[tor-dev] Draft sketch document with ideas for future crypto ops

unknown unknown at pgpru.com
Wed Nov 2 17:46:38 UTC 2011


On Mon, 31 Oct 2011 23:59:55 -0500
Watson Ladd <watsonbladd at gmail.com> wrote:

> What about this for modification resistance?
> We keep a count of all cells passing and use AES in CTR mode with a 2 part
> counter: the first part the cell counter, the second one a block counter.
> Then to authenticate the cell we can use a 16 byte tag and a Wegman-Carter
> MAC. This gives a total overhead of 48 bytes for a three-hop link, which is
> half the cited one, and which is provably as secure as AES.
> 
> ChaCha is a component part of one of the SHA-3 finalists, namely JH. If JH
> is selected as the SHA3 candidate, this may (read may) entail something
> about the security of ChaCha. The HAIFA construction JH uses doesn't say
> much about proofs of security, unlike the sponge papers.
> 
>
> 2012 is coming soon: The schedule says between March and June of this year
> SHA3 will be announced. Everything after that involves bureaucracy. Why
> switch to SHA256 and then to SHA3 when we won't be done before March anyway?

I'm very enthusiastic about one of the five SHA-3 finalists -- Keccak.
I contacted the Keccak team about some ideas and they responded readily.
IMHO Keccak is more promising than Skein or ChaCha as a universal cryptographic primitive that could make
most symmetric algorithms obsolete.

Keccak is not only a hash with arbitrary output length but also a PBKDF, KDF, MAC, old-style HMAC,
stream cipher, random-access stream cipher, strongly authenticated stream cipher,
per-block or per-complete-message authenticated stream cipher, and possibly many more,
proven secure in the random oracle model and easy to use to make most protocols
simple.

The Keccak team pointed me to a method for doing stream cipher encryption and
authenticated encryption based on a sponge.

The first presentation of the so-called duplexing mode, using a sponge
for MACing and encryption, was at the SHA-3 conference in Santa Barbara
in 2010.
You can download the paper from here:
http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/SHA3_Aug2010_Papers.zip
It was also presented recently at SAC2011; you can have a look at the
presentation here: http://sac2011.ryerson.ca/SAC2011/BDPVA.pdf

If NIST makes Keccak a SHA-3 finalist, then be prepared to integrate it as a good, flexible choice:
not only as a hash but virtually as every symmetric algorithm.
Unfortunately, most of the Keccak properties may be standardized only slowly.

And most of those non-hash properties seem non-conservative, experimental, innovative and ambitious, but
amazingly promising and well designed, backed by respectable research work
and the good reputations of the authors.

See www.keccak.noekeon.org for details.

