On Mon, 31 Oct 2011 23:59:55 -0500 Watson Ladd watsonbladd@gmail.com wrote:
What about this for modification resistance? We keep a count of all cells passing and use AES in CTR mode with a 2 part counter: the first part the cell counter, the second one a block counter. Then to authenticate the cell we can use a 16 byte tag and a Wegman-Carter MAC. This gives a total overhead of 48 bytes for a three hop link, which is half the cited one, and which is provably as secure as AES.
ChaCha is a component part of one of the SHA-3 finalists, namely JH. If JH is selected as the SHA3 candidate, this may (read may) entail something about the security of ChaCha. The HAIFA construction JH uses doesn't say much about proofs of security, unlike the sponge papers.
2012 is coming soon: The schedule says between March and June of this year SHA3 will be announced. Everything after that involves bureaucracy. Why switch to SHA256 and then to SHA3 when we won't be done before March anyway?
I'm very enthusiastic about one of the five SHA-3 finalists -- Keccak. I have been in contact with the Keccak team about some ideas and they responded readily. IMHO Keccak is more promising than Skein or ChaCha as a universal cryptoprimitive to make most symmetric algos obsolete.
Keccak is not only a hash with any possible output length but also a PBKDF, KDF, MAC, old-style HMAC, stream cipher, random-access stream cipher, strongly authenticated stream cipher, per-block or per-complete-message authenticated stream cipher and possibly many more, proved to be secure in the random oracle model and easy to use to make most protocols simple.
The Keccak team pointed me to a method for executing stream cipher encryption and authenticated encryption based on sponge.
The first presentation of the so-called duplexing mode, using a sponge for MACing and encryption, was at the SHA-3 conference in Santa Barbara in 2010. You can download the paper from here: http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SH... It was also recently presented at SAC2011; here you can have a look at the presentation: http://sac2011.ryerson.ca/SAC2011/BDPVA.pdf
If NIST makes Keccak a SHA-3 finalist then be prepared to integrate it as a good flexible choice. Not only as a hash but virtually as every symmetric algo. Unfortunately, most of the Keccak properties may be standardized very slowly.
And most of those non-hash properties seem non-conservative, experimental, innovative and ambitious, but amazingly promising and well designed, with respectable research work and the good reputation of the authors.
See www.keccak.noekeon.org for details.
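The duplexing mode the message above points to, as an added example that is not part of either message or of the Keccak team's code: a compact Keccak-f[1600], a duplex object with rate 1088 and pad10*1 on every call, and a simplified SpongeWrap-style authenticated stream cipher on top of it. The 64-byte block per call, the 16-byte tag and the use of a frame byte instead of the paper's single frame bit are constructed choices, and a key/nonce pair must never be reused; a fresh-state `duplexing(b'', 32)` is exactly Keccak-256 of the empty string, which serves as the known-answer check for the permutation.

```python
import hmac
ROT = [[0, 36, 3, 41, 18], [1, 44, 10, 45, 2], [62, 6, 43, 15, 61],
       [28, 55, 25, 21, 56], [27, 20, 39, 8, 14]]          # rho offsets, indexed [x][y]
RC, r = [], 1                                               # iota constants from the reference LFSR
for _ in range(24):
    c = 0
    for j in range(7):
        c ^= (r & 1) << ((1 << j) - 1)
        r = ((r << 1) ^ (0x71 if r & 0x80 else 0)) & 0xFF
    RC.append(c)
rol = lambda v, n: ((v << n) | (v >> (64 - n))) & (2 ** 64 - 1)

def keccak_f(s):  # Keccak-f[1600] on a 200-byte state; lane (x, y) is at index x + 5*y
    A = [int.from_bytes(s[8 * i:8 * i + 8], 'little') for i in range(25)]
    for rc in RC:
        C = [A[x] ^ A[x + 5] ^ A[x + 10] ^ A[x + 15] ^ A[x + 20] for x in range(5)]  # theta
        D = [C[(x - 1) % 5] ^ rol(C[(x + 1) % 5], 1) for x in range(5)]
        A, B = [A[i] ^ D[i % 5] for i in range(25)], [0] * 25
        for i in range(25):                                                           # rho + pi
            x, y = i % 5, i // 5
            B[y + 5 * ((2 * x + 3 * y) % 5)] = rol(A[i], ROT[x][y])
        A = [B[i] ^ (~B[(i + 1) % 5 + 5 * (i // 5)] & B[(i + 2) % 5 + 5 * (i // 5)]) for i in range(25)]  # chi
        A[0] ^= rc                                                                    # iota
    return bytearray(b''.join(a.to_bytes(8, 'little') for a in A))

class Duplex:  # duplex object: rate 1088 bits, capacity 512, pad10*1 applied on every call
    def __init__(self, rate=136):
        self.r, self.s = rate, bytearray(200)
    def duplexing(self, sigma, out_len):
        assert len(sigma) < self.r and out_len <= self.r
        block = bytearray(sigma) + b'\x01' + bytes(self.r - len(sigma) - 1)
        block[-1] |= 0x80
        self.s[:self.r] = bytes(a ^ b for a, b in zip(self.s, block))
        self.s = keccak_f(self.s)
        return bytes(self.s[:out_len])
BLK, TAG = 64, 16  # constructed choices: plaintext bytes per duplexing call (below the rate), tag length
def _wrap(key, nonce, data, decrypt):
    d = Duplex()
    z = d.duplexing(key + nonce + b'\x01', BLK)      # absorb key||nonce (frame byte 1), squeeze keystream
    blocks = [data[i:i + BLK] for i in range(0, len(data), BLK)] or [b'']
    out = []
    for i, blk in enumerate(blocks):
        out.append(bytes(a ^ b for a, b in zip(blk, z)))   # ciphertext when sealing, plaintext when opening
        plain, last = (out[-1] if decrypt else blk), i == len(blocks) - 1
        z = d.duplexing(plain + (b'\x00' if last else b'\x01'), TAG if last else BLK)
    return b''.join(out), z                           # the last squeezed output is the tag
seal = lambda key, nonce, plaintext: _wrap(key, nonce, plaintext, False)
def open_(key, nonce, ciphertext, tag):
    pt, t = _wrap(key, nonce, ciphertext, True)
    return pt if hmac.compare_digest(t, tag) else None   # constant-time tag check; None on forgery
```

Because the plaintext of each block is what gets absorbed, any modification of the ciphertext changes the recovered plaintext and therefore the state, so the final tag no longer matches.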