2013.01.28 00:01:37 (295667908401577984) from Daniel J. Bernstein, replying to "Halvar Flake (@halvarflake)" (295636268174430208):
@halvarflake Sure. Figuring out the right number of rounds requires a much closer look. But the overall ORX structure should be fine.
2013.01.27 20:11:03 (295609910803181570) from Daniel J. Bernstein, replying to "Halvar Flake (@halvarflake)" (295605798510403584):
@halvarflake Diffusion is a little slower, certainly, but a few extra rounds should easily compensate for this.
2013.01.27 20:25:10 (295613436828741632) from "Halvar Flake (@halvarflake)":
@hashbreaker Ok ... makes me feel queasy, though, because one can quickly approach the example construct from the cube-attack paper.
2013.01.27 20:31:41 (295615076885479424) from Daniel J. Bernstein, replying to "Halvar Flake (@halvarflake)" (295613436828741632):
@halvarflake The ORX degree will more than double with each round. It's nothing at all like Shamir's ludicrously shallow strawman circuit.
2013.01.27 21:55:53 (295636268174430208) from "Halvar Flake (@halvarflake)":
@hashbreaker Ok, sorry for comparing :-) - just wanted to say 'watch degrees & diffusion when removing the add' :-P