** Reference:** *Advances in Cryptology - CRYPTO '99*.
Lecture Notes in Computer Science, vol. 1666, M. Wiener, ed., Springer-Verlag, pp. 215-233.

** Abstract: **
We describe a message authentication algorithm, UMAC,
which authenticates messages (in software, on contemporary machines)
roughly an order of magnitude faster than current practice (eg, HMAC-SHA1).
To achieve such speeds UMAC uses a variant of the
Carter-Wegman paradigm, employing
a new universal-hash-function, NH, as well as
a new way to use such a family to construct a MAC.
The "cryptographic" work of UMAC is done using standard
primitives of the user's choice, such as a block cipher or
cryptographic hash function;
no new heuristic primitives are developed here.
Instead, the security of UMAC is rigorously proven,
in the sense of giving exact and quantitatively strong
results which demonstrate an inability to forge UMAC-authenticated messages
assuming an inability to break the underlying cryptographic primitive.
Unlike conventional, inherently serial MACs,
UMAC is parallelizable, and will have ever-faster implementation
speeds as machines offer up increasing amounts of parallelism.
We envision UMAC as a practical and desirable
algorithm for next-generation message authentication.

** Availability: **
Full paper available as
pdf

** Reference:** RFC 4418, Network Working Group,
The Internet Society, 2006.

** Abstract: **
This specification describes how to generate an authentication tag
using the UMAC message authentication algorithm. UMAC is designed to
be very fast to compute in software on contemporary uniprocessors.
Measured speeds are as low as one cycle per byte. UMAC relies on
addition of 32-bit and 64-bit numbers and multiplication of 32-bit
numbers, operations well-supported by contemporary machines.

To generate the authentication tag on a given message, a "universal"
hash function is applied to the message and key to produce a short,
fixed-length hash value, and this hash value is then xor'ed with a
key-derived pseudorandom pad. UMAC enjoys a rigorous security
analysis, and its only internal "cryptographic" component is a block
cipher used to generate the pseudorandom pads and internal key
material.

** Comment: ** Specification document corresponding to the academic paper above.
Additional information is on the
UMAC home page.

** Availability: **
Spec available as
ASCII text.
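
The hash-then-xor-with-pad structure from the two abstracts, as an added example (not code from the paper or from RFC 4418, and not interoperable with either). It assumes a single NH block of at most 1024 bytes, NH word pairing as in the paper, and HMAC-SHA256 as a stand-in for the block cipher that derives key material and pads; `prf`, `nh`, `tag`, `verify`, and the labels are hypothetical names.

```python
import hmac, hashlib, struct

MASK32, MASK64 = 0xFFFFFFFF, 0xFFFFFFFFFFFFFFFF
BLOCK = 1024  # bytes of NH key material; longer messages need UMAC's further hash layers

def prf(key, label, n):
    """Stand-in PRF (HMAC-SHA256 with a counter); UMAC uses a block cipher here."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, label + struct.pack(">I", ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def nh(key_words, msg):
    """NH: add key words mod 2^32, multiply adjacent word pairs, sum mod 2^64."""
    if len(msg) > BLOCK:
        raise ValueError("single-block sketch: message exceeds NH key length")
    padded = msg + b"\x00" * (-len(msg) % 8)          # zero-pad to whole word pairs
    words = struct.unpack("<%dI" % (len(padded) // 4), padded)
    acc = 0
    for i in range(0, len(words), 2):
        a = (words[i] + key_words[i]) & MASK32          # 32-bit addition
        b = (words[i + 1] + key_words[i + 1]) & MASK32
        acc = (acc + a * b) & MASK64                    # 32x32 multiply, 64-bit sum
    # Adding the bit length separates messages that differ only in zero padding.
    return (acc + 8 * len(msg)) & MASK64

def tag(key, nonce, msg):
    """Tag = universal hash of the message, xor'ed with a key-derived pad."""
    key_words = struct.unpack("<%dI" % (BLOCK // 4), prf(key, b"nh-key", BLOCK))
    # The pad must be used once: the nonce must never repeat under the same key.
    pad = int.from_bytes(prf(key, b"pad" + nonce, 8), "big")
    return (nh(key_words, msg) ^ pad).to_bytes(8, "big")

def verify(key, nonce, msg, t):
    """Recompute the tag and compare in constant time."""
    return hmac.compare_digest(tag(key, nonce, msg), t)
```

Only the pad generation touches a cryptographic primitive; the per-byte work is the add-and-multiply loop in `nh`, which is where the speed claimed in the abstracts comes from.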

Rogaway's home page.