
On Mon, 12 Mar 2012 09:40:18 -0500 Watson Ladd <watsonbladd@gmail.com> wrote:
> On Mon, Mar 12, 2012 at 9:04 AM, Robert Ransom <rransom.8774@gmail.com> wrote:
> > On 2012-03-12, Watson Ladd <watsonbladd@gmail.com> wrote:
> > > On Sun, Mar 11, 2012 at 10:45 PM, Robert Ransom <rransom.8774@gmail.com> wrote:
> > > > (The BEAR/LION key would likely be different for each cell that a relay processes.)
> > > Different how: if we simply increment the key we still remain open to replay attacks.
> > The paper proves that BEAR and LION are 'secure' if the two (three?) parts of the key are 'independent'. Choosing the subkeys independently is too expensive for Tor, but the standard way to generate 'indistinguishable-from-independent' secrets is to feed your key to a stream cipher (also known as a 'keystream generator').
The most adequate solution is described in: "Duplexing the sponge: single-pass authenticated encryption and other applications", Guido Bertoni, Joan Daemen, Michaël Peeters, and Gilles Van Assche, http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/DA... This is Keccak, a SHA-3 workshop finalist and a universal cryptoprimitive (not only a hash), in a special duplexing mode: stream encryption and authentication in one pass. I hope NIST and the crypto community choose it as the new standard.
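An added illustration of the subkey-derivation idea in the quoted reply (master key plus per-cell counter fed to a keystream generator so the LION subkeys look independent), not code from this thread or from Tor: the LION construction from Anderson and Biham's paper with SHAKE256 (a Keccak sponge) as the stream cipher S and SHA-256 as the hash H. The 32-byte key width, the 509-byte cell, the 8-byte counter and the "subkeys:" domain-separation prefix are assumptions made for the demo.

```python
import hashlib

K = 32  # bytes: left-half width, hash output length, and size of each subkey


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def keystream(seed, n):
    # SHAKE256 as the stream cipher / keystream generator S: n bytes from seed
    return hashlib.shake_256(seed).digest(n)


def h(data):
    # unkeyed hash H of the right half, K bytes wide
    return hashlib.sha256(data).digest()


def cell_subkeys(master_key, cell_index):
    # Feed (master key, cell counter) to the keystream generator and cut the
    # output into the two LION subkeys. Distinct counters give unrelated-looking
    # subkeys, which plain key incrementing does not.
    seed = b"subkeys:" + master_key + cell_index.to_bytes(8, "big")
    ks = keystream(seed, 2 * K)
    return ks[:K], ks[K:]


def lion_encrypt(k1, k2, block):
    if len(block) <= K:
        raise ValueError("LION block must be longer than K bytes")
    l, r = block[:K], block[K:]
    r = xor(r, keystream(xor(l, k1), len(r)))  # R ^= S(L ^ K1)
    l = xor(l, h(r))                           # L ^= H(R)
    r = xor(r, keystream(xor(l, k2), len(r)))  # R ^= S(L ^ K2)
    return l + r


def lion_decrypt(k1, k2, block):
    # Same three steps applied in reverse order
    l, r = block[:K], block[K:]
    r = xor(r, keystream(xor(l, k2), len(r)))
    l = xor(l, h(r))
    r = xor(r, keystream(xor(l, k1), len(r)))
    return l + r


def encrypt_cell(master_key, cell_index, cell):
    k1, k2 = cell_subkeys(master_key, cell_index)
    return lion_encrypt(k1, k2, cell)


def decrypt_cell(master_key, cell_index, cell):
    k1, k2 = cell_subkeys(master_key, cell_index)
    return lion_decrypt(k1, k2, cell)
```

Because each cell index yields fresh subkeys, a cell encrypted under index 0 does not decrypt correctly under index 1, which is the per-cell keying the quoted message is after.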