[8010] in cryptography@c2.net mail archive


[Hugo Krawczyk ] Re: I-D ACTION:draft-krovetz-umac-01.txt

daemon@ATHENA.MIT.EDU (Perry E. Metzger)
Fri Oct 27 17:29:50 2000

To: cryptography@c2.net
From: "Perry E. Metzger" <perry@piermont.com>
Date: 27 Oct 2000 08:39:46 -0400
Message-ID: <87r952wj8t.fsf@snark.piermont.com>


-- 
------- Start of forwarded message -------
Date: Thu, 26 Oct 2000 17:53:34 +0200 (IST)
From: Hugo Krawczyk <hugo@ee.technion.ac.il>
To: ipsec list <ipsec@lists.tislabs.com>,
	TLS list <ietf-tls@lists.certicom.com>, saag@lists.tislabs.com
Subject: Re: I-D ACTION:draft-krovetz-umac-01.txt

As recently announced, the draft draft-krovetz-umac-01.txt is available 
from the Internet-Drafts directory.
This document contains a full specification of the "UMAC" 
Message Authentication Code (i.e. a function that provides data 
integrity verification for entities that share a key).
This is the result of a three-year project involving several researchers.  
A paper describing the mathematical foundations of the algorithm 
was published more than a year ago in CRYPTO '99 [1].

UMAC was designed to provide strong authenticity guarantees while 
being flexible, provably secure, and **as fast as possible** on modern 
(and emerging) processors.  Experiments show that UMAC achieves 
software speeds that are many times the speed of HMAC-SHA1.  
A quite unique feature of UMAC is that it lets you easily trade performance
and security: from weak authentication against Denial of Service at 
GigaByte/second to the strongest authentication for the real paranoids 
at 100's of MegaBytes/second.

For the most speed-demanding applications, as they emerge, I believe 
that UMAC provides a solution that is superior to current algorithms 
based on cryptographic hash functions (e.g. HMAC) or block ciphers 
(e.g. CBC-MAC).

See the UMAC homepage, http://www.cs.ucdavis.edu/~rogaway/umac, 
for additional information, including some performance details. 

Hugo

PS: A word about UMAC's security. 
     UMAC's security analysis is based on two factors:
       1) The 20-year old methodology (due to Carter and Wegman) for 
          building MAC functions on the basis of universal hashing.
       2) The availability of a strong cipher (e.g. AES).
     The result of this analysis is that the only way that the proven 
     security bounds for UMAC could fail is by breaking the underlying
     cipher (say Rijndael).  As long as this cipher is unbroken so is UMAC.  
     In this sense, UMAC does not need to be subject to cryptanalytical
     scrutiny before it can be used; you just need to believe that the
     underlying block cipher is secure.
     (See more information in [1] and in the draft's Security Considerations.)

[1]  J. Black, S. Halevi, H. Krawczyk, T. Krovetz, and P. Rogaway. 
"UMAC: Fast and secure message authentication".   Advances in 
Cryptology - CRYPTO '99.  Lecture Notes in Computer Science, 
vol. 1666, Springer-Verlag, 1999, pp. 216-233.

------- End of forwarded message -------
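The PS above rests on the Carter-Wegman paradigm: hash the message with a key-indexed universal hash family, then mask the result with a one-time pad produced by a pseudorandom function (in practice a block cipher) applied to a nonce. The following is an added illustration of that paradigm in Python; it is not UMAC, not code from the draft, and not the authors' code. It assumes a polynomial-evaluation hash over GF(2^61 - 1) as the universal hash (UMAC's own NH hash is different) and uses HMAC-SHA256 as a stand-in for the keyed cipher so that it runs offline with the standard library only. The helper names (`universal_hash`, `mac`, `verify`, `generate_key`) and the constructed keys and nonces are my own.

```python
import hashlib
import hmac
import os

# Modulus for the polynomial universal hash: the Mersenne prime 2^61 - 1.
P = (1 << 61) - 1
WORD = 7      # 7-byte message words, so every word is < 2^56 < P
TAG_LEN = 8   # bytes of tag transmitted; the field element fits in 61 bits


def generate_key() -> bytes:
    """Fresh 32-byte master key (constructed here with os.urandom)."""
    return os.urandom(32)


def _subkey(key: bytes, label: bytes) -> bytes:
    # Key separation: derive independent subkeys from the master key.
    # HMAC-SHA256 is an assumption standing in for the keyed block cipher
    # (the PRF) that a real Carter-Wegman MAC such as UMAC would use.
    return hmac.new(key, label, hashlib.sha256).digest()


def universal_hash(hash_key: int, msg: bytes) -> int:
    """Polynomial-evaluation hash over GF(P), computed with Horner's rule.

    The message length is fed in as the leading word so that messages of
    different lengths map to different polynomials.  Two distinct messages
    of at most n words agree for at most n+1 values of hash_key, i.e. they
    collide with probability <= (n+1)/P over a uniformly random key.  That
    "almost-universal" property is what the Carter-Wegman proof rests on:
    no cryptanalysis of the hash is needed, only this counting argument.
    """
    acc = len(msg) % P
    for i in range(0, len(msg), WORD):
        w = int.from_bytes(msg[i:i + WORD], "big")
        acc = (acc * hash_key + w) % P
    return acc


def mac(key: bytes, nonce: bytes, msg: bytes) -> bytes:
    """Carter-Wegman tag: (H_k(msg) + F_K(nonce)) mod P, as TAG_LEN bytes.

    F_K(nonce) acts as a one-time pad over the hash value, which is why the
    security reduces entirely to the PRF (the cipher): forging a tag means
    either predicting the pad or finding a hash collision, and the latter is
    bounded by (n+1)/P regardless of the attacker's computing power.
    Consequence for deployment: a nonce must never repeat under one key.
    """
    # Hash subkey in [1, P-1]; pad reduced into the field.
    hash_key = 1 + int.from_bytes(_subkey(key, b"hash"), "big") % (P - 1)
    pad = int.from_bytes(_subkey(key, b"pad" + nonce)[:8], "big") % P
    tag = (universal_hash(hash_key, msg) + pad) % P
    return tag.to_bytes(TAG_LEN, "big")


def verify(key: bytes, nonce: bytes, msg: bytes, tag: bytes) -> bool:
    """Recompute the tag and compare in constant time."""
    return hmac.compare_digest(mac(key, nonce, msg), tag)


if __name__ == "__main__":
    k = generate_key()
    nonce = (1).to_bytes(8, "big")          # constructed: a per-message counter
    message = b"payload to authenticate"    # constructed sample input
    tag = mac(k, nonce, message)
    print("tag:", tag.hex(), "verified:", verify(k, nonce, message, tag))
    print("tampered verifies:", verify(k, nonce, message + b"!", tag))
```

The field size sets the forgery bound: with a 61-bit modulus and short messages an adversary's best chance per attempt is on the order of 2^-61 plus whatever advantage it has against the PRF. Making the hash layer wider (or running several independent instances, which is the speed-for-security knob the announcement describes) lowers that bound at a proportional cost in throughput, while the cipher layer is the only part that would ever need cryptanalytic scrutiny.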

