Re: [Cfrg] New UMAC Draft
"D. J. Bernstein" <djb@cr.yp.to> Sun, 02 October 2005 00:21 UTC
Date: Sun, 02 Oct 2005 00:22:01 -0000
Message-ID: <20051002002201.91569.qmail@cr.yp.to>
Automatic-Legal-Notices: See http://cr.yp.to/mailcopyright.html.
From: "D. J. Bernstein" <djb@cr.yp.to>
To: cfrg@ietf.org
Subject: Re: [Cfrg] New UMAC Draft
References: <89E8D8B7-3B23-4BBF-87B8-E2B73093DC3D@csus.edu>
Ted Krovetz writes:
> On September 9, Russ Housley asked if there were any
> ``cryptographic concerns'' with UMAC.

I find myself extremely skeptical of your claimed bounds on the attacker's single-forgery probability against UMAC: 2^(-30), 2^(-60), 2^(-90), and 2^(-120).

Would you be surprised if I told you that I have an attack achieving a larger forgery probability? How about much larger?

It is thoroughly irresponsible of you to claim ``rigorously proven'' bounds that you have not, in fact, proven. This is not merely a question of dotting the i's and crossing the t's; there is a very important piece of the proof that you obviously haven't even tried to do.

It is not _my_ responsibility to demonstrate that your bounds are wrong. It is _your_ responsibility to avoid making unjustified claims.

Suppose that a user chooses UMAC-128 on the basis of your ``rigorously proven'' 2^(-120) bound on the probability of a forgery succeeding, and then that bound turns out to be incorrect; wouldn't you be ashamed for having misled the user?

I am _not_ saying that UMAC is easily breakable. UMAC is close to Gilbert-MacWilliams-Sloane, and I'm willing to believe that the changes don't destroy security. However, I find myself extremely skeptical of your specific quantitative claims of forgery-probability bounds.

> Clearly you believe that an \e-SU hash family wed with AES makes a
> good MAC (witness Poly1305-AES).

The Poly1305-AES paper gives a precise statement and proof of the Poly1305-AES security bound. If you're going to claim a security bound then you need to show us a proof.

Your UMAC security claim is as follows, for each n in {1,2,3,4}:

Claimed theorem. An attack against UMAC-32n using at most 2^64 chosen messages and one forgery attempt cannot have success probability larger than 2^{-30n}, if AES is secure.

Please define ``secure'' and then show us the proof of this claimed forgery-probability bound.

---D. J. Bernstein, Professor, Mathematics, Statistics, and Computer Science, University of Illinois at Chicago

_______________________________________________
Cfrg mailing list
Cfrg@ietf.org
https://www1.ietf.org/mailman/listinfo/cfrg