by tptacek
5002 days ago
Regarding the bits exposed to inputs in Keccak, I read the claim in the same manner as the claim that CTR is more side-channel resistant because attacker ciphertext bits never hit the AES core; here further margin is given by the additional capacity bits. That's my attempt at exposition from the Sponge paper. You would know far better than I would, though; I'm a tester, not a cryptographer. Regarding length extension, strong disagree; we see the SHA functions routinely abused this way.