
Re: [LinkSec] RE: algorithm choices - criteria

Mats:

>>Outside of the OCB and CCM options, as you correctly suggest there are
>>alternatives, but I have tried to restrict myself to the modes described
>>and discussed in the ongoing NIST modes process. If you can bring a
>>proposal for an alternative mode that is superior to the CCM and OCB,
>>please do so. I believe the reasoning for selecting these modes is based
>
>I don't claim that the following proposal is superior, but it
>has some very attractive properties, yet it is often forgotten.
>
>Carter and Wegman described how to get *unconditionally* secure MICs
>using families of universal hash functions. Clearly, integrity is
>very important (without it, attacks against confidentiality may be
>launched). There are also some very efficient implementations of
>(almost) universal hash functions, e.g. the MMH functions and
>adoptions thereof to binary fields.
>
>Of course, there could be performance issues on specific platforms
>(I'm not an implementation expert) but a provable security might
>be worth a few extra cycles of processing time.
>
>An MMH type MAC would fit very neatly together with a stream cipher,
>e.g. AES_CTR.
>
>Is it worth pursuing this track? At least to investigate the possibilities
>before we decide?

802.11i looked into this quite deeply.  There are a number of very 
interesting alternatives in this space.  However, none of them was on track 
for acceptance by NIST for algorithms that could be evaluated under FIPS 
140.  One thing the group could do is ask NIST to select an integrity 
algorithm for use in this context.  I think that there are many 
applications that could be well served by NIST doing so.

Russ
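The Carter-Wegman construction Mats sketches above (a universal hash of the message, masked by a one-time pad drawn from a stream cipher), as an added example that is not code from this thread, from 802.11i, or from the MMH authors. It uses an MMH-style inner-product hash modulo the MMH prime 2^32+15 with an injective padding, and a SHA-256-based PRF as a stand-in for one AES-CTR keystream word (an assumption made to keep it dependency-free); the last function shows why the per-message nonce must never repeat.

```python
import hashlib
import hmac
import secrets
import struct

P = 2**32 + 15      # prime of the MMH construction; message and key words are 32 bits
MAX_WORDS = 16      # hash-key length in words; messages up to 4*MAX_WORDS - 1 bytes

def gen_hash_key():
    """One MMH hash key: MAX_WORDS uniform elements of Z_P; may be reused across messages."""
    return [secrets.randbelow(P) for _ in range(MAX_WORDS)]

def _pad_to_words(message):
    """Injective padding (0x80 then zeros), then split into 32-bit big-endian words."""
    if len(message) >= 4 * MAX_WORDS:
        raise ValueError("message too long for this hash key")
    padded = message + b"\x80"
    padded += b"\x00" * (4 * MAX_WORDS - len(padded))
    return struct.unpack(">%dI" % MAX_WORDS, padded)

def mmh_hash(hash_key, message):
    """MMH-style universal hash: inner product of message words and key words mod P."""
    return sum(m * k for m, k in zip(_pad_to_words(message), hash_key)) % P

def keystream_word(mask_key, nonce):
    """One 32-bit mask word per nonce. Stand-in for an AES-CTR keystream word:
    SHA-256 is used here only to keep the example dependency-free (assumption)."""
    return struct.unpack(">I", hashlib.sha256(mask_key + nonce).digest()[:4])[0]

def cw_tag(hash_key, mask_key, nonce, message):
    """Carter-Wegman tag: hash the message, then add a fresh one-time mask (mod 2^32)."""
    h = mmh_hash(hash_key, message) % 2**32          # MMH's final reduction to one word
    return struct.pack(">I", (h + keystream_word(mask_key, nonce)) % 2**32)

def cw_verify(hash_key, mask_key, nonce, message, tag):
    """Recompute the tag and compare in constant time."""
    return hmac.compare_digest(cw_tag(hash_key, mask_key, nonce, message), tag)

def nonce_reuse_exposes_hash_difference(hash_key, mask_key, nonce, m1, m2):
    """Why the nonce must never repeat: two tags under the same mask cancel it and
    reveal h(m1) - h(m2) mod 2^32, i.e. information about the secret hash key."""
    t1 = struct.unpack(">I", cw_tag(hash_key, mask_key, nonce, m1))[0]
    t2 = struct.unpack(">I", cw_tag(hash_key, mask_key, nonce, m2))[0]
    h_diff = (mmh_hash(hash_key, m1) - mmh_hash(hash_key, m2)) % 2**32
    return (t1 - t2) % 2**32 == h_diff
```

The hash key is reusable, but the nonce (and hence the mask) must be fresh for every tag; a stream cipher such as AES in CTR mode supplies exactly that per-packet keystream.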