Re: [Cfrg] UMAC draft version 06

Ted Krovetz writes:
> This gets the basic message  across (longer tags give proportionally
> lower forgery probability),

That message is horribly misleading. It makes users think, incorrectly,
that UMAC-128 is a billion times harder to break than UMAC-96. In fact,
for a small number of messages, current attacks on UMAC-128 have almost
exactly the _same_ success probability as current attacks on UMAC-96---
and it isn't possible for better attacks to increase the ratio, unless
there's a huge error in the UMAC security claims.

> Our core claim has not changed over any of these drafts: So long as  
> AES is not broken, UMAC forgery probability is no more than 2^-30i.

That core claim is horribly misleading. It makes the reader think,
incorrectly, that the UMAC-128 (single-)forgery probability is no more
than 1/2^120. In fact, the UMAC-128 forgery probability is billions of
times larger than 1/2^120.

> The 3*delta term could be written 1.01*(delta(2^64)+delta 
> (82)), where delta(q) is PRP distinguishing probability over q  
> queries. This would make the 3*delta term much closer to 1*delta(q)  
> than 3*delta(q)

No! An attacker who does just _one_ query and searches through 2^50 keys
achieves delta(1) very close to 2^50/2^128. Obviously delta(2^64) and
delta(82) are at least delta(1), so if you're adding both delta(2^64)
and delta(82) then you have to add at least _two_ times this 2^50/2^128.

Even if your current security ``proof'' (which is far below contemporary
standards of rigor in security proofs) is correct, it doesn't justify
claiming an addition of just 1 times delta.

---D. J. Bernstein, Professor, Mathematics, Statistics,
and Computer Science, University of Illinois at Chicago

_______________________________________________
Cfrg mailing list
Cfrg@ietf.org
https://www1.ietf.org/mailman/listinfo/cfrg