
Re: [LinkSec] RE: algorithm choices - criteria
Näslund wrote:
>
> 
> Carter and Wegman described how to get *unconditionally* secure MICs
> using families of universal hash functions. Clearly, integrity is
> very important (without it, attacks against confidentiality may be
> launched). There are also some very efficient implementations of
> (almost) universal hash functions, e.g. the MMH functions and
> adaptations thereof to binary fields.
> 
> Of course, there could be performance issues on specific platforms
> (I'm not an implementation expert) but a provable security might
> be worth a few extra cycles of processing time.
> 
> An MMH type MAC would fit very neatly together with a stream cipher,
> e.g. AES_CTR.
> 
> Is it worth pursuing this track? At least to investigate the
> possibilities before we decide?
> 
I've seen some darned fast UMAC schemes, but the real win isn't
  making the work units run faster, it's de-serializing them,
  a la Jutla, Rogaway, and Gligor.

Now, making the work units themselves faster is clearly advantageous,
  but if they have to be serialized, you lose any opportunity to
  parallelize them, and *that's* how you're going to do security
  at meltdown speeds.

I agree that adding a few cycles per work-unit to get better security
  is definitely worth it, because for meltdown speeds, you just add
  another work unit to make up for the fact that the individual work
  units are running somewhat slower.

-- 
----------------------------------------------------------------------
Marcus Leech                             Mail:   Dept 8M70, MS 012, FITZ
Advisor                                  Phone:  (ESN) 393-9145  +1 613 763 9145
Security Architecture and Planning       Fax:    (ESN) 393-2754  +1 613 763 2754
Nortel Networks                          mleech@nortelnetworks.com
-----------------Expressed opinions are my own, not my employer's------
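The two points made in this exchange, a Carter-Wegman MAC built from a universal hash and masked with a stream-cipher pad, and the fact that such a hash decomposes into independent work units, can be shown concretely. The following is an added example and is not code from the LinkSec list, from Näslund, or from Leech. Its assumptions are mine: the universal hash is an inner product over Z_p with p = 2**61 - 1 (an MMH-style construction reduced mod a prime, not the MMH specification itself), and the one-time pad for the tag comes from HMAC-SHA256 used as a PRF, standing in for the AES-CTR keystream the thread mentions because the Python standard library ships no AES. The function names, the word size and the vector length are likewise my choices. The exhaustive collision count over a tiny field shows the 1/p bound the thread calls "provable security", the chunked hash shows the de-serialization Leech is after, and the last function shows the caveat that a reused nonce cancels the pad.

```python
"""Carter-Wegman MAC from a linear (inner-product) universal hash.

Constructed example; not from the LinkSec thread or any standard.
Assumptions: hash field Z_p with p = 2**61 - 1; HMAC-SHA256 as the PRF
in place of the AES-CTR keystream the thread mentions.
"""
import hashlib
import hmac
import itertools
import secrets

P = (1 << 61) - 1     # prime modulus of the hash field (assumption)
WORD = 7              # 7-byte words, so every word is < P
MAX_WORDS = 64        # fixed vector length; the last slot holds the length


def encode(msg: bytes) -> list[int]:
    """Map a message to a fixed-length vector over Z_p.

    Zero-padding alone would let b"ab" and b"ab" + b"\x00" collide, so the
    byte length goes in the final slot: distinct messages, distinct vectors.
    """
    if len(msg) > (MAX_WORDS - 1) * WORD:
        raise ValueError("message too long for this hash key")
    padded = msg + b"\x00" * (-len(msg) % WORD)
    words = [int.from_bytes(padded[i:i + WORD], "big")
             for i in range(0, len(padded), WORD)]
    words += [0] * (MAX_WORDS - 1 - len(words))
    words.append(len(msg))
    return words


def inner_product_hash(key: list[int], words: list[int], p: int = P) -> int:
    """h_k(m) = sum(k_i * m_i) mod p.  For m != m' and a uniform key the
    outputs collide with probability exactly 1/p (delta-universal)."""
    if len(key) != len(words):
        raise ValueError("key and message vectors differ in length")
    acc = 0
    for k, w in zip(key, words):
        acc = (acc + k * w) % p
    return acc


def inner_product_hash_parallel(key: list[int], words: list[int],
                                nchunks: int, p: int = P) -> int:
    """Same hash, but each chunk is an independent work unit; the partial
    sums are combined once at the end, so no chunk waits on another."""
    n = len(words)
    bounds = [(c * n // nchunks, (c + 1) * n // nchunks) for c in range(nchunks)]
    partials = [inner_product_hash(key[lo:hi], words[lo:hi], p) for lo, hi in bounds]
    return sum(partials) % p


def collision_count(m1: list[int], m2: list[int], p: int) -> int:
    """Count keys in Z_p^n on which m1 and m2 collide (exhaustive; tiny p only).
    For distinct vectors this is exactly p**(n-1), i.e. a 1/p fraction."""
    keys = itertools.product(range(p), repeat=len(m1))
    return sum(1 for k in keys
               if inner_product_hash(list(k), m1, p) == inner_product_hash(list(k), m2, p))


def _pad(prf_key: bytes, nonce: bytes) -> int:
    """Per-nonce one-time pad.  A 256-bit PRF output reduced mod a 61-bit
    prime is within about 2**-195 of uniform, so the reduction is harmless."""
    return int.from_bytes(hmac.new(prf_key, nonce, hashlib.sha256).digest(), "big") % P


def cw_tag(hash_key: list[int], prf_key: bytes, nonce: bytes, msg: bytes) -> bytes:
    """Carter-Wegman tag: hash the message, then mask the hash with a pad
    that depends only on (prf_key, nonce).  The nonce must never repeat
    under one key pair."""
    t = (inner_product_hash(hash_key, encode(msg)) + _pad(prf_key, nonce)) % P
    return t.to_bytes(8, "big")


def cw_verify(hash_key: list[int], prf_key: bytes, nonce: bytes,
              msg: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(cw_tag(hash_key, prf_key, nonce, msg), tag)


def nonce_reuse_leak(hash_key, prf_key, nonce: bytes, m1: bytes, m2: bytes) -> bool:
    """Caveat: with a reused nonce the pad cancels and an observer learns
    h_k(m1) - h_k(m2), a linear equation in the hash key.  Returns True
    when the tag difference equals the difference of the unmasked hashes."""
    t1 = int.from_bytes(cw_tag(hash_key, prf_key, nonce, m1), "big")
    t2 = int.from_bytes(cw_tag(hash_key, prf_key, nonce, m2), "big")
    h_diff = (inner_product_hash(hash_key, encode(m1))
              - inner_product_hash(hash_key, encode(m2))) % P
    return (t1 - t2) % P == h_diff


def keygen() -> tuple[list[int], bytes]:
    """Fresh hash key (vector over Z_p) and 256-bit PRF key."""
    return [secrets.randbelow(P) for _ in range(MAX_WORDS)], secrets.token_bytes(32)


if __name__ == "__main__":
    hk, pk = keygen()
    nonce = b"\x00" * 12                       # constructed sample nonce
    msg = b"frame payload for the link"        # constructed sample message
    tag = cw_tag(hk, pk, nonce, msg)
    print("verify:", cw_verify(hk, pk, nonce, msg, tag))
    print("tampered:", cw_verify(hk, pk, nonce, msg + b"!", tag))
    print("collisions over Z_7^2:", collision_count([1, 2], [3, 5], 7), "of 49")
```

The tiny-field count is the whole security argument in miniature: over Z_7 with two-word messages, exactly 7 of the 49 keys collide on any fixed pair of distinct vectors, a 1/7 fraction, and over Z_p with p = 2**61 - 1 the same argument gives a forgery bound of about 2**-61 per attempt that does not depend on any computational assumption. The chunked hash returns the same value for any chunk count, which is the property that lets the work units run side by side rather than in sequence.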