Re: [Cfrg] UMAC draft version 06

canetti <canetti@watson.ibm.com> Fri, 21 October 2005 03:16 UTC

Date: Thu, 20 Oct 2005 23:15:51 -0400
From: canetti <canetti@watson.ibm.com>
To: Ted Krovetz <tdk@csus.edu>
Subject: Re: [Cfrg] UMAC draft version 06

Thanks Ted for the clarifying note. I agree that not mentioning the
precise 2.01 factor in the introduction is a reasonable move.

One thing regarding your note: I wouldn't treat the delta factor as
generically insignificant. It may be insignificant, or it may be very
significant... we don't know...

Ran


On Thu, 20 Oct 2005, Ted Krovetz wrote:

> > [The introduction] omits the factor 2.01, and thus misstates the
> > conclusions of the security analysis.
>
> We have striven to make the I-D readable to a broad audience and to
> make the introduction simpler than the security considerations. In
> past drafts, this translated to saying in the introduction that UMAC
> had forgery probabilities no more than 2^-30i and saying in the
> security section that so long as AES was secure that forgery
> probabilities were no more than 2^-30i. This gets the basic message
> across (longer tags give proportionally lower forgery probability),
> and the sophisticated reader of the security section would infer the
> AES-delta-term's existence.
>
> This wasn't "honest" enough for many, so we have changed our
> presentation. Now the introduction says forgery probability is 2^-30i
> + delta where value delta "measures the security of the pseudorandom
> function." Here delta is a general term that includes anything
> related to breaking AES. Making a more explicit claim of 2^-30i +
> 3*delta would probably make things less clear for those who simply
> read introductions. The security section is now more explicit saying
> that forgery probabilities are no more than 2^-30i + 3*delta, and it
> gives a more explicit discussion of delta. [See footnote.]
>
> This more simplistic use of a delta term in the introduction along
> with a more precise usage in the security section seems reasonable
> and appropriate.
>
> Our core claim has not changed over any of these drafts: So long as
> AES is not broken, UMAC forgery probability is no more than 2^-30i.
>
> -Ted
>
> [Footnote.] The 3*delta term could be written
> 1.01*(delta(2^64)+delta(82)), where delta(q) is PRP distinguishing
> probability over q
> queries. This would make the 3*delta term much closer to 1*delta(q)
> than 3*delta(q), but we didn't want any ugly terms in the I-D so we
> wrote 3*delta. If delta is generally considered insignificant, so
> should 3*delta.
>
> _______________________________________________
> Cfrg mailing list
> Cfrg@ietf.org
> https://www1.ietf.org/mailman/listinfo/cfrg
>
