http://eprint.iacr.org/2013/338.pdf
Isn't this straight from the crypto paper construction kit? Make up
some criterion, show that a popular primitive or implementation lacks
it, demonstrate that a new construction has it. Talk about the
standard model. Do not provide any explicit bounds.
Date: Tue, 1 Oct 2013 15:45:27 -0400
From: zooko zo...@zooko.com
To: Multiple recipients of list hash-fo...@nist.gov
Subject: Re: On 128-bit security
Folks:
Here are my personal opinions about these issues. I'm not expert at
cryptanalysis. Disclosure: I'm one of the authors of BLAKE2 (but not