Re: [Cfrg] UMAC draft version 06
"D. J. Bernstein" <djb@cr.yp.to> Thu, 20 October 2005 21:29 UTC
Received: from localhost.localdomain ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1EShyZ-0001YR-J5; Thu, 20 Oct 2005 17:29:27 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1EShmf-0005qw-SB for cfrg@megatron.ietf.org; Thu, 20 Oct 2005 17:17:10 -0400
Received: from ietf-mx.ietf.org (ietf-mx [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id RAA07537 for <cfrg@ietf.org>; Thu, 20 Oct 2005 17:16:55 -0400 (EDT)
Received: from stoneport.math.uic.edu ([131.193.178.160]) by ietf-mx.ietf.org with smtp (Exim 4.43) id 1EShyb-0004oP-VM for cfrg@ietf.org; Thu, 20 Oct 2005 17:29:30 -0400
Received: (qmail 75919 invoked by uid 1016); 20 Oct 2005 21:17:20 -0000
Date: Thu, 20 Oct 2005 21:17:20 -0000
Message-ID: <20051020211720.75918.qmail@cr.yp.to>
Automatic-Legal-Notices: See http://cr.yp.to/mailcopyright.html.
From: "D. J. Bernstein" <djb@cr.yp.to>
To: cfrg@ietf.org
Subject: Re: [Cfrg] UMAC draft version 06
References: <8622D330-0138-4800-92E9-CF221BAB0FBF@csus.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
X-Spam-Score: 0.0 (/)
X-Scan-Signature: bb8f917bb6b8da28fc948aeffb74aa17
X-BeenThere: cfrg@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:cfrg@ietf.org>
List-Help: <mailto:cfrg-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@ietf.org?subject=subscribe>
Sender: cfrg-bounces@ietf.org
Errors-To: cfrg-bounces@ietf.org
Ted Krovetz writes: > This gets the basic message across (longer tags give proportionally > lower forgery probability), That message is horribly misleading. It makes users think, incorrectly, that UMAC-128 is a billion times harder to break than UMAC-96. In fact, for a small number of messages, current attacks on UMAC-128 have almost exactly the _same_ success probability as current attacks on UMAC-96--- and it isn't possible for better attacks to increase the ratio, unless there's a huge error in the UMAC security claims. > Our core claim has not changed over any of these drafts: So long as > AES is not broken, UMAC forgery probability is no more than 2^-30i. That core claim is horribly misleading. It makes the reader think, incorrectly, that the UMAC-128 (single-)forgery probability is no more than 1/2^120. In fact, the UMAC-128 forgery probability is billions of times larger than 1/2^120. > The 3*delta term could be written 1.01*(delta(2^64)+delta > (82)), where delta(q) is PRP distinguishing probability over q > queries. This would make the 3*delta term much closer to 1*delta(q) > than 3*delta(q) No! An attacker who does just _one_ query and searches through 2^50 keys achieves delta(1) very close to 2^50/2^128. Obviously delta(2^64) and delta(82) are at least delta(1), so if you're adding both delta(2^64) and delta(82) then you have to add at least _two_ times this 2^50/2^128. Even if your current security ``proof'' (which is far below contemporary standards of rigor in security proofs) is correct, it doesn't justify claiming an addition of just 1 times delta. ---D. J. Bernstein, Professor, Mathematics, Statistics, and Computer Science, University of Illinois at Chicago _______________________________________________ Cfrg mailing list Cfrg@ietf.org https://www1.ietf.org/mailman/listinfo/cfrg
- [Cfrg] UMAC draft version 06 David McGrew
- Re: [Cfrg] UMAC draft version 06 D. J. Bernstein
- [Cfrg] UMAC draft version 06 David Wagner
- Re: [Cfrg] UMAC draft version 06 John Wilkinson
- Re: [Cfrg] UMAC draft version 06 canetti
- Re: [Cfrg] UMAC draft version 06 D. J. Bernstein
- Re: [Cfrg] UMAC draft version 06 canetti
- Re: [Cfrg] UMAC draft version 06 D. J. Bernstein
- Re: [Cfrg] UMAC draft version 06 Hugo Krawczyk
- Re: [Cfrg] UMAC draft version 06 canetti
- Re: [Cfrg] UMAC draft version 06 D. J. Bernstein
- Re: [Cfrg] UMAC draft version 06 D. J. Bernstein
- Re: [Cfrg] UMAC draft version 06 Ted Krovetz
- [Cfrg] UMAC draft version 06 David Wagner
- Re: [Cfrg] UMAC draft version 06 D. J. Bernstein
- Re: [Cfrg] UMAC draft version 06 D. J. Bernstein
- [Cfrg] UMAC draft version 06 David Wagner
- Re: [Cfrg] UMAC draft version 06 canetti