The cr.yp.to microblog: 2013.01.27 20:31:41

2013.01.27 20:31:41 (295615076885479424) from Daniel J. Bernstein, replying to "Halvar Flake (@halvarflake)" (295613436828741632):

@halvarflake The ORX degree will more than double with each round. It's nothing at all like Shamir's ludicrously shallow strawman circuit.

Context

2013.01.27 19:22:20 (295597626848595968) from Daniel J. Bernstein:

Would hardware designers prefer ORX ciphers to ARX ciphers? Can't use a Skein-type mix but can imitate Salsa20, composing a^=((b|c)<<<r).

2013.01.27 19:54:49 (295605798510403584) from "Halvar Flake (@halvarflake)":

@hashbreaker Isn't diffusion via carry an important property of ARX? Won't ORX create problems there?

2013.01.27 20:11:03 (295609910803181570) from Daniel J. Bernstein, replying to "Halvar Flake (@halvarflake)" (295605798510403584):

@halvarflake Diffusion is a little slower, certainly, but a few extra rounds should easily compensate for this.

2013.01.27 20:25:10 (295613436828741632) from "Halvar Flake (@halvarflake)":

@hashbreaker Ok ... makes me feel queasy, though, because one can quickly approach the example construct from the cube-attack paper.