One-key MAC

---

title: "One-key MAC" type: doc version: 1 created: 2026-02-28 author: "Wikipedia contributors" status: active scope: public tags: ["message-authentication-codes", "finite-fields"] description: "Message authentication code algorithm" topic_path: "general/message-authentication-codes" source: "https://en.wikipedia.org/wiki/One-key_MAC" license: "CC BY-SA 4.0" wikipedia_page_id: 0 wikipedia_revision_id: 0

::summary Message authentication code algorithm ::

One-key MAC (OMAC) is a family of message authentication codes constructed from a block cipher much like the CBC-MAC algorithm. It may be used to provide assurance of the authenticity and, hence, the integrity of data. Two versions are defined:

• The original OMAC of February 2003, which is rarely used. The preferred name is now "OMAC2".
• The OMAC1 refinement,

OMAC is free for all uses: it is not covered by any patents.

History

The core of the CMAC algorithm is a variation of CBC-MAC that Black and Rogaway proposed and analyzed under the name "XCBC" and submitted to NIST. The XCBC algorithm efficiently addresses the security deficiencies of CBC-MAC, but requires three keys.

Iwata and Kurosawa proposed an improvement of XCBC that requires less key material (just one key) and named the resulting algorithm One-Key CBC-MAC (OMAC) in their papers. They later submitted the OMAC1 (= CMAC), a refinement of OMAC, and additional security analysis.

Algorithm

::figure[src="https://upload.wikimedia.org/wikipedia/commons/e/e2/CMAC_-_Cipher-based_Message_Authentication_Code.pdf" caption=""] ::

To generate an ℓ-bit CMAC tag (t) of a message (m) using a b-bit block cipher (E) and a secret key (k), one first generates two b-bit sub-keys (k1 and k2) using the following algorithm (this is equivalent to multiplication by x and x2 in a finite field GF(2b)). Let ≪ denote the standard left-shift operator and ⊕ denote bit-wise exclusive or:

1. Calculate a temporary value k0 = Ek(0).
2. If msb(k0) = 0, then k1 = k0 ≪ 1, else k1 = (k0 ≪ 1) ⊕ C; where C is a certain constant that depends only on b. (Specifically, C is the non-leading coefficients of the lexicographically first irreducible degree-b binary polynomial with the minimal number of ones: for 64-bit, for 128-bit, and for 256-bit blocks.)
3. If , then , else .
4. Return keys (k1, k2) for the MAC generation process.

As a small example, suppose , , and . Then and .

The CMAC tag generation process is as follows:

1. Divide message into b-bit blocks , where m1, ..., m**n−1 are complete blocks. (The empty message is treated as one incomplete block.)
2. If mn is a complete block then else .
3. Let .
4. For , calculate .
6. Output .

The verification process is as follows:

1. Use the above algorithm to generate the tag.
2. Check that the generated tag is equal to the received tag.

Variants

CMAC-C1 is a variant of CMAC that provides additional commitment and context-discovery security guarantees.

Implementations

• Python implementation: see the usage of the AES_CMAC() function in "impacket/blob/master/tests/misc/test_crypto.py", and its definition in "impacket/blob/master/impacket/crypto.py"
• Ruby implementation

References

References

1. Dworkin, Morris. (2016). "Recommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication".
2. Rogaway, Phillip. "CMAC: Non-licensing".
3. (2000-08-20). "Advances in Cryptology – CRYPTO 2000". Springer, Berlin, Heidelberg.
4. "A Suggestion for Handling Arbitrary-Length Messages with the CBC MAC".
5. (2003-02-24). "Fast Software Encryption". Springer, Berlin, Heidelberg.
6. (2003). "OMAC: One-Key CBC MAC – Addendum".
7. (2003-12-08). "Progress in Cryptology - INDOCRYPT 2003". Springer Berlin Heidelberg.
8. (2024). "Advances in Cryptology – CRYPTO 2024". Springer Nature Switzerland.
9. (15 December 2018). "Impacket is a collection of Python classes for working with network protocols.: SecureAuthCorp/impacket".
10. (4 May 2016). "Ruby C extension for the AES-CMAC keyed hash function (RFC 4493): louismullie/cmac-rb".

::callout[type=info title="Wikipedia Source"] This article was imported from Wikipedia and is available under the Creative Commons Attribution-ShareAlike 4.0 License. Content has been adapted to SurfDoc format. Original contributors can be found on the article history page. ::