[tor-dev] Analysis of the Relative Severity of Tagging Attacks
unknown
unknown at pgpru.com
Mon Mar 12 17:30:22 UTC 2012
On Mon, 12 Mar 2012 09:40:18 -0500
Watson Ladd <watsonbladd at gmail.com> wrote:
> On Mon, Mar 12, 2012 at 9:04 AM, Robert Ransom <rransom.8774 at gmail.com> wrote:
> > On 2012-03-12, Watson Ladd <watsonbladd at gmail.com> wrote:
> >> On Sun, Mar 11, 2012 at 10:45 PM, Robert Ransom <rransom.8774 at gmail.com>
> >> wrote:
> >
> >>> (The BEAR/LION key would likely be different for each cell that a
> >>> relay processes.)
> >> Different how: if we simply increment the key we still remain open to
> >> replay attacks.
> >
> > The paper proves that BEAR and LION are 'secure' if the two (three?)
> > parts of the key are 'independent'. Choosing the subkeys
> > independently is too expensive for Tor, but the standard way to
> > generate 'indistinguishable-from-independent' secrets is to feed your
> > key to a stream cipher (also known as a 'keystream generator').
The most adequate solution described in:
"Duplexing the sponge: single-pass authenticated encryption and other applications"
Guido Bertoni, Joan Daemen, Michaël Peeters, and Gilles Van Assche
http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/DAEMEN_DuplexSponge.pdf
This is a SHA-3 workshop finalist Keccak, a universal cryptoprimitive (not only hash)
in special duplexing mode: stream encryption and authentication in one pass.
I hope NIST and cryptocommunity choose it as a new standard.
More information about the tor-dev
mailing list