unilateral derivation of a collisionresistant and pseudorandom
message authentication tag. Cryptographic hash functions are public, deterministic, and collision-resistant
algorithms that map an arbitrarily sized message space into a finite message digest range as a one-way
transformation (Gupta, 2016). The hash function is a central and building-block primitive, which provides the
fundamental design mechanism for the construction of MACs and various other cryptographic applications.
During the past decades, many different general-purpose message digest algorithms have been devised and
analyzed.

The classic and still most common family of ubiquitous hash functions relies crucially on bit-shifting,
exclusive-or, and modular addition operations that are well suited to 32-bit hardware implementations.
Examples include the MD5 , RIPEMD-160 , HAVAL and the SHA family of algorithms . The first five steps of
each hash algorithm map a message input block into a 512-bit block. Subsequent steps either transform this
512-bit block or manipulate only the previous output of the algorithm, yielding a final digest of 128-bit for
MD5, 160-bit for RIPEMD-160 and most of SHA family algorithms, although a few other members of the SHA
family produce a smaller 128-bit or 100-bit output.

4.2. Block Ciphers

Message authentication codes based on block ciphers are extremely popular, since one moreover obtains a
confidential encryption algorithm. Earlier constructions include the MACs of NMAC () and OMAC (), and they
generally compute a MAC consisting of the encryption of a universal hash function value h of the message:
• The generic Coupling MAC C-MAC is based on Feistel networks applied to h. • PMAC () builds a PMAC
from . • Fabrice and Poettering (2017) propose a completely generic technique (F1) that takes a PRF on
strings and builds from it a MAC for messages of length strings. If the block cipher can be modelled as a
random function, the resulting construction is unforgeable without any computational assumption on the
hash function. These MACs keep a strong relationship with the underlying block cipher; the security reduction
is generally proportional to the inverse of the block cipher parameters uncertainty (thus often or ). There are
also a few MACs using Ultra-High Frequency such as HPA (Gupta, 2016) or R-HMAC (Cogliati et al., 2017) and
whose security does not depend on the block size paramceters. The fastest MACs have indeed used UHF, but
block-cipher-based algorithms were sometimes preferred nonetheless, because the user often needs also a
block-cipher encryption in the application.

4.3. Key Derivation Functions

In contrast to data derivation functions, a key derivation function (KDF) takes as input a source keying
material—either a shared secret or a master key—and aims to produce one or multiple cryptographically
strong secret keys that are suitable for subsequent use. A KDF can be, for example, a μ–proto-MAC that
processes the master key and a context (e.g., a label or a party identifier), with the output truncated to the
appropriate key length.

Key derivation also underpins the construction of ’–protocols whereas the ’–theorems are
typically stated in terms of a distribution–testing game rather than direct advantage in breaking an actual
norm or MAC. The Omnicient evaluation (i.e., predicting the output from only the queries) also represents
Ω(1) advantage and contradicts the underlying Distinguisher’s assumption. (Gupta, 2016)

5. Security Properties
Message Authentication Codes (MACs) aim to defend information from impersonation, substitution, and other
potential threats, serving as fundamental cryptographic primitives for authentication (Rybar, 2017). When
two parties, who initially share a secret key, exchange messages, MACs provide integrity and authenticity
assurances. Conceivably, a MAC resembles a keyed hash function; a secret key, selected from a key space,
along with a message, are input into a function that generates a fixed-length tag as output. The greater the
tag length, the stronger the security. Accordingly, a MAC comprises three algorithms: one for key generation,
one for tagging, and one for verification. It constitutes a deterministic function which takes a secret key and
an arbitrary-length message as input and produces a fixed-length tag.As with most cryptographic primitives,
there is an ongoing pursuit for “the bestâ€​ MAC. The one that enjoys widespread use today is HMAC
because of its proven security and efficiency (Dodis et al., 2012). 5G AKA also relies on HMAC for
authentication and key generation (Wu, 2015).

The security of a MAC is defined in terms of unforgeability under chosen-message attack (UF-CMA). The
adversary has access to a tagging oracle that returns the tag for every message querying the oracle. The
counterfeit experiment ends when the adversary outputs a message-tag pair and wins if the message was
never queried to the tagging oracle and the tag is valid. The maximum probability with which any
polynomial-time adversary capable of winning this experiment is called the advantage of the adversary.
When the advantage of every adversary is negligible, the MAC is said to be secure.

