
universal MACs [was: Re: [Cfrg] Re: [saag] Bad day at the hash function factory]



Dan,

On Sep 26, 2004, at 12:50 PM, D. J. Bernstein wrote:

> A note to everyone using HMAC: Modern polynomial-evaluation MACs (such
> as GCM MAC) offer strong security guarantees (they're provably as secure
> as AES) and are faster than HMAC-SHA1.

Yes, thanks for pointing this out. It would be worth having a discussion on universal hash based message authentication on the CFRG list. (We should probably start a new thread for it too, so I've done that.) I know that several others in CFRG are interested in this sort of work. They'd probably also be interested in your recent announcement on "Stronger security bounds for Wegman-Carter-Shoup authenticators", http://cr.yp.to/papers.html#securitywcs.



> Some of them (not GCM MAC) are
> even faster than HMAC-MD5.

Do you mean "in software" here? As you know, the design target for GCM was high-speed authenticated encryption. Unlike much of the work that uses universal hashing, GCM aims to be implementable in hardware as well as software.


Some other hashes, like UMAC and hash127, are better in software. It would be great if CFRG could produce a specification for one or more of these functions. It should not be hard to get some others to verify the test vectors. I suspect that the group preference would be towards hash functions that are portable (e.g. fast on a wide variety of CPUs) and that require minimal per-key state. There may be other points of view; others please chime in if you have other priorities.

David


> ---D. J. Bernstein, Associate Professor, Department of Mathematics, Statistics, and Computer Science, University of Illinois at Chicago
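Added example (not code from this thread, from the GCM specification, or from any of the libraries mentioned): a Wegman-Carter MAC built on GHASH, the polynomial-evaluation hash that GCM uses, to make the "universal hash plus fresh pad" structure under discussion concrete. The GF(2^128) multiply follows GCM's bit ordering and is checked against the GHASH value of GCM test case 2 (H = AES-128 under the all-zero key applied to the zero block, one ciphertext block, no AAD). GCM XORs the hash with E_K(nonce); since the standard library has no AES, HMAC-SHA256 truncated to 128 bits stands in for the block cipher here, which is an assumption of this example, as are the key, nonce and message values in the demo. The last function shows the caveat behind the "provably as secure as the cipher" claim: the bound assumes the pad is never repeated, and for two single-block messages authenticated under the same pad the two tags give H directly (longer messages need a polynomial root instead of a square root, but leak H the same way).

```python
"""Wegman-Carter MAC over GHASH, the polynomial hash of GCM (added example)."""
import hashlib
import hmac
import struct

BLOCK = 16
R = 0xE1 << 120    # reduction constant for x^128 + x^7 + x^2 + x + 1, GCM bit order
ONE = 0x80 << 120  # multiplicative identity: coefficient of x^0 is the leftmost bit

# Constructed from GCM test case 2: H = AES-128_{0^128}(0^128), one ciphertext block.
H_TEST = bytes.fromhex("66e94bd4ef8a2c3b884cfa59ca342b2e")
C_TEST = bytes.fromhex("0388dace60b6a392f328c2b971b2fe78")


def gf128_mul(x: int, y: int) -> int:
    """Multiply in GF(2^128) with GCM's convention (bit 0 = leftmost bit)."""
    z, v = 0, x
    for i in range(128):
        if (y >> (127 - i)) & 1:   # bit i of y, counting from the left
            z ^= v
        v = (v >> 1) ^ R if v & 1 else v >> 1
    return z


def gf128_pow(x: int, e: int) -> int:
    """Square-and-multiply exponentiation in GF(2^128)."""
    result = ONE
    while e:
        if e & 1:
            result = gf128_mul(result, x)
        x = gf128_mul(x, x)
        e >>= 1
    return result


def gf128_inv(x: int) -> int:
    return gf128_pow(x, (1 << 128) - 2)   # x^(2^128 - 2) = x^-1 (0 maps to 0)


def gf128_sqrt(x: int) -> int:
    return gf128_pow(x, 1 << 127)         # squaring is a bijection in characteristic 2


def ghash(h: bytes, aad: bytes, data: bytes) -> bytes:
    """GHASH as in GCM: zero-pad aad and data to 16-byte blocks, absorb each
    block as x = (x ^ block) * H, then absorb the two 64-bit bit-lengths."""
    hk = int.from_bytes(h, "big")
    x = 0
    for chunk in (aad, data):
        padded = chunk + b"\x00" * (-len(chunk) % BLOCK)
        for i in range(0, len(padded), BLOCK):
            x = gf128_mul(x ^ int.from_bytes(padded[i:i + BLOCK], "big"), hk)
    lengths = struct.pack(">QQ", 8 * len(aad), 8 * len(data))
    x = gf128_mul(x ^ int.from_bytes(lengths, "big"), hk)
    return x.to_bytes(BLOCK, "big")


def pad_block(key: bytes, nonce: bytes) -> bytes:
    """Stand-in (assumption) for the block-cipher output E_K(nonce) that GCM
    XORs into the tag; any PRF with a fresh nonce per message gives a fresh pad."""
    return hmac.new(key, b"wc-pad" + nonce, hashlib.sha256).digest()[:BLOCK]


def wc_tag(key: bytes, h: bytes, nonce: bytes, aad: bytes, msg: bytes) -> bytes:
    """Wegman-Carter tag: universal hash of the message XOR a one-time pad."""
    return bytes(a ^ b for a, b in zip(ghash(h, aad, msg), pad_block(key, nonce)))


def wc_verify(key: bytes, h: bytes, nonce: bytes, aad: bytes, msg: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(wc_tag(key, h, nonce, aad, msg), tag)


def recover_h_from_pad_reuse(m1: bytes, t1: bytes, m2: bytes, t2: bytes) -> bytes:
    """Caveat: with the pad reused for two single-block messages (no AAD),
    GHASH(m) = m*H^2 + L*H with the same length block L, so
    t1 ^ t2 = (m1 ^ m2) * H^2 and H = sqrt((t1 ^ t2) / (m1 ^ m2))."""
    d_t = int.from_bytes(t1, "big") ^ int.from_bytes(t2, "big")
    d_m = int.from_bytes(m1, "big") ^ int.from_bytes(m2, "big")
    return gf128_sqrt(gf128_mul(d_t, gf128_inv(d_m))).to_bytes(BLOCK, "big")


if __name__ == "__main__":
    print("GHASH(test case 2) =", ghash(H_TEST, b"", C_TEST).hex())
    key, h, nonce = b"k" * 16, bytes(range(16), ), b"n" * 12   # constructed demo values
    tag = wc_tag(key, h, nonce, b"hdr", b"payload")
    print("verify ok:", wc_verify(key, h, nonce, b"hdr", b"payload", tag))
    m1, m2 = b"A" * 16, b"B" * 16
    leaked = recover_h_from_pad_reuse(m1, wc_tag(key, h, nonce, b"", m1),
                                      m2, wc_tag(key, h, nonce, b"", m2))
    print("H recovered from pad reuse:", leaked == h)
```

The hash key H and the pad key are separate inputs here on purpose: the universal-hash part carries the information-theoretic bound, the pad carries the cipher assumption, and the recovery function shows what is left once the pad stops being one-time.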



_______________________________________________
Cfrg mailing list
Cfrg at ietf.org
https://www1.ietf.org/mailman/listinfo/cfrg