> On 19-Oct-18 8:19 PM, Paul Crowley wrote: >> I would prefer not to wait. Unlike a new primitive whose strength can >> only be known through attempts at cryptanalysis, Adiantum is a >> construction based on >> well-understood and trusted primitives; it is secure if the proof >> accompanying it is correct. Given that (outside competitions or >> standardization efforts) no-one ever issues public statements that >> they think algorithms or proofs are good, what I'm expecting from >> academia is silence :) The most we could hope for would be getting the >> paper accepted at a conference, and we're pursuing that but there's a >> good chance that won't happen simply because it's not very novel. It >> basically takes existing ideas and applies them using a stream cipher >> instead of a block cipher, and a faster hashing mode; it's also a >> small update from HPolyC. I've had some private feedback that the >> proof seems correct, and that's all I'm expecting to get. > I tend to agree with Paul on this point. This is a place where academia needs to improve. An attempt to do so is the Real World Crypto conference (RWC; https://rwc.iacr.org/2019/), but the deadline for submissions was October 1st. For HpolyC I asked a few people to take a look at the construction and the consensus was that it seems secure but that the proof style makes it hard to verify. I haven't had the time yet to read the Adiantum paper (and I'm not a provable security person anyway) but I suppose Paul took the comments he received on this into account and that's the best we can hope for. Academia simply moves in a different pace and has different incentives. Tomer
Attachment:
signature.asc
Description: OpenPGP digital signature