
Carter–Wegman MAC

Generated by GPT-5-mini
Note: This article was automatically generated by a large language model (LLM) from purely parametric knowledge (no retrieval). It may contain inaccuracies or hallucinations. This encyclopedia is part of a research project currently under review.
Name: Carter–Wegman MAC
Caption: Universal hashing based message authentication
Inventor: Bruce Schneier, Don Coppersmith, James L. Massey
Introduced: 1979
Derived from: Universal hashing
Type: Message authentication code

The Carter–Wegman MAC is a message authentication code construction based on universal hashing combined with a cryptographic pseudorandom function or block cipher to provide integrity and authenticity. Developed from the work of Michael O. Rabin and formalized by J. Lawrence Carter and Mark N. Wegman, the technique has influenced standards and protocols used by the National Institute of Standards and Technology, the Internet Engineering Task Force, and industry implementations by Microsoft, IBM, and RSA Security. It is foundational both in academic treatments at venues like CRYPTO and Eurocrypt and in practical deployments in TLS, IPsec, and SSH.

Introduction

The construction originates from the theory of universal hashing introduced by Carter and Wegman and complements earlier authentication concepts from David Chaum and Lamport. It separates authentication into a hashing stage and a pseudorandom tagging stage, enabling provable security reductions in the style of provable security frameworks used in Bellare–Rogaway analyses. Key figures who extended the approach include Gilles Brassard, Silvio Micali, and Oded Goldreich, and later optimizations were studied by researchers at MIT, Stanford University, and The University of California, Berkeley.

Construction and Algorithms

A Carter–Wegman MAC typically computes a universal hash of the message using a key selected from a family of pairwise independent or k-wise independent hash functions, then masks or combines that hash with the output of a keyed pseudorandom function (PRF) such as HMAC, a block cipher like AES, or (historically) a stream cipher like RC4. Implementations employ polynomial evaluation over finite fields such as GF(2^n) or GF(p), multiply-accumulate arithmetic in the spirit of a polynomial rolling hash, and constructions related to the NH hash. Parameter choices are influenced by work at the IETF and NIST and by research from Daniel J. Bernstein and Tanja Lange on field arithmetic and reduction.

Security Properties and Analysis

Security proofs for Carter–Wegman MACs provide bounds on forgery probability based on the universality of the hash family and the unpredictability of the PRF, following paradigms popularized by Goldwasser–Micali proof techniques and reductions used in IND-CPA analyses. Adversarial models derive from the Dolev–Yao and computational models common in papers at ACM CCS and IEEE S&P. Attacks exploiting weak key reuse were examined by Ross Anderson and M. Joye, while side-channel analyses by researchers at École Polytechnique Fédérale de Lausanne and Darmstadt University of Technology considered timing and cache leakage. The construction supports information-theoretic authentication when the PRF is replaced by a one-time pad, linking to Shannon's secrecy concepts and Wyner’s work on wiretap channels.
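The two-stage construction described in the Construction and Security sections, as an added Python example (not code from the article or from any named library): a polynomial universal hash over GF(2^127 - 1) is masked by a nonce-keyed pad derived from HMAC-SHA256, which stands in for the PRF. The prime, the 15-byte block size, the 0x01 padding and the key handling are choices made for this example; swapping the HMAC pad for truly random one-time bytes gives the information-theoretic variant mentioned above.

```python
import hashlib
import hmac

# Field for the universal hash: the Mersenne prime 2^127 - 1. This is a choice
# made for this example (Poly1305, by contrast, reduces modulo 2^130 - 5).
P = (1 << 127) - 1
BLOCK = 15  # message bytes per coefficient; a 0x01 pad byte is appended to each


def poly_hash(r: int, msg: bytes) -> int:
    """Universal hash h_r(m): evaluate the message's block polynomial at r mod P.

    The trailing 0x01 pad makes the block encoding injective, so two distinct
    messages give distinct polynomials and collide with probability <= n/P
    over a uniformly random r (n = number of blocks)."""
    h = 0
    for i in range(0, len(msg), BLOCK):
        coeff = int.from_bytes(msg[i:i + BLOCK] + b"\x01", "little")  # < 2^121 < P
        h = (h + coeff) * r % P
    return h


def prf_pad(key: bytes, nonce: bytes) -> int:
    """PRF stage F_K(nonce): HMAC-SHA256 truncated to 128 bits and reduced mod P.
    Truly random one-time bytes here would give the information-theoretic variant."""
    digest = hmac.new(key, nonce, hashlib.sha256).digest()[:16]
    return int.from_bytes(digest, "little") % P


class CarterWegmanMAC:
    def __init__(self, hash_key: bytes, prf_key: bytes):
        self.r = int.from_bytes(hash_key[:16], "little") % P
        if self.r == 0:
            raise ValueError("hash key reduces to 0; every message would hash to 0")
        self.k = prf_key
        self._used = set()  # nonces already spent under this key

    def tag(self, nonce: bytes, msg: bytes) -> bytes:
        # Each nonce may mask only one hash: the pad must be one-time.
        if nonce in self._used:
            raise ValueError("nonce reuse under the same key")
        self._used.add(nonce)
        t = (poly_hash(self.r, msg) + prf_pad(self.k, nonce)) % P
        return t.to_bytes(16, "little")

    def verify(self, nonce: bytes, msg: bytes, tag: bytes) -> bool:
        expected = (poly_hash(self.r, msg) + prf_pad(self.k, nonce)) % P
        # Constant-time comparison so a forger learns nothing from timing.
        return hmac.compare_digest(expected.to_bytes(16, "little"), tag)
```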

Performance and Implementations

Practical implementations emphasize high throughput on modern CPUs using SIMD instructions like SSE, AVX, and NEON, and leverage hardware support such as AES-NI and CLMUL. Notable software packages and libraries implementing variants include OpenSSL, LibreSSL, BoringSSL, libsodium, and GnuTLS, with contributions from organizations like Google, Facebook, and Cloudflare. Hardware implementations appear in network devices from Cisco Systems, Juniper Networks, and Intel NIC offloads. Benchmarks reported at venues like USENIX and SIGCOMM compare Carter–Wegman variants to HMAC and authenticated encryption schemes standardized by IETF.

Variants and Extensions

Several variants extend or adapt the original Carter–Wegman idea: polynomial-based variants such as Poly1305 (influenced by work at Google and by Daniel J. Bernstein), NH-based designs used in VMAC, and constructions combining with Galois/Counter Mode (GCM) used in IEEE 802.11 and IPsec. Extensions include keyed-hash variants for streaming data, incremental hashing inspired by Merkle–Damgård structures, and hybrid constructions blending with authenticated encryption modes like AES-GCM-SIV. Cryptographers at Bell Labs, ETH Zurich, and Tel Aviv University have proposed trade-offs between tag size, key reuse, and computational overhead.

Applications and Use Cases

Carter–Wegman MACs power message authentication in network protocols such as TLS 1.3 proposals, IPsec ESP, and SSH transport layers, and are used in storage integrity systems developed by Amazon Web Services, Google Cloud Platform, and Microsoft Azure. They appear in secure logging solutions used by Palantir-style analytics platforms, content delivery networks operated by Akamai Technologies, and database replication systems at Oracle Corporation and PostgreSQL projects. Standards bodies including ISO and IETF recognize constructions derived from Carter–Wegman in cryptographic modules certified under programs like FIPS.

Category:Message authentication codes