
Re: paper comment



George: I'll fix it in the paper if you change the picture to say
AONT rather than BEAR. Sound good? (Is this a good thing to change it
to? Read below.)

> I would prefer to see BEAR replaced by an abstract primitive with the
> properties required and then BEAR brought up as an example of such a
> primitive at the beginning. That way you can plan for a Type 3.5 remailer
[snip]
> Just for my own understanding, BEAR is attractive because
> 
> 	* it is variable length
> 	* it is an AONT
> 	* it respects length
> 	* encryption and decryption are the same operation

actually, we need encryption=decryption but bear by default doesn't give
us that. but we convinced ourselves that if we set the keys equal for
the hash steps then it's symmetric (and not too insecure, we hope ;)

> 	* anything else?
> 
> In any case, you should acknowledge the critique of BEAR Nick mentioned
> earlier:
> http://citeseer.nj.nec.com/124166.html
> 
> to avoid it being mentioned to you by reviewers. and maybe talk about
> briefly if BEAR should fail what plan B is. It seems to me that one naive
> way to work around the issue is by padding everything to a maximum length and
> then using OAEP-AONT + AES -- you would keep the tagging resistance, but
> lose the variable length and the same operation for encryption and
> decryption.

actually, we don't use the fact that it can handle variable-length-ness.
there are two sizes which are AONT'ed -- the size of a header and the size
of a payload.

i don't know much about this, so i'd like to defer to somebody who has more
clue, if such a person is here :)

--roger
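
The point in the message above about setting the keys equal for the hash steps, shown as an added example that is not part of the original message or the paper's code: a three-round BEAR-style construction in which decryption is the same rounds with the two hash keys swapped, so equal keys make the operation its own inverse. Assumptions: HMAC-SHA256 stands in for the keyed hash, SHAKE-256 for the stream generator, and the key and block sizes are constructed for the demonstration.

```python
import hashlib
import hmac

HASH_LEN = 32  # SHA-256 output size; the left part L of the block is this long


def _keyed_hash(key: bytes, data: bytes) -> bytes:
    # Assumption: HMAC-SHA256 as the keyed hash H_K.
    return hmac.new(key, data, hashlib.sha256).digest()


def _stream(seed: bytes, n: int) -> bytes:
    # Assumption: SHAKE-256 as the stream generator S, seeded by L.
    return hashlib.shake_256(seed).digest(n)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def bear(block: bytes, k1: bytes, k2: bytes) -> bytes:
    """Length-preserving transform: L ^= H_k1(R); R ^= S(L); L ^= H_k2(R)."""
    if len(block) <= HASH_LEN:
        raise ValueError("block must be longer than the hash output")
    left, right = block[:HASH_LEN], block[HASH_LEN:]
    left = _xor(left, _keyed_hash(k1, right))
    right = _xor(right, _stream(left, len(right)))
    left = _xor(left, _keyed_hash(k2, right))
    return left + right


def bear_inverse(block: bytes, k1: bytes, k2: bytes) -> bytes:
    # Undoing the rounds in reverse order is the same code with keys swapped.
    return bear(block, k2, k1)


def is_involution(block: bytes, k1: bytes, k2: bytes) -> bool:
    """True when applying bear twice with the same key pair returns the input."""
    return bear(bear(block, k1, k2), k1, k2) == block


# Constructed sample data: two fixed block sizes, as for a header and a payload.
HEADER = bytes(range(256)) * 2   # 512 bytes (size chosen for the example)
PAYLOAD = b"\x42" * 4096         # 4096 bytes (size chosen for the example)
KEY_A = hashlib.sha256(b"constructed key A").digest()
KEY_B = hashlib.sha256(b"constructed key B").digest()

if __name__ == "__main__":
    for name, blk in (("header", HEADER), ("payload", PAYLOAD)):
        print(name, "equal keys:", is_involution(blk, KEY_A, KEY_A),
              "distinct keys:", is_involution(blk, KEY_A, KEY_B))
```
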