On Mon, 12 Mar 2012 09:40:18 -0500 Watson Ladd <[email protected]> wrote:
> On Mon, Mar 12, 2012 at 9:04 AM, Robert Ransom <[email protected]> wrote:
> > On 2012-03-12, Watson Ladd <[email protected]> wrote:
> >> On Sun, Mar 11, 2012 at 10:45 PM, Robert Ransom <[email protected]>
> >> wrote:
> >
> >>> (The BEAR/LION key would likely be different for each cell that a
> >>> relay processes.)
> >> Different how: if we simply increment the key we still remain open to
> >> replay attacks.
> >
> > The paper proves that BEAR and LION are 'secure' if the two (three?)
> > parts of the key are 'independent'. Choosing the subkeys
> > independently is too expensive for Tor, but the standard way to
> > generate 'indistinguishable-from-independent' secrets is to feed your
> > key to a stream cipher (also known as a 'keystream generator').

The most adequate solution is described in:

"Duplexing the sponge: single-pass authenticated encryption and other applications"
Guido Bertoni, Joan Daemen, Michaël Peeters, and Gilles Van Assche
http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/DAEMEN_DuplexSponge.pdf

This is the SHA-3 workshop finalist Keccak, a universal cryptoprimitive (not only a hash) in a special duplexing mode: stream encryption and authentication in one pass.

I hope NIST and the crypto community choose it as a new standard.
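Added example, not from this thread and not the Keccak team's or the paper's own code: a minimal duplex object over Keccak-f[1600] and a SpongeWrap-style single pass that encrypts a message and squeezes an authentication tag from the same state, which is the "stream encryption and authentication in one pass" the reply refers to. It assumes a simplified frame (no frame bits, no associated data, toy block and tag sizes); the permutation is sanity-checked against hashlib's SHA3-256, and key, nonce and payload values in the checks are constructed.

```python
import hashlib, hmac

RC = [0x1, 0x8082, 0x800000000000808A, 0x8000000080008000, 0x808B, 0x80000001,
      0x8000000080008081, 0x8000000000008009, 0x8A, 0x88, 0x80008009, 0x8000000A,
      0x8000808B, 0x800000000000008B, 0x8000000000008089, 0x8000000000008003,
      0x8000000000008002, 0x8000000000000080, 0x800A, 0x800000008000000A,
      0x8000000080008081, 0x8000000000008080, 0x80000001, 0x8000000080008008]
ROT = [[0, 36, 3, 41, 18], [1, 44, 10, 45, 2], [62, 6, 43, 15, 61],
       [28, 55, 25, 21, 56], [27, 20, 39, 8, 14]]          # rho offsets, ROT[x][y]
def rol(v, n): return ((v << n) | (v >> (64 - n))) & 0xFFFFFFFFFFFFFFFF  # 64-bit rotate

def keccak_f(state):  # Keccak-f[1600] on 200 bytes; lane (x,y) = bytes 8*(x+5y).., little-endian
    A = [[int.from_bytes(state[8 * (x + 5 * y):][:8], "little") for y in range(5)] for x in range(5)]
    for rc in RC:                                   # one round: theta, rho, pi, chi, iota
        C = [A[x][0] ^ A[x][1] ^ A[x][2] ^ A[x][3] ^ A[x][4] for x in range(5)]
        D = [C[(x - 1) % 5] ^ rol(C[(x + 1) % 5], 1) for x in range(5)]
        B = [[0] * 5 for _ in range(5)]
        for x in range(5):
            for y in range(5):
                B[y][(2 * x + 3 * y) % 5] = rol(A[x][y] ^ D[x], ROT[x][y])
        A = [[B[x][y] ^ (~B[(x + 1) % 5][y] & B[(x + 2) % 5][y]) for y in range(5)] for x in range(5)]
        A[0][0] ^= rc
    return b"".join(A[x][y].to_bytes(8, "little") for y in range(5) for x in range(5))

class Duplex:  # duplex object of the paper: each call absorbs one block and squeezes output
    def __init__(self, rate=136): self.rate, self.state = rate, bytes(200)
    def duplexing(self, sigma, out_len):
        assert len(sigma) < self.rate and out_len <= self.rate
        block = bytearray(sigma) + bytes(self.rate - len(sigma))
        block[len(sigma)] ^= 0x01; block[-1] ^= 0x80      # pad10*1 inside the rate part
        self.state = keccak_f(bytes(a ^ b for a, b in zip(block, self.state)) + self.state[self.rate:])
        return self.state[:out_len]

def spongewrap(key, nonce, data, decrypt=False, tag_len=16, block=32):
    # one pass: squeeze keystream, XOR a block, feed the *plaintext* block back in; last squeeze = tag
    d = Duplex(); d.duplexing(key, 0)                 # key the duplex object (output unused)
    z, out = d.duplexing(nonce, block), b""           # per-message nonce, first keystream block
    for i in range(0, len(data), block):
        x = bytes(a ^ b for a, b in zip(data[i:i + block], z))
        out += x
        z = d.duplexing(x if decrypt else data[i:i + block], block)
    return out, z[:tag_len]

def unwrap(key, nonce, ciphertext, tag):              # decrypt, then constant-time tag check
    pt, t = spongewrap(key, nonce, ciphertext, decrypt=True, tag_len=len(tag))
    return pt if tag and hmac.compare_digest(t, tag) else None

def check_permutation(msg=b"abc"):                    # one-block SHA3-256 on keccak_f vs. hashlib
    block = bytearray(msg) + bytes(136 - len(msg)); block[len(msg)] ^= 0x06; block[-1] ^= 0x80
    return keccak_f(bytes(block) + bytes(64))[:32] == hashlib.sha3_256(msg).digest()
```

Because every plaintext block is absorbed before the next keystream block is squeezed, a modified or truncated ciphertext changes the state the tag is squeezed from, so unwrap returns None instead of plaintext.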
