Closed david415 closed 7 years ago
The paper is somewhat flawed.
The core of their premise appears to hinge upon the assumption that people implementing Sphinx (and the original paper) suggest using Anderson/Biham's experimental setup from the original BEAR/LION paper, which is flat out wrong. They also seem to have missed the point of the BEAR/LION paper, in that BEAR/LION/LIONESS are generic constructs, and the experimental setup in the 90s with SHA-1/SEAL was part of an experimental performance evaluation setup.
Other notes:
1023
/1023 - alpha
respectively).E()
was fixed. (http://web.cs.ucdavis.edu/~rogaway/aez/bug.pdf)

The one useful thing they're doing is "Have the per hop mac that authenticates the header, also cover the payload". But at that point, I question the need for a fragile/wide-block construct for payload encryption in general.
http://www.cs.ru.nl/~bmennink/pubs/16cans.pdf