On Wed, May 2, 2012 at 8:00 PM, D. J. Bernstein <d...@cr.yp.to> wrote:
> I should emphasize that an authenticated-cipher competition would be
> much more than an "AE mode" competition. There are certainly people
> working on new ways to use AES, but there are many more people working
> on new authenticators, new block ciphers, new stream ciphers, new
> ciphers with built-in authentication mechanisms, etc.
A few years ago Schneier proposed a cipher called Helix that, while
broken, has some very interesting properties making it unlike any other
cipher or cipher mode I'm aware of.

> Zooko Wilcox-O'Hearn writes:
>> authenticated encryption can't satisfy any of my use cases!
>
> Of course it can! Evidently you want to combine it with public-key
> signatures, which will render the secret-key authenticator useless, so
> for efficiency you'd like to suppress that authenticator. This doesn't
> work well with something like AES-OCB3, but it _does_ work well with
> something like AES-GCM, giving you AES-CTR.

Well, Zooko has an application that uses Merkle hash trees and really
wants to authenticate only the roots of the trees, with all the leaves
being encrypted without authentication. I think that's a perfectly fine
design, assuming a strong enough hash primitive. It *is* AE, in a way,
but it's not AE like GCM and it's intimately tied to Tahoe-LAFS' on-disk
format. Git is very similar (though there's no built-in head signature
scheme, IIRC, but it's perfectly possible to sign git hashes); git does
use SHA-1, which is too weak for my taste, but aside from that the design
is fine.

Nico
--
_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
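The design Nico describes above, as an added example that is not part of the thread and not code from Tahoe-LAFS or git: each leaf is encrypted with an unauthenticated stream cipher, a Merkle tree is built over the ciphertext leaves, and only the root carries an authenticator. Reading a leaf means checking the root's authenticator, checking the leaf's inclusion proof against that root, and then decrypting. The stream cipher here is an assumed stand-in (an HMAC-SHA256 keystream XORed in counter mode, the same shape as AES-CTR and equally malleable), since the standard library has no AES; the root authenticator is an HMAC where Zooko's setting would use a public-key signature. Leaf and internal-node hashes are domain-separated, and an odd node is carried up unchanged rather than duplicated, both choices being the editor's, not something the post specifies.

```python
import hashlib
import hmac

# Editor's example, not code from the thread, Tahoe-LAFS or git.
# Leaves: unauthenticated ciphertext. Authentication: Merkle root only.
# Stream cipher: HMAC-SHA256 counter-mode keystream as a stand-in for
# AES-CTR (assumption). Root authenticator: HMAC standing in for a
# public-key signature (assumption).

LEAF, NODE = b"\x00", b"\x01"  # domain separation: leaf vs internal node


def _keystream(key, nonce, length):
    """Counter-mode keystream; stand-in for AES-CTR (assumption)."""
    out = bytearray()
    ctr = 0
    while len(out) < length:
        out += hmac.new(key, nonce + ctr.to_bytes(8, "big"), hashlib.sha256).digest()
        ctr += 1
    return bytes(out[:length])


def ctr_xor(key, nonce, data):
    """Encrypt or decrypt (XOR is its own inverse). No integrity at all."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))


def hash_leaf(data):
    return hashlib.sha256(LEAF + data).digest()


def hash_node(left, right):
    return hashlib.sha256(NODE + left + right).digest()


def _next_level(level):
    # An odd trailing node is carried up unchanged, which avoids the
    # ambiguity of duplicating the last node.
    return [hash_node(level[i], level[i + 1]) if i + 1 < len(level) else level[i]
            for i in range(0, len(level), 2)]


def merkle_root(leaves):
    level = [hash_leaf(x) for x in leaves]
    while len(level) > 1:
        level = _next_level(level)
    return level[0]


def merkle_proof(leaves, index):
    """Inclusion proof: list of (sibling_is_left, sibling_hash), leaf to root."""
    level = [hash_leaf(x) for x in leaves]
    proof = []
    while len(level) > 1:
        sib = index ^ 1
        if sib < len(level):
            proof.append((sib < index, level[sib]))
        level = _next_level(level)
        index //= 2
    return proof


def verify_proof(root, leaf, proof):
    h = hash_leaf(leaf)
    for sibling_is_left, sib in proof:
        h = hash_node(sib, h) if sibling_is_left else hash_node(h, sib)
    return hmac.compare_digest(h, root)


def store(enc_key, mac_key, plaintexts):
    """Encrypt leaves without per-leaf tags; authenticate only the root."""
    # The nonce is the leaf index, so enc_key must be unique per tree
    # (per file): reusing it across trees would reuse CTR keystream.
    leaves = []
    for i, pt in enumerate(plaintexts):
        nonce = i.to_bytes(8, "big")
        leaves.append(nonce + ctr_xor(enc_key, nonce, pt))
    root = merkle_root(leaves)
    root_tag = hmac.new(mac_key, root, hashlib.sha256).digest()
    return leaves, root, root_tag


def read_leaf(enc_key, mac_key, root, root_tag, leaf, proof):
    """Plaintext of one leaf, or None if the root or the proof fails to verify."""
    expected = hmac.new(mac_key, root, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, root_tag):
        return None
    if not verify_proof(root, leaf, proof):
        return None
    return ctr_xor(enc_key, leaf[:8], leaf[8:])


def demo():
    enc_key, mac_key = b"enc-key-for-this-tree", b"mac-key-for-the-root"
    plaintexts = [b"block one", b"block two", b"block three"]  # constructed sample
    leaves, root, tag = store(enc_key, mac_key, plaintexts)
    ok = read_leaf(enc_key, mac_key, root, tag, leaves[2], merkle_proof(leaves, 2))
    # CTR malleability: one flipped ciphertext bit flips one plaintext bit,
    # but the inclusion proof no longer matches the authenticated root.
    forged = leaves[2][:8] + bytes([leaves[2][8] ^ 0x01]) + leaves[2][9:]
    bad = read_leaf(enc_key, mac_key, root, tag, forged, merkle_proof(leaves, 2))
    return ok, bad


if __name__ == "__main__":
    print(demo())
```

The point of the forged-leaf case is the one Nico makes: the leaves are not authenticated individually, yet the construction as a whole rejects any modified ciphertext, because the tree commits to the ciphertexts and the root is what gets authenticated. The strength of that guarantee rests entirely on the hash (second-preimage resistance of the leaf and node hashes), which is why the hash choice matters more here than in a GCM-style design.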