
Re: [Cfrg] HMAC-MD5



I wouldn't recommend an emergency switch away from HMAC-MD5/HMAC-SHA1.
However, if people are looking at alternatives, are they aware that the
research community has found provably secure 128-bit Wegman-Carter MACs
_faster_ than HMAC-MD5? See

   http://cr.yp.to/mac/speed.html#graphs

for verification speed charts (packet size on the x axis from 0 bytes to
8192 bytes, time on the y axis from 0 cycles to 49152 cycles, diagonal 6
cycles per byte) for my public-domain Poly1305-AES software.

``Provably secure,'' in this context, means that any break of the MAC
easily implies a break of AES. The security gap between Poly1305-AES and
AES is below n/2^102 per forgery attempt for 16n-byte messages, even for
long-term keys (2^64 messages). If you're worried about AES then you can
replace Poly1305-AES with Poly1305-YourFavoriteBlockOrStreamCipher and
get the same guarantee relative to YourFavoriteBlockOrStreamCipher.

Older Wegman-Carter MACs had problems with short packets and with key
agility, but those problems have been eliminated. The new generation of
MAC functions is consistently faster than HMAC-MD5.

---D. J. Bernstein, Professor, Mathematics, Statistics,
and Computer Science, University of Illinois at Chicago
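The Wegman-Carter construction the post describes, as an added Python example that is not Bernstein's Poly1305-AES software: the Poly1305 polynomial hash is evaluated with the clamped key r and masked with a one-time 128-bit value s. In Poly1305-AES that s is AES_k(nonce); here s is an input so the block runs without a cipher library, which is the Poly1305-YourFavoriteCipher view in the post. The known-answer values are the RFC 8439 Poly1305 test vector, which uses the same polynomial core.

```python
from fractions import Fraction
import hmac

P = (1 << 130) - 5  # Poly1305 evaluates its polynomial over this prime

def clamp(r: bytes) -> int:
    """Clear the bits of r that Poly1305 requires to be zero."""
    r = bytearray(r)
    for i in (3, 7, 11, 15):
        r[i] &= 15   # top four bits of these bytes must be zero
    for i in (4, 8, 12):
        r[i] &= 252  # bottom two bits of these bytes must be zero
    return int.from_bytes(r, "little")

def poly1305_hash(r: int, msg: bytes) -> int:
    """Evaluate the message polynomial at r, modulo 2^130 - 5."""
    acc = 0
    for i in range(0, len(msg), 16):
        block = msg[i:i + 16]
        # Each block becomes a little-endian number with one extra 1 bit,
        # so a short final block is distinct from a zero-padded full one.
        c = int.from_bytes(block, "little") | (1 << (8 * len(block)))
        acc = ((acc + c) * r) % P
    return acc

def wegman_carter_tag(r_key: bytes, s: bytes, msg: bytes) -> bytes:
    """tag = (H_r(msg) + s) mod 2^128; in Poly1305-AES, s = AES_k(nonce)."""
    h = poly1305_hash(clamp(r_key), msg)
    return ((h + int.from_bytes(s, "little")) % (1 << 128)).to_bytes(16, "little")

def verify(r_key: bytes, s: bytes, msg: bytes, tag: bytes) -> bool:
    """Constant-time comparison, so timing leaks nothing to a forger."""
    return hmac.compare_digest(wegman_carter_tag(r_key, s, msg), tag)

def forgery_bound(msg_len: int) -> Fraction:
    """Per-attempt gap quoted in the post: n / 2^102 for a 16n-byte message."""
    n = -(-msg_len // 16)  # number of 16-byte blocks, rounded up
    return Fraction(n, 1 << 102)

# Known-answer vector from RFC 8439 section 2.5.2 (s is given there as the
# second key half, i.e. the already-encrypted nonce for one message).
R_KEY = bytes.fromhex("85d6be7857556d337f4452fe42d506a8")
S_KEY = bytes.fromhex("0103808afb0db2fd4abff6af4149f51b")
MSG = b"Cryptographic Forum Research Group"
EXPECTED_TAG = bytes.fromhex("a8061dc1305136c6c22b8baf0c0127a9")

if __name__ == "__main__":
    assert wegman_carter_tag(R_KEY, S_KEY, MSG) == EXPECTED_TAG
    print("tag", EXPECTED_TAG.hex(), "verified")
```

Note that s must never be reused across messages with the same r: a repeated mask turns the one-time pad step into a linear relation on two hashes, which is the key-agility and nonce discipline the construction depends on.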