5.1. Integrity

Closely related to confidentiality, integrity protects a message M from being tampered with during
transmission (Gupta, 2016). Formalized in Thompson’s The Integrity Hypothesis, integrity ensures that
any message received uncorrupted corresponds to a message sent uncorrupted. However, integrity does not
by itself prevent substitution, duplication, or the replay of legitimate messages, because such operations do
not affect the cryptographic consistency of the message (Mashatan, 2008).

5.2. Authenticity

Message authentication schemes ensure that a legitimate signer is associated with a message. Such
schemes are needed in communication protocols, distributed systems, database security, and transaction
processing (Gupta, 2016).

A well-known scheme is the message authentication code (MAC), which is used together with a private
signing key and ensures the authenticity and integrity of a message. The MAC establishes a connection
between the message and the key that generated the signature. In contrast to publicly verifiable signatures,
the authentication code can thus only be verified by principals that have access to the private key. This also
means that it cannot provide stronger properties such as irrevocable non-repudiation.

A MAC scheme consists of three algorithms: key-generation, signing, and verification. The key-generation
algorithm returns a signing key; the signing algorithm receives the signing key and message and returns the
signature; and the verification algorithm accepts the key, message, and signature and returns one bit
indicating whether the signature is valid or not.

5.3. Resistance to Attacks

The introduction of new integrity protection mechanisms has raised concerns about their resistance to
attacks. Early MAC constructions suffer from impersonation forgery and substitution forgery attacks.

Impersonation forgery occurs without knowledge of keys or intercepting message-tag pairs. Observing
message-tag pairs suffices for substitution forgery. Block cipher-based MAC schemes use block-cipher-based
universal hash functions, suitable over a stream cipher key stream when keys and messages can be reused.
The widely adopted construction employs Almost XOR Universal (AXU) hash functions, which are secure
when combined with a pseudorandom function.

6. Applications of Message Authentication Codes

Message authentication codes (MACs) ensure the integrity and authenticity of messages exchanged between
a sender and a receiver that share a secret key (Wu, 2015). Active wiretappers who modify messages in real
time motivated MacEliece (1979) to propose the first system for symmetric-message authentication. Shortly
thereafter, the ISO in 1980 released an international standard containing a MAC algorithm based on a
blockcipher in cipher-block-chaining (CBC) mode. CBC MAC encrypted in three key triple-DES mode served
as the default MAC algorithm until 2001, when Federal Information Processing Standards (FIPS) mandated
the use of the HMAC standard.

Two-channel cryptography complements MACs in constrained environments lacking secure channels or

trusted infrastructures (Mashatan, 2008). It ofÂ​fers advantages over a traditional cryptoÂ​graphic approach
when an extremely large numÂ​ber of users are added to the system in a short time, or the number of
messages requiring authentication increases exponentially. Specialized two-channel cryptography
techniques provide personal area network security within telemedicine systems, disaster recovery and
improvised networks, or ad hoc networks. The resulting protocols allow an authorized user, who is unable to
establish a secure channel with a device that has no access to trusted infrastructure, to authenticate
messages with minimal energy expenditure.

6.1. Secure Communication Protocols

Internet users rely on security protocols such as SSL, SSH, IPSec, and Kerberos to verify identities, transmit
data securely, and restrict access to authorized users. Necessarily, these protocols incorporate mechanisms
to ensure message authentication, which guarantees a message originates with its claimed sender and has
not been altered in transit.

Secure communication often builds on the premise of two parties engaged in either two- or three-phase
message-exchange protocols that can terminate early when a message is not properly authenticated. One
such protocol deploys an authenticated message or a synchronized counter. Authentication is symmetrical: if
Bob authenticates a message from Alice, then Alice authenticates the subsequent response from Bob.
Protocols of this form appear in the TLS handshake and Diffie–Hellman key-exchange protocols (Mashatan,
2008).

6.2. Digital Signatures

Digital signature algorithms generate two mathematically linked keys: a private signing key and a
corresponding public verification key. Whereas Message Authentication Codes employ a shared secret to
produce a keyed message digest, digital signatures enable users to sign messages in a manner that permits
any holder of the public key to verify the signature without acquiring the private key. Consequently, digital
signature mechanisms demonstrate far greater flexibility in disseminating verifiable authentication tokens
than Message Authentication Code schemes, which depend upon secrecy of the shared secret key (Gupta,
2016).

