Re: [Cfrg] New UMAC Draft
"D. J. Bernstein" <djb@cr.yp.to> Fri, 30 September 2005 04:36 UTC
Date: Fri, 30 Sep 2005 04:36:34 -0000
Message-ID: <20050930043634.14126.qmail@cr.yp.to>
From: "D. J. Bernstein" <djb@cr.yp.to>
To: cfrg@ietf.org
Subject: Re: [Cfrg] New UMAC Draft
References: <9C49EC50-7BD8-49CB-9EC9-5A1B448E5C9A@acm.org>
Ted Krovetz writes:
> UMAC is rigorously proven.

I don't believe you. It seems possible, perhaps even likely, that such a proof exists; but it's also clear that you haven't done the work yet. The risk of error is still unacceptably high.

In October 2004 you claimed various ``rigorously proven'' bounds on the UMAC forgery probability. It's crystal clear that this claim was false; I'm sure that nobody knows how to prove those bounds; in fact, I think that your alleged bounds were flat-out wrong. (I'm reminded of the OAEP fiasco, where Bellare and your coauthor Rogaway claimed a security theorem that they weren't actually able to prove and that's now widely believed to be incorrect, although several applications of the claimed theorem were subsequently rescued by more sophisticated techniques.)

The problem wasn't that you tried to write a proof and made a mistake. The problem was that you didn't even bother writing a proof. You looked at the collision-probability bounds in Black's thesis; you incorrectly assumed that forgery probabilities can't exceed collision probabilities (as you now admit); and then you falsely stated that your bounds had been ``rigorously proven.''

The same problem exists now. You have new resources at your disposal, specifically a theorem that helps transfer some forgery-probability bounds from uniform random functions to uniform random permutations, but all you've done with those resources is assert that they're applicable. Saying ``Another result [2], when combined with [3, 6], shows that [blah blah blah]'' is a far cry from giving a rigorous proof. You haven't even given a careful _statement_ of your alleged security bounds; you've neglected to add the AES distinguishing probability, for example.

---D. J. Bernstein, Professor, Mathematics, Statistics, and Computer Science, University of Illinois at Chicago
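To make concrete what a careful statement of such a bound has to contain, the standard hybrid decomposition is written out below. This is an added illustration for the archive page, not part of Bernstein's message, the UMAC draft, or the papers it cites, and the symbols are assumptions of the illustration: $F$ is the keyed block cipher the MAC calls (AES in UMAC's case), $M[F]$ is the MAC built on it, $M[\$]$ is the same construction with $F$ replaced by a uniform random function, $A$ is a forger, $Q$ is the number of distinct block-cipher inputs the MAC evaluates while answering $A$'s signing and verification queries, and $n$ is the block size in bits.

```latex
% Step 1: replace the real cipher by a uniform random function.
% B is the PRF distinguisher that runs A, answers A's MAC queries
% with its own oracle, and outputs 1 exactly when A forges.
\mathrm{Adv}^{\mathrm{forge}}_{M[F]}(A)
  \;\le\;
  \mathrm{Adv}^{\mathrm{forge}}_{M[\$]}(A)
  \;+\;
  \mathrm{Adv}^{\mathrm{prf}}_{F}(B)

% Step 2: the PRF/PRP switching lemma moves from a random function
% to a random permutation, which is what a block cipher actually is.
\mathrm{Adv}^{\mathrm{prf}}_{F}(B)
  \;\le\;
  \mathrm{Adv}^{\mathrm{prp}}_{F}(B)
  \;+\;
  \frac{Q(Q-1)}{2^{\,n+1}}

% Combined statement, every term made explicit:
\mathrm{Adv}^{\mathrm{forge}}_{M[F]}(A)
  \;\le\;
  \underbrace{\mathrm{Adv}^{\mathrm{forge}}_{M[\$]}(A)}_{\text{needs a forgery proof}}
  \;+\;
  \underbrace{\mathrm{Adv}^{\mathrm{prp}}_{F}(B)}_{\text{AES distinguishing probability}}
  \;+\;
  \underbrace{\frac{Q(Q-1)}{2^{\,n+1}}}_{\text{function-to-permutation transfer}}
```

The three terms map onto the three complaints in the message. The first term is a forgery probability, not a hash collision probability; a collision bound on the underlying universal hash is an ingredient of the proof of this term, not a substitute for it. The second term is the cipher's own distinguishing advantage, which any statement about a real AES-based MAC must carry. The third term is the generic price of the switching lemma; a sharper transfer theorem can replace it with something smaller, but whichever transfer result is used, the claimed bound has to be stated with all its terms and the proof actually written down.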