IETF Logo Mail Archive

Re: [Cfrg] New UMAC Draft

"D. J. Bernstein" <djb@cr.yp.to> Fri, 30 September 2005 05:05 UTC

Received: from localhost.localdomain ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1ELD4y-0000Lm-4t; Fri, 30 Sep 2005 01:05:04 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1ELD4v-0000Kl-OG for cfrg@megatron.ietf.org; Fri, 30 Sep 2005 01:05:02 -0400
Received: from ietf-mx.ietf.org (ietf-mx [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id BAA06748 for <cfrg@ietf.org>; Fri, 30 Sep 2005 01:05:01 -0400 (EDT)
Received: from stoneport.math.uic.edu ([131.193.178.160]) by ietf-mx.ietf.org with smtp (Exim 4.43) id 1ELDCi-0002gX-F6 for cfrg@ietf.org; Fri, 30 Sep 2005 01:13:05 -0400
Received: (qmail 47622 invoked by uid 1016); 30 Sep 2005 05:05:18 -0000
Date: Fri, 30 Sep 2005 05:05:18 -0000
Message-ID: <20050930050518.47621.qmail@cr.yp.to>
Automatic-Legal-Notices: See http://cr.yp.to/mailcopyright.html.
From: "D. J. Bernstein" <djb@cr.yp.to>
To: cfrg@ietf.org
Subject: Re: [Cfrg] New UMAC Draft
References: <9C49EC50-7BD8-49CB-9EC9-5A1B448E5C9A@acm.org> <da7b3ce305092814475736ed58@mail.gmail.com> <4358EF0B-3ED3-403F-A74C-50863872A51A@acm.org> <9C49EC50-7BD8-49CB-9EC9-5A1B448E5C9A@acm.org> <da7b3ce305092814475736ed58@mail.gmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 0bc60ec82efc80c84b8d02f4b0e4de22
X-BeenThere: cfrg@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:cfrg@ietf.org>
List-Help: <mailto:cfrg-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@ietf.org?subject=subscribe>
Sender: cfrg-bounces@ietf.org
Errors-To: cfrg-bounces@ietf.org

Hal Finney writes:
> For reasons which are not completely clear to me, implementations of
> this idea like UMAC and Dan Bernstein's Poly1305-AES substitute a
> random permutation p(nonce) for the random function f(nonce).

The reason is simple: We're taking advantage of the community's (perhaps
misplaced) trust in the security of a block cipher, namely AES.

I suspect that future cryptographers will regard the notion of a block
cipher as a historical accident, not something to actually be deployed
in any sort of cryptographic protocol. Using Poly1305 with a stream
cipher is easy: insert 128 blank bits at the beginning of the message
being encrypted, and steal those 128 bits of ciphertext for Poly1305.

Ted Krovetz writes:
> What Bernstein's theorem says  is that it does not matter HOW the
> function f is used, but instead  HOW MANY times it is used.

It's certainly true that the main parameters in the theorem are the
maximum number of f applications and the size of f's domain. However, to
apply the theorem, you also need a bound on Pr[A(f) = 1]; and producing
that bound requires knowing how f can be used by the algorithm A.

I agree that splitting isn't inherently a problem. The real question is
how UMAC chooses oracle inputs.

---D. J. Bernstein, Professor, Mathematics, Statistics,
and Computer Science, University of Illinois at Chicago

_______________________________________________
Cfrg mailing list
Cfrg@ietf.org
https://www1.ietf.org/mailman/listinfo/cfrg

v2.23.0 | Report a Bug | By Email