6.3. Data Integrity Verification

A message authentication code (MAC) is used as a checksum on data that also depends on a secret key, so
both the content and authenticity of the data can be verified. The MAC mechanism provides data integrity
and authentication. The key used by the MAC function to generate the checksum is shared between the
generator of the data and the recipient to verify the checksum. An adversary who intercepts the transmission
and modifies the data will not be able to generate the correct checksum and will be detected by the
recipient. For example, a server may use a MAC function with a secret key shared with clients to
authenticate the contents of data sent by it.

One of the widely used MAC schemes is HMAC (keyed-hash message authentication code). The MAC function
is constructed from a secure hash function such as SHA and a secret key. It has been proved to be as secure
as the underlying hash function. Being a hash-based construction, it is much faster than the MAC
constructions based on block ciphers, such as CBC-MAC (Gupta, 2016).

7. Performance Considerations
Resource-constrained applications that rely on wireless communication require low-latency transmission of
short messages, which complicates the implementation of adequate protection of time-critical messages. To
clarify, a MAC scheme consists of four identities: sender, receiver, verifier and attacker. Firstly, the sender
generates the MAC tag based on a shared secret key and the message using the Tag algorithm. Then the
receiver uses the same secret key, the message and the received tag to verify the authenticity and integrity
of the message at the Ver algorithm. Subsequently, the verifier confirms that the MAC tag is authentic by
comparing the received tag to the computed tag at the Verify algorithm. Finally, the attacker tries to
fabricate the MAC tag by querying the MAC oracle and extracting the secret key at the Forge algorithm.
When computational burden must be considered, a fast method for computing MACs using a Carter-Wegman
style construction speeds up the integrity protection of short messages; unbounded computations, however,
are performed in idle phases to save time during latency-critical phases and only a few XOR operations are
required to compute a universal hash function for integrity protection (Wagner et al., 2022). Methods
performed by the Tag algorithm are shown in Fig. 7.1.

Two of the most renowned types of MAC are special-purpose constructions and universal hash function
families. The Special-Purpose MAC construction is designed to provide inexpensive integrity at the cost of
confidentiality. The Universal Hash Function Family is, however, a method for constructing MAC schemes
using inexpensive universal families of hash functions selected by the secret key. To illustrate, Carter and
Wegman first introduced the notion of universal hash functions in 1979 to develop efficient schemes for
authentication, with the schemes being a combination of an universal hash function family and a
pseudorandom function, as expressed in (Rybar, 2017).

Performance of the MAC scheme is a primary consideration for short messages because the added latency
for computing a MAC fundamentally conflicts with the low-latency goal. According to the Special-Purpose
Family of MAC (SPMA) and the Universal Families of MAC method (UFM), the two main categories of methods
used by SPMA are Extra Padding and Flexible Padding. Extra Padding processes data blocks by adding
additional padding before authentication. Flexible Padding, on the other hand, authenticates data blocks
without the need for extra padding. Both methods construct a separate data block authentication scheme
OMAC based on the prevalence of block ciphers and universal hash function families and produce a fast yet
secure MAC scheme, as seen in Fig. 7.2.

7.1. Speed and Efficiency

Unique message identifiers enable the generation of one-time passwords, thereby mitigating replay attacks
(Gupta, 2016). The length of the message authentication code (MAC) directly influences the security level by
determining the size of the search space for forgeries. Generally, longer MACs provide greater security
against exhaustive search attacks, but the security also depends on the MAC generation algorithm, such as
CMAC or HMAC.

Efficiency considerations vary depending on the use case. When verifying messages against multiple MAC
algorithms, a computational approach that allows the simultaneous computation of several MACs, capable of
early rejection as soon as a mismatch is detected, is important. This method is particularly beneficial for
systems where messages arrive in bursts, such as 3G-WLAN intersystem handovers. Conversely, when only a
single MAC must be applied or verified, the speed of the underlying algorithm is the critical performance
metric.

