Re: [Cfrg] New UMAC Draft

"D. J. Bernstein" <djb@cr.yp.to> Fri, 30 September 2005 04:36 UTC

Date: Fri, 30 Sep 2005 04:36:34 -0000
Message-ID: <20050930043634.14126.qmail@cr.yp.to>
From: "D. J. Bernstein" <djb@cr.yp.to>
To: cfrg@ietf.org
Subject: Re: [Cfrg] New UMAC Draft
References: <9C49EC50-7BD8-49CB-9EC9-5A1B448E5C9A@acm.org>

Ted Krovetz writes:
> UMAC is rigorously proven.

I don't believe you. It seems possible, perhaps even likely, that such a
proof exists; but it's also clear that you haven't done the work yet.
The risk of error is still unacceptably high.

In October 2004 you claimed various ``rigorously proven'' bounds on the
UMAC forgery probability. It's crystal clear that this claim was false;
I'm sure that nobody knows how to prove those bounds; in fact, I think
that your alleged bounds were flat-out wrong. (I'm reminded of the OAEP
fiasco, where Bellare and your coauthor Rogaway claimed a security
theorem that they weren't actually able to prove and that's now widely
believed to be incorrect, although several applications of the claimed
theorem were subsequently rescued by more sophisticated techniques.)

The problem wasn't that you tried to write a proof and made a mistake.
The problem was that you didn't even bother writing a proof. You looked
at the collision-probability bounds in Black's thesis; you incorrectly
assumed that forgery probabilities can't exceed collision probabilities
(as you now admit); and then you falsely stated that your bounds had
been ``rigorously proven.''

The same problem exists now. You have new resources at your disposal,
specifically a theorem that helps transfer some forgery-probability
bounds from uniform random functions to uniform random permutations, but
all you've done with those resources is assert that they're applicable.
Saying ``Another result [2], when combined with [3, 6], shows that [blah
blah blah]'' is a far cry from giving a rigorous proof. You haven't even
given a careful _statement_ of your alleged security bounds; you've
neglected to add the AES distinguishing probability, for example.

---D. J. Bernstein, Professor, Mathematics, Statistics,
and Computer Science, University of Illinois at Chicago
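
As an added illustration, not part of Bernstein's message or of the UMAC draft it criticises: the shape a carefully stated Wegman-Carter forgery bound takes once the terms the message says are missing are written out. The symbols are this illustration's own assumptions: $H$ is an $\epsilon$-almost-XOR-universal hash family with $n$-bit output, a tag is $H_k(m) \oplus F_K(\mathrm{nonce})$, the adversary obtains $q$ tags under distinct nonces and makes $v$ verification attempts, and $F_K$ is instantiated with AES.

$$
\mathrm{Adv}^{\mathrm{forge}}(A)
\;\le\;
\underbrace{v\,\epsilon}_{\text{forgery bound with a uniform random function}}
\;+\;
\underbrace{\mathrm{Adv}^{\mathrm{prp}}_{\mathrm{AES}}(B)}_{\text{AES distinguishing probability}}
\;+\;
\underbrace{\frac{(q+v)^2}{2^{\,n+1}}}_{\text{random function} \to \text{random permutation}}
$$

The first term is a bound on the differential (forgery) probability of $H$, which is the quantity a MAC proof needs; a bound on the collision probability of $H$ alone does not give it, which is the distinction the message turns on. The last term is the generic PRP/PRF switching cost; a sharper theorem specific to the permutation case may replace it with a smaller term, but a complete statement must account for that step explicitly rather than assert that such a theorem applies.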

_______________________________________________
Cfrg mailing list
Cfrg@ietf.org
https://www1.ietf.org/mailman/listinfo/cfrg