Re: [Cfrg] New UMAC Draft

"D. J. Bernstein" <djb@cr.yp.to> Sun, 02 October 2005 00:21 UTC

Date: Sun, 02 Oct 2005 00:22:01 -0000
Message-ID: <20051002002201.91569.qmail@cr.yp.to>
Automatic-Legal-Notices: See http://cr.yp.to/mailcopyright.html.
From: "D. J. Bernstein" <djb@cr.yp.to>
To: cfrg@ietf.org
Subject: Re: [Cfrg] New UMAC Draft
References: <89E8D8B7-3B23-4BBF-87B8-E2B73093DC3D@csus.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline

Ted Krovetz writes:
> On September 9, Russ Housley asked if there were any
> ``cryptographic concerns'' with UMAC.

I find myself extremely skeptical of your claimed bounds on the
attacker's single-forgery probability against UMAC: 2^(-30), 2^(-60),
2^(-90), and 2^(-120). Would you be surprised if I told you that I have
an attack achieving a larger forgery probability? How about much larger?

It is thoroughly irresponsible of you to claim ``rigorously proven''
bounds that you have not, in fact, proven. This is not merely a question
of dotting the i's and crossing the t's; there is a very important piece
of the proof that you obviously haven't even tried to do.

It is not _my_ responsibility to demonstrate that your bounds are wrong.
It is _your_ responsibility to avoid making unjustified claims. Suppose
that a user chooses UMAC-128 on the basis of your ``rigorously proven''
2^(-120) bound on the probability of a forgery succeeding, and then that
bound turns out to be incorrect; wouldn't you be ashamed for having
misled the user?

I am _not_ saying that UMAC is easily breakable. UMAC is close to
Gilbert-MacWilliams-Sloane, and I'm willing to believe that the changes
don't destroy security. However, I find myself extremely skeptical of
your specific quantitative claims of forgery-probability bounds.

> Clearly you believe that an \e-SU hash family wed with AES makes a
> good MAC (witness Poly1305-AES).

The Poly1305-AES paper gives a precise statement and proof of the
Poly1305-AES security bound.

If you're going to claim a security bound then you need to show us a
proof. Your UMAC security claim is as follows, for each n in {1,2,3,4}:

   Claimed theorem. An attack against UMAC-32n using at most 2^64 chosen
   messages and one forgery attempt cannot have success probability
   larger than 2^{-30n}, if AES is secure.

Please define ``secure'' and then show us the proof of this claimed
forgery-probability bound.

---D. J. Bernstein, Professor, Mathematics, Statistics,
and Computer Science, University of Illinois at Chicago

_______________________________________________
Cfrg mailing list
Cfrg@ietf.org
https://www1.ietf.org/mailman/listinfo/cfrg
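The message above argues about a claimed forgery-probability bound without showing the terms a proof would have to account for. The following script is an added illustration, not part of the original message, of the UMAC draft, or of the Poly1305-AES paper: it evaluates the textbook Wegman-Carter analysis of a MAC built from an epsilon-almost-universal hash and a 128-bit block cipher used as a pad. That generic analysis has three terms: D times epsilon for the hash, the cipher's PRP-distinguishing advantage (assumed to be 0 here, i.e. AES treated as a perfect permutation), and the PRP/PRF switching term q(q-1)/2^129 for q = C + D queries, which appears because a random permutation is not a random function. The parameters plugged in are the ones in the claimed theorem quoted in the message (UMAC-32n, epsilon = 2^-30n, C = 2^64 chosen messages, D = 1 forgery attempt); the function and variable names are this example's own. The script says nothing about what the UMAC draft's proof actually does; it only shows how large each generic term is at those parameters.

```python
from fractions import Fraction
from math import log2

BLOCK_BITS = 128  # AES block size; the pad is one AES output per nonce


def switching_term(q, n=BLOCK_BITS):
    """PRP/PRF switching lemma: distinguishing a random n-bit permutation
    from a random n-bit function with q queries succeeds with probability
    at most q(q-1)/2^(n+1). Returned exactly as a Fraction."""
    return Fraction(q * (q - 1), 2 ** (n + 1))


def wegman_carter_terms(eps, num_messages, num_forgeries, prp_adv=Fraction(0)):
    """Generic Wegman-Carter forgery bound over a PRP-based pad:
         D*eps + Adv_prp(C+D) + switching(C+D)
    where eps is the hash family's collision (almost-universal) bound,
    C = num_messages chosen by the attacker, D = num_forgeries attempts.
    Adv_prp is an assumption supplied by the caller (0 = ideal cipher)."""
    q = num_messages + num_forgeries
    hash_term = num_forgeries * Fraction(eps)
    switch = switching_term(q)
    return {
        "hash": hash_term,
        "prp": Fraction(prp_adv),
        "switching": switch,
        "total": hash_term + Fraction(prp_adv) + switch,
    }


def claimed_umac_bound(n):
    """The bound quoted in the message for UMAC-32n: 2^(-30n)."""
    return Fraction(1, 2 ** (30 * n))


def umac_generic_terms(n, num_messages=2 ** 64, num_forgeries=1):
    """Plug the claimed theorem's parameters (eps = 2^-30n, C = 2^64, D = 1)
    into the generic analysis. eps = 2^-30n is taken from the quoted claim,
    not derived here (assumption)."""
    return wegman_carter_terms(claimed_umac_bound(n), num_messages, num_forgeries)


def log2_of(x):
    """log2 of a Fraction, for readable output."""
    return log2(float(x))


if __name__ == "__main__":
    for n in (1, 2, 3, 4):
        terms = umac_generic_terms(n)
        print(f"UMAC-{32 * n}: claimed 2^{log2_of(claimed_umac_bound(n)):.0f}, "
              f"generic total 2^{log2_of(terms['total']):.2f} "
              f"(switching term 2^{log2_of(terms['switching']):.2f})")
    # With far fewer chosen messages the switching term becomes negligible.
    small = umac_generic_terms(4, num_messages=2 ** 32)
    print(f"UMAC-128 with C=2^32: total 2^{log2_of(small['total']):.2f}")
```

At C = 2^64 the switching term alone is 1/2 - 2^-65, so the generic analysis gives a bound of roughly one half for every n, far from the quoted 2^-30n; at C = 2^32 it drops below 2^-64 and the hash term dominates. Any proof of a 2^-120 bound with 2^64 queries must therefore either avoid the PRP/PRF switch (as the Poly1305-AES paper does with a permutation-specific argument) or bound the pad differently, which is exactly the kind of step the message asks to see written down.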