Thursday, August 24, 2006

Removing the proof-based support

Today, Mihir Bellare presented a paper with this abstract:
HMAC was proved in [2] to be a PRF assuming that (1) the underlying compression function is a PRF, and (2) the iterated hash function is weakly collision-resistant. However, recent attacks show that assumption (2) is false for MD5 and SHA-1, removing the proof-based support for HMAC in these cases. This paper proves that HMAC is a PRF under the sole assumption that the compression function is a PRF. This recovers a proof based guarantee since no known attacks compromise the pseudorandomness of the compression function, ...
The paper actually had some legitimate arguments for the security of HMAC, but this abstract makes him sound like a charlatan to any mathematician.

First, he claims to prove that something is a PRF assuming that it is already a PRF plus another assumption. Then he admits that the proof is invalid, by using the euphemism "removing the proof-based support". Then he again claims to prove that something is a PRF assuming that it is already a PRF. The last sentence is the silliest.

What is a "proof based guarantee"? Does he have a proof or not? It sounds like he is saying that he seems to have a proof because no one has found a counterexample yet. If he really had a proven guarantee, then he wouldn't be worrying about the known attacks.
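For readers who want to see exactly which pieces the abstract's two assumptions refer to, here is HMAC written out from its definition (RFC 2104). This is an added example, not code from the post or from Bellare's paper. The inner call `H((K xor ipad) || M)` is the "iterated hash function" of assumption (2), keyed by a single prepended block; the "compression function" of assumption (1) is the primitive that `hashlib` iterates internally over each 64-byte block. The function and hash names are this example's own choices; the known-answer value in the usage note is the standard public HMAC-MD5 test vector.

```python
import hashlib
import hmac as stdlib_hmac

IPAD_BYTE = 0x36
OPAD_BYTE = 0x5C


def _prepare_key(key: bytes, hash_name: str) -> bytes:
    """Bring the key to exactly one compression-function block (RFC 2104 rules)."""
    block_size = hashlib.new(hash_name).block_size  # 64 for MD5/SHA-1/SHA-256
    if len(key) > block_size:
        # Over-long keys are hashed down first.
        key = hashlib.new(hash_name, key).digest()
    # Shorter keys are right-padded with zero bytes to a full block.
    return key.ljust(block_size, b"\x00")


def keyed_iterated_hash(key_block: bytes, data: bytes, hash_name: str) -> bytes:
    """H(key_block || data): the iterated hash with a key block prepended.

    This is the object assumption (2) in the abstract talks about. The hash
    library feeds key_block as the first compression-function input and then
    iterates the compression function over the remaining blocks of data.
    """
    return hashlib.new(hash_name, key_block + data).digest()


def hmac_from_definition(key: bytes, message: bytes, hash_name: str = "sha1") -> bytes:
    """HMAC(K, M) = H((K' xor opad) || H((K' xor ipad) || M))."""
    key_block = _prepare_key(key, hash_name)
    k_ipad = bytes(b ^ IPAD_BYTE for b in key_block)
    k_opad = bytes(b ^ OPAD_BYTE for b in key_block)
    inner = keyed_iterated_hash(k_ipad, message, hash_name)   # inner keyed hash over M
    return keyed_iterated_hash(k_opad, inner, hash_name)      # outer keyed hash over one block


def matches_stdlib(key: bytes, message: bytes, hash_name: str = "sha1") -> bool:
    """Cross-check the hand-written construction against Python's hmac module."""
    expected = stdlib_hmac.new(key, message, hash_name).digest()
    return stdlib_hmac.compare_digest(hmac_from_definition(key, message, hash_name), expected)


if __name__ == "__main__":
    # Constructed sample inputs; the MD5 result is the well-known public test vector.
    key = b"key"
    msg = b"The quick brown fox jumps over the lazy dog"
    for name in ("md5", "sha1", "sha256"):
        print(name, hmac_from_definition(key, msg, name).hex(), matches_stdlib(key, msg, name))
```

Running it with key `key` and the "quick brown fox" message gives `80070713463e7749b90c2dc24911e275` for MD5 and `True` for every cross-check. The point the structure makes visible: the known MD5 and SHA-1 attacks target `keyed_iterated_hash` as a whole (collisions in the unkeyed iteration), while the paper's new proof leans only on the single compression-function step that `hashlib` repeats inside it.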
