
Re: MAC speeds



On 19 Mar 2000, David A. Wagner wrote:

> In article <Pine.BSI.3.91.1000315102404.16490C-100000@spsystems.net>,
> Henry Spencer  <henry@spsystems.net> wrote:
> > On 14 Mar 2000, D. J. Bernstein wrote:
> > > Asking how much scrutiny a Wegman-Carter-type authentication system has
> > > received is like asking how much scrutiny counter mode has received:
> > > you're missing the point. The security is _provably_ as good as the
> > > encryption function you plug in.
> > 
> > That just shifts the problem one step:  how much scrutiny has that proof had?
> 
> Lots.  This particular proof is taught in (some/many) graduate theory
> classes, and is an especially simple one as well.
> 
> For some proofs (especially lengthy, complex, recent, or obscure proofs),
> there are very good reasons to start asking questions like this, but the
> proof of security for Wegman-Carter-like authentication is not one of them.
> 

Not only that; when using the Wegman-Carter approach you do not
need to speculate on the future strength of the hash function and derive
complicated estimates that measure the development of the
human "cryptanalytical brain" (as we are seeing now for deriving key
sizes).

With CW hashes you give an EXACT mathematical *proven* bound on the
collision probability and from there you derive your MAC strength (still,
of course, you have to apply a one-block encryption per-message and that
part does require some cryptanalytical speculation -- but in a much more
restricted sense than other MAC solutions). 

Hugo
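
The exact bound discussed in this message, as an added example that is not part of the original thread: a polynomial hash over a toy prime field is enumerated over every key to confirm that no tag difference is hit by more than n of the P keys, and the hash is then masked with a per-message pad. Assumptions: the prime 251, the polynomial hash family, all function names, and HMAC-SHA256 standing in for the one-block encryption because the Python standard library has no block cipher.

```python
import hashlib
import hmac
from collections import Counter
from itertools import combinations, product

P = 251  # toy prime (assumption) so every hash key can be enumerated

def poly_hash(key, blocks, p=P):
    """m_1*k^n + ... + m_n*k mod p via Horner's rule (no constant term)."""
    acc = 0
    for b in blocks:
        acc = (acc + b) * key % p
    return acc

def worst_difference_count(m1, m2, p=P):
    """Exact max over d of #{k : H_k(m1) - H_k(m2) = d (mod p)}."""
    diffs = Counter((poly_hash(k, m1, p) - poly_hash(k, m2, p)) % p
                    for k in range(p))
    return max(diffs.values())

def worst_over_all_pairs(n, alphabet, p=P):
    """Largest count over every pair of distinct n-block messages."""
    msgs = list(product(alphabet, repeat=n))
    return max(worst_difference_count(a, b, p) for a, b in combinations(msgs, 2))

def pad(cipher_key, nonce, p=P):
    """The one per-message 'encryption'. HMAC-SHA256 is a stand-in PRF here
    (assumption); the nonce must never repeat under one key."""
    digest = hmac.new(cipher_key, nonce, hashlib.sha256).digest()
    return int.from_bytes(digest, "big") % p

def wc_tag(hash_key, cipher_key, nonce, blocks, p=P):
    """Wegman-Carter-style tag: universal hash masked by the pad."""
    return (poly_hash(hash_key, blocks, p) + pad(cipher_key, nonce, p)) % p

def wc_verify(hash_key, cipher_key, nonce, blocks, tag, p=P):
    expected = wc_tag(hash_key, cipher_key, nonce, blocks, p)
    return hmac.compare_digest(expected.to_bytes(2, "big"),
                               (tag % p).to_bytes(2, "big"))

if __name__ == "__main__":
    n = 3
    worst = worst_over_all_pairs(n, range(3))
    # A forgery that reuses an observed nonce with a different n-block message
    # must hit one specific difference d, which at most `worst` of P keys do.
    print(f"worst-case keys per difference: {worst} (bound n = {n})")
    print(f"forgery probability bound: {worst}/{P}")
    tag = wc_tag(17, b"constructed key", b"nonce-0001", (1, 2, 3))
    print("verifies:", wc_verify(17, b"constructed key", b"nonce-0001", (1, 2, 3), tag))
```

The enumeration covers only equal-length messages; the degree argument behind the n/P bound is stated for that case.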




