OMAC (One-key CBC MAC) is a message authentication code which was designed by Tetsu Iwata and Kaoru Kurosawa of Ibaraki University. It was offered to NIST as part of their project for developing new modes of block cipher operation. The algorithm is extremely simple, and has proven to be quite secure. It is a variant of a MAC called XCBC, and related (through it's CBC-MAC heritage) to RMAC and EMAC. (We're going to run out of nMAC names pretty soon!)
Initially, RMAC was chosen by NIST to be their standard MAC algorithm, but shortly thereafter a number of researchers demonstrated that RMAC was not as secure as its designers had hoped. Thus OMAC was chosen as the replacement, and has proven to be much more durable. In particular, the proofs surrounding OMAC's security are much less fragile than RMAC's.
OMAC works as follows:
- Choose a key, K
- Compute L to be the encryption of the all zero block under K.
- Pad the message M to a multiple of the block size of the underlying cipher. This is done by adding a single 1 bit, and as many 0 bits as needed.
- Compute the CBC MAC of the message M using K, and denote the result X
- If M's length (before padding) was a multiple of the block size, then choose Y to be L⋅ u, otherwise let Y be L⋅ u-1, where the ⋅ operator represents polynomial multiplication, and u is a small fixed polynomial.
- Let the final MAC be EK(X ⊕ Y)
A recent modification of this is to use L⋅u2 instead of L⋅ u-1, for somewhat easier software implementation (one doesn't have to implement the polynomial division operation, which is nice).
OMAC is very new, so not many systems use it yet (in fact, none at all do). However, the new and highly-neat EAX cipher mode does use it to provide authenticity; this use of OMAC is 'built in' to EAX. However, since EAX is even newer than OMAC, nobody uses it either. However, EAX is a very nice design, and I highly suspect that we'll be seing it in the future (possibly in a WEP replacement).