> On 23 Dec 2015, at 03:59, Nick Mathewson wrote:
>
> On Mon, Nov 30, 2015 at 2:12 AM, Tim Wilson-Brown - teor
> wrote:
>> Hi Nick,
>>
>> The AEZ paper says:
>>
>> "We impose a limit that AEZ be used for at most 2^48 bytes of data (about
>> 280 TB); by that time, the user should rekey. This u
Hi Nick,
The AEZ paper says:
"We impose a limit that AEZ be used for at most 2^48 bytes of data (about 280
TB); by that time, the user should rekey. This usage limit stems from the
existence of birthday attacks on AEZ, as well as the use of AES4 to create a
universal hash function."
http://we
On Sun, Nov 29, 2015 at 7:06 PM, Tim Wilson-Brown - teor
wrote:
> On 30 Nov 2015, at 09:13, Nick Mathewson wrote:
> ...
> 2.2. New relay cell payload
> ...
> When encrypting a cell for a hop that was created using one of these
> circuits, clients and relays encrypt them using the AEZ algorithm
> with the following parameters:
>
> Let Chain denote
[This is an improvement over my last draft in this area; it makes
concrete proposals about forward secrecy and chaining, and tries to
start getting performance numbers for some platforms. I still need to
compute plausible performance numbers on non-aesni platforms, but I
might not get to that immed