Re: [Cfrg] New UMAC Draft
Ted Krovetz <tdk@csus.edu> Fri, 30 September 2005 15:14 UTC
To: cfrg@ietf.org
From: Ted Krovetz <tdk@csus.edu>
Subject: Re: [Cfrg] New UMAC Draft
Date: Fri, 30 Sep 2005 08:14:11 -0700
Lest anyone think we "haven't done the work yet", I am willing to continue to engage Bernstein further in this discussion.

> > UMAC is rigorously proven.
>
> I don't believe you. It seems possible, perhaps even likely, that
> such a proof exists; but it's also clear that you haven't done the
> work yet.

Please tell me which of the following is not true:

- Suppose H is a \e-SU hash family with each h \in H returning n bits, further suppose that h is randomly chosen from H and f is a randomly chosen function returning n bits. Then, the probability an attacker could forge against h(msg) xor f(nonce) is at most \e.

- Since UHASH is \e-SU, this bound holds for UMAC when UMAC is used with a random function.

- Let A be an algorithm that is given random function \rho with 128-bit outputs and inputs. Let A run an attacker on UMAC-64 and let A simulate UMAC-64 for the attacker using \rho instead of AES. Let A output 1 if the attacker forges. We know that the probability of success here is no more than 2^{-61} (for the sake of argument) in the attacker's forgery attempt. This means A outputs 1 with probability no more than 2^{-61}. Let's say the attacker sees 2^i MACs along the way (meaning no more than 2^i \rho invocations). Then, Bernstein's theorem says that if we substitute random permutation \pi for \rho, then A will output 1 (indicating forgery success) with probability no more than (1 - 2^{i-128})^{2^{i-1}} 2^{-61} < 2^{-60} for i <= 64.

Thank you,
Ted Krovetz
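The closing inequality of the third point, worked through as an added derivation (editor's note, not part of Krovetz's message). It assumes the PRF-to-PRP switching bound in the form Pr[A outputs 1 under \pi] <= Pr[A outputs 1 under \rho] * (1 - (q-1)/2^n)^{-q/2}, with q = 2^i oracle queries and n = 128:

  (1 - (q-1)/2^n)^{-q/2}
      = exp( -(q/2) * ln(1 - (q-1)/2^n) )
     <= exp( (q/2) * ((q-1)/2^n) / (1 - (q-1)/2^n) )     [since -ln(1-x) <= x/(1-x) for 0 <= x < 1]
      < exp( 2^{2i-129} / (1 - 2^{i-128}) )              [since (q/2)(q-1) < q^2/2 = 2^{2i-1}]
     <= exp( (1/2) / (1 - 2^{-64}) )                     [for i <= 64]
      < e^{0.51}
      < 2,

so for i <= 64 the forgery probability against the \pi-based scheme is below 2 * 2^{-61} = 2^{-60}. The factor only crosses 2 once the exponent 2^{2i-129} reaches ln 2, i.e. once the query count exceeds about 2^{64.2}; that is where the 2^{-60} claim stops following from the 2^{-61} random-function bound.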