On Mon, 12 Mar 2012 09:40:18 -0500 Watson Ladd <watsonbladd@gmail.com> wrote:

> On Mon, Mar 12, 2012 at 9:04 AM, Robert Ransom <rransom.8774@gmail.com> wrote:
>
>> On 2012-03-12, Watson Ladd <watsonbladd@gmail.com> wrote:
>>
>>> On Sun, Mar 11, 2012 at 10:45 PM, Robert Ransom <rransom.8774@gmail.com> wrote:
>>>
>>>> (The BEAR/LION key would likely be different for each cell that a relay processes.)
>>>
>>> Different how: if we simply increment the key we still remain open to replay attacks.
>>
>> The paper proves that BEAR and LION are 'secure' if the two (three?) parts of the key are 'independent'. Choosing the subkeys independently is too expensive for Tor, but the standard way to generate 'indistinguishable-from-independent' secrets is to feed your key to a stream cipher (also known as a 'keystream generator').
The most adequate solution is described in:
"Duplexing the sponge: single-pass authenticated encryption and other applications" Guido Bertoni, Joan Daemen, Michaël Peeters, and Gilles Van Assche
http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/Aug2010/documents/papers/DA...
This is the SHA-3 finalist Keccak, a universal cryptographic primitive (not only a hash), in a special duplexing mode: stream encryption and authentication in one pass.
I hope NIST and the crypto community choose it as the new standard.
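As an added illustration of the subkey point raised earlier in the thread (per-cell BEAR subkeys derived from one master key through a keystream generator), here is a small BEAR implementation that is not from any of the posters or from Tor. It assumes HMAC-SHA256 as BEAR's keyed hash, SHAKE256 as the keystream generator (a plain sponge, not the duplex mode cited above), a 32-byte left half, and a constructed master key and cell counter.

```python
import hashlib
import hmac

# BEAR (Anderson & Biham) over a cell split into a short left half L and a
# long right half R, with two keyed-hash subkeys K1, K2:
#   L1 = L xor H(K1, R);  R1 = R xor S(L1);  L2 = L1 xor H(K2, R1)
# H is HMAC-SHA256 and S is SHAKE256 used as a keystream generator.
LEFT_LEN = 32  # bytes; matches the HMAC-SHA256 output length


def keystream(seed: bytes, length: int) -> bytes:
    """Keystream generator: SHAKE256 squeezed to `length` bytes."""
    return hashlib.shake_256(seed).digest(length)


def subkeys(master_key: bytes, cell_index: int):
    """Derive (K1, K2) for one cell from the master key and the cell counter.

    Feeding the key plus counter to the keystream generator gives subkeys that
    are indistinguishable from independent ones, and a fresh pair per cell,
    so an identical cell encrypts differently at each position."""
    seed = master_key + cell_index.to_bytes(8, "big")
    ks = keystream(seed, 2 * LEFT_LEN)
    return ks[:LEFT_LEN], ks[LEFT_LEN:]


def _h(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def bear_encrypt(master_key: bytes, cell_index: int, cell: bytes) -> bytes:
    """Encrypt one cell (longer than LEFT_LEN bytes) as a single wide block."""
    k1, k2 = subkeys(master_key, cell_index)
    left, right = cell[:LEFT_LEN], cell[LEFT_LEN:]
    left = _xor(left, _h(k1, right))                  # L1 = L xor H(K1, R)
    right = _xor(right, keystream(left, len(right)))  # R1 = R xor S(L1)
    left = _xor(left, _h(k2, right))                  # L2 = L1 xor H(K2, R1)
    return left + right


def bear_decrypt(master_key: bytes, cell_index: int, cell: bytes) -> bytes:
    """Inverse of bear_encrypt: undo the three steps in reverse order."""
    k1, k2 = subkeys(master_key, cell_index)
    left, right = cell[:LEFT_LEN], cell[LEFT_LEN:]
    left = _xor(left, _h(k2, right))
    right = _xor(right, keystream(left, len(right)))
    left = _xor(left, _h(k1, right))
    return left + right
```

Because every bit of the output depends on every bit of the input, a replayed or modified cell decrypts to garbage rather than to a shifted copy of the plaintext; this is the all-or-nothing property the thread is after, not authentication, which the duplex construction adds separately.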