Re: [Cfrg] Deoxys-II for AEAD

"Blumenthal, Uri - 0553 - MITLL" <> Thu, 21 November 2019 21:52 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id C7291120120 for <>; Thu, 21 Nov 2019 13:52:13 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -4.195
X-Spam-Status: No, score=-4.195 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_NONE=0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id fBhvbnQxCcEL for <>; Thu, 21 Nov 2019 13:52:10 -0800 (PST)
Received: from (LLMX2.LL.MIT.EDU []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id BC1DE120045 for <>; Thu, 21 Nov 2019 13:52:10 -0800 (PST)
Received: from ( by (unknown) with ESMTPS id xALLq8Sm004405; Thu, 21 Nov 2019 16:52:08 -0500
From: "Blumenthal, Uri - 0553 - MITLL" <>
To: Thomas Peyrin <>
CC: "" <>
Thread-Topic: [Cfrg] Deoxys-II for AEAD
Thread-Index: AQHVoI7HYUchnWzvIECG6UXueJz6aaeWICaAgABddgD//60bAA==
Date: Thu, 21 Nov 2019 21:52:06 +0000
Message-ID: <>
References: <> <> <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
user-agent: Microsoft-MacOutlook/10.1f.0.191110
x-originating-ip: []
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha256; boundary="B_3657199926_1187407126"
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:, , definitions=2019-11-21_06:, , signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=0 malwarescore=0 phishscore=0 bulkscore=0 spamscore=0 mlxscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1911140001 definitions=main-1911210181
Archived-At: <>
Subject: Re: [Cfrg] Deoxys-II for AEAD
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 21 Nov 2019 21:52:14 -0000


On 11/21/19, 4:49 PM, "Thomas Peyrin" <> wrote:

    Hi Uri,
    the final timeline of the competition is given on this page:
    Indeed, for each of the three portfolio, two candidates are given:
    - "Lightweight applications": ASCON is 1st choice and ACORN is 2nd choice
    - "High-performance applications": both AEGIS-128 and OCB are 1st choices
    - "Defense in depth": Deoxys-II is 1st choice and COLM is 2nd choice
    Sorry the broken link, but we have changed our website for Deoxys, it
    is now located at:
    Le ven. 22 nov. 2019 à 05:19, Blumenthal, Uri - 0553 - MITLL
    <> a écrit :
    > I confess to being confused with the CAESAR process. It's web site does not say anything about completion, and lists two candidates (1st and 2nd choices) for each of the three portfolios.
    > Speaking of Deoxys - the site refers to the paper
    > The paper refers to , which doesn't exist any more.
    > What gives???
    > On 11/21/19, 12:11 PM, "Cfrg on behalf of Thomas Peyrin" < on behalf of> wrote:
    >     Dear all,
    >     Following my presentation at yesterday’s CFRG meeting, we would like
    >     to propose Deoxys-II for consideration at IRTF. Deoxys-II is the
    >     winner of the CAESAR competition for Authenticated Encryption
    >     (portfolio “defense in depth”) that terminated a few months ago after
    >     a 5-year process that went through several rounds of selection
    >     (
    >     Deoxys-II is a nonce-misuse resistant beyond-birthday AEAD
    >     (Authenticated Encryption with Associated Data) scheme, with two
    >     versions: 128-bit key and 256-bit key. It is based on Deoxys-BC, a new
    >     tweakable block cipher that reuses the AES round function, and SCT-2,
    >     a nonce-misuse resistant AEAD operating mode. We believe it presents a
    >     lot of interesting features from a security and efficiency point of
    >     view.
    >     - It is a very simple, clean design, and offers a lot of flexibility
    >     - It provides full 128-bit security for both privacy and authenticity
    >     when the nonce is not reused (meaning the AE security bound is of the
    >     form O(q/2^{128}), where q is the total number of encryption or
    >     decryption queries). This is very different from block cipher-based
    >     modes such as OCB3, GCM, or AES-GCM-SIV. To give a numerical example,
    >     when encrypting 2^32 messages of 64 KB each, existing security proofs
    >     ensure that the attacker against authenticity has an advantage of at
    >     most 2^−37 for OCB3, 2^−41 for GCM, 2^-73 or AES-GCM-SIV, and 2^−94
    >     for Deoxys-II.
    >     - Nonce-misuse resistance: Deoxys-II provides very good resistance
    >     when the nonce is reused. Actually, if the nonce is reused only a
    >     small number of times, it retains most of its full 128-bit security as
    >     the security degrades only linearly with the number of nonce
    >     repetitions. This is very different from OCB3 and GCM (for which a
    >     single nonce reuse breaks confidentiality and allows universal
    >     forgeries). Compared to AES-GCM-SIV which is also nonce-misuse
    >     resistant, Deoxys-II provides a larger security margin: for example,
    >     when encrypting 2^32 messages of 64 KB each with the same nonce, the
    >     attacker gets an advantage of about 2^−41 against AES-GCM-SIV versus
    >     2^−51 for Deoxys-II.
    >     - Deoxys-II security has been already analyzed by the designers and by
    >     many third parties during the CAESAR competition (a few publication
    >     venue examples among several others: CRYPTO 2016, ISCAS 2017,
    >     INDOCRYPT 2017, FSE 2018, EUROCRYPT 2018, ISC 2018, 2*FSE 2019, …).
    >     One can see some of these works listed on the Deoxys website:
    >   This provides very strong
    >     confidence in the design.
    >     - Deoxys-II is fully parallelizable, inverse-free (no need to
    >     implement decryption for the internal tweakable block cipher) and
    >     initialization-free. It provides very good software performances,
    >     benefiting from the AES-NI instructions and general good performances
    >     of AES on any platform. Benchmarks for efficiency comparison will be
    >     produced soon, but one can expect a speed at about 1.5 AES-GCM-SIV for
    >     long messages, and about the same speed as AES-GCM-SIV for short
    >     messages.
    >     - Constant time implementations for Deoxys-II are straightforward,
    >     basically using directly bitslice implementations of AES.
    >     - A tweakable block cipher (TBC) such as Deoxys-BC is a very valuable
    >     primitive, that can be used to build easily lots of different more
    >     complex schemes, with very strong security bounds (for example,
    >     several NIST LWC candidates are based on a TBC and defining a hash out
    >     of it). To the best of our knowledge, there is no standard TBC as of
    >     today.
    >     - Deoxys-II is not covered by any patent.
    >     More details on our design, reference implementations and test
    >     vectors, can be found here:
    >     The Deoxys-II team.
    >     _______________________________________________
    >     Cfrg mailing list