7.2. Resource Utilization

Hash-based message authentication codes use cryptographic hash functions to convert a secret key and
message data into a fixed-size authentication tag (Gupta, 2016). Message authentication codes secured with
a pseudo-random function provide data origin authentication and integrity, while retaining efficiency. In
contrast, digital signatures generally require public key cryptography and are orders of magnitude more
time-consuming. Efficient authenticator generation supports authentication after the arrival of every
message, which prevents certain attacks; in particular, it precludes denial of service attacks on the shared
key.

8. Comparative Analysis of MAC Algorithms

In the design of message authentication codes (MACs), different algorithms provide varying trade-offs
between security and performance. PMAC is a parallelizable MAC derived from a block cipher. Unlike CBC-
MAC, it is designed to process all message blocks simultaneously, allowing for fully parallel computation of
the authentication tag. The security of PMAC relies on the block cipher’s block size and the cipher’s
cryptographic strength. The MAC tag produced by PMAC has the same length as the block size and can be
truncated if desired. Although PMAC is still efficient, it tends to be less so than CBC-MAC modes. Despite its
suitability for parallel platforms, PMAC has neither been standardized nor achieved the widespread adoption
of HMAC (Rybar, 2017).

Recent cryptographic developments have introduced probabilistic MACs, which incorporate randomness into
the tag computation. As a result, a single message can have multiple valid tags, and the completeness error
becomes nonzero. The use of randomness enables these MACs to resist tag reuse and leak less information
with each repetition, characteristics that are particularly attractive for resource-constrained devices like RFID
tags. These properties also reflect that such schemes behave more like a signature system than a traditional
MAC. In light of this, revised security definitions have emerged, among them unforgeability under chosen-
message with verification (UMACV) attack. By contrast, classical MACs are deterministic and maintain
security assurances against computationally bounded adversaries.

8.1. HMAC vs. CMAC

The widely adopted standard for generating Message Authentication Codes (MACs) using hash functions is
HMAC​1e Hashed Message Authentication Code (Gupta, 2016) ; (Rybar, 2017). The HMAC construction utilizes
a cryptographic hash function such as MD5, SHA-1, or SHA-2, a message, and a secret key to produce the
message digest. HMAC is designed for efficient software implementation due to its reliance on hash
functions. In contrast, the standard mechanism for creating MACs from block-ciphers is CMAC, which is
adopted by several standards such as ISO/IEC 9797-1, NIST SP 800-38B, and ANSI. CMAC employs a block-
cipher (e.g., AES or 3DES) and a key to generate the MAC.

8.2. UMAC vs. Poly1305

UMAC and Poly1305 are both message authentication codes (MACs) that use a two-step process to generate
tags: first the entire message is hashed, then a pseudorandom function is applied to the hash to produce the
tag. Both employ a universal hash function—UMAC uses NH, while Poly1305 utilizes polynomial hashing
over primes—to ensure efficient message hashing. Despite these structural similarities, the inner hash
functions differ substantially.

UMAC aims primarily to minimize processor cycles per octet; it achieves a speed of about 0.25 cycles per
byte on a 3.0 GHz Pentium D, attaining approximately 12 gigabytes of throughput per second (Rybar, 2017).
Conversely, Poly1305 focuses on reducing the number of instructions per byte, optimizing for power
efficiency as well as speed. This approach enabled it to reach 0.44 cycles per byte on an i7-4770,
corresponding to roughly 7 gigabytes per second (Wu, 2015). Consequently, UMAC outperforms Poly1305 on
high-end processors with abundant computational resources, whereas Poly1305 is more effective on
constrained devices where instruction-level efficiency is paramount. Overall, MAC designs illustrate a
tradeoff between cycles per byte and instructions per byte: high-end systems can afford more instructions
per byte if cycles per byte remain low, while constrained platforms require fewer instructions regardless of
cycle-count to optimize efficiency.

9. Implementation Challenges
The block-cipher-based construction of f9 appears to be widely used in 3G/4G systems. In addition to the
dedicated f9 algorithm, a standard-compliant construction method uses an encrypted counter block to
construct a pad for messages of any length, together with the f8 confidentiality algorithm.

The complete 3G ACS consists of six functions, labelled f1 through f5 and f1* for the re-synchronization
procedure. The f1 function is used for network authentication, while f1* provides user authentication; f2
generates the response (RES); f3 and f4 generate CK and IK, the remaining parts of the master key; and f5
produces the anonymity key. Integrity protection is handled by f9, which is specified as a separate function.

