accounting. PMAC uses #|M |/n# block-cipher invocations for any nonempty message M . (The empty string takes one block-cipher invocation). We compare with the CBC MAC: The "basic" CBC MAC, which assumes that the message is a nonzero multiple of the block length and which is only secure when all messages to be MACed are of one fixed length, uses the same number of block cipher calls: |M |/n. The version of the CBC MAC described in [10], which removes the two restrictions just mentioned, uses the same number of calls as PMAC, #|M |/n#. Obligatory padding (to support short-final-block messages) and standard methods to process the final block (double or triple encryption, to achieve security across variable-length messages) can raise the number of block-cipher calls to as much as #|M + 1|/n# + 2. Thus PMAC saves between 0 and 3 block-cipher calls compared to the various versions of the CBC MAC. As with any mode, there is further overhead beyond the block-cipher calls. Per block, this overhead is about three n-bit xor operations plus associated logic. The work for this associated logic will vary according to whether or not one precomputed L(i)-values, whether or not there is an ntz() instruction available, and on other factors. Though some of the needed L(i)-values are likely to be pre-computed, calculating these values "on the fly" is not too expensive. Starting with 0 n we form successive o#sets by xoring the previous o#set with L, 2