Re: [Cfrg] UMAC draft version 06

"D. J. Bernstein" <djb@cr.yp.to> Thu, 20 October 2005 08:17 UTC

Date: Thu, 20 Oct 2005 08:17:29 -0000
Message-ID: <20051020081729.68175.qmail@cr.yp.to>
Automatic-Legal-Notices: See http://cr.yp.to/mailcopyright.html.
From: "D. J. Bernstein" <djb@cr.yp.to>
To: cfrg@ietf.org
Subject: Re: [Cfrg] UMAC draft version 06
References: <20051019084840.22903.qmail@cr.yp.to> <Pine.GSO.4.44_heb2.09.0510191718160.28450-100000@ee.technion.ac.il>

Hugo Krawczyk writes:
> There were NO new security claims nor new proofs since Ted's thesis
> which has been in the public domain since 2000

False. Consider, for example, the following security claim appearing in
draft-krovetz-umac-05.txt, shortly after the claim that UMAC ``has been
rigorously proven to be secure'':

   When UMAC produces 32-, 64-, 96- or 128-bit tags, the probability
   that an attacker can produce a correct tag for any message of its
   choosing is no more than 1/2^30, 1/2^60, 1/2^90 or 1/2^120,
   respectively.

This is just one of many UMAC security claims that did not appear in the
2000 Krovetz thesis. In fact, if you look at the Krovetz thesis, you
won't find _any_ proofs of bounds on UMAC forgery probabilities! As
David Wagner put it: ``There are some claims and proofs about the UMAC
2-universal hash, but that's just a component in the UMAC authentication
scheme.''

Let me also emphasize that the above security claim is false. I've
already given a detailed explanation of a fast attack that indisputably
has much larger success probability against UMAC-128. This is an
illustration of the importance of reviewing security claims.

> The only adjustment we did recently is to move our PRF-based
> quantification to PRP-based using your recent results.

No, that's not the only ``adjustment'' you did recently. You've removed
quite a few false and questionable security claims---while failing to
state for the record that you are no longer making those claims---and
replaced them with different security claims. The new claims need
review, just as the old ones did.

---D. J. Bernstein, Professor, Mathematics, Statistics,
and Computer Science, University of Illinois at Chicago

_______________________________________________
Cfrg mailing list
Cfrg@ietf.org
https://www1.ietf.org/mailman/listinfo/cfrg