Universal hash-function constructions for message authentication require a key stream of the same length as
the message being authenticated. Existing topologies (e.g., Of-R, OMAC1, and PMAC) therefore demand the
use of block ciphers either operating in counter mode or the provision of a dedicated stream-cipher system.
The former results in the utilization of the block-cipher circuitry for both universal hashing and OTP
generation, while the latter requires a separate key. The generated padding material is subsequently XORed
with the message prior to universal hashing. The key for the universal-hash function is subsequently
generated by encrypting incre- mental counters to produce the keys needed by the At-MAC procedure (or
any other appropriate variable-input-length universal-hash function) (Wu, 2015) (Mashatan, 2008) (Gupta,
2016).

9.1. Key Management

The security guarantees provided by a MAC depend heavily on the secrecy of its key. To maintain this
secrecy, key-management issues must be addressed in any MAC deployment. In practice, a system designer
may rely on a trusted system entity​a key distribution center (KDC)​to generate and distribute keys along
numerous secure, authenticated channels. The KDC composes a separate key for each pair of parties in the
system, or perhaps late develops means for generating keys on demand. (Gupta, 2016)

9.2. Algorithm Selection

A 3-round actively secure identification protocol, more efficient than standard constructions, can be
instantiated from any weak pseudorandom function (wPRF). This construction also naturally abstracts
existing identification protocols such as the LPN-based schemes by Katz and Shin and by Juels and Weiss,
while its security proof captures the core argument behind those protocols. TUAK, AES, KASUMI, and
PRESENT are all symmetric-key cryptographic functions⎯TUAK takes a 128-bit key, a 128-bit input, and
produces a 64-bit output; AES-128/256 accept 128-bit keys and inputs to generate 128-bit outputs; KASUMI
operates with a 64-bit input, a 128-bit key, and a 64-bit output; and PRESENT is a 64-bit block cipher
employing an 80-bit key (Wu, 2015). MATM chooses one of these functions or the block cipher in Davies-
Meyer mode as a building block to compute a MAC. A 3-bit selector field can indicate the operation mode or
the chosen function—specific values may designate MACs derived from AES, KASUMI, or PRESENT—and a
four-bit code identifies the encryption or integrity algorithm. Modifications can accommodate the AES-256
cipher variant.

The block cipher itself is employed in Davies-Meyer mode; this choice simplifies parameter replication and
stem from the availability of a large security margin. AES-128, AES-256, and the block cipher in Davies-
Meyer mode are widely accepted as highly secure, whereas KASUMI and PRESENT might offer reduced
margins. Although integrity MACs can be constructed with any primitive, the appropriate algorithm for
execution on a UE or IoT device depends on various factors beyond security assumptions—namely
efficiency, data rate support, and compatibility with the operations of the corresponding UTILS cryptographic
primitive. Security assumptions play a pivotal role among these considerations (Dodis et al., 2012).

10. Future Trends in Message Authentication

Message authentication, which was first proposed by Carter and Wegman in 1979, is essential for the
development of authentication systems. The four universally adopted principles established by Simmons
reveal the widespread prevalence of impersonation and substitution forgery attacks. Such observations,
when combined with the evidence that public key cryptography and message authentication cannot coexist
in the same efficient system, underscore the importance of messaging protection codes (Wu, 2015).
Application specific integrated circuit (ASIC) implementation results further demonstrate that constructions
based on block ciphers are about twice as resource-demanding on a chip as those based on universal hash
functions, particularly when large-on-chip memory is unavailable. Acoustic wave devices provide an
inexpensive hardware solution for hashing, but because the security proofs of universal hash functions
require a one-time pad, block ciphers are preferred when cipher-based MAC security is crucial. Universal
hash functions are often used with stream ciphers such as RC4 because the one-time pad is readily available
for each message (Gupta, 2016). Although hash-based message authentication codes (HMACs) are robust
against impersonation and tampering, they are vulnerable to replay attacks if used in isolation. Extending
HMACs to produce a keyed message digest with a finite validity period enables a message signature scheme
that incorporates unique message identifiers, thereby allowing detection and rejection of replayed messages
and enhancing resistance against replay attacks.

