Koblitz and Menezes have responded to the discussion, both by posting an updated version of their HMAC paper (http://eprint.iacr.org/2012/074) and by posting a new paper “Another look at non-uniformity” — see http://www.anotherlook.ca/nonunif.shtml for links to that paper and to additional material (such as slides at http://cacr.uwaterloo.ca/~ajmeneze/anotherlook/ECC2012.pdf, for the impatient reader).

Regarding the question of whether or not there is a “flaw”, here is the core of an essential quote from the latest version of “Another look at HMAC”:

“The claim that Bellare’s proofs are in the non-uniform model of complexity may be puzzling to readers, since the paragraph titled “Techniques” in the Introduction would lead those who understand the uniform vs. non-uniform distinction to conclude that Bellare is not using the non-uniform model of complexity. He writes: “[...]” [...] this statement makes no sense if proofs are valid only in the non-uniform model. Thus, a careful reader would be led to believe that Bellare’s results are intended to be valid in the uniform model of complexity.

Moreover, in the next section we show that the analysis of his theorem that Bellare provides in §3.2 of [1] is flawed, because it implicitly assumes that his proof is valid in the uniform model of complexity.”

(I do realize that this update continues to side-track the actual subject of this blog article, which is _how_ to deal with flaws. In this regard, it seems fair to say that Yehuda has observed a flaw in Neal Koblitz. Do I agree with how he has reported it? Well, if I didn’t, I probably shouldn’t tell you here.)

P.S. Make sure you are familiar with time-space tradeoff and precomputation attacks before reading Bernstein’s slides; otherwise some aspects may be inscrutable (e.g., where 2^85 comes from).

I’d suggest teaching about confidentiality and integrity. I explain that one of the most common mistakes is to use encryption without authentication, thinking that all you need is confidentiality but not integrity, and actually ending up with neither. Make sure to give some real-world examples.

Then, I would explain about the concept of a secure channel.

I actually think that we do our students a disservice by focusing so heavily on the low-level primitives like encryption and message authentication. Those are too low-level, and consequently get misused. For 95% of applications, the abstraction they need is either a secure channel (e.g., SSL/TLS), or secure storage (e.g., GPG).
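The point in the comment above, that encryption without authentication can leave you with neither confidentiality nor integrity, is easy to see on a stream cipher: flipping a ciphertext byte flips the corresponding plaintext byte, and nothing detects it. The following is an added illustration, not code from the post or from any commenter. It uses a constructed toy stream cipher (HMAC-SHA256 in counter mode as a keystream, chosen only so the example runs with the Python standard library) and compares an unauthenticated decrypt with an encrypt-then-MAC decrypt that rejects any modified ciphertext. Keys, nonce and message are constructed sample values.

```python
import hashlib
import hmac

TAG_LEN = 32  # HMAC-SHA256 output length

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: HMAC-SHA256(key, nonce || counter) blocks (illustration only)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(block)
        counter += 1
    return bytes(out[:length])

def encrypt_only(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Confidentiality only: XOR with the keystream, no integrity protection."""
    ks = _keystream(key, nonce, len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, ks))

def decrypt_only(key: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    """XOR is its own inverse, so decryption is the same operation."""
    return encrypt_only(key, nonce, ciphertext)

def encrypt_then_mac(enc_key: bytes, mac_key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Encrypt, then MAC the nonce and ciphertext with a separate key; return ct || tag."""
    ct = encrypt_only(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return ct + tag

def decrypt_verify(enc_key: bytes, mac_key: bytes, nonce: bytes, blob: bytes):
    """Verify the tag in constant time before decrypting; return None on any mismatch."""
    if len(blob) < TAG_LEN:
        return None
    ct, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # reject: ciphertext (or nonce) was modified in transit
    return decrypt_only(enc_key, nonce, ct)

def corrupt_byte(data: bytes, index: int, delta: int) -> bytes:
    """Simulate an in-transit modification of one byte (a bit flip)."""
    out = bytearray(data)
    out[index] ^= delta
    return bytes(out)

def demo():
    # Constructed sample keys, nonce and message.
    enc_key = bytes(range(32))
    mac_key = bytes(range(32, 64))
    nonce = b"\x00" * 16
    message = b"PAY 0010 EUR TO ALICE"

    # Byte 4 is the leading '0' of the amount; XOR with '0'^'9' turns it into '9'.
    delta = ord("0") ^ ord("9")

    # Unauthenticated: the modified ciphertext decrypts to a different, valid-looking message.
    ct = encrypt_only(enc_key, nonce, message)
    tampered_plain = decrypt_only(enc_key, nonce, corrupt_byte(ct, 4, delta))

    # Encrypt-then-MAC: the same modification is rejected; the honest blob still decrypts.
    blob = encrypt_then_mac(enc_key, mac_key, nonce, message)
    honest = decrypt_verify(enc_key, mac_key, nonce, blob)
    rejected = decrypt_verify(enc_key, mac_key, nonce, corrupt_byte(blob, 4, delta))

    return tampered_plain, honest, rejected

if __name__ == "__main__":
    t, h, r = demo()
    print("unauthenticated decrypt of modified ciphertext:", t)
    print("encrypt-then-MAC, honest blob:", h)
    print("encrypt-then-MAC, modified blob:", r)
```

The MAC is computed over the nonce as well as the ciphertext and uses a key independent of the encryption key; the comparison is done with `hmac.compare_digest` so the verifier does not leak timing information about the tag. In real systems this role is filled by an authenticated-encryption mode or, as the comment suggests, by a secure channel such as TLS rather than by hand-rolled composition.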

I also am a strong believer that a strong foundation in theory helps practice. However, I have no contempt whatsoever of cryptanalysis or practice. By the way, from my experience in Crypto and Eurocrypt committees, papers on cryptanalysis get rejected by cryptanalysis people and certainly NOT by theory people (who have no opinion on it).

Regarding open contempt: I have never ever seen a paper or heard a talk by a theoretician who shows open contempt of practice and criticises an entire field, like [KM]. (Now, I am sure that there are some theoreticians with such contempt. However, they are not writing papers about this contempt and are not given wide support for their contempt.)

One last word: I DO believe that there is merit to some claims made by [KM]. Indeed, proofs need to be checked more. Indeed, a discussion on the usefulness of theoretical models in practice is important. And more. However, a discussion based on mutual respect of both sides is much more constructive and productive than a mud-slinging match.

