FastPRF

Question

FastPRF

tarcieri opened this issue 7 years ago · 5 comments

Some interesting ideas in this paper, potentially applicable to PMAC:

Answer 1 · 2017-09-12T04:12:49.000Z

FastPRF cannot help much with PMAC or SIV, since you have a birthday factor endemic to the mode itself. It can help with GCM[-SIV], or more generally counter mode combined with Wegman-Carter, which (with unique nonces) does not have such quadratic factors when used with a PRF. GCM-SIV gets around the birthday factor inherent to SIV-type modes by deriving new keys for each nonce.

Answer 2 · 2017-09-12T05:13:24.000Z

Thanks for the input! Will go ahead and close this issue out then, as I would personally like to avoid the nonce-specific key derivation as a mandatory step, and it can always be pursued as an optional one.

Answer 3 · 2017-09-19T17:25:07.000Z

@sneves I'm curious if 1k-PMAC_Plus might address the birthday bound issues:

#76

Answer 4 · 2017-09-19T20:54:37.000Z

It does, with respect to the MAC component, but the fundamental issue with SIV remains---collisions in the IV/tag will still happen around the birthday bound, and this will compromise the confidentiality of the mode.

Answer 5 · 2017-09-19T21:06:21.000Z

@sneves thanks for the clarification!