10.1. Post-Quantum Cryptography

Exploring architectures of quantum computers exponential speed-ups over classical computers are observed
. Potentially harmful impact on information security is well known, prompting a significant shift in the state of
cryptography—leading to modifications of current protocols and the design of new ones, able to counteract
these newly emerged threats. Novel systems and versatile techniques optimized for solution of robust
computational problems, having a slow or even negligible growth in the presence of quantum algorithms.
Classical computational problems significantly accelerated by quantum protocols exist and they are carefully
examined to establish a quantum equilibrium enforcing symmetry among classical, quantum and post
quantum cryptography.

Following significant advances in quantum computing, Shor’s well-known algorithm is capable of

breaking popular digital-signature and encryption schemes (Robert Vates, 2018) , and even producing an
efficient way to factor composite integers. Since public-key exchange systems are based on the intractability
of problems such as factoring, lattice-based problems, discrete logarithms, etc., Shor’s algorithm poses
threats to such technologies—a physical realization of quantum computers will break classical
cryptographic systems. Lattice-based cryptography, aiming at design of quantum-secure post-quantum
systems, has emerged as a very promising approach. Several cryptosystems, encryption schemes and digital
signatures have already been designed and standardized, with systems like NTRU and Ring-LWE—relying
on the hardness of structured lattice problems—considered excellent candidates for practical and efficient
post-quantum-cryptography realizations. In particular, Ring-LWE has favorable properties for efficient
implementations. Chaotic systems characterized by linear transmissions of masked signals can be efficiently
realized with quantum-dot cellular automata . The stability of chaotic systems suggests that, with
appropriate control, chaos frameworks offer robust methods for securing communications and message
authentication. Whereas the one-time-pad is computationally unfeasible and requires keys the same size as
the message, chaotic cryptography provides a more tractable solution.

Thorough investigations of a parallelizable message-authentication-code construction operating with a single

secret key over arbitrary-length plaintexts have been presented (Datta et al., 2017). Their security addresses
extensions of previous models, and the design—a single-key variant of the well-known PMAC_Plus
mode—is specified. During the last years, the security of widely employed MAC schemes like CBC-MAC,
PMAC and XCBC have been extensively studied, with several proposals providing security bounds against
beyond-birthday-length attacks. Lightweight constructions for constrained environments have also been
proposed. Single-key PMAC_Plus is a block-cipher mode of operation generating parallelizable MACs retaining
security beyond the birthday bound.

10.2. Advancements in Cryptographic Techniques

Multiple networks, like SMS, IP, packet domain connection, WLAN, and LTE systems, have introduced some
form of authentication (Wu, 2015). Conceived by Leslie Lamport, the first Message Authentication Code
(MAC) scheme was based on hashes, but these required the passwords to be changed after each use, which
proved impractical (Gupta, 2016).

11. Case Studies

The f2 function, called the user authentication function, generates the expected response and response. The
f3 and f4 functions generate the CK and IK, respectively, which are legacies of the 3G UMTS network. They
are the keys to protect confidentiality and integrity. Other keys are derived from this master session key. To
reuse the infrastructure, KASME is derived from CK and IK by a key derivation function. The SQN is masked
by an anonymity key generated by the function f5. After the AKA and security mode setup, the integrity and
confidentiality of control messages are protected. The integrity protection method, called f9, is applied in the
radio resource control layer. The f9 function takes four inputs: COUNT−I, MESSAGE, DIRECTION, and FRESH.
COUNT−I is a counter that counts how many times the integrity key is used. When it reaches a threshold,
the UE and MME must negotiate a new integrity key. Upon receiving a message, the sequence number is
checked for freshness, and the message is validated by checking MAC.

