Zooko writes:
> By the way, the traditional practice of using a hash function as a 
> component of a MAC should, in my humble opinion, be retired in favor of 
> the Carter-Wegman alternative such as Poly-1305 AES [7].

This is a great topic where there are lots of pros and cons.  The CW
MACs like UMAC and Poly1305-AES have advantages including speed and
provable security.  However the recent result Perry cited by Bellare,
http://eprint.iacr.org/2006/043, argues that HMAC relies only on the
compression function being a PRF, and the CW MACs also need a PRF.
So perhaps their security properties will not turn out to be so different.

>From the security implementor's POV, the speed of the CW MACs must
be balanced against potentially greater difficulty in using them.
They are not black-box drop-in replacements for HMAC.  CW MACs rely on
the presence of a unique nonce per message (and per key).  This can be
as simple as a sequence number, or perhaps a random string.  But either
one may require adding state and/or environmental access to what is a
simple stateless function with HMAC.

CW MACs also have the property that they may allow single brute-force
forgeries to be easily extended to multiple forgeries.  The ease or
difficulty of this extension will depend on details of the MAC design,
but in principle, the CW security properties allow for it.  This means
that MACs of moderate length, like 64 bits or less, need to be evaluated
much more critically with a CW MAC implementation.

Hal Finney

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Reply via email to