Hi,
Thanks NIST for an excellent workshop! Some reflections:
- I think Paul Crowley's suggestion that NIST should specify TurboSHAKE, Rijndael with 256 bit blocks, and one of the double-deckers is a very good starting point for a discussion. NIST is right now asking for comments on the SHA-3 specifications, I will myself make an official comment that NIST should add TurboSHAKE. I think NIST adding TurboSHAKE is quite uncontroversial.
- While adding Rijndael with 256 bit blocks is likely not controversial, adding Simpira is likely quite controversial. I had never heard of Simpira before the workshop, and it was not presented during the workshop. Maybe NIST could arrange a presentation of Simpira, or point to a recording of a presentation? Is Simpira with 256 bit blocks faster than Rijndael with 256 bit blocks on modern x86 processors? How do the security properties compare?
- I have not looked into HCTR2 and the double-deckers, but the fact that the author of Adiantum and HCTR2 suggests standardization of a competing suggestion indicates that the double-deckers are very good.
Cheers,
John
- I have not looked into HCTR2 and the double-deckers, but the fact that the author of Adiantum and HCTR2 suggests standardization of a competing suggestion indicates that the double-deckers are very good.
--
To unsubscribe from this group, send email to ciphermodes-fo...@list.nist.gov
View this message at https://list.nist.gov/ciphermodes-forum
---
To unsubscribe from this group and stop receiving emails from it, send an email to ciphermodes-fo...@list.nist.gov.