Integrity protection attracted more attention when the active wiretapper was proposed. Simmons proposed
the first authentication model using Message Authentication Code (MAC), demonstrating impersonation and
substitution forgery attacks. Constructions using block ciphers can be equivalent to keyed hash functions in
the sense of CBC or other modes. Constructions based on universal hash functions are suitable for working
with stream ciphers, as they require a one-time pad for security. Krawczyk demonstrated that any Almost
XOR Universal (AXU) hash function is equivalent to a secure message authentication code (Wu, 2015).
11.1. Real-world Implementations

Message authentication codes (MACs) were introduced in response to active wiretapping in armed
communications. The two main goals of the MAC are to authenticate the message origin and to verify the
integrity of the message (Wu, 2015). A MAC is a function of a message and a secret key, formed by a tag.
Discrete and continuous approaches have been applied to the analysis of various security protocols, and
discrete analysis remains the dominant paradigm for the verification of security protocols (Dodis et al.,
2012). The actual requirements to be met depend on the operational and business context. Private-key
message authentication requires the recipients of a message to share a secret key. Conventional public-key
signatures often imply computational or communication overheads that far exceed the cost of the encryption
(Gupta, 2016). Block cipher-based MACs were the first widely used MACs, but today constructions based on
universal hash functions and a relatively small encapsulated primitive are the most popular ones. When
combined with a pseudo-random function, an almost XOR universal hash function forms the basis of a secure
message-authentication scheme.

11.2. Failures and Lessons Learned

Failures in message authentication codes offer instructive lessons, guiding the design and evaluation of new
systems. Such failures may result from implementation, design, or underlying primitive weaknesses and
typically yield a loss of assurance—a situation that deserves separate consideration. Key historical
examples begin with DESMAC, which was declared insecure in the late 1980s because the underlying cipher
was vulnerable to a key-recovery attack that was superpolynomial in complexity (Wu, 2015). More recently,
the ad-hoc HMAC candidate DMAC* was broken through structural analysis, underscoring the endurance of
the MAC problem, the value of standard models, and the perils of innovation without a solid basis (Gupta,
2016). A common challenge is the specification of the required properties in a manner sufficiently detailed to
enable rigorous analysis. For example, in 1991 Merkle gave an attack on the IAC, the MAC used in ISO 9797-
1, revealing that a given key-and-message pair could produce several distinct valid tags and that the
function was not a strongly unforgeable MAC.

12. Regulatory and Compliance Issues

Message Authentication Code (MAC) security and its regulatory and compliance implications are examined.
MACs are widely used for message integrity and authenticity verification in mobile and distributed networks,
but they remain vulnerable to various attacks. Construction methods based on block ciphers and universal
hash functions provide strong security guarantees within the accepted security model (Wu, 2015).

In GEOPRIV scenarios, protection against message-substitution attacks is emphasized by limiting the types
of fields that can be substituted without detection. A novel ciphertext-based private MAC-address scheme
using a block cipher in counter mode is proposed to mitigate MAC-address-tracking attacks. Derived
temporary MAC addresses achieve low collision rates while maintaining compatibility with existing protocols.
Encapsulated MAC addresses are deterministically randomized when exposed to malicious nodes. The
scheme meets privacy requirements without compromising efficiency or integrity and does not require
additional protocols (Gupta, 2016).

Both studies underscore the necessity of rigorous standards for MAC construction and usage to ensure
message integrity and prevent impersonation, substitution, and related attacks.

12.1. Standards and Guidelines

The application of message authentication codes (MACs) faces a complex of standards and guidelines. These
regulate not only choice of suitable constructions but also various particulars of key management and use.
Requirements differ according to the security objectives and application domains; nevertheless, the overall
trend is toward increased use of MACs in a wide variety of applications.

MACs have been employed in a number of specifications and standards. The ISO/IEC 9797-1 specification of
data integrity mechanisms considers both DES- and MAC-based algorithms. Its restriction to DES keys of
length 56 bits, however, limits its utility for modern systems. The widely implemented IEEE 802.11i standard
for wireless LANs uses the AES-CMAC algorithm for providing integrity and confidentiality protection for link-
layer frames. Similarly, NIST describes the use of CMAC within U.S. Government systems for ensuring
confidentiality and integrity of classified material. (Gupta, 2016)

12.2. Legal Implications

Message authentication codes enjoy broad acceptance in government and commercial applications. The
government supports the use of message authentication codes to concur (*authorized or not repudiated?*)
with FIPS 140-1 and FIPS 140-2 on the basis that a digital signature is not necessary and message
confidentiality is not required. The NSA certified the system as secure and permitted Electronic Key
Management System (EKMS) messaging to the DNS that contains Sensitive but Unclassified (SBU) National
Security Agency (NSA) information. NATO has declassified its ADatP-3750 compliant products for use on
commercial networks. The NATO organization controls the dissemination of additional NATO-specific secret
marketing keys. The NATO/multi-platform solution would have to be made compatible with non-NATO-specific
security systems to allow the exchange of Non-classified Information (NCII). Two versions of the algorithm
have been certified by Task Group 1 for worldwide usage in NATO and non-NATO equipment. TEA/TREX used
with the SNMP protocol is one example. Additional policy issues are summarized below.

