Re: [Cfrg] New UMAC Draft
"D. J. Bernstein" <djb@cr.yp.to> Fri, 30 September 2005 05:05 UTC
Received: from localhost.localdomain ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1ELD4y-0000Lm-4t; Fri, 30 Sep 2005 01:05:04 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1ELD4v-0000Kl-OG for cfrg@megatron.ietf.org; Fri, 30 Sep 2005 01:05:02 -0400
Received: from ietf-mx.ietf.org (ietf-mx [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id BAA06748 for <cfrg@ietf.org>; Fri, 30 Sep 2005 01:05:01 -0400 (EDT)
Received: from stoneport.math.uic.edu ([131.193.178.160]) by ietf-mx.ietf.org with smtp (Exim 4.43) id 1ELDCi-0002gX-F6 for cfrg@ietf.org; Fri, 30 Sep 2005 01:13:05 -0400
Received: (qmail 47622 invoked by uid 1016); 30 Sep 2005 05:05:18 -0000
Date: Fri, 30 Sep 2005 05:05:18 -0000
Message-ID: <20050930050518.47621.qmail@cr.yp.to>
Automatic-Legal-Notices: See http://cr.yp.to/mailcopyright.html.
From: "D. J. Bernstein" <djb@cr.yp.to>
To: cfrg@ietf.org
Subject: Re: [Cfrg] New UMAC Draft
References: <9C49EC50-7BD8-49CB-9EC9-5A1B448E5C9A@acm.org> <da7b3ce305092814475736ed58@mail.gmail.com> <4358EF0B-3ED3-403F-A74C-50863872A51A@acm.org> <9C49EC50-7BD8-49CB-9EC9-5A1B448E5C9A@acm.org> <da7b3ce305092814475736ed58@mail.gmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 0bc60ec82efc80c84b8d02f4b0e4de22
X-BeenThere: cfrg@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:cfrg@ietf.org>
List-Help: <mailto:cfrg-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@ietf.org?subject=subscribe>
Sender: cfrg-bounces@ietf.org
Errors-To: cfrg-bounces@ietf.org
Hal Finney writes: > For reasons which are not completely clear to me, implementations of > this idea like UMAC and Dan Bernstein's Poly1305-AES substitute a > random permutation p(nonce) for the random function f(nonce). The reason is simple: We're taking advantage of the community's (perhaps misplaced) trust in the security of a block cipher, namely AES. I suspect that future cryptographers will regard the notion of a block cipher as a historical accident, not something to actually be deployed in any sort of cryptographic protocol. Using Poly1305 with a stream cipher is easy: insert 128 blank bits at the beginning of the message being encrypted, and steal those 128 bits of ciphertext for Poly1305. Ted Krovetz writes: > What Bernstein's theorem says is that it does not matter HOW the > function f is used, but instead HOW MANY times it is used. It's certainly true that the main parameters in the theorem are the maximum number of f applications and the size of f's domain. However, to apply the theorem, you also need a bound on Pr[A(f) = 1]; and producing that bound requires knowing how f can be used by the algorithm A. I agree that splitting isn't inherently a problem. The real question is how UMAC chooses oracle inputs. ---D. J. Bernstein, Professor, Mathematics, Statistics, and Computer Science, University of Illinois at Chicago _______________________________________________ Cfrg mailing list Cfrg@ietf.org https://www1.ietf.org/mailman/listinfo/cfrg
- [Cfrg] New UMAC Draft Ted Krovetz
- Fwd: [Cfrg] New UMAC Draft Hal Finney
- Re: [Cfrg] New UMAC Draft Ted Krovetz
- Re: [Cfrg] New UMAC Draft D. J. Bernstein
- Re: [Cfrg] New UMAC Draft D. J. Bernstein
- Re: [Cfrg] New UMAC Draft David McGrew
- Re: [Cfrg] New UMAC Draft Ted Krovetz
- Re: [Cfrg] New UMAC Draft Hal Finney
- Re: [Cfrg] New UMAC Draft Hal Finney
- Re: [Cfrg] New UMAC Draft Ted Krovetz
- Re: [Cfrg] New UMAC Draft Mark Baugher
- Re: [Cfrg] New UMAC Draft D. J. Bernstein
- Re: [Cfrg] New UMAC Draft D. J. Bernstein
- Re: [Cfrg] New UMAC Draft Hugo Krawczyk
- Re: [Cfrg] New UMAC Draft Ted Krovetz
- Re: [Cfrg] New UMAC Draft D. J. Bernstein
- Re: [Cfrg] New UMAC Draft Ted Krovetz
- Re: [Cfrg] New UMAC Draft D. J. Bernstein
- [Cfrg] An attack violating the UMAC security clai… D. J. Bernstein
- Re: [Cfrg] An attack violating the UMAC security … David McGrew
- Re: [Cfrg] An attack violating the UMAC security … D. J. Bernstein
- Re: [Cfrg] An attack violating the UMAC security … John Wilkinson
- Re: [Cfrg] An attack violating the UMAC security … David McGrew
- Re: [Cfrg] An attack violating the UMAC security … D. J. Bernstein
- Re: [Cfrg] An attack violating the UMAC security … canetti
- Re: [Cfrg] An attack violating the UMAC security … D. J. Bernstein
- Re: [Cfrg] An attack violating the UMAC security … canetti
- Re: [Cfrg] An attack violating the UMAC security … D. J. Bernstein