RE: [TLS] Truncated HMAC recommendation

"Blumenthal, Uri" <uri.blumenthal@intel.com> Mon, 27 November 2006 20:55 UTC

> But if you truncate it to half-length, two
> MACs are enough to allow verification of a
> guess with high probability. I don't think
> this is a significant gain.

Cryptologic science disagrees with you. 

If your MAC size is N bits and your key size is K bits, then you need
K/N known pairs of message <-> MAC in order to verify your guess of the
key (I wonder why you think that just two MACs are enough if you leave
only half of the MAC bits). Among other sources, see
<http://www.cosic.esat.kuleuven.be/publications/thesis-16.pdf> (page
15).

_______________________________________________
TLS mailing list
TLS@lists.ietf.org
https://www1.ietf.org/mailman/listinfo/tls
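
A toy illustration of the K/N estimate in the message above, added here and not part of the original post: it enumerates every key in a small key space and counts how many guesses remain consistent with each additional known message <-> MAC pair. The 16-bit key space, the 4-bit truncation of HMAC-SHA-256, the key value and the messages are all assumptions chosen so the search finishes instantly.

```python
import hashlib
import hmac

K_BITS = 16   # toy key size (assumption; real keys are far too long to enumerate)
N_BITS = 4    # truncated tag length in bits (assumption)


def tag(key: int, msg: bytes, n_bits: int = N_BITS) -> int:
    """HMAC-SHA-256 over msg, truncated to its leftmost n_bits bits."""
    digest = hmac.new(key.to_bytes(2, "big"), msg, hashlib.sha256).digest()
    return int.from_bytes(digest, "big") >> (256 - n_bits)


def surviving_guesses(true_key: int, n_pairs: int, n_bits: int = N_BITS):
    """Filter all 2^K candidate keys against successive known (message, tag) pairs.

    Returns (counts, survivors): counts[i] is the number of candidates still
    consistent after i+1 pairs; survivors is the final candidate list.
    """
    candidates = range(2 ** K_BITS)
    counts = []
    for i in range(n_pairs):
        msg = b"constructed message %d" % i      # constructed sample input
        observed = tag(true_key, msg, n_bits)    # the tag seen on the wire
        candidates = [k for k in candidates if tag(k, msg, n_bits) == observed]
        counts.append(len(candidates))
    return counts, candidates


if __name__ == "__main__":
    counts, survivors = surviving_guesses(true_key=0xBEEF, n_pairs=12)
    for i, c in enumerate(counts, start=1):
        # Each pair removes about N bits of uncertainty about the key.
        estimate = max(1.0, 2 ** (K_BITS - N_BITS * i))
        print(f"pairs={i:2d}  consistent keys={c:5d}  (estimate about {estimate:g})")
    print("K/N =", K_BITS // N_BITS, "pairs")
    print("final survivors:", [hex(k) for k in survivors])
```

Each pair cuts the set of consistent guesses by roughly a factor of 2^N, so the count approaches one after about K/N pairs; a few extra pairs remove the last chance collisions.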