On Tue, 9 Oct 2012 00:28:38 -0400 Nick Mathewson <nickm@torproject.org> wrote:

So to be concrete, let me suggest a few modes of operation. I believe I'm competent to implement these:

I think (IMHO) Keccak makes many (most?) symmetric encryption modes obsolete in the near future. Now Keccak-Hash is SHA-3 winner. It is not only a hash. Keccak is universal and can be used to authenticated stream encryption with one pass with input any amount of pads and output any amount of additional MACs from one-pass operation (so called duplexing mode). http://sponge.noekeon.org/SpongeDuplex.pdf "Duplexing the sponge: single-pass authenticated encryption and other applications" Guido Bertoni, Joan Daemen, MichaC+l Peeters, and Gilles Van Assche. In this year Keccak will recieve only a hash status officialy. Later we can see many other modes of using Keccak as universal RO-indistinguishable PRF with good security proofs and tons of analysis published already. Some parts of protocols can be done more simply with Keccak: new padding modes for RSA instead of OAEP is one example. Cite: " In a sponge function, the input is like a white page: It does not impose any specio,
c structure to it. Additional optional inputs (e.g., key, nonce, personalization data) can be appended or prepended to the input message according to a well-deo,
ned convention, possibly under the hood of diversio,
cation as proposed in [6, Section b Domain separationb]. K supports all the possible applications of sponge functions and duplex objects described in [6, Chapters b Sponge applicationsb and b Duplex applicationsb]. These include hash function, randomized hash function, hash function instance dio,erentiation, slow one-way function, parallel and tree hashing, mask generating function, key derivation function, deterministic random bit generator, reseedable pseudo random bit sequence generator, message authentication code (MAC) function, stream cipher, random-access stream cipher and authenticated encryption. " http://keccak.noekeon.org/Keccak-submission-3.pdf "The Keccak SHA-3 submission" Guido Bertoni, Joan Daemen, Michael Peeters, Gilles Van Asshe Keccak is hardware fast and can be realased in GPU at first. "Keccak Tree hashing on GPU, using Nvidia Cuda API" https://sites.google.com/site/keccaktreegpu/ If NIST adopt many uses Keccak as standards then the most of cryptoinfrastructure migrate to it. Keccak in the future is more then AES today and makes many uses of AES (and any other blockciphers) unnecessary (excluding PRP-modes for disk encryption, but PRF-PRP transformation modes is potentially possible too). _______________________________________________ tor-dev mailing list tor-dev@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev ----- End forwarded message ----- -- Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org ______________________________________________________________ ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE