Re: [Cfrg] UMAC security proof posted

Ted Krovetz <tdk@csus.edu> Fri, 07 October 2005 14:09 UTC

In-Reply-To: <200510062237.PAA09636@csus.edu>
References: <200510062237.PAA09636@csus.edu>
Content-Type: text/plain; charset="US-ASCII"; delsp="yes"; format="flowed"
Message-Id: <24B8CD78-A41A-4DA1-A9F1-D59F0F63D00A@csus.edu>
Content-Transfer-Encoding: 7bit
From: Ted Krovetz <tdk@csus.edu>
Subject: Re: [Cfrg] UMAC security proof posted
Date: Fri, 07 Oct 2005 07:09:02 -0700
To: cfrg@ietf.org

Some facts to try to refocus onto the UMAC draft:

- UMAC offers 2^-30i forgery probability so long as AES is secure. This claim is stable and has not changed in years. We have modified the draft to include a 2^64 message limit and will soon include "delta" terms to make more explicit what we mean by "so long as AES is secure".

- UMAC offers a choice in tag length. It is up to the security architect to choose a risk/performance tradeoff. We are clear in the draft both that forgery probability grows linearly with the number of attempts and that one forgery may mean subsequent forgeries are easy. We are changing the language in the draft from saying 64 bits is appropriate for "most applications" to saying 64 bits is appropriate for "many applications". Since key discovery after a session has expired is of no value and many (maybe most) sessions are short-lived, it is undoubtedly true that 2^-60 security is sufficient for many applications. That was the only place in the draft that we made an explicit recommendation of 64-bit tags.

-Ted Krovetz

PS -- An apology. In my apoplexy over a bogus claim that our proof showed only a D * (2^-30i + delta) forgery probability over D attempts rather than the intended (D * 2^-30i) + delta, I mistakenly referenced BGM04, which says nothing about this situation. It is well known and proved several times (including in Bernstein's work) that the uni-valued MACs have the better bound.
