SHA-based encryption function in Python

Bryan Olson fakeaddress at nowhere.org
Wed Apr 24 23:50:59 EDT 2002


Paul Rubin wrote:

 > Note that there's a trivial O(2**64) attack on my authentication since
 > I'm truncating the MAC to 8 bytes.  So if a security difference
 > between HMAC and what I'm doing needs more than O(2**64) work to
 > exploit, it's not really useful to an attacker.  Is that a reasonable
 > way to think of this?

I don't think it's reasonable, no.  The 2**64 attack is to try sending
messages until the defender accepts one.  It cannot be done off-line
because the attacker cannot tell when he has the right MAC.  It's not
comparable to a 2**64 off-line work factor.

--Bryan
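An added illustration (not code from either poster) of the point above: a guessed truncated tag can only be checked by submitting it to the defender, so the defender controls how many guesses are ever tested. HMAC-SHA1 stands in for the MAC under discussion, and the `Verifier` class, its failure cap, the demo key and the 2-byte demo tag are assumptions chosen so the loop finishes quickly.

```python
import hashlib
import hmac

TAG_BYTES = 8  # truncation length discussed in the thread

def make_tag(key, msg, tag_bytes=TAG_BYTES):
    """HMAC-SHA1 truncated to tag_bytes (stand-in for the thread's MAC)."""
    return hmac.new(key, msg, hashlib.sha1).digest()[:tag_bytes]

class Verifier:
    """Defender side: the only place a guessed tag can be tested."""
    def __init__(self, key, tag_bytes=TAG_BYTES, max_failures=1000):
        self._key = key
        self.tag_bytes = tag_bytes
        self.max_failures = max_failures  # hypothetical policy knob
        self.failures = 0
        self.locked = False

    def accept(self, msg, tag):
        if self.locked:
            return False  # after lockout even a correct tag is refused
        ok = hmac.compare_digest(make_tag(self._key, msg, self.tag_bytes), tag)
        if not ok:
            self.failures += 1
            self.locked = self.failures >= self.max_failures
        return ok

def forgery_bound(max_failures, tag_bytes):
    """Upper bound on a blind guesser's chance of one acceptance before lockout."""
    return min(1.0, max_failures / 2 ** (8 * tag_bytes))

def online_guess(verifier, msg):
    """Enumerate tags against the live verifier; returns (accepted, queries)."""
    for queries, guess in enumerate(range(2 ** (8 * verifier.tag_bytes)), 1):
        if verifier.locked:
            return False, queries - 1
        if verifier.accept(msg, guess.to_bytes(verifier.tag_bytes, "big")):
            return True, queries
    return False, queries

if __name__ == "__main__":
    key = b"constructed demo key"  # constructed sample value
    v = Verifier(key, tag_bytes=2, max_failures=100)
    print("2-byte tag, cap 100:", online_guess(v, b"hello"))
    print("8-byte tag, cap 1000, bound:", forgery_bound(1000, 8))
```

Every guess costs the guesser one message to the verifier and leaves one failure the defender can count, which is what separates this from an off-line search.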