The algorithm is patent-free and FIPS 140-1 and FIPS 140-2 compliant. FIPS 140-2 requires the approved
mode of operation be a FIPS approved algorithm. The structure of the algorithm clearly requires the input
padding to be either appended before the message is processed or a feed-back bit is implemented to provide
the source of the 16th double-wide word to calculate the checksum. If the padding is appended to the data a
counter-mode approach is implied. The approved Message Authentication Code (MAC) for a counter-mode
encryption is CBC-MAC (NIST). It is not feasible to output a 96-bit number from a 32-bit structure; therefore,
the output must be passed through an approved one-way hash, such as Secure Hash Standard (SHS). The
padding needs to be appended prior to processing the message so the intermediate 96-bit MAC is computed
on the message and not the counter data (Gupta, 2016). Additional work is required before the algorithm can
be submitted. The Internet Engineering Task Force (IETF) and National Institute of Standards and Technology
(NIST) continue to evaluate the suitability of HMAC and the SHA-3 family of functions. Although not as
efficient, Message Digest 5 (MD5) continues to provide a robust solution for use in the near term.

13. Conclusion
The f2 function, called the user authentication function, generates the expected response. The f3 and f4
functions generate the CK and IK, which are keys to protect confidentiality and integrity. Other keys are
derived from this master session key, including KASME, derived from CK and IK. The SQN is masked by an
anonymity key generated by the function f5 to prevent subscriber information leaks. After authentication and
security setup, all control messages’ integrity and confidentiality are protected. The integrity protection
method, called f9, is applied in the radio resource control (RRC) layer, using inputs like COUNT−I,
MESSAGE, DIRECTION, and FRESH to prevent replay attacks. Upon receiving messages, the sequence
number is checked for freshness, and the MAC is validated. Message Authentication Code (MAC) was
introduced to ensure integrity protection; attacks against MAC include impersonation and substitution
forgery. Constructions using block ciphers and universal hash functions are common, with the latter being
suitable for stream ciphers due to their security proofs based on one-time pads. An Almost XOR Universal
(AXU) hash function is equivalent to a secure message authentication code (Wu, 2015).

The standard security notion for MACs is unforgeability under chosen-message attack, which is achieved by
every PRF. Collision security involves analyzing the probability of different inputs producing the same output
under a keyed function. Random systems, composed of inner and outer functions chained together, are used
to study collision properties. Lemma 1 states that if two systems are equivalent conditioned on no collision at
the inner function, then the advantage of a distinguisher is limited. Adaptive queries do not increase success
probability. A Message Authentication Code (MAC) is a cryptographic primitive used to ensure message
integrity and authenticity through three algorithms: key generation, tagging, and verification. The security of
MACs is formalized as existential unforgeability under chosen-message attack (uf-cma), a property achieved
by all PRFs (Rybar, 2017).

References:

Gupta, B. (2016). A replay-attack resistant message authentication scheme using time-based keying hash
functions and unique message identifiers. [PDF]

Wu, T. (2015). On Message Authentication in 4G LTE System. [PDF]

Mashatan, A. (2008). Message Authentication and Recognition Protocols Using Two-Channel Cryptography.
[PDF]

Rybar, M. (2017). (The exact security of) Message Authentication Codes. [PDF]

Dodis, Y., Pietrzak, K., Kiltz, E., & Wichs, D. (2012). Message authentication, revisited. [PDF]

Cogliati, B., Lee, J., & Seurin, Y. (2017). New Constructions of MACs from (Tweakable) Block Ciphers. [PDF]

Wagner, E., Serror, M., Wehrle, K., & Henze, M. (2022). BP-MAC: Fast Authentication for Short Messages.
[PDF]

Robert Vates, J. (2018). Developments in multivariate post quantum cryptography.. [PDF]

Datta, N., Dutta, A., Nandi, M., Paul, G., & Zhang, L. (2017). Single Key Variant of PMAC_Plus. [PDF]