Zooko writes:

> By the way, the traditional practice of using a hash function as a
> component of a MAC should, in my humble opinion, be retired in favor of
> the Carter-Wegman alternative such as Poly-1305 AES [7].

This is a great topic where there are lots of pros and cons. The CW MACs like UMAC and Poly1305-AES have advantages including speed and provable security. However, the recent result Perry cited by Bellare, http://eprint.iacr.org/2006/043, argues that HMAC relies only on the compression function being a PRF, and the CW MACs also need a PRF. So perhaps their security properties will not turn out to be so different.

From the security implementor's POV, the speed of the CW MACs must be balanced against potentially greater difficulty in using them. They are not black-box drop-in replacements for HMAC. CW MACs rely on the presence of a unique nonce per message (and per key). This can be as simple as a sequence number, or perhaps a random string. But either one may require adding state and/or environmental access to what is a simple stateless function with HMAC.

CW MACs also have the property that they may allow single brute-force forgeries to be easily extended to multiple forgeries. The ease or difficulty of this extension will depend on details of the MAC design, but in principle, the CW security properties allow for it. This means that MACs of moderate length, like 64 bits or less, need to be evaluated much more critically with a CW MAC implementation.

Hal Finney

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
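The state requirement Hal describes, as an added example that is not part of this thread: a Poly1305 authenticator in the Poly1305-AES shape (one-time pad derived from a key and a per-message nonce), wrapped in a sender object that has to carry a nonce counter, next to a stateless HMAC call for contrast. Assumption: HMAC-SHA256 truncated to 16 bytes stands in for AES_k(nonce) so the code runs on Python's standard library alone; the keys and messages are constructed sample values.

```python
import hashlib
import hmac

P = (1 << 130) - 5                       # Poly1305 evaluates its polynomial modulo this prime
R_CLAMP = 0x0ffffffc0ffffffc0ffffffc0fffffff


def poly1305(r: bytes, s: bytes, msg: bytes) -> bytes:
    """Poly1305 one-time authenticator: evaluate the message polynomial at r,
    then mask with the 16-byte one-time pad s (RFC 8439 construction)."""
    r_int = int.from_bytes(r, "little") & R_CLAMP
    acc = 0
    for i in range(0, len(msg), 16):
        # A 0x01 byte is appended to every block so trailing zeros are unambiguous.
        n = int.from_bytes(msg[i:i + 16] + b"\x01", "little")
        acc = ((acc + n) * r_int) % P
    acc = (acc + int.from_bytes(s, "little")) & ((1 << 128) - 1)
    return acc.to_bytes(16, "little")


class CarterWegmanMac:
    """Poly1305 with s = PRF_k(nonce), the Poly1305-AES shape. The sender must
    keep state (a counter) so that no nonce repeats under one key.
    Assumption: HMAC-SHA256 truncated to 16 bytes stands in for AES_k(nonce)."""

    def __init__(self, k: bytes, r: bytes):
        self.k, self.r = k, r
        self.next_nonce = 0                  # sender state that HMAC does not need

    def _pad(self, nonce: bytes) -> bytes:
        return hmac.new(self.k, nonce, hashlib.sha256).digest()[:16]

    def tag(self, msg: bytes):
        """Return (nonce, tag); the nonce must travel with the message."""
        nonce = self.next_nonce.to_bytes(16, "little")
        self.next_nonce += 1
        return nonce, poly1305(self.r, self._pad(nonce), msg)

    def verify(self, nonce: bytes, msg: bytes, tag: bytes) -> bool:
        expected = poly1305(self.r, self._pad(nonce), msg)
        return hmac.compare_digest(expected, tag)


def hmac_tag(k: bytes, msg: bytes) -> bytes:
    """HMAC for contrast: same key and message always give the same tag, no nonce, no state."""
    return hmac.new(k, msg, hashlib.sha256).digest()[:16]


if __name__ == "__main__":
    mac = CarterWegmanMac(b"k" * 16, b"r" * 16)        # constructed sample keys
    nonce, tag = mac.tag(b"hello")
    print(mac.verify(nonce, b"hello", tag), mac.verify(nonce, b"hellp", tag))
```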