A Block-Cipher Mode of Operation for Parallelizable Message Authentication

We define and analyze a simple and fully parallelizable block-cipher mode of operation for message authentication. Parallelizability does not come at the expense of serial efficiency: in a conventional, serial environment, the algorithm’s speed is within a few percent of the (inherently sequential) CBC MAC. The new mode, PMAC, is deterministic, resembles a standard mode of operation (and not a Carter-Wegman MAC), works for strings of any bit length, employs a single block-cipher key, and uses just max{1, ⌈|M |/n⌉} block-cipher calls to MAC a string M ∈ {0, 1}∗ using an n-bit block cipher. We prove PMAC secure, quantifying an adversary’s forgery probability in terms of the quality of the block cipher as a pseudorandom permutation.