
Re: [tor-dev] Analysis of the Relative Severity of Tagging Attacks



On Mon, 12 Mar 2012 09:40:18 -0500
Watson Ladd <watsonbladd@xxxxxxxxx> wrote:

> On Mon, Mar 12, 2012 at 9:04 AM, Robert Ransom <rransom.8774@xxxxxxxxx> wrote:
> > On 2012-03-12, Watson Ladd <watsonbladd@xxxxxxxxx> wrote:
> >> On Sun, Mar 11, 2012 at 10:45 PM, Robert Ransom <rransom.8774@xxxxxxxxx>
> >> wrote:
> >
> >>> (The BEAR/LION key would likely be different for each cell that a
> >>> relay processes.)
> >> Different how: if we simply increment the key we still remain open to
> >> replay attacks.
> >
> > The paper proves that BEAR and LION are 'secure' if the two (three?)
> > parts of the key are 'independent'. Choosing the subkeys
> > independently is too expensive for Tor, but the standard way to
> > generate 'indistinguishable-from-independent' secrets is to feed your
> > key to a stream cipher (also known as a 'keystream generator').

The most adequate solution is described in:

"Duplexing the sponge: single-pass authenticated encryption and other applications"
Guido Bertoni, Joan Daemen, Michaël Peeters, and Gilles Van Assche

http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/DAEMEN_DuplexSponge.pdf

This is the SHA-3 workshop finalist Keccak, a universal cryptoprimitive (not only a hash)
in a special duplexing mode: stream encryption and authentication in one pass.

I hope NIST and the cryptocommunity choose it as a new standard.
_______________________________________________
tor-dev mailing list
tor-dev@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
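
The subkey derivation discussed in the quoted text, as an added example that is not code from this thread or from Tor: a LION-style wide-block cipher whose two subkeys are cut, per cell, from the output of a keystream generator fed with the master key. Assumptions: SHAKE256 and SHA3-256 (both Keccak-based) stand in for the stream cipher and hash, and the derivation input format, the 512-byte block and all names are hypothetical.

```python
import hashlib

HASH_LEN = 32  # left half L is as long as the hash output (assumption)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def keystream(seed: bytes, n: int) -> bytes:
    # SHAKE256 used as the keystream generator S (stand-in choice).
    return hashlib.shake_256(b"stream" + seed).digest(n)

def derive_subkeys(master: bytes, cell_no: int):
    # Feed the master key and a per-cell counter to the generator and cut the
    # output into two subkeys (hypothetical input format, not Tor's).
    seed = b"subkeys" + master + cell_no.to_bytes(8, "big")
    out = hashlib.shake_256(seed).digest(2 * HASH_LEN)
    return out[:HASH_LEN], out[HASH_LEN:]

def lion_encrypt(master: bytes, cell_no: int, block: bytes) -> bytes:
    k1, k2 = derive_subkeys(master, cell_no)
    left, right = block[:HASH_LEN], block[HASH_LEN:]
    right = xor(right, keystream(xor(left, k1), len(right)))  # R ^= S(L ^ K1)
    left = xor(left, hashlib.sha3_256(right).digest())        # L ^= H(R)
    right = xor(right, keystream(xor(left, k2), len(right)))  # R ^= S(L ^ K2)
    return left + right

def lion_decrypt(master: bytes, cell_no: int, block: bytes) -> bytes:
    k1, k2 = derive_subkeys(master, cell_no)
    left, right = block[:HASH_LEN], block[HASH_LEN:]
    right = xor(right, keystream(xor(left, k2), len(right)))  # undo round 3
    left = xor(left, hashlib.sha3_256(right).digest())        # undo round 2
    right = xor(right, keystream(xor(left, k1), len(right)))  # undo round 1
    return left + right

def changed_fraction(a: bytes, b: bytes) -> float:
    # Share of byte positions that differ between two equal-length strings.
    return sum(x != y for x, y in zip(a, b)) / len(a)

MASTER = bytes(range(32))                                # constructed key
CELL = b"constructed cell payload ".ljust(512, b".")     # constructed block

if __name__ == "__main__":
    ct = lion_encrypt(MASTER, 7, CELL)
    modified = ct[:-1] + bytes([ct[-1] ^ 1])             # one bit altered in transit
    print("round trip ok:", lion_decrypt(MASTER, 7, ct) == CELL)
    print("bytes changed after 1-bit modification:",
          changed_fraction(lion_decrypt(MASTER, 7, modified), CELL))
```

A single altered ciphertext bit changes essentially every byte of the decrypted block, which is the wide-block property that makes a modification unrecognisable downstream. The per-cell counter only separates subkeys and does not by itself address the replay concern raised in the quoted text.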