
Re: [LinkSec] RE: algorithm choices - criteria




Hi

Johnston, Dj wrote:

[snip]

> Outside of the OCB and CCM options, as you correctly suggest there are
> alternatives, but I have tried to restrict myself to the modes described
> and discussed in the ongoing NIST modes process. If you can bring a
> proposal for an alternative mode that is superior to the CCM and OCB,
> please do so. I believe the reasoning for selecting these modes is based

I don't claim that the following proposal is superior, but it
has some very attractive properties, yet it is often forgotten.

Carter and Wegman described how to get *unconditionally* secure MICs
using families of universal hash functions. Clearly, integrity is
very important (without it, attacks against confidentiality may be
launched). There are also some very efficient implementations of
(almost) universal hash functions, e.g. the MMH functions and
adoptions thereof to binary fields.

Of course, there could be performance issues on specific platforms
(I'm not an implementation expert) but provable security might
be worth a few extra cycles of processing time.

An MMH-type MAC would fit very neatly together with a stream cipher,
e.g. AES_CTR.

Is it worth pursuing this track? At least to investigate the
possibilities before we decide?

Cheers

/Mats
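The Carter-Wegman construction sketched in the message above, as an added example that is not part of the thread: an MMH-style multilinear almost-universal hash whose output is masked with fresh keystream bytes, riding on the same keystream used for encryption. Assumptions of this example: an HMAC-SHA256 counter keystream stands in for AES_CTR so it runs without a crypto library, the modulus is 2^61-1 and the hash processes 7-byte words.

```python
import hmac, hashlib, secrets

P = (1 << 61) - 1   # Mersenne prime used as hash modulus (assumption of this example)
WORD = 7            # 7-byte words keep every word below P, so reduction mod P is injective
MAX_WORDS = 256     # longest message (in words) the hash key supports

def gen_keys():
    """Cipher key for the keystream plus a hash key k_1..k_n, each uniform in [0, P)."""
    return secrets.token_bytes(32), [secrets.randbelow(P) for _ in range(MAX_WORDS)]

def keystream(key, nonce, nbytes):
    """Stand-in for an AES_CTR keystream: HMAC-SHA256 over (nonce || counter).
    The nonce must never repeat under one key, or keystream and tag pad are reused."""
    blocks = (nbytes + 31) // 32
    stream = b"".join(hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
                      for i in range(blocks))
    return stream[:nbytes]

def uhash(hkey, data):
    """MMH-style almost-universal hash: sum(m_i * k_i) mod P over 7-byte words.
    The byte length is appended as a final word so zero-padding cannot be abused."""
    padded = data + b"\x00" * (-len(data) % WORD) + len(data).to_bytes(WORD, "big")
    words = [int.from_bytes(padded[i:i + WORD], "big") for i in range(0, len(padded), WORD)]
    if len(words) > len(hkey):
        raise ValueError("message longer than the hash key supports")
    return sum(m * k for m, k in zip(words, hkey)) % P

def seal(key, hkey, nonce, plaintext):
    """Encrypt with the keystream, then Carter-Wegman: tag = uhash(ciphertext) XOR pad,
    where pad is 8 fresh keystream bytes that are never used for encryption."""
    ks = keystream(key, nonce, len(plaintext) + 8)
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, ks[:len(plaintext)]))
    pad = int.from_bytes(ks[len(plaintext):], "big")
    return ciphertext, (uhash(hkey, ciphertext) ^ pad).to_bytes(8, "big")

def open_(key, hkey, nonce, ciphertext, tag):
    """Check the tag in constant time before decrypting; returns None on failure."""
    ks = keystream(key, nonce, len(ciphertext) + 8)
    pad = int.from_bytes(ks[len(ciphertext):], "big")
    expected = (uhash(hkey, ciphertext) ^ pad).to_bytes(8, "big")
    if not hmac.compare_digest(expected, tag):
        return None
    return bytes(a ^ b for a, b in zip(ciphertext, ks[:len(ciphertext)]))
```

Forgery probability per attempt is about 1/P regardless of the attacker's computing power, which is the unconditional-security property the message refers to; the stream cipher only needs to hide the pad.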