For further information about UMAC see the UMAC Web page.

UMAC: Fast and secure message authentication


Authors: John Black, Shai Halevi, Hugo Krawczyk, Ted Krovetz and Phillip Rogaway.

Reference: Advances in Cryptology - CRYPTO '99. . Lecture Notes in Computer Science, vol. 1666, M. Wiener, ed., Springer-Verlag, pp. 215-233.

Abstract: We describe a message authentication algorithm, UMAC, which authenticates messages (in software, on contemporary machines) roughly an order of magnitude faster than current practice (eg, HMAC-SHA1). To achieve such speeds UMAC uses a variant of the Carter-Wegman paradigm, employing a new universal-hash-function, NH, as well as a new way to use such a family to construct a MAC. The "cryptographic" work of UMAC is done using standard primitives of the user's choice, such as a block cipher or cryptographic hash function; no new heuristic primitives are developed here. Instead, the security of UMAC is rigorously proven, in the sense of giving exact and quantitatively strong results which demonstrate an inability to forge UMAC-authenticated messages assuming an inability to break the underlying cryptographic primitive. Unlike conventional, inherently serial MACs, {\name} is parallelizable, and will have ever-faster implementation speeds as machines offer up increasing amounts of parallelism. We envision UMAC as a practical and desirable algorithm for next-generation message authentication.

Availability: Full paper available as pdf


RFC 4418

Title: UMAC: Message authentication code using universal hashing

Authors: Ted Krovetz (editor), with John Black, Shai Halevi, Alejandro Hevia, Hugo Krawczyk, and Phillip Rogaway.

Reference: RFC 4418, Network Working Group, The Internet Society, 2006.

Abstract: This specification describes how to generate an authentication tag using the UMAC message authentication algorithm. UMAC is designed to be very fast to compute in software on contemporary uniprocessors. Measured speeds are as low as one cycle per byte. UMAC relies on addition of 32-bit and 64-bit numbers and multiplication of 32-bit numbers, operations well-supported by contemporary machines.

To generate the authentication tag on a given message, a "universal" hash function is applied to the message and key to produce a short, fixed-length hash value, and this hash value is then xor'ed with a key-derived pseudorandom pad. UMAC enjoys a rigorous security analysis, and its only internal "cryptographic" component is a block cipher used to generate the pseudorandom pads and internal key material.

Comment: Specificatoin document corresponding to academic paper above. Additional information on the UMAC home page

Availability: Spec available as ASCII text.


Rogaway's home page.