From 0f85caec0a64f8b93e0d6a88ce8ae602f453a4f0 Mon Sep 17 00:00:00 2001
From: zooko <>
Date: Thu, 28 Jun 2012 01:36:24 +0000
Subject: [PATCH] add link to Dodis Katz 2005

[Imported from Trac: page Bibliography, version 64]
---
 Bibliography.md | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/Bibliography.md b/Bibliography.md
index 3ee9e2d..ddf20c5 100644
--- a/Bibliography.md
+++ b/Bibliography.md
@@ -12,16 +12,14 @@ Here are some papers that are potentially of interest.
 
 #### Ciphers
 
+[Chosen-Ciphertext Security of Multiple Encryption](http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.65.8477) by Dodis, Katz 2005 ; combining two or more ciphers together
+
 [Salsa20 Design](http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.59.9522) a fast and secure cipher
 
 [Salsa20 Security Arguments](http://cr.yp.to/snuffle.html#security) why Salsa20 is probably safe against this and that threat
 
 [The European Stream Cipher project](http://www.ecrypt.eu.org/stream) which evaluated many stream ciphers including Salsa20
 
-[Bitsliced AES implementation](http://www.cryptojedi.org/crypto/index.shtml#aesbs) The faster and timing resistant implementation of AES-CTR in bitsliced mode by Peter Schwabe and Emilia Kasper.
-
-[Vector permutations and AES](http://crypto.stanford.edu/vpaes/) The fast and timing-resistant implementations of Mike Hamburg using vector permute instructions (read: pshufb and vperm).
-
 ### Public Key Cryptography
 
 #### Hash-Based Digital Signatures
@@ -121,3 +119,6 @@ These are some references which are less interesting or relevant than the ones a
 
 [Fast Hash-Based Signatures on Constrained Devices](https://www.minicrypt.cdc.informatik.tu-darmstadt.de/reports/reports/REDBP08.pdf) by Rohde, Eisenbarth, Dahmen, Buchmann, and Paar; a case study of implementing hash-based digital signatures for a 8-bit microcontroller. Their implementation had some trade-offs that we wouldn't want: it is a "key-evolving" design (the signer has to maintain state in order to avoid a security failure), it can only handle a limited number of signatures, and they spent a lot of time in key generation. Hm, they don't say how long key-generation took in this paper—only that it took so long that they had to run it on a PC instead of on their microcontroller. In [Signatures with Virtually Unlimited Signature Capacity]Merkle, the key-generation took tens of hours on a PC!!! On the other hand, they do show a digital signature scheme which is faster at signing and verifying and is also arguably safer than RSA or ECDSA on their 8-bit microcontroller. 
 
+[Bitsliced AES implementation](http://www.cryptojedi.org/crypto/index.shtml#aesbs) The faster and timing resistant implementation of AES-CTR in bitsliced mode by Peter Schwabe and Emilia Kasper.
+
+[Vector permutations and AES](http://crypto.stanford.edu/vpaes/) The fast and timing-resistant implementations of Mike Hamburg using vector permute instructions (read: pshufb and vperm).
\ No newline at end of file