
Re: [LinkSec] Meeting material


Dolors Sala wrote:
> DJ material is now posted at the same page:

I have two questions regarding some of these.

On Don's "format" presentation, p 8, I read:

"ICV Size
•* Birthday attack susceptible modes
– Strength proportional to sqrt(2^n) where n is the number of bits"

Bits in the tag?

This was up for discussion a few weeks ago, and I still wonder
what are these modes and attacks? AFAIK, there are no generic
birthday attacks on the tag size as such. For iterated MIC 
constructions, there are birthday attacks, but these attacks depend
on the internal state space size, not the tag size (unless they happen 
to be the same, e.g. as in CBC_MAC). Basically, these attacks make
use of the fact that if two distinct messages x, y, end up in the
same state after a number of iterations, then for any fixed z,
x || z and y || z will have the same tag. Another attack is that by
Preneel et al., which actually gets *more* efficient as the tag size 
increases! I think it is important to be clear on how various
parameters relate to security. Of course, there may be an attack
that I am not aware of, in which case I would be interested to hear
about it. In general though, a good MIC should behave like a pseudo
random function, and thus, there should be collisions as we approach
the "birthday bound".

Secondly, on Mick's "SeCY Functions", p 2, if I understand
correctly you promote an integrity-before-encryption order.
Since we know that this is suboptimal both from a DoS-resistance
and from a cryptographic point of view, I wonder what good rationale
there is for still doing so.


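The internal-collision attack described in the message above, worked through on a toy iterated MAC. This is an added illustration, not code from the thread or from the slides under discussion: the construction (a keyed compression step with a 16-bit chaining state and a 64-bit output transformation), the key and the messages are all constructed here for the demonstration. The point it makes is the one in the mail: the attacker needs on the order of sqrt(2^16) = 256 chosen single-block messages to get two messages x, y with the same internal state, after which one query on x || z gives a valid tag for the never-queried y || z, even though the tag is 64 bits and a birthday search on the tag alone would cost about 2^32 queries.

```python
"""Toy iterated MAC: the birthday attack is bounded by the internal state
size, not the tag size.

Added example, not part of the original e-mail thread. The construction,
the key and the messages below are constructed for illustration only.
"""
import hashlib
import math

BLOCK_BYTES = 4           # message block size
STATE_BITS = 16           # internal chaining-state size (the real security bound)
TAG_BITS = 64             # tag size, deliberately much larger than the state
STATE_BYTES = STATE_BITS // 8
TAG_BYTES = TAG_BITS // 8

KEY = b"constructed-demo-key"   # constructed secret key, known only to the MAC oracle


def _compress(key: bytes, state: bytes, block: bytes) -> bytes:
    """Keyed compression step: state' = F_k(state, block), truncated to STATE_BITS."""
    return hashlib.sha256(b"step|" + key + b"|" + state + b"|" + block).digest()[:STATE_BYTES]


def _finalize(key: bytes, state: bytes) -> bytes:
    """Output transformation: stretch the small chaining state into a TAG_BITS tag."""
    return hashlib.sha256(b"out|" + key + b"|" + state).digest()[:TAG_BYTES]


def internal_state(key: bytes, msg: bytes) -> bytes:
    """Chaining state after absorbing every block of msg (whole blocks only)."""
    if len(msg) % BLOCK_BYTES:
        raise ValueError("message must be a whole number of blocks")
    state = bytes(STATE_BYTES)
    for i in range(0, len(msg), BLOCK_BYTES):
        state = _compress(key, state, msg[i:i + BLOCK_BYTES])
    return state


def mac(key: bytes, msg: bytes) -> bytes:
    """Iterated MAC: compress all blocks, then apply the output transformation."""
    return _finalize(key, internal_state(key, msg))


def birthday_bound(bits: int) -> int:
    """Roughly how many random samples are needed before a collision is expected."""
    return math.isqrt(2 ** bits)


def find_internal_collision(oracle):
    """Chosen-message attack: query distinct single-block messages until a tag repeats.
    With TAG_BITS > STATE_BITS the output transformation is injective on the state
    space with overwhelming probability, so a repeated tag means a repeated internal
    state. Terminates within 2**STATE_BITS + 1 queries by the pigeonhole principle."""
    seen = {}
    for i in range(2 ** STATE_BITS + 1):
        m = i.to_bytes(BLOCK_BYTES, "big")
        t = oracle(m)
        if t in seen:
            return seen[t], m, i + 1      # (x, y, number of MAC queries used)
        seen[t] = m
    raise AssertionError("unreachable: state space exhausted without a repeat")


def extension_forgery(oracle, x: bytes, y: bytes, z: bytes):
    """Given an internal collision x, y and any suffix z, one query on x || z
    yields a valid tag for y || z, which was never submitted to the oracle."""
    return y + z, oracle(x + z)


def demo() -> dict:
    oracle = lambda m: mac(KEY, m)                     # attacker only sees tags
    x, y, queries = find_internal_collision(oracle)
    suffix = b"\x00" * 4 + b"evil"                     # constructed 2-block suffix z
    forged_msg, forged_tag = extension_forgery(oracle, x, y, suffix)
    return {
        "queries": queries,
        "state_birthday_bound": birthday_bound(STATE_BITS),   # 256
        "tag_birthday_bound": birthday_bound(TAG_BITS),       # 2**32
        "distinct_messages": x != y,
        "same_state": internal_state(KEY, x) == internal_state(KEY, y),
        "forgery_valid": mac(KEY, forged_msg) == forged_tag,
    }


if __name__ == "__main__":
    print(demo())
```

Running it shows the attacker finding an internal collision after a few hundred queries, far below the 2^32 a naive birthday search on the 64-bit tag would suggest, and the forged (y || z, tag) pair verifying. Shrinking the tag to 16 bits would not change the query count, and enlarging it to 128 would not raise it; only the chaining state size matters for this attack.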