On 10/9/12, Nick Mathewson wrote:
> On Tue, Oct 9, 2012 at 12:31 PM, Robert Ransom wrote:
> [...]
>>> AES-CTR + HMAC-SHA512/256.
>>>
>>> AES-CTR + Poly1305. Poly1305 requires nonces, but we can use a
>>> counter for those.
>>
>> Poly1305AES requires nonces. Poly1305 itself requires
>>
On Tue, Oct 9, 2012 at 12:31 PM, Robert Ransom wrote:
[...]
>> AES-CTR + HMAC-SHA512/256.
>>
>> AES-CTR + Poly1305. Poly1305 requires nonces, but we can use a
>> counter for those.
>
> Poly1305AES requires nonces. Poly1305 itself requires
> (computationally-indistinguishable-from-) indepe
On 10/9/12, Robert Ransom wrote:
> On 10/8/12, Nick Mathewson wrote:
>> The second category (frob, encrypt, frob) is pretty elegant IMO. The
>> best-explained of these I've seen so far are in a
>> paper by Palash Sarkar [Efficient-Tweakable], though the earlier TET
>> construction [TET] might al
On 10/8/12, Nick Mathewson wrote:
> I should share with the list an update of where I am with a design for
> an improved relay crypto protocol. For background and motivation,
> please see the last thread on the topic [Prop202].
>
> There are three main questions remaining for me in choosing among