Re: [Cryptography] Evaluating draft-agl-tls-chacha20poly1305
2013/9/11 William Allen Simpson william.allen.simp...@gmail.com It bugs me that so many of the input words are mostly zero. Using the TLS Sequence Number for the nonce is certainly going to be mostly zero bits. And the block counter is almost all zero bits, as you note, (In the case of the TLS, limits on the plaintext size mean that the first counter word will never overflow in practice.) [...] In my PPP ChaCha variant of this that I started several months ago, the nonce input words were replaced with my usual CBCS formulation. That is, invert the lower 32-bits of the sequence number, xor with the upper 32-bits, add (mod 2**64) both with a 64-bit secret IV, count the bits, and variably rotate. [...] Chacha20 being a stream cipher, the only requirement we have on the ICV is that it doesn't repeat isn't ? This means that if there's a problem with setting 'mostly zeroed out' ICV for Chacha20 we shouldn't use it at all period. As far as your proposition is concerned, the performance penalty seems to largely depend on the target platform. Wouldn't using the same set of operations as Chacha prevent an unexpected performance drop in case of lots of short messages ? Cheers ___ The cryptography mailing list cryptography@metzdowd.com http://www.metzdowd.com/mailman/listinfo/cryptography
Re: [Cryptography] Good private email
This is everything *but* PRISM-proof : it doesn t solve the metadata issue and your directory server containing public keys could very well be forced by a law enforcement agency ( in the best case scenario because it could also be the mafia) to answer the fbi/mafia public key on any request made to it. On Monday, August 26, 2013, Richard Salz wrote: I don't think you need all that much to get good secure private email. You need a client that can make PEM pretty seamless; reduce it to a button that says encrypt when possible. You need the client to be able to generate a keypair, upload the public half, and pull down (seamlessly) recipient public keys. You need a server to store and return those keys. You need an installed base to kickstart the network effect. Who has that? Apple certainly; Microsoft could; Google perhaps (although not reading email is against their business model). Maybe even the FB API. It's not perfect -- seems to me the biggest weakness is (a) the client could double-encrypt for TLA's to read, or (b) it could give you the wrong key so your mail only goes to the bad guy -- but it's a hell of a lot better than we have now and I'd say it's more than good enough. Thoughts? ___ The cryptography mailing list cryptography@metzdowd.com javascript:; http://www.metzdowd.com/mailman/listinfo/cryptography -- Alexandre Anzala-Yamajako ___ The cryptography mailing list cryptography@metzdowd.com http://www.metzdowd.com/mailman/listinfo/cryptography