Re: ECB+CTR Mode?
From: Tom St Denis (tomstdenis_at_iahu.ca)
Date: Mon, 11 Aug 2003 16:24:05 GMT
-----BEGIN PGP SIGNED MESSAGE-----
Mark Wooding wrote:
| Tom St Denis <email@example.com> wrote:
|>Last I checked OBC [or what not]
| OCB, by Phillip Rogaway.
|>was the only mode to provide both security and authentication.
| Err... I presume you mean `secrecy' where you said `security'. Both
| secrecy and authenticity are security goals, and there are others. And
| you're wrong. Check out Jutla's IACBC and IAPM, and Gligor and
| Donescu's XECB and XCBC; and then see EAX (Bellare, Rogaway, and Wagner)
| and CWC (Kohno, Viega, and Whiting). All of these come with security
| proofs, and I have no reason to think they're invalid.
Oh look at me. I'm mark, I know what I'm talking about, oh
Yeah, I dunno I'm just a big fan of simplicity, CTR+HMAC :-)
Unfortunately none of those "protocols" are a standard? [right?] so
adopting one may be troublesome.
|>Ironically the NIST standard "OMAC" only provides a MAC
| Your idea of irony is very odd. And it looks to me as if OMAC does what
| it says on the tin.
If I am not mistaken several of the modes you listed were offered to the
NIST submission process. I think standardizing a secrey+authentication
protocol would do more than standardizing one that doesn't.
|>[so you might as well use HMAC since it will allow you to use other
|>hashes with bigger digest sizes].
| Depends. Many applications will truncate MAC tags, because they need
| only be unpredictable in their entirety. A 128-bit tag is quite
| sufficient for most applications, and using the same 128-bit block
| cipher for both means that you don't have to assume the security of some
| hash function like SHA1.
If collision resistance is not a goal than MD4 would be ideally
suitable. Would it not?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
-----END PGP SIGNATURE-----