Keyed cryptographic (MAC)

CMAC

Cipher-based Message Authentication Code. Standardized by NIST in SP 800-38B (2005, recommendation), drawing from OMAC1 by Iwata and Kurosawa. CMAC is the canonical block-cipher-based MAC: take any secure block cipher (almost always AES), and CMAC turns it into a secure variable-length MAC.

How it works

At its core CMAC is CBC-MAC with the last block handled specially. Two subkeys K₁ and K₂ are derived from the main key by encrypting zero and doubling in GF(2¹²⁸). The message is processed in CBC mode; before the final block, XOR with K₁ (if the last block is full) or pad+XOR with K₂(if not). The last encryption’s output is the tag.

At a glance

vs HMAC vs Poly1305

• CMAC: best when you already have AES hardware acceleration; pure block-cipher operation.
• HMAC: best when you already have a fast hash (SHA-2, SHA-3, BLAKE).
• Poly1305: fastest of the three, but needs a fresh key per message.

Where it shows up

• NIST SP 800-108 , KDF construction modes (CMAC as PRF).
• IEEE 802.11i / WPA2 , AES-CMAC for some management-frame integrity.
• Smart cards / EMV , common where AES is already running.
• NFC , some authenticated protocols.
• OMA DRM, 3GPP , AES-CMAC for integrity tags.

OMAC1 = CMAC

The exact construction NIST standardized is OMAC1, by Iwata and Kurosawa (2003). NIST renamed it CMAC. References to OMAC and CMAC in modern literature mean the same algorithm.

References

• NIST SP 800-38B , The CMAC Mode for Authentication
• RFC 4493 , The AES-CMAC Algorithm
• HMAC · GMAC · Poly1305