Re: The Poly1305-AES message-authentication code

From: D. J. Bernstein (djb_at_cr.yp.to)
Date: 11/05/04


Date: Fri, 5 Nov 2004 06:18:36 +0000 (UTC)

David Wagner wrote:
> I really don't think attacks that require 2^63 chosen messages are
> worth worrying about.

The only reason it's 2^63 chosen messages is to allow 2^63 forgeries.

What would you say about an attack that requires 2^48 known messages and
2^24 chosen messages, and has a one-in-a-billion chance of producing
2^24 forgeries? HMAC-MD5 is vulnerable to that too.

> Instead, you should be changing session keys much more frequently than
> that

I was talking about HMAC-MD5: i.e., the authenticator HMAC-MD5(k,m).
You're talking about a different MAC, namely HMAC-MD5(MD5(k,n),m), where
n is used for a limited number of messages m.

I agree that this different MAC provides better security than HMAC-MD5
(relative to the usual, increasingly wobbly, assumptions about MD5), at
the expense of extra complication and extra computation.

Meanwhile, Poly1305-AES (relative to AES) provides better security than
HMAC-MD5 (relative to MD5) and is _faster_ than HMAC-MD5.

---D. J. Bernstein, Associate Professor, Department of Mathematics,
Statistics, and Computer Science, University of Illinois at Chicago
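The two MAC constructions distinguished above (HMAC-MD5(k,m) versus HMAC-MD5(MD5(k,n),m)) and the polynomial core of Poly1305, as an added example that is not part of the original post. It assumes MD5(k,n) means MD5 over k concatenated with n; since AES is not in the Python standard library, the Poly1305 function takes the 16-byte value s directly (in Poly1305-AES, s = AES_k(n)), and it is checked against the RFC 8439 Poly1305 test vector, which uses the same polynomial core.

```python
import hashlib
import hmac

P = (1 << 130) - 5  # Poly1305 evaluates its polynomial modulo the prime 2^130 - 5

def clamp_r(r_bytes: bytes) -> int:
    """Clamp the 16-byte r as Poly1305 requires: top 4 bits of bytes 3, 7, 11, 15
    cleared and bytes 4, 8, 12 made divisible by 4."""
    r = bytearray(r_bytes)
    for i in (3, 7, 11, 15):
        r[i] &= 15
    for i in (4, 8, 12):
        r[i] &= 252
    return int.from_bytes(r, "little")

def poly1305_core(r_bytes: bytes, s_bytes: bytes, msg: bytes) -> bytes:
    """Tag = ((c_1 r^q + ... + c_q r) mod 2^130-5 + s) mod 2^128, little-endian.
    In Poly1305-AES s = AES_k(nonce); here s is supplied by the caller."""
    r = clamp_r(r_bytes)
    s = int.from_bytes(s_bytes, "little")
    h = 0
    for i in range(0, len(msg), 16):
        chunk = msg[i:i + 16]
        # A 0x01 byte is appended to every chunk (including a short final one)
        # so that chunks of different lengths encode distinct coefficients.
        c = int.from_bytes(chunk + b"\x01", "little")
        h = ((h + c) * r) % P          # Horner evaluation of the polynomial
    return ((h + s) % (1 << 128)).to_bytes(16, "little")

def hmac_md5_plain(k: bytes, m: bytes) -> bytes:
    """HMAC-MD5(k, m): one long-term key authenticates every message."""
    return hmac.new(k, m, hashlib.md5).digest()

def hmac_md5_nonce_keyed(k: bytes, n: bytes, m: bytes) -> bytes:
    """HMAC-MD5(MD5(k,n), m): a per-nonce subkey used for a limited number of
    messages. MD5(k,n) is taken as MD5(k || n), an assumption of this example."""
    subkey = hashlib.md5(k + n).digest()
    return hmac.new(subkey, m, hashlib.md5).digest()

def rfc8439_poly1305_check() -> bool:
    """Verify poly1305_core against the RFC 8439 section 2.5.2 test vector."""
    key = bytes.fromhex("85d6be7857556d337f4452fe42d506a8"
                        "0103808afb0db2fd4abff6af4149f51b")
    tag = poly1305_core(key[:16], key[16:], b"Cryptographic Forum Research Group")
    return tag == bytes.fromhex("a8061dc1305136c6c22b8baf0c0127a9")
```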
