[Cryptography] Gates are cheap. Should cipher design change?

dj at deadhat.com dj at deadhat.com
Wed Mar 30 13:12:58 EDT 2016


> On 30/03/2016 00:09 am, Jon Callas wrote:
>> You might be thinking of The Hasty Pudding Cipher by Rich Schroeppel
>> which is in my opinion the most brilliant of the AES submissions. My
>> comment at the time was that it didn't meet any of the requirements NIST
>> had, but it met requirements they should have had. It's also the first
>> cipher that had what we now call "tweaks."
>
> Curious - what requirements should NIST have had?

Bigger or arbitrary block sizes.
Fine-grained parallel scalability.
Intrinsic side-channel resistance.

To be fair those were not such hot topics at the time. But that's in part
because HW implementers didn't have much of a voice in the process.

Similarly for SHA3, the data for HW properties seemed to come from studies
on FPGAs that came up with the wrong answer for synthesis to cells and all
the performance and implementability went out of the window in the final
selection. Packing the room with European researchers determined the
outcome.

>
> And, what are tweaks?
>

From here: https://www.cs.berkeley.edu/~daw/papers/tweak-crypto02.pdf

"Abstract. We propose a new cryptographic primitive, the “tweakable
block cipher.” Such a cipher has not only the usual inputs—message and
cryptographic key—but also a third input, the “tweak.” The tweak serves
much the same purpose that an initialization vector does for CBC mode
or that a nonce does for OCB mode. Our proposal thus brings this feature
down to the primitive block-cipher level, instead of incorporating it only
at the higher modes-of-operation levels. We suggest that (1) tweakable
block ciphers are easy to design, (2) the extra cost of making a block
cipher “tweakable” is small, and (3) it is easier to design and prove
modes of operation based on tweakable block ciphers."

Which I take to mean "more data input bits" because it's inconvenient to
steal from the existing power-of-2 number of data bits or add a whole
extra block.
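As an added illustration (not code from the post or from the linked paper), here is the paper's LRW construction, E~_K(T, M) = E_K1(M xor h(T)) xor h(T) with h(T) = K2 * T in GF(2^128), written in Python over a stand-in hash-based Feistel block cipher instead of AES; the keys, tweaks and message are constructed sample values, and the tweak plays the role of a disk sector number.

```python
import hashlib

MASK128 = (1 << 128) - 1
GF_POLY = 0x87  # x^128 + x^7 + x^2 + x + 1, the field used by GCM and XTS

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def gf128_mul(a: int, b: int) -> int:
    """Multiply two GF(2^128) elements (bit i <-> x^i), reducing by GF_POLY."""
    r = 0
    for _ in range(128):
        r ^= a if b & 1 else 0
        b >>= 1
        a = ((a << 1) & MASK128) ^ (GF_POLY if a >> 127 else 0)
    return r

def _round(key: bytes, i: int, half: bytes) -> bytes:
    # Hash-based round function keyed by (key, round index); stands in for AES here
    return hashlib.sha256(key + bytes([i]) + half).digest()[:8]

def feistel_encrypt(key: bytes, block: bytes, rounds: int = 4) -> bytes:
    """Stand-in 128-bit block cipher E_K: a 4-round Feistel network (Luby-Rackoff)."""
    l, r = block[:8], block[8:]
    for i in range(rounds):
        l, r = r, xor(l, _round(key, i, r))
    return l + r

def feistel_decrypt(key: bytes, block: bytes, rounds: int = 4) -> bytes:
    l, r = block[:8], block[8:]
    for i in reversed(range(rounds)):
        l, r = xor(r, _round(key, i, l)), l
    return l + r

def lrw_encrypt(k1: bytes, k2: int, tweak: bytes, block: bytes) -> bytes:
    """Tweakable cipher: E_K1(M xor h(T)) xor h(T), h(T) = K2 * T in GF(2^128)."""
    delta = gf128_mul(k2, int.from_bytes(tweak, "big")).to_bytes(16, "big")
    return xor(feistel_encrypt(k1, xor(block, delta)), delta)

def lrw_decrypt(k1: bytes, k2: int, tweak: bytes, block: bytes) -> bytes:
    delta = gf128_mul(k2, int.from_bytes(tweak, "big")).to_bytes(16, "big")
    return xor(feistel_decrypt(k1, xor(block, delta)), delta)

def demo() -> bool:
    # Constructed sample keys and tweaks (the tweak stands in for a sector number)
    k1, k2 = b"\x01" * 16, 0x0123456789ABCDEF0123456789ABCDEF
    msg = b"disk sector data"
    t7, t8 = (7).to_bytes(16, "big"), (8).to_bytes(16, "big")
    c7, c8 = lrw_encrypt(k1, k2, t7, msg), lrw_encrypt(k1, k2, t8, msg)
    # Same key and message under a different tweak gives a different ciphertext,
    # and the ciphertext only decrypts back to msg under the tweak it was made with
    return c7 != c8 and lrw_decrypt(k1, k2, t7, c7) == msg and lrw_decrypt(k1, k2, t8, c7) != msg
```

The tweak costs one field multiplication and two XORs on top of the block cipher call, which is the "small extra cost" the abstract refers to.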
