On Mon, Jun 20, 2011 at 01:12:19AM +0300, Sampo Syreeni wrote:
> I mean, wouldn't it be easier to just implement it better, and/or to
> add to the certification requirements?

If you know of a way to implement AES in a way that is not vulnerable to cache-based timing attacks in standard C in a way that is remotely efficient (e.g. at least 10% the speed of the usual table technique), please post a reference; I'd be interested.

> Often you'd be using the same key

That certainly doesn't seem like a particularly good idea...

> or the same source data for the key derivation function, all over
> your cascade, which could jeopardize even the strongest one in the
> chain if the last one leaked.

Wouldn't that be the case only if your KDF was weak?

> the last, if you don't know enough to just pick the strongest cipher and
> be done with it without compounding?

In this case, the assumption is that XSalsa20 is stronger than AES. AES is just the window dressing for those who insist that it be used (e.g. NIST and co).

-Jack

_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography
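The cache-timing problem Jack raises comes from the table lookups in a T-table AES: the memory address read depends on a secret byte, so which cache lines are touched leaks that byte. The standard-C workaround is to make every lookup touch the whole table and select the wanted entry with arithmetic masks, so the access pattern is independent of the secret. The following is an added example written for this thread, not code from the list or from any AES library; it builds the AES S-box from its definition (GF(2^8) inverse plus the affine map), then shows the leaky direct-index lookup beside a constant-time full-scan lookup and a SubBytes step built on it. The function names are my own.

```c
#include <stdint.h>
#include <stdio.h>

/* Rotate an 8-bit value left by s bits (s in 1..7). */
#define ROTL8(x, s) ((uint8_t)(((x) << (s)) | ((x) >> (8 - (s)))))

static uint8_t sbox[256];
static int sbox_ready = 0;

/* Build the AES forward S-box once. Nothing here depends on a secret,
   so the data-dependent branches in this set-up routine are harmless. */
static void ensure_sbox(void)
{
    if (sbox_ready) return;
    uint8_t p = 1, q = 1;
    /* invariant: p * q == 1 in GF(2^8); p walks every non-zero element */
    do {
        /* p = p * 3 */
        p = (uint8_t)(p ^ (p << 1) ^ ((p & 0x80) ? 0x1B : 0));
        /* q = q / 3 (multiplication by the inverse of 3, 0xf6) */
        q = (uint8_t)(q ^ (q << 1));
        q = (uint8_t)(q ^ (q << 2));
        q = (uint8_t)(q ^ (q << 4));
        q = (uint8_t)(q ^ ((q & 0x80) ? 0x09 : 0));
        /* affine transformation of the inverse, then the 0x63 constant */
        uint8_t aff = (uint8_t)(q ^ ROTL8(q, 1) ^ ROTL8(q, 2) ^ ROTL8(q, 3) ^ ROTL8(q, 4));
        sbox[p] = (uint8_t)(aff ^ 0x63);
    } while (p != 1);
    sbox[0] = 0x63;   /* 0 has no inverse; defined separately */
    sbox_ready = 1;
}

/* The usual table lookup: the address read is sbox + x, so the cache
   line brought in (and therefore the timing) depends on the secret x. */
uint8_t sbox_lookup_leaky(uint8_t x)
{
    ensure_sbox();
    return sbox[x];
}

/* Constant-time lookup: read all 256 entries in a fixed order and keep
   the one whose index equals x using an all-ones/all-zeros mask. No
   branch and no address depends on x. */
uint8_t sbox_lookup_ct(uint8_t x)
{
    ensure_sbox();
    uint8_t result = 0;
    for (unsigned i = 0; i < 256; i++) {
        uint8_t diff = (uint8_t)(i ^ x);
        /* mask = 0xFF when diff == 0, else 0x00 (unsigned wrap, then shift) */
        uint8_t mask = (uint8_t)(((uint32_t)diff - 1u) >> 8);
        result |= (uint8_t)(sbox[i] & mask);
    }
    return result;
}

/* AES SubBytes over a 16-byte state with the constant-time lookup. */
void sub_bytes_ct(uint8_t state[16])
{
    for (int i = 0; i < 16; i++)
        state[i] = sbox_lookup_ct(state[i]);
}

/* Self-check: 1 if the constant-time lookup agrees with the table for
   every possible input byte, else 0. */
int ct_lookup_matches_table(void)
{
    for (unsigned i = 0; i < 256; i++)
        if (sbox_lookup_ct((uint8_t)i) != sbox_lookup_leaky((uint8_t)i))
            return 0;
    return 1;
}

int main(void)
{
    /* constructed sample state: the bytes 0x00..0x0f */
    uint8_t state[16];
    for (int i = 0; i < 16; i++) state[i] = (uint8_t)i;
    sub_bytes_ct(state);
    printf("SubBytes(00..0f):");
    for (int i = 0; i < 16; i++) printf(" %02x", state[i]);
    printf("\nct lookup matches table for all inputs: %d\n", ct_lookup_matches_table());
    return 0;
}
```

The cost is exactly the point of Jack's "remotely efficient" qualifier: each byte now costs 256 memory reads plus masking instead of one load, and a full T-table AES round does the equivalent of sixteen such lookups per table, so this approach is far slower than the table technique. It also relies on the compiler not turning the masked loop back into a branch or a single indexed load; the object code should be checked after optimisation. The other standard-C route to a constant access pattern is a bitsliced implementation, which computes the S-box as boolean circuits over several blocks at once, and outside standard C the usual answer is a hardware AES instruction set.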
