
Re: [Cfrg] Re: [saag] Bad day at the hash function factory

der Mouse writes:
> I'm not sure what this statement even _means_.

Any message-forgery attack against a polynomial-evaluation MAC using AES
can be turned into a comparably fast algorithm to predict AES, i.e., to
distinguish AES from a uniform random permutation. AES was explicitly
designed to be indistinguishable from a uniform random permutation.

See, e.g., Rogaway, ``Bucket hashing and its application to fast message
authentication,'' J. Cryptology 12 (1999), 91-115, Proposition 14; or my
new paper http://cr.yp.to/papers.html#securitywcs, particularly Theorem
5.4; or http://www.google.com/search?as_q=wegman+carter+authentication.

Are MACs, message-encryption functions, etc. different objects from
block ciphers? Of course. Are there separate definitions of breaking a
MAC, breaking a message-encryption function, and breaking AES? Yes. But
that doesn't stop us from proving that breaking various AES-based MACs
implies breaking AES, that breaking counter-mode AES implies breaking
AES, etc.

> For that matter, what's "GCM MAC"?

http://eprint.iacr.org/2004/193/

---D. J. Bernstein, Associate Professor, Department of Mathematics,
Statistics, and Computer Science, University of Illinois at Chicago
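Added example (not from Bernstein's post or the papers it cites): a toy Wegman-Carter MAC of the kind the reply describes, a polynomial-evaluation hash over GF(p) masked by one PRF output per nonce, with HMAC-SHA256 standing in for AES since it is what the standard library provides. `collision_keys` checks the fact the proof rests on, that two distinct messages hash alike under at most n+1 of the p keys; the prime P, the length-block padding and all names are assumptions.

```python
import hashlib
import hmac

# Field for the polynomial hash; a Mersenne prime keeps reduction cheap (assumption).
P = (1 << 127) - 1


def poly_hash(r, blocks, p=P):
    """H_r(m) = m_1*r^(n+1) + ... + m_n*r^2 + n*r  (mod p), by Horner's rule.

    The block count is appended as a final block so messages of different
    lengths cannot collide for every r (GCM's length block does the same job).
    For distinct messages, H_r(m) - H_r(m') is a nonzero polynomial of degree
    at most n+1, so it vanishes for at most n+1 keys r: the forgery bound.
    """
    acc = 0
    for m in list(blocks) + [len(blocks)]:
        acc = (acc + m) * r % p
    return acc


def prf(key, nonce, p=P):
    """Stand-in for AES_k(nonce): HMAC-SHA256 reduced into the field.
    Only the pseudorandomness of this function enters the security argument."""
    return int.from_bytes(hmac.new(key, nonce, hashlib.sha256).digest(), "big") % p


def wc_tag(r, key, nonce, blocks):
    """Wegman-Carter tag: hash under r, then add a fresh PRF mask.
    The nonce must never repeat under one key; the mask is one-time."""
    return (poly_hash(r, blocks) + prf(key, nonce)) % P


def wc_verify(r, key, nonce, blocks, tag):
    """Recompute the tag and compare in constant time; reject malformed tags."""
    if not 0 <= tag < P:
        return False
    expected = wc_tag(r, key, nonce, blocks).to_bytes(16, "big")
    return hmac.compare_digest(expected, tag.to_bytes(16, "big"))


def collision_keys(p, m1, m2):
    """Count keys r in GF(p) with H_r(m1) == H_r(m2), for a p small enough to
    enumerate the whole key space; the count is at most max(len)+1."""
    return sum(1 for r in range(p) if poly_hash(r, m1, p) == poly_hash(r, m2, p))
```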

_______________________________________________
Cfrg mailing list
Cfrg at ietf.org
https://www1.ietf.org/mailman/listinfo/cfrg