[tor-dev] Analysis of the Relative Severity of Tagging Attacks

unknown unknown at pgpru.com
Mon Mar 12 17:30:22 UTC 2012

On Mon, 12 Mar 2012 09:40:18 -0500
Watson Ladd <watsonbladd at gmail.com> wrote:

> On Mon, Mar 12, 2012 at 9:04 AM, Robert Ransom <rransom.8774 at gmail.com> wrote:
> > On 2012-03-12, Watson Ladd <watsonbladd at gmail.com> wrote:
> >> On Sun, Mar 11, 2012 at 10:45 PM, Robert Ransom <rransom.8774 at gmail.com>
> >> wrote:
> >
> >>> (The BEAR/LION key would likely be different for each cell that a
> >>> relay processes.)
> >> Different how: if we simply increment the key we still remain open to
> >> replay attacks.
> >
> > The paper proves that BEAR and LION are 'secure' if the two (three?)
> > parts of the key are 'independent'.  Choosing the subkeys
> > independently is too expensive for Tor, but the standard way to
> > generate 'indistinguishable-from-independent' secrets is to feed your
> > key to a stream cipher (also known as a 'keystream generator').

The most adequate solution is described in:

"Duplexing the sponge: single-pass authenticated encryption and other applications"
Guido Bertoni, Joan Daemen, Michaël Peeters, and Gilles Van Assche

This is the SHA-3 workshop finalist Keccak, a universal cryptoprimitive (not only a hash),
in a special duplexing mode: stream encryption and authentication in one pass.

I hope NIST and the crypto community choose it as a new standard.
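As an added illustration (not code from this post, from the Keccak team, or from Tor), a toy duplex-mode authenticated stream cipher in Python: keystream is squeezed from the rate part, each block is absorbed back in, and the tag is squeezed at the end, all in a single pass. The permutation is a constructed ARX placeholder standing in for Keccak-f, and the 16-byte key/nonce sizes and frame bytes are assumptions chosen for the example.

```python
import hmac
import struct

RATE, STATE, TAG = 16, 32, 16   # rate r, total state r+c, tag length (bytes)
BLOCK = RATE - 1                 # data per duplex call; last rate byte carries the frame byte

def _permute(state: bytes) -> bytes:
    """Constructed 256-bit ARX toy permutation: a stand-in for Keccak-f, not secure."""
    w = list(struct.unpack("<8I", state))
    for rnd in range(8):
        for i in range(8):
            j = (i + 1) % 8
            w[i] = (w[i] + w[j] + rnd * 0x9E3779B9) & 0xFFFFFFFF
            w[j] ^= ((w[i] << 13) | (w[i] >> 19)) & 0xFFFFFFFF
    return struct.pack("<8I", *w)

def _duplex(state: bytes, block: bytes, frame: int) -> bytes:
    """One duplexing call: XOR block||frame||0* into the rate part, then permute."""
    padded = block + bytes([frame]) + bytes(RATE - len(block) - 1)
    rate = bytes(s ^ p for s, p in zip(state[:RATE], padded))
    return _permute(rate + state[RATE:])

def _init(key: bytes, nonce: bytes) -> bytes:
    """Absorb key and nonce (16 bytes each, assumed sizes) into the all-zero state."""
    if len(key) != 16 or len(nonce) != 16:
        raise ValueError("key and nonce must be 16 bytes")
    state, data = bytes(STATE), key + nonce
    for i in range(0, len(data), BLOCK):
        state = _duplex(state, data[i:i + BLOCK], 0x00)   # frame 0x00 = key/nonce
    return state

def encrypt(key: bytes, nonce: bytes, plaintext: bytes):
    """Single pass: squeeze keystream, XOR, absorb the plaintext block, repeat; then tag."""
    state, out = _init(key, nonce), bytearray()
    for i in range(0, len(plaintext), BLOCK):
        p = plaintext[i:i + BLOCK]
        out += bytes(a ^ b for a, b in zip(p, state))    # keystream = leading rate bytes
        state = _duplex(state, p, 0x01)                  # frame 0x01 = message body
    return bytes(out), _duplex(state, b"", 0x02)[:TAG]   # frame 0x02 = finalisation

def decrypt(key: bytes, nonce: bytes, ciphertext: bytes, tag: bytes):
    """Mirror of encrypt; returns None (no plaintext released) if the tag does not verify."""
    state, out = _init(key, nonce), bytearray()
    for i in range(0, len(ciphertext), BLOCK):
        p = bytes(a ^ b for a, b in zip(ciphertext[i:i + BLOCK], state))
        out += p
        state = _duplex(state, p, 0x01)
    expected = _duplex(state, b"", 0x02)[:TAG]
    return bytes(out) if hmac.compare_digest(expected, tag) else None
```

Because every block is absorbed into the state before the next keystream is squeezed, any modification to the ciphertext changes the final tag, which is what lets the construction authenticate and encrypt in one pass.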
