Dear Ciphermode enthusiasts,
While sitting down and writing out an HBSH-based proposal (similar to
Adiantum,
https://iacr.org/cryptodb/data/paper.php?pubkey=29245), I
realized that there's a problem with using previous NIST primitives to
build a stream cipher with an extended nonce: the blocks are just not
that big, and we only permute them.
First, there is the PRP to PRF step. Using only counter mode we have a
quadratic loss in the number of blocks, as a PRF would collide
eventually, while the counter never does until it wraps. Secondly, with
128 bits there isn't a lot of room for a block counter and a nonce to
fit in: you end up with a loss in length as inputs start to get
repeated if they live in the same space, versus different. Making an
XChaCha-like construction to extend the nonce space runs into the key
agility issue, and I don't think the clever structure of XChaCha
really works out for AES. If we had an XChaCha20 analogue, life would be
a lot easier when making stream ciphers.
That said, we do have sponges in SHA3, but that's going to take a
rather different approach to construction. Or I could do some actual
work with OCB3-like constructions for the encryption stage. However, a
bigger-block hash function for use in a stream cipher would make the
analysis easier, and the downsides of big blocks vanish when
streaming.
Sincerely,
Watson Ladd
--
Astra mortemque praestare gradatim
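The two losses described above (the PRP-to-PRF "quadratic loss" in counter mode and the nonce/counter packing limit of a 128-bit block) can be made concrete with a small simulation. This is an added example, not code from the post or from any NIST or Adiantum material; the 16-bit toy block width, the function names and the 96-bit nonce split are assumptions chosen for illustration.

```python
import math
import secrets

# Assumption: a 16-bit toy block stands in for a 128-bit AES block, so that
# birthday-bound collisions show up in a simulation that runs in milliseconds.
TOY_BITS = 16


def random_permutation(n_bits: int) -> list[int]:
    """Ideal PRP on n-bit blocks: a uniformly random permutation (Fisher-Yates)."""
    table = list(range(1 << n_bits))
    for i in range(len(table) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        table[i], table[j] = table[j], table[i]
    return table


def repeated_blocks(keystream: list[int]) -> int:
    """Number of keystream blocks that repeat an earlier block."""
    return len(keystream) - len(set(keystream))


def prp_ctr_collisions(n_bits: int, q: int) -> int:
    """Counter mode over a PRP: distinct counters give distinct outputs, so 0 until wrap."""
    perm = random_permutation(n_bits)
    return repeated_blocks([perm[ctr] for ctr in range(q)])


def prf_ctr_collisions(n_bits: int, q: int) -> int:
    """Counter mode over an ideal PRF: outputs collide around q ~ 2^(n/2)."""
    return repeated_blocks([secrets.randbits(n_bits) for _ in range(q)])


def prp_prf_switch_bound(n_bits: int, q: int) -> float:
    """PRP/PRF switching lemma: distinguishing advantage <= q(q-1)/2^(n+1)."""
    return q * (q - 1) / 2 ** (n_bits + 1)


def blocks_for_advantage(n_bits: int, advantage: float) -> int:
    """Approximate block budget before the switching bound reaches `advantage`."""
    return int(math.sqrt(advantage * 2 ** (n_bits + 1)))


def nonce_counter_budget(block_bits: int, nonce_bits: int) -> tuple[int, int]:
    """Nonce and counter sharing one block: (max nonces, max blocks per nonce)."""
    return 1 << nonce_bits, 1 << (block_bits - nonce_bits)
```

With 4000 toy blocks the PRP keystream never repeats while the PRF keystream repeats dozens of times; at 128 bits the same bound limits a single key to well under 2^64 blocks, and a 96-bit nonce leaves only 2^32 blocks (64 GiB) per nonce.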